Organisations are at critical risk from Bumblebee Malware Loader
Cybereason issued a global threat report warning global organizations about an increase in Bumblebee loader-based ransomware attacks. The new study focuses on post-exploitation tactics, techniques, and procedures used in attacks. Surprisingly, the loader became the “loader of choice” for Conti Group, one of the world’s most prolific ransomware gangs.
Google’s Threat Analysis Group discovered Bumblebee in March 2022, and Cybereason previously reported on Bumblebee in April 2022. Cybereason is now warning global organizations that Bumblebee attacks must be treated as CRITICAL. Bumblebee has risen to become the loader of choice among most threat actors, according to Cybereason’s global security operations center findings.
Some additional key findings include:
- User-Driven Execution: The majority of Bumblebee infections we’ve seen started with end-users executing LNK files, which use a system binary to load the malware. The malware is distributed via phishing emails that contain an attachment or a link to the malicious archive containing Bumblebee.
- Intensive Reconnaissance and Data Exfiltration: Bumblebee operators conduct intensive reconnaissance and redirect the output of executed commands to files for exfiltration.
- Active Directory Compromise: For lateral movement, the attackers compromised Active Directory and used stolen credentials such as usernames and passwords. It took less than two days from initial access to Active Directory compromise.
- Under Active Development: Threat actors have been transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which appears to be in active development and is the loader of choice for many threat actors.
- Critical Severity: Bumblebee attacks must be treated as critical. According to GSOC findings, the threat actors’ next step is ransomware deployment, and this loader is known for ransomware delivery.
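Two of the findings above (shortcut-driven execution through a system binary, and reconnaissance output redirected to files) are observable in endpoint process-creation telemetry. The following Python is an added example, not code from Cybereason or the report: it applies simple detection rules to a few constructed process events and raises a critical alert when both behaviours appear for the same host and user within a window. The loader-binary list, recon-command list, event field names and sample log lines are all assumptions for the example and should be mapped to your own EDR or Sysmon schema.

```python
"""Hypothetical detection logic (added example, not Cybereason's) for two
behaviours the report describes: an end user launching a shortcut that makes a
system binary load the malware, and reconnaissance commands whose output is
redirected to files. Event fields and sample log lines are constructed for
this example; map them to your own EDR or Sysmon schema before use."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumption: system binaries that a shortcut typically invokes to load code.
LOADER_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Assumption: typical host/domain reconnaissance commands.
RECON_COMMANDS = {"whoami", "net", "nltest", "ipconfig", "systeminfo", "tasklist", "nslookup"}
SHELLS = {"cmd.exe", "powershell.exe"}
# '> file' or '>> file' anywhere in the command line
REDIRECT_RE = re.compile(r">{1,2}\s*\S+")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str    # parent process image path
    image: str     # process image path
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lnk_loader(ev: ProcEvent) -> bool:
    """Interactive launch (parent explorer.exe, i.e. a double-clicked shortcut)
    of one of the loader binaries."""
    return basename(ev.parent) == "explorer.exe" and basename(ev.image) in LOADER_BINARIES


def is_recon_redirect(ev: ProcEvent) -> bool:
    """Shell command that runs a recon tool and redirects its output to a file."""
    if basename(ev.image) not in SHELLS:
        return False
    tokens = re.split(r"[\s&|]+", ev.cmdline.lower())
    return any(t in RECON_COMMANDS for t in tokens) and REDIRECT_RE.search(ev.cmdline) is not None


def correlate(events, window=timedelta(hours=24)):
    """Raise one critical alert per (host, user) when a shortcut-driven loader
    launch is followed within `window` by recon output written to a file."""
    loaders, recons = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if is_lnk_loader(ev):
            loaders.setdefault(key, []).append(ev)
        elif is_recon_redirect(ev):
            recons.setdefault(key, []).append(ev)
    alerts = []
    for key, loads in loaders.items():
        first_load = loads[0].ts
        followups = [r for r in recons.get(key, [])
                     if timedelta(0) <= (r.ts - first_load) <= window]
        if followups:
            alerts.append({"host": key[0], "user": key[1], "severity": "critical",
                           "loader": loads[0].cmdline,
                           "recon": [r.cmdline for r in followups]})
    return alerts


# Constructed telemetry for the example, not from a real incident.
T0 = datetime(2022, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws01", "alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\example.dll,Run"),
    ProcEvent(T0 + timedelta(minutes=5), "ws01", "alice", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c whoami /all > C:\Users\Public\out.txt"),
    ProcEvent(T0 + timedelta(minutes=7), "ws01", "alice", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c nltest /dclist: >> C:\Users\Public\out.txt"),
    # Benign activity on another host: ordinary shortcut and recon without redirect.
    ProcEvent(T0, "ws02", "bob", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
    ProcEvent(T0 + timedelta(minutes=1), "ws02", "bob", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints a single alert for ws01/alice; bob's activity on ws02 matches neither rule. In production the two rules would usually be separate analytics with different severities, and the correlation step is what justifies treating the combined pattern as critical rather than as two medium-confidence hits.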
Ransomware attacks can be stopped. Cybereason offers these recommendations to Defenders to reduce their risks:
- Practicing good security hygiene, such as implementing a security awareness program for employees and ensuring operating systems and other software are regularly updated and patched.
- Ensuring key players can be reached at any time of day, since critical response actions can be delayed when attacks occur during off-peak hours, holidays and weekends.
- Conducting periodic table-top exercises and drills that include teams beyond security, such as Legal, Human Resources, IT Support and the Executive Suite, is also key to running a smooth incident response.
- Ensuring clear isolation practices are in place to stop any further ingress on the network or spreading of the ransomware to other devices. Teams should be proficient at things like disconnecting a host, locking down a compromised account, and blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended.
- Evaluating lock-down of critical accounts when possible. The path attackers often take in propagating ransomware across a network is to escalate privileges to the domain-admin level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in Active Directory that are used only when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
- Deploying EDR on all endpoints. According to Gartner’s Peter Firstbrook, deploying EDR on endpoints is the quickest way for public and private sector businesses to combat the ransomware scourge. However, according to Firstbrook, only 40% of endpoints have EDR.