
Evolution of the LockBit Ransomware operation relies on new techniques


Experts documented the evolution of the LockBit ransomware that leverages multiple techniques to infect targets and evade detection.

The Cybereason Global Security Operations Center (GSOC) Team published a Cybereason Threat Analysis Report that investigates this part of the threat landscape and provides recommendations for mitigating the attacks.

The researchers focused on the evolution of the LockBit ransomware: they detailed two infections from two very different time periods, which together highlight how the operation has changed.

In both cases the affiliates used multiple techniques to infect the target systems, and the analysis shows that the operators keep improving the techniques they use to disable endpoint detection and response (EDR) tools and other security solutions.

“LockBit operates on a RaaS (Ransomware as a Service) model. The affiliates that use LockBit’s services conduct their attacks according to their preference and use different tools and techniques to achieve their goal. As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities.” reads the analysis published by the experts.

The LockBit RaaS lets affiliates use the gang's existing ransomware tooling and infrastructure to carry out their own attacks in exchange for a percentage of every ransom payment.

In the first attack documented by the researchers, which took place in Q4 2021, the affiliates working with the LockBit gang used their own malware and tools to compromise the targets. In most of the infections analyzed by the researchers, the threat actors gained initial access by exploiting a misconfigured service, most commonly an RDP port exposed to the internet.

Lockbit 2.0 attack chain 1

“In other cases, affiliates would use a more traditional phishing email that will allow them to remotely connect to a network via an employee’s computer, or utilize malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.” continues the report.

Once the threat actors had established an initial foothold on the compromised network, they began reconnaissance and credential extraction with tools such as Mimikatz and Netscan.

The second infection detailed by the researchers took place in Q2 2022. The report walks through each stage of the attack: initial compromise, lateral movement, persistence, privilege escalation and, finally, ransomware deployment.

The attackers used net.exe to create a domain account and elevate it to "domain administrator" privileges, then used those accounts to maintain persistence and spread across the victim's network.

The researchers also noticed the use of Ngrok, a legitimate reverse-proxy tool that opens an outbound tunnel so that the attackers can reach servers located behind the victim's firewall from the outside.

The threat actors also infected additional machines on the target network with "Neshta," a file infector that injects its malicious code into targeted executable files.
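Both the net.exe account creation and the Ngrok tunnel described above leave a clear trace in process-creation telemetry. The following Python is an added example written for this article; it is not code from the Cybereason report or from Security Affairs. It runs a small set of detection rules over constructed Sysmon-style process-creation records (Event ID 1 field names: Image, ParentImage, User, CommandLine) and then correlates the freshly created account with the processes it later runs. The account name "helpdesk2", the host and share names, and the tunnelled port 3389 are assumptions made up for the sample data.

```python
"""Detection sketch for net.exe account creation/privilege escalation and
Ngrok tunnelling, run over constructed Sysmon-style process-creation records.

Added example for this article, not code from the Cybereason report.
Field names mirror Sysmon Event ID 1; account, host and port values in the
sample data are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    user: str
    command_line: str


# Constructed sample telemetry (not real logs): the affiliate creates a domain
# account, promotes it, and the new account then launches an Ngrok TCP tunnel.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\svc-backup", "CommandLine": "net user helpdesk2 P@ssw0rd! /add /domain"},
    {"Image": r"C:\Windows\System32\net1.exe", "ParentImage": r"C:\Windows\System32\net.exe",
     "User": r"CORP\svc-backup", "CommandLine": 'net1 group "Domain Admins" helpdesk2 /add /domain'},
    {"Image": r"C:\Users\Public\ngrok.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\helpdesk2", "CommandLine": "ngrok.exe tcp 3389"},  # port is an assumption
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\admin.jdoe", "CommandLine": r"net use Z: \\fs01\share"},  # benign admin use
]

NET_BINARIES = {"net.exe", "net1.exe"}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps a quoted group name as one token


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _argv(cmd: str) -> list[str]:
    return [t.strip('"') for t in _TOKEN_RE.findall(cmd)]


def detect(event: dict) -> list[Alert]:
    """Return the alerts raised by a single process-creation record."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    user = event.get("User", "?")
    argv = [t.lower() for t in _argv(cmd)]
    alerts: list[Alert] = []

    if image in NET_BINARIES and len(argv) >= 3:
        verb, target, flags = argv[1], argv[2], set(argv[3:])
        # net user <name> <password> /add [/domain]  -> new account
        if verb == "user" and "/add" in flags:
            scope = "domain" if "/domain" in flags else "local"
            alerts.append(Alert(f"{scope}_account_created", user, cmd))
        # net group "Domain Admins" <name> /add  -> privilege escalation
        elif verb in ("group", "localgroup") and "/add" in flags and target in PRIVILEGED_GROUPS:
            alerts.append(Alert("privileged_group_addition", user, cmd))

    # Any Ngrok execution on a domain-joined host is worth an alert on its own.
    if "ngrok" in image:
        alerts.append(Alert("ngrok_tunnel", user, cmd))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    return [a for e in events for a in detect(e)]


def rule_names(events: list[dict]) -> list[str]:
    return [a.rule for a in scan(events)]


def correlate(events: list[dict]) -> list[str]:
    """Tie accounts created earlier in the log to processes they later run;
    this is how the new admin account shows up driving the Ngrok tunnel."""
    created: set[str] = set()
    findings: list[str] = []
    for e in events:
        account = e.get("User", "").split("\\")[-1].lower()
        if account in created and _basename(e.get("Image", "")) not in NET_BINARIES:
            findings.append(f"{e['User']} (created earlier in this log) ran: {e['CommandLine']}")
        for a in detect(e):
            if a.rule.endswith("_account_created"):
                created.add(_argv(a.command_line)[2].lower())
    return findings


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.user}: {alert.command_line}")
    for line in correlate(SAMPLE_EVENTS):
        print("CORRELATED:", line)
```

The rules key on the binary name and the parsed argument vector rather than on a substring match, so `net use` and `net user ... /delete` do not fire, while `net1.exe` (which net.exe hands most subcommands to) is covered as well. In a real pipeline the created-account set would be keyed per domain and persisted across log batches.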

“At this point, the LockBit affiliate had completed all the necessary steps to execute the LockBit payload and commence encryption:

  • Persistence on the network through multiple infected machines
  • Access to top-privilege accounts
  • Collected and exfiltrated victim data 
  • List of most assets through network discovery and scans” concludes the report.

Lockbit 2.0 attack chain 2

The report also includes Indicators of Compromise (IoCs) and a MITRE ATT&CK mapping of the observed techniques.

Recently, the LockBit ransomware operation released LockBit 3.0, which introduced important novelties such as a bug bounty program, Zcash payments, and new extortion tactics. The gang has been active since at least 2019 and is today one of the most active ransomware operations.


Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)
