BlackCat Targets Microsoft Exchange Signaling a Disturbing New Trend

blackcat pixabay
BlackCat ransomware and its affiliates are now attacking Microsoft Exchange servers through stolen credentials or by exploiting unpatched vulnerabilities, a disturbing trend according to Microsoft.

Guest Editorial by Jon Hencinski, Director, Threat Detection & Response, Expel

On June 13, Microsoft posted this blog, “The many lives of BlackCat ransomware,” detailing the history of one of the most notorious examples of ransomware-as-a-service (RaaS).

Microsoft noted a concerning trend: BlackCat ransomware and its affiliates are now attacking Microsoft Exchange servers through stolen credentials or by exploiting unpatched vulnerabilities.

After gaining access, the attackers launched discovery commands to collect operating system information and determine domain computers, domain controllers, and domain admins in the environment.

Within days, they could sign into specific target devices and exfiltrate information.

(Learn More. Courtesy of Cyber Up To Date and YouTube. Posted week of Jun 23, 2022.)

BlackCat has been a problem in the security world for some time, but this new approach is concerning because Microsoft Exchange is widely used across a range of industries.

Fortunately, Microsoft is aware of the danger and issued guidelines for protecting against this type of ProxyLogon attack as far back as March 2021.

Defending against this vulnerability is relatively simple—if organizations recognize the threat and the steps they need to take to mitigate it.

Understanding and Addressing the Threat

The widespread shift to remote work is a significant factor in this new vulnerability.

Many organizations expose Microsoft Exchange services to the internet to support this new “work from home” reality, along with employee devices like personal laptops and mobile phones.

Any organization using an unpatched version of Microsoft Exchange is at risk—but that’s not all.

Organizations that don’t expose Microsoft Exchange services to the internet can still be in danger. Even offline, unpatched versions of Microsoft Exchange can provide an avenue for ransomware operators to obtain administrative privileges.

This means that even if exploitation of a Microsoft Exchange server isn’t the initial entry point for an attacker, it can still be used as a path to obtain administrator-level privileges. Once an attacker compromises an admin-level account, the potential damage increases significantly.

(The ransomware, dubbed BlackCat, was disclosed by MalwareHunterTeam. “Victims can pay with Bitcoin or Monero,” the researchers said in a series of tweets detailing the file-encrypting malware. “Also looks they are giving credentials to intermediaries” for negotiations. Security researcher Michael Gillespie called it a “very sophisticated ransomware.” Courtesy of 7R0(K-7R and YouTube.)

The first step to addressing this threat?

Make sure all active versions of Microsoft Exchange are fully patched and updated. It isn’t always easy to get employees to click the “update” button and disrupt their workflow, but it’s important to stress that these updates almost always contain critical security patches.

Organizations that believe they may be exposing unpatched Microsoft Exchange services to the internet should also consider temporarily isolating it: block inbound connections over port 443 to reduce the risk of exploitation until all updates are applied. This provides an extra layer of security while the organization ensures any stragglers apply the needed patches.

To seek out potential vulnerabilities, organizations should scan and catalog any services exposed to the internet using a network mapper—like Nmap or services like Shodan.io.

As a best practice, organizations should generally avoid exposing Remote Desktop Services to the internet. From a detection perspective, they should set up alerts for usage of PsExec or any atypical activity from Microsoft Exchange and Internet Information Services (IIS) worker processes using Endpoint Detection and Response (EDR) tools, or a Security Information and Event Management (SIEM) system.

These steps can help organizations avoid exposing themselves to potential danger while also putting them in a good position to detect any threats that slip through the cracks.

Awareness is key

The evolution of BlackCat highlights the importance of remaining aware of current threats.

Attackers are constantly evolving their tactics, and even known threats like BlackCat can change over time. It also highlights the need to keep systems and services up to date with patches and updates, even when those systems are not connected to the internet.

Jon Hencinski, Director, Threat Detection & Response, Expel
Jon Hencinski, Director, Threat Detection & Response, Expel

Strong in-network detection tools can keep organizations better protected against savvy attackers who manage to evade existing safeguards.

Through a combination of patching, network mapping, and detection tools, organizations can put themselves in the best possible position to avoid not just BlackCat, but other looming threats.

About the Author

Jon Hencinski is the Director of Detection & Response at Expel, a managed detection and response (MDR) provider. Jon is responsible for overseeing the operations of Expel’s security operating center (SOC) and detection and response engineering.

