Tactics and techniques in ransomware attacks

by Mark Rowe

Businesses must now defend against ransomware attackers exploiting legitimate software, writes Andy Thompson, pictured, Offensive Research Evangelist at researchers CyberArk Labs.

The year 2023 was yet another highly impactful one for ransomware attacks, with over 72 per cent of businesses worldwide affected and cyber-attackers making millions of pounds in the first six months alone. As a result, more bad actors globally have started looking for new ways to exploit legitimate software to inject malware – aiming to continue this cash stream into 2024.

Misusing the tools that companies already use can help attackers go unnoticed during their initial investigations, as well as assist them in gaining more privileges and maintaining a persistent presence. When combined with ransomware as a service (RaaS), this approach makes it easier for attackers to conduct malicious activities without having to create their own malware. It eliminates the need for specialised skills, resources and time, allowing more adversaries to enter the scene and cause greater harm.

Not only do cybercriminals target business software, but they also take advantage of weaknesses in Open Source Software (OSS). They insert their own harmful elements into OSS and even use it instead of creating custom malware. A recent warning from the US Cybersecurity and Infrastructure Security Agency (CISA) highlights that the LockBit operation is using legitimate, free software for various malicious activities, such as network discovery, remote access, tunnelling, credential theft and file exfiltration.

If attackers use legitimate tools, conventional endpoint security solutions are unlikely to detect them unless there are behaviour analytics capabilities that can identify unusual logins, privilege escalation, program execution or other risky activities.

Exploiting software

Ransomware actors increasingly use legitimate software to their advantage at various stages of the attack lifecycle. They employ many different tactics, techniques and procedures to advance their missions, including the examples highlighted below.

Initial Infection:
Securing initial access presents a diverse range of options for attackers. Some exploit known vulnerabilities (tracked as CVEs) in susceptible targets. Others resort to stealing, forging, altering or manipulating cookies from users’ web sessions. Alternatively, they employ phishing emails to deceive users into downloading genuine applications.

Persistence:
Attackers leverage legitimate software to establish backdoors, ensuring persistence and command and control. This involves manipulating these tools to bypass Multi-Factor Authentication (MFA), or to modify or disable existing security tools to avoid detection, from terminating endpoint detection and response (EDR)-protected processes to modifying or deleting registry keys or configuration settings. In instances like the RMM ransomware attacks mentioned earlier, threat actors utilised portable executables within the software to gain access without requiring local admin privileges or a complete software installation.

Many default software programs on a machine become potential targets for hijacking, guaranteeing the execution of malicious programs. Application features such as task schedulers are also abused for maintaining persistence, launching programs or scripts at specified times.
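The behaviour analytics the article calls for can be made concrete with a small rule set over endpoint events. The following is an added example written for this article, not CyberArk's or the author's code: it looks at constructed records modelled on Windows Security events (4698 for a scheduled task being created, 4688 for a new process) and flags tasks whose action lives outside admin-only directories or launches a script host, plus process creations that try to stop or kill security tooling. The event field names, the trusted-directory list, the script-host list and the placeholder security product names are all assumptions.

```python
"""Flag scheduled-task persistence and security-tool tampering in endpoint events.

Added example for this article, not CyberArk's or the author's code. The event
records are constructed to resemble Windows Security log fields (4698 = scheduled
task created, 4688 = new process); the field names are simplified assumptions.
"""
import re

# Directories a scheduled task's action normally lives in; standard users should
# not be able to write here. Anything else is treated as suspect (assumed list).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Interpreters often used to launch scripts from a task (assumed list).
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
# Service-stop / process-kill commands, matched case-insensitively.
TAMPER_RE = re.compile(r"\b(sc(\.exe)?\s+(stop|delete)|net(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)
# Substrings identifying security tooling; placeholders, not real product names.
SECURITY_NAMES = ("edr", "sense", "defender", "av")

# Constructed events, one dict per record.
EVENTS = [
    {"id": 4698, "host": "WS01", "user": "alice", "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Scan",
     "action": '"C:\\Windows\\System32\\UsoClient.exe" StartScan'},
    {"id": 4698, "host": "WS01", "user": "alice", "task": "\\Updater",
     "action": '"C:\\Users\\alice\\AppData\\Roaming\\svc.exe" -q'},
    {"id": 4698, "host": "WS02", "user": "bob", "task": "\\Sync",
     "action": "powershell.exe -w hidden -File C:\\Users\\bob\\sync.ps1"},
    {"id": 4688, "host": "WS02", "user": "bob", "command_line": "sc.exe stop SenseSvc"},
    {"id": 4688, "host": "WS01", "user": "alice", "command_line": "net stop Spooler"},
]


def executable_of(action):
    """Return the executable path from a task action string (quoted or not)."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split()[0]


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def analyse_event(ev):
    """Return the list of findings for one event (empty when nothing is suspect)."""
    findings = []
    if ev["id"] == 4698:
        exe = executable_of(ev["action"])
        name = exe.rsplit("\\", 1)[-1].lower()
        if not is_trusted_path(exe):
            findings.append("task action outside trusted directories")
        if name in SCRIPT_HOSTS:
            findings.append("task launches script host")
    elif ev["id"] == 4688:
        cmd = ev["command_line"]
        if TAMPER_RE.search(cmd) and any(n in cmd.lower() for n in SECURITY_NAMES):
            findings.append("stop/kill aimed at security tooling")
    return findings


def scan(events):
    """Run every event through analyse_event and collect the ones with findings."""
    alerts = []
    for ev in events:
        findings = analyse_event(ev)
        if findings:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "event": ev["id"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f'{a["host"]} {a["user"]} event {a["event"]}: {"; ".join(a["findings"])}')
```

The legitimate UsoClient task and the `net stop Spooler` command pass untouched; the task pointing into a roaming profile, the hidden PowerShell task and the attempt to stop a (placeholder) sensor service are the three records a defender would want surfaced. Path-based rules only hold if the trusted directories really are admin-writable only, so check the ACLs before relying on that list.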

Privilege Escalation:
User Account Control (UAC) protects Windows operating systems, prompting for admin credentials on any attempt to run a program as an administrator. While most ransomware doesn’t demand admin rights, attackers often focus on bypassing UAC to elevate access and establish persistence.

Lateral Movement:
Certain tools inadvertently facilitate malicious privilege escalation and lateral movement. Examples include AdFind, a command-line query tool for Active Directory, and AdvancedRun, which enables privilege escalation by altering settings before running software. Additionally, various Windows features functioning as remote procedure call (RPC) servers become vulnerable points for lateral movement when abused by attackers.

Encryption:
Encryption serves both as a protective tool and a weapon. Encryption tools hide data from unauthorised users, but attackers can also weaponise them as ransomware. Legitimate access to encrypted data can be compromised to bypass encryption controls.

Data Exfiltration:
Ransomware operators employing double-extortion techniques often use legitimate backup tools or similar programs for data exfiltration. Recent research by CyberArk Labs noted the use of Discord, a popular collaboration app, for data exfiltration via webhooks. Malicious actors are also adapting their tools to target multiple platforms and operating systems. For instance, they employ the cross-platform language Rust to target Linux. macOS is not exempt, with attackers exploiting Find My iPhone to infect Apple devices.
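The Discord webhook channel mentioned above is easy to miss because the destination is a popular, legitimately used service; what gives it away is the volume of data posted to webhook endpoints from a single host. The following is an added example for this article, not CyberArk's or the author's code: it parses constructed web-proxy records, aggregates POSTs to Discord webhook URLs per host, and flags hosts that exceed a request count or byte threshold. The log format (one space-separated record per request with a `bytes_out` field) and the thresholds are assumptions.

```python
"""Spot bulk uploads to Discord webhooks in web-proxy logs.

Added example for this article, not CyberArk's or the author's code. The log
format (one space-separated record per request, with a bytes_out field) and the
thresholds are assumptions; the records themselves are constructed.
"""
import re
from collections import defaultdict

# Webhook endpoints on Discord's domains (discord.com and discordapp.com).
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) bytes_out=(?P<out>\d+)$"
)
# Per-host thresholds for the analysed window (assumed values).
MAX_WEBHOOK_POSTS = 5
MAX_WEBHOOK_BYTES = 1_000_000

# Constructed proxy records: a small bot notification from WS01, a benign image
# download from WS03, a malformed record, and six 8 MB uploads from WS02.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z WS01 10.0.0.11 POST https://discord.com/api/webhooks/1001/tokenA 204 bytes_out=2048",
    "2024-01-15T10:03:40Z WS03 10.0.0.13 GET https://cdn.discordapp.com/attachments/1/2/image.png 200 bytes_out=512",
    "2024-01-15T10:03:41Z WS02 malformed record",
] + [
    f"2024-01-15T10:0{i}:00Z WS02 10.0.0.12 POST https://discord.com/api/webhooks/2002/tokenB 204 bytes_out=8388608"
    for i in range(4, 10)
]


def parse(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["out"] = int(rec["out"])
    return rec


def webhook_summary(lines):
    """Aggregate POSTs to webhook URLs per host: request count, bytes sent, distinct URLs."""
    summary = defaultdict(lambda: {"posts": 0, "bytes": 0, "urls": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or not WEBHOOK_RE.match(rec["url"]):
            continue
        s = summary[rec["host"]]
        s["posts"] += 1
        s["bytes"] += rec["out"]
        s["urls"].add(rec["url"])
    return dict(summary)


def flagged_hosts(lines):
    """Hosts whose webhook traffic exceeds either threshold, sorted by name."""
    return sorted(
        host for host, s in webhook_summary(lines).items()
        if s["posts"] >= MAX_WEBHOOK_POSTS or s["bytes"] >= MAX_WEBHOOK_BYTES
    )


if __name__ == "__main__":
    for host, s in webhook_summary(SAMPLE_LOG).items():
        print(host, s["posts"], "posts,", s["bytes"], "bytes to", len(s["urls"]), "webhook(s)")
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

Only WS02 is flagged: the single small notification from WS01 stays below both thresholds and the image download from WS03 is not a webhook POST at all. In production the same aggregation would run per time window and the thresholds would be tuned to whatever legitimate bot traffic the organisation actually has.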

The crucial role of application control in ransomware defence

This trend underscores the fact that endpoints play a central role in ransomware attacks, emphasising the importance of least privilege and behavioural analytics. An identity-centric defence-in-depth approach, encompassing fundamental security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR) email security and patching, is crucial. Application control emerges as the linchpin – regardless of the ransomware variety, prevention hinges on the ability to execute or deploy ransomware.
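To show why application control is the linchpin, here is an added example for this article (not CyberArk's or the author's code) of the decision an allow-list policy makes when something asks to run: a binary is allowed if its SHA-256 hash is on a vetted list or if it sits in a directory only administrators can write to, and is denied otherwise. Real products also evaluate publisher signatures and user or group scope; this models only those two rule types. The file paths and contents are constructed in memory, nothing is read from disk, and the protected-directory list is an assumption.

```python
"""A minimal application-control decision: allow by known hash or protected location, deny the rest.

Added example for this article, not CyberArk's or the author's code. Real
products also evaluate publisher signatures and user/group scope; this models
only the two rule types named here. File paths and contents are constructed
(no files are read from disk).
"""
import hashlib

# Directories that only administrators can write to (assumption; verify ACLs
# before relying on a path rule, since a user-writable subfolder breaks it).
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed in-memory "files": path -> executable bytes.
FILES = {
    "C:\\Program Files\\Vendor\\backup.exe": b"MZ vendor backup tool (constructed)",
    "C:\\Tools\\adfind.exe": b"MZ vetted admin tool (constructed)",
    "C:\\Users\\alice\\Downloads\\rmm-portable.exe": b"MZ portable remote-management client (constructed)",
    "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe": b"MZ unknown binary with a trusted-looking name (constructed)",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Policy:
    """Allow-list policy: hash rules first, then protected-path rules, then default deny."""

    def __init__(self, allowed_hashes, protected_dirs=PROTECTED_DIRS):
        self.allowed_hashes = set(allowed_hashes)
        self.protected_dirs = tuple(d.lower() for d in protected_dirs)

    def decide(self, path, content):
        """Return (allowed, reason) for a request to execute `content` found at `path`."""
        digest = sha256_hex(content)
        if digest in self.allowed_hashes:
            return True, "hash allow-listed"
        if path.lower().startswith(self.protected_dirs):
            return True, "located in an admin-only directory"
        return False, "default deny: unknown binary outside protected directories"


def evaluate_all(policy, files):
    """Decide every constructed file and return {path: (allowed, reason)}."""
    return {path: policy.decide(path, data) for path, data in files.items()}


# Vetted tools are allow-listed by hash, so they run wherever their bytes are
# unchanged, while a different build carrying the same file name does not.
POLICY = Policy(allowed_hashes={sha256_hex(FILES["C:\\Tools\\adfind.exe"])})

if __name__ == "__main__":
    for path, (ok, why) in evaluate_all(POLICY, FILES).items():
        print("ALLOW" if ok else "DENY ", path, "-", why)
```

The two denials are the cases the article describes: a portable RMM client that was never installed and so never vetted, and an unknown binary hiding behind a system file name in a user profile. Note that the hash rule follows the bytes, not the location, so a byte-identical copy of the vetted AdFind build would still run from a desktop folder; if that tool should be confined to administrators, the rule needs a user or group scope as well.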


© 2024 Professional Security Magazine. All rights reserved.