Cyber insurance and security services company Coalition has published a new report identifying the most frequent initial access vectors in ransomware attacks. Based on a review of claims, Coalition found compromised perimeter security devices, such as virtual private network (VPN) appliances or firewalls, to be the most frequently used technology, appearing in 6 of 10 ransomware attacks. The most frequently compromised products were perimeter security devices from Cisco, Fortinet, Palo Alto Networks, and SonicWall. Two of 10 ransomware attacks involved remote desktop software; 80% of these involved Microsoft’s Remote Desktop Protocol (RDP). Email was the third most exploited solution, and most email-related breaches were caused by social engineering attempts such as phishing.
The most frequent attack vector was compromised credentials, usually for VPNs and RDP, which give threat actors privileged access to internal systems. A review of activity records showed that 42% of attacks used brute force tactics: the attackers made thousands of unsuccessful attempts before guessing the right username and password. Credentials can be compromised in other ways as well, such as through phishing attacks or malware infections. Although Coalition could not determine exactly how credentials were exposed in the non-brute-force attacks, recent reports from cybersecurity companies have highlighted the growing threat from infostealer malware. Microsoft recently reported an infostealer campaign by the Storm-0408 threat group, which uses malvertising to redirect users to malware hosted on GitHub. Microsoft observed a million infostealer infections through the campaign.
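As an added example that is not part of Coalition's report, the following Python detection logic looks for the brute-force pattern described above, many failed VPN or RDP logins from one source followed by a success, and also reports sources that are still failing. The log line format and the sample lines are constructed for illustration and do not correspond to any vendor's real syslog output.

```python
# Added example (not Coalition's code): flag the brute-force pattern the report
# describes, many failed VPN/RDP logins from one source followed by a success.
# Log line format is constructed for illustration, not any vendor's real syslog.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|rdp) (?P<result>AUTH_FAIL|AUTH_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def _constructed_log():
    """Sample auth log (constructed; IPs are from documentation ranges)."""
    lines = []
    # Guessing against the VPN portal: 8 failures, then a correct guess.
    for i in range(8):
        lines.append(f"2024-02-10T03:10:{i:02d}Z vpn AUTH_FAIL user=guess{i} src=203.0.113.7")
    lines.append("2024-02-10T03:10:08Z vpn AUTH_OK user=jsmith src=203.0.113.7")
    # A legitimate user mistypes twice, then logs in: stays below the threshold.
    lines.append("2024-02-10T08:00:00Z vpn AUTH_FAIL user=amy src=198.51.100.4")
    lines.append("2024-02-10T08:00:05Z vpn AUTH_FAIL user=amy src=198.51.100.4")
    lines.append("2024-02-10T08:00:09Z vpn AUTH_OK user=amy src=198.51.100.4")
    # Guessing against an exposed RDP endpoint with no success so far.
    for i in range(7):
        lines.append(f"2024-02-10T09:30:{i:02d}Z rdp AUTH_FAIL user=administrator src=192.0.2.9")
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

def analyze(log, fail_threshold=5):
    """Return (confirmed, ongoing): confirmed = (svc, src, user, fails) for a
    source that failed >= fail_threshold times and then succeeded; ongoing =
    (svc, src, fails) for a source still failing at the end of the log."""
    fails = defaultdict(int)  # (svc, src) -> failures since last success
    confirmed = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        key = (m["svc"], m["src"])
        if m["result"] == "AUTH_FAIL":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            confirmed.append((m["svc"], m["src"], m["user"], fails[key]))
        fails[key] = 0  # a success resets the counter for that source
    ongoing = [(s, ip, n) for (s, ip), n in fails.items() if n >= fail_threshold]
    return confirmed, ongoing
```

A confirmed hit is the higher-priority alert, since the account that finally succeeded should be treated as compromised; an ongoing hit is the moment to block the source and check that MFA is enforced on the panel.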
To use compromised credentials, at least one Internet-exposed login panel is required. Information from customers seeking cyber insurance indicated that 65% had at least one exposed login panel. The most frequently discovered exposed logins were:
- Cisco VPN+ devices (10%)
- SonicWall VPNs (9%)
- Microsoft email (8%)
- VPNs and VPN+ devices from Palo Alto Networks
- Fortinet and Citrix (6%-7%)
Compromised credentials for a Citrix panel without multifactor authentication allowed BlackCat ransomware to access Change Healthcare’s systems in February 2024. According to Coalition, misconfigured Citrix panels resulted in around $1 billion in losses in 2024, more than any other CVE.
The second most common attack vector was vulnerability exploitation, with many vulnerabilities exploited for initial access. The most commonly exploited were CVEs in Fortinet, Ivanti, and Cisco devices, and vulnerabilities in Microsoft Exchange Server. The third most common attack vector was social engineering, using email to contact employees. These attacks stole credentials through phishing, tricked workers into downloading malware disguised as genuine software or through drive-by downloads, and simply persuaded workers to install remote access software, as in tech support scams.
According to Coalition, the best way to protect against ransomware attacks is to address the riskiest security issues first to reduce the likelihood of a breach. That means monitoring the attack surface to identify exposed login panels and services, patching zero-day vulnerabilities in Internet-facing technology immediately, providing cybersecurity and HIPAA training to employees, maintaining 24/7 monitoring of systems, and responding immediately to any possible breach.