This week
Initial Access Brokers (IABs) and the evolving economics of cybercrime
Interesting research from the folks at Digital Shadows into the rise of what they have dubbed ‘Initial Access Brokers’ (IABs). These groups spend their time attempting to gain access to organisations and then sell this proven access to other cyber threat actors. IABs are closely linked with the rise of ransomware operations, which are now largely manual operations designed to inflict maximum pressure on a victim.
Retail, financial services and technology top the sector chart (below) by count, while engineering and construction, technology and e-commerce commanded the highest prices.
Most targeted industries and the average prices of access. Source: Digital Shadows
I find it an interesting area because of the dynamics on defenders: moving from a broad spread of probabilities towards a more binary outcome of compromised, or not.
There are only a finite number of bad actors in the world and they have a limited bandwidth to carry out nefarious activities. Much is made of the ‘asymmetric threat’ where ‘attackers only need to get it right once’; however, in many cases that was also offset by the question of whether you were actually interesting as a target or not.
Automation is helping IABs to improve their efficiency and, crucially, with a low-cost base they are not as fussy about who or what they find. With purely commercial objectives, ransomware operators don’t care about how interesting you are.
This reduction in cost base is a blessing: you don’t need to spend a huge amount of resources to combat this automation. Making sure you have secured any Remote Desktop Protocol (RDP) servers and turning on multi-factor authentication are great ways of sending automated scanning tools a message that you’re not worth the effort. They’re looking for the lowest-hanging fruit.
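The automated scanning the paragraph above describes shows up on an exposed RDP server as a burst of failed logons from one source. As an added example (not from the newsletter or Digital Shadows), this Python snippet runs that detection over a few constructed Windows Security log records: Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the records, threshold and window are assumptions.

```python
"""Flag bursts of failed RDP logons from a single source in Windows Security events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2021-03-01T02:00:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2021-03-01T02:00:03", 4625, 10, "admin", "198.51.100.7"),
    ("2021-03-01T02:00:05", 4625, 10, "backup", "198.51.100.7"),
    ("2021-03-01T02:00:06", 4625, 10, "scanner", "198.51.100.7"),
    ("2021-03-01T02:00:08", 4625, 10, "test", "198.51.100.7"),
    ("2021-03-01T02:00:09", 4624, 10, "test", "198.51.100.7"),   # guessing eventually worked
    ("2021-03-01T09:15:00", 4625, 10, "jsmith", "10.0.0.12"),     # a single user typo
    ("2021-03-01T09:15:30", 4624, 10, "jsmith", "10.0.0.12"),
    ("2021-03-01T09:20:00", 4625, 3, "svc", "10.0.0.40"),         # network logon, not RDP
]


def find_rdp_spray(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failure_count, followed_by_success)} for every source
    whose RDP (logon type 10) failures reach `threshold` inside a sliding `window`."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent 4625 events
    flagged = {}
    for ts_str, event_id, logon_type, _account, src in sorted(events):
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        if event_id == 4625:
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                prev_count = flagged.get(src, (0, False))[0]
                flagged[src] = (max(len(q), prev_count), False)
        elif event_id == 4624 and src in flagged:
            # A success right after a burst is the record to escalate first.
            count, _ = flagged[src]
            flagged[src] = (count, True)
    return flagged


if __name__ == "__main__":
    for src, (count, success) in find_rdp_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons in window, later success={success}")
```

With MFA in front of RDP the final 4624 would not follow the burst, which is the point of the advice above.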
Interesting stats
$7,100 average price asked by network access brokers on criminal forums for proven access to a victim’s network, according to Digital Shadows [above]
£10M in costs and investment by Hackney Council to recover from the ransomware attack that crippled their services in October last year (vol. 3, iss. 42) hackneycitizen.co.uk
35% of attacks investigated by IBM’s X-Force division in 2020 were ‘scan and exploit’, surpassing 31% for phishing ‘for the first time in years’ ibm.com
Other newsy bits
The relationships between different cybercrime operators
An interesting map here of the relationship between different operators and malware from the folks at CrowdStrike and their 2021 Global Threat Report:
crowdstrike.com, also a summary on zdnet.com
Accellion file transfer appliances compromised for 33% of customers
A group claiming to be the ‘CLOP ransomware team’ compromised file transfer devices used by Accellion’s customers to steal sensitive information and attempt to extort them. Companies including aerospace firm Bombardier, law firm Jones Day (who worked for Trump) and Asian telco SingTel have all been listed on the group’s ‘leak site’. The vendor’s PR team tried to downplay the attacks, saying that “fewer than 25 appear to have suffered significant data theft”. The attacks appear to largely be ‘smash and grab’ with little evidence of lateral movement or persistence being established. Mandiant has linked the attacks to a criminal actor they refer to as UNC2546, and says the data was stolen through December 2020 and January 2021. The U.S. Cybersecurity and Infrastructure Security Agency has published technical details of the vulnerabilities and indicators of compromise. vice.com, cyberscoop.com, zdnet.com, cisa.gov
In brief
Attacks, incidents & breaches
- DDoS attacks on Ukrainian government websites from Russian IP addresses may be retaliation for Egregor arrests bleepingcomputer.com; Ukraine also blames a ‘hacker spy group’ from the Russian Federation for an attack on a government document management system zdnet.com
- U.S. Federal Reserve suffers ~90-minute outage caused by ‘operator error’ that took down wire transfers and ACH transactions bleepingcomputer.com
- University of Oxford lab investigating COVID-19 compromised by attackers selling access forbes.com
- Ecuadorian finance ministry and largest bank compromised by ‘Hotarus Corp’ bleepingcomputer.com
Threat intel
- Chinese group was using the NSA’s ‘EpMe’ years before Shadow Brokers dumped parts of the NSA’s tooling wired.com, cyberscoop.com
- Ransomware attacks on universities up 100% year on year leveraging pressures from online learning, according to BlueVoyant zdnet.com
- Hackers for hire: Cisco points to grey area between organised cybercriminals and nation state actors scmagazine.com
- ‘Kamacite’ group attempting to maintain persistence within U.S. electric grid, according to Dragos wired.com
- LazyScripter group has been targeting airline industry since 2018, posing as IATA and infecting victims with remote access trojans bleepingcomputer.com
- Ryuk ransomware gains self-spreading, worm-like capabilities to target Windows devices bleepingcomputer.com
Vulnerabilities
- Critical remote code execution vuln in VMware vSphere theregister.com
- Node.js ‘systeminformation’ component patches command injection vulnerability bleepingcomputer.com
Security engineering
- Security of skills for Amazon’s Alexa found lacking in new research study, with checks focussing on initial submission theregister.com
Internet of Things
- Hard-coded key in Rockwell Automation Logix programmable logic controllers allows authentication bypass arstechnica.com
Privacy
- Online trackers starting to use sub-domains to bypass same-origin restrictions on cookies theregister.com
- Insider threat: McDonald’s allegedly monitoring social media to identify restaurant staff that may be ‘Fight for $15’ organisers vice.com
Public policy
- Tech lagging policy: software bugs reportedly keep Arizona inmates jailed past release dates arstechnica.com
- U.S. considering Russian sanctions for Solorigate attack ft.com
Mergers, acquisitions and investments
- RedHat latest to make Kubernetes deal, closing $100M acquisition of StackRox zdnet.com
And finally
It’s not the intern’s fault you got hacked, SolarWinds
Former SolarWinds CEO Kevin Thompson has suggested that the basic ‘solarwinds123’ password on a file server (that may or may not be linked to the wider Solorigate breach) was the fault of an intern. If true — and, hey, we have no reason to doubt Thompson’s testimony — then the company’s culture, practices, technical solutions, or assurance activities must also have therefore been pretty spectacularly lax: because nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company, and then not checking what or how they did it. The company expects to spend $20M - $25M in 2021 as part of efforts to improve product security. cnn.com, zdnet.com