{"id":682,"date":"2024-08-08T17:56:23","date_gmt":"2024-08-08T17:56:23","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=682"},"modified":"2024-08-08T17:56:23","modified_gmt":"2024-08-08T17:56:23","slug":"main-initial-access-vectors-in-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2024\/08\/08\/main-initial-access-vectors-in-ransomware-attacks\/","title":{"rendered":"Main initial access vectors in ransomware attacks"},"content":{"rendered":"

Overview<\/h1>\n

Ransomware attacks represent one of the most critical cyber threats, given the increasing number of organizations affected each month by numerous global operating groups. These attacks disrupt operations, cause reputational and informational losses, and result in significant financial detriments. The attackers aim to encrypt victims’ data, demanding a ransom to restore access and threatening to distribute the information on underground forums if the payment is not made.<\/p>\n

Over time, initial access vectors \u2014methods attackers use to introduce malware into systems\u2014 have evolved significantly. This evolution is driven by changes in the technologies employed by organizations, the security controls implemented, and the new techniques acquired by threat actors.<\/p>\n

During the early rise of ransomware, initial access vectors were relatively simpler, exploiting basic security flaws, exposed credentials, or misconfigurations. A significant factor contributing to this was the greater lack of cybersecurity awareness within organizations. As this awareness has increased, attackers have gradually become more sophisticated in their operations, highlighting the crucial role of education and training in preventing cyber-attacks.<\/p>\n

Examples of early ransomware families are “Reveton<\/em><\/a>” and “CryptoLocker<\/em><\/a>,” primarily spread through phishing emails and malicious downloads from compromised websites. Reveton<\/em>, for instance, disguised itself as a police warning to trick victims into paying a “fine<\/a>“. CryptoLocker<\/em>, on the other hand, was distributed via emails with malicious attachments impersonating legitimate companies, sending fake FedEx and UPS<\/a> notifications that, when opened, infected the victim’s system and encrypted their files.<\/p>\n

As system defenses improved, attackers diversified their TTP (tactics, techniques, and procedures). They began using exploit kits such as Angler <\/em><\/a>and Nuclear<\/em><\/a>, which automated exploiting vulnerabilities in<\/a> outdated<\/a> software<\/a>. For example, the Angler<\/em> exploit kit<\/a> exploited vulnerabilities in Internet Explorer, Silverlight, and Flash Player, among others, and was known for its ability to evade security tools like Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET<\/a>) through sophisticated obfuscation and exploitation techniques.<\/p>\n

Similarly, the Nuclear<\/em> exploit kit was noticeable for its dynamic use of<\/a> payloads<\/a>, adapted to evade signature-based detections and employing advanced techniques to ensure each payload<\/a> was unique for every victim.<\/p>\n

In 2017, the ransomware “WannaCry<\/em><\/a>” marked a significant milestone. This ransomware spread using the EternalBlue<\/em><\/a> exploit, infecting approximately 200,000 computers in 150 countries and causing an estimated of $4 billion in damages. WannaCry demonstrated the potential of ransomware attacks to cause large-scale disruptions and underscored the importance of updating systems.<\/p>\n

Today, the Ransomware-as-a-Service<\/a> (RaaS) business model is the most used by criminal groups. This model features affiliate programs, where affiliates receive assistance to carry out attacks in exchange for a pre-agreed payment or a percentage of the profits from a successful compromise. According to SCILabs’ analysis, this trend has increased the number of ransomware families and threat groups. It is important to note that some threat actors occasionally announce the end of their operations, only to reemerge after a few months with a new name and novel infection techniques. This indicates that the activity of these threat groups is constant.<\/p>\n

The following section addresses the main initial access vectors currently used by threat actors and some reasons why these vectors are exploited.<\/p>\n

What are threat actors’ main initial access vectors to compromise organizations?<\/h1>\n

Threat actors use a variety of initial access vectors to compromise organizations, adapting their TTP to exploit both technological and human vulnerabilities.<\/p>\n

\"\"<\/p>\n

Figure 1 – Main Initial Access Vectors<\/strong><\/p>\n

 <\/p>\n

The following are some of the main methods used:<\/p>\n

 <\/p>\n

Phishing emails, spear-phishing<\/a> and malvertising<\/a><\/strong><\/h2>\n

Phishing emails are one of the most common techniques. Attackers send legitimate emails, deceiving users into clicking on malicious links or downloading infected attachments. These emails can be highly personalized to increase effectiveness, using spear-phishing techniques to target specific individuals within an organization. Additionally, attackers employ malvertising, placing malicious advertisements on legitimate websites or search engines to redirect users to infected pages and automatically download malware without the user\u2019s knowledge.<\/p>\n

