BlackByte ransomware group is leveraging a newly discovered VMware ESXi vulnerability and VPN access to launch a new wave of attacks. Cisco Talos reveals the group’s tactics, urging organizations to patch systems, implement MFA, and enhance security measures to mitigate risk.
The notorious BlackByte ransomware group is at it again, employing new tactics to target businesses worldwide. Recent investigations by Cisco Talos have revealed that the group is now actively exploiting a recently patched vulnerability in VMware ESXi hypervisors, demonstrating their ability to quickly adapt to new exploits and security vulnerabilities.
The vulnerability in discussion is identified as CVE-2024-37085, which allows attackers to bypass authentication and gain control of vulnerable systems. However, in addition to exploiting this vulnerability, BlackByte has also been observed using a victim’s authorized remote access mechanism, such as a VPN, instead of relying on commercial remote administration tools. This strategy allows them to operate with less visibility and potentially evade security monitoring systems.
Another alarming development is the group’s use of stolen Active Directory credentials to self-propagate their ransomware. This means that they can spread the infection within a network much faster and more efficiently, increasing the damage potential.
According to Cisco Talos’s research shared with Hackread.com ahead of publishing on Wednesday, August 28, 2024, researchers believe that BlackByte is more active than their public data leak site suggests. The site only displays a small fraction of the attacks they have successfully launched, potentially masking the true extent of their operations.
Here are the 5 top most targeted industries targeted by the BlackByte ransomware group:
- Manufacturing
- Transportation/Warehousing
- Professionals, Scientific & Technical Services
- Information Technology
- Public Administration
Nevertheless, researchers have urged organizations to prioritize patching systems, including VMware ESXi hypervisors, implement multi-factor authentication (MFA) for all remote access and cloud connections, VPN configurations should be audited, and access to critical network segments should be restricted.
It is also important to limit or disable the use of NTLM by opting for more secure authentication methods. Deploying reliable endpoint detection and response (EDR) solutions can greatly improve security.
Additionally, a comprehensive security strategy should include proactive threat intelligence and incident response capabilities to effectively protect systems against threats like BlackByte and similar attacks.
