Posts

Ransomware, Critical Infrastructure and COVID-19: Confronting the New Reality of Nation-State Threats

/in /by

Over the past decade, we have seen just how destructive cyberattacks have become. It seems every time we turn around, there are new methods surfacing that can often make us question our decisions and actions, and how we can continue to improve. But while we have seen nation-state attacks become more advanced, especially attacks using lateral movement such as unsanctioned east-west traffic and increased dwell time, there is also a silver lining. We can often learn more from the organizations that have been successful in circumventing even the most sophisticated cyberattacks. This is true even in cases of ransomware, critical infrastructure and the latest attacks – biotech research and COVID-19 vaccines.

Ransomware is consistently a huge challenge for many industries from financial services to healthcare and others, and the data shows a disturbing trend. A recent survey, The State of Ransomware, by the cybersecurity company, Sophos, reveals that 51% of organizations were hit by ransomware in the last year, and hackers succeeded in encrypting the data in 73% of those attacks. However, only 26% of ransomware victims whose data was encrypted got their data back by paying the ransom. And according to Verizon’s Data Breach studies into industrial espionage attacks against the private sector, the volume of nation-state actors increased from being 12% of the perpetrators of such attacks in 2018, to 23% in the 2019 study and to 38% in the 2020 study. There is no escaping the fact that nation-states are increasingly engaged in hacking.

From what I’ve witnessed as a cybersecurity consultant, nation-states are better at hiding than ever before. State hackers use various sophisticated techniques such as acting through proxy layers, avoiding attribution by manipulating data, and using clever toolkits and other means to mislead forensics. One of the best examples of this is the Wannacry ransomware that wreaked havoc across the world in 2017 and throughout 2018. It used EternalBlue, a cyberattack exploit developed by the United States National Security Agency (NSA). It was leaked by the hacker group, Shadow Brokers in April of 2017, just one month after Microsoft released patches for the vulnerability. Wannacry was especially nasty due to its self-propagating nature, meaning it has the ability to move itself from machine to machine, or network to network, spreading the infection entirely on its own.

When Consequences Turn Deadly

Nation-state actors have become brazen in their attacks, and we see evidence of this in the use of many different methods to carry out attacks that have even resulted in fatalities.

In the past, ransomware-focused criminal organizations would avoid targets where human lives would be at risk. But now, even hospitals are seen as acceptable. In September 2020, a ransomware attack on the German Düsseldorf University Clinic led to a death of a patient. German law enforcement is seeking prosecution of the Russian attackers involved in that attack. The same criminal gang was also responsible for attacking and taking down all 250 facilities of US based UHS healthcare.

Nation-state actors have also targeted critical infrastructure that aims to hurt or even kill citizens of the target countries. From April to July of 2020, Israel’s water supplies were threatened three separate times by nation-state hackers (suspected to be Iran). The industrial controls of Israeli water processing facilities were attacked in an attempt to alter the injection of treatment chemicals to unsafe levels. The attack was so disconcerting, a cyber counterattack was levied against Iran (allegedly initiated by Israel) that disrupted port traffic at the Port of Shahid Rajaee.

These examples are a far cry from the typical nation-state attacks of the past – intelligence, influence, disinformation, propaganda and espionage. If we were once under the impression that investing in cybersecurity was strictly a decision based on the risk of data and financial loss, it’s time to reevaluate. We have entered an age where attacks could truly lead to devastating consequences, certainly to enterprise survival and now even to the safety and lives of people.

The Latest Biotech Hit: COVID-19 Vaccine

In the throes of the COVID-19 epidemic the US, Canada and the United Kingdom all reported attempts by Russian and Chinese state actors to steal, manipulate and even obstruct the development of the COVID-19 vaccine. First warnings of such activity came from a joint CISA/FBI PSA to the vaccine research community in May 2020. By July, the US Department of Justice issued an indictment for two Chinese nationals working for the People’s Republic of China. They were not only charged with attempted theft but attempted destruction of vaccine research held in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

How We Can Win the War With Segmentation

In cybersecurity, we are constantly inundated with stories of failures. Reports of data breaches seem to be much more popular with the media, while safe, secure organizations that are successfully protecting themselves and blocking attacks aren’t considered headline news. However, this is doing the industry and companies across the world a huge disservice. In a way, we are victims of reverse-survivor bias. While it’s important that we continue to stay vigilant and recognize these threats as real, there are many tangible things that companies and government organizations are currently doing to mitigate threats, minimize damages and recover gracefully.

