The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FBI Shares Intel on Emerging Initial Access Techniques Used by Ransomware Gangs

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a private industry notification detailing emerging techniques that ransomware gangs are using to gain initial access to victims’ networks. The FBI has identified several ransomware trends that are emerging or continuing and have been used in multiple attacks since July 2023. Several attacks have exploited vulnerabilities in vendor-controlled remote access to casino servers, and companies have been victimized by threat actors who abuse legitimate system management tools to elevate network permissions.

The Silent Ransom Group (aka Luna Moth) has been conducting phishing attacks using messages that contain a phone number the recipient must call to prevent a pending charge to an account. This type of attack is known as callback phishing and has been popular with ransomware gangs since 2022. Because the emails contain no malicious links or attachments, only a phone number, email security solutions do not block them and they often reach their intended targets. When the victim calls, they are told that to stop the pending charge they must download and install a legitimate system management tool, which the threat actor then uses to access the device. With that access, the threat actor can browse local files and shared drives and exfiltrate data, after which the victim is extorted.

The FBI recommends that all organizations implement the suggested mitigations to harden their defenses against these attacks. The key to defending against them is preparation. Organizations should maintain offline backups of data, encrypt their backup data, and implement an incident response and recovery plan. Reviews should be conducted of the security posture of all third-party vendors, with priority given to those that have network access. The FBI recommends implementing allowlisting policies for applications and remote access, so that systems can only execute known and permitted programs under an established security policy, and documenting and monitoring external remote connections.

Identity and access management controls are vital. All accounts that require passwords should comply with National Institute of Standards and Technology (NIST) password standards, and phishing-resistant multifactor authentication should be implemented for webmail, virtual private networks, and accounts that access critical systems. Domain controllers, servers, workstations, and Active Directory should be reviewed for unrecognized accounts, user accounts should be audited, and time-based access should be set for accounts at the admin level and higher.


Protective controls and architecture should include network segmentation, a network monitoring tool to identify, detect, and investigate abnormal activity and potential lateral movement, antivirus tools capable of real-time threat detection, and close monitoring of remote desktop protocol (RDP) use.
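
As an added example (not code from the FBI notification or from HIPAA Journal), the following Python script shows what “close monitoring of RDP use” can look like in practice. It runs over a constructed set of Windows Security log records (Event ID 4624 for successful logons and 4625 for failures; Logon Type 10 is RemoteInteractive, i.e. RDP) and flags four things a defender would want to see: a burst of failed RDP logons from one source, a success that follows such a burst, RDP logons from addresses outside the internal ranges, and RDP logons outside business hours. The field names follow the Windows Security log, but the sample events, thresholds, business hours and internal address ranges are assumptions chosen for the example and should be tuned to your environment.

```python
"""Flag suspicious RDP activity in Windows Security log records.

Added example; not code from the FBI notification or HIPAA Journal.
Input records are constructed to mimic Event ID 4624 (successful logon)
and 4625 (failed logon). Logon Type 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real logs). Field names follow the
# Windows Security log; timestamps are ISO 8601 local time.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:14:01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:15:30"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:16:02"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",         "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:17:45"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:19:10"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "TimeCreated": "2024-03-04T02:20:05"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup",    "IpAddress": "192.168.1.77", "TimeCreated": "2024-03-04T03:30:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",        "IpAddress": "10.10.5.20",   "TimeCreated": "2024-03-04T09:02:11"},
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "jsmith",        "IpAddress": "127.0.0.1",    "TimeCreated": "2024-03-04T09:05:00"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith",        "IpAddress": "10.10.5.20",   "TimeCreated": "2024-03-04T11:40:00"},
]

# Tunable assumptions for the example environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
FAIL_THRESHOLD = 5                     # failures from one source address ...
FAIL_WINDOW = timedelta(minutes=10)    # ... within this sliding window
RDP_LOGON_TYPE = 10


def is_internal(ip_text):
    """True if the source address falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:        # e.g. "-" or malformed; treat as untrusted
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyze_rdp(events):
    """Return a list of alert dicts for RDP logon records, in event-time order."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    rdp = sorted((e for e in events if e["LogonType"] == RDP_LOGON_TYPE),
                 key=lambda e: e["TimeCreated"])
    for e in rdp:
        ts = datetime.fromisoformat(e["TimeCreated"])
        ip, user = e["IpAddress"], e["TargetUserName"]

        def alert(rule):
            alerts.append({"rule": rule, "ip": ip, "user": user, "time": e["TimeCreated"]})

        # Drop failures that have aged out of the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= FAIL_WINDOW]

        if e["EventID"] == 4625:
            failures[ip].append(ts)
            if len(failures[ip]) == FAIL_THRESHOLD:   # fires when the threshold is first reached
                alert("rdp_bruteforce")
        elif e["EventID"] == 4624:
            if not is_internal(ip):
                alert("rdp_external_source")
            if ts.hour not in BUSINESS_HOURS:
                alert("rdp_off_hours")
            if len(failures[ip]) >= FAIL_THRESHOLD:   # success right after a failure burst
                alert("rdp_success_after_failures")
    return alerts


if __name__ == "__main__":
    for a in analyze_rdp(SAMPLE_EVENTS):
        print(f'{a["time"]}  {a["rule"]:28s} {a["ip"]:15s} {a["user"]}')
```

Run against the constructed events, the script raises five alerts: the failure burst from 203.0.113.45, then three alerts for the successful logon that follows it (external source, off-hours, and success after failures), and an off-hours alert for the internal service account. In production the records would come from a SIEM or from Get-WinEvent rather than an inline list, and an RDP logon from outside the internal ranges would normally be a policy violation in itself if RDP is only reachable through a VPN or gateway.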

It is important to ensure that all software, operating systems, and firmware are kept up to date, unused ports and protocols are disabled, command-line and scripting activities and permissions are disabled where they are not needed, devices are properly configured with security features enabled, and the Server Message Block (SMB) protocol is restricted. Controls should also be implemented to improve email security, such as adding a banner to all external emails and disabling hyperlinks in emails.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