Jon has over a decade of experience building and leading security teams that lead with tech and data to protect customers and help them win.

Learn More…

(See how SentinelOne mitigates and rolls back BlackCat Ransomware. BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. Current data indicates primary delivery of BlackCat is via 3rd party framework/toolset (aka Cobalt Strike) or via exposed (and vulnerable) applications. Courtesy of SentinelOne and YouTube. Posted on Jan 4, 2022.)

Attivo Networks (a SentinelOne Company) Takes Triple Platinum in 2021 ‘ASTORS’ Awards 

2021 ‘ASTORS’ Awards Luncheon (starting front row, left to right) SIMS Software President & CEO Michael Struttmann; TENEO Risk Advisory Executive Chairman Commissioner Bill Bratton; NEC National Security Systems President Dr. Kathleen Kiernan; TSA Administrator David Pekoske; Fortior Solutions General Counsel Katherine Cowan; NEC Corporation of America Senior Vice President & Chief Experience Officer Raffie Beroukhim; TENEO Risk Advisory Chief of Staff David Cagno; Infragard National Board Member Doug Farber, Lumina Analytics Co-Founder & Chairman Allan Martin, and AMAROK Senior Vice President Sales & Marketing Mike Dorrington.
2021 ‘ASTORS’ Awards Luncheon (starting front row, left to right) SIMS Software President & CEO Michael Struttmann; TENEO Risk Advisory Executive Chairman Commissioner Bill Bratton; NEC National Security Systems President Dr. Kathleen Kiernan; TSA Administrator David Pekoske; Fortior Solutions General Counsel Katherine Cowan; NEC Corporation of America Senior Vice President & Chief Experience Officer Raffie Beroukhim; TENEO Risk Advisory Chief of Staff David Cagno; Infragard National Board Member Doug Farber, Lumina Analytics Co-Founder & Chairman Allan Martin, and AMAROK Senior Vice President Sales & Marketing Mike Dorrington.

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

Attivo Networks (First of Three)

Best Identity Detection & Response Solution

  • IDR Suite of Products

  • Attivo Networks®, a leader in identity detection and response, has expanded its portfolio to include cloud identity security.

    Organizations provision human and non-human identities (applications, virtual machines, serverless functions, and such) on the network and in the cloud, which attackers target early in the attack cycle to progress their attacks. 

  • By stealing these identities, they can impersonate authorized users, access resources, move laterally throughout the network and cloud environments, conduct reconnaissance, elevate privileges, identify targets, and compromise data.

Identity security is central to the cybersecurity threat landscape, and the ability to detect and respond to identity-based threats is essential.
Identity security is central to the cybersecurity threat landscape, and the ability to detect and respond to identity-based threats is essential.
  • While many tools intend to keep networks secure, Identity Detection and Response (IDR) gives organizations a critical new weapon in their arsenal to find and fix credential and entitlement weaknesses and detect live attacks on a real-time basis.

  • As modern cybercriminals attempt to exploit vulnerable credentials and entitlements to move through networks undetected, IDR solutions play a meaningful role in stopping them, whereas other tools simply cannot.

  • Attivo Networks IDR Suite of Products can seamlessly extend to the cloud and deliver detailed entitlement visibility for identities – including users, applications, containers, serverless functions, and other assets.

Attivo Networks (Second of Three)

Best Intrusion Detection & Prevention Solution

  • IDR Suite of Products

  • Attack surfaces have expanded dramatically with the shift toward remote work putting identity at the forefront of security, a major shift from traditional perimeter-based strategies.

  • Organizations must now defend identities across the entire enterprise with identity-based, least-privilege access programs and defenses capable of detecting attack escalation and lateral movement on-premises and in the cloud.

Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the IDR space. In the last year, the company has secured its leadership position based on its broad portfolio of IDR solutions.
Identity Detection Bundle: Includes ADSecure as part of the EDN® suite, which provides a full Identity Detection and Response (IDR) solution to detect AD attack, protect against credential theft and misuse, visualize attack paths, as well as detection for lateral movement.
  • Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the Identity Detection and Response space.

  • In the last year, the company has secured its leadership position based on its broad portfolio of capabilities that focus on unprecedented visibility to exposures and misconfigurations of identities and entitlements and early detection of credential theft, misuse, and privileged escalation activities.

