
Rheinmetall Hit by BlackBasta Ransomware: Disruption to Arms Production

Arms manufacturer Rheinmetall has recently confirmed that it fell victim to a ransomware attack orchestrated by the BlackBasta ransomware group. The cyberattack has caused significant disruption to the company's operations, including its arms production capabilities.

Rheinmetall, a prominent German defense contractor, specializes in manufacturing a wide range of military and security equipment. The attack on such a high-profile player in the defense industry underscores the growing threat of ransomware attacks targeting critical infrastructure and sensitive sectors.

The BlackBasta ransomware group, known for its aggressive tactics and targeting of large organizations, has been identified as the perpetrator of the attack. The group employs sophisticated techniques to infiltrate and encrypt the victim's systems, demanding a ransom payment in exchange for the decryption keys.

Rheinmetall has not disclosed the ransom amount demanded or whether it has entered negotiations. The incident nonetheless illustrates the damage a ransomware attack can do to a critical industry: operational disruption and financial loss.

The immediate consequences of the attack have been felt within Rheinmetall's production facilities, causing delays and interruptions to ongoing arms manufacturing processes. The company has initiated an extensive investigation to assess the extent of the breach and mitigate any potential long-term damage to its operations and reputation.

In response to the attack, Rheinmetall has taken immediate measures to contain the breach and secure its systems. It has engaged external cybersecurity experts to assist in the recovery process and strengthen its defenses against future threats. Additionally, the company has implemented stringent security protocols and is enhancing employee training on cybersecurity best practices.

The incident involving Rheinmetall serves as a stark reminder to organizations across all sectors of the critical importance of maintaining robust cybersecurity measures. Ransomware attacks continue to evolve in sophistication and scale, targeting both public and private entities. The consequences of a successful attack can be severe, ranging from financial losses to reputational damage and even threats to national security.

Organizations must adopt a proactive approach to cybersecurity, including regular system updates, robust backup procedures, and comprehensive incident response plans. By prioritizing cybersecurity measures, organizations can minimize the risk of falling victim to ransomware attacks and other cyber threats.

Cyberattack by Black Basta Gang Using Qakbot Malware

 


In an aggressive and widespread campaign, the Black Basta ransomware group is using Qakbot malware (also referred to as QBot or Pinkslipbot) as its initial vector of compromise, delivered as an .IMG disk image file. The campaign has hit 10 to 15 different customers over the last two weeks, most of them US-based companies.

In a threat advisory published on November 23, the Cybereason Global SOC (GSOC) states that infection typically begins with spam or phishing emails containing malicious links. Black Basta relies on Qakbot to establish and maintain a presence on victims' networks, and malicious URLs are its primary method of spreading the infection.

"The Black Basta ransomware gang is using Qakbot malware to construct an initial point of entry within a target organization's network, allowing it to move laterally and further infiltrate the network," according to the report. 

Several groups have extended Qakbot with additional modules that provide information theft, backdoor access, and download of further payloads. Qakbot has also changed how it delivers its payload: it no longer uses JavaScript and instead uses Visual Basic.

Researchers noted that after compromising the domain controller, the threat actor used Cobalt Strike to obtain remote access to the server and collect data from it. The attacker then deployed the ransomware, disabling security controls such as intrusion detection and prevention systems and anti-virus software.

The report highlights the speed of these attacks as one of their most concerning aspects: in the observed cases the threat actor obtained domain administrator privileges within about two hours of initial access and deployed ransomware within roughly half a day.

GSOC also observed that in more than one attack the threat actor disabled DNS services, locking the victim out of its own network and making recovery harder.

"Taking all of these observations into consideration, we recommend that security and detection teams keep an eye out for this campaign, which can quickly deteriorate IT infrastructure," the report reads. 

Organizations are advised to take proactive measures such as identifying and blocking malicious network connections, resetting Active Directory access, engaging in incident response efforts, and cleaning up compromised machines, as described in the report. 


Adding capabilities to Qakbot's operations 


There has been an uptick in operations by the Qakbot group lately. Over the past couple of years, they have infected systems, installed attack frameworks, and sold access to other groups, including the Black Basta group. 

As the group expands its access-as-a-service operation, it has compromised hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, enabling further attacks.

Several Qakbot operators have been observed using DLL sideloading to deliver malware. In this technique a legitimate, often signed, executable is placed in the same directory as a malicious DLL that carries the name of a library the executable expects to load; because a trusted process ends up running the attacker's code, the activity is less likely to be detected.
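The following is an added detection example, not code from the Cybereason advisory or from the Qakbot or Black Basta tooling. It scans image-load records shaped like Sysmon Event ID 7 (fields `Image`, `ImageLoaded`, `Signed`) for the sideloading pattern just described: a DLL whose name matches a commonly sideloaded Windows library loading from outside the system directories, sitting beside the executable that loaded it and/or unsigned. The candidate DLL list and the sample events are constructed for illustration.

```python
"""Flag image-load events that look like DLL sideloading.

Added example over constructed Sysmon Event ID 7 style records.
The candidate-DLL list is illustrative, not exhaustive.
"""

# DLLs that many applications resolve by bare name (and therefore search
# their own directory for first), making them common sideloading targets.
SIDELOAD_CANDIDATES = {
    "version.dll", "wininet.dll", "dwmapi.dll", "winhttp.dll",
    "cryptbase.dll", "userenv.dll", "msimg32.dll", "wtsapi32.dll",
}

# Where genuine copies of those DLLs are expected to load from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _split(win_path: str):
    """Split a Windows path into (directory, filename), both lower-cased."""
    directory, _, name = win_path.lower().rpartition("\\")
    return directory, name


def classify_load(event: dict):
    """Return a reason string if the event looks like sideloading, else None."""
    exe_dir, _ = _split(event["Image"])
    dll_dir, dll_name = _split(event["ImageLoaded"])
    if dll_name not in SIDELOAD_CANDIDATES:
        return None
    if event["ImageLoaded"].lower().startswith(TRUSTED_DIRS):
        return None  # the real system copy; nothing to see
    reasons = []
    if dll_dir == exe_dir:
        reasons.append("dll sits beside the loading executable")
    if event.get("Signed", "").lower() == "false":
        reasons.append("dll is unsigned")
    if not reasons:
        return None
    return f"{dll_name} loaded by {event['Image']}: " + "; ".join(reasons)


def find_sideloads(events):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for event in events:
        reason = classify_load(event)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: a signed application loads the genuine system DLL
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true",
    },
    {   # sideload shape: a binary dropped in a user-writable directory loads
        # an unsigned version.dll from that same directory
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
        "Signed": "false",
    },
    {   # ordinary unsigned helper DLL with a non-system name: ignored here
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
        "Signed": "false",
    },
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding)
```

The name list is the tuning knob: it keeps the check quiet on the many legitimate unsigned DLLs that applications ship, at the cost of missing a sideload that targets a library not on the list, so it should be extended from your own environment's loader telemetry.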

Black Basta has been linked to FIN7 


Black Basta, one of the most prolific ransomware families of recent years, offers its ransomware as a service on underground forums in several countries, so multiple operators may have Black Basta in their toolkits. That makes attributing any given attack to a particular operator difficult. 

The group has been operating since at least February 2022, but its existence was not publicly identified until about two months later. Its Linux build targets VMware ESXi hosts, encrypting the virtual machine files stored in a specific volumes folder. The group operates globally and mainly targets organizations in English-speaking countries. 

Black Basta is one of the most prominent cybercrime operations that has emerged recently, and according to researchers at SentinelOne, it has been associated with FIN7, a group of financially motivated cybercriminals estimated to have stolen well over $1.2 billion since its inception in 2012.

IBM X-Force Finds New Ransomware Group Black Basta

IBM Security X-Force has been tracking Black Basta, a ransomware gang that first surfaced in April 2022. So far the group has claimed more than 29 victims across a range of industries, using double extortion: the attackers steal data before executing the ransomware and threaten to publish it unless the ransom is paid. 

The stolen data is published on a leak site hosted on the Tor network, and the group releases it progressively to pressure the victim into paying. The operation still appears to be in its early stages: X-Force has found no evidence of the group distributing its malware or recruiting affiliates on underground forums or the dark web. 

Because of operational similarities and the absence of affiliate recruitment, experts believe Black Basta may be a new incarnation of the Conti gang, an established ransomware operation with many affiliates. Conti, however, recently stated that it has no links to Black Basta. X-Force is still investigating the relationship between the two. 

Black Basta operates at a very high pace; by the time defenders are alerted, the damage is often already done. Experts say the group does not appear to target specific industries or verticals, but organizations that hold large volumes of data such as personally identifiable information (PII), financial credentials, and other sensitive information are natural targets for extortion attacks.  

Concerned users can read IBM X-Force Definitive Guide to Ransomware and follow some basic guidelines:

  • Maintain routine backups, both online and offline; a robust backup mechanism is what makes recovery from a ransomware attack possible. 
  • Build a plan to detect and block unauthorized data exfiltration, particularly large uploads to trusted cloud platforms that threat actors may abuse. 
  • Apply user behavior analytics to predict security incidents. If an alert fires, assume a breach has occurred: audit, monitor, and act quickly on activity associated with privileged accounts and groups. 
  • Require two-factor authentication on every remote access point into the organization's network, with particular attention to disabling or securing Remote Desktop Protocol (RDP) access. Many past ransomware attacks gained their initial foothold by exploiting weak RDP access.