Hackbusters! Reviewing 90 days of cybersecurity incident response cases
Article by Check Point's Emergency Response Team global head, Dan Wiley.
Being the 'first responders' for cyber attacks gives an interesting perspective on cybersecurity – in terms of how attacks impact organisations, and in terms of understanding the motivations of those launching the attacks.
The overwhelming majority of attacks are intended to extort or steal money; and the organisations are most concerned with restoring their disrupted business processes, or fixing the breaches. Here are three main types of incident during Q1 2019, and some of the lessons that organisations can learn from them in order to enhance their security.
Email exploits
Email was the delivery method used in 36% of the incidents in Q1. While this may seem like stating the obvious, the sheer volume of successful attacks launched from malicious emails makes this issue worth examining. Email-based incidents fall into three categories:
Credential theft is an extremely effective way to penetrate a company. Many different campaigns, both targeted and mass-mailed during Q1. The majority of successful exploits were limited to two or three users per organisation with the attacker extending their reach internally with additional phishing emails, posing as a trusted employee. Most companies do not have protections either to secure against compromised credentials, or block phishing emails – so this is an area that needs attention.
Business email compromise (BEC) is either an extension of credential theft, where the attacker poses as a trusted employee, or when attackers insert themselves into an email conversation either from external or internal sources, and modify key information at the right time such as bank routing information. This attack has been very successful with multiple customers losing millions of dollars to misrouted payments to an attacker's bank account. User education is a key part of stopping costly BEC incidents at source.
Dropping bots and malware: any email with an attachment such as an invoice, shipping notice or similar document else that people expect as delivery method is still very effective, simply because many organisations still do not have any advanced controls around email, either on the application or endpoint.
Ransomware still active
Ransomware incidents accounted for 30% of the incidents in Q1 – but were by far the most impactful incidents. Each ransomware case caused significant disruption to customers, from financial losses to business shutdowns that typically lasted anywhere from 5 to 10 days, to weeks of cleanup which included full system rebuilds and brand recovery work. In several cases, losses were measured in millions of dollars and thousands of hours of remediation work.
A key trend in Q1 was the amount of intelligence-gathering that attackers had done on their victims. This included studying SEC filings for the company's financial position, and using this to scale their ransom demands. While we do not negotiate with actors on payments, in one case a customer's insurance company interfaced with a threat actor to negotiate a payment. During those negotiations, the actor informed the insurance company that they knew exactly how much cash on hand the customer had and would not negotiate a lower payment.
Ryuk ransomware was responsible for the majority of cases. In most of these, Ryuk was never delivered directly, but a cast of other malware was used to serve up the final Ryuk infection. Typically infections use Emotet and Trickbot before the deployment of Ryuk: these pre-infections usually start a week or two before Ryuk is delivered, so IT teams should watch out for signs of these stealthy agents. It is recommended to run a full compromise assessment any time there are signs of intrusion.
'Dharma' infections have also surpassed SamSam as the most prolific RDP (Remote Desktop Protocol) ransomware. Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to RDP servers. Once on the server, the attacker obtains elevated privileges and moves laterally to plant Dharma on network endpoints.
Unfortunately for network admins, ransomware attacks typically occur during the weekend or holidays when resources are most limited. So if patching, upgrades and other IT activities wasn't enough, prepare yourself for a major disruption if you don't have controls in place to protect against ransomware. If you don't prepare, expect your weekends and public holidays to be disrupted.
Old attacks, new targets
You would be forgiven for thinking that the attack vectors that have been around for years would eventually die off with the introduction of new controls or technologies. But that's not the case. 16% of the incidents in Q1 were related to a cast of 'oldies but goodies', such as brute force logins, credential stuffing, and attacks against PowerShell and RDP. The interesting thing is that these attacks are now targeting cloud, rather than legacy network infrastructures. As a result, it's critical to ensure that you have visibility and control over the cloud services you use, such as SaaS, IaaS and PaaS. In other words, make sure your aaS's are covered.
EternalBlue vulnerabilities still being actively exploited within customers' environments. These were exploited by WannaCry and NotPetya, and patches have been available for over two years. Rigorous patching is effective in stopping many of the attacks we regularly deal with.
In conclusion, while there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits. Relatively simple preventative measures can prevent the vast majority of these attacks from happening – or at worst, contain them so they have minimal impact on the business.