Foiling RaaS attacks via active threat hunting

In this Help Net Security podcast, Jon DiMaggio, Chief Security Strategist at Analyst1, talks about the characteristic of attacks launched by Ransomware-as-a-Service (RaaS) gangs and how organizations can prevent them from succeeding.

RaaS attacks

[embedded content]

To make things interesting, Jon’s nine-year-old son is hosting the interview. Below is a transcript for your convenience.

Damien: Hi, I’m Damien DiMaggio, and today I am interviewing Jon DiMaggio, Chief Security Strategist at Analyst1.

Jon: Hi Damien. Thanks for talking with me today.

Today we are talking to Jon about Ransomware-as-a-Service and some of the bad guys behind it. Jon, can you tell us what Ransomware-as-a-Service is?

Jon: Sure, Damien, that’s a great question. So, one of the biggest issues organizations have today is ransomware attacks. Traditionally enterprise ransomware attackers will find a way to initially breach an environment. They’ll “live” in that environment anywhere from days to weeks. We’ve seen as short as three days and as long as two weeks, where the attacker will spend time in the environment using legitimate tools that are already present (“living off the land”), using dual use tools and enumerating and gaining privileges during that time.

Then they use those privileges to turn off and disable security services. This allows the adversary to stage the environment so that when they do execute the ransom payload, it’ll have the most success in encrypting and removing access to customer data. Ransomware-as-a-Service takes this one step further.

Basically, what they do is they sell access to their attacks. So they advertise on dark net forums and marketplaces. And what they do is, you can buy into the service and you can take part in the profit sharing when you help to expose a victim’s environment and they actually pay money.

So, the biggest differentiator here is you have a higher volume of attacks, you have more people involved, you have greater volumes of attacks and shorter timeframes, therefore you bring in a greater amount of profit and by sharing this profit, it’s very appealing and lucrative to cyber criminals.

Interesting. How do these groups differ from traditional ransomware bad guys?

Jon: Well, you know, it’s in the tactics that they use, Damien. One of the tactics that really stands out, and they’re not the only attackers to do it, but they are one of the first to do it, is actually making a copy and stealing the victim’s data prior to the ransomware payload execution.

The benefit that the attacker gets from this is they can now leverage this for additional income. What they do is they threaten the victim to post sensitive information or customer data publicly. And this is just another element of a way to further extort the victim and to increase the amount of money that they can ask for. And now you have these victims that have to worry about not only having all their data taken from them, but actual public exposure.

It’s becoming a really big problem, but those sorts of tactics – as well as using social media to taunt the victim and hosting their own infrastructure to store and post data – all of those things are elements that prior to seeing it used with Ransomware-as-a Service, were not widely seen in traditional enterprise ransomware attacks.

What do they do with the data once they have it?

Jon: The first thing that they do is they go through, and they find some element of it that’s sensitive. Now that could be sensitive email communications, or it could be some sort of secret “sauce” to something that the victim organization provides or does, or it could be sensitive customer information that you wouldn’t want exposed. And they’ll take a small piece of that to dangle in front of the victim to let them know that they’re serious, and they will post it publicly.

They’ll use Twitter to “socialize” the fact that they have this data, they’ll post to text hosting sites, such as Pastebin, or they’ll take screenshots of emails or documents and post to image hosting sites like 4Chan. It’s almost like a propaganda-driven campaign where they’ll really try to put out the message and spread the word that they have access to this organization’s critical information and customer data in order to entice the victim to pay. They want to make sure customers know, they specifically will reach out to customers of some of these organizations in order to increase the pressure and have the victim pay.

So, everything’s about gaining as much money and profit with Ransomware-as-a-Service groups, and they’ve just found different ways to implement and exploit victims outside and beyond traditional ransomware encryption techniques.

Should the victims pay the ransom? And if they do, does the bad guy hold up their end of the deal?

Jon: That’s a good question also. It’s really difficult… You can’t judge a victim by whether or not they pay or not. We always tell people you shouldn’t pay a ransom. If no one paid ransom, you wouldn’t keep having attackers continue these types of attacks. It takes them time, days to weeks, as I mentioned, that they have to spend doing this work in order to get a payout. So if they spent all that time and no one paid for these guys to make additional money, so…

You can’t trust that paying them is going to keep you protected. Organizations are in a bad spot when this happens, and they’ll have to make those decisions on whether it’s worth paying. But traditionally, it’s always best to not get compromised in the first place, which obviously doesn’t help an organization once that’s already happened. But just understand, just because you pay the ransom doesn’t mean that you’re going to get your data back or that it’s not going to be posted publicly later on down the road.

What can companies do to protect themselves from these types of attacks?

Jon: The best time to stop the attack is before the ransomware payload is executed. So, during that time period, those days to weeks where the adversary is staging the environment, that provides an opportunity to detect them. So, when the adversary is using legitimate administrative tools in order to further gain a foothold, that’s the time for defenders to identify it.

So, looking at administrative tool use, looking at who’s using it, looking at the times that they’re using it, looking at what they’re doing with it, all of those are things where there’s an opportunity to prevent that from happening. And we have seen defenders that actually do this well, and they do identify that there is an attack taking place, and they have successfully stopped these ransomware attackers.

But it’s all about the mindset of having very active threat hunting take place, and just not relying on tools and applications to flash red and tell you that something nefarious is going on in your organization. It’s a very proactive approach, and it’s not just looking at the bad stuff, but also looking at the good stuff that organizations need to do, the legitimate tool use.

Damien: Thanks, Jon, it’s been very informative, great job.

Jon: Thank you, Damien.

Malware may trick biologists into generating dangerous toxins in their labs

An end-to-end cyber-biological attack, in which unwitting biologists may be tricked into generating dangerous toxins in their labs, has been discovered by Ben-Gurion University of the Negev researchers.

cyber-biological attack

Malware could replace physical contact

According to a paper, it is currently believed that a criminal needs to have physical contact with a dangerous substance to produce and deliver it. However, malware could easily replace a short sub-string of the DNA on a bioengineer’s computer so that they unintentionally create a toxin producing sequence.

“To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders which is currently the most effective line of defense against such attacks,” says Rami Puzis, head of the BGU Complex Networks Analysis Lab, a member of the Department of Software and Information Systems Engineering and [email protected]. California was the first state in 2020 to introduce gene purchase regulation legislation.

“However, outside the state, bioterrorists can buy dangerous DNA, from companies that do not screen the orders,” Puzis says. “Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”

A weakness in the U.S. Department of Health and Human Services (HHS) guidance for DNA providers allows screening protocols to be circumvented using a generic obfuscation procedure which makes it difficult for the screening software to detect the toxin producing DNA.

“Using this technique, our experiments revealed that that 16 out of 50 obfuscated DNA samples were not detected when screened according to the ‘best-match’ HHS guidelines,” Puzis says.

The synthetic DNA supply chain needs hardening

The researchers also found that accessibility and automation of the synthetic gene engineering workflow, combined with insufficient cybersecurity controls, allow malware to interfere with biological processes within the victim’s lab, closing the loop with the possibility of an exploit written into a DNA molecule.

The DNA injection attack demonstrates a significant new threat of malicious code altering biological processes. Although simpler attacks that may harm biological experiments exist, we’ve chosen to demonstrate a scenario that makes use of multiple weaknesses at three levels of the bioengineering workflow: software, biosecurity screening, and biological protocols. This scenario highlights the opportunities for applying cybersecurity know-how in new contexts such as biosecurity and gene coding.

“This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats,” Puzis says.

“To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing. We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide.

Cyber insurance claims on the rise

External attacks on companies result in the most expensive cyber insurance losses, but it is employee mistakes and technical problems that are the most frequent generator of claims by number, according to a report from Allianz Global Corporate & Specialty (AGCS).

cyber insurance claims

The study analyzes 1,736 cyber-related insurance claims worth EUR 660mn (US$ 770mn) involving AGCS and other insurers from 2015 to 2020.

“Losses from incidents such as distributed denial of service (DDoS) attacks or phishing and ransomware campaigns account for a significant majority of the value of cyber claims today,” says Catharina Richter, Global Head of the Allianz Cyber Center of Competence, a part of AGCS.

“But although cyber crime generates the headlines, everyday systems failures, IT outages and human error incidents can also cause problems for companies, even if their financial impact is not, on average as severe. Employers and employees must work together to raise awareness and increase cyber resilience.”

Growth of the global cyber insurance market fueling cyber insurance claims

The number of cyber insurance claims has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, there were already 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market which is currently estimated to be worth $7bn according to Munich Re.

The report also highlights that there has been a 70%+ increase in the average cost of a cybercrime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches.

Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims analyzed according to the report, followed by malicious internal actions (9%) – which are infrequent but can be costly.

Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data account for 54% of cyber claims analyzed by number but, often, the financial impact of these is limited compared with cyber crime. However, losses can quickly escalate in the case of more serious incidents.

Business interruption, the main cost driver behind cyber losses

Business interruption is the main cost driver behind cyber losses, accounting for around 60% of the value of all claims analyzed, followed by costs involved with dealing with data breaches.

Businesses and insurers are facing a number of challenges such as the prospect of more expensive business interruptions, the rising frequency of ransomware incidents, more costly consequences of larger data breaches given more robust regulation and litigation, as well as the impact from the playing out of political differences in cyber space through state-sponsored attacks.

The huge rise in remote working due to the coronavirus pandemic is also an issue. Displaced workforces create new opportunities for cyber criminals to gain access to networks and sensitive information.

Malware and ransomware incidents are already reported to have increased by more than a third since the start of 2020, while coronavirus-themed online scams and phishing campaigns about the pandemic continue. At the same time the potential impact from human error or technical failure incidents may also be heightened.

Ransomware threats surge

Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands.

There were nearly half a million ransomware incidents reported globally last year, costing organizations at least $6.3bn in ransom demands alone. Total costs associated with dealing with these incidents are estimated to be well in excess of $100bn.

“High-end hacking tools are more widely available driven by the growing ‘commercialization of cyber-hacks’. Increasingly, criminals are selling malware to other attackers who then target businesses demanding ransom payments,” says Marek Stanislawski, Global Cyber Underwriting Lead at AGCS.

“However, extortion demands are just one part of the picture. Business interruption can bring the most severe losses – with downtimes becoming longer – while systems and data restoration costs can quickly escalate.”

Business interruption and digital supply chain vulnerability growing

“Whether due to ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy,” says Joerg Ahrens, Global Head of Long-Tail Claims at AGCS.

“The inability to access data for an extended period of time can have a significant impact on revenues – for example, if a company is unable to take orders. Similarly, if an online platform is unavailable due to a technical glitch or cyber event, it could bring large losses for companies that rely on it, particularly given today’s increasing reliance on online sales or digital supply chains.”

Data breaches and state-sponsored attacks

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Data privacy regulation, which has recently been tightened in many countries, is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation.

So-called mega data breaches (involving more than one million records) are more frequent and expensive, now costing $50mn on average, up 20% over 2019.

In addition, the impact of the increasing involvement of nation states in cyber-attacks is a growing concern. Major events like elections and COVID-19 present significant opportunities.

During 2020 Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns.

Symantec Reports on Cicada APT Attacks against Japan

Symantec Reports on Cicada APT Attacks against Japan

Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.

Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.

The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.

Interesting details about the group’s tactics.

News article.

Sidebar photo of Bruce Schneier by Joe MacInnis.

56% of organizations faced a ransomware attack, many paid the ransom

There’s a continued proliferation of ransomware, heightened concerns around nation-state actors, and the need for acceleration of both digital and security transformation, a CrowdStrike survey reveals.

faced ransomware attack

Proliferation of ransomware leads to more frequent payouts, costing millions

Survey data indicates ransomware attacks have proven to be especially effective, as 56% of organizations surveyed have suffered a ransomware attack in the last year. The COVID-19 pandemic catalyzed increasing concerns around ransomware attacks, with many organizations resorting to paying the ransom.

The global attitude shifts from a question of if an organization will experience a ransomware attack to a matter of when an organization will inevitably pay a ransom. Notable findings include:

  • Concern around ransomware attacks continues to increase, with the stark increase in this year’s findings (54%) compared to 2019 (42%) and 2018 (46%).
  • 71% of cybersecurity experts globally are more worried about ransomware attacks due to COVID-19.
  • Among those hit by ransomware, 27% chose to pay the ransom, costing organizations on average $1.1 million USD owed to hackers.
  • The APAC region is suffering the most when paying the ransom with the highest average payout at $1.18 million USD, followed by EMEA at $1.06 million and the U.S. at $0.99 million.

