Feds Warn About Critical Infrastructure Ransomware Attacks, Vulnerabilities

Published

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Ransomware attacks on critical infrastructure and a surge in exploited vulnerabilities are getting the attention of U.S. cybersecurity agencies, which highlighted the threats in a pair of warnings issued in recent days.

The FBI and U.S. Secret Service issued a detailed advisory on the BlackByte Ransomware as a Service (RaaS) group, which has attacked critical infrastructure industries in recent months, among them government, financial and food and agriculture targets.

And the Cybersecurity and Infrastructure Security Agency (CISA) added 15 more vulnerabilities to its list of actively exploited vulnerabilities.

The warnings come amid rising global tensions over the possibility of a Russian invasion of Ukraine, which itself has been the subject of a number of U.S. cybersecurity advisories in recent weeks, the latest a dramatic revelation of Russian cyber attacks against U.S. defense firms.

Also read: Top Vulnerability Management Tools

BlackByte Ransomware Attack Methods, IoCs

The FBI-Secret Service warning came just ahead of news that the NFL’s San Francisco 49ers had also been hit by BlackByte ransomware.

The ransomware encrypts files on compromised Windows host systems, including physical and virtual servers, the advisory noted, and the executable leaves a ransom note in all directories where encryption occurs, including ransom payment instructions for obtaining a decryption key.

Some victims said the attackers used a known Microsoft Exchange Server vulnerability to gain access to their networks, then deployed tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files.

“In some instances, BlackByte ransomware actors have only partially encrypted files,” the advisory said. “In cases where decryption is not possible, some data recovery can occur.”

A newer version of the ransomware encrypts files without communicating with any external IP addresses. The advisory provided a detailed look at BlackByte indicators of compromise (IoC) and suspicious files and commands to look for.

BlackByte Ransomware Protection Steps

The agencies offered some sound cybersecurity advice for BlackByte that applies pretty generally:

  • Conduct regular backups and store them as air-gapped, password-protected copies offline
  • Implement network segmentation, “such that all machines on your network are not accessible from every other machine”
  • Update antivirus software on all hosts and enable real-time detection
  • Update and patch operating systems, software, and firmware as soon as updates and patches are released
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind, and use multifactor authentication
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity
  • Consider adding an email banner to emails received from outside your organization and disable hyperlinks in received emails
  • Ensure all identified IOCs are input into the network SIEM for continuous monitoring and alerts

Further reading: Best Backup Products for Ransomware and Best Ransomware Removal and Recovery Services 

CISA Vulnerabilities Affect Apple, Oracle and Others

CISA added 15 vulnerabilities to its list of known CVEs (common vulnerabilities and exposures) that hackers are actively exploiting or have exploited. The flaws affect a range of vendors, including widely used products from Apple, Oracle and Microsoft. These flaws represent a considerable risk for enterprises and government agencies, and threat actors use them regularly.

The 15 Vulnerabilities Explained

CISA sorts vulnerabilities by their remediation due date for federal agencies:

