Cybersecurity Week in Review: 9/28
Posted by: GuidePoint Security
We made it to October, folks… Cybersecurity Awareness Month. There is a lot to be aware of, and as with every week, I’ve compiled a list of stories from the last seven days that highlight interesting events and trends in cybersecurity. Let’s dive in and take a look at some of the notable things that have happened.
Too Good to Be True?
Every day I wake up, there is a new word I have to learn, and today is no exception. The word of the day is malvertising. Just looking at it, I’m sure you can take a crack at what it means, but let’s define it anyway. Malvertising is, in essence, advertising that carries malware or links to malware-ridden sites, often placed through legitimate ad networks so that it shows up on otherwise reputable pages. The ads are targeted to what you are already looking at and try to trick you into clicking through so your machine gets infected.
Recently, a nasty piece of ransomware, Exorcist 2.0, was found being distributed via malicious ads that redirected victims to a fake software crack site. Most of us who have been in information technology for some time know that nine out of ten “keygens” or “cracks” for software are malware. Real ones exist for people looking to steal software licenses, and we won’t broach the morality of that here, but we know they exist and how they are used. Historically, the malicious versions were buried deep inside RAR files downloaded via torrents or similar channels, so they mostly hit people who went looking for a way to steal software. Now that attackers are placing them in advertisements on ordinary web pages, the general population is exposed to the attack.
The thing to watch out for is ads that read like “Windows 10 Activator 2020” and lead to a site offering the download. Click download and you get a password-protected archive. The password is the point: Chrome’s download protection and other scanners cannot see inside an encrypted archive, so the attacker is using encryption against our own defenses by blinding them to what is hidden inside. If you get that far and run the “installer,” nothing installs; instead your files are encrypted and the ransomware has taken hold. A ransom note is dropped into the encrypted folders with links to Tor payment sites where the victim is told how to pay. Observed ransom demands ranged from $250 to $10,000, depending on the content and number of files.
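The encrypted-archive trick above is also something a defender can turn into a check. As an added example (not code from the GuidePoint post or from any vendor), the script below inspects a downloaded archive and flags ZIPs whose entries carry the encryption bit, since a scanner cannot inspect those. The blocking policy, the decision to send RAR and 7z files for manual review, and the sample archives are all assumptions; the “encrypted” sample is produced by setting the flag bit on a plain in-memory ZIP, because the standard library cannot write encrypted archives.

```python
"""Flag password-protected ZIP archives before a user opens them.

Added example, not from the original post. ZIP local-file headers and
central-directory records carry a "general purpose bit flag"; bit 0 set
means the entry is encrypted and its content is opaque to any scanner.
"""
from __future__ import annotations

import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general purpose bit flag

# Magic bytes for archive formats this example does not parse further.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def zip_encrypted_entries(data: bytes) -> list:
    """Return names of entries whose encryption flag bit is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def classify_download(data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for a downloaded archive blob.

    Policy (an assumption for this example): password-protected ZIPs are
    blocked because content scanning is impossible; RAR and 7z archives are
    routed for manual review since their encryption state is not parsed
    here; anything else is left to the normal scanner.
    """
    if data[:4] == b"PK\x03\x04":
        return "block" if zip_encrypted_entries(data) else "allow"
    if data.startswith((RAR4_MAGIC, RAR5_MAGIC, SEVENZ_MAGIC)):
        return "review"
    return "allow"


def _set_flag(data: bytearray, sig: bytes, offset: int) -> None:
    """Set the encryption bit in every record that starts with `sig`."""
    pos = data.find(sig)
    while pos != -1:
        (flags,) = struct.unpack_from("<H", data, pos + offset)
        struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
        pos = data.find(sig, pos + len(sig))


def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Build a constructed sample ZIP in memory.

    With encrypted=True the flag bit is set in the local header (flags at
    offset 6) and central directory (flags at offset 8), which is exactly
    what a scanner sees when it decides it cannot look inside.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        _set_flag(data, b"PK\x03\x04", 6)
        _set_flag(data, b"PK\x01\x02", 8)
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: a fake "activator" binary packed two ways.
    sample = {"Windows10_Activator_2020.exe": b"MZ" + b"\x00" * 64}
    for label, blob in (("plain", make_zip(sample)),
                        ("locked", make_zip(sample, encrypted=True))):
        print(label, "->", classify_download(blob), zip_encrypted_entries(blob))
```

In practice this check belongs at the download gateway or in an endpoint agent; the lesson is that an archive you cannot scan should be treated as untrusted rather than quietly passed through.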
The best protection against an attack like this is simply not clicking an advertisement that claims to give you free software licenses. We all know we shouldn’t even try, but the urge to get something for free can be enticing. Remember that it is almost certainly a trick and not worth losing your files or paying a ransom. When presented with scenarios like this, if it looks too good to be true, it probably is.
Read the article here.
MITRE Brings Us A New Concept
Most of us know the MITRE ATT&CK framework and probably use it at some point every week. It has become ingrained in our tooling, concepts, and philosophies in recent years because of how useful the information is. Its comprehensive matrix of tactics and techniques is used by just about every security team to classify attacks and attackers and to gauge an organization’s risk. One of its best uses is measuring an organization’s visibility into attacks: mapping detections to techniques shows where you would see an adversary move from one step to the next as the intrusion goes deeper into an environment.
Now MITRE is developing a new knowledge base that goes beyond ATT&CK, called Shield. MITRE Shield is an active defense knowledge base that captures information on active defense and adversary engagement. According to MITRE, Shield is still very much in its infancy and a work in progress. It is being released now because MITRE feels it has enough to stimulate conversation among defenders about the concepts and how they can be used.
Some may be wondering what active defense is and why it matters. Great question, let’s dig into it. The U.S. Department of Defense defines active defense as “The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” In our context, it means setting up systems and concepts that defend the environment actively rather than only reacting after the fact. Some ways of accomplishing this are deception technology, access controls, system isolation, and many others.
With this new knowledge base, defenders have some actionable techniques at their disposal to better defend the networks and systems they are charged with protecting. Some of the concepts require new technology, like deception platforms, but that does not make the ideas any less valid or needed. Deception is a pure form of defense: we trick the adversary into believing what we want them to believe, which makes them easier to detect, track, and root out than before. The whole point of deception in cybersecurity is high-fidelity alerts from decoys or traps that, first, tell us something wrong is happening and, second, show us what actions have been taken on the fake systems. It comes down to this: if nobody knows about a fake system in the environment, why would anyone be trying to log onto it? And if a set of credentials is not associated with anyone, why are they being used?
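That last point is the whole detection logic, and it is short enough to show. The following is an added example, not code from the GuidePoint post or from MITRE Shield: it runs over a handful of constructed logon records and raises an alert whenever a decoy account or decoy host is touched. The decoy names, the simplified JSON record shape (loosely mirroring Windows Security events 4624 and 4625), and the sample lines are all assumptions made for the example.

```python
"""Turn decoy credentials and decoy hosts into high-fidelity alerts.

Added example, not part of the original post or of MITRE Shield. Because no
legitimate user or process ever touches a decoy, a single hit is enough to
alert; no baselining or thresholds are needed, which is what makes deception
alerts so much quieter than most detections.
"""
from __future__ import annotations

import json

# Decoys seeded by the defender (assumed names). Account names are compared
# case-insensitively because Windows treats them that way.
HONEY_ACCOUNTS = {"svc_backup_old", "da_admin2"}
HONEY_HOSTS = {"FILESRV-ARCHIVE"}

LOGON_EVENTS = {4624: "logon success", 4625: "logon failure"}

# Constructed sample log lines: normal users, one source that touches both
# decoy accounts and the decoy host, and one malformed line.
SAMPLE_LINES = [
    '{"EventID":4624,"TargetUserName":"jdoe","WorkstationName":"WS-101","IpAddress":"10.0.5.20","Computer":"DC01"}',
    '{"EventID":4625,"TargetUserName":"SVC_Backup_Old","WorkstationName":"WS-233","IpAddress":"10.0.7.44","Computer":"DC01"}',
    '{"EventID":4624,"TargetUserName":"jdoe","WorkstationName":"WS-233","IpAddress":"10.0.7.44","Computer":"FILESRV-ARCHIVE"}',
    '{"EventID":4624,"TargetUserName":"da_admin2","WorkstationName":"WS-233","IpAddress":"10.0.7.44","Computer":"DC01"}',
    '{"EventID":4624,"TargetUserName":"asmith","WorkstationName":"WS-102","IpAddress":"10.0.5.21","Computer":"DC01"}',
    'this line is not JSON and is skipped',
]


def honey_alerts(lines) -> list:
    """Return one alert dict per logon event that touches a decoy.

    Failed logons count too: an attacker trying a harvested decoy password
    still reveals the source host even when the password is wrong.
    """
    accounts = {a.lower() for a in HONEY_ACCOUNTS}
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; in production count these separately
        if ev.get("EventID") not in LOGON_EVENTS:
            continue
        reasons = []
        if str(ev.get("TargetUserName", "")).lower() in accounts:
            reasons.append("decoy account used")
        if str(ev.get("Computer", "")).upper() in HONEY_HOSTS:
            reasons.append("logon to decoy host")
        if reasons:
            alerts.append({
                "reasons": reasons,
                "outcome": LOGON_EVENTS[ev["EventID"]],
                "user": ev.get("TargetUserName"),
                "source_ip": ev.get("IpAddress"),
                "source_host": ev.get("WorkstationName"),
                "target": ev.get("Computer"),
            })
    return alerts


def suspect_sources(alerts) -> set:
    """Collapse alerts to the set of source IPs to investigate or contain."""
    return {a["source_ip"] for a in alerts if a["source_ip"]}


if __name__ == "__main__":
    found = honey_alerts(SAMPLE_LINES)
    for a in found:
        print(f"[{a['outcome']}] {', '.join(a['reasons'])}: user={a['user']} "
              f"from {a['source_host']} ({a['source_ip']}) -> {a['target']}")
    print("sources to contain:", sorted(suspect_sources(found)))
```

Note that the real user “jdoe” logging onto the decoy file server is flagged as well: the credentials are valid, but nobody was ever told that host exists, so the session is exactly the “why would anyone log onto it” case the text describes.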
Read more about MITRE Shield here.
More Ransomware, More Problems
Being hit with ransomware is certainly no fun. Your files are encrypted, the person holding the keys is asking for money, and the malware usually has a way of spreading to other devices on the network. All of that is aggravating at the least and can be very painful to an organization’s wallet and brand, but it is not always the most painful part of the ordeal. What really hurts is when your sensitive information is leaked on the web for all eyes to see.
Recently, a research lab found a new ransomware family, named Egregor, which is a spinoff of the Sekhmet ransomware. Egregor is an interesting choice of name: it is an occult term for an entity that arises from a collective group of people.
The group is known to burrow into organizations’ systems, steal their sensitive information, and then use Egregor to encrypt the files. Pretty standard stuff at this point, but they take it a step further to make getting paid even more likely. According to the ransom note, if the ransom is not paid within three days, the group will distribute all of the stolen information through mass media so the company’s partners and clients know it was attacked. The group also leaks a small portion of the data beforehand to make sure the company understands they are serious. Currently, the group has at least 13 companies listed on its “wall of shame.”
Another note from the attackers states that after the ransom is paid they will also help the company by providing recommendations on securing its environment against future attacks. But again, only after the ransom has been paid. How thoughtful.
Read the report here.
Final Words
It seems like every week we see attackers use the same tactics and techniques over and over to gain access to our environments. We see the occasional zero-day hitting companies and wreaking havoc, yet when we dig deeper, the methods used to infiltrate are the same as they have always been. Whether it is email, malicious links, or advertisements that look legitimate, attackers continue to find ways to evade defenses and get inside networks.
This reminds me of a saying I’ve heard over and over in the cybersecurity industry: “Attackers only have to succeed in their objective 1% of the time.” Defenders, in contrast, have to succeed 100% of the time. It puts things into perspective when we talk about fairness and how vital a security team’s job is. Having the right skills, tools, and methodologies in place can make the difference between an intrusion and a breach.
With ransomware becoming more prevalent in our day-to-day work, and with new ways of socially engineering the attacks, we have to get back to basics: training and security as a culture, while bringing in new concepts and ideas to help us defend our assets better. Deception technology gives the defending team a way to use, in essence, social engineering against the attacker by deploying decoy systems, credentials, Active Directory artifacts, and more. Frameworks and knowledge bases like MITRE’s help us understand attackers and anticipate their next moves, but the fundamental skills come first and cannot be left out of the mix. Training, practice, and the pursuit of knowledge go a long way in security, and we should always take the approach of watch and learn, never forgetting that we don’t know everything.
As always, security is an action. We get out what we put into it.