Spotlight: Enterprise Ransomware
Through the Lens of Threat and Vulnerability Management

Executive Summary
Ransomware remains one of the most damaging cyber threats facing organizations today. Unlike other threats, ransomware’s main goal is to maximize the business and operational pain to the victim enterprise – namely by freezing its data and ability to function. This makes any organization or industry a potential target of ransomware – attackers don’t need data to be valuable for resale on the black market, it only needs to be valuable to the victim. And whether due to lost data or the costs of downtime and cleanup, the actual damage and loss of a ransomware attack are almost always much higher than the cost of the ransom itself. The stakes for enterprises have been raised even further as insurance claims related to ransomware attacks have recently been denied based on the attribution of an attack.
Defending against such attacks is a top priority for enterprise security teams. This typically includes addressing weaknesses and vulnerabilities that ransomware attacks use, adding detection and response tools, and establishing data backup and recovery plans. However, the only way to truly prevent ransomware damage is to stop the attack before assets are affected and damage is done. Vulnerability management plays a critical role in this area.
Unfortunately, vulnerability management has become one of the most challenging tasks for security and IT teams, who typically have far more vulnerabilities than they could ever hope to patch. To keep pace, teams need to prioritize vulnerabilities based on real-world context such as whether vulnerabilities have been weaponized, their impact to the enterprise, and whether they have active exploits trending in the wild.
This report applies this approach specifically to the problem of ransomware by analyzing the top enterprise ransomware families and the specific vulnerabilities that they target. The goal is to provide actionable insight, trends, and analysis into some of the vulnerabilities and weaknesses most heavily used by ransomware. At a high level, this analysis includes:
• Key traits of vulnerabilities (CVEs) used by enterprise ransomware, highlighting those that could easily be overlooked.
• How vulnerabilities map to specific ransomware families, highlighting those used by multiple families.
• Which vendors and assets are most targeted by enterprise ransomware for their impact.
• Additionally, we highlight the vulnerabilities that are being used in active ransomware campaigns or “trending” in the wild based on RiskSense research. This focus on trending vulnerabilities allows organizations to focus on the CVEs with the greatest real-world impact.
For each key finding in the report, we have included a list of relevant vulnerabilities (CVEs) that security and IT teams can leverage in their patch management practice to proactively minimize exposure. Likewise, we provide best practices and guidance that can help to identify and prioritize vulnerabilities with similar traits used by ransomware as they emerge. While this report focuses heavily on specific CVEs, it is important to note that ransomware often targets weaknesses such as improperly secured or exposed services such as SMB and RDP. In addition to analyzing the CVEs tied to these protocols, we have included best practices for reducing their exposure to attack.
Page 1 Spotlight • Enterprise Ransomware – Through the Lens of Vulnerability and Threat Management
RiskSense Spotlight Report • August 2019

Key Findings
Enterprise Ransomware Hunts High-Value Assets
63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. This notably included versions of Windows Server (5), Oracle JRE and WebLogic Server (5), RedHat’s JBOSS application servers (4), Apache Struts and Tomcat (3), Spring Data (1), Atlassian’s Confluence (1), and Elasticsearch (1). Targeting these and other critical assets allows attackers to maximize business disruption to the victim’s operations and thereby demand higher ransoms. Enterprise ransomware is targeted and focused and it is not as random or opportunistic as small business or consumer-focused ransomware.

The ‘Eternal’ Exploits Remain Eternal
The MS17-010 vulnerabilities, first popularized by the EternalBlue exploit and the WannaCry ransomware, continue to be popular with multiple families of ransomware today including Ryuk, SamSam, and Satan ransomware. These wormable vulnerabilities allow attackers to quickly spread from host to host throughout the network. The fact that these vulnerabilities continue to trend in the wild and are used by even the most recent and costliest families of ransomware is a clear sign that many organizations still have not patched these important vulnerabilities.

Older Vulnerabilities Causing Big Problems in the Wild
While many organizations often focus on new vulnerabilities, our analysis shows that vulnerabilities from as far back as 2010 continue to be trending with ransomware in the wild. In total, 31.5% of the analyzed vulnerabilities were from 2015 or earlier (18 out of 57), and 16 of those vulnerabilities continue to be trending in 2018 or 2019. Ransomware targeting these vulnerabilities included Gandcrab, SamSam, and the recent Sodinokibi families of ransomware.

100% of the Vulnerabilities Analyzed Enable Remote Code Execution or Privilege Escalation
All of the vulnerabilities analyzed in the dataset either enabled remote code execution (RCE) or privilege escalation (PE). These traits continue to be highly strategic for attackers and likewise can serve as important attributes for security teams when prioritizing their patching efforts. The very strong correlation with ransomware should further underline the importance of tracking these traits as part of a risk-based vulnerability management program.

Low CVSS Scores Can Carry High Risk
52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 of the vulnerabilities were trending in the wild, and included vendors such as RedHat, Microsoft, Apache, and Oracle. Surprisingly, trending ransomware vulnerabilities had scored as low as 2.6. As a result, organizations that use CVSS scores as their exclusive means to prioritize vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.

Some Vulnerabilities Are Repeat Offenders
Our analysis showed that some vulnerabilities had a broader reach than others. 15 vulnerabilities were found that were targeted by multiple families of enterprise ransomware. Additionally, since technology is often reused in multiple products, vulnerabilities often impact more than one vendor. We identified 17 trending vulnerabilities with active exploits in the wild which affected more than one technology vendor.
The Ransomware Top 10
Bringing together the various perspectives in the report, we identified a list of 10 vulnerabilities that organizations can leverage as a starting point for their ransomware-focused patching efforts. This list includes:
• 4 vulnerabilities that are both targeted by multiple families of ransomware and also impact multiple vendors.
• 9 of the vulnerabilities affect servers.
• 4 are from 2015 or earlier and 2 have a CVSS score of 5 or less, which could lead to them being overlooked.
Report Methodology

The information in this report is based on data gathered from a variety of sources including RiskSense proprietary data, publicly available threat databases, as well as RiskSense threat researchers and penetration testers. The overarching goal of this report is to provide a manageable list of CVEs and best practices that address the top families of enterprise ransomware. We hope this can serve as a starting point for organizations who want to take a ransomware-based approach to patching within their vulnerability management program to secure their enterprise and reduce their attack surface. Put simply, most organizations are inundated with more vulnerabilities than they can patch, so we wanted to provide a shortlist of vulnerabilities that focuses on the most damaging ransomware threats.
We focused on the top ransomware families that are known to target enterprises and government organizations as opposed to individuals and identified a set of 57 vulnerabilities that are heavily tied to ransomware threats in these organizations. Next, we identified the most common vectors and vulnerabilities related to ransomware in order to find trends and insights that can help organizations better protect their networks and assets. We also analyzed the dataset to identify vulnerabilities that were “trending” in either 2018 or 2019. Trending is defined by RiskSense as vulnerabilities that are being actively abused by attackers in the wild. These connections are established by internal RiskSense research, monitoring of hacker forums, Twitter feeds as well as analysis of 3rd party threat intelligence sources.
Additionally, ransomware can often be a secondary payload following a successful exploit and initial malware infection. For example, the RIG exploit kit has been used to deliver a variety of ransomware families. For our analysis, we included relevant vulnerabilities for cases where there is a documented link between a particular exploit kit and a ransomware campaign.
However, we intentionally focused on the top enterprise ransomware families and do not claim that this is an exhaustive list of all vulnerabilities related to ransomware. Furthermore, malware campaigns can evolve and adopt different exploits or exploit kits over time. As a result, organizations are encouraged to use this report as a point in time analysis and then apply an ongoing risk-based approach to ransomware that prioritizes vulnerabilities that have been weaponized and are trending in the wild in malware and exploit kits.
[Callout: 57 vulnerabilities identified that are heavily tied to ransomware threats]
Table of Contents

Executive Summary ..... 1
Key Findings ..... 2
Report Methodology ..... 3
The Enterprise Era of Ransomware ..... 5
Key Vulnerability Metrics and Risk Factors ..... 6
A Risk-Based View of Ransomware Vulnerabilities ..... 6
Analysis of CVSS Scores and Severities ..... 7
Older Vulnerabilities Are Still Trending ..... 8
Vulnerabilities by Ransomware Family ..... 10
Malware Families with the Most Vulnerabilities ..... 10
Vulnerabilities Shared Across Malware Families ..... 11
Vulnerabilities by Vendor and Product ..... 12
Vulnerabilities by Vendor and Product ..... 12
Vulnerabilities Affecting Servers and Applications ..... 14
Vulnerabilities Impacting Additional Products ..... 15
Wormable Vulnerabilities in SMB and RDP ..... 17
SMB and the ‘Eternal’ Exploits (MS17-010) ..... 17
RDP and BlueKeep (CVE-2019-0708) ..... 18
Reducing the SMB and RDP Attack Surface ..... 18
The Ransomware Top 10 ..... 19
Summary ..... 20
The Enterprise Era of Ransomware

This section briefly covers the recent evolution of ransomware, and specifically how it has evolved to target enterprises and the impact of those attacks.
While ransomware has been around for several years, it shot to the forefront of security concerns in 2017 with the release of WannaCry, which quickly affected more than 200,000 victims. WannaCry made use of the EternalBlue exploit related to MS17-010 (CVE-2017-0144). As we will see later in the report, this and the related MS17-010 vulnerabilities continue to play a major role in ransomware attacks today. While WannaCry only netted around $100,000 for the attackers, it was estimated to cause $1 Billion in damages.
While the overall volume of attacks began to drop in 2018, the impact on enterprises has continued to rise. Unlike the opportunistic approach of consumer ransomware, enterprise ransomware has shifted to far more targeted, higher impact malicious attacks that drive higher ransom demands. While ransomware costs in 2017 were estimated at $5 Billion total, the estimates have risen to $11.5 Billion in 2019 even as the overall volume of ransomware attacks has declined. In fact, virtually all of the metrics related to ransomware impact appear to be on the rise according to recent 2019 data from Coveware. The average ransom demands nearly doubled with the rise of more targeted ransomware such as Ryuk, SamSam, and Sodinokibi.
Likewise, between Q4 2018 and Q1 2019, the average downtime from a ransomware attack increased from 6.2 to 7.5 days as ransomware evolved to target backups and encrypt application configuration files.
The ability to drive higher ransoms while also causing greater disruption is a direct indicator of the pain these attacks can cause organizations due to downtime, lost employee productivity, lost sales, as well as incident response and recovery costs. As an example, the City of Atlanta was hit by SamSam in 2018, and the final costs are estimated to be in the range of $17 million. Likewise, in May 2019 the City of Baltimore suffered a RobbinHood ransomware attack, which is estimated to cost $13 million. Worse still, in some cases, insurance companies are refusing to pay claims related to ransomware attacks based on attack attribution.
These factors pose a staggering amount of financial and operational risk for any organization. While individual attacks vary and malware will continue to evolve, ransomware attacks are predicated on causing significant organizational damage and disruption. Enterprise-focused ransomware continues to evolve, and this alone ensures that ransomware will remain a top concern for the foreseeable future.
[Figure: Global Ransomware Damage Costs: $5 Billion (2017) to $11.5 Billion (2019), a 130% increase]
Key Vulnerability Metrics and Risk Factors

In this section, we analyze 57 vulnerabilities across a variety of risk metrics in order to highlight areas where important ransomware vulnerabilities could easily fly under the radar, while also providing a model for prioritizing vulnerabilities going forward.

A Risk-Based View of Ransomware Vulnerabilities
In order to intelligently prioritize vulnerabilities, we need to know real-world, threat-based information as well as data about the vulnerability itself. For example, the vast majority of vulnerabilities are never weaponized, meaning that there are no exploits to take advantage of the vulnerability. Many of those that are weaponized are not used in actual attacks or malware campaigns. In practice, three high-level metrics are often very powerful for honing in on the most important vulnerabilities. These are:
• Weaponized Vulnerabilities – Vulnerabilities which have associated exploit code capable of taking advantage of the vulnerability.
• Strategic Vulnerabilities – Vulnerabilities that allow remote code execution (RCE) or privilege escalation (PE) are highly valuable to attackers and significantly increase the risk of damage to a victim organization.
• Trending Vulnerabilities – These are vulnerabilities that are actively being used in the wild in attacks and malware based on RiskSense research and correlation with 3rd party sources. In this report, we then further refined the list by honing in on the trending vulnerabilities that are used by enterprise ransomware.
The vulnerabilities analyzed in this report range from 2010 to 2019. If we look at all the CVEs released in this time range, we can demonstrate how using the above metrics provides a straightforward, yet powerful model to prioritize vulnerabilities.
These metrics prove to be particularly valuable when prioritizing vulnerabilities to minimize ransomware. Of course, by definition all vulnerabilities used by ransomware have been weaponized. However, it is worth noting that all vulnerabilities in the data set either enabled remote code execution or privilege escalation, and 49 of the 57 were trending in the wild in 2018 or 2019. This underscores the importance of tracking RCE/PE-capable vulnerabilities. Additionally, we will highlight trending CVEs throughout the report to focus on the vulnerabilities that pose the most immediate, real-world danger.
[Figure: CVEs From 2010 to 2019. Total CVE count 80,642; weaponized CVEs 9,092; RCE/PE 2,175; trending 372; trending enterprise ransomware 49 (“CVEs That Matter” – start here). Key Metrics for Ransomware Vulnerabilities: Weaponized 57/57, RCE/PE 57/57, Trending 49/57 (8 non-trending).]
[Figure: CVE count by CVSS v2 and CVSS v3 score range (0-1 through 9-10), trending vs non-trending]

Analysis of CVSS Scores and Severities
Our analysis shows that while CVSS scores can provide a good start, organizations can easily miss ransomware-related CVEs by relying solely on these scores. We analyzed the dataset both by CVSS v2 and CVSS v3 scores. Since CVSS v3 wasn’t implemented until late 2015, only 40 of the 57 vulnerabilities have CVSS v3 scores.
First, analyzing by CVSS Severity, we see that not all trending vulnerabilities are in the “High” or “Critical” categories. For CVSS v2, there were 8 trending vulnerabilities that had a severity rating lower than High, while for CVSS v3, there were 22 vulnerabilities that were lower than Critical.
[Figure: CVSS v2 Categories (trending / non-trending): High 41 / 6, Medium 7 / 2, Low 1 / 0. CVSS v3 Categories (trending / non-trending): Critical 12 / 3, High 20 / 2, Medium 2 / 1, Low 0 / 0.]
This same issue persists if we break out the data set by specific CVSS scores. The important point is that patching only vulnerabilities based on a particular CVSS score can leave an organization needlessly exposed to ransomware.
For CVSS v2, 52.6% (30/57) of the vulnerabilities had a score less than 8. This held true for trending vulnerabilities as well with 49.0% (24/49) of the trending CVEs scoring below 8. This included CVEs used by a variety of ransomware families including SamSam, Gandcrab, and Ryuk.
Vulnerabilities with a CVSS v3 score fared somewhat better but remained far from ideal. 37.5% (15/40) of vulnerabilities were 8 or below, while 38.2% (13/34) of trending vulnerabilities scored below 8.
This analysis underscores that organizations should supplement CVSS scores with additional threat-focused metrics such as RCE/PE capability and trending states. We have included the table below to highlight trending CVEs with CVSS v2 and v3 scores that are below 8, as they could easily be overlooked based on their score. Again, we have chosen a score of 8 as an arbitrary cutoff for this list, but organizations are encouraged to always analyze vulnerabilities in a full threat-based context.
[Figure: share of vulnerabilities scoring below 8 versus 8 and above. CVSS v2: all 52.6%, trending 49%. CVSS v3: all 37.5%, trending 38.2%.]
Trending CVEs with Low Scores

CVE             CVSS v2   CVSS v3   Name
CVE-2010-0738   5         na        JBOSS_Application_Server
CVE-2010-1428   5         na        JBOSS_Enterprise_Application_Platform
CVE-2012-0874   6.8       na        JBOSS_Enterprise_Web_Platform
CVE-2015-1427   7.5       na        Elasticsearch
CVE-2015-1701   7.2       na        Microsoft Windows
CVE-2016-0189   7.6       7.5       Microsoft Jscript
CVE-2016-3088   7.5       9.8       Apache ActiveMQ
CVE-2016-3298   2.6       5.3       Microsoft Windows
CVE-2016-7200   7.6       7.5       Microsoft Edge
CVE-2016-7201   7.6       7.5       Microsoft Edge
CVE-2017-0147   4.3       5.9       Microsoft SMB
CVE-2017-10271  5         7.5       Oracle WebLogic_Server
CVE-2017-12149  7.5       9.8       Microsoft SMB
CVE-2017-12615  6.8       8.1       Apache Tomcat
CVE-2017-8046   7.5       9.8       Spring_Data_REST
CVE-2018-1273   7.5       9.8       Spring_Data_Commons
CVE-2018-20250  6.8       7.8       Rarlab WinRAR
CVE-2018-2894   7.5       9.8       Oracle Weblogic_Server
CVE-2018-4878   7.5       9.8       RedHat Enterprise_Linux
CVE-2018-8120   7.2       7         Microsoft Windows
CVE-2018-8174   7.6       7.5       Microsoft Windows
CVE-2018-8440   7.2       7.8       Microsoft Windows
CVE-2018-8453   7.2       7.8       Microsoft Windows
CVE-2019-2725   7.5       9.8       Oracle Weblogic_Server
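The risk-based model described in this section (weaponized, RCE/PE, trending) and the CVSS-cutoff comparison above can be reproduced on a small sample. The following Python is an added example, not RiskSense code or tooling. The CVE IDs, CVSS scores and trending flags are taken from the report's tables; the record layout, the priority tiers and the two CVE-EXAMPLE-* records are this example's own constructions, and the CVSS v3 score for CVE-2019-3396 is not in the report (it is taken from NVD).

```python
"""Risk-based triage of a constructed CVE sample versus a CVSS-only cutoff.

Added example, not RiskSense code. CVE IDs, scores and trending flags come
from the report's tables; the record layout, the tiers and the two
CVE-EXAMPLE-* records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_v2: float
    cvss_v3: Optional[float]  # None when the CVE predates CVSS v3 scoring
    weaponized: bool          # public exploit code exists
    rce_pe: bool              # enables remote code execution or privilege escalation
    trending: bool            # actively used in the wild in 2018 or 2019


# Constructed sample: eight CVEs with the scores the report lists, plus two
# invented records (not real CVE IDs) showing where non-weaponized and
# non-RCE/PE findings land.
SAMPLE: List[Vuln] = [
    Vuln("CVE-2016-3298", 2.6, 5.3, True, True, True),    # Windows; lowest trending score in the report
    Vuln("CVE-2017-0147", 4.3, 5.9, True, True, True),    # SMB, one of the MS17-010 CVEs
    Vuln("CVE-2017-10271", 5.0, 7.5, True, True, True),   # Oracle WebLogic Server
    Vuln("CVE-2010-0738", 5.0, None, True, True, True),   # JBoss; no CVSS v3 score exists
    Vuln("CVE-2018-8174", 7.6, 7.5, True, True, True),    # Windows
    Vuln("CVE-2018-2894", 7.5, 9.8, True, True, True),    # Oracle WebLogic Server
    Vuln("CVE-2012-0507", 10.0, None, True, True, True),  # Oracle JRE; no CVSS v3 score exists
    Vuln("CVE-2019-3396", 10.0, 9.8, True, True, True),   # Confluence; v3 score from NVD, not the report
    Vuln("CVE-EXAMPLE-0001", 9.8, 9.8, False, True, False),  # constructed: critical score, never weaponized
    Vuln("CVE-EXAMPLE-0002", 6.5, 6.1, True, False, False),  # constructed: weaponized but not RCE/PE
]


def funnel(vulns: List[Vuln]) -> Dict[str, int]:
    """Count the report's nested funnel: all -> weaponized -> RCE/PE -> trending."""
    weaponized = [v for v in vulns if v.weaponized]
    strategic = [v for v in weaponized if v.rce_pe]
    trending = [v for v in strategic if v.trending]
    return {"total": len(vulns), "weaponized": len(weaponized),
            "rce_pe": len(strategic), "trending": len(trending)}


def score_of(v: Vuln, version: str) -> Optional[float]:
    """Pick the CVSS v2 or v3 score of a record (v3 may be None)."""
    return v.cvss_v3 if version == "v3" else v.cvss_v2


def cvss_only(vulns: List[Vuln], cutoff: float = 8.0, version: str = "v2") -> List[str]:
    """Patch list a pure CVSS policy produces: everything at or above the cutoff."""
    picked = [v for v in vulns if (score_of(v, version) or 0.0) >= cutoff]
    return sorted(v.cve for v in picked)


def missed_by_cvss(vulns: List[Vuln], cutoff: float = 8.0, version: str = "v2") -> List[str]:
    """Trending RCE/PE CVEs the CVSS-only policy leaves unpatched, lowest score first.

    A missing v3 score counts as missed, because a v3 threshold can never
    select such a CVE; those entries sort last.
    """
    missed = [v for v in vulns if v.trending and v.rce_pe
              and (score_of(v, version) is None or score_of(v, version) < cutoff)]

    def key(v: Vuln):
        s = score_of(v, version)
        return (s is None, s if s is not None else 0.0, v.cve)

    return [v.cve for v in sorted(missed, key=key)]


def risk_based(vulns: List[Vuln]) -> List[str]:
    """Order by threat context first and CVSS v2 second.

    Tier 0: weaponized, RCE/PE and trending; tier 1: weaponized and RCE/PE;
    tier 2: weaponized only; tier 3: everything else.
    """
    def tier(v: Vuln) -> int:
        if v.weaponized and v.rce_pe and v.trending:
            return 0
        if v.weaponized and v.rce_pe:
            return 1
        return 2 if v.weaponized else 3

    return [v.cve for v in sorted(vulns, key=lambda v: (tier(v), -v.cvss_v2, v.cve))]


if __name__ == "__main__":
    print("funnel:", funnel(SAMPLE))
    print("CVSS v2 >= 8 would patch:", cvss_only(SAMPLE))
    print("...and miss these trending RCE/PE CVEs:", missed_by_cvss(SAMPLE))
    print("risk-based order:", risk_based(SAMPLE))
```

On this sample a CVSS v2 cutoff of 8 selects three CVEs, one of which is the constructed never-weaponized record, while leaving six trending RCE/PE CVEs unpatched; the tiered ordering puts every trending RCE/PE CVE ahead of the 9.8-scored record that has no exploit.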
Older Vulnerabilities Are Still Trending
Our analysis shows that older vulnerabilities from as far back as 2010 continue to be actively used in ransomware campaigns today. Overall, 18 of the 57 vulnerabilities analyzed were from 2015 or earlier. Of those 18 vulnerabilities, 16 were still trending in 2018 or 2019. While organizations are often in a rush to patch the latest vulnerabilities, this should serve as a reminder that older weaponized and trending vulnerabilities can actually pose the greatest risk.
[Figure: Ransomware Vulnerabilities by Year]

Year    Trending   Non-Trending
2007    0          1
2008    0          0
2009    0          0
2010    2          0
2011    0          0
2012    3          1
2013    3          0
2014    1          0
2015    7          0
2016    8          2
2017    13         3
2018    10         0
2019    2          1
Total   49         8

We have included the following list of CVEs to help prioritize older CVEs trending in the wild during 2018 or 2019.

CVE             Vendor      Product
CVE-2010-1428   Red Hat     JBOSS_Enterprise_Application_Platform
CVE-2012-0507   Oracle      Oracle JRE
CVE-2012-0874   Red Hat     JBOSS_Enterprise_Web_Platform
CVE-2012-1723   Oracle      Oracle JRE
CVE-2013-0074   Microsoft   Microsoft Silverlight
CVE-2013-2551   Microsoft   Microsoft IE
CVE-2013-4810   HP          HP Procurve_Manager
CVE-2014-6332   Microsoft   Microsoft Windows
CVE-2015-1427   Elastic     Elasticsearch
CVE-2015-1641   Microsoft   Microsoft Office
CVE-2015-1701   Microsoft   Microsoft Windows
CVE-2015-2419   Microsoft   Microsoft IE
CVE-2015-5122   Adobe       Adobe Flash_Player
CVE-2015-7645   Adobe       Adobe Flash_Player
CVE-2015-8651   Adobe       Adobe Flash_Player

Summary and Recommendations
Relevant CVEs:
• List of older vulnerabilities trending in the wild
• List of vulnerabilities with lower CVSS scores trending in the wild
Recommendations:
• Apply a risk-based approach to prioritizing vulnerabilities that includes weaponization, RCE/PE capabilities, and trending intelligence.
Vulnerabilities by Ransomware Family

Next, we analyzed the dataset based on the families of ransomware that target each vulnerability. This gives additional insight into how the respective malware families use vulnerabilities throughout the course of a ransomware attack. For example, even if an attack begins via a phishing email, the attacker may use vulnerabilities to spread laterally within a victim organization or to target high-value servers. Next, we were able to identify priority vulnerabilities that were used by multiple families of ransomware.
Malware Families with the Most Vulnerabilities
Some of the most popular and well-established malware families also happened to leverage the largest overall number of vulnerabilities. Cerber was found to be the most flexible, using a total of 17 vulnerabilities, 16 of which are trending. Gandcrab was next with 11 vulnerabilities, 9 trending. Both the SamSam and Satan malware tied with 9 vulnerabilities, all of which were trending. PrincessLocker, which runs as a Ransomware-as-a-Service campaign and is tightly associated with the RIG exploit kit, had 7 vulnerabilities.
Close behind were two of the newer and more dangerous entrants to the ransomware field – Ryuk and Sodinokibi. These two families have been growing in popularity in 2019 and are notable for targeting enterprises and demanding unusually high ransoms (Coveware).
[Figure: Vulnerabilities by Malware Family (trending vs non-trending) for Xbash, Troldesh, Sodinokibi, Satan, SamSam, Ryuk, Princess Locker, Petya, Megacortex, Locky, Lockergoga, Katyusha, JNEC, Gimemo, GandCrab, Cerber and BadRabbit. Cerber 17 (16 trending), GandCrab 11 (9 trending), SamSam 9, Satan 9, Princess Locker 7, BadRabbit 4.]
Vulnerabilities Shared Across Ransomware Families
Next, we looked to see which vulnerabilities were used by multiple families. Knowing that a particular vulnerability is not only trending in the wild but is also a common target across multiple ransomware families can further help organizations prioritize their patching efforts. The table below shows the vulnerabilities associated with multiple families along with the vulnerable component and risk score.
This confluence of ransomware families also highlights a series of SMB vulnerabilities ranging from CVE-2017-0143 to CVE-2017-0147. These are the MS17-010 vulnerabilities that were originally made infamous by the WannaCry ransomware. These vulnerabilities continue to be very popular today and are heavily used by multiple families including the recent Ryuk malware to move laterally and infect additional hosts in the network. Additionally, the list includes examples of older vulnerabilities as well as some with low CVSS scores.
CVE              Families                                        Vulnerable Element          CVSS v2
CVE-2010-0738    SamSam, Satan                                   JBOSS_Application_Server    5
CVE-2012-0507    GandCrab, Sodinokibi, Princess Locker, Cerber   Sun/Oracle JRE              10
CVE-2012-1723    Cerber, Locky                                   Sun/Oracle JRE              10
CVE-2013-0074    GandCrab, Sodinokibi, Princess Locker, Cerber   Microsoft Silverlight       9.3
CVE-2015-8651    Cerber, Princess Locker                         Adobe Flash_Player          9.3
CVE-2016-0189    Cerber, Princess Locker                         Microsoft Jscript           7.6
CVE-2016-1019    Locky, Cerber                                   Adobe Flash_Player          10
CVE-2017-0143    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0144    Satan, Ryuk                                     SMB                         9.3
CVE-2017-0145    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0146    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0147    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         4.3
CVE-2017-10271   Satan, Gandcrab                                 Oracle WebLogic_Server      5
CVE-2019-2725    Cerber, Sodinokibi                              Oracle Fusion_Middleware    7.5
CVE-2019-3396    Gandcrab, Lockergoga, Megacortex                Atlassian Confluence        10

Summary and Recommendations
Relevant CVEs:
• List of trending vulnerabilities used by multiple families of ransomware
Recommendations:
• Prioritize patching of vulnerabilities that are used by multiple families of ransomware
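The multi-family table above is effectively a join between a feed of family/CVE observations and a CVE list, and the per-family counts in the previous subsection are the same data read the other way. The following Python is an added example, not RiskSense code; it rebuilds both views from constructed (family, CVE) observations copied from the table above and the Adobe paragraph later in the report, normalises the inconsistent family spellings the report itself contains (GandCrab versus Gandcrab), and adds a hypothetical `unpatched_exposure` helper that shows which families still have a usable CVE in the sample after a given patch set is applied.

```python
"""Cross-referencing ransomware families against the CVEs they use.

Added example, not RiskSense code. The (family, CVE) pairs are copied from
the report's multi-family table plus CVE-2018-15982 from the Adobe section;
the feed format, the normalisation rule and unpatched_exposure() are this
example's own assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed intel feed: one (family label, CVE) pair per observed use.
# Labels are deliberately inconsistent ("GandCrab" vs "Gandcrab"), exactly
# as they appear in the report, to show why normalisation matters.
OBSERVATIONS: List[Tuple[str, str]] = [
    ("SamSam", "CVE-2010-0738"), ("Satan", "CVE-2010-0738"),
    ("GandCrab", "CVE-2012-0507"), ("Sodinokibi", "CVE-2012-0507"),
    ("Princess Locker", "CVE-2012-0507"), ("Cerber", "CVE-2012-0507"),
    ("Locky", "CVE-2016-1019"), ("Cerber", "CVE-2016-1019"),
    ("BadRabbit", "CVE-2017-0143"), ("Katyusha", "CVE-2017-0143"),
    ("Ryuk", "CVE-2017-0143"), ("SamSam", "CVE-2017-0143"),
    ("Satan", "CVE-2017-0144"), ("Ryuk", "CVE-2017-0144"),
    ("BadRabbit", "CVE-2017-0147"), ("Katyusha", "CVE-2017-0147"),
    ("Ryuk", "CVE-2017-0147"), ("SamSam", "CVE-2017-0147"),
    ("Satan", "CVE-2017-10271"), ("Gandcrab", "CVE-2017-10271"),
    ("Gandcrab", "CVE-2019-3396"), ("Lockergoga", "CVE-2019-3396"),
    ("Megacortex", "CVE-2019-3396"),
    ("Gandcrab", "CVE-2018-15982"),
]


def canon(family: str) -> str:
    """Normalise a family label: case-fold and drop spaces and punctuation."""
    return "".join(ch for ch in family.casefold() if ch.isalnum())


def families_by_cve(obs: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Invert the feed: CVE -> set of normalised families using it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for family, cve in obs:
        index[cve].add(canon(family))
    return dict(index)


def cves_by_family(obs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Family -> sorted distinct CVEs (the report's per-family counts)."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for family, cve in obs:
        index[canon(family)].add(cve)
    return {fam: sorted(cves) for fam, cves in index.items()}


def shared_cves(obs: List[Tuple[str, str]], min_families: int = 2) -> List[Tuple[str, int]]:
    """CVEs used by at least `min_families` families, most shared first."""
    rows = [(cve, len(fams)) for cve, fams in families_by_cve(obs).items()
            if len(fams) >= min_families]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def unpatched_exposure(obs: List[Tuple[str, str]], patched: Iterable[str]) -> Dict[str, List[str]]:
    """Hypothetical helper: families that still have an unpatched CVE, and which ones.

    Families whose every observed CVE is in `patched` are omitted, which makes
    the payoff of closing a CVE cluster such as MS17-010 visible per family.
    """
    done = set(patched)
    left = {fam: [c for c in cves if c not in done] for fam, cves in cves_by_family(obs).items()}
    return {fam: cves for fam, cves in left.items() if cves}


if __name__ == "__main__":
    for cve, n in shared_cves(OBSERVATIONS):
        print(f"{cve}: used by {n} families")
    ms17_010 = ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147"]
    print("still exposed after patching MS17-010:", unpatched_exposure(OBSERVATIONS, ms17_010))
```

Without `canon`, "GandCrab" and "Gandcrab" would be counted as two families with one and three CVEs instead of one family with four; with it, the shared-CVE ranking matches the table above, and patching the five MS17-010 CVEs removes every observed foothold for Ryuk, BadRabbit and Katyusha in this sample while Satan and GandCrab retain their WebLogic and JBoss entries.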
Vulnerabilities by Vendor and Product

Next, we take an asset-centric view of ransomware by looking at the systems, applications, and resources that are being targeted. While Microsoft and Adobe vulnerabilities have long been favorite targets for exploits and malware, our data shows a variety of vendors and products being targeted. Many of the trending vulnerabilities targeted components within high-value systems including critical components within servers.

Vulnerabilities by Vendor and Product
The 57 vulnerabilities in the report are spread across 12 vendors, which likewise were tied to 33 different products. Microsoft had by far the most vulnerabilities with 27, followed by RedHat (6), Adobe (5), Oracle (5), and Apache (4).
It is important to note that ransomware is targeting the application layer in addition to traditional infrastructure. This means that organizations will need to include Application Security and Open Source Security as part of their vulnerability management strategy. We have summarized some of the key findings for top vendors as follows:
Microsoft – At the application level, Microsoft vulnerabilities were spread across Windows, Edge and Explorer, and Microsoft Office. However, the often-overlooked SMB vulnerabilities are also attributed to Microsoft and were targeted by a variety of families. Likewise, Microsoft Silverlight was targeted by several families including GandCrab, Princess Locker, Cerber, and the recently surging Sodinokibi ransomware. Of the 8 Windows vulnerabilities, 6 were relevant to versions of Windows Server.
RedHat – The RedHat vulnerabilities were primarily tied to the JBOSS application server and its components. Particularly targeted by SamSam and Satan ransomware, these vulnerabilities are important for multiple reasons – the systems are high-value targets that can warrant steep ransoms, and they are externally facing and exploitable, making them ideal initial infection vectors that can be used to spread ransomware more broadly.
Adobe – The Adobe vulnerabilities were all tied to the Adobe Flash Player. These vulnerabilities were strongly tied to Cerber except for the most recent vulnerability (CVE-2018-15982), which was used by Gandcrab.
Oracle – Oracle had 5 vulnerabilities but all were significant. Two were tied to the Oracle JRE, which can affect a wide variety of other products. These were targeted by a variety of ransomware including GandCrab, Sodinokibi, Princess Locker, Cerber, and Locky. Oracle WebLogic Server was another major target with multiple vulnerabilities targeted by Satan, Gandcrab, Cerber, and Sodinokibi.
Apache – Apache vulnerabilities were tied to Apache Struts, Tomcat, and Apache Active MQ. Much like the JBOSS vulnerabilities, the Apache vulnerabilities provide ideal initial infection vectors and also naturally provide attackers with access to extremely high value servers. These assets were targeted by Gandcrab, Cerber, Satan, and Xbash ransomware.
Pivotal – Pivotal software’s three vulnerabilities were all tied to the Spring Data Framework. These vulnerabilities were primarily targeted by Satan ransomware. Like many of the examples above, these vulnerabilities allow an attacker to focus on high-value applications and servers within an organization.
Atlassian – While Atlassian only had one trending vulnerability against Confluence, it was targeted by several families including Gandcrab, Lockergoga, and Megacortex. Also, Confluence deployments typically represent a highly valuable enterprise data store which would be particularly painful to an organization if it became unavailable.
[Figure: Total 57 Vulns by vendor]

Vendor             Vulns
Adobe              5
Apache             4
Atlassian          2
ConnectWise        1
Elastic            1
HP                 2
Microsoft          27
Oracle             5
Pivotal Software   2
Rarlab             1
RedHat             6
Samba              1
Total              57
RiskSense Spotlight Report • August 2019
Page 13 Spotlight • Enterprise Ransomware – Through the Lens of Vulnerability and Threat Management
Vulnerabilities by Vendor and Product (Continued)
It is important to note that ransomware is targeting the application layer in addition to traditional infrastructure. This means that organizations will need to include Application Security and Open Source Security as part of their vulnerability management strategy. We have summarized some of the key findings for top vendors as follows:
Microsoft – At the application level, Microsoftvulnerabilities were spread across Windows, Edge and Explorer, and Microsoft Office. However, the often-overlooked SMB vulnerabilities are also attributed to Microsoft and were targeted by a variety of families. Likewise, Microsoft Silverlight was targeted by several families including GandCrab, Princess Locker, Cerber, and the recently surging Sodinokibi ransomware. Of the 8Windows vulnerabilities, 6 were relevant to versions of Windows Server.
RedHat – The RedHat vulnerabilities were primarily tied to the JBOSS application server and its components. Particularly targeted by SamSam and Satan ransomware, these vulnerabilities are important for multiple reasons – the systems are high-value targets that can warrant steep ransoms, and they are externally facing and exploitable, making them ideal initial infection vectors that can be used to spread ransomware more broadly.
Adobe – The Adobe vulnerabilities were all tied to the Adobe Flash Player. These vulnerabilities were strongly tied to Cerber except for the most recent vulnerability (CVE-2018-15982), which was used by Gandcrab.
Oracle – Oracle had 5 vulnerabilities but all were significant. Two were tied to the Oracle JRE, which can affect a wide variety of other products. These were targeted by a variety of ransomware including GandCrab, Sodinokibi, Princess Locker, Cerber, and Locky. Oracle WebLogic Server was another major target with multiple vulnerabilities targeted by Satan, Gandcrab, Cerber, and Sodinokibi.
Apache – Apache vulnerabilities were tied to Apache Struts, Tomcat, and Apache Active MQ. Much like the JBOSS vulnerabilities, the Apache vulnerabilities provide ideal initial infection vectors and also naturally provide attackers with access to extremely high value servers. These assets were targeted by Gandcrab, Cerber, Satan, and Xbash ransomware.
Pivotal – Pivotal software’s three vulnerabilities were all tied to the Spring Data Framework. These vulnerabilities were primarily targeted by Satan ransomware. Like many of the examples above, these vulnerabilities allow an attacker to focus on high-value applications and servers within an organization.
Atlassian – While Atlassian only had one trending vulnerability against Confluence, it was targeted by several families including Gandcrab, Lockergoga, and Megacortex. Also, Confluence deployments typically represent a highly valuable enterprise data store which would be particularly painful to an organization if it became unavailable.
Total 57 Vulns

Vendor              Vendor Total   Product                                   Vulns
Adobe                     6        Adobe Flash_Player                          6
Apache                    4        Apache ActiveMQ                             1
                                   Apache Struts                               2
                                   Apache Tomcat                               1
Atlassian                 2        Atlassian Confluence                        2
ConnectWise               1        Connectwise ManagedITSync                   1
Elastic                   1        Elasticsearch                               1
HP                        4        HP Application_Lifecycle_Management         1
                                   HP Identity_Driven_Manager                  1
                                   HP integrated_lights-out_firmware           1
                                   HP Procurve_Manager                         1
Microsoft                27        Microsoft Edge                              3
                                   Microsoft Explorer                          3
                                   Microsoft Jscript                           1
                                   Microsoft Office                            3
                                   Microsoft Office                            1
                                   Microsoft Silverlight                       2
                                   Microsoft Windows                           8
                                   SMB                                         6
Oracle                    5        Oracle Fusion_Middleware                    1
                                   Oracle WebLogic_Server                      2
                                   Sun/Oracle JRE                              2
Pivotal Software          3        Spring_Boot                                 1
                                   Spring_Data_Commons                         1
                                   Spring_Data_REST                            1
Rarlab                    1        Rarlab WinRAR                               1
RedHat                    9        JBOSS_Application_Server                    3
                                   JBOSS_brms_platform                         1
                                   JBOSS_Enterprise_Application_Platform       2
                                   JBOSS_Enterprise_Web_Platform               1
                                   JBOSS_SOA_Platform                          1
                                   RedHat Enterprise_Linux                     1
Samba                     1        Samba_                                      1
Total                    57
Vulnerabilities Affecting Servers and Applications
In total, 36 of the 57 vulnerabilities (63%) used by ransomware directly target servers or other critical enterprise assets. 31 of these vulnerabilities were trending in 2018 or 2019. This focus on high-value assets makes sense as attackers who intend to charge high ransoms will want to target high-value assets.
However, this should serve as a particularly stark reminder for security teams and patch management. These high-value assets may be some of the more challenging to patch due to managing change windows and are often not supported by automatic updates. However, these are the same assets that if compromised can cause the most disruption to the enterprise, and as a result are being actively targeted by ransomware. The table below consolidates the list of vulnerabilities that would most commonly affect servers and applications.
Note that we only included vulnerabilities that were directly tied to servers and applications, and where the attacking behavior applied to typical server use cases. For example, we did not include Flash vulnerabilities or other vulnerabilities that require the victim to visit or interact with a malicious page through a browser. While a server could contain this vulnerability, it does not apply to a common server use case.
Vulnerability ID    Source Product
CVE-2010-0738       JBOSS_Application_Server
CVE-2010-1428       JBOSS_Enterprise_Application_Platform
CVE-2012-0507       Sun/Oracle JRE
CVE-2012-0874       JBOSS_Enterprise_Web_Platform
CVE-2012-0874       JBOSS_Enterprise_Application_Platform
CVE-2012-0874       JBOSS_brms_platform
CVE-2012-0874       JBOSS_SOA_Platform
CVE-2012-1723       Sun/Oracle JRE
CVE-2013-4810       HP Procurve_Manager
CVE-2013-4810       HP Identity_Driven_Manager
CVE-2013-4810       HP Application_Lifecycle_Management
CVE-2014-6332       Windows Server
CVE-2015-1427       Elasticsearch
CVE-2015-1701       Windows Server
CVE-2016-0189       Microsoft Jscript
CVE-2016-3088       Apache ActiveMQ
CVE-2017-0143       Microsoft SMB
CVE-2017-0144       Microsoft SMB
CVE-2017-0145       Microsoft SMB
CVE-2017-0146       Microsoft SMB
CVE-2017-0147       Microsoft SMB
CVE-2017-0148       Microsoft SMB
CVE-2017-10271      Oracle WebLogic_Server
CVE-2017-12149      JBOSS_Application_Server
CVE-2017-12615      Apache Tomcat
CVE-2017-5638       Apache Struts
CVE-2017-8046       Spring_Data_REST
CVE-2017-8046       Spring_Boot
CVE-2018-11776      Apache Struts
CVE-2018-1273       Spring_Data_Commons
CVE-2018-2894       Oracle Weblogic_Server
CVE-2018-4878       RedHat Enterprise_Linux
CVE-2018-8120       Windows Server
CVE-2018-8440       Windows Server
CVE-2018-8453       Windows Server
CVE-2019-2725       Oracle Fusion_Middleware
CVE-2019-3396       Atlassian Confluence
Vulnerabilities Impacting Additional Products
Our analysis found 19 CVEs overall and 17 trending CVEs that had a downstream impact on other technology vendors. It is important to remember that vulnerabilities can impact other vendors and products that reuse or include the vulnerable component. For example, the Oracle JRE is used in a variety of other products, which would likewise need to be patched. This can give certain vulnerabilities an unexpected breadth within an organization that can be easy to miss.
To get a better view of this issue, we further analyzed Common Platform Enumeration (CPE) data to identify vulnerabilities that affect additional vendors. A vulnerability in Samba affected the most vendors; however, it should be noted that the particular CVE is not currently trending in the wild. The Oracle JRE vulnerabilities, on the other hand, impacted 12 additional vendors and a wide variety of individual products. Likewise, Apache Tomcat and the various RedHat vulnerabilities had a notably large reach. The remote exploitability of these vulnerabilities and their ability to directly target servers and applications should make them priorities for patching. The table below summarizes the CVEs that had a downstream impact on other vendors.
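The CPE analysis described above, as an added example that is not RiskSense's own tooling: it parses CPE 2.3 match strings (handling escaped colons, which a naive split gets wrong) and counts the distinct vendors and products each CVE reaches. The CPE strings in the sample are constructed for illustration, not the NVD records for these CVEs.

```python
"""Downstream reach of a CVE from CPE 2.3 match data.

Added example, not RiskSense's analysis code: it shows the kind of CPE
processing the report describes (which other vendors and products a CVE
in a shared component such as the JRE reaches). The CPE strings below are
constructed samples, not the NVD records for these CVEs.
"""

# CPE 2.3 formatted strings carry 13 colon-separated fields:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
# A literal colon inside a field is escaped as "\:", so a plain str.split(":") is wrong.
CPE_FIELDS = 13


def split_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 string on unescaped colons, keeping escape sequences intact."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped character: keep both chars as-is
            current.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def vendor_product(cpe: str) -> tuple[str, str]:
    """Return (vendor, product) from a CPE 2.3 string, rejecting malformed input."""
    fields = split_cpe(cpe)
    if len(fields) != CPE_FIELDS or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[3].lower(), fields[4].lower()


# Constructed sample: a handful of CPE matches per CVE (real NVD entries list far more).
SAMPLE_CPE_MATCHES = {
    "CVE-2012-1723": [
        "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*",
        "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*",
        "cpe:2.3:a:sun:jre:1.5.0:update35:*:*:*:*:*:*",
        "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux:6:*:*:*:*:*:*:*",
        "cpe:2.3:a:vmware:vcenter_server:5.0:*:*:*:*:*:*:*",
    ],
    "CVE-2019-0708": [
        "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*",
        "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*",
    ],
}


def downstream_reach(cpe_matches: dict[str, list[str]]) -> dict[str, dict[str, list[str]]]:
    """For each CVE, list the distinct vendors and vendor:product pairs it reaches."""
    reach = {}
    for cve, cpes in cpe_matches.items():
        vendors, products = set(), set()
        for cpe in cpes:
            vendor, product = vendor_product(cpe)
            vendors.add(vendor)
            products.add(f"{vendor}:{product}")
        reach[cve] = {"vendors": sorted(vendors), "products": sorted(products)}
    return reach


def rank_by_reach(cpe_matches: dict[str, list[str]]) -> list[tuple[str, int]]:
    """CVEs ordered by how many distinct vendors they touch (widest reach first)."""
    reach = downstream_reach(cpe_matches)
    return sorted(((cve, len(r["vendors"])) for cve, r in reach.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    reach = downstream_reach(SAMPLE_CPE_MATCHES)
    for cve, count in rank_by_reach(SAMPLE_CPE_MATCHES):
        print(f"{cve}: {count} vendors -> {', '.join(reach[cve]['vendors'])}")
```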
[Figure: number of products impacted per CVE, grouped by vendor (Adobe, Oracle, Samba, HP, Apache, Elastic, RedHat) and marked Trending or Non-Trending. The vendor lists recovered from the figure follow; the counts are tabulated in the table below.]

Products impacted by CVE-2016-2118 (Samba), 15: Amazon, Canonical, Centos, Debian, F5, Fedoraproject, Fermilab, Freebsd, Gentoo, Huawei, Novell, Oracle, RedHat, Samba, Slackware
Products impacted by CVE-2012-1723 (Sun/Oracle JRE), 13: Sun, Amazon, Apple, Canonical, Centos, Debian, Fermilab, Gentoo, Mandriva, Novell, Oracle, RedHat, Vmware
Products impacted by CVE-2012-0507 (Sun/Oracle JRE), 12: Sun, Apple, Canonical, Centos, Debian, Gentoo, Novell, Oracle, RedHat, Suse, Ubuntu, Vmware
Products impacted by CVE-2017-12615 (Apache Tomcat), 9: Apache, Centos, Fedoraproject, Fermilab, Freebsd, Huawei, Oracle, RedHat, Virtuozzo
Products impacted by CVE-2015-7645, CVE-2015-8651, CVE-2016-1019 and CVE-2016-4117 (Adobe Flash_Player), 6 each: Adobe, Freebsd, Gentoo, Google, Novell, RedHat
Products impacted by CVE-2015-5122 (Adobe Flash_Player), 5: Adobe, Gentoo, Google, Novell, RedHat
Products impacted by CVE-2018-4878 (RedHat Enterprise_Linux), 5: Adobe, Freebsd, Gentoo, Google, RedHat
Products impacted by CVE-2007-1036 (JBOSS_Application_Server), 5: Cisco, HP, Jboss, RedHat, Symantec
Products impacted by CVE-2012-0874 (JBOSS_Enterprise_Web_Platform), 4: HP, Jboss, RedHat, Symantec
Products impacted by CVE-2013-4810 (HP Procurve_Manager), 4: HP, Jboss, RedHat, Symantec
Products impacted by CVE-2010-0738 (JBOSS_Application_Server), 3: HP, Juniper, RedHat
Products impacted by CVE-2018-15982 (Adobe Flash_Player), 3: Adobe, Freebsd, RedHat
Products impacted by CVE-2010-1428 (JBOSS_Enterprise_Application_Platform), 2: Juniper, RedHat
Products impacted by CVE-2015-1427 (Elasticsearch), 2: Elasticsearch, Freebsd
Products impacted by CVE-2018-11776 and CVE-2017-5638 (Apache Struts), 2 each: Apache, Cisco; Apache, Oracle
Summary and Recommendations
Relevant CVEs:
• List of trending vulnerabilities targeting servers and applications
• Vulnerabilities affecting additional vendors
Recommendations:
• Prioritize vulnerabilities that can target servers and applications
• Be aware of vulnerabilities that can impact additional vendors and products
Vulnerability ID    Vendor     Product                                   Trending   Grand Total
CVE-2016-2118       Samba      Samba                                     No             15
CVE-2012-1723       Oracle     Sun/Oracle JRE                            Yes            13
CVE-2012-0507       Oracle     Sun/Oracle JRE                            Yes            12
CVE-2017-12615      Apache     Apache Tomcat                             Yes             9
CVE-2015-7645       Adobe      Adobe Flash_Player                        Yes             6
CVE-2015-8651       Adobe      Adobe Flash_Player                        Yes             6
CVE-2016-1019       Adobe      Adobe Flash_Player                        Yes             6
CVE-2016-4117       Adobe      Adobe Flash_Player                        Yes             6
CVE-2007-1036       RedHat     JBOSS_Application_Server                  No              5
CVE-2015-5122       Adobe      Adobe Flash_Player                        Yes             5
CVE-2018-4878       RedHat     RedHat Enterprise_Linux                   Yes             5
CVE-2012-0874       RedHat     JBOSS_Enterprise_Web_Platform             Yes             4
CVE-2013-4810       HP         HP Procurve_Manager                       Yes             4
CVE-2010-0738       RedHat     JBOSS_Application_Server                  Yes             3
CVE-2018-15982      Adobe      Adobe Flash_Player                        Yes             3
CVE-2010-1428       RedHat     JBOSS_Enterprise_Application_Platform     Yes             2
CVE-2015-1427       Elastic    Elasticsearch                             Yes             2
CVE-2017-5638       Apache     Apache Struts                             Yes             2
CVE-2018-11776      Apache     Apache Struts                             Yes             2

Grand Total is the number of products impacted. The vendor columns of the original matrix were: Sun, Adobe, amazon, apache, apple, canonical, centos, cisco, debian, elasticsearch, f5, fedoraproject, fermilab, freebsd, gentoo, google, hp, huawei, jboss, juniper, mandriva, novell, oracle, redhat, Samba, slackware, suse, symantec, ubuntu, virtuozzo, vmware.
Wormable Vulnerabilities in SMB and RDP
In addition to the many vulnerabilities analyzed thus far, Server Message Block (SMB) and Remote Desktop Protocol (RDP) have played an incredibly important role in the evolution of ransomware and remain a focal point for attackers today. In this section, we will look at specific vulnerabilities as well as important security best practices for these protocols to reduce the exposure to ransomware.

SMB and the ‘Eternal’ Exploits (MS17-010)
In April of 2017, the Shadow Brokers released the now infamous exploit known as EternalBlue, which targeted a vulnerability in SMB. The wormable nature of this vulnerability allowed an attacker to easily spread from host to host, infect additional devices, and move laterally within a network. In response, Microsoft issued Security Bulletin MS17-010, which cited several vulnerabilities spanning CVE-2017-0143 through CVE-2017-0148. In May of the same year, the WannaCry ransomware outbreak used the EternalBlue exploit against CVE-2017-0144 to spread from host to host within a network. Hundreds of thousands of devices were impacted globally in the attack. The same vulnerability was once again targeted a month later in the June Petya/NotPetya attacks.

Of note, RiskSense researchers were instrumental in highlighting how additional ‘Eternal’ exploits could be applied to other operating systems and also published the first open source scanner for MS17-010 on May 17th of 2017.

However, in spite of their highly publicized nature and the availability of patches, the MS17-010 vulnerabilities persist within enterprise networks and continue to be used by multiple families of ransomware today, including Ryuk, SamSam, Satan, BadRabbit, and Katyusha. Ryuk, which is one of the more recent families of ransomware, is notable for demanding very high ransoms of $100,000 or more.

Given the wormable nature of these vulnerabilities and that they remain targets for some of the most recent and damaging malware, organizations should heavily prioritize patching efforts for the following CVEs. Additionally, since these vulnerabilities are used by ransomware to move laterally and spread within a network, it is important that all vulnerable devices are patched, not just those exposed to the internet.
CVE              Relevant Ransomware Families
CVE-2017-0143    BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0144    Ryuk, Satan
CVE-2017-0145    BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0146    BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0147    BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0148    Petya
[Timeline figure (labels recovered from the graphic): CVE & Patch Released, 3.14.2017; Exploit Released, 4.14.2017; RiskSense Analysis Warns of a Massive Cyber Attack, April 21, 2017; WannaCry Massive Attack, 5.12.2017; Petya Massive Attack, 6.27.2017; interval labels of 30 days, 27 days and 45 days.]
RDP and BlueKeep (CVE-2019-0708)
Much like MS17-010, which affects SMB, the recent BlueKeep vulnerability (CVE-2019-0708) represents a wormable vulnerability for RDP. Proof-of-concept code for the vulnerability has been demonstrated, and it is widely anticipated that exploits will eventually be seen in the wild. On 21 May 2019 RiskSense was the first to release an open source scanner for BlueKeep, which quickly found that approximately 1 million devices were exposed and vulnerable.

Additionally, new wormable RDP vulnerabilities were found affecting the Microsoft Remote Desktop service in August of 2019. These include CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.

There are two important takeaways from this information. First, organizations should prioritize patching for CVE-2019-0708. Secondly, organizations should not be exposing RDP and SMB externally in the first place.
Reducing the SMB and RDP Attack Surface
While much of the analysis in this paper is focused on specific CVEs related to ransomware, we would be remiss not to underline general security best practices for SMB and RDP. As a matter of course, neither SMB nor RDP should be exposed to the internet. However, using Shodan we can see that roughly 1.8 million SMB ports are exposed on the internet, and 7.6 million RDP ports are likewise exposed. This basic exposure has been heavily utilized by a variety of ransomware families. The SamSam family of ransomware in particular is well-known for gaining access to networks by simply brute-forcing exposed RDP ports. This means that ransomware will often gain access not by exploiting a CVE, but by finding lapses in basic network security hygiene.

Enterprises should scan their environments and close any exposed SMB or RDP ports. In cases where the organization requires RDP to be exposed, security teams should take strong measures to secure the service, including but not limited to:
• Ensure strong password policies
• Prioritize patching for related vulnerabilities
• Move the service to a non-standard port
• Implement a lockout policy after repeated login failures
• Implement multi-factor authentication
• Implement strict access control rules
Summary and Recommendations
Vulnerability Type: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2019-0708
Recommendations:
• Scan for and remove internet-facing SMB and RDP wherever possible
• Prioritize patching of the MS17-010 vulnerabilities
• Apply strong security controls to RDP access
The Ransomware Top 10
By bringing together the various perspectives used in this report, we can zero in on a list of 10 very high priority vulnerabilities. This should in no way discount the importance of the many other vulnerabilities analyzed in the report, but rather give organizations a very short and manageable starting point for ransomware-based patching efforts.
Note that the table below is listed chronologically based on the CVE and not by importance or priority. The first 3 vulnerabilities all affect multiple vendors, are targeted by multiple families, all affect servers, and all are older CVEs. CVE-2010-0738 is also a particularly low scoring vulnerability. The final 6 vulnerabilities are the MS17-010 vulnerabilities. The wormable nature of these vulnerabilities means that they can have a particularly devastating impact to an enterprise if left unpatched.
Top 10 CVEs      Source                      Targeted by Multiple     Impacts Multiple   Affects   CVSS v2
                                             Ransomware Families      Vendors            Servers
CVE-2010-0738    JBOSS_Application_Server    Yes                      Yes                Yes       5
CVE-2012-1723    Sun/Oracle JRE              Yes                      Yes                Yes       10
CVE-2012-0507    Sun/Oracle JRE              Yes                      Yes                Yes       10
CVE-2015-8651    Adobe Flash_Player          Yes                      Yes                No        9.3
CVE-2017-0143    SMB                         Yes                      No                 Yes       9.3
CVE-2017-0144    SMB                         Yes                      No                 Yes       9.3
CVE-2017-0145    SMB                         Yes                      No                 Yes       9.3
CVE-2017-0146    SMB                         Yes                      No                 Yes       9.3
CVE-2017-0147    SMB                         Yes                      No                 Yes       4.3
CVE-2017-0148    SMB                         Yes                      No                 Yes       9.3
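The table above turned into a small risk-based ranking, as an added example that is not RiskSense's scoring model: the per-CVE attributes are the table's own (plus the report's statement that MS17-010 is wormable), the weights are assumptions, and the block contrasts the result with a CVSS-only ordering and with a "CVSS 7.0 or higher" patching threshold, which silently drops CVE-2010-0738 and CVE-2017-0147.

```python
"""Context-based prioritization of the report's Ransomware Top 10.

Added example, not RiskSense's scoring model. The per-CVE attributes come from
the Top 10 table (source, affects servers, CVSS v2, targeted by multiple
families, impacts multiple vendors) plus the report's statement that the
MS17-010 SMB vulnerabilities are wormable; the weights are assumptions chosen
to illustrate why CVSS alone misranks CVE-2010-0738 and CVE-2017-0147.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    source: str
    cvss_v2: float
    affects_servers: bool
    multi_families: bool   # targeted by multiple ransomware families
    multi_vendors: bool    # impacts multiple vendors via downstream CPE reach
    wormable: bool = False


def smb(cve: str, cvss_v2: float) -> Vuln:
    """The six MS17-010 rows share every attribute except their CVSS score."""
    return Vuln(cve, "SMB", cvss_v2, True, True, False, wormable=True)


TOP10 = [
    Vuln("CVE-2010-0738", "JBOSS_Application_Server", 5.0, True, True, True),
    Vuln("CVE-2012-1723", "Sun/Oracle JRE", 10.0, True, True, True),
    Vuln("CVE-2012-0507", "Sun/Oracle JRE", 10.0, True, True, True),
    Vuln("CVE-2015-8651", "Adobe Flash_Player", 9.3, False, True, True),
    smb("CVE-2017-0143", 9.3), smb("CVE-2017-0144", 9.3), smb("CVE-2017-0145", 9.3),
    smb("CVE-2017-0146", 9.3), smb("CVE-2017-0147", 4.3), smb("CVE-2017-0148", 9.3),
]

# Assumed weights (not the report's): in-the-wild use and blast radius dominate;
# the CVSS v2 base score (0-10) only separates otherwise equal entries.
WEIGHTS = {
    "used_by_ransomware": 40.0,   # every Top 10 entry is weaponized by definition
    "multi_families": 15.0,
    "affects_servers": 15.0,
    "wormable": 15.0,
    "multi_vendors": 10.0,
}


def context_score(v: Vuln) -> float:
    score = WEIGHTS["used_by_ransomware"]
    score += WEIGHTS["multi_families"] if v.multi_families else 0.0
    score += WEIGHTS["affects_servers"] if v.affects_servers else 0.0
    score += WEIGHTS["wormable"] if v.wormable else 0.0
    score += WEIGHTS["multi_vendors"] if v.multi_vendors else 0.0
    return score + v.cvss_v2


def reasons(v: Vuln) -> list[str]:
    """Human-readable justification, so the ranking can be defended to a change board."""
    out = ["used by ransomware in the wild"]
    if v.multi_families:
        out.append("multiple ransomware families")
    if v.wormable:
        out.append("wormable")
    if v.affects_servers:
        out.append("affects servers")
    if v.multi_vendors:
        out.append("reaches multiple vendors")
    return out


def rank_by_context(vulns: list[Vuln]) -> list[str]:
    return [v.cve for v in sorted(vulns, key=context_score, reverse=True)]


def rank_by_cvss(vulns: list[Vuln]) -> list[str]:
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss_v2, reverse=True)]


def cvss_threshold_backlog(vulns: list[Vuln], minimum: float = 7.0) -> list[str]:
    """What a 'patch everything rated High or above' policy would keep."""
    return [v.cve for v in vulns if v.cvss_v2 >= minimum]


if __name__ == "__main__":
    by_cvss = rank_by_cvss(TOP10)
    for place, cve in enumerate(rank_by_context(TOP10), 1):
        v = next(x for x in TOP10 if x.cve == cve)
        print(f"{place:2d}. {cve} score={context_score(v):.1f} "
              f"(CVSS-only rank {by_cvss.index(cve) + 1}): {', '.join(reasons(v))}")
    kept = cvss_threshold_backlog(TOP10)
    print("Dropped by a CVSS >= 7.0 threshold:", [v.cve for v in TOP10 if v.cve not in kept])
```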
Summary
We hope that this report provides organizations with prescriptive and usable insights that can help to protect their assets from being exposed to ransomware and drive an efficient approach to vulnerability and patch management. While any threat-based analysis will naturally represent a specific point in time, we hope that the lessons and methodologies contained in the report continue to provide guidance even as ransomware and attack campaigns adapt and evolve.
In particular we have seen how some of the vulnerabilities that ransomware uses the most can fly under the radar due to age or low CVSS score. This should serve as a reminder that CVSS scores should be just one of several contexts we consider when evaluating a vulnerability. Ultimately, insights from threats in the wild provide the most reliable context for driving good security decisions. As a result, organizations should always be aware of which vulnerabilities have actually been weaponized and are actively being used by attackers in the wild.
This real-world context also clearly shows how enterprise ransomware targets higher value assets such as server and application infrastructure where attacks are likely to cause the most damage. The need to schedule change windows can make these assets the most challenging and time-consuming to patch for enterprise IT teams. However, it is important to remember that the inconvenience of these patching efforts is nominal compared to the disruption and loss due to a successful ransomware attack.
Lastly, teams should be aware of the vulnerabilities where ransomware congregates the most. Multiple families of ransomware can target the same vulnerabilities for a variety of reasons. The vulnerability may be particularly easy to target and used in readily available exploit kits. The vulnerability may be particularly valuable such as wormable exploits that allow attackers to quickly spread through a victim network. In either case, these confluences of ransomware behavior should serve as a vivid indicator of risk for an enterprise, and should be prioritized accordingly.
By analyzing vulnerability metrics and characteristics, real-world threat context, and an understanding of the impact to the organization, security leaders can make risk-based decisions based on the content of this report that result in smarter patching decisions. Even with limited resources, a more effective approach can be obtained to address the growing enterprise ransomware threat.
© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_Ransomware_20191014
RiskSense – the industry’s most comprehensive risk-based vulnerability management and prioritization platform
Contact us today to learn more about RiskSense. RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | risksense.com
About RiskSense
RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.