Read Time:1 Minute, 21 Second
Small and mid-sized businesses (SMBs) are increasingly becoming targets of cybercriminals due to weaker security measures and lack of cybersecurity awareness. Cyberattackers often exploit vulnerabilities in outdated software and systems to gain access to valuable data and assets.
CosmicBeetle Threat Actor
ESET researchers have discovered that the CosmicBeetle threat actor group has been actively exploiting old vulnerabilities to target SMBs worldwide. CosmicBeetle uses the ScRansom ransomware to encrypt files and demand payments for decryption.
Exploited Vulnerabilities
The vulnerabilities exploited by CosmicBeetle include:
- EternalBlue (CVE-2017-0144)
- Zerologon (CVE-2020-1472)
- CVE-2023-27532
- CVE-2021-42278
- CVE-2021-42287
- CVE-2022-42475
ScRansom Ransomware
ScRansom is a Delphi-based malware that utilizes a complex encryption scheme to encrypt files. It uses an RSA-1024 key pair for key management and offers five encryption modes: - FAST
- FASTEST
- SLOW
- FULL
- ERASE (rendering files unrecoverable)
Deciphering the Attack
CosmicBeetle has impersonated LockBit and may have connections to RansomHub. The threat actor communicates with victims through email and qTox. The decryption process for ScRansom is slow and error-prone, unlike mature ransomware operations.
Key Takeaways - SMBs must prioritize cybersecurity measures and conduct regular security audits.
- Implement cybersecurity awareness training programs for employees.
- Keep software and systems up to date with the latest security patches.
- Have a comprehensive incident response plan in place.
- Consider partnering with cybersecurity experts to enhance protection.
Conclusion
CosmicBeetle’s targeting of SMBs highlights the importance of cybersecurity vigilance. Businesses must remain informed about emerging threats and take proactive steps to safeguard their sensitive data and operations. By following these measures, SMBs can reduce their risk of falling victim to cyberattacks and ensure business continuity.