Ransomware attackers discovering new methods to weaponize outdated vulnerabilities

Ransomware attackers are discovering new methods to use organizations’ safety weaknesses by weaponizing outdated vulnerabilities.

Combining long-standing ransomware assault instruments with the newest AI and machine learning applied sciences, organized crime syndicates and advanced persistent threat (APT) teams continue to out-innovate enterprises.

A brand new report from Cyber Security Works (CSW), Ivanti, Cyware and Securin reveals ransomware’s devastating toll on organizations globally in 2022. And 76% of the vulnerabilities presently being exploited by ransomware teams have been first found between 2010 and 2019.

Ransomware topping agenda for CISOs, world leaders alike

The 2023 Spotlight Report titled “Ransomware By the Lens of Risk and Vulnerability Administration” recognized 56 new vulnerabilities related to ransomware threats in 2022, reaching a complete of 344 — a 19% enhance over the 288 that had been found as of 2021. It additionally discovered that out of 264 outdated vulnerabilities, 208 have exploits which are publicly obtainable. 

There are 160,344 vulnerabilities listed within the Nationwide Vulnerability Database (NVD), of which 3.3% (5,330) belong to probably the most harmful exploit sorts — distant code execution (RCE) and privilege escalation (PE). Of the 5,330 weaponized vulnerabilities, 344 are related to 217 ransomware households and 50 superior persistent menace (APT) teams, making them extraordinarily harmful.

“Ransomware is high of thoughts for each group, whether or not within the personal or public sector,” stated Srinivas Mukkamala, chief product officer at Ivanti. “Combating ransomware has been positioned on the high of the agenda for world leaders due to the rising toll being positioned on organizations, communities and people. It’s crucial that every one organizations actually perceive their assault floor and supply layered safety to their group to allow them to be resilient within the face of accelerating assaults.”

What ransomware attackers know 

Nicely-funded organized-crime and APT teams dedicate members of their groups to learning assault patterns and outdated vulnerabilities they will goal undetected. The 2023 Highlight Report finds that ransomware attackers routinely fly underneath standard vulnerability scanners’ radar, together with these of Nessus, Nexpose and Qualys. Attackers select which older vulnerabilities to assault based mostly on how nicely they will keep away from detection. 

The research recognized 20 vulnerabilities related to ransomware for which plugins and detection signatures aren’t but obtainable. The research’s authors level out that these embody all vulnerabilities related to ransomware that they recognized of their evaluation throughout the previous quarter, with two new additions — CVE-2021-33558 (Boa) and CVE-2022-36537 (Zkoss).

VentureBeat has discovered that ransomware attackers additionally prioritize discovering corporations’ cyber-insurance insurance policies and their protection limits. They demand ransom within the quantity of the corporate’s most protection. This discovering jibes with a not too long ago recorded video interview from Paul Furtado, VP analyst, Gartner. Ransomware Attacks: What IT Leaders Need to Know to Fight reveals how pervasive this observe is and why weaponizing outdated vulnerabilities is so standard right now.

Furtado stated that “dangerous actors have been asking for a $2 million ransomware cost. [The victim] advised the dangerous actors they didn’t have the $2 million. In flip, the dangerous actors then despatched them a duplicate of their insurance coverage coverage that confirmed they’d protection.

“One factor you’ve acquired to grasp with ransomware, not like another form of safety incident that happens, it places your enterprise on a countdown timer.”

Weaponized vulnerabilities spreading quick

Mid-sized organizations are likely to get hit the toughest by ransomware assaults as a result of with small cybersecurity budgets they will’t afford so as to add employees only for safety.

Sophos‘ latest study discovered that corporations within the manufacturing sector pay the best ransoms, reaching $2,036,189, considerably above the cross-industry common of $812,000. By interviews with mid-tier producers’ CEOs and COOs, VentureBeat has discovered that ransomware attacks reached digital pandemic levels across North America last year and proceed rising.

Ransomware attackers select smooth targets and launch assaults when it’s most troublesome for the IT employees of a mid-tier or small enterprise to react. “Seventy-six p.c of all ransomware assaults will occur after enterprise hours. Most organizations that get hit are focused subsequent instances; there’s an 80% likelihood that you can be focused once more inside 90 days. Ninety p.c of all ransomware assaults are hitting corporations with lower than a billion {dollars} in income,” Furtado suggested within the video interview.

