Posts Tagged

The US government has been forced to issue an alert to healthcare providers of a major new ransomware campaign that may impair their ability to treat COVID-19 patients.

The joint alert, issued by the FBI and Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), claimed that attackers using the Ryuk variant were targeting the sector with TrickBot malware.

Originally designed as a banking Trojan, TrickBot is now one of the most prolific pieces of malware around, offering a suite of functionality for various use cases including crypto-mining and POS data harvesting.

The alert warned of a relatively new Anchor_DNS module added by its authors which helps attackers use DNS tunnelling to keep C&C comms hidden and exfiltrate data seamlessly from high-profile targets. Anchor has already been used by North Korea’s Lazarus Group to steal data from victims.

The Ryuk variant has been around since 2018 and often threat actors deploy off-the-shelf tools such as Cobalt Strike and PowerShell Empire to steal credentials and maintain persistence. They also deploy “living off the land” techniques such as use of PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) to move laterally, the CISA warned.

According to reports, an Eastern European cybercrime gang known as “Wizard Spider” is likely behind this latest campaign, which hit six hospitals in the same day including incidents in Oregon, New York and California. Some patients are apparently being forced to divert to other facilities as a result.

Mandiant CTO, Charles Carmakal, branded the gang, also known as UNC1878, “one of the most brazen, heartless, and disruptive threat actors” he’s ever seen.

“Ransomware attacks on our healthcare system may be the most dangerous cyber security threat we’ve ever seen in the United States. Patients may experience prolonged wait time to receive critical care,” he added.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.”

New data from SonicWall released today claimed that Ryuk now represents a third of all ransomware attacks so far this year, with detections soaring from around 5000 up to Q3 2019 to over 67 million over the past year.

The threat to healthcare is nothing new: Microsoft warned of an uptick in targeted APT-style ransomware attacks during the early days of the COVID-19 crisis.

Employee awareness is seen as the biggest area of weakness for firms’ cybersecurity strategies over the past few months of mass remote working during COVID-19, according to a new study.

Secure storage firm Apricorn received over 23,500 responses from a poll of its Twitter followers in October exploring business preparedness during the pandemic.

Over 30% said that employee education was the area most in need of improvement at their organization. Home workers may be more distracted than they would otherwise be in the office, IT support feels more remote and devices or PCs may be less well secured, presenting increased cyber-risk to organizations.

New Mimecast research out this week revealed that nearly half (45%) of remote workers open emails they consider to be suspicious while 73% use their corporate devices for personal matters, potentially exposing it to cyber-threats.

“IT and security teams had to scramble to respond to this crisis and in doing so, left a lot of companies wide open to breach. Nine months into employees working remotely, some know already that they have been attacked. Others think they may have been but can’t be sure,” argued Apricorn’s EMEA managing director, Jon Fielding.

“In the same way that we had to learn how to protect ourselves from illness and modify our behavior, we had to also learn how to protect our data outside of the firewall and more importantly, to remain vigilant about it.”  

However, improving staff security awareness and education may not be that easy.

Trend Micro research from earlier this year revealed that remote workers continue with their bad habits whilst claiming that: they feel more conscious of their organization’s cybersecurity policies (72% ) since lockdown began; they take IT instructions seriously now (85%); and that cybersecurity is partly their responsibility (81%).

According to Apricorn, 40% of employees felt that they were not fully prepared to work at home securely and productively, with 18% claiming they lacked the right technology and 16% saying they were not sure how to. A fifth (20%) said they were still not able to work remotely. 

Another popular US restaurant franchise appears to have been on the receiving end of a major point of sale (PoS) data breach, with dark web traders claiming to have three million cards to sell.

Threat intelligence firm Gemini Advisory analyzed data uploaded to infamous carding forum Joker’s Stash and revealed that Dickey’s Barbecue Pit is the affected restaurant chain.

It said that customers in around a third of locations, 156 of 469, across 30 states may have had their cards compromised between July 2019 and August 2020.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of PoS device and processors that they utilize,” said the vendor.

“However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

The dark web seller advertising the cards, BlazingSun, has not uploaded the entire stash yet, and will likely continue to add compromised data over the next few months, Gemini Advisory said.

