Sophos X-Ops
Aug 10 · 17 tweets · 4 min read
3 attackers, 2 weeks – 1 entry point...

Lockbit, Hive, and BlackCat attack an automotive supplier in this triple #ransomware attack.

After gaining access via RDP, all three threat actors encrypted files, in an investigation complicated by event log clearing and backups.

1/17
In May 2022, an automotive supplier was hit with three separate ransomware attacks. All three threat actors abused the same misconfiguration – a firewall rule exposing Remote Desktop Protocol (RDP) on a management server – but used different ransomware strains and tactics. 2/17
The first ransomware group, identified as Lockbit, exfiltrated data to the Mega cloud storage service, used Mimikatz to extract passwords, and distributed their ransomware binary using PsExec. 3/17
The second group, identified as Hive, used RDP to move laterally, before dropping their ransomware just two hours after the Lockbit threat actor. 4/17
As the victim restored data from backups, an ALPHV/BlackCat affiliate accessed the network, installed Atera Agent (a legitimate remote access tool) to establish persistence, and exfiltrated data. 5/17
Two weeks after the Lockbit and Hive attacks, the threat actor distributed their ransomware, and cleared Windows Event Logs.

@Sophos’ Rapid Response (RR) team investigated, and found several files which had been encrypted multiple times – as many as five in some instances. 6/17
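Two of the artifacts named above, an RDP logon on the exposed management server and the clearing of Windows Event Logs, are visible in standard Windows event data. The following is an added triage example (not code from Sophos or the thread) that runs over a constructed set of event records and flags RemoteInteractive logons (Security 4624, logon type 10) from outside a configured set of internal ranges, plus the log-clearing events Security 1102 and System 104. The hostname, usernames, IPs and internal ranges are all assumed sample values.

```python
import ipaddress

# Constructed sample events (not from the investigation), flattened to the
# fields a SIEM would typically expose for each Windows event record.
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T02:13:07Z", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "svc_mgmt", "src_ip": "203.0.113.45", "host": "MGMT01"},
    {"ts": "2022-05-01T09:30:00Z", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "jdoe", "src_ip": "10.20.1.15", "host": "MGMT01"},
    {"ts": "2022-05-15T23:58:41Z", "channel": "Security", "id": 1102,
     "user": "svc_mgmt", "host": "MGMT01"},
    {"ts": "2022-05-15T23:58:42Z", "channel": "System", "id": 104,
     "user": "svc_mgmt", "host": "MGMT01"},
    {"ts": "2022-05-15T23:59:00Z", "channel": "Security", "id": 4672,
     "user": "svc_mgmt", "host": "MGMT01"},
]

# Assumed internal address space; an organisation would use its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (channel, event id) pairs written when an event log is cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def is_external(ip: str) -> bool:
    """True if the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return findings for external RDP logons and event-log clearing."""
    findings = []
    for e in events:
        if e["channel"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 10:
            # Logon type 10 = RemoteInteractive (RDP); only external sources are flagged.
            if is_external(e["src_ip"]):
                findings.append({"kind": "external_rdp_logon", "ts": e["ts"],
                                 "host": e["host"], "user": e["user"], "src_ip": e["src_ip"]})
        elif (e["channel"], e["id"]) in LOG_CLEAR_IDS:
            findings.append({"kind": "event_log_cleared", "ts": e["ts"],
                             "host": e["host"], "user": e["user"], "channel": e["channel"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Because 1102/104 are written by the service that clears the log, they survive a clear of the Security or System log on the host itself only if they are forwarded, so the check is most useful against centrally collected events.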
We’ve covered several dual ransomware attacks before – and recently investigated the phenomenon of multiple attacks more generally, as it’s something which appears to be increasingly common... 7/17
...but this is the first incident we’ve seen where three separate ransomware actors used the same point of entry to attack a single organization. 8/17
Check out a more detailed breakdown of the attacks that our team investigated in the article linked below. 9/17
After the dust had settled, Sophos’ RR team found files that had been encrypted by all three ransomware groups. In fact, as shown in the screenshot below, some files had even been encrypted five times! 10/17
Because the Hive attack started 2 hours after Lockbit, the Lockbit ransomware was still running – so both groups kept finding files without the extension signifying that they were encrypted. 11/17
However, despite all three ransomware groups being known for ‘double extortion’ techniques (where, in addition to encrypting files, threat actors threaten to publish the victim’s data if the ransom is not paid), no information was published on any of the groups’ leak sites. 12/17
When it comes to defense, there are two elements: proactive (following security best practices to minimize the risk of being attacked), and reactive (how to recover quickly and safely if an attack does happen). 13/17
On the proactive side, our white paper on multiple attackers includes several learning points and best-practice guidance, including:

🔹Patch and investigate
🔹Lock down accessible services
🔹Practice segmentation and zero-trust 14/17
🔹Set and enforce strong passwords and multifactor authentication (MFA)
🔹Inventory your assets and accounts
🔹Install layered protection to block attackers at as many points as possible 15/17
But once threat actors are inside a network, there’s not much that can be done to ‘stop the bleeding’ without having comprehensive Incident Response and remediation plans, and taking immediate action. 16/17
Sophos X-Ops has posted IOCs relating to the Lockbit, Hive, and BlackCat attacks covered in this report on our GitHub repository.

Read more from authors Linda Smith, Rajat Wason, and Syed Zaidi: news.sophos.com/en-us/2022/08/… 17/17