Here are seven ways you can protect your organization from nation-state threats:

  1. Better Vulnerability and Patching Regimen:
    Add vulnerability and patching checks to end users, public facing and data center environments, and should be included and automated wherever possible.They should also be incorporated into devops playbooks as new instances are spun out and/or modified. They should be incorporated into switch/route and other infrastructure devices as well, since we’ve seen a rise in focus here among attackers.
  2. Incorporate Multi-factor Authentication:
    Brute force password cracking is one of the easiest direct assaults seen on end user and application environments, yet it’s easy to enforce the use of strong passwords and to implement two factor authentication.
  3. Privileged Accounts and Expiration Controls:
    These can be easily added to overall enterprise security. New attacks often take advantage of the user they ride in on. Or, they can take advantage of an account that should have been used for a specific, scheduled purpose and subsequently deleted. Even with administrative accounts, one could easily work with reduced privileges – only invoking a higher “sudo” when needed.
  4. Certificate Management and Control:
    Many attackers take advantage of poor certificate management to propagate across an enterprise. By taking better control of certificate management you take away the ability of hackers to fool your workloads into trusting them.
  5. Core Service Controls:
    By better securing DNS, Remote Access, Active Directory and other critical enterprise services you prevent attacks from doing major damage.
  6. Micro-segmentation Practices:
    As Zero Trust discusses, the end of the enterprise edge is nigh. We need to move away from the reliance on perimeter firewalls and edge security and instead shore up our software-based segmentation throughout our enterprise workflow. With software-based segmentation, you replace the complexity of VLANs, firewalls and cloud security groups with a platform agnostic, simplified, fast and granular method to segment across your entire environment. Even when applied sparingly you decrease an attacker’s ability to land and even more to move laterally across the environment.
  7. Better and Redundant Backup and Restore Procedures:
    This is especially important today when ransomware and nation-state attacks are concerned. The ability to restore systems means you avoid costly downtime and restore without paying a ransom.

Setting Expectations: Plan, Practice and Survive

Adding to the seven focus areas, by far the most important indicator of whether you’ll succeed or fail, comes down to whether you’ve set expectations within your enterprise. Staff and executives need to accept that at some point you will be breached. They need to understand that it’s not a matter of if but when. With that in mind, you must also have a well thought out and practiced incident response plan that includes non-technical and executive staff. By doing such, you maximize your ability to respond, remediate and to recover gracefully.

While attackers seem so troublesome, we have everything in our grasp to defend against them. With just a little effort we will indeed survive and flourish.

To learn more about how Guardicore can help, get a free attack surface reduction analysis for your organization.

PLEASE_READ_ME: The Opportunistic Ransomware Devastating MySQL Servers

/in /by and

Guardicore Labs uncovers a sophisticated, multifunctional P2P botnet written in Golang and targeting SSH servers.

Read more

Are you Prepared for a Rise in Nation State Attacks and Ransomware in 2020?

/in /by

Once you know what you’re up against, keeping your business safe might be easier than you think. In this blog, we’re going to look at two kinds of cyber threats: nation state cyber attacks and ransomware. Neither is a new concern, but both are increasing in sophistication and prevalence. Many businesses feel powerless to protect against these events, and yet a list of relatively simple steps could keep you protected in the event of an attack.

Staying Vigilant Against Nation State Actors

According to the 2019 Verizon Data Breach study, nation state attacks have increased from 12 percent of attacks in 2017 to 23 percent in 2018.

One of the most important things to recognize about nation state attacks is that it is getting harder to ascertain where these attacks are coming from. Attackers learn to cleverly obfuscate their attacks through mimicking other state actor behavior, tools, and coding and through layers of hijacked, compromised networks. In some cases, they work through proxy actors. This makes the process of attribution very difficult. One good example is the 2018 Olympics in Pyongyang, where attackers launched the malware Olympic Destroyer. This took down the Olympic network’s wireless access points, servers, ticketing system, and even reporters Internet access for 12 hours, immediately prior to the start of the games. While at first, metadata in the malware was thought to attribute the attack to North Korea, this was actually down to manipulations of the code. Much later, researchers realized it was of Russian origin.

