The ransomware plague cost the world over $1 billion

Group-IB has presented a report which examines key shifts in the cybercrime world internationally between H2 2019 and H1 2020 and gives forecasts for the coming year. The most severe financial damage has occurred as a result of ransomware activity.

ransomware cost 2020

The past year — a harrowing period for the world economy — culminated in the spike of cybercrime. It was also marked by the rise of the underground market for selling access to corporate networks and an over two-fold growth of the carding market. The stand-off between various pro-government hacker groups saw new players come onto the scene, while some previously known groups resumed their operations.

The report examines various aspects of cybercrime industry operations and predicts changes to the threat landscape for various sectors, namely the financial industry, telecommunications, retail, manufacturing, and the energy sector. The authors also analyze campaigns targeting critical infrastructure facilities, which are an increasingly frequent target of intelligence services worldwide.

Forecasts and recommendations set out seek to prevent financial damage and manufacturing downtimes. Its purpose is also to help companies adopt preventive measures for counteracting targeted attacks, cyber espionage, and cyberterrorist operations.

The cost of ransomware

Late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies turned out to be immune to the ransomware plague.

Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported. Since attackers are motivated by financial gain alone, any company regardless of size and industry could fall victim to ransomware attacks.

Meanwhile, if the necessary technical toolsets and data restoring capabilities are not in place, ransomware attacks could not only cause downtime in manufacturing but also bring operations to a standstill.

According to conservative estimates, the total financial damage from ransomware operations amounted to over $1 billion ($1,005,186,000), but the actual damage is likely to be much higher. Victims often remain silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks.

A major ransomware outbreak was detected in the United States, with the country accounting for about 60% of all known incidents. The US is followed by European countries (mainly the UK, France, and Germany), which together make up roughly 20% of all ransomware attacks.

Countries of North and South America (excluding the US) are at 10% and Asian states are at 7%. The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).

Maze and REvil are considered to have the largest appetite: the operators of these two strains are believed to be behind more than half of all successful attacks. Ryuk, NetWalker, and DoppelPaymer come second.

The ransomware pandemic was triggered by an active development of private and public affiliate programs that bring together ransomware operators and cybercriminals involved in compromising corporate networks.

Another reason for an increase in ransomware attacks is that traditional security solutions, still widely used by a lot of companies on the market, very often fail to detect and block ransomware activity at early stages.

Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate program.

The main ways to gain access to corporate networks include brute-force attacks on remote access interfaces (RDP, SSH, VPN), malware (e.g., downloaders), and new types of botnets (brute-force botnets). The latter are used for distributed brute-force attacks from a large number of infected devices, including servers.

In late 2019, ransomware operators adopted a new technique. They began downloading all the information from victim organizations and then blackmailed them to increase the chances of the ransom being paid.

Maze (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.

Seven new APT groups joined the global intelligence service stand-off

Military operations conducted by various intelligence services are becoming increasingly common. A continuing trend was identified, where physical destruction of infrastructure is replacing espionage. Attacker toolkits are being updated with instruments intended for attacks on air-gapped networks.

The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.

A blatant attack was attempted in Israel, where threat actors gained access to some of Israel’s water treatment systems and tried altering water chlorine levels. Had it been successful, the attack would have led to water shortages or even civilian casualties.

State-sponsored APT groups are not losing interest in the telecommunications sector. Over the review period, it was targeted by at least 11 groups affiliated with intelligence services. Threat actors’ main goals remain spying on telecommunications operators or attempts to disable infrastructure.

Threat actors have also set a new record in DDoS attack power: 2.3 Tb per second and 809 million packets per second. BGP hijacking and route leaks remain a serious problem as well. Over the past year, nine significant cases have been made public.

Most state-sponsored threat actors originate from China (23), followed by Iran (8 APT groups), North Korea and Russia (4 APT groups each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.

According to data analyzed, Asia-Pacific became the most actively attacked region by state-sponsored threat actors. A total of 34 campaigns were carried out in this region, and APT groups from China, North Korea, Iran, and Pakistan were the most active.

At least 22 campaigns were recorded on the European continent, with attacks carried out by APT groups from China, Pakistan, Russia, and Iran. Middle East and Africa were the scene of 18 campaigns conducted by pro-government attackers from Iran, Pakistan, Turkey, China, and Gaza.

Cybersecurity researchers have also detected seven previously unknown APT groups, namely Tortoiseshell (Iran),Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (Saudi Arabia), as well as Chimera and WildPressure, whose geographical affiliation remains unknown. In addition, six known groups that remained unnoticed in recent years resumed their operations.

