The State Of Security (SOS)

2021, July 23    

With the security landscape being more active than usual at the moment, I figured its time for a quick summary of the state-of-play, and what we unfortunately may have coming...

State Sponsored

The concept of state-sponsored attacks isn't something new, but is something that is being called into question a lot as of late. With recent attacks on infrastructure within the U.S. being attributed to Russia and/or China, the cat-and-mouse games are once again being reported on. To be clear, they never stopped, they simply weren't the hot topic of the week. Those who remember their security history will recall how Stuxnet was attributed to foreign powers as a means to destabilise the nuclear programme of a country. While it's easy for the masses to overlook what could be with these types of attacks, for those within the profession its a chilling prospect. The thought of a foreign power deliberately targeting the critical national infrastructure of another, and the loss of life that will undoubtedly follow, is a stark reminder of why we do what we do.

Supply Chain Attacks

Something that myself and many others have been concerned about for a long time finally made the headlines, with Solarwinds being compromised due to a SCA (you can read more here). This type of attack isn't something new, but is something that until late hasn't (publicly at least) taken place at this scale. To add to this (and the many open-source projects that started receiving pull requests for patches containing malicious code while being disguised as package updates), Kaseya also became a victim to an attack (which in turn impacted over 1000 companies). Those familiar with open-source development at scale know that the risk of each project increases with the more 3rd-party packages you leverage, as there simply aren't enough hours in the day/night to review each package (and each code commit) before including the latest update. Sadly, this double-edged sword of not reinventing the wheel does serve as an underpinning to this, and this is before your 3rd-party management solution gets targeted and infiltrated. To quote a favourite security phrase/rule, Trust, but verify, as while your tools should always behave don't take it for granted, and don't become complacent.

Ransomware Is The New Hot Thing (again)

Ransomware isn't something new, and can be traced back to near 30 years ago (look here for a good background lesson). What has changed is the frequency of this type of attack, linked in part of the invent of cryptocurrency and the ability/ease of which to collect your demanded payment. Unregulated digital currency has played an indirect part here, and will continue to do so moving forward. The extortion twist to the latest attacks is somewhat new, with a view of not only requiring payment to provide a means to get your files back, but also to prevent them from being leaked to the public/your competitors. This twist really is one of the worst nightmares of organisations, as files can (in most cases) be recovered from backups (where your ransomware hasn't deleted them), but if your future plans (or worse, your dirty laundry) are put out on display for all to see, it can be the end of an organisation. If anything positive has come from this, its that more organisations are taking their data-access restrictions (RBAC) seriously to try to restrict the flow of data/information within their organisation.

Going Dark

An interesting plot-twist to the ongoing ransomware war is that of REvil going dark, with their sites (including those on the dark web) going offline with no forewarning. While some suspect police/federal involvement, could it be that they have reached a set target for financial gain and are bowing out before getting caught? It's also possible that with the large amounts of money involved, internal rivalry has become a challenge to manage resulting in a hiatus while leadership is reworked. Regardless of the reason, I doubt they have gone for good, and be it under the same name or another, I doubt it will be long before we see them again.

Foothold

One of the biggest concerns I have around the current ransomware attacks that are taking place daily is not that of the ransomware itself (its awful, but this is one of the many reasons we (should) have backups), but what is left behind once the backups are restored or the demand for payment has been paid. The priority focus for most organisations impacted by this type of attack has been to recover the lost data, and where extortion is in play, to avoid having said data released into the public domain. This situation reminds me of a magicians greatest power, misdirection. While backups are restored or data unencrypted to regain operational stability, how many checks are being performed for anything else lurking within the environment. What would it take for a reworked piece of malware that is different enough not to trigger a standard detection to be deployed in all of the chaos? How about all of the seemingly lower-value targets like printers that haven't been updated in some time and are easy targets to gain a foothold within the environment. For the environments with lower security standards, how about the install of remote-access products that the overworked analyst will think is part of a recent deployment by the IT team for remote management?

Future

As with everything that involves capitalism, financial sustainability is always a key motivator. The current approach to ransomware/extortion (that we know of) is to grab what you can, encrypt it so the owner has no access, and charge a fee for its release. The challenge with this model is that once this type of attack has taken place, its unlikely to work a second time with the same organisation. While you can keep going for new targets, the more you attack the more will defend. With many businesses moving to the Software-as-a-Service model, I question at what point attackers will switch (if they haven't already) to an Exfiltration-as-a-Service (EaaS) model. Will we see more attacks that use misdirection to deploy remote access tools within an environment, with the ultimate objective being to gain continuous undetected access to a target environment so that data can be exfiltrated over time to the highest bidder. This approach provides a sustainable business model in the worst of ways, and with malware creators adapting their tools/creations to chain attacks together to gain deeper control over an environment, it may be reality sooner rather than later.