Quartals-Briefing: Bedrohungsakteure und ungepatchte Schwachstellen

32% der Sicherheitsvorfälle durch Ransomware-Angriffe starten mit ungepatchten Schwachstellen, die zu geschäftskritischen Folgen führen. In unserem wöchentlichen Briefing zu den fünf relevantesten Schwachstellen für Hacker haben wir über Schwachstellen berichtet, die für Bedrohungsakteure von Bedeutung sind. In dieser fortlaufenden Serie werden wir vierteljährliche Rückblicke auf ausgewählte Bedrohungsakteure sowie die damit verbundenen Sicherheitsvorfälle und ausgenutzten Schwachstellen bereitstellen.

Third Quarter 2024

Threat Actor: LockBit

Threat Actor Whois: LockBit operates primarily as a Ransomware-as-a-Service model. This threat actor has become one of the most notorious and successful ransomware groups in recent years. It first emerged around 2019 and has undergone multiple iterations (e.g., LockBit 2.0, LockBit 3.0), improving its techniques with each version. Its primary goal is to deploy ransomware on a victim’s network to encrypt data, extort ransom payments, and threaten to leak the victim’s sensitive information. LockBit is not known for favoring big hunt targets, nor does it have specific industries it likes to target. In February, international law enforcement seized LockBit’s infrastructure, and arrests were made in connection with the coordinated international operation. However, less than one week later, the ransomware group relaunched its operation

Threat Actor Key Characteristics:

• Ransomware-as-a-Service: LockBit provides its ransomware tools to affiliates (other cybercriminals) who carry out the attacks. These affiliates receive a percentage of the ransom payment, with LockBit taking a cut
• Double Extortion: Like many modern ransomware groups, LockBit employs double extortion, meaning it not only encrypts the victim’s files but also threatens to release sensitive data if the ransom isn’t paid
• Highly Automated and Fast: LockBit ransomware is known for its high level of automation, which makes it faster to spread across the network and encrypt files

Selected Security Breaches Associated with Threat Actor: LockBit has been responsible for numerous high-profile breaches, targeting various industries and organizations around the globe. Some notable victims include Evolve Bank and Trust (2024), Boeing (2023), Thales Group (2022), Mercedes-Benz USA (2021), and Accenture (2021). These attacks demonstrate the group’s ability to infiltrate organizations across different sectors. In the third quarter of 2024, LockBit continued its assault on numerous companies. Below is a small list of selected breaches associated with LockBit sourced from Blackfog. While some incidents have been publicly disclosed, many remain undisclosed:

Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access: LockBit is known to use the following techniques to gain initial access to its victims’ IT infrastructure:

• T1190: Exploit Public-Facing Application
• T1078: Valid Accounts
• T1566: Phishing

Selected Vulnerabilities Exploited by Threat Actor: LockBit affiliates have been documented exploiting numerous CVEs, including:

Further Reading: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a