One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1796485
Publication date 2020-07-08 11:00:00 (viewed: 2020-07-08 11:06:14)
Title Ransomware attacks on the perimeter
Text This blog was written by a guest blogger.

As companies shift more focus to combating the recent epidemic of ransomware attacks, they are faced with choices on how best to deploy defenses to counter new attacker tactics and stay ahead of the threat. While many of these efforts focus on system backup and recovery processes, anything that can be done to stop an attacker from gaining an initial foothold on the network (often referred to as the original entry point in data breach terminology) substantially reduces the chance of the incident occurring.

While ransomware attackers have traditionally relied on spear phishing emails with malicious attachments and other client-side attacks to gain a network foothold, more advanced ransomware campaigns such as SamSam have continued to adopt a wider variety of skilled attacker tactics, including directly probing and exploiting external perimeter services. The FBI recently highlighted this trend in a public service announcement last month entitled “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”, which named perimeter attacks against remote desktop protocol (RDP) as one of the primary methods of infection.

As someone who works in the vulnerability scanning and penetration testing sphere, I can say that attacker tactics on the perimeter have dramatically improved since the earlier part of the decade, with the combination of improved RDP brute-forcing libraries in wide distribution, better open source intelligence gathering methods, and leaked credential databases available to help arm these tools. A recent Shodan query shows over 3.5 million exposed RDP services as of the writing of this blog post, and this number has actually trended upwards over the years, so this is not a problem going away anytime soon.

The fact that the sorts of small to midsize organizations that tend to allow direct perimeter access to remote desktop also correlate strongly with the typical targets of ransomware campaigns makes the issue even more pressing. Some observations on what organizations can do:

1) While various methods of securing or enhancing the protections around RDP services exist, it's really best to ensure it's only accessible behind a VPN with strong security protections. Sometimes companies fall into the way of thinking that if remote desktop is patched against vectors like BlueKeep or has Network Level Authentication enabled, it's an effective control, but the most common wave of attacks simply targets weak or stolen credential sets, which these controls do little to mitigate. Focus on removing the RDP attack surface entirely from the perimeter.

2) Don't fall into the trap of assuming that RDP is the only attack surface that matters (even though it gets most of the hype). We've already seen heavy usage of JBoss-based exploits by ransomware attackers, and that will surely expand as the low-hanging fruit from the existing ransomware attack vectors becomes mined out. Security tools such as masscan can be retrofitted by attackers with new probes and payloads to rapidly scan for and target millions of potentially vulnerable systems. Any vulnerability which allows for code execution on externally facing network services, particularly on Windows systems, will be a primary candidate for this sort of attack vector.

3) Ensure you have a mechanism to ensure pr
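The post's first observation is that patching and Network Level Authentication do nothing against the credential-guessing wave it describes, so a perimeter RDP service needs to be removed or, at minimum, watched for that exact pattern. The following is an added example, not code from the original post or from AlienVault: it runs a sliding-window detector over constructed authentication records. The record layout (timestamp, FAIL/OK, src=, user=, svc=) is an assumption made for this example and is not any product's real log format; in practice the parser would be pointed at whatever your RDP gateway or Windows security log actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the original post). The field layout is an
# assumption chosen for this example, not a real product's log format:
#   <ISO-8601 UTC timestamp> <FAIL|OK> src=<client ip> user=<account> svc=<service>
SAMPLE_LOG = """\
2020-07-08T10:00:01Z FAIL src=203.0.113.7 user=administrator svc=rdp
2020-07-08T10:00:03Z FAIL src=203.0.113.7 user=admin svc=rdp
2020-07-08T10:00:05Z FAIL src=203.0.113.7 user=jsmith svc=rdp
2020-07-08T10:00:07Z FAIL src=203.0.113.7 user=backup svc=rdp
2020-07-08T10:00:09Z FAIL src=203.0.113.7 user=scanner svc=rdp
2020-07-08T10:00:11Z OK   src=203.0.113.7 user=backup svc=rdp
2020-07-08T10:30:00Z FAIL src=198.51.100.20 user=jsmith svc=rdp
2020-07-08T10:31:00Z OK   src=198.51.100.20 user=jsmith svc=rdp
2020-07-08T11:00:00Z FAIL src=192.0.2.9 user=alice svc=vpn
"""

FAIL_THRESHOLD = 5        # failures from one source inside WINDOW -> brute force alert
SUCCESS_AFTER_FAILS = 3   # a success preceded by this many recent failures -> alert
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in ("FAIL", "OK"):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "ok": parts[1] == "OK"}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec if "src" in rec and "user" in rec else None


def detect(lines, service="rdp"):
    """Return alerts for failure bursts and for successes that follow a burst.

    Keeps, per source IP, a sliding window of recent failures (timestamp, user).
    A brute_force alert fires once per source when the window reaches
    FAIL_THRESHOLD; a success_after_failures alert fires on every successful
    logon that follows at least SUCCESS_AFTER_FAILS failures inside WINDOW,
    which is the shape a guessed or leaked credential finally working takes.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures within WINDOW
    flagged = set()               # sources already reported as brute forcing
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("svc") != service:
            continue
        q = recent[rec["src"]]
        while q and rec["ts"] - q[0][0] > WINDOW:   # expire failures older than WINDOW
            q.popleft()
        if not rec["ok"]:
            q.append((rec["ts"], rec["user"]))
            if len(q) >= FAIL_THRESHOLD and rec["src"] not in flagged:
                flagged.add(rec["src"])
                alerts.append({
                    "kind": "brute_force",
                    "src": rec["src"],
                    "ts": rec["ts"],
                    "failures": len(q),
                    # many distinct users with few tries each is the
                    # leaked-credential-list / spraying shape described in the post
                    "distinct_users": len({u for _, u in q}),
                })
        elif len(q) >= SUCCESS_AFTER_FAILS:
            alerts.append({
                "kind": "success_after_failures",
                "src": rec["src"],
                "ts": rec["ts"],
                "user": rec["user"],
                "failures": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, 203.0.113.7 produces a brute_force alert at its fifth failure (five distinct accounts in ten seconds) and a success_after_failures alert when the `backup` account then logs in; the single failure from 198.51.100.20 before a normal logon stays below both thresholds, and the VPN record is skipped because the detector is scoped to one service. The thresholds are deliberately conservative so that the detector is a tripwire for exposure that should not exist rather than a substitute for taking RDP off the perimeter.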
Notes
Sent Yes
Tags Ransomware Data Breach Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.