Remote Access Infra Remains Riskiest Corp. Attack Surface www.darkreading.com/cyber-ris…

From Microsoft’s Remote Desktop Web Access to Palo Alto’s Global Protect and from Cisco’s VPN services to general remote login portals, stealing credentials to target remote access is perhaps the most popular technique used by ransomware groups. Once compromised, such services can be used as gateways to the corporate networks and quickly lead to data exfiltration and eventual ransomware deployment, says Irina Nesterovsky, chief research officer for KELA.

“Obtaining such credentials and successfully accessing those platforms — either due to lack of MFA or bypassing it — allows the actors a foothold into an organization’s network, which they can then further expand using different tools and reconnaissance,” she says. “KELA observed the Black Basta ransomware actors discussing the sourcing of specifically login credentials to VPN and remote access portals in the context of a ransomware operation — it is very clear what such credentials are abused for.”

The Black Basta group is hardly alone. In fact, ransomware groups in general gravitate to using remote access credentials and targeting risky Internet-accessible portals. In a report released on March 11, cyber insurer Coalition found that two-thirds of businesses have at least one login panel exposed to the Internet, and those companies are three times more likely to suffer a ransomware incident. Of the claims processed by Coalition, 45% involved VPN appliances, and 23% included remote desktop software.
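The risk described above (credential abuse against VPN and remote-desktop portals, with a lack of MFA as the enabler) is something a defender can look for in the portal's own authentication logs. The following is an added example, not code from the article, KELA, or Coalition. It assumes a generic `key=value` log line format of my own invention (real appliances log differently, so `parse_line()` would need adapting) and flags three patterns: a successful login with no MFA factor recorded, a success immediately following repeated failures from the same source, and a login for a known user from a source address not seen before. The sample log lines are constructed and use documentation IP ranges.

```python
"""Flag risky remote-access logins in VPN / RD Web / gateway authentication logs.

Added example (not from the article or any vendor). It assumes a hypothetical
key=value log format such as:

  2024-03-11T08:02:11Z portal=vpn user=alice src=203.0.113.5 result=success mfa=push

Adapt parse_line() to the real appliance's format before use.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
2024-03-11T08:02:11Z portal=vpn user=alice src=203.0.113.5 result=success mfa=push
2024-03-11T08:05:40Z portal=rdweb user=bob src=198.51.100.7 result=success mfa=none
2024-03-11T08:06:02Z portal=vpn user=alice src=203.0.113.5 result=success mfa=push
2024-03-11T09:14:55Z portal=vpn user=carol src=192.0.2.44 result=failure mfa=none
2024-03-11T09:15:10Z portal=vpn user=carol src=192.0.2.44 result=failure mfa=none
2024-03-11T09:15:31Z portal=vpn user=carol src=192.0.2.44 result=success mfa=none
2024-03-11T11:40:03Z portal=vpn user=alice src=192.0.2.99 result=success mfa=push
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    return rec


def analyze(log_text, known_sources=None, failure_threshold=2):
    """Return a list of (reason, record) findings over the log text.

    known_sources: optional {user: set_of_src} baseline of addresses previously
    seen per user. When omitted, the baseline is learned from the log itself, so
    a user's later login from a fresh address is flagged.
    """
    findings = []
    seen = defaultdict(set, {u: set(s) for u, s in (known_sources or {}).items()})
    recent_failures = defaultdict(int)  # (user, src) -> consecutive failures

    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "user" not in rec:
            continue
        user, src = rec["user"], rec.get("src", "?")

        if rec.get("result") == "failure":
            recent_failures[(user, src)] += 1
            continue
        if rec.get("result") != "success":
            continue

        # 1. A successful portal login with no second factor recorded.
        if rec.get("mfa", "none") == "none":
            findings.append(("success_without_mfa", rec))
        # 2. Success right after a run of failures: possible credential guessing.
        if recent_failures[(user, src)] >= failure_threshold:
            findings.append(("success_after_failures", rec))
        # 3. Known user, never-before-seen source address.
        if user in seen and src not in seen[user]:
            findings.append(("new_source_for_user", rec))

        seen[user].add(src)
        recent_failures[(user, src)] = 0
    return findings


if __name__ == "__main__":
    for reason, rec in analyze(SAMPLE_LOG):
        print(f"{rec['ts']} {reason:<24} user={rec['user']} src={rec.get('src')} portal={rec.get('portal')}")
```

In a real deployment the `known_sources` baseline would come from an earlier window of the same logs or the identity provider, and `success_without_mfa` is usually the finding worth acting on first: it shows exactly which portal still accepts a password alone.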
