Lifecycle of a ransomware attack: Initial access

Where the attacker looks for a way into the network.

In the first phase of the attack the attacker is simply looking to gain a foothold in the organisation’s network, wherever that might be. In the majority of incidents we see, initial access is gained in one of three ways. Each of these pathways requires slightly different defensive controls to protect against it.

How the attacker looks for a way into the network


No matter which pathway the attacker uses to attempt initial access, our goal is to have controls that let us detect that activity and prevent it. At all stages of an attack we cannot stop what we cannot detect. This is why logging and alerting appear in all phases, and on virtually every pathway.

Using compromised credentials to access remote services

In this pathway an attacker obtains credentials to log in to remote access services such as a VPN or RDP server. These are commonly gained either through phishing or where passwords have been leaked in credential dumps and reused on those services. Some attackers also attempt brute-forcing of credentials, targeting weak and easy-to-guess usernames and passwords.

ATT&CK® Techniques

Commonly attacked services:

  • VPN
  • RDP

The first step in defending against these types of attacks is to identify and reduce the number of possible targets. Making sure you have an accurate inventory of all services that can be accessed over the internet is fundamental to defending them. In many organisations this exercise has uncovered previously unknown services, or services which were thought to have been decommissioned.

Once you have a complete list, enforcing multi-factor authentication on all internet-exposed services is one of the easiest and most effective security controls to prevent unauthorised access. In addition, logging and alerting on any unusual activity on these services can warn you of a potential attack so you can respond before the attacker gains access. Providing all of your staff with a password manager can help reduce password reuse and promote using long, strong and unique passwords on all services. This helps protect against password guessing or password spraying attacks.

CERT NZ is aware that some attackers have been using Virtual Private Server (VPS) or proxy endpoints in the same country as their intended victim in order to bypass geoblocking or other conditional access controls.
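As an added example (not code from CERT NZ), the detection below runs over a constructed VPN authentication log and flags the three patterns the passage above describes: password spraying across many accounts, brute-forcing of one account, and the highest-priority case, a success following repeated failures from the same source. It keys on authentication behaviour rather than source country, since the note above explains why geolocation alone is not a reliable signal; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample log (not real data): "<timestamp> <result> user=<name> src=<ip>".
# 203.0.113.7 sprays many accounts then succeeds; 192.0.2.9 hammers one account;
# 198.51.100.4 is a user who mistyped a password once and should not alert.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z FAIL user=alice src=203.0.113.7
2024-03-01T02:10:03Z FAIL user=bob src=203.0.113.7
2024-03-01T02:10:05Z FAIL user=carol src=203.0.113.7
2024-03-01T02:10:07Z FAIL user=dave src=203.0.113.7
2024-03-01T02:10:09Z FAIL user=erin src=203.0.113.7
2024-03-01T02:11:40Z SUCCESS user=erin src=203.0.113.7
2024-03-01T08:00:00Z FAIL user=gina src=198.51.100.4
2024-03-01T08:00:02Z SUCCESS user=gina src=198.51.100.4
2024-03-01T09:00:00Z FAIL user=bob src=192.0.2.9
2024-03-01T09:00:01Z FAIL user=bob src=192.0.2.9
2024-03-01T09:00:02Z FAIL user=bob src=192.0.2.9
2024-03-01T09:00:03Z FAIL user=bob src=192.0.2.9
2024-03-01T09:00:04Z FAIL user=bob src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def analyse(log_text, spray_users=5, brute_fails=5, min_fails_before_success=3):
    """Return (alert_type, src_ip, detail) tuples worth an analyst's attention."""
    failed_users = defaultdict(set)    # src -> accounts that failed from it
    fails_per_pair = defaultdict(int)  # (src, user) -> failure count
    alerts = []
    for _ts, result, user, src in parse(log_text):
        if result == "FAIL":
            failed_users[src].add(user)
            fails_per_pair[(src, user)] += 1
            continue
        prior = sum(n for (s, _u), n in fails_per_pair.items() if s == src)
        if prior >= min_fails_before_success:
            # A success after repeated failures from one source needs a response: the guessing may have worked.
            alerts.append(("success_after_failures", src, f"{user} after {prior} failures"))
    for src, users in failed_users.items():
        if len(users) >= spray_users:
            alerts.append(("password_spray", src, f"{len(users)} distinct accounts"))
    for (src, user), n in fails_per_pair.items():
        if n >= brute_fails:
            alerts.append(("brute_force", src, f"{n} failures against {user}"))
    return alerts
```

In production the same logic would be applied per time window and the success_after_failures alert routed for immediate investigation, since it indicates the attacker may already hold a valid credential.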

Exploiting vulnerable systems

Over the years we have seen a significant number of ransomware incidents that started with attackers exploiting vulnerabilities in internet-exposed services. These have often been in remote access systems such as VPNs, as well as other internet-exposed services such as Microsoft Exchange. WannaCry and NotPetya both exploited vulnerabilities in the Windows SMB implementation to spread across the Internet.

These vulnerabilities are frequently exploited quickly after disclosure or sometimes even before the vulnerability has been disclosed. Attackers often use multiple vulnerabilities together (“chaining” the vulnerabilities) so while a single vulnerability may not be severe, the combination allows an attacker to gain access to the system.

ATT&CK® Techniques

Technologies commonly exploited:

  • SSL VPN (Pulse, Fortinet, Citrix, SonicWall and more)
  • Microsoft Exchange
  • Telerik UI based web interfaces

The primary defence against this attack vector is timely patching of internet-facing services. Patching internet-exposed systems should be the number one priority, as attackers move quickly to exploit newly discovered vulnerabilities. As a baseline, security updates should be applied within 48 hours of being released, with an emergency process to allow for immediate patching as soon as you receive notification of active exploitation. A good logging and alerting system can assist you in determining whether there have been any attempts (successful or otherwise) to exploit vulnerabilities in your systems.

Notifications may be received from vendors or as advisories from CERT NZ.

Subscribe to CERT NZ's advisories.
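As an added example (not code from CERT NZ), the script below measures a constructed inventory of internet-exposed services against the patching baseline described above: the 48-hour window for ordinary security updates, and the emergency process under which any time spent unpatched while a vulnerability is actively exploited is a finding. The hostnames, dates and inventory fields are assumptions; the products mirror the list above.

```python
from datetime import datetime, timedelta, timezone

BASELINE_SLA = timedelta(hours=48)  # the 48-hour baseline from the guidance above

def _ts(s):
    """Parse a constructed ISO-8601 UTC timestamp such as 2024-03-01T00:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed inventory of internet-exposed services (hostnames are placeholders).
# fix_released: when the vendor security update became available.
# patched: when it was applied, or None if it has not been applied yet.
INVENTORY = [
    {"host": "vpn.example.test", "product": "SSL VPN",
     "fix_released": "2024-03-01T00:00:00Z", "patched": "2024-03-02T10:00:00Z",
     "actively_exploited": False},
    {"host": "mail.example.test", "product": "Microsoft Exchange",
     "fix_released": "2024-03-01T00:00:00Z", "patched": None,
     "actively_exploited": True},
    {"host": "portal.example.test", "product": "Telerik UI web app",
     "fix_released": "2024-02-20T00:00:00Z", "patched": "2024-02-25T00:00:00Z",
     "actively_exploited": False},
]

def check_patch_sla(inventory, now):
    """Return (host, status, hours_exposed) for each service that missed the SLA.

    Actively exploited and still unpatched falls under the emergency process
    regardless of elapsed time; everything else is measured against 48 hours.
    """
    findings = []
    for item in inventory:
        released = _ts(item["fix_released"])
        end = _ts(item["patched"]) if item["patched"] else now
        exposure = end - released
        hours = round(exposure.total_seconds() / 3600, 1)
        if item["actively_exploited"] and item["patched"] is None:
            findings.append((item["host"], "EMERGENCY: unpatched and actively exploited", hours))
        elif exposure > BASELINE_SLA:
            state = "patched late" if item["patched"] else "still unpatched"
            findings.append((item["host"], f"missed 48h baseline ({state})", hours))
    return findings

if __name__ == "__main__":
    for host, status, hours in check_patch_sla(INVENTORY, _ts("2024-03-04T00:00:00Z")):
        print(f"{host}: {status}, {hours}h since fix release")
```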

Deliver malware via email

The third commonly used vector is to deliver malware (including families such as Trickbot or Qakbot) via email. These emails will either have an attachment or a link to download a malicious document, usually in the form of a .doc or .xls. If this is opened and macros are allowed to execute, the document can run its payload and attempt to load malware on the computer where it was opened.

ATT&CK® Techniques

Common malware types distributed this way:

Several of the critical controls help in defending against this attack vector. If macros are not able to run, most malicious documents will be unable to deliver the malware payload. Even if the macros are allowed to run, application allowlisting or modern endpoint protection/EDR tools may be able to detect and alert or even block this activity. Controls such as EDR need to be supported with logging and alerting on unusual activity for your security team to investigate.

Common malware families do change over time. Good endpoint protection tools will be kept up to date with the latest information about behaviour of different malware families. This can block the activity or alert you when such activity is observed in your environment.

The right combination of defences for your organisation will make it difficult for an attacker to get in. However, it is important not to rely on a single defensive layer. Other initial access vectors, such as supply chain attacks, highlight the need to be prepared to deal with an attacker that has already gained access to your network. Read on to find out how the critical controls can help prevent an attacker from gaining access to your entire network.

Next phase: Consolidation and preparation