ALPHV Ransomware Affiliate targets vulnerable backup installations to gain initial access



Mandiant has identified a new affiliate of ALPHV (BlackCat ransomware), tracked as UNC4466, that targets publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 for an initial intrusion into the victims’ networks.

Mandiant reveals that in late 2022, UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of this intrusion.

After gaining access to the Veritas Backup Exec server, UNC4466 used Internet Explorer – which is installed by default on outdated Windows systems – to download Famatech’s Advanced IP Scanner from its website, hxxps://download.advanced-ip-scanner[.]com.

This program is able to thoroughly scan individual IP addresses or address ranges for any open ports and provides details such as hostnames, operating system and hardware manufacturer information.
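A network sweep of the kind described above leaves a distinctive footprint: one internal source contacting many distinct hosts in a short window. The following is an added example (not part of the original article or any Mandiant tooling) that flags such sweeps in flow records using a sliding time window; the flow data is constructed for the example, and the window and host threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed sample data (not real traffic): one workstation sweeping
    10.0.5.1-50 on three ports within a few minutes, plus a file server that
    talks to four clients spread over an hour."""
    start = datetime(2022, 11, 1, 10, 0, 0)
    flows = []
    # Assumed scanner host 10.0.5.20: one flow every second across 50 hosts
    for i in range(50):
        for j, port in enumerate((135, 139, 445)):
            ts = start + timedelta(seconds=i * 3 + j)
            flows.append((ts, "10.0.5.20", f"10.0.5.{i + 1}", port))
    # Assumed benign server 10.0.5.200: four peers, fifteen minutes apart
    for k in range(4):
        ts = start + timedelta(minutes=15 * k)
        flows.append((ts, "10.0.5.200", f"10.0.5.{100 + k}", 445))
    return flows


def detect_sweeps(flows, window=timedelta(minutes=5), host_threshold=20):
    """Return {source_ip: peak distinct destination hosts} for every source
    that reached at least `host_threshold` distinct hosts inside any sliding
    window of length `window`. Flows are (timestamp, src, dst, dport)."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in sorted(flows):
        by_src[src].append((ts, dst))

    findings = {}
    for src, events in by_src.items():
        counts = defaultdict(int)  # distinct destinations inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict events that fell out of the window
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= host_threshold:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    for src, hosts in detect_sweeps(build_sample_flows()).items():
        print(f"possible sweep from {src}: {hosts} distinct hosts in one window")
```

The threshold is deliberately coarse; in practice you would exempt known scanners (vulnerability management, monitoring) and correlate a hit with the source host's role, since a backup server reaching dozens of peers on SMB is expected while a workstation doing so is not.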

UNC4466 also made use of ADRecon to gather network, account, and host information in the victim’s environment, Mandiant researchers revealed. “When executed by a privileged domain account, ADRecon generates several reports about the Active Directory environment, including the Trusts, Sites, Subnets, password policies, user and computer account listings. These reports can be generated in a variety of formats, including CSV, XML, JSON, and HTML.”

The UNC4466 malicious group relied heavily on the Background Intelligent Transfer Service (BITS) to download a variety of tools that included LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware.
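Because BITS was the delivery channel for most of the tooling, the Microsoft-Windows-Bits-Client/Operational log (event ID 59, "BITS started the ... transfer job ... URL") is a natural place to look. The following is an added example, not code from the article or from Mandiant, that triages simplified BITS event records: it flags transfers from hosts outside an assumed allowlist, transfers from raw IP addresses, and job titles or URLs that name the tools listed above. The event records, the allowlist and the field names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Tool names the article associates with this intrusion, matched case-insensitively
SUSPICIOUS_NAMES = ("lazagne", "ligolo", "winsw", "rclone", "psexec", "adrecon")

# Assumed allowlist of hosts BITS is expected to talk to; extend for your environment
ALLOWED_HOSTS = ("windowsupdate.com", "update.microsoft.com")

# Constructed, simplified representation of BITS-Client/Operational records
# (real events carry more fields); only event 59 "transfer started" is triaged
SAMPLE_EVENTS = [
    {"event_id": 59, "job_title": "MicrosoftUpdate", "user": "SYSTEM",
     "url": "https://download.windowsupdate.com/d/msdownload/update/example.cab"},
    {"event_id": 59, "job_title": "job1", "user": "CORP\\svc_backup",
     "url": "http://203.0.113.10/r.exe"},            # TEST-NET-3 address, constructed
    {"event_id": 59, "job_title": "tools", "user": "CORP\\svc_backup",
     "url": "https://files.example.net/LaZagne.exe"},  # example.net, constructed
    {"event_id": 60, "job_title": "tools", "user": "CORP\\svc_backup",
     "url": "https://files.example.net/LaZagne.exe"},  # completion record, ignored
]


def host_allowed(host):
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def triage_bits_events(events):
    """Return a list of findings for event-59 records whose source host is not
    allowlisted, is a bare IPv4 address, or whose job title/URL names a tool
    from SUSPICIOUS_NAMES. Each finding carries the record and its reasons."""
    findings = []
    for ev in events:
        if ev["event_id"] != 59:
            continue
        host = (urlparse(ev["url"]).hostname or "").lower()
        text = f"{ev['job_title']} {ev['url']}".lower()
        reasons = []
        if not host_allowed(host):
            reasons.append("non-allowlisted host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP source")
        hits = [name for name in SUSPICIOUS_NAMES if name in text]
        if hits:
            reasons.append("tool name: " + ",".join(hits))
        if reasons:
            findings.append({"user": ev["user"], "url": ev["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bits_events(SAMPLE_EVENTS):
        print(f"{f['user']} <- {f['url']}: {'; '.join(f['reasons'])}")
```

On a live host the same questions can be answered with `bitsadmin /list /allusers /verbose` or `Get-BitsTransfer -AllUsers`, which list jobs that are still queued or in progress; the event log is what retains jobs that already completed, which is why it is the better source for a retrospective investigation.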

Indicators of Compromise

| Hash | Tool |
| --- | --- |
| c590a84b8c72cf18f35ae166f815c9df | Sysinternals PSEXEC |
| 4fdabe571b66ceec3448939bfb3ffcd1 | Advanced Port Scanner |


About the Author: FirstHackersNews
