The FBI and CISA warned today of Rhysida ransomware gang's opportunistic attacks targeting organizations across multiple industry sectors.

Rhysida, a ransomware enterprise that surfaced in May 2023, quickly gained notoriety after breaching the Chilean Army and leaking stolen data online. Recently, the US Department of Health and Human Services also warned that the Rhysida gang was responsible for recent assaults on healthcare organizations.

Today's joint cybersecurity advisory provides defenders with indicators of compromise, detection info, and Rhysida tactics, techniques, and procedures discovered during investigations as of September 2023.

"Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors," the two agencies noted. "Observed as a ransomware-as-a-service model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates."

Rhysida attackers have also been detected hacking into external-facing remote services using stolen credentials to establish initial access and maintain a presence within victims' networks. This was possible when targeting organizations that didn't have Multi-Factor Authentication enabled by default across their environment.

Rhysida malicious actors are known for phishing attacks and exploiting Zerologon, a critical vulnerability enabling Windows privilege escalation within Microsoft's Netlogon Remote Protocol.

The FBI and CISA add that affiliates associated with the Vice Society ransomware group, tracked by Microsoft as Vanilla Tempest or DEV-0832, have transitioned to using Rhysida ransomware payloads during their attacks.
Check Point Research and PRODAFT have noted this shift occurring around July 2023, right after Rhysida first began adding victims to its data leak website.

Network defenders are advised to apply the mitigations outlined in today's joint advisory to minimize the likelihood and severity of ransomware incidents such as Rhysida's. At the very least, it is crucial to prioritize patching vulnerabilities under active exploitation, enabling MFA across all services, and using network segmentation to block lateral movement attempts.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000