Every ransomware attack starts with a compromised endpoint, and threat actors have now turned their attention to Microsoft Exchange servers. According to a report published by the Microsoft 365 Defender Threat Intelligence team, at least one unpatched, vulnerable Exchange server has been targeted by attackers and abused to gain access to the target network.

After gaining a foothold, the threat actors went into hiding, mapped the network, stole credentials, and exfiltrated data to use later in a double-extortion attack.

Once these steps were successfully completed, the threat actor deployed the BlackCat ransomware via PsExec.
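PsExec deployment of the kind described above leaves a recognisable trace on each target host: a service-installation event for the PsExec service. The following is an added detection example, not code from the article or from Microsoft; it runs over constructed Windows System log records (Event ID 7045 fields, hosts, times and the fan-out threshold are all made up for illustration).

```python
"""Flag PsExec-style service installs in Windows System event log records.

Added illustration, not from the original article; the records below are
constructed to mimic Event ID 7045 ("A service was installed in the system")
fields and are not telemetry from the incident described."""
import re
from datetime import datetime, timedelta

# PsExec's default service name and the %SystemRoot%\PSEXESVC.exe path it
# registers. A renamed instance (psexec -r) changes the service name but not
# the binary name, so both fields are checked.
PSEXEC_SVC_NAME = re.compile(r"^PSEXESVC", re.IGNORECASE)
PSEXEC_IMAGE = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample records
    {"Time": "2022-06-13T02:14:05", "EventID": 7045, "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Time": "2022-06-13T02:14:09", "EventID": 7045, "Computer": "FS02",
     "ServiceName": "winupd", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Time": "2022-06-13T02:14:12", "EventID": 7045, "Computer": "WS07",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Time": "2022-06-13T02:20:00", "EventID": 7045, "Computer": "DC01",
     "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"Time": "2022-06-13T02:21:00", "EventID": 7036, "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": ""},
]

def psexec_installs(events):
    """Return (time, host, service, reason) for each 7045 that looks like PsExec."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-installation events are of interest
        by_name = bool(PSEXEC_SVC_NAME.match(ev.get("ServiceName", "")))
        by_path = bool(PSEXEC_IMAGE.search(ev.get("ImagePath", "")))
        if by_name or by_path:
            reason = "default service name" if by_name else "renamed service, PsExec binary"
            hits.append((datetime.fromisoformat(ev["Time"]), ev["Computer"],
                         ev["ServiceName"], reason))
    return hits

def fanout_hosts(events, window=timedelta(minutes=10), min_hosts=3):
    """Distinct hosts hit within `window` of the first PsExec install. Mass payload
    deployment touches many hosts in minutes; the threshold is an assumption."""
    hits = sorted(psexec_installs(events))
    if not hits:
        return set()
    hosts = {h[1] for h in hits if h[0] - hits[0][0] <= window}
    return hosts if len(hosts) >= min_hosts else set()
```

A single PsExec service install is routine admin activity on many networks; the fan-out check is what separates a one-off remote command from a burst of installs across many hosts in a few minutes.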

Potential attackers

“While common entry vectors for these threat actors include remote desktop applications and compromised credentials, we have also seen a threat actor exploit vulnerabilities in the Exchange server to gain access to the target network,” the Microsoft 365 Defender Threat Intelligence team said.

Those are the established facts; the vulnerabilities abused and the threat actors involved remain speculation for now. BleepingComputer believes the Exchange server vulnerability in question was covered by the March 2021 security advisory, which describes mitigations for ProxyLogon attacks.

When it comes to potential threat actors, two names top the list: FIN12 and DEV-0504. The former is a financially motivated group known for deploying malware and ransomware strains in the past; the latter is an affiliate group that typically deploys Stealbit to steal data.

"We note that this group added BlackCat to its list of distributed payloads as of March 2022," Microsoft said of FIN12. "Its move to BlackCat from its last used payload (Hive) is suspected to be due to public discourse on the latter's decryption methodologies."

To defend against ransomware, Microsoft suggests that businesses keep their endpoints up to date and monitor their networks for suspicious traffic. Implementing a strong cybersecurity solution is always a good idea, too.

Via: BleepingComputer
