Former Ubiquiti dev charged for trying to extort his employer
New malware hides as legit nginx process on e-commerce servers
Nine WiFi routers used by millions were vulnerable to 226 flaws
Emotet now spreads via fake Adobe Windows App Installer packages
Microsoft Edge now bashes Google Chrome when you download it
Phishing actors start exploiting the Omicron COVID-19 variant
Twitter removes 3,400 accounts used in govt propaganda campaigns
Hackers use in-house Zoho ServiceDesk exploit to drop webshells
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.
ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.
These vulnerabilities are listed below and were fixed by security updates released in April and May 2021:
Since researchers disclosed the vulnerabilities, threat actors have begun to exploit them to breach servers and install web shells, coin miners, and ransomware.
In a detailed report by Red Canary, researchers analyzed a BlackByte ransomware attack where they saw them exploiting the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.
Web Shells are small scripts uploaded to web servers that allow a threat actor to gain persistence to a device and remotely execute commands or upload additional files to the server.
The planted web shell is then utilized to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.
The widely abused penetration testing tool is then used for dumping credentials for a service account on the compromised system.
Finally, after taking over the account, the adversaries install the AnyDesk remote access tool and then proceed to the lateral movement stage.
When conducting ransomware attacks, threat actors commonly use third-party tools to gain elevated privileges or deploy the ransomware on a network.
However, the actual BlackByte ransomware executable plays a central role as it handles both privilege escalation and the ability to worm, or perform lateral movement, within the compromised environment.
The malware sets three registry values, one for local privilege elevation, one for enabling network connection sharing between all privilege levels, and one to allow long path values for file paths, names, and namespaces.
Before encryption, the malware deletes the “Raccine Rules Updater” scheduled task to prevent last-minute interceptions and also wipes shadow copies directly through WMI objects using an obfuscated PowerShell command.
Finally, stolen files are exfiltrated using WinRAR to archive files and anonymous file-sharing platforms such as “” or “”
Although Trustwave released a decryptor for BlackByte ransomware in October 2021, it is unlikely that the operators are still using the same encryption tactics that allowed victims to restore their files for free.
As such, you may or may not be able to restore your files using that decryptor, depending on what key was used in the particular attack.
Red Canary has seen multiple “fresh” variants of BlackByte in the wild, so there’s clearly an effort from the malware authors to evade detection, analysis, and decryption.
Exploiting ProxyShell vulnerabilities to drop ransomware is not new, and in fact, we saw something similar at the start of November by actors who deployed the Babuk strain.
The ProxyShell set has been under active exploitation from multiple actors since at least March 2021, so the time to apply the security updates is well overdue.
If that’s impossible for any reason, admins are advised to monitor their exposed systems for precursor activity such as the deletion of shadow copies, suspicious registry modification, and PowerShell execution that bypasses restriction policies.
Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware
Microsoft Exchange servers hacked in internal reply-chain attacks
Microsoft warns of the evolution of six Iranian hacking groups
Microsoft adds AI-driven ransomware protection to Defender
BlackByte ransomware decryptor released to recover files for free
The planted web shell is then utilized to drop a Cobalt Strike beacon on the server, injected into the Windows Update Agent process.

Hmm.. Windows update as an attack vector? How many holes can there be? Nobody will never know.
Not a member yet? Register Now
Former Ubiquiti dev charged for trying to extort his employer
Nine WiFi routers used by millions were vulnerable to 226 flaws
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Windows 10 21H1 now in broad deployment, available to everyone

CISA orders federal agencies to fix hundreds of exploited security flawsUS sanctions…

CISA orders federal agencies to patch Log4Shell by December 24th

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsBugs in billions…

FBI system hacked to email 'urgent' warning about fake cyberattacks

FBI system hacked to email ‘urgent’ warning about fake cyberattacksNew Windows 11…

Garrett walk-through metal detectors can be remotely manipulated

Russian hackers made millions by stealing SEC earning reportsThreat actors steal $80…