Ransomware attacks have become increasingly sophisticated, with threat actors leveraging various infection vectors to gain initial access to systems. In this blog, we'll explore three critical infection vectors: RDP (Remote Desktop Protocol), vulnerabilities, and phishing. Understanding these vectors and how they are exploited is crucial to preventing ransomware attacks.
1. Remote Desktop Protocol (RDP)
Why is RDP a Major Threat?
Lack of Awareness: Many organizations do not fully recognize the threat posed by open RDP services.
Critical Servers at Risk: RDP is often left open on critical servers, making them easy targets.
Weak Security Measures: Common issues include weak password policies, no Multi-Factor Authentication (MFA), and no lockout policies.
Key Consideration: Any RDP service exposed to the internet will face constant brute-force attacks. Organizations often avoid lockout policies to prevent legitimate accounts from being locked out, but this opens the door to attackers.
Tracking RDP via Event Logs
Use event IDs to monitor RDP activity. Common event IDs associated with RDP use include.
Restricting RDP Activity
Group Policy Objects (GPOs): Disable RDP on hosts where it is not required.
Firewall Rules: Implement rules to block inbound and outbound RDP traffic based on both port numbers and detected application protocols.
Security Policies: Establish and enforce policies that prohibit unnecessary RDP use.
Verification: Check firewall logs and Windows event logs, especially from an external to internal perspective, to ensure RDP restrictions are effective.
2. Exploiting Vulnerabilities
Understanding Zero-Day Attacks
What is a Zero-Day?: A zero-day vulnerability is an unknown flaw in software with no available patch. However, once a patch is available, it stops being a zero-day.
Case Study - REvil and Kaseya (2021): The REvil group exploited zero-day vulnerabilities in Kaseya's software, leading to widespread attacks.
Why Are Exploits Successful?
Slow Patch Cycles: Organizations often take too long to patch vulnerabilities.
Poor Asset Management: Many companies lack a solid asset management system, leading to unpatched devices and services.
Abandoned Services: Unused and unpatched services create easy entry points for attackers.
Example of Exploits: The Log4Shell vulnerability in 2021 highlighted how unmonitored third-party libraries can become major security risks.
Resources: Track the most exploited vulnerabilities via below link.
Identification: Look for “contextual evidence” when identifying vulnerability exploitation as the infection vector. For example,
non-related process running under a service-related process is a red flag.
Service- and appliance-related processes serving as parents for non related processes is a bad sign.
3. Phishing - The Most Common Infection Vector
How Phishing Works
Email Attacks: Phishing emails aim to deliver malware or harvest credentials. Attackers often bypass MFA by using stolen credentials to log in to remote services like VPNs and RDP.
Malspam Campaigns: These campaigns rely on sheer volume to succeed. Emails may contain malicious attachments (maldocs) or links designed to download malware.
Hunting for Phishing Attachments
Web Browsers: Analyze web browser artifacts using tools like DB Browser to identify downloaded files.
Outlook Content: Cached emails and attachments in Outlook are valuable for hunting phishing artifacts. Malicious processes launched from Office applications are often a tell-tale sign.
(/inetcache/content.outlook/)
Windows Explorer: Look for evidence of ZIP files opened by users, which may contain malware.
Windows Registry: The Windows Registry is a veritable cornucopia of data pertaining to user actions within the operating system. If a user opens a maldoc, they may be required to enable macros. Unsurprisingly, many users take this action without question. When they do, the action is logged in the “Trusted Documents” section of the Registry.
Phishing Links
Direct Downloads: Some phishing emails bypass DNS-level protection by using direct IP addresses or URL shorteners (e.g., bit.ly, tinyurl).
File Sharing Sites: Attackers often use legitimate file-sharing sites like Google Drive or Dropbox to host malicious content, making detection harder.
Mitigation: Organizations should block or at least monitor access to file-sharing sites and flag suspicious activity.
Additional concepts:
The Role of CVEs and Exploit Code in Ransomware Campaigns
Newly Announced CVEs:
Darknet Discussions: Newly disclosed CVEs are often discussed on darknet forums, where threat actors share and sell exploits.
Rapid Spread of POC Code: In today's digital age, Proof of Concept (POC) code spreads quickly on public platforms like GitHub and private channels alike. It's not uncommon for ransomware actors to log into a victim's network, open a web browser, and download tools or POC code from GitHub the same day it becomes available.
Exploits for Sale:
Darknet Marketplaces: While some security researchers publish POC code publicly, threat actors often develop and sell exploit code on darknet marketplaces. Occasionally, researchers purchase this code to bring awareness to the threat, but this also highlights the accessibility of such exploits to malicious actors.
Example - PrintNightmare:
Commodity Malware and Malware as a Service (MaaS)
Commodity Malware:
Infostealers: These are commonly used in ransomware attacks to gather information and lay the groundwork for further exploitation.
MaaS: MaaS has become a significant tool in ransomware campaigns. Originally starting as "banking trojans" or "info stealers," these tools have evolved into what are now often referred to as "loaders," capable of delivering additional payloads onto a compromised machine.
Emotet:
A Notorious Example: Emotet, one of the most well-known MaaS families, had a significant impact on the cyber threat landscape. After a law enforcement raid led to its temporary disappearance, the group re-emerged in mid-2022, revamping its operations.
Cryptolaemus: A group of researchers known as "Cryptolaemus" has dedicated itself to combating the Emotet threat. They regularly post information on Emotet campaigns, including IPs and URLs they have detected. https://x.com/Cryptolaemus
Resource for Live Malware Samples: For live samples of various MaaS families and loaders,
Conclusion
Understanding these infection vectors is crucial for building robust defenses against ransomware. By focusing on key areas such as RDP, vulnerabilities, and phishing, organizations can significantly reduce their risk of falling victim to these attacks. Regular monitoring, patching, and enforcing strict security policies are essential steps in this process.
Comments