IT companies are contemplating extending this arrangement even after COVID-19 infections decline. But most companies agree that cybersecurity threats are a sword hanging over their heads.
Rukmini Rao Last Updated: June 10, 2020 | 18:54 IST
In 2019, the network infrastructure assets of 47.9% of businesses were ageing or obsolete
Ageing and obsolete devices in the technology sector stand at 59.6%
Redirection of spend towards cloud services is resulting in decreased on-premises investment
Various sectors across the globe are slowly, and in a staggered fashion, opening up after nearly five months of lockdown, with perhaps the only exception being the information technology sector, which adapted to a different working model to tide over the crisis. IT companies are contemplating extending this arrangement even after COVID-19 infections decline. But most companies agree that cybersecurity threats are a sword hanging over their heads. A recent report by NTT Ltd shows that the root cause of the substantial increase in cybersecurity threats is perhaps obsolete or ageing devices.
“The assets of 47.9 per cent organisations were ageing or turning obsolete as a weighted average, representing a significant surge from 2017, when this figure was just 13.1 per cent. Both connectivity and security are being compromised by enterprises leaving obsolete devices on the network,” the report said. While the industry average in the use of obsolete and ageing devices is 47.9 per cent, the public sector leads the way with 61.7 per cent, and a surprisingly close second is the technology sector, with 59.6 per cent of devices either ageing or turning obsolete. On average, an obsolete device has twice as many vulnerabilities per device (42.2 per cent) compared to ageing (26.8 per cent) and current devices (19.4 per cent). Interestingly, the report says that around 2015-16, businesses started investing in and deploying new technology, and spending on new devices peaked in 2017, when 86.9 per cent of organisations had current (latest) devices. Even as adoption of new wireless infrastructure is on the rise, with an average increase of over 13 per cent year-on-year, ageing and obsolete devices create security vulnerabilities and put businesses at risk of cyber attacks as people log in from co-working spaces and remote work locations.
One of the biggest reasons behind the lower investment in on-premises infrastructure, according to the report, is that growth in cloud spend is outpacing growth in overall IT spend. Cloud adoption and spend were predicted to grow at a faster rate, in the region of 21-25 per cent CAGR, until 2023. “The increase in on-premises, ageing and obsolete devices is partially due to a redirection of spend towards Software-as-a-Service (SaaS) and other cloud services, which results in a decrease in investment in on-premises infrastructure. However, we anticipate that there will be a significant increase in people working from home, even after pandemic reduction measures are lifted,” the report said.
Microsoft made several security announcements ahead of RSA Conference, including its decision to bring Microsoft Defender to iOS and Android.
Microsoft today announced the general availability of its Threat Protection and Insider Risk Management platforms, as well as the decision to bring Microsoft Defender Advanced Threat Protection to iOS and Android. The announcements come amid a wave of security product news ahead of RSA Conference.
When Microsoft Threat Protection (MTP) arrived in public preview last December, it was described as an “integrated solution” built on the Microsoft 365 security suite: Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration, Azure ATP for identity alerts, and Microsoft Cloud App Security (MCAS) for software-as-a-service applications.
MTP is designed to bring the capabilities of all of these Microsoft systems together into a single tool and, in doing so, to coordinate threat detection and response. It looks across domains to understand a chain of events, pinpoint affected assets, and protect resources. MTP prioritizes incidents for investigation and response, terminates malicious processes on endpoints, and removes mail-forwarding rules an attacker may have put in place. It’s meant to give admins greater visibility, stop attacks from spreading, and automatically fix assets affected in an attack.
Insider Risk Management, built into Microsoft 365 and launched in preview at last year’s Ignite, aims to help security teams address a threat that has become a primary concern among CISOs. It started with an internal demand at Microsoft to use machine learning to detect threats based on user behavior, explains Ann Johnson, corporate vice president of cybersecurity at Microsoft.
“It’s one of those solutions that when we brought it to market, the demand was instant,” she says. Insider Risk Management uses the same technology that classifies and protects 50 billion documents for Microsoft users; it’s meant to bring signals, sensitivity labels, and content into a single view so admins can get a picture of what’s happening and take appropriate action.
Many insider threat cases are not inherently malicious, Johnson explains. In one preview case, an employee had forwarded a work email to their personal email because there was data they wanted to access, and they didn’t realize the email contained confidential proprietary data. In another, the tool picked up on users authenticating into applications from different locations.
The preview process taught Microsoft about how companies approach insider threats, which the company believed would be more of a compliance issue, Johnson says. “What we’ve learned is a lot of customers consider insider risk management solely a SOC problem,” she explains. Going forward, a goal is to add new capabilities to educate customers on how they can integrate insider threat management into their broader risk management platforms.
In addition to making MTP and Insider Risk Management generally available, Microsoft is bringing Defender ATP to Linux in public preview and plans to bring the security platform to Android and iOS later this year. Mobile apps for both platforms will be demonstrated at next week’s RSA Conference. Defender ATP is already available on Windows and Mac platforms.
Among Microsoft’s announcements are changes and new capabilities for Azure Sentinel, which debuted in February 2019 and was made generally available in September. The cloud-native SIEM narrows high volumes of signals down to the significant incidents security teams should prioritize. In December, Microsoft used Sentinel to evaluate nearly 50 billion suspicious signals and generated 25 high-confidence alerts for the security operations team to investigate.
Microsoft is bringing in new data connectors and workbooks from Forcepoint, Zimperium, Quest, CyberArk, Squadra, and other partners to enable easier data collection. A new connector for Azure Security Center for IoT lets admins onboard data workloads from the Internet of Things into Azure Sentinel from deployments managed in the IoT Hub. It’s also releasing new developer documents, guides, samples, validation criteria, and updated GitHub Wiki.
To show how Azure Sentinel can pull security insights from across the enterprise, Microsoft is letting new and current Azure Sentinel users import Amazon Web Services CloudTrail logs at no additional cost from Feb. 24 through June 30, 2020.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
Today’s VERT Alert addresses Microsoft’s January 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-866 on Wednesday, January 15th.
In-The-Wild & Disclosed CVEs
While there are no in-the-wild or publicly disclosed CVEs in the January patch drop, there is a lot of discussion around CVE-2020-0601. The vulnerability allows spoofing of Elliptic Curve Cryptography (ECC) certificates due to the way those certificates are validated. This vulnerability was reported to Microsoft by the NSA, and rumors in various publications indicate that certain government agencies and enterprises were given advance notice of it.
Microsoft has rated this as a 1 (Exploitation More Likely) on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
There were no new advisories released today. However, it is worth mentioning that today marks the final day of support for Windows 7, Windows Server 2008, and Windows Server 2008 R2. These platforms are now considered end of life and (Read more…)
The intelligence in this week’s iteration discusses the following threats: BabyShark, Fraud, Maze Ransomware, North Korea, POS malware, Ransomware, Rowhammer, Ryuk Ransomware, Thallium. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Colorado Town Wires Over $1 Million To BEC Scammers (January 3, 2020)
The Colorado town of Erie has paid over one million dollars in a Business Email Compromise (BEC) scam. Using social engineering, the scammers contacted the town requesting a change of payment method from cheque to electronic transfer for the Erie Parkway Bridge. Town staff accepted the form and did not verify the authenticity of the submission with the construction company, wiring one million dollars to the scammers’ account. The contact form has been removed from the town’s website, and the local police are working with the FBI to investigate the incident and attempt to recover the funds.
Landry's Restaurant Chain Discloses POS Malware Incident (January 2, 2020)
An infection of Point-of-Sale (POS) malware has been found on Landry’s network. Landry’s, a company that owns many US restaurants, stated that it found malware on 63 bar and restaurant networks and that it had been active for at least six months. The company believes only a small number of customers have been impacted, due to security features implemented following a 2016 attack. Customers are being advised to review bank statements and look for any suspicious activity.
MITRE ATT&CK: [MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)
FPGA Cards Can Be Abused For Faster And More Reliable Rowhammer Attacks (January 2, 2020)
A research paper has been released by a team of US and German academics detailing how Field-Programmable Gate Array (FPGA) cards can be exploited in “Rowhammer” attacks. Rowhammer attacks, first noted in 2014, exploit a design flaw in Random Access Memory (RAM) modules that alters stored data when neighbouring memory rows are read repeatedly at high speed, a method referred to as “row hammering”. While RAM manufacturers have put mitigations in place to avoid damage from such attacks, the academics have identified ways around the mitigations, along with an expansion of what Rowhammer can be used for. These uses include, but are not limited to, taking over Linux computers, Windows computers and Android devices, remote attacks, and data exfiltration.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] File Deletion – T1107
Maze Ransomware Sued For Publishing Victim's Stolen Data (January 2, 2020)
Southwire, a wire and cable manufacturing company located in Georgia, is suing the anonymous operators behind the “Maze” ransomware. The company was attacked in December 2019; 120GB of data was stolen and published when Southwire did not pay a ransom of six million dollars. The lawsuit seeks damages against the Maze operators for encrypting and publishing the company’s data. Although the operators are unknown, should the government recover monetary damages, Southwire could be entitled to a share. The lawsuit also seeks injunctions against websites such as World Hosting Farm Limited, an Irish web hosting company that hosted the Maze news site and the published Southwire data.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)
Chrome Extension Caught Stealing Crypto-Wallet Private Keys (January 1, 2020)
MITRE ATT&CK: [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Data Obfuscation – T1001
US Coast Guard Discloses Ryuk Ransomware Infection at Maritime Facility (December 30, 2019)
The United States Coast Guard (USCG) has disclosed that an infection of Ryuk ransomware took down a maritime facility. In the security bulletin it sent out, the USCG states that it believes a malicious email containing a link was opened, enabling access to IT network files, which were then encrypted. The attack appears to have disrupted the corporate IT network and the camera and physical access control systems, and caused the loss of process control monitoring systems. The unnamed port had to close operations for over 30 hours.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Spearphishing Link – T1192
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group (December 30, 2019)
Microsoft has filed a court case against the suspected North Korean group “Thallium”. The group typically utilizes spear phishing to compromise victim accounts, giving it access to calendars, contacts, and emails. The court’s ruling has enabled Microsoft to take control of 50 domains the group has been using, meaning the group can no longer use these sites in attacks. Thallium, a suspected North Korean Advanced Persistent Threat (APT) group, has been active since at least 2010, targeting government, non-governmental organization (NGO) and university employees who use legitimate services such as Gmail, Hotmail and Yahoo. In addition to stealing sensitive data, the group uses the malware ‘BabyShark’ and ‘KimJongRAT’ in its attacks.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link – T1192 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] System Information Discovery – T1082
Special Olympics New York Hacked to Send Phishing Emails (December 30, 2019)
During the Christmas holiday, Special Olympics of New York, a nonprofit that provides athletic competition to people with disabilities, had its email server breached. An email was sent to donors of the Special Olympics claiming that over one million dollars would be taken from their accounts and directing them to a PDF of the transaction statement. The Special Olympics states that only the communications system was affected, and not any financial data.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link – T1192 | [MITRE ATT&CK] Spearphishing Attachment – T1193
Source: National Cyber Security – Produced By Gregory Evans
New research reveals alarming Windows 10 ‘Clop’ app-killing threat. The Federal Bureau of Investigation (FBI) issued a high-impact threat warning to U.S. businesses and organizations on October 2, 2019. That threat was ransomware, and the FBI warned that cybercriminals “upgrade and change their techniques to […]
by Dan Kobialka • Dec 27, 2019 Kaspersky, a Russian antivirus and anti-malware solutions provider, has integrated Kaspersky Anti Targeted Attack threat detection capabilities into its Kaspersky Web Traffic Security offering. In doing so, organizations can leverage Kaspersky Web Traffic Security in combination with Kaspersky Anti […]
First amendment rights in the United States only go so far. Shout “fire” in a crowded room for thrills or threaten to kill someone and you will find yourself on the wrong side of the First Amendment interpretation of what constitutes free speech. Joseph Cecil Vandevere […]
In late November the Avast Threat Labs team discovered cyberattacks that exploited Brazilian users’ routers to send them to phishing pages designed to look like actual websites the victim wanted to visit. In this case, sites included Brazilian banking and news sites, as well as Netflix. […]
The intelligence in this week’s iteration discusses the following threats: Backdoors, Cryptocurrency, Data breaches, Malware, and Trojans. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1: IOC Summary Charts. These […]
Ransomware is changing the threat landscape yet again, though this time it isn’t with malicious code.
A spike in ransomware attacks against municipal governments and healthcare organizations, coupled with advancements in the back-end operations of specific campaigns, have concerned security researchers and analysts alike. The trends are so alarming that Jeff Pollard, vice president and a principal analyst at Forrester Research, said he expects local, state and city governments will be forced to seek disaster relief funds from the federal government to recover from ransomware attacks.
“There’s definitely been an uptick in overall attacks, but we’re seeing municipality after municipality get hit with ransomware now,” Pollard said. “When those vital government services are disrupted, then it’s a disaster.”
In fact, Forrester’s report “Predictions 2020: Cybersecurity” anticipates that at least one local government will ask for disaster relief funding from their national government in order to recover from a ransomware attack that cripples municipal services, whether they’re electrical utilities or public healthcare facilities.
Many U.S. state, local and city governments have already been disrupted by ransomware this year, including a massive attack on Atlanta in March that paralyzed much of the city’s non-emergency services. A number of healthcare organizations have also shut down from ransomware attacks, including a network of hospitals in Alabama.
The increase in attacks on municipal governments and healthcare organizations has been accompanied by another trend this year, according to several security researchers: Threat actors are upping their ransomware games.
Today’s infamous ransomware campaigns share some aspects with the notable cyberattacks of 20 years ago. For example, the ILOVEYOU worm used a simple VBScript to spread through email systems and even overwrote random files on infected devices, which forced several enterprises and government agencies to shut down their email servers.
But today’s ransomware threats aren’t just using more sophisticated techniques to infect organizations — they’ve also built thriving financial models that resemble the businesses of their cybersecurity counterparts. And they’re going after targets that will deliver the biggest return on investment.
The McAfee Labs Threats Report for August showed a 118% increase in ransomware detections for the first quarter of this year, driven largely by the infamous Ryuk and GandCrab families. But more importantly, the vendor noted how many ransomware operations had embraced “innovative” attack techniques to target businesses; instead of using mass phishing campaigns (as Ryuk and GandCrab have), “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP [remote desktop protocol] and virtual network computing,” the report stated.
“The concept of ransomware is no longer the concept that we’ve historically known it as,” Raj Samani, chief scientist at McAfee, told SearchSecurity.
Sophos Labs’ 2020 Threat Report, which was published earlier this month, presented similar findings. The endpoint security vendor noted that since the SamSam ransomware attacks in 2018, more threat actors have “jumped on the RDP bandwagon” to gain access to corporate networks, not just endpoint devices. In addition, Sophos researchers found more attacks using remote monitoring and management software from vendors such as ConnectWise and Kaseya (ConnectWise’s Automate software was recently used in a series of attacks).
John Shier, senior security advisor at Sophos, said certain ransomware operations are demonstrating more sophistication and moving away from relying on “spray and pray” phishing emails. “The majority of the ransomware landscape was just opportunistic attacks,” he said.
That’s no longer the case, he said. In addition to searching for devices with exposed RDP or weak passwords that can be discovered by brute-force attacks, threat actors are also using that access to routinely locate and destroy backups. “The thoroughness of the attacks in those cases is devastating, and therefore they can command higher ransoms and get a higher percentage of payments,” Shier said.
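The RDP brute-force pattern Shier describes (an exposed RDP service, many failed logons from one source, then a successful logon) is something a defender can detect from Windows Security events alone. The script below is an added example, not code from the article or from Sophos; it parses a constructed, simplified log format (hypothetical `key=value` lines carrying the real event IDs 4625 for failed logon, 4624 for successful logon, and Logon Type 10 for RDP/RemoteInteractive), counts failures per source address in a sliding window, and flags a source whose burst of failures is followed by a success. The threshold and window values are assumptions to tune per environment.

```python
"""Detect RDP brute-force bursts in Windows Security log lines.

Added illustration (not from the article). Event ID 4625 = failed logon,
4624 = successful logon, Logon Type 10 = RemoteInteractive (RDP).
The log lines and the key=value layout are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one source sprays five accounts in six seconds and then
# logs in as jsmith; a second source has a single typo-style failure; a third
# is a network (type 3) logon and is not RDP at all.
SAMPLE_LOG = """\
2020-01-15T09:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-01-15T09:00:02 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-01-15T09:00:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-01-15T09:00:04 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2020-01-15T09:00:05 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2020-01-15T09:00:06 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2020-01-15T09:00:09 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2020-01-15T09:05:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.22
2020-01-15T09:07:00 EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.22
2020-01-15T09:10:00 EventID=4625 LogonType=3 TargetUser=bob SourceIP=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed key=value lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside any sliding window. A 4624 from the same source at or after
    the end of the burst is reported as a likely successful brute force."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:      # only RDP (RemoteInteractive) logons
            continue
        if e["eid"] == 4625:
            failures[e["ip"]].append(e)
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best = None                    # (count, start_idx, end_idx) of densest window
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = fails[end]["ts"]
        users = sorted({f["user"] for f in fails[start:end + 1]})
        later = [s for s in successes.get(ip, []) if s["ts"] >= burst_end]
        findings[ip] = {
            "failed_attempts": count,
            "distinct_users": len(users),
            "success_after_burst": bool(later),
            "compromised_user": later[0]["user"] if later else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample only 203.0.113.7 is flagged: six failures across five distinct accounts inside the window, followed by a successful logon as jsmith. Alice's single failure and Bob's non-RDP logon stay below the radar, which is the point of keying on Logon Type 10 and a per-source threshold rather than raw 4625 volume. In production the same logic applies to events pulled from the Security channel or a SIEM, and the `success_after_burst` flag is the one worth paging on.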
Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said his company began getting more calls about ransomware attacks with higher ransom demands. “This year, especially earlier in the year, we saw ransomware authors determine that they could ask for more,” he said.
With the volume of ransomware attacks this year, experts expect that trend to continue.
The ransomware economy
Samani said the new strategies and approaches used by many threat groups show a “professionalization” of the ransomware economy. But there are also operational aspects, particularly with the ransomware-as-a-service (RaaS) model, that are exhibiting increased sophistication. With RaaS campaigns such as GandCrab, ransomware authors make their code available to “affiliates” who are then tasked with infecting victims; the authors take a percentage of the ransoms earned by the affiliates.
In the past, Samani said, affiliates were usually less-skilled cybercriminals who relied on traditional phishing or social engineering tactics to spread ransomware. But that has changed, he said. In a series of research posts on Sodinokibi, a RaaS operation that experts believe was developed by GandCrab authors, McAfee observed the emergence of “all-star” affiliates who have gone above and beyond what typical affiliates do.
“Now you’re seeing affiliates beginning to recruit individuals that are specialists in RDP stressing or RDP brute-forcing,” Samani said. “Threat actors are now hiring specific individuals based on their specialties to go out and perform the first phase of the attack, which may well be the initial entry vector into an organization.”
And once they achieve access to a target environment, Samani said, the all-stars generally lie low until they achieve an understanding of the network, move laterally and locate and compromise backups in order to maximize the damage.
Sophos Labs’ 2020 Threat Report also noted that many ransomware actors are prioritizing which drives, files and documents to encrypt first according to the type of data they hold. Shier said it’s not surprising to see ransomware campaigns increasingly use tactics that rely on human interaction. “What we’ve seen starting with SamSam is more of a hybrid model — there is some automation, but there’s also some humans,” he said.
These tactics and strategies have transformed the ransomware business, Samani said, shifting it away from the economies-of-scale approach of old. “All-star” affiliates who can not only infect the most victims but also command the biggest ransoms are now reaping the biggest rewards. And the cybercriminals behind these RaaS operations are paying close attention, too.
“The bad guys are actively monitoring, tracking and managing the efficiency of specific affiliates and rewarding them if they are as good as they claim to be,” Samani said. “It’s absolutely fascinating.”
Silver linings, dark portents
There is some good news for enterprises amid the latest ransomware research. For one, Samani said, the more professional ransomware operations were likely forced to adapt because the return on investment for ransomware was decreasing. Efforts from cybersecurity vendors and projects like No More Ransom contributed to victims refusing to pay, either because their data had been decrypted or because they were advised against it.
As a result, ransomware campaigns were forced to improve their strategies and operations in order to catch bigger fish and earn bigger rewards. “Return on investment is the key motivator to the re-evolution or rebirth of ransomware,” Samani said.
Another positive, according to Shier, is that not every ransomware campaign or its affiliates have the necessary skills to emulate a SamSam operation, for example. “In terms of other campaigns implementing similar models and techniques, it’s grown in the past 18 months,” he said. “But there are some limitations there.”
On the downside, Shier said, cybercriminals often don’t even need that level of sophistication to achieve some level of success. “Not everyone has the technical expertise to exploit BlueKeep for an RDP attack,” he said. “But there’s enough exposed RDP [systems] out there with weak passwords that you don’t need things like BlueKeep.”
In addition, Samani said the ransomware operations that earn large payments will be in a position to improve even further. “If you’ve got enough money, then you can hire whoever you want,” Samani said. “Money gives you the ability to improve research and development and innovate and move your code forward.”
In order to make the most money, threat actors will look for the organizations that are not only most vulnerable but also the most likely to pay large ransoms. That, Samani said, could lead to even more attacks on government and healthcare targets in 2020.
Shier said most ransomware attacks on healthcare companies and municipal governments still appear to be opportunistic infections, but he wouldn’t be surprised if more sophisticated ransomware operations begin to purposefully target those organizations in order to maximize their earnings.
“[Threat actors] know there are organizations that simply can’t experience downtime,” Shier said. “They don’t care who they are impacting. They want to make money.”