Ransomware Attacks: Automation Speeds Vulnerability Exploitation

Researchers have observed A ransomware affiliate dubbed 'ShadowSyndicate' conducting reconnaissance scans searching for targets vulnerable to a recently disclosed directory traversal vulnerability in the aiohttp Python library (CVE-2024-23334).

‍

Exploitation of the vulnerability that can allow threat actors “unauthorized access to arbitrary files on the system, even when symlinks are not present.”

‍

“ShadowSyndicate is an opportunistic, financially-motivated threat actor, active since July 2022, who was linked with various degrees of confidence to ransomware strains such as Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play,” Bleeping Computer reports.

‍

“Unfortunately, open-source libraries are often used in outdated versions for extended periods due to various practical issues that complicate locating and patching them. This makes them more valuable to threat actors, who leverage them in attacks even after years have passed since a security update was made available.”

‍

Takeaway: Vulnerabilities in widely used open-source offerings can be a significant issue, especially because an organization may not even know they are at risk.

‍

Threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

‍

Patching is already a challenge in many instances, as a patch may need to be thoroughly tested before going into production, but in many cases with open-source code, an organization may not even be aware it is being employed in their environment, leaving the organization at risk.

‍

The Log4J vulnerability from a few years back is a great example, where thousands of organizations had to scramble to determine if they were at risk for the Log4Shell exploit because they didn’t even know if they were using Log4j at the time the Log4Shell vulnerability was disclosed.  

‍

Combine the difficulty in determining exposure and patching against it with the fact that ransomware operators are becoming more adept at rapidly automating processes to identify and exploit both new and old vulnerabilities, and the stage is set for mass compromise.

‍

For example, in 2023, the Cl0p ransomware gang went on an unprecedented spree compromising more than 1000 organizations in rapid succession vulnerable to a patchable flaw in the MoveIT file sharing program.

‍

Th recently disclosed vulnerability in the aiohttp library and how quickly ransomware operators have showed signs they are potentially preparing to exploit it provides a real-time glimpse into how they are automating aspects of their attacks to compromise targets en masse:

• January 28, 2024: aiohttp releases version 3.9.2 that mitigates a vulnerability (CVE-2024-23334) that can allow unauthenticated users access to files on vulnerable servers (perfect for ransomware operators)
• February 27, 2024: researcher releases proof-of-concept (PoC) exploit for the vulnerability
• February 28, 2024: a video is posted to YouTube with step-by-step exploitation instructions
• February 29, 2024: researchers report exploitation attempts targeting CVE-2024-23334 which increased rate into March

‍

Within days of a PoC exploit being released – and just one month after a patch had been released -ransomware operators were already leveraging automated scans to identify vulnerable targets.

‍

It can be assumed that these threat actors are not going to stop at reconnaissance, and that it will only be a matter of time before they have automated exploitation of the vulnerability long before many organizations even know they are at risk, as we saw in the Cl0p MoveIT campaign.

‍

There are only two reasons for an organization to not patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. Organizations who wanted to patch but couldn’t is where the real work needs to be done.

‍

It can also be assumed that once an organization has determined they are at risk, an even longer process of patching against the vulnerability would begin, giving attackers a log runway with which to exploit the bug.

‍

Patching systems can be highly complex for some organizations. To avoid breaking critical business systems, patches often need to be applied in development environments and tested extensively prior to production.  

‍

Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. In many cases it can be months or more of work to do before they can be protected

‍

But for the others - those who could patch but didn’t - there is really no excuse. If we could first address this issue of the “low hanging fruit” who offer attackers a ripe target via poor security protocols, we could certainly make a big dent in this growing threat.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.