Not so long ago, ransomware spread mainly through phishing campaigns, and more recently through social engineering that delivers the malware and creates the infection. In the past year, however, we've seen some interesting changes in how malware, and ransomware in particular, spreads.
Attackers see ransomware as the most advantageous malware: it gives them control over our files and forces the victims to decide whether to pay to get the files back or let them go. Attackers' preference for ransomware has made it well known, so many companies have begun training their employees to be more aware of this kind of malware. However, training is not enough, since attackers are now using common vulnerabilities to infect systems and bypass user interaction entirely.
Here are 3 examples that we’ve recently seen in the wild:
Black Kingdom ransomware – exploits a Pulse Secure VPN vulnerability
This vulnerability was the most severe of several security flaws identified in enterprise VPNs from Pulse Secure.
The bug, an arbitrary file read issue, could allow unauthenticated attackers to exfiltrate credentials, which could then be used in combination with a remote command injection vulnerability in Pulse Secure products (CVE-2019-11539) to compromise private VPN networks.
Pulse Secure released patches for the identified issues in April 2019 and said in August 2019 that most customers had already installed them. However, it appears that some organizations still haven’t patched their systems.
Netwalker ransomware – exploits SMBGhost
Known by various names (SMBGhost, CoronaBlue, NexternalBlue, BluesDay), the security flaw can be leveraged by an unauthenticated attacker to spread malware from one vulnerable system to another without user interaction.
SMBGhost affects Windows 10 versions 1909 and 1903, including Server Core. Microsoft patched it in March, warning that exploitation is "more likely" on both older and newer software releases and that the flaw carries the maximum severity score of 10.
All an attacker would need to do to exploit the vulnerability is send a specially crafted packet to a targeted SMBv3 server. The result would be similar to the WannaCry and NotPetya attacks from 2017, which used the EternalBlue exploit for SMBv1.
REvil ransomware – abuses unpatched, exposed RDP and privilege escalation
REvil ransomware (a.k.a. Sodinokibi) takes advantage of several weaknesses, including unpatched, exposed RDP and privilege escalation. This malware uses CVE-2018-8453, a vulnerability that should have been patched almost two years ago (https://support.microsoft.com/en-us/help/4471320). Beyond obtaining administrative access to Active Directory, the attack encrypted server and user files, including those in OneDrive.
What can we do against it?
As the examples above show, attackers were able to abuse product vulnerabilities without any user interaction, which means that the responsibility for securing the product does not rest with the end user. Even so, there are a few things we can do to make it harder for attackers to affect us:
Proper configuration – Most security products are not well configured or integrated with other security products, and this misconfiguration can be helpful to attackers. Make sure you configure everything correctly and adapt it to your company's environment.
Test your products – Once a security product is up and running, it is important to test it to make sure it does what it is supposed to do. Organizations often ignore the importance of product testing and only discover that a product isn't working properly after they've been hit by a cyber attack.
Patch management – Security companies work hard to find vulnerabilities in their products and release patches as soon as possible. Make sure to patch immediately and follow your vendors' advisories; those updates are there to protect and fix.
Harden your systems – The worst case is getting hacked, but even then you can still cause attackers some pain if you've hardened your systems. Simple security policies can make it very difficult for attackers to move laterally and spread through your network. For example, create a GPO that disables macros or blocks some well-known file types such as HTA, VBA, Batch, etc.
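As an added example (not from the original post or from Reason Labs), the following PowerShell script applies the hardening recommended above to a single Windows host by writing the same registry settings a GPO would push. It assumes Office policy paths under version "16.0" (Office 2016/2019/365), that remapping .hta, .vbs and .bat to Notepad is acceptable on the host (.vbs is an addition beyond the post's list), and that it runs from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: local equivalent of a "disable macros / block script types" GPO.
# Assumes Office 16.0 policy paths; HKCU policy keys apply to the current user only.

$officeApps   = 'Word', 'Excel', 'PowerPoint'
$officePolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Disable-OfficeMacros {
    foreach ($app in $officeApps) {
        $key = Join-Path $officePolicy "$app\Security"
        New-Item -Path $key -Force | Out-Null
        # VBAWarnings 4 = "Disable all macros without notification"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Also block macros in files carrying the Mark-of-the-Web (downloaded / e-mailed)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Script types the post calls out (HTA, Batch) plus .vbs (assumed addition)
$blockedExtensions = '.hta', '.vbs', '.bat'

function Block-ScriptExtensions {
    foreach ($ext in $blockedExtensions) {
        $key = "HKLM:\SOFTWARE\Classes\$ext"
        New-Item -Path $key -Force | Out-Null
        # Pointing the ProgID at txtfile makes double-click open Notepad instead of executing
        Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
    }
}

# Audit step: verify the settings actually took effect ("test your products")
function Test-Hardening {
    $result = [ordered]@{}
    foreach ($app in $officeApps) {
        $key = Join-Path $officePolicy "$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
        $result["$app macros disabled"] = ($v -eq 4)
    }
    foreach ($ext in $blockedExtensions) {
        $handler = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
        $result["$ext opens in Notepad"] = ($handler -eq 'txtfile')
    }
    return $result
}

Disable-OfficeMacros
Block-ScriptExtensions
Test-Hardening | Format-Table -AutoSize
```

For fleet-wide deployment the same values belong in a Group Policy Object (the Office administrative templates expose VBAWarnings and blockcontentexecutionfrominternet directly) rather than in per-host scripts.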
About Reason Labs
Reason Labs is the threat research arm of Reason Cybersecurity. We play a leading role in researching and exploring cyber threats and advancing the state of cybersecurity intelligence. Reason Labs collects raw data about existing and emerging threats and analyzes that data to deliver actionable insights in real-time.
We leverage the threat intelligence we gather from always-on active sensors, in order to continuously analyze, organize, and add context to evolving cyber activities, attacks and threats. This powerful intelligence network leaves Reason prepared to meet threats head-on.