In the past several weeks, our analysts were asked their opinions of what they believe will be the most pressing cyber security issues for the upcoming year. I told them that you really can’t be wrong, as the malware used by all levels of hackers is constantly changing. Our job as cyber security professionals is to try our best, based upon what we have seen recently, to identify the immediate challenges in our profession.
Are we guessing, or do we use facts and evidence to make our expectations and predictions? The latter, as I hope we can produce a calculated risk assessment.[1] [2]
Email Spoofing in the Transportation Supply Chain
In the past several years, Red Sky has been tracking Vessel Impersonation, where analysts have seen various fake entities, all along the transportation supply chain, used to trick transportation-related businesses into clicking on an attachment and thus getting infected with malware. Based on our 3+ years of notifying the maritime industry of these issues, especially given how important these indicators are to the supply chain, it’s a bit troubling that they have not been better addressed. Implementing more full-bodied security measures around remote access and the supply chain has been a priority for a decade now. The time is now to get serious and address remote access issues and supply chain related attacks. It’s only going to get worse.
Remote Access or Supply Chain Security
The fact that this issue has not even been looked at shocked our analysts the most, especially given how important both topics are, and how long the cybersecurity industry has been banging its drum about tackling them. Implementing more robust security measures around remote access and the supply chain has been a priority for a decade now, and I really thought we’d see broader adoption across industries as things began to return to (some version of) normal as COVID restrictions eased. Everyone was going to address these problems. But no one did.
According to The 2022 Ponemon Institute State of Cybersecurity and Third-Party Remote Access Risk Report, 54% of organizations experienced a cyberattack in the last 12 months, while 75% of respondents said they’ve experienced a significant increase in security incidents — most often due to credential theft, ransomware, DDoS, and lost or stolen devices. We clearly have a lot of work to do to make enterprise environments — both remote and brick and mortar — more secure.
Ransomware and RaaS
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victims pay them cash ransoms to unlock systems or return information. Ransomware attacks are costly. They can damage company reputations. Often ransomware can enter a corporate network through a channel that is open with a vendor or a supplier that has weaker security on its network. Companies must audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
Ransomware attacks are not going away. Why? Because they are so easy to initiate.
Ransomware as a service, or RaaS, is now being sold on many Dark web sites. Figure 1 shows the LockBit site as seen on 16 December. Now that even a novice hacker can use any number of ransomware tools to attack a company, with very low odds of getting caught, this attack vector will remain constant for 2023.
Figure 1. LockBit RaaS site as seen on 16 December 2022.
Professionalism
Cybercrime is becoming more and more professional. For example, our analysts have seen an increase in as-a-service business models for malware over the past year. As this approach seems to be more profitable for certain groups that have already implemented the business ideas, we will see more business-like methodologies for development and distribution of malware. This new professionalism is not good but somewhat expected, as hacking groups get more and more sophisticated.
Phishing - Duping people and ripping them off has been going on for many, many years. Add technology to this art and you have Phishing – THAT’S with a PH. All of us have received a suspicious e-mail, or worse, an email that appears to be legitimate and from a trusted party but is not. This is known as phishing. Phishing is a major threat to small, medium and even large companies with robust cyber security programs.
This trickery plays on the human element of the entire IT process. Humans are uneducated, in a hurry or outright lazy. These are the people hackers play upon.
Employee training on how to recognize phony emails, report them to IT and then never open them – these simple steps can really help. IT should join with HR to make sure that cautious email habits are taught.
Common Sense is Instinct – Enough of it is Genius. This is a saying I use when training security professionals. We all have common sense, though at varying levels. Use your common sense – if an email looks suspicious, it most likely is. Slow down and check the email, even if you have to, God forbid, get on the phone and verify it. Common sense could greatly benefit your company and may even save your job.
Laws and Regulations
Governments move slowly; enterprises move faster. When the US issued an executive order in May 2021 to improve the nation’s cybersecurity, it was a huge win for companies across all industries. This is true in many governments, especially in the West. The US order stated that the country “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The US Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
These are political words. Policies and regulations (especially surrounding cybersecurity) rarely function as an immediate fix, and last year’s ‘order’ didn’t either. But I guess it’s a starting point in a governmental area that needed, and still needs, serious attention. As many say, “Legislation often sets the floor, not the ceiling.”
Government laws and regulations take time: they must be drafted, passed by the House and Senate (with a Governor’s or President’s signature), and then successfully enforced, with cyber-crimes prosecuted under them.
Check out Figure 2 and you will see just how complicated getting a Bill to a Law really is. That is true at both the state and federal levels of government. Enforcement and prosecution are now happening, but still, in my opinion, they are just a drop in the bucket. Call your government representatives and tell them to 'shake a leg.'
Figure 2. How a Bill becomes a Law.
Recorded Future recently shared information from Meta that spyware and surveillance-for-hire is a growing criminal enterprise. These services, and I use that term cautiously, called the spyware and surveillance-for-hire industry, are “indiscriminately” targeting journalists, activists and political opposition, and growing on a global scale. In a new report published recently, Meta said it has “continued to investigate and take actions against spyware vendors around the world, including in China, Russia, Israel, the US and India, who targeted people in about 200 countries and territories.”
Meta was one of the first to publicly challenge the spyware industry back in 2019, when it began legal proceedings against the Israeli firm NSO Group for hacking into approximately 1,400 WhatsApp users’ mobile devices.
A side story: while I was the Director of a midwestern Fusion Center, and that was close to 10 years ago, I was actually introduced to an Israeli company that could take over cell phones. They were looking for an avenue to sell this spyware product inside the US (though they called it by its commercial name, not Spyware). They actually took over a cell phone in front of us. After being in law enforcement for over 28 years, I told them that taking over cell phone operations in the US equated to a wiretap, which was illegal unless granted through a Title 3 federal Search Warrant. Well, needless to say, that ended our meeting right then and there. Later I learned that this same spyware product had been allegedly used in other countries, even some allegedly connected to various political assassinations. So, if your cell phone starts acting up, well, you may have a problem.
It's easy – Go and Rust
Our analysts have seen a marked increase in malware written in languages such as Go or Rust. Why is this? Well, these languages tend to be easier to grasp, and easier languages let more hackers operate. These languages also tend to be more portable, in that code can be written once and then compiled natively for different architectures.
In other words, you can write the program once, compile it for most architectures on just one machine, and then you are off to the races. This is as opposed to needing to make a Windows version, and then a Linux version, and then an ARM version. Easy, right?
IoT
In 2020, 61% of companies were using some sort of IoT (or Internet of Things), and this percentage continues to increase – year by year. I read recently that some Chinese products sent to Western countries can be used as listening devices so China can gauge our Western American cultures. This may make you look at your toaster a bit differently. I’m joking of course, but IoT is a serious issue.
With the expansion of IoT in everyday life, security risks will continue to grow. IoT vendors are notorious for implementing little to no security on their devices. Company IT teams can combat this threat by vetting IoT vendors for security upfront, before purchase, in the request for proposal process, and by resetting IoT security defaults on devices so they conform to corporate standards. With the ease of using IoT technology, complacency often sets in. This, again, hackers use to their advantage.
BTW - The US Food and Drug Administration (FDA) is currently pushing for the US Congress to provide more funding and support for efforts to address the cybersecurity protections of medical devices, as many medical devices operate with IoT technology.
Data Compromise Increase
The number of data compromises has increased drastically since 2005 (as shown on the graph). This chart only includes compromises from the first half of 2022 and may not account for incidents like Nelnet or Twitter; as such, the 2022 stats are lower than 2021’s. Another driver is the increase in cloud infrastructure technology due to work-from-home situations (which are the new norm).
And organizations continuing with remote work will only compound current issues with potentially misconfigured environments and unintended or shadow API endpoints.
Further, layoffs at big organizations, e.g., Twitter, Meta, Amazon, HP, Cisco, could end up inhibiting ideal security protocols for the future.
Data Poisoning and AI
Artificial intelligence (AI) is opening up, and will continue to open up, new possibilities for companies in every critical infrastructure sector and industry. Unfortunately, the bad guys know this too.
Serious examples of data poisoning in AI systems have started to appear in research and in various levels of technology development. In data poisoning, a malicious actor finds a way to inject corrupted data into an AI system that will skew the results of an AI inquiry, potentially returning a false AI result to company decision makers.
Think of the potential ramifications for medicine, military systems or even politics. The recent cyber allegations of voter fraud are at the forefront and are just one example of alleged data poisoning. The health and safety of the US public is vulnerable and at risk, and this issue must receive serious scrutiny.
Experts agree that one way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of your data.
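The monitoring idea above, as an added example that is not part of the original report: a small drift tripwire that tracks the daily share of records a classifier flags and alerts when that share moves far from its historical baseline. The model, the flag rates and the threshold are constructed assumptions for illustration, not data from the article.

```python
"""Output-drift monitor for an ML classifier, used as a data-poisoning tripwire.

Constructed example (not from the original article): a model flags transactions
as suspicious; we track the daily share of records flagged and alert when that
share moves far from its historical baseline, which is the signal the article
recommends watching before checking training-data integrity.
"""
from statistics import mean, pstdev


def baseline_stats(rates):
    """Mean and population std-dev of a baseline window of daily flag rates."""
    if len(rates) < 2:
        raise ValueError("need at least two baseline days")
    return mean(rates), pstdev(rates)


def drift_alerts(baseline, recent, z_threshold=3.0, min_sigma=0.001):
    """Return (day_index, rate, z) for each recent day whose flag rate sits more
    than z_threshold standard deviations from the baseline mean.

    min_sigma stops a very flat baseline from turning every tiny wobble into an
    alert; tune it to the noise level of the metric being watched."""
    mu, sigma = baseline_stats(baseline)
    sigma = max(sigma, min_sigma)
    alerts = []
    for i, rate in enumerate(recent):
        z = (rate - mu) / sigma
        if abs(z) > z_threshold:
            alerts.append((i, rate, round(z, 2)))
    return alerts


# Constructed sample data: 14 days of normal behaviour (about 2% flagged), then
# 7 days in which the flag rate collapses, consistent with poisoned training
# data teaching the model to wave suspicious records through.
BASELINE_RATES = [0.021, 0.019, 0.020, 0.022, 0.018, 0.020, 0.021,
                  0.019, 0.020, 0.022, 0.021, 0.018, 0.020, 0.019]
RECENT_RATES = [0.020, 0.021, 0.019, 0.004, 0.003, 0.002, 0.002]

if __name__ == "__main__":
    for day, rate, z in drift_alerts(BASELINE_RATES, RECENT_RATES):
        print(f"day {day}: flag rate {rate:.3%} is {z:+.1f} sigma from baseline;"
              " check training-data integrity")
```

The same check works for any scalar summary of model output (mean score, class mix, rejection rate); the point is to compare against a baseline captured before the suspect period, not against the most recent days.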
A Part of Cyber Resiliency
Some have questioned why I even bring this up. But all IT, cyber, networks, cell phones (and yes, your brand new EV) rely on electricity. If there is no electricity, there is no cyber. This was so evident in last week’s Bomb Cyclone storm and the millions of victims without power. And that was from nature. Think of an actual attack on our electric grid.
Three weeks ago, the US Cybersecurity and Infrastructure Security Agency (CISA) released the Resilient Power Best Practices for Critical Facilities and Sites. This document supports emergency and continuity IT managers with guidelines, analysis, background material, and references to increase the resilience of backup and emergency power systems during all durations of power outages.[3]
Improving power resilience can help the nation withstand and recover rapidly from deliberate attacks, accidents, natural disasters, as well as unconventional stresses, shocks, and threats to our economy and democratic system. This document focuses on metrics, methods and technologies to improve the resilience of backup and emergency generation sources, fuel quality and availability, energy storage, renewable energy, and includes mitigations against cybersecurity, physical security, and electromagnetic events. Let’s keep the electricity flowing.
Working Together to make a Difference
In my humble opinion, the only way we will overcome the escalating scourge of cyber attacks is to create a united front from Government to Business, and back. Inside businesses, the IT dept needs to work closely with the HR folks and the physical security professionals. Once this three-legged stool is created, the C-Suite needs to take cyber security seriously. We can’t wait for government to save the day; we all have to join together to make our systems more secure.
Until we get everyone on the same security page, all levels of hacking groups will continue to create havoc.
Let’s do it for 2023.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Bill Schenkelberg compiled this report, with the help of Red Sky Alliance Analysts: Nathan Burnham, JD Thomason and Matt Weidner. We’d additionally like to thank IRWire and InfoSecurity for their prediction input. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://itwire.com/guest-articles/company-news/prevention-of-cyber-threats-is-ultimately-the-best-cure-202212051045.html
[2] https://www.infosecurity-magazine.com/blogs/trends-from-2022-predictions-for/
[3] https://www.fema.gov/emergency-managers/national-preparedness/continuity/toolkit