BlackCat Preys On Old Firewall/VPN Devices
Andrew Brandt, SophosLabs Principal Researcher, says a ransomware group attacking large organizations with malware called BlackCat has followed a consistent pattern over the past several months.
The threat actors break into enterprise networks by exploiting vulnerabilities in unpatched or outdated firewall/VPN devices, then pivot to internal systems after establishing a foothold from the firewall, he says.
Of the five attacks investigated by Sophos since December last year, the attackers gained initial access to the target’s network by exploiting a vulnerability that was first disclosed in 2018 and affected a particular firewall vendor’s product.
“In two others, the attackers targeted a different firewall vendor’s product with a vulnerability that was disclosed last year,” he writes.
In one case, after Sophos incident responders removed the compromised VPN accounts from the firewall and created new username/password combinations, the attacker simply ran the same exploit a second time, extracted the newly created passwords that were being used in the incident response, and carried on attempting to encrypt machines.
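The lesson of that last incident is an ordering one: rotating credentials on an edge device that is still exploitable does not close the attacker's access, because the same exploit can be rerun to harvest the new passwords. As an added illustration, not part of the article or of any Sophos tooling, the script below audits a constructed incident-response timeline (placeholder device names and dates) and flags rotations done before the device was patched, devices never patched at all, and devices patched but never re-rotated afterwards.

```python
# Constructed sample IR timeline (not from the article). Device names and
# timestamps are placeholders; ISO-8601 strings sort chronologically as text.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T09:00", "device": "edge-fw-1", "action": "rotate_vpn_credentials"},
    {"ts": "2022-03-01T14:00", "device": "edge-fw-1", "action": "rotate_vpn_credentials"},
    {"ts": "2022-03-02T08:00", "device": "edge-fw-1", "action": "patch"},
    {"ts": "2022-03-02T10:00", "device": "edge-fw-2", "action": "patch"},
    {"ts": "2022-03-02T11:00", "device": "edge-fw-2", "action": "rotate_vpn_credentials"},
    {"ts": "2022-03-03T09:00", "device": "edge-fw-3", "action": "rotate_vpn_credentials"},
]


def audit_remediation_order(events):
    """Return (device, timestamp, finding) tuples for remediation mistakes.

    rotation_before_patch    credentials were rotated while the device was
                             still exploitable, so they must be treated as
                             already exposed (the BlackCat case above)
    never_patched            the device has no patch event at all
    no_rotation_after_patch  patched, but the credentials that existed while
                             it was exploitable were never replaced
    """
    by_device = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_device.setdefault(e["device"], []).append(e)

    findings = []
    for device, evs in by_device.items():
        patched_at = None
        rotated_after_patch = False
        for e in evs:  # chronological per device
            if e["action"] == "patch":
                patched_at = e["ts"]
            elif e["action"] == "rotate_vpn_credentials":
                if patched_at is None:
                    findings.append((device, e["ts"], "rotation_before_patch"))
                else:
                    rotated_after_patch = True
        if patched_at is None:
            findings.append((device, None, "never_patched"))
        elif not rotated_after_patch:
            findings.append((device, patched_at, "no_rotation_after_patch"))
    return findings


if __name__ == "__main__":
    for device, ts, finding in audit_remediation_order(SAMPLE_EVENTS):
        print(f"{device}\t{ts}\t{finding}")
```

Only edge-fw-2, which was patched first and rotated afterwards, comes out clean; the other two devices show why the rotation in the incident above bought the responders nothing.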