Microsoft Under Attack by BlackCat: Exchange Servers hacked

Modus Operandi of BlackCat ransomware affiliates

• The threat actor used PsExec to spread BlackCat ransomware payloads across the network two weeks after the original penetration utilizing an unpatched Exchange server as an entry vector.
• The common entry vectors for these threat actors include remote desktop applications and compromised credentials.

Was there any significant damage?

• The extent of damage is still unknown, and also there wasn’t any mention of the Exchange vulnerability used for initial access.
• There was also no mention of the ransomware affiliate who deployed BlackCat ransomware in this case study by Microsoft. 

Who is behind these attacks?

• FIN12 is infamous for previously deploying Ryuk, Conti, and Hive ransomware in attacks. 
• FIN12 main targets were healthcare organizations.
• FIN12 operators are much faster and take less than two days to drop their file-encrypting payloads across a target's network.
• Microsoft observed that FIN12 added BlackCat to their list of distributed payloads beginning March 2022.

BlackCat ransomware & DEV-0504 - what’s the connection?

• Stealbit is a malicious tool provided by the LockBit gang to its affiliates as part of its RaaS scheme, to exfiltrate stolen data.
• Since December 2021, DEV-0504 has also utilized other ransomware strains such as BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk.

How can enterprises stay secure?

• Enterprises need to examine their identity posture and monitor external access to their networks
• Also, update all susceptible Exchange servers in their environment as quickly as possible to protect themselves from BlackCat ransomware attacks.

Final thoughts