DHS warns of ransomware activity targeting remote access software
By – MEGHA MALHOTRA
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an alert, urging enterprise organizations to review recent insights from the New Zealand Computer Emergency Response Team (CERT NZ) on a new ransomware campaign targeting enterprise networks through remote access systems.
Malicious actors are actively targeting remote access tools, such as the Remote Desktop Protocol (RDP) and virtual private networks (VPNs), to exploit systems with unpatched vulnerabilities and weak authentication practices.
Unpatched vulnerabilities and weak authentication were found to be the most common points of entry for attacks on these remote access systems.
NZ CERT confirmed that hackers have indeed accessed organizations through these vulnerabilities, which have been leveraged for ransomware attack opportunities. As those areas are key weaknesses for many providers in the healthcare sector, the campaign could prove problematic for those organizations.
How do hackers carry out a ransomware attack on a computer?
Hackers gain access through weak passwords, a lack of multi-factor authentication, or unpatched remote access systems. Citrix remote access technologies, which CISA alerted to earlier this year, are also a common way for hackers to gain access to enterprise networks.
Once inside the network, the threat actors use tools like Cobalt Strike, mimikatz, and psexec to elevate privileges, move laterally across the network, and establish persistence.
“From there, any system on the network may be affected,” NZ CERT officials explained. “The current attacks are believed to be sophisticated and well-crafted. These attacks can have severe impacts on business operations, including data being stolen and sold.”
“Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup,” they added.
Sensitive information is extracted before files are encrypted
These attackers identify and extract sensitive information from the network before encrypting files. The attack method bears the hallmarks of earlier campaigns outlined by both Microsoft and CISA. The CISA alert warned that hackers were compromising patched VPNs with stolen credentials, and finding success given the prevalence of password reuse.
The Nefilim ransomware variant is commonly used in these attacks, but NZ CERT has also detected other ransomware families. Once the attacker has exfiltrated the targeted data, they move to sell or publicly release the information. The method was first made popular by the Maze hacking group, which often targets the healthcare industry.
What’s worse about the latest campaign is that due to the access hackers are able to obtain in these attacks before the ransomware is deployed, restoring data from backups won’t resolve the problem.
How to stay safe?
1. Victim organizations will need to conduct an in-depth investigation of potentially compromised systems to fully eradicate the hackers from their systems. Additional security measures will also be needed to improve security after the attack.
2. To prevent falling victim, organizations will need to check their remote access systems for signs of unauthorized access. If access is detected, IT or security leaders will need to perform a detailed investigation to determine if lateral movement has occurred.
3. All systems should be up-to-date with all security patches.
4. IT leaders must ensure strong authentication measures are enforced. NZ CERT also recommended the use of network segmentation and whitelisting for vulnerable platforms, as it makes it more difficult for hackers to move laterally across the network.
5. As stressed by many security leaders, well-configured backups are crucial to recovering from ransomware attacks.
6. Never click on unverified links: Avoid clicking links in spam emails or on unfamiliar websites. Downloads that start when you click on malicious links are one way that your computer could get infected.
7. Do not provide personal information when answering an email, unsolicited phone call, text message or instant message: Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
8. Use reputable antivirus software and a firewall: Maintaining a strong firewall and keeping your security software up to date are critical. It’s important to use antivirus software from a reputable company because of all the fake software out there.
9. Do employ content scanning and filtering on your mail servers: Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
10. Do not open untrusted email attachments: Never open attachments that ask you to enable macros to view them. If the attachment is infected, opening it will run the malicious macro, giving the malware control over your computer.
11. Never use unfamiliar USBs: Never insert USBs or other removable storage devices into your computer if you do not know where they came from.
12. Use a VPN when using public Wi-Fi: Being cautious with public Wi-Fi is a sensible ransomware protection measure. When you use public Wi-Fi, your computer system is more vulnerable to attack. To stay protected, avoid using public Wi-Fi for confidential transactions, or use a secure VPN.
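One way to run the check in step 2 against Windows logon events, as an added example that is not part of the original article or the CERT NZ advisory: it flags a successful RDP logon (event 4624, logon type 10) that follows a burst of failed logons (event 4625) from the same source address. The flattened log layout, sample lines, threshold and time window are constructed assumptions, and events are assumed to be in time order.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a flattened export of Windows Security logon events.
# Assumed columns: time, event_id, logon_type, account, source_ip
SAMPLE_LOG = """\
2020-07-01T02:10:01,4625,3,administrator,203.0.113.50
2020-07-01T02:10:09,4625,3,admin,203.0.113.50
2020-07-01T02:10:17,4625,3,backup,203.0.113.50
2020-07-01T02:10:26,4625,3,svc_sql,203.0.113.50
2020-07-01T02:10:40,4625,3,jsmith,203.0.113.50
2020-07-01T02:11:02,4624,10,jsmith,203.0.113.50
2020-07-01T08:59:30,4625,10,akumar,198.51.100.7
2020-07-01T09:00:05,4624,10,akumar,198.51.100.7
"""

FAILED, SUCCESS = "4625", "4624"   # failed logon / successful logon
REMOTE_INTERACTIVE = "10"          # logon type recorded for RDP sessions
NETWORK = "3"                      # failed RDP logons under NLA often show as type 3

def find_suspicious_logons(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return successful RDP logons preceded by >= threshold failures
    from the same source IP inside the time window."""
    failures = defaultdict(deque)   # source_ip -> deque of (time, account)
    alerts = []
    for time_s, event_id, logon_type, account, src in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(time_s)
        recent = failures[src]
        while recent and when - recent[0][0] > window:
            recent.popleft()        # drop failures older than the window
        if event_id == FAILED and logon_type in (NETWORK, REMOTE_INTERACTIVE):
            recent.append((when, account))
        elif event_id == SUCCESS and logon_type == REMOTE_INTERACTIVE:
            if len(recent) >= threshold:
                alerts.append({
                    "time": time_s, "source_ip": src, "account": account,
                    "failures": len(recent),
                    "accounts_tried": sorted({a for _, a in recent}),
                })
            recent.clear()          # a success resets the counter for this source
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logons(SAMPLE_LOG):
        print(alert)
```

An alert here is a starting point for the detailed investigation the step calls for; the single mistyped password from 198.51.100.7 stays below the threshold and is not reported.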