Companies defend themselves against ransomware attacks, constantly patching vulnerabilities, disabling the commonly exploited ports (SMB, RDP, etc.) take care of leaked credentials, and do everything they can to defend their assets. What about third parties?
The rise of remote workforces and virtual offices have created new and enticing vectors for cybercriminals to exploit, also verified by these CISA alerts.
The most recent ransomware attack was towards American Bank Systems (ABS), a service provider to US banks and financial institutions resulting in a leak of 53 GB-size data. Avaddon, the ransomware group behind the attack, previously published the 4 GB portion of the database, threatening to publish more in case the ABS did not pay the requested fee.
So it happened! Avadon finally published a 52.57 GB dump, we assume after ABS likely refused to cooperate with the ransom demands. The beneficiaries affected by this attack seem to include multiple banking names and mortgage companies, such as First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust, etc. ABS provides banking software and systems to facilitate bank processes and compliance requirements.
“Cyber ecosystems” create a target-rich environment for hackers to exploit vulnerabilities with the aim of stealing personal data and identities, and even company secrets as in the case of ABS. After reaching out to ABS, threat actors have gained access to multiple entities in the banking ecosystem.
The compromised data in the published dump includes loan documents, business contracts, private emails, invoices, credentials for network shares, company confidential files, and other personal information.
The below screenshot  shows the already exposed personal information such as customers’ names, Tax ID numbers (likely Social Security Numbers), and loans from ABS.
Third-Party Ransomware On the Rise
Beginning in mid-2020, multiple organizations (mostly healthcare and non-profit organizations) announced breaches one after another. They all had one particular third party in common – Blackbaud.
Blackbaud, a third-party cloud and CRM provider to alumni fundraising and/or donor activities used at non-profits and universities worldwide, experienced a ransomware attack in early May. Blackbaud immediately put a halt to the attack after it was discovered, however, hackers had already been able to remove a copy of a subset of data from Blackbaud’s private cloud environment.
A recent Securities and Exchange Commission (SEC) filing shows more unencrypted information than previously thought has been accessed by hackers in the breach. This included bank account information, Social Security numbers, usernames, and passwords, according to the SEC filing. The largest client affected by the Blackbaud breach was Inova Health System, with 1 million individuals included in the tally. So far, more than 6 million individuals have been affected in total and millions of infringement claimants have filed litigation against the vendor.
Here we see that it is not always the company itself, but third parties that malicious agents target. Third-party attacks also create a ripple effect in cyber ecosystems, affecting multiple organizations in multiple tiers.
The Business of Ransomware as a service
The ransomware industry is booming, as seen in both hacker forums and the dark web.
Cybercriminals weaponize easy-to-use tools that enable malicious actors to execute ransomware attacks. Some provide ransomware as a service. For instance, cybercriminals cracked the latest version of Cobalt Strike, an attack-simulation tool developed for offensive security research purposes. They weaponized the tool to drop ransomware codes inside the organizations .
Any company in any industry whose attack surface is large enough is likely to be the target of a ransomware attack. It can be a large enterprise itself or its third parties, suppliers, software providers, etc. Recently, cybercriminals were able to fake a Microsoft Teams update including a weaponized version of Cobalt Strike. Many organizations that use Microsoft Teams as their go-to online meeting tools were affected by the attack spree .
Cybercriminals now select their target with a wide scan of vulnerabilities and weaknesses, such as open ports that allow remote access, vulnerabilities on servers that allow remote code execution, and phishing and credential stuffing attacks that allow attackers direct access to the systems. Any company that has these attack points may be caught in this scan and automatically become a target of ransomware. If the company is a third-party service provider to a larger institution, it then becomes a gold mine for adversaries.
How to avoid ransomware attacks
Ransomware attacks nowadays are like the Covid-19 virus. You have to mask your assets, but once you are infected, you are infected. Further precautions after you‘re hit by a ransomware attack are only for minimizing the loss.
The insertion points of ransomware attacks to your system can be listed as below:
- Critical open ports that provide remote access (RDP and SMB ports)
- Vulnerabilities with remote code executions
- Employees (through phishing and credential stuffing attacks
- Third-party providers (suppliers, partners, etc.)
***Let’s go one by one on how to close these insertion points.
Critical open ports that provide remote access
Besides regular Firewall and IPS configurations, there are a couple of things that should be done on the networking side to avoid ransomware attacks. Software that allows remote administration is becoming increasingly common and is often used when it is difficult or impractical to be physically near a system in order to use it. There are many types of remote administration tools and methods available such as RDP, VNC, SSH, Telnet, SNMP.
- Verify that only trusted IPs and/or users can assess
- Use strong cryptography and security protocols
- Implement automated audit trails for all system components
Port 445 provides SMB over TCP. Vulnerabilities in SMB Listens on Port is one of the most frequent risks found on networks around the world. Over the years, there have been many security vulnerabilities in Microsoft’s implementation of the protocol or components on which it directly relies. Real-time attack tracking shows that SMB is one of the primary attack vectors for intrusion attempts. For example, the 2014 Sony Pictures attack and the WannaCry ransomware attack of 2017.
- Blocking 445 at the external firewall is relatively easy and solves many problems.
- Disable SMBv1.
- If possible, block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all external boundary devices.
Vulnerabilities that allow remote code executions
The answer to this one is quite easy: Patching. Organizations should use vulnerability scanners and cyber intelligence tools to be informed as early as possible of such vulnerabilities that may be used for ransomware attacks.
Leaked credentials are still the number one asset for hackers to perform credential-stuffing attacks with automated tools. A phishing attack is another. Once they have the privilege to access the systems, they can find the right place to install the ransomware code.
- Monitor leaked credentials with cyber intelligence tools.
- Harden cybersecurity measures on e-mail systems.
- Monitor phishing/fraudulent domains that may target your employees.
- Install endpoint protection.
- Use additional protection on endpoints such as systems that only allow users to download a file in a micro VM.
This is probably the most challenging issue to avoid ransomware attacks. If you have sufficient resources and skills, you may avoid ransomware attacks directly targeting your organization.
How about your third parties? Do you know if your third parties have sufficient resources and skills? If they install the right tools to close the insertion points of ransomware attacks? Are you prepared for the loss of data that you shared with that third party? What third parties have direct access to your systems? All of these questions show the challenge if attackers use a third-party provider to execute a ransomware attack. The old-school third-party risk management methods, such as sending questionnaires and assessing the risk based on the answers, are no longer good enough to avoid these attacks.
- Continuously monitor the cybersecurity posture of your third parties
- Show them how good or bad they look from a hacker’s perspective
- Share a set of goals and tasks such as a strategy report so that they will dazzle about what to do first
- Follow their improvement (a ticketing tool may help) and provide additional information if necessary
If you experience a ransomware attack, you may not be able to provide any services to your customers. It will be a chaotic situation. Having backup data and backup systems help immensely to allow partial operations and still serve your customers. However, ransomware attackers will likely leak your data, therefore be prepared for both data loss and reputation loss.
What’s at stake
Considering what’s at stake, organizations should be aware of the vulnerabilities and weaknesses that can be used for ransomware attacks not only for themselves but also for their third parties. You should continuously monitor these insertion points and assess the ransomware risk.
Featured image by Pixabay