On Thursday, Microsoft announced that it has discovered a fresh iteration of the BlackCat ransomware, also known as ALPHV and Noberus, that incorporates tools like Impacket and RemCom for lateral movement and remote code execution.
The company's threat intelligence team stated in a series of posts on X (previously Twitter) that the Impacket tool features credential dumping and remote service execution components that might be leveraged for widespread propagation of the BlackCat ransomware in target environments.
The RemCom hacktool for remote code execution is also included in this BlackCat version's executable. Additionally, the file has hardcoded compromised target credentials that criminals use to move about and spread ransomware more widely.
Chinese and Iranian nation-state threat actors like Dalbit and Chafer (a.k.a. Remix Kitten) have previously used RemCom, marketed as an open-source substitute for PsExec, to move around the victim environments.
Redmond claimed that beginning in July 2023, it began to see the new variation in attacks carried out by a BlackCat affiliate.
Cybersecurity
The advancement comes more than two months after IBM Security X-Force revealed information about the updated BlackCat, known as Sphynx, which first surfaced in February 2023 with improved encryption speed and stealth. This indicates that threat actors are still working to improve and retool the ransomware.
IBM Security X-Force stated in late May 2023 that "The BlackCat ransomware sample contains more than just ransomware functionality but can function as a "toolkit"". "An additional string implies that tooling is built using Impacket's tools,"
The cybercrime gang, which began operations in November 2021, is known for its continual evolution; most recently, it unveiled a data leak API to increase the visibility of its activities. Rapid7's Mid-Year Threat Review for 2023 states that 212 out of 1,500 ransomware attacks have been linked to BlackCat.
Not just BlackCat, but the Cuba (aka COLDRAW) ransomware threat group has also been seen using a full assault toolkit that includes the Cobalt Strike and Metasploit frameworks, as well as BUGHATCH, a bespoke downloader, BURNTCIGAR, an antimalware killer, and Wedgecut, a host enumeration tool.
In order to prevent analysis, BURNTCIGAR in particular has been modified internally to include a hashed list of targeted processes that should be terminated.
A high-severity vulnerability in Veeam Backup & Replication software that has previously been exploited by the FIN7 gang, CVE-2020-1472 (Zerologon), and CVE-2023-27532, are claimed to have been weaponized in one of the attacks carried out by the group in early June 2023.
BlackBerry, a Canadian cybersecurity firm, stated that this is the group's "first observed use of an exploit for the Veeam vulnerability CVE-2023-27532."
"The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have been subtly modifying from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises," it continued.
Despite increased law enforcement attempts to shut them down, ransomware remains a significant source of income for financially motivated threat actors, expanding in sophistication and quantity in 2023's first half compared to all of 2022.
Cybersecurity
Some groups have also started abandoning encryption in favor of straightforward exfiltration and ransom or, alternatively, turning to triple extortion, in which the operations go beyond data theft and encryption to engage in employee or customer blackmail as well as DDoS attacks to increase pressure.
A Play ransomware campaign that targeted the financial, software, legal, shipping, and logistics sectors as well as state, local, tribal, and territorial (SLTT) organizations in the United States, Australia, the United Kingdom, and Italy is one example of this noteworthy tactic. Another noteworthy tactic is the targeting of managed service providers (MSPs) as entry points to breach downstream corporate networks.
The assaults give threat actors unrestricted, privileged access to networks because they exploit "Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer's environment, bypassing the majority of its defenses," according to Adlumin.
The U.S. government has released a Cyber Defense Plan to lessen dangers to the RMM ecosystem in response to threat actors' persistent exploitation of genuine RMM software.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning: "Cyber threat actors can gain access via RMM software into managed service providers' (MSPs') or manage security providers' (MSSPs') servers and, by extension, can cause cascading effects for MSP/MSSP customers' small- and medium-sized businesses.
Comments