As if the cyber landscape wasn’t already complicated enough, now these predators are like a pack of wolves feeding on businesses that have already been attacked. Cybersecurity experts used to say, “It’s not a matter of whether you’ll be attacked, but when.” Now they’re saying, “It’s not a matter of when you’ll be attacked, but how often.”
Cyberattack Victims Often Attacked by Multiple Adversaries
In excerpts from an article by Security Week, they wrote, “Victims are often attacked by multiple adversaries – usually, in rapid succession but sometimes simultaneously. Further analysis now suggests the aphorism ‘it’s not if, but when you are attacked’ should be expanded with the extension, ‘and how often.’
Multiple attacks are not new, but historically they tend to be separated by months or years. “Now,” John Shier, senior security advisor at Sophos said, “we’re talking days, weeks, or months – in one case just hours.” A new analysis from Sophos looks at the possible reasons for this evolution in attack frequency.
The report, Multiple attackers: A clear and present danger (PDF), provides several specific multiple-attack case studies.
Cryptominers
The first attack is often from a cryptominer. “What we often see,” said Shier, “is that whenever there’s a new vulnerability that is easy to exploit, perhaps with proof-of-concept code, the cryptominers are rapidly all over it.”
Cryptominers gain access, deliver their code and walk away. This is usually done programmatically and wherever possible; and it may include code to take down competing miners that might also be residents. But because they are often the first in a sequence of attacks, cryptominers shouldn’t be tolerated as an unthreatening annoyance.
‘Cryptominers,’ suggested Shier, ‘should be considered as the canary in the coal mine – an initial indicator of almost inevitable further attacks.’ The vulnerability that allowed access should immediately be sought and remediated before the same path is abused by more destructive attacks – often the delivery of RATs followed by the installation of ransomware.
Initial Access Brokers
The implication here is that the same vulnerability is found or obtained by multiple actors at the same time. Much of the Sophos analysis seeks to understand this mechanism – and a big part of the conclusion is that it is down to the work of the initial access brokers (IABs).
In a separate report published August 4, 2022, Sophos investigated the Genesis IAB – one of the more advanced marketplaces. “The attacker appeal of Genesis’ collection isn’t the size of its data aggregation; it’s the quality of the stolen information that Genesis offers and the service’s commitment to keeping that stolen information up to date,” reports Sophos. Access to a single victim might be purchased by multiple different actors for different purposes in a short period of time.
This explains the usual sequence of attacks, starting from those that require relatively little expertise (cryptomining) and expanding over a short period to those attackers that surveil, move laterally, and finally detonate malware (ransomware).
Multiple ransomware attackers
One surprising element of the current increase in both frequency and speed of attacks is that different ransomware attackers may be found in the same victim at the same time.
These attackers are likely to be aware of each other’s presence, but it does not prevent either from continuing. It is the most recent encryptor that will stand the greater chance of receiving a payout. Sophos has found no evidence of collusion between different gangs.
The conclusions from the Sophos study are complicated and disturbing. Threat actors discover the presence of new vulnerabilities by rapidly scanning the internet. Vulnerabilities become public knowledge – even with proof-of-concept code – faster than many companies can patch them.
More complex malware such as ransomware may follow. This is not the result of some master coordinating criminal plan, but the confluence of several factors: organizations’ inability to patch new vulnerabilities fast enough and protect credentials; increasing sophistication and automation by the criminal element; and the sheer and growing number of attackers. As such, the current increase in the number of attacks is likely to continue.”
You might be saying to yourself, “That sounds like something out of a Hollywood movie. It could never happen to my business.” That’s exactly the type of thinking that has gotten some of our Canadian communities in trouble.
Past successes prompt hackers to target SW Ontario communities
In an article by Strathroy, they wrote, “It’s as if there’s ‘blood in the water,’ a London-based technology analyst says.
Like sharks sniffing out a meal, hackers from around the globe are targeting vulnerable computer systems in Southwestern Ontario, Carmi Levy said a week after the area’s latest cyber attack in St. Marys in Perth County.
‘Cybercriminals globally are … focusing their efforts on geographic areas where previous attacks have succeeded,’ Levy said. ‘When one weakness is discovered by one cybercriminal, they all tend to flock toward that same space.’
A ransomware attack reported in St. Marys recently crippled the town’s computers and forced a network shutdown to protect sensitive data.
Whether that shutdown was successful is still being investigated. The town has hired cybersecurity experts from Deloitte Canada to conduct a forensic audit and officials have said this week they will wait for the results before releasing more information.
In the meantime, however, St. Marys has become one of many victims in what seems to be a developing hotspot for cyber criminals.
An attack on Stratford’s computer systems in 2019 led the city to pay a ransom of more than $75,000 in Bitcoin, a digital currency.
That same year, an attack in Woodstock ended up costing taxpayers more than $667,000 even though the city never paid a ransom. Instead, the bulk of the cost came from hiring outside experts and paying staff overtime to help the city rebuild its computer networks.
Although it wasn’t believed to be a ransomware attack, personal information about more than 300 people, some of it highly sensitive, was compromised by a ‘cyber-security incident’ earlier this year that knocked out Elgin County’s website and email system for nearly a month.
Outside of the southwest, town officials in Midland paid a ransom to reclaim data after hackers held their computer systems hostage for 48 hours in 2018. That attack happened five months after a similar incident in Wasaga Beach, about 38 kilometers away.
It isn’t likely these cyber attacks are coincidences, said Ann Cavoukian, one of Canada’s top privacy experts.
‘The inference is that these smaller towns … are not devoting the strength they need to devote to securing the data that they have,’ said Cavoukian, a former Ontario privacy commissioner and now executive director of Global Privacy and Security By Design Centre. ‘It poses a great threat and it concerns me that municipalities are not taking the measures necessary to secure their data.
‘They don’t seem to understand the enormous threat that this presents if (IT systems are) not strongly secured, strongly encrypted.’
Cybersecurity issues are on the radar of the Association of Municipalities of Ontario, the not-for-profit organization that represents the province’s 444 municipal and regional governments.
Judy Dezell, the director of AMO’s Enterprise Centre, said in an email the organization provides guidance about how municipalities should be investing in IT infrastructure, including strong password policies, encrypting data, installing software updates, and creating offsite data backups. This is important because ‘with fewer companies offering cyber insurance for municipalities, it’s taxpayers that will pick up costs related to cyber attacks,’ Dezell said.
Similar work is being done by the Canadian Centre for Cyber Security, a child agency of the Communications Security Establishment in Ottawa.
‘Municipal governments control a range of assets that are of interest to cyber threat actors, including financial information and payment systems, data about citizens, partners and suppliers, and services to constituents,’ spokesperson Evan Koronewski said. ‘As a general rule, the more Internet-connected assets an organization has, the greater the cyber threat it faces. And more generally, a regional municipality’s cyber-security resources are often more limited than a large organization.’
The Canadian government does not recommend paying ransoms, Koronewski added, because there’s no guarantee a cybercriminal will comply and ‘any ransom payment fuels the ransomware model.’
Despite these efforts, both Levy and Cavoukian said the frequency of cyber-attacks being reported in small Ontario municipalities is evidence that more needs to be done to protect personal information and taxpayer dollars in those communities.
‘Because this is the universal problem that affects all municipalities, it behooves them to put their heads together and work at a provincewide level or even a national level … rather than try to deal with this on their own,’ Levy said. ‘Cybersecurity is not something that you want to be flying solo on. You really do need to have a comprehensive organization, a regional response to it.’
‘If it isn’t a priority at that level, it needs to be.’”
More organizations taking multiple hits from cyberattacks
In an article by The Register, they wrote, “BLACK HAT Security experts spent years warning enterprises to expect cyberattacks and to plan their defenses accordingly; now Sophos researchers are saying organizations shouldn’t be surprised if they get attacked multiple times.
In a 23-page report released this week in time for Black Hat, the researchers unwind the multiple factors that are fueling a rise in the number of entities hit by more than one attack. For instance, in one case, a company was the victim of three ransomware attacks over two weeks.
‘In recent months, we’ve noticed an uptick in the number of cases where organizations have been attacked multiple times,’ wrote Matt Wixey, principal technical editor and senior threat researcher at Sophos. ‘Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type.’
Some of this falls at the feet of the organizations themselves, which too often fail to address vulnerabilities and misconfigurations after the first attack, opening the door to ensuing attacks, according to the report.
Other factors are features of a rapidly evolving cybercrime environment, with different threat groups exploiting high-profile vulnerabilities like ProxyShell and Log4Shell, interdependence among groups, the rise of ransomware-as-a-service, and growing ‘coopetition’ among the cybercrime gangs.
‘Whatever the root cause, multiple attacks can be devastating for victims,’ Wixey wrote. ‘Not only do they complicate remediation and business continuity plans, but the financial, reputational, and psychological impacts can be overwhelming. Just when you think that the worst has finally happened – and you now know for certain that it’s ‘when,’ and not ‘if’ – you’re hit with another attack.’
In cases that Sophos’s Managed Detection and Response and Rapid Response teams have investigated recently, there is usually a gap of about six weeks between attacks when an enterprise is hit multiple times.
In most instances, the root causes of multiple attacks are the failure to address significant software or hardware vulnerabilities and, after an attack, not dealing with the misconfigurations left in place by earlier attacks.
‘But there’s a little more complexity to it than that,’ he explains. ‘There’s often a specific sequence of exploitation – cryptominers (a proverbial canary in the coal mine) arrive first, followed by wormable botnet builders (such as Mirai), then malware delivery systems (webshells and/or [remote access trojans]), who may feed data to Initial Access Brokers (IABs), and finally, ransomware.’
IABs do what their name suggests, gaining initial access to compromised systems. They then sell that access to other threat groups that use it to launch their own attacks.
John Gunn, CEO of authentication technology vendor Token, told The Register, ‘Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.’
Some of these are interdependent, such as IABs enabling ransomware attacks. Others co-exist, such as cryptominers and ransomware, which have disparate objectives and don’t interfere with each other. At the same time, organizations can be hit with multiple ransomware attacks because such threat groups often don’t care if others are attacking the same enterprise. In one case, Sophos saw the same attacker using first Conti ransomware and then Hive within days of each other against the same victim.
In another incident on May 1, after initial access was gained via the Remote Desktop Protocol (RDP) and Mimikatz was used for stealing credentials, a company was hit by a Lockbit ransomware attack. Less than two hours later, a Hive ransomware affiliate attacked the same company, and two weeks later the organization was attacked a third time by a BlackCat ransomware group.
All three gangs used the same misconfigured RDP server to gain access. Sophos later found some files that had been encrypted by all three attackers, Wixey says.
The mixture of so many threat groups is a driver of the rise of multiple attacks on organizations, according to Peter Mackenzie, Sophos director of incident response.
‘It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry,’ Mackenzie said in a statement.
Competition is something enterprises want to keep in mind. Some operators, such as cryptominers, include code in their malware that will remove competitive malware from the systems they infect. Others, like ransomware groups, aren’t worried about the competition and at times will intentionally or incidentally help other attackers by leaving open backdoors or misconfigurations for others to use.
While shutting down the initial attack, enterprises need to ensure that no malicious code is left behind, according to Wixey.
‘As odd as it may sound, we could easily see scenarios where the ‘first-in’ attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential,’ Gunn adds.
Disclosures of major vulnerabilities also create a land rush among various threat groups looking to exploit them. The ProxyLogon and ProxyShell flaws disclosed last year saw cryptominers, RATs, botnets, “clipper” malware – which swaps crypto wallet addresses on a victim’s clipboard – and eventually ransomware all taking advantage.
It highlights the need for enterprises to update everything and prioritize the most dangerous bugs first, Wixey wrote. That means focusing on critical bugs impacting an organization’s specific software stack and high-profile vulnerabilities that may affect its technology.
Organizations also need to ensure misconfigurations are fixed, particularly after an attack.
‘Cryptominer operators, IABs, and ransomware affiliates always look for exposed RDP and VPN ports, and they’re among the most popular listings on most criminal marketplaces,’ he wrote. ‘If you do need remote access and/or management over the internet, put it behind a VPN or a zero-trust network access solution that uses [multi-factor authentication] as part of its login procedure.’”
Multiple attackers increase pressure on victims, complicate incident response
In excerpts from an article by Sophos, they wrote, “We’re seeing organizations being hit by multiple attackers. Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type.
Today, Sophos X-Ops is releasing the latest Active Adversary white paper: Multiple Attackers: A Clear and Present Danger. In the paper, we take a deep dive into the problem of multiple attackers, exploring how and why organizations are attacked several times. Recent case studies from our Managed Detection and Response (MDR) and Rapid Response (RR) teams provide insight into the how, and exploring cooperation and competition among threat actors helps explain the why.
Our key findings are:
- The key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack
- Multiple attacks often involve a specific sequence of exploitation, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware
- While some threat actors are interdependent (e.g., IABs later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access
- Historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems
- Ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups
- Certain features of the underground economy may enable multiple attacks – for instance, IABs reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize
- Some of the case studies we analyze include a ransomware actor installing a backdoor that was later abused by a second ransomware group; and an incident where one organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. After the dust had settled, Sophos discovered some files which had been encrypted by all three groups
At this stage there’s only anecdotal evidence to suggest that multiple attacks are on the rise, but, as Sophos’ Director of Incident Response, Peter Mackenzie, notes: ‘This is something we’re seeing affecting more and more organizations, and it’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.’
Key takeaways for organizations
Multiple attacks not only complicate incident response, but also place additional pressure on victims – whether that’s through more than one ransom demand or just the sheer technical difficulty of trying to recover from two or more attacks in a short space of time.
In the white paper we provide best practice security guidance, as well as the following eight actionable takeaways to help organizations lower the risk of falling victim to multiple attackers:
Takeaway 1: Update absolutely everything
It sounds simple, but: Update everything. One of our key findings is that cryptominers, webshells, and backdoors deployed by IABs, often come first when a vulnerability has been disclosed, and the latter typically try to operate stealthily – so you might think you’ve avoided an attack, when in fact there’s already malware on your system. That might be compounded (in a subsequent attack) by ransomware. Patching early is the best way to avoid being compromised in the future – but it doesn’t mean you haven’t already been attacked. It’s always worth checking that your organization wasn’t breached prior to patching.
Takeaway 2: Prioritize the worst bugs first
But how can you patch early, and how do you know what to patch? Prioritizing can be a big ask, given how many vulnerabilities are disclosed (18,429 in 2021, more than 50 a day on average, and the greatest number of reported vulnerabilities ever disclosed during a calendar year). So focus on two key elements: 1) critical bugs affecting your specific software stack, and 2) high-profile vulnerabilities that could affect your technology. There are paid services that offer vulnerability intelligence, but there are also free tools that let you set up custom alerts for particular products. Bug Alert is a non-profit service that aims to give early warning of high-impact bugs. Monitoring ‘infosec Twitter’ is also recommended, as that’s where many prominent vulnerabilities are discussed when first released. Or you could use CVE Trends, which collates data from several sites to show the most-talked-about vulnerabilities.
Takeaway 3: Mind your configurations
Misconfigurations – and a failure to remediate them after an attack – are a leading cause of multiple exploitations. Cryptominer operators, IABs, and ransomware affiliates always look for exposed RDP and VPN ports, and they’re among the most popular listings on most criminal marketplaces. If you do need remote access and/or management over the internet, put it behind a VPN and/or a zero-trust network access solution that uses MFA as part of its login procedure.
Takeaway 4: Assume other attackers have found your vulnerabilities
Threat actors don’t operate in isolation. IABs might resell or relist their products, and ransomware affiliates may use multiple strains – so one vulnerability or misconfiguration can lead to multiple threat actors seeking to exploit your network.
Takeaway 5: Don’t slow-walk addressing an attack in progress
Being listed on a leak site may attract other, opportunistic threat actors. If you’re unfortunate enough to be hit with a ransomware attack, take immediate action, in conjunction with your security teams and incident response provider(s), to close the initial entry point and assess what data has been leaked, as part of your wider remediation plan.
Takeaway 6: Ransomware plays nicely with ransomware
Many threat actors have traditionally been competitive, to the point of kicking each other off infected systems, and that’s still true today when it comes to cryptominers and some RATs. But ransomware doesn’t seem to follow this trend and may proceed to encrypt files even if other ransomware groups are on the same network – or operate in a mutually beneficial way so that one group exfiltrates and the other encrypts.
Takeaway 7: Attackers open new backdoors
Some attackers may introduce further vulnerabilities after gaining access or create deliberate or unintentional backdoors (including the installation of legitimate software), which a subsequent threat actor can exploit. So while it’s crucial to close off the initial infection vector, it’s also worth considering a) other weaknesses and misconfigurations that could be used to gain access, and b) any new ingress points that may have appeared.
Takeaway 8: Some attackers are worse than others
Not all ransomware strains are equal. Some have capabilities and features that may complicate attempts to respond to and investigate others – another reason to try to avoid becoming a victim of multiple attacks.
Conclusion
In an increasingly crowded and competitive threat environment, the problem of multiple attackers is likely to grow, with more threat actors coming into the mix and exploiting the same targets – either deliberately or unintentionally.
For organizations, this means that rapidly responding to attacks, applying patches, fixing misconfigurations – and checking for backdoors that attackers might have installed prior to any entry points being closed – will become more and more important.
Multiple attackers are bad news for analysts and responders too, complicating incident response, threat intelligence, and security monitoring. In one of the case studies we explore in the report, for example, one ransomware group wiped Windows Event Logs – which not only deleted traces of that group’s activities, but also those of the two ransomware groups which had attacked the network previously. In another case study, one threat actor was likely an affiliate of two separate ransomware groups.
The threat actors themselves – particularly ransomware actors – will at some point have to decide how they feel about cooperation: whether to fully embrace it or become more competitive. Going forward, some groups might deliberately team up, so that one group’s tactics complement another’s. Or we might see ransomware become more like cryptominers – actively searching for, and terminating, rivals on infected hosts. At the moment, however, it’s an uncertain area – one which we hope our report will shed some light on.”
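Takeaways 1 and 2 above give a concrete patching rule (critical bugs in your own software stack first, then high-profile vulnerabilities, with public proof-of-concept code raising urgency) and a caveat (a patched host may still have been breached before the patch). The script below is an added example that turns those two takeaways into a triage routine; it is not code from Sophos or from this post, and every vulnerability identifier, product name, hostname and date in it is a constructed placeholder.

```python
"""Patch triage for Takeaways 1 and 2: rank bugs by 'in our stack and critical',
then 'high-profile', with a public PoC raising urgency; and flag hosts that were
exposed while the PoC was public. Constructed example with placeholder data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    vid: str                    # placeholder id in CVE style, not a real advisory
    product: str                # affected product, matched against the inventory
    cvss: float                 # base score, 0.0-10.0
    disclosed: date             # public disclosure date
    poc_public: Optional[date]  # when proof-of-concept code became public, if ever
    high_profile: bool          # widely discussed (the "infosec Twitter" signal)


@dataclass
class Asset:
    host: str
    product: str
    patched: dict = field(default_factory=dict)  # vid -> date the fix was applied


def priority(v: Vuln, in_stack: bool) -> int:
    """Higher is more urgent: in-stack critical, then high-profile, then PoC available."""
    score = (40 + (30 if v.cvss >= 9.0 else 0)) if in_stack else 0
    score += 20 if v.high_profile else 0
    score += 10 if v.poc_public is not None else 0  # PoC is what cryptominers move on
    return score


def exposure_days(v: Vuln, a: Asset, today: date) -> int:
    """Days the host ran the vulnerable product while the bug was public."""
    end = a.patched.get(v.vid, today)
    return max(0, (end - v.disclosed).days)


def needs_compromise_check(v: Vuln, a: Asset) -> bool:
    """Patching closes the door but does not prove nobody came through it first:
    True if PoC code was public before this host was patched (or it never was)."""
    if v.poc_public is None:
        return False
    patched = a.patched.get(v.vid)
    return patched is None or v.poc_public < patched


def triage(vulns, assets, today):
    """Return (rows ranked by priority then exposure, watchlist of high-profile
    bugs in products missing from the inventory, since inventories are rarely complete)."""
    stack = {a.product for a in assets}
    rows, watchlist = [], []
    for v in vulns:
        if v.product not in stack:
            if v.high_profile:
                watchlist.append(v.vid)
            continue
        for a in assets:
            if a.product == v.product:
                rows.append({"vid": v.vid, "host": a.host, "priority": priority(v, True),
                             "exposure_days": exposure_days(v, a, today),
                             "check_for_compromise": needs_compromise_check(v, a)})
    rows.sort(key=lambda r: (-r["priority"], -r["exposure_days"]))
    return rows, watchlist


# Constructed sample feed and inventory; every identifier, product and date is a placeholder.
TODAY = date(2022, 8, 15)
VULNS = [
    Vuln("CVE-0000-0001", "MailServer", 9.8, date(2022, 7, 1), date(2022, 7, 3), True),
    Vuln("CVE-0000-0002", "MailServer", 6.5, date(2022, 7, 20), None, False),
    Vuln("CVE-0000-0003", "LogLibrary", 10.0, date(2022, 8, 10), date(2022, 8, 11), True),
    Vuln("CVE-0000-0004", "OtherVPN", 9.1, date(2022, 8, 1), date(2022, 8, 2), True),
]
ASSETS = [
    Asset("mail-01", "MailServer", {"CVE-0000-0001": date(2022, 7, 10)}),  # patched 9 days in
    Asset("mail-02", "MailServer"),                                        # never patched
    Asset("app-01", "LogLibrary", {"CVE-0000-0003": date(2022, 8, 10)}),  # patched before PoC
]

if __name__ == "__main__":
    print(triage(VULNS, ASSETS, TODAY))
```

The never-patched mail host ranks first with the longest exposure and a compromise check, the mail host patched a week after the PoC still gets the check, and the host patched before the PoC appeared does not.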
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca