SECURITY
Cybercriminals get bolder as impact from SolarWinds and ransomware grows
Cybercriminals get bolder as impact from SolarWinds and ransomware grows
BY MARK ALBERTSON
UPDATED APRIL 15 2021
In 2006, then-U.S. Senator Barack Obama published a book, “The Audacity of Hope,” on his way to winning the White House in 2008. If the cybersecurity community were to write a similar treatise today, the appropriate title would most likely be “The Audacity of Hacks.”
FireEye Inc. held a series of sessions this month to offer a “state of cybersecurity” picture timed with the release of its Mandiant M-Trends 2021 report. One conclusion from the sessions and the report’s findings is that nation states and cybercriminals have become increasingly emboldened over the past year. Hacking has morphed from annoyance and inconvenience into extortion and social disruption on a global scale.
FireEye itself received confirmation of the perilous state of cybersecurity in December when the firm realized that hackers managed to steal its closely guarded Red Team assessment tools used to test customer security. The company’s analysis of how a portion of its crown jewels could be breached led to the discovery of what is now known as the SolarWinds exploit, a sophisticated malware campaign which allowed hackers to infiltrate systems involving at least 100 private companies and multiple U.S. government agencies.
The breach, which reflected extraordinary tradecraft and sophistication according to FireEye, is believed to have been led by the Russian government. The audacious hack has captured the attention of security analysts and government officials around the world, and it has set the stage for what may well be a rocky year ahead.
“What’s different now is the audacity that nation states are using, against a backdrop of a global pandemic,” Sandra Joyce, executive vice president and head of global intelligence at FireEye Mandiant, said during one of the company’s sessions this month. “For everything we see nation states do, the cybercriminals are carefully watching.”
Dwell times decrease
This year’s Mandiant report offered a mix of good news and bad. On the positive side, 59% of security incident investigations by the firm were initially detected by its customers, a 12% increase over the previous year.
In addition, global median dwell time or the duration between when a cybersecurity intrusion begins and when it is discovered, has declined significantly. Back in 2011, dwell time was documented at over a year and now stands at 24 days.
While the pace of detection and security awareness may be improving, the threats themselves have taken on a more ominous tone. Joyce noted that the global pandemic generated a cyber espionage response from nation states, with private patient data being breached in a number of health organizations. When a cyberattack disrupted emergency care at one German hospital last year, a patient died.
“We’ve seen some red lines crossed with attacks on hospitals,” said Joyce. “Now we’re moving into threats against the cloud.”
Vulnerabilities in cloud systems are not new. Yet, what the SolarWinds breach exposed was an ability for attackers to acquire privileged access to run software already installed across platforms, including on-premises servers and virtual machines in the cloud.
The threat actors used a technique that targeted the Security Assertion Markup Language or SAML authentication standard, commonly used to create a trustworthy link between cloud and on-premises systems.
“This is that golden SAML process, it’s basically a golden ticket that can have access throughout the system,” Joyce explained. “What happens now is that attackers grab credentials and start pivoting around in cloud environments. It’s an incredible tactic and not something we’re going to see the end of.”
Ransomware and extortion
Another exploit not likely to end anytime soon is ransomware. The latest M-Trends report documented how cybercriminals were escalating ransomware attacks, which grew from 14% of FireEye’s investigations to 25% in just one year.
The consequences of a successful ransomware attack are rising as well. FireEye believes that ransomware has evolved into multifaceted extortion where bad actors are using a variety of techniques to infiltrate systems, carefully identify the most valuable data assets and coerce payment for the release of encrypted files. Threats for nonpayment include posting stolen data on public websites or providing proprietary information to competitors.
“Ransomware extortion is the latest trend we are seeing right now,” said Yihao Lim, a cyberthreat intelligence analyst for Mandiant Threat Intelligence in Singapore. “This has proven to be very effective. The attacker will take time to study the victim, they are not in a rush.”
One of the key contributors to the rise in ransomware attacks has been that, as with a wide range of tech industry software, the malware is now widely obtainable as-a-service.
Like software-as-a service, RaaS represents the new business model for enterprising hackers. The exploits are often developed by professional programmers with legitimate jobs seeking money on the side, according to one group of security researchers.
Ransomware services are available for monthly or one-time license fees, or on an affiliate basis where the as-a-service provider will receive 25% of the ransom. Some RaaS platforms even offer troubleshooting help desks for support, according to Yihao.
“It reduces the barrier to entry for a lot of bad guys, you can just use the ransomware that’s already available on the platform,” he said. “It’s like a hosting company and you have clients who use the hosting company services. Each of them can hit a number of victims by themselves.”
On the brink
One of the last live technology conferences held in the U.S. in 2020, before the global pandemic closed everything down, was the annual RSA Cybersecurity gathering in San Francisco. Mandiant’s Joyce recalled a feeling at the event that the security industry was teetering on the brink, where the threats had become so serious and sophisticated, it would take a momentous coming together of the private and public sectors to marshal the kind of defense that was needed.
COVID-19 intervened and such a joint effort did not materialize. Joyce and the rest of the cybersecurity community are now left wondering if it ever will.
“It really truly has been unprecedented times,” Joyce said. “This industry is getting burned out. When are governments around the world going to make it harder for threat actors to carry out these missions?”
