CISA Warning About an Ongoing Ransomware Campaign Exploiting RDP and VPNs Vulnerabilities

The DHS Cybersecurity & Infrastructure Security Agency (CISA) gave a warning concerning a continuous Nefilim ransomware campaign, subsequent to a security bulletin issued by the New Zealand Computer Emergency Response Team (CERT NZ).

Nefilim ransomware is the replacement of Nemty ransomware, which was initially discovered in February 2020. As opposed to Nemty, the Nefilim ransomware is not spread with the ransomware-as-a-service model. The ransomware developers perform their own attacks and manually deploy the ransomware after getting access to enterprise systems.

Just like other manual ransomware gangs, the victim’s data is stolen prior to installing the ransomware. The gang then threatens the victim that it will publish or sell their stolen data when they do not pay their ransom demand. The gang behind the attacks gets access to enterprise systems through vulnerabilities in virtual private networks (VPNs) and remote desktop protocol (RDP). The gang makes use of brute force strategies to take advantage of weak authentication, the absence of multi-factor authentication, and unpatched flaws in VPN software.

The moment the attackers gain a foothold in the network, they use tools like mimikatz, Cobalt Strike and PsExec for lateral movement, privilege escalation, and exfiltration of sensitive information.

The Nefilim ransomware gang is remarkably skilled and deploys advanced and well-crafted attacks. The magnitude of network infiltration indicates that it is impossible to get back from an attack merely by using backups to restore data. A thorough forensic investigation should be done to completely investigate the attack and make sure to identify and eliminate backdoors and throw out the attackers from the network once and for all.

All companies that employ unsecured remote access systems are susceptible to an attack. To avoid an attack, it is important to address RDP vulnerabilities and to fully patch and update remote access software. Strong authentication must be employed and multi-factor authentication must be activated.

Network segmentation and application whitelisting could help minimize the severity of an attack. It is crucial to monitor networks and remote access systems for indications of unauthorized access. Backups must be routinely done, and there must be one backup copy stored safely on an air-gapped device or media with no access to a network.