BlackByte Ransomware Exploits New VMware ESXi Vulnerability in Latest Attack
On August 28, 2024, Cisco Talos Incident Response (Talos IR) released a detailed threat spotlight report on the BlackByte ransomware group, revealing the group's adaptation of newly disclosed vulnerabilities to enhance their attack capabilities.
Introduction
The Talos IR report highlights BlackByte's use of an authentication bypass vulnerability in VMware ESXi, CVE-2024-37085, to propagate its ransomware, alongside the group's established method of disabling security protections by loading vulnerable drivers.
Report Overview
BlackByte, a ransomware-as-a-service (RaaS) group believed to be an offshoot of the notorious Conti group, has been active since mid-2021. The group is known for strategically using vulnerable drivers to evade security controls, deploying self-propagating ransomware, and leveraging legitimate system binaries as part of its attack chain. Over time, BlackByte has consistently refined its tradecraft, incorporating a mix of Go, .NET, and C++ languages in their ransomware binaries to improve resilience against detection.
In a recent investigation by Talos IR, BlackByte attackers gained initial access to a victim's network using valid credentials via the organization's VPN. Telemetry limitations obscured exactly how these credentials were obtained, but Talos IR speculates that brute-force attacks or previously compromised credentials may have played a role. The compromised account had a weak password and a primary naming convention, and it lacked multi-factor authentication (MFA), which facilitated the attack.
After establishing initial access, the attackers escalated privileges by compromising Domain Admin-level accounts. These accounts were used to gain control over VMware ESXi hypervisors by exploiting CVE-2024-37085. This authentication bypass vulnerability allows attackers to elevate privileges on ESXi hosts. Within days of the vulnerability's disclosure, BlackByte had incorporated it into their attack arsenal, demonstrating their agility in adapting to new opportunities.
Talos IR observed that BlackByte's ransomware binary, now updated to append the file extension "blackbytent_h" to encrypted files, deploys four vulnerable drivers during execution. This marks an increase from the previously observed two or three drivers, highlighting the group's ongoing efforts to enhance their ransomware's propagation capabilities.
The BlackByte group's attacks pose a significant threat to organizations, particularly those in the manufacturing sector, which accounted for over 32% of the group's known victims. The use of a newly disclosed vulnerability in VMware ESXi underscores the broader risk of ransomware groups quickly adopting emerging exploits, with potentially severe consequences for unpatched or misconfigured systems.
Insights and Analysis
Cisco Talos' analysis emphasizes the importance of swift and comprehensive vulnerability management to mitigate the risks posed by groups like BlackByte. The speed with which newly disclosed vulnerabilities are incorporated into ransomware operations is a stark reminder of the dynamic nature of cyber threats and of the need for organizations to stay ahead of attackers through proactive security measures.
To defend against the evolving tactics of ransomware groups like BlackByte, organizations should consider the following measures as a baseline for defence in depth.
- Implement Multi-Factor Authentication (MFA)
- Audit and Harden VPN Configurations
- Monitor Privileged Accounts
- Limit NTLM Usage
- Disable SMBv1 and Enforce SMB Signing
- Deploy and Secure EDR
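Three of the items above (limit NTLM, disable SMBv1, enforce SMB signing) correspond to local machine settings that can be audited in bulk rather than checked by hand. The script below is an added example written for this page, not code from Cisco Talos or from the report; it evaluates a set of Windows registry values against hardened targets and reports the gaps. The registry paths and target values are assumptions drawn from general Windows administration practice (not from the Talos report) and should be reconciled with your own baseline; MFA, VPN configuration and EDR coverage are not visible in the local registry and are not covered here. The `SAMPLE_*` dictionaries are constructed inputs so the logic runs offline; `read_local_registry()` reads the same values from a real Windows host.

```python
import sys

# Registry keys under HKEY_LOCAL_MACHINE. Paths and hardened values are assumptions
# from general Windows hardening guidance, not taken from the Talos report.
LANMAN = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
MSV1_0 = r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"

# (key, value name, predicate that returns True when hardened, finding text)
CHECKS = [
    (LANMAN, "SMB1", lambda v: v == 0,
     "SMBv1 server is not disabled (SMB1 should be 0)"),
    (LANMAN, "RequireSecuritySignature", lambda v: v == 1,
     "SMB signing is not required on the server side"),
    (LSA, "LmCompatibilityLevel", lambda v: v == 5,
     "LmCompatibilityLevel is below 5, so LM/NTLMv1 responses are still permitted"),
    (MSV1_0, "RestrictSendingNTLMTraffic", lambda v: v == 2,
     "Outgoing NTLM traffic is not denied (allow or audit mode)"),
]


def evaluate(settings):
    """Return a list of findings for a mapping of (key, value_name) -> int or None.

    A value that is absent from the mapping is reported as well: an unset value
    falls back to the OS default, which is not a deliberate hardened choice.
    """
    findings = []
    for key, name, is_hardened, message in CHECKS:
        value = settings.get((key, name))
        if value is None:
            findings.append(f"{message} [value not set: HKLM\\{key}\\{name}]")
        elif not is_hardened(value):
            findings.append(f"{message} [current value: {value}]")
    return findings


def read_local_registry():
    """Read the checked values from the local machine (Windows only, uses winreg)."""
    import winreg  # only importable on Windows
    settings = {}
    for key, name, _is_hardened, _message in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, _value_type = winreg.QueryValueEx(handle, name)
                settings[(key, name)] = int(value)
        except OSError:
            settings[(key, name)] = None  # key or value does not exist
    return settings


# Constructed sample inputs: a host that meets every target, and one that meets none.
SAMPLE_HARDENED = {
    (LANMAN, "SMB1"): 0,
    (LANMAN, "RequireSecuritySignature"): 1,
    (LSA, "LmCompatibilityLevel"): 5,
    (MSV1_0, "RestrictSendingNTLMTraffic"): 2,
}
SAMPLE_WEAK = {
    (LANMAN, "SMB1"): 1,
    (LANMAN, "RequireSecuritySignature"): 0,
    (LSA, "LmCompatibilityLevel"): 3,
    # RestrictSendingNTLMTraffic deliberately absent: reported as "value not set"
}

if __name__ == "__main__":
    source = read_local_registry() if sys.platform == "win32" else SAMPLE_WEAK
    for finding in evaluate(source) or ["no findings"]:
        print(finding)
```

On a Windows host the script audits the machine it runs on; elsewhere it falls back to the constructed weak sample so the output can be inspected. The predicates are deliberately strict (for example `LmCompatibilityLevel == 5`) because a "limit NTLM" target that tolerates intermediate values tends to never get finished.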
The BlackByte ransomware group's rapid exploitation of newly disclosed vulnerabilities like CVE-2024-37085 highlights the critical need for organizations to maintain a robust and adaptive security posture. By implementing proactive measures and staying vigilant against emerging threats, organizations can reduce their risk of falling victim to increasingly sophisticated ransomware attacks.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd | File Hash | Hash of the vulnerable driver file RtCore64.sys. |
| 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5 | File Hash | Hash of the vulnerable driver file DBUtil_2_3.sys. |
| 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91 | File Hash | Hash of the vulnerable driver file zamguard64.sys. |
| 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427 | File Hash | Hash of the vulnerable driver file gdrv.sys. |
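The four hashes above, together with the "blackbytent_h" extension described earlier, are the two host-level artifacts a responder can sweep for directly. The script below is an added example written for this page, not code from Cisco Talos or from the report: it hashes every file under a directory tree, flags any whose SHA-256 matches the published driver hashes, and separately lists files carrying the encrypted-file extension. Only the four hashes are taken from the page; the `demo()` function builds a constructed directory in a temporary folder and adds the hash of an invented sample file to a copy of the IOC set purely so the match path can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes published in the Talos IR report (copied from the IOC table above),
# keyed to the vulnerable driver file name the report associates with each.
BLACKBYTE_DRIVER_HASHES = {
    "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd": "RtCore64.sys",
    "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5": "DBUtil_2_3.sys",
    "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91": "zamguard64.sys",
    "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427": "gdrv.sys",
}

# Extension the updated ransomware binary appends to encrypted files.
ENCRYPTED_EXTENSION = ".blackbytent_h"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes):
    """Walk `root` and return two lists of findings:

    driver_matches  : (path, driver name) for files whose SHA-256 is in `ioc_hashes`
    encrypted_files : paths ending in the BlackByte encrypted-file extension
    """
    findings = {"driver_matches": [], "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXTENSION:
                findings["encrypted_files"].append(str(path))
                continue  # encrypted payloads are not hashed; their content is not an IOC
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in ioc_hashes:
                findings["driver_matches"].append((str(path), ioc_hashes[digest]))
    return findings


def demo():
    """Build a constructed directory tree in a temp folder and scan it.

    The sample driver bytes below are invented; their hash is added to a copy of
    the IOC set only so that the match path is exercised without a real driver.
    """
    sample_driver = b"CONSTRUCTED sample bytes, not a real driver\n"
    iocs = dict(BLACKBYTE_DRIVER_HASHES)
    iocs[hashlib.sha256(sample_driver).hexdigest()] = "sample_driver.sys (constructed)"

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "sample_driver.sys").write_bytes(sample_driver)
        (root / "drivers" / "benign.sys").write_bytes(b"unrelated benign content\n")
        (root / ("report.docx" + ENCRYPTED_EXTENSION)).write_bytes(b"\x00" * 64)
        (root / "notes.txt").write_bytes(b"plain text file\n")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    results = demo()
    for path, driver in results["driver_matches"]:
        print(f"vulnerable driver match: {path} ({driver})")
    for path in results["encrypted_files"]:
        print(f"encrypted file: {path}")
```

To run it against a real host, call `scan_tree(Path(r"C:\Windows\System32\drivers"), BLACKBYTE_DRIVER_HASHES)` (or any other tree, since the report notes the drivers are dropped by the ransomware binary itself); an empty `driver_matches` list only rules out these four exact files, not a renamed or recompiled driver, so treat it as one signal among several.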
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
Initial Access | Valid Accounts: Domain Accounts | T1078.002 | Compromise of valid domain accounts for initial access to the environment. |
Initial Access | Valid Accounts: Local Accounts | T1078.003 | Compromise of valid local accounts for initial access to the environment. |
Discovery | Remote System Discovery | T1018 | Adversary attempts to discover remote systems within the network. |
Discovery | File and Directory Discovery | T1083 | Adversary searches through directories and files to find critical information. |
Persistence | Create Account: Domain Account | T1136.002 | Adversary creates a new domain account for persistence in the environment. |
Execution | User Execution | T1204 | Adversary executes malicious code via user interactions. |
Execution | System Services: Service Execution | T1569.002 | Adversary executes code by creating or modifying system services. |
Privilege Escalation | Create or Modify System Process | T1543 | Adversary escalates privileges by modifying system processes. |
Privilege Escalation | Domain Policy Modification | T1484.001 | Adversary modifies domain policies to escalate privileges. |
Privilege Escalation | Domain Modification | T1484 | Adversary makes modifications to the domain infrastructure. |
Privilege Escalation | Account Manipulation | T1098 | Adversary manipulates account settings for privilege escalation. |
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Adversary uses SMB or Windows Admin Shares for lateral movement. |
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | Adversary uses Remote Desktop Protocol for lateral movement. |
Lateral Movement | Exploitation of Remote Services | T1210 | Adversary exploits vulnerabilities in remote services to move laterally. |
Resource Development | Stage Capabilities | T1608 | Adversary stages capabilities for further attacks. |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Adversary disables or modifies security tools to evade defenses. |
Defense Evasion | Modify Registry | T1112 | Adversary modifies the system registry for evasion or persistence. |
Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Adversary deletes files to remove indicators of compromise. |
Defense Evasion | Exploitation for Defense Evasion | T1211 | Adversary exploits vulnerabilities to evade defenses. |
Impact | System Shutdown/Reboot | T1529 | Adversary causes a system shutdown or reboot to interrupt operations. |
Impact | Data Encrypted for Impact | T1486 | Adversary encrypts data to render it inaccessible and demand a ransom. |