Cyber Defenses

Chris Swagler | January 17th, 2024


In a never-ending cat-and-mouse game, ransomware methods are continuously evolving, and companies are adjusting their tactics and cyber defenses to prevent attacks or to mitigate the damage when an attack is partially successful. A recent attempted ransomware attack on Adobe ColdFusion servers offers valuable lessons on how companies can effectively protect themselves. The threat actors exploited vulnerabilities in an unsupported version of Adobe's ColdFusion Server software, ColdFusion Server 11, which is a common tactic: because unsupported software no longer receives security updates and patches, threat operators frequently target it. Adobe no longer supports ColdFusion Server 11, so a patch from the vendor is unlikely when new vulnerabilities are discovered.

In this case, the threat operators gained access to the server by exploiting a security vulnerability. Once inside, they issued numerous command-line entries to test whether they could leverage ColdFusion-specific processes. Although they succeeded in accessing the server, they were unable to install their payload because the deployed EDR software blocked their attempts. Nonetheless, the incident serves as a reminder of how important strong cybersecurity measures and cyber defenses are. Security teams should do the following:

  • Do Regular Backups – Backing up data is critical in defending against data breaches. Having a current backup will allow security teams to restore systems without having to pay a ransom to have encrypted data restored.
  • Developing and Routinely Practicing Incident Response Plans – Companies need to have an incident response strategy in the event of ransomware attacks, digital attacks, and/or disruptions. To ensure that any response to incidents is effective, the plan should be properly thought out, practiced, and tested.
  • Assessing the Security Teams – Companies that lack dedicated or sufficient cybersecurity professionals should consider engaging a cybersecurity company. Such services strengthen a company's cyber defenses against ransomware and other cyberattacks.
  • Detecting and Reducing Exposure – Every asset must be identified and inventoried to ensure it is properly protected. The more actions companies take to reduce exposure, including patching applications, managing configuration, and segmenting networks into smaller discrete units, the better.
  • Preparing for Double Extortion – Ransomware threat operators frequently target data in a practice known as "double extortion." In a double extortion attack, the threat operators demand a ransom both to restore the encrypted data and to refrain from publicly exposing the stolen material. A solid data security policy is vital, and it requires more than just backups; techniques for reducing data exfiltration must also be examined.
  • Maintaining Living and Updated Software – When a vendor no longer supports a product, it is time to find a replacement, because a patch for unsupported software is extremely rare. In this attack the threat actor attempted to exploit vulnerabilities in an unsupported version of Adobe's ColdFusion Server, which emphasizes the need to keep all software updated. Continuing to run unsupported software significantly increases risk.
  • Monitoring Server Activities – Monitoring server traffic and behavior is critical because servers often hold high access levels, sometimes spanning numerous applications and networks. Here the threat operators breached the server and quickly attempted to obtain further access through entries in the server's command-line interface. By monitoring the behavior of users and systems that access the servers, companies can quickly engage and prevent such threats.
  • Consider Using Endpoint Detection and Response (EDR) – According to a cybersecurity company’s research, the deployed endpoint detection and response software stopped the threat operators. If the software had not prevented the payload from executing successfully, the threat operators would’ve likely succeeded in their ransomware attack. The incident demonstrates the importance of strong endpoint security.
  • Keeping Privilege Levels Low – One of the most prevalent techniques threat operators use to gain access to systems or to move laterally within an already compromised environment is using compromised credentials. Companies can limit threat operators' maneuverability by implementing the principle of least privilege and ensuring that users and systems have only the access levels needed to do their jobs.
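The "Monitoring Server Activities" and "Keeping Privilege Levels Low" points above can be turned into concrete detection logic. The following is an added example, not SpearTip's tooling or anything from the incident analysis: it runs two rules over constructed, Sysmon-style process-creation events. Rule one flags the ColdFusion server process (assumed to appear as coldfusion.exe, or as java.exe whose command line references coldfusion/cfusion) spawning a shell or script host, which is the kind of command-line activity the post describes; rule two flags the server process itself running under a high-privilege account, a least-privilege violation. The event field names, process paths, host names and account names are all assumptions made for this example.

```python
"""Flag risky behaviour around an application server from process-creation events.

Added example (not SpearTip's tooling): two detections run over constructed
Sysmon-style events, one for shells spawned by the ColdFusion server process,
one for the server process itself running under a high-privilege account.
"""
import json
import re
from dataclasses import dataclass

# Matches the ColdFusion server's own process. Assumed names: coldfusion.exe,
# or a java.exe whose command line references coldfusion/cfusion.
SERVER_PATTERN = re.compile(r"coldfusion|cfusion", re.IGNORECASE)

# Shells and script hosts a web application server should not normally launch.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "sh", "bash"}

# Accounts that exceed what a web application server needs (least privilege).
HIGH_PRIVILEGE_ACCOUNTS = {"nt authority\\system", "root", "administrator"}

# Constructed sample events, one JSON object per line. The field names are this
# example's own assumption, not a vendor schema. Event 1 and 2 should fire rule
# one, event 4 should fire rule two, events 3 and 5 are benign.
SAMPLE_EVENTS = r"""
{"id": 1, "host": "cf-web-01", "user": "CORP\\svc_cf", "parent_image": "C:\\ColdFusion11\\cfusion\\bin\\coldfusion.exe", "parent_cmdline": "coldfusion.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c hostname"}
{"id": 2, "host": "cf-web-01", "user": "CORP\\svc_cf", "parent_image": "C:\\ColdFusion11\\jre\\bin\\java.exe", "parent_cmdline": "java.exe -Dcoldfusion.home=C:\\ColdFusion11\\cfusion", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c Get-Date"}
{"id": 3, "host": "cf-web-01", "user": "CORP\\svc_cf", "parent_image": "C:\\ColdFusion11\\cfusion\\bin\\coldfusion.exe", "parent_cmdline": "coldfusion.exe", "image": "C:\\ColdFusion11\\jre\\bin\\java.exe", "cmdline": "java.exe -Dcoldfusion.home=C:\\ColdFusion11\\cfusion"}
{"id": 4, "host": "cf-web-02", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe", "parent_cmdline": "services.exe", "image": "C:\\ColdFusion11\\cfusion\\bin\\coldfusion.exe", "cmdline": "coldfusion.exe"}
{"id": 5, "host": "ws-017", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
"""


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_server_process(image: str, cmdline: str) -> bool:
    """True when the image name or command line identifies the ColdFusion server."""
    return bool(SERVER_PATTERN.search(_basename(image)) or SERVER_PATTERN.search(cmdline))


def evaluate(event: dict) -> list[Finding]:
    """Apply both rules to one event and return the findings (possibly none)."""
    findings: list[Finding] = []
    child = _basename(event["image"])
    # Rule 1: the application server spawning a shell or script host.
    if is_server_process(event["parent_image"], event.get("parent_cmdline", "")) \
            and child in SHELL_IMAGES:
        findings.append(Finding(event["id"], event["host"], "appserver_spawned_shell",
                                f"{_basename(event['parent_image'])} -> {event['cmdline']}"))
    # Rule 2: the application server itself running with more privilege than it needs.
    if is_server_process(event["image"], event.get("cmdline", "")) \
            and event["user"].lower() in HIGH_PRIVILEGE_ACCOUNTS:
        findings.append(Finding(event["id"], event["host"], "appserver_high_privilege",
                                f"{child} running as {event['user']}"))
    return findings


def scan(raw_lines: str) -> list[Finding]:
    """Parse newline-delimited JSON events and collect findings across all of them."""
    findings: list[Finding] = []
    for line in raw_lines.splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id} on {f.host}: {f.detail}")
```

Run stand-alone, the script reports events 1 and 2 under the shell rule and event 4 under the privilege rule while leaving events 3 (the server launching its own JVM) and 5 (a workstation user opening a shell) alone. In a real pipeline the same two rules would be fed from the EDR's or Sysmon's process-creation stream, and the privilege rule would be checked once at service start rather than on every event.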

Even though technologies or sets of processes can’t guarantee safety from successful ransomware attacks or other cyberattacks, one cybersecurity company’s analysis of the attack demonstrates that maintaining updated software, monitoring server and endpoint activities, implementing strong cyber defenses, and controlling privileges are the most important strategies companies can utilize in their defense against ransomware attacks. At SpearTip, our engineers and analysts will examine companies’ security posture to improve the weak points in their networks and engage with their people, processes, and technologies to measure the maturity of the technical environments. For all vulnerabilities uncovered, we provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our IR planning engages a three-phase approach, which includes pre-incident, active incident, and post-incident planning processes. In the pre-incident aspect, SpearTip identifies key stakeholders and decision-makers, critical data, and potential access points and then engages in a live test, after which we offer remediation guidance. To benefit companies during an incident, we assist in developing a communications plan designed to detect and isolate the precise threat with a customized strategy map. The post-incident planning process development includes root cause and investigative audit, improvement analysis, and backup recovery.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

