
Ransomware Series (Part 2) - How did they get in?




Across recent incidents we have responded to, compromised user credentials have been the most common way attackers got in.


Credential compromise is not limited to one technique: it covers successful phishing campaigns, brute force attacks on weak passwords, and credentials exposed in data breaches affecting major entities such as Optus, Medibank and numerous others. Securing user credentials is therefore one of the highest-value controls an organisation has. This post explains how these attacks work and offers practical steps to reduce the risk.


User credentials are generally compromised through:


  1. Successful interaction with a user through a phishing email;

  2. Weak passwords being brute forced (guessed by a computer program);

  3. Credentials being stolen in other data breaches (e.g. Optus, Medibank and many others).

Password reuse and predictable passwords are also an issue faced by many organisations. During a recent engagement, the password 'Spring2022!' was chosen at random to test against all users, with the surprising outcome that it worked for 22 accounts. We ran the same test using 'Password1', which worked for 4 accounts.
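The test described above is a password spray: one password tried once against every account. Seen from the defender's side, the added example below (not code from the original post) shows how to tell a spray apart from a conventional brute force in authentication logs. The log lines are constructed, the line format (`timestamp FAIL|OK user=... src=...`) is assumed, and the window and thresholds are starting points to tune, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format; adapt LINE_RE to whatever your webmail/VPN/IdP emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data (not a real capture):
#  - 203.0.113.7 tries seven accounts once each: a spray, two of which succeed
#  - 198.51.100.9 hammers one account: a conventional brute force
#  - 192.0.2.44 is a user mistyping their password once
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 OK user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 FAIL user=frank src=203.0.113.7
2024-03-01T09:00:07 OK user=grace src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:10 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:20 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:30 OK user=alice src=198.51.100.9
2024-03-01T11:00:00 FAIL user=bob src=192.0.2.44
2024-03-01T11:00:05 OK user=bob src=192.0.2.44
"""


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spray signature: one source, many distinct accounts, very few tries each.

    Returns {src: {"users": distinct accounts tried, "compromised": accounts
    that logged in successfully inside the same window}}.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        # Slide a window starting at each event from this source.
        for i, start in enumerate(evs):
            attempts = defaultdict(int)
            successes = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                attempts[e["user"]] += 1
                if e["ok"]:
                    successes.add(e["user"])
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                alerts[src] = {"users": len(attempts), "compromised": sorted(successes)}
                break
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=3):
    """Brute-force signature: one source, one account, repeated failures."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[(e["src"], e["user"])].append(e["ts"])

    hits = []
    for (src, user), times in fails.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= min_failures:
                hits.append((src, user))
                break
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("sprays:", detect_sprays(evs))
    print("brute force:", detect_brute_force(evs))
```

Note what a per-account lockout policy misses: the spraying source never trips it, because each account sees a single failure. Grouping by source (and, in practice, by ASN or user agent as well) is what surfaces the 22-account outcome described above, and the `compromised` list is the first thing the responder needs.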


Once valid user credentials are known, your external facing systems such as webmail, email and remote access can be logged into directly if there is no additional form of authentication (MFA/2FA) in front of them.

Internet facing services, servers with unpatched vulnerabilities and cloud service misconfigurations are also very common entry points for attackers. The ProxyShell and ProxyLogon vulnerabilities found in Microsoft's Exchange email servers in 2021 caused havoc, and security patches for Exchange are still being released, with two new zero-day vulnerabilities recently identified.


When a new security vulnerability is disclosed, working exploit code commonly appears within hours. Patches for any vulnerability with a known exploit should therefore be applied within 48 hours.


The key takeaways from this blog post:


  1. Enforce strong passwords;

  2. Implement MFA;

  3. Consider endpoint monitoring for malicious activity; and

  4. Monitor security updates and apply as an urgent priority.
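On takeaway 1: a classic complexity rule (eight or more characters, three of four character classes) accepts both 'Spring2022!' and 'Password1', which is exactly why the spray above worked. The checker below is an added example, not code from the original post. It normalises a candidate password (lower case, trailing digits and symbols stripped, common letter substitutions undone) and rejects banned base words such as seasons, months and "password", as well as anything found in a breach corpus. The banned list, the breach set and the 12-character minimum are assumptions chosen for the example.

```python
import re

# Assumed policy inputs. In production, feed the base-word list from your
# organisation's own name, products and locations, and the breach set from a
# real corpus (e.g. a breached-password list) rather than this constructed one.
BANNED_BASES = {
    "password", "passw0rd", "welcome", "letmein", "qwerty", "admin", "changeme",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}
BREACHED_SAMPLE = {"Password1", "Welcome1", "123456", "qwerty123"}  # constructed
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def passes_complexity(pw, min_len=8):
    """The naive rule most directories enforce: length plus 3 of 4 classes."""
    classes = [re.search(p, pw) is not None
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    return len(pw) >= min_len and sum(classes) >= 3


def base_word(pw):
    """Strip the decoration users add to satisfy complexity rules.

    'Spring2022!' -> 'spring', 'P@ssw0rd2024!' -> 'password'
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)      # drop trailing year/number/symbol
    s = s.translate(LEET)               # undo 0->o, @->a, $->s and friends
    s = re.sub(r"^[^a-z]+", "", s)      # drop any leading symbols
    return s


def check_password(pw, banned_bases=BANNED_BASES, breached=BREACHED_SAMPLE, min_len=12):
    """Return (accepted, reason). Checks are ordered so the most telling
    reason is reported first."""
    if pw in breached:
        return False, "appears in breach corpus"
    base = base_word(pw)
    if base in banned_bases:
        return False, f"base word '{base}' is banned"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Spring2022!", "Password1", "P@ssw0rd2024!",
                      "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(f"{candidate!r:32} complexity={passes_complexity(candidate)!s:5} "
              f"policy={check_password(candidate)}")
```

The point of the ordering is that 'Spring2022!' is rejected for its base word, not for being a character short; a length-only message would just produce 'Spring2023!!' at the next rotation. Any check of this kind belongs at the point of password change (a directory password filter or IdP policy), not in a periodic audit after the spray has already succeeded.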

In our next blog post, we will talk about how to determine whether data has been stolen during a compromise.


Feel free to contact us if you would like any further information.

