Tag

Ransomware

Browsing

The cyber security research company reported on Tuesday that there has been a significant increase in ransomware and distributed denial-of-service attacks from October to November this year.

NCC Group reported a 41% jump in ransomware attacks in November, from 188 in October to 265, making November the most active month for the malware since April.

During the same period in 2021, the report continued, the increase was lower (4%), but the totals were higher – 314 for October and 328 for November.

The report states that the Conti and Payasa gangs probably contributed heavily to the ransomware threat landscape at that time. Both the gangs have either disbanded or are now separate.

Seasonal changes in ransomware attacks are common, noted Marcus Smiley, CEO of Epoch Concepts, an IT solutions provider based in Littleton, Colo.

“Ransomware attacks have increased during the holiday season since at least 2018,” Smiley told TechNewsWorld.

“The simplest explanation is that companies cease operations at the end of the year, making them less vulnerable to cyberattacks than usual,” he said. “This is a logical time to launch new ransomware campaigns.”

“There’s definitely an increased risk of attacks during the holiday season,” said Morgan Demboski, a threat intelligence analyst with IronNet, a network security company in McLean, VA.

“Threat actors attempt to take advantage of a potentially low cyber security posture and response as employees are out for the holidays,” Demboski told TechNewsWorld.

In 2021, there was a decline in ransomware attacks in the fourth quarter as threat actors focused on quality, not quantity, James McQuigan said. A security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“However, this year, there has been an increase in attacks targeting the health care, education and retail sectors,” McQuigan told TechNewsWorld.

A malware for all seasons

In general, attacks can often be tracked back to specific time periods, which makes it difficult to mix them with expected, legitimate communications or maximize the chances of a large payout, explained Mark Guntrip, Senior Director of Cyber ​​Security Strategy at Menlo Security. make capable. , a cyber security company in Mountain View, California.

“Attacks against agricultural companies at harvest time have drawn warnings from the FBI,” Guntrip told TechNewsworld. “There have also been attacks against game makers close to a big launch and candy makers before Halloween and the holidays.”

While there can be seasonal spikes in ransomware attacks, experts say the practice will continue to increase no matter the time of year.

Ransomware Regional Analysis – November 2022

Chart of ransomware attacks by region in November 2022

As seen throughout the year, the top two regions globally targeted by ransomware in November were North America, followed by Europe. (Source: NCC Group Monthly Threat Pulse)


“Ransomware attacks have increased and will continue to increase in 2023,” Guntrip said.

“From attacks on critical infrastructure to individual businesses, it is clear that in today’s threat landscape, no one’s system is secure, and cybercriminals show no signs of slowing their efforts,” he said.

“The level of success and subsequent money paid out following an attack is a clear attraction for threat actors to increase their focus on ransomware,” he added.

extortion is gaining popularity

The increased opportunities are contributing to the rise in ransomware attacks, maintained Smiley. “Today’s organizations have more connected surfaces than ever before, thanks to IoT and remote employment,” he added.

Another factor is motive. “With increasing geopolitical conflict around the world, there is more activity on the part of nation-states and politically driven actors,” he observed.

“Yet another factor,” he said, “is the growing number of ransomware-as-a-service groups that offer their services to less sophisticated cybercriminals for a fee.”

Demboski explained that the “as a service” offering makes ransomware a low-effort, low-risk alternative to generating criminal profit.

“The availability of various ransomware families through Ransomware-as-a-Service, combined with other readily available services such as Phishing-as-a-Service and Initial Access Brokers, has created a great opportunity for cyber criminals to acquire credentials and ready-made Buying access has become much easier for organizations, in essence giving them all the necessary ingredients to launch an effective and damaging ransomware attack,” he said.

A troubling trend that will further fuel ransomware attacks is the use of ransomware for extortion.

“With the opening of ransomware in recent months, there have been several cases of ransoms not being collected after payment and data being held hostage for future extortion,” said Timothy Morris, chief security advisor at Tanium. An endpoint management and security platform in Kirkland, Wash.

“It takes into account the extortion trend,” Morris told TechNewsWorld. “This is easier to deal with than the logistics of ransomware keys and the management of encryption/decryption, which can create technical support issues that damage the criminal syndicate’s ‘reputation’ if they go down.”

DDoS attacks are on the rise

As noted in the NCC report, in October, distributed denial-of-service attacks continued to rise, with November seeing 3,648. A major target among them was the United States with 1,543 attacks.

The reasons for the US being the most targeted include the large attack surface and the current geopolitical tensions in the country, which show no signs of easing, the report pointed out.

It added that given the timing, the US strikes could be aimed at disrupting the midterm elections.

NCC’s Global Head of Threat Intelligence, Matt Hull, predicted that DDoS attacks would continue to increase.

“However, as more organizations become aware of the growing threat, it will be interesting to see how malicious actors who execute DDoS attacks are combated,” he said in a statement. “DDoS is not a new attack type, and preventive and defensive measures are more widely available and affordable than ever.”

DDoS Ransomware Isn’t for the Crowd

While denial-of-service attacks were common with some cybercriminal groups, DDoS attacks related to ransomware have decreased, McQuigan said.

“This action may result in the victim organization being blocked from using the Internet to access the Tor network, making it very difficult to make payments,” he explained.

“If they start denying service,” he continued, “that’s to tell the organization that they are still susceptible to other attacks to continue to pose a threat.”

Data breaches seem to be less of a concern than DDoS attacks compared to malware and phishing because DDoS attacks typically do not result in the theft or loss of sensitive data, observed Casey Ellis, CTO and founder of Bugcrowd, an operator of the Internet. Crowdsourced bug bounty platform.

“While DDoS attacks can cause significant disruption to company operations, they do not pose the same risk to the privacy, integrity, or availability of critical data as other types of cyber attacks,” Ellis told TechNewsworld. “DDoS attacks are less sophisticated and easier to defend against than data breaches, malware and phishing attacks.”

As if defenders of the software supply chain didn’t have enough attack vectors to worry about, they now have a new one: machine learning models.

ML models are at the heart of technologies such as facial recognition and chatbots. Like open-source software repositories, models are often downloaded and shared by developers and data scientists, so a compromised model can have effects on multiple organizations at once.

Researchers from machine language security company HiddenLayer revealed in a blog post on Tuesday how an attacker could use a popular ML model to deploy ransomware.

The method described by the researchers is similar to how hackers use steganography to hide malicious payloads in images. In the case of ML models, the malicious code is hidden in the model’s data.

According to the researchers, the steganography process is quite general and can be implemented on most ML libraries. He added that the process need not be limited to embedding malicious code in models and can also be used to extract data from an organization.

machine learning model hijacking

Image Courtesy of HiddenLayer


Attacks can also be operating system agnostic. The researchers pointed out that OS and architecture-specific payloads can be embedded in the model, where they can be loaded dynamically at runtime depending on the platform.

flying under the radar

Tom Bonner, senior director of adversarial threat research at Austin, Texas-based HiddenLayer, said that embedding malware in ML models provides some advantage to an adversary.

“It allows them to fly under the radar,” Bonner told TechNewsWorld. “This is not a technology that is detected by current antivirus or EDR software.”

“It also opens up new targets for them,” he said. “It’s a direct route into data scientist systems. It’s possible to dump machine learning models hosted on public repositories. Data scientists will pull it down and load it, then it’s patched.”

“These models are also downloaded to various machine-learning ops platforms, which can be very scary because they can have access to Amazon S3 buckets and steal training data,” he continued.

“most of [the] Machines running machine-learning models tend to have bigger, fatter GPUs, so bitcoin miners can be very effective on those systems as well,” he said.

HiddenLayer demonstrates how its hijacked pre-trained ResNet model executed a ransomware sample the moment it was loaded into memory by PyTorch on its test machine.


first mover advantage

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz., often likes to exploit unanticipated vulnerabilities in new technologies.

“Attackers looking for first-mover advantage in these frontiers can enjoy both less preparation and proactive protection by exploiting new technologies,” Clements told TechNewsWorld.

“This attack on machine-language models looks like it could be the next phase of the cat-and-mouse game between attackers and defenders,” he said.

Threat actors will take advantage of whatever vectors they can to carry out their attacks, explained Mike Parkin, senior technical engineer at Vulkan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.

