Broadcast United

REPORT YOUR STORY HERE !

logo space

Reading: Cisco Talos: Uncovering the main ransomware TTPs
REGISTER
  • Loading stock data...
AD PLACEMENT

UPLOAD YOUR STORY HERE

LOGO SPACE

  • Loading stock data...
AD PLACEMENT
United States Minor Outlying Islands

Cisco Talos: Uncovering the main ransomware TTPs

Broadcast United News Desk
Broadcast United News Desk
Cisco Talos: Uncovering the main ransomware TTPs
Cisco Talos: Uncovering the main ransomware TTPs

[ad_1]

Contents
Ransomware attack chain: What Cisco Talos researchers learnedFirst steps of a ransomware actorThe second step of the ransomware actorsThe third step of ransomware actorsStep 4 of a ransomware actorThe fifth step a ransomware attacker might takeMust-read safety reportsThe three most commonly abused vulnerabilities14 Notable TTPs of Ransomware GroupsHow to Mitigate the Ransomware Threat

Cisco Talos analyzed the top 14 Ransomware The security firm revealed the most common vulnerabilities exploited by ransomware attackers between 2023 and 2024.

Ransomware attack chain: What Cisco Talos researchers learned

Ransomware actors almost all use the same attack chain.

Infographic showing a typical ransomware attack chain.
A typical ransomware attack chain. Image source: Cisco Talos

First steps of a ransomware actor

The first step for threat actors is to gain access to the target entity. To achieve this goal, ransomware actors use different techniques – one of the most common is social engineering the target by sending emails containing malicious files or links that will run malware on the target system. The malware will then allow the attackers to deploy more tools and malware to achieve their goals. Multi-factor authentication can be bypassed Various techniques are used at this point, either because of poor MFA implementation or because valid credentials are already in hand.

Talos also reports that a growing number of ransomware alliances are scanning internet-facing systems for vulnerabilities or misconfigurations that could allow them to compromise them. Unpatched or legacy software is particularly risky.

The second step of the ransomware actors

The second step is to gain persistence in case the initial attack vector is discovered; persistence on a system is usually achieved by modifying Windows registry keys or enabling auto-start execution of malicious code at system startup. Local, domain, and/or cloud accounts can also be created to achieve persistence.

The third step of ransomware actors

In the third step, the threat actor scans the network environment to gain a better understanding of the infrastructure’s internals. During this step, valuable data that can be used for ransom can be identified. In order to successfully gain access to all parts of the network, attackers often use tools to elevate their privileges to an administrator level in addition to tools that allow for network scanning. Common tools used to perform these tasks include Living Off the Earth Binary Also known as LOLbins, because they are native executable files of the operating system, they are less likely to cause alarm.

Step 4 of a ransomware actor

Attackers prepare to collect and steal sensitive data, which they typically compress using utilities such as 7-Zip or WinRAR, and then exfiltrate to attacker-controlled servers using remote monitoring and management tools or more custom tools such as StealBit or Exabyte, created by the LockBit and BlackByte ransomware groups.

The fifth step a ransomware attacker might take

If the goal is data theft or ransom, the operation ends. If the goal is to encrypt data, the attacker needs to test the ransomware in the environment—that is, check the delivery mechanism and the communication between the ransomware and the C2 server—and then launch it to encrypt the network and notify the victim that they have been breached and need to pay the ransom.

The three most commonly abused vulnerabilities

Cisco Talos reports that three vulnerabilities in public-facing applications are commonly exploited by ransomware threat actors.

  • CVE-2020-1472 AKA Zerologon exploits a vulnerability in the Netlogon remote protocol that allows attackers to bypass authentication and change computer passwords in the domain controller’s Active Directory. This vulnerability is widely used by ransomware attackers because it allows them to access a network without authentication.
  • CVE-2018-13379The Fortinet FortiOS SSL VPN vulnerability enables path traversal, allowing an attacker to access system files by sending specially crafted HTTP packets. VPN session tokens could potentially be accessed this way and could be used to gain unauthenticated network access.
  • CVE-2023-0669The GoAnywhere MFT vulnerability allows attackers to execute arbitrary code on target servers using the GoAnywhere hosted file transfer software. This is the latest vulnerability listed by Cisco Talos in its advisory.

All of these vulnerabilities allow ransomware actors to gain initial access and manipulate systems to run more malicious payloads, install persistence, or facilitate lateral movement within an infected network.

download: Benefits and best practices of cybersecurity From TechRepublic Premium

14 Notable TTPs of Ransomware Groups

Cisco Talos observed TTPs used by 14 of the most prevalent ransomware groups based on attack volume, impact on customers, and atypical behavior.

Infographic showing ransomware groups ranked by the number of victims they have on leak sites.
Ransomware groups ranked by number of victims on leak sites. Image credit: Cisco Talos

A key finding regarding TTPs shows that many of the most prominent groups prioritize establishing an initial compromise and evading defenses in their attack chains.

Ransomware threat actors often obfuscate malicious code by packing and compressing it, and modifying the system registry to disable security alerts on endpoints or servers. They may also block certain recovery options for users.

Cisco Talos researchers highlighted that the most common credential access technique is to dump the LSASS memory contents to extract plain text passwords, hashed passwords, or authentication tokens stored in memory.

Another trend in C2 activity is the use of commercial tools such as RMM applications. These applications are often trusted by the environment and allow attackers to blend in with corporate network traffic.

How to Mitigate the Ransomware Threat

First, patches and updates must be applied to all systems and software; this ongoing maintenance is necessary to reduce the risk of vulnerabilities being exploited.

strict Password Policy And MFA must be implemented. Complex and unique password MFA must be set up and enforced for every user, so an attacker with valid credentials still cannot access the target network.

Best practices need to be applied to harden all systems and environments. Unnecessary services and features should be disabled to reduce the attack surface. Additionally, the number of public-facing services must be limited as much as possible to reduce exposure to the internet.

The network should be segmented using VLANs or similar technologies. Sensitive data and systems must be isolated from other networks to prevent lateral movement of attackers.

The endpoint must be Security Information and Event Management Systemand Endpoint Detection and Response Or the need to deploy expanded detection and response tools.

Disclosure: I work at Trend Micro, but the opinions expressed in this article are my own.

[ad_2]

Source link

Share This Article
Previous Article FY25 Budget – Federal Credit Supplement, U.S. Government Budget, FY25 FY25 Budget – Federal Credit Supplement, U.S. Government Budget, FY25
Next Article Official memorial for Congressman John Lewis to begin Saturday Official memorial for Congressman John Lewis to begin Saturday
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *