Blackbyte

Threat Actor updated 6 days ago (2024-09-01T14:17:45.809Z)
BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This marks a significant departure from BlackByte's traditional techniques, such as exploiting known vulnerabilities in widely used software like Microsoft Exchange or relying on phishing and brute-force attacks. Exploiting this authentication bypass vulnerability gives attackers full administrative access to the hypervisor, demonstrating BlackByte's ability to swiftly integrate new vulnerabilities into its toolkit.

For the first time, Talos Incident Response (IR) detected a new variant of BlackByte ransomware, dubbed BlackByte NT, alongside the previously seen LockBit ransomware. The attackers gained initial access by compromising a valid account and escalated privileges quickly once inside the network; they often create and manipulate Active Directory domain objects to gain control over critical systems. The new variant reflects BlackByte's evolution towards using advanced programming languages like C/C++ in its encryptor, with the aim of making the malware more resistant to detection and analysis through sophisticated anti-analysis and anti-debugging techniques. The self-propagating nature of the BlackByte encryptor presents additional challenges for defenders.

Regular hardening and patching of ESXi hosts are required to address such vulnerabilities promptly. According to cybersecurity experts, the focused effort by BlackByte and similar threat actors to exploit vulnerabilities in ESXi indicates an intent to compromise the core infrastructure of enterprise networks. BlackByte's pivot, as discovered by Cisco Talos Incident Response, highlights its capacity to rapidly incorporate new vulnerabilities into its toolkit, underscoring the evolving nature of the threat it poses.
Description last updated: 2024-09-01T14:16:11.920Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Conti | 3 | Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Vulnerability
Malware
Esxi
Credentials
RaaS
Exploit
Exploits
Associated Malware
ID | Type | Votes | Profile Description
Akira | Unspecified | 3 | Akira is a malicious software or malware that has been causing significant damage to various organizations and systems worldwide. The ransomware, known for its persistent and harmful attacks, has successfully infiltrated numerous systems, often without the knowledge of the users, disrupting operatio
LockBit | Unspecified | 3 | LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Karakurt | Unspecified | 2 | Karakurt is a malicious software (malware) utilized by cybercriminals for data theft and extortion. It was revealed as the data extortion arm of the Conti cybercrime syndicate, with links to ITG23 affiliates. Karakurt has been associated with numerous attacks, including those carried out by Quantum,
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-37085 | Unspecified | 3 | None
ProxyShell | Unspecified | 2 | ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
Source Document References
Information about the Blackbyte Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 6 days ago | Security Affairs newsletter Round 487 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine | 9 days ago | BlackByte Adopts New Tactics, Targets ESXi Hypervisors
DARKReading | 10 days ago | BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
Securityaffairs | 10 days ago | BlackByte Ransomware group targets recently patched VMware ESXi flaw CVE-2024-37085
BankInfoSecurity | 16 days ago | US Authorities Warn Health Sector of Everest Gang Threats
CERT-EU | 6 months ago | Encina Wastewater Authority Cyberattack Claimed By BlackByte
Checkpoint | a year ago | 10th July – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Dallas ransomware recovery nearly completed
CERT-EU | a year ago | BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days
BankInfoSecurity | a year ago | Breach Roundup: Zenbleed Flaw Exposes AMD Ryzen CPUs
CERT-EU | a year ago | Microsoft Defender Brings Automated Attack Disruption to Endpoints
CERT-EU | a year ago | Microsoft Defender for Endpoint now stops human-operated attacks on its own | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU | a year ago | The Top 4 Ransomware Vulnerabilities Putting your Company in Danger - Cybersecurity Insiders
CERT-EU | a year ago | Microsoft Defender now auto-isolates compromised accounts
CERT-EU | 2 years ago | Russian Ransomware Tasks Rebranded to Keep away from Western Sanctions: Report
Malwarebytes | a year ago | Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight
CERT-EU | a year ago | Hackers impersonates a cybersecurity firm to lock your PC | Digital Trends
InfoSecurity-magazine | a year ago | Cyber-Attacks Targeting Government Agencies Increase 40%
CERT-EU | a year ago | Akira and BlackByte ransomware group claim attack on Yamaha Music Canada | IT Security News
CERT-EU | a year ago | PC malware statistics, Q2 2022