Ransomware attacks on critical infrastructure and a rise in exploited vulnerabilities are attracting the attention of US cybersecurity agencies, which highlighted the threats in a pair of warnings issued in recent days.
The FBI and the US Secret Service have issued a detailed advisory on the BlackByte Ransomware-as-a-Service (RaaS) group, which has attacked critical infrastructure sectors in recent months, including government, financial, and food and agriculture targets.
And the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its catalog of actively exploited vulnerabilities.
The warnings come amid growing global tensions over the possibility of a Russian invasion of Ukraine, which itself has been the subject of a number of US cybersecurity advisories in recent weeks.
BlackByte Ransomware IoCs and Attack Methods
The FBI-Secret Service warning came just before news broke that the NFL’s San Francisco 49ers had also been hit by BlackByte ransomware.
The ransomware encrypts files on compromised Windows host systems, including physical and virtual servers, the advisory notes, and the executable leaves a ransom note in every directory where encryption takes place, including instructions for paying the ransom to obtain a decryption key.
Some victims said attackers used a known vulnerability in Microsoft Exchange Server to gain access to their networks, then deployed tools to move laterally through the network and elevate privileges before exfiltrating and encrypting files.
“In some cases, BlackByte ransomware actors have only partially encrypted files,” the advisory reads. “In cases where decryption is not possible, data recovery may occur.”
A newer version of the ransomware encrypts files without communicating with any external IP addresses. The advisory provided a detailed overview of BlackByte Indicators of Compromise (IoCs) and suspicious files and commands to look for.
BlackByte Ransomware Protection Steps
The agencies offered some sound cybersecurity advice for defending against BlackByte that applies fairly generally:
- Perform regular backups and store them as isolated, password-protected copies offline
- Implement network segmentation, “so that not every machine on your network can be reached from every other machine”
- Update anti-virus software on all hosts and enable real-time detection
- Update and patch operating systems, software, and firmware as soon as updates and patches are released
- Examine domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind, and use multi-factor authentication
- Disable unused remote access/RDP (Remote Desktop Protocol) ports and monitor remote access/RDP logs for unusual activity
- Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails
- Ensure that all identified IOCs are entered into the network SIEM for continuous monitoring and alerts
CISA vulnerabilities affect Apple, Oracle and others
CISA added 15 vulnerabilities to its catalog of known exploited CVEs (common vulnerabilities and exposures), flaws that attackers are actively exploiting or have exploited in the past. The flaws affect a range of vendors, including widely used products from Apple, Oracle and Microsoft. They pose a significant risk to businesses and government agencies, and threat actors use them regularly.
The 15 vulnerabilities explained
CISA sorts vulnerabilities by their remediation due date for federal agencies:
- CVE-2021-36934: Also known as the Windows Elevation of Privilege Vulnerability, this flaw exists because overly permissive access control lists (ACLs) on several system files, including the Security Accounts Manager (SAM) database, allow attackers to gain full user rights on a victim’s system. Federal organizations have only until February 24, 2022 to patch this vulnerability.
- CVE-2020-0796: A flaw in Microsoft Server Message Block (SMBv3) allows local elevation of privilege and remote code execution, which attackers can exploit to execute code on a target server or client.
- CVE-2018-1000861: A vulnerability in the Stapler web framework, which Jenkins (continuous delivery software) uses to handle HTTP requests, allows attackers to use specially crafted URLs to improperly invoke public methods.
- CVE-2017-9791: A vulnerability in Apache Struts 2, the Java-based framework for building web applications associated with the Equifax breach, creates opportunities for remote code execution (RCE) attacks through the use of untrusted input in the ActionMessage class.
- CVE-2017-8464: The LNK remote code execution vulnerability is an RCE flaw in Microsoft Windows triggered by specially crafted .LNK files, which attackers can exploit to gain the rights of the local user on a victim’s system.
- CVE-2017-10271: An easily exploitable vulnerability in Oracle middleware allows an unauthenticated attacker to compromise and potentially gain control of Oracle WebLogic Server.
- CVE-2017-0263: A Win32k elevation of privilege vulnerability in specific Windows products allows attackers to exploit a faulty kernel-mode driver to install programs; view, modify or delete data; or create new accounts with full user rights.
- CVE-2017-0262: An RCE vulnerability in Microsoft Office can be exploited when a user opens a file with malformed graphics, allowing attackers to create booby-trapped EPS files and gain control of the affected system.
- CVE-2017-0145: The Windows SMB remote code execution vulnerability in various Windows products allows remote attackers to execute arbitrary code through specially crafted packets.
- CVE-2017-0144: Similar to CVE-2017-0145.
- CVE-2016-3088: A remote file download vulnerability in Apache ActiveMQ 5 (a Java-based multi-protocol message broker) allows attackers to download and execute arbitrary files.
- CVE-2015-2051: An RCE vulnerability in a specific wired/wireless router via the Home Network Administration Protocol (HNAP), a network device management protocol known for its buggy implementations, allows attackers to execute arbitrary commands via a GetDeviceSettings action.
- CVE-2015-1635: An RCE vulnerability in specific versions of Windows (e.g., 7 SP1, 8, 8.1) or Windows Server (2008 R2 SP1, 2012 Gold) allows attackers to execute arbitrary code via specially crafted HTTP requests.
- CVE-2015-1130: A flaw in the XPC implementation in Apple OS X before 10.10.3 allows attackers to bypass authentication and escalate to administrator privileges.
- CVE-2014-4404: An RCE vulnerability caused by a buffer overflow in older Apple products (iOS before 8 and Apple TV before 7) allows attackers to execute arbitrary code in a privileged context.
The list of added and removed entries is a living list and changes as new threats emerge and old ones decline.
A top priority for security teams
Most of these vulnerabilities have been around for years, but they are being actively attacked. CISA strongly recommends updating all software as soon as possible.
With the shortlist of widely exploited vulnerabilities, system administrators and security teams can quickly identify and patch key vulnerabilities to prevent malicious actors from exploiting weaknesses.
How to use the CISA catalog
While CVE-2021-36934 is listed first due to its high severity and due date, the top vulnerabilities most exploited by attackers do not necessarily have high severity ratings. The CVSS score is only an indicator, and a low score does not mean that hackers will not attack it.
Some vendors already map their scan results to the CISA catalog to flag exploited and critical CVEs. For example, checking findings against the catalog during scripted checks in continuous integration and continuous delivery (CI/CD) pipelines enables early and automatic detection.
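One way to wire such a check into a pipeline, as an added example that is not from the article or from CISA: match scanner findings against the catalog, rank hits by CISA's federal due date rather than CVSS, and fail the build on any hit. The catalog's JSON field names and the sample catalog and scan output are assumptions and constructed data (only CVE-2021-36934's due date comes from the article).

```python
"""Gate a CI/CD job on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Added example, not code from the article or from CISA. The feed shape (a
"vulnerabilities" list with "cveID" and "dueDate") is an assumption about the
public JSON; catalog and scan data below are constructed samples (only
CVE-2021-36934's due date comes from the article).
"""
import json
from datetime import date

# Constructed stand-in for the downloaded KEV feed (the real one is far larger).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-36934", "product": "Windows", "dueDate": "2022-02-24"},
    {"cveID": "CVE-2016-3088", "product": "ActiveMQ", "dueDate": "2022-08-10"},
]})

# Constructed scanner output: CVE id plus CVSS score. The low-scoring ActiveMQ
# finding is in KEV; the high-scoring placeholder id is not.
SCAN_FINDINGS = [
    {"cve": "CVE-2021-36934", "cvss": 7.8},
    {"cve": "CVE-2016-3088", "cvss": 5.0},
    {"cve": "CVE-0000-0000", "cvss": 9.8},  # placeholder id, not in KEV
]

def load_kev(raw_json):
    """Index the catalog by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def triage(findings, kev, today_iso):
    """Return KEV hits ordered by federal due date, earliest (overdue) first.
    CVSS is carried along but never used for ranking: exploited beats severity."""
    today, hits = date.fromisoformat(today_iso), []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:          # not in KEV: leave to normal CVSS triage
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": f["cve"], "product": entry["product"], "cvss": f["cvss"],
                     "due": due, "overdue": due < today})
    return sorted(hits, key=lambda h: h["due"])

def build_passes(findings, kev, today_iso):
    """Pipeline gate: any KEV-listed finding fails the build, whatever its CVSS."""
    return not triage(findings, kev, today_iso)

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for h in triage(SCAN_FINDINGS, kev, "2022-03-01"):
        state = "OVERDUE" if h["overdue"] else "due"
        print(f"{h['cve']} ({h['product']}, CVSS {h['cvss']}): {state} {h['due']}")
    print("build passes:", build_passes(SCAN_FINDINGS, kev, "2022-03-01"))
```

In a real pipeline the catalog would be fetched fresh on each run, since the list changes as entries are added and removed.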
Aggressive patching can have a huge advantage
It is strongly recommended that you follow vulnerability announcements for all products you own, such as those from IBM, Cisco, Google, Microsoft, Apple, Oracle (or other companies), and prioritize those that are actively exploited.
IT asset management tools have become essential security tools, with their ability to discover installed products that you may have overlooked.
CISA has ordered federal organizations to apply patches quickly, sometimes with fairly short deadlines (weeks), which makes exploitable vulnerabilities less easy for attackers to find.
Private organizations are strongly encouraged to follow the same guideline to mitigate risk and plan updates, as these vulnerabilities are present in the same private sector products.
eSecurity Planet Editor Paul Shread contributed to this report