The most used vulnerabilities and tools of hackers


External remote access services are still the main vector for ransomware groups hacking corporate networks. Moreover, there is a noticeable surge in the use of phishing and vulnerabilities in a public application for data theft and extortion.

According to Group-IB, attackers target Remote Desktop Protocol (RDP) servers for initial access to the network. Also, attackers often use compromised credentials to attack the infrastructure from the inside.

According to a Group-IB report, last year, ransomware gangs developed exploits for recently discovered security problems in public applications. Among the most used vulnerabilities are:

  • CVE-2021-20016
    (SonicWall SMA100 SSL VPN);
  • CVE-2021-26084 (Atlassian Confluence);
  • CVE-2021-26855
    (Microsoft Exchange);
  • CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104 (Accellion FTA);
  • CVE-2021-30116 (Kaseya VSA);
  • CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (Microsoft Exchange);
  • CVE-2021-35211

According to a recent joint report by Cyber Security Works, Securin, Cyware and Ivanti, the number of vulnerabilities associated with ransomware attacks increased to 310 in the first quarter of 2022. However, not all errors are new. Half of the vulnerabilities were discovered back in 2019. For many of them, there are publicly available exploits that greatly facilitate the work of attackers.

According to Group-IB, the groups published information about 3,500 victims, 1,655 victims were from the United States. The most aggressive campaigns in 2021 were LockBit (670 victims), Conti (640 victims) and Pysa (186 victims).

According to a study by the Digital Forensics and Incident Response company (DFIR), out of 700 cyberattacks last year, 63% of the cases involved data leakage. Last year, the average amount of repurchase was $247 thousand. Data exfiltration remains a powerful hacker tactic, and some groups have even created their own tools to sell to their partners.

Among the methods of attackers is the use of command interpreters and scripts, as well as remote services, which are part of all attacks. In addition, cybercriminals also used various methods to detect remote systems, steal credentials, and disable security features.

Of the most used tools, SoftPerfect Network Scanner is the most popular. In second place is a common tool for the post-operation stages of Cobalt Strike Beacon with a wide range of actions (script execution, keylogging, file downloading).

According to Oleg Skulkin, head of the DFIR group, the merger of Tactics, Techniques, and Procedures (TTP) due to the transition of affiliated entities from one operation to another makes it difficult for security specialists to track the methods of an attacker. However, identifying the main trends using the MITRE [email protected] matrix should make it easier to prepare for incidents with ransomware.

Start a discussion …