Every ransomware attack starts with a compromised endpoint, and to that end, threat actors have now started looking into Microsoft Exchange servers. As per a report (opens in new tab) published by the Microsoft 365 Defender Threat Intelligence Team, at least one unpatched and vulnerable server (opens in new tab) was targeted by crooks, and abused to gain access to the target network.
After gaining a foothold, the threat actors lurked around, mapping out the network, stealing credentials, and pulling out data to be later used in a double extortion attack.
After these steps were successfully completed, the threat actor deployed the BlackCat ransomware via PsExec.
Potential attackers
“While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access,” the Microsoft 365 Defender Threat Intelligence Team said.
While these things are fact, there are a couple of others, currently in the domain of speculation, namely – the vulnerabilities abused and the threat actors involved. BleepingComputer believes the Exchange server vulnerability in question was covered in the March 2021 security advisory, that suggests mitigation measures for ProxyLogon attacks.
As for the potential threat actors, two names are at the top of the list: FIN12, and DEV-0504. While the former is a financially motivated group, known for deploying malware (opens in new tab) and ransomware strains in the past, the latter is an affiliate group usually deploying Stealbit to steal data.
“We've observed that this group added BlackCat to their list of distributed payloads beginning March 2022,” Microsoft said about FIN12. “Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter's decryption methodologies.”
To defend against ransomware, Microsoft suggests businesses should keep their endpoints updated, and monitor their networks (opens in new tab) for suspicious traffic. Deploying a strong cybersecurity solution (opens in new tab) is always a welcome idea, too.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba