[BreachExchange] Japanese Manufacturer Yamabiko Targeted by Babuk Ransomware

Destry Winant destry at riskbasedsecurity.com
Thu May 13 10:36:08 EDT 2021


https://www.infosecurity-magazine.com/news/japanese-manufacturer-yamabiko/

A ransomware group that claimed to be retiring after an audacious attack on
Washington DC’s police department appears to be back in action after
reportedly targeting a Japanese firm.

Yamabiko, a Tokyo-headquartered manufacturer of power tools and
agricultural and industrial machinery, was apparently added to the data
leak site used by the Babuk group.

Although official confirmation is still pending from the firm itself,
reports suggest the Russian-speaking threat actors have already released
some of the data on their naming-and-shaming site.

This includes personally identifiable information (PII) on employees,
product schematics, financial data and more, according to TechNadu.

The group reportedly claimed to have a total of 0.5TB of data in its
possession.

With annual revenue exceeding $1 billion, Yamabiko is a prime candidate for
targeting by “hands-on-keyboard” ransomware attacks which often use
“living-off-the-land” techniques and legitimate tools like Cobalt Strike to
move laterally inside networks and exfiltrate data.

Confusingly, the Babuk group intimated last month that its attack on the
Washington DC police department, in which it threatened to release stolen
data on officers and informants, would be its last. However, it
subsequently deleted an online note which claimed that it would be open
sourcing its code for Ransomware as a Service (RaaS) actors to use.

Saumitra Das, CTO of Blue Hexagon, said Babuk has in the past been linked
to attacks that exploit VPN vulnerabilities to gain a foothold inside
victim networks.

“Due to the deluge of new CVEs this year, attackers have now started
attacking company infrastructure as an entry rather than the usual first
vectors of phishing users, finding leaked credentials or open RDP,” he
added.

“Such infection methods circumvent prevention-based perimeter defense like
firewalls and necessitate the use of network detection and response to find
attack traces that signature-based technologies miss.”