(The Attivo ThreatDefend® Platform delivers unparalleled attack prevention, detection, and adversary intelligence collection based on cyber deception and data concealment technologies for an informed defense. The platform efficiently derails attacker discovery, lateral movement, privilege escalation, and collection activities early in the attack cycle across endpoints, Active Directory, and network devices on-premises, in clouds, and on specialized attack surfaces. Courtesy of Attivo Networks and YouTube.)

Attivo Networks (Third of Three)

Best Cloud Security Solution

  • IDEntitleX

  • IDEntitleX is Attivo Networks’ Cloud Infrastructure Entitlement (CIEM) solution, which provides unprecedented visibility for cloud permissions management.

  • Customers gain actionable visibility to cloud identity risks and entitlement exposures so they can address risky entitlements and drift from security policies.

  • This solution makes it easy to identify and reduce risk by providing intuitive and interactive graphical visualizations for cloud identities, roles/permissions, and resources.

IDEntitleX
Identify and reduce risk using the intuitive and interactive graphical visualizations for cloud identities, roles/permissions, and resource. Gain the visibility needed to reduce attack pathways within the cloud environment.
  • Defenders now gain the visibility needed to see misconfigurations and excess permissions attackers can leverage to create attack paths and persistence within the cloud environment.

2021 'ASTORS' Premier Sponsors

*Attivo Networks is also a Returning Premier Sponsor of the Annual ‘ASTORS’ Homeland Security Awards Program for the Fourth Year, and a Multi-Platinum Award Winner in the 2020, 2019, 2018 and 2017 ‘ASTORS’ Awards Programs.

Thomas Richardson, FDNY Chief of Department; Dr. Kathleen Kiernan, President of NEC National Security Systems; and Richard Blatus, FDNY Assistant Chief of Operations at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

AST Honors Thomas Richardson, FDNY Chief of Department; Dr. Kathleen Kiernan, President of NEC National Security Systems; and Richard Blatus, FDNY Assistant Chief of Operations, at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

The United States was forever changed 20 years ago on September 11th, and we were fortunate to have many of those who responded to those horrific tragedies join us at the 2021 ‘ASTORS’ Awards Luncheon.

In the days that followed 9/11, the critical needs of protecting our country catapulted us into new and innovative ways to secure our homeland – which is how many of the agencies and enterprise organizations that are today ‘ASTORS’ Awards Champions, came into being.

Our keynote speaker TSA Administrator David Pekoske delivered a moving and timely address on the strategic priorities of the 64,000 member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel, and more (Be sure to see Interview.)
TSA Administrator David Pekoske addressing attendees at the 2021 ‘ASTORS’ Awards Luncheon in New York City on November 17, 2021. (Be sure to see AST Exclusive Interview, facilitated by Dr. Kathleen Kiernan HERE.)

Our 2021 keynote speaker featured a moving and informative address from TSA Administrator and Vice-Admiral of the United States Coast Guard (Ret), David Pekoske; to our attendees who traveled from across the United States and abroad, on the strategic priorities of the 64,000 member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel.

Commissioner Bill Bratton signing copies of his latest work, ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ at the 2021 ‘ASTORS’ Awards Presentation Luncheon. (Be sure to see AST Exclusive Interview with Comm Bratton, facilitated by Dr. Kathleen Kiernan HERE.)

Legendary Police Commissioner William Bratton of the New York Police Department, the Boston Police Department, and former Chief of the Los Angeles Police Department was also live at the event, meeting with attendees and signing copies of his latest work ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ courtesy of the generosity of our 2021 ‘ASTORS’ Awards Premier Sponsors.

The 2022 ‘ASTORS’ Awards Program is Proudly Sponsored by New PLATINUM SPONSOR: NEC National Security Systems (NSS), New Premier Sponsors Rajant Corporation, and guardDog AI, and returning Sponsors to date, Automatic Systems, RX Global, and SIMS Software!

The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. #MentorshipMatters

So be on the lookout for exciting upcoming announcements of Speakers, Presenters, Book Signing Opportunities, and Attendees at the 2022 ‘ASTORS’ Awards Presentation Luncheon in November of 2022 in New York City!

Nominations are currently being accepted for the 2022 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

Comprehensive List of Categories Include:

Access Control/ Identification Personal/Protective Equipment Law Enforcement Counter Terrorism
Perimeter Barrier/ Deterrent System Interagency Interdiction Operation Cloud Computing/Storage Solution
Facial/IRIS Recognition Body Worn Video Product Cyber Security
Video Surveillance/VMS Mobile Technology Anti-Malware
Audio Analytics Disaster Preparedness ID Management
Thermal/Infrared Camera Mass Notification System Fire & Safety
Metal/Weapon Detection Rescue Operations Critical Infrastructure
License Plate Recognition Detection Products COVID Innovations
Workforce Management Government Security Programs And Many Others to Choose From!

