(Source: welivesecurity.com)
A cybercriminal group identified as “CosmicBeetle” has been actively exploiting vulnerabilities in the software systems of small and medium-sized businesses (SMBs) in Turkey, Spain, India, and South Africa. The group’s primary aim is to deploy ransomware, but that ransomware has shown a pattern of technical flaws, causing significant problems for the affected companies. According to the Slovak cybersecurity firm ESET, CosmicBeetle operates at a relatively low level of sophistication, and its ransomware, named ScRansom, is still undergoing frequent updates and changes.
Though the attackers’ methods are unsophisticated, the impact on victims has been notable, with the ransomware causing data encryption errors. In some cases, ESET researchers discovered that multiple encryption routines had been run on infected machines, complicating data recovery efforts. Despite these technical hurdles, CosmicBeetle continues to pose a risk to businesses worldwide as it refines its ransomware tactics.
Immature Tactics and Unstable Ransomware
ESET’s analysis highlights CosmicBeetle’s limited skills as malware developers. The group’s ransomware, ScRansom, uses a chaotic encryption process that leads to significant technical issues for victims. Jakub Souček, a senior malware researcher at ESET, emphasized that the group’s lack of experience is evident in the encryption mishaps experienced by affected organizations. In one notable case, a victim organization saw multiple encryption cycles run on its systems, which complicated data recovery.
Souček explains that more seasoned cybercriminal groups prioritize simplicity in their decryption processes to improve success rates and encourage ransom payments. However, CosmicBeetle’s approach remains unpolished, with frequent changes to their ransomware complicating the decryption process for victims. Although the group has developed a working decryptor in its latest iteration, ESET noted that various factors still contribute to the uncertainty surrounding successful decryption.
In an attempt to enhance its reputation, CosmicBeetle has tried to imply an affiliation with the infamous LockBit ransomware group, hoping to instill confidence in its victims. Additionally, the group has joined the RansomHub affiliate program and often deploys that third-party ransomware instead of its custom-made ScRansom.
Targeting Vulnerable SMBs with Outdated Software
CosmicBeetle’s primary tactic is to scan for and exploit old vulnerabilities in software commonly used by SMBs. The attacks focus on flaws in platforms such as Veeam Backup & Replication (CVE-2023-27532) and Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), giving the attackers significant access to company infrastructure.
Although CosmicBeetle does not exclusively target SMBs, the majority of its victims come from this segment because of their use of vulnerable software and a lack of robust patch management practices. Souček notes that larger companies tend to have better patch management systems in place, leaving smaller businesses more susceptible to these types of attacks. Victims of CosmicBeetle span various industries, including manufacturing, pharmaceuticals, legal services, education, and healthcare.
According to ESET’s report, which was published on September 10, the attacks predominantly affect SMBs outside the EU and the US. CosmicBeetle’s focus on old vulnerabilities makes it easier for the group to compromise businesses with weaker cybersecurity defenses.
Turkey Emerges as a Hotspot for CosmicBeetle Attacks
Among the countries affected, Turkey has emerged as the primary target of CosmicBeetle, with the majority of victimized organizations based there. Other countries, such as Spain, India, and South Africa, have also seen a significant number of attacks. While one firm claims to have linked the group to a Turkish software developer, ESET has expressed skepticism about this connection. However, the group’s extensive activity in Turkey has led ESET to believe that CosmicBeetle is likely based in the country or region.
Souček speculates that the group’s familiarity with Turkey may make them more confident in targeting local businesses, while other attacks appear to be opportunistic. The ransomware attacks rely on a combination of factors, including the vulnerability of the target and its perceived value as a ransomware target.
As CosmicBeetle continues to refine its methods, the cybersecurity landscape for SMBs remains fraught with risk. Businesses worldwide, particularly those running outdated software with limited patch management capabilities, are urged to bolster their defenses to mitigate the risk posed by this emerging threat.