Clevyr Blog

Biggest Corporate Cyber Threats in 2022

Written by Bryan Brinkman | Oct 21, 2022 5:00:00 AM

Unfortunately, 2022 has been yet another notable year for cyber attacks. Twitter, Uber, Rockstar Games, Cisco, U-Haul, Okta, Microsoft, Block, Capital One, and Marriott are just a few examples of major organizations who’ve admitted to being hacked this year. So, how did it happen? Let’s take a look at these threats and gain an understanding of what corporations are facing right now in the cyber realm.

Ransomware

There’s no doubt that ransomware is the go-to method for most hacking groups today. Ransomware volume in Q1 2022 alone was twice the total for all of 2021. The reason is simple: it pays well and it raises the hacking group’s profile. It’s estimated that the cost of ransomware worldwide will be roughly $20B this year alone.

RAAS, or Ransomware As A Service, is a growing trend: more and more of these groups are offering their ransomware as a rentable service. This means that lesser-known (or less capable) hackers can rent the software to launch attacks against their own chosen targets. This is worrisome because it allows people who wouldn’t typically have the skills to launch attacks to do so, which increases the total number and scope of attacks.

Some ransomware gangs are now presenting themselves as a penetration testing company. While a legitimate pentesting organization would never launch a full-scale attack on a company they have no agreement with, that is exactly what these groups do. After successfully compromising a target, they present themselves as professionals and request a payment for their “service”. While I’ve not seen any of them who offer reporting of the vulnerabilities used, that would still not legitimize unwarranted compromise of a company’s system – and then to ask for payment is madness.

With that, let’s talk about the most prominent ransomware of the year, LockBit.

Initial Access

All attacks begin with initial access to a target, and ransomware is no different from other methods of attack at this stage. Attackers look for a primary entryway into an application’s infrastructure; from there, they can launch malware or ransomware, steal or destroy data, and so on. LockBit, like a growing number of ransomware offerings, is offered as a RAAS. This means that it’s not used by a single entity, so the method of initial access can vary widely. One example seen in honeypot environments is the attempt to brute force logins on web servers running outdated services. Once the services are enumerated, the attackers launch brute force attacks against administrator accounts in hopes of gaining full access to the system. In essence, they’re swinging for the fence – they don’t want to bunt. If they cannot gain admin access, they don’t quit. The operators will take whatever access they can get and use post-exploitation frameworks to escalate their privileges, move around the network, and conduct reconnaissance.

Deployment

Once proper access is obtained, the ransomware is deployed, and the trouble begins. LockBit is designed to propagate itself throughout the network to as many machines as possible. Once one host is owned, it calls out to every other machine and commands them to run a PowerShell (or similar) command which downloads and executes the ransomware on that machine, and the loop continues.

The Note

The ransom note is placed in every directory on each system as Restore-My-Files.txt. The note is very typical in that it dissuades the victim from trying any method of recovering the files and demands payment in cryptocurrency. If no payment is made, the system will remain encrypted and the information will be leaked online. It then gives instructions to download the Tor Browser, visit the group’s .onion address, and follow the payment instructions.

Targets

Where there was once an unspoken agreement among attackers not to touch hospitals, schools, and other institutions, that’s just not the case anymore with RAAS. Whereas most hacker groups once targeted only large, for-profit organizations, the evolution of RAAS has enabled lone actors to aim these cyber weapons at whomever they please. It’s imperative that we keep systems up to date, use strong antivirus software, use unique passwords, and, when possible, conduct penetration tests.

Social Engineering

I touched on social engineering in a previous blog post, but it’s worth covering again here.

Of all things cyber, this is my favorite aspect to study. At the end of the day, an organization is only as secure as its least well-trained employee. Companies can (and should) spend a considerable amount of money on security tools and teams, but, if an attacker is able to hack the people of the company, they need not tamper with systems to gain access.

Phishing (and all of its variations) is the most prevalent form of social engineering. This is when an attacker sends a message and pretends to be someone else to gain information from you. You can almost always identify a phishing scheme from two things: a sense of urgency from the person, and a request for information or money.

If you look closely at a large number of high-profile breaches over the last few years, many of them begin with social engineering. These attacks are effective and, like most hacker-related things, there are numerous tools for them that are growing more sophisticated by the day. Did you know that there are frameworks and tools for social engineering? There are. Kali Linux comes with them built in, and they walk fledgling hackers step by step through launching a successful social engineering attack.

As with most things in security, training is very important for recognizing social engineering attacks. Given the number of massive breaches that start with this method, every organization should plan and train for this type of attack.

Out-of-date or misconfigured software

I’m sure you’ve heard the term “Patch Tuesday”; if you haven’t, it’s the second Tuesday of each month, when Microsoft releases its latest software updates. Oftentimes these are security related and shouldn’t be missed. While Patch Tuesday and similar updates ensure your OS is up to date, breaches often come through the applications running on the OS.

In some businesses, applications aren’t patched for various reasons, or can’t be patched without significant effort and cost. When this happens, vulnerabilities are left open to attack. When apps aren’t patched for months or years, the exploits mature. This means hackers build automated tooling around these exploits, which again means that the barrier to entry for less talented hackers is much lower, and thus the likelihood of an attack increases.

Misconfigurations are as dangerous as unpatched software. These include default login credentials for hardware and software, which can be found on vendor websites and in numerous pentesting tools. Misconfigured permissions, features, ports, services, pages, accounts, error handling, and security headers are all common ways that attackers gain access to systems. To prevent this, consult with the vendor about how to properly configure the application or system you’re using, or have a third party conduct a test and provide a report of their findings.

Credential stuffing

Credential stuffing is where an attacker takes stolen or purchased login information and tries it on applications and systems across the internet. This may be one you’re not familiar with, but it’s very popular among attackers due to its high success rate.

So, let’s say that Company X was recently hacked and its database containing emails and passwords was dumped online. An attacker can purchase this dump and then “stuff” those credentials into other apps and services. Or, let’s say Bob Smith fell victim to a phishing email and an attacker nabbed his password. If Bob uses that same email and password on some or all of his accounts online, and he doesn’t use MFA or 2FA, Bob is in trouble, because attackers can use credential stuffing to try to access his other accounts.
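The two failed-login patterns this post describes, brute force against administrator accounts (Initial Access, above) and credential stuffing (here), leave different shapes in an authentication log: many failures against one account versus a few failures each against many accounts. The following Python classifier is an added example, not code from the original post; the log format, field names, sample entries and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system); the "timestamp RESULT user=<name> src=<ip>" layout is assumed.
SAMPLE_LOG = """\
2022-10-21T05:00:01Z FAIL user=administrator src=203.0.113.5
2022-10-21T05:00:02Z FAIL user=administrator src=203.0.113.5
2022-10-21T05:00:03Z FAIL user=administrator src=203.0.113.5
2022-10-21T05:00:04Z FAIL user=administrator src=203.0.113.5
2022-10-21T05:00:05Z FAIL user=administrator src=203.0.113.5
2022-10-21T05:00:10Z FAIL user=bob.smith src=198.51.100.7
2022-10-21T05:00:11Z FAIL user=alice.jones src=198.51.100.7
2022-10-21T05:00:12Z FAIL user=carol.lee src=198.51.100.7
2022-10-21T05:00:13Z FAIL user=dave.kim src=198.51.100.7
2022-10-21T05:00:14Z OK user=erin.ng src=198.51.100.7
2022-10-21T05:00:20Z FAIL user=bob.smith src=192.0.2.9
"""
LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Yield (result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def classify_sources(log_text, min_failures=5, stuffing_min_users=4):
    """Label each source IP by the shape of its failed logins:
    brute_force = many failures on one or two accounts (password guessing);
    credential_stuffing = failures spread over many distinct accounts, each
    tried once or twice (leaked email/password pairs being replayed)."""
    failures, successes = defaultdict(list), defaultdict(set)
    for result, user, src in parse(log_text):
        if result == "FAIL":
            failures[src].append(user)
        else:
            successes[src].add(user)
    verdicts = {}
    for src, users in failures.items():
        distinct = len(set(users))
        if distinct >= stuffing_min_users:
            label = "credential_stuffing"
        elif len(users) >= min_failures:
            label = "brute_force"
        else:
            continue  # one user mistyping a password is not an attack
        verdicts[src] = {"label": label, "failures": len(users), "distinct_users": distinct,
                         "successes": sorted(successes.get(src, ()))}  # a hit from a flagged source
    return verdicts
```

A successful login from a source already flagged for stuffing (erin.ng in the sample) is the account to lock and investigate first, since one of the replayed pairs likely worked.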

This attack is unfortunately highly successful because users have a bad habit of reusing login credentials, not enabling MFA or 2FA, and not using a password manager. CISA leader Jen Easterly was recently quoted saying that “implementing MFA can make you 99% less likely to get hacked”. That’s a big statement from an important leader in cyber.

Insider Threats

An insider, as defined by CISA, is “Any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems”. An insider threat is “an insider who uses their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities…”

The threat of a rogue insider is always a lurking and complex possibility, and reported cases show that organizations experience these scenarios regularly. The reasons someone would want to harm an organization they belong(ed) to vary widely, but typically it’s because things aren’t going well at work, they’ve been fired, or they’ve been recruited by a criminal group or nation-state that has offered them money in exchange for data, information, or some criminal act. There is also the possibility of a non-malicious insider threat, best described as an incompetent employee with a high level of access who unintentionally causes harm to an organization.

Knowing that these types of incidents exist, it’s best to recognize the warning signs before they happen. Violence, harassment, bullying, threatening behavior, or incompetence are all signs of what could become an insider threat.