Phishing emails, RDP abuse, and exploitation of software vulnerabilities. That's the unholy trio of top initial ransomware infection vectors, according to a new joint advisory -- warning of increasing ransomware sophistication -- from the UK's NCSC, US's CISA and Australia's ACSC published February 9, 2022.
Sophistication or not, those three routes into organisations remain disturbingly familiar and emphasise the extent to which security hygiene and culture are critical in building a better-defended businesses.
(When it comes to easily brute-forced RDP credentials or other passwords, Microsoft noted this week that in Azure Active Directory its observe 50 million password attacks daily, yet only 20% of users and shockingly just 30% of global admins are using strong authentications such as multi-factor authentication.)
The three agencies -- which said that in 2021 they observed an "increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally" -- also warned that in the US attackers are moving away from "big game" and redirecting ransomware efforts toward mid-sized victims.
Chris Wallis, Founder of Intruder -- a vulnerability management and attack surface monitoring platform -- noted to The Stack that the report suggests companies are yet to find ways to defend against the "same old story" threat vectors, adding: "The causes could be diverse, from insufficient budget or senior management buy-in to outdated practices like the 'annual pentest', or the difficulty of defending from attacks like phishing.
" What's most interesting to me is the shift in the US away from big-game toward mid-size businesses, who now have the government warning them that they are officially in the ransomware threat actors' crosshairs, so it may be wake-up time for a lot of organisations who previously hoped that their size would protect them" he added.
The top 3 ransomware infection vectors: How to address them
Security professionals suggest that gamifying phishing exercises can help buy-in, with prizes and score-tables for the best performing staff and clearly outlined actions to address regular poor-performers.
Veeam CISO Gil Vega, for example, told The Stack in an earlier interview that in a previous role he had "created a trophy system where when employees did the right thing, we were sending them tiny gold trophies — we were sending those things all over the globe! "I travelled extensively with that company and in every office I ever visited, those trophies were prominently displayed — people really loved being rewarded for identifying these problems. We went pretty goofy, with different style trophies; it probably went a bit overboard," he said wryly.
On patching, the agencies urged companies this week to regularly check for end of life (EOL) notifications, and prioritize patching known exploited vulnerabilities, adding: "In cloud environments, ensure that virtual machines, serverless applications, and third-party libraries are also patched regularly, as doing so is usually the customer’s responsibility. Automate software security scanning and testing when possible. Consider upgrading hardware and software, as necessary, to take advantage of vendor-provided virtualization and security capabilities.
CISA added: "If you use RDP or other potentially risky services, secure and monitor them closely. Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
"Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports. Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations," CISA said.
The three agencies also warned that in 2021 ransomware developers increasingly targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software, noting: "Ransomware threat actors also targeted cloud accounts, APIs, and data backup and storage systems to deny access to cloud resources and encrypt data. In addition to exploiting weaknesses to gain direct access, threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems. Ransomware threat actors have also targeted cloud service providers to encrypt large amounts of customer data."