[BreachExchange] Researchers compile list of vulnerabilities abused by ransomware gangs

[Sophia Kingsbury]

https://www.bleepingcomputer.com/news/security/researchers-compile-list-of-vulnerabilities-abused-by-ransomware-gangs/

Security researchers are compiling an easy-to-follow list of
vulnerabilities ransomware gangs and their affiliates are using as initial
access to breach victims' networks.

All this started with a call to action made by Allan Liska, a member of
Recorded Future's CSIRT (computer security incident response team), on
Twitter over the weekend.

Since then, with the help of several other contributors that joined his
efforts, the list quickly grew to include security flaws found in products
from over a dozen different software and hardware vendors.

While these bugs have been or still are exploited by one ransomware group
or another in past and ongoing attacks, the list has also been expanded to
include actively exploited flaws, as security researcher Pancak3 explained.

The list comes in the form of a diagram providing defenders with a starting
point for shielding their network infrastructure from incoming ransomware
attacks.

Vulnerabilities targeted by ransomware groups in 2021

This year alone, ransomware groups and affiliates have added multiple
exploits to their arsenal, targeting actively exploited vulnerabilities.

For instance, this week, an undisclosed number of ransomware-as-a-service
affiliates have started using RCE exploits targeting the recently patched
Windows MSHTML vulnerability (CVE-2021-40444).

In early September, Conti ransomware also began targeting Microsoft
Exchange servers, breaching enterprise networks using ProxyShell
vulnerability exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

In August, LockFile started leveraging the PetitPotam NTLM relay attack
method (CVE-2021-36942) to take over the Windows domain worldwide, Magniber
jumped on the PrintNightmare exploitation train (CVE-2021-34527), and
eCh0raix was spotted targeting both QNAP and Synology NAS devices
(CVE-2021-28799).

HelloKitty ransomware targeted vulnerable SonicWall devices (CVE-2019-7481)
in July, while REvil breached Kaseya's network (CVE-2021-30116,
CVE-2021-30119, and CVE-2021-30120) and hit roughly 60 MSPs using
on-premise VSA servers and 1,500 downstream business customers [1, 2, 3].

FiveHands ransomware was busy exploiting the CVE-2021-20016 SonicWall
vulnerability before being patched in late February 2021, as Mandiant
reported in June.

QNAP also warned of AgeLocker ransomware attacks on NAS devices using an
undisclosed flaw in outdated firmware in April, just as a massive Qlocker
ransomware campaign targeted QNAP devices unpatched against a hard-coded
credentials vulnerability (CVE-2021-28799).

The same month, Cring ransomware started encrypting unpatched Fortinet VPN
devices (CVE-2018-13379) on industrial sector companies' networks after a
joint FBI and CISA warning that threat actors were scanning for vulnerable
Fortinet appliances.

In March, Microsoft Exchange servers worldwide were hit by Black Kingdom
[1, 2] and DearCry ransomware as part of a massive wave of attacks directed
at systems unpatched against ProxyLogon vulnerabilities (CVE-2021-26855,
CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

Last but not least, Clop ransomware attacks against Accellion servers
(CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) that took
place between mid-December 2020 and continued in January 2021 drove up the
average ransom price for the first three months of the year.

Fight against an escalating ransomware threat

Liska's and his contributors' exercise adds to an ongoing effort to fend
off ransomware attacks that have plagued worldwide public and private
sector organizations for years.

Last month, CISA was joined by Microsoft, Google Cloud, Amazon Web
Services, AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks,
and Verizon as part of the Joint Cyber Defense Collaborative (JCDC)
partnership focused on defending critical infrastructure from ransomware
and other cyber threats.

The federal agency also released a new ransomware self-assessment security
audit tool in June designed to help at-risk organizations understand if
they're equipped to defend against and recover from ransomware attacks
targeting information technology (IT), operational technology (OT), or
industrial control system (ICS) assets.

CISA provides a Ransomware Response Checklist for organizations that have
been hit by a ransomware attack, advice on how to protect against
ransomware, and answers to frequently asked questions about ransomware.

The New Zealand Computer Emergency Response Team (CERT NZ) has also
recently published a guide on ransomware protection for businesses.

CERT NZ's guide outlines ransomware attack pathways and illustrates what
security controls can be set up to protect from or stop an attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210920/a5200496/attachment.html>