Fear of nation-state cyberattacks can stifle business growth in post COVID-19 world

Nation-state activity continues to weigh heavily on IT decision makers, as 87% of respondents agree that nation-state sponsored cyberattacks are far more common than people think.

As growing international tensions and the global election year have created a nesting ground for increased nation-state activity, organizations are under increased pressure to resume operations despite the increased value of intellectual property and vulnerabilities caused by COVID-19. Key highlights include:

  • Even with the massive rise in eCrime over the course of 2020, 73% believe nation-state sponsored cyberattacks will pose the single biggest threat to organizations like theirs in 2021. In fact, concerns around nation-states have steadily increased, as 63% of cybersecurity experts view nation-states as one of the cyber criminals most likely to cause concern, consistently rising from 2018 (54%) and 2019 (59%).
  • 89% are fearful that growing international tensions (e.g. U.S.-China trade war) are likely to result in a considerable increase in cyber threats for organizations.
  • Approximately two in five IT security professionals believe a nation-state cyberattack on their organization would be motivated by intelligence (44%) or to take advantage of vulnerabilities caused by COVID-19 (47%).

Digital and security transformation accelerated as business priority

In the wake of these threats, cybersecurity experts have accelerated their digital and security transformation efforts to address the growing activity from eCrime and nation-state actors.

While spend on digital transformation continues to trend upward, the COVID-19 pandemic accelerated the timeline for many organizations, costing additional investment to rapidly modernize security tools for the remote workforce. Security transformation rollout findings include:

  • 61% of respondents’ organizations have spent more than $1 million on digital transformation over the past three years.
  • 90% of respondents’ organizations have spent a minimum of $100,000 to adapt to the COVID-19 pandemic.
  • 66% of respondents have modernized their security tools and/or increased the rollout of cloud technologies as employees have moved to work remotely.
  • 78% of respondents have a more positive outlook on their organization’s overarching security strategy and architecture over the next 12 months.

“This year has been especially challenging for organizations of all sizes around the world, with both the proliferation of ransomware and growing tensions from nation-state actors posing a massive threat to regions worldwide,” said Michael Sentonas, CTO, CrowdStrike.

“Now more than ever, organizations are finding ways to rapidly undergo digital transformation to bring their security to the cloud in order to keep pace with modern-day threats and secure their ‘work from anywhere’ operations.

Cybersecurity teams around the globe are making strides in improving their security posture by moving their security infrastructure to the cloud and remaining diligent in their incident detection, response and remediation practices.”

Ransomware still the most common cyber threat to SMBs

Ransomware still remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals.

ransomware SMBs

More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches.

The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly six times higher than it was in 2018 increasing from $46,800 to $274,200 over the past two years, according to Datto’s research. Phishing, poor user practices, and lack of end user security training continue to be the main causes of successful ransomware attacks.

The survey also revealed the following:

  • MSPs a target: 95% of MSPs state their own businesses are more at risk. Likely due to increasing sophistication and complexity of ransomware attacks, almost half (46%) of MSPs now partner with specialized Managed Security Service Providers (MSSPs) for IT security assistance – to protect both their clients and their own businesses.
  • SMBs spend more on security: 50% of MSPs said their clients had increased their budgets for IT security in 2020, perhaps indicating awareness of the ransomware threat is growing.
  • Average cost of downtime continues to overshadow actual ransom amount: Downtime costs related to ransomware are now nearly 50X greater than the ransom requested.
  • Business continuity and disaster recovery (BCDR) remains the number one solution for combating ransomware, with 91% of MSPs reporting that clients with BCDR solutions in place are less likely to experience significant downtime during an attack. Employee training and endpoint detection and response platforms ranked second and third in tackling ransomware.

The impact of COVID-19 on ransomware and the cost of security disruptions

During the pandemic, the move to remote working and the accelerated adoption of cloud applications have increased security risks for businesses. More than half (59%) of MSPs said remote work due to COVID-19 resulted in increased ransomware attacks, and 52% of MSPs reported that shifting client workloads to the cloud increased security vulnerabilities.

As a result, SMBs need to take precautions to avoid the costly disruptions that occur in the aftermath of an attack. The survey also determined that healthcare was the most vulnerable industry during the pandemic (59%).

“Now more than ever organizations need to be vigilant in their approach to cybersecurity, especially in the healthcare industry as it’s managing and handling the most sensitive (and for criminals the most valuable) private data,” said Travis Lass, President of XLCON.

“The majority of our clients are small healthcare clinics, with no in-house IT. As ransomware attacks continue to increase, it’s critical we do everything we can to support them by arming them with best-in-class technology that will fend off malicious attackers looking to take advantage of the already fragile state of the healthcare industry.”

Top three ways ransomware is attacking entities

  • Phishing emails. 54% of MSPs report these as the most successful ransomware attack vector. The social engineering tactics used to deceive victims have become very sophisticated, making it vital for SMBs to offer extensive and consistent end user security education that goes beyond the basics of identifying phishing attacks.
  • Software-as-a-Service (SaaS) applications. Nearly one in four MSPs reported ransomware attacks on clients’ SaaS applications, with Microsoft being hit the hardest at 64%. These attacks mean that SMBs must consider the vulnerability of their cloud applications when planning their IT security measures and budgets.
  • Windows endpoint systems applications. These are the most targeted by hackers, with 91% of ransomware attacks targeting Windows PCs this year.

“The COVID-19 pandemic has accelerated the need for stronger security measures as remote working and cloud applications increase in prevalence,” remarked Ryan Weeks, CISO at Datto.

“Reducing the risk of cyberattacks requires a multi-layered approach rather than a single product – awareness, education, expertise, and purpose-built solutions all play a key role.

“The survey highlights how MSPs are taking the extra step to partner with MSSPs that can offer more security-focused experience, along with a more widespread use of security measures like SSO and 2FA – these are critical strategies businesses and municipalities need to adopt to protect themselves from cyber threats now and in the future.”

Malware activity spikes 128%, Office document phishing skyrockets

Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future.

malware activity q3 2020

Threat actors becoming even more ruthless

The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.

“We continue to see attackers use newsjacking and typosquatting techniques to attack organizations with ransomware, especially this quarter with the Presidential election and schools moving to a virtual learning model,” said John Ayers, Nuspire Chief Strategy Product Officer.

“It’s important for organizations to understand the latest threat landscape is changing so they can better prepare for current themes and better understand their risk.”

Increase in malware activity

There has been a significant increase in malware activity over the course of Q3 2020; the 128% increase from Q2 represents more than 43,000 malware variants detected a day.

