You're reading from Windows Ransomware Detection and Protection

Product type Book

Published in Mar 2023

Publisher Packt

ISBN-13 9781803246345

Pages 290 pages

Edition 1st Edition

Languages

Concepts

Cybersecurity

Author (1):

Marius Sandbu

Table of Contents (16) Chapters

Preface

1. Part 1:Ransomware Basics

2. Chapter 1: Ransomware Attack Vectors and the Threat Landscape

3. Chapter 2: Building a Secure Foundation

4. Part 2:Protect and Detect

5. Chapter 3: Security Monitoring Using Microsoft Sentinel and Defender

6. Chapter 4: Ransomware Countermeasures – Windows Endpoints, Identity, and SaaS

7. Chapter 5: Ransomware Countermeasures – Microsoft Azure Workloads

8. Chapter 6: Ransomware Countermeasures – Networking and Zero-Trust Access

9. Chapter 7: Protecting Information Using Azure Information Protection and Data Protection

10. Part 3:Assume Breach

11. Chapter 8: Ransomware Forensics

12. Chapter 9: Monitoring the Threat Landscape

13. Chapter 10: Best Practices for Protecting Windows from Ransomware Attacks

14. Index

Why subscribe?

15. Other Books You May Enjoy

Attack vectors

So far, we have taken a closer look at some of the attacks and tactics that different ransomware operators are using. Now, let’s take a closer look at some of the main attack vectors that most ransomware operators use to gain initial access.

An attack vector is best described as one of the paths that an attacker can use to try and gain access to an environment.

For ransomware attackers to be able to distribute the payload, they must go through different stages before they can launch the attack. The main attack pattern is where the attackers first gain initial access using one of the different attack vectors, which may be a compromised end user machine or infrastructure. Then, they use different techniques to try and move around the network using credentials that allow them to access other parts of the network or utilize some form of vulnerability. Then, they use different tooling or scripts to give them persistent access to the environment. Once they have been able to gain full access to the environment, they use scripts or other methods to run the payload across the infrastructure to gain further access:

Figure 1.2 – The typical attack pattern in a ransomware attack

So, how do they get their foot in the door of our infrastructure?

The following are some of the main methods.

Exploiting known vulnerabilities

This is where attackers utilize some form of vulnerability in an external service. This could be that the attacker is trying to gain access using some form of Remote Code Execution (RCE). In the last few years, we have seen many different vulnerabilities that have been used to launch ransomware attacks. Some of the products that have been victims of these attacks are as follows:

Citrix ADC
Microsoft Exchange
Fortinet
Pulse VPN
SonicWall

Important note

A good source for seeing some of the known traffic patterns that I’ve been using for years is Bad Packets on Twitter, which has a good feed that looks at current traffic that is trying to abuse vulnerable endpoints across different services. I recommend that you add that as a source to pay attention to: https://twitter.com/bad_packets. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has made a list of known exploited vulnerabilities that can be found here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

One of the biggest vulnerabilities that was disclosed last year was ProxyShell, which used multiple vulnerabilities within Microsoft Exchange. Many security researchers were quick to provide proof-of-concept exploits using simple Python/PowerShell scripts, as seen here: https://github.com/horizon3ai/proxyshell.

This chain of vulnerabilities could allow attackers to access mailboxes stored in Exchange and also provide web shell access to the Exchange Client Access servers.

Vulnerabilities are not only used for initial access but are also used to do lateral movement. In the summer of 2021, a new vulnerability was disclosed that was a weakness in the Print Spooler service (also known as PrintNightmare) within Windows that allowed attackers to run privileged file operations on the operating system.

This meant that attackers could run arbitrary code with system privileges, both locally and remotely. Attackers that had managed to compromise an end user machine could use this vulnerability to gain further access to the infrastructure, such as domain controllers that were running the Print Spooler service.

