© 2022 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

BlackCat gang uses legitimate pen testing tool to attack its victims

BlackCat ransomware gang, using unpatched or outdated firewalls and VPNs, added Brute Ratel, a penetration testing tool, to its arsenal.

BlackCat gang emerged in November 2021 and quickly became prominent because of its unusual coding language, Rust.

The gang infiltrates vulnerable networks and systems worldwide by exploiting outdated and unpatched virtual private networks (VPNs) and firewalls.

According to the cybersecurity company Sophos, BlackCat has recently switched to the newer post-exploitation C2 framework Brute Ratel in their attacks, illustrating the innovative approach to avoid security defenses.

“What we’re seeing with BlackCat and other attacks recently is that threat actors are very efficient and effective in their work. They use tried and true methods, like attacking vulnerable firewalls and VPNs because they know these still work,” said Christopher Budd of Sophos.

As soon as December 2021, the Sophos Rapid Response team was asked to investigate at least five attacks involving BlackCat. In four incidents, the infection occurred by exploiting different firewalls. Once inside the network, attackers obtained VPN credentials, logged in as authorized users, and moved laterally throughout the systems.

According to Sophos, BlackCat also leveraged commercial and open source tools, including TeamViewer, nGrok, Cobalt Strike, and Brute Ratel, to create additional backdoors and alternative pathways for remote access to targeted systems.

Attacks occurred across the US, Europe, and Asia at large corporations. The targeted companies shared specific environmental vulnerabilities that simplified the gang’s work, including no longer updated systems, lack of multi-factor authentication for VPNs, and flat networks (where every machine can see every other device in the network.)

“The common denominator with all these attacks is that they were easy to carry out. In one instance, the same BlackCat attackers installed cryptominers a month before launching the ransomware. This latest research highlights how important it is to follow established best security practices; they still have a lot of power to prevent and thwart attacks, including multiple attacks against a single network.”

BlackCat’s latest victim

Japanese video game publisher Bandai Namco, has confirmed a cyberberattack. According to a security research group VX-Underground, BlackCat, also known as ALPHV, was behind the hack.

Like so many others in the criminal underworld, BlackCat operates a ransomware-as-a-service (RaaS) business, selling criminals malware subscriptions.

ALPHV/BlackCat was noted for the use of the Rust programming language. According to an analysis by the Microsoft 365 Defender Threat Intelligence Team, threat actors that started deploying ALPHV/BlackCat were known to work with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI believes money launderers for ALPHV/BlackCat cartel are linked to Darkside and Blackmatter ransomware cartels, indicating the group has a well-established network of operatives in the ransomware business.

Lately, ALPHV/BlackCat has been among the most active ransomware gangs. According to the cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

Cybersecurity firm Digital Shadows noted that the group’s activity increased by 117% last quarter. Only LockBit and Conti surpassed the group in the total number of victims breached over the second quarter of 2022.

Most recently, ALPHV/BlackCat ransomware was used to attack the University of Pisa. Threat actors demanded that the university administration pay $4.5 million for the release of encrypted data.

More from Cybernews:

Microsoft uncovered exploit for Sandbox escape bug

Threat actors impersonate crowdstrike

UK police arrest three using facial recognition

Ex-CIA hacker convicted of data leak

Bandai Namco confirms cyberattack

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked