Quarterly Briefing: Threat Actor Using Unpatched Vulnerabilities
Oct 1, 2024
ENTRYZERO
32% of ransomware attacks start with an unpatched vulnerability, and these are the attacks with the greatest business impact. In our weekly "Top 5 Hacker-Relevant Vulnerabilities" series, we report on vulnerabilities that are particularly pertinent to threat actors. As part of this ongoing effort, we will provide quarterly recaps on selected threat actors, the breaches associated with them, and the vulnerabilities they exploit.
Third Quarter 2024
Threat Actor: LockBit
Threat Actor Whois: LockBit operates primarily under a Ransomware-as-a-Service model and has become one of the most notorious and successful ransomware groups of recent years. It first emerged around 2019 and has gone through multiple iterations (e.g., LockBit 2.0, LockBit 3.0), refining its tooling with each version. Its primary goal is to deploy ransomware on a victim's network to encrypt data, extort a ransom payment, and threaten to leak the victim's sensitive information. LockBit is not known for big-game hunting of large targets, nor does it favor particular industries. In February 2024, international law enforcement seized LockBit's infrastructure, and arrests were made in connection with the coordinated international operation. Less than a week later, however, the group relaunched its operation.
Threat Actor Key Characteristics:
- Ransomware-as-a-Service: LockBit provides its ransomware tools to affiliates (other cybercriminals) who carry out the attacks. These affiliates receive a percentage of the ransom payment, with LockBit taking a cut
- Double Extortion: Like many modern ransomware groups, LockBit employs double extortion, meaning it not only encrypts the victim’s files but also threatens to release sensitive data if the ransom isn’t paid
- Highly Automated and Fast: LockBit ransomware is known for its high level of automation, which makes it faster to spread across the network and encrypt files
Selected Security Breaches Associated with Threat Actor: LockBit has been responsible for numerous high-profile breaches, targeting various industries and organizations around the globe. Some notable victims include Evolve Bank and Trust (2024), Boeing (2023), Thales Group (2022), Mercedes-Benz USA (2021), and Accenture (2021). These attacks demonstrate the group’s ability to infiltrate organizations across different sectors. In the third quarter of 2024, LockBit continued its assault on numerous companies. Below is a small list of selected breaches associated with LockBit sourced from Blackfog. While some incidents have been publicly disclosed, many remain undisclosed:
Victim Name | Victim Information | Victim Location |
---|---|---|
Kulicke & Soffa | Semiconductor manufacturer | Singapore |
KBC Zagreb | University hospital center | Croatia |
Wattle Range Council | Local government | Australia |
Clay County Indiana | Local government | USA |
Federated Co-Operatives | Co-operative federation | Canada |
Real Hospital Português de Beneficência | Private hospital | Brazil |
Lothar Rapp | Contractor | Germany |
Customs Support Group | Customs broker | Netherlands |
Akanea | Software company | France |
Barking Well Media | Media company | Greece |
Luis Oliveras | Food product supplier | Spain |
Exol Lubricants | Lubricant manufacturer | UK |
GB Ricambi SpA | Machinery manufacturer | Italy |
Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access: LockBit is known to use the following techniques to gain initial access to its victims’ IT infrastructure:
Selected Vulnerabilities Exploited by Threat Actor: LockBit affiliates have been documented exploiting numerous CVEs, including:
Vulnerable Product | Vulnerability |
---|---|
Citrix NetScaler ADC and Gateway (Citrix Bleed: CVE-2023-4966) | CVE-2023-4966, CVE-2019-19781 |
PaperCut MF/NG | CVE-2023-27350 |
Fortra GoAnywhere MFT | CVE-2023-0669 |
Microsoft Exchange (ProxyLogon, ProxyShell) | CVE-2021-26855, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 |
Apache Log4j 2 (Log4Shell) | CVE-2021-44228 |
F5 BIG-IP and BIG-IQ (iControl REST) | CVE-2021-22986 |
Pulse Connect Secure VPN | CVE-2019-11510 |
Microsoft RDP (BlueKeep) | CVE-2019-0708 |
Fortinet FortiOS SSL VPN | CVE-2018-13379 |
Further Reading: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a