BlackByte Ransomware compromised multiple entities in US critical infrastructure sectors

The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint Cybersecurity Advisory warning of BlackByte ransomware compromising multiple organizations around the globe.

“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI and USSS stated in the advisory.

“Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files.”

Some of the ransomware victims noted the threat actors may have exploited a known Microsoft Exchange Server vulnerability to gain access to their networks.

Although specific CVEs were not called out in the advisory, readers may recall that several recent Exchange vulnerabilities, such as ProxyShell, have been exploited within the past year.

Last November, the FBI and several international government cybersecurity agencies warned that advanced persistent threat (APT) actors had been exploiting known Exchange vulnerabilities across a broad set of organizations and multiple sectors since March 2021.

In August 2021, cyberattackers were spotted scanning for and exploiting ProxyShell vulnerabilities on unpatched Microsoft Exchange servers. One of those (CVE-2021-34473) could result in remote code execution. Microsoft had previously patched the ProxyShell vulnerabilities in May 2021.

It is also noteworthy that other RaaS threat actors, such as LockBit 2.0 and BlackCat, have recently been targeting victims, as reported earlier this month.

Readers can find more details in the advisory, including indicators of compromise, mitigations, and additional cybersecurity resources.