[BreachExchange] Inside a ransomware incident: How a single mistake left a door open for attackers

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue Apr 26 08:47:33 EDT 2022


https://www.zdnet.com/article/inside-a-ransomware-incident-how-a-single-mistake-left-a-door-open-for-attackers/

A security vulnerability that was left unpatched for three years allowed a
notorious cyber-criminal gang to breach a network and plant ransomware.

The BlackCat ransomware attack against the undisclosed organization took
place in March 2022 and has been detailed by cybersecurity researchers at
Forescout who investigated the incident.

BlackCat ransomware, also known as ALPHV, is currently one of the most
active ransomware groups, to the extent that the FBI has released an alert
warning that the group has compromised at least 60 victims around the
world.

While BlackCat has a reputation for running a sophisticated ransomware
operation, it was a simple technique that allowed malicious cyber criminals
to gain initial access to the network – exploiting an SQL injection
vulnerability in an internet-exposed SonicWall SRA 4600 firewall.

A security patch has been available to fix the vulnerability since 2019,
but it hadn't been applied in this case, providing cyber criminals with an
easy entry point into the network.

From there, the attackers were able to gain access to usernames and
passwords, using them to gain access to ESXi servers, where the ransomware
payload was ultimately deployed.

BlackCat uses several techniques, not seen in other ransomware groups, that
are designed to make its attacks succeed. For a start, the ransomware is
written in the Rust programming language, which is unusual for malware and
makes it harder to detect and analyse.

The ransomware also uses a unique binary for each victim, based around
information found in the target environment. The unique binary makes it
more difficult to identify attacks as the code used in each campaign will
be slightly different.

"A unique binary that is not general for each victim makes the detection
harder," Daniel dos Santos, head of security research at Forescout, told
ZDNet.

In the case of the March 2022 incident, the attack was partially
successful. BlackCat ransomware successfully encrypted servers and files,
but the attack wasn't able to spread to other parts of the network because
it had been segmented. While the attackers could control one area of the
network, they couldn't move into other sections.

"The segmentation was actually well done in this case and that's why it was
contained," said dos Santos, who added that this attack using BlackCat
ransomware-as-a-service appeared to have been carried out by a cyber
criminal who was still learning how to conduct attacks properly.

"The impression we got is that the affiliate that was running the actual
malware wasn't very experienced."

However, despite the inexperience of the attacker, some servers were still
infected with malware. While no ransom was paid, and the network
segmentation reduced the impact of the attack, the whole incident could
have been avoided if some basic cybersecurity hygiene advice had been
followed.

Those steps would have included applying the relevant security updates to
fix a vulnerability that was first disclosed in 2019.

"The biggest lesson here is patch the network infrastructure – whatever is
facing the internet, it's always important for it to be fully patched,"
said dos Santos.

It's also recommended that organizations monitor their networks for
external access from known IP addresses or unusual patterns of behavior. In
addition, businesses should back up their servers regularly. Then, if
something happens, the network can be restored to a recent point without
needing to pay a ransom.
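The monitoring advice above, as an added example that is not part of the article or of Forescout's investigation: a small Python detector that runs over constructed access-log lines from a hypothetical internet-facing remote-access appliance. The log format, the blocklist of known-bad IP addresses and the sample traffic are all assumptions made for the example. It raises three kinds of alert: a request from a blocklisted address, a request whose decoded path carries SQL-injection-style markers (the class of flaw the article says gave the attackers their entry point), and a burst of failed logins from one address, with a separate alert if that address then logs in successfully.

```python
"""Toy access-log detector for an internet-facing remote-access appliance.
Added example; the log format below is a constructed assumption:
    <ISO timestamp> <client_ip> <user-or-dash> <HTTP status> <request path>
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample traffic: one source probing with SQL-injection-style
# payloads, one legitimate login, one source spraying passwords until success.
SAMPLE_LOGS = """\
2022-03-14T02:11:05Z 203.0.113.45 - 200 /cgi-bin/welcome
2022-03-14T02:11:07Z 203.0.113.45 - 500 /cgi-bin/welcome?user=a%27%20OR%20%271%27%3D%271
2022-03-14T02:11:09Z 203.0.113.45 - 200 /cgi-bin/welcome?user=x%27%20UNION%20SELECT%20passwd%20FROM%20users--
2022-03-14T02:15:30Z 198.51.100.7 jsmith 200 /login
2022-03-14T03:40:01Z 192.0.2.99 admin 401 /login
2022-03-14T03:40:03Z 192.0.2.99 admin 401 /login
2022-03-14T03:40:05Z 192.0.2.99 admin 401 /login
2022-03-14T03:40:07Z 192.0.2.99 admin 401 /login
2022-03-14T03:40:09Z 192.0.2.99 admin 401 /login
2022-03-14T03:40:20Z 192.0.2.99 admin 200 /login
"""

# Constructed blocklist standing in for a threat-intelligence feed of known-bad IPs.
KNOWN_BAD_IPS = {"203.0.113.45"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# Crude markers of SQL-injection probing in a URL-decoded path; tune to real traffic.
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*(or|and)\s*'|--\s*$|;\s*(drop|insert)\b)")
FAILED_LOGIN_THRESHOLD = 5


@dataclass(frozen=True)
class Alert:
    rule: str
    client_ip: str
    detail: str


def parse_line(line):
    """Parse one log line into a dict, URL-decoding the path so encoded
    payloads (%27 for a quote, %20 for a space) can be matched. Returns None
    for lines that do not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, status, path = m.groups()
    return {"ts": ts, "ip": ip, "user": user, "status": int(status), "path": unquote(path)}


def detect(log_text):
    """Run the three rules over the log text and return the alerts in order."""
    alerts = []
    flagged_bad_ips = set()          # alert once per blocklisted address
    failed = defaultdict(int)        # ip -> consecutive failed /login attempts
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ip"] in KNOWN_BAD_IPS and ev["ip"] not in flagged_bad_ips:
            flagged_bad_ips.add(ev["ip"])
            alerts.append(Alert("known-bad-ip", ev["ip"], "traffic from blocklisted address"))
        if SQLI_RE.search(ev["path"]):
            alerts.append(Alert("sqli-probe", ev["ip"], ev["path"]))
        if ev["path"] == "/login":
            if ev["status"] == 401:
                failed[ev["ip"]] += 1
                if failed[ev["ip"]] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(Alert("login-failure-burst", ev["ip"],
                                        f"{FAILED_LOGIN_THRESHOLD} failures for user {ev['user']}"))
            elif ev["status"] == 200:
                if failed[ev["ip"]] >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(Alert("success-after-failures", ev["ip"],
                                        f"user {ev['user']} logged in after {failed[ev['ip']]} failures"))
                failed[ev["ip"]] = 0  # a success resets the per-address counter
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a dashboard or test would consume."""
    return Counter(a.rule for a in alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.client_ip}: {a.detail}")
    print(dict(summarize(detect(SAMPLE_LOGS))))
```

On the constructed sample this yields one known-bad-ip alert, two sqli-probe alerts, one login-failure-burst and one success-after-failures. The last rule is the one worth keeping even when the others are noisy: a success that follows a run of failures from the same address is the pattern that turns a credential guess into the kind of access the article describes, and it is cheap to compute from logs the appliance already produces.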