One Article Review

Source Fortinet ThreatSignal
Identifier 4790514
Publication date 2022-05-24 13:29:37 (viewed: 2022-05-24 21:06:34)
Title Meet BlackByte Ransomware
Text FortiGuard Labs is aware of a relatively new ransomware family, "BlackByte", that is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory stating that "multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates." In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands a ransom from the victim to recover the files and to not leak the stolen information to the public.

Why is this Significant?
This is significant because the BlackByte ransomware family reportedly compromised organizations around the globe, including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, a widely used enterprise email application, was reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infections may indicate that some organizations have not yet applied those fixes or the workaround.
FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to:
- New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware
- Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell
- Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam

What is BlackByte?
BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing the necessary ransomware services to its affiliates. Such services include developing the ransomware, creating and maintaining the necessary infrastructure (e.g., a ransom payment portal), negotiating the ransom with victims, and providing support services to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and the ransom is paid, the BlackByte developers take a portion of the ransom as a service fee.

How does the Attack Work?
Typically, attacks that deliver ransomware arrive in emails; however, the joint advisory reported that BlackByte threat actors, in some cases, exploited known Microsoft Exchange Server vulnerabilities, including ProxyShell, to gain access to the victim's network. Once the attacker gains a foothold in the victim's network, the attacker deploys tools such as the oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows the ransomware to self-propagate through the victim's network.
Files that are encrypted by BlackByte ransomware typically have a ".blackbyte" file extension.
BlackByte ransomware reportedly avoids encrypting files if it detects that the compromised system uses Russian or ex-USSR languages.

What is ProxyShell?
ProxyShell is the name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against currently available Indicators of Compromise (IOCs) associated with BlackByte ransomware:
- RTF/BlackByte.DC56!tr.ransom
- W64/BlackByte.DC56!tr.ransom
- W32/Agent.CH!tr
- W32/CobaltStrike.NV!tr
- JS/Agent.49CC!tr
- W32/PossibleThreat
FortiGuard Labs provides the following IPS coverage against the three vulnerabilities that are leveraged in ProxyShell:
- MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)
- MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)
- MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)
FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge.
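As an added defensive illustration that is not part of the Fortinet advisory: a small Python detector that scans constructed file-event log lines and flags hosts that rename several files to the ".blackbyte" extension named above within a short window, which is the mass-encryption behaviour a responder would want to spot early. The log line format, host names, paths and thresholds are assumptions made for this example.

```python
# Added example (not Fortinet's code): flag hosts showing a burst of files renamed
# to the ".blackbyte" extension that the advisory names as the encryption marker.
# The log format and the sample lines below are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".blackbyte"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse_event(line):
    """Parse one constructed file-event line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_encryption_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {host: total .blackbyte renames} for every host that renamed at least
    `threshold` files to ENCRYPTED_EXT inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event"] == "rename" and ev["dst"].lower().endswith(ENCRYPTED_EXT):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = len(stamps)
                break
    return alerts

SAMPLE_LOG = [  # constructed sample telemetry: WS01 is a burst, FS02 is two slow renames
    r"2022-05-24T13:29:00 host=WS01 event=rename src=C:\Users\a\q1.xlsx dst=C:\Users\a\q1.xlsx.blackbyte",
    r"2022-05-24T13:29:02 host=WS01 event=rename src=C:\Users\a\q2.xlsx dst=C:\Users\a\q2.xlsx.blackbyte",
    r"2022-05-24T13:29:05 host=FS02 event=rename src=D:\share\a.doc dst=D:\share\a.doc.blackbyte",
    r"2022-05-24T13:29:07 host=WS01 event=create src=- dst=C:\Users\a\readme.txt",
    r"2022-05-24T13:29:08 host=WS01 event=rename src=C:\Users\a\q3.pdf dst=C:\Users\a\q3.pdf.blackbyte",
    r"2022-05-24T13:29:09 host=WS01 event=rename src=C:\Users\a\q4.pdf dst=C:\Users\a\q4.pdf.blackbyte",
    r"2022-05-24T13:34:30 host=FS02 event=rename src=D:\share\b.doc dst=D:\share\b.doc.blackbyte",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_LOG))  # {'WS01': 4}
```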
Sent Yes
Tags Ransomware Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.