Microsoft has disclosed a new variant of the BlackCat ransomware (also known as ALPHV and Noberus) that bundles the open-source Impacket toolkit and the RemCom tool to facilitate lateral movement and remote code execution. As Microsoft's threat intelligence team put it, "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments." Impacket is a collection of Python classes for working with Windows network protocols; its secretsdump, wmiexec, smbexec and psexec modules are the ones most often abused for credential theft and remote execution. The variant also embeds RemCom, a PsExec-like hacktool, for remote code execution.
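The passage above names the capability (remote service execution via Impacket, remote code execution via RemCom) but not what it leaves behind on a host. The script below is an added example, not code from Microsoft or from the BlackCat sample: it runs a few signature rules over constructed process-creation, service-install and named-pipe events in the shape a SIEM would hold after parsing Sysmon or Windows Security logs. The artifacts it matches are the well-known defaults of Impacket's wmiexec (output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`), smbexec (service name `BTOBTO`, output file `__output` on `C$`) and RemCom (`RemComSvc` service, `RemCom_communicaton` pipe); an operator can rename these, so treat them as a starting point rather than a complete detection.

```python
import re

# Constructed sample events in a normalised shape (host, event type, a few fields
# lifted from Sysmon EID 1 / 17 and System EID 7045 records). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1690000000.12 2>&1"},
    {"host": "FS02", "event": "service_install", "service": "BTOBTO",
     "cmdline": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                r"& del %TEMP%\execute.bat"},
    {"host": "DC01", "event": "service_install", "service": "RemComSvc",
     "cmdline": r"C:\Windows\RemComSvc.exe"},
    {"host": "DC01", "event": "pipe_create", "pipe": r"\RemCom_communicaton"},
    # Benign control: an interactive cmd launched from Explorer, no loopback redirect.
    {"host": "WS03", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
]

# (rule name, event field to inspect, pattern). Patterns encode the default
# strings the tools emit; rename-able by an attacker, hence "starting point".
RULES = [
    # wmiexec: output of each command is redirected to a loopback ADMIN$ share
    # into a file named __<epoch timestamp>.
    ("impacket_wmiexec", "cmdline",
     re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
    # smbexec: a throwaway service runs a batch file that writes to C$\__output.
    ("impacket_smbexec", "cmdline",
     re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output", re.I)),
    ("impacket_smbexec", "service", re.compile(r"^BTOBTO$")),
    # RemCom: service name and the (misspelled) control pipe are hard-coded defaults.
    ("remcom_service", "service", re.compile(r"^RemComSvc$", re.I)),
    ("remcom_pipe", "pipe", re.compile(r"RemCom_communicaton", re.I)),
]


def detect(events):
    """Return (host, rule) tuples, at most one per event, in input order."""
    hits = []
    for ev in events:
        for name, field, pattern in RULES:
            value = ev.get(field)
            if value and pattern.search(value):
                hits.append((ev["host"], name))
                break  # one alert per event is enough for triage
    return hits


def affected_hosts(events):
    """Hosts that show any Impacket/RemCom artifact, for scoping containment."""
    return sorted({host for host, _ in detect(events)})


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
    print("scope:", affected_hosts(SAMPLE_EVENTS))
```

In production the same rules map directly onto Sysmon event ID 1 (`CommandLine`), event ID 17/18 (`PipeName`) and System event ID 7045 (`ServiceName`, `ImagePath`); the loopback `127.0.0.1` redirect is the most durable of these signals because it is how wmiexec and smbexec collect command output regardless of the command itself.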
RemCom has previously been used by Chinese and Iranian nation-state actors such as Dalbit and Chafer (aka Remix Kitten) to move laterally through victim environments. Microsoft first observed the new BlackCat variant in attacks carried out by a BlackCat affiliate in July 2023. The disclosure comes two months after IBM Security X-Force detailed Sphynx, an updated version of BlackCat that emerged in February 2023 with faster encryption and improved stealth.
As per IBM Security X-Force, "The BlackCat ransomware sample contains more than just ransomware functionality but can function as a 'toolkit'." The ransomware group, which began its operations in November 2021, is known for its constant evolution, recently releasing a data leak API to enhance the visibility of its attacks. According to Rapid7's Mid-Year Threat Review for 2023, BlackCat has been attributed to 212 out of a total of 1,500 ransomware attacks.
Other ransomware groups, such as Cuba (aka COLDRAW), have also been found to operate a comprehensive attack toolset, including BUGHATCH, BURNTCIGAR, Wedgecut, and the Metasploit and Cobalt Strike frameworks. One attack by the group in June 2023 reportedly exploited CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication previously exploited by the FIN7 gang, for initial access, alongside CVE-2020-1472 (Zerologon), the Netlogon elevation-of-privilege flaw that lets an attacker take over a domain controller.
Ransomware continues to be a lucrative avenue for financially motivated threat actors, with the number and sophistication of attacks in the first half of 2023 surpassing the whole of 2022. Some groups have dropped encryption altogether in favour of pure exfiltration-and-ransom operations, while others have turned to triple extortion: encrypting and stealing data, then also blackmailing a victim's employees or customers and launching DDoS attacks for added pressure.
A notable tactic involves targeting managed service providers (MSPs) to breach downstream corporate networks. This was evident in a Play ransomware campaign targeting industries such as finance, software, legal, and shipping and logistics, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The attacks leveraged "Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer's environment, bypassing the majority of its defenses," as noted by Adlumin. This allowed threat actors unrestricted, privileged access to networks. The repeated misuse of legitimate RMM software by threat actors led to the U.S. government releasing a Cyber Defense Plan to mitigate threats to the RMM ecosystem.