Sales of access to compromised corporate networks grow four-fold

Sales of access to compromised corporate networks have been increasing from year to year and peaked in 2020. It is difficult to assess the size of the market for selling access, however, as offers published on underground forums often do not include the price, while some deals are cut in private.

Nevertheless, technologies for monitoring underground forums (which make it possible to see deleted and hidden posts) helped the experts assess the total market size for access sold in the review period (H2 2019 to H1 2020): $6.2 million. This is a four-fold increase compared to the previous review period (H2 2018 to H1 2019), when it totaled $1.6 million.

Surprisingly, state-sponsored attackers joined this segment of the cybercriminal market seeking additional revenue. As such, in the summer of 2020, on an underground forum a seller offered access to several networks, including some belonging to US government departments, defense contractors (Airbus, Boeing, etc.), IT giants, and media companies. The cost of the access to the companies listed was close to $5 million.

In H1 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums. The number of sellers has also grown. During that period, 63 sellers were active, and 52 of them began selling access in 2020.

For comparison, during all of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, the sales of corporate network access grew by 162% compared to the previous period (138 offers against 362).

After analyzing offers of access to corporate networks, experts found correlations with ransomware attacks: most threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was high in demand.

It should be noted that sellers of access to corporate networks increasingly rarely mention company names, their geographical location and industry, which makes it almost impossible to identify the victim without contacting the attackers.

Selling access to a company’s network is usually only one stage of the attack: the privileges gained might be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.

Market of stolen credit card data reached almost $2 billion

Over the review period, the carding market grew by 116%, from $880 million to $1.9 billion. The quick growth applies to both textual data (bank card numbers, expiration dates, holder names, addresses, CVVs) and dumps (magnetic stripe data). The amount of textual data offered for sale increased by 133%, from 12.5 to 28.3 million cards, while dumps surged by 55%, from 41 to 63.7 million. The maximum price for card textual data is $150 and $500 for a dump.

Dumps are mainly obtained by infecting computers with connected POS terminals with special Trojans and thereby collecting data from random-access memory. Over the review period, 14 Trojans used for collecting dumps were found to be active.

Cybercriminals seek to obtain data relating to credit and debit cards issued by US banks: these account for over 92% of all compromised bank cards. Bank card data of bank customers in India and South Korea are the second and third most desirable targets for cybercriminals. Over the review period, the total price of all the bank card dumps offered for sale amounted to $1.5 billion, while textual data – to $361.7 million.

Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers. The latter were one of the main instruments for stealing large amounts of payment data over the past year. JS sniffers also became more popular in light of the trend of reselling access to various websites and organizations on underground forums.

Group-IB is currently monitoring the activities of 96 JS sniffer families. This is a 2.5-fold increase compared to the previous reporting period, during which there were 38 families on the company’s radar. According to the findings, over the past year nearly 460,000 bank cards were compromised using JS sniffers.

The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services online, and banks that unwittingly become involved in incidents.

The main scenarios for illegally harvesting bank card data and most frequently attacked countries (the United States, India, South Korea) will remain the same. Latin America might become an increasingly attractive target for carders since it already has mature hacker community experienced in using Trojans for this purpose.

Phishing grows by 118%

Between H2 2019 and H1 2020, the number of phishing web resources found and blocked rose by 118% compared to the previous reporting period. Analysts mention the global pandemic and lockdowns as the main reasons: web-phishing, which is one of the simplest ways to earn money in the cybercriminal industry, attracted those who lost their incomes.

The increased demand for online purchases created a favorable environment for phishers. They quickly adapted to this trend and began carrying out phishing attacks on services and individual brands that previously did not have much financial appeal to them.

Scammers also changed their tactics. In previous years, attackers ended their campaigns after fraudulent websites were taken down and quickly switched to other brands. Today, they are automating their attacks instead and replacing the blocked pages with new ones.

Since the start of the year, there has been a rise in advanced social engineering, namely when multi-stage scenarios are used in phishing attacks. As part of such increasingly popular phishing schemes, threat actors first stake out the victim. They establish contact with the targeted individual (e.g., through a messenger), create an atmosphere of trust, and only then do they direct the victim to a phishing page.

One-time links turned out to be another phishing trend of the past year. After a user receives a link and clicks on it at least once, it will not be possible to obtain the same content again in order to collect evidence. This significantly complicates the process of taking down phishing resources.

Most web-phishing pages mimicked online services (39.6%). Phishers in particular gathered login credentials from user accounts on Microsoft, Netflix, Amazon, eBay, Valve Steam, etc. Online services were followed by email service providers (15.6%), financial organizations (15%), cloud storage systems (14.5%), payment services (6.6%), and bookmakers (2.2%).

