The BlackCat RaaS affiliates are taking advantage of vulnerable Microsoft Exchange servers to gain access to corporate networks, Microsoft has warned.
First observed in November 2021, BlackCat/ALPHV is a relatively new ransomware-as-a-service (RaaS) operation which, as seen with other ransomware families, uses multiple extortion techniques. It is one of the first ransomware families written in the Rust programming language. The ransomware has extensive capabilities and can target and encrypt Windows and Linux devices and VMware instances.
To gain initial access to a targeted system, threat actors typically use remote desktop applications and compromised credentials, but Microsoft said it observed a BlackCat affiliate leveraging the ProxyLogon Exchange Server vulnerabilities as an entry vector.
ProxyLogon is the name for a set of four zero-day bugs, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, that together allow remote code execution on Microsoft's Exchange Server enterprise email product; Microsoft patched them in March 2021.
In this case, after breaching the target network via ProxyLogon, the threat actor ran a series of commands to collect information about the operating system and about the domain's computers, domain controllers and domain admins. The attackers then used account credentials found in one of the folders to launch a further attack.
“It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method,” the Microsoft 365 Defender Threat Intelligence Team said.
The tech giant did not name the ransomware affiliate who deployed BlackCat ransomware in this attack, but said that at least two known affiliates are now adopting BlackCat: DEV-0237 (aka FIN12) known for previously deploying Ryuk, Conti, and Hive, and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).
Microsoft said FIN12’s shift from the Hive ransomware (their last used payload) may be due to the public discourse around Hive’s decryption methodologies.
“Organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management,” the company advised.
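One concrete form of the "access monitoring" Microsoft recommends, aimed at the PsExec distribution pattern described above: PsExec installs a temporary service (by default named PSEXESVC) on each target, which Windows records as a Service Control Manager event 7045. The detection below is an added example, not code from the article or from Microsoft; it assumes 7045 events have already been parsed into dicts, and the hosts, times and the "Agent.exe" service are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of parsed System-log 7045 (new service installed) events.
# ServiceName and ImagePath follow the event's own data fields; hosts/times are made up.
EVENTS = [
    {"host": "WS-101", "time": "2022-06-13T09:02:11", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS-102", "time": "2022-06-13T09:02:14", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS-103", "time": "2022-06-13T09:02:20", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS-01", "time": "2022-06-13T09:02:25", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS-200", "time": "2022-06-10T14:30:00", "event_id": 7045,
     "ServiceName": "Agent", "ImagePath": r"C:\Program Files\Vendor\Agent.exe"},
    {"host": "WS-201", "time": "2022-06-12T11:00:00", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

# Matches the default service name or binary name PsExec drops on the target.
# PsExec's -r option lets the operator rename the service, so this name check is a
# floor, not a ceiling; the burst analytic below does not depend on the name alone.
PSEXEC_RE = re.compile(r"(^|[\\/])psexesvc(\.exe)?$", re.IGNORECASE)


def is_psexec_service(ev):
    """True for a 7045 event whose service name or image path is PsExec's default."""
    if ev.get("event_id") != 7045:
        return False
    return bool(PSEXEC_RE.search(ev.get("ServiceName", ""))
                or PSEXEC_RE.search(ev.get("ImagePath", "")))


def mass_deploy_windows(events, window=timedelta(minutes=15), min_hosts=3):
    """Return (start_time, hosts) bursts where PsExec services appeared on at least
    min_hosts distinct hosts within one window: the mass-deployment signature."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"])
                  for e in events if is_psexec_service(e))
    clusters, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        hosts = {h for t, h in hits[i:] if t <= start + window}
        if len(hosts) >= min_hosts:
            clusters.append((start.isoformat(), sorted(hosts)))
            while i < len(hits) and hits[i][0] <= start + window:
                i += 1  # skip the rest of this burst so it is reported once
        else:
            i += 1
    return clusters
```

A single PSEXESVC install is routine admin activity in many environments; the burst across many hosts in minutes is what distinguishes payload distribution from one-off use.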