
How to use intelligence on failed ColdFusion attack to bolster your ransomware defenses


Ransomware tactics are constantly evolving in a never-ending cat-and-mouse game, with defenders adjusting their strategies to either block these attacks or mitigate the damage if they are partially successful. A recent example was an attempted ransomware attack on Adobe's ColdFusion servers, which provides valuable lessons on how to defend against such attacks effectively.

In this attack, the threat actor exploited vulnerabilities in an unsupported version of Adobe's ColdFusion Server software, ColdFusion Server 11. The tactic is common: attackers often target outdated software because it no longer receives security updates and patches. Because Adobe no longer supports ColdFusion Server 11, a patch from the vendor is unlikely when new vulnerabilities are uncovered.

In this case, the attacker gained access to the server by exploiting a security hole. Once inside, the attacker entered several commands at the server's command line, probing whether ColdFusion-specific processes could be leveraged. Despite successfully entering the server, the attackers failed to install their payload because the deployed endpoint detection and response (EDR) software blocked their attempts.

Still, the ransomware incident is a stark reminder of the importance of implementing robust cybersecurity measures. A layered set of defenses will serve most organizations best. (For more on this, watch the SC virtual summit “Survive or sink? The before, during and after of a ransomware attack.”) To that end, security teams should:

Perform continuous backups: Backing up data is essential in defending against data breaches. In the event of a ransomware attack, a recent backup enables an organization to restore its systems without paying a ransom to regain access to maliciously encrypted data.

Create and practice an incident response plan: Every organization needs an incident response plan for ransomware attacks and, more broadly, for other digital attacks and disruptions. The plan should be well conceived, practiced, and tested to make sure the response to an incident is effective.

Assess the security team: Organizations without a dedicated security team, or without enough seasoned cybersecurity professionals, should consider turning to managed security service providers (MSSPs), third-party cybersecurity service providers. These services will improve the organization's protection against ransomware and other threats.

Consider cyber insurance: Even the best planned and executed defenses can fail occasionally. While cyber insurance can't protect against everything, it can help reduce the financial impact of an attack, and the insurance broker and carrier will help assess the organization's security readiness.

Identify and reduce exposure: Every asset must be identified and inventoried before it can be adequately protected. The more an organization reduces its exposure through patching, configuration management, segmenting networks into smaller discrete units, and so forth, the further it goes in mitigating risk.

Prepare for double extortion: Ransomware attackers often target the data itself in what has become known as "double extortion." In such an attack, the attackers demand one ransom to release the encrypted data and a second ransom not to publish the stolen data online. A sound data security policy is essential and requires more than a backup: ways to reduce data exfiltration must also be considered.

Maintain living and up-to-date software: When a software maker declares a product end-of-life, it's time to find a way to move on; a vendor rarely issues a patch for software it no longer supports. In this attack, the threat actor attempted to exploit vulnerabilities in an unsupported version of Adobe's ColdFusion Server, which highlights the importance of keeping all software patched. Using discontinued software increases the risk dramatically.

Monitor server activity: Because servers typically have high access levels, often spanning multiple applications and networks, monitoring their traffic and behavior is essential. As covered above, the attackers breached the server and soon tried to gain deeper access by entering commands at the server's command-line interface.

By monitoring the behavior of users and systems accessing the server, organizations can quickly engage and stop threats before much damage is done.
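The monitoring advice above can be made concrete with a small detector that watches process-creation telemetry for the pattern described in the article: a ColdFusion server process launching a command-line interpreter. This is an added example written for this page, not code from the article or from Sophos; the log field layout, the sample events, and the process-name matching rules are all constructed assumptions and would need to be mapped onto whatever EDR or Sysmon-style telemetry a given environment actually produces.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry). The field layout
# is an assumption for this example, not any product's log format.
SAMPLE_LOG = [
    r'2023-07-01T10:00:01Z host=web01 parent=C:\ColdFusion11\cfusion\bin\coldfusion.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c hostname"',
    r'2023-07-01T10:00:05Z host=web01 parent=C:\ColdFusion11\cfusion\bin\coldfusion.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -enc QUFBQQ=="',
    r'2023-07-01T10:01:00Z host=web01 parent=C:\ColdFusion11\cfusion\bin\coldfusion.exe image=C:\ColdFusion11\jre\bin\java.exe cmd="java.exe -jar cfusion.jar"',
    r'2023-07-01T10:02:00Z host=db01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c dir"',
    'this line is not a process event',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Interpreters a web application server has little reason to launch itself.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
          "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    image: str
    cmd: str
    severity: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_coldfusion_parent(path: str) -> bool:
    # Assumption: the service binary or its install directory carries the
    # product name. Adjust for how ColdFusion is launched on your hosts.
    p = path.lower()
    return "coldfusion" in p or "cfusion" in p


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(event: dict):
    """Return a Finding when a ColdFusion process spawns a shell, else None."""
    if not is_coldfusion_parent(event["parent"]):
        return None
    if basename(event["image"]) not in SHELLS:
        return None
    # An encoded PowerShell command hides its content from plain log review,
    # so rate it higher. (Simplification: PowerShell also accepts shorter
    # prefixes of -EncodedCommand; this only matches tokens starting "-enc".)
    tokens = event["cmd"].lower().split()
    severity = "high" if any(t.startswith("-enc") for t in tokens) else "medium"
    return Finding(event["ts"], event["host"], event["parent"],
                   event["image"], event["cmd"], severity)


def scan_log(lines):
    """Run the detector over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip blank or non-matching lines rather than fail
        finding = analyze(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host}: {basename(f.parent)} -> {f.cmd}")
```

Run against the constructed sample, the detector reports the two shell launches from the ColdFusion parent and ignores both the legitimate Java child and the unrelated `cmd.exe` started from Explorer on another host. The design choice worth noting is that the rule keys on the parent/child relationship rather than on the command text, so it still fires when the attacker's commands are unfamiliar; the encoded-command check only adjusts priority.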

Consider endpoint detection and response (EDR): In Sophos' analysis, the attackers were stopped by the deployed EDR software. Had it not blocked the payload from executing, the attackers would likely have succeeded with the ransomware attack. This incident highlights how crucial effective endpoint security can be.

Keep privilege levels as low as possible: Without a doubt, compromising credentials is one of the most common ways attackers gain access to systems or move laterally within an environment they have recently compromised. By implementing the principle of least privilege and ensuring that systems and users have only the access levels they need to do their jobs, organizations go a long way toward limiting an attacker's room to maneuver.

While no technology or set of processes will guarantee safety from ransomware or other forms of attack, the lessons from this attack analyzed by Sophos show that maintaining up-to-date software, monitoring server and endpoint activity, implementing robust cybersecurity defenses, and controlling privileges are among the most essential strategies for defending against ransomware.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From
