Many ransomware actors are also striking quickly after gaining initial access, a new report shows.
Ransomware actors increasingly deployed adversary-in-the-middle (AiTM) tactics to steal credentials and session cookies for initial access to target environments over the past year, according to new research from Secureworks.
AiTM attacks are a form of man-in-the-middle (MITM) attack in which a threat actor positions themselves between a victim and an application, either to eavesdrop on the exchange or to impersonate one of the two parties.
In many of the AiTM attacks that Secureworks observed, the ransomware actor placed a reverse proxy hosting a spoofed landing page between a target user and a website the user intended to visit. The attackers used phishing kits to get unsuspecting users to enter their credentials and MFA code into the spoofed page. Because the proxy forwards those values to the legitimate service in real time, it also receives the session cookie the service issues, and the actor then used that already-authenticated session to access the target service without facing a second MFA prompt.
As SentinelOne describes it, AiTM attacks often involve threat actors actively manipulating the data they intercept: modifying packet contents, injecting a malicious payload or altering data in transit. Adversaries have typically used AiTM attacks for financial fraud, e-commerce manipulation and cyber-espionage.
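The reverse-proxy technique described above leaves a recognisable trace in sign-in telemetry: one session identifier is created with MFA satisfied from the victim's address, then reused minutes later from unrelated infrastructure with a different browser and no MFA prompt. The following detection logic, an added example that is not part of the article or the Secureworks report, runs that check over a few constructed sign-in records. The field names, addresses and the 60-minute window are assumptions, not any vendor's schema.

```python
"""Flag session-cookie replay characteristic of AiTM (reverse-proxy) phishing.

Constructed sample data: the field names below (ts, user, session_id, ip, ua,
mfa) are an assumed, simplified sign-in log schema, not a real product's.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = [
    {"ts": "2024-09-03T08:02:11Z", "user": "alice", "session_id": "s-7f1a",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/127",
     "mfa": "satisfied"},
    # Same session id five minutes later from another IP and browser, with no
    # MFA prompt: the cookie captured by the proxy is being replayed.
    {"ts": "2024-09-03T08:07:40Z", "user": "alice", "session_id": "s-7f1a",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128",
     "mfa": "not_required"},
    {"ts": "2024-09-03T09:15:03Z", "user": "bob", "session_id": "s-22c9",
     "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "mfa": "satisfied"},
    # Benign: the same device continues its own session.
    {"ts": "2024-09-03T09:40:55Z", "user": "bob", "session_id": "s-22c9",
     "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "mfa": "not_required"},
]

REPLAY_WINDOW = timedelta(minutes=60)   # assumed tuning value


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per event that reuses an MFA-established session from a
    different IP than the MFA sign-in, within `window`, without its own MFA.

    `events` is an iterable of dicts with the keys used in SAMPLE_LOG.
    """
    origin = {}    # session_id -> (user, ip, ua, time) of the MFA sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        sid, when = ev["session_id"], parse_ts(ev["ts"])
        if ev["mfa"] == "satisfied" and sid not in origin:
            origin[sid] = (ev["user"], ev["ip"], ev["ua"], when)
            continue
        if sid not in origin:
            continue        # session never seen passing MFA; nothing to compare
        user, ip0, ua0, t0 = origin[sid]
        if ev["ip"] != ip0 and ev["mfa"] != "satisfied" and when - t0 <= window:
            alerts.append({
                "user": user,
                "session_id": sid,
                "mfa_ip": ip0,
                "replay_ip": ev["ip"],
                "ua_changed": ev["ua"] != ua0,   # a changed UA strengthens the signal
                "seconds_after_mfa": int((when - t0).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

In production the IP comparison would be done at the ASN or network level rather than on exact addresses, and a hosting-provider ASN on the replay side is a strong additional indicator; the rule above keeps only the core comparison so the pattern is visible.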
Recommended protections against AiTM attacks include phishing-resistant authentication (FIDO2/WebAuthn security keys or passkeys), enforcing TLS for data in transit, using digital certificates to authenticate websites and secure connections, and keeping systems regularly updated. One caveat a defender should keep in mind: TLS and certificates on their own do not stop a reverse-proxy phish, because the attacker's proxy serves its own valid certificate for a lookalike domain and the victim's browser sees a normal, padlocked connection. Phishing-resistant authenticators are the control that actually defeats the technique, because the credential is bound to the legitimate site's origin, so an assertion produced on the lookalike page is rejected when the proxy relays it to the real service.
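The origin-binding argument above is easier to see in code. This is an added example, not code from the article, Secureworks or any WebAuthn library: it models the relying-party checks from the WebAuthn assertion flow that matter for a relay (origin in clientDataJSON, rpIdHash in authenticatorData, and the signature covering both) and shows a relayed and a patched assertion both failing. The RP ID, origins and challenge are assumed values, and the authenticator is a stand-in that signs with HMAC instead of a real ECDSA key.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed by a reverse-proxy phish.

Simplified model (added example, not a WebAuthn library): the authenticator
signs authenticatorData || SHA-256(clientDataJSON). The browser, not the page,
writes the origin into clientDataJSON and derives the RP ID from it, so a proxy
on a lookalike domain produces an assertion the real relying party rejects.
"""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                 # assumed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"  # assumed attacker reverse proxy


class FakeAuthenticator:
    """Stand-in for a security key. HMAC is used so the example runs with the
    standard library only; a real key uses ECDSA/EdDSA and the relying party
    holds just the public key registered at enrollment."""

    def __init__(self):
        self._key = os.urandom(32)

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData = SHA-256(rpId) || flags || signCount
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + (1).to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, signed, hashlib.sha256).digest()

    def verify(self, auth_data, client_data_json, signature):
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_sign_in(authenticator, page_origin, challenge):
    """The browser records the origin it is actually rendering and derives the
    RP ID from it; page JavaScript cannot override either value."""
    rp_id = page_origin.split("://", 1)[1].split(":", 1)[0]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data, signature = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify(credential, challenge, client_data, auth_data, signature):
    """Relying-party checks, reduced to the ones that defeat a relay."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not credential.verify(auth_data, client_data, signature):
        return False, "bad signature"
    return True, "ok"


def simulate(page_origin, tamper=False):
    """The victim signs in on `page_origin`; the assertion then reaches the
    real relying party either verbatim (what a reverse proxy does) or with the
    origin and rpIdHash rewritten to the genuine values (tamper=True)."""
    credential = FakeAuthenticator()
    challenge = "Y2hhbGxlbmdlLWZyb20tcnA"   # constructed challenge issued by the RP
    client_data, auth_data, signature = browser_sign_in(credential, page_origin, challenge)
    if tamper:
        cd = json.loads(client_data)
        cd["origin"] = RP_ORIGIN
        client_data = json.dumps(cd, separators=(",", ":")).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify(credential, challenge, client_data, auth_data, signature)


if __name__ == "__main__":
    print("genuine page :", simulate(RP_ORIGIN))
    print("relayed phish:", simulate(PHISH_ORIGIN))
    print("patched relay:", simulate(PHISH_ORIGIN, tamper=True))
```

Contrast this with an OTP code typed into the spoofed page: the code is a bare string with no binding to where it was entered, so the proxy forwards it and the real service accepts it. The same relay of a WebAuthn assertion fails on the origin check, and rewriting the origin and rpIdHash to the expected values only moves the failure to the signature check, because both fields are covered by it.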
For more on AiTM attacks and how to protect against them:
- Understanding How Adversary-in-the-Middle (AITM) Attacks Work
- What is an AitM (Adversary-in-the-Middle) Attack?
Here are 3 other takeaways from the Secureworks report:
- Many ransomware attacks happen quickly after initial access: More than 50% of the incidents that Secureworks observed involved dwell times of less than 28 hours. In one-third of the intrusions, attackers deployed ransomware in less than one day, meaning that early detection and response are vital to protecting against the threat.
- Unpatched vulnerabilities were the top initial access vector: Threat actors frequently exploited unremediated vulnerabilities in internet-facing edge devices to gain an initial foothold in a victim environment. Among the most targeted devices were products from Fortinet, Palo Alto Networks, Cisco, Ivanti, F5 and Citrix. The most frequently targeted vulnerability was CVE-2023-4966 ("Citrix Bleed"), a session-token disclosure flaw in Citrix NetScaler ADC and NetScaler Gateway when configured as a VPN virtual server, ICA Proxy, CVPN or RDP Proxy. Other popular vulnerabilities included CVE-2023-3519, an unauthenticated remote code execution flaw also in Citrix ADC and Gateway; CVE-2024-21887, a command injection flaw in Ivanti Connect Secure and Ivanti Policy Secure; and CVE-2023-48788, a SQL injection flaw in Fortinet's FortiClient EMS.
- The number of active ransomware operators grew by 30%: Secureworks interpreted that data point as a sign of increased fragmentation among ransomware operators. Here’s Secureworks on why that matters for defenders: “As smaller groups look to become established, it means there is less repeatability and structure in how they operate, and organizations need to continue to remain alert for a wider variety of tactics.”
The biggest ransomware players were:
- LockBit, which accounted for 17% of listings on so-called "name and shame" leak sites.
- PLAY, which doubled its victim count and emerged as the second most active ransomware group.
- RansomHub, a new group that surfaced a week after one of several law-enforcement takedowns of LockBit and quickly established itself as a major player in the ransomware space, with 7% of listed victims.
Additional Info:
LockBit Indicators of Compromise
- https://www.rewterz.com/threat-advisory/lockbit-ransomware-active-iocs
- https://otx.alienvault.com/pulse/646087013f41b1c66b008650
If you are a LockBit victim:
If you are one of the 1,800 LockBit victims so far in the US, the FBI may be able to help. The law enforcement agency has over 7,000 LockBit keys in its possession that previous victims may be able to use to recover data from past attacks. The FBI has provided a LockBit Victim Reporting Form which victims can use to contact the agency’s Internet Crime Complaint Center (IC3). (Note: The link points to the IC3’s main landing page for filing complaints rather than a specific form for LockBit victims).
PLAY Indicators of Compromise
RansomHub Indicators of Compromise