Vulnerabilities Now Top Initial Access Route For Ransomware

Cyber Security Threat Summary:
Cybersecurity insurance provider Corvus reports that ransomware actors are switching tactics and are choosing to exploit vulnerabilities rather than leverage phishing emails to breach victim organizations. Analyzing metrics from claims data this year, Corvus was able to examine threat actor activity. The company claims that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.

While the figure is likely skewed by the massive extortion campaigns that followed the exploitation of the MOVEit and GoAnywhere file transfer software, the data still shows a change in tactics across the ransomware landscape.

Security Officer Comments:
Cybersecurity insurance providers likely have the best metrics surrounding ransomware attacks, as many victims are not publicly announced, and ransomware tactics and extortion attempts are not always disclosed outside of the insurance provider.

Corvus also noted that exposed cryptographic keys and other secrets are another increasingly popular way for threat actors to compromise organizations. Based on its metrics, 7% of ransomware victims had at least one exposed secret, the most common being Google API keys, JSON web tokens, Shopify domain keys, and keys for AWS S3 buckets. “But not all exposures are equal. Some do not give threat actors much to work with, and may never pose a problem for the organizations that exposed them. For about 1% of the organizations we studied, however, we located exposed keys that our security experts consider to be ‘critical’ and require immediate attention,” the firm explained.
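The practical defensive check here is to scan your own repositories, build logs and configuration for the secret formats the report names before an attacker does. The following is an added example (not Corvus's tooling or data): it matches the published prefixes for Google API keys and AWS access key IDs, validates JWT candidates by decoding their header, and treats the `shpat_` Shopify token prefix as an assumption about what "Shopify domain keys" refers to; the sample input is constructed.

```python
"""Scan text for the exposed-secret types named in the report and return
redacted findings for triage. Added example; sample input is constructed."""
import base64
import json
import re

# Google (AIza...) and AWS (AKIA/ASIA...) prefixes are documented formats.
# The Shopify pattern is an assumption about Admin API access tokens.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "shopify_token": re.compile(r"\bshpat_[0-9a-fA-F]{32}\b"),
    "jwt": re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b"),
}


def looks_like_jwt(token: str) -> bool:
    """Cut false positives: the first segment must decode to a JSON header with 'alg'."""
    header = token.split(".")[0]
    try:
        obj = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(obj, dict) and "alg" in obj


def redact(value: str) -> str:
    """Keep only a short prefix so a findings report does not re-expose the secret."""
    return value[:6] + "..."


def scan(text: str) -> list[dict]:
    """Return one finding per match: line number, secret kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if kind == "jwt" and not looks_like_jwt(m.group(0)):
                    continue
                findings.append({"line": lineno, "kind": kind, "redacted": redact(m.group(0))})
    return findings


def _b64url(obj) -> str:
    """Helper to build constructed JWT segments for the sample input."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample: four fake secrets plus one 'eyJ' string that is not a JWT.
SAMPLE = "\n".join([
    'GOOGLE_MAPS_KEY="AIzaSyD0123456789abcdefghijklmnopqrstuv"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "SHOPIFY_TOKEN=shpat_0123456789abcdef0123456789abcdef",
    "Authorization: Bearer " + _b64url({"alg": "HS256", "typ": "JWT"}) + "." + _b64url({"sub": "1"}) + ".sig",
    "not_a_jwt = " + _b64url({"x": 1}) + ".abc.def",
])
```

Running `scan(SAMPLE)` flags the first four lines and skips the decoy on line 5; in practice point it at `git log -p` output, CI logs and deployed config, and rotate any key it finds rather than merely deleting the file.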

Social engineering still remains a common tactic, and was seen in nearly half of all claims as of Q3 2023, up from last year, when it appeared in around 35-38% of claims. This makes social engineering responsible for nearly three times more claims than the next largest category, breaches at vendors or other third parties.

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated, that internet access to operational networks is carefully filtered and limited, and that links between these networks are identified, with workarounds or manual controls developed so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.