Focus Mode
Trash

CTI REPORT – LockBit 3.0

iocOne
CTI REPORT – LockBit 3.0
LockBit 3.0 ransomware primarily targets Windows systems, exploiting vulnerabilities in Active Directory and Microsoft Exchange Server. It employs various tactics for initial access, data encryption, and data exfiltration, threatening victims with public data leaks unless ransoms are paid. LockBit has been particularly active in sectors such as healthcare, finance, and critical infrastructure, leveraging advanced techniques to evade detection. Affected: Windows Operating System, Active Directory, Microsoft Exchange Server, healthcare, financial services, manufacturing, energy, critical infrastructure

Keypoints :

  • LockBit 3.0 is designed to exploit vulnerabilities in Windows environments.
  • Targets Active Directory to extract administrator credentials for lateral movement.
  • Specifically aims at Microsoft Exchange Server to disrupt email and encrypt sensitive data.
  • Initial access often achieved through phishing or exploiting RDP vulnerabilities.
  • Data is encrypted using RSA-2048 and AES-256, with unique keys for each file.
  • Employs techniques to exfiltrate sensitive data before encryption as leverage for ransom.
  • Utilizes sophisticated evasion tactics such as code obfuscation and leveraging legitimate tools.
  • Increasingly targeting cloud infrastructures and Linux servers, particularly VMware ESXi.
  • Active in industries like healthcare, finance, manufacturing, and critical infrastructure.
  • Recommends enhancing detection and response mechanisms to combat such threats.

MITRE Techniques :

  • Credential Dumping (T1003) – Uses PowerShell and WMI calls to extract credentials.
  • Exploitation of Remote Services (T1210) – Phishing emails and RDP vulnerabilities are exploited for initial access.
  • Data Encrypted for Impact (T1486) – Employs RSA-2048 and AES-256 encryption for files.
  • Data Exfiltration (T1041) – Sensitive data is exfiltrated using tools like Rclone.
  • Command and Control (T1071) – Establishes communication with C2 servers using HTTPS and TOR for traffic masking.
  • Obfuscated Files or Information (T1027) – Uses dynamic API hashing and encrypted payloads to avoid detection.
  • Insecure Credentials (T1552) – Extracts credentials using Mimikatz.
  • Network Share Discovery (T1135) – Tools like Nmap are used to scan networks and identify services.

Indicator of Compromise :

  • [Vulnerability] CVE-2021–26855
  • [Email] attacker@example.com (example only)
  • [Malware Tool] http://malicious.com/path (example only, not actual)
  • [Tool] Cobalt Strike
  • [Tool] Mimikatz

Full Story: https://medium.com/@muhammetalgan3547/cti-report-lockbit-3-0-33e224e1d8d6?source=rss——cybersecurity-5

Tags: LINUX, EDR, SIEM, CREDENTIAL, DARK WEB, MONITOR, CVE, PHISHING