Vulnerabilities Exploited by Ransomware Gangs
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks. The list include security flaws found in products from over a dozen different software and hardware vendors.
An undisclosed number of RaaS affiliates have started using RCE exploits targeting the recently patched Windows MSHTML vulnerability (CVE-2021-40444).
Conti ransomware targeting Microsoft Exchange servers, breaching enterprise networks using ProxyShell vulnerability exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
LockFile leveraged the PetitPotam NTLM relay attack method (CVE-2021-36942) to take over the Windows domain worldwide, Magniber jumped on the PrintNightmare exploitation train (CVE-2021-34527).
HelloKitty ransomware targeted vulnerable SonicWall devices (CVE-2019-7481). REvil breached Kaseya’s network (CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120). FiveHands ransomware was busy exploiting the CVE-2021-20016 SonicWall vulnerability.
QNAP warned of AgeLocker ransomware attacks on NAS devices using an undisclosed flaw in outdated firmware, just as a massive Qlocker ransomware campaign targeted QNAP devices unpatched against a hard-coded credentials vulnerability (CVE-2021-28799). eCh0raix was spotted targeting both QNAP and Synology NAS devices (CVE-2021-28799).
Cring ransomware started encrypting unpatched Fortinet VPN devices (CVE-2018-13379) on industrial sector companies’ networks.
Microsoft Exchange servers were hit by Black Kingdom and DearCry ransomware as part of a massive wave of attacks directed at systems unpatched against ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
Clop ransomware attacks against Accellion servers (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104).
CISA was joined by Microsoft, Google Cloud, Amazon Web Services, AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon as part of the Joint Cyber Defense Collaborative partnership focused on defending critical infrastructure from ransomware and other cyber threats.
The New Zealand Computer Emergency Response Team has also recently published a guide on ransomware protection for businesses. These guide outlines ransomware attack pathways and security controls can be set up to protect from or stop an attack.