One of the main tips in the Cybersecurity and Infrastructure Security Agency (CISA) guidance is to “Keep Calm and Patch On.” CISA emphasizes addressing vulnerabilities twice in this section: two of the four tips focus on the importance of finding and addressing vulnerabilities.
For many organizations, that’s easier said than done. Vulnerability management has become a pain point for overburdened security teams who have thousands of vulnerabilities and find it difficult to decide where to start. The process to find, analyze and prioritize the most actively exploitable vulnerabilities is still time-consuming and decentralized for many security teams.
At the same time, the ransomware threats are real. In summer 2022, a Cyber Security Alert (CSA) published jointly by the FBI and CISA as part of their ongoing #StopRansomware campaign outlined the known tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommended mitigation strategies for the Zeppelin ransomware, which targets organizations with a ransomware double-header: the Zeppelin actors both encrypt systems and steal data to sell or publish.
Zeppelin is part of the VegaLocker ransomware family used to support ransomware-as-a-service (RaaS) cyber operations. The VegaLocker ransomware family includes other ransomware strains such as Jamper, Storm, or Buran. The Zeppelin threat actors have been targeting primarily large companies in the United States and Europe. From 2019 through 2022, this has included industries such as defense, education, manufacturing, healthcare, and technology. The Zeppelin threat actors usually request Bitcoin payments in amounts ranging from a few thousand dollars to over $1 million.
The Zeppelin actors follow a multi-vector attack model. They gain access to victim networks by exploiting remote desktop protocol (RDP); RDP servers are often left exposed with default passwords. The actors also exploit SonicWall firewall vulnerabilities and use phishing campaigns to trick users into clicking on attachments that appear to be document links. Once inside the network, the actors map systems, data, and backups before deploying their attack. In many Zeppelin attacks, traditional encryption of systems is combined with a secondary threat to sell or publicly release sensitive data if the ransom is not paid. These attacks are much more potent because they deal multiple impacts – encrypted systems and data, and the threat of publicly releasing sensitive information.
If you have not already, check out the recommended Zeppelin mitigations in the CISA alert and take steps to protect your organization from lingering IOCs. To stop attacks like Zeppelin in the future, the advice is clear.
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce multi-factor authentication.
How Does the ThreatConnect Platform Help With Vulnerability Prioritization and Remediation?
Organizations can leverage threat intelligence in the ThreatConnect Platform to quickly prioritize and remediate vulnerabilities, which is the number one action item on CISA’s list of proactive mitigation measures for stopping future ransomware attacks like Zeppelin.
To do this, ThreatConnect collects real-time intelligence from the CISA Known Exploited Vulnerabilities Catalog and Google Project Zero, as well as other feeds and sources, enriching it with insights from sources such as the National Vulnerability Database (NVD) and the global ThreatConnect community, to deliver a full picture of vulnerabilities in the environment. Threat Intelligence Operations (TI Ops) teams have a clear dashboard showing vulnerabilities prioritized by those that are being actively exploited in order to take fast action.
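As an added illustration of the prioritization described above (example code, not ThreatConnect's own), this Python script ranks an inventory of CVEs by whether they appear in the CISA Known Exploited Vulnerabilities catalog, placing ransomware-linked and overdue KEV entries first and falling back to the NVD CVSS score for everything else. The KEV sample is constructed; its field names follow CISA's public JSON feed, and the CVE identifiers, hosts and scores are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# public catalog; the CVE IDs below are placeholders, not real catalog entries).
KEV_JSON = """
{"title": "constructed sample", "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleFW", "product": "Firewall",
  "dateAdded": "2022-08-01", "dueDate": "2022-08-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleOS", "product": "RDP Service",
  "dateAdded": "2022-07-15", "dueDate": "2022-08-05", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed inventory: CVE -> (NVD CVSS base score, affected hosts). Placeholder values.
INVENTORY = {
    "CVE-0000-0001": (7.2, ["fw-edge-01"]),
    "CVE-0000-0002": (8.8, ["rdp-gw-01", "rdp-gw-02"]),
    "CVE-0000-0003": (9.8, ["build-01"]),   # critical CVSS, but not known to be exploited
    "CVE-0000-0004": (5.3, ["wiki-01"]),
}

def load_kev(text):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def prioritize(inventory, kev, today_iso):
    """Rank KEV entries first (ransomware-linked, then overdue, then earliest due date),
    then everything else by CVSS score. Returns [(cve, reason, hosts), ...]."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve, (cvss, hosts) in inventory.items():
        entry = kev.get(cve)
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            overdue = due < today
            key = (0, 0 if ransomware else 1, 0 if overdue else 1, due.toordinal(), -cvss)
            reason = f"KEV due {due}{' OVERDUE' if overdue else ''}{', ransomware use' if ransomware else ''}"
        else:
            key = (1, 0, 0, 0, -cvss)   # non-KEV: ordered by CVSS only
            reason = f"not in KEV, CVSS {cvss}"
        rows.append((key, cve, reason, hosts))
    rows.sort(key=lambda r: r[0])
    return [(cve, reason, hosts) for _, cve, reason, hosts in rows]

if __name__ == "__main__":
    for cve, reason, hosts in prioritize(INVENTORY, load_kev(KEV_JSON), "2022-08-10"):
        print(f"{cve:14} {reason:40} {', '.join(hosts)}")
```

Note that the highest-CVSS placeholder (9.8) lands third: an actively exploited 7.2 with a ransomware link outranks it, which is exactly the ordering CISA's "remediate known exploited vulnerabilities first" advice implies.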
TI Ops teams and their colleagues in other security roles, such as vulnerability management, get a full picture of each vulnerability in a single record with severity, affected products, attack vectors, related vulnerabilities, reports, signatures, indicators, TTPs, and more. The Threat Graph feature easily creates visual representations of relevant vulnerability information and its impact on the organization, making it easier to understand the potential associations and relationships in the environment.
Through low-code automation, organizations can reduce the burden on overworked security teams by automating manual, often repeated tasks, which also speeds up vulnerability remediation. And to promote information sharing and maximize collaboration, TI Ops teams can generate tailored, on-demand, real-time reports with all the information stakeholders need about critical vulnerabilities and their impacts.
Learn How ThreatConnect Can Speed Up Your Time to Remediate
Learn more and see a demonstration of how ThreatConnect enables vulnerability prioritization in this webinar.
Or reach out to us at firstname.lastname@example.org to see how we can help you use ThreatConnect to track, prioritize and get the detail you need on the most actively exploitable vulnerabilities to stop ransomware attacks.