The BlackByte ransomware group is now breaking into corporate networks by exploiting the ProxyShell vulnerabilities, patched by Microsoft in April and May 2021, to install web shells, cryptocurrency miners, and ransomware on compromised Microsoft Exchange servers. Web shells are short scripts uploaded to a web server that let a threat actor maintain persistence on the device, execute commands remotely, and upload additional files. ProxyShell is the name given to a group of three Microsoft Exchange vulnerabilities that, when chained together, allow unauthenticated remote code execution on the server.

The planted web shells are used to drop a Cobalt Strike beacon on the server, which is then injected into the Windows Update Agent process and used to dump the credentials of a service account on the compromised system. Once the attackers control that account, they install the AnyDesk remote access tool and move on to the lateral movement stage.

In ransomware attacks, threat actors typically rely on third-party tools to gain elevated privileges or deliver malware across a network. In this case, however, the BlackByte ransomware executable itself handles both privilege escalation and worming through the compromised environment. The malware modifies three registry settings: one for local privilege elevation, one that enables network connection sharing between all privilege levels, and one that allows long path values for file paths, names, and namespaces.

To avoid last-minute interception, the malware deletes the "Raccine Rules Updater" scheduled task (Raccine is an open-source tool that intercepts the usual shadow-copy deletion commands) and then, using an obfuscated PowerShell command, wipes shadow copies directly through WMI objects before encryption begins. Finally, the malware archives files with WinRAR and exfiltrates them through anonymous file-sharing platforms such as file.io or anonymfiles.com.
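The registry changes, the Raccine task deletion, the WMI shadow-copy wipe, the WinRAR staging and the uploads to anonymous file-sharing sites all leave host telemetry, so the following is a detection example that runs a small rule set over Sysmon-style events. It is added here and is not code from the original article or from any vendor report. The registry value names are an assumption: they are the standard Windows settings that match the article's three descriptions, not names the article gives. The event records, file paths and hostnames are constructed for the example. Because the article notes that the shadow-copy wipe is issued through an obfuscated PowerShell command, the rules first decode any -EncodedCommand payload and match on the decoded text rather than on the raw command line.

```python
"""Detection rules for the BlackByte post-exploitation stages described above.

Added example: not code from the original article or from any vendor report.
Every event below is constructed for this example, not captured from a host.
"""
import base64
import re

# Assumption: these are the standard Windows registry values that match the
# article's three descriptions (local privilege elevation, connection sharing
# across privilege levels, long path support). Only a set to 1 is interesting.
SUSPICIOUS_REG_VALUES = (
    r"Policies\System\LocalAccountTokenFilterPolicy",
    r"Policies\System\EnableLinkedConnections",
    r"Control\FileSystem\LongPathsEnabled",
)

# Anonymous file-sharing services named in the article as exfiltration channels.
EXFIL_HOSTS = {"file.io", "anonymfiles.com"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_powershell(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    rules can match on the real command instead of the obfuscated wrapper."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE: keep the raw line
    return f"{cmdline} <decoded: {decoded}>"


def classify_process(cmdline):
    """Return the names of every process-creation rule the command line trips."""
    text = decode_powershell(cmdline).lower()
    hits = []
    # Raccine's scheduled task keeps its interception rules fresh; deleting it
    # is a tell that the actor expects to wipe shadow copies next.
    if "schtasks" in text and "/delete" in text and "raccine rules updater" in text:
        hits.append("raccine_task_deleted")
    # Shadow-copy deletion through the WMI class instead of vssadmin.exe.
    if "win32_shadowcopy" in text and "delete" in text:
        hits.append("shadow_copy_wipe_wmi")
    # WinRAR invoked with the 'a' (add to archive) command: staging for exfil.
    if re.search(r'(?:^|\\)(?:winrar|rar)\.exe"?\s+a\b', text):
        hits.append("winrar_staging")
    return hits


def detect(events):
    """Run all rules over Sysmon-style events and return (rule, RecordID) pairs
    in event order. Event IDs: 1 process create, 3 network, 13 registry set."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:
            target = ev.get("TargetObject", "")
            if any(target.endswith(v) for v in SUSPICIOUS_REG_VALUES) \
                    and ev.get("Details", "").endswith("(0x00000001)"):
                findings.append(("blackbyte_registry_prep", ev["RecordID"]))
        elif eid == 1:
            for rule in classify_process(ev.get("CommandLine", "")):
                findings.append((rule, ev["RecordID"]))
        elif eid == 3 and ev.get("DestinationHostname", "").lower() in EXFIL_HOSTS:
            findings.append(("anonymous_file_share_exfil", ev["RecordID"]))
    return findings


# Constructed sample: the obfuscated shadow-copy wipe is built here so the
# decoder has a realistic payload to work on.
_WMI_WIPE = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
_ENCODED = base64.b64encode(_WMI_WIPE.encode("utf-16-le")).decode()

_POL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [  # constructed; paths and hostnames are hypothetical
    {"RecordID": 1, "EventID": 13, "TargetObject": _POL + r"\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 2, "EventID": 13, "TargetObject": _POL + r"\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 3, "EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 4, "EventID": 1,
     "CommandLine": 'schtasks.exe /DELETE /TN "Raccine Rules Updater" /F'},
    {"RecordID": 5, "EventID": 1,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"RecordID": 6, "EventID": 1,
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\Public\out.rar C:\Finance'},
    {"RecordID": 7, "EventID": 3, "DestinationHostname": "file.io", "DestinationPort": 443},
    {"RecordID": 8, "EventID": 1, "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},  # benign
    {"RecordID": 9, "EventID": 13,  # benign: value reset to 0, not 1
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, record in detect(SAMPLE_EVENTS):
        print(f"record {record}: {rule}")
```

Each rule on its own is noisy in a real estate (administrators do enable long paths, and WinRAR is common), so the value is in the sequence: all three registry values flipped to 1 by the same image, followed within minutes by the Raccine task deletion and a WMI shadow-copy wipe, is the pre-encryption signature worth paging on, and the anonymous file-sharing connections are the indicator that exfiltration has already started.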