Our team recently investigated the prominent ransomware attacks reported since the beginning of 2020 in order to draw general conclusions about these attacks and to reveal commonalities between them. We also wanted to better understand the threat they pose and how to protect against it. While examining approximately 180 different ransomware incidents, we found that the most targeted sectors were Technology (11%), Government (10%), Critical Infrastructure (8.6%), Healthcare and Pharmaceutical (8%), Transportation (7%), Manufacturing (6%), Financial Services (5%) and Education (4%). It was also found that Sodinokibi/REvil, Maze and Ryuk are the most active ransomware strains.
One notable finding of our investigation was that the operators behind these ransomware attacks commonly abused four vulnerabilities, which are discussed in detail in this blog post. This highlights the importance of installing security updates promptly as a defense mechanism that minimizes the risk of ransomware and other malware attacks.
Here they are: The four top vulnerabilities abused in 2020 ransomware attacks (ordered from the most abused one):
Let’s take a closer look:
The CVE-2019-19781 vulnerability affects remote access appliances manufactured by Citrix, whose products are used by numerous organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later. The vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation of the vulnerability could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer.
Since its disclosure, the vulnerability has been successfully exploited by threat actors in a significant number of incidents. In January 2020, security researchers reported that the REvil gang leveraged the vulnerability in its attack against the Gedia Automotive Group. No technical details about the attack were disclosed, but from the information published by the attackers, it appears the company used the vulnerable products. The Ragnarok ransomware gang also exploited this vulnerability in January 2020. The attackers used it to download scripts and scan the targeted network for computers vulnerable to EternalBlue.
In February 2020, the cloud company Bretagne Telecom reportedly suffered a cyber-attack by the cybercriminals operating the DoppelPaymer ransomware. The DoppelPaymer gang stated it carried out the attack in the first half of January 2020, when a fix for the vulnerability had still not been released. This suggests the attackers discovered the vulnerability even earlier. At the end of March 2020, it was reported that the MAZE ransomware gang had also leveraged the vulnerability in an attack on the cyber insurance company Chubb.
In a different incident at the beginning of June 2020, it was reported that the IT services giant Conduent had also fallen victim to a MAZE ransomware attack. According to online reports, MAZE targeted a Citrix server of the company that was not patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate Indiabulls had suffered a cyber-attack carried out by the CLOP ransomware operators. Cybersecurity company Bad Packets reported that Indiabulls used a Citrix NetScaler ADC VPN Gateway that was vulnerable to CVE-2019-19781. However, the company did not confirm that this vulnerability was exploited in the attack. Recently, the New Zealand CERT (CERT NZ) reported that many threat actors are leveraging this vulnerability, and the Nephilim ransomware gang may have attempted to exploit it as well.
The CVE-2019-11510 vulnerability affects Pulse Secure VPN products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access logs that contain cached passwords in plain text. Although the vulnerability was publicly disclosed some time ago and patched in April 2020, many organizations have not yet applied the patch and remain exposed to attacks.
In recent months, the vulnerability was reportedly exploited in a number of ransomware incidents. In two incidents, the attackers gained domain admin privileges and used VNC, an open-source remote access tool, for lateral movement across the targeted network. The attackers then turned off security software and infected the systems with the REvil ransomware. The most notable ransomware attack affected Travelex at the end of December 2019. The company had not patched its VPN solution, which allowed the REvil ransomware gang to carry out a successful attack that paralyzed the company’s systems for a number of weeks, persisting into 2020.
In another incident reported in April 2020, the IT systems of several hospitals and government entities in the US were infected with an unknown ransomware by nation-state threat actors. In addition, in June 2020, the operators of the Black Kingdom ransomware reportedly attempted to exploit the vulnerability as well.
CVE-2012-0158 is an old vulnerability in Microsoft products but is still one of the most exploited vulnerabilities of recent years, according to US-CERT. In December 2019, our team also listed it among the top 20 vulnerabilities to patch before 2020, based on the number of times it has been exploited by sophisticated cyber-attack groups operating today. The vulnerability allows an attacker to execute code remotely on the victim’s computer through a specially crafted website, Office document or .rtf file.
In recent months, security researchers reported exploitation attempts for CVE-2012-0158 in COVID-19-themed attacks. The researchers reported attack attempts against medical and academic organizations in Canada. One of the campaigns included infection attempts with the EDA2 ransomware, a strain of the wider HiddenTear ransomware family. The attackers used an email address that resembled and imitated the legitimate address of the World Health Organization. The phishing emails sent to the targeted organizations contained malicious files designed to exploit this vulnerability, execute code remotely and infect the recipients with the ransomware. An additional phishing campaign attempted to infect victims at the above-mentioned organizations with a ransomware dubbed RASOM.
CVE-2018-8453 resides in the win32k.sys component of Windows, which fails to properly handle objects in memory. Successful exploitation can allow an attacker to run arbitrary code in kernel mode; install programs; view, change, or delete data; or create new accounts with full user rights.
The Sodinokibi/REvil ransomware was first spotted exploiting CVE-2018-8453 in 2019, in multiple attacks in the Asia-Pacific region, including Taiwan, Hong Kong, and South Korea. In July 2020, it was reported that the same ransomware gang exploited it again against the Brazilian electrical energy company Light S.A. The attackers first demanded a ransom of 106,870.19 XMR (Monero); after the deadline had passed, the ransom doubled to 215,882.8 XMR, which amounts to approximately $14 million.
SUMMING UP: THE PATCHING PARADOX
In an ideal world, organizations would patch every new vulnerability as soon as it is discovered. In real life, this is impossible. Security analysts responsible for vulnerability management face multiple challenges that result in what the industry calls “The Patching Paradox”: common sense tells you to keep every system up to date in order to be protected, but this is not possible due to limited resources, the existence of legacy systems and slow rollout of patches. The goal of this analysis is to give security professionals an incentive to improve their patch management activities.
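One practical way to act on the paradox is to rank what gets patched first rather than trying to patch everything at once. The following Python helper is an added example, not code from the original post or from our team's tooling: it scores each unpatched (host, CVE) pair, boosting the four CVEs named above, internet-facing hosts, and CVEs that have been public for years, and then picks the hosts that fit into a limited patching window. The inventory, the weights, the reference year and the `Host`/`Finding` types are constructed assumptions for illustration; only the four CVE identifiers and EternalBlue come from the post.

```python
"""Added example (not from the original post): rank unpatched findings so that
CVEs known to be abused by ransomware operators on exposed hosts are fixed first
when patching capacity is limited. Inventory, weights and the reference year
are constructed assumptions."""
from dataclasses import dataclass, field

REFERENCE_YEAR = 2020  # assumption: the year the post covers

# The four CVEs named in the post and the products the post attributes them to.
RANSOMWARE_ABUSED_CVES = {
    "CVE-2019-19781": "Citrix ADC (NetScaler ADC) remote code execution",
    "CVE-2019-11510": "Pulse Secure VPN remote network access",
    "CVE-2012-0158": "Microsoft Office / .rtf remote code execution",
    "CVE-2018-8453": "Windows win32k.sys kernel-mode code execution",
}

# Weights are assumptions, chosen so that "ransomware-abused + exposed" always
# outranks either property alone.
W_BASE = 10       # any unpatched CVE
W_ABUSED = 50     # CVE is in the list above
W_EXPOSED = 30    # host reachable from the internet
W_PER_YEAR = 2    # each year the CVE has been public and is still unpatched


@dataclass
class Host:
    name: str
    internet_facing: bool
    cves: list[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    cve: str
    score: int
    reasons: list[str]


def cve_year(cve: str) -> int:
    """Extract the year from a CVE identifier such as CVE-2012-0158."""
    return int(cve.split("-")[1])


def score_finding(host: Host, cve: str) -> Finding:
    """Score one (host, CVE) pair and record why it got that score."""
    score, reasons = W_BASE, []
    if cve in RANSOMWARE_ABUSED_CVES:
        score += W_ABUSED
        reasons.append("abused in ransomware attacks: " + RANSOMWARE_ABUSED_CVES[cve])
    if host.internet_facing:
        score += W_EXPOSED
        reasons.append("internet-facing host")
    years_open = max(0, REFERENCE_YEAR - cve_year(cve))
    if years_open:
        score += W_PER_YEAR * years_open
        reasons.append(f"public for {years_open} year(s) and still unpatched")
    return Finding(host.name, cve, score, reasons)


def prioritize(hosts: list[Host]) -> list[Finding]:
    """Return every (host, CVE) finding, highest score first; ties break by name."""
    findings = [score_finding(h, c) for h in hosts for c in h.cves]
    return sorted(findings, key=lambda f: (-f.score, f.host, f.cve))


def patch_plan(hosts: list[Host], capacity: int) -> list[str]:
    """With room for only `capacity` hosts this cycle, pick the hosts whose worst
    finding scores highest (the 'limited resources' side of the paradox)."""
    plan: list[str] = []
    for f in prioritize(hosts):
        if f.host not in plan:
            plan.append(f.host)
        if len(plan) == capacity:
            break
    return plan


# Constructed inventory for the example; CVE-2017-0144 (EternalBlue, which the
# post mentions in passing) stands in for a CVE outside the post's top four.
INVENTORY = [
    Host("vpn-gw-01", True, ["CVE-2019-11510"]),
    Host("citrix-adc-01", True, ["CVE-2019-19781", "CVE-2017-0144"]),
    Host("hr-workstation-07", False, ["CVE-2012-0158", "CVE-2018-8453"]),
    Host("file-srv-02", False, ["CVE-2017-0144"]),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{f.score:3d}  {f.host:18s} {f.cve:15s} {'; '.join(f.reasons)}")
    print("patch first:", patch_plan(INVENTORY, capacity=2))
```

With the constructed inventory, the two exposed gateways carrying the post's remote-access CVEs come out on top (92 points each), the workstation with the eight-year-old Office vulnerability follows, and the internal file server with a CVE outside the top four lands last. The weights are deliberately crude; the point is that the ranking is explainable, since every finding carries the reasons that produced its score, which is what a vulnerability-management team needs when justifying why a given patch waits for the next cycle.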