Quartals-Briefing: Bedrohungsakteure und ungepatchte Schwachstellen
01.10.2024
ENTRYZERO
32% der Sicherheitsvorfälle durch Ransomware-Angriffe starten mit ungepatchten Schwachstellen, die zu geschäftskritischen Folgen führen. In unserem wöchentlichen Briefing zu den fünf relevantesten Schwachstellen für Hacker haben wir über Schwachstellen berichtet, die für Bedrohungsakteure von Bedeutung sind. In dieser fortlaufenden Serie werden wir vierteljährliche Rückblicke auf ausgewählte Bedrohungsakteure sowie die damit verbundenen Sicherheitsvorfälle und ausgenutzten Schwachstellen bereitstellen.
Third Quarter 2024
Threat Actor: LockBit
Threat Actor Whois: LockBit operates primarily as a Ransomware-as-a-Service model. This threat actor has become one of the most notorious and successful ransomware groups in recent years. It first emerged around 2019 and has undergone multiple iterations (e.g., LockBit 2.0, LockBit 3.0), improving its techniques with each version. Its primary goal is to deploy ransomware on a victim’s network to encrypt data, extort ransom payments, and threaten to leak the victim’s sensitive information. LockBit is not known for favoring big hunt targets, nor does it have specific industries it likes to target. In February, international law enforcement seized LockBit’s infrastructure, and arrests were made in connection with the coordinated international operation. However, less than one week later, the ransomware group relaunched its operation
Threat Actor Key Characteristics:
- Ransomware-as-a-Service: LockBit provides its ransomware tools to affiliates (other cybercriminals) who carry out the attacks. These affiliates receive a percentage of the ransom payment, with LockBit taking a cut
- Double Extortion: Like many modern ransomware groups, LockBit employs double extortion, meaning it not only encrypts the victim’s files but also threatens to release sensitive data if the ransom isn’t paid
- Highly Automated and Fast: LockBit ransomware is known for its high level of automation, which makes it faster to spread across the network and encrypt files
Selected Security Breaches Associated with Threat Actor: LockBit has been responsible for numerous high-profile breaches, targeting various industries and organizations around the globe. Some notable victims include Evolve Bank and Trust (2024), Boeing (2023), Thales Group (2022), Mercedes-Benz USA (2021), and Accenture (2021). These attacks demonstrate the group’s ability to infiltrate organizations across different sectors. In the third quarter of 2024, LockBit continued its assault on numerous companies. Below is a small list of selected breaches associated with LockBit sourced from Blackfog. While some incidents have been publicly disclosed, many remain undisclosed:
Victim Name | Victim Information | Victim Location |
---|---|---|
Kulicke & Soffa | Semiconductor manufacturer | Singapore |
KBC Zagreb | University hospital center | Croatia |
Wattle Range Council | Local government | Australia |
Clay County Indiana | Local government | USA |
Federated Co-Operatives | Co-operative federation | Canada |
Real Hospital Português de Beneficência | Private hospital | Brazil |
Lothar Rapp | Contractor | Germany |
Customs Support Group | Customs broker | Netherlands |
Akanea | Software company | France |
Barking Well Media | Media company | Greece |
Luis Oliveras | Food product supplier | Spain |
Exol Lubricants | Lubricant manufacturer | UK |
GB Ricambi SpA | Machinery manufacturer | Italy |
Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access: LockBit is known to use the following techniques to gain initial access to its victims’ IT infrastructure:
Selected Vulnerabilities Exploited by Threat Actor: LockBit affiliates have been documented exploiting numerous CVEs, including:
Vulnerable Product | Vulnerability |
---|---|
Citrix VPN (Bleed) | CVE-2023-4966, CVE-2019-19781 |
PaperCut MF/NG | CVE-2023-27350 |
Fortra GoAnyhwere | CVE-2023-0669 |
Microsoft Exchange (ProxyLogon, ProxyShell) | CVE-2021-2685, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 |
Apache (Log4j2) | CVE-2021-44228 |
F5 BIG-IP and BIG-IQ | CVE-2021-22986 |
Pulse Secure VPN | CVE-2019-11510 |
Microsoft RDP | CVE-2019-0708 |
Fortinet VPN | CVE-2018-13379 |
Further Reading: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a