Old Vulnerabilities, New Ransomware Attacks: A Dangerous Combo
Let’s talk some more about just how relentless and opportunistic ransomware hijackers are. For starters, the number of critical security vulnerabilities associated with ransomware increased nearly five percent, from 266 to 278, in the third quarter of 2021, according to a recent report by security provider Ivanti.
Next, consider this: the number of trending vulnerabilities actively exploited in attacks by ransomware crews rose by 4.5 percent to 140 and, along with five new families (a 3.4 percent rise), drove the total to 151, according to Ivanti’s Q3 2021 Spotlight Report, compiled jointly with security providers Cyware and CyberSecurityWorks (CSW).
In Q3, new ransomware groups capitalized on dangerous vulnerabilities ahead of patches or workarounds, such as:
- PrintNightmare, a remote code execution vulnerability in Windows.
- PetitPotam, which hackers can potentially use to attack Windows domain controllers or other Windows servers.
- ProxyShell, a set of vulnerabilities in Microsoft Exchange servers that allows hackers to bypass authentication and execute code as a privileged user.
Ransomware syndicates also adopted new techniques, the report said, such as dropper-as-a-service, which lets small operatives drop payloads on a victim’s computer, and malware-as-a-service, which lets anyone with an internet connection easily obtain and deploy customized malware in the cloud.
Old Vulnerabilities, New Ransomware Attacks: The Data
New vulnerabilities overwhelmingly are not what lights up ransomware crews, Ivanti said. Of particular note, the volume of vulnerabilities identified before 2021 associated with ransomware stands at 258, amounting to more than 92 percent of all security flaws tied to the malware, the report said. For example, in Q3, the Cring ransomware group targeted two older vulnerabilities, CVE-2009-3960 and CVE-2010-2861, that have had patches for over a decade.
While organizations are continually reminded how vital timely patch management is for mitigating known and critical vulnerabilities, the report also revealed that ransomware groups continue to find and leverage zero-day vulnerabilities, even before the CVEs (Common Vulnerabilities and Exposures entries) are added to the National Vulnerability Database (NVD) and patches are released.
As a case in point: in the high-profile Kaseya VSA hack, REvil exploited a vulnerability in the MSP-centric security management provider’s software while the vendor was actively working on a patch. The Kaseya attack by REvil brings up two important facts about ransomware gangs, Ivanti said, which also serve as advice for system administrators and IT security teams:
- Ransomware groups continue to exploit zero-day vulnerabilities even before the NVD publishes them.
- A need for an agile-patching cadence that addresses vulnerabilities as soon as they are identified, rather than waiting for a regular sprint cycle.
Here is Ivanti’s analysis of the vulnerabilities:
- Of the 12 vulnerabilities newly associated with ransomware, five belong to the most dangerous exploit category: remote code execution. Four others affect web applications, two of which can be manipulated to launch denial-of-service (DoS) attacks.
- Three CVEs belong to CWE-269, a weakness (improper privilege management) that ransomware groups often capitalize on.
- The newly added vulnerabilities include three critical-severity vulnerabilities, each with a CVSS (Common Vulnerability Scoring System) score of 9.8, exploited by the Sodinokibi, Conti, and LockFile families. Four of the newly added vulnerabilities (CVE-2021-1675, CVE-2021-34473, CVE-2021-34523, and CVE-2021-34527) were found trending with active exploits in the wild during Q3.
“Ransomware groups continue to mature their tactics, expand their attack arsenals, and target unpatched vulnerabilities across enterprise attack surfaces,” Srinivas Mukkamala, Ivanti security products senior vice president, said. “It’s critical that organizations take a proactive, risk-based approach to patch management and leverage automation technologies to reduce the mean time to detect, discover, remediate, and respond to ransomware attacks and other cyber threats.”
DHS Orders Vulnerability Fixes
Meanwhile, in a related effort launched in early November 2021, the Department of Homeland Security’s (DHS) cyber unit ordered federal agencies to immediately fix hundreds of known hardware and software vulnerabilities already exploited by threat actors to attack government networks and systems.
The rare binding operational directive (BOD 22-01), issued by the Cybersecurity and Infrastructure Security Agency (CISA) relates to the agency’s working catalog of nearly 300 security flaws it wants fixed that “carry significant risk to the federal enterprise.” The order holds important implications for managed security service providers (MSSPs), including:
- MSSP Leaders: MSSPs that proactively patched government systems before the order arrived could potentially solidify their reputations within and across U.S. government agencies.
- MSSP Laggards: Government-focused MSSPs late to the patching effort could be left scrambling to close agency vulnerabilities.
- MSSP Opportunists: MSSPs that are seeking to enter the federal market or expand their vertical market footprint can pitch vulnerability assessment and patch management services.
The BOD covers about 90 known security flaws identified this year alone and roughly another 200 observed in use by hackers dating back to 2017, and applies to federal executive branch departments and agencies.
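As an added example (not from the article, Ivanti, or CISA), here is how a defender could turn the BOD 22-01 catalog into a routine check that drives the agile patching cadence the report calls for: load a KEV-style catalog with remediation due dates, match it against vulnerability-scanner findings, and rank affected hosts by how far past the due date they are. The catalog column names are an assumption modelled on CISA's CSV layout; the dates, hostnames and findings are constructed for the example, and only the CVE IDs come from the article.

```python
import csv
import io
from datetime import date
AS_OF = date(2021, 11, 17)  # constructed "today" for the example

# Constructed KEV-style catalog: column names are an assumption modelled on CISA's
# catalog CSV, dates are made up for this example, CVE IDs come from the article.
KEV_CSV = """cveID,dateAdded,dueDate,knownRansomwareCampaignUse
CVE-2021-34527,2021-11-03,2021-11-10,Known
CVE-2021-34473,2021-11-03,2021-11-17,Known
CVE-2021-34523,2021-11-03,2021-11-17,Known
CVE-2010-2861,2021-11-03,2022-05-03,Known
CVE-2009-3960,2021-11-03,2022-05-03,Known
"""
# Constructed scanner findings as (hostname, CVE) pairs.
FINDINGS = [
    ("print-srv-01", "CVE-2021-34527"),  # PrintNightmare
    ("mail-01", "CVE-2021-34473"),       # ProxyShell
    ("mail-01", "CVE-2021-34523"),       # ProxyShell
    ("cf-legacy-01", "CVE-2010-2861"),   # decade-old flaw used by Cring
    ("build-01", "CVE-2021-1675"),       # not in the constructed catalog
]

def load_catalog(kev_csv):
    """Parse the catalog into {cveID: {"due": date, "ransomware": bool}}."""
    catalog = {}
    for row in csv.DictReader(io.StringIO(kev_csv)):
        catalog[row["cveID"]] = {
            "due": date.fromisoformat(row["dueDate"]),
            "ransomware": row["knownRansomwareCampaignUse"] == "Known",
        }
    return catalog

def prioritize(findings, catalog, today):
    """Catalogued findings, most overdue first; days_overdue > 0 means the BOD
    due date has passed. Ties go to CVEs with known ransomware use."""
    hits = []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            continue  # not catalogued: patch on the normal cadence instead
        hits.append({"host": host, "cve": cve,
                     "days_overdue": (today - entry["due"]).days,
                     "ransomware": entry["ransomware"]})
    hits.sort(key=lambda h: (-h["days_overdue"], not h["ransomware"], h["cve"]))
    return hits

if __name__ == "__main__":
    for h in prioritize(FINDINGS, load_catalog(KEV_CSV), AS_OF):
        print(f"{h['cve']:15} {h['host']:13} {h['days_overdue']:+d} days vs due date")
```

Findings whose CVE is not in the catalog are deliberately left out of the ranking so the catalog-driven list stays short; they still belong in the normal patch queue.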