Undoubtedly, the global business space has continuously seen more ransomware attacks than ever before, since 2020. The LockBit ransomware group was mostly deployed all over the world in regard to the number of victims claimed on their data leak site and considering the variants deployed through their affiliates affecting critical infrastructure sectors of Nation states according to Cybersecurity and Infrastructure Security Agency [CISA]
The LockBit ransomware group is said to be the most prolific and disruptive ransomware variants with varying TTPs and it keeps changing since it was first detected in January 2020.
LockBit amounted to about 16% of all ransomware-reported cases in the US in the year 2022 summing up to about 1700 attacks according to the FBI, it is also responsible for 22% of reported ransomware incidents in Canada, 23% in New Zealand and 18% of all reported ransomware incidents in Australia.
Against the common techniques used by most advanced threat actors to exploit zero days, LockBit group and its affiliates have been observed to use common vulnerabilities and exposures, especially older vulnerabilities like CVE-2021-22986 F5 iControl REST unauthenticated Remote Code Execution Vulnerability as well as new vulnerabilities
- CVE-2023-0669: Fortra GoAnyhwere Managed File Transfer (MFT) Remote Code Execution Vulnerability
- CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability
LockBit affiliates have been documented exploiting numerous CVEs, including:
- CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability,
- CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability,
- CVE-2020-1472: NetLogon Privilege Escalation Vulnerability,
- CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability, and
- CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability.
A number of open-source tools, power shells and batch scripting have been reported to be used by the ransomware group during their intrusions, for discovery, reconnaissance, remote access, tunnelling, credential dumping, exfiltration and privilege escalation. Among these tools are AnyDesk, 7zip, Advance port scanner, Advance IP scanner, Mimikatz, Mega, Putty, Chocolatey, ExtPassword, FileZilla, LostMyPassword, PasswordFox, Process Hacker, TeamViewer, ThunderShell, WinSCP. Using various ATT&CK techniques for initial access, code execution, privilege escalation, credential access, lateral movement, command and control and exfiltration.
With regard to their Tactics, Techniques, and procedures (TTPs), there are a handful of security controls that organizations could implement to mitigate their antics and destructive cyber activities.
- Consider implementing sandboxed browsers to protect systems from malware originating from web browsing. Sandboxed browsers isolate the host machine from malicious code.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies
- Keep all operating systems, software, and firmware up to date.
- Follow the least-privilege best practice
- Implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall [CPG 2.M].
- Install a web application firewall and configure it with appropriate rules to protect enterprise assets.
- Develop and regularly update comprehensive network diagram(s) that describes systems and data flows within your organization’s network
- Enable enhanced PowerShell logging
- Configure the Windows Registry to require UAC approval for any PsExec operations
- Apply local security policies to control application execution (e.g., Software Restriction Policies (SRP), AppLocker, Windows Defender Application Control (WDAC)) with a strict allowlist.
- Restrict NTLM uses with security policies and firewalling.
- Disable unused ports
- Review internet-facing services and disable any services that are no longer a business requirement to be exposed or restrict access to only those users with an explicit requirement to access services, such as SSL, VPN, or RDP. If internet-facing services must be used, control access by only allowing access from an admin IP range [CPG 2. X].
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Regularly verify the security level of the Active Directory domain by checking for misconfigurations
Validate Security Controls
In addition to applying mitigations, exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory is recommended. Also, testing your existing
security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory