Analyzing BlackCat Ransomware

SecPro #38: Analyzing BlackCat Ransomware, SSRF Attacks, and the Biggest News in Cybersecurity Today

Here’s another edition of the SecPro. We’ve been drawing on the wisdom of our community to bring you articles analyzing ransomware, mitigating the risks in the software you build, and how to avoid SSRF attacks. There’s plenty to get stuck into, so make sure to check out the full articles on the SecPro website!


  •  Live Box Forensics for BlackCat
  •  OWASP Top 10: A10:2021 – SSRF Attacks
  •  How to Mitigate the Risk of Software Vulnerabilities
  •  Breaking Cybersecurity News
  •  Secret Knowledge: AI & IoT Pentesting

Exploit Detection & Analysis: Live Box Forensics for BlackCat

By Ricoh Danielson 

Ransomware is rapidly becoming a favoured mode of attack by hackers due to the ease with which it can be deployed. A popular form of ransomware is BlackCat, a service that allows anyone to take control of web-based systems and demand a cryptocurrency ransom in exchange for handing back control.

In this post we will learn some techniques that defenders can deploy to protect against an attacker deploying BlackCat on their network.

How do we defend against ransomware such as BlackCat?

The further we move into 2022, the more aware we become not only of how to conduct risk mitigation, but also of how to mitigate ransomware and understand it in depth. In light of new ransomware, we need not only a proactive defensive plan but also an understanding of our adversaries’ technical capabilities. Let’s discuss the extraction part in more detail.

Below we can see the aspects of ransomware as a service.

Analyzing BlackCat Ransomware: Example of Extraction


Technical Requirements to Conduct Live Box Digital Forensics

The investigative techniques used during a digital forensic investigation can be very different from traditional investigations that rely mostly on witness statements and other direct evidence. Technological advances have greatly expanded the available means of collecting data, but also raise legal questions about the admissibility of evidence collected in the field. 

The collection of digital evidence – particularly live digital evidence using a process called “live box forensics” – involves many issues that are not commonly addressed by the established rules for document and object preservation. The purpose of this article is to help investigators to understand the potential risks involved in capturing live digital evidence while analyzing BlackCat Ransomware. Also, this post will summarize several potential risks and suggest ways to mitigate them by identifying and implementing legal requirements as well as best practices. 

The exploitation of public keys is a common factor, in which the threat actor leverages keys that are just not up to par when it comes to security. More specifically, VMware ESXi virtual machines are targeted, along with their snapshots.

Something to note is that the location of %SYSTEM32%\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} is where most of the common directory. CVE-2016-0099 is also used to get back the login bypass.  

Want to read the rest of the article on Analyzing BlackCat Ransomware? Click on the link below and read the rest on the SecPro website!

OWASP: OWASP Top Ten – A10: Server-Side Request Forgery

By Austin Miller

And here we are – the final installment of SecPro’s OWASP Top Ten overview. Having started with the Broken Access Control two months ago, we are ending with Server-Side Request Forgery attacks (SSRFs). And despite this sitting on the bottom rung of the official OWASP Top Ten, the Community poll actually put this at #1!  It just goes to show you that even the lower ranking threats on this list are all too capable of destroying businesses with poor cybersecurity practices. 

What is SSRF? 

SSRFs can be kind of complex. They require the adversary to exploit a function in an application where a request can be replaced without the internal servers validating it. If you would like to practice running an SSRF attack, use OWASP’s Webgoat tool to “steal the cheese”! If not, here’s a quick run through: 

Find an exposed request 

Black hat hacking is a crime – using this methodology against a computer or server that you do not own can lead to serious legal repercussions. All links in the following section are fictional. Any resemblance to real links is coincidental. 

When we interact with web services, applications make requests to servers. In a secure application, these requests are sanitized and validated to ensure there are no injection attacks or request forgeries. Sometimes, those defenses aren’t in place. 

Let’s say we look at a PDF downloader on an unsecured website. The download link may look like this: 

Manipulating the link 

An attacker can change the URL so that the downloader contacts another repository on /centralserver, such as:

Instead of downloading the PDF, the attacker may now have access to the central server with admin rights.

Data exfiltration 

Obviously, it’s not quite that easy – they would still need to find a way to access the server, but the forgery is complete. At this stage, particularly vulnerable servers could send sensitive files stored in the same place as document1.pdf to the adversary or even allow full remote code execution privileges. 
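A server-side check for the PDF downloader scenario above, as an added example that is not part of the original article: it validates the user-supplied URL before the server fetches anything. The host name docs.example.test, the allowlists and the function names are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only origin the downloader may fetch from (constructed name).
ALLOWED_HOSTS = {"docs.example.test"}
ALLOWED_SCHEMES = {"https"}


def resolve(host):
    """Return every IP address the host name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_download_url(url, resolver=resolve):
    """Return (ok, reason) for a user-supplied download URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "https://allowed-host@other-host/" really points at other-host.
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Even an allowlisted name must not resolve to an internal address
    # (stale or hijacked DNS records, DNS rebinding).
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    if not parts.path.lower().endswith(".pdf"):
        return False, "not a PDF path"
    return True, "ok"
```

The fetch itself should connect to the address that was validated and refuse redirects; otherwise a second DNS lookup or a 3xx response can undo the check.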

Want to find out more about SSRF attacks? Check out this video guide by hacker Rana Khalil

Want to find out how to defend our systems against SSRFs at the network and application level? Click the link below and read the rest on the SecPro website.

Community Writers
[Note from the editor: Today marks a huge step forward in making SecPro a community-run newsletter – our first ever community writer article! A huge thanks to Richard for letting us share his writing. If you would like to share your thoughts with the SecPro community, click on the link at the bottom of the page.]

How to Mitigate the Risk of Software Vulnerabilities

By Richard S.

What are vulnerabilities in cyber security?

A secure software development framework (SSDF) is a set of fundamental, sound secure software development practices based on established secure software development practices.

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure the software being developed is well secured.

Following these practices should help software developers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes.

A software development life cycle (SDLC) is a formal or informal methodology for designing, creating, and maintaining software. There are many models for SDLCs, including waterfall, spiral, agile, and Development and Operations (DevOps).

Regardless of which SDLC model is used to develop software, secure software development practices should be integrated throughout it for three reasons:

  • to reduce the number of vulnerabilities in released software
  • to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities
  • to address the root causes of vulnerabilities to prevent future recurrences

Want to read the rest? Click the button below to find the full text and help support writers in the SecPro community!

Cybersecurity News: News Bytes


A breakdown of the most interesting new CVEs that appeared this week. 

  • CVE-2022-23131 – Zabbix has been shown to allow the compromise of complete networks thanks to poorly configured client-side sessions. This vulnerability was discovered by the team at Sonar Source and is considered high risk. For anyone using Zabbix, install the latest update (Zabbix 6.0.0beta2) and be sure to check that your monitoring software is not giving the adversary an easy way to track your metrics. 
  • CVE-2021-44521 – An exploit in Apache Cassandra allows users to “escape the sandbox” and execute arbitrary code remotely. If you use Apache Cassandra but have stuck to the default configurations, you should be safe. However, certain custom configurations will cause havoc if they remain unpatched. Update your systems and ensure that your systems do not allow sandbox escaping to protect your data. Thanks to the team at JFrog for discovering this vulnerability.
  • CVE-2022-24086 – Poor input validation controls allow users to exploit Magento Open Source and Adobe Commerce and could lead to remote code execution from an unauthenticated user. Updating your Magento Open Source or Adobe Commerce installations is the best way to tighten up what data can make it to your servers. 

Hack Attack 

A quick look at the global hacking community and how they have been working – both black hat and white hat. 

  • The controversial “Freedom Convoy” in Canada has led hackers to expose the names of many donors to the cause through a weakness found in an improperly configured Amazon-hosted S3 bucket. The hack has exposed 50GBs of sensitive data to the internet. This story has raised the question of whether it is ever acceptable to use black hat techniques (outside of red team investigations). Many commenters on popular social media website Reddit found the situation controversial, to say the least!
  • In the wake of North Koreans stealing a large amount of cryptocurrency over the past year, an American security researcher known as P4x has knocked North Korea’s limited internet offline. Due to the US government’s inaction towards suspected targeted attacks on security researchers, P4x took business into their own hands and launched a DDoS against the outdated technology used by the Hermit Kingdom.


The rise in phishing is something that all cybersecurity professionals should be aware of. How are they operating? What should we be on the lookout for? 

  • Egress has reported a 232% increase in phishing emails that rely on LinkedIn impersonations. Using effective impersonation techniques – down to the subject and pictures used in the emails – the adversary has managed to con many people looking to get back on the career ladder after the disastrous effects of Coronavirus on the job market. It seems that cybercriminals are using these phishing attacks to steal credentials and launch credential stuffing attacks against a variety of organizations.
  • More alarmingly, the FBI is now reporting that victims of business email compromise (BEC) attacks are being impersonated in live calls. By whale phishing for CEOs and other highly influential individuals within organizations, the hackers are gaining access to video call software such as Microsoft Teams and Zoom and then using deep fake technology to trick unsuspecting colleagues into sharing sensitive information.

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test AI and IoT devices. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

AI & IoT Pentesting  

adi0x90/attifyos: AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. 

rizinorg/rz-ghidra: This is an integration of the Ghidra decompiler and Sleigh Disassembler for rizin. It is solely based on the decompiler part of Ghidra, which is written entirely in C++, so Ghidra itself is not required at all and the plugin can be built self-contained. 

intel/meta-intel-iot-security: A collection of loosely related OpenEmbedded layers providing several security technologies. 

EddOliver/TechCare: TechCare Baby Safe, an IoT solution to improve security and access to neonates, with Face recognition using Thundercomm’s AI kit 

New & Trending Tools  

clj-holmes/clj-holmes: A CLI SAST (static application security testing) tool to find vulnerable Clojure code via rules that use a simple pattern language. 

raverrr/plution: A prototype pollution scanner using headless Chrome, by David Bate. By default uses a hardcoded payload that can detect 11 of these cases. 

testifysec/witness: A pluggable framework for supply chain security by TestifySec

cado-security/rip_raw: A small tool to analyse the memory of compromised Linux systems that enables you to analyse systems without needing to generate a profile, by Cado Security’s Chris Doman.
