fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware

Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.

ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.

These vulnerabilities are listed below and were fixed by security updates released in April and May 2021:

Since researchers disclosed the vulnerabilities, threat actors have begun to exploit them to breach servers and install web shells, coin miners, and ransomware.

Also Read: 10 Tips For Drafting Key Terms In A Service Agreement

BlackByte begins exploiting ProxyShell

In a detailed report by Red Canary, researchers analyzed a BlackByte ransomware attack where they saw them exploiting the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.

Web Shells are small scripts uploaded to web servers that allow a threat actor to gain persistence to a device and remotely execute commands or upload additional files to the server.

Example webshell
Example webshell
Source: BleepingComputer

The planted web shell is then utilized to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.

The widely abused penetration testing tool is then used for dumping credentials for a service account on the compromised system.

Finally, after taking over the account, the adversaries install the AnyDesk remote access tool and then proceed to the lateral movement stage.

BlackByte is still a severe threat

When conducting ransomware attacks, threat actors commonly use third-party tools to gain elevated privileges or deploy the ransomware on a network.

However, the actual BlackByte ransomware executable plays a central role as it handles both privilege escalation and the ability to worm, or perform lateral movement, within the compromised environment.

Also Read: How To Make A PDPC Complaint: With Its Importance And Impact

The malware sets three registry values, one for local privilege elevation, one for enabling network connection sharing between all privilege levels, and one to allow long path values for file paths, names, and namespaces.

Before encryption, the malware deletes the “Raccine Rules Updater” scheduled task to prevent last-minute interceptions and also wipes shadow copies directly through WMI objects using an obfuscated PowerShell command.

Finally, stolen files are exfiltrated using WinRAR to archive files and anonymous file-sharing platforms such as “file.io” or “anonymfiles.com.”

Although Trustwave released a decryptor for BlackByte ransomware in October 2021, it is unlikely that the operators are still using the same encryption tactics that allowed victims to restore their files for free.

As such, you may or may not be able to restore your files using that decryptor, depending on what key was used in the particular attack.

Red Canary has seen multiple “fresh” variants of BlackByte in the wild, so there’s clearly an effort from the malware authors to evade detection, analysis, and decryption.

From ProxyShell to ransomware

Exploiting ProxyShell vulnerabilities to drop ransomware is not new, and in fact, we saw something similar at the start of November by actors who deployed the Babuk strain.

The ProxyShell set has been under active exploitation from multiple actors since at least March 2021, so the time to apply the security updates is well overdue.

If that’s impossible for any reason, admins are advised to monitor their exposed systems for precursor activity such as the deletion of shadow copies, suspicious registry modification, and PowerShell execution that bypasses restriction policies.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us