The Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint Cybersecurity Advisory warning of BlackByte ransomware compromising multiple organizations around the globe.
“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI and USSS stated in the advisory.
“Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files.”
Some of the ransomware victims noted the threat actors may have exploited a known Microsoft Exchange Server vulnerability to gain access to their networks.
Although no specific CVEs were called out in the advisory, readers may recall that several recent Exchange vulnerabilities, such as ProxyShell, have been exploited within the past year.
Last November, the FBI and several international government cybersecurity agencies warned that advanced persistent threat (APT) actors had been exploiting known Exchange vulnerabilities across a broad set of organizations and multiple sectors since March 2021.
In August 2021, cyberattackers were spotted scanning for and exploiting ProxyShell vulnerabilities on unpatched Microsoft Exchange servers. One of those (CVE-2021-34473) could result in remote code execution. Microsoft had previously patched the ProxyShell vulnerabilities in May 2021.
Readers can find more details in the advisory, including Indicators of Compromise, mitigations and additional cybersecurity resources.