The ransomware group known as BlackCat (ALPHV) has recently been using stolen Microsoft accounts and a newly identified encryptor called Sphynx to target Azure cloud storage. Sophos X-Ops incident responders discovered this while investigating a breach in which the attackers deployed a Sphynx variant that supports custom credentials, so stolen keys can be built into the binary. They gained access to the victim's Sophos Central account with a stolen One-Time Password (OTP), then disabled Tamper Protection (the setting that stops local users from disabling or uninstalling the Sophos endpoint agent) and modified the security policies. The OTP was read out of the victim's LastPass vault through the LastPass Chrome extension.

After gaining access, the attackers encrypted the Sophos customer's systems and its remote Azure cloud storage, adding the .zk09cvt extension to every locked file. In total they encrypted 39 Azure Storage accounts. They reached the targeted storage accounts in the victim's Azure portal with a stolen Azure key; the keys used in the attack were Base64-encoded and injected into the ransomware binary. A storage account key authorises full data-plane access to that account on its own, independent of the owning user's password or MFA, so the stolen OTP and the stolen key are two separate footholds, and both must be revoked: rotating the key is the only way to cut off the embedded credential.
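A practical follow-up to the embedded-key detail is pulling the credential out of a captured sample so that you know which storage accounts to rotate. The script below is an added example written for this page, not code from Sophos, Microsoft or the ransomware itself. It assumes the key was embedded as a Base64-encoded Azure Storage connection string (AccountName=...;AccountKey=...), which the article does not state, and the stand-in "binary", the account names and the keys are all constructed for the demonstration. It also checks raw (unencoded) strings, so it covers a builder that skips the Base64 step.

```python
import base64
import re

# Azure Storage connection strings carry the account name and its shared key as
# "AccountName=<name>;AccountKey=<key>". A storage account key is 64 random bytes,
# Base64-encoded: 88 characters ending in "==".
CONN_RE = re.compile(r"AccountName=([a-z0-9]{3,24});AccountKey=([A-Za-z0-9+/]{86}==)")
# Base64-looking runs inside arbitrary bytes; requiring 40+ characters skips most noise.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def decode_candidates(blob: bytes):
    """Yield the ASCII text of every Base64 run in blob that decodes to printable text."""
    for match in B64_RUN_RE.finditer(blob):
        run = match.group(0)
        padded = run + b"=" * (-len(run) % 4)  # restore padding if it was trimmed
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            yield text


def extract_storage_credentials(blob: bytes):
    """Return (account_name, account_key) pairs embedded in blob, raw or Base64-wrapped.

    Raw strings are scanned as well as decoded Base64 runs, so this goes beyond the
    Base64 packing the article describes. Duplicates are dropped, first occurrence wins.
    """
    found = []
    for text in [blob.decode("latin-1"), *decode_candidates(blob)]:
        for name, key in CONN_RE.findall(text):
            if (name, key) not in found:
                found.append((name, key))
    return found


def constructed_sample() -> bytes:
    """Build a stand-in 'binary': junk bytes with two Base64-wrapped connection strings.

    Every account name and key here is invented for the example (assumption, not data
    from the incident); the junk is a fixed byte pattern so the output is deterministic.
    """
    conn = ("DefaultEndpointsProtocol=https;AccountName={name};"
            "AccountKey={key};EndpointSuffix=core.windows.net")
    accounts = [
        ("victimstorage01", base64.b64encode(bytes(range(64))).decode()),
        ("victimbackup02", base64.b64encode(bytes(range(64, 128))).decode()),
    ]
    wrapped = [base64.b64encode(conn.format(name=n, key=k).encode()) for n, k in accounts]
    junk = bytes((i * 37) % 256 for i in range(300))
    # NUL separators keep junk bytes from merging into the Base64 runs.
    return b"\x00".join([junk, wrapped[0], junk[::-1], wrapped[1], junk])


if __name__ == "__main__":
    for name, key in extract_storage_credentials(constructed_sample()):
        print(f"rotate keys for storage account {name!r} (embedded key prefix {key[:8]})")
```

Once the account names are known, renew both keys (`az storage account keys renew --account-name <name> --key primary`, then `--key secondary`) and, where the workloads can authenticate with Microsoft Entra ID instead, disable shared-key access on the account (`az storage account update --name <name> --allow-shared-key-access false`); until the key is renewed, the copy inside the binary keeps working.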

The attackers also used several Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera, throughout the intrusion. Sophos first discovered the Sphynx variant in March 2023 while investigating a data breach that shared similarities with another attack described in an IBM X-Force report published in May; the ExMatter tool was used to exfiltrate stolen data in both intrusions.

Microsoft also recently found that the new Sphynx encryptor bundles the Remcom remote command-execution tool and the Impacket networking framework, which the operators use for lateral movement across compromised networks.

BlackCat/ALPHV, which emerged as a ransomware operation in November 2021, is suspected to be a rebrand of DarkSide/BlackMatter. Under the DarkSide name, the group gained global attention after breaching Colonial Pipeline in May 2021, which drew scrutiny from international law enforcement agencies. It rebranded as BlackMatter in July 2021 but abruptly halted operations that November, after its servers were seized and security firm Emsisoft developed a decryption tool exploiting a vulnerability in the ransomware.

BlackCat/ALPHV is known as one of the most sophisticated and high-profile ransomware groups targeting enterprises worldwide, and it continuously adapts and refines its tactics. In summer 2022, for example, it adopted a new extortion approach, publishing the stolen data of specific victims on a dedicated clear web website so that the victims' customers and employees could check whether their data had been exposed. In July 2022 it introduced a data leak API to streamline the distribution of stolen data.

Recently, one of the group's affiliates, tracked as Scattered Spider, claimed responsibility for an attack on MGM Resorts. After MGM took its internal infrastructure offline, the attackers responded by encrypting more than 100 ESXi hypervisors. The company refused to negotiate a ransom payment.

In April 2022, the FBI issued a warning that BlackCat/ALPHV was behind successful breaches of more than 60 entities worldwide between November 2021 and March 2022.