As Emotet made a significant appearance, new features in Emotet modules were discovered, implying the group will likely continue operations throughout the remainder of the next quarter to successfully gauge the viability of these new features.

“Intelligence is key to identifying these top threats like Emotet,” said Greg Lesnewich, Senior Intelligence Analyst, Recorded Future.

“Keeping a vigilant eye on how threats evolve, grow and adapt over time helps us understand how threat actors have been retooling their tactics. It’s more important than ever to consistently have visibility into the threat landscape.”

Additional findings

  • The ZeroAccess botnet made another big appearance in Q3. It resurged in Q2, coming in second for most used botnet, but then went quiet towards the end of Q2, coming back up in Q3.
  • Office document phishing skyrocketed during the second half of Q3, which could be due to the upcoming election, or because attackers have just finished retooling.
  • Ransomware attack on the automotive industry is on the rise. At the end of Q3 2020, references have already surpassed the 2019 total at 18,307, an increase of 79.15% with Q4 still remaining.
  • H-Worm Botnet, also known as Houdini, Dunihi, njRAT, NJw0rm, Wshrat, and Kognito, surged to the top of witnessed Botnet traffic for Q3 from the actors behind the botnet by deploying instances of Remote Access Trojans (RATs) using COVID-19 phishing lures and executable names.

The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.

security consequences work

The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps are on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Fraudsters increasingly creative with names and addresses for phishing sites

COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.

phishing sites

The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.

The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.

Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.

The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.

“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.

“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”

Names and addresses of phishing sites

As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.

In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.

Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.

By tracking the theft of credentials through to use in active attacks, criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.

Meanwhile, cybercriminals were also got more ruthless in their bid to hijack reputable, albeit vulnerable URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4,7% in 2017.

Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.

Hiding in plain sight

2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).

Combining incidents from 2019 and 2020, 55.3% of drop zones used a non-standard SSL/TLS port were additionally reported. Port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.

The future of phishing

According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.

As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms.

This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.

Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0,4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.

Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.

Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.

Recent real-time phishing proxies in active use include Modlishka2 and Evilginx23.

Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.

“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”

Paying a ransom to prevent leaking of stolen data is a risky gamble

Ransomware groups have realized that their tactics are also very effective for targeting larger enterprises, and this resulted in a 31% increase of the average ransom payment in Q3 2020 (reaching $233,817), ransomware IR provider Coveware shared in a recently released report.

They also warned that cases where the attackers exfiltrated data and asked for an additional ransom to delete it have doubled in the same period, but that paying up is a definite gamble.

“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data,” they noted.

The data cannot be credibly deleted, it’s not secured and is often shared with other parties, they said. Various ransomware groups have posted the stolen data online despite having been paid to not release it or have demanded another payment at a later date.

ransom payment

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future,” the company said.

“The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”

Other findings

Coveware’s analyst also found that improperly secured Remote Desktop Protocol (RDP) connections and compromised RDP credentials are the most prevalent way in for ransomware gangs, followed by email phishing and software vulnerabilities.

ransom payment

What’s interesting is that the “popularity” of RDP as an attack vector declines as the size of the target companies increases, bacuse larger companies are typically wise enough to secure it. The attackers must then switch to using more pricy means: RDP credentials can be purchased for less than $50, but email phishing campaigns and vulnerability exploits require more effort and time/money – even if they are performed by another attacker who then sells the access to the gang.

“The foothold created by the phishing email or CVE exploit is used to escalate privileges until the attacker can command a domain controller with senior administrative privileges. Once that occurs, the company is fully compromised and data exfiltration + ransomware are likely to transpire within hours or days,” they explained.

Companies/organizations in every industry can be a target, but attackers seem to prefer those in the professional services industry, healthcare and the public sector:

ransom payment

Ryuk ransomware behind one third of all ransomware attacks in 2020

There’s a growing use of ransomware, encrypted threats and attacks among cybercriminals leveraging non-standard ports, while overall malware volume declined for the third consecutive quarter, SonicWall reveals.

ryuk ransomware

“For most of us, 2020 has been the year where we’ve seen economies almost stop, morning commutes end and traditional offices disappear,” said Bill Conner, President and CEO, SonicWall.

“However, the overnight emergence of remote workforces and virtual offices has given cybercriminals new and attractive vectors to exploit. These findings show their relentless pursuit to obtain what is not rightfully theirs for monetary gain, economic dominance and global recognition.”

Key findings include:

  • 39% decline in malware (4.4 billion YTD); volume down for third consecutive quarter
  • 40% surge in global ransomware (199.7 million)
  • 19% increase in intrusion attempts (3.5 trillion)
  • 30% rise in IoT malware (32.4 million)
  • 3% growth of encrypted threats (3.2 million)
  • 2% increase in cryptojacking (57.9 million)

Malware volume dipping as attacks more targeted, diversified

While malware authors and cybercriminals are still busy working to launch sophisticated cyberattacks, the research concludes that overall global malware volume continues steadily decline in 2020. In a year-over-year comparison through the third quarter, researchers recorded 4.4 billion malware attacks — a 39% drop worldwide.

Regional comparisons show India (-68%) and Germany (-64%) have once again seen a considerable drop-rate percentage, as well as the United States (-33%) and the United Kingdom (-44%). Lower numbers of malware do not mean it is going away entirely. Rather, this is part of a cyclical downturn that can very easily right itself in a short amount of time.

Ransomware erupts, Ryuk responsible for third of all attacks

Ransomware attacks are making daily headlines as they wreak havoc on enterprises, municipalities, healthcare organizations and educational institutions. Researchers tracked aggressive growth during each month of Q3, including a massive spike in September.

While sensors in India (-29%), the U.K. (-32%) and Germany (-86%) recorded decreases, the U.S. saw a staggering 145.2 million ransomware hits — a 139% YoY increase.

Notably, researchers observed a significant increase in Ryuk ransomware detections in 2020. Through Q3 2019, just 5,123 Ryuk attacks were detected. Through Q3 2020, 67.3 million Ryuk attacks were detected — 33.7% of all ransomware attacks this year.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall VP, Platform Architecture, Dmitriy Ayrapetov.

“The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that its infested with several types of malware.”

IoT dependency grows along with threats

COVID-19 led to an unexpected flood of devices on networks, resulting in an increase of potential threats to companies fighting to remain operational during the pandemic. A 30% increase in IoT malware attacks was found, a total of 32.4 million world-wide.