“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” it concluded. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”

After the shift to EMV, merchants which continue to process magstripe could face legal action and fines if breached. The practice is far more common in the US, which made the switch to more secure cards relatively late compared to much of Western Europe, which is why PoS breaches like this still occur.

Other big names compromised in this way over the past year include convenience store chain Wawa, Planet Hollywood parent company Earl Enterprises and Rutter’s, another convenience store brand.

There’s a significant movement in cybersecurity right now that is seeing organizations approach the problem of cyber defense through the eyes of an attacker. This is very different to the check-box approach often associated with standard security or compliance frameworks – and it requires specialist expertise. However, when properly applied, the attacker mindset helps to lift theoretical security off the clipboard and into the real world. It’s an old cyber truism that hackers don’t care about the compliance accreditations of their targets, so adopting the attacker mindset is crucial in actually understanding what your attacker does care about. Rule #1 – know your enemy.

The first question to answer when applying the attacker mindset is ‘what are our critical assets and who is motivated to attack us?’ Script kiddies, hacktivists, criminals and nation-state actors have differing ranges of both skill and persistence – and also carry different motivations to attack. Understanding this allows us to choose an appropriate lens through which to view cyber defense.

Attack motivation

For example, most large organizations, or those in specific sectors, hold assets that carry value to a nation state. In some cases, this is obvious – IP, financial and economic data, High Net Worth investments or cross-border M&A, to name some examples. Then there’s those organizations that present attractive geopolitical targets – such as power, utilities, government and media – where a disruptive cyberattack from a nation state would serve to undermine, sow uncertainty and potentially do actual harm.

So, let’s say we are a bank and we need to defend against a nation state level actor. Taking our attacker mindset to the next level, we would understand the threat to be three-fold. The attacker wants to:

1. Steal information (either mass data harvesting or specific economic or corporate transaction data)
2. Steal money (in the case of nation-states this has mainly been limited to North Korea, however some state aligned cyber groups also moonlight for personal gain)
3. Cripple the financial ecosystem within its target country

These three scenarios all involve different objectives, critical assets, and attack paths to these assets that an attacker would have to follow. Viewing this process through the eyes of an attacker can help us to understand where our defenses are strong, where they are weaker – and what we need to do in order to secure ourselves against each scenario.

In order to address our environment through the eyes of a state-level threat actor, we need to ensure we have this same skills and experience – either in house (tough because of the scarcity of ex-nation-state attacker resource) or through a specialist security supplier (again tough because you never really know what, or who, you are buying in until it is too late).

Defining a nation-state level attacker

• First up – pragmatism. This may seem the opposite of what the media would have us believe (state-level cyber attacks are not all about lasers and zero-days) – but a pragmatic approach to breaching an organization is crucial. As a cyber-operative in a state-cyber program, you’ve been given an objective, and it is your job to execute that objective with the resources available. Normally this means starting with the cheapest attacks to execute, and working up through complexity and value until an expensive zero-day attack is applied if the target warrants it. This is important to understand on the defensive side, as we can assess how much and how far we need to frustrate the attacker until they potentially move on elsewhere. If we feel our threat model doesn’t warrant an attacker burning through such an expensive resource, then we can set our defenses accordingly lower. On the other hand, if our critical assets warrant an attacker using a zero-day to get in, then we have to think about defense-in-depth and multiple layers of detection and response in order to catch the threat actor before they reach their final objective.

• Secondly – persistence. Nation-state level threats are often referred to as ‘Advanced Persistent Threats’, or APT – and often it is the ‘Persistent’ that sets them aside from the rest. This has important ramifications from a cyber-defense perspective. We live in an age where cybersecurity – and pentesting in particular – is becoming commoditized, with small-scope, one off exercises lasting a few days deemed enough to tick the compliance box. Nothing could be further from how a persistent attacker actually operates. The attacker doesn’t care that only 10 days were in scope for your annual pentest when it might take them 12 days to get in. The attacker certainly doesn’t care which systems couldn’t be assessed because they are in a sensitive production environment. Adopting the attacker mindset means turning this on its head – answering the question – ‘how far is the attacker willing to go to achieve their objective’?

• Thirdly – deep-level technical expertise and creativity. The more technically capable you are, and the more creative you can be as an attacker – the wider the attack surface you have to work with and the higher your chance of success in a shorter time. As defenders, we need have a clear understanding of where these technical vulnerabilities are in order to know where an attacker might strike. If our grasp of these vulnerabilities and their potential is more limited than that of an attacker, then we are always going to be on the back foot.

