3.2 Entry

In the entry phase, the adversary gains a foothold inside the victim’s technology environment. While this may mean that the adversary gains access to a computer inside the victim’s network, it could also be a cloud-based resource such as a virtual machine, a hosted application such as email, or a remote system such as an employee’s personal computer. Whatever the point of entry, the adversary will leverage this initial access during the next phase (expansion) to spread throughout the environment.

Common methods of entry include:

  • Phishing: The adversary sends an email, text, or other message designed to trick the victim into taking an action that gives the adversary information and/or access to the victim’s environment.

  • Remote logon: The adversary successfully gains access to an interactive session via a remote logon interface such as Remote Desktop Protocol (RDP), using credentials that have been guessed, stolen, purchased, or otherwise obtained.

  • Software vulnerability: A vulnerability is found in the victim’s Internet-facing applications, servers, or network equipment.

  • Technology supplier attack: The adversary has access to a supplier’s technology resources (such as a software provider or managed service provider [MSP]), whether legitimately or through compromise, and leverages this to gain access to the victim’s environment.

Let’s discuss how adversaries execute each entry method, and highlight the corresponding opportunities for detection and effective response techniques.

3.2.1 Phishing

Cyber extortion events often start with a phishing attack, in which the adversary sends a message designed to trick the intended victim into taking an action, such as clicking on a link or opening an infected attachment. Phishing kits, which automate the attack process, often sell for $5 to $15 on the dark web.

Phishing attacks can be conducted via any form of messaging, from email to SMS messages to social media. (Carrier pigeon, anyone?3) However, cyber extortionists typically aim to get a foothold within an organization’s network, and email is the most widely used method for transmitting messages from external senders to internal recipients in these types of environments.

3.2.1.1 Remote Access Trojans

The payload of phishing messages is often a remote access Trojan (RAT), which is a software utility designed to enable an adversary to remotely control or access a computer system.

The features of RATs vary widely, but typically they enable an adversary to do the following:

  • Establish a communication channel between the compromised endpoint and a controlling server

  • View data about the infected computer

  • Control the infected computer remotely

  • Evade detection

Sophisticated RATs can include advanced capabilities, enabling the adversary to take the following steps:

  • Automatically steal sensitive information from the victim’s computer, such as credit/debit card numbers, stored passwords, computer system information, and more

  • Interactively log on using Virtual Network Computing (VNC) or a similar program

  • Produce reports of user activity, account balances, web history, and more

  • Execute advanced privilege escalation attacks and facilitate the adversary’s lateral movement

  • Install additional malware (including ransomware)

  • Leverage the victim’s computer(s) to attack other organizations

Malicious Swiss Army knives such as Emotet and Trickbot rely on phishing campaigns to deliver their malware, which adversaries leverage to gain persistent access, steal information, and distribute other threats. The presence of a RAT is often a precursor of a cyber extortion attack.

Traditionally, RATs are delivered via social engineering attacks such as phishing emails, malicious websites, or compromised applications. The adversary who installs a RAT may conduct cyber extortion, or sell or rent access to other criminals, who in turn may choose to conduct cyber extortion themselves.

Opportunities for Detection

When an extortion attack starts with phishing, typically a user device is “patient zero,” the first system entered by the adversary. From there, the adversary establishes persistence, which typically involves a reverse shell of some kind (since most devices are blocked by the firewall from direct inbound Internet access). The adversary then leverages stolen credentials or unpatched vulnerabilities to escalate their account privilege, move laterally, and spread throughout the environment.

Specific indicators include the following:

  • Warnings and alerts in email security software: In some cases, the suspicious email may be automatically quarantined; in others, the email is sent along with a warning to the users, email administrator, or both. The user’s email system may also insert a warning in the subject or body of an email if the email meets certain criteria that are in line with characteristics of a phishing attack.

  • User report: A user may report the phishing message to the response team. When this happens, IT staff should quickly look for other users who received the same or similar phishing emails and remove those emails from other users’ inboxes. If any user clicked on a link or attachment in the suspected email, this should activate the organization’s incident response processes to ensure that any resulting infection is contained.

  • Malware sample: By analyzing a malware sample, you can often match it to specific known phishing campaigns or hacker groups and obtain lists of additional indicators to search for in the affected environment.

  • Email application logs: Application logs may contain warnings related to emails that have been processed, or alerts on blocked attempts, which can help you identify high-risk users, periods of unusual activity, changes in user risk profiles, and more.

  • Antivirus log entries: When a user clicks on a link or attachment in a phishing email and downloads or runs malware, it may generate an antivirus software alert.

  • Event logs: Similarly, when a user clicks on a link or attachment in a phishing email that results in code execution, it may generate records of unusual activity such as privileged command execution, scheduled task creation, or application and service starts or stops.
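The “user report” indicator above describes a concrete procedure: once one user reports a phishing message, find every other recipient of the same or a similar message and purge those copies. The following is an added example, not code from the book or its authors, that implements that triage over constructed mail-gateway log lines. The log format, the field names (`to`, `from`, `subject`, `att`, `action`) and the sample addresses are assumptions for the example; a real gateway would expose the same data in its own schema.

```python
import re

# Constructed mail-gateway log lines for this example (not from any real system).
# Assumed format: <timestamp> to=<recipient> from=<sender> subject="<subject>"
#                 att=<sha256 of attachment or -> action=<delivered|quarantined>
SAMPLE_MAIL_LOG = """\
2024-03-04T08:01:12Z to=alice@example.org from=billing@invoice-portal.example subject="Invoice 4471 overdue" att=sha256:aa11 action=delivered
2024-03-04T08:01:13Z to=bob@example.org from=billing@invoice-portal.example subject="Invoice 4472 overdue" att=sha256:aa11 action=delivered
2024-03-04T08:01:15Z to=carol@example.org from=accounts@invoice-portal.example subject="Invoice 4473 overdue" att=sha256:aa11 action=quarantined
2024-03-04T08:02:40Z to=dave@example.org from=hr@example.org subject="Holiday schedule" att=- action=delivered
2024-03-04T08:03:01Z to=erin@example.org from=notify@parcel-track.example subject="Invoice 9001 overdue" att=sha256:bb22 action=delivered
2024-03-04T08:05:22Z to=frank@example.org from=billing@invoice-portal.example subject="Your statement" att=- action=delivered
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) to=(?P<to>\S+) from=(?P<sender>\S+) '
    r'subject="(?P<subject>[^"]*)" att=(?P<att>\S+) action=(?P<action>\S+)'
)


def parse_mail_log(text):
    """Turn gateway log lines into dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def normalize_subject(subject):
    """Collapse per-recipient variation (invoice numbers, spacing, case) so one campaign's subjects compare equal."""
    subject = re.sub(r"\d+", "#", subject)
    return re.sub(r"\s+", " ", subject).strip().lower()


def find_campaign(events, reported):
    """Return every message sharing an indicator with the reported one.

    Indicators: same sender, same attachment hash, or same normalized subject. Each hit
    carries a 'reasons' list: an attachment-hash match is the strongest signal and a
    sender-only match the weakest, so an analyst can triage rather than treat hits alike.
    """
    wanted_subject = normalize_subject(reported["subject"])
    hits = []
    for ev in events:
        reasons = []
        if ev["sender"] == reported["sender"]:
            reasons.append("sender")
        if ev["att"] != "-" and ev["att"] == reported["att"]:
            reasons.append("attachment")
        if normalize_subject(ev["subject"]) == wanted_subject:
            reasons.append("subject")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def mailboxes_to_purge(hits):
    """Recipients whose matching message actually reached the inbox; quarantined copies need no purge."""
    return sorted({h["to"] for h in hits if h["action"] == "delivered"})


if __name__ == "__main__":
    events = parse_mail_log(SAMPLE_MAIL_LOG)
    reported = events[0]  # the message a user reported to the response team
    hits = find_campaign(events, reported)
    for h in hits:
        print(f'{h["to"]:22} {h["action"]:12} matched on {", ".join(h["reasons"])}')
    print("purge from:", mailboxes_to_purge(hits))
```

The purge list is only half of the response: any recipient who opened the attachment or followed the link should be handed to the incident response process, as the bullet above says, because purging the mailbox does nothing about a payload that has already run.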

3.2.2 Remote Logon

Many cyber extortion attacks occur because the adversary gained access to a remote logon interface, such as an RDP platform. Quite often, cyber extortionists purchase stolen credentials on the dark web from an initial access broker rather than stealing or guessing them.4 Then, the extortionists use these credentials to gain a foothold in the network and deploy their attack.

There are good reasons why “open” RDP services have traditionally been the root cause of a large percentage of extortion attacks:

  • No special tools are needed to gain remote access to the service.

  • RDP is a common protocol that often does not trigger alerts, particularly if it is actively used by employees or an IT administrator.

  • The adversary can often pivot through the compromised computer to gain access to other systems using RDP inside the network.

Many organizations use RDP or other remote access tools so that employees can log in to their workstations from home or while traveling, or so IT administrators or vendors can access an internal network remotely at all hours. This is also—and unfortunately—convenient for adversaries, who frequently steal credentials or use password-spraying attacks to gain unauthorized access.

The vast supply of stolen passwords available for free or for sale on the dark web has fueled these attacks. By the summer of 2020, researchers had identified more than 15 billion stolen username and password combinations on the dark web.5 At the time of this writing, stolen RDP credentials sell for $16 to $24 each.6

Many people reuse the same password for multiple accounts.7 Adversaries leverage this tendency by conducting “credential stuffing” attacks, in which they take stolen credentials and attempt to use them on a wide variety of logon interfaces. When they successfully log in to another account, they can either leverage it themselves or sell access to the newly compromised account.

In 2020, the COVID-19 pandemic suddenly created a rush to remote work. In response, many organizations rapidly enabled remote access with little security oversight, and were compromised as a result.

Opportunities for Detection

Common signs of remote authentication attack or compromise include the following:

  • Failed logon attempts: When an adversary conducts password spraying or credential stuffing attacks, there are often repeated failed logons (sometimes followed by a successful logon). This can occur at the perimeter, or it can occur within the network as the adversary attempts to move laterally. Unfortunately, many networks are not configured to record or report failed logon attempts on Microsoft Windows hosts within their network, meaning that an adversary can automate attempts to authenticate within the network without being detected.

  • Unusual successful logon attempts: These may include logins at odd times or places, distinct user-agent strings, and “impossible travel” alerts notifying of logons from geographically distant locations in quick succession.

  • Creation of new accounts: Such accounts may suddenly be used for remote access.
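The first two indicators above (failed logons across many accounts, then an unusual success) can be checked directly from remote-logon records. This added example, which is not from the book or its authors, runs three checks over constructed gateway records: a password-spray detector (one source failing against many distinct accounts inside a short window, which per-account lockout thresholds never catch), a lookup of any successful logon from a flagged source, and an “impossible travel” check using great-circle distance between consecutive successful logons for the same user. The log format, the source IPs, the geolocation values and the thresholds are assumptions for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed remote-logon records for this example (RDP gateway / VPN style), not real data.
# Assumed format: <timestamp> user=<name> src=<ip> result=<fail|success> lat=<deg> lon=<deg>
# (lat/lon stand in for the IP geolocation a gateway or SIEM would attach to each record).
SAMPLE_AUTH_LOG = """\
2024-03-04T02:00:01Z user=alice src=203.0.113.9 result=fail lat=52.52 lon=13.40
2024-03-04T02:00:03Z user=bob src=203.0.113.9 result=fail lat=52.52 lon=13.40
2024-03-04T02:00:05Z user=carol src=203.0.113.9 result=fail lat=52.52 lon=13.40
2024-03-04T02:00:07Z user=dave src=203.0.113.9 result=fail lat=52.52 lon=13.40
2024-03-04T02:00:09Z user=erin src=203.0.113.9 result=fail lat=52.52 lon=13.40
2024-03-04T02:00:11Z user=erin src=203.0.113.9 result=success lat=52.52 lon=13.40
2024-03-04T09:15:00Z user=alice src=198.51.100.20 result=success lat=40.71 lon=-74.01
2024-03-04T10:05:00Z user=alice src=203.0.113.77 result=success lat=35.68 lon=139.69
2024-03-04T09:30:00Z user=frank src=192.0.2.5 result=fail lat=51.51 lon=-0.13
2024-03-04T09:30:30Z user=frank src=192.0.2.5 result=success lat=51.51 lon=-0.13
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+) "
    r"lat=(?P<lat>-?[\d.]+) lon=(?P<lon>-?[\d.]+)"
)


def parse_auth_log(text):
    """Parse records into dicts with a timezone-aware timestamp and float coordinates."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["lat"], ev["lon"] = float(ev["lat"]), float(ev["lon"])
        events.append(ev)
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose failed logons touch at least min_accounts distinct accounts within one window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            by_src[ev["src"]].append(ev)
    flagged = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):  # slide the window over each failure as its start
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                flagged.append(src)
                break
    return sorted(flagged)


def successes_from_sources(events, sources):
    """Successful logons from a flagged source: the account the spray (or stuffing) actually hit."""
    wanted = set(sources)
    return [(e["user"], e["src"]) for e in events if e["result"] == "success" and e["src"] in wanted]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logons by one user that would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logons, logons[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Floor the elapsed time at one second so two logons in the same second do not divide by zero.
            hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600.0, 1 / 3600.0)
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["src"], "to": cur["src"], "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    sprayers = detect_password_spray(events)
    print("spraying sources:", sprayers)
    print("successes from those sources:", successes_from_sources(events, sprayers))
    print("impossible travel:", detect_impossible_travel(events))
```

The spray check only works if failed logons are recorded at all, which is the gap the first bullet points out: on Windows, successful and failed logons are events 4624 and 4625 in the Security log, and they appear only when the logon audit policy is enabled on the hosts concerned. The travel threshold is deliberately generous (airliner speed), so it flags the clearly impossible case without alerting on a user who connects from the office and then a nearby home.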

3.2.3 Software Vulnerability

Adversaries routinely search for exploitable vulnerabilities in widely used software and leverage these to launch cyber extortion attacks, as seen in the Kaseya attacks, as well as adversaries’ response to the ProxyShell and Log4j vulnerabilities (among many others). In the case of Accellion, the Cl0p group was able to exploit a critical vulnerability in Accellion FTA devices and steal sensitive data affecting more than 9 million individuals, resulting in an $8.1 million class-action settlement in January 2022.8

The “Shodan.io” search engine, which indexes Internet-connected devices, can be used by adversaries and defenders alike to identify potentially vulnerable Internet-facing services.

Timely patch deployment can dramatically reduce the risk of a perimeter device compromise. However, IT administrators are often unaware that their specific firmware or software version is vulnerable, particularly in organizations that have limited resources for IT management. Furthermore, zero-day vulnerabilities exist for perimeter devices, and may be incorporated into high-end exploit kits before the manufacturer has time to identify the issue.

Opportunities for Detection

Common signs of attack via perimeter software vulnerability include the following:

  • Alerts on port or vulnerability scans on perimeter devices (although this is a normal occurrence, so it’s important to review such alerts carefully and resist the urge to be lulled into complacency)

  • Strange error messages relating to that application or system, performance degradation (processes that overwhelm the processor or memory), or system/application crash

  • Unexpected outbound connections from servers or even workstations

  • Unusual and unrecognized processes or applications running on perimeter systems
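The “unexpected outbound connections from servers” sign is the one most easily turned into a check, because a perimeter or application server has a small, knowable set of things it should initiate connections to. This added example, not from the book or its authors, compares constructed firewall/flow log lines against a per-role outbound baseline and then goes one step further than the bullet: among the unexpected connections it looks for the near-constant check-in interval that a reverse shell or command-and-control client tends to produce. The log format, the server inventory (`SERVER_ROLES`), the baseline and the addresses are all hypothetical values for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall/flow log lines for this example (not real traffic).
# Assumed format: <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
SAMPLE_CONN_LOG = """\
2024-03-04T10:00:00Z src=10.0.1.10 dst=10.0.0.53 dport=53 proto=udp
2024-03-04T10:00:01Z src=10.0.1.10 dst=10.0.2.15 dport=5432 proto=tcp
2024-03-04T10:00:05Z src=10.0.1.10 dst=198.51.100.44 dport=443 proto=tcp
2024-03-04T10:00:30Z src=10.0.1.20 dst=10.0.0.53 dport=53 proto=udp
2024-03-04T10:00:31Z src=10.0.1.20 dst=203.0.113.25 dport=25 proto=tcp
2024-03-04T10:01:05Z src=10.0.1.10 dst=198.51.100.44 dport=443 proto=tcp
2024-03-04T10:02:05Z src=10.0.1.10 dst=198.51.100.44 dport=443 proto=tcp
2024-03-04T10:03:05Z src=10.0.1.10 dst=198.51.100.44 dport=443 proto=tcp
2024-03-04T10:07:00Z src=10.0.5.77 dst=198.51.100.44 dport=443 proto=tcp
"""

# Hypothetical inventory and per-role outbound baseline: what each server is supposed to talk to.
# "*" as the destination means "any host on that port".
SERVER_ROLES = {"10.0.1.10": "web", "10.0.1.20": "mail"}
BASELINE = {
    "web": {("10.0.0.53", 53), ("10.0.2.15", 5432)},  # internal DNS resolver, application database
    "mail": {("10.0.0.53", 53), ("*", 25)},            # internal DNS, SMTP delivery to any host
}

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def parse_conn_log(text):
    """Parse flow records; the timestamp becomes a datetime and the port an int."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_expected(role, dst, dport):
    """True if the role's baseline allows this destination, either exactly or via a wildcard host."""
    allowed = BASELINE.get(role, set())
    return (dst, dport) in allowed or ("*", dport) in allowed


def unexpected_outbound(events, roles=SERVER_ROLES):
    """Connections initiated by inventoried servers that fall outside their role baseline.

    Workstations are ignored here on purpose: their traffic is far noisier and needs its own baseline.
    """
    return [e for e in events if e["src"] in roles and not is_expected(roles[e["src"]], e["dst"], e["dport"])]


def beacon_candidates(events, min_count=4, max_jitter=0.2):
    """(src, dst, dport) tuples contacted repeatedly at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by their mean; a scripted check-in keeps it
    low, while human-driven traffic is irregular. Thresholds are example values, not universal ones.
    """
    by_tuple = defaultdict(list)
    for e in events:
        by_tuple[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            found.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps), "interval_s": round(mean)})
    return found


if __name__ == "__main__":
    events = parse_conn_log(SAMPLE_CONN_LOG)
    odd = unexpected_outbound(events)
    for e in odd:
        print(f'{e["ts"].isoformat()} {e["src"]} -> {e["dst"]}:{e["dport"]} not in baseline for {SERVER_ROLES[e["src"]]}')
    print("beacon candidates:", beacon_candidates(odd))
```

A baseline like this has to be maintained alongside change management (a new update server or log collector is a legitimate new destination), otherwise the alerts become the background noise the first bullet warns about. Checking for a regular interval on top of the baseline miss is what separates a misconfiguration from the persistent channel an intruder establishes after exploiting the perimeter.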

3.2.4 Technology Supplier Attack

Frighteningly, the entry point for a cyber extortion attack may be a supplier, such as an IT provider, MSP, equipment vendor, or cloud provider. In 2019, 22 towns in Texas were hit with a devastating REvil ransomware attack, which was traced back to their common MSP.9 After infiltrating the MSP’s network, the adversary leveraged the MSP’s normal remote administration tool, ConnectWise Control, to deploy the ransomware throughout customer networks. Thanks to an effective backup and recovery strategy and strong response plan, the towns’ operations were successfully restored within a week.10

Cloud providers, too, suffer ransomware attacks that can dramatically impact customers. In May 2020, Blackbaud, a leading provider of cloud-based fundraising software, was hit with a ransomware attack. Customers were notified in July and told that “the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment … we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”11

Blackbaud’s ransom payment was little consolation to the thousands of customers who stored sensitive data in the cloud, many of whom were required to conduct their own investigations—often at their own expense. Without direct access to evidence, however, their response was hampered. Within just a few months, Blackbaud had been sued in 23 proposed class-action lawsuits, received approximately 160 claims from customers and their attorneys, and been hit with inquiries from a plethora of government agencies and regulators.12

Opportunities for Detection

Customers typically have little visibility into the operations and risk management practices of suppliers, even those that have a high level of access to their sensitive data or network resources. They also have no way to directly detect an intrusion into supplier networks and must rely on suppliers to implement effective detection capabilities to prevent the spread of ransomware.

Visible signs of a supplier compromise may include the following:

  • Unusual logins or activity from supplier accounts

  • Spam emails originating from a supplier’s address

  • Unusually slow service or full outages

  • Notification or media reports of a cybersecurity compromise relating to the supplier
