Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Crime network behind the $100 million MGM Resorts breach and the publication of topless images of breast cancer patients has adopted new attack tactics to infect corporations and public entities with their ransomware: Google software ads and malware made from genuine IT tools
BY eSentire Threat Response Unit (TRU)
November 14, 2023 | 7 MINS READ
Security researchers with eSentire, a top global cybersecurity solutions provider, are warning that Russian-speaking affiliates of the ransomware gang ALPHV/BlackCat are attacking corporations and public entities in the Americas and Europe. In the past three weeks, we have seen these affiliates attempt to breach a law firm, a manufacturer, and a warehouse provider within our customer network, alongside attacking other companies. However, their attacks were intercepted and shut down by eSentire’s security research team, the Threat Response Unit (TRU). ALPHV/BlackCat threat actors typically achieve initial access into their victims’ IT networks through one of three ways: valid credentials, exploitation of remote management and monitoring services, and browser-based attacks. This year, however, one of the affiliates has expanded into malvertising to execute browser-based attacks.
This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to lure business professionals to attacker-controlled websites. Thinking they are downloading legitimate software, the business professionals are actually downloading the Nitrogen malware. Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organization’s IT environment. Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing. In the case with this attack campaign, the target victims are being infected with the ALPHV/BlackCat ransomware, according to Keegan Keplinger, Senior Threat Intelligence Researcher with TRU.
According to TRU, the malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware. eSentire was the first cybersecurity company to identify and name the Nitrogen malware in June 2023. TRU named the malicious software after an artifact found in the naming conventions used by the threat actors.
Nitrogen is labeled as initial access malware because it is malicious software that threat actors use to gain entry to a target victim’s IT environment. Nitrogen malware is unique in that it uses highly obfuscated Python libraries to bypass security controls. Python libraries enhance the functionality and capabilities of Python code programs. They are pre-written collections of code that provide a wide range of functions, classes, and tools for specific tasks, making it easier for developers to build complex applications without starting from scratch. Because Python libraries are legitimate tools, they typically do not raise any suspicions with security defenders. The additional layer of obfuscation acts to slow down analysts and security researchers in reversing and pinpointing the attack path taken by the malware once active in the operating system. See more technical details around Nitrogen here.
The ALPHV/BlackCat ransomware group and its affiliates are typically observed to be Russian-speaking, and various security teams report that the core ALPHV/BlackCat operators are based in Russia. The gang first appeared on the ransomware scene in November 2021. According to the FBI, the ALPHV/BlackCat gang compromised 60 businesses and public entities between November 2021 and March 2022. At the time of this reporting, in 2023, ALPHV/BlackCat lists 170 victims on their name and shame page, ranking them the third most active ransomware gang behind Cl0p & LockBit.
Some of ALPHV/BlackCat’s recent and most publicized attacks include MGM Resorts, which is comprised of 19 U.S. properties, including the Bellagio, Mandalay Bay, and the Cosmopolitan. The attack caused considerable chaos at the resorts, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs, and paid parking systems. MGM Resorts reported that they expect a $100 million hit to its third-quarter results due to the breach.
ALPHV/BlackCat also recently named McClaren Health Care as a victim. It is one of Michigan’s largest healthcare systems and is made up of hospitals, clinics, and healthcare facilities. McClaren administrators reported that the ALPHV/Black Cat threat actors accessed various data from 2.2 million patients. Among the type of data includes full name, SSNs, date of birth, healthcare insurance information, Medicare/Medicaid information, billing data, and treatment and prescription information. The ALPHV/BlackCat ransomware group also recently claimed to have hacked Clarion, a global manufacturer of audio and video equipment for cars and other vehicles, and the hotel chain Motel One.
When digging into ALPHV/BlackCat’s lineage, TRU discovered that ALPHV/BlackCat has connections to the former BlackMatter ransomware group, whose ransomware code is said to be a combination of the notorious DarkSide and REvil ransomware software. Additionally, these ransomware operations have all counted FIN7, a sophisticated cybercrime group, among their affiliates.
Readers might recall that the DarkSide ransomware operators were responsible for compromising the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., which resulted in their pipeline systems being taken offline in May 2021.
Several of REvil’s high-profile attacks include global computer manufacturers Acer and Quanta, top Mexican bank, CIBanco, Chilean bank, BancoEstado, and one of the entertainment industry’s largest law firms, Grubman Shire Meiselas & Sacks. At the time of their breach, this firm represented Lady Gaga, Madonna, Bruce Springsteen, Jessica Simpson, and Mariah Carey, among others.
One might ask, “Why are the ALPHV/BlackCat ransomware operators and their affiliates so despicable?” It is the lengths these threat actors will go to force their victims to pay their ransom demands. In February of this year, ALPHV/BlackCat hackers broke into one of the largest healthcare networks in Pennsylvania, the Lehigh Valley Health Network. It is estimated that the hackers stole data on approximately 500 patients, and for some of the patients this data included medical data, social security numbers, banking information, name, address, birthdate, etc., which the threat actors threatened to release on their data leak site. In March, the hackers went even further with their extortion attempts, shocking both security defenders and healthcare professionals around the world.
The ALPHV/BlackCat threat actors published photos of “topless” female breast cancer patients on their leak site after the health group refused to pay a $1.5 million ransom following their February attack. The clinical images were used by Lehigh Valley Health Network as part of radiotherapy treatment for their cancer patients. In July, the ALPHV/BlackCat gang went so far as to provide an API for their leak site to increase visibility for their attacks.
While much of cybersecurity user awareness training is still focused on malicious email attachments, browser-based malware downloads have usurped email as a primary method of initial cyber infection access for hands-on ransomware intrusions. As previously mentioned, in this Nitrogen campaign, users are infected when they go looking for popular, legitimate software to download and then click through on a Google Ad that renders to a malware site instead. The software lures TRU has observed the threat actors using in the Nitrogen campaign include Advanced IP Scanner, WinSCP, Slack, and Cisco AnyConnect. Additionally, TRU has observed ALPHV ransomware stemming from Gootloader attacks, another successful browser-based initial access malware known to target law firms.
Known examples of ransomware-associated initial access malware that leverage browser-based attacks include Gootloader, SocGholish, BatLoader, and now Nitrogen. Nitrogen uses an obfuscated python framework that leverages DLL side loading. Interestingly, ALPHV has been observed as an end-game for at least two of these browser-based initial access pieces of malware: Gootloader and Nitrogen.
Since 2020, Cobalt Strike has been growing as the primary intrusion tool leveraged by ransomware affiliates. In response, the security community quickly developed detections and threat- hunting paradigms around Cobalt Strike. In turn, threat actors have begun to shift to new intrusion tools, including leveraging Remote Monitoring and Management (RMM) tools and remote access software (AnyDesk, TSDService, Atera and ConnectWise ScreenConnect™) and new intrusion frameworks (Sliver and Brute Ratel). In at least one Nitrogen incident, TRU observed a full buffet of Intrusion Frameworks being used by the ALPHV/BlackCat threat actors: Cobalt Strike, Sliver, and Brute Ratel.
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.