These ‘false flag’ attacks have a number of benefits for the perpetrators. Firstly, the real source of the threat may never be discovered. Secondly, even if the correct attribution is eventually found, the news cycle has died down, the exposure is less, and many people may not believe the new evidence.

This has contributed to nation state actors feeling confident to launch larger and more aggressive attacks, such as Russian attacks on Ukrainian power grids and communications, or the Iranian cyber-attack APT 33, that recently took down more than 30,000 Saudi oil production laptops and servers.

Ransomware often Attacks the Vulnerable, including Local Government and Hospitals

State sponsored attacks have the clout to do damage where it hurts the most, as seen by the two largest ransomware attacks ever experienced, WannaCry and NotPetya. These were created using what was allegedly a stolen US NSA tool kit called EternalBlue, as well as a French password stealer called Mimikatz.

This strength, combined with the tight budgets and flat networks of local governments and healthcare systems, is a recipe for catastrophe. Hospitals in particular are known for having flat networks and medical devices based on legacy and end-of-life operating systems. According to some estimates, hospitals are the targets of up to 70% of all ransomware incidents. The sensitive nature of PII and health records and the direct impact on safety and human life makes the healthcare industry a lucrative target for hackers looking to get their ransom paid by attacking national infrastructure.

As attackers become increasingly brazen, and go after organizations that are weak-placed to stand up to the threat, it’s more important than ever that national infrastructure thinks about security, and takes steps to handle these glaring gaps.

Shoring Up Your Defenses is Easier Than You Think

The party line often seems to be that attackers are getting smarter and more insidious, and data centers are too complex to handle this threat. It’s true that today’s networks are more dynamic and interconnected, and that new attack vectors and methods to hide these risks are cropping up all the time. However, what businesses miss, is the handful of very achievable and even simple steps that can help to limit the impact of an attack, and perhaps even prevent the damage occurring in the first place.

Here’s what enterprises can do:

  • Create an Incident Response Plan: Make sure that anyone can understand what to do in case of an incident, not just security professionals. Think about the average person on your executive board, or even your end users. You need to assume that a breach or a ransomware attack will happen, you just don’t know when. With this mindset, you’ll be more likely to create a thorough plan for incident response, including drills and practice runs.
  • Protect your Credentials: This starts with utilizing strong passwords and two-factor authentication, improving the posture around credentials in general. On top of this, the days of administrative rights are over. Every user should have only the access they need, and no further. This stops bad actors from escalating privileges and moving laterally within your data center, taking control of your devices.
  • Think Smart on Security Hygiene: Exploits based on the Eternal Blue tool kit – the Microsoft SMB v1 vulnerability, were able to cause damage because of a patch that had been released by Microsoft by May 2017. Software vulnerabilities can be avoided through patching, vulnerability testing, and certification.
  • Software-Defined Segmentation: If we continue the mindset that an attack will occur, it’s important to be set up to limit the blast radius of your breach. Software-defined segmentation is the smartest way to do this. Without any need to make infrastructure changes, you can isolate and protect your critical applications. This also works to protect legacy or end-of-life systems that are business critical but cannot be secured with existing modern solutions, a common problem in the healthcare industry. Also unlike VLANs and cloud security groups these take no physical infrastructure changes and take hours not months to implement.

Following this Advice for Critical Infrastructure

This advice is a smart starting point for national infrastructure as well as enterprises, but it needs more planning and forethought. When it comes to critical infrastructure, your visibility is essential, especially as you are likely to have multiple platforms and geographies. The last thing you want is to try to make one cohesive picture out of multiple platform-specific disparate solutions.

It’s also important to think about modern day threat vectors. Today, attacks can come through IP connected IoT devices or networks, and so your teams need to be able to detect non-traditional server compute nodes.

Incident response planning is much harder on a governmental or national level, and therefore needs to be taken up a notch in preparation. You may well need local, state, and national participation and buy-in for your drills, including law enforcement and emergency relief in case of panic or disruption. How are you going to communicate and share information on both a local and international scale, and who will have responsibility for what areas of your incident response plan?

