On May 26, 2023, Symantec released information about a recently identified and rapidly expanding ransomware operation known as Buhti. The Buhti operation targets both Linux and Windows systems at organizations worldwide. It exploits recent vulnerabilities for initial access and uses custom tools to steal victim files. The operators deploy LockBit and Babuk variants to hit Windows and Linux respectively, and the Blacktail group behind it uses a custom information stealer written in Golang.
Exploiting Vulnerabilities
The Blacktail group has been observed exploiting CVE-2023-27350, a PaperCut NG/MF flaw that has been under exploitation since mid-April. Successful exploitation led to the installation of Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise. The attackers used these tools to steal data and ultimately deliver the ransomware payload to multiple computers on the targeted network. They also exploited CVE-2022-47986, a YAML deserialization bug in IBM Aspera Faspex that likewise yields remote code execution.
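Both of the flaws above are patched by vendor updates, so the first defender question is which installed builds are still exposed. The following script is an added example, not tooling from Symantec or the article, that compares a product build against the earliest fixed build per release branch. The fixed-version thresholds are my recollection of the vendor advisories (PaperCut 20.1.7 / 21.2.11 / 22.0.9; Faspex 4.4.2 Patch Level 2) and should be treated as assumptions to confirm against the current bulletins; the host inventory is constructed sample data.

```python
"""Exposure check for the two CVEs the article names as Buhti initial-access
vectors. Added example; thresholds are assumptions taken from memory of the
vendor advisories, verify them before acting on a result."""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    product: str
    fixes: Tuple[Version, ...]  # earliest fixed build per release branch


# Any build older than the first fixed branch has no fix and is vulnerable;
# any build newer than the last fixed branch is treated as patched.
FIXED = {
    "CVE-2023-27350": Advisory("PaperCut NG/MF", ((20, 1, 7), (21, 2, 11), (22, 0, 9))),
    "CVE-2022-47986": Advisory("IBM Aspera Faspex", ((4, 4, 2, 2),)),  # 4.4.2 Patch Level 2
}


def parse_version(text: str) -> Version:
    """Turn '22.0.9', '4.4.2 PL2' or '4.4.2 Patch Level 2' into an int tuple.
    A plain '4.4.2' becomes (4, 4, 2), which sorts below (4, 4, 2, 2): a build
    with no patch level is older than the same build at patch level 2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return parts


def assess(cve: str, version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one product build."""
    advisory = FIXED.get(cve)
    if advisory is None:
        return "unknown"
    v = parse_version(version_text)
    fixes = sorted(advisory.fixes)
    # Compare against the fix for this build's major release when one exists,
    # because each supported branch received its own fix.
    same_major = [f for f in fixes if f[0] == v[0]]
    if same_major:
        return "patched" if v >= same_major[0] else "vulnerable"
    return "patched" if v > fixes[-1] else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Run assess() over (host, cve, version) rows and return the exposed ones."""
    return [(h, c, ver) for h, c, ver in inventory if assess(c, ver) == "vulnerable"]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("print-srv-01", "CVE-2023-27350", "21.2.10"),              # one build short of the fix
    ("print-srv-02", "CVE-2023-27350", "22.0.9"),               # fixed build
    ("print-srv-03", "CVE-2023-27350", "19.2.3"),               # predates every fixed branch
    ("faspex-01", "CVE-2022-47986", "4.4.2"),                   # no patch level, still exposed
    ("faspex-02", "CVE-2022-47986", "4.4.2 Patch Level 2"),     # fixed build
]

if __name__ == "__main__":
    for host, cve, ver in SAMPLE_INVENTORY:
        print(f"{host:14} {cve}  {ver:22} {assess(cve, ver)}")
```

The per-branch comparison is the point worth copying: a naive "is it older than the newest fix" check would flag PaperCut 20.1.8 as vulnerable even though that branch was fixed at 20.1.7, while a plain string compare would miss that Faspex 4.4.2 without its patch level is still exposed.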
Targets
Kaspersky senior security researcher Marc Rivero reported that Buhti was observed targeting organizations in Belgium, China, the Czech Republic, Estonia, Ethiopia, France, Germany, India, Spain, Switzerland, the UK, and the US. The group is using LockBit 3.0 and Babuk variants alongside the vulnerability exploitation described above, targeting both Linux and Windows systems on a global scale.
Recommendations
In light of this information, it is more important than ever that organizations take proactive measures to ensure their cybersecurity is up to standard. This means applying the latest patches promptly, training staff, and keeping IT systems current and secure. Data breaches caused by ransomware attacks can have devastating consequences, and while organizations must be vigilant, governments and companies also have a responsibility to cooperate to prevent and prosecute these attacks.