December 6, 2023

The FBI has warned that ransomware attackers are targeting third-party vendors and services to compromise businesses.

As of July 2023, threat actors are using two emerging initial access techniques to infect targets with ransomware:

Exploitation of Vulnerabilities in Third Party Vendors

Between 2022 and 2023, there was an increasing trend of ransomware attacks targeting casinos through third-party gaming vendors. These attacks frequently hit small and tribal casinos, encrypting servers and the personally identifiable information (PII) of employees and patrons.


Targeting of Legitimate System Management Tools

Attackers are abusing legitimate system management tools to elevate their permissions on the target organization's network.

In one campaign, the Silent Ransom Group began by sending victims phishing messages containing a phone number, typically presented as relating to pending charges on the victims' accounts.

Once the target called the phone number, the malicious actors directed them to connect to a legitimate system management tool via a link provided in a follow-up email. The attackers then used that tool to install other system management tools, which they repurposed for malicious activity. This allowed them to compromise local files and network shared drives, exfiltrate victim data, and extort the companies.


Recommendations for network defenders to protect their organizations against these emerging initial access techniques:

  • Cyber incident preparation. Maintain offline backups of data and ensure these backups are encrypted and immutable. Organizations should review the security posture of all third-party vendors and review suspicious activity in their connections to those vendors.
  • Identity and access management. All accounts with password logins should comply with NIST standards for developing and managing password policies. Phishing-resistant MFA should also be required for services, particularly webmail, VPNs, and accounts that access critical systems.
  • Protective controls and architecture. Network segmentation should be implemented to prevent the spread of ransomware. Network monitoring tools should be used to identify, detect, and investigate abnormal activity on a network.
  • Vulnerability and configuration management. Organizations should keep all operating systems, software, and firmware up to date with patches, prioritizing vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
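The campaign described above hinges on one legitimate management tool being used to pull in further management tools, and the recommendations call for monitoring that can surface abnormal activity. The following is an added example written for this article, not code from the FBI advisory or from the article's author. It runs a simple detection over constructed software-install records in an assumed pipe-delimited format, flags installs of management-class tools that are not on a hypothetical organizational allowlist, and separately flags "tool chaining", where the installing parent process is itself a management tool. All product names, hosts and users are placeholders, not real vendors or telemetry.

```python
"""Detect unsanctioned remote-management tool installs in endpoint install logs.

Added example for this article; not the advisory's or the author's code.
Assumed (constructed) record format, one install event per line:
    <ISO timestamp>|<host>|<parent process>|<installed product>|<user>
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical allowlist: the management product the organisation sanctions.
APPROVED_MGMT_TOOLS = {"approved-rmm"}

# Hypothetical category list: products that behave like system management /
# remote access / remote file transfer tools. Placeholder names, not real products.
MGMT_TOOL_CATEGORY = {"approved-rmm", "rmm-tool-b", "remote-support-c", "file-transfer-d"}

# Constructed sample telemetry (not real data). The second to fourth lines model
# the article's pattern: a user-initiated install of one management tool, which
# then installs two more.
SAMPLE_LOG = """
# constructed sample, not real telemetry
2023-07-11T09:02:13Z|ws-finance-07|msiexec.exe|approved-rmm|svc-deploy
2023-07-11T13:44:51Z|ws-finance-07|outlook.exe|remote-support-c|jdoe
2023-07-11T13:51:08Z|ws-finance-07|remote-support-c.exe|rmm-tool-b|jdoe
2023-07-11T13:58:30Z|ws-finance-07|rmm-tool-b.exe|file-transfer-d|jdoe
2023-07-11T14:10:00Z|ws-hr-02|msiexec.exe|office-suite|svc-deploy
"""


@dataclass
class InstallEvent:
    ts: str
    host: str
    parent: str   # parent process name, lower-cased, ".exe" stripped
    product: str  # installed product name, lower-cased
    user: str


def parse_line(line: str) -> InstallEvent:
    """Parse one pipe-delimited record; reject anything that is not five fields."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed install record: {line!r}")
    ts, host, parent, product, user = fields
    parent_norm = parent.lower().removesuffix(".exe")
    return InstallEvent(ts, host, parent_norm, product.lower(), user)


def classify(ev: InstallEvent) -> List[str]:
    """Return the alert labels that apply to one event (empty list if benign)."""
    alerts = []
    # A management-class tool the organisation has not approved.
    if ev.product in MGMT_TOOL_CATEGORY and ev.product not in APPROVED_MGMT_TOOLS:
        alerts.append("unapproved-mgmt-tool")
    # A management tool installing another management tool: the chaining the
    # article describes, regardless of whether either tool is approved.
    if ev.parent in MGMT_TOOL_CATEGORY and ev.product in MGMT_TOOL_CATEGORY:
        alerts.append("mgmt-tool-chaining")
    return alerts


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw log lines; skip blanks and '#' comments."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)
        for label in classify(ev):
            findings.append((ev.host, ev.product, label))
    return findings


def hosts_by_alert_count(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Triage helper: hosts ordered by number of alerts, most first."""
    counts = {}
    for host, _product, _label in findings:
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = detect(SAMPLE_LOG.splitlines())
    for host, product, label in results:
        print(f"{host}: {product} -> {label}")
    print("triage order:", hosts_by_alert_count(results))
```

The two labels are deliberately independent: an approved tool installing another approved tool still trips "mgmt-tool-chaining", because the article's point is that the tools themselves are legitimate and the abnormal signal is how they are being used. In a real deployment the product and parent names would come from the endpoint agent's install and process telemetry, and the category set would be maintained as an inventory rather than a literal.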
