Written by Allan Liska
Ransomware groups have three main ways of gaining initial access to victim networks: phishing, using stolen credentials, and exploiting known vulnerabilities. One of them is not getting enough attention.
The first two methods of initial access have received a lot of attention. Companies regularly hold phishing awareness training courses for employees and conduct phishing exercises. After it was reported that the initial access vector for the Colonial Pipeline ransomware attack was an old password that the ransomware actor likely found on an underground forum, this method has also received more attention. Organizations are investing in multi-factor authentication and taking other steps to reduce the likelihood of a successful credential reuse attack.
This leaves one last method of attack (at least until ransomware groups discover a new attack vector): exploiting security holes. Ransomware groups exploiting vulnerabilities attracted a lot of attention after the REvil ransomware group, or an affiliate, exploited a previously unknown vulnerability (known as a zero-day) in their attack on customers of Kaseya’s managed service providers.
But the real challenge with ransomware and vulnerability exploitation is not zero-days; it is the well-known, long-patched vulnerabilities that ransomware groups exploit over and over.
To demonstrate the known vulnerability and ransomware problem, I posted a table similar to the one above on Twitter and asked for feedback from other security experts who may have seen a ransomware actor exploit a vulnerability that I had overlooked. The end result was 47 vulnerabilities in 17 technologies. In other words, there is a huge attack surface that ransomware actors are targeting, and given the number of ransomware attacks to date in 2021, they appear to be winning.
This would usually be the part of the commentary where you would expect me to tell you to make sure you patch. And yes, you should definitely patch. But everyone is aware of the need to patch. What I think most people are not aware of is the extent of the problem. Those who work in vulnerability management or investigate ransomware are painfully aware of how many vulnerabilities ransomware actors can exploit, but I don’t think most other people are. A new vulnerability emerges, ransomware actors start to exploit it weeks or months later, every security professional asks you to patch it, and everyone moves on to the next one.
But there is a deeper problem that needs to be addressed. Ransomware actors and other cyber criminals are becoming increasingly adept at exploiting vulnerabilities and doing so faster. In fact, they often develop vulnerability exploits before most organizations can patch them, which gives ransomware actors a huge advantage.
How can companies gain the upper hand in vulnerability management? It starts with good asset management. You need a complete and up-to-date inventory so that you know if your company has been affected by a new vulnerability.
Prioritize patching not by rating, but by risk. What is the risk to your company if you do not prioritize patching this vulnerability? If the risk is a ransomware attack, this should be a high priority patch.
Finally, share this information with the teams actually doing the patching so they understand why it’s a high priority. My experience with vulnerability management is that telling a story always produces better results than passing on a number. “This vulnerability is rated 10, so it is critical, please patch it,” does not have the same impact as: “Ransomware groups use this vulnerability to gain initial access, encrypt systems, and steal files.” Specifying the severity of a vulnerability in relatable terms will likely ensure that it is prioritized during patching.
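The three steps above (an up-to-date asset inventory, prioritizing by risk rather than by rating, and handing the patching team a story instead of a number) can be expressed as a small prioritization routine. The following Python is an added example written for this page, not code from the author; the inventory, product names and the CVE-0000-xxxx identifiers are constructed placeholders, and the "ransomware_exploited" flag stands in for whatever exploitation intelligence an organization actually tracks.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """One entry from the asset inventory (constructed sample data below)."""
    hostname: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability record. The CVE ids used below are placeholders, not real CVEs."""
    cve: str
    product: str
    fixed_in: str               # first version that carries the fix
    cvss: float                 # the "rating" the page warns against prioritizing by
    ransomware_exploited: bool  # evidence that ransomware actors use it for initial access


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple, e.g. "8.1.2" -> (8, 1, 2)."""
    return tuple(int(part) for part in version.split("."))


def affected_assets(vuln: Vulnerability, inventory: List[Asset]) -> List[Asset]:
    """Step 1: the inventory tells you whether the vulnerability applies to you at all."""
    return [
        asset for asset in inventory
        if asset.product == vuln.product
        and version_key(asset.version) < version_key(vuln.fixed_in)
    ]


def risk_key(vuln: Vulnerability, affected: List[Asset]) -> tuple:
    """Step 2: sort key where a larger tuple means more urgent.

    The tuple order encodes the policy: nothing affected means no risk; a known
    ransomware initial-access vector outranks everything else; internet-facing
    exposure and the number of affected hosts come next; CVSS is only a tie-breaker.
    """
    exposed = any(asset.internet_facing for asset in affected)
    return (bool(affected), vuln.ransomware_exploited, exposed, len(affected), vuln.cvss)


def patch_story(vuln: Vulnerability, affected: List[Asset]) -> str:
    """Step 3: the message handed to the patching team, phrased as a story, not a score."""
    if not affected:
        return f"{vuln.cve}: no affected assets in inventory; track it, no patch action needed."
    hosts = ", ".join(asset.hostname for asset in affected)
    if vuln.ransomware_exploited:
        return (f"{vuln.cve}: ransomware groups use this vulnerability to gain initial access, "
                f"encrypt systems, and steal files. Affected: {hosts}. Patch to {vuln.fixed_in} first.")
    return (f"{vuln.cve}: CVSS {vuln.cvss}, no known ransomware exploitation yet. "
            f"Affected: {hosts}. Schedule the upgrade to {vuln.fixed_in}.")


def prioritize(vulns: List[Vulnerability], inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Return (cve, story) pairs, most urgent first."""
    ranked = sorted(vulns, key=lambda v: risk_key(v, affected_assets(v, inventory)), reverse=True)
    return [(v.cve, patch_story(v, affected_assets(v, inventory))) for v in ranked]


# Constructed sample inventory and vulnerability list (placeholder products and CVE ids).
INVENTORY = [
    Asset("vpn-edge-01", "example-vpn-gateway", "8.1.2", internet_facing=True),
    Asset("file-srv-03", "example-file-server", "4.0.0", internet_facing=False),
    Asset("file-srv-04", "example-file-server", "4.0.0", internet_facing=False),
]
VULNS = [
    # Modest CVSS, but used by ransomware actors and sitting on an internet-facing box.
    Vulnerability("CVE-0000-0001", "example-vpn-gateway", "8.2.0", 7.2, ransomware_exploited=True),
    # Higher CVSS, internal only, no exploitation evidence.
    Vulnerability("CVE-0000-0002", "example-file-server", "4.1.0", 9.8, ransomware_exploited=False),
    # Perfect 10 rating, but nothing in the inventory runs the product.
    Vulnerability("CVE-0000-0003", "example-hypervisor", "6.0.0", 10.0, ransomware_exploited=True),
]

if __name__ == "__main__":
    for _, story in prioritize(VULNS, INVENTORY):
        print(story)
```

Run as-is, the script ranks the CVSS 7.2 VPN issue first, the CVSS 9.8 file-server issue second, and the CVSS 10.0 issue last because the inventory shows no affected asset, which is exactly the inversion of a rating-only ordering the page argues for. Swap `INVENTORY` and `VULNS` for a real export from your asset and vulnerability tools to use it beyond the sample.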
I really want to thank everyone around the world, especially Twitter user “pancak3lulklz” for his many suggestions that contributed to the table shown above. This has been a great effort by people from across the security community, and hopefully it helps illustrate the scope of one facet of the ransomware attack surface.
#hard #patch #ransomware #problem #StateScoop