Don’t see a Direct Hit for your Product, Agency or Organization?

Submit your category recommendation for consideration to Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com.

Team TSA
Honoring the 20th anniversary of the Transportation Security Administration (Team TSA at the 2021 ‘ASTORS’ Awards Presentation Luncheon.)

In 2021 over 200 distinguished guests representing Federal, State and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields which included:

Representing NEC at the 2021 'ASTORS' Awards Luncheon -Stacey Brown, SVP Raffie Beroukhim, Dr. Kathleen Kiernan, 2021 'ASTORS' Industry Leader of the Year; Christopher Gillyard, Rachel Sisk, and Frank Sangiorg
Representing NEC Corporation at the 2021 ‘ASTORS’ Awards Luncheon at ISC in New York City – NEC Director of Marketing Stacey Brown, NEC Senior Vice President Raffie Beroukhim, NEC NSS President Dr. Kathleen Kiernan, the 2021 ‘ASTORS’ Extraordinary Industry Leadership & Innovation Person of the Year; NEC NSS Regional Sales Director Chris Gillyard, NEC NSS Executive Assistant Rachel Sisk, and NEC Regional Sales Director Frank Sangiorgi

Corporate firms, the majority of which return year to year to build upon their record of accomplishment include:

AlertMedia, Allied Universal, AMAROK, ATI Systems, Attivo Networks, Axis Communications, Automatic Systems of America, BriefCam, Canon U.S.A., Fortior Solutions, guardDog.ai, Hanwha Techwin of America, HID Global, Mark43, IPVideo Corporation, Konica Minolta Business Solutions, Lumina Analytics, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogicSenstar Corporation, ShotSpotter, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and Wiresecure, just to name a few!

Register for the 2022 ‘ASTORS’ Luncheon Today

In a typical year, DEAC Sabatino oversees the facilitation of legitimate travel for more than 410 million travelers in the air, land, and maritime environments.
Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP).

American Security Today is delighted to announce, that Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP), will be the opening keynote speaker at the much-anticipated 2022 ‘ASTORS’ Awards Presentation Luncheon, on Wednesday, November 16th, 2022.

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

To take advantage of this exclusive luncheon opportunity to invite your team, guests, clients, and show visitors to a gourmet, affordable, plated meal event in the heart of New York City, for a fabulous networking opportunity!

Go to https://americansecuritytoday.com/product/awards-luncheon/ to secure your seat or reserve a table. ***Limited space available so Register Today. There will be no on-site registrations.

The 2021 ‘ASTORS’ Awards Program surpassed expectations with a record number of nominations received from industry leaders and government agencies, and drew over 200 attendees to the ‘ASTORS’ Awards Presentation Banquet – an exclusive gourmet luncheon and networking opportunity which filled to capacity, before having to turn away late registrants.

Your ‘ASTORS’ Awards Luncheon registration includes complimentary attendee access to ISC East where you can meet the world’s most innovative suppliers and cyber experts, immerse yourself in hands-on tech and learn from world-renowned speakers and thought-leaders.

Why American Security Today?

The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast-changing security landscape.

American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.

American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.

Harness the Power of the Web – with our 100% Mobile Friendly Publications

AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.
AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.

‘PROTECTING OUR NATION, ONE CITY AT A TIME’

AST Reaches both Private & Public Experts, essential to meeting these new challenges.

Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

American Security Today

These experts are from Government at the federal, state, and local level as well as from private firms allied to the government.

AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

(See just a few highlights of American Security Today’s 2021 ‘ASTORS’ Awards Presentation Luncheon at ISC East. Courtesy of My Pristine Images and Vimeo.)

To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, please see the 2021 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2021 ‘A Year in Review’.

The Annual CHAMPIONS edition includes a review of Annual ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.

It serves as your Go-To Source throughout the year for The Best of 2021 Products and Services endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.

From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.

It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2021 ‘ASTORS’ Awards Program.

  • For a complete list of 2021 ‘ASTORS’ Award Winners, begin HERE.

For more information on All Things American Security Today, as well as the 2021 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.

AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

  • Provides named sources
  • Reported by more than one notable outlet
  • Includes supporting video, direct statements, or photos

Subscribe to the AST Daily News Alert Here.