14 June 2022

BlackCat ransomware affiliates use unpatched Exchange servers to sneak into networks


The BlackCat RaaS affiliates are taking advantage of vulnerable Microsoft Exchange servers to gain access to corporate networks, Microsoft has warned.

First observed in November 2021, BlackCat/ALPHV is a relatively new ransomware-as-a-service (RaaS) operation which, like other ransomware families, uses multiple extortion techniques. It is one of the first ransomware families written in the Rust programming language. The ransomware has extensive capabilities and can target and encrypt Windows and Linux devices and VMware instances.

To gain initial access to a targeted system, threat actors typically use remote desktop applications and compromised credentials, but Microsoft said it observed a BlackCat affiliate leverage the ProxyLogon Exchange server vulnerabilities as an entry vector.

ProxyLogon is the name for a set of four remote code execution zero-day bugs, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, affecting Microsoft’s Exchange Server enterprise email product, which Microsoft patched in March 2021.

In this case, after breaching the target network via ProxyLogon, the threat actor executed a series of commands to collect information about the operating system, domain computers, domain controllers, and domain admins in the environment. The attackers then used account credentials found in one of the folders to launch a further attack.

“It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method,” the Microsoft 365 Defender Threat Intelligence Team said.
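The two stages Microsoft describes, a burst of domain discovery commands and later PsExec-based payload distribution, are what a defender would hunt for in the two-week window before deployment. The script below is an added illustration, not code from Microsoft's report or this article; the event samples, the 10-minute window and the three-category threshold are constructed assumptions.

```python
"""Hunt for the intrusion pattern described above: a burst of AD discovery
commands on one host, and PsExec service installs used to push the payload.
All events below are constructed samples, not logs from the incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery categories the write-up names (OS, domain computers, DCs, domain admins),
# matched against process-creation command lines (Security event 4688).
DISCOVERY = {
    "os_info": re.compile(r"\bsysteminfo\b", re.I),
    "domain_computers": re.compile(r'\bnet\s+(view|group\s+"?domain computers)', re.I),
    "domain_controllers": re.compile(r'\bnltest\b.*/dclist|\bnet\s+group\s+"?domain controllers', re.I),
    "domain_admins": re.compile(r'\bnet\s+group\s+"?domain admins', re.I),
}
WINDOW = timedelta(minutes=10)   # assumed: distinct categories must land within 10 min
MIN_DISTINCT = 3                 # assumed: three categories on one host = discovery burst

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def hunt(events):
    """Return (finding, host, timestamp) tuples in chronological order."""
    findings, flagged = [], set()
    seen = defaultdict(list)     # host -> [(timestamp, discovery category)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = parse_ts(ev["ts"]), ev["host"]
        # System event 7045: PsExec installs its PSEXESVC service on every target it reaches
        if ev["event_id"] == 7045 and "psexesvc" in (ev.get("service", "") + ev.get("image", "")).lower():
            findings.append(("psexec_service_install", host, ev["ts"]))
        elif ev["event_id"] == 4688 and host not in flagged:
            for cat, rx in DISCOVERY.items():
                if rx.search(ev.get("cmdline", "")):
                    seen[host].append((ts, cat))
            recent = {c for t, c in seen[host] if ts - t <= WINDOW}
            if len(recent) >= MIN_DISTINCT:
                flagged.add(host)
                findings.append(("discovery_burst", host, ev["ts"]))
    return findings

# Constructed sample telemetry: discovery on a workstation, PsExec two weeks later.
SAMPLE_EVENTS = [
    {"ts": "2022-05-02 09:12:01", "host": "WS-042", "event_id": 4688, "cmdline": "systeminfo"},
    {"ts": "2022-05-02 09:12:40", "host": "WS-042", "event_id": 4688, "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2022-05-02 09:13:05", "host": "WS-042", "event_id": 4688, "cmdline": "nltest /dclist:corp.example"},
    {"ts": "2022-05-02 09:30:00", "host": "WS-042", "event_id": 4688, "cmdline": "notepad.exe report.txt"},
    {"ts": "2022-05-16 02:14:10", "host": "SRV-FS1", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The discovery burst fires two weeks before the PsExec service install, which is the triage window the Microsoft team says defenders should use to scope the compromised accounts.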

The tech giant did not name the ransomware affiliate who deployed BlackCat ransomware in this attack, but said that at least two known affiliates are now adopting BlackCat: DEV-0237 (aka FIN12), known for previously deploying Ryuk, Conti, and Hive, and DEV-0504 (which previously deployed Ryuk, REvil, BlackMatter, and Conti).

Microsoft said FIN12’s shift from the Hive ransomware (their last used payload) may be due to the public discourse around Hive’s decryption methodologies.

“Organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management,” the company advised.
