Intelligent CISO Issue 54 | Page 67


Hive, LockBit and BlackCat ransomware gangs consecutively attack the same network, Sophos reports

Sophos, a global leader in next-generation cybersecurity, has announced in the Sophos X-Ops Active Adversary whitepaper, Multiple Attackers: A Clear and Present Danger, that Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network.

The first two attacks took place within two hours and the third attack took place two weeks later. Each ransomware gang left its own ransom demand and some of the files were triple encrypted.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, Senior Security Advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organisations of any size and type – no business is immune.”
The whitepaper further outlines additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other – and, in one case, simultaneously – often with the different attackers accessing a target’s network through the same vulnerable entry point.

[Photo caption: John Shier, Senior Security Advisor at Sophos]
Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat – the last ransomware group on the system – not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, were able to leverage the backdoor LockBit created to steal data and hold it for ransom.
“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognising that there are a finite number of ‘resources’ in an increasingly competitive market.”
Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the Dark Web.