We might think of 2021 as the year of the ransom note. The quiet exfiltration of data and the further industrialization of ransomware and other revenue-generating malware continued worryingly. The number of security incidents has not decreased over the past year, but attack techniques are changing. Goals are shifting, but as always, money is the root of all (cyber) evil. The more things change, the more they stay the same.

The Microsoft hack

Microsoft reported eight different suspected nation-state hacking operations against its software in the past 12 months. It became a victim itself in March, when Microsoft Exchange was compromised by Hafnium, a Chinese state-sponsored group.

It is believed that up to 30,000 businesses were affected through this popular corporate email system. The attackers gained access to on-premises servers using stolen credentials and several previously unknown vulnerabilities. They then installed web shells on the compromised servers and were able to intercept email communication.

The Colonial Pipeline Hack

Ransomware was the focus this year. Colonial Pipeline operates the largest fuel pipeline in the United States. It was breached in April through a single computer, using an employee's credentials that had been found on the dark web. This implies that the employee may have reused the same password on multiple websites, not just at work. Once inside, the DarkSide ransomware operators moved laterally across the corporate network and deployed their ransomware.

Finally, at around 5 a.m. local time on May 7th, administrators began to see a ransom demand appear on their screens. At 6:10 a.m. local time, the pipeline was shut down for the first time in the company's 57-year history. This quickly led to a fuel shortage on the US east coast. The pipeline transports 2.5 million barrels of fuel to the US east coast every day, and when news of the problems spread, panic buying began. It took five days for service to be restored.

The security company Mandiant was brought in to investigate and understand the nature and extent of the breach. The $4.4 million ransom was paid shortly after the attack. The perpetrators also exfiltrated more than 100 GB of data, which they threatened to publish if they were not paid.

REvil / Sodinokibi ransomware

Another notable ransomware attack involved the infamous REvil / Sodinokibi ransomware. Just before the July 4th holiday weekend in America, users of Kaseya's Virtual System Administrator (VSA) software became infected.

Kaseya is a cloud-based managed service provider (MSP) platform that enables service providers to perform patch management, backups and client monitoring for their customers. Most customers using the cloud version of the service were not affected, but those running the on-premises Kaseya software were.

Although only a small number were directly affected, it is believed that approximately 1,000 downstream organizations were hit. This is a supply chain attack: the affected systems were not infected individually, but compromised through trusted third-party software (in this case Kaseya's).

Current estimates suggest that this compromise of Kaseya's software infected between 800 and 1,500 small and medium-sized businesses with REvil ransomware. Among the consequences, 800 Coop supermarkets in Sweden had to close. Mandiant was also called in to investigate this incident.

2021: It's not all bad news

The headlines and statistics for 2021 so far are not all bad. Risk Based Security, a US-based cyber risk analytics company, reports that publicly disclosed security breaches were down 24% in the first half of 2021 compared to the same period last year. This decrease appears to be mainly due to incidents outside the US, as the same report shows that disclosed breaches within the US increased by 1.5%.

According to the same data, the sheer number of exposed records has also decreased: 18.8 billion records were exposed in the first half of 2021, a decrease of 32% compared to the 27.8 billion records exposed in the first half of 2020.

This suggests a possible shift in focus for certain more sophisticated groups. In the ransomware space in particular, criminal groups carefully choose their targets based on their ability to pay higher ransoms. In many cases, this means that less (but more valuable) data is being compromised.

With the added threat of sensitive data being leaked on top of the ransomware that has encrypted it, the victim company faces a difficult balancing act. This unwelcome trend has spawned companies on the white-hat side that specialize in ransomware negotiation, triage and recovery. On the black-hat side, Ransomware-as-a-Service is a booming growth industry.

The problem with LinkedIn

Before anyone celebrates that less personal information was exposed, there is the problem of LinkedIn. Data on 700 million LinkedIn users was posted for sale on a dark web forum in June 2021. That exposure affected 92% of LinkedIn's total user base of 756 million.

The data was dumped in two waves: the first exposed 500 million users, and in the second the hacker "God User" boasted of selling a database of 700 million LinkedIn users. It is well known that Chinese hackers attach particular importance to such data, as it can be used to select targets for industrial espionage.

Enter the government agencies

The publicity that ransomware attracts can itself be a problem. It provides excellent advertising for the dangers of ransomware and highlights the crippling effect it has on businesses. Reports of ransom payments also help persuade the next victim that paying is the wisest decision.
