Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks.
All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT (computer security incident response team), on Twitter over the weekend.
Since then, with the help of several other contributors who joined his efforts, the list has quickly grown to include security flaws found in products from over a dozen different software and hardware vendors.
While these bugs have been, or still are, exploited by one ransomware group or another in past and ongoing attacks, the list has also been expanded to include actively exploited flaws, as security researcher Pancak3 explained.
The list comes in the form of a diagram providing defenders with a starting point for shielding their network infrastructure from incoming ransomware attacks.
Vulnerabilities targeted by ransomware groups in 2021
This year alone, ransomware groups and affiliates have added multiple exploits to their arsenal, targeting actively exploited vulnerabilities.
HelloKitty ransomware targeted vulnerable SonicWall devices (CVE-2019-7481) in July, while REvil breached Kaseya’s network (CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120) and hit roughly 60 MSPs using on-premise VSA servers and 1,500 downstream business customers [1, 2, 3].
The same month, Cring ransomware started encrypting unpatched Fortinet VPN devices (CVE-2018-13379) on industrial sector companies’ networks after a joint FBI and CISA warning that threat actors were scanning for vulnerable Fortinet appliances.
In March, Microsoft Exchange servers worldwide were hit by Black Kingdom [1, 2] and DearCry ransomware as part of a massive wave of attacks directed at systems unpatched against ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
Last but not least, Clop ransomware attacks against Accellion servers (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104), which began in mid-December 2020 and continued into January 2021, drove up the average ransom price for the first three months of the year.
Fight against an escalating ransomware threat
The exercise by Liska and his contributors adds to an ongoing effort to fend off ransomware attacks that have plagued public and private sector organizations worldwide for years.
Last month, CISA was joined by Microsoft, Google Cloud, Amazon Web Services, AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon as part of the Joint Cyber Defense Collaborative (JCDC) partnership focused on defending critical infrastructure from ransomware and other cyber threats.
The federal agency also released a new ransomware self-assessment security audit tool in June designed to help at-risk organizations understand if they’re equipped to defend against and recover from ransomware attacks targeting information technology (IT), operational technology (OT), or industrial control system (ICS) assets.