LAST UPDATED January 13, 2022
As ransomware attackers seek ever-increasing payouts, they naturally want to maximize their spread and target an enterprise’s most valuable assets. This has made an organization’s applications a particularly lucrative target, both as an initial infection vector and as an asset to hold for ransom.
This has likewise made Web Application and API Protection (WAAP) an integral part of an organization’s ransomware defenses. However, it can be easy for enterprise security teams to focus on endpoint security and overlook the growing role that application security plays in preventing ransomware. So to avoid a potentially costly mistake, let’s look at how organizations should be bringing their WAAP solution into the fight against ransomware.
How to Prevent and Protect Against Ransomware Beyond Endpoints
Ransomware infections are not just about phishing anymore. Instead of luring end users into clicking on a malicious attachment, attackers and Initial Access Brokers (IABs) are increasingly targeting vulnerabilities in the enterprise applications and other infrastructure.
There are several reasons that this makes sense from an attacker’s perspective. Applications are publicly exposed, allowing attackers to proactively find and attack vulnerable applications instead of waiting for an end user to click on an attachment. Applications are also high-value assets in their own right, and they provide an ideal path for an attack to spread both internally and externally. Let’s take a look at a few real-world examples.
1 – Web Injections and Ransomware
While we often think of SQL and other injection attacks as a way for attackers to steal or manipulate data in an application directly, these same techniques can provide remote code execution and give an attacker shell access to the database or other assets.
Such assets naturally have many back-end connections to internal systems and data sources, often with administrative privileges. This gives the attacker a powerful position from which to spread laterally within the environment. This analysis of the Gandcrab family of ransomware provides a real-world example of how an injection attack against an application is used to gain shell access, move laterally, and ultimately deploy ransomware widely within an organization.
These same techniques have been observed in a variety of ransomware attacks in the wild. Most recently, a SQL injection vulnerability in a billing application was used to deliver ransomware into organizations. Likewise, ransomware groups have exploited critical RCE vulnerabilities in the Zoho REST API and in Atlassian’s Confluence.
How your WAAP can help: A WAAP will naturally provide protection from a wide range of injection attacks. An API-native solution such as ThreatX will also be able to decode and prevent injection attacks against APIs. Additionally, behavioral profiling of applications can help security teams identify anomalous behavior that could indicate an application has been compromised by attackers.
2 – XSS, CSRF, and Ransomware
Ransomware gangs can also leverage other traditional vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF) in order to gain access to an organization. These techniques can be used for a variety of purposes, but most directly, they can let the attacker steal administrator credentials. A recent Jira vulnerability provides a real-world example of just how quickly an administrator’s credentials can be compromised.
Naturally, an attacker could then use administrator privileges to further compromise the system and pivot deeper into the target network.
How your WAAP can help: Almost any modern web application security product should be able to detect and block known XSS and CSRF attacks. Additionally, ThreatX’s attacker-centric and risk-based approach can automatically detect and track threats across multiple phases of an attack. For example, ThreatX could identify bots performing reconnaissance as they probe for XSS vulnerabilities, in order to identify and stop threats early in the process.
3 – Bot-Based Attacks on Administrator Logins
Ransomware attackers and IABs can also abuse any exposed login pages to try to steal administrator credentials without the need for any exploit whatsoever. This can be done by brute-forcing a login page or via credential-stuffing attacks that use known default credentials or credentials exposed in previous breaches.
These techniques rely on the use of bots and malicious automation in order to test potential username and password combinations. Attackers can easily blend in with normal login behavior by rotating their attempts across different IP addresses and user agents so that it isn’t obvious that a single source is responsible for many login attempts.
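As an added illustration (not ThreatX’s code or the article’s own), the following Python flags the pattern just described over a constructed login log: failed attempts against one account arriving from many distinct IP/user-agent pairs within a short window, while a legitimate user retrying from a single device is left alone. The log format, thresholds and sample values are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <user> <src ip> <OK|FAIL> <user agent>".
# The admin failures rotate IPs and user agents; alice just mistyped her password.
SAMPLE_LOG = """\
2022-01-13T09:00:01 admin 203.0.113.10 FAIL Mozilla/5.0 (Windows NT 10.0) Chrome/96
2022-01-13T09:00:03 admin 198.51.100.7 FAIL Mozilla/5.0 (X11; Linux x86_64) Firefox/95
2022-01-13T09:00:08 admin 203.0.113.55 FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 15_1) Safari/15
2022-01-13T09:00:12 admin 198.51.100.23 FAIL Mozilla/5.0 (Windows NT 10.0) Chrome/96
2022-01-13T09:00:20 admin 192.0.2.99 FAIL curl/7.79.1
2022-01-13T09:00:31 admin 203.0.113.200 FAIL Mozilla/5.0 (X11; Linux x86_64) Firefox/95
2022-01-13T09:00:40 alice 192.0.2.44 FAIL Mozilla/5.0 (Macintosh) Safari/15
2022-01-13T09:00:52 alice 192.0.2.44 FAIL Mozilla/5.0 (Macintosh) Safari/15
2022-01-13T09:01:05 alice 192.0.2.44 OK Mozilla/5.0 (Macintosh) Safari/15
2022-01-13T09:02:10 bob 192.0.2.77 FAIL Mozilla/5.0 (Windows NT 10.0) Edge/96
"""


def parse_line(line):
    """Split one log line into (timestamp, user, ip, result, user_agent)."""
    ts, user, ip, result, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, ip, result, ua


def distributed_login_abuse(lines, window=timedelta(minutes=5),
                            min_failures=5, min_sources=3):
    """Flag accounts whose failed logins inside `window` arrive from at least
    `min_sources` distinct (ip, user_agent) pairs: one real user retrying from
    one device never trips this, but rotated attacker infrastructure does."""
    failures = defaultdict(list)
    for line in lines:
        ts, user, ip, result, ua = parse_line(line)
        if result == "FAIL":
            failures[user].append((ts, ip, ua))
    flagged = {}
    for user, events in failures.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            sources = {(ip, ua) for _, ip, ua in in_window}
            if len(in_window) >= min_failures and len(sources) >= min_sources:
                flagged[user] = {
                    "failures": len(in_window),
                    "ips": len({ip for _, ip, _ in in_window}),
                    "user_agents": len({ua for _, _, ua in in_window}),
                }
                break
    return flagged
```

Per-account correlation of this kind is what defeats IP rotation: each source looks harmless on its own, but the target account ties them together.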
How your WAAP can help: ThreatX brings a wealth of techniques together to identify and mitigate bots and malicious automation. The platform automatically performs a variety of advanced fingerprinting techniques that let the solution track attacker infrastructure even as IP address and other traits are changed. Active interrogation and deception techniques further help to distinguish valid end users from malicious automation to ensure that attackers are denied access without inadvertently locking out the true administrators.
Next Steps
Like all threats, ransomware is constantly evolving, and organizations will need multiple, coordinated layers of defense to properly address their risk. And while applications are only a portion of the overall ransomware attack surface, it is a particularly active and growing aspect of the problem. ThreatX brings a unique approach to web application and API protection that combines all of the industry’s best detection and analysis techniques and applies its collective intelligence to every decision. This not only helps organizations stop the ransomware techniques being used today, but also means teams are better prepared to handle new threats and techniques tomorrow.
To learn more about ThreatX and how we can help protect your organization from ransomware, please contact the ThreatX team.