A recent CISA #StopRansomware advisory highlights how organizations can mitigate BianLian ransomware by limiting RDP connections and other permissions. This should come as no revelation: these controls are basic cybersecurity hygiene, and the pattern of attack they address has been well established for years.
In 2022, Forescout analyzed ContiLeaks, which revealed the world’s most profitable ransomware family preferred to target Active Directory/Domain Controller permissions through RDP backdoors. If VPN and RDP are the keys to the kingdom, then Domain Controllers are the crown.
Organizations need to evolve their understanding of risk beyond vulnerability management to proactively discover misconfigurations and remediate basic cyber hygiene issues.
From Conti to BianLian: Ransomware Attacks Target Privileged Access
In 2022, a Twitter account dubbed ContiLeaks published the private chats, tutorials and tools used by the Conti ransomware family. When security researchers analyzed Conti’s “hacker quickstart guide,” they discovered that Conti described legitimate services such as VPN and RDP as an “ideal backdoor” because they hide malicious traffic and ensure that attackers remain unnoticed. The guide also noted that networking protocols such as DNS, TCP, and HTTPS can be used to establish initial access.
Furthermore, analysis of ContiLeaks revealed that Active Directory and Domain Controllers within Windows-based networks were the target for their attacks because they enable lateral movement and can often be compromised to gain full control of the network. Active Directory is easily exploited because it is commonly misconfigured.
Likewise, a 2023 CISA #StopRansomware alert about the BianLian ransomware group recommended prioritizing these mitigations:
- Strictly limit the use of RDP and other remote desktop services
- Disable command-line and scripting activities and permissions
- Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version
CISA reports that BianLian is gaining initial access from RDP credentials, which may be obtained from phishing attacks or initial access brokers. The FBI has observed BianLian creating and/or activating local administrator accounts and changing the passwords of those accounts. BianLian uses PowerShell to disable anti-virus tools such as Windows Defender and the Antimalware Scan Interface (AMSI), even going so far as to modify the Windows registry to disable tamper protection.
Beyond Conti and BianLian, there are many other ransomware attacks that have exhibited similar behavior. The main takeaway is to understand that these attacks are primarily targeting RDP and VPN credentials to establish initial access with the ultimate goal of gaining privileged access to Active Directory or Windows Domain Controllers.
How to Discover and Remediate Privileged Identity and Access Risks
When it comes to discovering and remediating risks such as misconfigurations or exposed credentials, vulnerability management is not enough. To be clear, vulnerability management is still a fundamental component of a risk management program, especially when it seems like major supply chain vulnerabilities get reported on a consistent basis. The point is not to replace vulnerability management, but rather to expand risk management to include what should be basic cybersecurity hygiene.
CISA recommends auditing remote access tools (e.g., RDP) and their logs for signs of unauthorized access. Best practices for RDP security include closing unused RDP ports, enforcing account lockouts after too many failed login attempts, and implementing multi-factor authentication (MFA).
Furthermore, CISA recommends reviewing Active Directory and Windows Domain Controllers for new and unrecognized accounts, auditing user accounts with administrative privileges, and enrolling domain admin accounts in the Protected Users group to prevent the caching of password hashes.
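The two CISA recommendations above (auditing RDP logs for unauthorized access, and reviewing Active Directory for new accounts and unprotected privileged accounts) can be turned into a repeatable check. The following PowerShell script is an added example written for this article; it is not CISA's tooling or code from the article. It assumes the ActiveDirectory module (RSAT) is installed, that it runs with rights to read the Security event log on the host where it is executed (a domain controller or RDP gateway is the useful place), and that the threshold values and the 24-hour lookback window are placeholders to tune for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit RDP logon failures and privileged AD accounts.
# Thresholds below are assumptions; adjust them to your environment.
param(
    [int]$FailedLogonThreshold = 10,   # assumed: failures per source IP worth flagging
    [int]$LookbackHours        = 24,   # assumed: how far back to read the Security log
    [int]$NewAccountDays       = 7     # assumed: "recently created" window for AD accounts
)

$since    = (Get-Date).AddHours(-$LookbackHours)
$newSince = (Get-Date).AddDays(-$NewAccountDays)

# 1. RDP logon failures: Event ID 4625 with LogonType 10 (RemoteInteractive).
#    Grouping by source address surfaces brute-force and password-spray patterns
#    that a single failed logon would not reveal.
Write-Host "== RDP logon failures since $since (>= $FailedLogonThreshold per source) =="
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $data['TargetUserName']
                SourceIp = $data['IpAddress']
            }
        }
    }

$failed | Group-Object SourceIp | Where-Object Count -ge $FailedLogonThreshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Account lockouts (Event ID 4740) are the other side of the lockout policy:
#    a burst of these is the expected signal when that control is working.
Write-Host "== Account lockouts (4740) since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# 3. New or recently created AD accounts: the "unrecognized account" check.
Write-Host "== AD accounts created in the last $NewAccountDays days =="
Get-ADUser -Filter 'whenCreated -ge $newSince' -Properties whenCreated, Enabled |
    Select-Object SamAccountName, Enabled, whenCreated | Format-Table -AutoSize

# 4. Privileged accounts and whether each is enrolled in Protected Users.
#    Membership is resolved recursively so nested groups do not hide anyone.
Write-Host "== Privileged accounts and Protected Users enrollment =="
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SamAccountName

$privileged = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, PasswordLastSet, Enabled
        [pscustomobject]@{
            Group            = $group
            Account          = $u.SamAccountName
            Enabled          = $u.Enabled
            LastLogon        = $u.LastLogonDate
            PasswordLastSet  = $u.PasswordLastSet
            InProtectedUsers = [bool]($protected -contains $u.SamAccountName)
        }
    }
}

$privileged | Sort-Object InProtectedUsers, Group, Account | Format-Table -AutoSize

# Accounts to act on first: privileged, enabled, and not in Protected Users.
$gaps = $privileged | Where-Object { $_.Enabled -and -not $_.InProtectedUsers } |
    Select-Object -ExpandProperty Account -Unique
if ($gaps) {
    Write-Warning ("Privileged accounts not in Protected Users: " + ($gaps -join ', '))
}
```

Run it on a schedule and diff the output between runs: a new entry in section 3 or 4, or a source IP that newly crosses the threshold in section 1, is exactly the kind of change the advisory asks teams to look for. Enrolling an account in Protected Users has side effects (no NTLM, no DES/RC4 Kerberos, shorter ticket lifetimes), so test it on one admin account before applying it to the whole group.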
Network monitoring solutions can deliver visibility into the state of these risks by creating and assessing inventories and manifests, as well as monitoring other commonly overlooked misconfigurations, such as misconfigured encryption. The main challenge with misconfigurations is not that they are difficult to fix, but that they are difficult to discover in the first place.
Beyond discovering and remediating privileged identity and access risks, cybersecurity teams can also implement stronger identity and access management controls. Behavioral monitoring can detect suspicious activity from new or unknown IP addresses and devices. Network segmentation can prevent lateral movement and minimize the blast radius of an attack.
In the face of an ongoing ransomware menace, cybersecurity teams may be drawn to the allure of shiny new solutions, but the evidence suggests that most ransomware attacks tend to target low-hanging fruit. Attackers will always be drawn toward the path of least resistance, but the good news is that if cybersecurity teams are able to implement some basic cybersecurity hygiene when it comes to remote access and privileged accounts, a little bit of effort goes a long way toward preventing an attack.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.