Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

Cyber Security Threat Summary:
According to a new advisory from the FBI, the agency noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons which would be held for ransom payments. The exploitation of third-party vendors and services signifies the need for organizations to conduct a thorough risk assessment of vendors before onboarding as well as regular assessments of security measures and protocols employed by the vendor to reduce the risk and impact of ransomware attacks.

Security Officer Comments:
The FBI also notes that threat actors are taking advantage of legitimate system management tools to elevate network permissions and compromise systems. For instance, earlier this year, the Silent Ransom Group conducted callback phishing data theft and extortion attacks by notifying victims of “pending charges” on their accounts and requesting a callback as soon as possible. If the victim calls back, the actors will then direct the victim to install a legitimate system management tool which can be leveraged by the attackers to gain access to the victim’s system and compromise local files and the network shared drives. To combat the misuse of such tools, the FBI recommends organizations implement listing policies for applications and remote access that only allow systems to execute known and permitted programs. Organizations have also been advised to document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.