Lockbit, Hive, and BlackCat attack an automotive supplier in this triple #ransomware attack.
After gaining access via RDP, all three threat actors encrypted files, in an investigation complicated by event log clearing and the victim's restoration from backups.
1/17
In May 2022, an automotive supplier was hit with three separate ransomware attacks. All three threat actors abused the same misconfiguration – a firewall rule exposing Remote Desktop Protocol (RDP) on a management server – but used different ransomware strains and tactics. 2/17
The first ransomware group, identified as Lockbit, exfiltrated data to the Mega cloud storage service, used Mimikatz to extract passwords, and distributed their ransomware binary using PsExec. 3/17
The second group, identified as Hive, used RDP to move laterally, before dropping their ransomware just two hours after the Lockbit threat actor. 4/17
As the victim restored data from backups, an ALPHV/BlackCat affiliate accessed the network, installed Atera Agent (a legitimate remote access tool) to establish persistence, and exfiltrated data. 5/17
Two weeks after the Lockbit and Hive attacks, the threat actor distributed their ransomware, and cleared Windows Event Logs.
@Sophos’ Rapid Response (RR) team investigated, and found several files which had been encrypted multiple times – as many as five in some instances. 6/17
We’ve covered several dual ransomware attacks before – and recently investigated the phenomenon of multiple attacks more generally, as it’s something which appears to be increasingly common... 7/17
...but this is the first incident we’ve seen where three separate ransomware actors used the same point of entry to attack a single organization. 8/17
Check out a more detailed breakdown of the attacks that our team investigated in the article linked below. 9/17
After the dust had settled, Sophos’ RR team found files that had been encrypted by all three ransomware groups. In fact, as shown in the screenshot below, some files had even been encrypted five times! 10/17
Because the Hive attack started 2 hours after Lockbit, the Lockbit ransomware was still running – so each group's ransomware kept finding files that did not yet carry its own extension signifying that they were encrypted. 11/17
However, despite all three ransomware groups being known for ‘double extortion’ techniques (where, in addition to encrypting files, threat actors threaten to publish the victim’s data if the ransom is not paid), no information was published on any of the groups’ leak sites. 12/17
When it comes to defense, there are two elements: proactive (following security best practices to minimize the risk of being attacked), and reactive (how to recover quickly and safely if an attack does happen). 13/17
On the proactive side, our white paper on multiple attackers includes several learning points and best-practice guidance, including:
🔹Patch and investigate
🔹Lock down accessible services
🔹Practice segmentation and zero-trust 14/17
🔹Set and enforce strong passwords and multifactor authentication (MFA)
🔹Inventory your assets and accounts
🔹Install layered protection to block attackers at as many points as possible 15/17
But once threat actors are inside a network, there’s not much that can be done to ‘stop the bleeding’ without comprehensive Incident Response and remediation plans, and immediate action. 16/17
Sophos X-Ops has posted IOCs relating to the Lockbit, Hive, and BlackCat attacks covered in this report on our GitHub repository.
NEW: Excel 4.0 macros, also known as XLM 4.0 macros, have been around for a long time – 30 years! They’ve become very popular with threat actors as an alternative to VBA macros. 1/14
These macros are specific to Excel and are commonly used by organizations, but can easily be weaponized. Add in a wide variety of obfuscation techniques, and it’s no wonder that threat actors love them. 2/14
The real excitement in this month’s 121-CVE #PatchTuesday collection wasn’t the size of the haul; it was the part where Microsoft took us all the way back to 2019 for a moment.
1/6
Remember Follina, the MSDT issue that rolled onstage in late May? Turns out that vulnerability (CVE-2022-30190) has a cousin. An *older* cousin. 2/6
Researcher Imre Rad reported it to Microsoft back in December 2019. We explain in today’s blog post how it is you’re only hearing about it in August 2022. 3/6
NEW: Multiple attackers increase pressure on victims, complicate incident response
Sophos’ latest Active Adversary report explores the issue of organizations being hit multiple times by attackers...
1/17
There’s a well-worn industry phrase about the probability of a cyberattack: “It’s not a matter of if, but when.”
Some of the incidents @Sophos recently investigated may force the industry to consider changing this: The question is not if, or when – but how many times? 2/17
In an issue we highlighted in our Active Adversary Playbook 2022, we’re seeing organizations being hit by multiple attackers. 3/17
NEW: Reconstructing PowerShell scripts from multiple Windows event logs
On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.
1/19
Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
... this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike. 3/19
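PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) splits a large script across several events that share a ScriptBlockId and carry MessageNumber/MessageTotal counters. The following is an added example, not Sophos' tooling; it assumes the events have already been parsed into dicts with those field names, and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of Event ID 4104 records. Field names follow the real event
# schema; the ScriptBlockId values and script text are made up for this example,
# and the fragments are deliberately out of order. Block "c3d4" is missing its
# second fragment, as happens when part of the log has rolled over or been cleared.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1b2", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "urse | Where-Object { $_.Len"},
    {"ScriptBlockId": "a1b2", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "Get-ChildItem -Path C:\\Users -Rec"},
    {"ScriptBlockId": "c3d4", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-Process | "},
    {"ScriptBlockId": "a1b2", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "gth -gt 1MB } | Export-Csv big.csv"},
]


def reassemble_script_blocks(events):
    """Group 4104 fragments by ScriptBlockId, order by MessageNumber, and join them.

    Returns {ScriptBlockId: {"complete": bool, "text": str, "missing": [int]}}.
    Incomplete blocks are still returned with whatever fragments survived, so an
    analyst can see the partial script and which fragment numbers are absent.
    """
    fragments = defaultdict(dict)   # ScriptBlockId -> {MessageNumber: text}
    totals = {}                     # ScriptBlockId -> MessageTotal
    for ev in events:
        sbid = ev["ScriptBlockId"]
        fragments[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sbid] = int(ev["MessageTotal"])

    result = {}
    for sbid, parts in fragments.items():
        missing = [n for n in range(1, totals[sbid] + 1) if n not in parts]
        text = "".join(parts[n] for n in sorted(parts))  # ordered concatenation
        result[sbid] = {"complete": not missing, "text": text, "missing": missing}
    return result


if __name__ == "__main__":
    for sbid, block in reassemble_script_blocks(SAMPLE_4104).items():
        status = "complete" if block["complete"] else f"missing {block['missing']}"
        print(f"{sbid} ({status}):\n{block['text']}\n")
```

Exporting the real events first (for example with Get-WinEvent filtered to Id 4104) and feeding the parsed records into reassemble_script_blocks gives the same result on a live log.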
Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers
1/14
In the wake of the December 2021 disclosure of a remote code execution vulnerability (dubbed “Log4Shell”) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weakness—particularly among cryptocurrency mining bots. 2/14
The vulnerability affected hundreds of software products, making it difficult for some organizations to assess their exposure. 3/14
We published some news this week about Conti. In brief, a #Conti affiliate infiltrated the network of a healthcare provider that a different #ransomware threat actor had already penetrated.
The technical debt in healthcare is dangerous.
1/23
But Conti attracts a particularly aggressive group of affiliates. And we have another, previously untold, Conti-adjacent story about one of their ransomware affiliates.
It serves as a cautionary tale that not all attackers are necessarily after a ransom. 2/23
This past January we were contacted by a customer in the Middle East to investigate a malware incident that began in mid-December 2021. The target, in the financial services industry, discovered lateral movement and backdoors in their network the week before New Year's Day. 3/23