In February 2022, a Joint Cybersecurity Advisory was issued by key agencies in the United States (CISA, FBI, and the NSA), Australia’s Cybersecurity Center (ACSC), and the United Kingdom’s National Cyber Security Center identifying recent trends in the sophistication of ransomware. The advisory noted that the tactics and techniques used by threat actors, and the overall sophistication they exhibit, continue to become an increased threat to business and government globally. The alert was based, in part, on 14 observed incidents targeting 16 critical infrastructure sectors within the United States.
The advisory observed behaviors and trends by threat actors in 2021 to include:
- Gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting vulnerabilities. Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents in 2021. Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware. We have covered the problems of RDP being breached in our quarterly threat reports.
- Using cybercriminal services-for-hire. The market for ransomware became increasingly “professional” in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.
- Sharing victim information. Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations. For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0.
- Shifting away from targeting perceived high-value organizations in the United States and moving towards mid-sized victims. In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting perceived high-value organizations and/or those that provide critical services in several high-profile incidents. This changed within the United States in the latter part of 2021 after the breakup of several major ransomware networks. Threat actors targeting businesses within the United States appeared to shift their energy towards medium-sized businesses. The ACSC observed ransomware continuing to target Australian organizations of all sizes, including critical services and “big game,” throughout 2021. Similarly, the NCSC-UK observed targeting of UK organizations of all sizes throughout the year, with some “big game” victims. Overall victims included businesses, charities, the legal profession, and public services in the Education, Local Government, and Health Sectors.
- Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.
Further, the advisory notes that ransomware crime groups have increased their impact by:
- Targeting the cloud. Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data.
- Targeting managed service providers. Ransomware threat actors have targeted managed service providers (MSPs). MSPs have widespread and trusted access into multiple client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.
- Attacking industrial processes. Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.
- Attacking the software supply chain. Globally, in 2021, ransomware threat actors targeted software supply chain entities to subsequently compromise and extort their customers. Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise.
- Targeting organizations on holidays and weekends. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends throughout 2021. Ransomware threat actors may view holidays and weekends, when offices are normally closed, as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. For more information, see the joint FBI-CISA Cybersecurity Advisory, Ransomware Awareness for Holidays and Weekends.
The advisory covers recommended mitigations that can reduce the likelihood of a successful attack and the impact of any ransomware incident. These include keeping operating systems and software up to date with timely updates and patching. The advisory also cautions about the use of RDP. Even today many organizations have RDP servers sitting on their networks, perhaps never used, with default passwords in place! Emphasis is also placed on user training to raise awareness about visiting potentially malicious websites, clicking on suspicious links, and opening suspicious attachments. Finally, well-known defensive techniques such as network segmentation, end-to-end encryption and many more are covered extensively in the advisory.
DNS is a core part of your defense
DNS appears in the kill chain of almost every cyberattack, including ransomware, where it can serve as a command-and-control (C&C) channel and as a path for malware download and/or data exfiltration. Your clouds, on-premises resources, IT/OT environments and remote/roaming workers all need DNS security as a way to monitor for and protect against cyberattacks.
Attackers may, in some cases, reuse malicious domains and IP addresses that already have a known reputation, and these can be identified by applying threat intelligence to your DNS infrastructure. Beyond reputation, the behavior and context of DNS queries can provide the indicators you need to identify and stop zero-day attacks and more advanced threats.
It is important to remember that standard security controls and technologies such as next-gen firewalls, IPS, and gateways do not inspect DNS traffic to detect malicious communications. These security controls, while very important, often cannot stop specific attacks such as DNS data exfiltration. Worse yet, they are not able to detect the subtle threats from newly registered and newly observed domains that could be used to launch attacks. DNS security provides visibility and protection against such threats, which is especially important in today’s uncertain environment, where cyberattacks associated with nation states are on the rise.
DNS security is designed to prevent users from connecting to malicious destinations and to detect anomalous behavior in the network, advanced persistent threat activity, botnet communications, DNS tunneling, and data exfiltration. BloxOne Threat Defense, Infoblox’s DNS security solution, combines advanced analytics based on machine learning, highly accurate and aggregated threat intelligence, and automation to detect and prevent a broad range of threats, including ransomware, phishing, data exfiltration, DGA families, look-alike domain use, and many others. Integration with Security Orchestration, Automation and Response (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystems for automated remediation is an important capability of DNS security.
DNS logs also contain a wealth of information for more efficient incident response. They are a highly effective way to see what resources a client has been accessing historically. DHCP fingerprint and IPAM metadata provide contextual information on compromised devices, such as device type, OS information, network location, and current and historical IP address allocations. All this information helps with event correlation and with determining the scope of an ongoing breach, while tying DNS requests to a device and user.
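The preceding paragraphs describe the DNS-based checks a defender wants: matching queries against threat intelligence, flagging newly observed domains, spotting the high-entropy labels and subdomain volume typical of DNS tunneling and exfiltration, catching look-alike domains, and then tying the querying IP back to a device through DHCP/IPAM data. The following script is an added example written for this page; it is not Infoblox or BloxOne Threat Defense code. Every input it uses (the threat-intelligence set, the brand watchlist, the DHCP lease table, the DNS query log lines and all domain names and IP addresses in them) is constructed for illustration, and the detection thresholds are demo values that a real deployment would tune against its own baseline.

```python
"""Added example (not Infoblox or advisory code): triage of a constructed DNS
query log with the checks described in the text, followed by correlation of
the querying IP to a device via a constructed DHCP/IPAM lease table."""
import math
from collections import Counter, defaultdict

# ---- Constructed inputs (all fictional) --------------------------------
THREAT_INTEL = {"bad-payload.example"}             # analyst-supplied known-bad domains
WATCHLIST = ["infoblox.com", "example-bank.com"]    # brands to protect from look-alikes
PREVIOUSLY_SEEN = {"example.com", "example-bank.com", "infoblox.com", "example.net"}
DHCP_LEASES = {                                      # client IP -> device context
    "10.1.2.34": {"hostname": "FIN-LAPTOP-07", "os": "Windows 10", "vlan": "finance"},
    "10.1.5.10": {"hostname": "dev-build-01", "os": "Ubuntu 20.04", "vlan": "engineering"},
}
DNS_LOG = [                                          # (timestamp, client_ip, qname)
    ("2022-03-01T09:00:01", "10.1.2.34", "www.example.com"),
    ("2022-03-01T09:00:05", "10.1.2.34", "bad-payload.example"),
    ("2022-03-01T09:01:10", "10.1.2.34", "lnfoblox.com"),
    ("2022-03-01T09:02:00", "10.1.5.10", "update.example.net"),
    ("2022-03-01T09:03:00", "10.1.5.10", "4f2a9c8e1b7d3e6f0a1b2c3d4e5f6a7b.exfil-test.example"),
    ("2022-03-01T09:03:01", "10.1.5.10", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.exfil-test.example"),
    ("2022-03-01T09:03:02", "10.1.5.10", "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.exfil-test.example"),
]


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive 'last two labels' cut; production code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot single-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def look_alike_of(domain, watchlist, max_distance=1):
    """Return the watchlist brand this domain imitates, or None."""
    for brand in watchlist:
        if domain != brand and edit_distance(domain, brand) <= max_distance:
            return brand
    return None


def triage(log, threat_intel=THREAT_INTEL, watchlist=WATCHLIST,
           previously_seen=PREVIOUSLY_SEEN, leases=DHCP_LEASES,
           min_label_len=24, min_entropy=3.0, max_unique_subdomains=3):
    """Run the checks over the log and return a list of finding dicts.
    Thresholds are demo values; tune them against your own traffic baseline."""
    findings = []
    seen = set(previously_seen)
    per_domain = defaultdict(lambda: {"subs": set(), "clients": set()})

    def add(kind, ts, client, detail):
        # Correlation step: DHCP/IPAM lease table turns an IP into a device name.
        device = leases.get(client, {}).get("hostname", "unknown-device")
        findings.append({"kind": kind, "time": ts, "client": client,
                         "device": device, "detail": detail})

    for ts, client, qname in log:
        qname = qname.lower().rstrip(".")
        rd = registered_domain(qname)
        # 1. Threat-intelligence match on the registered domain or the full name.
        if rd in threat_intel or qname in threat_intel:
            add("threat-intel-match", ts, client, qname)
        # 2. Newly observed domain: first appearance relative to the baseline.
        if rd not in seen:
            seen.add(rd)
            add("newly-observed-domain", ts, client, rd)
        # 3. Look-alike of a protected brand.
        brand = look_alike_of(rd, watchlist)
        if brand:
            add("look-alike", ts, client, f"{rd} resembles {brand}")
        # 4. Tunneling / exfiltration heuristics on the subdomain part.
        sub = qname[: -(len(rd) + 1)] if len(qname) > len(rd) else ""
        if sub:
            per_domain[rd]["subs"].add(sub)
            per_domain[rd]["clients"].add(client)
            label = sub.split(".")[0]
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                add("possible-tunneling", ts, client,
                    f"label len={len(label)} entropy={shannon_entropy(label):.2f} under {rd}")
    # Many distinct subdomains under one domain is the classic exfiltration footprint.
    for rd, info in per_domain.items():
        if len(info["subs"]) >= max_unique_subdomains:
            for client in sorted(info["clients"]):
                add("subdomain-volume", None, client,
                    f"{len(info['subs'])} unique subdomains under {rd}")
    return findings


def summarize(findings):
    """Counts per finding kind, handy as a SIEM field or quick dashboard."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage(DNS_LOG):
        print(f"{f['kind']:<22} {f['client']:<10} {f['device']:<14} {f['detail']}")
    print(dict(summarize(triage(DNS_LOG))))
```

Running the script on the constructed log produces one threat-intelligence match, three newly observed domains, one look-alike, three high-entropy labels and one subdomain-volume finding, each already labelled with the device name from the lease table so an analyst does not have to join the sources by hand. The registered-domain cut and the single-character look-alike test are deliberately simple; a real pipeline would use the Public Suffix List and richer similarity measures (homoglyphs, keyboard-adjacent substitutions), and would feed the findings to a SIEM or SOAR rather than printing them.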
In light of the likely sources of these attacks, it is important to note that BloxOne Threat Defense also addresses EECN IPs. This is a policy-based feed containing IPs of countries in Eastern Europe and China that are regularly cited as sources of cyberattacks seeking intellectual property or other sensitive or classified data, as well as theft of credit card or financial information. It is natural to expect their presence in the midst of the ongoing barrage of ransomware activity.
Let’s not forget that DNS security is a mainstream security control. A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To find out more about how Infoblox can help please reach out to us via https://info.infoblox.com/contact-form/.