Ransomware Attacks Archives - Cyber Security News
https://cybersecuritynews.com/tag/ransomware-attacks/
Last updated: Fri, 07 Jun 2024 12:08:06 +0000

Ransomware Actor Exploited CoinMiner Attacker’s Proxy Server
https://cybersecuritynews.com/ransomware-exploits-coinminer-proxy/
Fri, 07 Jun 2024 12:08:01 +0000

Attackers use proxy servers to hide their identity and reach blocked websites or networks, since the proxy makes the originating system anonymous.

Compromised proxy servers can serve as conduits for launching attacks, distributing malware and carrying out other illegal activity while obscuring the true origin of the traffic.

A proxy server with known vulnerabilities is also a foothold for further intrusion into the network behind it.

Cybersecurity researchers at ASEC (AhnLab Security Intelligence Center) recently documented a case in which a ransomware actor exploited the proxy server of a CoinMiner attacker.


Ransomware Actor Exploited CoinMiner

Cyberattacks hit not only companies but also other threat actors.

A proxy server that a CoinMiner group used to control its botnet of infected hosts was exposed to the internet. A ransomware actor's RDP scan found it, broke in through it, and infected the botnet with ransomware.

The CoinMiner group's own initial compromise of those hosts most likely began with scans for MS-SQL servers with weak system administrator (sa) credentials; once logged in as sa, the attackers used the xp_cmdshell stored procedure to run commands that installed a backdoor, which in turn downloaded the CoinMiner malware from the group's C2 server.

The incident demonstrates how the infrastructure of threat actors can itself become a compromised target.
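The initial-access chain described above (sa brute force, then xp_cmdshell) leaves a characteristic trail in the SQL Server ERRORLOG. The detector below is an added example written for this page, not code from ASEC or from its report. It runs over a constructed ERRORLOG excerpt, and the thresholds (five failures within sixty seconds, a ten-minute follow-up window) are assumptions to tune for your environment.

```python
"""Detection logic for the MS-SQL intrusion chain: a burst of failed 'sa' logons from
one client, a successful 'sa' logon from that same client, and xp_cmdshell being
enabled shortly afterwards. Works on SQL Server ERRORLOG text."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt for this example (not taken from the ASEC report).
# The message formats are the ones SQL Server writes; timestamps, spids and client
# addresses are invented. Successful logons appear only if login auditing is set to
# "Both failed and successful logins".
SAMPLE_ERRORLOG = """\
2024-06-07 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:02.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:02.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-06-07 03:14:05.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-06-07 03:14:09.77 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 03:14:10.01 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 08:00:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2024-06-07 12:00:00.00 spid70      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)


def detect_sa_intrusion(text, window=timedelta(seconds=60), threshold=5,
                        followup=timedelta(minutes=10)):
    """Return alerts in log order. Thresholds are tunable assumptions, not ASEC's values."""
    alerts = []
    failures = defaultdict(deque)   # client -> recent failed 'sa' logon times (sliding window)
    brute_forcers = set()           # clients that crossed the failure threshold
    compromised = []                # (time, client) of 'sa' successes by a brute-forcer
    for ts, _src, msg in parse_errorlog(text):
        m = FAIL_RE.search(msg)
        if m:
            user, client = m.groups()
            if user.lower() != "sa":
                continue
            q = failures[client]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in brute_forcers:
                brute_forcers.add(client)
                alerts.append({"severity": "medium", "time": ts, "client": client,
                               "rule": "sa brute force",
                               "detail": f"{len(q)} failed 'sa' logons within {window.seconds}s"})
            continue
        m = OK_RE.search(msg)
        if m:
            user, client = m.groups()
            if user.lower() == "sa" and client in brute_forcers:
                compromised.append((ts, client))
                alerts.append({"severity": "high", "time": ts, "client": client,
                               "rule": "sa guessed",
                               "detail": "successful 'sa' logon from a brute-forcing client"})
            continue
        if XPCMD_RE.search(msg):
            # ERRORLOG does not record the client for configuration changes, so correlate by
            # time: an enable within `followup` of a guessed 'sa' logon is attributed to it.
            recent = [c for t, c in compromised if timedelta(0) <= ts - t <= followup]
            if recent:
                alerts.append({"severity": "critical", "time": ts, "client": recent[-1],
                               "rule": "xp_cmdshell enabled after brute-forced sa logon",
                               "detail": "command execution enabled minutes after credential guessing"})
            else:
                alerts.append({"severity": "medium", "time": ts, "client": None,
                               "rule": "xp_cmdshell enabled",
                               "detail": "verify this was an authorised change"})
    return alerts


if __name__ == "__main__":
    for a in detect_sa_intrusion(SAMPLE_ERRORLOG):
        print(f"{a['time']:%H:%M:%S} {a['severity']:<8} {a['client'] or '-':<14} {a['rule']}: {a['detail']}")
```

Because SQL Server records no client address on configuration changes, the xp_cmdshell alert is attributed to the brute-forcing client by timing alone; pair it with SQL Server Audit, which does record the principal and session, and keep xp_cmdshell disabled unless a change ticket enables it.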

To reach their infected bots, the CoinMiner group had set up a reverse RDP proxy built on a modified version of the open-source Fast Reverse Proxy (FRP) tool, and that proxy was exposed to the internet.

The exposed proxy then became a target of the RDP port scanning and brute-force attack that the ransomware actors were running.

Because the proxy enforced no login restrictions, the ransomware actor obtained administrator access through it, moved laterally to the hosts behind it, and finally distributed ransomware across the CoinMiner botnet and network using remote administration tools.
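The brute-force attack succeeded because the exposed proxy forwarded RDP with no login restriction in front of it. The probe below is an added example written for this page, not ASEC's tooling or the attackers' FRP configuration. It performs the first RDP negotiation exchange (X.224 Connection Request and Confirm carrying the RDP Negotiation structures from MS-RDPBCGR) and reports whether an endpoint can be reached without Network Level Authentication, the restriction a defender would want enforced on anything that terminates RDP. The target host and port are whatever is passed on the command line; the parsing and classification functions can be exercised offline on captured bytes.

```python
"""Check whether an RDP endpoint accepts connections without Network Level Authentication
(NLA). Implements the X.224 Connection Request / Confirm exchange with the RDP Negotiation
Request/Response/Failure structures (MS-RDPBCGR 2.2.1.1 and 2.2.1.2)."""
import socket
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request TPDU carrying an RDP Negotiation Request."""
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)  # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg          # LI, CR code, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                     # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and any negotiation payload it carries."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len <= 11:
        # No RDP_NEG_RSP at all: the server only speaks legacy Standard RDP Security.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP}
    typ, flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if typ == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected_protocol": value, "flags": flags}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value, "reason": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError(f"unexpected negotiation structure type {typ:#x}")


def assess(result):
    """Classify what a probe that asked for PROTOCOL_RDP or PROTOCOL_SSL got back.
    'no_nla' means the logon screen is reachable before authentication, so passwords
    can be guessed online, which is what the attack described above relied on."""
    if result["kind"] == "failure":
        return "nla" if result["failure_code"] == 5 else "failed"
    if result["selected_protocol"] in (PROTOCOL_RDP, PROTOCOL_SSL):
        return "no_nla"
    return "nla"


def probe(host, port=3389, timeout=5.0):
    """Live two-step probe: ask for plain RDP; if the server insists on TLS, ask for TLS
    without CredSSP. A server that grants either is not enforcing NLA."""
    result = None
    for requested in (PROTOCOL_RDP, PROTOCOL_SSL):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(requested))
            result = parse_connection_confirm(s.recv(64))
        if not (result["kind"] == "failure" and result["failure_code"] == 1):
            break
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    r = probe(target, port)
    print(f"{target}:{port} {assess(r)} {r}")
```

Run it against your own internet-facing hosts and any reverse-proxy listeners that forward to 3389; a verdict of no_nla on an endpoint you did not know was reachable is exactly the exposure the ransomware actor's scan was looking for.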

Whether the ransomware actor's RDP scan hit the CoinMiner group's proxy server deliberately or by coincidence cannot be established from the evidence, so ASEC offers two hypotheses.

Hypothesis 1:

The proxy server was simply one more host with an exposed RDP port that the ransomware actor's scan happened to find.

Hypothesis 2:

The ransomware actor deliberately targeted systems that other actors had already compromised, knowing they were proxies, on the reasoning that a previously breached system is more likely to still be weakly secured.

The repeated accesses to the systems behind the proxy suggest that the ransomware actor may have noticed the unusual environment and realized they were moving between already-compromised systems.

Threat actors usually trade credentials, malware and services on dark web markets rather than directly targeting and exploiting one another's infrastructure.

When an attack unknowingly passes through another actor's compromised infrastructure, however, it is hard to separate the behavior and intent of each actor involved.

If such cases become more common, threat actors may start hacking each other's infrastructure intentionally, leveraging the compromised systems and resources to launch more effective attacks.

Should groups begin to infiltrate rival groups' infrastructure on purpose as a matter of course, attribution and defense would become considerably more complicated.

CISA to Flag Vulnerabilities & Misconfigurations Exploited in Ransomware Attacks
https://cybersecuritynews.com/cisa-ransomware-vulnerability-warning/
Mon, 16 Oct 2023 14:01:40 +0000

Ransomware attacks have become a serious concern for businesses of all sizes, with the potential to seriously harm the operations, finances and reputation of the targeted enterprises.

Many ransomware operators exploit known flaws, tracked as Common Vulnerabilities and Exposures (CVEs). Often the targeted business does not even know that a ransomware threat actor is exploiting a weakness in its network.

To help organizations close this blind spot, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Ransomware Vulnerability Warning Pilot (RVWP) in January 2023, as mandated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.

“Through the RVWP, CISA determines vulnerabilities that are commonly associated with known ransomware exploitation and warns critical infrastructure entities of those vulnerabilities, helping to enable mitigation before a ransomware incident occurs,” CISA said.


New Resources Added To The RVWP

The agency has now made two new resources available through the RVWP to help organizations find and fix the security flaws that ransomware operators are known to abuse.

A new column, "Known to be used in ransomware campaigns", has been added to the Known Exploited Vulnerabilities (KEV) catalog.

For every vulnerability already in the catalog, and for every one added in future, the column records whether CISA knows it to have been used in ransomware campaigns.
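In the JSON version of the KEV catalog the new column appears as the field knownRansomwareCampaignUse, with the values "Known" and "Unknown". The script below is an added example written for this page, not CISA's code: it filters the catalog on that field, matches the result against an asset inventory, and lists entries whose remediation due date has passed. The feed URL is the one CISA publishes; the catalog excerpt and inventory are constructed, and the CVE IDs in them are placeholders rather than real vulnerabilities.

```python
"""Work with the ransomware flag in CISA's KEV catalog: pull the entries marked "Known",
match them against an asset inventory and surface the ones past their due date. The field
names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse, ...) are those
of the JSON feed CISA publishes; the catalog excerpt and inventory are constructed for
this example and the CVE IDs are placeholders, not real vulnerabilities."""
import json
import sys
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_KEV = {  # constructed excerpt in the feed's shape
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleVendor EdgeGateway Authentication Bypass",
         "dateAdded": "2023-10-25", "dueDate": "2023-11-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "vulnerabilityName": "ExampleVendor EdgeGateway Information Disclosure",
         "dateAdded": "2023-09-29", "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor", "product": "BackupServer",
         "vulnerabilityName": "OtherVendor BackupServer Remote Code Execution",
         "dateAdded": "2023-10-04", "dueDate": "2023-10-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0004", "vendorProject": "Example DB Corp", "product": "DBServer",
         "vulnerabilityName": "Example DB Corp DBServer Privilege Escalation",
         "dateAdded": "2023-10-09", "dueDate": "2023-10-30", "knownRansomwareCampaignUse": "Known"},
    ],
}

# Constructed inventory: (vendorProject, product) pairs the organisation runs.
SAMPLE_INVENTORY = [("examplevendor", "edgegateway"), ("Example DB Corp", "dbserver")]


def load_catalog(source=None):
    """Load the catalog from a local file or from CISA's feed URL; fall back to the sample."""
    if source is None:
        return SAMPLE_KEV
    if source.startswith("http://") or source.startswith("https://"):
        with urllib.request.urlopen(source, timeout=30) as resp:
            return json.load(resp)
    with open(source, encoding="utf-8") as fh:
        return json.load(fh)


def ransomware_entries(catalog):
    """Entries whose new column says CISA knows them to be used in ransomware campaigns."""
    return [v for v in catalog["vulnerabilities"] if v.get("knownRansomwareCampaignUse") == "Known"]


def match_inventory(entries, inventory):
    """Keep entries for products in the inventory (case-insensitive), earliest due date first.
    dueDate is an ISO date string, so string order is chronological order."""
    wanted = {(vendor.lower(), product.lower()) for vendor, product in inventory}
    hits = [e for e in entries if (e["vendorProject"].lower(), e["product"].lower()) in wanted]
    return sorted(hits, key=lambda e: e["dueDate"])


def overdue(entries, as_of):
    """CVE IDs whose remediation due date (YYYY-MM-DD) has already passed on `as_of`."""
    return [e["cveID"] for e in entries if e["dueDate"] < as_of]


if __name__ == "__main__":
    catalog = load_catalog(sys.argv[1] if len(sys.argv) > 1 else None)
    hits = match_inventory(ransomware_entries(catalog), SAMPLE_INVENTORY)
    for e in hits:
        print(f"{e['cveID']:<16} due {e['dueDate']}  {e['vendorProject']} {e['product']}: {e['vulnerabilityName']}")
    print("overdue as of 2023-11-01:", overdue(hits, "2023-11-01"))
```

Pass KEV_URL (or a downloaded copy of the feed) as the first argument to run it against the live catalog; vendor and product strings in the catalog are free text, so in practice the inventory match needs the same normalisation you apply to your CMDB.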

In addition, CISA has created a second new RVWP resource: a companion list of misconfigurations and weaknesses known to be leveraged in ransomware operations.

This list lets organizations quickly identify the weaknesses ransomware threat actors are known to exploit and put mitigations or compensating controls in place.

So far, CISA's RVWP has notified the owners of more than 800 vulnerable systems with internet-accessible vulnerabilities commonly linked to known ransomware operations.

“To identify these systems, we use existing services, data sources, technologies, and authorities, including our free cyber hygiene vulnerability scanning service,” CISA explains.

Notifications have gone to every critical infrastructure sector, with the Energy, Healthcare and Public Health, and Water and Wastewater Systems sectors and the Education Facilities subsector receiving the most.

Organizations that enroll in CISA's vulnerability scanning service receive faster and more targeted notifications, and the service is free for any organization in the United States.

CISA therefore urges all organizations to review the updated KEV catalog and the list of misconfigurations and weaknesses to reduce their exposure to ransomware immediately.