“It’s an unusual vector that can outperform some common tools if done carefully,” Parkin told TechNewsWorld.

Traditional anti-malware and endpoint detection and response solutions are designed to detect ransomware based on pattern-based behaviors, including virus signatures and monitoring key API, file, and registry requests on Windows for potential malicious activity , Chief Security Officer Morey Haber explained. BeyondTrust, a developer of privileged account management and vulnerability management solutions in Carlsbad, California.

“If machine learning is applied to the delivery of malware such as ransomware, traditional attack vectors and even detection methods can be changed to appear non-malicious,” Haber told TechNewsWorld.

potential for extensive damage

Attacks on machine-language models are on the rise, said Karen Crowley, director of product solutions at Deep Instinct, a deep-learning cybersecurity company in New York City.

“It’s not critical yet, but widespread damage is likely,” Crowley told TechNewsworld.

“In the supply chain, if the data is poisoned so that when the model is trained, the system is also poisoned, then that model can make decisions that reduce rather than strengthen protection,” he explained.

“In the cases of Log4j and SolarWinds, we saw an impact not only on the organization that has the software, but all of its users in that chain,” she said. “Once ML is introduced, the damage can add up quickly.”

Casey Ellis, CTO and founder of BugCrowd, which operates a crowdsourced bug bounty platform, said attacks on ML models could be part of a larger trend of attacks on software supply chains.

Ellis told TechNewsWorld, “Just as adversaries can attempt to compromise the supply chain of software applications to insert malicious code or vulnerabilities, they can also compromise the supply chain of machine learning models to insert malicious or biased data or algorithms.” can also target.

“This can have a significant impact on the reliability and integrity of AI systems and can be used to undermine trust in the technology,” he said.

Publam for Script Kiddies

Threat actors may show increased interest in machine models because they are more vulnerable to people than they thought.

“People have known this was possible for a while, but they didn’t realize how easy it was,” Bonner said. “It’s fairly trivial to put together an attack with a few simple scripts.”

He added, “Now that people have realized how easy it is, this script is in the realm of children.”

Clements agreed that the researchers have shown that it does not require hardcore ML/AI data science expertise to insert malicious commands into training data that can then be triggered by ML models at runtime.

However, he continued, more sophistication is required than run-of-the-mill ransomware attacks that rely primarily on simple credential stuffing or phishing to launch.

“Right now, I think the popularity of the specific attack vector is likely to subside for the foreseeable future,” he said.

“Exploiting this requires an attacker compromising the upstream ML model project used by downstream developers to download pre-trained ML models to the victim, with embedded malicious commands from an unauthenticated source.” exploits,” he explained.

“In each of these scenarios,” he continued, “it appears that there would be much easier and more straightforward ways to compromise the target than simply inserting entangled exploits into the training data.”

Ransomware is the top supply chain risk facing organization today, according to a survey released Monday by ISACA, a consortium of IT professionals with 140,000 members in 180 countries.

The survey, based on responses from more than 1,300 IT professionals with Supply Chain Insights, found that nearly three-quarters of respondents (73%) said ransomware was a major concern when considering supply chain risks to their organizations .

Other major concerns include poor information security with physical or virtual access to information systems, software by suppliers (66%), software security vulnerabilities (65%), third-party data collection (61%) and third-party service providers or vendors. exercises were included. Code or IP (55%).

The increased concern about ransomware can be because it can take a double whammy for an organization.

“First, there is the risk of an attacker finding an attack path into an organization from a compromised vendor or software dependency, as we saw with the SolarWinds and Kasia attacks, which saw a large number of downstream victims travel through that supply chain. impressed,” Chris explained. Clements, vice president of solution architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

“Then there are secondary effects,” he continued, “where a ransomware gang can steal data stored on a third-party provider and attempt to take out both organizations by threatening to release it publicly if the ransom is not paid. Can do.”

“The other side of the coin is that a ransomware attack on an organization’s supply chain can cause significant operational disruption if the third party it depends on is unable to provide services because of a cyberattack,” he told TechNewsWorld. .

leader ignorance

Those attacks on the software supply chain can have a ripple effect on the physical supply chain. Eric Krone, security awareness advocate for KnowBe4, a security awareness training provider in Clearwater, Fla., said, “Ransomware contributes to significant disruptions in the already taxing supply chain when the systems that manage the creation and delivery of goods and services are compromised. is taken offline.”

