BlackCat Preys On Old Firewall/VPN In Devices

Andrew Brandt, SophosLabs Principal Researcher, says a ransomware group attacking large organizations with malware called BlackCat has followed a consistent pattern over the past several months.

The threat actors break into enterprise networks by exploiting vulnerabilities in unpatched or outdated firewall/VPN devices, then pivot to internal systems after establishing a foothold from the firewall, he says.

Of the five attacks Sophos has investigated since December last year, initial access to the target's network was gained by exploiting a vulnerability that was first disclosed in 2018 and affected a particular firewall vendor's product.

“In two others, the attackers targeted a different firewall vendor’s product with a vulnerability that was disclosed last year,” he writes.

In one case, Sophos incident responders removed the compromised VPN accounts from the firewall and created new username/password combinations.

The attacker simply ran the same exploit a second time, extracted the newly created passwords that were being used in the incident response, and carried on attempting to encrypt machines.
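The re-exploitation described above is why rotating credentials on a still-unpatched device buys nothing, and it also turns the freshly created responder accounts into a useful indicator: nobody but the responders should be using them, and never from an address tied to the original intrusion. The following is an added example of detection logic for that situation; it is not code from Sophos or from the article. It runs over constructed VPN authentication log lines and flags any use of a rotated account from an IP seen in the original intrusion or from outside the responders' own source range. The log format, the account names, the IP ranges and the `find_rotated_credential_abuse` function are all assumptions made for the illustration.

```python
"""Flag misuse of credentials that were rotated during incident response.

Added example (not from the Sophos story). It assumes a simple, constructed
VPN authentication log format, one event per line:

    <ISO-8601 timestamp> <username> <source IP> <success|failure>
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# --- Constructed sample data (not real accounts, addresses or events) ---

# Accounts the responders created after removing the compromised ones.
ROTATED_ACCOUNTS = {"ir-admin-01", "ir-admin-02"}

# Source ranges the responders actually connect from (documentation range).
RESPONDER_NETS = [ip_network("203.0.113.0/24")]

# Addresses observed during the original intrusion (documentation range).
KNOWN_ATTACKER_IPS = {"198.51.100.77"}

# Constructed VPN log excerpt: two responder logins, then the same exploit
# re-run from the attacker's address, then a login from an unknown address.
SAMPLE_LOG = """\
2022-01-10T09:00:00Z ir-admin-01 203.0.113.5 success
2022-01-10T09:05:00Z ir-admin-02 203.0.113.5 success
2022-01-10T13:40:00Z ir-admin-01 198.51.100.77 success
2022-01-10T13:41:00Z ir-admin-02 198.51.100.77 failure
2022-01-10T14:00:00Z jsmith 192.0.2.10 success
2022-01-10T15:00:00Z ir-admin-01 192.0.2.200 success
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    src_ip: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, src_ip, result)."""
    timestamp, user, src_ip, result = line.split()
    return timestamp, user, src_ip, result


def _from_responder_range(src_ip: str) -> bool:
    addr = ip_address(src_ip)
    return any(addr in net for net in RESPONDER_NETS)


def find_rotated_credential_abuse(log_text: str) -> List[Alert]:
    """Return an Alert for every event involving a rotated account that came
    either from an address seen in the original intrusion or from outside the
    responders' source range. Failed attempts are reported too, because a
    failed login with a rotated username from the attacker's address already
    shows the new credentials have leaked."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, src_ip, _result = parse_line(line)
        if user not in ROTATED_ACCOUNTS:
            continue
        if src_ip in KNOWN_ATTACKER_IPS:
            alerts.append(Alert(timestamp, user, src_ip,
                                "rotated account used from IP seen in original intrusion"))
        elif not _from_responder_range(src_ip):
            alerts.append(Alert(timestamp, user, src_ip,
                                "rotated account used outside responder source range"))
    return alerts


if __name__ == "__main__":
    for alert in find_rotated_credential_abuse(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.user} from {alert.src_ip}: {alert.reason}")
```

On the constructed excerpt this raises three alerts: the two events from 198.51.100.77 (one of them a failure) and the later success from 192.0.2.200. The order of the checks matters: a known intrusion address is reported as such even if it happened to fall inside the responder range, which would itself indicate the responders' own egress had been compromised. None of this replaces patching the device first; it only shortens the time before a repeat of the scenario in the story is noticed.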
