2020 was a banner year for cybercrime, the crowning achievement of which was one of the most significant supply chain hacks in recent years. Already this year, we’ve seen multiple cyber adversaries, such as HAFNIUM, attempting to exploit a growing number of Microsoft Exchange vulnerabilities using a variety of zero-day attacks, including DearCry and other types of ransomware. And recently, a ransomware attack shut down critical infrastructure in the US as part of an ongoing scourge of ransomware.
Compounding the impact of these attacks, today’s digital technologies are interconnected across a much broader digital environment. Users, devices and applications now regularly access critical resources and data located in traditional networks, hybrid cloud environments, and from remote locations. And they do so across digital supply chains and with applications that can span organizations, employees, and customers. As a result, the cybersecurity risks resulting from such exploits have never been more significant.
There’s a lot to be learned from these high-profile attacks and a lot to apply to the many other threats out there as well.
Takeaways from DearCry and Similar Attacks
Once a high-profile vulnerability has been disclosed, cyber-criminals will almost immediately attempt to maximize the opportunity; the DearCry ransomware efforts to exploit Microsoft Exchange vulnerabilities demonstrated this. While DearCry and similar attacks may exploit these vulnerabilities now, other exploit campaigns always follow. Research shows that attackers will often continue to target known vulnerabilities for years, with malware such as Mirai (2016) and Gh0st (2009) dominating detections during 2020.
Though each organization’s network environment will vary, all organizations can implement specific steps today to reduce their risk from ransomware and other advanced threats. A key takeaway is to deploy people, technology and processes to quickly gather threat intelligence about active attacks on a network and act on it, using automation wherever possible. It is also important to ensure you are securing the entire attack chain when planning your defense strategy.
Take Steps to Protect Yourself with Hot Patching
Organizations need to step up their active defense against such attacks. The first step for any organization is to investigate for signs of compromise and then remediate any affected systems. Organizations are always best protected by immediately applying patches. However, bad actors understand that many organizations take time to apply such patches. This delay is a well-known security gap, and, predictably, cyber-criminals invariably ratchet up their efforts to compromise as many organizations as possible before patches are applied.
Since there are many reasons for delaying patching of all known vulnerable solutions (in some environments, updates and patches are never possible), implementing secondary solutions such as intrusion prevention (a strategy known as 'hot patching' or virtual patching) is also vital. Suppose you didn’t already have solutions like an intrusion prevention system (IPS) in place to detect and prevent attacks targeting newly discovered vulnerabilities before these latest attacks. In that case, it’s well past time to implement them. Our threat research team has regularly documented intrusion prevention reducing the success of attacks.
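To make the hot-patching idea concrete, here is an added example (not code from the original post or from any vendor's IPS) that models a virtual patch: a small rule set inspecting inbound HTTP requests in front of an application that is still unpatched. The endpoints (`/hypothetical/admin/export`, `/hypothetical/upload`), the `X-Example-Override` cookie, the rule ids and the sample requests are all constructed for illustration; they are not real signatures for the Exchange vulnerabilities or any other named flaw. The example also shows the alert-only mode a practitioner uses when first rolling out a new rule, before false positives are understood.

```python
# Added example, not code from the original post or from any vendor product.
# It models an IPS-style "virtual patch": a rule set that inspects inbound
# HTTP requests in front of a still-unpatched application and blocks (or
# only alerts on) requests that match a vulnerability's exploit pattern.
# All rules, endpoints and sample requests are constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def get(self, name: str) -> str:
        """Look up a request field by name: method, path, body, or a header."""
        if name in ("method", "path", "body"):
            return getattr(self, name)
        return self.headers.get(name, "")


@dataclass
class VirtualPatch:
    rule_id: str
    description: str
    # Every (field, regex) pair must match for the rule to fire.
    predicates: List[Tuple[str, re.Pattern]]
    # "block" drops the request; "alert" only logs it (useful when a new
    # rule is first rolled out and false positives are still unknown).
    mode: str = "block"


def compile_rules() -> List[VirtualPatch]:
    """Constructed rule set standing in for vendor-supplied IPS signatures."""
    return [
        VirtualPatch(
            "VP-0001",
            "Hypothetical pre-auth POST to /hypothetical/admin/export carrying "
            "an override cookie that the unpatched app wrongly trusts",
            [("method", re.compile(r"^POST$")),
             ("path", re.compile(r"^/hypothetical/admin/export", re.I)),
             ("Cookie", re.compile(r"(^|;\s*)X-Example-Override=", re.I))],
            mode="block",
        ),
        VirtualPatch(
            "VP-0002",
            "Path traversal sequences in the request path",
            [("path", re.compile(r"(\.\./|%2e%2e%2f)", re.I))],
            mode="block",
        ),
        VirtualPatch(
            "VP-0003",
            "Oversized body to a hypothetical upload endpoint "
            "(alert-only while the rule is being tuned)",
            [("path", re.compile(r"^/hypothetical/upload", re.I)),
             ("body", re.compile(r"^.{4096,}", re.S))],
            mode="alert",
        ),
    ]


def inspect(req: Request, rules: List[VirtualPatch]) -> Tuple[str, Optional[str]]:
    """Return ("block"|"alert"|"allow", matching rule id or None).

    First matching rule wins, so the most specific rules go first.
    """
    for rule in rules:
        if all(rx.search(req.get(name)) for name, rx in rule.predicates):
            return rule.mode, rule.rule_id
    return "allow", None


def sample_traffic() -> List[Request]:
    """Constructed requests: one benign, one per rule, and a benign near-miss."""
    return [
        Request("GET", "/owa/", {"Cookie": "session=abc"}),
        Request("POST", "/hypothetical/admin/export",
                {"Cookie": "session=abc; X-Example-Override=1"}, body="q=1"),
        Request("GET", "/static/../../etc/passwd"),
        Request("POST", "/hypothetical/upload", body="A" * 5000),
        # Same endpoint as VP-0001 but with a normal session: must be allowed.
        Request("POST", "/hypothetical/admin/export",
                {"Cookie": "session=abc"}, body="q=1"),
    ]


def run(rules: List[VirtualPatch], traffic: List[Request]) -> Dict[str, int]:
    """Count verdicts over the traffic; the printed lines stand in for SIEM events."""
    counts = {"block": 0, "alert": 0, "allow": 0}
    for req in traffic:
        verdict, rule_id = inspect(req, rules)
        counts[verdict] += 1
        if rule_id:
            print(f"{verdict.upper():5} {rule_id} {req.method} {req.path}")
    return counts


if __name__ == "__main__":
    print(run(compile_rules(), sample_traffic()))
```

The near-miss request at the end is the point of the exercise: a virtual patch has to key on the exploit pattern (here the crafted cookie), not merely on the vulnerable endpoint, or it blocks legitimate traffic and gets switched off, leaving the gap open again until the real patch lands.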
Don’t Overrate – Stay Vigilant
While the latest high-profile attack will always grab all of the attention, it will certainly not be the last. And the fact is, lower-profile threats can be just as dangerous. Security professionals have to make sure they don’t lose sight of everything else coming their way. Our ongoing threat research shows a strong trend towards zero-day attacks and ProxyLogon-style exploitation. Even so, exploits targeting the Exchange vulnerabilities weren’t in the top 10 by volume and spread during this period. It’s these other types of attacks that people also need to be aware of and prepared for.
Ransomware attacks are significantly on the rise—with our threat researchers documenting a seven-fold increase during the last half of 2020—and they cost businesses more than ever, both from an operational and a regulatory perspective. Ransomware is also evolving rapidly. One recent variant enumerated disk partitions to find hidden partitions that systems administrators had set up to hold backup files, showing the destructive nature of this threat. Additionally, cyber-criminals are just as vigilant as any cybersecurity team, constantly keeping an eye out for the latest and weakest link in any attack surface. And that weak link could be people, technology, supply chains or just bad cyber hygiene. Cyber adversaries like to follow the path of least resistance, like water flow – slipping through any crack they can find.
Malware and ransomware attacks achieve a new level of success because they are being crafted and targeted at specific internal systems. As they get better and better at this, the targets of these ransomware attacks are likely to become higher-profile. That increases the reward model for cyber-criminals, and as a result, the risk to all companies everywhere.
All Threats Great and Small
The bigger vulnerabilities and exploits tend to grab the headlines, which makes sense since they involve names everyone is familiar with, impact the most people and have the potential to produce the most significant negative impact on those affected. However, organizations need to be cautious about getting tunnel vision when it comes to high-profile attacks. Security strategies must always encompass all threat possibilities, both great and small, based on your own cybersecurity risk profile.