As my team are the ‘first responders’ for cyberattacks, we get an interesting perspective on cybersecurity – in terms of exactly what attacks are really hitting organizations and how they affect them, and in terms of understanding the motivations of those launching the attacks. Overwhelmingly, the attacks we see are intended to extort or steal money.
I believe that the threats we will see in 2020 will not be very different to those threats we already know all too well. While my team occasionally deals with some advanced new threats, these are always massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits. Here, I’ll explore the three main types of incident that we see, and share some of the lessons that organizations can learn from them in order to enhance their security.
Email is the delivery method for over a third of the incidents we handle. While this may seem like stating the obvious, the sheer volume of successful attacks launched from malicious emails makes this issue worth examining. We found email-based incidents fall into three categories:
Credential theft is an extremely effective way to penetrate a company. We see many different campaigns, both targeted and mass-mailed. The majority of successful exploits are limited to 2 or 3 users per organization with the attacker extending their reach internally with additional phishing emails, posing as a trusted employee. Most companies do not have protections either to secure against compromised credentials, or block phishing emails – so this is an area that needs attention.
Business email compromise (BEC) is either an extension of credential theft, where the attacker poses as a trusted employee, or when attackers insert themselves into an email conversation either from external or internal sources, and modify key information at the right time such as bank routing information. We have observed this attack to be very successful with multiple customers losing millions of dollars to misrouted payments to an attacker’s bank account. User education is a key part of stopping costly BEC incidents at source.
Dropping bots and malware: any email with an attachment such as an invoice, shipping notice or similar document else that people expect as delivery method is still very effective, simply because many organizations still do not have any advanced controls around email, either on the application or endpoint.
- Find the best anti-virus software here - includes free and paid-for versions
Ransomware still active
Ransomware incidents accounted for around 30% of the incidents we handle – but these are by far the most impactful incidents. Each ransomware case we handle causes significant disruption to customers, from financial losses to business shutdowns that typically lasted anywhere from 5 to 10 days, to weeks of cleanup which included full system rebuilds and brand recovery work. In several cases, losses were measured in millions of dollars and thousands of hours of remediation work.
A key trend we’ve seen in 2019 is the amount of intelligence-gathering that attackers do on their victims. This includes studying SEC filings for the company’s financial position, and using this to scale their ransom demands. While we do not negotiate with actors on payments, in one case a customer’s insurance company interfaced with a threat actor to negotiate a payment.
During those negotiations, the actor informed the insurance company that they knew exactly how much cash on hand the customer had and would not negotiate a lower payment.
Ryuk ransomware has been responsible for the majority of the cases we handled in the first half of 2019. In most of these, Ryuk was never delivered directly, but a cast of other malware was used to serve up the final Ryuk infection.
We typically see infections using Emotet and Trickbot before the deployment of Ryuk: these pre-infections usually start a week or two before Ryuk is delivered, so IT teams should watch out for signs of these stealthy agents. We recommend running a full compromise assessment any time there are signs of intrusion.
Unfortunately for network admins, we typically see ransomware attacks occurring during the weekend or holidays when resources are most limited. So if patching, upgrades and other IT activities wasn’t enough, prepare yourself for a major disruption if you don’t have controls in place to protect against ransomware. If you don’t prepare, expect your weekends and public holidays to be disrupted.
Old attacks, new targets
You would be forgiven for thinking that the attack vectors we have seen for years would eventually die off with the introduction of new controls or technologies. But that’s not the case. 16% of the incidents we handled in Q1 were related to a cast of ‘oldies but goodies’, such as brute force logins, credential stuffing, and attacks against PowerShell and RDP.
The interesting thing is that these attacks are now targeting cloud, rather than legacy network infrastructures. As a result, it’s critical to ensure that you have visibility and control over the cloud services you use, such as SaaS, IaaS and PaaS. In other words, make sure your aaS’s are covered.
We also see EternalBlue vulnerabilities still being actively exploited within customers’ environments. These were exploited by WannaCry and NotPetya, and patches have been available for over two years. We cannot stress enough that rigorous patching is effective in stopping many of the attacks we regularly deal with.
In conclusion, the old tricks that hackers and criminals have used for years are still used in the overwhelming majority of attacks. This means that relatively simple preventative measures can prevent these attacks from causing damage and disruption.
Dan Wiley is the Global Head of Check Point's Incident Response Team.