FBI: Ransomware actors abuse third parties and legitimate system tools for initial access

Pierluigi Paganini November 08, 2023

The FBI published a PIN alert warning of ransomware operators compromising third-party vendors and services for initial access to target environments.

The Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) to warn of ransomware initial access trends and provide recommendations to reduce the attack surface to ransomware attacks.

As of July 2023, the FBI observed ransomware operators exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies that were compromised through legitimate system management tools to elevate network permissions.

The FBI continues to observe ransomware operators abusing third-party vendors and services as an attack vector.

“Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors. The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons.” reported the PIN.

The FBI also reported, as of June 2023, that the Silent Ransom Group (SRG), also known as Luna Moth, had been observed conducting callback phishing data theft and extortion attacks. The threat actors sent victims a phone number in a phishing attempt, often related to pending charges on their accounts. Once the victims called the provided phone number, the attackers instructed them to connect to a legitimate system management tool through a link provided in a follow-up email. The attackers then used these management tools to install other legitimate system management tools that could be exploited for carrying out further malicious activities. The FBI reported that the threat actors compromised local files and network shared drives, exfiltrated victim data, and extorted the affected companies.

The FBI also published recommendations for organizations to improve their security posture in response to these new activity trends.

To be prepared for cyber incidents, organizations should maintain offline backups of data, and regularly maintain backup and restoration, ensure all backup data is encrypted, immutable and cover the entire organization’s data infrastructure, and ensure their backup data is not already infected. The FBI also recommends reviewing the security posture of third-party vendors.

The PIN alert also recommends organizations to document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.

The PIN also emphasizes the need to implement a recovery plan, network segmentation, and monitoring for any suspicious activities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

you might also like

leave a comment