AutomotiveSuppliers.pl

An automotive supplier was hit by three separate ransomware attacks. Although the three threat actors used different ransomware strains and attack strategies, all three exploited the same security flaw: a firewall rule that exposed Remote Desktop Protocol (RDP) on a management server to the internet.

The first ransomware group, LockBit, distributed its ransomware with PsExec, exfiltrated data to the Mega cloud storage service and used Mimikatz to recover credentials.

The second gang, known as Hive, used RDP to move laterally through the network and then dropped its own ransomware.

An ALPHV/BlackCat affiliate gained access to the network, installed Atera Agent (a legitimate remote access tool) to establish persistence, then exfiltrated data while the victim was restoring from backups.

Two weeks after the LockBit and Hive attacks, the BlackCat affiliate deployed its ransomware and deleted the Windows Event Logs.

During its investigation, Sophos' Rapid Response (RR) team found some files that had been encrypted up to five times.
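The techniques named in this entry all leave standard Windows event traces: an RDP logon is a Security event 4624 with logon type 10, PsExec and Atera Agent both register a new service (System event 7045), and clearing the Security log produces event 1102. The triage script below is an added example and is not part of this entry or of the Sophos report; the event records, host names and internal address ranges are constructed for illustration, and the external-source heuristic is an assumption (RFC 1918 ranges are treated as internal).

```python
"""
Triage helper for the TTPs named in this entry: RDP reachable from outside,
PsExec lateral movement, Atera Agent persistence and Windows Event Log clearing.

The event records below are CONSTRUCTED for illustration and are not from the
incident. The event IDs and field meanings follow the standard Windows
Security/System event schema.
"""
import ipaddress
from dataclasses import dataclass

# Constructed, simplified event records (assumption: one dict per event).
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.45", "user": "admin", "host": "MGMT01"},
    {"channel": "Security", "id": 4624, "logon_type": 10,
     "src_ip": "10.20.0.15", "user": "helpdesk", "host": "MGMT01"},
    {"channel": "System", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "host": "FS02"},
    {"channel": "System", "id": 7045, "service": "AteraAgent",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "host": "MGMT01"},
    {"channel": "Security", "id": 1102, "user": "admin", "host": "MGMT01"},
    {"channel": "System", "id": 7045, "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe", "host": "FS02"},
]

# Assumption: anything outside the RFC 1918 ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the source address is not in any internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Map raw events to findings for the techniques seen in this incident."""
    findings = []
    for e in events:
        # 4624 with logon type 10 (RemoteInteractive) is an RDP logon; from a
        # non-internal source it is the exposed-RDP path described above.
        if e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e["src_ip"]):
            findings.append(Finding(e["host"], "exposed-rdp-logon",
                                    f"{e['user']} from {e['src_ip']}"))
        # 7045 is "a service was installed". PSEXESVC is the service PsExec
        # creates on the target; AteraAgent is the RMM tool used for persistence.
        elif e["id"] == 7045:
            name = e.get("service", "").lower()
            if name == "psexesvc":
                findings.append(Finding(e["host"], "psexec-lateral-movement", e["image"]))
            elif "atera" in name:
                findings.append(Finding(e["host"], "rmm-persistence", e["image"]))
        # 1102 is "the audit log was cleared", the anti-forensics step seen here.
        elif e["id"] == 1102:
            findings.append(Finding(e["host"], "eventlog-cleared", f"by {e['user']}"))
    return findings


def summarize(findings):
    """Count findings per technique to prioritize the response."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:8} {f.technique:26} {f.detail}")
    print(summarize(results))
```

The internal RDP logon and the Spooler service install are left out of the findings on purpose: the value of the check is that it isolates the externally sourced RDP logon that the exposed firewall rule allowed, rather than flagging every RDP session or every new service.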

Source: https://news.sophos.com/en-us/2022/08/10/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack/?cmp=30728

"id": "AUT105431122",
"linkid": "automotivesupplierspl",
"type": "Ransomware",
"date": "08/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"