How does it work? <\/strong>Attackers send emails that appear to come from trustworthy sources but actually impersonate organizations. These emails contain malicious links or attachments designed to trick victims into revealing credentials or downloading malware. In the case of malvertising, malicious ads on legitimate websites redirect users to malicious pages that download malware.<\/p>\n

Why does it happen?<\/strong> These techniques exploit social engineering, a form of psychological manipulation that preys on people’s emotions and trust. Attackers can customize emails based on information gathered about the victim, increasing the likelihood of success. In addition, by leveraging malicious ads and personalizing their campaigns during tax seasons, mortgage payments, and government processes, to name a few, threat actors have more opportunities to compromise victims.<\/p>\n

\"\"<\/p>\n

Figure 2 – Example of a phishing email used by GlobeImposter<\/em><\/a> ransomware operators<\/strong><\/p>\n

\"\"<\/p>\n

Figure 3 \u2013 Malvertising campaign<\/strong><\/p>\n

Compromised websites<\/strong><\/h2>\n

It is common for threat actors to use compromised websites to distribute malware and gain access to victims’ systems.<\/p>\n

How does it work?<\/strong> Attackers compromise legitimate websites by inserting malicious code into their pages. This can happen through vulnerabilities in the website’s software, such as an HTTP Apache<\/a> server, outdated plugins, or unauthorized access to the website’s administration panel due to weak passwords. Once compromised, the website can redirect visitors to malicious pages or directly download malware onto their devices without their knowledge.<\/p>\n

Why does it happen?<\/strong> This technique is effective because users trust legitimate websites. Attackers exploit this trust to silently and massively distribute malware. Additionally, many websites do not conduct application security testing<\/a>, leading to vulnerabilities in their source code: the lack of updates and security patches on website platforms makes them easy targets for compromise.<\/p>\n

\"\"<\/p>\n

Figure 4 \u2013 Message showed by compromised website<\/a><\/strong><\/p>\n

Vulnerabilities exploiting<\/strong><\/h2>\n

Threat actors seek out and exploit vulnerabilities in outdated or unpatched software, especially in remote applications or those exposed to the internet.<\/p>\n

How does it work? <\/strong>Attackers conduct reconnaissance on organizations’ internet-exposed infrastructure, identifying and exploiting vulnerabilities in outdated or poorly configured software. They use or develop exploits for these vulnerabilities, gaining unauthorized access to systems.<\/p>\n

Why does it happen?<\/strong> Many organizations do not apply security patches promptly, leaving known vulnerabilities exposed. Remote applications and internet-exposed services, such as web servers and databases, are frequent targets. Furthermore, exploit kits can quickly detect and exploit<\/a> these gaps before implementing necessary updates.<\/p>\n

\"\"<\/p>\n

Figure 5 – CVE-2022-30190, “Follina” exploit example<\/strong><\/p>\n

Brute Force Attacks and stolen credentials<\/strong><\/h2>\n

By exploiting weak or reused passwords, attackers can perform brute force attacks to gain access to user accounts. Additionally, stolen credentials from data breaches, known as data leaks or combos, are used to access corporate systems.<\/p>\n

How does it work? <\/strong>Attackers use automated tools to try multiple combinations of usernames and passwords until they find a valid one. They may also use stolen credentials from previous data breaches.<\/p>\n

Why does it happen?<\/strong> The reuse of passwords and the lack of robust password policies facilitate these attacks. Compromised credentials obtained through malware are often sold on underground markets, Telegram groups, or cybercriminal forums, providing attackers with a ready-made database to exploit.<\/p>\n

\"\"<\/p>\n

Figure 6 \u2013 Brute Force attack example<\/strong><\/p>\n

Infostealers<\/strong><\/h2>\n

Infostealers are a type of malware designed to steal sensitive information (such as passwords, financial data, and other personal data stored on infected devices). Threat actors use them to download and execute other threats, including ransomware.<\/p>\n

How does it work?<\/strong> This malware is installed on the victim’s device, typically through phishing emails, malicious downloads, or by exploiting software vulnerabilities. Once installed, it collects sensitive information and sends it to the attacker without the victim’s knowledge. In some cases, it also downloads additional malware.<\/p>\n

Why does it happen?<\/strong> The lack of EDR (Endpoint Detection and Response) tools or antivirus software, as well as the download of unverified software, facilitate infostealers to be spread. The stolen data is sold on underground markets and cybercriminal forums, providing attackers with privileged information that can be used to gain initial access and commit fraud.<\/p>\n

\"\"<\/p>\n

Figure 7 \u2013 Fake office installer to deploy an infostealer<\/a><\/strong><\/p>\n

