Battling Ransomware One Tag At A Time

In October 2023 — as part of the Ransomware Vulnerability Warning Pilot (RVWP) — CISA began tagging entries in their Known Exploited Vulnerabilities (KEV) catalog. This field designates whether exploits for a given vulnerability are known to be used in ransomware attacks. Ransomware has disrupted critical services, businesses, and communities worldwide, and many organizations are working diligently to get ahead of these attacks to prevent losses, disruptions, and exposures.

We’ve talked about this topic before, but today we dig a bit deeper into the topic with some specific guidance as to how your organization can fight the good fight against these foes by leveraging the power of GreyNoise tags.

GreyNoise Tags vs. Ransomware

As scores of organizations who use them know, GreyNoise tags are a signature-based detection method that categorizes internet noise into actionable intelligence. As of this writing, we’ve observed recent activity in 63 tags that CISA has identified as being used in association with ransomware attacks. The figure at the beginning of this post shows the frequency and volume of this opportunistic activity. One striking feature of this activity is the diversity of targeted platforms.

In the case of internet-facing attack campaigns, one might assume that vulnerabilities targeted by ransomware actors would lean towards remote access technologies. The chart and our data that backs it up shows that almost no technology category is safe from these types of attacks. Collaboration tools, such as Atlassian Confluence or JetBrains TeamCity; email platforms, such as Microsoft Exchange; software that powers application middleware services, such as Jboss and WebLogic; or, even devices that are intended to help elevate safety and resilience, such as SonicWall, Ivanti, Citrix, and Fortinet are all regularly targeted.

If you use any of these technologies, knowing when new activity is seen can be helpful in shoring up defenses and readying response activities. By leveraging GreyNoise platform features, such as our Alerts and block lists, security teams can, respectively, determine if more focus should be placed on monitoring key systems and preventing opportunistic harm. With the noise weeded out, response teams can focus their attention on similar activity that is likely to be more targeted, which may also mean by more capable adversaries. And, because we play incredibly well with a host of other security tools, teams can also save time, and use our intelligence within familiar environments.

The Long, Sporadic Tail Of Ransomware Tag Activity

Another striking feature of our ransomware tag activity chart is the diversity of activity. Cloud deployments top the list, with attackers looking to take advantage of misconfigurations that may arise in these highly dynamic environments. Broad and commonly deployed technologies are also regular targets, since these systems can also become victims of errant misconfigurations, especially when restored from unpatched backups.

However, as we move down the list, the frequency becomes far more sporadic, and many involve only single hosts vs. botnet armies. This can be due to attacker familiarity, or individual actors keying off results from well-timed Censys or Shodan searches that show newly exposed vulnerable configurations. If your organization uses any of these components, there truly is no rest from vigilance.

The Ransomware GNQL Listicle

To help defenders get a leg up on these attacks, the list below has links to each individual tag that’s known to be used in ransomware attacks. At each tag page, you can find the block list URL which you can use to immediately weed out the opportunistic noise. Wrap one or more of them inside a GNQL query, such as tags:"F5 BIG-IP iControl RCE Attempt", and you can set up an alert to notify you when new activity is seen, especially in generally dormant tags.

• Adobe ColdFusion LFI Attempt
• Adobe XML External Entity Injection Attempt
• Apache ActiveMQ RCE Attempt
• Apache HTTP Server Path Traversal Attempt
• Apache Log4j RCE Attempt
• Apache Struts CVE-2017-5638 Worm
• Atlassian Confluence Server Authentication Bypass Attempt
• Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt
• Atlassian Confluence Server OGNL Injection Attempt
• Atlassian Confluence Server Privilege Escalation Attempt
• Atlassian Confluence Template Injection Attempt
• Azure OMI RCE Attempt
• Azure OMI RCE Check
• Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Attempt
• Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Check
• Citrix NetScaler LFI
• DotCMS File Upload Attempt
• DotNetNuke Remote Code Execution Attempt
• Drupal CVE-2018-7600 Worm
• Exchange ProxyNotShell Vuln Check
• Exchange ProxyShell Vuln Attempt
• Exchange ProxyShell Vuln Check
• F5 BIG-IP TMUI RCE Vuln Check
• F5 BIG-IP iControl CVE-2021-22986 RCE Attempt
• F5 BIG-IP iControl RCE Attempt
• ForgeRock OpenAM Pre-Auth RCE Vuln Check
• FortiOS Authentication Bypass Attempt
• FortiOS Info Disclosure CVE-2018-13379
• GPON CVE-2018-10561 Router Worm
• IBM Aspera Faspex RCE Attempt
• Ivanti EPMM (MobileIron Core) Authentication Bypass Attempt
• Jboss Application Server CVE-2017-12149 Check
• JetBrains TeamCity Authentication Bypass Attempt
• MOVEit CVE-2023-34362 Attempt
• MOVEit Transfer Scanner
• Oracle WebLogic CVE-2017-10271 Worm
• Oracle Weblogic CVE-2019-2725 Crawler
• Oracle Weblogic CVE-2019-2725 Worm
• PaperCut Authentication Bypass Check
• PaperCut RCE Attempt
• ProxyLogon SSRF Vuln Check
• Pulse Secure VPN File Disclosure
• QNAP CVE-2022-27593 Attempt
• QNAP QTS and Photo Station LFI Attempt
• QNAP walter SSH Backdoor Attempt
• SMBGhost Vuln Checker
• Sitecore RCE Attempt
• SonicWALL SRA SQL Injection Attempt
• SonicWALL SRA SQL Injection Vuln Check
• SonicWall SRA 4600 SQL Injection Attempt
• Spring Data Commons RCE CVE-2018-1273
• TerraMaster NAS api.php RCE Check
• Tomcat Backdoor Upload Attempt CVE-2017-12615
• Tomcat Backdoor Use Attempt CVE-2017-12615
• VMWare VCSA File Upload Check
• VMWare vRealize Operations SSRF
• VMware Workspace ONE RCE Attempt
• VMware vCenter RCE Attempt
• VMware vCenter RCE Vuln Check
• VMware vSphere Client RCE Attempt
• WSO2 API Manager File Upload Attempt
• Zoho ManageEngine RCE Attempt
• Zoho ManageEngine RCE CVE-2022-47966 Attempt

Find Out More

If you're curious as to just how GreyNoise researchers craft our tags we have a three-part webinar series that discusses the makeup of our tags, walks you through how we discover what needs to be tagged, and illustrates how AI is empowering the creation of new tags and detections:

• Webinar Series - Session 1/3 - Tags 101: GreyNoise Detection Engineering: Introduction To "Tags"
• Webinar Series - Session 2/3 - GreyNoise Detection Engineering: Under The Hood
• Webinar Series - Session 3/3 - Tags 301: GreyNoise Detection Engineering AI: Leave No Interaction Untagged

Not a GreyNoise customer — yet? See how much time GreyNoise may be able to save your organization, and how many hours your defenders can save with our ROI calculator.

‍Sign up and take our platform for a free enterprise trial to see all the features and data available.