Honeypot reveals tactics used by cybercriminals to deploy ransomware

ZDNet - 25 September 2020

A honeypot created by Cybereason to lure cybercriminals and analyze their methods showed that ransomware attacks infiltrate their victims in multiple stages.

Some types of cyberattacks are one-and-done deals where the cybercriminals get in and out quickly after infecting or compromising an organization. Other types of attacks, however, expand over a period of time as they try to impact additional resources within the organization. Using a honeypot, researchers at security firm Cybereason were able to attract multiple criminals using ransomware and follow each stage of an attack.

A honeypot is a network infrastructure built specifically to reel in cybercriminals to see how they behave and carry out a typical attack. In this case, Cybereason devised an extensive network architecture that pretended to be part of an electricity generation and transmission provider's network. As such, this honeypot contained an IT environment, an OT (operational technology) environment, and HMI (human machine interface) management systems.

After the honeypot officially opened for business, it took only three days for cyberattackers to infiltrate the network and fill it with malware, Israel Barak, chief information security officer at Cybereason, told ZDNet. But the attack was carried out in distinct stages as the criminals carefully and stealthily forced their way from one resource to another.

In the first stage, the attackers gained initial access by exploiting publicly accessible remote administration interfaces. Such interfaces are typically designed by network operators to give technical support staff the ability to remotely connect to the network. To invade the network, the attackers were able to brute force the administrator's account password and sign in remotely. After that, the criminals uploaded and ran a PowerShell script to create a backdoor so the attackers could persistently use and abuse the admin account without being detected.

Image: Cybereason

In the second stage, the criminals uploaded more attack tools via PowerShell. One of those was Mimikatz, an open-source tool used to steal user credentials. The stolen credentials were used in an attempt to move laterally across the network to the domain controllers. However, the attempt failed as none of the compromised accounts had permission to access the domain controllers.

In stage three, the attack continued to try to move laterally by leveraging a network scanner to discover additional endpoints. Finally, in the fourth stage, the ransomware launched on all the compromised endpoints.

The ransomware attack against the honeypot shows that cybercriminals use multiple stages to infect as many machines as possible and maximize their profits. Instead of just deploying the ransomware on one system, they'll move laterally throughout the network to hit one machine after another before finally launching the ransomware.
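One way a defender could catch the first two stages described above (a burst of failed logons on an exposed remote admin interface, a success from the same source, then PowerShell run under that account), as an added example that is not Cybereason's tooling: the event schema is an assumption and the sample events are constructed, with 203.0.113.9 (a documentation address) standing in for the external source.

```python
"""Detect the stage-1/stage-2 pattern from the honeypot write-up: a burst of
failed logons against an exposed remote admin interface, a successful logon
from the same source, then PowerShell run under that account.

Added example, not Cybereason's tooling. The event schema is an assumption;
the sample events below are constructed, using the 203.0.113.0/24
documentation range for the external source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised from whatever the remote
# admin interface and endpoint agent actually log. Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2020-09-20T02:00:01", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:05", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:10", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:15", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:20", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:30", "type": "logon_failure", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:00:45", "type": "logon_success", "src": "203.0.113.9", "user": "administrator"},
    {"ts": "2020-09-20T02:03:10", "type": "process", "src": "203.0.113.9", "user": "administrator",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\svc.ps1"},
    # Benign noise: a staff member mistypes a password once, then works normally.
    {"ts": "2020-09-20T09:15:00", "type": "logon_failure", "src": "10.0.0.5", "user": "jsmith"},
    {"ts": "2020-09-20T09:15:08", "type": "logon_success", "src": "10.0.0.5", "user": "jsmith"},
    {"ts": "2020-09-20T09:16:00", "type": "process", "src": "10.0.0.5", "user": "jsmith",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
]


def _parse(events):
    """Copy events with parsed timestamps, sorted chronologically."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["ts"])


def brute_forced_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return successful logons preceded by at least `threshold` failures for
    the same (source, user) pair within `window`: the brute-force signature."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    hits = []
    for e in _parse(events):
        key = (e["src"], e["user"])
        if e["type"] == "logon_failure":
            failures[key].append(e["ts"])
        elif e["type"] == "logon_success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"src": e["src"], "user": e["user"],
                             "ts": e["ts"], "failures": len(recent)})
            failures[key].clear()  # a success ends the attempt sequence
    return hits


def post_logon_powershell(events, hits, window=timedelta(minutes=30)):
    """For each brute-forced logon, return PowerShell launches under that
    account within `window` afterwards (the backdoor-dropping step)."""
    findings = []
    parsed = _parse(events)
    for h in hits:
        for e in parsed:
            if (e["type"] == "process"
                    and e["user"] == h["user"]
                    and e["image"].lower() == "powershell.exe"
                    and h["ts"] <= e["ts"] <= h["ts"] + window):
                findings.append({"user": h["user"], "src": h["src"],
                                 "ts": e["ts"], "cmdline": e["cmdline"]})
    return findings


if __name__ == "__main__":
    hits = brute_forced_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"brute-forced logon: {h['user']} from {h['src']} after {h['failures']} failures")
    for f in post_logon_powershell(SAMPLE_EVENTS, hits):
        print(f"powershell after brute-forced logon by {f['user']}: {f['cmdline']}")
```

The single mistyped password from the LAN is not flagged at the default threshold, which is the false-positive case a rule like this has to survive.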

"This finding is consistent with what we have been seeing about ransomware in particular," Javvad Malik, security awareness advocate for KnowBe4, told TechRepublic. "It is no longer a case that criminals will want to infect every machine as soon as possible. Rather ransomware, once broken in, will dial-home so the best strategy can be determined. This includes what to encrypt, the ability of the victim to pay, corrupting backups, and exfiltrating data and credentials."

Beyond just encrypting sensitive files and demanding payment from the victim, ransomware attackers are going further with their threats.

"In this whole process, ransomware is the last to be deployed because it allows the criminals to not only demand payment for the decryption key, but also demand payment to not publicly release or sell data they have exfiltrated," Malik said. "Sometimes they will use the stolen information to attack partners or try to extort customers."

To better protect your organization against ransomware attack, Cybereason serves up the following recommendations:

  1. Establish cyber incident response tools and procedures across both IT and OT networks with the goal of minimizing Mean-Time-To-Response. Minimizing damage and preventing an ICS (industrial control system) network from being taken offline is essentially the cat-and-mouse game being played by attackers and defenders. To keep hacking groups at bay, organizations need to minimize the time it takes to respond to a threat. This can be achieved by deploying threat hunting services around the clock.
  2. Establish a unified security operations center and workflows across both IT and OT environments. Operating a unified security operations center (SOC) provides visibility into the IT and OT environments because attackers are looking to use IT environments as gateways into OT environments. Some companies may already have a network operations center (NOC) monitoring the OT environment, but a combined SOC lets operators see all operations as they move through the network.
  3. Design and operate with resiliency in mind. Resiliency and security can no longer be an afterthought. As new critical infrastructure systems are built and installed, legacy networks will be retired and taken offline. It is very important for next-generation systems to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead.
  4. Partner with experts. Be sure to partner with experts with vast knowledge of ICS threats. The public and private sectors need to work together closely to protect this industry. Partner with a security company that can stay ahead of new threats and help operators address issues in real time.
  5. Test, test, test. Regular testing must be a focal point in this sector. Tabletop exercises that enable a red and blue team to role play different catastrophic scenarios and the real-time response to those scenarios are critical when an organization actually has to deal with a threat in real time. Never underestimate the value of tabletop exercises in shoring up weakened defenses and helping executives understand the importance of security.

Based on the latest ransomware threats, Malik has another piece of advice for organizations:

"Even having reliable and up-to-date backups won't help," Malik said, "which is why preventing criminals from gaining a foothold is of utmost importance. The top three controls organizations can deploy would include security awareness training so that users can identify and respond to phishing attacks, MFA (multifactor authentication) to prevent credential compromise, and patching external-facing systems."

www.vsoftsystems.co.za


Ransomware: How clicking on one email left a whole business in big trouble

Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

In this case, the organisation didn't opt to pay the ransom – something that authorities discourage because it would only fund additional attacks by cyber criminals – but instead had security experts come in to examine the network and restore functionality within 48 hours.

"This was a targeted attack. This is targeting organisations such as this one which, if they don't have the security retainer or IT staff, the initial reaction would be to give into the ransomware attack because they want to return their operations quickly," Bindu Sundaresan, director at AT&T cybersecurity, told ZDNet.

AT&T investigated the attack and helped the unnamed manufacturer get back online without giving in to a ransom demand, with as little disruption to production as possible. But the company likely would not have fallen victim if basic security vulnerabilities hadn't allowed the initial stages of the attack to happen.

Ryuk, like some other forms of ransomware, is deployed as the final stage in a three-pronged attack that also delivers Emotet and Trickbot. Emotet started life as a banking trojan before evolving into a botnet that is leased out to deliver other malware, which in this case is the Trickbot trojan.

Trickbot is a powerful form of malware that provides attackers with a full backdoor into compromised systems, including the ability to move around networks, issue commands and steal additional data.

After this the Ryuk ransomware is downloaded onto the network by the hackers because cyber criminals view it as the quickest and easiest way to make money from a compromised network.

While many ransomware campaigns now start with targeting remote ports, this one began with a phishing attack.

"A user was sent a Microsoft Word document as part of a phishing campaign. It was labelled as an invoice and this user downloaded the document, then malicious code executed a PowerShell command that downloaded an Emotet payload," Sundaresan explained.

PowerShell commands generally aren't required by users who don't need administrator rights, so if PowerShell had been disabled for those who don't need it, the cyberattack could've been cut off at this point.
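A detection for the chain the quote describes (an Office application spawning PowerShell that fetches a payload), as an added example that is not AT&T's or the manufacturer's code: it assumes process-creation events with parent, image and cmdline fields, and the hosts, users and command lines in the sample are constructed placeholders.

```python
"""Flag the phishing chain described above: an Office application (the
'invoice' Word document) spawning a script host such as PowerShell, weighted
higher when the command line looks like a download cradle or hidden execution.

Added example, not AT&T's code. The process-creation event fields are
assumptions; the sample events are constructed (hosts, users and the encoded
command are placeholders).
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Argument fragments typical of a download cradle or of hiding the console.
SUSPICIOUS_ARGS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|-enc(odedcommand)?\b|-w(indowstyle)? hidden",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [
    # The phishing case: Word launches PowerShell hidden with an encoded command.
    {"ts": "2020-03-02T10:12:44", "host": "ws-accounts-07", "user": "apayable",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc BASE64_PLACEHOLDER"},
    # An admin running an inventory script from the desktop: not Office-spawned.
    {"ts": "2020-03-02T10:20:01", "host": "ws-it-02", "user": "itadmin",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # Word starting its print helper: Office-spawned but not a script host.
    {"ts": "2020-03-02T10:25:30", "host": "ws-accounts-07", "user": "apayable",
     "parent": "winword.exe", "image": "splwow64.exe", "cmdline": "splwow64.exe"},
    # Excel launching a VBScript from the temp folder: suspicious, no download hint.
    {"ts": "2020-03-02T11:02:17", "host": "ws-sales-11", "user": "rjones",
     "parent": "excel.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\rjones\\AppData\\Local\\Temp\\inv.vbs"},
]


def assess(event):
    """Return (severity, reasons) for one process-creation event.
    severity: 0 = ignore, 1 = medium (Office -> script host),
    2 = high (Office -> script host with download/hidden-execution arguments)."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} spawned {image}"]
    hints = sorted({m.group(0).lower()
                    for m in SUSPICIOUS_ARGS.finditer(event["cmdline"])})
    if hints:
        reasons.append("suspicious arguments: " + ", ".join(hints))
    return (2 if hints else 1), reasons


def office_spawned_script_hosts(events):
    """Run assess() over a batch of events and return the findings."""
    findings = []
    for e in events:
        severity, reasons = assess(e)
        if severity:
            findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                             "severity": "high" if severity == 2 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: " + "; ".join(f["reasons"]))
```

The parent-child pair is the stable signal; the argument patterns only raise severity, so a renamed or obfuscated cradle still produces a medium finding.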

After Emotet formed the initial part of the attack, gaining a foothold in the network, the next step was to use the Trickbot malware to steal login credentials for corporate accounts and cloud services to gain access to other parts of the network.

By exploiting this cycle, cyber criminals were able to gain control of over half the network, before eventually delivering the Ryuk ransomware.

"Malware like this wants to get the most bang for its buck and go after organisations that are at the point where they feel like they need to give in due to the damage it's costing to their network, the valuable data that's being held – so they have a sense of urgency," said Sundaresan.

However, the attack could have been much worse, given Ryuk had not compromised the entire network but about 60% of it, including ordering and billing applications. This was in part because security personnel were able to contain the attack after being called in by the manufacturer.

"The ability to contain it and the response time was crucial. The ability to contain the incident is the key to recover from it and having the business up and running before it got to the crucial databases," Sundaresan explained.

Within 48 hours, much of the business was back up and running again – crucially without having given into paying a ransom demand to criminals. However, two days of downtime would have been costly to the organisation and restoring the network isn't likely to have been cheap either – plus there's the prospect of having to upgrade security in the aftermath, so attackers don't strike again.

And like many organisations that fall victim to cyberattacks, this one could've prevented itself from falling victim to ransomware by ensuring that cybersecurity hygiene was well managed – but there were simple-to-fix vulnerabilities that attackers were able to take advantage of.

For example, the vulnerabilities that Emotet, Trickbot and Ryuk take advantage of have been known about for a long time and critical security updates have been issued to protect users – but despite these updates being years old, there are organisations that still haven't applied them.

"Microsoft has put out patches but patch management and security hygiene still remain issues for organisations," said Sundaresan, who added that this ransomware attack could've also been prevented if strong passwords and multi-factor authentication had been used to secure systems.

"A lot of this can be prevented. If they didn't have default passwords and end-of-life machines, a lot of this would've been prevented."

And when it comes to cyberattacks, prevention is the best cure, because not only does it stop your organisation from falling victim to ransomware or other malware, the cost of securing the network in advance is almost certainly going to be less expensive than having to do it in the aftermath of an incident – especially if the attack disrupts operations or causes reputational damage that could keep customers away.

So while it might potentially seem expensive, it could be very much worth having security experts from outside the organisation come in to examine the network before damage can be done – and not after.

"Get a security assessment done from an offensive attacker point of view, you don't want to be just doing the security initiatives from compliance or internal testing – it's not enough. You have to get your network tested using multiple attack vectors and you have to do it objectively with full penetration testing," Sundaresan said.

Because ultimately, ransomware – be it Ryuk or another family – is still out there and still remains a threat because too many organisations aren't following the security basics. And until this is fixed, ransomware will remain a problem.


30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world



Ransomware has been one of the most prolific cyber threats facing the world throughout 2019, and it's unlikely to stop being a menace any time soon.

Organisations from businesses and schools to entire city administrations have fallen victim to network-encrypting malware attacks that are now demanding hundreds of thousands of dollars in bitcoin or other cryptocurrency for the safe return of the files.

While law enforcement recommends that victims don't give into the demands of cyber criminals and pay the ransom, many opt to pay hundreds of thousands of dollars because they view it as the quickest and easiest means of restoring their network. That means some of the criminal groups operating ransomware campaigns in 2019 are making millions of dollars.

But what is now one of the major cyber scourges in the world today started with much more humble origins in December 1989 with a campaign by one man that would ultimately influence some of the biggest cyberattacks in the world thirty years later.

The first instance of what we now know as ransomware was called the AIDS Trojan because of who it was targeting – delegates who'd attended the World Health Organization AIDS conference in Stockholm in 1989.

Attendees were sent floppy discs containing malicious code that installed itself onto MS-DOS systems and counted the number of times the machine was booted. When the machine was booted for the 90th time, the trojan hid all the directories and encrypted the names of all the files on the drive, making it unusable.

Victims saw instead a note claiming to be from 'PC Cyborg Corporation' which said their software lease had expired and that they needed to send $189 by post to an address in Panama in order to regain access to their system.

It was a ransom demand for payment in order for the victim to regain access to their computer: that made this the first ransomware.

Fortunately, the encryption used by the trojan was weak, so security researchers were able to release a free decryption tool – and so started a battle that continues to this day, with cyber criminals developing ransomware and researchers attempting to reverse engineer it.

But after this, it wasn't for another 20 years that ransomware as we know it now first started to emerge; and those first attacks were still simple compared with ransomware today.

A common form of this kind of ransomware was the 'Police Locker' attack, which if downloaded – often from peer-to-peer download sites, or websites hosting pirate or adult material – would change the user's desktop to a note claiming to be from law enforcement, which stated the machine had been locked due to suspected unlawful activity.

No encryption was actually used in these attacks and in many cases the locker could be removed by rebooting the computer – but for some, the fear-factor pushed them into paying up a few hundred dollars.

While Police Lockers reached their peak between about 2010 and 2012, they haven't disappeared – but they were superseded by what we recognise as 'real' ransomware.

"2012 to 2014 was kind of the Wild West of ransomware, it was a new idea and the general public wasn't aware of what it was and didn't understand what was going on. You had everything from the screen lockers to the ones with file encryption," says Michael Gillespie, ransomware researcher at Emsisoft.

It was at this point that ransomware turned towards encrypting files, so as to really turn the screw on victims, although it was rare for the ransom demands to be more than a few hundred dollars as the targets were still mostly home users – and because the ransoms were paid in standard currencies, it wasn't the most covert operation.

But the Bitcoin boom helped change everything and soon criminals distributing ransomware were demanding their ransoms should be paid in cryptocurrency because transactions are more difficult to trace than those made with regular currency, making those behind the attacks more difficult to uncover.

By 2016, ransomware-as-a-service had become common, with the creators of malware families like Cerber leasing out the ability to conduct attacks in return for a cut of the profits. It proved to be a successful business model and by the end of the year, ransomware variants ranked among the most common malware families.

Slowly but surely, the ransomware attacks were shifting their focus, with many of the professional criminal organisations turning away from attacking home users in favour of targeting businesses and public sector organisations, encrypting entire networks and making off with tens of thousands of dollars.

Despite this, ransomware still remained somewhat under the radar outside information security circles, but in May 2017, that changed forever with the arrival of WannaCry ransomware.

On that day, people at organisations around the world found themselves faced with a message demanding a ransom payment in exchange for the safe return of their files. WannaCry was spreading around the world with the help of EternalBlue, a leaked NSA hacking tool that had been made public months earlier.

The damage would have been much wider if security researchers hadn't found the killswitch for the attack, which was later blamed on North Korea. However, even if organisations did pay the ransom, there was no mechanism for retrieving the files – the attack seemed to be purely destructive in nature.

Just weeks later, something similar happened when NotPetya – an attack most likely launched by Russian military intelligence – also hit targets around the world. It looked like ransomware, but acted like a destructive wiper.

But despite the high-profile nature of both these incidents, that wasn't the end of ransomware as organisations continued to leave their networks open to compromise by cyber attackers who'd soon find yet another new way to make ransomware even more powerful – and more lucrative – than before, as hackers realised they could spread the malware with more than just phishing attacks.

"WannaCry was the paradigm shift. Because then people realised they could combine lateral movement with a strong payload like ransomware," says Max Heinemeyer, director of threat hunting at Darktrace.

Since then, cyber criminals pushing ransomware have grown bolder and the attacks have gotten much bigger. Now, when entire networks are compromised by hackers, ransomware has become a means of monetizing the attack.

By combining attacks against internet-facing ports, the use of stolen credentials, lateral movement across the network and other techniques, attackers will snake their way through the network until they've compromised everything possible, before finally unleashing the ransomware and taking everything down – often including servers and backups.

This has led to ransomware becoming an extremely lucrative business, with attackers regularly demanding six-figure sums for the decryption key – and despite the numbers involved, 2019 has seen many organisations opt to pay the ransom.

In many cases, it's seen as the lesser of two evils – because restoring the network from scratch could take weeks and not only could it cost as much, the organisation will lose large amounts of business all the time the network is down. So victims pay up, demonstrating to attackers that ransomware works.

Because of this – and the way ransomware distributors rarely get brought to justice – ransomware has become more problematic than ever and the issue will continue into 2020.

But by doing one simple thing, organisations of all sizes could counter the threat posed by ransomware attacks: making sure they have offline backups of their systems and making sure that those backups are regularly tested.

"It's Schrödinger's backup: the state of a backup isn't known until you have to restore from it: you need to know if it's going to save you if something happens," said Gillespie.

"Sometimes people don't want to pay for IT in general, they don't want to pay for a storage safety net they might never use – but there are options and in the grand scheme of things it's better for you," he added.

If organisations secure their networks against attacks and ensure there are backups available if the worst happens, they don't have to pay the ransom – and if people aren't paying ransoms, cyber criminals will stop seeing ransomware as lucrative.

Maybe if these lessons are learned now, ransomware won't be plaguing businesses over the next 30 years – but unfortunately, it's likely to get worse before it gets better.


South Africa will open to ‘most’ countries this week – and we’re one of the safest destinations in the world: minister

 

The cabinet’s decision to open the country’s borders on 1 October 2020 to “most” countries is a significant milestone in placing the sector on the irreversible path towards full recovery, says Tourism minister Mmamoloko Kubayi-Ngubane.

On this date, travel by all travellers from the African continent, and from countries outside the African continent with a low rate of Covid-19 infection and transmission, will resume.

Speaking at a World Tourism Day event on Sunday (27 September), Kubayi-Ngubane said South Africa’s data shows a downward trend in the risk of virus spread.

“South Africa is arguably amongst the safest tourist destinations in the world. We are hopeful that South Africans will continue to social distance, wear masks and take all the necessary precautions to protect themselves so that we can continue to reduce the spread of the virus,” she said.

Kubayi-Ngubane said that as part of the recovery, it will be critical for us to focus on protecting and rejuvenating the supply side of the market.

“The public and private sector will have to find ways of working together to ensure business continuity, aligning the value-chain to new biosecurity standards, as well as investment facilitation and market access,” she said.

“The rising domestic demand, which will soon be augmented by the international market when we open the borders, will have to be met by sufficient supply side infrastructure. This is a very critical element of our road to recovery.”

On the mend

Kubayi-Ngubane said that since government opened inter-provincial travel under level 2 lockdown, she has been travelling across the various provinces visiting establishments and meeting with travellers and establishment owners.

“I am happy to report that many of the establishments are ready to reopen if not already opened and South Africans are very keen to travel their own country,” she said.

“Across the country South Africans are sending me messages and pictures of their tourism experiences. South Africans are taking their families and friends to adventures, for game drives, hiking and other kinds of memorable tourism experiences that our country has to offer.

“After six months of lockdown, South Africans are going all out to rediscover their country.”

The minister said that the ‘vibrancy’ of the domestic tourism sector is in line with government’s recovery plan which envisages that a recovery will happen in phases.

“In this regard, we predicted that the recovery will start with domestic tourism, then regional land and air markets, and lastly, resumption of world-wide international travel,” she said.

 

Travel list

Transport minister Fikile Mbalula says that South Africa will adopt a risk-based system in selecting which countries will be allowed to travel into South Africa and which countries South African citizens will be allowed to fly to.

Mbalula said that government will largely adopt the same approach that was used before South Africa entered into a level 5 lockdown, with countries categorised as ‘high-risk’ or ‘low-risk’ for travel purposes.

“For instance, if you take the whole of the United States it will probably be high risk, and we will then deal with it as such. Whereas the UAE will likely be seen as a low-risk country,” Mbalula said.

The Transport minister indicated that the government will look at placing entire countries or regions on the high-risk list because of the possibility of connecting flights.

Using the example of the United States, he said it was possible for passengers to board and fly anywhere from New York, to Miami or Los Angeles. This means that the country as a whole is treated as a risk.

However, he said that the government will also take a ‘differentiated approach’ and formulate its list on a country-by-country basis, based on the current coronavirus situation.

www.samigration.com