Image: Pixabay Commons
UPDATED APRIL 15 2021
In 2006, then-U.S. Senator Barack Obama published a book, “The Audacity of Hope,” on his way to winning the White House in 2008. If the cybersecurity community were to write a similar treatise today, the appropriate title would most likely be “The Audacity of Hacks.”
FireEye Inc. held a series of sessions this month to offer a “state of cybersecurity” picture timed with the release of its Mandiant M-Trends 2021 report. One conclusion from the sessions and the report’s findings is that nation states and cybercriminals have become increasingly emboldened over the past year. Hacking has morphed from annoyance and inconvenience into extortion and social disruption on a global scale.
FireEye itself received confirmation of the perilous state of cybersecurity in December when the firm realized that hackers managed to steal its closely guarded Red Team assessment tools used to test customer security. The company’s analysis of how a portion of its crown jewels could be breached led to the discovery of what is now known as the SolarWinds exploit, a sophisticated malware campaign which allowed hackers to infiltrate systems involving at least 100 private companies and multiple U.S. government agencies.
The breach, which reflected extraordinary tradecraft and sophistication according to FireEye, is believed to have been led by the Russian government. The audacious hack has captured the attention of security analysts and government officials around the world, and it has set the stage for what may well be a rocky year ahead.
“What’s different now is the audacity that nation states are using, against a backdrop of a global pandemic,” Sandra Joyce, executive vice president and head of global intelligence at FireEye Mandiant, said during one of the company’s sessions this month. “For everything we see nation states do, the cybercriminals are carefully watching.”
Dwell times decrease
This year’s Mandiant report offered a mix of good news and bad. On the positive side, 59% of security incident investigations by the firm were initially detected by its customers, a 12% increase over the previous year.
In addition, global median dwell time or the duration between when a cybersecurity intrusion begins and when it is discovered, has declined significantly. Back in 2011, dwell time was documented at over a year and now stands at 24 days.
While the pace of detection and security awareness may be improving, the threats themselves have taken on a more ominous tone. Joyce noted that the global pandemic generated a cyber espionage response from nation states, with private patient data being breached in a number of health organizations. When a cyberattack disrupted emergency care at one German hospital last year, a patient died.
“We’ve seen some red lines crossed with attacks on hospitals,” said Joyce. “Now we’re moving into threats against the cloud.”
Vulnerabilities in cloud systems are not new. Yet, what the SolarWinds breach exposed was an ability for attackers to acquire privileged access to run software already installed across platforms, including on-premises servers and virtual machines in the cloud.
The threat actors used a technique that targeted the Security Assertion Markup Language or SAML authentication standard, commonly used to create a trustworthy link between cloud and on-premises systems.
“This is that golden SAML process, it’s basically a golden ticket that can have access throughout the system,” Joyce explained. “What happens now is that attackers grab credentials and start pivoting around in cloud environments. It’s an incredible tactic and not something we’re going to see the end of.”
Ransomware and extortion
Another exploit not likely to end anytime soon is ransomware. The latest M-Trends report documented how cybercriminals were escalating ransomware attacks, which grew from 14% of FireEye’s investigations to 25% in just one year.
The consequences of a successful ransomware attack are rising as well. FireEye believes that ransomware has evolved into multifaceted extortion where bad actors are using a variety of techniques to infiltrate systems, carefully identify the most valuable data assets and coerce payment for the release of encrypted files. Threats for nonpayment include posting stolen data on public websites or providing proprietary information to competitors.
“Ransomware extortion is the latest trend we are seeing right now,” said Yihao Lim, a cyberthreat intelligence analyst for Mandiant Threat Intelligence in Singapore. “This has proven to be very effective. The attacker will take time to study the victim, they are not in a rush.”
One of the key contributors to the rise in ransomware attacks has been that, as with a wide range of tech industry software, the malware is now widely obtainable as-a-service.
Like software-as-a service, RaaS represents the new business model for enterprising hackers. The exploits are often developed by professional programmers with legitimate jobs seeking money on the side, according to one group of security researchers.
Ransomware services are available for monthly or one-time license fees, or on an affiliate basis where the as-a-service provider will receive 25% of the ransom. Some RaaS platforms even offer troubleshooting help desks for support, according to Yihao.
“It reduces the barrier to entry for a lot of bad guys, you can just use the ransomware that’s already available on the platform,” he said. “It’s like a hosting company and you have clients who use the hosting company services. Each of them can hit a number of victims by themselves.”
On the brink
One of the last live technology conferences held in the U.S. in 2020, before the global pandemic closed everything down, was the annual RSA Cybersecurity gathering in San Francisco. Mandiant’s Joyce recalled a feeling at the event that the security industry was teetering on the brink, where the threats had become so serious and sophisticated, it would take a momentous coming together of the private and public sectors to marshal the kind of defense that was needed.
COVID-19 intervened and such a joint effort did not materialize. Joyce and the rest of the cybersecurity community are now left wondering if it ever will.
“It really truly has been unprecedented times,” Joyce said. “This industry is getting burned out. When are governments around the world going to make it harder for threat actors to carry out these missions?”
Image: Pixabay Commons
No comments:
Post a Comment