Where does ransomware attack? Three main pillars

David García    5 October, 2021

It all starts with a tweet from a researcher (Allan Liska from RecordedFuture) announcing that he is compiling a list of vulnerabilities currently being exploited by organised groups in ransomware operations.

It was, and still is, a good idea, so the good side of the Internet got to work, contributions began to arrive, and the set of vulnerabilities grew. In the end, a more or less stable picture was reached (we all know that in technology, years pass in days):

These are, to a large extent, to blame for many of today's headaches and multi-million losses. The list will change: some CVEs will drop off through exhaustion while new ones enter to replace the old, in a perverse cycle that seems to have no end.

If we take a good look at the image, we can see that they correspond to vulnerabilities in products that can reside in the network perimeter of our organisation as well as in the desktop systems or in the cloud.

The classification is heterogeneous, and it maps directly onto this other New Zealand CERT publication, which illustrates perfectly how a ransomware operation works in broad terms:

The table above belongs to the first, initial phase, where first contact takes place. Thus, for example, vulnerabilities affecting Microsoft Office are triggered through the chain “Email -> Malicious Document -> Malware”, while those affecting a product located at the perimeter of the network and exposed to the Internet fall under “Exploit software weaknesses”.

The connections do not end here. Vulnerabilities that are specific to operating systems often involve elevation of privileges that guarantee two main things: access and persistence; in the network: “Take control -> …”.

Once they have breached the perimeter, the focus shifts to discovering internal systems, exploiting them, taking control and elevating privileges. From this point onwards, the company's value, its data, is what is sought. And not just live data: there are also attempts to wipe out backups, the only viable remedy against ransomware once all preventive controls have failed.

In short, the basic pillars against which the criminal groups strike can be summarised in three points:

  1. Vulnerabilities that allow taking control of the device exposed to the Internet.
  2. The human factor as a point of failure exploitable by social engineering.
  3. Poor configuration and implementation.

The technical pillar (exploiting critical vulnerabilities)

In the first case, the control is prevention and early warning. As has been said many times, systems must always be up to date. There is no excuse. If we depend on a technology that is on its way out, the clock is ticking until it is replaced, so it is better to bring that replacement forward than to postpone it indefinitely.

Moreover, it is not just a matter of waiting for the manufacturer's patch; as soon as we hear of a new vulnerability, we must put some kind of countermeasure in place, taking it for granted that it is going to be exploited while we make our move.

There are infrastructures designed so that everything hinges on a particular point on the perimeter, and when that point falls, the consequences are devastating. We cannot place all the responsibility on a single control. Defence planning must take for granted that the compromise of that point in the network can occur at any moment. A machine being part of the internal network should not, by itself, engender trust. Imagine a stranger who pins a name tag on his shirt and walks around the departments of an office as he pleases.

In fact, a handful of vulnerabilities are only discovered when they are already wreaking havoc. In other words, a zero-day, discovered precisely because of its activity, is not detected by any antivirus solution or the like. There is no signature, it has not been seen before, it is not suspicious, and yet it knocks down computers and systems. You have to be mentally and technically prepared to deal with such a blow: your computers are properly updated and yet they are compromised.

The human pillar (phishing and social engineering in general)

In this case, we are talking about malware that needs the help of a human to act. This is no longer a vulnerability that can directly take control of a computer, or at least run as a process. What we have is an unwitting helping hand whose finger makes the terrible decision to double-click and trigger a cascade of actions that end badly.

That decision is made because false information has been provided that creates a situation perceived as safe by a person. A theatre. The king of this is email, but even now we have operations that are set up and run by posing as managers or department heads. Social engineering works. Always.

Does awareness-raising work as a countermeasure? It is paradoxical. Imagine in the Middle Ages a castle that wants to defend itself against a possible surprise takeover. The sergeant of the guard lectures the watchmen every night to be vigilant. A state of alertness is induced which the soldiers internalise, but which they end up normalising as they see that night after night nothing happens. Until the moment comes when the walls are stormed and they are caught… with their guard down despite the poor sergeant’s constant warnings and harangues.

Perhaps the problem is that we call awareness what we should call (and do as) training. Training is what generates a tailored response to a particular problem. Make your employees understand the problem they face. Give them the opportunity to learn through simulated exercises. If, instead of keeping them on continuous alert, the sergeant had trained his men with night raids, they might have interpreted the early signs of an invasion and would not now be under enemy fire.

Social engineering works not because you are not on continuous alert but because you do not know how to identify the right signals to detect that you are walking into a trap. Let’s remember that even in 2021, classic scams like the “pigeon drop” still work.

The pillar of carelessness (all (wrong) by default)

This type of breach lies somewhere between technical and human failure: the former for bringing to market a product or system whose default configuration is undemanding in terms of security, and the latter for deploying and integrating it without bothering to change the parameters or perform any hardening.

The clearest case is the system with an account that still has default credentials. There have been (and continue to be) hundreds of well-documented cases. When doing a pentest, there is always the phase of knocking on doors in the hope that one of the usual keys will open one.

A very glaring case is CVE-2000-1209, the classic Microsoft SQL Server with the ‘sa’ account and no password (or rather, a password of ‘null’), which filled audit and pentest reports for many years. In fact, in the early 2000s, several worms exploiting this oversight emerged.

Mirai also had a field day with this kind of oversight. The IoT botnet reached a large number of nodes thanks to a simple list of default accounts on all kinds of network systems, set up and left to their own devices on the Internet.

In the cinema, there is a very famous cliché in which one of the protagonists struggles with a door until he exhausts himself. Then another one of them, with a certain degree of mockery, approaches the door and opens it by simply turning the knob. The image should stick in our minds. We are giving cybercriminals the freedom to turn the knob and open the door.

It's an example that shows that sometimes it doesn't take much effort to find a zero-day vulnerability that allows arbitrary code execution. These are the worst, because it is an evil that could have been avoided in an extremely simple way: by changing the default password to a suitable, robust one.

Usually this happens for several reasons, for example: rushing to finish because of poor planning, staff not trained in cybersecurity, assuming the manufacturer ships a secure default configuration, the lack of a security policy (no guidelines, no controls), and so on.
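To turn this pillar into something a defender can check, here is an added example (not code from the original post) that audits an inventory export for accounts still carrying default or empty credentials. The inventory rows, the product names and the default-credential list are constructed for the demo; only the ‘sa’ no-password case comes from the text above.

```python
from dataclasses import dataclass
from typing import Optional
# Defaults the audit recognises, keyed by (product, username); constructed list.
KNOWN_DEFAULTS = {
    ("mssql", "sa"): {""},               # the 'sa' no-password case from the text
    ("iot-camera", "admin"): {"admin"},
    ("router", "admin"): {"password"},
}

@dataclass
class Account:
    host: str
    product: str
    username: str
    password: Optional[str]  # None models a NULL stored credential
    internet_exposed: bool

def normalise_password(pw: Optional[str]) -> str:
    # Treat NULL, blank and the literal string 'null' as "no password".
    if pw is None:
        return ""
    pw = pw.strip()
    return "" if pw.lower() == "null" else pw

def findings_for(acct: Account) -> list:
    """Weaknesses detected for one account, in a fixed order."""
    pw = normalise_password(acct.password)
    issues = []
    if pw == "":
        issues.append("empty-password")
    elif pw.lower() == acct.username.lower():
        issues.append("password-equals-username")
    key = (acct.product.lower(), acct.username.lower())
    if pw in KNOWN_DEFAULTS.get(key, set()):
        issues.append("vendor-default")
    return issues

def audit(accounts) -> list:
    """Findings for an inventory export, Internet-exposed hosts first."""
    report = [{"host": a.host, "user": a.username, "issues": findings_for(a),
               "severity": "critical" if a.internet_exposed else "high"}
              for a in accounts if findings_for(a)]
    return sorted(report, key=lambda r: r["severity"] != "critical")

SAMPLE = [  # constructed inventory rows for the demo
    Account("db01", "mssql", "sa", None, False),
    Account("cam7", "IoT-Camera", "admin", "admin", True),
    Account("fw1", "router", "admin", "c0rrect-h0rse-8attery", True),
    Account("app2", "linux", "deploy", "NULL", False),
]
```

Running `audit(SAMPLE)` lists the exposed camera first, then the two internal hosts, and leaves the properly configured router out of the report.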

As we have seen, ransomware comes in through the door at the slightest opening. Once inside, it makes itself at home while we let our guard down, and finally, when it is perhaps too late, it ruins us on a scale ranging from a bad afternoon to a complete business shutdown.

Identifying possible avenues of entry and the techniques used on them is a fundamental skill to learn in order to plan our defence. Either that, or give in to luck and hope we never draw the winning ticket in the lottery whose number reads: “All your files have been encrypted…”.