The biggest cyber threats organizations deal with today

Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves.

Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.

The cybercrime threat

In the past year, cybercriminals:

  • Were quick to exploit the fear and uncertainty associated with COVID-19 as a lure in phishing emails, and the popularity of some SaaS offerings and other services
  • Exploited the lack of basic security hygiene and well-known vulnerabilities to gain access to enterprise systems and networks
  • Exploited supply chain (in)security by hitting vulnerable third-party services, open source software and IoT devices and using them as a way into the target organization

More often than not, phishing emails impersonate a well-known service such as Office 365 (Microsoft), Zoom, Amazon or Apple, in an attempt to harvest login credentials.

“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” Microsoft noted.

The attackers’ reason for exploiting these legacy authentication protocols is simple: they don’t support multi-factor authentication (MFA). Microsoft advises on enabling MFA and disabling legacy authentication.

Cybercriminals are also:

  • Increasingly use cloud services and compromised email and web hosting infrastructures to orchestrate phishing campaigns
  • Rapidly changing campaigns (sending domains, email addresses, content templates, and URL domains)
  • Constantly changing and evolving payload delivery mechanisms (poisoned search results, custom 404 pages hosting phishing payloads, etc.)

One of the biggest and most disruptive cybercrime threat in the past year was ransomware – particularly “human-operated” ransomware wielded by gangs that target ogranizations they believe will part with big sums if affected.

These gangs sweep the internet for easy entry points or use commodity malware to gain access to company networks and change ransomware payloads and attack tools depending on the “terrain” they landed in (and to avoid attribution).

“Ransomware criminals are intimately familiar with systems management concepts and the struggles IT departments face. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks,” Microsoft explained.

“They’re aware of when there are business needs that will make businesses more willing to pay ransoms than take downtime, such as during billing cycles in the health, finance, and legal industries. Targeting networks where critical work was needed during the COVID-19 pandemic, and also specifically attacking remote access devices during a time when unprecedented numbers of people were working remotely, are examples of this level of knowledge.”

Some of them have even shortened their in-network dwell time before deploying the ransomware, going from initial entry to ransoming the entire network in less than 45 minutes.

Gerrit Lansing, Field CTO, Stealthbits, commented that the speed at which a targeted ransomware attack can happen is really determined by one thing: how quickly an adversary can compromise administrative privileges in Microsoft Active Directory.

“Going from initial infiltration to total ownership of Active Directory can be a matter of seconds. Once these privileges are compromised, an adversary’s ability to deploy ransomware to all machines joined to Active Directory is unfettered, which explains how an adversary can go from initial infiltration to total ransomware infection in such a short period of time,” he noted.

Finally, to counter the threat of supply chain insecurity, Microsoft advises companiessupply to:

  • Vet their service providers thoroughly
  • Use systems to automatically identify open source software components and vulnerabilities in them
  • Map IoT assets, apply security policies to reduce the attack surface, and to use a different network for IoT devices and be familiar with all exposed interfaces

enterprise cyberattack trends 2020

Nation-state threats

The company has been following and mapping the activities of a number of nation-state actors and has found that – based on the nation state notifications they deliver to their customers – the attackers’ primary targets are not in the critical infrastructure sectors.

Instead, the top targeted industry sectors are non-governmental organizations (advocacy groups, human rights organizations, nonprofit organizations, etc.) and professional services (consulting firms and contractors):

enterprise cyberattack trends 2020

Microsoft found the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits. Web shell-based attacks are also on the rise.

The report delineates steps organizations can take to counter each of these threats as well as to improve their security and the security of their remote workforce.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling MFA. Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” the Microsoft Security Team concluded.

Biomedical orgs working on COVID-19 vaccines open to cyber attacks

In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.

Biomedical cyber attacks

On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.

Biomedical orgs under attack

The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”

The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.

“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.

Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).

The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.

After achieving persistence through additional tooling or legitimate credentials, APT 29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded Command and Control server. They also use some malware (SoreFang) that has been previously used by other hacking groups.

The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.

Biomedical orgs open to cyber attacks

As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.

BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:

  • 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
  • A variety of open ports (i.e., exposed insecure services that should be never exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
  • Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
  • 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.

“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.

“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”

NSA warns about Sandworm APT exploiting Exim flaw

The Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019, the NSA has warned in a security advisory published on Thursday.

Sandworm CVE-2019-10149

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” they said.

