A post-mortem of a recent ransomware attack illustrates the continued importance of basic security controls such as patching in withstanding an evolving cybercrime threat.

Security intelligence firm Group-IB reports that attackers from a recently created ransomware group, EstateRansomware, exploited a year-old vulnerability (CVE-2023-27532) in backup software from Veeam as part of a complex attack chain.

Anatomy of an attack

EstateRansomware exploited a dormant account in Fortinet FortiGate firewall SSL VPN appliances to gain initial access. After access was achieved, the group deployed a persistent backdoor, conducted network discovery, and harvested credentials.

Exploitation attempts against the CVE-2023-27532 vulnerability in Veeam were followed by activation of a shell and creation of rogue user accounts, Group-IB reports. These rogue user accounts facilitated lateral movement. The attackers made extensive use of NetScan, AdFind, and various tools provided by NirSoft to conduct network discovery, enumeration, and credential harvesting.

EstateRansomware ultimately deployed its ransomware payload after disabling Windows Defender. A variant of the LockBit 3.0 ransomware was used to encrypt files and clear logs. LockBit 3.0 shares similarities with other ransomware variants such as BlackMatter and Alphv (also known as BlackCat), suggesting possible connections or inspirations between these groups.

EstateRansomware

The EstateRansomware group first surfaced in April 2024 and is active in attacks in the UAE, France, Hong Kong, Malaysia, and the US, according to Group-IB. The group is one of several currently active ransomware groups, many of which take advantage of affiliates to carry out attacks as part of a ransomware-as-a-service business model.
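The chain described above (discovery tooling such as AdFind and NetScan, rogue account creation, Windows Defender disabled) leaves traces in ordinary Windows event logs. The following added example, not from Group-IB or the article, correlates those traces per host over a few constructed log lines; the Event IDs (4688, 4720, Defender 5001) are real, but the log layout, the host names and the mapping of events to chain stages are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed Windows event lines, layout "<timestamp> <host> <channel> <event_id> <message>".
# Sample data made up for this example, not taken from the Group-IB report.
SAMPLE_LOG = r"""
2024-04-02T01:12:03Z FS01 Security 4688 New process: C:\tools\AdFind.exe -f objectcategory=computer
2024-04-02T01:20:44Z FS01 Security 4720 A user account was created: target=svc_backup2
2024-04-02T02:05:10Z FS01 Defender 5001 Real-time protection is disabled
2024-04-02T01:30:00Z WS07 Security 4688 New process: C:\Windows\System32\notepad.exe
2024-04-02T01:31:00Z WS07 Security 4720 A user account was created: target=jsmith
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<channel>\S+) (?P<id>\d+) (?P<msg>.*)$")

# Stages of the reported chain, each paired with an indicative event.
# 4688 = process creation, 4720 = user account created, Defender 5001 = real-time
# protection disabled. The stage mapping itself is this example's assumption.
STAGE_RULES = {
    "discovery_tooling": lambda e: (e["id"] == "4688"
        and re.search(r"\\(adfind|netscan)\.exe\b", e["msg"], re.I) is not None),
    "rogue_account": lambda e: e["id"] == "4720",
    "defender_disabled": lambda e: e["id"] == "5001" and e["channel"] == "Defender",
}

def parse(line):
    """Return the fields of one log line, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def stages_by_host(lines):
    """Return {host: {stage: first_timestamp}} for every chain stage observed on that host."""
    seen = defaultdict(dict)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        for stage, rule in STAGE_RULES.items():
            if rule(e) and stage not in seen[e["host"]]:
                seen[e["host"]][stage] = e["ts"]
    return seen

def flagged_hosts(lines, min_stages=2):
    """Hosts showing at least min_stages distinct stages, ordered by their earliest stage.
    A single account creation alone is normal admin work, so one stage does not flag."""
    hits = [(host, min(st.values())) for host, st in stages_by_host(lines).items()
            if len(st) >= min_stages]
    return [host for host, _ in sorted(hits, key=lambda h: h[1])]
```

Run on the sample, FS01 is flagged with all three stages while WS07's lone account creation is left for routine review.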
“The EstateRansomware group demonstrates a methodical and well-resourced approach to ransomware attacks, especially the amount of pre-exploitation activity involved,” Fearghal Hughes, cyber threat intelligence analyst at ReliaQuest, told CSOonline. “This showcases the need for a comprehensive and proactive cybersecurity strategy.”

EstateRansomware’s methodology relies in large part on exploiting unpatched network security vulnerabilities.

Martin Greenfield, CEO of continuous controls monitoring firm Quod Orbis, commented, “EstateRansomware is likely to target those organisations that are simply not getting the basics right, like patching, back-ups or ensuring access control is tightened.” He added, “Not doing the basics correctly is the exact reason why so many breaches occur. Organisations must ensure that there are regular and secure backups, your controls should be applied consistently and your whole architecture should be built for failure to make your environment resilient.”

Ian Nicholson, incident response head at Pentest People, said, “The ransomware attacks exploiting the Veeam vulnerability (CVE-2023-27532) offer some vital lessons for CSOs. These attacks have certainly highlighted the importance of timely patch management practices. Despite patches being available since March 2023, delayed updates have left systems exposed, allowing attackers to steal credentials and execute remote code.”

EstateRansomware often uses tactics like deploying PowerShell scripts and backdoors such as DiceLoader/Lizar for network reconnaissance, data theft, and lateral movement. “This emphasises the need for proactive monitoring, advanced threat detection solutions, and robust logging to detect and respond to suspicious activities early,” according to Nicholson.
“CSOs should incorporate these measures alongside targeted Threat Intelligence to understand threat actor TTPs and mitigate risks more efficiently.”

Action plan

ReliaQuest provided a five-point action plan to deal with EstateRansomware and similar threats:

1. Prioritize timely patching of known vulnerabilities, especially those disclosed in widely used software.
2. Adopt a zero-trust approach to network security.
3. Deploy multi-factor authentication for all remote access points and critical systems.
4. Implement network segmentation to limit the spread of ransomware.
5. Ensure that backup systems are secure, regularly tested, and segmented from the main network.