Learning from the 2018 Olympics

Attacks against local government, critical infrastructure and national systems such as healthcare are inevitable in today’s threat landscape. The defenses in place, and the immediate response capabilities will be the difference between disaster and quick mitigation.

The 2018 Olympics can serve as proof. Despite Russia’s best attempts, the attack was thwarted within 12 hours. A strong incident response plan was put into place to find the malware and come up with signatures and remediation scripts within one hour. 4G access points had been put in place to provide networking capabilities, and the machines at the venue were reimaged from backups.

We can only hope that Qatar 2022 is already rehearsing as strong an incident response plan for its upcoming Olympics, especially with radical ‘semi-state actors’ in the region such as the Cyber Caliphate Army and the Syrian Electronic Army who could act as a proxy for a devastating state actor attack.

We Can Be Just as Skilled as the Attackers

The attitude that ‘there’s nothing we can do’ to protect against the growth in nation state attacks and ransomware threats is not just unhelpful, it’s also untrue. We have strong security tools and procedures at our disposal, we just need to make sure that we put these into place. These steps are not complicated, and they don’t take years or even months to implement. Staying ahead of the attackers is a simple matter of taking these steps seriously, and using our vigilance to limit the impact of an attack when it happens.

Want to understand more about how software defined segmentation can make a real difference in the event of a cyber attack? Check out this webinar.

IResponse to IEncrypt

/3 Comments/in /by and

Guardicore Labs provided assistance in a ransomware investigation. We analysed the decryption process of the IEncrypt ransomware and provided a safe-to-use version of the attackers’ decryptor.

Read more

SambaCry, the Seven Year Old Samba Vulnerability, is the Next Big Threat (for now)

/4 Comments/in /by and

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.
This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

Read more

Musing on Ransomware and Other Sophisticated Attacks

/in /by

Everyone has something to write about ransomware. One can not open a mobile device or a news site without getting notification about some new ransomware-related content.  There’s a good reason: The recent events, media attention and to a certain degree, the public’s panic around the WannaCry ransomware attack are driving a lot of interest and even increase the […]

Read more

Ransomware Attacks Targeted Hundreds of MySQL Databases

/in , /by

Hundreds of MySQL databases were hit in ransomware attacks, which were described as “an evolution of the MongoDB ransomware attacks” in January, there were tens of thousands of MongoDB installs erased and replaced with ransom demands. In the new attacks, targeted MySQL databases are erased and replaced with a ransom demand for 0.2 bitcoin, which is currently equal to about $234.

Read Article

0.2 BTC Strikes Back, Now Attacking MySQL Databases

/4 Comments/in /by

Last week we first tweeted that the GuardiCore Global Sensor Network (GGSN) has detected a wide ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. Similarly to the MongoDB attacks, owners are instructed to pay a 0.2 Bitcoin ransom (approx. $200) to regain access to their content. We saw two very similar variations of the attack using two bitcoin wallets. In this post we will describe in detail the attack flow and provide some recommendations on how to protect your databases from similar attacks along with attack IoCs. Read more

GuardiCore Expands Threat Detection and Response Capabilities to Cover More Attack Types Aimed at Data Centers and Clouds

/in , /by

Adds Reputation Services, Ransomware Mitigation and Intuitive Segmentation Policy Creation to Award-Winning GuardiCore Centra™ Security Platform

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in data center and cloud security, today announced it has expanded the threat detection capabilities of its Centra Security Platform to now include reputation analysis and ransomware mitigation, enabling its customers to more quickly detect active breaches, including ransomware attacks and dormant or hidden threats lurking in modern data centers and clouds.

Read more

Four Good Reasons to Visit GuardiCore at RSA Conference 2017

/in /by

GuardiCore is changing the way organizations secure their internal data centers and clouds, with cutting edge technology that helps our customers rapidly detect and respond to active breaches. We would love the opportunity to show you how. Yes, we know everyone at RSA is busy. An overwhelming number of vendors. Too many meetings. Late night after-hour parties. But while you are there, we encourage you to take 15 minutes to visit us in booth #N4321. Here are four good reasons why.

Read more