If you still don’t do the basic security protections, you’ll end up as easy packing for cybercriminals.
For instance, an undisclosed organisation had a security vulnerability that was left unpatched for three years. It left it wide open for a cybercriminal gang to enter in and breach a network, planting ransomware while inside. To clarify, cybersecurity researchers at Forescout investigated and detailed a ransomware attack by Blackcat took place back in March of this year.
Meanwhile, BlackCat ransomware or APPHV as it is also known – has compromised at least 60 victims around the world. As a result, the FBI has released an alert warning people about the activities of this particular ransomware group.
But interestingly in this situation whilst the group have a reputation for running a sophisticated ransomware operation, in this case it was a simple technique that allowed BlackCat to gain initial access to the network. That is to say, BlackCat were able to take advantage of a vulnerability. An SQL injection vulnerability to be precise in an internet-exposed unpatched and end-of-life SonicWall SRA appliance.
Most importantly, since 2019, this vulnerability could have been security patched but hadn’t been. In other words leaving the door open to an easy entry point into the network for the cyber criminals.
Once the criminals gained access to network, they were able to get the usernames and passwords, and this gave them an entry way in to the ESXi servers. After that the ransomware payload was set up.
BlackCat are quite unique from other ransomware groups as they use several techniques not used by other gangs and specifically designed to make them even more successful. For example, quite unusual for malware, the ransomware is written in the Rust programming language which makes it more difficult to detect and examine.
Secondly, based on information found in the target environment, the ransomware uses a unique binary for each victim. And again, this makes it more difficult to detect as the code used is unique for each campaign. In other words, slightly different.
Daniel dos Santos, head of security research at Forescout, says “A unique binary that is not general for each victim makes the detection harder.”
BlackCat ransomware attack back in March was only partially successful as it encrypted servers and files. But the spread was confined to one section of the network because it had been segmented. So, the attackers could only control one area of the network and couldn’t move to others.
Dos Santos said the “segmentation was actually well done in this case and that’s why it was contained.” And secondly, the BlackCat ransomware-as-a-service may have been done by criminals with their L plates on, still learning the how to of attacks.
But regardless of the attacker’s inexperience the malware still infected some servers. Now no ransom amount was paid because of the network segmentation that reduced the ability of the attack to spread. Yet the whole might not have happened at all if the basic security protection were implemented in the first place.
Steps to ensure security protection would include:
- Organisation need to apply the relevant security updates to fix the vulnerability
“Whatever is facing the internet, it’s always important for it to be fully patched, says dos Santos.
- Organisation should monitor their networks for external access from known IP addresses or unusual patterns of behaviour.
- backup their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom.
You may want to consider doing a cyber security risk assessment