  1. CVE-2021-36934: Also known as Windows Elevation of Privilege Vulnerability, this vulnerability exists because overly permissive access control lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database, allow threat actors to gain full user rights on a victim’s system. Federal organizations will only have until February 24, 2022 to patch this vulnerability.
  2. CVE-2020-0796: A flaw in Microsoft Server Message Block (SMBv3) allows local privilege escalation and remote code execution, which attackers can exploit to execute code on a target server or client.
  3. CVE-2018-1000861: A vulnerability in the Stapler web framework used by Jenkins (technology for continuous delivery) to handle HTTP requests allows attackers to use crafted URLs to invoke public methods fraudulently.
  4. CVE-2017-9791: A vulnerability in Apache Struts 2, subsequent to the Equifax breach via a Java-based framework to create web applications, that creates opportunities for remote code executions (RCE) attacks caused by using untrusted inputs in the ActionMessage class during development.
  5. CVE-2017-8464: The LNK Remote Code Execution Vulnerability is an RCE vulnerability in Microsoft Windows via crafted .LNK files, which attackers can exploit to gain local user rights on a victim’s system.
  6. CVE-2017-10271: An easily exploitable vulnerability in Oracle’s middleware allows an unauthenticated attacker to compromise and potentially take over the Oracle WebLogic Server.
  7. CVE-2017-0263: Win32k Elevation of Privilege Vulnerability in specific Windows products allows attackers to exploit a failing kernel-mode driver to install programs; view, change, or delete data; or create new accounts with full user rights
  8. CVE-2017-0262: An RCE vulnerability in Microsoft Office can be exploited when a user opens a file with malformed graphics, allowing attackers to create tricked EPS files and take control of the affected system.
  9. CVE-2017-0145: Windows SMB Remote Code Execution Vulnerability in various Windows products allows remote attackers to execute arbitrary code via crafted packets.
  10. CVE-2017-0144: Similar to CVE-2017-0145.
  11. CVE-2016-3088: A remote file upload via a Java-based multi-protocol messaging for Apache (Apache ActiveMQ 5) allows attackers to upload and execute arbitrary files.
  12. CVE-2015-2051: An RCE vulnerability in a specific wired/wireless router via a network device management protocol, known for its buggy implementation (HNAP), allows attackers to execute arbitrary commands via a GetDeviceSettings action.
  13. CVE-2015-1635: An RCE vulnerability in specific versions of Windows (e.g., 7 SP1, 8, 8.1) or Windows Server (2008 R2 SP1, 2012 Gold) allows attackers to execute arbitrary code via crafted HTTP requests.
  14. CVE-2015-1130: An XPC implementation allows authentication bypass and admin privilege escalation in Apple OS X before 10.10.3.
  15. CVE-2014-4404: An RCE vulnerability caused by buffer overflow in old Apple’s products (iOs before 8 and Apple TV before 7) allows attackers to execute arbitrary code in a privileged context.

The list of added and removed entries is a living list and changes as new threats emerge and old ones diminish. And sure enough, no sooner did we finish this article than CISA added nine additional bugs to the list, among them Microsoft, Google Chrome and Adobe flaws. About the only constant in cybersecurity is the need for vigilance to keep up with the ever-changing threat landscape.

A Top Priority for Security Teams

Many of these vulnerabilities have been around for years, but they are actively under attack. CISA strongly recommends updating all software as soon as possible.

With the shortlist of widely exploited vulnerabilities, system administrators and security teams can quickly identify and patch key vulnerabilities to prevent malicious actors from exploiting the weaknesses.

How to Use the CISA Catalog

While CVE-2021-36934 is listed first due to its high severity and due date, the top-ranking vulnerabilities most exploited by attackers do not necessarily have high severity ratings. The CVSS score is just an indicator, and a low score does not mean hackers won’t attack it.

Some vendors already map the CISA catalog to catch vulnerabilities and critical CVEs. For example, mapping for vulnerabilities during scripted checks in continuous delivery and continuous integration (CD/CI) pipelines allows for early and automatic detection.

Aggressive Patching Can Have a Huge Benefit

It’s highly recommended that you follow vulnerability announcements for any products you own, such as those from IBM, Cisco, Google, Microsoft, Apple, Oracle (or other companies), and prioritize those under active exploitation.

IT asset management tools have become critical security tools, with their ability to discover installed products you may have forgotten about.

CISA has ordered federal organizations to apply patches quickly, sometimes with pretty short deadlines (weeks), making exploitable vulnerabilities less easy to find for attackers.

Private organizations are strongly encouraged to follow the same directive to mitigate risks and plan updates, as these vulnerabilities are present in the same products in the private sector.

Read next: Best Patch Management Software

eSecurity Planet editor Paul Shread contributed to this report

Julien Maury Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required