Most IoT devices — including voice-activated smart devices, door chimes, TV cameras and appliances — were not designed with security as a top priority, making them susceptible to attack and supplying perpetrators with numerous entry points.

“Employees used to rely upon the safety office networks provided, but the growth of remote and mobile workforces has extended distributed networks that serve both the house and home office,” said Conner.

“Consumers need to stop and think if devices such as AC controls, home alarm systems or baby monitors are safely deployed. For optimum protection, professionals using virtual home offices, especially those operating in the C-suite, should consider segmenting home networks.”

Threat intelligence data also concluded that while cryptojacking (57.9 million), intrusion attempts (3.5 trillion) and IoT malware threats (32.4 million) are trending with first-half volume reports, they continue to pose a threat and remain a source of opportunity for cybercriminals.

Top tasks IT professionals are spending more time on

LogMeIn released a report that reveals the current state of IT in the new era of remote work. The report quantifies the impact of COVID-19 on IT roles and priorities for small to medium-sized businesses.

top tasks IT professionals

The study reveals the massive shift in the day-to-day work of IT professionals, and the broader impact of the transition to remote work for the majority of businesses.

The report uncovers how the budgets, priorities, and functions of IT teams at small and medium-sized businesses continue to be shaped by ongoing global upheaval and uncertainty and provides insights into how IT professionals are adapting their roles and teams to these challenges.

Virtual tasks and security concerns demand more IT time

With the onset of COVID-19, the types of tasks that filled a typical IT team member’s day changed significantly. The research found that 67 percent of respondents said they spend more time on virtual tasks like team web meetings, remotely accessing employee devices (66 percent) and customer web meetings (52 percent).

Security also gained increased focus, with 54 percent spending more time managing IT security threats and 54 percent developing new security protocols. 47 percent of IT professionals are spending 5 to 8 hours per day on IT security, compared to 35% in 2019.

The increased complexities of BYOD and BYOA (Bring-Your-Own-Devices and Access) work environments combined with advancements in cyberattacks have increasingly monopolized the focus of IT professionals.

IT is most worried about a breach

The top IT security concerns continue to be data breaches (cloud, internal, and external), malware, employee behavior, and ransomware. With cloud technology and adoption skyrocketing over the years, fear of a cloud data security breach has increased significantly just in the past two years, with 40% of IT professionals expressing concern in 2018 and 53% citing it as a top security concern in 2020.

Another higher priority concern in 2020 compared to previous years is ‘Rapidly evolving business technology practices’ with 29 percent of IT professionals stating it’s a top security concern in 2020, compared to only 20 percent in 2019.

Lack of budget is the greatest barrier to keeping up with trends in IT

35 percent of IT professionals agree that a lack of budget is the biggest challenge their company is facing in trying to keep up with IT trends. IT training, lack of IT staff, lack of control over a remote workforce, and IT staff resistance to change are all seen as the most common reasons IT teams are struggling to adapt to changes in their field.

With limited budget, IT teams must implement solutions that enable them to do more with less and prioritize implementing tools with security, automation, and monitoring functionality.

Software facilitating remote collaboration and management proved most valuable to IT

Given that it was no longer possible to stop by an employee’s desk to address any issues, 38 percent of IT teams prioritized remote access software first during the COVID-19 pandemic.

With employees working from home, having a way to collaborate with colleagues became mission-critical, so it’s not surprising that one third of IT respondents prioritized meeting and communications software.

“Despite the impact many teams experienced from COVID-19 – from budget, to resource allocation, to project priorities – many teams are now more prepared,” said Ian Pitt, CIO at LogMeIn.

“This data shows that the pandemic has led to improved training for IT and employees, ensuring all employees have the appropriate hardware and software, and even installed multifactor authentication for improved security.”

Attacks on IoT devices continue to escalate

Attacks on IoT devices continue to rise at an alarming rate due to poor security protections and cybercriminals use of automated tools to exploit these vulnerabilities, according to Nokia.

attacks IoT devices

IoT devices most infected

The report found that internet-connected, or IoT, devices now make up roughly 33% of infected devices, up from about 16% in 2019. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally.

Adoption of IoT devices, from smart home security monitoring systems to drones and medical devices, is expected to continue growing as consumers and enterprises move to take advantage of the high bandwidth, ultra-low latency, and fundamentally new networking capabilities that 5G mobile networks enable, according to the report.

The rate of success in infecting IoT devices depends on the visibility of the devices to the internet, according to the report. In networks where devices are routinely assigned public facing internet IP addresses, a high infection rate is seen.

In networks where carrier-grade Network Address Translation is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

Cybercriminals taking advantage of the pandemic

The report also reveals there is no let up in cybercriminals using the COVID-19 pandemic to try to steal personal data through a variety of types of malware. One in particular is disguised as a Coronavirus Map application – mimicking the legitimate and authoritative Coronavirus Map issued by Johns Hopkins University – to take advantage of the public’s demand for accurate information about COVID-19 infections, deaths and transmissions.

But the bogus application is used to plant malware on victims’ computers to exploit personal data. “Cybercriminals are playing on people’s fears and are seeing this situation as an opportunity to promote their agendas,” the report says. The report urges the public to install applications only from trusted app stores, like Google and Apple.

Bhaskar Gorti, President and Chief Digital Officer, Nokia, said: “The sweeping changes that are taking place in the 5G ecosystem, with even more 5G networks being deployed around the world as we move to 2021, open ample opportunities for malicious actors to take advantage of vulnerabilities in IoT devices.

“This report reinforces not only the critical need for consumers and enterprises to step up their own cyber protection practices, but for IoT device producers to do the same.”

How tech trends and risks shape organizations’ data protection strategy

Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected.

data protection strategy

Data protection strategy

The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations.

Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore.

“Data drives the global economy yet protecting databases, where the most critical data resides, remains one of the least focused-on areas in cybersecurity,” said Arthur Wong, CEO at Trustwave.

“Our findings illustrate organizations are under enormous pressure to secure data as workloads migrate off-premises, attacks on cloud services increases and ransomware evolves. Gaining complete visibility of data either at rest or in motion and eliminating threats as they occur are top cybersecurity challenges all industries are facing.”

More sensitive data moving to the cloud

Types of data organizations are moving into the cloud have become increasingly sensitive, therefore a solid data protection strategy is crucial. Ninety-six percent of total respondents stated they plan to move sensitive data to the cloud over the next two years with 52% planning to include highly sensitive data with Australia at 57% leading the regions surveyed.

