
2/11/2021
05:30 PM
Ransomware Attackers Set Their Sights on SaaS

Ransomware has begun to target data-heavy SaaS applications, open source, and Web and application frameworks.

Ransomware attacks have begun to more heavily target software applications, open source tools, and Web and application frameworks as attackers seek more direct paths to organizations' largest and most important data stores. 

The ransomware threat landscape has seen tremendous growth in the past few years alone, RiskSense researchers report in a new study, "Ransomware – Through the Lens of Threat and Vulnerability Management." They detected 223 vulnerabilities associated with 125 ransomware families, a massive increase from their 2019 findings of 57 CVEs tied to 19 ransomware families. 

These attackers are diversifying their targets, moving "up the stack" to target software-as-a-service (SaaS) applications and remote technology. Ransomware is now taking over the application layer, explains RiskSense CEO Srinivas Mukkamala, a shift that shows how attackers are adapting as businesses move more of their operations to the cloud.

"This year, what we found even more interesting was it's not [only] touching your SaaS applications, open source software, and open source libraries," he says of ransomware. "It didn't stop there. It started going after the perimeter technologies, like your VPNs, remote access services, and zero trust."

He calls it a "very fast shift." It took attackers several years to begin targeting the application layer, but only within the past two years did researchers notice that the types of exploits attackers used, and the layers they targeted, "dramatically changed."

Data-dense applications are hot targets. SaaS had the highest count of vulnerabilities seen trending with active exploits among ransomware families, researchers point out in their report.

Researchers noticed 18 CVEs tied to ransomware found across WordPress, Apache Struts, Java, PHP, Drupal, and ASP.NET, all of which are major components of the Web and application framework space. Open source and related projects are also targets – 19 CVEs tied to ransomware exist in Jenkins, MySQL, OpenStack, Tomcat, Elasticsearch, OpenShift, JBoss, and Nomad. Anything that holds a lot of data, or is responsible for the deployment of data, has become appealing to attackers. To Mukkamala, the shift "makes perfect sense."

"Wherever there was data density, we started seeing ransomware go: CRM tools, open source tools that are used in your data pipelines, backup services, remote access services," he adds. "Call it the work-from-home tech frenzy." 

How They're Breaking In
Attackers are also looking for more severe vulnerabilities to reach these targets – namely, those that are capable of remote code execution (RCE) or privilege escalation (PE) when exploited. 

Between 2018 and 2020, more than 25% of CVEs used in ransomware attacks were considered "dangerous," meaning they were capable of RCE or PE and had weaponized exploits. While the number of weaponized vulnerabilities went down overall, the number of RCE/PE flaws increased. Researchers report more than 25% of newly published CVEs pose a higher risk to organizations due to these RCE/PE capabilities.

"They don't need the human intervention anymore," says Mukkamala of the preference for RCE and PE flaws. "They're looking at vulnerabilities that can be remotely exploited – vulnerabilities that will allow them to escalate privileges. That's a very interesting trend we have seen in the last year." 

Nearly all (96%) vulnerabilities used in ransomware attacks were reported in the US National Vulnerability Database (NVD) before 2019. Of these, 120 were actively used in ransomware attacks that trended in the past 10 years, and 87 are currently trending (2018-2020). The largest contributors in ransomware attacks are vulnerabilities disclosed in 2017, 2018, and 2019.

"What we really see is ransomware successfully using software weaknesses, misconfigurations, and coding errors that people are not paying attention to," he explains. While some attackers use zero-days, these are growing rarer as known vulnerabilities continue to prove successful. 

The Ransomware Family Tree Grows
Researchers identified 125 ransomware families using 223 CVEs. Some of the more prominent families include Crypwall, which uses 66 CVEs, Locky (64), Cerber (62), Cryptesla (56), GandCrab (51), Cryptomix (50), Reveton (46), and Waltrix (45). Of the ransomware families detected, 42 only use vulnerabilities reported in 2019 or earlier, with the oldest flaw reported in 2010. 

The number of ransomware families has continued to grow as new players enter the scene, joining old groups that continue to operate. Some, such as Cobralocker and Lokibot, have been running since 2012 and don't show any signs of retiring, researchers note. 

Mukkamala says these groups continue to stay relevant by adding new vulnerabilities and exploits to their arsenals. The tremendous growth in ransomware families shows there are plenty of targets, and plenty of opportunities, for ransomware campaigns to succeed.

"There's so much available," he adds. "Everyone has a piece of the share … there's still a lot of room for these guys, and people are paying. Why wouldn't they stop?"

He advises organizations to defend against evolving ransomware threats by first understanding their exposure. Knowing where they are vulnerable is a key first step in ransomware defense.

"Understand your exposure, map it to your attack surface," he explains. "What is your addressable attack surface, and what is your exposure to it? First do your external and then quickly move to your internal. Do not ignore internal."

Based on this knowledge, IT and security teams will have a better idea of where they need to address areas of exposure to ransomware.
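One way to turn this advice into a triage pass over a vulnerability inventory, as an added example that is not part of the article or the RiskSense report: findings are classified with the report's definition of a "dangerous" CVE (RCE or privilege-escalation capable and weaponized), and ranked external-first, then by danger, ransomware association, and age. The records, asset names, and CVE identifiers below are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability instance on one asset (fields are assumptions for this example)."""
    cve: str
    asset: str
    external: bool            # reachable from the internet (external attack surface)
    year: int                 # year the CVE was published in NVD
    rce: bool = False         # exploitation yields remote code execution
    priv_esc: bool = False    # exploitation yields privilege escalation
    weaponized: bool = False  # a working public exploit exists
    ransomware: tuple = ()    # ransomware families known to use it (constructed sample data)


def is_dangerous(f: Finding) -> bool:
    """The report's 'dangerous' class: RCE- or PE-capable AND weaponized."""
    return (f.rce or f.priv_esc) and f.weaponized


def priority(f: Finding) -> tuple:
    """Sort key: external exposure first, then dangerous, then ransomware-linked, then oldest."""
    return (not f.external, not is_dangerous(f), not bool(f.ransomware), f.year)


def rank(findings):
    return sorted(findings, key=priority)


def dangerous_share(findings) -> float:
    """Fraction of findings meeting the 'dangerous' definition (0.0 for an empty list)."""
    if not findings:
        return 0.0
    return sum(is_dangerous(f) for f in findings) / len(findings)


# Constructed inventory; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "vpn-gw", external=True, year=2018, rce=True, weaponized=True, ransomware=("Cerber",)),
    Finding("CVE-EXAMPLE-0002", "jenkins-ci", external=False, year=2019, rce=True, weaponized=True, ransomware=("Locky",)),
    Finding("CVE-EXAMPLE-0003", "wordpress-www", external=True, year=2017),
    Finding("CVE-EXAMPLE-0004", "mysql-db", external=False, year=2010, priv_esc=True, weaponized=True),
    Finding("CVE-EXAMPLE-0005", "intranet-app", external=False, year=2020, rce=True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        tag = "dangerous" if is_dangerous(f) else "-"
        scope = "external" if f.external else "internal"
        print(f.cve, f.asset, f.year, scope, tag, ",".join(f.ransomware) or "-")
    print(f"dangerous share: {dangerous_share(SAMPLE):.0%}")
```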

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...