Ransomware, Critical Infrastructure and COVID-19: Confronting the New Reality of Nation-State Threats

Over the past decade we have seen just how destructive cyberattacks can be. Every time we turn around, new methods surface that force us to question our decisions and actions, and how we can continue to improve. Nation-state attacks have become more advanced, relying increasingly on lateral movement (unsanctioned east-west traffic) and on longer dwell times. There is a silver lining, though: we can often learn more from the organizations that have withstood even the most sophisticated attacks. That holds for ransomware, for critical infrastructure and for the latest targets, biotech research and COVID-19 vaccines.

Ransomware is a persistent challenge for industries from financial services to healthcare, and the data shows a disturbing trend. A recent survey, The State of Ransomware by the cybersecurity company Sophos, reports that 51% of organizations were hit by ransomware in the last year and that the attackers succeeded in encrypting data in 73% of those attacks. Only 26% of victims whose data was encrypted got it back by paying the ransom. According to Verizon’s Data Breach Investigations Reports on industrial espionage attacks against the private sector, nation-state actors grew from 12% of the perpetrators in the 2018 study to 23% in the 2019 study and 38% in the 2020 study. There is no escaping the fact that nation-states are increasingly engaged in hacking.

From what I have witnessed as a cybersecurity consultant, nation-states are better at hiding than ever before. State hackers act through layers of proxies, frustrate attribution by manipulating data, and use toolkits and other techniques designed to mislead forensics. One of the best examples of how state tooling ends up in the wild is the WannaCry ransomware that wreaked havoc across the world in 2017 and into 2018. It used EternalBlue, an exploit developed by the United States National Security Agency (NSA) and leaked by the Shadow Brokers group in April 2017, one month after Microsoft had released patches (MS17-010) for the underlying SMBv1 vulnerability. WannaCry was especially nasty because it was self-propagating: it could move itself from machine to machine and network to network, spreading the infection entirely on its own.

When Consequences Turn Deadly

Nation-state actors have become brazen, and we see evidence of this in the many different methods they use to carry out attacks, some of which have resulted in fatalities.

In the past, ransomware-focused criminal organizations avoided targets where human lives would be at risk. Now even hospitals are seen as acceptable. In September 2020, a ransomware attack on Düsseldorf University Hospital in Germany forced it to turn away emergency patients and was linked to the death of a patient who had to be diverted to a hospital in another city. German prosecutors are pursuing the Russian attackers involved. In the same month, a separate ransomware attack took down all 250 US facilities of Universal Health Services (UHS).

Nation-state actors have also targeted critical infrastructure in ways that could hurt or even kill citizens of the target countries. Between April and July 2020, Israel’s water supply was attacked three separate times by nation-state hackers, suspected to be Iranian. The industrial control systems of Israeli water treatment facilities were targeted in an attempt to push the dosing of treatment chemicals to unsafe levels. The attacks were disconcerting enough that a cyber counterattack, allegedly initiated by Israel, was launched against Iran and disrupted traffic at the Port of Shahid Rajaee.

These examples are a far cry from the typical nation-state operations of the past: intelligence, influence, disinformation, propaganda and espionage. If we were once under the impression that investing in cybersecurity was strictly a decision based on the risk of data and financial loss, it is time to reevaluate. We have entered an age where attacks can have devastating consequences, certainly for enterprise survival and now even for the safety and lives of people.

The Latest Biotech Hit: COVID-19 Vaccine

In the throes of the COVID-19 pandemic, the US, Canada and the United Kingdom all reported attempts by Russian and Chinese state actors to steal, manipulate and even obstruct COVID-19 vaccine research. The first warnings came in a joint CISA/FBI public service announcement to the vaccine research community in May 2020. In July, the US Department of Justice indicted two Chinese nationals working for the People’s Republic of China. They were charged not only with attempted theft but with attempted destruction of vaccine research held in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden and the United Kingdom.

How We Can Win the War With Segmentation

In cybersecurity we are constantly inundated with stories of failure. Reports of data breaches are far more attractive to the media, while safe, secure organizations that successfully protect themselves and block attacks are not headline news. This does the industry and companies around the world a huge disservice; in a way we suffer from survivorship bias in reverse, since only the failures are visible. While it is important to stay vigilant and treat these threats as real, there are many tangible things that companies and government organizations are doing today to mitigate threats, minimize damage and recover gracefully.

Here are seven ways you can protect your organization from nation-state threats:

  1. Better Vulnerability and Patching Regimen:
    Add vulnerability and patching checks to end-user, public-facing and data center environments, and automate them wherever possible. Build them into DevOps playbooks so that new instances are checked as they are spun up or modified, and cover switches, routers and other infrastructure devices as well, since attackers have increasingly focused there.
  2. Incorporate Multi-factor Authentication:
    Brute-force password attacks are among the easiest direct assaults on end-user and application environments, yet it is easy to enforce strong passwords and to require a second factor. With multi-factor authentication in place, a guessed or stolen password alone no longer gets the attacker in.
  3. Privileged Accounts and Expiration Controls:
    These are easy to add to overall enterprise security. New attacks often inherit the privileges of the user they ride in on, or take advantage of an account that was created for a specific, scheduled purpose and should have been deleted afterwards. Even with administrative accounts, one can work with reduced privileges day to day and only escalate (for example, with sudo) when needed.
  4. Certificate Management and Control:
    Many attackers take advantage of poor certificate management to propagate across an enterprise. By taking better control of certificate issuance, rotation and revocation, you take away the attacker’s ability to fool your workloads into trusting them.
  5. Core Service Controls:
    By securing DNS, remote access, Active Directory and other critical enterprise services, you prevent an attack from doing major damage once it lands.
  6. Micro-segmentation Practices:
    As Zero Trust argues, the enterprise edge is disappearing. We need to move away from reliance on perimeter firewalls and edge security and instead shore up software-based segmentation throughout the enterprise. With software-based segmentation you replace the complexity of VLANs, firewalls and cloud security groups with a platform-agnostic, simplified, fast and granular way to segment across your entire environment. Even when applied sparingly, it decreases an attacker’s ability to land, and still more to move laterally across the environment.
  7. Better and Redundant Backup and Restore Procedures:
    This is especially important where ransomware and nation-state attacks are concerned. The ability to restore systems from backups the attacker could not reach means you avoid costly downtime and recover without paying a ransom.

Setting Expectations: Plan, Practice and Survive

Beyond the seven focus areas, by far the most important indicator of whether you will succeed or fail is whether you have set expectations within your enterprise. Staff and executives need to accept that at some point you will be breached: it is not a matter of if but when. With that in mind, you must also have a well-thought-out and practiced incident response plan that includes non-technical and executive staff. By doing so, you maximize your ability to respond, remediate and recover gracefully.

Attackers may seem formidable, but we have everything we need to defend against them. With a little effort we will survive and flourish.

To learn more about how Guardicore can help, get a free attack surface reduction analysis for your organization.

SUNBURST Backdoor: Unfolding Information on the SolarWinds Attack Campaign

On December 13th, 2020, major news outlets began reporting that a highly sophisticated supply chain attack had targeted and successfully breached two major U.S. agencies, gaining access to internal email traffic.

Emerging details reveal that the threat actors behind this campaign gained access to these agencies, and to other organizations across many verticals and geographies, through a supply chain attack: they trojanized SolarWinds Orion software updates and used them to distribute malware. Post-breach activity in the campaign has included lateral movement within networks and successful data exfiltration.

FireEye, currently tracking the campaign closely, summarized details about the malware, SUNBURST, in a recent, comprehensive post:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

Who is impacted by the SolarWinds attack campaign?

While the threat actors have only targeted a portion of the customer base so far, this backdoor gives them potential access to every organization running the vulnerable SolarWinds products. Organizations running any product from the list below should assume network compromise and activate their incident response plans promptly if they have not already.

A known list of affected versions:

  • Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1, including:
    • Application Centric Monitor (ACM)
    • Database Performance Analyzer Integration Module (DPAIM)
    • Enterprise Operations Console (EOC)
    • High Availability (HA)
    • IP Address Manager (IPAM)
    • Log Analyzer (LA)
    • Network Automation Manager (NAM)
    • Network Configuration Manager (NCM)
    • Network Operations Manager (NOM)
    • Network Performance Monitor (NPM)
    • NetFlow Traffic Analyzer (NTA)
    • Server & Application Monitor (SAM)
    • Server Configuration Monitor (SCM)
    • Storage Resource Monitor (SRM)
    • User Device Tracker (UDT)
    • Virtualization Manager (VMAN)
    • VoIP & Network Quality Manager (VNQM)
    • Web Performance Monitor (WPM)

SolarWinds continues to update the list of affected products. It’s recommended that you verify as soon as possible what software versions you have installed (instructions can be found on the SolarWinds website).

Mitigation Recommendations

New threat and mitigation information continues to emerge. However, we have notified all customers with known instances of Solarwinds Orion software installed on network areas with Guardicore Centra coverage, giving them the following recommendations:

  1. Update your affected software based on the latest SolarWinds recommendations
  2. Until a hotfix is installed, we recommend you immediately limit SolarWinds servers’ communication to and from the internet using a Centra policy Override block rule.
  3. Ring-fence all servers running SolarWinds.
  4. Search your network for the indicators of compromise provided by FireEye to identify possible threat activity. This can be done with Guardicore Insight (available from the Guardicore Centra v35 release).
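
Two quick checks that follow the steps above, written for this page as an added example and not taken from Guardicore, FireEye or SolarWinds: one that tells you whether an Orion Platform version string is one of the affected builds listed on this page, and one that matches DNS query logs against indicator domains, treating any subdomain of an indicator as a hit (SUNBURST beaconed to generated subdomains of its command-and-control domain, so exact-match searches miss it). The log format `timestamp src=<host> qname=<name>` and the log lines themselves are constructed for the example. The only real indicator embedded here is avsvmcloud.com, the C2 domain published in FireEye’s SUNBURST report; take the complete indicator list from that report, not from this snippet.

```python
"""Added example for this page, not Guardicore, FireEye or SolarWinds code.

is_affected():   is an Orion version string one of the affected builds?
find_ioc_hits(): which hosts queried an indicator domain or a subdomain of it?
"""
import re
from collections import defaultdict

# Affected builds exactly as listed on this page: 2019.4 HF 5, 2020.2 with
# no hotfix, and 2020.2 HF 1.
AFFECTED_VERSIONS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Accepts '2020.2', '2020.2 HF 1', '2020.2hf1', '2020.2.1 HF 2' and so on.
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d+(?:\.\d+)?)\s*(?:HF\s*(\d+))?\s*$", re.I)


def normalize_version(version: str) -> str:
    """Canonicalise spacing and case so '2020.2 hf1' becomes '2020.2 HF 1'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {version!r}")
    base, hotfix = m.group(1), m.group(2)
    return f"{base} HF {int(hotfix)}" if hotfix else base


def is_affected(version: str) -> bool:
    """True when the (normalised) version is on the affected list above."""
    return normalize_version(version) in AFFECTED_VERSIONS


# Indicator domains. avsvmcloud.com is the SUNBURST C2 domain from FireEye's
# public report; load the full list from that report in practice.
IOC_DOMAINS = {"avsvmcloud.com"}


def domain_matches(qname: str, ioc: str) -> bool:
    """True if qname is the indicator itself or any subdomain of it.

    The leading dot in the suffix test stops 'notavsvmcloud.com' from
    matching 'avsvmcloud.com'; the rstrip handles fully qualified names.
    """
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


# Constructed log format for this example: '<timestamp> src=<host> qname=<name>'.
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)")


def find_ioc_hits(log_lines, ioc_domains=IOC_DOMAINS):
    """Return {source host: [(timestamp, queried name), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a DNS query record; skip it rather than abort the hunt
        for ioc in ioc_domains:
            if domain_matches(m["qname"], ioc):
                hits[m["src"]].append((m["ts"], m["qname"]))
                break
    return dict(hits)


# Constructed DNS query log. The subdomain label is made up to show the shape
# of a DGA-style query; it is not a real indicator.
SAMPLE_LOG = """\
2020-12-14T03:12:01Z src=orion-01 qname=constructed-dga-label.appsync-api.us-west-2.avsvmcloud.com
2020-12-14T03:12:05Z src=ws-117 qname=updates.solarwinds.com
2020-12-14T03:13:40Z src=orion-01 qname=avsvmcloud.com.
2020-12-14T03:14:02Z src=ws-042 qname=notavsvmcloud.com
this line is not a dns record and must be skipped
""".splitlines()


if __name__ == "__main__":
    for v in ("2019.4 HF 5", "2020.2", "2020.2 HF 1", "2019.4 HF 6"):
        print(f"{v:14} affected={is_affected(v)}")
    for host, queries in find_ioc_hits(SAMPLE_LOG).items():
        print(host, queries)
```

Run it against your real resolver or EDR DNS export by replacing `SAMPLE_LOG` with the lines from that export (adjust `_LOG_RE` to its field layout) and `IOC_DOMAINS` with the published list. A host that resolved the C2 domain is a lead for the incident response plan, not proof of compromise on its own, since the backdoor stayed dormant for up to two weeks and not every install was tasked.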

Reducing attack surface and preventing unauthorized lateral movement can significantly reduce the impact of similar attack campaigns on your organization in the future. To learn more about your risk reduction potential, request an attack surface analysis today.

How Technological Innovation Has Changed Security As We Know It

Technological innovation has changed security as we know it. We live in a fast-paced, digital world, and agile enterprises have embraced the rapid delivery of new technology and digital services as a way to stay competitive. At the center of this transformation are the DevOps model and the move to cloud computing for faster and more efficient delivery of digital services. The pace at which security was delivered over the last 20 years is no longer adequate, and as a result organizations are forced to choose between agility and security.

I see many organizations whose pace of innovation is significantly hurt by the legacy firewalls they rely on for security and compliance. Their DevOps race cars are shackled to old-school network security appliances. Sadly, legacy firewalls are also not very effective at stopping modern threats, so organizations end up both exposed and slow.

Technological innovation and firewall facts

To test our observations, Guardicore sponsored a research project with the Ponemon Institute, surveying more than 600 security professionals in the United States about how they use legacy firewalls. One clear trend was that legacy firewalls are ineffective at protecting applications and data in the cloud. Another big finding was that legacy firewalls kill flexibility and speed. Both are plainly detrimental to the business.

Allow me to explain. As organizations move to cloud and hybrid infrastructures, applications migrate among environments and inter-segment traffic grows. The rapid proliferation of applications creates an ever-larger attack surface for attackers to target. And these services deliver information and files directly to the end user, bypassing the stateful firewalls at the perimeter altogether.

As for why this is happening, the answer is that legacy firewalls simply haven’t kept up with today’s world. The last major innovation in firewall appliances was a good 15 years ago, and the IT landscape has changed profoundly since then.

Legacy firewalls are out; software-based segmentation is in

Digital transformation has presented the world of business with many exciting opportunities. At the same time, it has pushed legacy firewalls well past their originally intended purpose.

As the first line of defense against outside intrusion, legacy firewalls have, without question, been a boon to the evolution of the internet. However, as data breaches proliferated, organizations quickly realized they could not protect only against outside threats. After all, what happens once someone gets past the perimeter defenses? Clearly they had to mitigate threats inside their networks and data centers as well.

This led to the concept of segmentation — the creation of restricted “zones” for groups of applications in the network environment. Network and data center segmentation has typically taken the form of virtual local area networks or VLANs, partitioned and secured by the same firewall technology that enforces north-south traffic at the perimeter. However, as technologies continue to evolve, these methods have become lengthy, costly, and complex. 

Here’s how VLANs work (or don’t)

If you have been using VLANs up until now, you know how ineffective they are at protecting legacy systems. VLANs usually lump all legacy systems into one segment. What does that mean? A single breach puts every system in that segment in the line of fire, because nothing inspects traffic between hosts inside the same VLAN. Yeah – it’s not good.

VLANs rely on firewall rules that are difficult to maintain and poorly automated. This often results in organizations accepting loose policy that leaves the environment open to risk. Without visibility, security teams cannot enforce tight policy on the flows among the legacy systems themselves, or between the legacy systems and the rest of a modern infrastructure.
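
The contrast drawn here, and in the “Micro-segmentation Practices” item of the seven-point list earlier on this page, between VLAN zones and label-based segmentation can be made concrete by running the same east-west flows through both policy models. The block below is an added example written for this page, not Guardicore Centra code: the host inventory, the VLAN assignments, the role labels, the firewall rules and the attempted flows are all constructed. It shows that a zone model only sees traffic crossing a VLAN boundary, so an attacker who lands on one host in a zone can reach every peer in it, while an allow-list keyed on workload labels blocks those same moves without touching the legitimate application path.

```python
"""Added example for this page, not Guardicore Centra code.

Evaluates the same constructed east-west flows under two policy models:
a VLAN zone model (intra-VLAN traffic unrestricted, inter-VLAN traffic
gated by firewall rules) and a label-based allow-list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed inventory. 'vlan' is the network segment each host sits in;
# 'role' is the label a software-based policy keys on instead.
HOSTS = {
    "web-01":     {"vlan": 10, "role": "web"},
    "app-01":     {"vlan": 10, "role": "app"},
    "db-01":      {"vlan": 10, "role": "db"},
    "legacy-erp": {"vlan": 20, "role": "legacy"},
    "legacy-hr":  {"vlan": 20, "role": "legacy"},
}

# Model 1: VLAN zones. Only traffic that crosses a VLAN boundary is checked,
# against explicit (src_vlan, dst_vlan, port) firewall rules.
VLAN_FIREWALL_RULES = {(10, 20, 1433)}  # the app tier may reach the legacy DB port


def vlan_policy_allows(flow: Flow) -> bool:
    src_vlan = HOSTS[flow.src]["vlan"]
    dst_vlan = HOSTS[flow.dst]["vlan"]
    if src_vlan == dst_vlan:
        return True  # the zone model never inspects intra-segment traffic
    return (src_vlan, dst_vlan, flow.port) in VLAN_FIREWALL_RULES


# Model 2: label-based allow-list. Every flow, inside or across segments,
# must match a (src_role, dst_role, port) tuple; anything else is denied.
LABEL_RULES = {
    ("web", "app", 8080),
    ("app", "db", 3306),
    ("app", "legacy", 1433),
}


def label_policy_allows(flow: Flow) -> bool:
    src_role = HOSTS[flow.src]["role"]
    dst_role = HOSTS[flow.dst]["role"]
    return (src_role, dst_role, flow.port) in LABEL_RULES


def evaluate(flows, policy):
    """Map each flow to the policy's decision, 'allow' or 'block'."""
    return {f: ("allow" if policy(f) else "block") for f in flows}


# Constructed flows: the legitimate application path plus lateral-movement
# attempts from a compromised web-01 and a compromised legacy-erp.
FLOWS = [
    Flow("web-01", "app-01", 8080),        # legitimate: web tier to app tier
    Flow("app-01", "db-01", 3306),         # legitimate: app tier to database
    Flow("web-01", "db-01", 3306),         # attacker skips the app tier
    Flow("web-01", "app-01", 22),          # attacker tries SSH to a peer
    Flow("legacy-erp", "legacy-hr", 445),  # attacker hops between legacy hosts
    Flow("web-01", "legacy-hr", 445),      # attacker crosses the VLAN boundary
]


def blocked_count(policy) -> int:
    """How many of the constructed flows the given policy blocks."""
    return sum(1 for d in evaluate(FLOWS, policy).values() if d == "block")


if __name__ == "__main__":
    for f in FLOWS:
        vlan = "allow" if vlan_policy_allows(f) else "block"
        label = "allow" if label_policy_allows(f) else "block"
        print(f"{f.src:>10} -> {f.dst:<10} :{f.port:<5} vlan={vlan:5} labels={label}")
    print("blocked by VLAN zones:", blocked_count(vlan_policy_allows))
    print("blocked by labels:    ", blocked_count(label_policy_allows))
```

Of the four attacker flows, the VLAN model stops only the one that crosses a segment boundary; the label model stops all four, and both models still pass the two legitimate flows. The label rules never mention a VLAN, subnet or cloud security group, which is what lets the same policy follow a workload when it moves between environments.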

It’s time to rethink firewalls

I’m excited to share that here at Guardicore, we are revolutionizing the segmentation field by delivering distributed firewall controls that are completely decoupled from the underlying infrastructure. This modern-day approach removes the most significant obstacles to security efficiency: slow implementation and severe operational impact.

As Buckminster Fuller once said, “We are called to be architects of the future, not its victims.” 

The industry changes we have witnessed over the past three decades are precisely why we founded Guardicore. We ourselves come from a background where we have experienced the same challenges you are experiencing, and we are thrilled to embrace and share the innovations of the future. We continue to hold the vision and the goal of reinventing enterprise security to place greater emphasis on security beyond the traditional network perimeter. This makes our organizations and ultimately, all of us, safer. 

Now is the time to embrace better alternatives to legacy firewalls. Together, let’s enable rapid innovation and digital transformation while also protecting those digital assets that matter most. 

To learn more about the findings in this report and our solution, please download our free ebook, “Rethink Your Firewalls to Meet the Needs of Digital Transformation”. We look forward to sharing this journey to success together. Here’s to technological innovation – and the successful security that supports it!

