Ransomware Groups Continue to Leverage Old Vulnerabilities

Ransomware groups continue to rely on old vulnerabilities and tried-and-true attack methods to exploit victims.

Researchers observed ransomware groups leveraging vulnerabilities that were multiple years old to exploit their victims, a new report from Cyber Security Works (CSW) explained. The finding illustrates an ongoing trend of threat actors targeting known vulnerabilities and trusted attack methods rather than using and developing new ones.

The report drew on research into ransomware and vulnerability data from multiple threat intelligence feeds and risk analyses.

Since January 2022, researchers have observed a 7.6 percent increase in vulnerabilities tied to ransomware, the report stated.

Notably, 11 of the 22 newly added vulnerabilities linked to ransomware were first disclosed in 2019, “indicating that ransomware groups are on the hunt for vulnerabilities with pre-existing means of exploitation,” the report noted.

This finding aligns with those of the Health Sector Cybersecurity Coordination Center’s (HC3) Q1 2022 report in that it shows a trend of threat actors going after low-hanging fruit. HC3 saw threat actors leveraging legitimate tools and existing weaknesses to exploit victims rather than developing custom malware. HC3 observed threat actors favoring file transfer, remote access, and encryption tools to infiltrate target organizations.

Cybersecurity authorities from the US, the UK, Canada, the Netherlands, and New Zealand recently issued an advisory detailing initial access tactics that threat actors frequently use to infiltrate victim networks and disclosed similar findings.

“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” the advisory stated.

Again, all of these trends point to the same conclusion: threat actors are consistently going after pre-existing vulnerabilities and weaknesses, which highlights the need for patch management and proper cyber hygiene.

In addition to keeping tabs on old and new vulnerabilities, researchers observed increased activity by a select number of notorious ransomware groups. Of the 22 new vulnerabilities associated with ransomware since January 2022, 21 were considered high severity by CVSS v3 standards, and 19 were directly linked to the Conti ransomware gang.

Conti ransomware claimed responsibility for at least 16 cyberattacks against US healthcare entities and first responder networks, prompting multiple advisories by US cybersecurity authorities. In early May, the US State Department announced it would offer a reward of up to $10 million for any information leading to the identification of key leaders in the Conti ransomware group and an additional $5 million for any information leading to an arrest.

The report observed a total of 310 CVEs associated with ransomware in Q1 2022, and 157 of those are being actively exploited by ransomware actors. The BlackCat, LockBit, and AvosLocker ransomware families are also becoming more prominent cyber threats, the report said.

CSW also analyzed 56 healthcare vendors that supply applications, medical devices, and hardware used in hospitals. Of the 846 products analyzed, researchers found 624 unique vulnerabilities, 40 of which had public exploits.

“Healthcare providers must be extremely vigilant in their cybersecurity defense posture,” Srinivas Mukkamala, senior vice president and general manager of security products at Ivanti, explained in the report. Mukkamala predicted that healthcare cyberattacks would continue to increase throughout the year.

Having a thorough cyber incident response plan and maintaining reliable data backups, among other safeguards, can help organizations maintain business continuity and focus on providing quality patient care.
