Ransomware attacks on the perimeter

July 8, 2020 | Mike Cotton

This blog was written by a guest blogger.

As companies shift more focus to combatting the recent epidemic in ransomware attacks, they are faced with choices on how to best deploy defenses to counter new attacker tactics and stay ahead of the threat.  While much of these efforts focus on system backup and recovery processes, anything that can be done to stop and attacker from gaining an initial foothold on the network (often referred to as an original-entry-point in data breach terminology), substantially reduces the chance of the incident occurring.

While ransomware attackers have traditionally relied on spear phishing emails with malicious attachments and other client-side attacks to gain a network foothold, more advanced ransomware campaigns such as SamSam have continued to adopt a wider variety of skilled attacker tactics including directly probing and exploiting external perimeter services.

The FBI recently highlighted this trend in a public service announcement last month entitled “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations” which highlighted perimeter attacks against remote desktop protocol (RDP) as one of the primary methods of infection.

As someone who works in the vulnerability scanning, penetration testing sphere, I can say that attacker tactics on the perimeter have dramatically improved since the earlier part of the decade with the combination of improved RDP brute forcing libraries in wide distribution, better open source intelligence gathering methods, and leaked credential databases available to help arm these tools.

A recent Shodan query shows over 3.5 million exposed RDP services as of the writing of this blog post and this number has actually trended upwards over the years so this is not a problem going away anytime soon.  The fact that the sorts of small to midsize organizations that tend to have issues with allowing direct perimeter access for remote desktop, also correlate strongly with the typical targets of ransomware campaign make the issue even more pressing.

Some observations on what organizations can do:

1) While various methods of securing or enhancing the protections around RDP services exist, it's really best to ensure it's only directly accessible behind a VPN with strong security protections.  Sometimes companies fall into the methodology of thinking if remote-desktop is patched against vectors like BlueKeep or has things like Network Level Authentication enabled, it's an effective control but the most common wave of attacks are simply targeting weak or stolen credentials sets which these controls do little to mitigate.  Focus on removing the RDP attack surface entirely from the perimeter.

2) Don't fall into the trap of assuming that RDP is the only attack surface that matters (even thought it gets most of the hype).  We've already seen heavy usage of JBoss based exploits by ransomware attackers and that will surely expand as low-hanging fruit from the existing ransomware attack vectors become mined-out.  Security tools such as massscan can be retrofitted by attackers with new probes and payloads to rapidly scan for and target millions of potentially vulnerable systems.

Any vulnerability which allows for code execution on externally facing network services, particularly on Windows systems, will be a primary candidate for this sort of attack vector.

3) Ensure you have a mechanism to ensure proper assessment and monitoring of new cloud-assets or it services as they come online.  Many times companies who otherwise have well secured architectures will use RDP as an ad-hoc solution for a cloud server hosted in a different environment and never bring it in scope for assessment or monitoring.  As companies continue to move away from contiguous network blocks and native IP address space these breakdowns are occurring with greater frequency.

Remember, when locking down networks against broad-focus ransomware style attacks, you don't have to be perfect, but simply present a tough enough target that attackers are forced to move on to others. As a friend of mine frequently reminds me in similar scenarios: "You don't have to outrun the bear, you just have to outrun the other campers".

Mike Cotton

About the Author: Mike Cotton

Mike Cotton is a software architect and security researcher who currently serves as the SVP of Engineering at Digital Defense Inc. He has over 15 years experience in the cybersecurity industry, helping companies of all sizes lock down their networks against data breaches and ransomware attacks. He has been interviewed many times by major outlets such as ThreatPost, ZDNet, DarkReading and others on new and emerging threat and vulnerability vectors and their usage in the wild by attackers.

Read more posts from Mike Cotton ›

‹ BACK TO ALL BLOGS

Watch a demo ›
Get price Free trial