DHS Alerts to Ransomware Campaign Targeting Remote Access Systems
Hackers are targeting enterprise networks through remote access systems, like RDP and VPNs, through unpatched systems and those lacking multi-factor authentication, as a foothold for later ransomware attacks.
By - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an alert, urging enterprise organizations to review recent insights from the New Zealand Computer Emergency Response Team (CERT NZ) on a new ransomware campaign targeting enterprise networks through remote access systems.
Malicious actors are actively targeting remote access tools, such as the remote desktop protocol (RDP) and Virtual Private Networks (VPNs) to exploit systems with unpatched vulnerabilities and weak authentication practices.
NZ CERT confirmed that hackers have indeed accessed organizations through these vulnerabilities, which have been leveraged for ransomware attack opportunities. As those areas are key weaknesses for many providers in the healthcare sector, the campaign could prove problematic for those organizations.
Hackers gain access through weak passwords, a lack of multi-factor authentication, or unpatched remote access systems. Citrix remote access technologies, which CISA alerted to earlier this year, are also a common way for hackers to gain access to enterprise networks.
Once inside the network, the threat actors use tools like Cobalt Strike, mimikatz, and psexec to elevate privileges, move laterally across the network, and establish persistence.
“From there, any system on the network may be affected,” NZ CERT officials explained. “The current attacks are believed to be sophisticated and well-crafted. These attacks can have severe impacts on business operations, including data being stolen and sold.”
“Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup,” they added.
These attackers identify and extract sensitive information from the network before encrypting files. The attack method bears hallmark to earlier campaigns outlined by both Microsoft and CISA. The CISA alert warned hackers were compromising patched VPNs with stolen credentials, and finding success given the prevalence of password reuse.
The Nefilim ransomware variant is commonly used in these attacks, but NZ CERT has also detected other ransomware families. But once the attacker has exfiltrated the targeted data, they move to sell or publicly release the information. The method was first made popular by the Maze hacking group, which often targets the healthcare industry.
What’s worse about the latest campaign is that due to the access hackers are able to obtain in these attacks before the ransomware is deployed, restoring data from backups won’t resolve the problem.
Victim organizations will then need to employ an in-depth investigation of potentially compromised systems to fully eradicate the hackers from their systems. Additional security measures will also be needed to improve security after the attack.
To prevent falling victim, organizations will need to check their remote access systems for signs of unauthorized access. If access is detected, IT or security leaders will need to perform a detail investigation to determine if lateral movement has been accomplished.
All systems should be up-to-date with all security patches, and IT leaders must ensure strong authentication measures are enforced. NZ CERT also recommended the use of network segmentation and whitelisting for vulnerable platforms, as it makes it more difficult for hackers to move laterally across the network.
Lastly, as stressed by many security leaders, well-configured backups are crucial to recovering from ransomware attacks.
Healthcare organizations can also review guidance from the American Medical Association and the American Hospital Association, designed to help entities support the influx in telework and telehealth amid the COVID-19 pandemic.
