In this article, Javvad Malik, security awareness advocate at KnowBe4, delves into a recently published report from Analyst1 to determine what the initial access vector or root cause is for most cybercriminal gangs.
Security researchers and practitioners spend countless hours studying cyber criminals and the way they operate so that organisations can be better prepared to defend against attacks.
Security firm Analyst1 is no different, and recently released a 58-page report on the major ransomware cartels along with an accompanying blog post. It is an in-depth read, and worth examining in some more detail to find out how these cartels operate.
The Initial Cause
When reading reports on threat actors, I have always been interested in finding out what the initial access vector, or root cause, is for most of these gangs. This was true when I took it upon myself to read 100 threat intelligence reports and outlined the findings in my white paper, “Using Threat Intelligence to Build Data-Driven Defense”, in which I tried to determine the initial root cause of most attacks.
As the image below shows, spear phishing was by far the most common attack avenue.
So, I was keen to see what I could glean from the Analyst1 report, and whether its authors had observed similar initial access tactics and techniques to those I found.
A Spider’s Web
The Analyst1 report looked into five major ‘spider’ groups (spider being CrowdStrike’s naming convention for e-crime related groups).
The initial access vectors for these groups were listed as follows:
Initial infection vector varies:
a. A phishing email delivers a malicious macro-enabled Office document that drops commodity malware such as IcedID, Qbot or Ursnif.
b. In other instances, the attacker uses brute-force tactics to exploit RDP on vulnerable or misconfigured internet-facing devices.
c. The attacker also gains access by exploiting unpatched, vulnerable VPN software.
The attacker sends a phishing email to deliver a malicious macro-enabled Office document.
a. Viking Spider uses brute-force tactics to exploit vulnerable or misconfigured internet-facing devices running the Remote Desktop Protocol (RDP), leading to initial access.
b. Another initial access tactic Viking Spider used was to exploit vulnerable remote IT management tools such as ConnectWise and Kaseya to gain access, deliver malware and steal victim data from the MSP customer’s environment.
Wizard Spider utilises a spear-phishing email with a malicious URL to gain initial entry into victim environments.
The Lockbit Gang
The specifics of the initial compromise with this particular attack chain are unknown, but Lockbit likely uses other common vectors such as phishing emails that deliver malicious lure documents. Interestingly, according to Sophos, the victims they observed had no public (internet-facing) systems, but many of their internal systems had poor security hygiene.
a. Similar to the first Lockbit attack chain discussed, Lockbit manages and initiates the attack from one central victim within the target environment.
The SunCrypt Gang
The attacker gains initial access using multiple vectors: spear-phishing emails with malicious attachments, or brute-forced RDP connections to victim infrastructure.
Teach a Man to Phish…
The analysis of these ransomware cartels remains consistent with what we have seen previously. Phishing remains the attack avenue of choice for cyber criminals, cartels and nation-state actors alike.
Next on the list come exploitation of unpatched, internet-facing software (VPN appliances and remote IT management tools in the cases above) and brute-forced RDP connections.
From the perspective of defending against ransomware cartels, then, anti-phishing measures, prompt patching of internet-facing software, and protection against brute-force attacks on exposed remote access services such as RDP remain the three best controls to invest in.
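Of the three, brute-forced RDP is the one a defender can catch directly in telemetry they almost certainly already collect. The following detector is an added example for this article, not code from Analyst1 or from the author: it walks a constructed export of Windows Security events (ID 4625, logon failed; ID 4624, logon succeeded) and raises an alert when one source address racks up five or more failed RDP logons (LogonType 10, RemoteInteractive) inside a two-minute window, then escalates if that same address later logs on successfully, which is the point at which a brute-force attempt becomes an initial access event. The JSON field names, thresholds and sample records are assumptions chosen for the example; map them to whatever your log shipper or SIEM emits.

```python
"""Detect RDP brute-force attempts, and a success that follows one, from
Windows Security events 4625/4624.

Added example for this article (not Analyst1's or the author's code).
Assumes events were exported as one JSON object per line with the fields
used below; field names, thresholds and the sample records are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # look-back window per source IP (assumed tuning)
THRESHOLD = 5                  # failed RDP logons in WINDOW that trigger an alert
RDP_LOGON_TYPE = 10            # RemoteInteractive: the LogonType RDP sessions use

# Constructed sample export. 203.0.113.5 is the attacker (six failures across
# five accounts, then a success as svc_backup). 198.51.100.20 is a user who
# mistyped a password once. 192.0.2.9 fails repeatedly but over LogonType 3
# (network logon), so this RDP-specific rule must ignore it.
SAMPLE_EVENTS = """\
{"time": "2021-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:00:15", "event_id": 4625, "logon_type": 10, "user": "j.smith", "src_ip": "198.51.100.20", "host": "fs01"}
{"time": "2021-03-01T02:00:20", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "192.0.2.9", "host": "fs01"}
{"time": "2021-03-01T02:00:22", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:00:31", "event_id": 4624, "logon_type": 10, "user": "j.smith", "src_ip": "198.51.100.20", "host": "fs01"}
{"time": "2021-03-01T02:00:40", "event_id": 4625, "logon_type": 10, "user": "scanner", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:00:55", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "192.0.2.9", "host": "fs01"}
{"time": "2021-03-01T02:01:02", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:01:30", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.5", "host": "fs01"}
{"time": "2021-03-01T02:01:45", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.5", "host": "fs01"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for RDP brute force and for a success following one.

    One 'rdp_bruteforce' alert is raised per source IP the first time it
    reaches `threshold` failures within `window`; later failures update that
    alert instead of duplicating it. A 4624 from a flagged IP raises a
    separate 'rdp_success_after_bruteforce' alert.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of failures in window
    users = defaultdict(set)       # src_ip -> account names tried
    flagged = {}                   # src_ip -> its brute-force alert dict
    alerts = []
    for ev in events:
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue  # not an RDP logon; out of scope for this rule
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append(ev["time"])
            users[ip].add(ev["user"])
            while recent and ev["time"] - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if ip in flagged:
                flagged[ip].update(last_seen=ev["time"], failures=len(recent),
                                   users=sorted(users[ip]))
            elif len(recent) >= threshold:
                alert = {"type": "rdp_bruteforce", "src_ip": ip, "host": ev["host"],
                         "first_seen": recent[0], "last_seen": ev["time"],
                         "failures": len(recent), "users": sorted(users[ip])}
                flagged[ip] = alert
                alerts.append(alert)
        elif ev["event_id"] == 4624 and ip in flagged:
            # The brute force paid off: treat this as an initial access event.
            alerts.append({"type": "rdp_success_after_bruteforce", "src_ip": ip,
                           "host": ev["host"], "user": ev["user"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Two caveats worth knowing before putting a rule like this into production. First, it keys on the source IP, so a password spray distributed across many addresses (a few guesses each) slips under the per-IP threshold; a second rule keyed on the number of distinct accounts tried per host, regardless of source, covers that case. Second, when Network Level Authentication is enabled, failed RDP logons are commonly recorded with LogonType 3 rather than 10, so on NLA-protected hosts the filter above would need to admit LogonType 3 events from RDP-related logon processes as well, or the rule will miss exactly the traffic it was written for.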