The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about an ongoing Nefilim ransomware campaign, following the release of a security advisory by the New Zealand Computer Emergency Response Team (CERT NZ).
Nefilim ransomware is the successor to Nemty ransomware and was first observed in February 2020. In contrast to Nemty, Nefilim is not distributed under the ransomware-as-a-service model: the developers conduct their own intrusions and deploy the ransomware by hand after gaining access to an enterprise network, rather than relying on affiliates.
As with other human-operated ransomware groups, data is stolen from victims before the ransomware is deployed, and the group then threatens to publish or sell the stolen data if the ransom is not paid. Initial access is gained through exposed remote access services, namely Remote Desktop Protocol (RDP) endpoints and virtual private network (VPN) appliances. The group brute forces weak or reused credentials on services that lack multi-factor authentication, and also exploits unpatched vulnerabilities in VPN software.
Once a foothold has been gained, the attackers use tools such as Mimikatz (credential theft and privilege escalation), PsExec (lateral movement) and Cobalt Strike (command and control and persistence) to move through the network and exfiltrate sensitive data before encryption begins.
The group is skilled, and its attacks are deliberate and well crafted. Because the attackers have typically been present in the network for some time before encryption, restoring data from backups alone is not a recovery: it restores the files but leaves the stolen credentials, implants and other backdoors in place, so the attackers can simply return. A full forensic investigation is needed to establish the scope of the intrusion, identify and remove every backdoor, and ensure the attackers are permanently ejected from the network.
Any organization whose remote access systems have not been properly secured is at risk. To prevent an attack, RDP should not be reachable directly from the internet (place it behind a VPN or gateway, or restrict it to known source addresses), remote access software must be kept fully patched, strong unique passwords should be enforced, and multi-factor authentication should be required on every remote access path.
Application whitelisting and network segmentation limit what an attacker can do after a foothold is gained, and networks and remote access systems should be monitored for signs of unauthorized access, in particular repeated failed logons followed by a success. Backups should be performed regularly and tested, and at least one copy should be kept on an air-gapped device or media that cannot be reached over the network, since attackers who already control the network will delete or encrypt any backups they can reach.
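The monitoring recommendation above can be made concrete with a small detector for the RDP brute-force and password-spraying pattern the group relies on. The following is an added example, not code from the page or from any vendor or agency: it runs over a handful of constructed Windows Security log records (Event ID 4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding window, and escalates when a successful RDP logon follows a burst of failures from the same address. The pipe-separated record format, the thresholds and the sample data are all assumptions made for the example; a real deployment would read events from the Security log or a SIEM instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One record per line:
# timestamp|event_id|logon_type|account|source_ip
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2020-06-22T01:00:05|4625|10|administrator|203.0.113.45
2020-06-22T01:00:07|4625|10|admin|203.0.113.45
2020-06-22T01:00:09|4625|10|backup|203.0.113.45
2020-06-22T01:00:11|4625|10|jsmith|203.0.113.45
2020-06-22T01:00:13|4625|10|svc_sql|203.0.113.45
2020-06-22T01:00:15|4625|10|itadmin|203.0.113.45
2020-06-22T01:00:40|4624|10|itadmin|203.0.113.45
2020-06-22T08:15:00|4625|10|jsmith|198.51.100.7
2020-06-22T08:15:20|4624|10|jsmith|198.51.100.7
2020-06-22T09:00:00|4625|3|jsmith|10.0.0.12
2020-06-22T09:00:01|4625|3|jsmith|10.0.0.12
2020-06-22T09:00:02|4625|3|jsmith|10.0.0.12
2020-06-22T09:00:03|4625|3|jsmith|10.0.0.12
2020-06-22T09:00:04|4625|3|jsmith|10.0.0.12
2020-06-22T09:00:05|4625|3|jsmith|10.0.0.12
"""

RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the pipe-separated records, keeping only RDP (type 10) logons."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source_ip = line.split("|")
        if logon_type != RDP_LOGON_TYPE:
            continue  # network logons (type 3, e.g. SMB) are out of scope here
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "account": account,
            "source_ip": source_ip,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Alert on source IPs with >= threshold failed RDP logons inside `window`.

    Many distinct accounts from one IP is reported as password spraying,
    repeated attempts on one account as brute force. A successful RDP logon
    arriving while the failure count is still at or above the threshold is
    escalated to high severity: that is the moment a foothold is gained.
    """
    alerts = []
    failures = defaultdict(list)   # source_ip -> [(time, account), ...]
    already_flagged = set()        # avoid re-alerting the same IP per burst
    for ev in events:
        ip = ev["source_ip"]
        # Expire failures that fell outside the sliding window
        failures[ip] = [(t, a) for t, a in failures[ip] if ev["time"] - t <= window]
        if ev["event_id"] == "4625":
            failures[ip].append((ev["time"], ev["account"]))
            if len(failures[ip]) >= threshold and ip not in already_flagged:
                accounts = {a for _, a in failures[ip]}
                alerts.append({
                    "severity": "medium",
                    "source_ip": ip,
                    "pattern": "password_spray" if len(accounts) > 1 else "brute_force",
                    "failed": len(failures[ip]),
                    "accounts": sorted(accounts),
                })
                already_flagged.add(ip)
        elif ev["event_id"] == "4624":
            if len(failures[ip]) >= threshold:
                alerts.append({
                    "severity": "high",
                    "source_ip": ip,
                    "pattern": "success_after_failures",
                    "failed": len(failures[ip]),
                    "accounts": [ev["account"]],
                })
            # A success ends the burst either way; start counting afresh
            failures[ip].clear()
            already_flagged.discard(ip)
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the detector raises two alerts for 203.0.113.45: a medium-severity password-spray alert once the fifth distinct account fails within the window, and a high-severity alert when the `itadmin` logon succeeds 25 seconds later. The single failed-then-successful logon from 198.51.100.7 is a normal typo and produces nothing, and the type 3 failures from 10.0.0.12 are ignored because they are not RDP. The threshold and window are starting points; tune them against a baseline of legitimate failed logons before alerting on them.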