CosmicBeetle Exploiting Old Vulnerabilities To Attack SMBs All Over The World

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers target SMBs (Small and mid-sized businesses) primarily as they are often easier to compromise with due to weaker security measures and a lack of cybersecurity awareness.

Many SMBs do not conduct regular security audits or have comprehensive incident response plans which makes them attractive targets for threat actors seeking to exploit vulnerabilities.

Cybersecurity researchers at ESET recently discovered CosmicBeetle has been actively exploiting the old vulnerabilities to attack SMBs all over the world.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

CosmicBeetle Exploiting Old Vulnerabilities

ESET researchers have affirmed that CosmicBeetle threat actor has been deploying ScRansom ransomware globally.

It’s a Delphi-based malware that targets SMBs across various sectors, exploiting the following vulnerabilities:-

  • EternalBlue (CVE-2017-0144)
  • Zerologon (CVE-2020-1472)
  • Others (CVE-2023-27532, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475)

ScRansom uses a complex encryption scheme like AES-CTR-128 for file encryption, with an RSA-1024 key pair (RunKeyPair) and a hardcoded RSA public key (MasterKeyPair) for key management.

Encryption scheme utilized by the latest ScRansom samples (Source – ESET)

It partially encrypts files based on extensions, appends data including a “Decryption ID,” and renames files with a “.Encrypted” extension.

The malware offers five encryption modes, and they are “FAST,” “FASTEST,” “SLOW,” “FULL,” and “ERASE,” with the last rendering files unrecoverable.

ScRansom terminates specific processes and services, and its GUI-based operation includes debug features.

User interface of ScRansom (Source – ESET)

CosmicBeetle has impersonated LockBit, using their leaked builder, and may be affiliated with RansomHub.

Researchers said that the group’s toolset includes ScHackTool, ScInstaller, ScService, ScPatcher, and the recently separated ScKill for process termination.

Communication with victims occurs via email and qTox, utilizing the Tox protocol for encrypted messaging. ScRansom’s decryption process is slow and error-prone, unlike the mature ransomware operations.

From infected machines, it requires victims to collect multiple Decryption IDs and from the attacker obtain corresponding “ProtectionKeys.”

The decryptor lacks the MasterKeyPair.Private key that relies solely on these ProtectionKeys. On each encrypted device, the decryptor must be run manually by the victims by inputting the correct ProtectionKey for each Decryption ID.

Further, this process is complicated by instances where the “ScRansom” is executed multiple times on a single machine and generates additional IDs.

Besides this, the ERASE encryption mode may permanently destroy some files. In one case, a victim with 31 Decryption IDs couldn’t fully recover their data.

While this might happened due to missing IDs, incomplete key provision, or permanent file destruction. This approach differs from sophisticated ransomware like LockBit Black, which typically includes the decryption key in a single executable for easier recovery.

CosmicBeetle’s method is technically complicated which reduces the likelihood of successful decryption and full data recovery even after ransom payment.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar