Exploitation of known vulnerabilities in public-facing apps is now the main entry vector for ransomware, with CVEs in Zoho ManageEngine, Microsoft Exchange Server, Citrix and Cisco VPN highlighted. Attackers are expanding toolsets (including BYOVD) and adapting to disruption, signaling a persistent and evolving threat. #Noberus #StealBit #HopToDesk #TrueSightKiller #GhostDriver #Conti
Keypoints
- The main infection vector for recent ransomware incidents is exploiting known public-facing vulnerabilities, including CVE-2022-47966 (Zoho ManageEngine), Exchange Server vulnerabilities, Citrix Bleed (CVE-2023-4966), and Cisco VPN-related CVEs.
- There is a growing use of dual-use tools and Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and facilitate operations.
- New tools appearing in ransomware campaigns include HopToDesk, TrueSightKiller, GhostDriver, and StealBit, reflecting a broader toolkit beyond traditional ransomware.
- Noteworthy techniques include Esentutl-based dumping of browser credentials and extraction of credentials protected by Microsoft's Data Protection API (DPAPI).
- Ransomware remains a persistent, adaptive threat in 2024 and beyond, with actors reorganizing to counter disruption and pursue payload deployment.
- Protection guidance remains available via Symantec Protection Bulletin, emphasizing ongoing defense updates.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to compromise systems by exploiting publicly facing vulnerabilities; “The evidence from recent ransomware investigations suggests that exploitation of known vulnerabilities in public facing applications is now the main vector for ransomware attacks.”
- [T1003] Credential Dumping – Esentutl – “Dumping credentials using the Windows command-line tool that provides database utilities for the Extensible Storage Engine (ESE). A known technique, in recent weeks attackers have been using it to dump browser credentials.”
- [T1003.001] DPAPI Credential Dumping – “Using malicious tools to extract and decrypt sensitive user credentials stored using Microsoft’s Data Protection API (DPAPI).”
- [T1562.001] Disable Security Tools – “Tools leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique are also currently popular among attackers.”
- [T1021.001] Remote Services – HopToDesk – “HopToDesk: A publicly available remote desktop tool… Remote desktop tools are frequently used by ransomware actors, with the most popular being: Atera, AnyDesk, and Splashtop.”
- [T1041] Exfiltration – StealBit – “StealBit appeared to have fallen out of favour among LockBit affiliates for some time. However, usage of the tool resumed in early 2024, where it was deployed in two separate LockBit attacks.”
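As an added defensive illustration for the Esentutl technique listed above (example code written for this summary, not Symantec's or any project's own code): it scans constructed Sysmon-style process-creation records for esentutl.exe run in /y file-copy mode against browser credential stores, flagging shadow-copy (/vss) reads separately. The event field names and the list of store file names are assumptions.

```python
import re

# Constructed Sysmon Event ID 1-style records (not real telemetry), as a
# detection engine would receive them: Image plus CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\Public\ld.tmp /o'},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /y /vss "C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /d C:\Temp\c.db'},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /p "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report.edb" /o'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\alice\Documents\notes.txt" C:\Temp'},
]

# Browser credential and cookie stores. Assumed list for this example; extend per
# environment. esentutl /y copies any file, and /vss lets it read a file the browser
# holds locked by going through a volume shadow copy.
BROWSER_CRED_STORES = re.compile(
    r"\\User Data\\[^\\\"']+\\(Login Data|Cookies|Web Data)\b"      # Chromium-based browsers
    r"|\\Profiles\\[^\\\"']+\\(logins\.json|key4\.db|cookies\.sqlite)\b",  # Firefox
    re.IGNORECASE,
)

def detect_esentutl_credential_copy(events):
    """Return one finding per esentutl.exe invocation that copies a browser credential store."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if not image.endswith("\\esentutl.exe"):
            continue
        # Switches start with '/'; quoted paths never do, so splitting on whitespace is safe here.
        flags = {tok.lower() for tok in cmd.split() if tok.startswith("/")}
        if "/y" not in flags:  # /p, /g, /d etc. are ordinary ESE maintenance; /y is raw file copy
            continue
        match = BROWSER_CRED_STORES.search(cmd)
        if match:
            findings.append({
                "CommandLine": cmd,
                "store": match.group(0).rsplit("\\", 1)[-1],
                "shadow_copy": "/vss" in flags,
                "technique": "T1003",  # mapping as used in the summary above
            })
    return findings

if __name__ == "__main__":
    for f in detect_esentutl_credential_copy(SAMPLE_EVENTS):
        print(f"[{f['technique']}] store={f['store']} vss={f['shadow_copy']} :: {f['CommandLine']}")
```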
Indicators of Compromise
- [File hash] StealBit-related IOCs – 7ebe51d5a48cc3c01878e06c6db3f4f0189c4f9788bfe57b763b03f4ab910e26, ce26642327aa55c67a564f695ae3038d5afee9b8d14bb5146bf30dd0f1af24e5 and 2 more hashes
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits