BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

Summary:
The BlackByte ransomware group has likely been exploiting a recently patched vulnerability (CVE-2024-37085) in VMware ESXi hypervisors, while also abusing several vulnerable drivers to bypass security protections. The group, active since the second half of 2021, has continuously refined its tactics, techniques, and procedures (TTPs) to improve its ransomware operations. Cisco Talos, in a detailed report, notes that BlackByte uses a wormable ransomware encryptor that self-propagates across networks and relies on the "bring your own vulnerable driver" (BYOVD) technique to disable security defenses by terminating security processes.

In a recent attack investigated by Cisco Talos, BlackByte is believed to have gained initial access to the victim's network with credentials brute-forced against the organization's VPN. After gaining access, the attackers escalated their privileges and exploited CVE-2024-37085 to obtain administrative control over VMware vCenter servers. The exploitation allowed the attackers to create an Active Directory group named "ESX Admins" and add new accounts to it, giving them control over virtual machines and host server configurations as well as access to system logs, diagnostics, and performance monitoring tools.

Cisco Talos assesses that the threat actor is likely more active than publicly reported, with only an estimated 20-30% of victims being disclosed. The exact reason for this underreporting is unclear, but it suggests that the group's impact may be significantly larger than what is currently known.


Security Officer Comments:
The group’s rapid exploitation of the VMware vulnerability within days of its public disclosure underscores the speed at which threat actors incorporate newly discovered vulnerabilities into their arsenal. This marks a potential shift in BlackByte's approach, as they move from previously established methods to more opportunistic attacks. BlackByte's history includes exploiting public-facing vulnerabilities, such as ProxyShell in Microsoft Exchange Server, to gain initial access, with a notable preference for avoiding systems using Russian or Eastern European languages. The group is known for employing double extortion tactics, using a data leak site on the dark web to pressure victims into paying ransoms. Multiple variants of BlackByte ransomware have been identified in the wild, written in different programming languages, including C, .NET, and Go. Notably, the group has been evolving its ransomware, transitioning to more complex languages like C/C++ to incorporate advanced anti-analysis and anti-debugging techniques, making detection and analysis more challenging for security researchers.

Suggested Corrections:

IOCs:
https://blog.talosintelligence.com/...d-vulnerabilities-to-support-ongoing-attacks/

  • Implement MFA for all remote access and cloud connections. Prioritize “verified push” as the MFA method over less secure options such as SMS or phone call.
  • Audit the VPN configuration. Confirm that legacy VPN policies are removed and that authentication attempts not matching a current VPN policy are denied by default. Restrict VPN access to only the necessary network segments and services, limiting exposure of critical assets such as Domain Controllers.
  • Set up alerts for any changes in privileged groups, such as the creation of new user groups or addition of accounts to domain administrators. Ensure that administrative privileges are granted only when necessary and routinely audited thereafter. A Privileged Access Management (PAM) solution may be used to streamline control and monitoring of privileged accounts.
  • Limit or disable the use of NTLM where possible and enforce more secure authentication methods like Kerberos instead. Limit the rate of authentication attempts and failures on public-facing and internal interfaces to prevent automated authentication scanning.
  • Disable SMBv1 and enforce SMB signing and encryption to protect against lateral movement and malware propagation.
  • Deploy EDR clients to all systems throughout the environment. Configure an administrator password on EDR clients to prevent unauthorized tampering or removal of the client.
  • Disable vendor accounts and remote access capabilities when not actively in use.
  • Create detections for unauthorized configuration changes that may be made on various systems in the environment, including changes to Windows Defender policies, unauthorized changes to Group Policy Objects, and creation of unusual scheduled tasks and installed services.
  • Develop and document procedures for enterprise password reset to ensure that all user credentials can be reset quickly and completely. Include procedures for rolling critical Kerberos tickets in this documentation.
  • Harden and patch ESX hosts to reduce the attack surface of these critical servers as far as possible, and ensure that newly discovered vulnerabilities are corrected as quickly as possible.
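The alerting recommendation above (changes to privileged groups) maps directly onto the "ESX Admins" group abused in the intrusion described in the summary. The following is an added example, not code from the original report or from Cisco Talos, showing how a defender might flag the relevant Windows Security audit events. It assumes the events have already been exported as dictionaries keyed by the standard audit field names (EventID, SubjectUserName, TargetUserName, MemberName), for example from a SIEM; the event IDs are the standard Windows group-management audit IDs, and the sample records are constructed for this illustration.

```python
"""Flag Active Directory privileged-group changes, including creation of or
additions to the "ESX Admins" group associated with CVE-2024-37085.

Added example (not the report's code). Input is a sequence of dicts carrying
the standard Windows Security audit fields; the sample events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security audit event IDs for group lifecycle changes.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal security group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group

# Groups whose membership changes should always raise an alert.
# "ESX Admins" is the AD group ESXi treats as administrators (CVE-2024-37085);
# the others are standard AD privileged groups.
WATCHED_GROUPS = {
    "esx admins",
    "domain admins",
    "enterprise admins",
    "schema admins",
    "administrators",
}


@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    group: str
    actor: str      # SubjectUserName: who made the change
    target: str     # MemberName: the account added (empty for group creation)
    reason: str


def _norm(name: str) -> str:
    # Detection choice (not a claim about ESXi's own matching): compare group
    # names case-insensitively and collapse whitespace so variants such as
    # "esx admins" or "ESX  Admins" are not missed.
    return " ".join(name.split()).lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for a single audit record, or None if it is benign."""
    eid = int(event["EventID"])
    group = event.get("TargetUserName", "")   # group name for 47xx group events
    actor = event.get("SubjectUserName", "")

    if eid in GROUP_CREATED:
        if _norm(group) == "esx admins":
            return Alert("critical", eid, group, actor, "",
                         "ESX Admins group created; ESXi grants its members admin rights")
        return None

    if eid in MEMBER_ADDED and _norm(group) in WATCHED_GROUPS:
        member = event.get("MemberName", "")
        severity = "critical" if _norm(group) == "esx admins" else "high"
        return Alert(severity, eid, group, actor, member,
                     f"account added to privileged group {group!r}")

    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Evaluate every record and keep only the ones that produced an alert."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample records (hypothetical users and DNs).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "asmith"},  # logon, ignored
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] event {a.event_id}: {a.reason} (by {a.actor}) {a.target}")
```

Creation of the group (4727) is flagged on its own because, in the reported intrusion, the group did not exist beforehand; the membership additions that follow are flagged separately so that an alert still fires if the group was created earlier or on another domain controller.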


Link(s):
https://thehackernews.com/2024/08/blackbyte-ransomware-exploits-vmware.html

https://blog.talosintelligence.com/...d-vulnerabilities-to-support-ongoing-attacks/