Sunday, 16 October 2022

Triple extortion and IBM’s X-Force Threat Intelligence Index 2022

IBM Security X-Force, IBM’s in-house team of cybersecurity experts and remediators, produces a report each year looking at the most urgent security statistics and trends.

For the first time in five years, the report found that manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. The report says that manufacturers have a low tolerance for downtime, and ransomware actors are capitalizing on operational stressors exacerbated by the pandemic. About 1 in 4 attacks on this sector were from ransomware.

In terms of statistics, 47% of attacks were vulnerability exploitation, 40% phishing, 7% removable media, and brute force and stolen credentials were both at 3%.

The report goes on to suggest that as defences grow stronger, malware gets more innovative. Attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic. And some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.

The report advises that maintaining properly hardened systems, enacting effective password policies, and ensuring policy compliance are critical to maintaining a robust cloud security posture.

The report goes on to say that triple extortion is an increasingly popular tactic for encrypting and stealing data, while also threatening to expose the data publicly and engage in a distributed denial of service (DDoS) attack against the affected organization unless a ransom is paid.

Ransomware gangs are also looking to their primary victim’s business partners to pressure them into paying a ransom to prevent their own data leakages or business disruptions caused by a ransomware attack.

Multi-factor authentication (MFA) can decrease the risk of several different types of attack, including ransomware, data theft, business email compromise (BEC), and server access. But BEC is rising in geographical regions where MFA is seemingly less common, like Latin America.

X-Force research confirms that zero trust principles can decrease organizations’ susceptibility to BEC. The good news is that identity and access management technologies are making MFA implementation easier.

Phishing was 2021’s top infection vector, and the brands most imitated in phishing kits are among the largest and most trusted companies, e.g. Microsoft, Apple, and Google.

Four out of 10 attacks start with phishing. However, the report found that adding vishing (or voice phishing) to a targeted phishing campaign makes the effort three times as effective as a classic phishing campaign.

Particularly noticeable, the report says, is the huge growth in Internet of Things (IoT) malware activity in the past year. The number of vulnerabilities related to IoT devices increased by 16% year on year, compared to a growth rate of only 0.4% for vulnerabilities overall. For industrial control systems, the rise was even more dramatic at 50%. This highlights the vulnerability of the manufacturing and energy sectors.

Malware targeting Linux environments rose dramatically in 2021, which is possibly correlated to more organizations moving into cloud-based environments, many of which rely on Linux for their operations.

The report found that ransomware remains the leading type of attack, although it decreased as a share of overall attacks. The REvil operation accounted for a whopping 37% of ransomware attacks that X-Force remediated last year before the gang shut down in October 2021. Members of the gang were arrested, but many ransomware groups that disband later re-emerge under new names. The frequency of ransomware attacks tends to shift throughout the year, often increasing in May and June. Ransomware attacks appear to decrease in late summer or early autumn, with January having the lowest amount of activity.

Looking at ransomware, it's clear that hackers are adding new features to their code all the time, not only to make more money from their victims, but also to overcome countermeasures employed by defending organizations.

To start with, hackers would simply encrypt the data at their victim organization and demand a ransom to decrypt it. Since 2019, various ransomware variants have exfiltrated the data before encrypting it. The target organization then had to pay one ransom to get the decryption key and a second ransom to prevent the bad actors publishing their data online. This is double extortion. In the past couple of years, attacks have moved on to triple extortion.

With a triple extortion attack, the hackers have realized that organizations don't work in isolation, they are connected to other companies that supply them with goods or are their customers. That means ransom demands can now be directed at those suppliers or customers. The hackers can also threaten distributed denial-of-service (DDoS) attacks, or they might threaten to leak to the media information about the attack and the information they have obtained (as mentioned above).

A DDoS attack overwhelms a targeted server, service, or network by flooding it with Internet traffic. It does this using compromised computers as sources of attack traffic. Normal traffic can't get through because of the 'traffic jam' blocking the target.

The first documented example of triple extortion occurred in 2020, when Vastaamo, a Finnish physiotherapy provider, was hacked. Ransom demands were sent to Vastaamo’s clients, whose details had been exfiltrated.

The main takeaway from the X-Force report is that any organization using a computer can be vulnerable to cyber-attacks, including ransomware, which was the top attack type in 2021. Security teams need to recognize that the supply chain can be vulnerable to attack. And staff need to be trained regularly to watch out for phishing attacks using well-known brands. In addition, the cloud is not that safe because hackers are familiar with vulnerabilities associated with Linux, which is often used for cloud computing.
