The pentesting tool has remote access features similar to that of Cobalt Strike

In a string of ransomware attacks in which ransomware group BlackCat used unpatched or outdated firewalls and VPN services to infiltrate vulnerable networks and systems worldwide across various industries, it has been concluded that a pentesting tool has been added to the group’s arsenal of attack tools.

BlackCat ransomware first emerged in November 2021 as the self-declared newest ‘leader’ in the Ransomware-as-a-Service business. By December that year, the group had pulled off five attacks, of which four involved the exploitation of vulnerabilities in different firewall vendors’ products. Once inside the network, attackers were able to obtain VPN credentials stored on the firewalls to log in as authorized users and then move laterally throughout the systems using the remote desktop protocol.

The attackers also leveraged open source and commercially available tools to create additional backdoors and alternative pathways for remote access to targeted systems. These included TeamViewer, nGrok, Cobalt Strike, and Brute Ratel.

Attacks were avoidable
In the latest spate of attacks across the USA, Europe, and Asia at large corporations operating in different industry segments, targeted firms did share common environmental vulnerabilities that simplified the attackers’ work: outdated systems that could no longer be updated with the latest security patches; a lack of multifactor authentication for VPNs; and flat networks where every machine can see every other machine.

According to Christopher Budd, Senior Manager (Threat Research), Sophos, which disclosed these BlackCat updates: “What we’re seeing with BlackCat and other attacks recently is that threat actors are using tried-and-true methods like attacking vulnerable firewalls and VPNs, because they know these still work. But they show innovation to avoid security defenses, like switching to the newer post-exploitation C2 framework Brute Ratel in their attacks. The common denominator with all these attacks is that they were easy to carry out. In one instance, the same BlackCat attackers had installed cryptominers a month before launching the ransomware.”

The findings bear out the importance of following established security practices; which can still prevent and these thwart attacks, including multiple attacks against a single network, the firm asserts.