
VPN bugs are still the favourite exploits of ransomware gangs, but RDP still reigns supreme


While some ransomware groups have heavily targeted Citrix and Pulse Secure VPNs to breach corporate networks in H1 2020, most ransomware attacks take place because of compromised RDP endpoints.


Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020.

While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year.

The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances.

RDP — number one on the list

At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.

"Today, RDP is regarded as the single biggest attack vector for ransomware," cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.

Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also support this assessment, with the company firmly ranking RDP as the most popular entry point for the ransomware incidents it investigated this year.


Further, data from threat intelligence company Recorded Future also puts RDP firmly at the top.

"Remote Desktop Protocol (RDP) is currently by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware," Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

Some might think that RDP is today's top intrusion vector for ransomware gangs because of the work-from-home setups that many companies have adopted this year; however, this is wrong and inaccurate.

RDP has been the top intrusion vector for ransomware gangs since last year, when ransomware gangs stopped targeting home consumers and moved en masse towards targeting companies instead.

RDP is today's top technology for connecting to remote systems and there are millions of computers with RDP ports exposed online, which makes RDP a huge attack vector to all sorts of cyber-criminals, not just ransomware gangs.

Today, we have cybercrime groups specialized in scanning the internet for RDP endpoints, and then carrying out brute-force attacks against these systems, in attempts to guess their respective credentials.

Systems that use weak username and password combos are compromised and then put up for sale on so-called "RDP shops," from where they're bought by various cybercrime groups.
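The credential-guessing pattern described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source address, cycling through usernames, sometimes followed by a successful logon (event ID 4624) once a weak password is found. The following Python detector is an added example, not code from the original article or from any of the firms it cites; the log lines are constructed, the pipe-delimited format is a simplification of the real event fields, and the threshold and time window are assumptions that a defender would tune to their environment.

```python
"""
Flag RDP brute-force / credential-guessing activity from Windows Security
log events. Added example; the sample events below are constructed and the
simplified "EventID|time|logon_type|user|src" format is an assumption.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Real Windows Security event IDs and logon type for RDP sessions.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample: one source cycles through common usernames and finally
# succeeds; another is a normal user who mistyped once; the last is a local
# (type 2) logon that must be ignored by an RDP-specific rule.
SAMPLE_EVENTS = """\
4625|2020-08-20T02:00:01|10|administrator|203.0.113.7
4625|2020-08-20T02:00:03|10|admin|203.0.113.7
4625|2020-08-20T02:00:05|10|root|203.0.113.7
4625|2020-08-20T02:00:07|10|scan|203.0.113.7
4625|2020-08-20T02:00:09|10|test|203.0.113.7
4625|2020-08-20T02:00:11|10|backup|203.0.113.7
4624|2020-08-20T02:00:14|10|backup|203.0.113.7
4625|2020-08-20T08:15:00|10|jsmith|198.51.100.22
4624|2020-08-20T08:15:20|10|jsmith|198.51.100.22
4625|2020-08-20T09:00:00|2|jdoe|127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<event_id>\d+)\|(?P<time>[^|]+)\|(?P<logon_type>\d+)\|"
    r"(?P<user>[^|]+)\|(?P<src>[\d.]+)$"
)


@dataclass
class Event:
    event_id: int
    time: datetime
    logon_type: int
    user: str
    src: str


@dataclass
class Alert:
    src: str
    failures: int = 0                       # total RDP failures from this source
    users_tried: Set[str] = field(default_factory=set)
    success_user: Optional[str] = None      # account that logged in after the burst


def parse_events(text: str) -> List[Event]:
    """Parse the simplified log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(int(m["event_id"]), datetime.fromisoformat(m["time"]),
                            int(m["logon_type"]), m["user"], m["src"]))
    return sorted(events, key=lambda e: e.time)


def detect_rdp_bruteforce(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, Alert]:
    """Alert on a source with >= threshold RDP failures inside `window`, and
    record whether that source then succeeded while the burst was still recent."""
    recent: Dict[str, deque] = defaultdict(deque)  # src -> failure timestamps in window
    fail_count: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, Alert] = {}

    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[ev.src]
        while q and ev.time - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev.event_id == FAILED_LOGON:
            q.append(ev.time)
            fail_count[ev.src] += 1
            users[ev.src].add(ev.user)
            if len(q) >= threshold:
                alerts.setdefault(ev.src, Alert(src=ev.src))
        elif ev.event_id == SUCCESS_LOGON and ev.src in alerts and q:
            # A success while recent failures are still in the window: the
            # guessed credential most likely worked.
            alerts[ev.src].success_user = ev.user

    for src, alert in alerts.items():
        alert.failures = fail_count[src]
        alert.users_tried = users[src]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {a.failures} RDP failures, {len(a.users_tried)} usernames, "
              f"success as {a.success_user!r}")
```

In a real deployment the same logic would be fed from the Security event log (the `IpAddress`, `TargetUserName` and `LogonType` fields of events 4624/4625) rather than from the constructed lines above; the success-after-burst case is the one worth paging on, since it is exactly the compromised endpoint that ends up for sale on an RDP shop.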

RDP shops have been around for years, and they are not something new.

However, as ransomware groups migrated from targeting home consumers to enterprises last year, ransomware gangs found a readily available pool of vulnerable RDP systems on these shops -- a match made in heaven.

Today, ransomware gangs are the biggest clients of RDP shops, and some shop operators have even shut down their shops to work with ransomware gangs exclusively, or have become customers of Ransomware-as-a-Service (RaaS) portals to monetize their collection of hacked RDP systems themselves.

VPN appliances — the new RDPs

But 2020 has also seen the rise of another major ransomware intrusion vector, namely the use of VPN and other similar network appliances to enter corporate networks.

Since the summer of 2019, multiple severe vulnerabilities have been disclosed in VPN appliances from today's top companies, including Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Secureworks, and F5.

Once proof-of-concept exploit code became public for any of these vulnerabilities, hacker groups began exploiting the bugs to gain access to corporate networks. What hackers did with this access varied, depending on each group's specialization.

Some groups engaged in nation-level cyber-espionage, some groups engaged in financial crime and IP theft, while other groups took the "RDP shops" approach and re-sold access to other gangs.

While a few scattered ransomware incidents using this vector were reported last year, it was in 2020 that an increasing number of ransomware groups began using hacked VPN appliances as the entry point into corporate networks.

Over the course of 2020, VPNs quickly rose as the hot new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets, according to a report published last week by SenseCy.

Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.

Similarly, SenseCy says ransomware groups like REvil and Black Kingdom have leveraged Pulse Secure VPNs that have not been patched for bug CVE-2019-11510 to attack their targets.

Per Recorded Future, the latest entry on this list is the NetWalker gang, which appears to have started targeting Pulse Secure systems to deploy its payloads on corporate or government networks where these systems might be installed.

With a small cottage industry developing around hacked RDPs and VPNs on the cybercrime underground, and with tens of cyber-security firms and experts constantly reminding everyone to patch and secure these systems, companies have no more excuses for getting hacked via these vectors.

It's one thing to have an employee fall victim to a cleverly disguised spear-phishing email; it's another to leave your VPN or networking equipment unpatched for more than a year, or to use admin/admin as your RDP credentials.
