Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In October, the team provided a threat intelligence review, discussed notable vulnerabilities and trends, and offered a closer look at Akira ransomware.
Threat Intelligence Review
The Director of Incident Response introduced the webinar with a few high-level cyber trends. He reviewed the evolution of ransomware from the early days, when the primary entry method was an email attachment, to today's more sophisticated techniques, including credential theft and social engineering. Ransomware groups like BlackCat, also known as ALPHV, pose as an employee when calling a company help desk for assistance, or log in to an endpoint detection and response console to gain access. Other notable shifts in entry methods include social engineering layered onto phishing campaigns, watering hole attacks, and living-off-the-land techniques. He recommended that all companies enable multifactor authentication (MFA) at every level to help keep threat actors out of their networks. He also discussed the importance of a baseline policy that defines which IT management tools are approved, so that an unapproved remote-access tool appearing on an endpoint stands out.
He explained the geographical shift and political realignment of ransomware groups since the start of the Russia-Ukraine war: the original groups fractured, realigned, and have since stabilized. Now, as winter approaches, he expects a spree of cyberattacks, particularly from Eastern Europe.
Recently, companies whose data was stolen by Royal ransomware, including companies that paid the ransom, have seen re-extortion: a new group shows up with the old data set and demands payment. He stressed the importance of finding and closing the perimeter vulnerability used in the initial attack, so that a second group cannot come in through the same opening. Overall, he predicts an increase in ransomware attacks driven by more vulnerabilities, social engineering, and email delivery, and he strongly suspects that ransomware attacks will reach an all-time high in the coming months.
Vulnerabilities and trends
The Vulnerability Management Team Lead looked at vulnerabilities and trends from the prior month, noting that “September was a remarkable month and not in a good way.” As many as 2,100 vulnerabilities were disclosed, 22 of them high risk. Of those 22, 14 were zero-day vulnerabilities, the largest number of zero days in the past 12 months. These zero days affected products from Microsoft, Apple, Adobe, Google, WordPress, Progress, and JetBrains.
He walked through the most notable zero-day vulnerabilities, with basic guidance on how each one affects the victim's network and how to remediate it:
- Pegasus spyware. CVE-2023-41064 and CVE-2023-41061, two Apple vulnerabilities (in ImageIO and Wallet respectively), chain together to deploy Pegasus spyware. The chain is a zero-click attack: the user does not have to open a link or enter credentials, because delivery of the malicious message alone accomplishes the threat actor's goal. Updating affected Apple devices to the patched releases remediates it.
- Microsoft vulnerabilities. CVE-2023-36802 is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy. CVE-2023-36761 is an information disclosure vulnerability in Microsoft Word: a crafted document can leak the user's NTLM hash, which lets a threat actor masquerade as that authorized user and reach sensitive data under that user's account.
- libvpx. CVE-2023-5217 is a heap buffer overflow in the VP8 encoder of the libvpx video codec library, reachable through Chrome and other browsers. For the browsers, remediate by updating Chrome, Microsoft Edge, Firefox, and other Chromium-based browsers. Applications that bundle their own copy of libvpx, such as Signal, Telegram, and 1Password, are affected independently of the browser; each must be updated to a build that incorporates the patched library.
- WebP codec. CVE-2023-4863 is a heap buffer overflow in libwebp, an image encoding library, and more than 700 known applications are affected, including Facebook, YouTube, Gmail, older versions of Microsoft Office, GIMP, and ImageMagick. Because each application ships its own copy of the library, all of them must be updated to remediate the vulnerability.
- Cisco ASA and FTD. This vulnerability allows a brute-force attack against the remote access virtual private network (VPN) on a Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) device where MFA is not enabled, because the software does not limit the number of username-password attempts. Once valid credentials are found, the threat actor can establish a clientless SSL VPN session on the targeted device. The VMP team lead recommended upgrading and patching to remediate. He also reviewed Cisco's interim mitigations: limit the number of allowed consecutive failed logins, disable the clientless SSL VPN protocol, set the number of simultaneous logins to zero for the default group policy (or any group policy that should not accept remote access), and use dynamic access policies to terminate VPN tunnels that land on the default connection profiles.
The SOC Operations Lead provided a closer look at Akira ransomware, which first appeared as ransomware-as-a-service in March 2023. The most common initial access vector is CVE-2023-20269, the Cisco VPN vulnerability above, used against Cisco VPN products where MFA is not enabled. Akira's primary targets are companies in the materials, manufacturing, and finance industries, usually small businesses with fewer than 200 employees in the United States and Canada.
He explained that the Pondurance team has observed Akira ransomware in action. In every instance, the compromised vector was Cisco AnyConnect without MFA, and all of the login pages were exposed to the internet with Internet Key Exchange version 2 (IKEv2) authentication enabled. In 85% of the detections no backdoor was installed after exploitation; when one was installed, it was the AnyDesk remote desktop application. Once inside, the threat actor typically used living-off-the-land tactics to dump credentials, then staged and moved data with WinRAR and WinSCP.
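The Cisco ASA/FTD item above and the AnyConnect-without-MFA initial access described here come down to the same observable: many rejected logins from one source, followed by a session that succeeds. The script below is an added example for this summary, not Pondurance code. It parses ASA syslog, flags a source IP that crosses a failure or distinct-account threshold inside a time window, and then flags any session that IP establishes afterward. The sample log lines are constructed and modelled on ASA message IDs 113005/113015 (AAA authentication rejected) and 113039 (AnyConnect parent session started); the exact field layout varies by release, and the thresholds are assumptions to tune for your environment.

```python
"""Spot brute-force / password-spray attempts against a Cisco ASA remote-access
VPN in syslog, and call out a login that succeeds after the failures.

Added example for this summary, not Pondurance code. The sample lines are
constructed and modelled on ASA message IDs 113005/113015 (AAA authentication
rejected) and 113039 (AnyConnect parent session started); field layouts vary
by release, so treat the regexes as a starting point, not a specification."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one guess against many accounts and
# gets in as "frank"; 198.51.100.2 is a real user who mistypes a password.
SAMPLE_SYSLOG = """\
Oct 05 2023 14:02:11 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Oct 05 2023 14:02:13 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Oct 05 2023 14:02:15 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Oct 05 2023 14:02:17 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Oct 05 2023 14:02:19 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Oct 05 2023 14:02:21 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7
Oct 05 2023 14:02:23 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Oct 05 2023 14:02:40 %ASA-6-113039: Group <GroupPolicy_Employees> User <frank> IP <203.0.113.7> AnyConnect parent session started.
Oct 05 2023 14:05:02 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.2
Oct 05 2023 14:05:20 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.2
Oct 05 2023 14:05:41 %ASA-6-113039: Group <GroupPolicy_Employees> User <alice> IP <198.51.100.2> AnyConnect parent session started.
"""

_TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
REJECT_RE = re.compile(
    _TS + r" %ASA-6-1130(?:05|15): AAA user authentication Rejected .*"
          r": user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SUCCESS_RE = re.compile(
    _TS + r" %ASA-6-113039: Group <[^>]+> User <(?P<user>[^>]+)> "
          r"IP <(?P<ip>[^>]+)> AnyConnect parent session started")


def parse_asa_lines(lines):
    """Yield {'ts','kind','user','ip'} for the two message types we care about."""
    for line in lines:
        for kind, rx in (("reject", REJECT_RE), ("success", SUCCESS_RE)):
            m = rx.search(line)
            if m:
                yield {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                       "kind": kind, "user": m["user"], "ip": m["ip"]}
                break


def detect_vpn_bruteforce(lines, threshold=10, window=timedelta(minutes=5),
                          spray_users=5):
    """Flag a source IP once it has `threshold` rejections, or rejections for
    `spray_users` distinct accounts, inside `window`; then flag any session that
    IP establishes afterward. Without MFA, that success is a compromised account."""
    events = sorted(parse_asa_lines(lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)     # ip -> (ts, user) rejections inside window
    flagged = {}                    # ip -> first finding for that IP
    findings = []
    for ev in events:
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if ev["kind"] == "reject":
            q.append((ev["ts"], ev["user"]))
            users = sorted({u for _, u in q})
            if ev["ip"] not in flagged and (len(q) >= threshold
                                            or len(users) >= spray_users):
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                flagged[ev["ip"]] = {"kind": kind, "ip": ev["ip"],
                                     "failures": len(q), "users": users,
                                     "first": q[0][0], "last": ev["ts"]}
                findings.append(flagged[ev["ip"]])
        elif ev["ip"] in flagged:   # a success from an already-flagged source
            findings.append({"kind": "success_after_failures", "ip": ev["ip"],
                             "user": ev["user"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_vpn_bruteforce(SAMPLE_SYSLOG.splitlines()):
        print(finding)
```

On the constructed sample, 203.0.113.7 is flagged as a password spray on its fifth distinct account, and the later AnyConnect session for "frank" from that address is reported as a success after failures; the two typos from 198.51.100.2 never cross a threshold. The detection is the monitoring counterpart of Cisco's "limit consecutive failed logins" mitigation: the appliance stops the guessing, and the log tells you who was guessing and whether anyone got through before the limit was in place.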
Akira ransomware uses identifiable tactics, techniques, and procedures (TTPs) within a network. He outlined those TTPs and discussed the type of evidence the Pondurance team looks for:
- Persistence – creation of a domain-level account or an account where the threat actor can log in at will
- Defense evasion – off-the-shelf tools such as PowerTool and KillAV that disable antivirus-related processes
- Discovery – tools such as PCHunter, SharpHound, the built-in Windows net commands, and IP scanners
- Credential access – tools that scrape credentials from memory and stored locations, such as Mimikatz and LaZagne
- Lateral movement – internal Remote Desktop Protocol (RDP) connections
- Command and control – remote desktop or management tools, such as Radmin, AnyDesk, or RustDesk, installed on an endpoint
- Exfiltration – WinRAR, WinSCP, and FileZilla uploads
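The TTP list above reads as a set of detection rules, and the point of collecting them by tactic is that a single hit is noise while a chain of tactics on one host is an intrusion. The script below is an added example for this summary, not Pondurance code. It runs one rule per listed TTP over constructed process-creation telemetry (Sysmon Event ID 1 style image and command line fields) and escalates any host that shows three or more distinct tactics. The tool image names are the tools' usual binary names and are assumptions an intruder can defeat by renaming, which is why the net.exe, rundll32 and mstsc rules key on the command line rather than the file name.

```python
"""Triage endpoint process-creation telemetry for the Akira TTPs listed above.

Added example for this summary, not Pondurance code. The events are constructed
in a Sysmon Event ID 1 style (image + command line); the image names are the
tools' usual binary names, which an intruder can rename, so the command-line
patterns carry more weight than the file names."""
import re

# (tactic, rule name, regex run over "<image> <command line>", case-insensitive)
RULES = [
    ("Persistence", "account creation via net user /add",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("Defense evasion", "AV-killer tool (PowerTool, KillAV)",
     r"\b(powertool(64)?|killav)\.exe\b"),
    ("Discovery", "AD/host enumeration tool (PCHunter, SharpHound)",
     r"\b(pchunter(64)?|sharphound)\.exe\b"),
    ("Discovery", "net.exe enumeration",
     r"\bnet1?(\.exe)?\s+(view|group|user|localgroup)\b(?!.*\s/add\b)"),
    ("Discovery", "IP scanner",
     r"\b(advanced_ip_scanner|netscan|ipscan)\S*\.exe\b"),
    ("Credential access", "credential scraper (Mimikatz, LaZagne)",
     r"\b(mimikatz|lazagne)\.exe\b"),
    ("Credential access", "LSASS dump through comsvcs.dll (living off the land)",
     r"rundll32\S*\s+\S*comsvcs\.dll,?\s*minidump"),
    ("Lateral movement", "RDP client to an internal address",
     r"\bmstsc(\.exe)?\b.*\s/v:(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)"),
    ("Command and control", "remote management tool (Radmin, AnyDesk, RustDesk)",
     r"\b(radmin|rserver3|anydesk|rustdesk)\.exe\b"),
    ("Exfiltration", "archive or upload tool (WinRAR, WinSCP, FileZilla)",
     r"\b(winrar|rar|winscp|filezilla)\.exe\b"),
]
COMPILED = [(t, n, re.compile(p, re.IGNORECASE)) for t, n, p in RULES]

SAMPLE_EVENTS = [  # constructed telemetry, not data from a real incident
    {"ts": "2023-09-12T01:14:03", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r'net group "Domain Admins" /domain'},
    {"ts": "2023-09-12T01:16:40", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Users\Public\SharpHound.exe", "cmdline": r"SharpHound.exe -c All"},
    {"ts": "2023-09-12T01:31:12", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"ts": "2023-09-12T01:44:55", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net user svc_backup Winter2023! /add /domain"},
    {"ts": "2023-09-12T01:52:08", "host": "WS-042", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\mstsc.exe", "cmdline": r"mstsc.exe /v:10.20.5.12"},
    {"ts": "2023-09-12T02:03:19", "host": "FS-01", "user": r"CORP\svc_backup",
     "image": r"C:\Users\Public\PowerTool64.exe", "cmdline": r"PowerTool64.exe"},
    {"ts": "2023-09-12T02:05:47", "host": "FS-01", "user": r"CORP\svc_backup",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": r"AnyDesk.exe --service"},
    {"ts": "2023-09-12T02:20:30", "host": "FS-01", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'WinRAR.exe a -r -v2g C:\Temp\fin.rar "\\FS-01\Finance"'},
    {"ts": "2023-09-12T02:41:02", "host": "FS-01", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": r"WinSCP.exe /script=upload.txt"},
    {"ts": "2023-09-12T08:10:00", "host": "WS-007", "user": r"CORP\helpdesk",   # benign noise
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net user jdoe /domain"},
]


def triage(events):
    """Return one hit per (event, rule) match, tagged with the TTP's tactic."""
    hits = []
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for tactic, name, rx in COMPILED:
            if rx.search(text):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "tactic": tactic, "rule": name, "cmdline": ev["cmdline"]})
    return hits


def tactics_by_host(hits):
    """Collapse hits to the set of distinct tactics observed on each host."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["tactic"])
    return out


def escalate(hits, min_tactics=3):
    """Hosts showing at least `min_tactics` distinct tactics, i.e. a chain, not a one-off."""
    return sorted(h for h, t in tactics_by_host(hits).items() if len(t) >= min_tactics)


if __name__ == "__main__":
    all_hits = triage(SAMPLE_EVENTS)
    for h in all_hits:
        print(f"{h['ts']} {h['host']:7} {h['tactic']:20} {h['rule']}: {h['cmdline']}")
    print("escalate:", escalate(all_hits))
```

On the constructed telemetry, WS-042 shows discovery, credential access, persistence and lateral movement, and FS-01 shows defense evasion, command and control and exfiltration, so both are escalated; WS-007, where the help desk ran a single `net user` lookup, shows one tactic and is left alone. The escalation threshold and the private-address test in the RDP rule are assumptions; in practice the per-host grouping would also be joined across hosts by the account in use, since the same compromised account moving from WS-042 to FS-01 is the stronger signal.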
The SOC Operations Lead also reviewed the controls that Pondurance has implemented and the preventive steps companies can take to minimize the risk of Akira ransomware: training users to recognize phishing emails and other attacks, patching devices, enabling multifactor authentication (above all on VPN logins), and auditing the permissions of user accounts.
The Pondurance team will host another webinar in November to discuss new cybersecurity activity. Check back next month to read the summary.
Experiencing a breach? Contact Us
Emergency IR Hotline: 888.385.1720