Chris Swagler | December 24th, 2021

Cloud Ransomware

Ransomware and software and service supply-chain attacks dominated the news over the past year. Criminal enterprises primarily commit ransomware attacks to make a quick buck, while software and supply-chain attacks, on the other hand, have been the domain of nation-states seeking to expand intelligence-gathering capabilities. There is a possibility that these approaches will converge and that convergence will occur in the cloud. One example is the ransomware attack that leveraged Kaseya software. It was a different kind of supply-chain attack because the supply chain consisted of the managed security service providers (MSSPs) hosting Kaseya software on behalf of their customers. Kaseya itself was not breached (unlike SolarWinds); all the action occurred downstream.

Why are ransomware and the supply chain merging? Historically, what began as nation-state techniques made their way into penetration testing and red teaming tools before becoming standardized in attacks carried out by profit-seeking threat actors. There’s no reason to believe that the same will not occur with the cloud. Therefore, it’s useful to consider tools and techniques used in supply-chain attacks as foreshadowing the future of ransomware attacks.

Nation-states have the time and human capital to invest in supply-chain efforts, so the environment’s complexity or relatively unknown nature is not a significant barrier. Most nation-state attacks include cloud components that frequently mix and match traditional on-premises attack steps with cloud-based attack steps. A prime example was the SolarWinds attack in which Cozy Bear (the Russian SVR) waited for software updates and the infected Orion servers to call home after breaching SolarWinds, and painstakingly developing and inserting a payload into the Orion software. Following that, threat actors carefully selected high-value targets to pursue. One common approach observed across multiple targets was attackers stealing the SAML certificate-signing key. The ultimate goal was to impersonate an authenticated user attempting to access data in Office 365 or other software-as-a-service (SaaS) delivered applications.

Recently, the same threat actor (known as Nobelium by Microsoft) attacked MSSPs to gain access to administrative account credentials. They were used in the Azure Active Directory (AD) to create accounts and forwarded to victims’ on-premise AD, once again utilizing the cloud. This attack takes place against the backdrop of security monitoring within its traditional scope, including data center, cloud, federated identity, and endpoint observations. In general, most companies’ security monitoring doesn’t successfully connect these scopes together, giving advanced attackers an advantage. Traditional security counts on any suspicious behavior in one scope not leading to elevated concern in the next as they move through networks.

A majority of widely publicized ransomware attacks have been relatively minor. Ransomware groups use industry-standard tool chains favored by penetration testers and red teams, including Mimikatz, Cobalt Strike, and BloodHound, to launch attacks on traditional IT environments. Generally, there’s little reliance on zero-day vulnerabilities, except for Kaseya in which the threat actors burned a couple of Kaseya VSA server zero-days. Vulnerabilities exploited during a cyberattack are usually well-known vulnerabilities for which patches are already available, but the target has yet to apply them. The EternalBlue exploit became the prime example during the internal propagation of WannaCry in 2017. Microsoft released the patch in March and the WannaCry outbreak occurred in May.

The pandemic accelerated the migration of data and applications to the cloud, which has been underway for years. As valuable data migrates to the cloud, whether into SaaS applications or public cloud stacks, threat actors follow given fewer opportunities for on-premises attacks. Detailed information on how clouds work and how to attack them is becoming commoditized due to supply-chain attacks. The ability to attack will no longer be limited to nation-states once the money is moved to the cloud.

The important questions with most attacks are what will be the initial point of entry and how will threat actors expand their initial foothold to gain access to valuable data. Analysts have already seen multiple entry points for cloud-based attacks:

Lateral movement (from entry point to targeted data) in the cloud involves stolen or impersonated credentials or the use of available APIs. Cloud systems include powerful APIs, especially for privileged credentials, allowing threat actors to move quickly towards their ultimate goals.

With ransomware groups becoming more creative and sophisticated with their methods, especially using cloud-based ransomware attacks, it’s crucial for companies to remain vigilant with the current threat landscape and regularly update their cloud-based network security. At SpearTip, our Pre-Breach Assessment focuses on real-world events and goes beyond simple audit checks to target vulnerabilities that could lead to compromises. The assessment helps protect companies from data loss, financial loss, and reputation loss. Additionally, it reveals blind spots and provides high-value remediation opportunities as we examine a company’s entire security posture from the top down. Our ShadowSpear Platform’s Cyber Threat Hunting assesses a company’s networks for potential ransomware threats and uncovers zero-day vulnerabilities to resolve and remediate any threats before they manifest within an environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.