• Lastly, and perhaps most importantly – big-picture, holistic thinking. This goes back to the pragmatism point, in that the attacker will leverage whatever they can in order to achieve an objective, in ways that someone without an attacker background might not consider. An attacker will assess the entire organization – how its business units interact with each other, the employees, the supply chain – even the senior executives and VIPs (and their families) in order to find a weakness to exploit. This suddenly seems a far cry from an annual pentest – but are critical to address if we are to take the attacker’s viewpoint. Just this week, it was reported a Tesla employee was approached by a Russian criminal gang and offered $1million in order to install malware at the Nevada factory. Last year, over 50 percent of cyber breaches occurred through the supply chain. Social engineering at the highest level of business remains endemic. While defending all of these might seem an impossible task, understanding the threat is the first step and lifting defensive maturity by even a little can be enough to deter or frustrate an attacker.

Adopting the attacker mindset is one of the most effective tools we have in modern cyber-defense, and it applies to all sizes of organization facing every kind of threat. Anyone can be subject to a cyberattack – and it’s imperative to fully understand the level of risk faced by the business. And the only way to really view this, is through the eyes of an attacker.

Over the last couple of weeks, I’ve been chatting with people at four multi-national companies I work with who’ve seen productivity and revenue increase during the COVID-19 pandemic. They have been surprisingly consistent about why they’ve benefited from this New Normal. I’ve also been following some of the schools that have done as well and interestingly, for once, education seems to be ahead of the curve with its more-aggressive technology use. 

Digital transformation

The enterprises and schools that have managed to do ok during and after the spring coronavirus lockdown, were those farther down the digital transformation path than others. As you would expect, it has been easier for them to shift admin rolls off-premises and support massive numbers of employees off-site. If you’ve primarily removed the need for people to do things in the office, in person, then where people reside has less impact on operations. The more companies had adopted updated administration, security, and maintenance tools, the better and faster the shift to work-from-home became.

And those same companies were able to see benefits of the move more quickly. An important part of this is that these more advanced tools provide more granular feedback, so the company could make the adjustments needed to adapt to the New Normal efficiently. 

Empowered HR

In all cases, HR for these firms had already stepped out of its compliance role into a role that’s far more strategic. One of the significant issues was the care of these remote employees and management’s ability to deal with those that needed more oversight or more motivation. Where firms had already been aggressive at instrumenting employees and managers, the move to remote work immediately showcased shortfalls in oversight, training, and management. HR, already engaged as a support organization, could step in strategically to help move management processes to the new normal. 

The result: these firms had less downtime, fewer unplanned absences, and far greater collaboration and productivity than firms where HR remained stuck in compliance mode.

Interestingly, part of the reason performance rose is that managers shifted to much higher engagement with their employees, and delivered a greater focus on employee development. This suggests to me that, regardless of whether employees are in the office or home, they would significantly benefit from this change. It’s interesting that the pandemic has driven a change that likely should have already occurred. 

Though most of the companies now expect they’ll remain work-from-home operations, it does make me wonder if these practices — used for on-premise workers — might see an even more significant benefit.

Virtualization

Virtualization is where the successful firms and schools differed. Many of the successful schools I looked at already had, before the pandemic, a significant number of students learning from home due to disabilities or health problems. The most advanced were using a virtualized desktop solution to control and better manage the remote-learning experience. They just needed to scale that up after school closings — and were more successful in switching to remote school work (and keeping the teachers focused on the class instead of tech support). Schools don’t have the resources most companies enjoy, so this ability to pivot to what remains a very low-overhead technology was critical to their ability to effectively embrace change. 

There remain connectivity and bandwidth issues, in large part because of the mess of consumer hardware that’s created significant management problems for most schools. I should add that most companies that rushed into BYOD to provision employees seem to be switching back to enterprise-focused desktop hardware standards. Because diversity in hardware isn’t a good thing for support costs, whether at school or in the office. 

Wrapping up

What is fascinating to me is that in just a few months, we’ve gone from believing everyone needs to work in the office to everyone needs to be remote, when the ideal solution is likely nuanced and the best solution may be a blend of the two.  Binary solutions, particularly those that go from one extreme to the other, are generally suboptimal because they often, as in this case, result from some external and often transitory cause. Rather than deciding whether it is better to work on-premise or at home, we should capture the data that we need to make that decision when on-premise again becomes viable. Let data drive the result. 

In the end, this pivot to work-at-home showcased, perhaps better than any other example, why digital transformation is essential. It is foundational to agility, and in a changing world, agility can make the difference between survival and failure. I also find it fascinating that education has moved more aggressively to desktop virtualization than industry. (Given their minimal support capabilities and the benefits of virtualization, I probably shouldn’t be surprised.)  Still, it showcases a path to lower cost and lower overhead for the market in general. And since kids grow up to be managers, maybe that’s the lesson they’ll take with them someday into the workplace.

Over half of global organizations have suffered a data breach during the COVID-19 crisis, with even more arguing that they need to shift to a zero-trust model to bolster security, according to Forrester.

A new report commissioned by Cloudflare and set to be officially released on Wednesday, Leaders Are Now Committed To Zero Trust, reveals the challenges impacting organizations during the pandemic.

Based on a poll of over 300 global security decision makers at mid and large-sized businesses, it highlights how revenue and planning (64%), customer engagement (53%) and the shift to distributed working (52%) have had the biggest impact so far in 2020.

Despite the majority of respondents claiming to have invested in new devices for work from home (WFH) employees, updated security policies and adopted new security tools for remote workers, over half (58%) still suffered a data breach. A third (33%) were hit by infrastructure outages, with a similar number (29%) struck by ransomware.

Many security bosses admit that VPNs are a major bottleneck, leading to slow connections (46%). Most (54%) say they’ve struggled to maintain these during the shift to WFH. At the same time they’re concerned over staffing shortfalls (80%), apps and data exposed to the public internet (76%) and little management over end user devices (64%).

They admit that legacy network security tools are no longer effective (64%) but have been overwhelmed by rapid migration to the cloud (80%).

The answer for many is a zero-trust approach predicated on the notion of “never trust always verify” and supported by technologies such as multi-factor authentication, network segmentation and endpoint security.

Over three-quarters (76%) of respondents want to move to this model, and even more (81%) say their organization is committed to migrating to this approach in time. However, similar numbers (75%) say they’re struggling to do so due to the complexities of user access at their organization.

The report chimes with a Tanium study from earlier this year which revealed that global firms struggled with the shift to mass remote working due to a lack of visibility into endpoints and challenges around patching.

Although 85% said they felt ready for the shift to remote working, 98% admitted they were caught off guard by security challenges in the first two months, with overwhelmed VPNs (22%) frequently cited as a problem.

Unreliable home broadband connectivity is the primary technical challenge businesses are having to deal with as remote working continues during the COVID-19 pandemic.

That’s one takeaway from a survey of 100 C-level executives and IT professionals in the US by Navisite designed to highlight the biggest headaches for organizations providing IT services to workers since offices began to close in March.

Around half (51%) of those surveyed said they experienced some “IT pains” during the rapid shift to support home workers, while almost a third (29%) continue to face technical challenges.

At the same time, the majority (83%) now expect to continue with remote work policies when pandemic restrictions are lifted.

Top concern for long-term WFH: The need for broadband

Ensuring employees can carry out their work at home over a longer period presents some concerns for organizations. Chief among these is poor internet bandwidth, an issue cited by nearly half (49%) of the respondents.

With meetings being held using video apps such as Zoom and Microsoft Teams — in addition to the deployment of a range of collaboration and productivity tools —unreliable internet connections have caused headaches.

“If you have poor home internet performance, it can cause problems with the quality of the video and audio on those videoconference platforms, which prevents people from getting work done and effectively engaging and collaborating,” said Navisite CEO Mark Clayman. 

“It’s also an issue when you consider the many systems, applications and the amount of data now located in the cloud — poor internet bandwidth can hinder access and performance with the tools employees use daily.”   

One common challenge: an employee may not be the only person in the household placing high demands on bandwidth.  “This is especially true when both telework and remote schooling are occurring simultaneously,” said Karyn Price, a senior industry analyst at Frost & Sullivan.

“Some solutions, like remote SD-WAN, can assist by allocating bandwidth to a user’s highest-priority applications, but can have the unintended consequence of a student getting kicked out of a virtual school platform because Mom or Dad is on a conference call.”

Security and compliance

The second biggest worry, cited by 46% of respondents, is maintaining security and compliance for remote workers.

According to Navisite, more than a third (36%) of respondents said they were unprepared for the shift to remote work. And the rush to workers outside the office at unprecedented levels likely resulted in IT teams skipping over normal security protocols.

“The goal was, ‘Get everyone online now,’” said Clayman. “This haste could potentially expose security gaps for organizations, and these gaps need to be addressed — both to protect the integrity of a business and its IT systems and data, and to ensure compliance with industry and local regulations.” 

Price pointed to cloud-based services that can help overcome such issues. For example, Desktop-as-a-Service and Workspace-as-a-Service can provide secure access to corporate data and services, and can be deployed, configured and managed centrally.

“This enables the business to ensure that security and compliance profiles and appropriate access restrictions are maintained, and that data is not housed on local, or possibly personal, devices that are not protected,” she said.  

“Usage of these sorts of solutions have increased since March 2020, and we expect that trend to continue.”

WFH worries: staffing resources and user negligence, but not cost

Other concerns cited include: home use negligence or inappropriate use of corporate devices (20%); staffing resources needed to manage large numbers of remote users (13%); management tools to support remote users (12%); and fears of overloading enterprise remote access solutions (11%).

Lowest on the list was cost, which was cited by 10% of respondents.

“Given that the work-from-home trend is likely here to stay in some capacity well beyond COVID, we’re finding that organizations have already shifted their cost models to account for this change, and are now more focused, as the survey highlights, on making the experience more secure and seamless,” said Clayman.    

Price said the finding matches data with Frost & Sullivan’s research, which shows that if a cloud product meets business requirements, cost concerns are less apparent.

“In a pandemic era, investing in robust remote-work solutions will yield business benefits in terms of business continuity, continued productivity, and ultimately, the ability of the business to thrive during these unique times,” she said.

At the same time, Price noted that businesses have become less reactive in their procurement.

“Businesses that initially engaged their cloud or managed service provider and said, ‘Give me whatever solution will get me up and running’ in the beginning of the pandemic are now taking a more thoughtful approach, much as enterprises are doing with cloud in general,” she said.

“They are being more strategic about how they deploy remote work technology solutions, as well as to how they manage corporate digital transformation as a whole.”

Ransomware was the most observed threat in 2020, according to a global corporate investigations and risk consulting firm based in New York City.

Kroll‘s proprietary data on cyber incident response cases shows that ransomware attacks accounted for over one-third of all cases as of September 1, 2020. 

While this particular form of malware has struck organizations of all sizes across every sector this year, Kroll has observed that the three industries most targeted with ransomware were professional services, healthcare, and technology.

Over a third of cyber-attacks observed by Kroll in 2020 can be attributed to three main ransomware gangs.

“Ryuk and Sodinokibi, perennially the most observed form of ransomware attack in Kroll’s cases, have been joined by Maze as the top three ransomwares so far in 2020, comprising 35% of all cyber-attacks,” said a spokesperson for Kroll.

Business email compromise was almost as prevalent as ransomware, accounting for 32% of cyber-attacks observed by Kroll.

A new tactic of ransomware gangs observed this year by Kroll was the exfiltration and publication of the victim’s data.

“Many ransomware variants have added exfiltration and publication to their bag of tricks over the course of the year, and over two-fifths (42%) of Kroll’s cases with a known ransomware variant are connected to a ransomware group actively exfiltrating and publishing victim data,” said Kroll’s spokesperson.

In nearly half (47%) of the ransomware cases observed by Kroll, threat actors leveraged open remote desktop protocol (RDP) and Microsoft’s proprietary network communications protocol to begin their attacks.

Just over a quarter (26%) of cases were traced back to a phishing email, while 17% were linked to vulnerability exploits, including but not limited to Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510.

“We have seen a predictable surge in cyber-attacks so far in 2020 as the COVID-19 pandemic has given malign actors increased opportunities to cause havoc,” said Devon Ackerman, managing director and head of incident response at Kroll North America. 

“The ongoing evolution of ransomware creators is constantly shifting the goalposts for those trying to defend data and systems, so vigilance must remain at the top of CIO’s to do list.”