Greetings, esteemed members of the CISO Platform, a beacon of knowledge and collaboration in the realm of information security. Today, we embark on a journey to dissect the modus operandi of ransomware attackers and shed light on their sophisticated strategies for exploiting vulnerabilities. Join us as we unravel the intricate web of factors influencing the prioritization of vulnerabilities, empowering CISOs to fortify their defenses and thwart potential ransomware attacks. In this webinar, Jendra Chan, Head of Research at Fire Compass, will illuminate the path towards proactive vulnerability management and resilience against cyber threats.



Here is the verbatim discussion:

And as I said you know how Target how ransomwares go and use a old vulnerability to Target right now is because they are scanning the whole internet and they are constantly looking for you know where Global attack surface presence of a vulnerability right uh probably initially they didn't priortize it but then as the one as you know they are like around around 50,000 nvd vulnerabilities are there but their attack surface may not be large may not be a significant value a significant size right so there there are various factors that that comes into picture when uh you the ransomwares uh should use these factors to Target to to you know priortize a vulnerability and one of them probably is having uh pres Global attack surface present which means it should have a significant presence on a global scale second probably is easy to exploit uh the vulnerability should be easy to exploit should bypass you know various security controls like sending a HTTP request probably is one of the way to bypass lot of security controls uh because HTP is being used you know very generically all around uh so as I said this the ZK framework which is a Java framework and this is this one libility works very similar to lock 4J in fact right uh so in this vulnerability the user can send again another you know packet another HTP request to to the server respect server and then it actually go and disclose a one disclose uh information related to sensitive files on the on the local instance which may include even credentials and as a result log bit could actually use those credentials to gain access to the system and uh and this uh uh as you can see that it has it has you know the in United States itself with conservative you know queries written restricted queries written there are around 1,000 instances currently being exposed just in United States right now connect now with the Advent of remote working when the workforce is All Around the Globe uh the incidents of using stolen credentials uh and get access to your to the you know network and to some of the systems has increased drastically uh this is because you know the collaboration is now right now not limited to within the parameter of the network uh so as a result you know using the stolen kid initials now where are the stolen credentials coming from these are coming from you know various uh attack and breach databases which were you know published for the last uh maybe you know five to 10 years uh where billions and billions of you know credentials are available on dark web and many of them are being reused by employees you know intentionally non-intentionally uh on other you know systems which probably works in the Enterprise and not only that uh some of the cases of Shadow it lot of cases in Shadow it also comes from you know code Leakes like the developers when they go when they write open source you know tools they uh leave credentials and API keys in the code and make it you know and publish it on the developer or they can also you know leave these credentials in the build in the software build uh such as gen canes or maybe Circle Ci or maybe other you know any other you know cicd platform right so in one of the incidents which has happened last one month back where you know the after uh doing fishing you know once the attacker got access to one of the systems uh one of the devop systems and then they got access to their uh their cicd system what they have found out is they decompiled the build and then in the build itself there were package of credentials being being you know packaged together with the build and as a result they got access to lot of other systems all around.



Understanding Ransomware Tactics:

  • Ransomware attackers leverage old vulnerabilities to infiltrate organizational networks, exploiting weaknesses in global attack surfaces.
  • Factors such as ease of exploitation and bypassing security controls play a pivotal role in the selection of vulnerabilities for targeted exploitation.

Global Attack Surface Presence:

  • Ransomware actors prioritize vulnerabilities with a significant presence on a global scale, maximizing the potential impact of their attacks.
  • A comprehensive understanding of the global attack surface enables organizations to identify and mitigate vulnerabilities proactively.

Ease of Exploitation:

  • Vulnerabilities that are easy to exploit and circumvent security controls are prime targets for ransomware attackers.
  • Techniques such as sending HTTP requests are commonly employed to bypass security measures, highlighting the importance of robust defense mechanisms.

Stolen Credentials and Shadow IT:

  • The proliferation of remote working has led to an increase in incidents involving stolen credentials and Shadow IT.
  • Attackers capitalize on leaked credentials and API keys, as well as vulnerabilities in code repositories and CI/CD platforms, to gain unauthorized access to organizational networks.

Case Studies and Real-World Incidents:

  • Jendra will delve into recent incidents where ransomware attackers exploited vulnerabilities in DevOps systems and CI/CD pipelines to infiltrate organizational networks.
  • These case studies serve as cautionary tales, illustrating the critical importance of securing software development environments and mitigating vulnerabilities at every stage of the development lifecycle.


As we navigate the evolving threat landscape of ransomware, proactive vulnerability management emerges as a critical imperative for organizations seeking to safeguard their digital assets. By prioritizing vulnerabilities based on factors such as global attack surface presence and ease of exploitation, CISOs can effectively mitigate the risk of ransomware attacks and enhance their overall cybersecurity posture. Let us harness the collective wisdom of our community to fortify our defenses, mitigate vulnerabilities, and stay one step ahead of cyber adversaries. Together, we can forge a resilient future in the face of evolving cyber threats.



Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)