BACKGROUND:

A new report, Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, from Coveware's Quarterly Ransomware Report, notes: "Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data." The report finds that 77% of attacks now include a threat to leak sensitive data such as financial or healthcare records. Experts from Byos, Veridium, and YouAttest offer their thoughts.

3 Expert Comments
Matias Katz, CEO
InfoSec Expert
April 29, 2021 2:44 pm

RDP is a great technology, but because of its power, attackers have been leveraging it heavily as an entry point into corporate networks for attacks such as ransomware. While the issue at the surface looks to be with RDP itself, it's actually about how networks are architected: flat networks with minimal segmentation and those that focus on perimeter-based security will always be victims of these types of attacks.

Networks have since evolved to become hyper-connected with a proliferation of different types of devices, which demands a new approach to securing them. Edge micro-segmentation is a new concept where, instead of having networks broken down into a few large segments, they are filled with endpoints that are each on their own protected "micro-segment," and security is applied to the traffic as it enters and exits this micro-segment. This means that there is no exposure of any endpoint within the network, and even if one endpoint does become infected, it won't be able to spread laterally because of the layer of isolation that the micro-segment provides to each endpoint.

How does this relate to RDP? The layer of abstraction created by the micro-segment means that RDP services will no longer be directly visible on the network, only to the people with access inside the micro-segment.

The primary difference is that with edge micro-segmentation, all access requests are initiated by the micro-segment already inside the network, so there are no inbound connections to be initiated by the attackers. Administrators can still access their endpoints remotely, but only by specified ports and protocols, without breaking the isolation in the local network.

In order to compromise the micro-segmented endpoint, an attacker would have to first find a way into the endpoint, then they would have to find a way of communicating back to their C2 without the micro-segment being able to pick up on that traffic.

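Katz's point is that RDP is the entry vector only because a flat network leaves it reachable, and that the damage comes from the lateral spread that follows. Whatever the segmentation design, defenders also want to see both stages in their logs. The following is an added example, not code from the original page or from Byos: a small Go detector run over constructed Windows Security log lines (Event ID 4624/4625 with logon type 10, RemoteInteractive) that flags a password-guessing run ending in a successful RDP logon, and an account that then opens RDP sessions on several hosts, which is exactly the movement a per-endpoint micro-segment is meant to stop. The pipe-delimited line format, host names, addresses, thresholds and rule names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// RDPEvent is a Windows Security record: EventID 4624 = success, 4625 = failure; LogonType 10 = RDP.
type RDPEvent struct {
	Host, User, SrcIP  string // Host is the machine that wrote the record, i.e. the RDP target
	EventID, LogonType int
}

// Finding is one alert produced by Analyze.
type Finding struct {
	Rule string // "rdp-bruteforce-then-success" or "rdp-lateral-fanout"
	Key  string // offending source IP or account
	Note string
}

// ParseLog reads "host|eventid|logontype|user|srcip" lines. The pipe layout is
// an assumption made for this example, standing in for a SIEM export.
func ParseLog(log string) ([]RDPEvent, error) {
	var evs []RDPEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("want 5 fields: %q", line)
		}
		id, err1 := strconv.Atoi(f[1])
		lt, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad numeric field: %q", line)
		}
		evs = append(evs, RDPEvent{Host: f[0], EventID: id, LogonType: lt, User: f[3], SrcIP: f[4]})
	}
	return evs, nil
}

// Analyze runs two rules over RDP (LogonType 10) records in log order: a source
// IP that fails at least failThreshold times against a host and then succeeds
// there, and an account that reaches at least fanoutThreshold distinct hosts.
func Analyze(events []RDPEvent, failThreshold, fanoutThreshold int) []Finding {
	var out []Finding
	fails := map[string]int{}             // "srcip|host" -> failures since the last success
	hosts := map[string]map[string]bool{} // user -> set of hosts reached over RDP
	for _, e := range events {
		if e.LogonType != 10 {
			continue // console, network and service logons are not RDP
		}
		key := e.SrcIP + "|" + e.Host
		switch e.EventID {
		case 4625:
			fails[key]++
		case 4624:
			if n := fails[key]; n >= failThreshold {
				out = append(out, Finding{"rdp-bruteforce-then-success", e.SrcIP, fmt.Sprintf("%d failures then success as %s on %s", n, e.User, e.Host)})
			}
			delete(fails, key) // a success ends the failure run
			if hosts[e.User] == nil {
				hosts[e.User] = map[string]bool{}
			}
			hosts[e.User][e.Host] = true
		}
	}
	for u, set := range hosts {
		if len(set) >= fanoutThreshold {
			out = append(out, Finding{"rdp-lateral-fanout", u, fmt.Sprintf("RDP sessions on %d distinct hosts", len(set))})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Rule+out[i].Key < out[j].Rule+out[j].Key }) // map order is random
	return out
}

// SampleLog is constructed for this example: three guesses from an external
// address that land on a jump host, then the same account hopping to other
// machines from inside. alice's console logon and bob's one typo must not fire.
const SampleLog = `JUMP01|4625|10|svc_backup|203.0.113.5
JUMP01|4625|10|svc_backup|203.0.113.5
JUMP01|4625|10|svc_backup|203.0.113.5
JUMP01|4624|10|svc_backup|203.0.113.5
WS07|4624|2|alice|-
FS01|4624|10|svc_backup|10.0.0.5
DC01|4624|10|svc_backup|10.0.0.5
WS12|4625|10|bob|10.0.0.40
WS12|4624|10|bob|10.0.0.40`

func main() {
	evs, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(evs, 3, 3) {
		fmt.Printf("%-28s %-12s %s\n", f.Rule, f.Key, f.Note)
	}
}
```

Two findings come out of the sample: the external address that guessed its way onto JUMP01, and svc_backup reaching three hosts afterwards. The failure counter is keyed on source and target together and reset by a success, so one user mistyping a password once, or a noisy scanner that never gets in, does not trip the first rule; the second rule is the one that fires even when the initial entry was never observed, which is the common case when the jump host sits outside the logging scope.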
Rajiv Pimplaskar
InfoSec Expert
April 29, 2021 2:46 pm

These findings highlight the growing danger of ransomware extortion as a key cybersecurity threat. Ransomware attacks have increased by over 72% during the past year. The abrupt shift to remote work since the COVID-19 pandemic has resulted in a rise in the use of home computers, several of which were already infected for some time. Threat actors use keyloggers and other means to steal or guess usernames and passwords in an attempt to spoof the system into admitting them as a genuine user. Virtual Private Networks (VPNs) cannot offer protection against such attacks. Prevention is a lot easier than cure, and companies and users should look to embrace password-less authentication methods such as "phone as a token" and/or FIDO2 security keys. These methods eliminate the potential of credential theft and improve security. Also, ransomware attacks tend to seek lateral movement in search of Personally Identifiable Information (PII). Eliminating passwords makes this much harder and enables faster recovery from such incidents. Finally, end-users are also happier as these solutions have less friction and are easier to use.

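Pimplaskar's argument rests on a property worth seeing in code: a FIDO2 credential is never typed, so a keylogger captures nothing, and what the authenticator sends is a signature over a one-time challenge bound to the site's origin, so a captured response cannot be replayed. The following is an added example, not code from the original page or from Veridium: a Go sketch of the WebAuthn assertion check a relying party performs, with a stand-in authenticator so the exchange runs offline. The RP ID, origin, challenge bytes and the Authenticator type are assumptions made for the example; the authenticatorData layout, the signed message and the order of checks follow the WebAuthn specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const RPID, Origin = "login.example.com", "https://login.example.com" // relying party, assumed for this example

// Credential is all the server keeps after registration; there is no password hash to steal.
type Credential struct {
	Pub       *ecdsa.PublicKey
	SignCount uint32 // last signature counter accepted
}
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4, big-endian)
	ClientDataJSON []byte // {"type":"webauthn.get","challenge":...,"origin":...}
	Sig            []byte // DER ECDSA-P256/SHA-256 over AuthData || SHA-256(ClientDataJSON)
}
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

// Authenticator stands in for a FIDO2 key so the exchange runs offline; a real key keeps Priv in hardware.
type Authenticator struct {
	Priv  *ecdsa.PrivateKey
	count uint32
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{Priv: k}, err
}
func rpIDHash(rpID string) []byte { h := sha256.Sum256([]byte(rpID)); return h[:] }

// signedMessage is SHA-256(authData || SHA-256(clientDataJSON)), the value WebAuthn has the key sign.
func signedMessage(auth, cd []byte) []byte {
	ch := sha256.Sum256(cd)
	h := sha256.Sum256(append(append([]byte{}, auth...), ch[:]...))
	return h[:]
}

// Sign builds authenticatorData and clientDataJSON for the origin the browser reports, bumps the counter and signs both.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (Assertion, error) {
	a.count++
	auth := append(rpIDHash(rpID), 0x01, 0, 0, 0, 0) // flags byte: UP (user present) set
	binary.BigEndian.PutUint32(auth[33:], a.count)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin, // marshalling plain strings cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	sig, err := ecdsa.SignASN1(rand.Reader, a.Priv, signedMessage(auth, cd))
	return Assertion{AuthData: auth, ClientDataJSON: cd, Sig: sig}, err
}

// Verify is the relying-party side: the response must answer the challenge we issued, from our origin, for our
// RP ID, with user presence, a valid signature over all of it and a counter that moved forward.
func Verify(cred *Credential, issued []byte, a Assertion) error {
	var cd clientData
	switch { // cases are tried in order, so the length check guards the slicing below it
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return errors.New("malformed clientDataJSON or wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(issued):
		return errors.New("challenge mismatch (stale or replayed response)")
	case cd.Origin != Origin:
		return errors.New("origin mismatch (response was signed for a phishing page)")
	case len(a.AuthData) < 37:
		return errors.New("authenticatorData too short")
	case !bytes.Equal(a.AuthData[:32], rpIDHash(RPID)):
		return errors.New("rpIdHash mismatch")
	case a.AuthData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(cred.Pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig):
		return errors.New("bad signature")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase (replay or cloned key)")
	}
	cred.SignCount = count
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	cred := &Credential{Pub: &auth.Priv.PublicKey}
	c := []byte("constructed-challenge-1") // a real server draws 32 random bytes per attempt
	a, _ := auth.Sign(RPID, Origin, c)
	fmt.Println("login:", Verify(cred, c, a), "| replay:", Verify(cred, c, a))
}
```

The same response presented twice fails on the counter, a response to an earlier challenge fails on the challenge, and a response the browser signed for a look-alike origin fails on the origin before the signature is even checked, which is what makes the credential unphishable rather than merely hard to guess. One caveat for a production relying party: authenticators that do not implement a counter report 0 on every assertion, and the spec lets the server accept that when the stored value is also 0; this example insists on a strictly increasing counter.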
Garret F. Grajek
InfoSec Expert
April 29, 2021 2:48 pm

Ransomware is just the same distribution of malware as many other attack types, utilizing the same attack mechanism and most of the same vulnerabilities, but with a different payload. The payload is an executable that usually encrypts the desired data and then plants a "ransom" message to the enterprise with a promise to unencrypt the data for a monetary exchange, usually in some form of cryptocurrency. One variant is where the data is not encrypted, but snippets are sent to prove the hacker has stolen the data and will make it public if money is not sent. That snippet typically contains sensitive PII or PHI to up the ante.

The important fact is that the hack itself, the scanning, the enumeration, the vulnerability assessment, the escalation of privileges and the lateral movement across the enterprise all follow the classic Cyber Kill Chain steps. As enterprises defending against these attacks, we must adhere to practices and procedures that are known to mitigate these attempts.

A key is to stop credential stealing and privilege escalation of stolen credentials. Privilege escalation allows the hacker to obtain access to more network and data segments, and to execute the commands to communicate back to their C2s for exfiltration of data or downloading of the ransomware payload.

Knowing who has access to what and at what privilege level is paramount for the enterprise.

Information Security Buzz