Since the start of the ransomware epidemic, cybercriminals’ preferred method of attack always been phishing. Email security and user behavior were not advanced as they are today, and people being careless about checking before they click led to many ransomware infections. These days, with the advent of machine learning, AI-based e-mail security such as Barracuda Email Protection, and improved user awareness due to an increase in training and better awareness of security issues, the phishing vector is no longer as effective for ransomware criminals as it used to be.
This has left ransomware gangs with the need to find new attack vectors. As a result, they have started looking at web applications, which are generally under-protected, as one of the more promising targets for their nefarious acts. This has been seen in multiple cases over the last couple of years, notably starting with the ProxyShell vulnerabilities that happened in 2021.
Let's take a quick look at two of the ransomware groups that are now using application vulnerabilities as the preferred attack vector: BlackByte and CL0P.
What you need to know about BlackByte
The BlackByte ransomware group was recently in the news because the Microsoft Incident Response team published an article detailing a five-day window in which these attackers breached a web application and ended up encrypting devices across the environment.
BlackByte gained initial access into the victim’s environment by exploiting the ProxyShell vulnerabilities on unpatched Microsoft Exchange Servers. These vulnerabilities were first discovered in 2021 and have become a rather favorite among attackers who want to get into corporate networks.
The BlackByte group then exploited the vulnerability to attain system leverages on the compromised Exchange Servers. So, clearly the Exchange Servers had not been patched, despite the amount of time that has passed since the vulnerability was uncovered. Then, the BlackByte attackers elevated privileges, created a web shell, and used that web shell to obtain remote control on the Exchange Servers. The Microsoft article goes into great detail about how the persistence was achieved and how data was encrypted and exfiltrated, and it makes for a great read.
However, the thing that matters the most here is the initial access. The initial access was through a public-facing web application — Exchange Server. The reason BlackByte did this is that these web applications are often under-protected. Attackers don't need an end user to click on something to perform their next steps. They can gain access, elevate privileges, deploy a web shell, and start the entire process without an end user clicking on a link. This is what makes web applications a very potent attack vector for ransomware groups.
What you need to know about CL0P
The CL0P ransomware group has also been in the news for over a year for exploiting web vulnerabilities. While they started with sending out phishing emails to deliver ransomware, they’ve since pivoted to using web vulnerabilities to gain initial access. Since 2021, when they first targeted the Accelion File Transfer Appliance, they seem to have moved specifically to using zero-days in similar managed file transfer software — with high-profile hacks of users of GoAnywhere MFT and more recently MOVEit software. This makes sense — what matters most to the ransomware operators is data that is exfiltrated and ransomed.
Ransomware groups these days are much more capable. They are well-funded, well-resourced, and have a large number of “employees.” Gone are the days of waiting for a zero-day to be dropped before they take advantage of it. In the case of the MOVEit vulnerability, it is suspected that CL0P was aware of the zero-day for days before it was publicly announced. The number of organizations breached in each of these attacks is also quite high. Currently the claimed number for the GoAnywhere breach is 135, and for the MOVEit breach it is about 160.
How to stay ahead of attackers
Web applications often harbor zero-days that are unknown for many years before suddenly becoming public in a blaze of infamy. The best way to keep on top of these attacks and prevent becoming a victim to apply patches immediately. However, many admins need time to patch, and they need air cover while they test out and patch their systems. Barracuda Application Protection provides comprehensive Web Application and API Protection for applications hosted anywhere. It prevents OWASP Top 10 web and API attacks, zero-day attacks, DDoS, bots, and much more.