The script would then attempt to add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute an additional script to enable follow-on exploitation.

About Exim and the flaw

Exim is a mail transfer agent (MTA) that is commonly used for Unix-based systems and comes pre-installed on some Linux distributions.

It is the most widely used MTA and is deployed on over half of all Internet-facing mail servers.

While its efficient and highly configurable, its widespread use makes it a common target for attackers, who are always on the lookout for vulnerabilities that can be exploited. And, in Q2 2019, there were a few, including the most critical one: CVE-2019-10149.

Its existence was disclosed in June 2019, after a patch was provided for the supported versions and for a few that are now supported anymore.

Soon after, attackers started exploiting it to compromise Linux servers and instal cryptocoin miners on them, and Microsoft warned about a Linux worm leveraging the flaw to target Azure virtual machines (VMs) running affected versions of Exim.

Mitigation and detection

The NSA has provided mitigation advice as well as indicators of compromise so that organizations can protect themselves and check whether they’ve been targeted by the Sandworm attackers (aka the BlackEnergy APT, aka Telebots), which have in the past been linked to cyber-espionage campaigns targeting NATO, the EU, the White House, a variety of US ICS operators, and Ukranian energy companies, organizations in the financial sector and news media companies.

First and foremost, admins are advised to update their Exim installations to the latest stable release (v4.93) to mitigate this and other vulnerabilities.

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the NSA said, and advised system administrators to continually check software versions and update as new versions become available.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message,” they explained.

Sandworm CVE-2019-10149

Admins and IT security employees can detect and/or block exploitation of the flaw by using specific Snort rules, check traffic logs for emails with a recipient containing “${run”, and routinely check for unauthorized system modifications.

The NSA provided IP addresses and domains that were associated with the Sandworm attacks and offered additional advice on how to apply multiple defensive layers to protect public facing software such as MTAs.

APT attacks targeting Linux, Windows and Android remained undetected for nearly a decade

Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade, according to BlackBerry.

APT groups

The report provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices.

Most large organizations rely on Linux

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks.

While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.

Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.

“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

APT groups: Other key findings

The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.

The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.

The research identifies two new examples of Android malware, continuing a trend seen in a previous report which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.

One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase.

The report examines several new variants of well-known malware that are getting by network defenders through the use code-signing certificates for adware, a tactic that the attackers hope will increase infection rates as AV red flags are dismissed as just another blip in a constant stream of adware alerts.

The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control and data exfiltration communications which appear to be trusted network traffic.

Kwampirs threat actor continues to breach transnational healthcare orgs

The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned.

Kwampirs

“Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted.

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”

Kwampirs

This is the third FBI private industry notification since the beginning of the year about the group’s activities and the modular Kwampirs RAT it uses.

According to the alert:

  • The attack group first establishes a broad and persistent presence on the targeted network and then delivers and executes the Kwampir RAT and other malicious payloads
  • Kwampirs actors have successfully gained and sustained persistent presence on victim networks for a time period ranging from three to 36 months
  • The Kwampir RAT is modular and, depending on the target, different modules are dropped. But it seems that the threat actors main goal is cyber espionage
  • Significant intrusion vectors include: lateral movement between company networks during mergers and acquisitions; malware being passed between entities through shared resources and internet facing resources during the software co-development process; and software supply chain vendors installing infected devices on the customer/corporate LAN or customer/corporate cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI added.

While the Kwampirs/Orangeworm threat actors is considered to be an APT (Advanced Persistent Threat), it is currently unknown whether they are state-backed.

What is known is that they don’t go after PII, payment card data, and are not interested in destroying or encrypting data for ransom – though, according to the FBI, several code-based similarities exist between the Kwampirs RAT and the Shamoon/Disstrack wiper malware.

The group also doesn’t limit their targeting to healthcare and software supply chain organizations. To a lesser extent, they go after companies in the energy and engineering industry as well as financial institutions and prominent law firms, across the United States, Europe, Asia, and the Middle East.

Defense and post-infection remediation

The notice delivers best practices for network security and defense to be incorporated before infection, recommended post-infection actions and identifies residual Kwampirs RAT host artifacts that can help companies to determine if they were a victim.

Indicators of compromise and YARA rules to identify Kwampirs malware have been provided in separate documents.

SANS ISC handler (and Dean of Research at the SANS Technology Institute Twitter) Johannes Ullrich notes that Kwampirs will likely enter an organization’s network undetected as part of a software update from a trusted vendor.

“Anti-malware solutions will detect past versions. But do not put too much trust in anti-malware to detect the next version that is likely tailored to your organization,” he added, and offered helpful advice for writing abstracted detection signatures that might come in handy.

