{"id":130505,"date":"2023-06-29T09:00:00","date_gmt":"2023-06-29T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=130505"},"modified":"2023-06-27T16:02:14","modified_gmt":"2023-06-27T23:02:14","slug":"patch-me-if-you-can-cyberattack-series","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/29\/patch-me-if-you-can-cyberattack-series\/","title":{"rendered":"Patch me if you can: Cyberattack Series"},"content":{"rendered":"\n

Many organizations rely on third-party identity apps to automate routine tasks that employees can complete through self-service, relieving overtaxed IT admins of tedious work. In September 2021, however, our researchers observed threat actors exploiting one such third-party app at several US-based entities. The vulnerability was publicly reported on September 6, 2021 as CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus.1<\/sup> The application in question is a multifactor authentication, single sign-on, and self-service password management tool intended to eliminate the password reset tickets that create unnecessary, tedious work for IT admins. Threat actors exploited the vulnerability on unpatched instances, using it as an initial vector to gain a foothold in networks and then perform additional actions including credential dumping, installing custom binaries, and dropping malware to maintain persistence. At the time of disclosure, RiskIQ observed 4,011 instances of these systems active and exposed on the internet.<\/p>\n\n\n\n

To learn more about this cyberattack series and how to protect your organization, please read the third cyberattack series report<\/a>. The report provides detailed information about the vulnerability, how it was exploited, and how organizations can mitigate the risk. It also includes recommendations for how organizations can improve their security posture to prevent similar attacks in the future.<\/p>\n\n\n\n

Examining the remote ransomware attack<\/h2>\n\n\n\n

In the third installment of our ongoing Cyberattack Series, we examine this remote access ransomware attack and look at how Microsoft Incident Response<\/a> thwarted it. We then delve further into the details with a timeline of events and how it all unfolded\u2014using reverse engineering to learn where and when the threat actor first targeted the vulnerable server. We also explore the proactive steps that customers can take to prevent many similar incidents, and the actions necessary to contain and recover from attacks once they occur.<\/p>\n\n\n\n

More than half of the known network vulnerabilities found in 2021 lacked a patch. In addition, 68 percent of organizations impacted by ransomware did not have an effective vulnerability and patch management process, and many depended heavily on manual processes rather than automated patching. In today\u2019s threat landscape, it was only a matter of time before this zero-day vulnerability was exploited.<\/p>\n\n\n\n

To compound the issue, the way threat actors now work together makes exploitation of unpatched vulnerabilities more likely than ever before. Attacks are not only happening faster, they are also more coordinated. We have observed a shrinking window between the announcement of a vulnerability and the commoditization of that vulnerability. Threat actors are organized and cooperate to exploit vulnerabilities faster, and this adds to the urgency organizations face to apply patches immediately.<\/p>\n\n\n\n

The \u201ccommoditization\u201d of vulnerabilities<\/h2>\n\n\n\n

While zero-day attacks often initially target a limited set of organizations, the exploits are quickly adopted by the larger threat actor ecosystem. This kicks off a race among threat actors to exploit the vulnerability as widely as possible before potential targets install patches. Cybercrime as a Service and Ransomware as a Service marketplaces routinely automate the validation of compromised credentials and make them easy to share. One set of cybercriminals gains access through a compromised app and then sells that access to multiple other bad actors to exploit.<\/p>\n\n\n\n

The importance of cybersecurity hygiene<\/h2>\n\n\n\n

The most effective defenses against ransomware include multifactor authentication, frequent security patches, and Zero Trust principles across network architecture. Attackers usually take advantage of an organization\u2019s poor cybersecurity hygiene, from infrequent patching to failure to implement multifactor authentication.<\/p>\n\n\n\n

Cybersecurity hygiene becomes even more critical as actors rapidly exploit unpatched vulnerabilities, use both sophisticated and brute-force techniques to steal credentials, and then obfuscate their operations with open source or legitimate software. Zero-day exploits are both rediscovered by other threat actors and sold to them, then reused broadly within a short period, leaving unpatched systems at risk. While the zero-day exploitation itself can be difficult to detect, actors\u2019 post-exploit actions are often easier to notice. When such activity originates from fully patched software, it is a warning sign of a compromise that predates the patch (for example, persistence established before the patch was applied), and acting on it promptly can minimize the impact to the business.<\/p>\n\n\n\n
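As an added example (not code from the report, from Microsoft Incident Response, or from Zoho), the following Python script runs the kind of post-exploit detection described above over constructed process-creation events: it flags living-off-the-land binaries spawned by the identity app\u2019s service process (assumed here to be java.exe) and relates each hit to a constructed patch inventory, so that activity on a host that was already patched stands out. Host names, file paths, timestamps, and patch dates are all constructed.<\/p>\n\n\n\n

```python
"""Flag post-exploitation activity spawned by a web-facing identity app and
relate each hit to the host's patch state.

Added example, not code from the Microsoft report or from Zoho. The event
shape, host names, paths, timestamps and patch dates are all constructed.
"""
import ntpath
from datetime import datetime, timezone

# Assumption: the self-service identity app runs under a Java service process.
SERVICE_PARENT = "java.exe"

# Living-off-the-land binaries an attacker typically spawns from a fresh
# foothold for discovery, credential dumping and persistence.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe",
    "schtasks.exe", "reg.exe", "net.exe",
}

# Command-line fragments that point at LSASS credential dumping.
CREDENTIAL_DUMP_HINTS = ("lsass", "sekurlsa", "comsvcs", "procdump", "minidump")

# Constructed process-creation events (Sysmon-style, simplified).
SAMPLE_EVENTS = [
    {"host": "srv-adss-01", "timestamp": "2021-09-07T03:12:44Z",
     "parent_image": r"C:\Program Files\IdentityApp\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "srv-adss-01", "timestamp": "2021-09-07T03:12:45Z",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0xffffffff"},  # benign: not a child of the service
    {"host": "srv-adss-01", "timestamp": "2021-09-10T02:05:10Z",
     "parent_image": r"C:\Program Files\IdentityApp\jre\bin\java.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc minute"},
    {"host": "srv-adss-02", "timestamp": "2021-09-11T22:40:03Z",
     "parent_image": r"C:\Program Files\IdentityApp\jre\bin\java.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 652 C:\temp\l.dmp full"},
    {"host": "srv-adss-02", "timestamp": "2021-09-11T22:41:00Z",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\IdentityApp\jre\bin\java.exe",
     "command_line": "java.exe -jar app.jar"},  # benign: the service itself starting
]

# Constructed patch inventory: UTC time the fix was applied, None = still unpatched.
PATCH_INVENTORY = {"srv-adss-01": "2021-09-08T10:00:00Z", "srv-adss-02": None}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def patch_status(host: str, when: str, inventory: dict) -> str:
    """Classify an event relative to the host's patch time."""
    patched_at = inventory.get(host)
    if patched_at is None:
        return "unpatched"
    return "after-patch" if _parse(when) >= _parse(patched_at) else "before-patch"


def find_suspicious(events: list, inventory: dict) -> list:
    """Return one finding per LOLBin spawned directly by the service process."""
    findings = []
    for ev in events:
        if _basename(ev["parent_image"]) != SERVICE_PARENT:
            continue
        child = _basename(ev["image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        cmd = ev["command_line"].lower()
        findings.append({
            "host": ev["host"],
            "timestamp": ev["timestamp"],
            "child": child,
            "credential_dump": any(hint in cmd for hint in CREDENTIAL_DUMP_HINTS),
            # "after-patch" means the activity outlived the fix: persistence or another vector.
            "patch_status": patch_status(ev["host"], ev["timestamp"], inventory),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, PATCH_INVENTORY):
        print(finding)
```

Run as a script, it prints three findings. The one on srv-adss-01 dated after its patch time is the case the paragraph above warns about: the patch closed the entry point, but the scheduled task created from the earlier foothold shows the host was compromised before the fix went on. The rundll32 hit on the still-unpatched srv-adss-02 is tagged as credential dumping because its command line names comsvcs.dll and MiniDump.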

Read the report<\/a> to go deeper into the details of the attack, including the threat actor\u2019s tactics, the response activity, and lessons that other organizations can learn from this case.<\/p>\n\n\n
