BleepingComputer reports that Windows and Linux systems are being targeted by Blacktail's Buhti ransomware operation using leaked LockBit and Babuk ransomware source code.
Blacktail's attacks on Windows systems use the leaked Windows LockBit 3.0 builder to produce a payload that encrypts files and appends the ".buthi" extension, while intrusions against Linux systems use a payload built from the Babuk source code, according to a report from Symantec's Threat Hunter team.
Despite reusing leaked ransomware source code, Blacktail's Buhti operation also relies on its own Go-based exfiltration tool and its own network infiltration technique, in addition to exploiting the PaperCut NG and MF remote code execution vulnerability, tracked as CVE-2023-27350, and the IBM Aspera Faspex flaw, tracked as CVE-2022-47986, researchers said.
Organizations in the U.S., China, Belgium, India, Estonia, Switzerland, Spain, Germany, Ethiopia, and the U.K. have already been impacted by Buhti ransomware attacks, indicating the significant threat of the Blacktail operation, noted Kaspersky researcher Marc Rivero.
Operations of California's Solano Partner Libraries and St. Helena, or SPLASH, continue to be interrupted weeks after the county's library network was targeted by a ransomware attack earlier this month, StateScoop reports.
Threat actors could gain several rootkit-like capabilities, including concealing files and processes and tampering with Prefetch file analysis, by exploiting vulnerabilities in Windows' DOS-to-NT path conversion process, The Hacker News reports.
The open-source DevOps platform GitLab is also affected by the same security issue in GitHub comments that threat actors have exploited, using URLs linked to Microsoft repositories, to distribute malware that appears to originate from credible organizations' official source code repositories, according to BleepingComputer.