This Cybersecurity Threat Advisory reviews the latest activity of the BlackCat ransomware gang. The group is using its new Sphynx encryptor to target Microsoft Azure storage, reaching it with stolen credentials and stolen Azure storage account keys rather than through any flaw in Azure itself.
The BlackCat (ALPHV) ransomware gang is using stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. CSB recommends that Azure users take immediate action: strengthen access controls, enforce multi-factor authentication, maintain up-to-date backups, and apply security patches promptly across all Azure services and systems.
What is the threat?
The BlackCat ransomware gang is using stolen credentials, stolen Azure storage keys, and the new Sphynx encryptor variant to target Azure cloud storage. This is a significant threat because it can compromise data integrity, disrupt operations, and cause financial losses for organizations that rely on Azure services. It is ransomware: victim data is encrypted and a ransom is demanded for decryption.
In the intrusion reported, the attackers first stole a victim's One-Time Password (OTP) from the LastPass Chrome browser extension and used it to gain unauthorized access to the victim's Sophos Central account. From there they disabled security features, modified policies, and encrypted systems and Azure cloud storage, appending the .zk09cvt extension to files. The victim's stolen Azure storage account keys, Base64-encoded inside the encryptor, gave it direct access to the Azure storage; because storage account keys authenticate on their own, they are not protected by the MFA applied to user sign-ins. The threat poses a significant risk to Azure-reliant organizations, potentially leading to data loss, operational disruption, and financial extortion.
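Encryption of a storage account with a stolen account key shows up in Azure Storage resource logs as a burst of blob writes authenticated with the account key and creating objects with the ransom extension. The following is an added example (not code from the advisory, Sophos, or Microsoft) of detection logic run over a handful of constructed log records. The record shape (operationName, callerIpAddress, uri, identity.type) follows the Azure Storage blob resource-log schema; the values, the threshold of three writes, and the helper names are assumptions for this example.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Extension the advisory reports Sphynx appending to encrypted files.
RANSOM_EXT = ".zk09cvt"
# Blob operations that create or replace content.
WRITE_OPS = {"PutBlob", "PutBlock", "PutBlockList", "CopyBlob"}

# Constructed sample records in the shape of Azure Storage blob resource logs
# (one JSON object per line). IPs, account name and paths are invented.
SAMPLE_LOG = """\
{"time":"2023-09-14T02:11:03Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"10.0.4.21:51122","uri":"https://contoso.blob.core.windows.net/finance/q3.xlsx","identity":{"type":"OAuth"}}
{"time":"2023-09-14T02:11:09Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"10.0.4.21:51123","uri":"https://contoso.blob.core.windows.net/finance/q3-draft.xlsx","identity":{"type":"OAuth"}}
{"time":"2023-09-14T02:12:40Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"203.0.113.77:443","uri":"https://contoso.blob.core.windows.net/finance/q3.xlsx.zk09cvt","identity":{"type":"AccountKey"}}
{"time":"2023-09-14T02:12:41Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"203.0.113.77:443","uri":"https://contoso.blob.core.windows.net/finance/payroll.csv.zk09cvt","identity":{"type":"AccountKey"}}
{"time":"2023-09-14T02:12:41Z","operationName":"DeleteBlob","statusCode":202,"callerIpAddress":"203.0.113.77:443","uri":"https://contoso.blob.core.windows.net/finance/payroll.csv","identity":{"type":"AccountKey"}}
{"time":"2023-09-14T02:12:42Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"203.0.113.77:443","uri":"https://contoso.blob.core.windows.net/hr/contracts.zip.zk09cvt","identity":{"type":"AccountKey"}}
{"time":"2023-09-14T02:12:43Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"203.0.113.77:443","uri":"https://contoso.blob.core.windows.net/hr/RECOVER-FILES.txt","identity":{"type":"AccountKey"}}
"""


def parse_records(log_text):
    """Parse JSON-lines resource logs, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_ransom_write(rec):
    """True for a successful write that creates a blob with the ransom extension."""
    if rec.get("operationName") not in WRITE_OPS:
        return False
    if rec.get("statusCode") not in (200, 201):
        return False
    path = urlparse(rec.get("uri", "")).path
    return path.lower().endswith(RANSOM_EXT)


def caller_ip(rec):
    """Strip the ephemeral port from callerIpAddress ("203.0.113.77:443")."""
    return rec.get("callerIpAddress", "").rsplit(":", 1)[0]


def find_mass_encryption(log_text, threshold=3):
    """Group ransom-extension writes by caller and auth type; report callers
    at or above the threshold. Returns a list of findings sorted by count."""
    counts = defaultdict(int)
    for rec in parse_records(log_text):
        if is_ransom_write(rec):
            auth = rec.get("identity", {}).get("type", "unknown")
            counts[(caller_ip(rec), auth)] += 1
    findings = [
        {"caller_ip": ip, "auth_type": auth, "ransom_writes": n}
        for (ip, auth), n in counts.items()
        if n >= threshold
    ]
    return sorted(findings, key=lambda f: -f["ransom_writes"])


if __name__ == "__main__":
    for f in find_mass_encryption(SAMPLE_LOG):
        print(f"ALERT {f['caller_ip']} via {f['auth_type']}: "
              f"{f['ransom_writes']} blobs written with {RANSOM_EXT}")
```

Alerting on the auth type matters as much as the extension: a write burst authenticated with AccountKey from an address never seen using OAuth is the signature of a stolen key, and the response is to rotate the key, not to reset a user's password.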
Why is it noteworthy?
This threat targets Azure cloud storage, a widely used and trusted platform for businesses worldwide, so a successful attack can cause widespread data loss and operational disruption. The BlackCat gang is consistently ranked among the most sophisticated and globally impactful ransomware operations, and it continually refines and adapts its techniques. In one recent development, the gang used a novel extortion method: a dedicated clear-web portal that published the data stolen from a specific victim, so that the victim's customers and employees could check whether their own data was exposed.
The group also introduced a data leak API in July, streamlining the distribution of stolen information. This week, a BlackCat affiliate known as Scattered Spider claimed responsibility for an attack on MGM Resorts, stating that it encrypted more than 100 ESXi hypervisors after the company shut down its internal infrastructure and refused to negotiate a ransom. The FBI had previously warned that the group had compromised more than 60 entities worldwide between November 2021 and March 2022. These developments underline the gang's continuing evolution and its substantial impact on global enterprises, and they warrant heightened vigilance.
What is the exposure or risk?
A successful attack can compromise critical data stored in Azure cloud storage, potentially resulting in data loss, operational disruption, and financial extortion for organizations that rely on Azure services. Microsoft found that the new Sphynx encryptor embeds the RemCom remote-execution tool and the Impacket networking framework, which it uses for lateral movement across compromised networks.
During the intrusion, the threat actors relied on several remote monitoring and management (RMM) tools (AnyDesk, Splashtop, and Atera) and used Chrome to open the target's LastPass vault through the browser extension. There they obtained the OTP for the target's Sophos Central account, the console customers use to manage their Sophos products. Organizations that make extensive use of Azure cloud storage and related services are at risk, as are those with weak access controls, inadequate employee security training, or no multi-factor authentication (MFA).
What are the recommendations?
CSB recommends the following actions to limit the impact of a BlackCat Ransomware Attack:
- Enforce MFA for critical accounts and systems, including Azure services and the consoles used to manage security tooling. Requiring a second factor blocks most stolen-password attacks, but note that it does not protect secrets such as Azure storage account keys, which authenticate on their own.
- Keep all software and systems up to date with the latest security patches to prevent exploitation of known vulnerabilities.
- Review and tighten access control policies so that users hold only the minimum access they need to Azure resources. Where possible, disable shared-key access on storage accounts in favour of identity-based authorization, and rotate storage account keys on a schedule and immediately after any suspected compromise.
- Conduct regular cybersecurity training to educate employees about phishing and social engineering threats, encouraging them to report suspicious activities.
- Maintain a robust data backup strategy, including off-site and offline backups, to ensure data recovery without paying ransoms in case of an attack.
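As an added example that is not part of the advisory, the following script audits the settings that decide whether a stolen storage account key is usable at all: whether shared-key access is still enabled, whether the keys have been rotated recently, and whether anonymous blob access is on. The input is a constructed list of accounts in the shape returned by `az storage account list -o json`; the account names, dates, and the 90-day rotation policy are assumptions for this example.

```python
import json
from datetime import datetime, timezone

# Assumed rotation policy for this example.
MAX_KEY_AGE_DAYS = 90

# Constructed sample in the shape of `az storage account list -o json`
# (only the properties the audit reads are included).
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "contosofinance",
   "allowSharedKeyAccess": null,
   "allowBlobPublicAccess": true,
   "keyCreationTime": {"key1": "2022-03-01T00:00:00.000000+00:00",
                       "key2": "2022-03-01T00:00:00.000000+00:00"}},
  {"name": "contosobackups",
   "allowSharedKeyAccess": false,
   "allowBlobPublicAccess": false,
   "keyCreationTime": {"key1": "2023-09-01T00:00:00.000000+00:00",
                       "key2": "2023-09-01T00:00:00.000000+00:00"}}
]"""


def key_age_days(created_iso, now):
    """Age of a key in whole days from its ISO-8601 creation timestamp."""
    created = datetime.fromisoformat(created_iso)
    if created.tzinfo is None:
        created = created.replace(tzinfo=timezone.utc)
    return (now - created).days


def audit_account(acct, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (account, issue) findings for one storage account."""
    findings = []
    name = acct["name"]
    # allowSharedKeyAccess is null when never set, and the platform default is
    # true, so null must be treated as enabled.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append((name, "shared key access enabled: a stolen account key "
                               "grants full data-plane access without MFA"))
    if acct.get("allowBlobPublicAccess") is True:
        findings.append((name, "anonymous blob access allowed"))
    for key_name, created in (acct.get("keyCreationTime") or {}).items():
        if created is None:
            findings.append((name, f"{key_name} has no creation time; rotate it"))
            continue
        age = key_age_days(created, now)
        if age > max_age_days:
            findings.append((name, f"{key_name} is {age} days old (limit {max_age_days})"))
    return findings


def audit_accounts(accounts_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Audit every account in the JSON list; `now` is injectable for testing."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for acct in json.loads(accounts_json):
        findings.extend(audit_account(acct, now, max_age_days))
    return findings


if __name__ == "__main__":
    for account, issue in audit_accounts(SAMPLE_ACCOUNTS_JSON):
        print(f"{account}: {issue}")
```

Each finding maps to a remediation: `az storage account update --name <acct> --resource-group <rg> --allow-shared-key-access false` turns off key-based access once workloads have moved to Microsoft Entra ID authorization, and `az storage account keys renew --account-name <acct> --resource-group <rg> --key primary` (then `secondary`) invalidates any key an attacker has already copied.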