welcome to XRM blog

Keep in touch with latest CRM/ERP articles

To remain competitive your organisation must be efficient across the business process spectrum. To do so you need to take sound decisions based on a balance between the cost and risk. To do so you will be heavily dependent on your content management in itself needs...

image
Blog

Penetration Testing: Three ways to replicate initial access

By Himanshu on 11/8/2023

The majority of ransomware groups concentrate on three typical first access strategies in order to infiltrate vital web applications and infrastructure of businesses and, most likely, sell their most valuable assets. 

  1. Leveraging finely customized phishing attacks

The most popular method used by threat actors to initiate ransomware assaults is phishing. Individuals and staff members at all organizational levels are the main targets of phishing attacks, even if they don't own enough sensitive data to serve as an evil hacker's point of entry into the company's network. An effective technique for teaching staff members to recognize and report cyber threats is to simulate phishing attacks. To find out how to mimic a phishing assault, view this tutorial.

Hackers can obtain an insight into the internal network architecture by granting access to higher privileged devices through the initial access point. They will be able to obtain sensitive data and conduct ransomware assaults on all (susceptible) machines in this way. Organizations might greatly benefit from the assistance of a penetration tester in defending against phishing assaults. The following are some ways they may assist.

Phishing simulation:

A pentester can conduct simulated phishing campaigns within the organization to assess the susceptibility of employees to such attacks. They can find weak points and train staff members on how to better detect and respond to phishing efforts by creating realistic-looking phishing emails and tracking the replies they receive.

Social engineering assessments:

Pentesters can assess the organization's vulnerability to social engineering attacks by using techniques including elicitation, pretexting, and impersonation. They might suggest policies and training courses to improve staff awareness and resilience by evaluating human vulnerabilities.

Security awareness training:

Effective security awareness training programs can be developed and delivered with the help of pentesters. These initiatives seek to inform staff members about the dangers of phishing, the destructive strategies used by attackers, and the procedures they follow to spot and report possible phishing efforts.

  1.  RDP and credential abuse

During the pandemic, home workers' use of remote access solutions increased along with an increase in RDP attacks. Threat actors most frequently utilize the Remote Desktop Protocol (RDP) brute-force method to get into Windows PCs and install malware on them.They use free and open-source port scanning programs to search for open RDP ports on different computers in order to accomplish this. They then carry out their harmful activities using credentials that they have stolen, or brute-forced. Cybercriminals breach the target system by erasing backups, turning off the firewall and antivirus software, or altering configuration settings after they have gained access to it.

  1. Unpatched, exploitable vulnerabilities still lurking in system

Some of the most exploited vulnerabilities include CVE-2020-5902, which affects the F5-BIG-IP and CVE-2021-26084, which impacts the Atlassian Confluence. Ransomware and information theft are two common uses for RCE attacks by malicious hackers. For example, several ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) are linked to the Conti ransomware, which large-scale attacks targeting Microsoft Exchange servers use.

How the Conti playbook works:

The handbook and technical guide that the Conti gang used to instruct affiliate members on how to gain access within a hacked firm, move laterally, and escalate access was disclosed by a member of the Conti ransomware group.

Additionally, they released an archive titled "Manuals for hard workers and software.rar" that includes seven text files with how-to guides for using different hacking tools. It is rare for Ransomware-as-a-Service (RaaS) operations to leak information, but when they do, it usually contains guidelines for popular offensive strategies. These strategies have been employed by the Conti group and other ransomware gangs for a number of years. You can learn more about how ransomware operators carry out their attacks by examining leaked content. Additionally, it will help you become a better pentester Most of the publicly available guides and tools have undergone substantial documentation and improvement. They concentrate on exploring and navigating internal networks.

In order to transmit ransomware to all connected devices, malicious hackers attempt to gain access to a domain controller and domain administrator credentials.Using a technique also used by other threat actors, threat actors will run "adfind.exe," a popular auditing tool, to find workstations on the network and obtain pertinent data about them. ADFind can be used to collect data and create customized escalation procedures.

To improve their chances of a successful lateral transfer, the operators will collect data on job titles, service accounts, and group memberships within the domain after establishing a list of users and machines.The group will use LinkedIn to look for names and job titles if they are unable to quickly obtain this information from the domain. Additionally, since these accounts are probably going to have more access to data or greater rights, it will suggest looking for accounts related to technical, financial, or support functions. Their capacity to extort people grows when access is expanded.
The threat actor searches for domain controllers, enterprise admins, local administrators, domain administrators, and the total number of domains on the network once they are inside. The size of the network will mostly determine the future steps. These attackers are instructed not to turn off particular operating systems or applications since the network is able to identify their existence. Disabling or altering the system firewall to permit RDP connections and activating or modifying the RDP port is a commonly utilized defensive evasion technique.

