Remote Access Vulnerability

Risk: high
Damage: high
Platform(s): Systems Networks
Advisory ID: ngCERT-2020-0014
Version: N/A
CVE: N/A
Published: July 22, 2020

Summary


Researchers discovered that attackers can access organizations' networks through remote access systems to carry out ransomware attacks. This is performed through the Remote Desktop Protocol (RDP) and virtual private networks (VPNs). The impact of these attacks on business operations can be severe because data is stolen and sold. Recovery is also very costly: the compromised network must be investigated and remediated, and encrypted files restored from backup.

Description & Consequence


The Active Ransomware Campaign is a well-crafted and sophisticated ransomware attack said to result from weak authentication, non-use of multi-factor authentication, and unpatched software. Once access to a network is gained through a remote access system, tools such as Mimikatz, PsExec, and Cobalt Strike are used to escalate privileges, move laterally through the network, and establish persistence.

Upon successful exploitation, a malicious attacker can cause damage, steal sensitive information, and sell it and/or leak it to the public.

Solution


  • Ensure remote access systems are up to date with security patches.
  • Strictly enforce strong authentication on all systems.
  • Mitigate the impact of such an attack by hardening the system and network layers to make it harder for attackers to move around your network.
  • Well-configured backups are essential to recovery from any ransomware attack.
  • Ensure the use of password encryption systems.
  • Create an account lockout policy.
  • Encrypt data to prevent theft.
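An account lockout policy blocks repeated guesses against a single account, but a password spray that tries one or two passwords per account across many accounts stays under the lockout threshold. The check below, an added example that is not part of the ngCERT advisory, flags both patterns in failed RDP logon events (Windows Security event 4625 with logon type 10) using constructed sample records; the window and thresholds are assumptions to tune per environment.

```python
"""Flag RDP brute-force and password-spray patterns in failed-logon events.
Constructed example (not from the advisory): records mimic Windows Security
event 4625 fields; logon type 10 is RemoteInteractive, i.e. RDP."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=5)   # assumed thresholds; tune per environment
BRUTE_THRESHOLD = 5             # failures against one account from one source
SPRAY_THRESHOLD = 4             # distinct accounts tried from one source

SAMPLE_EVENTS = [  # constructed: (timestamp, event_id, logon_type, account, source_ip)
    ("2020-07-22T01:00:00", 4625, 10, "jdoe", "203.0.113.5"),
    ("2020-07-22T01:00:10", 4625, 10, "jdoe", "203.0.113.5"),
    ("2020-07-22T01:00:20", 4625, 10, "jdoe", "203.0.113.5"),
    ("2020-07-22T01:00:30", 4625, 10, "jdoe", "203.0.113.5"),
    ("2020-07-22T01:00:40", 4625, 10, "jdoe", "203.0.113.5"),
    ("2020-07-22T01:01:00", 4625, 3, "jdoe", "203.0.113.5"),  # network logon, not RDP: ignored
    ("2020-07-22T02:00:00", 4625, 10, "admin", "198.51.100.7"),
    ("2020-07-22T02:01:00", 4625, 10, "finance", "198.51.100.7"),
    ("2020-07-22T02:02:00", 4625, 10, "hr", "198.51.100.7"),
    ("2020-07-22T02:03:00", 4625, 10, "backup", "198.51.100.7"),
    ("2020-07-22T03:00:00", 4625, 10, "alice", "192.0.2.9"),  # one typo, then success
    ("2020-07-22T03:00:05", 4624, 10, "alice", "192.0.2.9"),
]

def detect(events, window=WINDOW):
    """Return sorted (source_ip, kind, detail) findings from failed RDP logons."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, ip in events:
        if event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            by_ip[ip].append((datetime.fromisoformat(ts), account))
    findings = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:   # slide the window forward
                start += 1
            per_account = Counter(acct for _, acct in attempts[start:end + 1])
            for acct, n in per_account.items():
                if n >= BRUTE_THRESHOLD:
                    findings.add((ip, "brute_force", acct))
            # a spray tries each account once or twice, staying under any
            # lockout threshold; it only shows up as many distinct accounts
            if len(per_account) >= SPRAY_THRESHOLD:
                findings.add((ip, "password_spray", len(per_account)))
    return sorted(findings)
```

Running `detect(SAMPLE_EVENTS)` reports the single-account brute force from 203.0.113.5 and the four-account spray from 198.51.100.7, while the lone mistyped password from 192.0.2.9 is not reported.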