“This could affect the ordering and tracking of inventory of materials needed to make the item, could affect the tracking of the status of items needed to fill orders and could cause problems with customers receiving materials, their could create shortages for customers,” he told TechNewsWorld.

“In a world of on-time order fulfillment, any delay can affect the supply chain, affecting more and more people along the way,” he said.

Nearly a third of the IT professionals surveyed (30%) disclosed that the leaders of their organizations did not have an adequate understanding of supply chain risk. “The fact that it was only 30% was somewhat encouraging,” ISACA Board of Directors Rob Clyde told TechNewsWorld. “A few years ago this number would have been much higher.”

“I think a lot of ignorance comes from underestimating the number of dependencies and their criticism of how an organization operates,” Clements said.

“These third-party tools, by their nature, often require administrative rights for many, if not all, of the customer’s devices they interact with, meaning that only one of these vendor’s agreements is for their customer. Might be enough to completely compromise the atmosphere.”

“Likewise, there is often an ignorance of how much organizations rely on third-party vendors,” he adds, “most organizations do not have a ready-to-go fallback plan if a major provider such as their email The communications platform had to have an extended outage.”

pessimistic vein

Even in situations where leaders understand the risks to their supply chains, they will not make mistakes in terms of security. “In situations where companies have to choose between security and development, every time you see them choosing growth,” says Casey Bisson, head of product and developer relations for BlueBracket, a cybersecurity services company in Menlo Park, Calif. he said.

“It comes at the risk of their customers. It comes at the risk of the company itself,” he told TechNewsWorld. “But increasingly, we’re starting to see executives being held accountable for those choices.”

The ISACA survey also found a strong vein of pessimism among IT professionals about the security prospects of their supply chains. Only 44% indicated they had high confidence in the security of their organization’s supply chain, while 53% expected supply chain issues to remain the same or get worse over the next six months.

ISACA Survey Results Top Supply Chain Risks

Source: Isaka | Understanding Supply Chain Security Gaps | 2022 Global Research Report

One of the more surprising findings of the survey was that 25% of organizations said they had experienced a supply chain attack in the past 12 months. “I didn’t think it would be anywhere near that high,” Clyde said.

“While many organizations have experienced cyberattacks in the past 12 months, I didn’t think there would be many to blame for a supply chain problem. If we had asked this question many years ago, it would have been a much smaller number. , “They said.

Meanwhile, more than eight in 10 of tech experts (84%) said their supply chains needed better governance than they do now.

“It just doesn’t work the way we try to authenticate supply chain partners today,” said Andrew Hay, COO of Lares, an information security consulting firm in Denver.

“We either generate an arbitrary score based on external scan data and IP-based confidence or we try and force them to fill out 100 or more questions on a spreadsheet,” he told TechNewsWorld. “Neither accurately reflects how secure an organization is.”

need for auditing

Many factors come into play when trying to secure a supply chain, said Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk prevention in Tel Aviv, Israel.

“Organizations only have full visibility into their own environments, which means they have to trust that their vendors are following best practices,” he told TechNewsWorld. “This means they are required to cover contingencies when a third party vendor breach occurs or has a build process that severely restricts the damages that can occur if it occurs.”

“It is even more complicated when an organization needs to deal with multiple vendors to compensate for shortages or disruptions,” he continued. “Even with the right risk management tools, it can be difficult to account for everything in play.”

Krone said there should be some trust in suppliers; However, if administration is extended to verify what organizations tell us, as opposed to relying on responses to a questionnaire, a system of auditing should be established.

“This will inevitably increase costs, something that many organizations work hard to keep as low as possible in order to remain competitive,” he said.

“While this may be easy to justify for critical government or military systems, it can be a hard sell for traditional suppliers,” he said. “To add to the challenges, it may be difficult or impossible to impose a regime on foreign suppliers of goods and materials. This is not an easy challenge to tackle and will remain a topic of discussion for a long time.