FBI Warns of Emerging Ransomware Initial Access Techniques
The FBI has warned that ransomware attackers are targeting third-party vendors and services to compromise businesses.
The US security agency highlighted two emerging initial access techniques being utilized by threat actors to infect targets with ransomware as of July 2023:
Exploitation of Vulnerabilities in Third Party Vendors
The FBI observed a rise in ransomware attacks targeting casinos through third-party gaming vendors between 2022 and 2023. These frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons.
Targeting of Legitimate System Management Tools
The agency also said that attackers are targeting such tools to elevate their network permissions in the target organization. In one campaign cited, the Silent Ransom Group, also known as Luna Moth, began by sending phishing messages to victims containing a phone number, which usually related to pending charges on the victims’ accounts.
Once the target called the phone number, the malicious actors directed them to join a legitimate system management tool via a link provided in a follow-up email. The attackers then used the tool to install other system management tools, which they repurposed for malicious activities. This allowed them to compromise local files and network shared drives, exfiltrate victim data and extort the companies.
How to Defend Against Initial Access Techniques
The FBI set out a range of recommendations for network defenders to protect their organization against these emerging initial access techniques.
- Cyber incident preparation. Maintain offline backups of data and ensure these backups are encrypted and immutable. Organizations should review the security posture of all third-party vendors and review suspicious activity in their connections with those vendors.
- Identity and access management. All accounts with password logins should comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies. Phishing-resistant MFA should also be required for services, particularly webmail, VPNs and accounts that access critical systems. User accounts with administrative privileges should be audited, with access controls configured according to the principle of least privilege.
- Protective controls and architecture. Network segmentation should be implemented to prevent the spread of ransomware. Network monitoring tools should be used to identify, detect and investigate abnormal activity on a network. Additionally, antivirus software should be installed and regularly updated on all hosts and remote desktop protocol (RDP) use closely monitored.
- Vulnerability and configuration management. Organizations should keep all operating systems, software and firmware up to date with patches, prioritizing the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities catalog. Other recommended measures include disabling unused ports, adding an email banner to external emails, and disabling command-line and scripting activities and permissions.
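The Luna Moth campaign above hinges on one legitimate system management tool being used to install a second one, which is the kind of abnormal activity the monitoring recommendation calls for. The following is an added example, not code from the FBI advisory or the article: a small detector that walks process-creation telemetry and flags any installer or remote-management agent whose ancestry leads back to another remote-management agent. The tool names and the event stream are constructed placeholders; in practice RMM_TOOLS would hold the process names of the products your organization actually sanctions.

```python
"""Flag the 'management tool installs another management tool' chain.

Placeholder process names and constructed events; not real telemetry.
"""
from dataclasses import dataclass

# Placeholder names standing in for sanctioned remote-management agents.
RMM_TOOLS = {"rmm_agent_a.exe", "rmm_agent_b.exe", "remote_support_c.exe"}
# Installer images worth scrutinizing when spawned beneath an RMM agent.
INSTALLER_NAMES = {"msiexec.exe", "setup.exe"}
MAX_DEPTH = 16  # guard against pid reuse producing an ancestry loop


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # basename of the executable
    user: str


def find_rmm_chains(events):
    """Return (ancestor_rmm, child_image, user) for every installer or RMM
    agent that has an RMM agent somewhere in its ancestry.
    Events must be time-ordered so a parent is seen before its children."""
    by_pid = {}
    alerts = []
    for ev in events:
        by_pid[ev.pid] = ev
        if ev.image not in RMM_TOOLS and ev.image not in INSTALLER_NAMES:
            continue
        anc, depth = by_pid.get(ev.ppid), 0
        while anc is not None and depth < MAX_DEPTH:
            if anc.image in RMM_TOOLS:
                alerts.append((anc.image, ev.image, ev.user))
                break
            anc, depth = by_pid.get(anc.ppid), depth + 1
    return alerts


# Constructed sample: a user joins a "support session", the agent spawns a
# shell, which runs an installer that drops a second agent. The final event
# is a benign service start with no RMM ancestor and must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "alice"),
    ProcEvent(200, 100, "rmm_agent_a.exe", "alice"),
    ProcEvent(300, 200, "cmd.exe", "alice"),
    ProcEvent(400, 300, "msiexec.exe", "alice"),
    ProcEvent(500, 400, "rmm_agent_b.exe", "alice"),
    ProcEvent(600, 1, "rmm_agent_a.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for ancestor, child, user in find_rmm_chains(SAMPLE_EVENTS):
        print(f"ALERT: {child} launched under {ancestor} by {user}")
```

Real deployments would feed this from EDR or Sysmon process-creation events and tune RMM_TOOLS and INSTALLER_NAMES to the environment; the ancestry walk rather than a direct parent check is what catches the shell and installer hops in between.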