LockBit, Hive, and ALPHV/BlackCat affiliates breached an automotive supplier’s systems within two weeks, with two of the attacks occurring within just two hours.
Before the automotive supplier was attacked by the ransomware strains, its security had been compromised by a likely initial access broker (JAB) in December 2022. The attack exploited a misconfiguration of the firewall to breach the domain controller server with a Remote Desktop Protocol (RDP) connection.
The vulnerability was exploited on May 1, after LockBit and Hive ransomware payloads were distributed over the network, whereby the legitimate PsExec and PDQ Deploy tools were used within two hours to encrypt more than a dozen systems during the attack.
In addition to encrypting files, the LockBit ransomware strain also stole and exfiltrated data to the Mega Cloud storage service.
Two weeks after the attack, a BlackCat attacker exploited the same flaw in the company’s management server to install the legitimate Atera Agent remote access solution.
The attackers gained persistence on the network, delivered ransomware payloads and exfiltrated stolen data.
The recovery attempts became complicated after the BlackCat affiliate erased evidence by deleting shadow copies and clearing out the Windows Event Logs on the compromised systems.
Businesses are advised to keep their systems up-to-date and check their environment for backdoors or bugs that attackers can introduce and help them regain access to a network after removal.
The sources for his piece include an article in BleepingComputer.