Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme

Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020.

While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year.

The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances.

RDP — number one on the list

At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from Coveware, Emsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.

“Today, RDP is regarded as the single biggest attack vector for ransomware,” cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.

Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also sustain this assessment; with the company firmly ranking RDP as the most popular entry point for the ransomware incidents it investigated this year.

Further, data from threat intelligence company Recorded Future, also puts RDP firmly at the top.

“Remote Desktop Protocol (RDP) is currently by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware,” Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

Some might think that RDP is today’s top intrusion vector for ransomware gangs because of the current work-from-home setups that many companies have adopted; however, this is wrong and innacurate.

RDP has been the top intrusion vector for ransomware gangs since last year when ransomware gangs have stopped targeting home consumers and moved en-masse towards targeting companies instead.

RDP is today’s top technology for connecting to remote systems and there are millions of computers with RDP ports exposed online, which makes RDP a huge attack vector to all sorts of cyber-criminals, not just ransomware gangs.

Today, we have cybercrime groups specialized in scanning the internet for RDP endpoints, and then carrying out brute-force attacks against these systems, in attempts to guess their respective credentials.

Systems that use weak username and password combos are compromised and then put up for sale on so-called “RDP shops,” from where they’re bought by various cybercrime groups.

RDP shops have been around for years, and they are not something new.

However, as ransomware groups migrated from targeting home consumers to enterprises last year, ransomware gangs found a readily available pool of vulnerable RDP systems on these shops — a match made in heaven.

Today, ransomware gangs are the biggest clients of RDP shops, and some shop operators have even shut down their shops to work with ransomware gangs exclusively, or have become customers of Ransomware-as-a-Service (RaaS) portals to monetize their collection of hacked RDP systems themselves.

VPN appliances — the new RDPs

But 2020 has also seen the rise of another major ransomware intrusion vector, namely the use of VPN and other similar network appliances to enter corporate networks.

Since the summer of 2019, multiple severe vulnerabilities have been disclosed in VPN appliances from today’s top companies, including Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Secureworks, and F5.

Once proof-of-concept exploit code became public for any of these vulnerabilities, hacker groups began exploiting the bugs to gain access to corporate networks. What hackers did with this access varied, depending on each group’s specialization.

Some groups engaged in nation-level cyber-espionage, some groups engaged in financial crime and IP theft, while other groups took the “RDP shops” approach and re-sold access to other gangs.

While some sparse ransomware incidents using this vector were reported last year, it was in 2020 when we’ve seen an increasing number of ransomware groups use hacked VPN appliances as the entry point into corporate networks.

Over the course of 2020, VPNs quickly rose as the hot new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets, according to a report published last week by SenseCy.

Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.

Similarly, SenseCy says ransomware groups like REvil and Black Kingdom have leveraged Pulse Secure VPNs that have not been patched for bug CVE-2019-11510 to attack their targets.

Per Recorded Future, the latest entry on this list is the NetWalker gang, which appears to have started targeting Pulse Secure systems to deployt their payloads on corporate or government networks where these systems might be installed.

With a small cottage industry developing around hacked RDPs and VPNs on the cybercrime underground, and with tens of cyber-security firms and experts constantly reminding everyone about patching and securing these systems, companies have no more excuses about getting hacked via these vectors.

It’s one thing to have an employee fall victim to a cleverly disguise spear-phishing email, and it’s another thing not patching your VPN or networking equipment for more than a year, or using admin/admin as your RDP credentials.