Hacking group is on a tear, hitting US critical infrastructure and SF 49ers

By | February 14, 2022
A helmet for the San Francisco 49ers football team.

A couple of days after the FBI warned that a ransomware group called BlackByte had compromised critical infrastructure in the US, the group hacked servers belonging to the San Francisco 49ers football team and held some of the team’s data for ransom.

Media representatives for the NFL franchise confirmed a security breach in an emailed statement following a post on BlackByte’s dark web site, on which the hacker group attempts to shame and scare victims into making big payouts in exchange for a promise not to leak the data and to provide a decryption key that allows the data to be recovered. The recent post made available for download a 379MB file named “2020 Invoices” that appeared to show hundreds of billing statements the 49ers had sent partners including AT&T, Pepsi, and the city of Santa Clara, where the 49ers play home games.

A busy three months

In an emailed statement, franchise representatives said investigators were still assessing the breach.

“While the investigation is ongoing, we believe the incident is limited to our corporate IT network,” the statement said. “To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.”

The team said it notified law enforcement and is working with third-party cybersecurity firms to perform the investigation. “[W]e are working diligently to restore involved systems as quickly and as safely as possible,” the statement said.

On Friday, the FBI and the Secret Service issued a joint statement warning that BlackByte, a group first spotted last year, has been on a hacking spree over the past three months and that it has successfully breached an array of sensitive networks.

“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food and agriculture),” the advisory stated. “BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.”

Shells, bugs, and print bombs

BlackByte first surfaced last July, when people discussed it in a Bleeping Computer forum. An early version of BlackByte’s ransomware contained a flaw that exposed encryption keys used to lock up victims’ data. The bug allowed security firm Trustwave to release a decryptor tool that recovered data for free. An updated version fixed the bug.

An analysis published by security firm Red Canary said the hacking group was able to hack some of its victims by exploiting ProxyShell, the name of a series of vulnerabilities in Microsoft Exchange Server. The vulnerabilities allow hackers to gain pre-authentication remote code execution. From there, bad actors could install a shell that pipes commands to the compromised server. A host of adversaries—with nation-state-backed hackers from Iran among them—have exploited the vulnerabilities. Microsoft patched them last March.

Another characteristic of BlackByte, Red Canary said, was its use of “print bombing.” This feature caused all printers connected to an infected network to print ransom notes at the top of each hour that said, “Your [sic] HACKED by BlackByte team. Connect us to restore your system.”

The joint advisory issued by the FBI and Secret Service didn’t identify any of the organizations that have been breached by BlackByte. The advisory also provided a list of indicators admins and security personnel can use to determine if networks have been compromised by the group. It’s not unusual for ransomware hackers to remain in compromised networks for weeks as they work to worm their way in. Admins should use the indicator list as soon as possible to determine if their networks have been hacked.