fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft: Exchange Servers Hacked to Deploy BlackCat Ransomware

Microsoft: Exchange Servers Hacked to Deploy BlackCat Ransomware

Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities.

In at least one incident that Microsoft’s security experts observed, the attackers slowly moved through the victim’s network, stealing credentials and exfiltrating information to be used for double extortion.

Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.

“While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access,” the Microsoft 365 Defender Threat Intelligence Team said.

Also Read: Guarding against common types of data breaches in Singapore

Although it didn’t mention the Exchange vulnerability used for initial access, Microsoft links to a security advisory from March 2021 with guidance on investigating and mitigating ProxyLogon attacks.

Also, while Microsoft did not name the ransomware affiliate who deployed BlackCat ransomware in this case study, the company says several cybercrime groups are now affiliates of this Ransomware as a Service (RaaS) operation and are actively using it in attacks.

BlackCat entry via vulnerable Exchange server
Entry via vulnerable Exchange server (Microsoft)

Cybercriminals flock to BlackCat ransomware

One of them, a financially motivated cybercrime group tracked as FIN12, is known for previously deploying Ryuk, Conti, and Hive ransomware in attacks mainly targeting healthcare organizations.

However, as Mandiant revealed, FIN12 operators are much faster as they sometimes skip the data theft step and take less than two days to drop their file-encrypting payloads across a target’s network.

“We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022,” Microsoft added.

“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.”

BlackCat ransomware is also being deployed by an affiliate group tracked as DEV-0504 that typically exfiltrates stolen data using Stealbit, a malicious tool the LockBit gang provides its affiliates as part of its RaaS program.

Also Read: Upholding privacy by design principles: Why does it matter?

DEV-0504 has also used other ransomware strains starting with December 2021, including BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk.

To defend against BlackCat ransomware attacks, Microsoft advises organizations to review their identity posture, monitor external access to their networks, and update all vulnerable Exchange servers in their environment as soon as possible.

Used in hundreds of ransomware attacks 

In April, the FBI warned in a flash alert that the BlackCat ransomware had been used to encrypt the networks of at least 60 organizations worldwide between November 2021 and March 2022.

“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” the FBI said at the time.

However, the real number of BlackCat victims is most likely a lot higher given that more than 480 samples have been submitted on the ID-Ransomware platform between November 2021 and June 2022.

BlackCat activity
BlackCat activity (ID-Ransomware)

In its April alert, the FBI also asked admins and security teams who detect BlackCat activity within their networks to share any related incident info with their local FBI Cyber Squad.

Helpful information that would help track down and identify the threat actors using this ransomware in their attacks includes “IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us