In a joint cybersecurity notice, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) alerted US users (and not only them) to an increasingly widespread ransomware threat.
We are talking about AvosLocker, a RaaS operation that uses legitimate software and open source code to compromise corporate systems and exfiltrate data from them. The FBI has observed threat actors using PowerShell, web shells and custom batch scripts to move laterally across the network, escalate privileges and disable security systems.
According to experts, among the many tools adopted by AvosLocker, there are:
- remote administration tools such as Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy and Atera Agent for backdoor access;
- open source network tunneling utilities such as Ligolo and Chisel;
- attack emulation frameworks such as Cobalt Strike and Sliver;
- LaZagne and Mimikatz for credential collection;
- FileZilla and Rclone for data exfiltration.
Additional tools were used during AvosLocker attacks, including otherwise innocuous software such as Notepad++, RDP Scanner and 7zip.
Another component of AvosLocker attacks is a malware called NetMonitor.exe, which presents itself as a legitimate process and, according to experts, looks like a completely legitimate tool at first glance.
How to protect yourself from AvosLocker?
CISA and the FBI recommend that organizations implement application control mechanisms to monitor software execution, including programs that are theoretically trusted.
Part of the best practices for defending against these threat actors are restrictions on the use of remote desktop services such as RDP, limiting the number of login attempts, and implementing multi-factor authentication to counter phishing.
Keeping software updated to the latest version, using longer and stronger passwords, and storing them in hashed form remain the constant recommendations of security experts.
The current cybersecurity advisory adds to information provided in an earlier one published in mid-March, which noted that some AvosLocker ransomware attacks exploited vulnerabilities in Microsoft Exchange servers. This is nothing new, given that just a few days ago attacks occurred in this context.