Tuesday 9th June 2020

BLOG: Why are big-game hunting ransomware groups targeting remote access vulnerabilities?

The cybercriminal shift towards big-game hunting – going after bigger, more secure targets in tailored operations to potentially extract larger ransoms – has been one of the defining features of the threat landscape in recent years. These breaches have caused significant and lasting damage at a large number of companies, causing severe operational disruption and tanking share prices.

These attacks are driven by three main shifts – the shift towards identifying suitable vulnerabilities by scanning and enumeration; the access provided by these vulnerabilities; and the continued opportunity to exploit them. This article explains these developments and their causes, and covers how companies can mitigate these tactics by better understanding their estate from a threat actor’s perspective.

Big-game hunting ransomware groups have focused on exploiting vulnerabilities in remote working tools and systems: VPN gateways, Remote Desktop Services, desktop virtualisation services and firewall administration interfaces. The first key reason ransomware operators target these vulnerabilities is that they are relatively easy to identify. Because they largely exist to provide access into corporate networks and resources, these services tend to sit at the edge of networks, rather than behind firewalls or other control environments.

As a result of this position, they are easier for attackers to identify by using mass scanning tools. This allows for the identification and prioritisation of targets in a way that targeting other vulnerabilities – for example attempts to exploit unpatched vulnerabilities in the Microsoft Office suite via phishing emails with weaponised attachments – does not; and in turn allows the adversaries to focus their time and resources on potentially susceptible targets.

Figure 1: The availability of tools to scan for these vulnerabilities also reduces the barriers to entry for adversaries looking to exploit them[1]

This is one reason why we have seen a significant increase in the proportion of intelligence reports since the start of 2020 in which scanning/enumeration is the primary infection vector.

Figure 2: Infection vectors from 2015-2019 (top) and 2020 (bottom) highlight the increased prominence of scanning/enumeration as an infection vector

Highly tailored spear phishing efforts remain among the most effective means of gaining a foothold on a target network. However, numerous factors are reducing the efficacy of conventional phishing attacks conducted at scale:

  • Increased employee awareness
  • Increased use of mobile devices, which are typically less vulnerable and less integrated with corporate networks
  • The broader adoption of signature-based systems and sandboxes in email applications
  • More effective internal patching of Microsoft-based networks

A second key factor driving the targeting of these vulnerabilities is the level of access they provide when exploited. They can give attackers immediate access to the core business network and a very large number of current user and administrator credentials (usernames and passwords). Valid credentials can in turn enable persistence, as the attacker does not need to run malicious code or perform privilege escalation actions that might trigger security software or attract the attention of IT security staff.

This stealth allows the attackers time to create new admin accounts – which can themselves become commodities and be exploited for a variety of purposes. Crucially, the attackers can use the access to build up a detailed understanding of the organisation to ensure they have access to all the operationally critical systems before undertaking the final stage of deploying the ransomware.

A number of these vulnerabilities have been exploited recently in high-profile incidents:

  • Pulse Secure VPN Gateway CVE-2019-11510.[2] Used in the Travelex attack.
  • Citrix Application Delivery Controller, Citrix Gateway CVE-2019-19781[3], suspected of being used in the ransomware[4] attack on the Toll Group, a large Australian transport and logistics company. This attack[5] also demonstrated the difficulty of recovery, as Toll was hit a second time in May[6], potentially because attacks on remote access portals allow the attackers to persist on the network.
  • Microsoft Remote Desktop Services CVE-2019-0708 was announced and patched on 14th May 2019. This is an unauthenticated remote code execution vulnerability affecting Windows 7 and Server 2008 devices. Once an exploit was released in September 2019, attackers began to exploit it, and by November large numbers of unpatched machines were being compromised.[7]

Figure 2: Our Cyber Risk Rating tool has detected these frequently targeted vulnerabilities as they appear on companies’ networks

The third key factor is the lifetime of these vulnerabilities, which provides adversaries with continued opportunities to exploit them. As the detection graphs from our Cyber Risk Rating tool show, although many organisations reacted rapidly to remediate vulnerabilities as soon as possible, others struggled with this process, leaving themselves susceptible to attack. The difficulty of identifying and regularly scanning your attack surface to understand it from an attacker’s perspective is one issue, as is the continued existence of shadow IT or infrastructure thought to have been deprecated that can potentially provide a foothold for attackers. Both of these factors are especially pertinent during the current pandemic – particularly as the capability of security teams is diminished.

Looking forward, we anticipate these other vulnerabilities will also result in usable exploits and similar attacks:

  • Sophos XG Firewalls impacted by CVE-2020-12271
  • Zoho ManageEngine servers impacted by CVE-2020-10189
  • Microsoft SharePoint servers impacted by CVE-2019-0604

These vulnerabilities are already being used by other types of attackers,[8] including cryptominers and cyber espionage groups,[9] but not yet by the human-operated ransomware crews.

As always, mitigating the threat from this shift requires a threat-led and risk-based approach. Risk holders and boards need oversight tools to allow them to verify that their own IT operations and critical third party IT operations teams are actually patching and securing these systems. This is where real-time passive vulnerability and threat reporting services can help.

They show the vulnerable systems as the attackers see them, and they detect the attackers’ discussions of new vulnerabilities, exploits and targets. They give a unique independent view of an organisation’s attack surface over time and convert this into accessible metrics that can be easily understood and processed by senior risk holders. These tools are critical to managing the risk and verifying its proper management.
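The third factor (how long edge vulnerabilities stay exposed, and the shadow IT that keeps them alive) and the metrics described above can be made concrete. The following Python is an added example, not code from this post or from the Cyber Risk Rating tool: it takes constructed external-scan snapshots (hypothetical hosts, tagged with the CVEs this post discusses) and an asset register, then derives exposure windows, hosts unknown to IT and a risk-holder summary.

```python
from datetime import date

# Constructed sample data (hypothetical hosts, not from the post): dated
# external-scan snapshots of edge hosts flagged with one of the CVEs the
# post discusses, plus the organisation's own asset register.
SNAPSHOTS = {
    date(2020, 1, 10): {("vpn1.example.com", "CVE-2019-11510"),
                        ("gw.example.com", "CVE-2019-19781")},
    date(2020, 1, 20): {("gw.example.com", "CVE-2019-19781")},
    date(2020, 2, 1):  {("gw.example.com", "CVE-2019-19781"),
                        ("old-rds.example.com", "CVE-2019-0708")},
    date(2020, 2, 15): {("gw.example.com", "CVE-2019-19781")},
}
ASSET_REGISTER = {"vpn1.example.com", "gw.example.com"}
AS_OF = date(2020, 2, 20)  # reporting date used for still-open findings


def exposure_windows(snapshots, as_of):
    """Per (host, cve): first/last date seen, the scan date on which
    remediation was first observed (None if still exposed) and days exposed.
    A finding that disappears and reappears counts as continuously exposed."""
    dates = sorted(snapshots)
    windows = {}
    for d in dates:
        for finding in snapshots[d]:
            w = windows.setdefault(finding, {"first_seen": d, "last_seen": d})
            w["last_seen"] = d
    for w in windows.values():
        later = [d for d in dates if d > w["last_seen"]]
        w["remediated"] = later[0] if later else None
        end = w["remediated"] or as_of
        w["days_exposed"] = (end - w["first_seen"]).days
    return windows


def shadow_hosts(snapshots, register):
    """Flagged hosts missing from the asset register: shadow IT, or kit
    believed deprecated but still reachable from the internet."""
    seen = {host for findings in snapshots.values() for host, _ in findings}
    return sorted(seen - register)


def risk_summary(snapshots, register, as_of):
    """Board-level metrics: what is open, how long it has been open, how
    much was fixed, and how much of the exposed estate was unknown to IT."""
    windows = exposure_windows(snapshots, as_of)
    open_findings = [f for f, w in windows.items() if w["remediated"] is None]
    return {
        "open_findings": len(open_findings),
        "remediated_findings": len(windows) - len(open_findings),
        "max_days_exposed": max(w["days_exposed"] for w in windows.values()),
        "shadow_hosts": shadow_hosts(snapshots, register),
    }
```

With the sample data the Citrix gateway has been exposed for 41 days and is still open, the Pulse VPN was fixed within 10 days, and the RDS host is both unregistered and was exposed for 14 days before disappearing.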


[1] https://github.com/trustedsec/cve-2019-19781/

[2] https://nvd.nist.gov/vuln/detail/CVE-2019-11510

[3] https://www.us-cert.gov/ncas/alerts/aa20-031a

[4] https://twitter.com/bad_packets/status/1224481106654715904?s=20

[5] https://www.itnews.com.au/news/toll-group-tight-lipped-on-alleged-ransomware-attack-537437

[6] https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/

[7] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6

[8] https://news.sophos.com/en-us/2020/04/26/asnarok/

[9] https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/

A threat-led intelligence approach is essential for understanding how sophisticated nation-state groups will continue to adapt their targeting and tactics, techniques and procedures.