While not recently updated, the MITRE ATT&CK entry for the Kwampirs malware may also be helpful. For more technical details about the malware, you might want to check out ReversingLabs’s recent analysis.

How to prioritize IT security projects

If you’re an IT security professional, you’re almost certainly familiar with that sinking feeling you experience when presented with an overwhelming number of security issues to remediate. It’s enough to make you throw your hands up and wonder where to even begin.

prioritize IT security projects

This is the crux of the problem that develops in the absence of effective security prioritization. If you aren’t prioritizing cybersecurity risks effectively, you’re not only creating a lot of extra work for your team and yourself – you’re also needlessly exposing your organization to IT security attacks.

For better, faster and more robust protection, smart prioritization is an absolute must. Unfortunately, prevailing conditions in the IT space have long worked against this goal.

Why prioritization metrics are lacking

For many years, IT security attacks have been enabled by a haphazard approach toward prioritization. Here’s what we mean: IT security is highly complex and perpetually changing; given the extraordinary number of variables and the dynamic nature of the landscape, it’s difficult for security personnel to make optimal decisions – or to even understand the best processes for making those decisions.

Compounding this problem is the fact that prioritization metrics have historically been under-emphasized. Organizational security leaders are bombarded with marketing messages touting the virtues of one product over another, yet they receive much less assistance with the task of prioritization. Additionally, prioritization metrics are not uniform across the industry, so IT staff will often hear contradictory information.

Making this problem even more acute are the conventional challenges that accompany any IT security team. Resources are limited, decisions must be made about where to apply those resources, and team members are typically overworked and moving in a dozen directions.

How should IT teams prioritize risk?

The simplest way to implement an effective prioritization strategy is to develop a basic framework that can be followed and adjusted as needed. The following is one such example:

  • Risk identification.
  • You can’t prioritize effectively if you don’t understand what makes you vulnerable. Control risks, systemic risks, integration risks – all of these categories (and more) must be accounted for.

  • Risk assessment.
  • Once you’ve identified all potential risks, it’s time to assess the likelihood and probable impact of these risks. Risks that fall into the high likelihood, high probable impact bucket should obviously move to the front of the remediation list. It’s possible to define these risks in both qualitative and quantitative terms, and organizations often choose to create a ranking matrix based on a numerical scoring model.

  • Risk management.
  • With risks identified and assessed, the next step is developing processes to address existing vulnerabilities and protect against future risks. This may include more frequent training and improved IT hygiene, vulnerability scans, penetration testing etc.

Harnessing the power of automation for prioritization

The state of IT security has never been more precarious. Advanced Persistent Threats (APTs), often state-sponsored, can embed themselves in a security environment, move laterally, and steal an organization’s critical assets without being detected for months. Cloud migration – and the challenges of handling on prem/cloud risks in an integrated manner – has created new attack paths while greatly increasing the demands placed on modern organizational security teams.

These developments exacerbate the already tough mandate for IT security pros: they must be right every time, and the attackers need only be successful once. This doesn’t mean that hackers can operate with an entirely free hand; they, too, must pick and prioritize their spots. If your security is robust enough relative to other targets, attackers may judge it to be more trouble than it is worth, especially when there are so many other lightly guarded networks, devices, etc.

Automation is the critical weapon in this game of attack and defend, as it allows attackers to maximize their resources and probe for the most vulnerable targets at scale. For defenders, automation plays an equally essential role. IT security penetration testing does an excellent job of uncovering weak spots, yet it’s also highly manual and episodic. When you aren’t actively red teaming IT security, your environments are exposed. An automated solution – such as a modern Breach and Attack Simulation (BAS) platform – can help ensure 24/7, 365 security.

These automated solutions also come with another added benefit: they make effective prioritization simple in an industry that struggles with the practice. A fully automated BAS solution can identify all attack vectors can exploit and protect critical assets, whether on prem or in the cloud. These solutions work by launching controlled simulations that mimic the likeliest attack path hackers will take, making them an invaluable tool in APT IT security. Breach and attack simulations run continuously, using automation to provide non-stop protection. In essence, it’s like having a highly skilled red team that never takes a moment off.

Equally important, advanced BAS solutions offer prioritized remediation of security gaps. As we’ve seen above, this is a critical feature for today’s security teams, who are facing extraordinary challenges – and need all the help they can get.

The takeaway

Given the enormity of the threat posed by APTs, IT prioritization should be a key organizational mandate. By following the steps outlined above, you can put your security team in the best possible position to win.