The rapid rise and growing sophistication of ransomware let threat actors launch attacks more frequently and disrupt businesses and organizations that lack adequate preparation.
Microsoft Incident Response recently investigated an intrusion in which the threat actor's rapid attack progression caused major disruption for the victim organization in just five days.
During those five days the threat actor used a wide range of tools and techniques to deploy BlackByte 2.0 ransomware.
The TTPs used by the threat actor are described below:
The threat actor gained initial access to the victim's environment through unpatched Microsoft Exchange Servers by exploiting the following ProxyShell vulnerabilities:
Exploiting these vulnerabilities gave the threat actor the following capabilities:
Once on a device, the threat actor created registry run keys so that its payloads executed each time a user logged in. The run keys observed were:
For persistence the threat actor also used Cobalt Strike. Microsoft Defender Antivirus flagged sys.exe, downloaded from temp[.]sh (hxxps://temp[.]sh/szAyn/sys.exe), as Trojan:Win64/CobaltStrike!MSR, and the file was identified as a Cobalt Strike Beacon.
Threat actors use legitimate remote access tools to blend in with normal administrative activity; in this intrusion AnyDesk was used for both persistence and lateral movement.
AnyDesk was installed as a service that ran from the following paths:
The AnyDesk log file ad_svc.trace showed successful connections from IP addresses associated with the following anonymizer service:
Threat actors commonly use such services to hide their source IP ranges. Security analysts also found that the threat actor ran NetScan, a network discovery tool, to enumerate the network.
The attacker disabled Microsoft Defender Antivirus with the following command, allowing them to execute a file detected as Trojan:Win64/WinGoObfusc.LK!MT:
After reverse engineering that file, analysts determined that explorer.exe is ExByte, a Go-based tool used in BlackByte ransomware attacks to collect and exfiltrate files from victim networks.
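The persistence and defense-evasion steps above (run keys pointing at a dropped payload, a remote access tool registered as a service, Defender switched off) all leave host artifacts that a responder can check quickly. The PowerShell triage script below is an added example written for this article, not code from the Microsoft Incident Response report, and it does not reproduce the report's actual registry values, paths or IP addresses. The suspicious-path pattern, the AnyDesk service name match and the `Logged in from` string searched for in ad_svc.trace are assumptions to tune for your own environment; the Defender cmdlets and registry policy value are standard Windows components.

```powershell
# Added host triage example for the BlackByte 2.0 intrusion pattern described above.
# Not from the Microsoft IR report; all IOC-like values below are assumptions.
function Get-BlackByteTriageFindings {
    $findings = @()

    # 1. Registry Run keys: autostart persistence that fires at every user logon.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumption: legitimate autostarts rarely point at world-writable/temp locations.
    $suspiciousPath = '\\(Temp|AppData\\Local\\Temp|ProgramData|Users\\Public|Windows\\Temp)\\'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc.
            $value = [string]$p.Value
            if ($value -match $suspiciousPath) {
                $findings += [pscustomobject]@{
                    Check = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $value }
            }
        }
    }

    # 2. Remote access tool installed as a Windows service (AnyDesk in this case).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.Name -match 'AnyDesk' -or $svc.PathName -match 'AnyDesk') {
            $findings += [pscustomobject]@{
                Check = 'RemoteAccessService'; Location = $svc.Name; Detail = $svc.PathName }
        }
    }

    # 3. AnyDesk service trace: inbound session lines carry the peer address.
    # Assumption: the "Logged in from" wording; confirm against your AnyDesk version.
    $trace = Join-Path $env:ProgramData 'AnyDesk\ad_svc.trace'
    if (Test-Path $trace) {
        Select-String -Path $trace -Pattern 'Logged in from' | ForEach-Object {
            $findings += [pscustomobject]@{
                Check = 'AnyDeskSession'; Location = "$trace:$($_.LineNumber)"; Detail = $_.Line.Trim() }
        }
    }

    # 4. Microsoft Defender state: real-time protection, exclusions, and the
    #    DisableAntiSpyware policy value that turns the engine off.
    try {
        $pref   = Get-MpPreference
        $status = Get-MpComputerStatus
        if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
            $findings += [pscustomobject]@{
                Check = 'DefenderDisabled'; Location = 'RealTimeProtection'; Detail = 'off' }
        }
        if (-not $status.AntivirusEnabled) {
            $findings += [pscustomobject]@{
                Check = 'DefenderDisabled'; Location = 'AntivirusEnabled'; Detail = 'false' }
        }
        foreach ($ex in @($pref.ExclusionPath)) {
            if ($ex) { $findings += [pscustomobject]@{
                Check = 'DefenderExclusion'; Location = 'ExclusionPath'; Detail = $ex } }
        }
    } catch {
        $findings += [pscustomobject]@{
            Check = 'DefenderDisabled'; Location = 'Get-MpPreference'; Detail = $_.Exception.Message }
    }
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $das = (Get-ItemProperty -Path $policy -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($das -eq 1) {
        $findings += [pscustomobject]@{
            Check = 'DefenderDisabled'; Location = "$policy\DisableAntiSpyware"; Detail = '1' }
    }

    return $findings
}

# Run from an elevated prompt; HKCU checks only cover the current user's hive.
Get-BlackByteTriageFindings | Format-Table -AutoSize
```

The script is a point-in-time check on one host, so run it across the fleet through your EDR or remote PowerShell and treat any `DefenderDisabled` or `RunKey` hit as a lead to pivot on, not as a verdict. The HKCU keys it reads belong to whichever account runs it; to cover other users, load their NTUSER.DAT hives or query the same subkeys under HKU.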
The capabilities of BlackByte 2.0 ransomware are listed below:
The recommendations from Microsoft Incident Response are listed below: