Friday, 26 February 2021

The Ransomware Group Tactics which Maximise their Profitability

Article by Greg Foss, Senior Cyber Security Strategist, VMware Carbon Black


Wherever there is disruption, cybercriminals see opportunity. Alongside the devastating health and economic impacts of the global coronavirus pandemic, we have also seen a huge escalation in ransomware attacks as people shifted to working from home. VMware Carbon Black threat researchers have recorded a 900% year on year increase in ransomware attacks in the first half of 2020.

Attacks are not only more frequent, but they are also more sophisticated, as adversaries strive to maximise the revenue potential from each hit. As modular and more extensive malware has become ubiquitous, adversaries are diversifying and adopting more strategic and multi-stage tactics. They’ve identified factors such as high financial and regulatory penalties and reputational damage that offer more leverage to extort money from victims. As a result, it is now easier than ever for criminals with minimal skill to execute highly impactful attacks.

Destructive attacks and the sale of direct access into corporate networks are also rising trends, and the lucrative payoff potential from all of these is changing how adversaries approach their craft; a typical ransomware attack today is designed to do a lot more than simply encrypt data.

Shift from spray and pray to cultivate and curate – rise of the hands-on ransomware attack

In the past, a ransomware attack typically originated in a phishing email where the victim unwittingly opened an infected document or clicked a link that executed actions to immediately encrypt the environment and demand a ransom. Adversaries launched high-volume attack campaigns on the assumption that some would make it through defences and pay-day would follow.

The current approach is much more hands-on-keyboard, with the attacker actively involved in orchestrating targeted attacks that will deliver multiple opportunities to monetise the results. In the attacks we’re seeing today, the eventual encryption and ransom demand comes a long way down the line; victims should assume that attackers have been inside their network for a significant period, have mapped out their infrastructure, and have already exfiltrated their most sensitive assets. The new evolution of ransomware attacks involves:

Research Phase: the adversary gathers intelligence about your organisation through open-source intelligence gathering (OSINT): everything from social media and geographical footprint to publicly exposed IP addresses found on Shodan, paying special attention to the organisation's employees. All of this helps to establish an attack plan, most commonly targeted at unsecured edge devices, with exposed Microsoft Remote Desktop Protocol (RDP) being leveraged far more than any other entry point.

Reconnaissance: Adversaries scan your organisation from the internet, looking at edge devices that could be a potential entry point, extrapolating what the rest of your environment might look like and what resources are worth targeting. They might identify home users with publicly exposed devices and target them with a phishing email, but more typically we see adversaries go after poorly configured edge devices, such as a Windows server with Remote Desktop Protocol exposed and no multifactor authentication in place as an ideal access vector.

Access and Consolidation: On entry, the attacker conducts initial post-exploitation reconnaissance to obtain a credential and elevate their privileges so they can pivot from the Demilitarised Zone (DMZ) into the internal systems and map out the internal infrastructure. At this point, most ransomware groups we've been following will try to back-door additional systems with redundant access to a secondary command and control server, and will also try to infect the backup server, even getting their payloads deployed within the backups themselves. They probably won't use this redundant access; it is insurance in case their initial route gets cut off. From a victim's perspective, though, this is something you need to look out for in incident response.

Slow and Steady Data Exfiltration: to avoid triggering the controls companies have in place to prevent large-scale data exfiltration, attackers will look for a discreet way to get the data out of the organisation. This might be through a user within the environment, moving files slowly and covertly to a compromised user account and offloading them to another server, such as a compromised web server, which serves as a collection point for the stolen data. Or they might move the data out slowly through protocols such as DNS.

By now the attacker has achieved the first part of their goal. They have stolen data that they can monetise directly, and they have persistence on the victim’s systems. The victim is still unaware and now the attacker starts to plan for the next stage of their attack.

Extortion – Reputations and Data Held to Ransom
This is where we are seeing the convergence of data theft and ransomware. Once attackers launch the encryption phase of the attack, they lock up the victim’s data and demand payment in a traditional ransomware style.

Businesses with good data back-ups and recovery capabilities might be tempted to call the attacker’s bluff – until the extortion starts. Attackers threaten to release parts of the stolen data on the web to publicise the exploit if payment is not forthcoming. So even if the business can recover its data, its reputation and company secrets are still on the line.

The Maze Cartel is an arch-exponent of this technique. When victims don’t pay, they publish stolen data on their website. It is bold and shows the capabilities and power these groups exercise. We’re also seeing these groups collaborating and sharing infrastructure and code, which is making attacks harder to attribute and increasing their overall capabilities.

If the victim bows to pressure and pays the ransom their data has still been breached and is for sale on the dark web, adding another revenue stream for the attacker. Of equal concern should be the fact that the adversary still has a redundant command and control access that they can sell or use to conduct further attacks.

How to Combat Evolving Ransomware Attacks
You have to treat ransomware like you would any other breach – this is someone who is in your environment and they have access to a lot of sensitive data. You need to conduct full incident response and recovery following each of these attacks, looking especially for signs of residual access to your environment following ransomware data theft.

To protect networks, defenders need to deploy endpoint protection, making sure they are blocking ransomware and have layered visibility of what is happening within the network. Understand the details of what your processes are doing and segment your networks effectively so that the scenario described above is not easy for an attacker to achieve.

Watch for evidence of initial access reconnaissance activity, configure alerts for large-scale data exfiltration, look for redundant command and control access, and bear in mind that attackers are playing the long game. They are aiming to retain their foothold in the environment for as long as possible, so you might be looking for something that activates on a weekly or even monthly cycle, which is easy to miss. If you have suffered an attack, you should hire an incident response firm to look for these hard-to-find indications that your network is still being curated for future attacks.
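Two of the behaviours described above, data trickling out through DNS (the Slow and Steady Data Exfiltration phase) and a redundant command and control channel that checks in only weekly or monthly, can both be spotted in DNS query logs if you look at the shape of the queries rather than their volume. The following Python is an added example written for this page, not code from the article or from VMware Carbon Black. The log format, the client addresses, the domains attacker-example.net and c2-example.org and the thresholds are all constructed for illustration and would need tuning against real traffic.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log (not real data): "<ISO timestamp> <client IP> <queried name>".
# 10.0.1.15 browses normally but also pushes six 32-hex-character chunks to a
# hypothetical attacker domain; 10.0.2.30 resolves a hypothetical C2 host once a week.
SAMPLE_LOG = """\
2021-01-04T09:00:00 10.0.1.15 www.example.com
2021-01-04T09:00:05 10.0.1.15 mail.example.com
2021-01-04T09:00:12 10.0.1.15 a1b2c3d4e5f60718293a4b5c6d7e8f90.attacker-example.net
2021-01-04T09:00:25 10.0.1.15 0f1e2d3c4b5a69788796a5b4c3d2e1f0.attacker-example.net
2021-01-04T09:00:31 10.0.1.15 9a8b7c6d5e4f30211203f4e5d6c7b8a9.attacker-example.net
2021-01-04T09:00:50 10.0.1.15 5f4e3d2c1b0a98765f4e3d2c1b0a9876.attacker-example.net
2021-01-04T09:01:03 10.0.1.15 7b3e9f1a5c0d28466482d0c5a1f9e3b7.attacker-example.net
2021-01-04T09:01:09 10.0.1.15 c4a8e2f60b19d357c4a8e2f60b19d357.attacker-example.net
2021-01-04T09:03:00 10.0.1.15 cdn.example.com
2021-01-04T03:15:00 10.0.2.30 update.c2-example.org
2021-01-11T03:15:40 10.0.2.30 update.c2-example.org
2021-01-18T03:14:50 10.0.2.30 update.c2-example.org
2021-01-25T03:15:10 10.0.2.30 update.c2-example.org
2021-01-25T10:00:00 10.0.2.30 www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, name) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name = m.group(3).rstrip(".").lower()
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), name))
    return events


def registered_domain(name):
    """Treat the last two labels as the registered domain. Assumption: good enough for
    this sample; production code should consult the Public Suffix List instead."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of s: random hex tends towards 4.0, dictionary words towards 2-3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def find_dns_exfil(events, min_unique=5, min_avg_len=20, min_avg_entropy=3.0):
    """Flag (client, domain) pairs that query many distinct, long, high-entropy
    subdomains: the signature of data being encoded into DNS labels."""
    prefixes = defaultdict(set)
    for _, client, name in events:
        dom = registered_domain(name)
        if name != dom:
            prefixes[(client, dom)].add(name[: -len(dom) - 1])
    hits = []
    for (client, dom), labels in prefixes.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            hits.append((client, dom, len(labels)))
    return hits


def find_periodic_beacons(events, min_count=4, min_interval=3600, max_jitter=0.1):
    """Flag (client, domain) pairs looked up at a near-constant interval of at least
    min_interval seconds: a slow check-in from a redundant C2 channel."""
    times = defaultdict(list)
    for ts, client, name in events:
        times[(client, registered_domain(name))].append(ts)
    hits = []
    for (client, dom), ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean < min_interval:
            continue
        stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        if stdev / mean <= max_jitter:  # coefficient of variation: low means regular
            hits.append((client, dom, round(mean), len(ts_list)))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for hit in find_dns_exfil(ev):
        print("possible DNS exfiltration (client, domain, distinct labels):", hit)
    for hit in find_periodic_beacons(ev):
        print("possible periodic beacon (client, domain, interval s, count):", hit)
```

The exfiltration heuristic keys on many distinct, long, high-entropy labels under one domain, which is what chunked and encoded data looks like in DNS; the beacon heuristic keys on the regularity of the interval between lookups, not the volume, which is why a channel that fires once a week still stands out. Both will need an allow-list in practice, because CDNs, telemetry and anti-virus update domains produce similar patterns.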

It’s important to understand that this new approach is bespoke work. It’s targeted and long-term tradecraft and the pay-off is higher as a result; attackers will use every means at their disposal to get the most return on their efforts and grow their profits in the current highly disrupted environment.

Thursday, 25 February 2021

Fintech Cybersecurity Trends in 2021

Article by Beau Peters

When the pandemic struck, online bad actors took it as an opportunity to double-down on their attacks through ransomware, malware, and social engineering. Newly remote workers and remotely connected workplaces had to adapt rapidly to a greater digital threat as well as a public health crisis.

Now, cybersecurity may just be the most important aspect of financial technology (fintech) in the modern world. With 2020 being the worst year on record in terms of files exposed in data breaches, a thorough security approach is necessary to combat modern dangers.

Fintech relies on cybersafety more than any other digital platform. Luckily, new tech trends could help keep our financial data safe even with an increase in risk. Here’s what you should know. 

The Rising Risks
The widespread shift to a work-from-home (WFH) economy left countless networks vulnerable to cyber attacks. Hastily implemented cloud data processes and security needs failing to keep pace with tech innovations have left financial data exposed. Meanwhile, greater reliance on mobile devices for everything from managing our bank accounts to checking credit scores leaves fintech users more at-risk than ever.

Among the many security risks of personal finance technology are the following:
  • Hundreds of fintech ventures are funded each year, with little change in the security landscape.
  • New users unfamiliar with cybersecurity concerns can inadvertently expose their data.
  • Fraud and identity theft are on the rise, with online shopping hacks and COVID-related scams popular among cybercriminals. 
These vulnerabilities and more demonstrate the risk to data in the modern digital world. The coronavirus pandemic only makes the situation worse, as companies look to quickly transition to remote work, often without time for due diligence in instituting security protocols and employee training.

Insider threat is predicted to be the number one risk to data classification in the year ahead, requiring stricter corporate guidelines in data protection and better employee education. The heightened risk of a pandemic economy requires innovative solutions in approaching fintech. Fortunately, emerging trends in the financial technology sector may have the potential to turn the tide of cybercrime and keep our financial data safe. 

Fintech Trends for 2021 and Beyond
Even in the deluge of attacks on our digital systems, defender confidence has remained strong. This is due to the trends shaping the cybersecurity and fintech sectors, applications of intelligent processes that can predictively model attacks and pre-emptively counter them. The fintech industry is rising to meet the increased demand of the modern era, and this means broader benefits and heightened security for all consumers.

Among the trending innovations making fintech more secure, these technologies stand out: 

1. Multi-cloud data storage.
A single public cloud storage system may not meet the needs of many financial institutions. Instead, the safety of a private cloud is often preferable. Luckily, multi-cloud solutions offer the best of both worlds, giving businesses greater transparency and security in their data usage while providing a back-up system for vulnerable data.

2. AI fraud detection. 
Financial institutions like MasterCard are adopting artificial intelligence and machine learning processes to predict and prevent fraud. These systems analyze transaction and behavioural data to score client risk and flag anomalies. Because machine learning can sift massive amounts of data to catch unauthorized usage faster, these tools can help secure fintech as 5G connectivity comes to the Internet of Things (IoT). 

3. Secure Access Service Edge (SASE) networks.
SASE network architecture, like multi-cloud storage, brings multiple systems together to link security solutions for the greatest effect. This trend in fintech combines wide-area networking with network security services to offer a comprehensive cloud service. As tech consolidation remains a trend among businesses, these solutions can help protect fintech while offering greater functionality, all in one simple package.

4. Blockchain systems.
A blockchain is a decentralized, append-only ledger in which each block carries the cryptographic hash of the block before it, so altering any past record changes every later hash and is immediately detectable. The data itself is not hidden by this design (it is stored in the clear unless separately encrypted); what the design makes hard is rewriting history without the agreement of the network's participants. For global finance, these systems make secure and seamless transactions possible, which is why they will likely become a staple of fintech soon. 

5. Regulatory technologies (Regtech). 
As political administrations change and governments increasingly seek to encourage broader cybersecurity regulations, the prominence of regtech can help sustain fintech security. These technologies are built to manage big data usage to ensure compliance with government standards. Often, this includes data encryption and de-identification processes meant to ensure consumer privacy. 

As the pandemic of cybercrime compounds the dangers of the coronavirus pandemic, fintech innovators are moving forward with solutions through technologies like these. From hybrid cloud storage that works to back-up data to regtech that makes compliance with government standards easier, fintech platforms can be better protected on all fronts. 

As a result, consumers will ideally see a more secure future for their financial data. 

A More Secure Future
As innovations like AI and machine learning become a standard of fintech cybersecurity, we can look forward to a world of safer data. This will require, however, highly certified and trained cybersecurity professionals who can assist companies in adopting and maintaining the new fintech.

Right now, the shortage of cybersecurity professionals is estimated to be as high as 3.5 million, and while AI can fill in, it cannot replace the need for human oversight. This makes cybersecurity a career that is more or less safe from automation. Instead of displacing work, as AI might do to 20 million-plus manufacturing jobs, artificial intelligence stands to supplement skill shortages and make effective security more accessible.

With trends like blockchain and regtech emerging as helpful tools in the fight against cybercrime, the next step will be training a large enough security workforce to properly integrate this tech for the best results. Then, the potential of fintech tools can be effectively maximized for safer data security in the marketplace.

Friday, 5 February 2021

The Linux Flaw you can't afford to Ignore (CVE-2021-3156)

Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

CVE-2021-3156 sudo Vulnerability
Last week (26th January 2021) a new critical-rated Linux/Unix vulnerability was made public under CVE-2021-3156. Specifically, the vulnerability is within the 'sudo' program, which is an abbreviation of 'superuser do', well that's how I remember it. Sudo is a powerful and fundamental program found within virtually all Linux and Unix distributions, allowing users to execute programs with the security privileges of another user. A typical use of sudo is where you need to run a program with privileged (i.e. administrator, or root) access rights.
The sudo heap-based buffer overflow vulnerability was discovered by Qualys researchers. Exploiting it allows any unprivileged local user, including one not listed in the sudoers file, to gain root-level (i.e. administrative) privileges. Qualys has posted a blog and video which explain and demonstrate the exploitation technique, which as exploits go is fairly quick and easy to do. See CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog

Patches are available
Qualys rightly did not publicly disclose the vulnerability until the sudo maintainer was able to write and release a fixed (patched) version of sudo. The fixed sudo version 1.9.5p2 has been made available to download at www.sudo.ws.

Linux vendors have also released patches for the sudo vulnerability, including
At the time of writing this post, it has been reported that macOS Big Sur is also vulnerable, but Apple has not released a patch.

The Security Concern
This vulnerability has been present in sudo for nearly 10 years (it was introduced in July 2011): all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are to be considered vulnerable, with 1.9.5p2 being the fixed release. The issue is that Linux is embedded everywhere, yet many systems are rarely, or even never, updated. From IoT devices to internet-based services, the security of countless devices and web-based services is dependent upon a secure Linux account privilege model. While their Linux operating systems remain unpatched against CVE-2021-3156, they sit there insecure and waiting to be hacked.
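Checking a fleet for this flaw needs two things: the upstream version number and, because distributions such as Debian and Ubuntu backport the fix without changing the version string that `sudo -V` prints, a probe against the installed binary itself. The Qualys advisory gives that probe: run `sudoedit -s /` as an unprivileged user; a vulnerable build answers `sudoedit: /: not a regular file`, a fixed build rejects the invocation and prints its usage text. The Python below is an added example written for this page, not code from the post or from Qualys. It assumes the affected ranges quoted above and the two probe responses from the advisory; the function and key names are this example's own.

```python
import re
import subprocess

# Affected upstream ranges from the Qualys advisory: legacy 1.8.2 .. 1.8.31p2 and
# stable 1.9.0 .. 1.9.5p1. Versions are compared as (major, minor, patch, plevel).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, plevel) from `sudo -V` output such as
    'Sudo version 1.8.31p2' or from a bare version string like '1.9.5p1'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(version):
    """True if the upstream version number falls inside an affected range.
    Caveat: distributions backport fixes without bumping this number, so True
    means 'possibly vulnerable', not 'confirmed vulnerable'."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_probe_output(stderr):
    """Interpret stderr of `sudoedit -s /`, the check described by Qualys: a
    vulnerable build accepts the -s flag and complains that / is not a regular
    file; a fixed build rejects the invocation and prints its usage text."""
    text = stderr.strip()
    if text.startswith("sudoedit:") and "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def check_local_host(timeout=10):
    """Run both checks on this machine as an unprivileged user. stdin is closed
    so a password prompt cannot hang the script (it then reports 'unknown')."""
    version_out = subprocess.run(
        ["sudo", "-V"], capture_output=True, text=True, timeout=timeout
    ).stdout
    probe = subprocess.run(
        ["sudoedit", "-s", "/"],
        capture_output=True, text=True, stdin=subprocess.DEVNULL, timeout=timeout,
    )
    return {
        "version": parse_version(version_out),
        "version_in_affected_range": version_in_affected_range(version_out),
        "probe_result": classify_probe_output(probe.stderr),
    }


if __name__ == "__main__":
    for key, value in check_local_host().items():
        print(f"{key}: {value}")
```

Treat `probe_result` as the authoritative answer and the version range as a triage hint: a host reporting `version_in_affected_range: True` with `probe_result: patched` is a backported fix, not an exposure.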

Monday, 1 February 2021

Cyber Security Roundup for February 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, January 2021.

Throughout January further details about the scale and sophistication of the suspected nation-state SolarWinds hack came to light, with a growing number of cybersecurity vendors, including CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks, Qualys and Mimecast, confirming they had been targeted in the supply-chain espionage attack. The finger of suspicion is pointing directly at Russia, with the Russian-backed hacking group APT29 'Cozy Bear' cited as the culprit by many security researchers and intelligence analysts. US Secretary of State Mike Pompeo and Attorney General Bill Barr both publicly stated they believe Moscow is behind the attack, as did the chairs of the Senate and House of Representatives' intelligence committees. 

US government investigators and Microsoft have uncovered additional evidence confirming the cyberattack started as far back as October 2019, with about 30% of victims having no direct connection to SolarWinds. CISA and the National Security Agency updated guidance to address configuration issues in Microsoft’s Office 365, with Microsoft confirming in a blog post it had “detected malicious SolarWinds binaries in our environment”. Mimecast confirmed a related certificate compromise after being informed by Microsoft as part of its investigative efforts.

The End of Emotet?
There was positive cybersecurity news in January, with the European law enforcement agency Europol, working together with other international police agencies, to take down the Emotet botnet. Emotet is one of the most popular forms of malware used by ransomware cybercriminals to initially gain access into their victim's networks. Europol said in a statement an undisclosed number of servers, computers and other devices used by Emotet had been seized. Check Point commented on the news "Emotet was among the most popular malware variants seen in 2020, accounting for 7% of the organizations attacked for the month of December and 100,000 users every day as Christmas and New Year’s approached. After similar stints on top in September and October, the trojan saw a dropoff in November before roaring back ahead of the holidays."

The demise of Emotet came too late for Hackney Council, following its October ransomware attack by a suspected cybercriminal group, with the Council's staff and residents' personal details found posted on the dark web in January. The Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security, launched a new educational campaign encouraging governments, schools and private companies to take steps to protect their systems and data from ransomware. The CISA ransomware guidance is certainly of value to the same groups on this side of the pond, with CISA aptly commenting upon the release of the guidance: 'Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.'

Cyber Security Careers Advice
I wrote a blog post detailing the Top Ten Cybersecurity Certifications in 2021, which was based on the data from a recent survey of a 90,000+ strong LinkedIn cybersecurity professional group. I also updated the Cyber Security Careers Advice page on The IT Security Expert website. I also posted on Data Loss Prevention and on Artificial Intelligence vs. Human Insight.

Bye Bye Flash
Flash Player was finally put to bed by Adobe at the start of the new year, after the software giant officially discontinued Flash following years of Flash security problems. Adobe asked users to uninstall the software before it blocked all Flash content from 12 January 2021. 

Flash was first released in 1996, making it possible to run sophisticated web applications, animations, and games at a time when web browser technology (long before HTML5) could not and internet connection speeds were slow. Steve Jobs hammered one of the first nails into Flash's coffin ten years ago, openly criticising Flash and banning it from Apple mobile products. On the security front, there has been a whole raft of zero-day and critical vulnerabilities in Flash over the years, with cybercriminals and nation-state groups pouncing on the countless security flaws to remotely execute malicious code and take over computers. 

Adobe has provided instructions for removing Flash on Windows and Mac computers on its website. It has warned: "Uninstalling Flash Player will help to secure your system since Adobe does not intend to issue Flash Player updates or security patches after the end-of-life date.", so make sure to say your final goodbyes or good riddance, but do double-check you have removed Flash from computers, especially if your computer goes back a few years.

Stay safe and secure.
