MOXFIVE Monthly Insights - August 2024
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.

Subscribe

August Highlights

August 2024 saw a modest decline in ransomware activity compared to previous months. A seasonal dip like this is not unusual, whether because threat actors take a summer break or because they know targets are distracted by the final days of summer. Despite the overall slowdown, groups such as Akira continued their operations, and affiliates of ransomware-as-a-service offerings such as Rhysida also remained active.

The Healthcare, Professional Services, Manufacturing, and Education sectors remain the top targets for ransomware in 2024. In August, while these industries continued to experience attacks, MOXFIVE also assisted with incidents in less frequently targeted sectors, such as the Food & Beverage and Legal industries.

Akira has emerged as one of the most formidable ransomware groups of 2024, targeting industries across the board. The group has shown a preference for gaining initial access through VPN services that lack multifactor authentication and through compromised accounts. Its campaigns have spanned sectors from Healthcare to Manufacturing and typically combine data exfiltration with file encryption to disrupt operations. Akira's methodical approach, coupled with significant ransom demands, has made it a top player in the ransomware landscape this year.

In a recent case, threat actors associated with Akira gained unauthorized access to a target's environment by using two compromised local accounts to authenticate through a SonicWall SSL VPN appliance that lacked multifactor authentication (MFA). Over four days, the threat actors used Advanced IP Scanner to map the network, packaged sensitive data with WinRAR, and exfiltrated it with WinSCP. The missing MFA on the VPN appliance was the critical control gap that allowed the attackers to maintain prolonged access undetected. Because both accounts were local to the appliance rather than directory accounts, MFA enforced only at a central identity provider would not have covered them; the control has to be enforced on the VPN appliance itself (or local VPN users disabled). This incident underscores the importance of securing remote access services with layered defenses such as MFA.
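The tooling chain in this case (VPN login without MFA, then Advanced IP Scanner, then WinRAR staging, then WinSCP) is detectable when VPN and endpoint process-creation telemetry are correlated per account. The following is an added detection example, not MOXFIVE's or SonicWall's code; it assumes a simplified normalization of VPN and process events into one JSON object per line, with assumed field names, and runs over constructed sample events rather than real telemetry.

```python
"""Correlate VPN logins that lacked MFA with the discovery -> staging -> exfil
tool chain (Advanced IP Scanner -> WinRAR -> WinSCP) used by the same account.

Added example (not vendor code). Log format and field names are assumptions:
one JSON event per line, 'type' is 'vpn_login' or 'process'.
"""
import json
from datetime import datetime, timedelta

# Process image names for each stage. Matching is on the lower-cased basename
# only, so renamed binaries are NOT caught; pair this with command-line and
# hash-based rules in production.
STAGE_IMAGES = {
    "discovery": {"advanced_ip_scanner.exe", "advanced_ip_scanner_console.exe"},
    "staging": {"winrar.exe", "rar.exe"},
    "exfil": {"winscp.exe"},
}

# Constructed sample events (not real telemetry). Timestamps are UTC.
# svc_backup is a local VPN account with no MFA; alice logged in with MFA.
SAMPLE_LOG = r"""
{"ts": "2024-08-05T01:12:00", "type": "vpn_login", "user": "svc_backup", "src_ip": "203.0.113.7", "mfa": false}
{"ts": "2024-08-05T01:40:00", "type": "process", "user": "svc_backup", "host": "FS01", "image": "C:\\Tools\\Advanced_IP_Scanner.exe", "cmdline": "Advanced_IP_Scanner.exe"}
{"ts": "2024-08-06T22:05:00", "type": "process", "user": "svc_backup", "host": "FS01", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe a -r -v2g D:\\tmp\\f.rar \\\\FS01\\Finance"}
{"ts": "2024-08-08T03:30:00", "type": "process", "user": "svc_backup", "host": "FS01", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe", "cmdline": "WinSCP.exe /console"}
{"ts": "2024-08-05T09:00:00", "type": "vpn_login", "user": "alice", "src_ip": "198.51.100.4", "mfa": true}
{"ts": "2024-08-05T09:30:00", "type": "process", "user": "alice", "host": "WS22", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe x report.rar"}
"""


def parse_log(text):
    """Parse one JSON event per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def stage_of(event):
    """Return the chain stage a process event belongs to, or None."""
    if event.get("type") != "process":
        return None
    name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    for stage, images in STAGE_IMAGES.items():
        if name in images:
            return stage
    return None


def find_chains(events, window=timedelta(days=7)):
    """For every VPN login without MFA, collect the stages the same account
    reached within `window`; emit one finding per login that hit all stages."""
    findings = []
    for login in events:
        if login.get("type") != "vpn_login" or login.get("mfa"):
            continue
        deadline = login["ts"] + window
        seen = {}  # stage -> first matching process event
        for ev in events:
            if ev.get("user") != login["user"]:
                continue
            if not (login["ts"] <= ev["ts"] <= deadline):
                continue
            stage = stage_of(ev)
            if stage and stage not in seen:
                seen[stage] = ev
        if set(seen) == set(STAGE_IMAGES):
            findings.append({
                "user": login["user"],
                "vpn_src_ip": login["src_ip"],
                "login_ts": login["ts"].isoformat(),
                "hosts": sorted({e["host"] for e in seen.values()}),
                "dwell": str(seen["exfil"]["ts"] - login["ts"]),
                "evidence": {s: seen[s]["cmdline"] for s in ("discovery", "staging", "exfil")},
            })
    return findings


def findings_for(text=SAMPLE_LOG):
    """Run the correlation over a log text and return the findings."""
    return find_chains(parse_log(text))


if __name__ == "__main__":
    for finding in findings_for():
        print(json.dumps(finding, indent=2))
```

Run against the sample, the rule fires once, for svc_backup, with a dwell of just over three days between the non-MFA VPN login and the first WinSCP execution; alice's MFA-backed login and ordinary WinRAR use produce nothing. A partial chain (for example discovery and staging without a transfer tool) is worth a lower-severity alert in practice, since the exfiltration tool is the last thing you want to wait for.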

Phishing emails, exploitation of VPN vulnerabilities, missing MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access vectors for ransomware attacks.

CVE-2024-23897 is an unauthenticated arbitrary file read vulnerability (often described as Local File Inclusion, LFI) in Jenkins, disclosed in January 2024 and fixed in Jenkins 2.442 and LTS 2.426.3. The flaw sits in the Jenkins CLI's command parser, which expands an argument of the form @<path> into the contents of the file at that path, letting an attacker read files on the Jenkins controller's filesystem; depending on the attacker's permissions this ranges from the first lines of a file to entire files, including secrets that can be leveraged for further compromise. Although the vulnerability was disclosed months ago, threat actors including IntelBroker and the RansomExx ransomware group have recently started exploiting it in attacks. Jenkins has published a security advisory detailing the vulnerability and the fixed versions; it also notes that disabling access to the CLI prevents exploitation where patching cannot happen immediately.
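A quick way to triage exposure is to compare the version a Jenkins controller reports (it advertises it in the X-Jenkins response header) against the fixed releases. The pitfall is that Jenkins has two release lines: a naive numeric comparison would call LTS 2.426.3 vulnerable because 426 is less than 442. The following is an added example, not Jenkins project code; the sample header sets are constructed, and check_url is an assumed convenience wrapper that only runs when you call it with a live URL.

```python
"""Check whether a reported Jenkins version predates the CVE-2024-23897 fix.

Added example, not Jenkins project code. Fixed releases per the Jenkins
advisory: weekly 2.442 and LTS 2.426.3. LTS versions carry three numeric
components (2.426.3); weekly releases carry two (2.442).
"""
import re
import urllib.request

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(version):
    """Turn '2.426.3' (or '2.426.3-rc') into a tuple of ints, ignoring suffixes."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if len(parts) < 2:
        raise ValueError(f"unrecognized Jenkins version: {version!r}")
    return parts


def is_lts(parts):
    """Three components means an LTS release; two means a weekly release."""
    return len(parts) == 3


def vulnerable_to_cve_2024_23897(version):
    """True if the version is on a release line older than its fix."""
    parts = parse_version(version)
    fixed = FIXED_LTS if is_lts(parts) else FIXED_WEEKLY
    return parts < fixed


def check_headers(headers):
    """From an HTTP response header mapping, return (version, vulnerable),
    or None if no X-Jenkins header is present (not a Jenkins controller,
    or a proxy stripped it)."""
    for key, value in headers.items():
        if key.lower() == "x-jenkins":
            return value, vulnerable_to_cve_2024_23897(value)
    return None


def check_url(url, timeout=5):
    """Assumed convenience wrapper: fetch `url` and triage its headers.
    Jenkins sends X-Jenkins on normal responses; not exercised offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        return check_headers(dict(resp.headers))


# Constructed sample header sets, as an inventory tool might record them.
SAMPLE_RESPONSES = {
    "ci-lts.example.internal": {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
    "ci-weekly.example.internal": {"X-Jenkins": "2.441"},
    "ci-patched.example.internal": {"X-Jenkins": "2.440.1"},
    "www.example.internal": {"Server": "nginx"},
}


def triage(responses=SAMPLE_RESPONSES):
    """Return {host: (version, vulnerable)} for hosts that look like Jenkins."""
    results = {}
    for host, headers in responses.items():
        verdict = check_headers(headers)
        if verdict is not None:
            results[host] = verdict
    return results


if __name__ == "__main__":
    for host, (version, vulnerable) in triage().items():
        print(f"{host}: Jenkins {version} -> {'VULNERABLE' if vulnerable else 'fixed'}")
```

Treat a "fixed" verdict as necessary but not sufficient: a controller that was exposed before patching may already have had credentials or secrets read, so review access logs for CLI requests from the exposure window as well.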

Multifactor Authentication (MFA) plays a critical role in protecting organizations from ransomware attacks by adding a layer of security beyond usernames and passwords. As ransomware groups like Akira become more sophisticated, relying solely on traditional login credentials is no longer sufficient. In a recent Akira case, the absence of MFA on a SonicWall SSL VPN appliance allowed the threat actors to gain unauthorized access using compromised credentials, leading to a significant breach. With MFA in place, an attacker who acquires a password still needs another form of verification, such as a one-time code, a hardware security key, or a biometric factor, to use the account. One-time codes can still be phished or relayed in real time, so phishing-resistant methods (FIDO2 security keys, certificate-based authentication) are the stronger choice for remote access. Enforcing MFA across all access points, including local accounts defined on VPN appliances that sit outside a central identity provider's policy, significantly reduces the likelihood of unauthorized access and the risk of ransomware infiltration.


Akira has been the most active ransomware group, targeting a wide range of industries throughout 2024. The group is known for its "deliverable menu," which lets victims select "services" such as decryptors, compromise reports, or data deletion, each incurring an à la carte charge. If the group did not steal data, it will say so explicitly.

Rhysida is a ransomware group first observed in 2023 that operates as a ransomware-as-a-service (RaaS). It has become highly active recently, with MOXFIVE responding to multiple incidents involving this service alongside numerous public reports of activity. See the MOXFIVE Threat Actor Spotlight on Rhysida for more detail.

RansomHub is a RaaS that emerged in early 2024 and quickly became a prevalent threat. It offers an affiliate-friendly payment model in which affiliates keep a 90% commission on paid ransoms, making it an attractive option compared to other ransomware services. See the MOXFIVE Threat Actor Spotlight on RansomHub for more detail.