Not surprisingly, when asked to rate the importance of securing data regarding digital transformation initiatives, an average score of 4.6 out of a possible high of five was tallied.

Hybrid cloud model driving digital transformation and data storage

Of those surveyed, most at 55% use both on-premises and public cloud to store data with 17% using public cloud only. Singapore organizations use the hybrid cloud model most frequently at 73% or 18% higher than the average and U.S. organizations employ it the least at 45%.

Government respondents store data on-premises only the most at 39% or 11% higher than average. Additionally, 48% of respondents stored data using the hybrid cloud model during a recent digital transformation project with only 29% relying solely on their own databases.

Most organizations use multiple cloud services

Seventy percent of organizations surveyed were found to use between two and four public cloud services and 12% use five or more. At 14%, the U.S. had the most instances of using five or more public cloud services followed by the U.K. at 13%, Australia at 9% and Singapore at 9%. Only 18% of organizations queried use zero or just one public cloud service.

Perceived threats do not match actual incidents

Thirty-eight percent of organizations are most concerned with malware and ransomware followed by phishing and social engineering at 18%, application threats 14%, insider threats at 9%, privilege escalation at 7% and misconfiguration attack at 6%.

Interestingly, when asked about actual threats experienced, phishing and social engineering came in first at 27% followed by malware and ransomware at 25%. The U.K. and Singapore experienced the most phishing and social engineering incidents at 32% and 31% and the U.S. and Australia experienced the most malware and ransomware attacks at 30% and 25%.

Respondents in the government sector had the highest incidents of insider threats at 13% or 5% above the average.

Patching practices show room for improvement

A resounding 96% of respondents have patching policies in place, however, of those, 71% rely on automated patching and 29% employ manual patching. Overall, 61% of organizations patched within 24 hours and 28% patched between 24 and 48 hours.

The highest percentage patching within a 24-hour window came from Australia at 66% and the U.K. at 61%. Unfortunately, 4% of organizations took a week to over a month to patch.

Reliance on automation driving key security processes

In addition to a high percentage of organizations using automated patching processes, findings show 89% of respondents employ automation to check for overprivileged users or lock down access credentials once an individual has left their job or changed roles.

This finding correlates to low concern for insider threats and data compromise due to privilege escalation according to the survey. Organizations must exercise caution when assuming removal of user access to applications to also include databases, which is often not the case.

Data regulations having minor impact on database security strategies

When asked if data regulations such as GDPR and CCPA impacted database security strategies, a surprising 60% of respondents said no.

These findings may suggest a lack of alignment between information technology and other departments, such as legal, responsible for helping ensure stipulations like ‘the right to be forgotten’ are properly enforced to avoid severe penalties.

Small teams with big responsibilities

Of those surveyed, 47% had a security team size of only six to 15 members. Respondents from Singapore had the smallest teams with 47% reporting between one and ten members and the U.S. had the largest teams with 22% reporting team size of 21 or more, 2% higher than the average.

Thirty-two percent of government respondents surprisingly run security operations with teams between just six and ten members.

Is poor cyber hygiene crippling your security program?

Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks.

vulnerabilities remote work

The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.

Threat level is unchanged

While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, major changes in organizational and IT infrastructure to support remote work created new vulnerabilities for threat actors to exploit.

The sudden switch to remote work and increased use of cloud services and personal devices significantly expanded the attack surface for many organizations. Facing an urgent need for business continuity, many companies did not have time to put all the necessary protocols, processes and controls in place, making it difficult for security teams to respond to incidents.

Threat actors—including nation-states and financially-motivated cyber criminals—are exploiting these vulnerabilities with malware, phishing, and other social engineering tactics to take advantage of victims for their own gain. One in four attacks are now ransomware related—up from 1 in 10 in 2018—and new COVID-19 phishing attacks include stimulus check fraud.

Additionally, healthcare, pharmaceutical and government organizations and information related to vaccines and pandemic response are attack targets.

The issue with dispersed workforces

Barry Hensley, Chief Threat Intelligence Officer, Secureworks said: “Against a continuing threat of enterprise-wide disruption from ransomware, business email compromise and nation-state intrusions, security teams have faced growing challenges including increasingly dispersed workforces, issues arising from the rapid implementation of remote working with insufficient consideration to security implications, and the inevitable reduced focus on security from businesses adjusting to a changing world.”

Most US states show signs of a vulnerable election-related infrastructure

75% of all 56 U.S. states and territories leading up to the presidential election, showed signs of a vulnerable IT infrastructure, a SecurityScorecard report reveals.

election infrastructure

Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below; 35% have a ‘D’ and below. States with a grade of ‘C’ are 3x more likely to experience a breach (or incident, such as ransomware) compared to an ‘A’ based on a three-year SecurityScorecard study of historical data. Those with a ‘D’ are nearly 5x more likely to experience a breach.

  • States with the highest scores: Kentucky (95) Kansas (92) Michigan (92)
  • States with the lowest scores: North Dakota (59) Illinois (60) Oklahoma (60)
  • Among states and territories, there are as many ‘F’ scores as there are ‘A’s
  • The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software.

Significant security concerns were observed with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.

The battleground states

According to political experts, the following states are considered “battleground” and will help determine the result of the election. But over half have a lacking overall IT infrastructure:

  • Michigan: 92 (A)
  • North Carolina: 81 (B)
  • Wisconsin: 88 (B)
  • Arizona: 81 (B)
  • Texas: 85 (B)
  • New Hampshire: 77 (C)
  • Pennsylvania: 85 (B)
  • Georgia: 77 (C)
  • Nevada: 74 (C)
  • Iowa: 68 (D)
  • Florida: 73 (C)
  • Ohio: 68 (D)

“The IT infrastructure of state governments should be of critical importance to securing election integrity,” said Alex Heid, Chief Research & Development Officer at SecurityScorecard.

“This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors.

“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”

Potential consequences of lower scores

  • Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation. Malicious actors often sell access to organizations they have successfully infected.
  • Attacks via third-party vendors – many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns.
  • Voter registration databases could be impacted. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.

“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration.

“For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections, but save more lives.”

A set of best practices for states

  • Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
  • Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
  • States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes

Microsoft and partners cut off key Trickbot botnet infrastructure

Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.

Trickbot botnet

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.