The Black Kingdom ransomware:

In March 2021, the Black Kingdom and DearCry ransomwares targeted unpatched systems against ProxyLogon (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858) vulnerabilities, affecting over 1.5k Microsoft Exchange servers. The Black Kingdom ransomware was spread by malevolent hackers using a webshell that included a highly complex payload and was typically distributed through the Tor browser.

For each encrypted file, Black Kingdom adds a random file extension, in contrast to other ransomware operations that use a set file extension. Additionally, it encrypts a wide range of file types, including storage drivers, which prevents the compromised systems from rebooting.

Five beneficial strategies to fend off ransomware attacks

Since ransomware attacks have grown more destructive and sophisticated, preventative techniques are essential. These are some suggestions that you may make.

Regular security assessments:

Businesses should be encouraged to carry out routine security and penetration testing evaluations. These tests assist in locating holes in their systems so that proactive fixes can be made.

Multi-factor authentication (MFA):

Wherever possible, promote the usage of MFA, particularly when gaining access to important systems. This provides an additional degree of protection in the event that credentials are stolen.

Backup and disaster recovery:

Insist on the value of consistent backups and a clear disaster recovery strategy. Backups ought to be tested and kept offline to make sure that, in the event of an attack, data can be recovered.

Email filtering and web security:

Encourage the use of web security gateways and sophisticated email filtering systems. These can aid in preventing users from being exposed to harmful attachments and URLs.

Application security:

Promote safe coding procedures and frequent application security evaluations. As we've already observed, application and service vulnerabilities are among the most common entry sites for ransomware.

 

 

Testing Tools
Non Functional Testing
Penetration Testing
Performance Testing
Security Testing
Software Testing
Author
Blog Calendar
Blog Calendar List
2024 Nov  4  1
2024 Aug  4  1
2024 Apr  45  4
2024 Mar  129  4
2024 Feb  224  3
2024 Jan  29  7
2023 Dec  24  6
2023 Nov  351  5
2023 Oct  474  12
2023 Sep  1202  9
2023 Aug  313  6
2023 Jul  46  6
2023 Jun  26  4
2023 May  44  5
2023 Apr  66  5
2023 Mar  182  6
2023 Feb  158  5
2023 Jan  65  4
2022 Dec  95  7
2022 Nov  282  2
2022 Sep  13  1
2022 Aug  32  2
2022 Jun  11  2
2022 May  6  2
2022 Apr  12  2
2022 Mar  2  1
2022 Feb  2  1
2022 Jan  1  1
2021 Dec  4  1
2021 Nov  2  1
2021 Oct  2  1
2021 Sep  14  1
2021 Aug  49  5
2021 Jul  50  4
2021 Jun  1657  5
2021 May  40  3
2021 Apr  2202  3
2021 Mar  208  5
2021 Feb  2553  7
2021 Jan  3769  9
2020 Dec  520  7
2020 Sep  80  3
2020 Aug  767  3
2020 Jul  134  1
2020 Jun  93  3
2020 Apr  89  3
2020 Mar  19  2
2020 Feb  34  5
2020 Jan  47  7
2019 Dec  17  4
2019 Nov  38  1
2019 Jan  23  2
2018 Dec  110  4
2018 Nov  68  3
2018 Oct  18  3
2018 Sep  1221  11
2018 Aug  7  2
2018 Jun  18  1
2018 Jan  70  2
2017 Sep  588  5
2017 Aug  17  1
2017 Jul  17  2
2017 Jun  64  2
2017 May  21  1
2017 Apr  38  2
2017 Mar  138  4
2017 Feb  830  4
2016 Dec  207  3
2016 Nov  917  8
2016 Oct  317  10
2016 Sep  772  6
2016 Aug  39  1
2016 Jun  1883  6
2016 May  112  3
2016 Jan  72  2
2015 Dec  640  6
2015 Nov  4  1
2015 Oct  13  1
2015 Sep  1471  6
2015 Aug  14  1
2015 Jul  129  2
2015 Jun  11  1
2015 May  20  1
2015 Apr  30  3
2015 Mar  80  3
2015 Jan  5343  4
2014 Dec  17  1
2014 Nov  2260  4
2014 Oct  69  1
2014 Sep  107  2
2014 Aug  5319  1
2014 Jul  49  2
2014 Apr  2592  12
2014 Mar  303  17
2014 Feb  222  6
2014 Jan  1510  16
2013 Dec  21  2
2013 Nov  693  2
2013 Oct  256  3
2013 Sep  11  1
2013 Aug  40  3
2013 Jul  214  1
2013 Apr  61  6
2013 Mar  2357  10
2013 Feb  131  3
2013 Jan  350  2
2012 Nov  61  2
2012 Oct  518  10
Tag Cloud
Interested in our services? Still not sure about project details? get a quote