How hackers exploit poor application security in ransomware attacks


Ransomware attacks have become so prevalent and dangerous that they are now being treated as terrorist attacks. As we have mentioned earlier in this series, the best approach to this threat is to assume you will be attacked and, if the attack is successful, have a plan in place to NOT pay the ransom. This blog post addresses the importance of sound web application security in preventing a successful attack.

It’s important to understand that application security is as critical as email security in defending against ransomware and other malware. The Open Web Application Security Project (OWASP) works to raise public awareness around the most common application vulnerabilities that can be exploited in a ransomware attack.

One recent example is the REvil ransomware supply chain hack that came to light last week. Vulnerabilities in a public-facing internet MSP application were exploited to spread ransomware to their customers. In this case, because the application had deep permissions, the ransomware was able to spread quite easily and have a significant impact before it was stopped. This type of hack could happen through any of your internet-facing applications—attackers hack into the application and then move laterally to wreak havoc. A similar scenario can occur if you leave your RDP systems open to the internet—even if you change the default port. Attackers use harvested credentials against such RDP systems to try to infect the entire network with ransomware through this unprotected attack vector.

How a ransomware attack can unfold

Here is another scenario: an imaginary yet realistic series of steps that an attacker might take to exploit poor application security and carry out a successful ransomware attack. The attack attempts a common coupon scam by riding the reemerging wave of browser coupon plugins.

Step 1. The attacker creates a website that mimics a legitimate coupon website. The attacker impersonates a popular coupon site, which is relatively straightforward using domain impersonation and automated web scraping. Let’s call this fake site Website X.

Step 2. The attacker probes for one or more of the OWASP Top 10 vulnerabilities to steal credentials from a legitimate but poorly protected company website, which we’ll call Website Y. Vulnerabilities like broken authentication and sensitive data exposure allow the hacker to harvest user credentials and other sensitive information from Website Y.

Step 3. The attacker uses the stolen credentials to begin a credential stuffing attack against a legitimate e-commerce website, which we’ll designate Website Z. This is an automated attack that can be run slowly over multiple weeks. It attempts to match the stolen credentials to real accounts at that site.

Step 4. If the attack finds a match and the hacker can log in to a victim’s account, the next step is to use that account to post reviews of popular products on Website Z. A common example in this step is “This product is great! Save 50% off this price with this coupon by clicking here.” The link to the coupon takes the visitor to Website X, the fake website from step one.

Step 5. The potential victims log onto Website Z and proceed to click through the product review, following the link to Website X, unaware that they have been taken to a scam site unless they look extremely carefully at the domain name, URL, site certificate, and other details. Victims who trust the site then provide their contact information in exchange for the coupon. The attacker now has the address of someone expecting an email from that website. The attacker is gaining the victim’s trust, and the victim has lowered their guard.

Step 6. The victim receives a personalized email about the product and the coupon, with an attachment that the victim is told to install for the coupon to work. This attachment may be an executable or a browser extension that uses JavaScript to carry out the attack. Because this email is thoroughly customized and is expected by the recipient, it is likely to be allowed through traditional email defenses. The victim’s operating system prompts them not to install untrusted executables, but at this point the victim likely has complete trust in the attacker and clicks through.

Step 7. The victim installs the attachment, and the ransomware attack is launched. Several types of attacks can be launched once an executable is installed, for example infecting the master boot record, encrypting the file system table, and even preventing the operating system from booting. Shortly after that, the demand for payment will be delivered to the victim. The attacker will usually try to expand this attack and harvest more credentials and any other data that can be found on the network. When this is completed, the ransomware will encrypt the network data.

In this example, the ransomware only succeeds because application security vulnerabilities on multiple websites allowed the convincing scenario to be constructed—the web scraping of a legitimate site in step one, the credentials stolen in step two, the credential stuffing in step three, the comment spam and malicious URL in steps four and five, and the installation of the executable in step seven. Proper application security at any of these steps could have stopped this attack.
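The credential stuffing in step three is the part of this chain that a website operator can see in their own logs, and the reason it is hard to catch is the pacing: spread over weeks, a stuffing run never trips a per-minute rate limit. The following is an added example (not code from the original post or from Barracuda) that profiles login attempts per source and flags the pattern that stuffing leaves behind, many distinct usernames tried roughly once each, while a per-hour peak-rate check shows why a simple rate limit misses it. The log format, field names, thresholds and sample lines are all constructed for the illustration.

```python
"""Detect low-and-slow credential stuffing in web login logs.

Added example, not from the original post. Assumes a constructed log
format (one event per line):  <ISO timestamp> <source IP> <username> <result>
where result is LOGIN_OK or LOGIN_FAIL.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 tries seven different accounts once each
# over four days and gets one hit; 198.51.100.23 is a real user who mistypes
# a password twice within a minute and then logs in.
SAMPLE_LOG = """\
2021-07-01T08:00:12 203.0.113.7 alice LOGIN_FAIL
2021-07-01T14:21:09 203.0.113.7 bob LOGIN_FAIL
2021-07-02T03:45:51 203.0.113.7 carol LOGIN_FAIL
2021-07-02T19:02:33 203.0.113.7 dave LOGIN_OK
2021-07-03T11:30:40 203.0.113.7 erin LOGIN_FAIL
2021-07-03T23:55:01 203.0.113.7 frank LOGIN_FAIL
2021-07-04T09:10:00 203.0.113.7 grace LOGIN_FAIL
2021-07-01T09:00:00 198.51.100.23 heidi LOGIN_FAIL
2021-07-01T09:00:20 198.51.100.23 heidi LOGIN_FAIL
2021-07-01T09:00:45 198.51.100.23 heidi LOGIN_OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def source_profiles(events):
    """Aggregate per-source statistics over the whole observation window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    profiles = {}
    for ip, evs in by_ip.items():
        span = max(e[0] for e in evs) - min(e[0] for e in evs)
        profiles[ip] = {
            "attempts": len(evs),
            "distinct_users": len({e[2] for e in evs}),
            "failures": sum(1 for e in evs if not e[3]),
            # Accounts this source managed to log in to: account-takeover candidates.
            "successful_users": [e[2] for e in evs if e[3]],
            "span_hours": span.total_seconds() / 3600,
        }
    return profiles


def peak_hourly_rate(events, ip):
    """Highest number of attempts from `ip` in any single clock hour.

    This is what a naive rate limit sees; a slow stuffing run keeps it at 1.
    """
    buckets = defaultdict(int)
    for ts, src, _user, _ok in events:
        if src == ip:
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return max(buckets.values(), default=0)


def detect_stuffing(events, min_distinct_users=5, min_user_ratio=0.8):
    """Flag sources that try many distinct accounts, each roughly once.

    distinct_users / attempts near 1.0 separates stuffing (one guess per
    stolen credential pair) from a single user retrying their own password.
    """
    alerts = []
    for ip, p in source_profiles(events).items():
        ratio = p["distinct_users"] / p["attempts"]
        if p["distinct_users"] >= min_distinct_users and ratio >= min_user_ratio:
            alerts.append({"source": ip, "compromised_accounts": p["successful_users"], **p})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_stuffing(evs):
        print(f"{alert['source']}: {alert['distinct_users']} accounts tried over "
              f"{alert['span_hours']:.1f} h, peak {peak_hourly_rate(evs, alert['source'])}/h, "
              f"logged in to {alert['compromised_accounts']}")
```

The profile is computed over the entire window rather than a sliding minute, which is the design choice that matters here: the stuffing source never exceeds one attempt per hour, so only the distinct-account count across days exposes it. The `compromised_accounts` field is the list to act on, since those are the accounts that would go on to post the coupon reviews in step four; forcing a password reset and reviewing recent activity on them is the defensive follow-up.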


How to defend against these types of attacks

One of the best ways to deploy application security is with a web application firewall (WAF). Look for a solution that has the following features:

  • Easy to deploy and customize to your environment: A WAF cannot fully protect you if you are not able to configure it for your environment.
  • Scalable: Business growth, digital transformation, and other factors can increase the demand on your applications and websites. Your WAF should be able to grow with your business as needed.
  • Comprehensive protection against advanced threats: OWASP Top Ten protection and application-layer DDoS protection are the table stakes one should expect from a good WAF. For complete protection, look for a solution that defends against zero-day attacks, credential stuffing, data-leakage, malicious bots, and more.
  • Easy to update: A WAF should have regular firmware updates to improve the security and capabilities of the device. A hosted solution that updates automatically without administrator intervention is ideal.
  • Continuous threat intelligence: New attacks are developed every day, and they can spread around the world within a matter of hours. Your WAF should receive real-time updates on these attacks and employ machine learning to adapt to variants.

Barracuda Web Application Firewall and WAF-as-a-Service do all of this and more. The intuitive, easy-to-use interface and flexible deployment architecture help you secure your applications in minutes. To quickly try out Barracuda WAF-as-a-Service, with no wait period or sales calls, try our Test Drive on the Azure Marketplace. The Test Drive allows Microsoft Azure customers to explore the product and features without a subscription or a demo license.

To start a Test Drive, visit the WAF-as-a-Service page in the Azure Marketplace. Select ‘Test Drive’ and complete the setup form. This provisions a new WAF-as-a-Service account with a lab guide and a full-featured test environment for you to explore. Most people can get through everything in about an hour, but you have a full four hours for the Test Drive before it expires. If you would like more time you can return to the WAF-as-a-Service page in the Azure Marketplace and start a free 30-day trial with a demo license.
