Good reminder for organizations to prioritize cybersecurity by patching VPN servers and remote access software, update and use strong passwords with encryption where possible, and enable/require MFA to secure your critical infrastructure.
How do bad actors gain access?
Multiple access points—
Phishing emails with malicious attachments to acquire privileged credentials
Unpatched VPN servers and software
Legacy environment with compromised credentials where MFA is not enabled
More technical explanation —
Attackers used remote protocols SSH and RDP to move laterally to find privileged accounts via credential dumping and ‘pass the hash’ to use stolen password hashes to move laterally through networks.
Have a VMware vCenter Server environment?
Threat actors have used privileged access to reset account passwords for ESXi servers in the VM vCenter server environment. Then use SSH to connect to ESXi servers and deploy ransomware on those servers.
Read article: https://www.zdnet.com/google-amp/article/fbi-warning-this-ransomware-group-is-targeting-poorly-protected-vpn-servers/