The real target isn’t always obvious
A recent report from Telus noted that “Cyberattacks are on the rise in Canada, with 98 per cent of Canadian organizations reporting a cyberattack in the last 12 months. Attacks are frequent, with 25 per cent of organizations experiencing at least one attack per day and most organizations experiencing more than 11–30 attacks per month.”
Another report from research firm Cybereason in April 2022, reports that “three quarters (73 per cent) said their organization was targeted by at least one ransomware attack in the preceding 24 months, compared to just 55 per cent of companies who had been targeted by at least one attack in our 2021 report, a staggering increase of 33 per cent year over year.” The report surveyed close to 1,500 cybersecurity professionals from companies with 700 or more employees, with participants from around the world.
The report also pointed out that most of the organizations (64 per cent) indicated the primary attack vector came from a third-party or supply chain compromise. This follows a warning earlier this year from the FBI and other agencies warning of ransomware attacks that were leveraging Managed Service Providers (MSPs) as their “delivery mechanism.” Both of these confirm a growing trend in which the initial victim of a breach is not the final target.
That does not mean that these unwitting victims have “dodged the bullet.” While they might not experience a ransomware attack, there could be other grave consequences. A few years ago, a small HVAC company was “outed’ as the way in which retail giant Target was hacked. Can a small business survive that adverse publicity?
Another impact has been that, regardless of size or industry, third-party suppliers are increasingly called on demonstrate security compliance in a more rigorous manner than in previous years, a process one executive called “death by compliance.”
Ransomware as a decoy
The security podcast Cyber Security Today had a story which revealed that threat actors may use ransomware attacks “to distract IT from a data theft going on elsewhere in the organization” and to “distract incident responders from what’s really going on.” Host Howard Solomon noted noted that a Chinese gang with the name “Bronze Starlight” was deploying ransomware with a very short lifespan, suggesting that the gang’s “goal is data theft or espionage.”
A story in Tech News Day notes that threat analysts from cybersecurity firm Secureworks have uncovered the activities of two Chinese hacking groups that use ransomware as a decoy for cyber espionage. Ransomware as a decoy allows attackers to cover their tracks, complicate attribution, as well as distracting defenders.
It also notes that a clue of this gang’s presence is the use of a “custom DLL loader called HUI Loader for uploading remote access trojans and Cobalt Strike beacons to compromised computers and servers. That leads to the uploading of ransomware.”
The gang initially compromises networks by exploiting known vulnerabilities in devices, which makes it more difficult to detect, but it should be noted there were often patches available that could have prevented the attack in the first place.
The lesson for cybersecurity defenders is that even if you have exceptional backup and recovery capabilities, you must not get distracted by an initial attack.
Call me, maybe?
In another device oriented breach, actors were reported to have attacked Linux-based Mitel MiVoice VOIP appliances to provide initial access for a potential ransomware attack.
Mitel VOIP devices are used by a large number of organizations in many different sectors for telephony services. These have previously exploited for DDoS amplification attacks.
Security experts at Crowdstrike believe that this attack was part of of a ransomware attack. Fortunately, this attack was detected and stopped, but that there are a large number of vulnerable systems. While there is no official patch, Mitel released a remediation script in April for MiVoice Connect versions 19.2 SP3 and earlier and R14.x and earlier.
The lesson is clearly that patching is essential for all devices – even ones that do not carry data that might be encrypted.
Sourced from an article in Bleeping Computer