{"id":7851,"date":"2024-07-21T17:52:00","date_gmt":"2024-07-21T17:52:00","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=7851"},"modified":"2024-08-13T11:15:14","modified_gmt":"2024-08-13T11:15:14","slug":"blackmatter-ransomware-that-leverages-smb-ldap-ad","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/","title":{"rendered":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD"},"content":{"rendered":"\n<p>CISA, the NSA, and the FBI have released a joint <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-291a\" target=\"_blank\" rel=\"noreferrer noopener\">advisory<\/a> (AA21-291A) describing the tactics, techniques, and procedures (TTPs) of BlackMatter ransomware, which leverages SMB (Server Message Block), the <a href=\"https:\/\/www.onelogin.com\/learn\/what-is-ldap\" target=\"_blank\" rel=\"noreferrer noopener\">Lightweight Directory Access Protocol (LDAP)<\/a>, and <a href=\"https:\/\/cybersecuritynews.com\/active-directory-checklist\/\" target=\"_blank\" rel=\"noreferrer noopener\">Active Directory (AD)<\/a> to identify every reachable host on a victim network.<\/p>\n\n\n\n<p>Since July 2021, BlackMatter has targeted multiple U.S. critical infrastructure entities, including two organizations in the Food and Agriculture Sector.<\/p>\n\n\n\n<p>CISA, the FBI, and the NSA urge all organizations to apply the recommended mitigations immediately, because these attacks directly affect consumer access to critical infrastructure services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ttps-of-blackmatter-ransomware\"><strong>TTPs of BlackMatter Ransomware<\/strong><\/h2>\n\n\n\n<p>BlackMatter embeds previously compromised user credentials in the ransomware and calls the Windows API functions NtQuerySystemInformation and EnumServicesStatusExW to enumerate the running processes and services on the compromised host.<\/p>\n\n\n\n<p>Using the embedded credentials over LDAP and SMB, BlackMatter discovers all hosts in the Active Directory domain, then enumerates each host for accessible shares with the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function.<\/p>\n\n\n\n<p>From the original compromised host, BlackMatter then uses the embedded credentials and SMB to remotely encrypt the contents of the discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON. Writing to the ADMIN$ and C$ administrative shares requires credentials with administrative rights on the target, and because the encryption is driven over SMB from a single host rather than by a payload running on each target, a file server sees the malicious writes arrive from one remote source; share-access auditing and the advisory\u2019s detection signatures key on this remote-encryption traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/DlhrZG2MJHjVuq3HVhv5DqlZKXLfFoPfZ-svZVnTdHPo_QkjsG6-7ryeXmSJUXSASXuSwRAT7G6gojtfihvBUjnF9ytcP8unySFGFNNvDy4HOzaX7Nq97aSAGif1o76EoTxcitfx=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-mitigations\"><strong>Mitigations<\/strong><\/h2>\n\n\n\n<p>CISA, the FBI, and the NSA recommend the following mitigations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement Detection Signatures<\/li>\n\n\n\n<li>Use Strong Passwords<\/li>\n\n\n\n<li>Implement Multi-Factor Authentication<\/li>\n\n\n\n<li>Patch and Update Systems<\/li>\n\n\n\n<li>Limit Access to Resources over the Network<\/li>\n\n\n\n<li>Implement Network Segmentation and Traversal Monitoring<\/li>\n\n\n\n<li>Use Admin Disabling Tools to Support Identity and Privileged Access Management<\/li>\n\n\n\n<li>Implement and Enforce Backup and Restoration Policies and Procedures<\/li>\n<\/ul>\n\n\n\n<p>Rob Joyce, Director of Cybersecurity at the NSA, stated:<\/p>\n\n\n\n<p>&#8220;The threat of ransomware goes beyond specific impacts to a victim company \u2014 it has risen to a national security issue. NSA&#8217;s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch the ransomware.&#8221;<\/p>\n\n\n\n<p>&#8220;Employing the mitigations in the joint advisory with CISA and FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA, NSA, FBI have recently released a joint advisory report with TTPs for BlackMatter ransomware that primarily leverages the SMB (Server Message Block), Lightweight Directory Access Protocol (LDAP), and AD (Active Directory) to identify all the available hosts on the network.\u00a0 While the BlackMatter ransomware was targeting several critical infrastructure entities in the U.S. 
