Posts

Are you Prepared for a Rise in Nation State Attacks and Ransomware in 2020?

Once you know what you’re up against, keeping your business safe might be easier than you think. In this blog, we’re going to look at two kinds of cyber threats: nation state cyber attacks and ransomware. Neither is a new concern, but both are increasing in sophistication and prevalence. Many businesses feel powerless to protect against these events, and yet a list of relatively simple steps could keep you protected in the event of an attack.

Staying Vigilant Against Nation State Actors

According to the 2019 Verizon Data Breach study, nation state attacks have increased from 12 percent of attacks in 2017 to 23 percent in 2018.

One of the most important things to recognize about nation state attacks is that it is getting harder to ascertain where these attacks are coming from. Attackers learn to cleverly obfuscate their attacks through mimicking other state actor behavior, tools, and coding and through layers of hijacked, compromised networks. In some cases, they work through proxy actors. This makes the process of attribution very difficult. One good example is the 2018 Olympics in Pyongyang, where attackers launched the malware Olympic Destroyer. This took down the Olympic network’s wireless access points, servers, ticketing system, and even reporters Internet access for 12 hours, immediately prior to the start of the games. While at first, metadata in the malware was thought to attribute the attack to North Korea, this was actually down to manipulations of the code. Much later, researchers realized it was of Russian origin.

These ‘false flag’ attacks have a number of benefits for the perpetrators. Firstly, the real source of the threat may never be discovered. Secondly, even if the correct attribution is eventually found, the news cycle has died down, the exposure is less, and many people may not believe the new evidence.

This has contributed to nation state actors feeling confident to launch larger and more aggressive attacks, such as Russian attacks on Ukrainian power grids and communications, or the Iranian cyber-attack APT 33, that recently took down more than 30,000 Saudi oil production laptops and servers.

Ransomware often Attacks the Vulnerable, including Local Government and Hospitals

State sponsored attacks have the clout to do damage where it hurts the most, as seen by the two largest ransomware attacks ever experienced, WannaCry and NotPetya. These were created using what was allegedly a stolen US NSA tool kit called EternalBlue, as well as a French password stealer called Mimikatz.

This strength, combined with the tight budgets and flat networks of local governments and healthcare systems, is a recipe for catastrophe. Hospitals in particular are known for having flat networks and medical devices based on legacy and end-of-life operating systems. According to some estimates, hospitals are the targets of up to 70% of all ransomware incidents. The sensitive nature of PII and health records and the direct impact on safety and human life makes the healthcare industry a lucrative target for hackers looking to get their ransom paid by attacking national infrastructure.

As attackers become increasingly brazen, and go after organizations that are weak-placed to stand up to the threat, it’s more important than ever that national infrastructure thinks about security, and takes steps to handle these glaring gaps.

Shoring Up Your Defenses is Easier Than You Think

The party line often seems to be that attackers are getting smarter and more insidious, and data centers are too complex to handle this threat. It’s true that today’s networks are more dynamic and interconnected, and that new attack vectors and methods to hide these risks are cropping up all the time. However, what businesses miss, is the handful of very achievable and even simple steps that can help to limit the impact of an attack, and perhaps even prevent the damage occurring in the first place.

Here’s what enterprises can do:

  • Create an Incident Response Plan: Make sure that anyone can understand what to do in case of an incident, not just security professionals. Think about the average person on your executive board, or even your end users. You need to assume that a breach or a ransomware attack will happen, you just don’t know when. With this mindset, you’ll be more likely to create a thorough plan for incident response, including drills and practice runs.
  • Protect your Credentials: This starts with utilizing strong passwords and two-factor authentication, improving the posture around credentials in general. On top of this, the days of administrative rights are over. Every user should have only the access they need, and no further. This stops bad actors from escalating privileges and moving laterally within your data center, taking control of your devices.
  • Think Smart on Security Hygiene: Exploits based on the Eternal Blue tool kit – the Microsoft SMB v1 vulnerability, were able to cause damage because of a patch that had been released by Microsoft by May 2017. Software vulnerabilities can be avoided through patching, vulnerability testing, and certification.
  • Software-Defined Segmentation: If we continue the mindset that an attack will occur, it’s important to be set up to limit the blast radius of your breach. Software-defined segmentation is the smartest way to do this. Without any need to make infrastructure changes, you can isolate and protect your critical applications. This also works to protect legacy or end-of-life systems that are business critical but cannot be secured with existing modern solutions, a common problem in the healthcare industry. Also unlike VLANs and cloud security groups these take no physical infrastructure changes and take hours not months to implement.

Following this Advice for Critical Infrastructure

This advice is a smart starting point for national infrastructure as well as enterprises, but it needs more planning and forethought. When it comes to critical infrastructure, your visibility is essential, especially as you are likely to have multiple platforms and geographies. The last thing you want is to try to make one cohesive picture out of multiple platform-specific disparate solutions.

It’s also important to think about modern day threat vectors. Today, attacks can come through IP connected IoT devices or networks, and so your teams need to be able to detect non-traditional server compute nodes.

