FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year’s most prolific ransomware families.

That’s the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.

A Collection of Custom Tools

SentinelOne’s investigation into Black Basta’s activities also unearthed new information about the threat actor’s attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim’s Active Directory environment.

They found Black Basta operators are exploiting last year’s PrintNightmare vulnerability in the Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in the Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging “NoPac,” an exploit that combines two critical design flaws in Active Directory from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from an ordinary domain user all the way to domain administrator.

SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .NET assemblies, SoftPerfect’s network scanner, and WMI. It’s after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators.
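The reconnaissance stage described above is where defenders get their first clean look at the intrusion, and the article notes that the AdFind copy used in these attacks is obfuscated, so matching on the file name alone is unreliable. The following is an added example (not code from the article, from SentinelOne, or from any vendor mentioned) that flags Active Directory reconnaissance in process-creation telemetry by looking at the command-line arguments as well as the image name. It assumes events are dicts with `image` and `command_line` fields, roughly the shape of a Sysmon or EDR process-creation record; the event samples and the `upd.exe` file name are constructed for the example.

```python
"""Flag Active Directory reconnaissance in process-creation telemetry.

Added example, not code from the original article or from SentinelOne.
Assumption: each event is a dict with 'image' (full path) and
'command_line' fields. The sample events below are constructed.
"""
import re
from typing import Dict, List, Tuple

# AdFind switches and LDAP filters that commonly appear in AD enumeration.
# A renamed or obfuscated AdFind binary still has to pass these arguments,
# so the command line is a more stable signal than the image name.
ADFIND_ARG_PATTERNS = {
    "adfind-trustdmp": re.compile(r"-sc\s+trustdmp\b", re.I),
    "adfind-ldap-filter": re.compile(
        r"objectcategory=(person|computer|group|subnet|organizationalunit)", re.I
    ),
    "adfind-subnets": re.compile(r"(^|\s)-subnets\b", re.I),
    "adfind-gcb": re.compile(r"(^|\s)-gcb\b", re.I),
}

# WMI queries that enumerate domain membership, accounts, or processes.
WMI_RECON_PATTERN = re.compile(
    r"\b(computersystem|useraccount|group|ntdomain|process)\s+(get|list)\b", re.I
)

# Recon tools named in the article's description of the chain, by file name.
KNOWN_RECON_IMAGES = {"adfind.exe", "netscan.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like AD/network recon."""
    reasons: List[str] = []
    # Take the file name from a Windows path; lower-case for comparison.
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("command_line", "")

    if image in KNOWN_RECON_IMAGES:
        reasons.append(f"known-recon-image:{image}")
    for name, pattern in ADFIND_ARG_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(name)
    if image == "wmic.exe" and WMI_RECON_PATTERN.search(cmd):
        reasons.append("wmi-domain-recon")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: a renamed AdFind, a WMI domain query,
# benign activity, a network scanner, and an un-renamed AdFind trust dump.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\Temp\\upd.exe",
     "command_line": 'upd.exe -f "(objectcategory=person)" -gcb'},
    {"image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "command_line": "wmic computersystem get domain"},
    {"image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"image": "C:\\Users\\user\\Downloads\\netscan.exe",
     "command_line": "netscan.exe"},
    {"image": "C:\\Users\\user\\adfind.exe",
     "command_line": "adfind.exe -sc trustdmp"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

The first sample is the case the article's observation is about: the binary has been renamed, but the LDAP filter and the `-gcb` switch still give it away. In production the rules would be fed from the SIEM or EDR's process-creation stream rather than an inline list, and the WMI rule in particular needs tuning against an environment's own administrative baseline.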

“We assess it is highly likely the Black Basta ransomware operation has ties with FIN7,” SentinelOne’s SentinelLabs said in a blog post on Nov. 3. “Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.”

A Sophisticated Ransomware Threat

The Black Basta ransomware operation emerged in April 2022 and had claimed at least 90 victims by the end of September. Trend Micro described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique, in which the threat actors first exfiltrate sensitive data from the victim environment before encrypting it.

In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, placing it second behind LockBit, which continued to be by far the most prevalent ransomware threat with a 35% share of all victims, according to Digital Shadows.

“Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector,” says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. “The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation.”

FIN7 has been a thorn in the side of the security industry for a decade. The group’s initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV. 

“So, it would not be surprising to see yet another potential association,” this time with FIN7, Hoffman says. “However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together.”

According to SentinelLabs, some of the tools the Black Basta operation uses in its attacks suggest that FIN7 is trying to separate its new ransomware activity from its old one. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.
