Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)


Excerpt

LockBit operators and affiliates first find a way to obtain initial access to the victim, then use that access to deliver the ransomware. The attack methods can be roughly divided into the following:

1. Extensive vulnerability scanning. Using N-day, 1-day and 0-day vulnerabilities to scan assets in batches, often referred to as casting a wide net.

2. Insiders within the company. By bribing corporate insiders with money: LockBit has paid millions of dollars to insiders who provided important access to the company, who clicked on ransomware extortion emails, or who manually ran the malware.

3. New 1-day vulnerabilities. Such as the Fortinet firewall vulnerability CVE-2018-13379, Citrix NetScaler network device vulnerabilities, the VMware log4j2 vulnerability, the F5 code execution vulnerability, etc.

4. Account passwords sold on the dark web. Including VPN, RDP and corporate email accounts and passwords.

5. Access sold by initial access brokers (IABs). The LockBit organization purchases the corresponding access from IAB attackers.

6. RDP password credentials. Obtained through underground purchase or RDP brute-force cracking.

7. VPN exploitation. Through VPN vulnerabilities or weak VPN passwords.

8. Social-engineering phishing. Backdoors bundled in email attachments, as well as Office macro backdoors.
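Items 4 and 6 above both come down to the same thing for a defender: a valid or guessed RDP password being used from outside. One detection that covers both the brute-force attempt and the successful use of a bought or guessed credential is to count failed RDP logons per source address in a sliding window and flag a subsequent success from that address. The following is an added example written for this page, not code from the article or from LockBit analysis; the records are constructed to resemble the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and the threshold and window values are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_events():
    """Build a small, constructed event list (not captured data).

    Field names mirror the information in Windows Security events
    4625 / 4624; only the fields the detector needs are kept.
    """
    base = datetime(2024, 1, 10, 2, 0, 0)
    events = []
    # 12 failed RDP logons in two minutes from one external address,
    # spraying a handful of likely account names.
    for i, user in enumerate(["administrator", "admin", "backup", "svc_sql"] * 3):
        events.append({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                       "event_id": 4625, "src_ip": "203.0.113.7",
                       "user": user, "logon_type": 10})
    # ...followed by a successful RDP logon from the same address.
    events.append({"ts": (base + timedelta(seconds=130)).isoformat(),
                   "event_id": 4624, "src_ip": "203.0.113.7",
                   "user": "backup", "logon_type": 10})
    # Benign noise: one typo then a success from an internal workstation.
    events.append({"ts": (base + timedelta(seconds=60)).isoformat(),
                   "event_id": 4625, "src_ip": "10.0.0.5",
                   "user": "jdoe", "logon_type": 10})
    events.append({"ts": (base + timedelta(seconds=70)).isoformat(),
                   "event_id": 4624, "src_ip": "10.0.0.5",
                   "user": "jdoe", "logon_type": 10})
    # A network logon (type 3) is ignored by the RDP-only filter below.
    events.append({"ts": (base + timedelta(seconds=80)).isoformat(),
                   "event_id": 4624, "src_ip": "203.0.113.7",
                   "user": "share$", "logon_type": 3})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for RDP brute-force activity.

    - "rdp_brute_force": a source address reached `threshold` failed
      RDP logons within `window` (raised once per address).
    - "rdp_brute_force_success": a successful RDP logon from an address
      that still has `threshold` or more failures inside the window,
      which is the case a purchased or guessed credential produces.
    Events are sorted by timestamp before processing.
    """
    failures = defaultdict(list)   # src_ip -> failure timestamps in window
    flagged = set()                # addresses already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:     # only RemoteInteractive (RDP) logons
            continue
        ip = ev["src_ip"]
        ts = datetime.fromisoformat(ev["ts"])
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if ev["event_id"] == 4625:
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp_brute_force", "src_ip": ip,
                               "failures": len(recent), "at": ev["ts"]})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"kind": "rdp_brute_force_success", "src_ip": ip,
                           "user": ev["user"], "failures": len(recent),
                           "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The success alert is the one worth paging on: a burst of 4625 events from one address is common background noise on an exposed RDP service, but a 4624 from the same address inside the window means the credential is now in an attacker's hands and the account and source should be isolated before the ransomware payload is staged.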