Ransomware Special Reports


Special Report

Working from home has also exacerbated the number of ransomware attacks, in part thanks to the rise in use of external remote services. According to Ioan Peters, managing director and co-leader EMEA of Cyber Risk at security services firm Kroll, in Q2 of 2022 there was a 700% increase in the use of external remote services for initial access by attackers. Keegan Keplinger at eSentire's Threat Response Unit notes that stolen Virtual Private Network (VPN), Remote Desktop Protocol (RDP) and AD credentials are now extremely popular ways for cybercriminals to gain access to a victim's IT environment.

Hugh Raynor, cloud security lead at Surecloud, adds that firms are open to danger when, deliberately or otherwise, they expose their remote desktop protocol services to the internet to enable connectivity. "Attackers conduct massive scans of the internet looking for the ports associated with these RDP servers," he warns, "and once they find one, they will send thousands of login attempts to these devices using arbitrary username and password combinations that they have collated from breaches, or had success with before."

KnowBe4's Grimes adds that the biggest surprise for him has been the abuse of unpatched VPN software, both server and client side: "...the very thing that companies were told they needed to keep them safe is now being used against them."

Patch-and-mouse

Another entry point for attackers which ransomware authors are keen to cash in on is security flaws in software, with many releasing malware and zero-day attacks to exploit software vulnerabilities before vendors and defenders have had a chance to react. Cyril Noel Tagoe, Netacea's principal security researcher, claims that often with zero-day attacks, criminals will reverse engineer critical security updates to identify the vulnerability being patched and exploit unpatched machines. "Many organisations are slow to apply these patches, giving the ransomware authors a decent window of opportunity for exploitation," he explains.

Recent vulnerabilities have been reported in Atlassian's developer tool Confluence; SonicWall's legacy firmware product; Microsoft Exchange; the file-transfer appliance Accellion; and VMware's ESXi servers. Jamie Smith, director and head of cyber security at S-RM, adds that he's still seeing well-known vulnerabilities such as Log4Shell (a flaw in the popular Java logging framework Log4j) and ProxyShell (an attack chain that exploits three known vulnerabilities in Microsoft Exchange) being actively exploited. "This indicates that opportunistic threat actors are targeting organisations with gaps in their vulnerability and patch management processes," he adds.

Another reported cyber security concern is the use of macros to automate common tasks in Microsoft Office, such as spreadsheets or invoices. In industries such as finance, banking, insurance and retail, being able to control spreadsheets with macros is useful, but because it is essentially code, it is something that cyber criminals are taking advantage of. Macro malware (usually delivered via a phishing or spear-phishing email or a malicious Zip which the user unwittingly clicks on) hides inside Microsoft Office files. "Because MS software such as Word and Excel go back many generations the Microsoft suite is vulnerable – and nine out of 10 targets are likely to have this software installed," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "A Word or Excel doc might target someone in sales but in engineering you might plant code in a PowerShell to execute a code which includes ransomware," he adds.

While it appears that a lot of legacy Microsoft products are to blame for the recent spate of zero-day attacks, Qualys UK CTSO Paul Baird believes that the onus should be on firms to update software and keep an asset list. "It's very easy to point the finger at Microsoft, but any software with the right vulnerabilities could potentially allow cyber criminals access to your corporate network. It could be an Apache web server, Microsoft Exchange server or an obscure FTP server most people have never heard of," he says. "Companies must know all the software that they have, and how up to date that software is. With this asset list in place and continuously updated, teams can be sure that they are protected against all potential threats," he adds.

Baird's point hammers home that knowing yourself (your own organisation's vulnerabilities and
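As an added illustration of the RDP credential-stuffing pattern Raynor describes (example code written for this page, not from the report or any of the firms quoted): a small detector over constructed Windows Security Event 4625 (failed logon) records that flags any source sending many failed RDP logons inside a short window. The threshold, window, JSON field layout and sample IP addresses are assumptions.

```python
"""Flag RDP brute-force / password-spray bursts in Windows Security logs.

Constructed sample below: Event ID 4625 is a failed logon; LogonType 10 is
RemoteInteractive, i.e. an RDP session. Threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=2)  # ... inside any span this long triggers an alert
RDP_LOGON_TYPE = 10

# Constructed log lines: one source spraying several accounts, one user mistyping once.
SAMPLE_LOG = """
{"EventID":4625,"TimeCreated":"2022-07-01T09:00:01Z","LogonType":10,"TargetUserName":"admin","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2022-07-01T09:00:03Z","LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2022-07-01T09:00:04Z","LogonType":10,"TargetUserName":"root","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2022-07-01T09:00:06Z","LogonType":10,"TargetUserName":"guest","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2022-07-01T09:00:08Z","LogonType":10,"TargetUserName":"backup","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2022-07-01T09:01:10Z","LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.0.5"}
{"EventID":4624,"TimeCreated":"2022-07-01T09:01:20Z","LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.0.5"}
"""


def parse_events(raw):
    """Yield one dict per non-empty JSON line, with TimeCreated parsed to a datetime."""
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
        yield ev


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: sorted usernames tried} for every source with at least
    `threshold` failed RDP logons inside some `window`-long sliding span."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625 and ev["LogonType"] == RDP_LOGON_TYPE:
            per_ip[ev["IpAddress"]].append((ev["TimeCreated"], ev["TargetUserName"]))
    alerts = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({user for _, user in attempts})
                break
    return alerts


if __name__ == "__main__":
    for ip, users in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {len(users)} accounts tried: {users}")
```

Real deployments would feed this from a SIEM query rather than a string, and pair the alert with the mitigation Raynor's point implies: not exposing RDP to the internet at all.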

