Ransomware campaigns are always on the prowl for a path of least resistance: well-known vulnerabilities that grant initial access and enable lateral movement.
This is evident from the recent ransomware attacks on Konica Minolta (a technology corporation), Carnival Corp (a cruise operator), Brown-Forman (an alcoholic beverage company), and Canon (a world leader in imaging technology).
Our analysis indicates an ongoing trend among attackers to reuse old tactics, techniques, and procedures (TTPs). They direct these attack methods at organizations that are most vulnerable to disruption: organizations that have not had the time or resources to double-check their security hygiene, such as installing the latest patches, updating firewalls, and reviewing the privilege levels of users and endpoints. This increases the probability of a payoff.
One key observation is that ransomware gangs are adopting and using the MITRE ATT&CK framework. Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt their privilege escalation and lateral movement to the security weaknesses and vulnerable services they discover in the network. In these attacks, adversaries typically persist on the network undetected, sometimes for months, and deploy the ransomware payload at a later time.
We saw it coming and warned about these vulnerabilities.
Five months ago, we warned the industry through our cyber risk whitepaper series, in which we analyzed the vulnerabilities present in technologies and applications predominantly used by work-from-home employees. We analyzed over 187 products and found over 4849 vulnerabilities in popular tech stacks. We also listed the top 3 CVEs in each technology (those associated with ransomware or capable of remote code execution (RCE) or privilege escalation (PE)) that need to be fixed.
Courtesy: CSW Cyber Risk in Remote Working
We warned about ransomware operators and APT groups that target network devices such as gateways and VPN appliances to breach companies, steal information, and encrypt it to hold for ransom.
Though the threat groups differ and the ransomware delivered is unique to each, the one common factor binding them all is that old vulnerabilities with known exploits were used to deliver the ransomware.
Despite the warning, many organizations remained complacent about patching, especially of Pulse Secure VPNs, for which a fix was available. Today, the same vulnerabilities are being targeted in ransomware attacks.
The same holds true for unprotected Citrix VPN servers. Citrix disclosed a vulnerability in the company's Application Delivery Controller and Gateway products, commercial virtual private network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw could give an attacker on the Internet direct access to the local networks behind the gateways, using a crafted web request, without an account or any authentication.
In a recent article, ZDNet reported that CISA has warned about Chinese hackers targeting F5 BIG-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers through major vulnerabilities such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688.
Our study shows that these threat actors and APT groups have not invented a new weapon to take down your infrastructure. They are merely delivering their payload through old vulnerabilities that companies have forgotten to patch or update.
Delivering Ransomware through old vulnerabilities
While many organizations focus on new vulnerabilities, our analysis shows that vulnerabilities from as far back as 2010 continue to trend with ransomware in the wild. Around 31.5% of the analyzed vulnerabilities (18 out of 57) date from 2015 or earlier, and 16 of those continued to trend in 2018 or 2019. While organizations often rush to patch the latest vulnerabilities, this should serve as a reminder that older weaponized and trending vulnerabilities pose the greatest risk.
Carnival Corp flagged two vulnerabilities as responsible for the attack:
- Citrix vulnerability CVE-2019-19781
- Palo Alto Firewall flaw CVE-2020-2021
CVE-2020-2021 is an authentication bypass vulnerability with a CVSSv3.1 score of 10.0 in the Security Assertion Markup Language (SAML) authentication in PAN-OS. An unauthenticated, remote attacker could exploit this vulnerability to gain access to "protected resources" within a network.
CVE-2019-19781 is a popular vulnerability with threat actors and ransomware gangs. We know that Ragnarok ransomware uses this vulnerability to deliver its payload on unpatched systems. And not just them: REvil, Vated Loader, DoppelPaymer, NOTROBIN, CLOP, and Sodinokibi have used the same vulnerability in the past.
CVE-2019-11510 in Pulse Secure is also a popular vulnerability with ransomware gangs. When exploited, it allows an unauthenticated remote attacker to send a specially crafted URL and read arbitrary files. It was exploited in the wild to deliver the 'Sodinokibi' ransomware as of January 2020.
We called out CVE-2019-19781 and CVE-2019-11510 in our Cyber Risk Series way back in March 2020.
These old vulnerabilities, deemed less than critical, are leading to significant security challenges for companies in all industries. Significantly, organizations that use CVSS scores as their exclusive means of prioritizing vulnerabilities for patching will miss them, providing threat actors a perfect gateway into their systems.
Additionally, since technology is often reused across products, these vulnerabilities often impact more than one vendor: 15 trending vulnerabilities with active exploits in the wild affect more than one technology vendor.
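As an added illustration of the CVSS-only trap described above (example code written for this page, not CSW's own tooling): a small Python prioritizer that ranks a constructed inventory of the CVEs named in this post, once by CVSS alone and once with weights for in-the-wild exploitation, ransomware association, multi-vendor reuse, and age. Except for CVE-2020-2021's 10.0, the CVSS values, the weights, and the two PLACEHOLDER entries are constructed assumptions.

```python
"""Prioritise patching by exploitation evidence, not CVSS alone (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float            # CVSS v3 base score
    year: int              # year from the CVE id, used as an age proxy
    exploit_in_wild: bool  # public exploit observed in active use
    ransomware: bool       # linked to at least one ransomware family
    multi_vendor: bool     # reused technology: affects more than one vendor

def cvss_only(v: Vuln) -> float:
    """The CVSS-only prioritisation the post warns against."""
    return v.cvss

def threat_aware(v: Vuln, today: int = 2020) -> float:
    """CVSS plus weights for the signals the post says matter most (weights are assumed)."""
    score = v.cvss
    if v.exploit_in_wild:
        score += 3.0
    if v.ransomware:
        score += 4.0
    if v.multi_vendor:
        score += 1.0
    if v.exploit_in_wild and today - v.year >= 2:
        score += 1.0  # old but weaponised: the exposure window has been open for years
    return score

def rank(vulns, key):
    """CVE ids ordered from highest to lowest priority under `key`."""
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]

def missed_by_cvss(vulns, n=3):
    """CVEs in the threat-aware top n that a CVSS-only top n would skip."""
    return set(rank(vulns, threat_aware)[:n]) - set(rank(vulns, cvss_only)[:n])

# Constructed inventory. CVE-2020-2021's 10.0 is stated in the post; the other
# scores are illustrative, and the two PLACEHOLDER ids are not real CVEs.
SAMPLE = [
    Vuln("CVE-2019-19781", 9.8, 2019, True, True, False),   # Citrix ADC/Gateway
    Vuln("CVE-2019-11510", 10.0, 2019, True, True, False),  # Pulse Secure VPN
    Vuln("CVE-2020-2021", 10.0, 2020, True, False, False),  # PAN-OS SAML bypass
    Vuln("CVE-2020-5902", 9.8, 2020, True, False, False),   # F5 BIG-IP
    Vuln("CVE-2020-0688", 8.8, 2020, True, False, False),   # Exchange
    Vuln("CVE-2020-PLACEHOLDER-NEW", 9.9, 2020, False, False, False),
    Vuln("CVE-2015-PLACEHOLDER-OLD", 7.5, 2015, True, True, True),
]
```

Calling `rank(SAMPLE, cvss_only)` puts the never-exploited PLACEHOLDER-NEW third and the ransomware-linked 2015 entry last; `rank(SAMPLE, threat_aware)` reverses that, and `missed_by_cvss(SAMPLE)` lists the two weaponized CVEs a CVSS-only top 3 would skip.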
Courtesy: Risk Sense Ransomware Report (2019)
36 of the 57 vulnerabilities have been found to be favorites of many ransomware families.
Courtesy: Risk Sense Ransomware Report (2019)
Three years ago, the WannaCry ransomware attack taught us a costly lesson. It targeted computers that had not been updated. The attack affected more than 200,000 computers across 150 countries, with damages ranging from hundreds of millions to billions of dollars.
Sadly, we have not learned our lesson, and the warnings issued by CSW and many others have been ignored.
Our goal is to prioritize vulnerabilities and assist in protecting critical services, especially at organizations supporting critical infrastructure. Now more than ever, organizations need help protecting against attacks that can block access to critical systems, cause downtime, or steal sensitive information.