Blackpoint Cyber, a managed detection and response (MDR) services provider that works closely with MSPs, has discovered new tactics, techniques and procedures (TTPs) attributed to BlackCat ransomware-as-a-service (RaaS) threat actors.
In each instance, Blackpoint detected lateral movement of BlackCat threat actors across unprotected devices, the company indicated. The threat actors used T1021.001, Remote Desktop Protocol (RDP), and T1021.002, SMB/Windows Admin Shares, to infiltrate these devices and deploy malicious enterprise software.
BlackCat threat actors deployed Total Software Deployment (TSD), a remote management tool commonly used by MSSPs, MSPs, and ITSPs, during their attacks, Blackpoint said. Also, Blackpoint noted that these threat actors used ScreenConnect (a.k.a. ConnectWise Control) for remote control and lateral movement.
In addition, BlackCat threat actors exploited free versions of TSD and ScreenConnect, Blackpoint stated. TSD can be downloaded without any checks. Meanwhile, ScreenConnect only requires an end-user to provide an email address, password and name of their preferred ScreenConnect URL.
FBI Issues BlackCat Warning
In its report, the FBI offered several recommendations to protect against BlackCat attacks, such as:
- Review domain controllers, servers, workstations and active directories for new or unrecognized user accounts.
- Back up data regularly and password-protect backup copies offline.
- Use network segmentation.
- Require administrator credentials to install software.
- Establish a recovery plan to maintain and retain multiple copies of data and servers in a physically separate, segmented and secure location.
- Update and patch operating systems, software and firmware frequently.
- Utilize multi-factor authentication (MFA).
BlackCat is a ransomware family created in the Rust programming language that is delivered via third-party frameworks and toolsets. To date, cybercriminals have used BlackCat attacks to compromise at least 60 entities worldwide, the FBI indicated.
Also of note: The CISA in May 2022 issued this cyber warning to MSPs and service providers.