FBI: Ransomware hackers continuously using third-party access, legitimate system tools

The Federal Bureau of Investigation (FBI) published Tuesday a Private Industry Notification (PIN) to highlight ransomware initial access trends, as hackers continue to gain access through third parties and legitimate system tools. The agency detailed that new trends included ransomware hackers exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions.

“As of July 2023, the FBI noted several trends emerging or continuing across the ransomware environment and is releasing this notification for industry awareness,” the FBI said in its latest publication, shared by the American Hospital Association. 

The agency detailed that it continues to track reporting of third-party vendors and services as an attack vector for ransomware incidents. “Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors. The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons,” it added.

The latest notification follows an earlier FBI alert highlighting emerging ransomware trends that affect the same victims repeatedly and involve data destruction. As of July this year, the FBI noted that these new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks. Organizations are encouraged to implement the recommendations in the notification’s ‘Mitigations’ section to reduce the likelihood and impact of ransomware incidents.

The notification said that as of June this year, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback-phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims’ account. 

“Once the victims called the provided phone number, malicious actors directed them to join a legitimate system management tool via a link provided in a follow-up email,” the FBI disclosed. “The threat actors then used the management tools to install other legitimate system management tools that can be repurposed for malicious activity. The actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies.”

The FBI recommends that network defenders apply various mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by ransomware. These actions include preparing for cyber incidents, identity and access management, protective controls and architecture, and vulnerability and configuration management. 

Organizations must maintain offline backups of data and regularly carry out backup and restoration. By instituting this practice, an organization ensures it will not be severely interrupted and that backup data will be accessible when it is needed. They must ensure that all backup data is encrypted, immutable (that is, cannot be altered or deleted), and covers the entire organization’s data infrastructure. Additionally, they must ensure that backup data is not already infected, review the security posture of third-party vendors and those interconnected with the organization, and ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.

Furthermore, organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation. They must also implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location such as a hard drive, other storage device, or the cloud.
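The “approved solutions for remote management” recommendation above is straightforward to operationalize as an allowlist check over a software inventory. The following is an added example, not code from the FBI notification: it assumes a CSV inventory export with host, product, version and install-date columns, a constructed watch list of remote management product names, and an assumed policy in which only one product is approved.

```python
import csv
import io

# Product names commonly recognised as remote management tools (constructed watch list;
# extend it from your own environment's software inventory).
REMOTE_MGMT_KEYWORDS = ("anydesk", "teamviewer", "screenconnect", "connectwise",
                        "atera", "splashtop", "zoho assist", "syncro", "rustdesk")

# The organisation's documented, approved remote management solutions (assumed policy).
APPROVED_REMOTE_TOOLS = {"teamviewer"}

# Constructed software-inventory export, one row per installed product per host.
SAMPLE_INVENTORY = """host,product,version,installed
ws-fin-07,Microsoft Office,16.0,2023-01-10
ws-fin-07,AnyDesk,7.1.11,2023-06-28
ws-fin-07,TeamViewer,15.42,2022-11-02
ws-hr-03,Zoho Assist Unattended Agent,1.0,2023-06-29
ws-hr-03,Google Chrome,114.0,2023-06-01
srv-file-01,TeamViewer Host,15.42,2022-11-02
"""


def classify(product: str):
    """Return the remote-management keyword a product name matches, or None."""
    name = product.lower()
    for kw in REMOTE_MGMT_KEYWORDS:
        if kw in name:
            return kw
    return None


def find_unapproved_remote_tools(inventory_csv: str, approved=APPROVED_REMOTE_TOOLS):
    """Return [(host, product, installed)] for remote management tools outside the approved list."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        kw = classify(row["product"])
        if kw is not None and kw not in approved:
            findings.append((row["host"], row["product"], row["installed"]))
    # Newest installs first: a tool that appeared recently is the one to investigate immediately.
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for host, product, installed in find_unapproved_remote_tools(SAMPLE_INVENTORY):
        print(f"INVESTIGATE {host}: unapproved remote tool '{product}' installed {installed}")
```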

All accounts with password logins are required to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies. Organizations must also require phishing-resistant multi-factor authentication for all services to the extent possible; review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts; and audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.

They must also implement time-based access for accounts set at the admin level and higher, and segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks and by restricting adversary lateral movement. 

Organizations must identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network.

Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Organizations must also install, regularly update, and enable real-time detection for antivirus software on all hosts, and securely monitor remote desktop protocol (RDP) use.
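The “common and uncommon network connections for each host” idea above can be turned into a simple lateral-movement detector: learn the usual (source, destination) pairs, then alert when a host fans out to several new internal hosts on administrative ports within a short window. This is an added example, not code from the notification; the log format, the baseline pairs, the port list and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports typically used for remote administration and file access between hosts (assumed list).
ADMIN_PORTS = {445, 3389, 5985, 5986}

# Per-host connections seen during a learning period (constructed baseline of "common" pairs).
BASELINE = {("ws-fin-07", "10.0.2.15"), ("srv-backup-01", "10.0.2.15"),
            ("srv-backup-01", "10.0.2.16")}

# Constructed connection-log lines in a simplified EDR/NetFlow style.
SAMPLE_LOG = """\
2023-07-12T03:14:05 src=ws-fin-07 dst=10.0.2.15 dport=445
2023-07-12T03:14:09 src=ws-fin-07 dst=10.0.2.21 dport=445
2023-07-12T03:14:11 src=ws-fin-07 dst=10.0.2.22 dport=445
2023-07-12T03:14:12 src=ws-fin-07 dst=10.0.2.23 dport=3389
2023-07-12T03:14:20 src=ws-fin-07 dst=10.0.2.24 dport=5985
2023-07-12T03:15:00 src=srv-backup-01 dst=10.0.2.16 dport=445
2023-07-12T09:30:00 src=ws-hr-03 dst=10.0.2.40 dport=443
2023-07-12T09:31:00 src=ws-hr-03 dst=10.0.2.41 dport=445
"""


def parse(line: str):
    """Parse one 'timestamp key=value ...' line into (ts, src, dst, dport)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


def detect_fan_out(log: str, window=timedelta(minutes=5), threshold=3):
    """Return {src: [new hosts]} for sources reaching >= threshold non-baseline hosts
    on admin ports within the sliding window; baseline pairs and other ports are ignored."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> (ts, dst) of uncommon admin-port connections in window
    alerts = {}
    for ts, src, dst, port in events:
        if port not in ADMIN_PORTS or (src, dst) in BASELINE:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop connections older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            alerts[src] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for src, hosts in detect_fan_out(SAMPLE_LOG).items():
        print(f"ALERT {src}: admin-port connections to {len(hosts)} new hosts: {', '.join(hosts)}")
```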

Organizations must also adopt timely patching as an efficient and cost-effective step an organization can take to minimize its exposure to cybersecurity threats. They should prioritize patching of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog. Additionally, they must disable unused ports, consider adding an email banner to emails received from outside the organization, disable hyperlinks in received emails, and disable command-line and scripting activities and permissions.

In September, the FBI released an alert highlighting emerging ransomware trends that are impacting the same victims and identified data destruction trends. As of July this year, the FBI noted that these new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.
