The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In recent months, a cybercrime group known as Blacktail has begun to make headlines as they continue to target organizations around the globe. The group was first spotted by the Unit 42 Team at Palo Alto Networks earlier this year. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.
An interesting detail about the organization is that they do not make their own strains of malware. Rather, they opt to repurpose pre-existing strains to achieve their end goal of monetary gain. Two of the most popular tools that have been used by the cybercrime group are LockBit 3.0 for targets using Windows OS and Babuk for targets using Linux OS. Both LockBit 3.0 and Babuk are strains of ransomware that encrypt files on a victim’s machine and demand payment in exchange for decrypting the files. These tools allow Blacktail to operate using a RaaS (ransomware as a service) model which falls in line with their goal of monetary gain.
Lockbit 3.0 is the latest version of the Lockbit ransomware which was developed by the Lockbit group in early 2020. Since its launch it has been linked to over 1400 attacks worldwide. This has led to the group receiving over $75 million in payouts. This ransomware is most distributed through phishing attacks where the victim clicks on a link which starts the download process.
Babuk is a ransomware that was first discovered in early 2021. Since then, it has been responsible for many cyber-attacks that have been launched against devices using Linux OS. This strain of ransomware serves a similar purpose to Lockbit 3.0 and its main purpose is to compromise files on a victim’s machine and make them inaccessible until the ransom is paid.
Recently, this group has been seen leveraging two different exploits. The first is CVE-2023-27350 which allows attackers to bypass the authentication required to utilize the Papercut NG 22.05 on affected endpoints. They leverage this vulnerability to install programs such as Cobalt Strike, Meterpreter, Sliver, and ConnectWise. These tools are used to steal credentials and move laterally within the target network. The second vulnerability, CVE-2022-47986, which affects the IBM Aspera Faspex File Exchange system allows attackers to perform remote code execution on the target devices.
Blacktail represents a significant threat in the world of cybercrime, employing a wide range of sophisticated methods to attack its victims. From phishing and social engineering to ransomware campaigns and APT attacks, their tactics demonstrate a high level of expertise and organization. To counter such threats, individuals, businesses, and governments must prioritize cybersecurity measures, including robust firewalls, regular software updates, employee training, and incident response plans. The fight against cybercrime requires constant vigilance in order to stay one step ahead of the attackers.
Reference:
More Stories
Clever Social Engineering Attack Using Captchas
This is really interesting. It’s a phishing attack targeting GitHub users, tricking them to solve a fake Captcha that actually...
US Cyberspace Solarium Commission Outlines Ten New Cyber Policy Priorities
In its fourth annual report, the US Cyberspace Solarium Commission highlighted the need to focus on securing critical infrastructure and...
Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable
A new report by Check Point Software highlights a significant increase in cloud security incidents, largely due to a lack...
Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions
The bank giant and Quantinuum trialed the first application of quantum-secure technology for buying and selling tokenized physical gold Read...
This Windows PowerShell Phish Has Scary Potential
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who...
Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data
Infostealer malware and digital identity exposure behind rise in ransomware, researchers find Read More