
Attacks/Breaches

3/24/2021
05:20 PM

Ransomware Incidents Continue to Dominate Threat Landscape

Cisco Talos' IR engagements found attackers relied heavily on malware like Zloader and BazarLoader to distribute ransomware in the past three months.

Ransomware operators relied heavily on a handful of commodity Trojans, open source reconnaissance tools, and legitimate Windows utilities to execute many of their attacks during the past quarter, according to data from incidents handled by the Cisco Talos Incident Response (CTIR) team.

The data, collected from customer locations between November 2020 and January 2021, showed attackers continuing to overwhelmingly use phishing emails with malicious documents to deliver Trojans for downloading ransomware on victim systems.


But unlike in the recent past where the Emotet and Trickbot malware families were the primary vehicles for distributing ransomware, many of the Trojans used for this purpose in the past quarter were commodity tools such as Zloader, BazarLoader, and IcedID. According to the CTIR team, nearly 70% of the ransomware attacks it responded to over the three-month period used these or similar Trojans to deliver ransomware.

"We saw a variety of commodity Trojans used this quarter, as opposed to previous quarters in which Trickbot and Emotet were dominant," says Brad Garnett, general manager of the Cisco Talos Incident Response team.

For enterprises, the trend could spell even more trouble on the ransomware front.

"Commodity Trojans are easy to obtain and possess numerous capabilities for lateral movement, command-and-control communications, etc., which can increase the efficacy of a ransomware attack," Garnett notes.

The CTIR team's data from incident response engagements showed ransomware dominated the threat landscape during the three-month period, just as it has for the past seven straight quarters. The most prolific ransomware families included Ryuk, Vatet, WastedLocker, and variants of Egregor.

As they have in the past, ransomware operators took advantage of several open source and legitimate admin tools and utilities to facilitate attacks, move laterally in compromised networks, hide malicious activity, and take other actions. Some 65% — or nearly two-thirds — of the ransomware incidents the Cisco Talos team responded to involved the use of PowerShell, and 30% of the incidents involved the use of PsExec. Other commonly used dual-use tools, both free and commercially available, included Cobalt Strike, CCleaner for deleting unwanted files, the open source TightVNC for enabling remote control of Windows and Linux PCs, and compression software such as WinRAR and 7-Zip.

Abusing Legit Tools and Utilities
The CTIR team also encountered several incidents where attackers used open source reconnaissance tools such as the Active Directory (AD) search utility ADFind, the AD information-gathering tool ADRecon, and the Bloodhound tool for visualizing AD environments and finding potential attack paths.

As one example of how ransomware operators are leveraging these tools, the CTIR team pointed to an incident where the attackers, after gaining an initial foothold on the victim network, took advantage of the Group Policy replication feature in Windows AD to install Ryuk ransomware. In that instance, the adversary leveraged PsExec to move laterally and execute remote commands. They eventually obtained domain administrator (DA) credentials and used them to encrypt some 1,000 endpoints and wipe backup indexes.
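The two patterns the article reports, PowerShell and PsExec in most engagements and AD reconnaissance tools such as ADFind and BloodHound before lateral movement, are things a defender can hunt for in endpoint process-creation telemetry. The script below is an added example written for this page, not code from Cisco Talos or Dark Reading. It assumes Sysmon-style process-creation records with `host`, `user`, `image`, `parent` and `cmdline` fields, runs over a handful of constructed sample events (not real telemetry), and uses a hypothetical `ADMIN_ALLOWLIST` of accounts that are expected to run these tools, so that a hit is a triage lead rather than an alert on routine administration.

```python
"""Hunt for dual-use tooling and PsExec spread in process-creation records.

Example code added here; not Cisco Talos' or Dark Reading's code. Field names
follow the Sysmon event 1 layout as an assumption, and all events are constructed.
"""
import re
from collections import defaultdict

# Image names of tools the article reports in ransomware intrusions. All are
# legitimate admin or recon utilities, so a hit is a lead to triage, not proof.
TOOL_SIGNATURES = {
    "psexec.exe": "PsExec client (remote command execution)",
    "adfind.exe": "ADFind (Active Directory enumeration)",
    "sharphound.exe": "BloodHound SharpHound collector",
}

# PowerShell accepts abbreviated forms of -EncodedCommand; match any of them.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
# PsExec names its target as \\host on the command line.
PSEXEC_TARGET = re.compile(r"\\\\([\w.-]+)")
# Office parents launching PowerShell match the malicious-document phishing vector.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Hypothetical accounts allowed to run these tools as part of normal admin work.
ADMIN_ALLOWLIST = {"corp\\svc-sccm"}

# Constructed sample events; the encoded command is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ts": "2021-01-12T02:03:11Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -w hidden -enc SQBFAFgA", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ts": "2021-01-12T02:09:40Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmdline": "adfind.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2021-01-12T02:31:05Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\psexec.exe",
     "cmdline": "psexec.exe \\\\FS-01 cmd.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2021-01-12T02:33:52Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\psexec.exe",
     "cmdline": "psexec.exe \\\\DC-01 cmd.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2021-01-12T09:00:00Z", "host": "ADMIN-02", "user": "CORP\\svc-sccm",
     "image": "C:\\Tools\\PsTools\\psexec.exe",
     "cmdline": "psexec.exe \\\\WS-100 cmd.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2021-01-12T09:15:00Z", "host": "WS-022", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1", "parent": "C:\\Windows\\explorer.exe"},
]


def image_name(path):
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return a list of finding strings for one process-creation event (empty if benign)."""
    findings = []
    img, parent, user = image_name(ev["image"]), image_name(ev["parent"]), ev["user"].lower()
    if img in TOOL_SIGNATURES and user not in ADMIN_ALLOWLIST:
        findings.append(f"dual-use tool: {TOOL_SIGNATURES[img]}")
    if img == "powershell.exe":
        if ENCODED_PS.search(ev["cmdline"]):
            findings.append("powershell with encoded command")
        if parent in OFFICE_PARENTS:
            findings.append(f"powershell spawned by office app ({parent})")
    return findings


def hunt(events):
    """Group findings by host as (timestamp, user, finding) tuples in event order."""
    by_host = defaultdict(list)
    for ev in events:
        for finding in classify_event(ev):
            by_host[ev["host"]].append((ev["ts"], ev["user"], finding))
    return dict(by_host)


def psexec_spread(events):
    """Map each non-allowlisted account to the sorted set of hosts it targeted with PsExec."""
    targets = defaultdict(set)
    for ev in events:
        if image_name(ev["image"]) != "psexec.exe" or ev["user"].lower() in ADMIN_ALLOWLIST:
            continue
        match = PSEXEC_TARGET.search(ev["cmdline"])
        if match:
            targets[ev["user"]].add(match.group(1))
    return {user: sorted(hosts) for user, hosts in targets.items()}


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host)
        for ts, user, finding in findings:
            print(f"  {ts} {user}: {finding}")
    print("PsExec spread:", psexec_spread(SAMPLE_EVENTS))
```

On the constructed input, all five findings land on WS-017 and `psexec_spread` shows the one non-admin account reaching two hosts within minutes of running ADFind, which is the sequence of recon followed by lateral movement the CTIR team describes. The allowlist is what keeps the 30% PsExec figure from turning into noise: the point is not that PsExec is present but who ran it, from where, and after what.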

"Ransomware continues to pose the greatest threat to enterprises," Garnett says. "Phishing remains the most observed infection vector for these attacks, underscoring the importance of email security and phishing training."

In addition, enterprises must enable multifactor authentication where possible, disable legacy protocols, and limit use of powerful Windows tools in trusted accounts.

Ransomware was the predominant threat, but the CTIR team also responded to multiple incidents involving malware distributed via poisoned updates to SolarWinds' Orion network management technology. Some 18,000 organizations worldwide — including several Cisco Talos customers — were impacted in that breach. However, only one of the incidents that Cisco Talos investigated involved post-compromise activity. In that incident, the attackers had set up a PowerShell script that appeared designed to fetch additional code, likely for carrying out further malicious activity.

Looking at the current quarter, Garnett expects Cisco Talos will have to respond to more SolarWinds-related incidents because the full scope and impact of that incident is likely larger than what's known so far. He also expects the CTIR team will have to respond to more incidents involving the believed China-based Hafnium group and its recent attacks targeting four critical zero-day vulnerabilities in Microsoft Exchange Server.

"For Hafnium, we are actively supporting customers globally across different sectors and continue to see an uptick in IR services requests from customers [impacted by the attacks]," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...