This holiday season our SOC analysts have observed a sharp uptick in cyber threat activity. Specifically, they’ve seen a rise in attempted ransomware attacks, which started during the American Thanksgiving holiday period (November 25–31, 2024) and are expected to continue throughout the holiday season. We’re sharing details on the threat actors involved, their tactics, as well as recommendations to give you knowledge and tools to proactively strengthen your security against evolving threats.
Key Threat Groups
BlackSuit (formerly “Royal”)
Known for targeting critical infrastructure sectors, including healthcare, government, and manufacturing, BlackSuit employs data exfiltration, extortion, and encryption techniques, according to a Cybersecurity and Infrastructure Security Agency (CISA) advisory.
Common attack vectors include:
Phishing emails and malicious websites
Exploitation of unsecured virtual private networks (VPNs) lacking multi-factor authentication (MFA)
Disabling antivirus software to exfiltrate data before encrypting systems
Black Basta
Operating as a ransomware-as-a-service (RaaS), Black Basta affiliates have targeted over 500 entities in 2024 alone in North America, Europe, and Australia, according to CISA. Key tactics:
Vishing: Impersonating help desk technicians via phone to access networks
Using malicious remote management tools to gain entry and escalate attacks
LevelBlue Observations of Threat Actor TTPs and How to Fortify Security
In recent weeks, our SOC team has observed threat actors using the following tactics to launch attacks:
Tactic
Recommendations
Exploitation of a VPN portal that is not enforcing MFA to gain initial access
Enforce MFA for VPN connections and geo-fence your VPN portal(s)
Patch VPN devices. Historically we have observed these external-facing network appliances be compromised
The use of vishing (impersonating a “help desk” team member) to gain initial access to end-user workstations, which then gives the attacker access to the larger network (emails and text messages are also being leveraged for credential collection and malware deployment)
Two numbers LevelBlue has identified to be involved in incidents are 1-844-201-3441 and 304-718-2459
Provide employees with training and education on vishing attacks and the common lures that may be used
Implement a process of verification for both help desk employees and employees being called during legitimate IT support scenarios
Direct employees to report suspicious communications immediately to a supervisor and security leadership
The use of Rclone, WinSCP, and other file transfer tools to exfiltrate data from environments
Block the installation or execution of common attacker tools that do not have a designated function within your network, or strictly enforce the exceptions for allowing the usage
Exploitation of vulnerabilities across common software/applications to escalate privileges
Vulnerabilities for VMware, Microsoft Exchange, Microsoft SharePoint, and other self-hosted applications are being particularly targeted to gain administrator or even root access within environments
Patch software per vendor recommendations and review your organization’s vulnerability scanning and patching schedule
Maintain good records of applications and operating systems running within your environment, and enable notifications for when patch notifications, emails, or news updates come out about these applications and operating systems
The use of Remote Desktop Protocol (RDP), Window Remote Management (WinRM), and Remote Monitoring Management (RMM) tools for lateral movement
Block any external to internal RDP attempts and disable RDP on hosts that do not need it
Limit RDP and WinRM traffic from segments of the network that do not require that type of west/east traversal. This can also apply to other protocols and overall network traffic as well, stop an attacker’s lateral movement
Block the installation or execution of RMM tools that are not explicitly used by your organization. Note that RMM tools have been observed in almost every ransomware-related incident the LevelBlue SOC team has investigated. Blocking the installation or execution of these tools will significantly decrease the effectiveness of an attack
Other Proactive Cybersecurity Measures
Enhance Employee Awareness
While employees might be enjoying more festivities this time of year, it’s important to communicate the urgency of heightened vigilance during the holiday season. Educate employees on recognizing and reporting suspicious communications. And provide clear guidance on verifying IT support contacts.
Validate Security Controls and Address Potential Exposures
Stay on top of patching and ensure public-facing assets are secured through MFA. We’re here to help identify potential security gaps and exposures. Take advantage of a 30-day free trial with LevelBlue’s Vulnerability Management service.
Protect Against Malicious Sites and Emails
If you do not already have email security, secure remote access, or secure web gateway protections in place, consider adding them. LevelBlue provides flexible, managed service delivery options with a choice of leading technologies. These services can help protect employees from phishing attempts and malicious sites as well as help control and manage access to applications.
Fortify Endpoint Security
More than 75% of organizations say they have experienced at least one cyberattack due to unknown, unmanaged, or poorly managed devices.[1] LevelBlue Managed Endpoint Security with SentinelOne protects diverse endpoints, including laptops, servers, desktops, and cloud workloads, from evolving threats. Pair this service with LevelBlue Managed Threat Detection and Response to cover your entire attack surface. We also offer several tiers for an incident response retainer, giving customers access to additional response, forensics, and recovery support.
Finally, it may be tempting to let tasks linger this time of year, but as we all know, cybercriminals will use that to their advantage. Address security concerns immediately, so they do not compound and grow more severe. The holidays are a busy time for everyone, including threat actors. Use our support services during this season and beyond to fortify your cyber operations and ensure your organization remains safe.
Contact LevelBlue
info@levelblue.com
More Stories
Supply Chain Attack Targets Key Ethereum Development Tools
A new supply chain attack targets Ethereum tools, exploiting npm packages to steal sensitive data Read More
New PhishWP Plugin Enables Sophisticated Payment Page Scams
The PhishWP plugin enables scammers to create fake payment pages, stealing sensitive data via Telegram Read More
Chinese Hackers Double Cyber-Attacks on Taiwan
Taiwan’s security service said government networks faced 2.4 million attacks in 2024, most of which are attributed to Chinese state...
Privacy of Photos.app’s Enhanced Visual Search
Initial speculation about a new Apple feature. Read More
New Infostealer Campaign Uses Discord Videogame Lure
Threat actors are tricking victims into downloading malware with the promise of testing a new videogame Read More
Scammers Drain $500m from Crypto Wallets in a Year
Scam Sniffer claims that threat actors used wallet drainers to steal $494m from victims in 2024 Read More