Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 9/9/2024 | PacketWatch

Written by The PacketWatch Intelligence Team | September 9, 2024

This week we briefed our clients on RansomHub ransomware group's Tactics, Techniques and Procedures (TTP) and new application vulnerabilities from vendors.

KEY TAKEAWAYS

  • New FBI/CISA advisory details TTPs of RansomHub ransomware gang. Learn how to protect your organization. 
  • Critical and high-severity vulnerabilities in SonicWall, Cisco, Fortra, and Veeam. Patch now!


 

Ransomware Spotlight: RansomHub

In late August, the FBI and CISA published a joint advisory on the RansomHub ransomware group. While RansomHub has only been around since February 2024, they have already compromised over 210 victims across a variety of industry verticals, including information technology, water management (critical infrastructure), government services, healthcare, emergency services, food and agriculture, financial services, manufacturing, transportation, and communication. They are a Ransomware-as-a-Service (RaaS) group, and have been able to attract affiliates from other high-profile ransomware groups such as LockBit and ALPHV. RansomHub also uses the double-extortion model, where they encrypt data and critical systems and also exfiltrate data to later be published on their leak site.

 

Initial Access

RansomHub uses a variety of methods to gain initial access. They have been observed using phishing emails, password spraying accounts that have been found in data breaches and exploiting known vulnerabilities on internet-facing devices. These vulnerabilities include:

  • CVE-2023-3519 - A remote code execution (RCE) vulnerability in Citrix ADC (Netscaler). This is a critical vulnerability that has been exploited by numerous threat actors and ransomware groups.
  • CVE-2023-27997 - A critical RCE in FortiOS and FortiProxy SSL-VPN that has also been leveraged by numerous threat actors.
  • CVE-2023-46604 - An RCE vulnerability in the Java OpenWire protocol marshaller, used in software such as Apache Active MQ.
  • CVE-2023-22515 - A critical vulnerability in publicly accessible Confluence Data Center (on-premises) instances that allows the threat actor to create unauthorized Confluence administrator accounts and gain unauthorized access to Confluence instances.
  • CVE-2023-46747 - An RCE in F5 BIG-IP Configuration Utility, exploitable if the management port is exposed to the internet.
  • CVE-2023-48788 - A SQL command injection vulnerability in Fortinet FortiClientEMS that allows for RCE.
  • CVE-2017-0144 - An RCE in SMBv1 servers on Windows systems.

 

Discovery

RansomHub affiliates have been observed clearing Windows and Linux logs to inhibit incident response. They have also been observed leveraging Windows Management Instrumentation (WMI) to disable antivirus defenses. The ransomware encryptor itself is often named something benign like "Windows.exe" and is commonly placed in the user's Desktop or Downloads folders.

 

Privilege Escalation and Lateral Movement

RansomHub affiliates have been observed leveraging multiple common methods for persistence, privilege escalation, and lateral movement, including creating new user accounts, re-enabling disabled accounts, using Mimikatz to harvest Windows credentials and escalate privileges, and exploiting CVE-2020-1472 (ZeroLogon) and CVE-2020-0787 (a privilege escalation vulnerability in the Windows Background Intelligent Transfer Service (BITS)). Common lateral movement tools were also used, including RDP, PsExec, AnyDesk, ConnectWise, N-able, Cobalt Strike, and Metasploit.
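The host-side behaviors described in the Discovery and Privilege Escalation sections (log clearing, a benign-looking encryptor dropped in Desktop or Downloads, new or re-enabled accounts) all surface in standard Windows event logs. The following is an added example, not PacketWatch's or CISA's code: it runs simple detections over constructed Security/System event records in a simplified dict layout; the event IDs are the standard Windows ones, and the host and user names are made up.

```python
"""Flag RansomHub-style host activity in Windows Security/System event records.

Added example: event records are constructed, the dict layout is simplified,
and each rule maps to a TTP described in the report above.
"""
from collections import defaultdict

# Standard Windows event IDs (not page-specific):
#   1102 Security log cleared, 104 System/Application log cleared
#   4720 user account created, 4722 user account enabled
#   4688 process creation (NewProcessName carries the full image path)
LOG_CLEARED = {1102, 104}
ACCOUNT_CHANGE = {4720: "new account created", 4722: "disabled account re-enabled"}
SUSPECT_DIRS = ("\\desktop\\", "\\downloads\\")
BENIGN_NAMES = {"windows.exe"}   # the report's example of a benign-looking encryptor name


def check_event(ev):
    """Return a list of (rule, detail) hits for one event dict; empty if clean."""
    hits = []
    eid = ev.get("EventID")
    if eid in LOG_CLEARED:
        hits.append(("log_cleared", f"{ev.get('Channel')} cleared by {ev.get('SubjectUserName')}"))
    if eid in ACCOUNT_CHANGE:
        hits.append(("account_change", f"{ACCOUNT_CHANGE[eid]}: {ev.get('TargetUserName')}"))
    if eid == 4688:
        path = ev.get("NewProcessName", "").lower()
        name = path.rsplit("\\", 1)[-1]
        # Only flag the benign-looking name when it runs from a user profile folder
        if name in BENIGN_NAMES and any(d in path for d in SUSPECT_DIRS):
            hits.append(("suspicious_binary", path))
    return hits


def triage(events):
    """Group hits by host so an analyst sees the whole chain per machine."""
    by_host = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            by_host[ev["Computer"]].append(hit)
    return dict(by_host)


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 4688, "NewProcessName": "C:\\Users\\jdoe\\Downloads\\Windows.exe"},
    {"Computer": "WS01", "EventID": 1102, "Channel": "Security", "SubjectUserName": "jdoe"},
    {"Computer": "DC01", "EventID": 4722, "TargetUserName": "svc_backup_old"},
    {"Computer": "DC01", "EventID": 4720, "TargetUserName": "support2"},
    {"Computer": "WS02", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

Feeding real exported events (for example from a SIEM query on those event IDs) only requires mapping the fields to the same keys; the per-host grouping is what turns isolated alerts into the recognizable pre-encryption chain.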

 

Data Exfiltration

According to the advisory, the method of exfiltration varies depending on the affiliate conducting the attack. These methods include using PuTTY, Amazon AWS S3 buckets and their associated tools, simple HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit.

 

How to Protect Your Organization

Although RansomHub has had tremendous success compromising several hundred organizations in the last several months, all of their TTPs are detectable and preventable. They do not leverage 0-days or any sort of "fully undetectable" custom tooling. All of the vulnerabilities that they exploit for initial access are known and have patches available. Their password-spraying attempts for initial access can easily be prevented with strong, unique passwords and multi-factor authentication (MFA). Robust EDR solutions such as CrowdStrike will detect or prevent most of the methods observed for privilege escalation and lateral movement. Network detection such as PacketWatch will identify large bursts of outbound traffic associated with data exfiltration, regardless of the method used. Simple, solid cybersecurity best practices will go a long way toward thwarting ransomware groups like RansomHub. For a full list of mitigation strategies, readers are strongly encouraged to read the advisory here.
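The exfiltration methods listed above (PuTTY, S3 tooling, HTTP POST, WinSCP, Rclone) differ in protocol but share one network signature: an internal host suddenly sends far more bytes outbound than it normally does. The following is an added example, not PacketWatch's product logic: it bucket-sums outbound bytes per internal host per time window over constructed flow records and flags windows that exceed the host's own median by a large factor. The internal prefixes, window size, multiplier and absolute floor are assumptions an analyst would tune.

```python
"""Flag internal hosts whose outbound byte volume spikes against their own baseline.

Added example: flow records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

INTERNAL = ("10.", "192.168.")   # assumed internal address prefixes


def is_internal(ip):
    return ip.startswith(INTERNAL)


def outbound_bytes_per_window(flows, window_s=300):
    """Sum bytes sent by each internal host to external hosts per window."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> window index -> bytes
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            buckets[f["src"]][f["ts"] // window_s] += f["bytes"]
    return buckets


def find_bursts(flows, window_s=300, factor=10, min_bytes=50_000_000):
    """Return {src: [(window, bytes)]} for windows above factor x the host's
    median window AND above an absolute floor (ignores noisy small hosts)."""
    alerts = {}
    for src, wins in outbound_bytes_per_window(flows, window_s).items():
        # A host seen in a single window has no baseline; rely on the floor alone
        base = median(wins.values()) if len(wins) > 1 else 0
        spikes = [(w, b) for w, b in sorted(wins.items())
                  if b >= min_bytes and b > factor * base]
        if spikes:
            alerts[src] = spikes
    return alerts


def flow(ts, src, dst, dport, nbytes):
    """Constructed flow record: epoch seconds, 5-tuple subset, byte count."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed sample: two hosts with steady small outbound traffic for 50 minutes
SAMPLE_FLOWS = [flow(t, "10.0.0.5", "203.0.113.10", 443, 200_000) for t in range(0, 3000, 300)]
SAMPLE_FLOWS += [flow(t, "10.0.0.9", "203.0.113.20", 443, 150_000) for t in range(0, 3000, 300)]
# 10.0.0.9 then pushes 2 GB to an external host over SSH in one window
SAMPLE_FLOWS.append(flow(3100, "10.0.0.9", "198.51.100.7", 22, 2_000_000_000))
# A large internal-to-internal copy must not count as exfiltration
SAMPLE_FLOWS.append(flow(3100, "10.0.0.5", "192.168.1.20", 445, 3_000_000_000))

if __name__ == "__main__":
    print(find_bursts(SAMPLE_FLOWS))
```

Because the check keys on volume relative to each host's own history rather than on port or tool, a switch from Rclone to a plain HTTP POST changes nothing about what gets flagged.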

 


Vulnerability Roundup

 

SonicWall SonicOS and SSLVPN Vulnerability Under Active Exploitation

An improper access control vulnerability, tracked as CVE-2024-40766, has been identified in the SonicWall SonicOS management access and SSLVPN, which can lead to unauthorized resource access and in certain conditions can cause the firewall to crash. Affected versions are SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. As this vulnerability has been confirmed to be exploited in the wild, administrators are urged to patch as soon as possible.

 

Critical Vulnerabilities in Cisco Smart Licensing Utility

Two critical vulnerabilities in the Cisco Smart Licensing Utility were recently disclosed. Tracked as CVE-2024-20439 and CVE-2024-20440, these vulnerabilities allow for unauthenticated remote attackers to elevate privileges and access sensitive information. CVE-2024-20439 is for an undocumented hard-coded administrative account, and CVE-2024-20440 is for a verbose debug file that contains credentials that can be accessed via the API. One interesting caveat for these vulnerabilities that is described in the Cisco security advisory is that these are not exploitable "unless Cisco Smart Licensing Utility was started by a user and is actively running." Vulnerable versions are 2.0.0, 2.1.0, and 2.2.0, and administrators are urged to update to version 2.3.0.

 

Fortra FileCatalyst Workflow Hardcoded Password

Fortra recently disclosed CVE-2024-6633 for a hardcoded password in the FileCatalyst Workflow HyperSQL database. This can be exploited by anyone with remote access to the server. These hardcoded credentials can also be leveraged to create new administrative users. The vulnerability affects versions 5.1.6 Build 139 and older. Administrators are urged to upgrade to version 5.1.7 or later. Additionally, per Fortra's advisory, the HyperSQL database is used only to facilitate the installation process, and is not intended for production use. Administrators are urged to configure the server to use an alternative database.

 

Multiple Critical Vulnerabilities in Veeam Products

Veeam recently published a security bulletin detailing 18 security vulnerabilities, five of which allow for remote code execution. Other flaws allow for privilege escalation, MFA bypass, and code execution. The vulnerabilities affect the following products and versions:

  • Veeam Backup & Replication 12.2 (build 12.2.0.334)
  • Veeam Agent for Linux 6.2 (build 6.2.0.101)
  • Veeam ONE v12.2 (build 12.2.0.4093)
  • Veeam Service Provider Console v8.1 (build 8.1.0.21377)
  • Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299

Administrators are urged to apply the appropriate updates as soon as possible, as Veeam servers are heavily targeted by ransomware groups.


This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.