The company provides a case study of one cyber-criminal gang using Exchange Server flaws in BlackCat ransomware attacks as well as an overview of multiple ransomware gangs that previously used other ransomware.
The FBI in April warned that BlackCat affiliates use previously compromised user credentials to gain initial access to a victim network, but didn't identify Exchange flaws as a point of entry. However, researchers at Trend Micro at the time reported that BlackCat affiliates had used the Exchange CVE-2021-31207 flaw for initial entry and to install a web shell on the server for remote access.
As Microsoft explains in a new blogpost, BlackCat is a ransomware-as-a-service operation, consisting of multiple actors that may use different tools and techniques.
Thus, no two BlackCat deployments might look the same, Microsoft said.
"BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different," it said.
The BlackCat affiliate Microsoft highlights took two weeks to deploy BlackCat after exploiting the unpatched Exchange servers for initial access. It used the PsExec utility to deploy BlackCat. Between those two points, the attackers explored system and network environments and gathered Active Directory account data, dumped and stole credentials, signed into multiple devices using the Remote Desktop Client, and stole data and intellectual property for subsequent double-extortion.
The other incident it details involved attackers using previously compromised credentials to access an internet-facing Remote Desktop server.
Microsoft also notes that more ransomware affiliates are turning to BlackCat.
For example, DEV-0237, which Mandiant calls FIN12, has in the past distributed Hive, Conti, and Ryuk ransomware. Microsoft observed that this group added BlackCat to its list of payloads beginning in March 2022.
Also, DEV-0504, a group that uses PsExec to distribute various ransomware strains, began distributing BlackCat in December 2021. Previously, it has distributed BlackMatter, Conti, LockBit 2.0, REvil, and Ryuk.
"In the BlackCat-related incidents we've observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers," Microsoft says.
"Therefore, defenders should review their organization's identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible."
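As an added example (not code from Microsoft's or Trend Micro's research), the following shows how a defender could screen Windows event records for the stages described above: an Exchange IIS worker process spawning a shell (web shell activity), PSEXESVC service installs (PsExec deployment), and RemoteInteractive logons (Remote Desktop lateral movement). Host names, users and addresses are constructed.

```python
"""Correlate Windows events against the BlackCat affiliate stages described above."""
from collections import defaultdict

# Constructed sample events (hypothetical hosts, users, addresses), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "event_id": 4688,  # process creation
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-17", "event_id": 4624, "logon_type": 10,  # RDP logon
     "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"host": "WS-17", "event_id": 7045, "service_name": "PSEXESVC",  # service install
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS02", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.0.0.5"},
]


def classify(event):
    """Map one event to the intrusion stage it suggests, or None."""
    image = event.get("image", "").lower()
    child = event.get("child", "").lower()
    # Exchange's IIS worker (w3wp.exe) launching a shell is typical web shell behaviour.
    if (event.get("event_id") == 4688 and image.endswith("w3wp.exe")
            and child.endswith(("cmd.exe", "powershell.exe"))):
        return "exchange_webshell"
    # PsExec installs a service named PSEXESVC on each target it touches.
    if event.get("event_id") == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service"
    # Logon type 10 is RemoteInteractive, i.e. Remote Desktop.
    if event.get("event_id") == 4624 and event.get("logon_type") == 10:
        return "rdp_logon"
    return None


def correlate(events):
    """Return {host: set of stages seen on that host}."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return dict(hits)


def psexec_spread(events, threshold=2):
    """Hosts with PSEXESVC installs, and whether the fan-out reaches the threshold."""
    hosts = sorted({ev["host"] for ev in events if classify(ev) == "psexec_service"})
    return hosts, len(hosts) >= threshold
```

Seeing `psexec_service` and `rdp_logon` on several hosts within the same window, after web shell activity on an Exchange server, matches the two-week progression Microsoft describes and is worth escalating before the ransomware payload lands.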