Cyberattackers know what to search for

Figuring out older vulnerabilities is step one in weaponizing them. The research’s most noteworthy findings illustrate how refined organized crime and APT teams have gotten at discovering the weakest vulnerabilities to use. Listed below are a couple of of the numerous examples from the report:  

Kill chains impacting extensively adopted IT merchandise

Mapping all 344 vulnerabilities related to ransomware, the analysis staff recognized the 57 most harmful vulnerabilities that might be exploited, from preliminary entry to exfiltration. A whole MITRE ATT&CK now exists for these 57 vulnerabilities.

Ransomware teams can use kill chains to use vulnerabilities that span 81 merchandise from distributors equivalent to Microsoft, Oracle, F5, VMWare, Atlassian, Apache and SonicWall.

A MITRE ATT&CK kill chain is a mannequin the place every stage of a cyberattack will be outlined, described and tracked, visualizing every transfer made by the attacker. Every tactic described throughout the kill chain has a number of strategies to assist an attacker accomplish a selected purpose. This framework additionally has detailed procedures for every approach, and catalogs the instruments, protocols and malware strains utilized in real-world assaults.

Safety researchers use these frameworks to grasp assault patterns, detect exposures, consider present defenses and observe attacker teams.

APT teams launching ransomware assaults extra aggressively

CSW noticed greater than 50 APT teams launching ransomware assaults, a 51% enhance from 33 in 2020. 4 APT teams — DEV-023, DEV-0504, DEV-0832 and DEV-0950 — have been newly related to ransomware in This autumn 2022 and mounted crippling assaults.

The report finds that one of the crucial harmful traits is the deployment of malware and ransomware as a precursor to an precise bodily battle. Early in 2022, the analysis staff noticed escalation of the battle between Russia and Ukraine with the latter being attacked by APT teams together with Gamaredon (Primitive Bear), Nobelium (APT29), Wizard Spider (Grim Spider) and Ghostwriter (UNC1151) focusing on Ukraine’s essential infrastructure. 

The analysis staff additionally noticed Conti ransomware operators overtly declaring their allegiance to Russia and attacking the US and different nations which have supported Ukraine. We imagine this development will proceed to develop. As of December 2022, 50 APT teams are utilizing ransomware as a weapon of alternative. Amongst them, Russia nonetheless leads the pack with 11 confirmed menace teams that declare origin in and affiliations with the nation. Among the many most infamous from this area are APT28/APT29.

Many enterprise software program merchandise affected by open-source points

Reusing open-source code in software program merchandise replicates vulnerabilities, such because the one present in Apache Log4j. For instance, CVE-2021-45046, an Apache Log4j vulnerability, is current in 93 merchandise from 16 distributors. AvosLocker ransomware exploits it. One other Apache Log4j vulnerability, CVE-2021-45105, is current in 128 merchandise from 11 distributors and can also be exploited by AvosLocker ransomware.  

Extra evaluation of CVEs by the analysis staff highlights why ransomware attackers reach weaponizing ransomware at scale. Some CVEs cowl most of the main enterprise software program platforms and purposes.

One is CVE-2018-363, a vulnerability in 26 distributors and 345 merchandise. Notable amongst these distributors are Crimson Hat, Oracle, Amazon, Microsoft, Apple and VMWare.

This vulnerability exists in lots of merchandise, together with Home windows Server and Enterprise Linux Server, and is related to the Cease ransomware. The analysis staff discovered this vulnerability trending on the web late final yr. 

CVE-2021-44228 is one other Apache Log4j vulnerability. It’s current in 176 merchandise from 21 distributors, notably Oracle, Crimson Hat, Apache, Novell, Amazon, Cisco and SonicWall. This RCE vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night time Sky, Cheerscrypt and TellYouThePass.

This vulnerability, too, is a focal point for hackers, and was discovered trending as of December 10, 2022, which is why CISA has included it as a part of the CISA KEV catalog.

Ransomware a magnet for knowledgeable attackers

Cyberattacks utilizing ransomware have gotten extra deadly and extra profitable, attracting probably the most refined and well-funded organized crime and APT teams globally. “Risk actors are more and more focusing on flaws in cyber-hygiene, together with legacy vulnerability administration processes,” Ivanti’s Mukkamala advised VentureBeat. “Right now, many safety and IT groups battle to determine the real-world dangers that vulnerabilities pose and, due to this fact, improperly prioritize vulnerabilities for remediation.

“For instance,” he continued, “many solely patch new vulnerabilities or these disclosed within the NVD. Others solely use the Frequent Vulnerability Scoring System (CVSS) to attain and prioritize vulnerabilities.”

Ransomware attackers proceed to search for new methods to weaponize outdated vulnerabilities. The various insights shared within the 2023 Highlight Report will assist CISOs and their safety groups put together as attackers search to ship extra deadly ransomware payloads that evade detection — and demand bigger ransomware funds.