Ransomware operators exploit 3rd-party tools.
By Tim Nodar, CyberWire senior staff writer
Nov 9, 2023

The story of this attack technique is an old one, but it's evergreen in the risk it describes.

The FBI has issued a Private Industry Notification outlining recent trends in ransomware attacks, specifically “ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions.”

The Bureau notes, “The FBI continues to track reporting of third-party vendors and services as an attack vector for ransomware incidents. Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors. The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons.”

Abuse of remote management tools is old but evergreen.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the history of this sort of abuse. “Attacks abusing Internet-accessible remote management portals have been a problem for decades, but it didn't become a primary method of attack until the last few years,” he wrote in emailed comments. “It went from being something that some criminals did some of the time to being a primary method used by many gangs. If you've got a remote management access portal accessible from the Internet, it better be patched, require phishing-resistant MFA to access, VPN, or require a long, complex, and unique password. Else it's likely to be discovered and hacked. When it's a third party that has implemented the remote access portal, you...the primary customer, likely don't even know about it, much less know to make sure it's secured.”