Incident response planning is much harder on a governmental or national level, and therefore needs to be taken up a notch in preparation. You may well need local, state, and national participation and buy-in for your drills, including law enforcement and emergency relief in case of panic or disruption. How are you going to communicate and share information on both a local and international scale, and who will have responsibility for what areas of your incident response plan?

Learning from the 2018 Olympics

Attacks against local government, critical infrastructure and national systems such as healthcare are inevitable in today’s threat landscape. The defenses in place, and the immediate response capabilities will be the difference between disaster and quick mitigation.

The 2018 Olympics can serve as proof. Despite Russia’s best attempts, the attack was thwarted within 12 hours. A strong incident response plan was put into place to find the malware and come up with signatures and remediation scripts within one hour. 4G access points had been put in place to provide networking capabilities, and the machines at the venue were reimaged from backups.

We can only hope that Qatar 2022 is already rehearsing as strong an incident response plan for its upcoming Olympics, especially with radical ‘semi-state actors’ in the region such as the Cyber Caliphate Army and the Syrian Electronic Army who could act as a proxy for a devastating state actor attack.

We Can Be Just as Skilled as the Attackers

The attitude that ‘there’s nothing we can do’ to protect against the growth in nation state attacks and ransomware threats is not just unhelpful, it’s also untrue. We have strong security tools and procedures at our disposal, we just need to make sure that we put these into place. These steps are not complicated, and they don’t take years or even months to implement. Staying ahead of the attackers is a simple matter of taking these steps seriously, and using our vigilance to limit the impact of an attack when it happens.

Want to understand more about how software defined segmentation can make a real difference in the event of a cyber attack? Check out this webinar.

IResponse to IEncrypt

Guardicore Labs provided assistance in a ransomware investigation. We analysed the decryption process of the IEncrypt ransomware and provided a safe-to-use version of the attackers’ decryptor.

SambaCry, the Seven Year Old Samba Vulnerability, is the Next Big Threat (for now)

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.
This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

Musing on Ransomware and Other Sophisticated Attacks

Everyone has something to write about ransomware. One can not open a mobile device or a news site without getting notification about some new ransomware-related content.  There’s a good reason: The recent events, media attention and to a certain degree, the public’s panic around the WannaCry ransomware attack are driving a lot of interest and even increase the […]

Ransomware Attacks Targeted Hundreds of MySQL Databases

Hundreds of MySQL databases were hit in ransomware attacks, which were described as “an evolution of the MongoDB ransomware attacks” in January, there were tens of thousands of MongoDB installs erased and replaced with ransom demands. In the new attacks, targeted MySQL databases are erased and replaced with a ransom demand for 0.2 bitcoin, which is currently equal to about $234.

0.2 BTC Strikes Back, Now Attacking MySQL Databases

Last week we first tweeted that the GuardiCore Global Sensor Network (GGSN) has detected a wide ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. Similarly to the MongoDB attacks, owners are instructed to pay a 0.2 Bitcoin ransom (approx. $200) to regain access to their content. We saw two very similar variations of the attack using two bitcoin wallets. In this post we will describe in detail the attack flow and provide some recommendations on how to protect your databases from similar attacks along with attack IoCs. Read more

GuardiCore Expands Threat Detection and Response Capabilities to Cover More Attack Types Aimed at Data Centers and Clouds

Adds Reputation Services, Ransomware Mitigation and Intuitive Segmentation Policy Creation to Award-Winning GuardiCore Centra™ Security Platform

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in data center and cloud security, today announced it has expanded the threat detection capabilities of its Centra Security Platform to now include reputation analysis and ransomware mitigation, enabling its customers to more quickly detect active breaches, including ransomware attacks and dormant or hidden threats lurking in modern data centers and clouds.

Read more

Four Good Reasons to Visit GuardiCore at RSA Conference 2017

GuardiCore is changing the way organizations secure their internal data centers and clouds, with cutting edge technology that helps our customers rapidly detect and respond to active breaches. We would love the opportunity to show you how. Yes, we know everyone at RSA is busy. An overwhelming number of vendors. Too many meetings. Late night after-hour parties. But while you are there, we encourage you to take 15 minutes to visit us in booth #N4321. Here are four good reasons why.

Read more

Advanced Data Centre Security the Key for Under Fire Transport Sector

Cyber attacks against the transport sector are nothing new. Those of you with long memories will recall how the SoBig virus caused major disruption to the US rail network all the way back in 2003. But the sheer breadth and persistence of threats facing the industry today is largely unprecedented. Just recently San Francisco’s “Muni” transport agency was on the receiving end of a ransomware infection which  caused Muni to take its payment systems offline for two days, allowing Muni riders to travel for free, costing the transportation system a few days of lost revenue.

It’s yet another reminder that when it comes to transportation, attacks on the data centre must be detected and remediated as quickly as possible to minimise their impact.

Read more

What’s Behind the Continuous Increase in Breaches?

This is part 3 of a 4-part series examining data breaches, what they cost, why they are increasing in frequency, and what you can do about them.

In our September 6, 2016 post, we broke down the issue of dwell time, and its impact on the financial impact of a breach. In this blog we look at what’s behind the continuous increase in breaches.

Read more