Are you blocking websites today? If you are, they are most likely sites such as file sharing, public email, social media, and other non-business related websites. If you do not have a web filtering solution, or have avoided blocking websites for the sake of keeping your employees happy, you should reconsider.
Many of these sites, especially file sharing and social media, have been used to host malicious files or content. Either you have been the victim or you know someone who was infected by one of these means. Recently we’ve seen an uptick in the use of paste sites to deliver multi-staged ransomware attacks.
What is a paste site? Paste sites, also known as text-storage sites, are a type of online content hosting service where users can store plain text. Although the use of paste sites is not new, the reasons for which they are used have evolved. Paste sites date back to the early 90’s, when users wanted to share large chunks of text-based data. Fast forward to a little over five years ago, and they served as a dumping ground for breached data such as email addresses and passwords. More recently, these paste sites have been used to host content in multi-staged ransomware attacks.
Why is this an issue? In many ransomware-related events, the breach was commonly caused by a macro-infected document delivered by email, by clicking on a malicious link that dropped a file on your computer, or by a threat actor gaining access to an internet-facing machine with remote desktop enabled. Because many of these older methods are now detected and prevented, threat actors had to evolve their delivery methods. What they developed were multi-staged attacks. The concept of multi-staged attacks is not new at all; it has been around for a while.
The way multi-stage attacks work (in layman’s terms) is that the malware/ransomware is broken up into several pieces and then reassembled at a later time. Threat actors use paste sites to host “instructions” (a.k.a. code) that are called by the initial infection software that gets downloaded to a computer (the loader). These instructions typically include other actual code, or point to other websites where malicious content is hosted and then automatically downloaded. Once the initial infection software has collected all of the pieces of the ransomware, it is reassembled and the ransomware infection begins. Multi-staged attacks are used simply to prevent detection by anti-virus solutions and to make it more difficult for malware reverse engineers to determine how an attack happened.
So what should you be doing to further reduce your exposure to ransomware infections? Block paste sites! In the office there usually isn’t a need for them. If you have developers or IT folks, ensure some controls are put around what they do so that their access to paste sites doesn’t present a big risk to the business. Here is a list of the most common paste sites to consider blocking:
Here is a paste with the list of sites: https://pastebin.com/RupVAFAY.
(There has to be a little humor in this post)
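As an added example (not part of the original post), here is a small Python checker that matches proxy log requests against a paste-site blocklist in the shape of the list above, handling subdomains and the path-scoped entries such as everfall.com/paste, and skipping lines that do not parse. The shortened blocklist, the Squid-style log layout, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed, shortened blocklist in the shape of the post's list
# (bare domains plus a few "domain/path" entries); not the full list.
PASTE_SITE_BLOCKLIST = [
    "pastebin.com", "paste2.org", "dpaste.com", "gist.github.com",
    "justpaste.it", "everfall.com/paste", "sebsauvage.net/paste",
]

def is_paste_site(url, blocklist=PASTE_SITE_BLOCKLIST):
    """True if the URL's host is a listed domain or one of its subdomains;
    for "domain/path" entries the request path must also sit under that path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in blocklist:
        domain, _, prefix = entry.lower().partition("/")
        if host == domain or host.endswith("." + domain):
            if not prefix or path.startswith("/" + prefix):
                return True
    return False

# Assumed Squid native access.log layout:
#   time elapsed client code/status bytes method url ident peer/host type
_LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def scan_proxy_log(lines, blocklist=PASTE_SITE_BLOCKLIST):
    """Return (client_ip, url) for each request that reached a paste site.
    Lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        if is_paste_site(url, blocklist):
            hits.append((client, url))
    return hits

# Constructed sample log lines (not real traffic): one fetch from a paste site,
# and a paste URL plus a non-paste page on the same host for the path-scoped case.
SAMPLE_LOG = [
    "1700000000.123 45 10.0.0.5 TCP_MISS/200 4120 GET https://pastebin.com/raw/XXXX - HIER_DIRECT/1.2.3.4 text/plain",
    "1700000001.456 30 10.0.0.7 TCP_MISS/200 980 GET https://www.example.com/index.html - HIER_DIRECT/5.6.7.8 text/html",
    "1700000002.789 12 10.0.0.9 TCP_MISS/200 2200 GET http://everfall.com/paste/abc123 - HIER_DIRECT/9.9.9.9 text/plain",
    "1700000003.000 10 10.0.0.9 TCP_MISS/200 500 GET http://everfall.com/about - HIER_DIRECT/9.9.9.9 text/html",
    "garbage line that does not parse",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags only the pastebin.com fetch and the everfall.com/paste URL; the same host's /about page and the unparseable line are ignored.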