
Hacked VPN credentials facilitate disruptive BlackSuit ransomware intrusion

Operations of a high-profile manufacturer have been significantly disrupted by the BlackSuit ransomware gang in an attack that exploited stolen VPN credentials, according to Cyber Security News.

After infiltrating the targeted firm's network through a VPN login obtained following a vishing attack against one of its employees, BlackSuit, also known as Ignoble Scorpius, deployed a DCSync attack to facilitate further credential compromise, according to a report from Palo Alto Networks Unit 42 researchers.
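A DCSync request shows up on a domain controller as a Windows Security Event 4662 in which the requesting account asks for the directory replication control-access rights. The following detection sketch is an added example, not code from the SC Media report or from Unit 42: it parses a constructed key=value rendering of such events and flags replication requests from any account that is not on a (hypothetical) allow-list of domain controller machine accounts. The GUIDs are the real Active Directory replication-right identifiers; the log format, account names and allow-list are assumptions for the example.

```python
"""Flag Event ID 4662 records that request directory replication rights (DCSync-style)
from accounts that are not domain controllers. All sample events are constructed."""
from dataclasses import dataclass

# Control-access-right GUIDs that grant directory replication (real AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allow-list: machine accounts of the domain controllers, which are
# the only principals expected to replicate the directory.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


@dataclass
class Event4662:
    account: str          # SubjectUserName
    object_type: str      # ObjectType (e.g. domainDNS)
    properties: set[str]  # lower-cased GUIDs taken from the Properties field


def parse_event(line: str) -> Event4662:
    """Parse one pipe-separated key=value line (constructed format, not EVTX)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    props = {
        p.strip().strip("{}").lower()
        for p in fields["Properties"].split(",")
        if p.strip()
    }
    return Event4662(fields["SubjectUserName"], fields["ObjectType"], props)


def replication_rights_requested(ev: Event4662) -> list[str]:
    """Return the human-readable names of any replication rights in the event."""
    return sorted(REPLICATION_RIGHTS[g] for g in ev.properties if g in REPLICATION_RIGHTS)


def is_suspicious(ev: Event4662) -> bool:
    """Replication rights requested by a non-DC account warrant investigation."""
    return bool(replication_rights_requested(ev)) and ev.account not in KNOWN_DC_ACCOUNTS


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (account, rights) pairs for every suspicious event in the batch."""
    events = (parse_event(line) for line in lines)
    return [(ev.account, replication_rights_requested(ev)) for ev in events if is_suspicious(ev)]


# Constructed sample events: a legitimate DC replicating, a user account asking for
# the replication rights (DCSync pattern), and an unrelated access for contrast.
SAMPLE_EVENTS = [
    "EventID=4662|SubjectUserName=DC02$|ObjectType=domainDNS|"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|ObjectType=domainDNS|"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=svc_backup|ObjectType=user|"
    "Properties={bf967a7f-0de6-11d0-a285-00aa003049e2}",
]

if __name__ == "__main__":
    for account, rights in scan(SAMPLE_EVENTS):
        print(f"ALERT: {account} requested {', '.join(rights)}")
```

In a real deployment the allow-list would be built from the Domain Controllers OU rather than hard-coded, and the Properties field would come from the parsed EVTX record; the point of the example is that the combination "replication-right GUID present, requester is not a DC" is the signal, and that the legitimate DC-to-DC traffic must be excluded or the rule drowns in noise.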

BlackSuit then leveraged Remote Desktop Protocol, Server Message Block, Advanced IP Scanner, and AnyDesk to facilitate lateral movement and persistence before pilfering more than 400 GB of data from the NTDS.dit database. Hundreds of virtual machines from nearly 60 VMware ESXi hosts were also encrypted by the attackers.

The organization, which has evaded BlackSuit's $20 million ransom demand, has already bolstered its defenses with newer Cisco Adaptive Security Appliance firewalls, multi-factor authentication, network segmentation, NTLM deactivation, and restricted admin access to isolated VLANs.
