
Hackbusters! Reviewing 90 days of cybersecurity incident response cases

23 May 2019

Article by Check Point's Emergency Response Team global head, Dan Wiley.

Being the ‘first responders’ for cyber attacks gives an interesting perspective on cybersecurity – in terms of how attacks impact organisations, and in terms of understanding the motivations of those launching the attacks.  

The overwhelming majority of attacks are intended to extort or steal money; and the organisations are most concerned with restoring their disrupted business processes, or fixing the breaches.  Here are three main types of incident during Q1 2019, and some of the lessons that organisations can learn from them in order to enhance their security.

Email exploits 

Email was the delivery method used in 36% of the incidents in Q1.  While this may seem like stating the obvious, the sheer volume of successful attacks launched from malicious emails makes this issue worth examining. Email-based incidents fall into three categories: 

Credential theft is an extremely effective way to penetrate a company. Many different campaigns, both targeted and mass-mailed, ran during Q1. The majority of successful exploits were limited to two or three users per organisation, with the attacker extending their reach internally with additional phishing emails, posing as a trusted employee. Most companies do not have protections either to secure against compromised credentials or to block phishing emails, so this is an area that needs attention.

Business email compromise (BEC) is either an extension of credential theft, where the attacker poses as a trusted employee, or occurs when attackers insert themselves into an email conversation, from external or internal sources, and modify key information at the right time, such as bank routing information. This attack has been very successful, with multiple customers losing millions of dollars to payments misrouted to an attacker’s bank account. User education is a key part of stopping costly BEC incidents at source.

Dropping bots and malware: any email with an attachment, such as an invoice, shipping notice or similar document that people expect to receive, is still a very effective delivery method, simply because many organisations still do not have any advanced controls around email, either at the application or the endpoint.

Ransomware still active

Ransomware incidents accounted for 30% of the incidents in Q1 – but were by far the most impactful incidents.  Each ransomware case caused significant disruption to customers, from financial losses to business shutdowns that typically lasted anywhere from 5 to 10 days, to weeks of cleanup which included full system rebuilds and brand recovery work. In several cases, losses were measured in millions of dollars and thousands of hours of remediation work.  

A key trend in Q1 was the amount of intelligence-gathering that attackers had done on their victims.  This included studying SEC filings for the company’s financial position, and using this to scale their ransom demands. While we do not negotiate with actors on payments, in one case a customer’s insurance company interfaced with a threat actor to negotiate a payment.  During those negotiations, the actor informed the insurance company that they knew exactly how much cash on hand the customer had and would not negotiate a lower payment.  

Ryuk ransomware was responsible for the majority of cases. In most of these, Ryuk was never delivered directly, but a cast of other malware was used to serve up the final Ryuk infection. Typically infections use Emotet and Trickbot before the deployment of Ryuk:  these pre-infections usually start a week or two before Ryuk is delivered, so IT teams should watch out for signs of these stealthy agents.  It is recommended to run a full compromise assessment any time there are signs of intrusion.

‘Dharma’ infections have also surpassed SamSam as the most prolific RDP (Remote Desktop Protocol) ransomware. Threat actors identify open RDP servers and either perform a brute force login attack or utilise phished credentials to gain access to RDP servers.  Once on the server, the attacker obtains elevated privileges and moves laterally to plant Dharma on network endpoints.

Unfortunately for network admins, ransomware attacks typically occur during the weekend or holidays, when resources are most limited. So, as if patching, upgrades and other IT activities weren’t enough, prepare yourself for a major disruption if you don’t have controls in place to protect against ransomware. If you don’t prepare, expect your weekends and public holidays to be disrupted.

Old attacks, new targets

You would be forgiven for thinking that the attack vectors that have been around for years would eventually die off with the introduction of new controls or technologies. But that’s not the case.  16% of the incidents in Q1 were related to a cast of ‘oldies but goodies’, such as brute force logins, credential stuffing, and attacks against PowerShell and RDP.  The interesting thing is that these attacks are now targeting cloud, rather than legacy network infrastructures.  As a result, it’s critical to ensure that you have visibility and control over the cloud services you use, such as SaaS, IaaS and PaaS. In other words, make sure your aaS’s are covered.
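As an added illustration (not from the original article or from Check Point), here is a small detector for the RDP pattern described in the Dharma paragraph above and again in this one: a burst of failed logons from one source followed by a successful logon. It runs over constructed log lines; the one-line-per-event layout, the event IDs 4625/4624 and LogonType 10 for RemoteInteractive are standard Windows Security log semantics, but the simplified text format and the threshold values are assumptions.

```python
# Added example: flag RDP brute-force-then-success from Windows Security events.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
# The flattened "ts event LogonType=.. User=.. Src=.." layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays several accounts, then gets in.
SAMPLE_LOG = """\
2019-03-09T02:14:01 4625 LogonType=10 User=administrator Src=198.51.100.7
2019-03-09T02:14:03 4625 LogonType=10 User=admin Src=198.51.100.7
2019-03-09T02:14:04 4625 LogonType=10 User=backup Src=198.51.100.7
2019-03-09T02:14:06 4625 LogonType=10 User=jsmith Src=198.51.100.7
2019-03-09T02:14:07 4625 LogonType=10 User=svc_sql Src=198.51.100.7
2019-03-09T02:14:09 4625 LogonType=10 User=itadmin Src=198.51.100.7
2019-03-09T02:14:20 4624 LogonType=10 User=itadmin Src=198.51.100.7
2019-03-09T09:01:00 4625 LogonType=10 User=mbrown Src=192.0.2.44
2019-03-09T09:01:30 4624 LogonType=10 User=mbrown Src=192.0.2.44
"""

def parse(line):
    """Split one constructed log line into its fields."""
    ts, event, logon, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "logon_type": logon.split("=")[1], "user": user.split("=")[1],
            "src": src.split("=")[1]}

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user) pairs where a source produced at least `threshold`
    RDP logon failures within `window` and then logged on successfully."""
    failures = defaultdict(list)   # src -> timestamps of 4625 events
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["logon_type"] != "10":   # only RDP (RemoteInteractive) sessions
            continue
        if ev["event"] == "4625":
            failures[ev["src"]].append(ev["ts"])
        elif ev["event"] == "4624":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["src"], ev["user"]))
    return hits

if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_LOG))
```

A single failed logon before success (the second source) is ordinary user behaviour and is not flagged; tune `threshold` and `window` to the environment's normal failure rate.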

EternalBlue vulnerabilities are still being actively exploited within customers’ environments. These were exploited by WannaCry and NotPetya, and patches have been available for over two years. Rigorous patching is effective in stopping many of the attacks we regularly deal with.

In conclusion, while there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits. Relatively simple preventative measures can prevent the vast majority of these attacks from happening – or at worst, contain them so they have minimal impact on the business.