Access through credential stuffing

Credential stuffing is where the attackers automate the process of injecting stolen username and password pairs or just try to log in against different online services. Most end users are creatures of habit and tend to reuse their usernames and passwords across many third-party services or websites. When those third-party services get breached, the end user’s information – or worse, credentials – gets compromised. In many cases, attackers dive into the different data sources from those attacks to see whether they can find any reusable credentials that they can use to try and access any external services that an organization might have.

One good way of seeing whether you have leaked credentials is by using the online service https://haveibeenpwned.com, where you can enter your email address and it will check through the different data sources to see whether your information has been leaked and what kind of data sources it was contained in.

haveibeenpwned.com also has a free domain notification service, which means that you can get notified if one of your users within a domain was in a data breach, which I also highly recommend that you sign up for.

Other services can provide similar features to detect whether a username or password has been comprised, such as the following:

F-Secure ID PROTECTION
Google Password Manager
Microsoft Edge Password Monitor

In addition to this, many attackers are also carrying out phishing attacks with the aim of harvesting credentials, such as sending end users to a fake Office 365 site to collect usernames and passwords.

A new attack method that is becoming more and more common is the use of OAuth phishing against Azure Active Directory (AD), where attackers send spoofed Microsoft 365 login pages. When the user clicks on the link to provide the application access, the end user is greeted with a Permissions requested dialog:

Figure 1.3 – OAuth permission screen for a phishing attack

If the user clicks on Accept, the attacker will be able to get access to their profile in Office 365, which might also include access to emails and files, depending on what kind of permissions are granted.

Access through brute-force attacks

One of the most common attack vectors that we see is brute-force attacks on misconfigured services, such as attacks on a Windows server that is publicly exposed with Remote Desktop Protocol (RDP) enabled. This can also be any exposed service that has weak security mechanisms, such as a lack of MFA, which RDP has by default, making it susceptible to attacks.

With one customer I was working with, the initial point of compromise was an exposed Windows Server in Azure that had a public IP address and RDP enabled. Since the machine was also domain-joined and had a weak local administrator account password, it did not take a lot of time for the attackers to guess the correct combination of usernames and passwords and gain access to the environment.

As we have also seen that in cloud-based environments, attackers often have a predefined set of credentials that they use when they are doing brute-force attacks for known IP ranges. Azure environments typically use a combination of usernames such as AZADMIN/AZUREADMIN/AZURE with different combinations of passwords. An automated attack typically starts within minutes of when the machines come online in Azure.

Access through a compromised workstation or end user machine

One of the most common entry points of ransomware attacks is through a compromised end user machine. This is usually triggered when the user opens an attachment that they received or by visiting a website and from there running some form of executable.

This mostly happens because an end user receives malicious attachments from a phishing email, or by drive-by downloads. The malicious content can be a Word document containing scripts or other malicious content or Excel documents with macros.

These phishing emails are usually delivered in short campaigns. Over 60 days, Akamai observed more than 2,000 million unique domains associated with malicious activity. Of those, close to 90% had a lifespan of fewer than 24 hours, and 94% had a lifespan of fewer than 2 days. Therefore, it makes it extremely difficult to block using DNS protection services. Palo Alto also states that the majority of (close to 70%) Newly Registered Domains (NRDs), where there are an average of 140,000 domains created yearly that are associated with malicious or suspicious traffic.

The phishing emails and attachments either use malicious scripts or macros that typically contain the use of a vulnerability to be able to get access to the machine. In most cases, it requires that the end user opens the attachment and enables the content or triggers the macros. However, in August 2021, Microsoft identified a small number of attacks that were using a RCE vulnerability in MSHTML, which is the HTML engine built into Windows.

This specific vulnerability only required that the user viewed the file or document in Windows Explorer to trigger the payload to run.

Another example that I saw during COVID and with people working from home was that many employees would use their work machines directly connected to their home router, in doing so getting a public IP address on their machine from the ISP. This meant that they became susceptible to brute-force attacks if, for instance, RDP was enabled on their client machine. Make sure that RDP/SMB is not enabled and outbound firewall rules are in place unless they are specifically needed.