Dec 1, 2021
Microsoft Exchange servers hacked to deploy BlackByte ransomware

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.
ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.
All three were fixed by security updates released in April and May 2021.
Since researchers disclosed the vulnerabilities, threat actors have begun to exploit them to breach servers and install web shells, coin miners, and ransomware.
In a detailed report, Red Canary researchers analyzed a BlackByte ransomware attack in which the attackers exploited the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.
Web shells are small scripts uploaded to a web server that give a threat actor persistence on the device and the ability to remotely execute commands or upload additional files to the server.
The planted web shell is then utilized to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.
The widely abused penetration testing tool is then used for dumping credentials for a service account on the compromised system.
Finally, after taking over the account, the adversaries install the AnyDesk remote access tool and then proceed to the lateral movement stage.
When conducting ransomware attacks, threat actors commonly rely on third-party tools to gain elevated privileges or to deploy the ransomware across a network.
In BlackByte's case, however, the ransomware executable itself plays a central role: it handles both privilege escalation and worming, that is, lateral movement, within the compromised environment.
The malware sets three registry values: one for local privilege elevation, one that enables network connection sharing between all privilege levels, and one that allows long path values for file paths, names, and namespaces.
Before encryption, the malware deletes the "Raccine Rules Updater" scheduled task to prevent last-minute interception by the Raccine anti-ransomware tool, and wipes shadow copies directly through WMI objects using an obfuscated PowerShell command.
Finally, stolen files are archived with WinRAR and exfiltrated to anonymous file-sharing platforms.
Although Trustwave released a decryptor for BlackByte ransomware in October 2021, it is unlikely that the operators are still using the same encryption tactics that allowed victims to restore their files for free.
As such, you may or may not be able to restore your files using that decryptor, depending on what key was used in the particular attack.
Red Canary has seen multiple “fresh” variants of BlackByte in the wild, so there’s clearly an effort from the malware authors to evade detection, analysis, and decryption.
Exploiting ProxyShell to drop ransomware is not new; at the start of November, actors deployed the Babuk strain the same way.
The ProxyShell set has been under active exploitation by multiple actors since at least August 2021, so the time to apply the security updates is well overdue.
If that is impossible for any reason, admins are advised to monitor their exposed systems for precursor activity such as shadow copy deletion, suspicious registry modifications, and PowerShell execution that bypasses the execution policy.
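As an added example (not code from the article or from Red Canary), here is a small Python detector that applies the monitoring advice above, and the BlackByte behaviours described earlier, to constructed log lines. It flags the three registry modifications (the article does not name the values; the value names below are an assumption of mine, chosen as the standard Windows settings whose effect matches each description), deletion of the "Raccine Rules Updater" scheduled task, shadow copy deletion through WMI hidden inside a base64-encoded PowerShell command, and PowerShell launched with an execution-policy bypass. The "ts | kind | image | data" log format and every sample line are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


# Registry values matching the three modifications the article describes.
# ASSUMPTION: the article does not name them; these are the standard Windows
# values whose effect matches each description. Keys are lower-cased for lookup.
REGISTRY_WATCHLIST = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy":
        "UAC remote restrictions disabled (local privilege elevation)",
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelinkedconnections":
        "network connections shared across privilege levels",
    r"hklm\system\currentcontrolset\control\filesystem\longpathsenabled":
        "long path support enabled",
}

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
SHADOW_RE = re.compile(r"win32_shadowcopy", re.I)
DELETE_RE = re.compile(r"remove-wmiobject|\.delete\(\)", re.I)
VSS_CLI_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
RACCINE_RE = re.compile(r"schtasks(?:\.exe)?\s+.*?/delete\b.*?raccine rules updater", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(lines):
    """Run the precursor-activity rules over 'ts | kind | image | data' log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4:
            continue  # malformed line; ignore
        _ts, kind, _image, data = parts
        if kind == "RegSet":
            path, sep, value = data.rpartition("=")
            if sep:
                desc = REGISTRY_WATCHLIST.get(path.strip().lower())
                if desc and value.strip() == "1":
                    findings.append(Finding(n, "registry_tamper", desc))
        elif kind == "ProcessCreate":
            # Match the decoded payload when the command line is base64-wrapped,
            # otherwise the raw command line.
            decoded = decode_encoded_command(data)
            effective = decoded if decoded is not None else data
            if BYPASS_RE.search(data):
                findings.append(Finding(n, "execution_policy_bypass", data))
            if (SHADOW_RE.search(effective) and DELETE_RE.search(effective)) or VSS_CLI_RE.search(effective):
                findings.append(Finding(n, "shadow_copy_deletion", effective))
            if RACCINE_RE.search(data):
                findings.append(Finding(n, "raccine_task_deleted", data))
    return findings


# Constructed sample log: the encoded command wraps a WMI shadow copy deletion,
# the way the article says BlackByte hides it in obfuscated PowerShell.
SHADOW_CMD = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
ENCODED_CMD = base64.b64encode(SHADOW_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    r"2021-11-30T10:12:01Z | RegSet | sample.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=1",
    r"2021-11-30T10:12:01Z | RegSet | sample.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections=1",
    r"2021-11-30T10:12:02Z | RegSet | sample.exe | HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled=1",
    '2021-11-30T10:12:03Z | ProcessCreate | cmd.exe | schtasks.exe /DELETE /TN "Raccine Rules Updater" /F',
    f"2021-11-30T10:12:04Z | ProcessCreate | powershell.exe | powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand {ENCODED_CMD}",
    "2021-11-30T10:12:05Z | ProcessCreate | powershell.exe | powershell.exe -NoProfile Get-Date",  # benign
    r"2021-11-30T10:12:06Z | RegSet | svchost.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater=C:\app\up.exe",  # benign
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The point of decoding -EncodedCommand before matching is that a rule which only inspects the raw command line never sees the Win32_Shadowcopy call; the bypass and task-deletion rules, by contrast, match on the visible command line. On the sample log the benign Get-Date launch and the unrelated Run key write produce no findings.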