ABB, Leading Tech Provider, Hit by Black Basta Ransomware Attack

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Swiss multinational corporation ABB, a prominent technology provider specialising in electrification and automation, faced operational disruptions due to a ransomware attack known as Black Basta.

With headquarters in Zurich, ABB employs around 105,000 individuals and anticipates sales of $29.4 billion in 2022. Its services encompass industrial control system (ICS) and supervisory control and data acquisition (SCADA) system development, catering to clients such as Volvo, Hitachi, and municipalities like Nashville and Zaragoza.

ABB, a company with over 40 engineering, manufacturing, research, and service facilities in the United States, serves numerous federal agencies, including the Department of Defense, the U.S. Army Corps of Engineers, the Departments of the Interior, Transportation, and Energy, the United States Coast Guard, and the U.S. Postal Service. On May 7th, ABB was hit by a cyber attack carried out by the Black Basta ransomware gang, a cybercrime group that emerged in April 2022.

The attack affected numerous computers, including the company's Windows Active Directory, leading to the compromise of sensitive information. In response, ABB promptly cut off customers' VPN access to prevent the malware from spreading further.

A confidential source confirmed an attack on ABB, which has reportedly led to project delays and disruptions in factories. When contacted for comment, ABB declined to respond. Black Basta, which runs a Ransomware-as-a-Service (RaaS) operation, has been targeting companies since April 2022. Through its collaboration with the QBot malware operation, which delivers Cobalt Strike to compromised devices, Black Basta gains a foothold in business networks and then spreads across multiple devices.

The Black Basta ransomware group, associated with the financially motivated criminal organization FIN7 (Carbanak), has expanded its operations to include a Linux encryptor specifically designed to target VMware ESXi virtual machines hosted on Linux servers. Researchers have linked FIN7 to this ransomware gang. The threat actors have targeted various organizations, including the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada, among others, since the campaign’s inception.

RapperBot DDoS Botnet Ventures into Cryptojacking, Poses New Cyber Threats

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

FortiGuard Labs, a renowned cybersecurity research team, has recently discovered fresh instances of the ongoing RapperBot campaign, which has been active since January 2023. RapperBot, a notorious malware family primarily targeting Internet of Things (IoT) devices, has been in circulation since June 2022.

Previous reports from FortiGuard Labs shed light on the campaign in August 2022 and December 2022, highlighting its focus on exploiting weak or default SSH or Telnet credentials to amplify its botnet for launching devastating Distributed Denial of Service (DDoS) attacks. However, in this latest wave of attacks, the threat actors behind RapperBot have taken a step further by delving into cryptojacking, specifically targeting Intel x64 machines.

At the outset, the operators deployed a standalone Monero cryptominer alongside the standard RapperBot binary. Towards the end of January 2023, however, they merged both functions into a single bot with built-in miner capabilities. This article covers the modifications observed in this new campaign and the technical details of the upgraded RapperBot variant with its cryptojacking capabilities.

FortiGuard Labs has recently disclosed an updated variant of RapperBot, a malware strain that is now utilizing the XMRig Monero miner specifically designed for Intel x64 architectures. The cybersecurity firm has revealed that this campaign, which primarily focuses on Internet of Things (IoT) devices, has been active since January.

FortiGuard Labs has uncovered new information regarding the integration of a miner’s code within RapperBot malware, which uses double-layer XOR encoding to conceal mining pools and Monero mining addresses.

The bot retrieves its mining configuration from the C2 server, with multiple pools and wallets for resilience, and routes mining through two proxies to make tracking harder. RapperBot falls back to public mining pools if the C2 is unreachable and terminates competing miners. The latest version also applies two-layer encoding to its C2 communication to evade network traffic monitors.
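As an added illustration (not code from FortiGuard's report or from the malware), the snippet below shows why two stacked repeating-key XOR layers, as described for the pool and wallet strings and for the C2 traffic, give no more protection than one: they collapse into a single repeating key of period lcm(len(k1), len(k2)), so once an analyst has pulled both keys from a sample the configuration decodes in one pass. The key values and the pool/wallet strings are constructed placeholders, not RapperBot's real values.

```python
from itertools import cycle
from math import lcm

# Constructed sample strings standing in for a mining pool host and a wallet;
# these are NOT the real RapperBot configuration values.
SAMPLE_POOL = "pool.example.invalid:3333"
SAMPLE_WALLET = "4A-placeholder-monero-wallet"


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Two stacked XOR layers, mirroring the 'double-layer XOR' the article describes.
    Keys are assumed placeholders, not the malware's."""
    return xor_layer(xor_layer(data, key1), key2)


def collapse_keys(key1: bytes, key2: bytes) -> bytes:
    """Single repeating key equivalent to applying key1 then key2.
    Byte i of the combined key is key1[i % len1] ^ key2[i % len2], and the
    pattern repeats every lcm(len1, len2) bytes."""
    period = lcm(len(key1), len(key2))
    return bytes(key1[i % len(key1)] ^ key2[i % len(key2)] for i in range(period))


def recover_config(blob: bytes, key1: bytes, key2: bytes) -> str:
    """What an analyst does once both keys are extracted from the binary:
    because XOR commutes, the collapsed key undoes both layers at once."""
    return xor_layer(blob, collapse_keys(key1, key2)).decode()


if __name__ == "__main__":
    k1, k2 = b"\x5a\x3c\x99", b"\x17\xe4"          # constructed placeholder keys
    for plain in (SAMPLE_POOL, SAMPLE_WALLET):
        blob = double_xor(plain.encode(), k1, k2)
        print(f"{blob.hex()} -> {recover_config(blob, k1, k2)}")
```

The same collapse applies to the encoded C2 exchanges: a network monitor that has the combined key can decode traffic without reproducing the layering at all.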

Randomized request intervals and sizes make exchanges stealthier. To protect against such malware, users should keep software up to date, disable unnecessary services, change default passwords, and use firewalls.