Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns
This list provides information on weaknesses and misconfigurations that are commonly exploited by threat actors in ransomware campaigns. Unlike the Known Exploited Vulnerabilities (KEV) catalog, the entries here are not tied to CVE identifiers; they describe exposed services, weak protocols and credential-handling mistakes that ransomware operators use for initial access and lateral movement.
| CWE / Misconfiguration / Vulnerable Service | Commonly Used Port(s) | Short Description | CPG Action (CISA Cross-Sector Cybersecurity Performance Goal) |
|---|---|---|---|
| Remote Desktop Protocol (RDP) | 3389 | RDP is abused in ransomware intrusions when an RDP listener, typically TCP/UDP 3389, is reachable from the internet and attackers authenticate to it with weak, reused or stolen credentials, often after brute-force or password-spray attempts. Requiring multi-factor authentication (MFA) for RDP logons is an effective mitigation; not exposing 3389 directly to the internet (placing it behind a VPN or Remote Desktop Gateway) and enforcing account lockout further reduce the risk. | 2.C, 2.E, 2.G, 2.T, 2.U, 3.A |
| File Transfer Protocol (FTP) | 20; 21; 1024 and above (passive mode) | Attackers target FTP servers on the control channel (port 21) and the data channel (port 20, or the ephemeral high ports from 1024 upward used in passive mode) to gain unauthorized access and manipulate data, frequently using default passwords or hard-coded credentials for initial access. Because FTP authenticates and transfers in cleartext, credentials can also be captured on the wire. Replace FTP with SSH File Transfer Protocol (SFTP) on port 22, which encrypts both authentication and data in transit. | 2.K, 2.T, 2.W, 3.A |
| TELNET | 23 | Telnet authenticates users to a device with a cleartext user ID and password, so threat actors who can observe Telnet traffic capture the credentials of legitimate users and reuse them for initial access to IT systems and network devices. On some devices a remote attacker can also start the Telnet service without authorization via an undocumented HTTP request. The cleartext-credential weakness is mitigated by disabling Telnet and using SSH, which encrypts the entire session; where Telnet cannot be removed, tunnel it through SSH or restrict it to an isolated management network so that legitimate credentials are much harder to capture. | 2.N, 2.O, 2.Q, 3.A |
| Server Message Block (SMB) | 139, 445 | Server Message Block (SMB) is a communication protocol created by Microsoft to share access to files and printers across a network. Like Telnet above, the SMBv1 protocol carries session content in cleartext and lacks the integrity and confidentiality features of later dialects, so threat actors on the network path can intercept and capture the full content of SMB sessions. Later dialects add protection: SMB Signing provides integrity, and SMB 3.0 and later add SMB Encryption for confidentiality. Mitigate by disabling SMBv1, requiring the latest SMB dialect with signing and encryption enforced, never exposing ports 139/445 to the internet, and carrying SMB traffic across untrusted networks only inside an encrypted Virtual Private Network (VPN). | 2.K, 2.T, 2.W |
| Virtual Network Computing (VNC) | 5900 | VNC (Virtual Network Computing) is a graphical desktop-sharing system that lets a user work on a remote computer. It transmits keyboard and mouse events from the local machine and screen updates from the remote machine; in the base protocol this connection is unencrypted, so anyone positioned to observe the network traffic can capture and view the session. Running VNC only over a VPN (or an SSH tunnel) encrypts the connection and prevents a threat actor from eavesdropping on the session. | 2.C, 2.E, 2.G, 2.T, 2.U, 3.A |
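As an added illustration (not part of the CISA page or its catalog data), the following Python turns two of the table's points into checks a defender can run: it parses a socket listing in the layout of `ss -Hltun` to flag any of the table's ports that are listening beyond loopback, and it scans flattened Windows Security event 4625 (failed logon) records with Logon Type 10 (RemoteInteractive, i.e. RDP) for credential brute-forcing from one source, reporting whether a 4624 success from that source followed. Both inputs are constructed samples embedded in the script; the `ss` layout, the one-line 4625 record format, the threshold of 5 failures in 5 minutes, and the documentation-range IP addresses are all assumptions made for the example.

```python
"""Checks derived from the table above (added example, not CISA code).

1. exposed_services(): which of the table's ports are listening on a
   non-loopback address, from `ss -Hltun`-style output.
2. rdp_bruteforce_sources(): source IPs with repeated RDP (LogonType 10)
   4625 failures inside a time window, and whether a 4624 success followed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Ports from the table, mapped to the service they identify.
RISKY_PORTS = {
    3389: "RDP", 20: "FTP-data", 21: "FTP", 23: "Telnet",
    139: "SMB/NetBIOS", 445: "SMB", 5900: "VNC",
}

# Constructed sample modelled on `ss -Hltun` (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3389     0.0.0.0:*
tcp   LISTEN 0 5   127.0.0.1:5900   0.0.0.0:*
tcp   LISTEN 0 50  *:445            *:*
tcp   LISTEN 0 5   [::]:23          [::]:*
tcp   LISTEN 0 128 10.0.0.5:21      0.0.0.0:*
"""

# Constructed sample of flattened 4625/4624 records (assumed format, not Windows' own).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-05-01T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-05-01T10:00:03 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2024-05-01T10:00:04 EventID=4625 LogonType=10 TargetUserName=sqlsvc IpAddress=203.0.113.7
2024-05-01T10:00:05 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-05-01T10:00:06 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-05-01T10:15:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.9
2024-05-01T10:20:00 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=198.51.100.9
2024-05-01T10:25:00 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=198.51.100.9
2024-05-01T10:30:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def _is_exposed(addr: str) -> bool:
    """True if the bind address accepts connections from beyond loopback."""
    if addr in ("*", "0.0.0.0", "::", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: assume exposed rather than miss it


def exposed_services(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (bind address, port, service) for table ports listening beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        idx = fields.index("LISTEN")          # tolerate a missing Netid column
        if len(fields) <= idx + 3:
            continue
        addr, _, port = fields[idx + 3].rpartition(":")
        addr = addr.strip("[]")               # "[::]:23" -> "::"
        port = int(port)
        if port in RISKY_PORTS and _is_exposed(addr):
            findings.append((addr or "*", port, RISKY_PORTS[port]))
    return findings


def rdp_bruteforce_sources(events: str, threshold: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> dict[str, dict]:
    """Source IPs with >= threshold RDP 4625 failures inside `window` (sliding).

    Only LogonType 10 is counted, so network (type 3) failures do not inflate the
    count. `success_after` records whether a type-10 4624 from the same IP
    occurred at or after the last failure in the window (a guess that landed).
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["lt"] != "10":
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["id"] == "4625":
            failures[m["ip"]].append((ts, m["user"]))
        elif m["id"] == "4624":
            successes[m["ip"]].append(ts)

    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                hits[ip] = {
                    "failures": j - i,
                    "users": sorted({u for _, u in fails[i:j]}),
                    "success_after": any(s >= times[j - 1] for s in successes.get(ip, [])),
                }
                break
    return hits


if __name__ == "__main__":
    for addr, port, svc in exposed_services(SAMPLE_SS):
        print(f"EXPOSED {svc} on {addr}:{port}")
    for ip, info in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {info}")
```

On the sample data the first check flags RDP, SMB, Telnet and FTP (the loopback-only VNC listener and SSH are not reported), and the second flags 203.0.113.7 with five distinct usernames in five seconds followed by a success, while 198.51.100.9 stays under the threshold because its type-3 failures are ignored. In production, feed `exposed_services()` real `ss` output and point the log parser at your SIEM's export format instead of the constructed lines.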