3 initial access tactics to simulate in your penetration tests
As offensive security pros, we focus on supporting security teams to find and report critical vulnerabilities before cybercriminals do. This means getting more budget for stronger tooling, awareness training, and additional team members to better prevent cyberattacks.
Most ransomware groups rely on three common initial access tactics to gain a foothold in companies’ critical infrastructure and web applications and, quite possibly, sell off their most valuable assets.
In this guide, I’ll talk about these tactics (phishing attacks, RDP attacks, and exploitable vulnerabilities) and how pentesters can use them to simulate realistic attack scenarios in their ethical hacking engagements.
You'll walk away with practical examples and actionable advice on how to effectively replicate these attacks. Plus, you’ll help your customers to create better security awareness inside their organizations.
Let’s jump right in!
1. Leveraging finely customized phishing attacks
Phishing is the most common technique threat actors use to launch ransomware attacks.
The primary targets of a phishing attack are individuals and employees at all company levels, even those who don't hold much sensitive information themselves, because any of them can be the entry point a malicious hacker uses to break into the company’s network.
A phishing attack simulation is a good strategy to train employees to identify and report cyber threats. You can check out this tutorial to learn how to simulate a phishing attack.
From that initial access point, cybercriminals can escalate to higher-privileged devices and build an overview of the internal network architecture. This gives them the opportunity to launch ransomware on every (vulnerable) machine and get access to sensitive data.
And what’s the easiest path to get into a network and steal sensitive data? Through emails, of course.
Trend Micro’s email threat report revealed that phishing attacks grew 4% in 2022, with nearly 7 million detections. Meanwhile, DataPront highlights that a new phishing site is created on the internet every 11 seconds.
But let’s see a practical example. ThreatLabz found a widespread phishing attack that targeted Microsoft email customers and used the "Adversary in the Middle" (AiTM) strategy.
This technique involves the attacker intercepting the communication between the client and server during the authentication process. AiTM servers are intermediaries between the intended target and the authentication login page.
When the target fills in their login details on the proxy page, the AiTM server captures and saves them, then relays them to the legitimate login page, which completes a successful login. The victim perceives the experience as if they had logged in directly on the legitimate page.
In addition, both connections - between the AiTM server and the legitimate site, and between the victim and the AiTM server - are established over HTTPS. This means the victim's web browser displays a padlock icon in the address bar, indicating that the connection is secure.
These phishing attacks use man-in-the-middle frameworks such as Evilginx2, Muraena, and Modlishka to place a proxy server between the user and the target website, redirecting recipients of phishing emails to look-alike pages. The purpose is to obtain credentials and MFA information.
Source: Jeffrey Appel’s blog
This lets them steal credentials, including multi-factor authentication (MFA) data, by acting as a transparent third party between the client and the server. In other words, the attacker sits in the middle of the authentication process and harvests sensitive information.
To replicate the attack scenario and demonstrate the business risk, you can deploy a malicious server with a framework like Evilginx2, which proxies the phishing site. It can be a website the users frequently use (e.g. GitHub, GitLab, Google). For example, Zphisher is an automated tool that offers over 30 templates for common websites.
After the malicious server is up, send the URL to the people involved in the simulation and check whether any TLS session is established with it. If one is, that user has fallen for your phishing campaign.
A penetration tester can play a crucial role in helping organizations protect themselves from phishing attacks. Here are some ways they can contribute.
Phishing simulation: A pentester can conduct simulated phishing campaigns within the organization to assess the susceptibility of employees to such attacks. By crafting realistic phishing emails and monitoring the responses, they can identify weak points and educate employees on how to better recognize and handle phishing attempts.
Social engineering assessments: Pentesters can employ social engineering tactics, such as impersonation, pretexting, or elicitation to evaluate the organization's susceptibility to such attacks. By assessing human vulnerabilities, they can recommend training programs and policies to enhance employee awareness and resilience.
Security awareness training: Pentesters can assist in developing and delivering effective security awareness training programs. These programs aim to educate employees about phishing risks, the tactics attackers use, and the steps to take to identify and report potential phishing attempts.
A successful awareness training should include:
best practices for email and web browsing
recognizing suspicious links or attachments
maintaining strong passwords.
2. RDP and credential abuse
RDP attacks surged during the pandemic when home workers' use of remote access solutions also soared.
Brute-forcing Remote Desktop Protocol (RDP) credentials is the most common method threat actors use to gain access to Windows systems and execute malware on them.
To do that, they use open-source port scanning tools to check for exposed RDP ports on various machines. Then, they use brute-force tools or stolen credentials to get in and pursue their malicious actions.
After gaining access to the target system, cybercriminals compromise it by deleting backups, disabling the firewall and the antivirus software, or changing configuration settings.
Let’s have a look at two practical examples.
Old but still threatening - Dharma attacks via RDP
Most Dharma (and its variants) ransomware attacks use Remote Desktop Protocol access as the main attack vector. Once the computer is infected, Dharma creates registry entries to maintain persistence and encrypts almost every file type.
Then, after executing the ransomware payload, it uninstalls the security software on the system. It also maintains persistence by copying itself to startup folders and adding references to the autorun keys.
This is a very common attack vector, given the number of vulnerabilities found in the RDP service over the years.
One key aspect is to reduce the attack surface by understanding how your organization uses RDP and where you can eliminate unused connections without impacting business productivity.
Check whether TCP/UDP port 3389 is open. To do this, you can run an automated enumeration with Nmap, such as:
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <IP>
This scan checks for the MS12-020 denial-of-service vulnerability, enumerates the supported encryption levels, and grabs NTLM information about the Windows host.
After the enumeration step, try to brute-force the RDP accounts using our Password Auditor, which performs password spraying and discovers weak credentials in web forms.
Another example worth mentioning is the Shadow Attack, which allows a remote attacker to view the victim's desktop without their consent.
To check whether your system is vulnerable to it, use the open-source AutoRDPwn tool.
Focus on monitoring and securing RDP with tools such as an intrusion detection system (IDS). Use an effective and easy-to-deploy backup strategy to reduce the losses generated by an eventual malware infection.
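To make the monitoring advice concrete, here is an added example (not from the original article or from any vendor tool) that detects the two credential-abuse patterns described above, brute force against one account and password spraying across many, in Windows Security log lines. It assumes a simplified one-line-per-event export of Event ID 4625 with LogonType 10 (RDP); the log lines, window and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt (Event ID 4625 = failed logon,
# LogonType 10 = RemoteInteractive, i.e. RDP). Not real telemetry.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-03-01T02:00:02Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-03-01T02:00:04Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-03-01T02:00:05Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-03-01T02:00:07Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2024-03-01T02:10:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.9
2024-03-01T02:10:30Z EventID=4625 LogonType=10 TargetUserName=bob IpAddress=203.0.113.9
2024-03-01T02:11:00Z EventID=4625 LogonType=10 TargetUserName=carol IpAddress=203.0.113.9
2024-03-01T02:11:30Z EventID=4625 LogonType=10 TargetUserName=dave IpAddress=203.0.113.9
2024-03-01T03:00:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=198.51.100.2
2024-03-01T03:59:00Z EventID=4625 LogonType=10 TargetUserName=alice IpAddress=198.51.100.2
2024-03-01T04:00:00Z EventID=4624 LogonType=10 TargetUserName=alice IpAddress=198.51.100.2
2024-03-01T04:00:10Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_rdp_failures(text):
    """Return sorted (timestamp, user, source_ip) tuples for failed RDP logons only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "4625" or m["lt"] != "10":
            continue  # successful logons and non-RDP logon types are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"].lower(), m["ip"]))
    return sorted(events)

def detect_rdp_abuse(events, window=timedelta(minutes=5), brute_min=5, spray_min=4):
    """Sliding window per source IP: brute force = many failures against one
    account, password spraying = a failure each against many distinct accounts."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = defaultdict(set)
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop failures that fell out of the window
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= brute_min:
                alerts[ip].add("brute_force")
            if len(per_user) >= spray_min:
                alerts[ip].add("password_spray")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}
```

The two slow failures from 198.51.100.2 fall outside the window and are not flagged, which is the behaviour you want to tune against your own baseline of legitimate typos.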
VectorStealer - the evasive malware targeting RDP files
VectorStealer is malware advertised in the cybercrime community that steals .rdp files containing sensitive information about RDP sessions. Stealing these files can enable threat actors to carry out RDP hijacking, which gives them unauthorized remote access to a victim's system without needing credentials.
Malware researchers at Cyble Research and Intelligence Labs first spotted VectorStealer. It allows cybercriminals to perform RDP hijacking.
Its operators work from a web panel and a Telegram channel.
Here’s how:
The web panel generates the stealer payload, so no advanced programming skills are required. These web panels have user-friendly interfaces and offer various customization options, including defining what actions the malware should perform and configuring its behavior.
Once the malware is generated, threat actors use it to exfiltrate sensitive information from the victim's system over SMTP, Discord, or Telegram.
Source: Cyble blog
The phishing email carries a malicious document (MalDoc) as an attachment. Once the victim opens it, a prompt asks the user to enable macros. If the user enables them, the macro carries out malicious activity on the victim's computer.
Watch this video demo to learn how you can use Sniper Auto-Exploiter to simulate client-side attacks in your pentests.
If it runs successfully, the macro code de-obfuscates a PowerShell script and runs it with the Shell() function. The PowerShell script downloads the next-stage payload from a remote server and saves it under the name "ks.exe".
As VectorStealer is often distributed through phishing emails or malicious downloads, pentesters can conduct simulated phishing campaigns to assess how susceptible employees are to such attacks. By identifying weaknesses and educating employees on recognizing and avoiding phishing attempts, you can reduce the risk of VectorStealer infections.
In addition, pentesters can evaluate the ability of endpoint security solutions to detect and mitigate VectorStealer infections. This includes evaluating antivirus software, intrusion detection/prevention systems, and endpoint protection platforms. By identifying any gaps or misconfigurations, companies enhance their endpoint security posture.
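As an added example (not part of the original article or of the Cyble research), the following script audits .rdp files for the settings that make them valuable to an infostealer like VectorStealer: an embedded credential, credential prompting switched off, and clipboard or drive redirection. The file contents are constructed samples, and the finding rules are my own assumptions about what a defender would want flagged.

```python
import re

# Constructed .rdp files (one "name:type:value" setting per line; type s = string,
# i = integer, b = binary). Samples written for this example, not files from the page.
SAMPLE_RDP_FILES = {
    "finance-jump.rdp": """\
full address:s:jump.corp.example:3389
username:s:CORP\\finance-admin
password 51:b:01000000d08c9ddf0115d1118c7a00c04fc297eb
prompt for credentials:i:0
redirectclipboard:i:1
drivestoredirect:s:*
""",
    "hardened.rdp": """\
full address:s:jump.corp.example:3389
username:s:CORP\\alice
prompt for credentials:i:1
redirectclipboard:i:0
drivestoredirect:s:
""",
}

RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

def parse_rdp(text):
    """Parse .rdp text into {setting name: (type, value)}; unknown lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            settings[m["name"].lower()] = (m["type"], m["value"])
    return settings

def audit_rdp(settings):
    """Return findings that make this file useful to whoever steals it.
    Keys that are absent are not flagged (a conservative simplification)."""
    findings = []
    # 'password 51' holds a DPAPI-protected password (truncated constructed value above);
    # it is bound to the saving user, but still counts as a credential at rest.
    if settings.get("password 51", ("b", ""))[1]:
        findings.append("embedded credential: 'password 51' is populated")
    if settings.get("prompt for credentials", ("i", ""))[1] == "0":
        findings.append("'prompt for credentials' is 0: client reuses the stored secret")
    if settings.get("redirectclipboard", ("i", ""))[1] == "1":
        findings.append("clipboard redirection enabled")
    drives = settings.get("drivestoredirect", ("s", ""))[1]
    if drives:
        findings.append(f"drive redirection enabled: {drives}")
    return findings

def audit_all(files):
    """Audit a {filename: content} map and return {filename: findings}."""
    return {name: audit_rdp(parse_rdp(text)) for name, text in files.items()}
```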
3. Unpatched, exploitable vulnerabilities still lurking in systems
Some of the most exploited vulnerabilities include CVE-2020-5902, which affects F5 BIG-IP, and CVE-2021-26084, which impacts Atlassian Confluence.
Here is a chart listing vulnerabilities that ransomware groups exploited for initial access.
In many cases, RCE attacks allow malicious hackers to steal confidential information or install ransomware.
For example, the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) are linked to the Conti ransomware, which used them in large-scale attacks targeting Microsoft Exchange servers.
How Conti ransomware impacted over 40 companies in one month
Conti ransomware works by immediately encrypting files and changing their file extension to .ODMUA. It attempts to spread over the network to other computers using the SMB port (445 or 139). The SMB port is a common entry point abused in ransomware attacks.
After a successful run, it leaves a ransom note in every folder with the filename conti_readme.txt / readme.txt.
The Irish healthcare system is another victim of the Conti ransomware. It started with an HSE workstation user who opened a Microsoft Excel file attached to a phishing email that had been sent to them two days before the attack.
The malicious actor gained access to the IT system and continued to operate until the detonation of the Conti ransomware, two months later. This attack resulted in the encryption of 80% of Ireland's HSE IT systems.
The prolific Conti ransomware gang also used the Log4Shell exploit to gain access to internal VMware vCenter Servers and encrypt vulnerable machines.
How the Conti playbook works
In 2021, a member of the Conti ransomware group leaked the manual and technical guide used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company.
They also published an archive called “Manuals for hard workers and software.rar” which contains 7 text files with instructions on how to use various hacking tools. Leaks from Ransomware-as-a-Service (RaaS) operations are uncommon, and this one includes instructions for standard offensive tactics and methods that the Conti group and other ransomware gangs have used in attacks for several years.
Leaked content will give you more insights into how ransomware operators perform their attacks. It will also help improve your pentesting skills.
For example, the leaked manuals include guides on how to:
connect to hacked networks via RDP using a Ngrok secure tunnel
dump passwords from Active Directories (NTDS dumping)
delete shadow volume copies
install the Metasploit pen-testing framework on a virtual private server (VPS)
Most of the exposed manuals and tools are extensively documented and refined. They focus on discovering internal networks and moving within them.
Malicious hackers try to get domain administrator credentials and access to a domain controller, which would enable them to spread ransomware to all linked devices.
Threat actors execute ‘adfind.exe’, a commonly used auditing tool, to discover machines on the network and gather relevant information about them – a tactic other threat actors also employ. You can use AdFind the same way to gather the information and build your escalation steps.
After identifying a list of users and machines, the operators will gather information about job titles, service accounts, and group memberships within the domain to enhance their chances of successful lateral movement.
If the group cannot easily glean this information from the domain, they use LinkedIn to search for names and job titles. The playbook also advises searching for accounts associated with technical, financial, or support functions, as they are likely to have higher privileges or access to data. The wider the access, the greater their ability to extort victims.
Once inside a network, the threat actor looks for domain controllers, local administrators, domain admins, enterprise admins, and the total number of domains across the network. The size of the network largely dictates the next steps. The operators are instructed not to disable specific software or operating systems, because doing so could reveal their presence on the network.
A widely used defense evasion technique is disabling or modifying the system firewall to allow RDP connections, as well as enabling RDP or changing the RDP port.
Source: Conti Leaked Playbook
What’s more, the ransomware group uses a Command and Control (C&C) tactic to get remote access to the victim’s machine. This technique relies on an automated script that downloads AnyDesk and creates a temporary user on the system, which hosts the C&C connection.
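The following is an added detection example, not code from the article or from the leaked playbook: it tags constructed process-creation events for the playbook steps described above (AdFind recon, shadow copy deletion, firewall and registry changes that expose RDP, local account creation, AnyDesk) and correlates a new local account followed by AnyDesk on the same host. The sample events, rule patterns and the 30-minute window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "host": "WS01",
     "cmd": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe -f objectcategory=computer -csv"},
    {"ts": "2024-03-01T09:05:00Z", "host": "WS01",
     "cmd": r"netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"},
    {"ts": "2024-03-01T09:05:10Z", "host": "WS01",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2024-03-01T09:20:00Z", "host": "WS01",
     "cmd": r"net user tmpsupport Constructed1! /add"},
    {"ts": "2024-03-01T09:21:00Z", "host": "WS01",
     "cmd": r"C:\ProgramData\AnyDesk\AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"ts": "2024-03-01T11:00:00Z", "host": "FS02",
     "cmd": r"vssadmin delete shadows /all /quiet"},
    {"ts": "2024-03-01T11:30:00Z", "host": "WS07",
     "cmd": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]

# Each rule is (tag, pattern over the command line); one tag per playbook step.
RULES = [
    ("ad_recon_adfind", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("firewall_opened_for_rdp", re.compile(r"netsh.*advfirewall.*localport=3389", re.I)),
    ("rdp_enabled_or_port_changed", re.compile(r"Terminal Server.*(fDenyTSConnections|PortNumber)", re.I)),
    ("local_account_created", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("remote_access_tool", re.compile(r"\banydesk(\.exe)?\b", re.I)),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def summarize(events, window=timedelta(minutes=30)):
    """Map host -> sorted tags. Single-event rules come from RULES; one correlation
    rule pairs a new local account with a remote-access tool start on the same host
    within `window` (the AnyDesk plus temporary user pattern)."""
    tags, adds, tools = defaultdict(set), defaultdict(list), defaultdict(list)
    for e in events:
        hits = [tag for tag, rx in RULES if rx.search(e["cmd"])]
        tags[e["host"]].update(hits)
        if "local_account_created" in hits:
            adds[e["host"]].append(_ts(e["ts"]))
        if "remote_access_tool" in hits:
            tools[e["host"]].append(_ts(e["ts"]))
    for host in list(tags):
        if any(timedelta(0) <= t - a <= window for a in adds[host] for t in tools[host]):
            tags[host].add("new_account_then_remote_access_tool")
    return {host: sorted(t) for host, t in tags.items()}
```

A lone AnyDesk start (WS07) only gets the low-signal remote-access tag; the same tool right after a fresh local account (WS01) is what should page someone.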
The Black Kingdom ransomware
Systems left unpatched against the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858) were the target of the Black Kingdom and DearCry ransomware back in March 2021, which affected approximately 1.5k Microsoft Exchange servers.
Malicious hackers deployed the Black Kingdom ransomware via a webshell with a very sophisticated payload, commonly sent through the Tor browser.
Unlike ransomware that uses a fixed file extension, Black Kingdom appends a random extension to every encrypted file. It also encrypts many file types, including storage drivers, which leaves infected systems unable to reboot.
How Cring ransomware targets vulnerable Fortinet instances
In April 2021, the Cring ransomware group exploited an unpatched vulnerability (CVE-2018-13379) found in Fortinet VPN devices to encrypt companies’ networks. Once executed on the target system, Cring actively disables all processes and services that could prevent file encryption, while also eliminating backup files.
As a result, the victim encounters challenges during the restoration process.
The group behind the Clop ransomware took credit for a series of recent cyberattacks leveraging a newly found security flaw in GoAnywhere MFT, a secure file transfer tool. The flaw, tracked as CVE-2023-0669, lets malicious hackers execute code remotely on unpatched instances of GoAnywhere MFT whose administrative console is exposed online.
Reports show that the Russian-backed group targeted over 130 organizations, including Tennessee's Community Health Systems. By exploiting GoAnywhere, they exposed the personal and health data of more than 1 million patients.
Clop quickly claimed responsibility for the attacks and alleged data exfiltration, which occurred over a 10-day period.
The group also claimed to encrypt healthcare systems using ransomware payloads, but didn’t provide any evidence to support these statements.
If you want to get a bigger picture of the initial access and how it works, including examples of tactics ransomware gangs use, watch Adrian Furtuna’s 2022 Defcamp talk:
5 helpful ways to prevent ransomware attacks
Ransomware attacks have become increasingly sophisticated and damaging, making prevention strategies crucial. Here are some recommendations you can provide:
Regular security assessments: You should encourage companies to conduct regular security and penetration testing assessments. These tests help identify weaknesses in their systems, which can then be addressed proactively.
Multi-factor authentication (MFA): Encourage the use of MFA wherever possible, especially for accessing critical systems. This adds an extra layer of security even if passwords are compromised.
Backup and disaster recovery: Stress the importance of regular backups and a well-defined disaster recovery plan. Backups should be stored offline and tested to ensure data recovery is possible in case of an attack.
Email filtering and web security: Recommend advanced email filtering solutions and web security gateways. These can help prevent malicious attachments and links from reaching users.
Application security: Encourage secure coding practices and regular security assessments for applications. As we’ve seen before, one of the most popular entry points for ransomware is the vulnerabilities in applications and services.
Prioritizing incident response to ransomware is key to prevention
All the above examples of ransomware incidents emphasize the role of penetration testers in rolling out awareness campaigns to better protect their customers. These practical scenarios highlight the importance of prioritizing critical assets and preventing such attacks.
From their hands-on experience, they can also recommend which offensive security programs and tools work best for any company and help them allocate resources to combat these cyberattacks.
We’re dealing with a volatile ecosystem where things constantly change. It’s essential to apply proactive security assessments, constant patches, and invest in awareness training.