BlackByte Ransomware Breach: Can’t Forget Compliance Basics
On Sunday, Feb. 13, the NFL’s San Francisco 49ers organization issued a statement confirming it had experienced a network security incident. Shortly afterward, the BlackByte ransomware gang listed the 49ers as one of its alleged victims. The franchise did not confirm whether ransomware was involved, but it did state that only the corporate IT network was affected. As with all breaches, one commonality eventually appears: vulnerabilities.
While vulnerabilities are both system-centric and people-centric, ultimately it is system-level vulnerabilities that let the adversary traverse the environment: performing reconnaissance, staying under the radar of today’s monitoring solutions and SIEMs, and deploying malicious payloads.
Unpatched devices leave your network vulnerable
The 49ers’ hack is no different: it was disclosed that the attackers exploited three Microsoft Exchange vulnerabilities, collectively known as ProxyShell, that had already been patched by two Microsoft knowledge base (KB) updates from April and May:
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
After exploiting this trifecta of vulnerabilities in succession to gain access to the email environment, the attackers established persistence via Cobalt Strike. They then obtained the credential store and used elevated privileges to install a remote desktop tool, AnyDesk, which was used to spawn the ransomware throughout the environment.
While there were multiple aspects to this breach, there are two main areas where minor changes could have kept the adversary from succeeding.
- First, patch, patch, patch. Ensure you have complete awareness of what’s on the network, especially what is internet-facing or sits in the DMZ, and ensure every device is patched in a timely fashion.
- Next, shut down Remote Desktop Protocol (RDP). AnyDesk leveraged RDP to traverse the network laterally, moving from system to system to execute the scripts that deployed the ransomware.
You can’t patch devices that you can’t see
Patching can be hard because it relies first on knowing that a device exists and then on knowing its patching status, which typically comes from agent-based reporting. But agents break, and when they do that awareness disappears, often leaving organizations in the dark without a process to close the loop on those exceptions to the patching process. You’re then left in a situation like the 49ers’, where an internet-facing server was left unpatched.
Forescout provides visibility into every device on the network and will help ensure agents required for analysis of patching compliance are working properly. Additionally, Forescout will alert when easily exploited ports such as those associated with RDP are open. If you want to level the playing field against ransomware gangs and other bad actors, be sure you have the right players on your team.
Shawn Taylor is the vice president of Threat Defense at Forescout.