 <\/p>\n

Abuse of VPN, Citrix, and RDP<\/strong><\/h2>\n

Attackers exploit weak configurations or vulnerabilities in VPN, Citrix, and RDP services to gain unauthorized access to internal networks and sensitive data.<\/p>\n

How does it work?<\/strong> With the increasing adoption of remote work, Remote Desktop Protocol (RDP) and other remote access technologies with poor security configurations have become key targets. Attackers look for exposed RDP, VPN, or Citrix servers and use tools that automate brute-forcing of passwords to gain entry or exploit critical vulnerabilities to access corporate networks. Once inside, they can move laterally through the network, steal data, and deploy malware. Specifically for RDP, attackers exploit misconfigured settings or weak credentials to access systems remotely.<\/p>\n

Why does it happen? <\/strong>Misconfigurations, lack of multi-factor authentication, and the failure to promptly apply security patches facilitate these attacks. Immediate application of security patches is crucial to prevent attackers from exploiting these vulnerabilities and penetrating corporate networks.<\/p>\n

\"\"<\/p>\n

Figure 8 – Example of RDP exploits search in Kali Linux<\/a><\/p>\n

Pirated software<\/strong><\/h2>\n

Pirated software refers to legitimate software that has been intentionally modified to bypass licensing checks. This type of software can include backdoors or malware and is often distributed through unofficial channels or low-trust domains.<\/p>\n

How does it work?<\/strong> The infected software is installed on users’ devices, providing attackers with remote access and control over the compromised systems. This can lead to the installation of other types of malware, such as info stealers and ransomware.<\/p>\n

Why does it happen?<\/strong> Excessive trust in software sources and the lack of independent verification of updates are key factors that allow pirated software to spread. It’s essential to independently verify updates to ensure the security of your systems and prevent the infiltration of corporate and personal systems by attackers.<\/p>\n

\"\"<\/p>\n

Figure 9 \u2013 Pirated software example<\/strong><\/p>\n

Supply chain attacks<\/strong><\/h2>\n

Attackers compromise software suppliers or third-party service providers to insert malware into legitimate software updates, affecting multiple organizations simultaneously. This attack is dangerous because it can infiltrate internal systems through a trusted channel, as seen in the SolarWinds case<\/a>.<\/p>\n

How does it work?<\/strong> Attackers compromise software suppliers or third-party service providers to insert malware into legitimate updates distributed to multiple clients.<\/p>\n

Why does it happen?<\/strong> Organizations often trust the integrity of their suppliers and do not independently verify software updates. This creates a backdoor that attackers can exploit to infiltrate multiple systems simultaneously.<\/p>\n

\"\"<\/p>\n

Figure 10 \u2013 Supply chain attack example<\/strong><\/p>\n

 <\/p>\n

Exploitation of Internet of Things (IoT<\/a><\/strong>) Services<\/strong><\/h2>\n

Attackers exploit vulnerable IoT devices, add them to botnets<\/a>, and orchestrate various types of attacks, such as Distributed Denial of Service (DDoS<\/a>).<\/p>\n

How does it work?<\/strong> Attackers look for poorly configured IoT services and devices, using tools to brute-force entry with weak passwords or by exploiting specific vulnerabilities.<\/p>\n

Why does it happen?<\/strong> The massive adoption of remote work has increased the attack surface. Insecure configurations and the lack of multi-factor authentication in remote access services provide attackers a direct route to the organization’s internal systems.<\/p>\n

\"\"<\/p>\n

Figure 11 – Framework used at times to exploit IoT in Kali Linux<\/a><\/strong><\/p>\n

Social engineering<\/strong><\/h2>\n

Social engineering methods have evolved to become more sophisticated. They include phone calls, text messages, and fake profiles on social networks to deceive employees and obtain confidential information or access to systems. Attackers may impersonate suppliers or business partners to gain the victim’s trust.<\/p>\n

How does it work?<\/strong> Threat actors use social engineering techniques to deceive victims, including creating fake profiles on social networks, making fraudulent phone calls, and using other OSINT <\/a>(Open Source Intelligence) methods to obtain confidential information or system access.<\/p>\n

Why does it happen?<\/strong> Attackers exploit human psychology and trust in social interactions. The personalization and perceived authenticity of these attacks make them particularly effective.<\/p>\n

\"\"<\/p>\n

Figure 12 \u2013 Social engineering tools in Kali Linux<\/a><\/strong><\/p>\n

Insiders (Abuse of Trust)<\/strong><\/h2>\n

Abuse of trust refers to situations in wich an insider within an organization or system uses their position or privileged access to act harmfully. For example, an employee with access to confidential data might leak that information or intentionally deploy malware.<\/p>\n

How does it work?<\/strong> It can manifest in various ways:<\/p>\n