Major vulnerabilities used in ransomware attacks


Cybercriminals use ransomware, a type of malware, to disrupt their victims’ businesses. Important files are encrypted by ransomware into an unreadable state, and a ransom payment is required to decrypt them.

Ransom demands usually scale with the value of the encrypted data and the number of infected systems: the higher the stakes, the higher the price.

The most damaging ransomware trend of 2021 and 2022 was the supply chain attack. A breach of one vendor (typically a software or other technology provider) is used as a stepping stone for second-stage attacks on the businesses that depend on that vendor’s products.

Phishing emails, exploiting flaws in remote-administration or virtual private network (VPN) tools, brute-force attacks, and the use of stolen credentials are just a few of the intrusion vectors attackers use to get onto systems. Supply chain compromise is yet another way into a company.

Following initial access, threat actors gather information about victims’ infrastructure and move laterally across network systems, escalating privileges and establishing persistence mechanisms as necessary, cataloging crucial data to steal or encrypt, and depositing ransomware payloads for later execution.

In a double extortion attack, the attackers also steal sensitive data and use it as a second lever to raise the ransom demand. This weakens the victim’s position: even a victim that can restore the encrypted data from backups still faces the threat of the stolen data being leaked by the criminals.

The attackers then deploy and run the ransomware, which encrypts selected files on every system it can reach over the network. To maximise the number of files it can encrypt, ransomware typically kills database and security-software processes that would otherwise keep files locked or interfere with it. It also usually deletes Volume Shadow Copy backups so that files cannot be recovered locally. Some ransomware families reboot the compromised machine into Windows Safe Mode before encrypting, because many security products do not load there. After encryption, the victim is left a ransom note with instructions on how to pay and obtain a decryptor.
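The pre-encryption behaviours described above (shadow copy deletion, disabling recovery, forcing a Safe Mode boot, killing database and security processes) are among the most reliable things to alert on, because they happen minutes before encryption starts. The following is an added example, not code from the original post: a small triage script over process-creation events. The event layout (host | parent image | image | command line) is an assumption modelled on Sysmon Event ID 1 / Windows 4688 fields, and the events are constructed; the command patterns are the ones these ransomware families are documented to run.

```python
"""Flag the pre-encryption behaviours described above in process-creation telemetry:
shadow copy deletion, backup/recovery tampering, forcing a Safe Mode boot, and killing
database or security-software processes.

Added example, not code from the original post. The event format (host | parent image |
image | command line) is an assumption modelled on Sysmon Event ID 1 / Windows 4688
fields, and the events below are constructed."""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\.delete\(")),
    ("backup_catalog_deletion", "T1490", re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("recovery_disabled", "T1490", re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("safe_mode_boot", "T1562.009", re.compile(
        r"bcdedit(\.exe)?.*safeboot\s+(minimal|network)")),
    ("service_or_process_kill", "T1489", re.compile(
        r"(taskkill(\.exe)?.*/im\s+|net(\.exe)?\s+stop\s+|sc(\.exe)?\s+stop\s+)[\"']?"
        r"(sqlservr|sqlwriter|mysqld|oracle|postgres|mssql\w*|msexchange\w*|veeam\w*|"
        r"msmpeng|windefend|sense|mcshield|ekrn|sophos\w*)")),
]

def parse_events(lines):
    """Parse 'host | parent image | image | command line' records; '#' lines are comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, parent, image, cmd = (part.strip() for part in line.split("|", 3))
        yield {"host": host, "parent": parent, "image": image, "cmd": cmd}

def match_rules(cmd):
    """Return the (rule name, technique) pairs whose pattern matches this command line."""
    low = cmd.lower()
    return [(name, tid) for name, tid, rx in RULES if rx.search(low)]

def triage(lines):
    """Group hits per host and give a verdict.

    One vssadmin call may be an administrator reclaiming disk space; two or more distinct
    behaviours from the same host is the staging pattern ransomware shows right before it
    starts encrypting."""
    per_host = defaultdict(lambda: {"hits": [], "rules": set()})
    for ev in parse_events(lines):
        for name, tid in match_rules(ev["cmd"]):
            per_host[ev["host"]]["hits"].append({"rule": name, "technique": tid,
                                                 "parent": ev["parent"], "cmd": ev["cmd"]})
            per_host[ev["host"]]["rules"].add(name)
    for host in per_host.values():
        host["verdict"] = "likely_ransomware_staging" if len(host["rules"]) >= 2 else "review"
    return dict(per_host)

# Constructed sample telemetry: an unsigned binary in Temp preparing FS01 for encryption,
# a lone taskkill on DB02, and benign activity on WS17 and BK03.
SAMPLE_EVENTS = r"""
# host | parent image | image | command line
FS01 | C:\Windows\Temp\svchost32.exe | C:\Windows\System32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
FS01 | C:\Windows\Temp\svchost32.exe | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled No
FS01 | C:\Windows\Temp\svchost32.exe | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} safeboot network
FS01 | C:\Windows\Temp\svchost32.exe | C:\Windows\System32\net.exe | net stop MSSQLSERVER /y
DB02 | C:\Windows\Temp\svchost32.exe | C:\Windows\System32\taskkill.exe | taskkill /F /IM sqlservr.exe
WS17 | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe C:\Users\alice\notes.txt
BK03 | C:\Windows\System32\cmd.exe | C:\Windows\System32\vssadmin.exe | vssadmin list shadows
""".splitlines()

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {result['verdict']} ({len(result['hits'])} hits)")
        for hit in result["hits"]:
            print(f"  [{hit['technique']}] {hit['rule']}: {hit['cmd']}")
```

The verdict deliberately requires two distinct behaviours on one host: a single `vssadmin delete shadows` is common enough in backup maintenance to be noise, but shadow copy deletion followed by `bcdedit` changes or a database service stop from the same parent process is almost never legitimate, and at that point the host should be isolated rather than ticketed.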

This post will explore some of the major vulnerabilities used for ransomware attacks.

ProxyLogon vulnerabilities

The BlackKingdom and DearCry ransomware families chained the four ProxyLogon exploits to get into Microsoft Exchange servers, steal email, install additional backdoors and then encrypt their victims’ networks. The four ProxyLogon vulnerabilities are CVE-2021-26855, a server-side request forgery (SSRF) in Exchange; CVE-2021-26857, an insecure deserialization flaw in the Unified Messaging service; and CVE-2021-26858 and CVE-2021-27065, two post-authentication arbitrary file write vulnerabilities. Microsoft fixed all four in March 2021.

A typical attack chain that gives remote code execution over an exposed port 443 looks like this: the attacker uses CVE-2021-26855 to bypass Exchange authentication and impersonate a user, by sending a crafted POST request to a resource that the server serves without authentication (for example a static file under the OWA or ECP directories). With that foothold, the attacker uses CVE-2021-26858 or CVE-2021-27065 through the Exchange Control Panel (ECP) to write an arbitrary file anywhere on the server. Writing a web shell into a web-served directory in this way gives the attacker remote code execution on the Exchange server.

ProxyShell exchange vulnerability

Conti ransomware uses the ProxyShell vulnerabilities in Microsoft Exchange Server to enter victims’ networks. ProxyShell is a chain of three flaws: CVE-2021-34473, a remote code execution vulnerability; CVE-2021-34523, an elevation of privilege vulnerability; and CVE-2021-31207, a security feature bypass. Microsoft patched them in its April and May 2021 Exchange updates, but Conti still targets servers that were never updated to run remote code. Breakdowns of BlackByte, AvosLocker, and Hive intrusions show the same vulnerabilities in their infection chains, and the LockFile ransomware also targeted them during its distribution.
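Both Exchange chains above leave characteristic entries in the IIS logs of the Exchange front end, which is the first place to look when a server was exposed before it was patched. The script below is an added example, not code from the original post or from Microsoft, covering the ProxyLogon section and this ProxyShell section together. It assumes the default IIS W3C field set (read from the `#Fields:` header, so other layouts also work) and encodes the published indicators: ProxyLogon’s unauthenticated POSTs to static resources, web shells under `/aspnet_client/` or `/owa/auth/`, and ProxyShell’s `autodiscover.json` requests carrying an `@` in the URI. The allowlist of legitimate `.aspx` pages under `/owa/auth/` and the sample log lines are the script’s own constructions.

```python
"""Triage IIS W3C logs from an Exchange front end for the ProxyLogon and ProxyShell
request patterns described in the two sections above.

Added example, not code from the original post or from Microsoft. It assumes the default
IIS field set (read from the #Fields: header) and encodes the published indicators:
ProxyLogon's unauthenticated POSTs to static resources, web shells under /aspnet_client/
or /owa/auth/, and ProxyShell's autodiscover.json requests with an '@' in the URI.
The log below is constructed sample data."""
from urllib.parse import unquote

STATIC_EXT = (".js", ".css", ".png", ".gif", ".jpg", ".ico", ".ttf", ".woff", ".svg")
# Assumed allowlist of .aspx pages Exchange itself serves from /owa/auth/; extend it for
# your version. Any other .aspx there is a dropped file.
LEGIT_OWA_AUTH_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "expiredpassword.aspx"}

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the most recent #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # truncated line; skip it rather than misalign every column
        yield dict(zip(fields, parts))

def classify(req):
    """Return the indicator names this request matches (empty list = nothing suspicious)."""
    hits = []
    method = req["cs-method"].upper()
    stem = req["cs-uri-stem"].lower()
    query = unquote(req["cs-uri-query"]).lower()
    unauthenticated = req["cs-username"] == "-"
    # CVE-2021-26855: the SSRF is reached with a POST to a resource the server hands out
    # without authentication. Real clients only ever GET these static files.
    if (method == "POST" and unauthenticated and stem.endswith(STATIC_EXT)
            and stem.startswith(("/owa/auth/", "/ecp/"))):
        hits.append("proxylogon_ssrf_post")
    # CVE-2021-26858/27065 and ProxyShell both end with an .aspx shell written under the web root.
    page = stem.rsplit("/", 1)[-1]
    if stem.endswith(".aspx") and (stem.startswith("/aspnet_client/") or
                                   (stem.startswith("/owa/auth/") and page not in LEGIT_OWA_AUTH_ASPX)):
        hits.append("webshell_request")
    # CVE-2021-34473: the explicit-logon path confusion puts "@" in the autodiscover.json
    # request; IIS logs the part after "?" as the query string.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in stem + query:
        hits.append("proxyshell_autodiscover")
        if "/powershell" in query:  # CVE-2021-34523: reaching the PowerShell backend through it
            hits.append("proxyshell_powershell_backend")
    return hits

def triage(text):
    """Group matches by client address so each attacker's request chain reads in order."""
    by_client = {}
    for req in parse_iis(text):
        hits = classify(req)
        if hits:
            by_client.setdefault(req["c-ip"], []).append(
                (req["date"] + " " + req["time"], req["cs-method"], req["cs-uri-stem"], hits))
    return by_client

# Constructed sample log: a ProxyLogon chain from 203.0.113.7, a ProxyShell chain from
# 198.51.100.23, and an ordinary OWA login from 192.0.2.14 that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 08:12:01 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 144
2021-03-03 08:12:02 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 97
2021-03-03 08:12:05 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2021-03-03 09:00:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa%2f 443 - 192.0.2.14 Mozilla/5.0 - 200 0 0 12
2021-03-03 09:00:01 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 192.0.2.14 Mozilla/5.0 - 200 0 0 5
2021-03-03 09:00:30 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.14 Mozilla/5.0 - 302 0 0 40
2021-08-21 22:40:10 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 51
2021-08-21 22:40:12 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/ 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 1203
"""

if __name__ == "__main__":
    for client, requests in triage(SAMPLE_LOG).items():
        print(client)
        for when, method, stem, hits in requests:
            print(f"  {when} {method} {stem} -> {', '.join(hits)}")
```

Two caveats when running this over real logs: the ProxyLogon SSRF rule keys on the HTTP method, so a GET of the same CSS file by a browser is correctly ignored, and a hit on `webshell_request` means the shell was already being used, so the next step is a file-system sweep of the web root for `.aspx` files with recent timestamps, not just patching.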

PrintNightmare

Ransomware operators also use the PrintNightmare vulnerabilities to attack Windows systems. PrintNightmare covers CVE-2021-34527, a remote code execution flaw, and CVE-2021-34481, an elevation of privilege flaw, both in the Windows Print Spooler service. The spooler performs privileged file operations improperly, so an attacker can make it load an attacker-supplied printer driver and run code as SYSTEM, remotely in the case of CVE-2021-34527.

The Point and Print feature on Windows lets non-privileged users install or update printer drivers from a remote print server, which is what the exploits abuse. Microsoft issued updates for PrintNightmare in July and August 2021; the August update also changed the Point and Print default so that only administrators can install drivers. In one attack the PrintNightmare flaws were used to drop Vice Society ransomware, and a separate campaign used them to deliver Magniber ransomware.
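Because the August 2021 fix works by changing defaults that administrators can override, patch status alone does not tell you whether a host is exposed; the registry values have to be checked. The following is an added example, not code from the original post or from Microsoft: it parses the `.reg` export format written by `reg.exe` and regedit and assesses the Print Spooler and Point and Print settings against the hardening described above. The value names and their meanings are those in Microsoft’s CVE-2021-34527 guidance; treating the remote-RPC-endpoint policy as a server-only check, and the two registry fragments themselves, are this script’s own constructions.

```python
"""Check an exported registry fragment against the PrintNightmare hardening described
above: Print Spooler disabled where it is not needed, Point and Print driver installs
restricted to administrators, and no silent driver installs.

Added example, not code from the original post or from Microsoft. It parses the .reg
export format written by reg.exe and regedit; the two fragments below are constructed.
The value names and meanings are those in Microsoft's CVE-2021-34527 guidance; treating
the remote-RPC-endpoint policy as a server-only check is this script's own assumption."""

POINT_AND_PRINT = r"hkey_local_machine\software\policies\microsoft\windows nt\printers\pointandprint"
PRINTERS_POLICY = r"hkey_local_machine\software\policies\microsoft\windows nt\printers"
SPOOLER_SERVICE = r"hkey_local_machine\system\currentcontrolset\services\spooler"

def parse_reg(text):
    """Parse a .reg export into {key: {value name: value}} with keys and names lower-cased.
    dword values become ints, quoted strings lose their quotes, other types stay as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if value.startswith("dword:"):
            current[name] = int(value[6:], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            current[name] = value[1:-1]
        else:
            current[name] = value
    return keys

def assess(reg_text, role):
    """Return (severity, finding) pairs for a host whose role is 'dc', 'server' or 'workstation'."""
    reg = parse_reg(reg_text)
    spooler_start = reg.get(SPOOLER_SERVICE, {}).get("start")
    pnp = reg.get(POINT_AND_PRINT, {})
    printers = reg.get(PRINTERS_POLICY, {})
    findings = []
    # Start=4 is Disabled. Domain controllers and most servers never spool print jobs, and a
    # stopped spooler removes both the RCE and the LPE surface in one step.
    if role in ("dc", "server") and spooler_start != 4:
        findings.append(("high", f"Print Spooler not disabled on a {role} (Start={spooler_start})"))
    # NoWarningNoElevationOnInstall=1 or UpdatePromptSettings!=0 lets a standard user install an
    # attacker-supplied driver without any prompt; Microsoft calls that "vulnerable by design".
    if pnp.get("nowarningnoelevationoninstall", 0) != 0:
        findings.append(("high", "NoWarningNoElevationOnInstall is set (silent driver install)"))
    if pnp.get("updatepromptsettings", 0) != 0:
        findings.append(("high", "UpdatePromptSettings is set (driver updates without elevation)"))
    # Since the August 2021 update the default is 1 (administrators only); 0 re-opens the hole.
    if pnp.get("restrictdriverinstallationtoadministrators", 1) != 1:
        findings.append(("high", "RestrictDriverInstallationToAdministrators=0 (non-admins may install drivers)"))
    # Servers that must keep a local spooler can still refuse remote clients: the policy
    # "Allow Print Spooler to accept client connections" = Disabled writes this value as 2.
    if role in ("dc", "server") and spooler_start != 4 and printers.get("registerspoolerremoterpcendpoint") != 2:
        findings.append(("medium", "Spooler still accepts remote RPC client connections"))
    return findings

# Constructed fragments: the weak settings an exploit relies on, and the corrected ones.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
"RestrictDriverInstallationToAdministrators"=dword:00000000
"""

HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers]
"RegisterSpoolerRemoteRpcEndPoint"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000000
"UpdatePromptSettings"=dword:00000000
"RestrictDriverInstallationToAdministrators"=dword:00000001
"""

if __name__ == "__main__":
    for label, fragment in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        findings = assess(fragment, "server")
        print(f"{label}: {len(findings)} finding(s)")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The weak fragment is exactly the state an intrusion needs: a running spooler on a server plus `NoWarningNoElevationOnInstall=1`, which is the setting Microsoft’s advisory describes as vulnerable by design regardless of patch level. Exporting the two keys from each host with `reg export` and feeding the files through `assess` gives a fleet-wide view without needing a remote registry session.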

SonicWall SMA 100

In January 2021 SonicWall confirmed a SQL injection vulnerability (CVE-2021-20016) in its Secure Mobile Access (SMA) 100 series appliances: using unauthenticated, specially crafted requests, attackers could obtain login credentials and session information and compromise vulnerable devices. SonicWall patched it in February 2021. The flaw came to light because the UNC2447 threat group had been using it as a zero-day. After entering a targeted network through the appliance, the group dropped the SOMBRAT backdoor along with tools such as Cobalt Strike beacons, AdFind, BloodHound, Mimikatz, PC Hunter, and Rclone to establish a foothold, conduct reconnaissance, and exfiltrate data. At the end of the intrusion UNC2447 deployed and ran the FIVEHANDS double extortion ransomware to encrypt the systems’ data, then extorted the victim by threatening to publish the stolen data on hacker forums.

QNAP NAS device

A new variant of the eCh0raix ransomware targeted both QNAP (Quality Network Appliance Provider) network-attached storage (NAS) devices and Synology NAS devices. On QNAP devices the attack chain exploited CVE-2021-28799, an improper authorization vulnerability in HBS 3 (Hybrid Backup Sync) that allows an attacker to log in to the device remotely.