Brace yourself; 2022 promises to bring expanded cyber confrontations as ransomware attacks gain the high ground.
A dangerous increase in ransomware attacks last year caused devastating compromises to government organizations, critical infrastructure, and businesses. Much of the increase resulted from cybercriminals becoming increasingly innovative and bold in their approach.
A report from Positive Technologies late last month found cybercriminals can penetrate 93 percent of local company networks and trigger 71 percent of events deemed ‘unacceptable’ for their businesses.
It takes an average of two days for cybercriminals to penetrate a company’s internal network. Researchers found that all the analyzed companies were susceptible to an intruder gaining full control over the infrastructure once inside the network.
Positive studied results of testing involving financial organizations (29 percent), fuel and energy organizations (18 percent), government (16 percent), industrial (16 percent), IT companies (13 percent), and other sectors.
Bugcrowd on Jan. 18 released its annual Priority One Report that revealed a 185 percent increase in high-risk vulnerabilities within the financial sector. It also revealed the increase in ransomware and the reimagining of supply chains that led to more complex attack surfaces during the pandemic.
Ransomware Out of Control
Ransomware overtook personal data breaches as the threat that dominated cybersecurity news across the world at 2021’s end. Global lockdowns and remote work caused a rush to put more assets online, which led to an increase in vulnerabilities.
These reports show that all companies and organizations are now more susceptible to hacking and must double down on long-term cyber defense. Targets also involve individual consumers.
Ransomware is a major concern for everyone. Attackers can disrupt our daily lives whether they go after hospitals, gas pipelines, schools, or other businesses, warned Theresa Payton, former White House chief information officer and current CEO of cybersecurity consultancy firm Fortalice Solutions.
“Ransomware syndicates have no boundaries and do attack our personal systems and devices as well,” she told TechNewsWorld.
Another Case in Point
Hackers are buying space from major cloud providers to distribute Nanocore, Netwire, and AsyncRAT malware, according to a Jan. 12 Cisco Talos blog.
The threat actor, in this case, used cloud services to deploy and deliver variants of commodity remote access trojans (RATs). Those deployments contained information-stealing capability starting around Oct. 26, 2021.
These variants are packed with multiple features to take control of the victim’s environment to execute arbitrary commands remotely and steal the victim’s information, according to Cisco Talos. The initial infection vector is a phishing email with a malicious ZIP attachment.
These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or a Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.
To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service.
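A defender-side triage for the delivery chain described above, as an added example that is not from Cisco Talos or the original article: it flags ZIP attachment members that are ISO 9660 images by content rather than by file extension, and flags DNS lookups under duckdns.org. The sample archive, the log format, and all names in it are constructed for illustration.

```python
import io
import zipfile

ISO_ID_OFFSET = 0x8001  # ISO 9660 stores "CD001" here, right after the 32 KiB system area

def build_sample_zip():
    """Constructed sample: a ZIP holding a fake ISO image and a text file."""
    fake_iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.dat", fake_iso)  # extension deliberately not .iso
        zf.writestr("readme.txt", "constructed benign member")
    return buf.getvalue()

def iso_members(zip_bytes):
    """Names of archive members whose content begins like an ISO 9660 image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size < ISO_ID_OFFSET + 5:
                continue
            with zf.open(info) as fh:  # read only the header, not the whole member
                head = fh.read(ISO_ID_OFFSET + 5)
            if head[ISO_ID_OFFSET:] == b"CD001":
                hits.append(info.filename)
    return hits

# Constructed resolver log, one query per line: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2021-10-26T09:14:02Z 10.0.0.23 www.example.com
2021-10-26T09:14:05Z 10.0.0.23 Sample-Host.DuckDNS.org.
2021-10-26T09:15:11Z 10.0.0.40 notduckdns.org
"""

def duckdns_lookups(log_text):
    """(client, name) pairs for queries to subdomains of duckdns.org."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name = parts[2].rstrip(".").lower()  # normalise case and trailing root dot
        if name.endswith(".duckdns.org"):
            hits.append((parts[1], name))
    return hits

if __name__ == "__main__":
    print(iso_members(build_sample_zip()))
    print(duckdns_lookups(SAMPLE_DNS_LOG))
```

Dynamic DNS services also have legitimate users, so a duckdns.org lookup is a signal to correlate with the attachment finding rather than a verdict on its own.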
Researchers Became Hackers
During the assessment of protection against external attacks, Positive Technologies experts breached the network perimeter in 93 percent of cases. This figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure, according to the company’s researchers.
“In 20 percent of our pentesting (penetration testing) projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those,” Ekaterina Kilyusheva, head of research and analytics at Positive Technologies, told TechNewsWorld.
According to Positive’s customers, events involving the disruption of technological processes and the provision of services, plus the theft of funds and important information, pose the greatest danger, she said. In total, Positive Technologies pentesters confirmed the feasibility of 71 percent of these unacceptable events.
“Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.
An attacker’s path from external networks to target systems begins with breaching the network perimeter. It takes two days to penetrate a company’s internal network.
For most companies, credential compromise is the main way criminals can penetrate the corporate network. This is mainly because simple passwords are used, including for accounts used for system administration, according to Positive’s report.
Financial organizations are considered to be among the most protected companies, noted Kilyusheva. Positive verified unacceptable events in each of the banks it tested.
“Our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds,” she explained.
Key Cybersecurity Trends
Bugcrowd’s Priority One report spotlighted the key cybersecurity trends of the past year. These include the rise in the adoption of crowdsourced security due to the global shift to hybrid and remote work models and the rapid digital transformation associated with it.
The report reveals that the strategic focus for many organizations across industries has shifted, with the emphasis now on clearing residual security debt associated with that transformation.
Until now, highly advanced maneuvers and clandestine operations defined attack strategies. But this approach started to shift last year toward more commonplace tactics such as attacks on known vulnerabilities.
Diplomatic norms around hacking have weakened to the point where nation-state attackers are now less concerned with being stealthy than in the past, according to Bugcrowd.
Top highlights from the 2022 Priority One Report include:
- Cross-site scripting was the most commonly identified vulnerability type
- Sensitive data exposure moved up to the third position from the ninth on the list of the 10 most commonly identified vulnerability types
- Ransomware went mainstream, and governments responded
- Supply chains became a primary attack surface
- Penetration testing entered a renaissance
An emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations are changing the cyber threat landscape, according to Casey Ellis, founder and chief technology officer for Bugcrowd.
“All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same,” he predicted.
To Pay or Not To Pay?
Cyber experts and some governments used to preach about not paying a ransom. This is still a valid strategy, although not all government officials and cyber experts agree.
Not paying the ransom should be a global goal to disincentivize cybercrime syndicates. We have seen while our Fortalice Solutions team is responding to incidents that victims frequently do not want to pay the ransom, noted Payton. Still, their cyber liability insurance companies may deem it cheaper to pay the extortionists versus paying for a recovery effort. That is problematic.
“If someone has to pay, I do not judge the victim organization or victim shame because that does not solve the issue. But when considering payment, victims should know that payments, which averaged $170,000 (per Sophos research), do not assure full data recovery,” Payton said.
Sophos also found that 29 percent of affected companies failed to recover even half of their encrypted data, with only eight percent achieving full data recovery.
Historically, ransomware has targeted organizations with mission-critical data over individuals. But, if you have ever lost data to an old hard drive failure, you have felt the pain of a ransomware attack, according to Lisa Frankovitch, CEO of network management firm Uplogix.
It is much better to employ security best practices such as two-factor authentication, password managers, and encryption than to have to determine whether you should pay the ransom, she advised.
Impact on End Users
The biggest threat that cyberattacks pose to both businesses and consumers is downtime, noted Frankovitch. Whether your network has been breached or your personal identity has been stolen, the disruption and downtime can be catastrophic.
“Gartner estimates that the average cost of a network outage is over $300,000 an hour,” she told TechNewsWorld.
Regarding security for enterprise networks, the U.S. National Security Agency (NSA) published guidelines on using out-of-band management to create a framework that improves network security by segmenting management traffic from operational traffic.
Ensuring that management traffic only comes from the out-of-band communications path prevents compromised user devices or malicious network traffic from impacting network operations and compromising network infrastructure, explained Frankovitch.