12 New Flaws Used in Ransomware Attacks in Q3

ransomware flaws 3Q 2021

The Q3 2021 report revealed a 4.5% increase in CVEs associated with ransomware and a 3.4% increase in ransomware families compared with Q2 2021.

A dozen new vulnerabilities were used in ransomware attacks this quarter, bringing the total number of bugs associated with ransomware to 278. That’s a 4.5 percent increase over Q2, according to researchers.

Five of the newbies can be used to achieve remote code execution (RCE), while two can be used to exploit web apps and launch denial-of-service (DoS) attacks. That’s never good news, but it’s particularly teeth-grinding given that this quarter also saw distributed DoS (DDoS) attacks shatter records, according to a separate study.

The news about the new vulnerabilities that have been pounced on by ransomware operators comes from Ivanti’s Q3 2021 ransomware index spotlight report, published on Tuesday and conducted with Cyber Security Works and Cyware.

Aaron Sandeen, Cyber Security Works CEO, said in a press release that Q3 was a copy-paste of the ransomware trends from the rest of the year. Namely, “We continued to see ransomware attacks aggressively increase in sophistication and frequency in Q3.”

The Early Bird Gets the Worm
The quarterly ransomware analysis also found that ransomware groups are still finding and exploiting zero-day weaknesses before CVEs are hatched and patched. Case in point: The much-reviled REvil ransomware gang found and exploited flaws in Kaseya VSA software as the company’s security team was still working on a trio of patches.

On July 2, the REvil gang wrenched open the three zero-days in Kaseya’s Virtual System/Server Administrator (VSA) platform in more than 5,000 attacks. As of July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya’s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, clawing at those MSPs’ own customers.

Ransomware Numbers Creep Up on All Fronts
The third quarter also saw nine new vulnerabilities with lower severity ratings being associated with ransomware. Also, the Q3 ransomware index update for 2021 identified ransomware groups expanding their attack arsenal with 12 new vulnerability associations in Q3.

Riding Brand-New Bugs, Bearing Shiny New Toys
Q3 analysis also identified five new ransomware families, bringing the total to 151. The new ransomware groups were quick to jump on some of the most dangerous vulnerabilities out there just weeks after they began to trend in the wild, such as PrintNightmare, PetitPotam and ProxyShell.

The techniques being used in ransomware attacks are also getting more sophisticated. One example cited in Ivanti’s analysis is dropper as-a-service – ​​a service that allows technically non-savvy/criminally inclined actors to distribute malware through dropper programs that can execute a malicious payload onto a victim’s computer.

Another is trojan-as-a-service, also known as malware-as-a-service: a service that lets anyone with an internet connection rent customized malware services, allowing them to acquire, implement and cash in on the service, all on the cloud with zero installation.

All bad things seem to be rentable: Ransomware-as-a-service (RaaS), for example, is fueling the spread of ransomware, sparing crook wannabes the need to tangle with code.

Old Wine, New Ransomware Bottles
The report also found that three vulnerabilities dating to 2020 or earlier became newly associated with ransomware in Q3 2021, bringing the total count of older vulnerabilities associated with ransomware to 258: a whopping 92.4 percent of all vulnerabilities tied to ransomware.

The analysis pointed to the Cring ransomware group being a notable example: The gang targeted two older ColdFusion vulnerabilities – CVE-2009-3960 and CVE-2010-2861 – that have been patched for 11 years.

Source: threatpost.com