In a recent security incident, Sophos detected the most recent variant of the BlackCat/ALPHV ransomware, named Sphynx. This version introduces new functionality and has been used to encrypt Azure Storage accounts.
In this incident, the attackers infiltrated a victim's Sophos Central account and successfully encrypted 39 Azure Storage accounts.
Modus operandi
- After gaining unauthorized access to the victim's Sophos Central account by using a stolen OTP, the BlackCat gang disabled the Tamper Protection feature and altered the security policies.
- These actions were made possible by pilfering the OTP from the victim's LastPass vault through the LastPass Chrome extension.
- Following this breach, the attackers proceeded to encrypt the systems belonging to the Sophos customer as well as their remote Azure cloud storage.
- They also added the ".zk09cvt" extension to all the files that they locked.
In addition to these activities, the attackers employed several Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera, throughout the intrusion.
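As an added example (not code from Sophos or the original report), the following Python sketch shows how a defender could flag the two host-level indicators described above, a burst of renames to the ".zk09cvt" extension and launches of the named RMM tools, over constructed sample telemetry. The log line format, the RMM binary names and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the incident), "<timestamp> <host> <event> <detail>".
SAMPLE_LOGS = """\
2023-09-01T10:00:01Z host-a PROCESS_START AnyDesk.exe
2023-09-01T10:00:05Z host-a FILE_RENAME C:/data/q3.xlsx -> C:/data/q3.xlsx.zk09cvt
2023-09-01T10:00:06Z host-a FILE_RENAME C:/data/plan.docx -> C:/data/plan.docx.zk09cvt
2023-09-01T10:00:07Z host-a FILE_RENAME C:/data/notes.txt -> C:/data/notes.txt.zk09cvt
2023-09-01T10:30:00Z host-b FILE_RENAME C:/tmp/old.log -> C:/tmp/old.log.bak
2023-09-01T11:00:00Z host-c PROCESS_START splashtop.exe
"""

RANSOM_EXT = ".zk09cvt"  # extension reported in the incident
RMM_TOOLS = {"anydesk.exe", "splashtop.exe", "atera.exe"}  # binary names are assumed
RENAME_THRESHOLD = 3  # ransom-extension renames per host within WINDOW
WINDOW = timedelta(minutes=5)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(line):
    """Split one log line into (timestamp, host, event, detail); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, detail = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, detail

def detect(log_text):
    """Return {host: [findings]} for RMM launches and bursts of ransom-extension renames."""
    renames, findings = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, event, detail = rec
        if event == "PROCESS_START" and detail.lower() in RMM_TOOLS:
            findings[host].append(f"RMM tool launched: {detail}")
        elif event == "FILE_RENAME" and detail.lower().endswith(RANSOM_EXT):
            renames[host].append(ts)
    for host, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted rename times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings[host].append(f"{end - start + 1} files renamed to {RANSOM_EXT} within {WINDOW}")
                break
    return dict(findings)
```

The host-b rename to ".bak" is ignored, so only the burst of ransom-extension renames and the RMM launches surface as findings.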
A bit on Sphynx
In July, Microsoft discovered Sphynx, which incorporated the Impacket networking framework and the Remcom hacking tool.
- A deep dive by IBM Security X-Force revealed that Sphynx has updated capabilities that enable the BlackCat ransomware to evade detection more efficiently.
- For instance, changes have been made to the command line arguments.
- In earlier versions, the ransomware operated by using the "-access-token" parameter for execution. However, Sphynx eliminates this parameter and introduces a set of more intricate arguments.
BlackCat in news
- In 2023, ALPHV and Cl0P emerged as the most frequent ransomware groups targeting U.K. organizations with £10 million (~$12 million) in bank assets, replacing Karakurt as the leading ransomware threat against large organizations.
- In July, the FIN8 group was found disseminating the BlackCat ransomware via a new variant of its Sardonic backdoor.
The bottom line
The use of Sphynx in this incident raises significant concerns. To fortify defenses against such threats, organizations should consider strengthening their MFA mechanisms, closely monitoring and patching vulnerabilities in third-party extensions, and continually updating their cybersecurity protocols to adapt to evolving ransomware TTPs.