since [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":7855,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png","fifu_image_alt":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[41],"tags":[149,151],"class_list":{"0":"post-7851","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ransomware","8":"tag-cyber-security","9":"tag-cyber-security-news"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD - Cyber Security News<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD\" \/>\n<meta property=\"og:description\" content=\"CISA, NSA, FBI have recently released a joint advisory report with TTPs for BlackMatter ransomware that primarily leverages the SMB (Server Message Block), light directory access protocol (LDAP), and AD (Active Directory) to identify all the available hosts on the network.\u00a0 While the BlackMatter ransomware was 
targeting several critical infrastructure entities in the U.S. since [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-21T17:52:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-13T11:15:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png\" \/>\n<meta name=\"author\" content=\"Balaji N\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/balaji_gbh\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Balaji N\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD - Cyber Security News","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/","og_locale":"en_US","og_type":"article","og_title":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD","og_description":"CISA, NSA, FBI have recently released a joint advisory report with TTPs for BlackMatter ransomware that primarily leverages the SMB (Server Message Block), light directory access protocol (LDAP), and AD (Active Directory) to identify all the available hosts on the network.\u00a0 While the BlackMatter ransomware was targeting several critical infrastructure entities in the U.S. since [&hellip;]","og_url":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_published_time":"2024-07-21T17:52:00+00:00","article_modified_time":"2024-08-13T11:15:14+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png","type":"","width":"","height":""}],"author":"Balaji N","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png","twitter_creator":"@https:\/\/twitter.com\/balaji_gbh","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Balaji 
N","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/"},"author":{"name":"Balaji N","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/0ad7770df28fe608567609e4ba1c4da2"},"headline":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD","datePublished":"2024-07-21T17:52:00+00:00","dateModified":"2024-08-13T11:15:14+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/"},"wordCount":369,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png?w=728&resize=728,380&ssl=1","keywords":["cyber security","cyber security news"],"articleSection":["Ransomware"],"inLanguage":"en-US","copyrightYear":"2024","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/","url":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/","name":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD - Cyber Security 
News","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png?w=728&resize=728,380&ssl=1","datePublished":"2024-07-21T17:52:00+00:00","dateModified":"2024-08-13T11:15:14+00:00","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#primaryimage","url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png?w=728&resize=728,380&ssl=1","contentUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png?w=728&resize=728,380&ssl=1","width":"728","height":"380","caption":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, 
AD"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/blackmatter-ransomware-that-leverages-smb-ldap-ad\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"CISA, NSA, FBI Released Advisory with TTPs For BlackMatter Ransomware That leverages SMB, LDAP, AD"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/0ad7770df28fe608567609e4ba1c4da2","name":"Balaji 
N","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8075aac45cdbf0aae6572d8039978c587715d33d6b330539092189c91804f031?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8075aac45cdbf0aae6572d8039978c587715d33d6b330539092189c91804f031?s=96&d=mm&r=g","caption":"Balaji N"},"description":"BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief &amp; Co-Founder - Cyber Security News &amp; GBHackers On Security.","sameAs":["https:\/\/www.linkedin.com\/company\/cybersecurity-news\/","https:\/\/x.com\/https:\/\/twitter.com\/balaji_gbh"],"url":"https:\/\/cybersecuritynews.com\/author\/balaji\/"}]}},"jetpack_featured_media_url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-HT1U6T6FW4w\/YXGoGOxQiwI\/AAAAAAAAPGc\/3C9Hk9LkpfQjCamYImcHZB7lABZcZf7gQCLcBGAsYHQ\/s16000\/CISA%252C%2BNSA%252C%2BFBI%2BReleased%2BAdvisory%2Bwith%2BTTPs%2BFor%2BBlackMatter%2BRansomware.png?w=728&resize=728,380&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/7851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=7851"}],"version-history":[{"count":3,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/7851\/revisions"}],"predecessor-version":[{"id":74454,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/7851\/revisions\/74454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/7855"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.
com\/wp-json\/wp\/v2\/media?parent=7851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=7851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=7851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}