
John Leyden
Senior Writer

Ransomware attackers exploit year-old backup vulnerability

News Analysis
11 Jul 2024 | 4 mins
Cyberattacks, Ransomware

A post-mortem of a recent ransomware attack illustrates the continued importance of basic security controls such as patching in withstanding an evolving cybercrime threat.

Credit: DC Studio / Shutterstock

Security intelligence firm Group-IB reports that attackers from a recently created ransomware group – EstateRansomware – exploited a year-old vulnerability (CVE-2023-27532) in backup software from Veeam as part of a complex attack chain.

Anatomy of an attack

EstateRansomware exploited a dormant account in Fortinet FortiGate firewall SSL VPN appliances to gain initial access.

After access was achieved, the group deployed a persistent backdoor, conducted network discovery, and harvested credentials.

Attempts to exploit the CVE-2023-27532 vulnerability in Veeam were followed by the activation of a shell and the creation of rogue user accounts, Group-IB reports. Those rogue accounts facilitated lateral movement.

The attackers made extensive use of NetScan, AdFind, and various tools provided by NirSoft to conduct network discovery, enumeration, and credential harvesting.

EstateRansomware ultimately deployed its ransomware payload after disabling Windows Defender.

A variant of the LockBit 3.0 ransomware was used to encrypt files and clear logs.

LockBit 3.0 shares similarities with other ransomware variants like BlackMatter and Alphv (also known as BlackCat), suggesting possible connections or inspirations between these groups.

EstateRansomware

The EstateRansomware group first surfaced in April 2024 and is active in attacks in UAE, France, Hong Kong, Malaysia, and the US, according to Group-IB.

The group is one of several currently active ransomware groups, many of which take advantage of affiliates to carry out attacks as part of a ransomware-as-a-service business model.

“The EstateRansomware group demonstrates a methodical and well-resourced approach to ransomware attacks, especially the amount of pre-exploitation activity involved,” Fearghal Hughes, cyber threat intelligence analyst at ReliaQuest told CSOonline. “This showcases the need for a comprehensive and proactive cybersecurity strategy.”

EstateRansomware's methodology relies in large part on exploiting unpatched network security vulnerabilities.

Martin Greenfield, CEO of continuous controls monitoring firm Quod Orbis, commented, “EstateRansomware is likely to target those organisations that are simply not getting the basics right, like patching, back-ups or ensuring access control is tightened.”

He added, “Not doing the basics correctly is the exact reason why so many breaches occur. Organisations must ensure that there are regular and secure backups, your controls should be applied consistently and your whole architecture should be built for failure to make your environment resilient.”

Ian Nicholson, incident response head at Pentest People, said, “The ransomware attacks exploiting the Veeam vulnerability (CVE-2023-27532) offer some vital lessons for CSOs. These attacks have certainly highlighted the importance of timely patch management practices. Despite patches being available since March 2023, delayed updates have left systems exposed, allowing attackers to steal credentials and execute remote code.”

EstateRansomware often uses tactics such as deploying PowerShell scripts and backdoors such as DiceLoader/Lizar for network reconnaissance, data theft, and lateral movement.

“This emphasises the need for proactive monitoring, advanced threat detection solutions, and robust logging to detect and respond to suspicious activities early,” according to Nicholson. “CSOs should incorporate these measures alongside targeted Threat Intelligence to understand threat actor TTPs and mitigate risks more efficiently.”
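As an added illustration of the logging-based detection Nicholson describes, the following Python correlates the post-exploitation steps named in the attack chain above (rogue local account creation, the new account being granted local administrator rights, and Defender being disabled on the same host) into a single scored finding. This is example code written for this article, not tooling from Group-IB, ReliaQuest, or Pentest People. The log records are constructed, the field names and the 30-minute correlation window are assumptions modelled loosely on Windows event XML, and the event IDs are the standard Windows ones: 4720 (user account created), 4732 (member added to a security-enabled local group) and 5001 (Defender real-time protection disabled).

```python
"""Correlate Windows Security and Defender events into the post-exploitation
pattern described in the article: a rogue local account is created, added to
the local Administrators group, and Defender is switched off on the same host.

Added example (not from Group-IB, ReliaQuest or the article). Field names are
assumptions loosely modelled on Windows event XML; records are constructed.
"""
from datetime import datetime, timedelta

# Assumed correlation window: follow-on events this long after the account
# creation are tied to it. Tune to your environment.
WINDOW = timedelta(minutes=30)

# Constructed sample records (not from the incident). Event IDs are real
# Windows IDs; hostnames, usernames and timestamps are invented.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "BACKUP01", "TimeCreated": "2024-04-02T01:12:07",
     "TargetUserName": "svc_bkp2", "SubjectUserName": "veeamsvc"},
    {"EventID": 4732, "Computer": "BACKUP01", "TimeCreated": "2024-04-02T01:12:40",
     "TargetUserName": "Administrators", "MemberName": "BACKUP01\\svc_bkp2"},
    {"EventID": 5001, "Computer": "BACKUP01", "TimeCreated": "2024-04-02T01:25:13"},
    # Benign-looking creation by the helpdesk, nothing else follows on that host.
    {"EventID": 4720, "Computer": "HR-WS07", "TimeCreated": "2024-04-02T09:00:00",
     "TargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
    # Defender disabled with no preceding account creation: not part of this
    # chained pattern, so it produces no finding here (alert on it separately).
    {"EventID": 5001, "Computer": "FILESRV02", "TimeCreated": "2024-04-02T11:40:00"},
]


def _ts(rec):
    """Parse the record timestamp (ISO 8601, as in the constructed samples)."""
    return datetime.fromisoformat(rec["TimeCreated"])


def correlate(events, window=WINDOW):
    """Return one finding per 4720 (account created) event, enriched with any
    4732 (admin group add for that account) and 5001 (Defender real-time
    protection disabled) events seen on the same host within `window`.

    Severity: 'low'    = creation only
              'medium' = creation + added to local Administrators
              'high'   = creation + Administrators + Defender disabled
    """
    events = sorted(events, key=_ts)
    findings = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        host, user, t0 = e["Computer"], e["TargetUserName"], _ts(e)
        # Events on the same host inside the window after the creation.
        later = [x for x in events
                 if x["Computer"] == host and t0 <= _ts(x) <= t0 + window]
        admin_add = any(
            x["EventID"] == 4732
            and x.get("TargetUserName") == "Administrators"
            and x.get("MemberName", "").lower().endswith("\\" + user.lower())
            for x in later)
        defender_off = any(x["EventID"] == 5001 for x in later)
        if admin_add and defender_off:
            severity = "high"
        elif admin_add:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "host": host,
            "user": user,
            "created_by": e.get("SubjectUserName"),
            "admin_added": admin_add,
            "defender_disabled": defender_off,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:10} user={f['user']} "
              f"created_by={f['created_by']} admin={f['admin_added']} "
              f"defender_off={f['defender_disabled']}")
```

Run against the constructed records, BACKUP01 scores high (all three steps within 13 minutes, and the account was created by a backup service identity that has no business administering users, itself a useful signal), HR-WS07 scores low, and the lone Defender-off event on FILESRV02 yields nothing because the function only scores the chained pattern; a 5001 on its own still deserves a separate alert. In production the records would come from the SIEM rather than a list, and the window and group name would be per-environment settings.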

Action plan

ReliaQuest provided a five-point action plan to deal with EstateRansomware and similar threats:

  • Prioritize timely patching of known vulnerabilities, especially those disclosed in widely used software.
  • Adopt a zero-trust approach to network security.
  • Deploy multi-factor authentication for all remote access points and critical systems.
  • Implement network segmentation to limit the spread of ransomware.
  • Ensure that backup systems are secure, regularly tested, and segmented from the main network.