FortiGuard Labs Perspectives
Last year cast a bright spotlight on cybersecurity with the risks that surfaced due to the rise of remote work. The year was capped off by one of the most significant supply chain hacks in recent years. Now in 2021 we have cyber adversaries attempting to exploit Microsoft Exchange Server vulnerabilities with DearCry ransomware. Cybersecurity risk has never been greater as everything is interconnected in a larger digital environment.
Three members of Fortinet’s FortiGuard Labs team – Derek Manky, Aamir Lakhani, and Douglas Santos – offer perspective on ransomware and recent cyberthreat trends, with a goal of better understanding the level of threat and what organizations should do.
DearCry ransomware is a new malware campaign where threat actors are leveraging known vulnerabilities in Microsoft Exchange Server to install ransomware. The ransomware has been identified as DoejoCrypt/DearCry.
Derek - Among the types of attacks that keep security professionals up at night, it is ransomware for sure, and the threat shows no signs of slowing down. Our latest global Threat Landscape Report showed that ransomware activity jumped an astounding sevenfold in the second half of 2020 when compared with the first six months.
The recent DearCry ransomware attempting to exploit Microsoft Exchange vulnerabilities shows that once a high profile vulnerability has been disclosed, cybercriminals will attempt to maximize the opportunity. While it is DearCry today, other campaigns will follow suit later.
For now, though, the first step for any organization with a Microsoft Exchange server is to take investigative steps to check for signs of compromise and patch. Microsoft has released patches for these vulnerabilities.
Douglas - I agree. With the number of new zero-day vulnerabilities out there, and the number of watering-hole attacks using these zero-day exploits, the next big hack could be a website visit away. Even with the latest security controls in place, if you have a zero-day breach you are going to have to rely on all three pillars of a robust cybersecurity program – people, processes, and technology – to identify the threat as soon as it breaks out. Anti-exploit and EDR (endpoint detection and response) solutions are excellent tools for discovering malware on an endpoint device before it migrates to the network and then sharing that information downstream. An ISFW (internal segmentation firewall) can then apply dynamic segmentation to quarantine the host. And SOAR (security orchestration, automation, and response) can quickly create remediations around that newly gathered intelligence.
Aamir - The reality is, ransomware is not complex and sophisticated malware. Ransomware and many other types of malware take advantage of vulnerabilities. Zero-day vulnerabilities by their very nature are difficult to protect against; that is why patching critical flaws is very important. When vulnerabilities are released, it is often only a short time before they are weaponized, and their code is leaked on the Internet. What happens next is multiple attackers trying to create malware or malware code other attackers can use to incorporate into web shells for remote exploits, ransomware, or other attacks.
However, this actually makes it much more dangerous because the threshold of knowledge that attackers must possess is low, which means that ransomware toolkits can be downloaded from the Internet and modified with minimum programming knowledge. Volume-wise, there are other threats that may be more prevalent. But ransomware is a leading threat based on the impact it has within an organization, as one ransomware attack can completely shut down a business.
Aamir - Some organizations have a hard time patching devices. When out-of-band patches, which are sometimes the most critical patches, are released, organizations have to divert resources to investigating and testing the patches. Often, users have administrative rights on their system to ease the burden and costs of management and IT support staff, but that makes it difficult to automate patches and updates. And in large, mobile environments, getting users to apply patches can be difficult because of things like geographic disparity. However, if these problems were to be solved, most ransomware simply would not be effective.
Derek - For ransomware in general, the problem is not just awareness – it is rooted in human behavior. Awareness and action are two very different things. In addition to broad brush attacks that target everyone, emails are also being cleverly written to target specific types of individuals at an organization, either directly, or through a technique where they insert phishing emails into an active email thread to increase the likelihood of it being clicked on, called email thread hijacking. But regardless of who is being targeted, everyone is susceptible to a carefully crafted email arriving when they are just distracted enough to not be paying attention.
Derek - What has been on the rise, and what I predicted would get worse, are the more targeted ransomware attacks that cost businesses more from an operational and regulatory perspective. Attackers are constantly keeping an eye out for the weakest link in security. That could be people, technology, supply chains, or bad cyber hygiene. Cyber adversaries like to follow the path of least resistance, like the flow of water – finding any crack they can to slip through. Malware and ransomware attacks in general are a completely different game now because these attacks are being targeted and specifically crafted to certain internal systems. Another factor contributing to the growing attacks on businesses and enterprise organizations is the ready availability of Ransomware-as-a-Service (RaaS) offerings, which is something I predicted years ago would happen as an evolution of ransomware. The targets of ransom will become higher profile. Meaning, the risk is rising moving forward – and ransom is becoming more targeted, meaning a higher reward model for cybercriminals.
Douglas - Yes, but I also believe that we still may see yet another mass ransomware exploit, such as the one we experienced with WannaCry, simply because there are a lot more ‘wormable’ vulnerabilities out there. It’s just a matter of time. The recent DearCry ransomware attempting to exploit Microsoft Exchange Server vulnerabilities is the latest example to reach global attention.
Aamir - I think we will see a rise in ransomware attacks. There are many people in IT that are working under more stress and more pressure than before. Additionally, other industries, such as healthcare and some types of manufacturing and transportation, are under more pressure than before to keep their networks up and running. Attackers understand that these industries might rather pay a ransom than deal with any slowdown or shutdown in their operations. If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers.
Derek - While each network environment is different, there are steps any organization can begin to implement today to reduce their risk from ransomware and other advanced threats. A key takeaway is to leverage people, technology, and processes to quickly gather threat intelligence about active attacks on a network and act on it, using automation where possible.
Threat intelligence demonstrates an unprecedented cyber threat landscape where cyber adversaries work to maximize the constantly expanding attack surface to scale threat efforts around the world. DearCry ransomware is a reminder of this. The good news is that most organizations have their long-term remote worker strategy in place. Therefore, now is a perfect time to review the steps outlined above, conduct a thorough review of security policies, and make necessary adjustments. Every step taken now to tighten down policies and practices is a threat potentially averted.
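The detection-to-containment flow Douglas describes (an EDR alert on the endpoint, an internal segmentation firewall quarantining the host, SOAR turning the new intelligence into remediation tasks) and Derek's closing advice to act on threat intelligence with automation where possible can be sketched as a small playbook. The following Python is an added example written for this page; it is not Fortinet's code and does not use any Fortinet product API. The EDR alert lines, hostnames, addresses, field names, severity threshold and the deny-rule text are all constructed assumptions for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample EDR alerts, one JSON object per line. Field names, hosts
# and addresses are assumptions for this example, not any product's schema.
SAMPLE_EDR_ALERTS = """\
{"ts": "2021-03-15T10:02:11Z", "host": "ws-1042", "ip": "10.20.5.17", "category": "ransomware", "severity": 9, "detail": "mass rename of user files to a new extension"}
{"ts": "2021-03-15T10:02:40Z", "host": "ws-1042", "ip": "10.20.5.17", "category": "ransomware", "severity": 9, "detail": "ransom note written to multiple directories"}
{"ts": "2021-03-15T10:05:03Z", "host": "srv-exch01", "ip": "10.20.1.8", "category": "webshell", "severity": 8, "detail": "IIS worker process spawned a command shell"}
{"ts": "2021-03-15T10:06:30Z", "host": "ws-2001", "ip": "10.20.6.3", "category": "pua", "severity": 3, "detail": "potentially unwanted application installed"}
this line is not JSON and must be skipped by the parser
"""

# Alerts at or above this severity trigger containment (assumed threshold).
QUARANTINE_THRESHOLD = 7

# Generic remediation steps a SOAR ticket would carry; wording is illustrative.
REMEDIATION_STEPS = [
    "Confirm the host is isolated by the segmentation firewall",
    "Collect volatile evidence and EDR telemetry before any reboot",
    "Reset credentials that were used on the host",
    "Patch or rebuild the host before reconnecting it to the network",
]


@dataclass
class ContainmentAction:
    host: str
    ip: str
    max_severity: int
    categories: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)


def parse_alerts(raw: str) -> List[dict]:
    """Parse newline-delimited JSON alerts, dropping malformed or incomplete lines."""
    alerts = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a production pipeline would log the bad line; here it is skipped
        if isinstance(alert, dict) and {"host", "ip", "severity", "category"}.issubset(alert):
            alerts.append(alert)
    return alerts


def build_plan(alerts: List[dict], threshold: int = QUARANTINE_THRESHOLD) -> Dict[str, ContainmentAction]:
    """Collapse alerts per host, keep the highest severity, and drop hosts below the threshold."""
    plan: Dict[str, ContainmentAction] = {}
    for a in alerts:
        if a["severity"] < threshold:
            continue
        action = plan.setdefault(a["host"], ContainmentAction(a["host"], a["ip"], a["severity"]))
        action.max_severity = max(action.max_severity, a["severity"])
        if a["category"] not in action.categories:
            action.categories.append(a["category"])
        action.evidence.append(f'{a.get("ts", "?")} {a.get("detail", "")}'.strip())
    return plan


def render_segmentation_rules(plan: Dict[str, ContainmentAction]) -> List[str]:
    """One deny rule per quarantined host. The rule text is a generic illustration,
    not a specific vendor's firewall syntax."""
    return [
        f"deny from {action.ip} to any  # quarantine {host}, severity {action.max_severity}"
        for host, action in sorted(plan.items())
    ]


def render_tickets(plan: Dict[str, ContainmentAction]) -> List[dict]:
    """One remediation ticket per host, carrying the evidence that justified containment."""
    return [
        {
            "title": f"Contain {host} ({', '.join(action.categories)})",
            "evidence": action.evidence,
            "steps": REMEDIATION_STEPS,
        }
        for host, action in sorted(plan.items())
    ]


if __name__ == "__main__":
    plan = build_plan(parse_alerts(SAMPLE_EDR_ALERTS))
    for rule in render_segmentation_rules(plan):
        print(rule)
    for ticket in render_tickets(plan):
        print(json.dumps(ticket, indent=2))
```

The point of the threshold and per-host collapse is that automation should contain decisively on high-confidence ransomware signals (two alerts on ws-1042 become one quarantine rule and one ticket) while leaving low-severity noise such as the PUA event to a human queue, so the playbook does not isolate hosts on every alert.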