
Recent AD News

FBI issues alert: A lethal ransomware that breached 60 companies

The FBI has issued a warning on the lethal BlackCat/ALPHV ransomware as a service (RaaS), which is currently on the prowl. The malware family was responsible for compromising accounts spanning over sixty organizations, with attacks running from November 2021 till March this year.

In their flash report, the FBI detailed the indicators of compromise (IOCs), the tactics, techniques and procedures (TTPs), and the mitigation strategies pertaining to a BlackCat ransomware attack. They noted that the malware “leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts.

The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.”

The disclosure came in the aftermath of reports published by Cisco Talos and Kaspersky, which revealed the nexus between the BlackCat and BlackMatter ransomware families. On April 22, an analysis of a recent BlackCat ransomware incident conducted by Forescout’s Vedere Labs revealed that the attack featured two notable techniques:

  • Breaching an Internet-exposed SonicWall firewall to gain unauthorized access to the network.
  • Shifting to and encrypting a VMware ESXi virtual farm.

For mitigations, the FBI recommended periodic data backups and reviewing domain controllers, servers, and Active Directory for unauthorized user accounts, among other measures.
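The review the FBI recommends can be scripted. The following PowerShell is an added example, not code from the FBI alert or from this article: it lists recently created domain accounts, recently modified GPOs (the alert describes ransomware being pushed through malicious GPOs) and the current membership of privileged groups, so each entry can be matched against a known change ticket. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the session has read access to the domain, and a 30-day look-back window chosen for illustration.

```powershell
# Added example (not part of the FBI alert or the article): a defender-side
# review of Active Directory for newly created accounts, recently modified
# GPOs and current privileged-group membership.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are present and
# the session can read the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumption: a 30-day look-back window; adjust to your review cadence.
$lookbackDays = 30
$cutoff = (Get-Date).AddDays(-$lookbackDays)

# 1. Users created inside the window. An intruder holding valid credentials
#    commonly adds accounts for persistence, so every entry here should map
#    to a known provisioning request.
$newUsers = Get-ADUser -Filter { whenCreated -ge $cutoff } `
    -Properties whenCreated, Enabled, Description, MemberOf |
    Select-Object SamAccountName, whenCreated, Enabled, Description,
        @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } } |
    Sort-Object whenCreated -Descending

# 2. GPOs modified inside the window. Unexpected edits are high-signal
#    because GPOs reach every domain-joined machine they are linked to.
$changedGpos = Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $cutoff } |
    Select-Object DisplayName, Id, ModificationTime, GpoStatus |
    Sort-Object ModificationTime -Descending

# 3. Membership of the most sensitive groups, expanded recursively so that
#    nested group membership does not hide an unexpected principal.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Group Policy Creator Owners'
$privilegedMembers = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ Name = 'Group'; Expression = { $group } },
                      SamAccountName, objectClass
}

"=== Users created since $($cutoff.ToString('yyyy-MM-dd')) ==="
$newUsers | Format-Table -AutoSize
"=== GPOs modified since $($cutoff.ToString('yyyy-MM-dd')) ==="
$changedGpos | Format-Table -AutoSize
"=== Privileged group membership (recursive) ==="
$privilegedMembers | Format-Table -AutoSize
```

Run it from a management host with the RSAT tools; the three tables are meant to be diffed against the previous run and against the change log, since the signal is any account, GPO edit or group member nobody can account for, not the list itself.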