About Trickbot and the Trickbot botnet

Trickbot, which dates back to 2016, was originally a banking trojan, but due to its modular nature it is now capable of much more: gathering saved and entered credentials, browser histories, network and system information, installing a backdoor, harvesting email addresses, running various commands on a Windows domain controller to steal Active Directory credentials, launching brute force attacks against selected Windows systems running a RDP connection exposed to the Internet, and downloading and loading ransomware on the infected computer.

The malware is often delivered through spam and spear phishing campaigns, and occasionally through the Emotet botnet.

“In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that ‘the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world’,” Symantec (Broadcom) researchers noted.

“Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” Burt explained, and noted that beyond infecting end user computers, Trickbot has also infected a number of IoT devices, such as routers.

Disruption attempts

Since late September, Trickbot has been hit twice by (then-unknown) attackers.

According to Brian Krebs, they first pushed out a new configuration file to Windows computers infected with Trickbot, instructing them to consider 127.0.0.1 (a “localhost” address) their new control server.

A week later, they did it again, but at the same time, “someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records,” apparently in an attempt to “dilute the Trickbot database and confuse or stymie the Trickbot operators.”

These efforts, which were subsequently revealed to have been mounted by the US Cyber Command, did not permanently affect the botnet.

But the technical and legal efforts lead by Microsoft and supported by FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec division are expected to considerably affect the botnet’s operation.

After gathering enough information about the botnet’s operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which then court granted approval for Microsoft and partners to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

The operation will be followed by further action by ISPs and CERTs around the world, who will attempt to reach Trickbot victims and help them remove the malware from their systems.

“This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt pointed out.

“While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” the Black Lotus Labs team noted.

The anatomy of an endpoint attack

Cyberattacks are becoming increasingly sophisticated as tools and services on the dark web – and even the surface web – enable low-skill threat actors to create highly evasive threats. Unfortunately, most of today’s modern malware evades traditional signature-based anti-malware services, arriving to endpoints with ease. As a result, organizations lacking a layered security approach often find themselves in a precarious situation. Furthermore, threat actors have also become extremely successful at phishing users out of their credentials or simply brute forcing credentials thanks to the widespread reuse of passwords.

A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).

Take the massive Norsk Hydro ransomware attack as an example: The initial infection occurred three months prior to the attacker executing the ransomware and locking down much of the manufacturer’s computer systems. That was more than enough time for Norsk to detect the breach before the damage could done, but the reality is most organization simply don’t have a sophisticated layered security strategy in place.

In fact, the most recent IBM Cost of a Data Breach Report found it took organizations an average of 280 days to identify and contain a breach. That’s more than 9 months that an attacker could be sitting on your network planning their coup de grâce.

So, what exactly are attackers doing with that time? How do they make their way onto the endpoint undetected?

It usually starts with a phish. No matter what report you choose to reference, most point out that around 90% of cyberattacks start with a phish. There are several different outcomes associated with a successful phish, ranging from compromised credentials to a remote access trojan running on the computer. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.

anatomy endpoint attack

The above screenshot is from a recent phish WatchGuard Threat Lab encountered. The link within the email was customized to the individual recipient, allowing the attacker to populate the victim’s email address into the fake form to increase credibility. The phish was even hosted on a Microsoft-owned domain, albeit on a subdomain (servicemanager00) under the attacker’s control, so you can see how an untrained user might fall for something like this.

In the case of malware phishes, attackers (or at least the successful ones) have largely stopped attaching malware executables to emails. Most people these days recognize that launching an executable email attachment is a bad idea, and most email services and clients have technical protections in place to stop the few that still click. Instead, attackers leverage dropper files, usually in the form of a macro-laced Office document or a JavaScript file.

The document method works best when recipients have not updated their Microsoft Office installations or haven’t been trained to avoid macro-enabled documents. The JavaScript method is a more recently popular method that leverages Windows’ built-in scripting engine to initiate the attack. In either case, the dropper file’s only job is to identify the operating system and then call home and grab a secondary payload.

That secondary payload is usually a remote-access trojan or botnet of some form that includes a suite of tools like keyloggers, shell script-injectors, and the ability to download additional modules. The infection isn’t usually limited to the single endpoint for long after this. Attackers can use their foothold to identify other targets on the victim’s network and rope them in as well.

It’s even easier if the attackers manage to get hold of a valid set of credentials and the organization hasn’t deployed multi-factor authentication. It allows the threat actor to essentially walk right in through the digital front door. They can then use the victim’s own services – like built-in Windows scripting engines and software deployment services – in a living-off-the-land attack to carry out malicious actions. We commonly see threat actors leverage PowerShell to deploy fileless malware in preparation to encrypt and/or exfiltrate critical data.

The WatchGuard Threat Lab recently identified an ongoing infection while onboarding a new customer. By the time we arrived, the threat actor had already been on the victim’s network for some time thanks to compromising at least one local account and one domain account with administrative permissions. Our team was not able to identify how exactly the threat actor obtained the credentials, or how long they had been present on the network, but as soon as our threat hunting services were turned on, indicators immediately lit up identifying the breach.

In this attack, the threat actors used a combination of Visual Basic Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt Strike – to map out the victim’s network and launch malware. One behavior we saw came from Cobalt Strike’s shell code decoder enabled the threat actors to download malicious commands, load them into memory, and execute them directly from there, without the code ever touching the victim’s hard drive. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats.

anatomy endpoint attack

Elsewhere on the network our team saw the threat actors using PsExec, a built in Windows tool, to launch a remote access trojan with SYSTEM-level privileges thanks to the compromised domain admin credentials. The team also identified the threat actors attempts to exfiltrate sensitive data to a DropBox account using a command-line based cloud storage management tool.

Fortunately, they were able to identify and clean up the malware quickly. However, without the victim changing the stolen credentials, the attacker could have likely re-initiated their attack at-will. Had the victim deployed an advanced Endpoint Detection and Response (EDR) engine as part of their layered security strategy, they could have stopped or slowed the damage created from those stolen credentials.

Attackers are targeting businesses indiscriminately, even small organizations. Relying on a single layer of protection simply no longer works to keep a business secure. No matter the size of an organization, it’s important to adopt a layered security approach that can detect and stop modern endpoint attacks. This means protections from the perimeter down to the endpoint, including user training in the middle. And, don’t forget about the role of multifactor authentication (MFA) – could be the difference between stopping an attack and becoming another breach statistic.

ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.

ATM cash-out

What is the threat?

An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.

Who is most at risk?

Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.

Three common mistakes in ransomware security planning

As the frequency and intensity of ransomware attacks increase, one thing is becoming abundantly clear: organizations can do more to protect themselves. Unfortunately, most organizations are dropping the ball. Most victims receive adequate warning of potential vulnerabilities yet are woefully unprepared to recover when they are hit. Here are just a few recent examples of both prevention and incident response failures:

  • Two months before the city of Atlanta was hit by ransomware in 2018, an audit identified over 1,500 severe security vulnerabilities.
  • Before the city of Baltimore suffered multiple weeks of downtime due to a ransomware attack in 2019, a risk assessment identified a severe vulnerability due to servers running an outdated operating system (and therefore lacking the latest security patches) and insufficient backups to restore those servers, if necessary.
  • Honda was attacked this past June, and public access to Remote Desktop Protocol (RDP) for some machines may have been the attack vector leveraged by hackers. Complicating matters further, there was a lack of adequate network segmentation.

Other notable recent victims include Travelex, Blackbaud, and Garmin. In all these examples, these are large organizations that should have very mature security profiles. So, what’s the problem?

Three common mistakes lead to inadequate prevention and ineffective response, and they are committed by organizations of all sizes:

1. Failing to present risk in business terms, which is crucial to persuading business leaders to provide appropriate funding and policy buy-in.

2. Not going deep enough in how you test your ransomware readiness.

3. Insufficient DR planning that fails to account for a ransomware threat that could infect your backups.

Common mistake #1 – Failing to present security risk in business terms to get funding and policies

I was reminded of just how easy it is to bypass basic security (e.g., firewalls, email security gateways, and anti-malware solutions) when I recently watched a ransomware attack simulation: the initial pre-ransomware payload got a foot in the door, followed by techniques such as reverse DNS lookups to identify an Active Directory service, that has the necessary privileges to really do some damage, and finally Kerberoasting to take control.

No organization is bulletproof, but attacks take time – which means early detection with more advanced intrusion detection and a series of roadblocks for hackers to overcome (e.g., greater network segmentation, appropriate end-user restrictions, etc.) are crucial for prevention.
This is not news to security practitioners. But convincing business leaders to make additional security investments is another challenge altogether.

How to fix mistake #1: Quantify business impact to enable an informed cost-based business decision

Tighter security controls (via technology and policy) are friction for the business. And while no business leader wants to fall victim to ransomware, budgets are not unlimited.

To justify the extra cost and tighter controls, you need to make a business case that presents not just risk, but also quantifiable business impact. Help senior leadership compare apples to apples – in this case, the cost of improved security (capex and potential productivity friction) vs. the cost of a security breach (the direct cost of extended downtime and long-term cost of reputational damage).

Assessing business impact need not be onerous. Fairly accurate impact assessments of critical systems can easily be completed in one day. Focus on a few key applications and datasets to get a representative sample, and get a rough estimate of cost, goodwill, compliance, and/or health & safety impacts, depending on your organization. You don’t have to be exact at this stage to recognize the potential for a critical impact.

Below is an example of the resulting key talking points for a presentation to senior leadership:

ransomware security planning

Source: Info-Tech Research Group, Business Impact Analysis Summary Example, 2020

Common mistake #2 – Not going deep enough in testing ransomware readiness

If you aren’t already engaged in penetration testing to validate security technology and configuration, start now. If you can’t secure funding, re-read How to fix mistake #1.

Where organizations go wrong is stopping at penetration testing and not validating the end-to-end incident response. This is especially critical for larger organizations that need to quickly coordinate assessment, containment, and recovery with multiple teams.

How to fix mistake #2: Run in-depth tabletop planning exercises to cover a range of what-if scenarios

The problem with most tabletop planning exercises is that they are designed to simply validate your existing incident response plans (IRP).
Instead, dive into how an attack might take place and what actions you would take to detect, contain, and recover from the attack. For example, where your IRP says check for other infected systems, get specific in how that would happen. What tools would you use? What data would you review? What patterns would you look for?

It is always an eye-opener when we run tabletop planning with our clients. I’ve yet to come across a client that had a perfect incident response plan. Even organizations with a mature security profile and documented response plans often find gaps such as:

  • Poor coordination between security and infrastructure staff, with unclear handoffs during the assessment phase.
  • Existing tools aren’t fully leveraged (e.g., configuring auto-contain features).
  • Limited visibility into some systems (e.g., IoT devices and legacy systems).

Common mistake #3 – Backup strategies and DR plans don’t account for ransomware scenarios

Snapshots and standard daily backups on rewritable media, as in the example below, just aren’t good enough:

ransomware security planning

Source: Info-Tech Research Group, Outdated Backup Strategy Example, 2020

The ultimate safety net if hackers get in is your ability to restore from backup or failover to a clean standby site/system.

However, a key goal of a ransomware attack is to disable your ability to recover – that means targeting backups and standby systems, not just the primary data. If you’re not explicitly guarding against ransomware all the time, the money you’ve invested to minimize data loss due to traditional IT outages – from drive failures to hurricanes – becomes meaningless.

How to fix mistake #3: Apply defense-in-depth to your backup and DR strategy

The philosophy of defense-in-depth is best practice for security, and the same philosophy needs to be applied to your backups and recovery capabilities.

Defense-in-depth is not just about trying to catch what slips through the cracks of your perimeter security. It’s also about buying time to detect, contain, and recover from the attack.

Achieve defense-in-depth with the following approach:

1. Create multiple restore points so that you can be more granular with your rollback and not lose as much data.

2. Reduce the risk of infected backups by using different storage media (e.g., disk, NAS, and/or tape) and backup locations (i.e., offsite backups). If you can make the attackers jump through more hoops, it gives you a greater chance of detecting the attack before it infects all of your backups. Start with your most critical data and design a solution that considers business need, cost, and risk tolerance.

3. Invest in solutions that generate immutable backups. Most leading backup solutions offer options to ensure backups are immutable (i.e., can’t be altered after they’re written). Expect the cost to be higher, of course, so again consider business impact when deciding what needs higher levels of protection.

Summary: Ransomware security planning

Ransomware attacks can be sophisticated, basic security practices just aren’t good enough. Get buy-in from senior leadership on what it takes to be ransomware-ready by presenting not just the risk of attack, but the potential extensive business impact. Assume you’ll get hit, be ready to respond quickly, test realistically, and update your DR strategy to encompass this fast-evolving threat.