Microsoft Exchange servers hacked to deploy BlackByte ransomware


The BlackByte ransomware gang is now attacking corporate networks by exploiting Microsoft Exchange servers using ProxyShell vulnerabilities.

ProxyShell is the name of a set of three Microsoft Exchange vulnerabilities that allow unauthenticated remote code execution on the server when chained.

These vulnerabilities are listed below and have been addressed by security updates released in April and May 2021:

Since researchers disclosed the vulnerabilities, threat actors have started exploiting them to breach servers and install web shells, coin miners, and ransomware.

BlackByte starts using ProxyShell

In a detailed report from Red Canary, researchers analyzed a BlackByte ransomware attack in which the attackers exploited ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.

Web shells are small scripts uploaded to web servers that allow a malicious actor to gain persistence on a device and remotely execute commands or upload additional files to the server.


The dropped web shell is then used to deploy a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.

The widely abused penetration testing tool is then used to dump the credentials of a service account on the compromised system.

Finally, after taking over the account, the adversaries install the AnyDesk remote access tool and then move on to the lateral movement stage.

BlackByte is still a serious threat

When carrying out ransomware attacks, malicious actors typically use third-party tools to gain elevated privileges or deploy the ransomware over a network.

However, the BlackByte ransomware executable plays a central role, as it handles both privilege escalation and the ability to worm through, or move laterally within, the compromised environment.

The malware sets three registry values: one for local elevation of privilege, one to enable network connection sharing between all privilege levels, and one to allow long path values for file paths, names, and namespaces.

Prior to encryption, the malware removes the “Raccine Rules Updater” scheduled task to prevent last-minute interception and also clears shadow copies directly through WMI objects using an obfuscated PowerShell command.

Finally, stolen files are exfiltrated using WinRAR to archive files and anonymous file sharing platforms such as “” or “”.

Although Trustwave released a decryptor for the BlackByte ransomware in October 2021, operators are unlikely to still use the same encryption tactics that allowed victims to restore their files for free.

As such, you may or may not be able to restore your files using this decryptor, depending on the key used in the particular attack.

Red Canary has seen several “new” variants of BlackByte in the wild, so there is clearly an effort by malware writers to evade detection, analysis, and decryption.

From ProxyShell to ransomware

Exploiting the ProxyShell vulnerabilities to drop ransomware is nothing new; in fact, we saw something similar in early November from the actors who deployed the Babuk strain.

The ProxyShell bundle has been actively exploited by multiple threat actors since at least March 2021, so it is high time to apply the security updates.

If this is not possible for some reason, administrators are advised to monitor their exposed systems for any precursor activity, such as deletion of shadow copies, suspicious modification of the registry, and PowerShell execution that bypasses execution-restriction policies.
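As an added illustration of that monitoring advice (example code written for this article, not from Red Canary's report or any product), the following triage function scans already-collected endpoint events for the precursors described above: the three registry values, removal of the Raccine scheduled task, shadow copy deletion via WMI or vssadmin, and PowerShell launched with policy bypass or an encoded command. The event dictionaries and their field names are a constructed schema for this example, and the mapping of the three registry values to LocalAccountTokenFilterPolicy, EnableLinkedConnections and LongPathsEnabled is an assumption based on the article's description.

```python
import re

# Assumed mapping of the three registry values the article describes
# (elevation, linked connections across privilege levels, long paths).
REGISTRY_PRECURSORS = {
    "LocalAccountTokenFilterPolicy": "local elevation of privilege",
    "EnableLinkedConnections": "connection sharing across privilege levels",
    "LongPathsEnabled": "long path support",
}
# Shadow copy deletion through WMI objects or the vssadmin utility.
SHADOW_COPY_RE = re.compile(
    r"Win32_ShadowCopy.*(?:Delete|Remove-WmiObject)|vssadmin.*delete\s+shadows", re.I)
# PowerShell started with a policy bypass or an encoded (obfuscated) command.
PS_BYPASS_RE = re.compile(
    r"-(?:ExecutionPolicy|ep)\s+bypass|-(?:EncodedCommand|enc|e)\s+[A-Za-z0-9+/=]{8,}", re.I)
RACCINE_TASK = "raccine rules updater"


def flag_precursors(events):
    """Return (category, evidence) tuples for each precursor found in the events."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "RegistrySet":
            name = ev["path"].rsplit("\\", 1)[-1]
            if name in REGISTRY_PRECURSORS and ev.get("value") == 1:
                findings.append(("registry", f"{name} set to 1 ({REGISTRY_PRECURSORS[name]})"))
        elif kind == "TaskDeleted" and RACCINE_TASK in ev["task"].lower():
            findings.append(("task", f"scheduled task removed: {ev['task']}"))
        elif kind in ("ProcessCreate", "ScriptBlock"):
            text = ev.get("cmdline") or ev.get("text") or ""
            if SHADOW_COPY_RE.search(text):
                findings.append(("shadow_copy", text))
            if PS_BYPASS_RE.search(text):
                findings.append(("powershell_bypass", text))
    return findings


# Constructed sample events (not from a real incident); two are benign controls.
SAMPLE_EVENTS = [
    {"type": "RegistrySet", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy", "value": 1},
    {"type": "RegistrySet", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections", "value": 1},
    {"type": "RegistrySet", "path": r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled", "value": 1},
    {"type": "RegistrySet", "path": r"HKCU\Software\Contoso\Theme\DarkMode", "value": 1},
    {"type": "TaskDeleted", "task": r"\Raccine Rules Updater"},
    {"type": "ProcessCreate", "cmdline": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBX"},
    {"type": "ScriptBlock", "text": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"type": "ProcessCreate", "cmdline": r"powershell.exe -File C:\ops\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for category, evidence in flag_precursors(SAMPLE_EVENTS):
        print(f"[{category}] {evidence}")
```

In a live deployment the same function would be fed from Sysmon or EDR telemetry (registry set, scheduled task and process/script block events) rather than the inline list, and the order of hits seen here (registry changes, task removal, then shadow copy deletion) matches the sequence the article describes.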
