Threat Research

Campaign TrailPost Exploitation Activities on Fortinet Devices: A Network-Based Analysis by Adam Potter

DarkTrace

Summary:

BlackSuit ransomware, detected by Darktrace since late 2023, has targeted various industries in the US, employing double extortion tactics to demand ransoms exceeding USD 500 million. The ransomware is believed to be a spinoff of Royal ransomware and has affected numerous organizations globally. The article outlines several cases of BlackSuit attacks, detailing methods of infiltration, data exfiltration, and the impact on victims.

Keypoints:

  • BlackSuit ransomware emerged in May 2023 and has been linked to Russian and Eastern European hackers.
  • It has infiltrated multiple sectors, including healthcare, education, IT, government, retail, and manufacturing.
  • The ransomware employs double extortion tactics, encrypting files and stealing sensitive data.
  • Ransom demands have exceeded USD 500 million, with individual demands reaching up to USD 60 million.
  • Notable targets include CDK Global, Kadokawa, educational institutions, Octapharma Plasma, and the Brazilian government.
  • Darktrace has documented several cases of BlackSuit attacks, highlighting the sophisticated methods used by attackers.
  • Initial access often involves VPN compromises, phishing, and exploitation of vulnerable applications.
  • Continuous vigilance and robust cybersecurity measures are essential to combat evolving ransomware threats.

MITRE Techniques:

  • Account Manipulation (T1098): Exploits account credentials to maintain persistence.
  • Alarm Suppression (T0878): Disables or alters alarm settings to avoid detection.
  • Application Layer Protocol (T1071): Uses application layer protocols for command and control communication.
  • Automated Collection (T1119): Collects data automatically from compromised systems.
  • Data Encrypted for Impact (T1486): Encrypts data to disrupt operations and demand ransom.
  • Exfiltration Over C2 Channel (T1041): Exfiltrates data through command and control channels.
  • Exploitation of Remote Services (T1210): Exploits remote services for lateral movement within networks.
  • Remote Desktop Protocol (T1021.001): Uses RDP for lateral movement and access to systems.
  • Windows Management Instrumentation (T1047): Utilizes WMI for execution of commands and lateral movement.

IoC:

  • [domain] mystuff.bublup[.]com
  • [domain] bublup-media-production.s3.amazonaws[.]com
  • [ip address] 137.220.61[.]94
  • [ip address] 173.251.109[.]106
  • [ip address] 216.151.180[.]147
  • [file name] zzza.exe
  • [file name] socks5.ps1
  • [file extension] .blacksuit
  • [file name] readme.blacksuit.txt

Full Research: https://darktrace.com/blog/post-exploitation-activities-on-fortinet-devices-a-network-based-analysis

Tags: LATERAL MOVEMENT, PHISHING, WINDOWS, full, PERSISTENCE, INITIAL ACCESS, IMPACT, VPN