“The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity,” he said, “while adapting their initial access techniques. When the LockBit 3.0 builder leaked in 2022, numerous groups began using it for their own independent campaigns, and this threat actor appears to be doing the same. Additionally, the structure of the ransom note bears similarities to that of other groups such as the now-defunct BlackCat/ALPHV ransomware variant. This illustrates how the threat actors hiding behind ransomware group names rebrand and adapt as their incentives and alliances evolve over time.”
Edge devices increasingly attractive targets
This research highlights that edge devices, including routers, VPN gateways, and others, are an increasingly attractive target for threat actors, Sai Molige, Forescout’s senior manager of threat hunting, said in an email. He said that CISOs and their security teams can take several steps to identify and assess potential risks in their environment.
They can perform threat modeling on edge devices to better understand the exposure rate and the extent of an intrusion if and when it occurs, he noted. Once security teams have a full understanding of the implementation and function of these edge devices, they can:
