2021 predictions - X-Industry - Red Sky Alliance2024-03-29T01:56:29Zhttps://redskyalliance.org/xindustry/feed/tag/2021+predictionsTrickbot Wishes Happy New Year’s to Allhttps://redskyalliance.org/xindustry/trickbot-wishes-happy-new-year-s-to-all2021-01-07T13:35:02.000Z2021-01-07T13:35:02.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8399725677,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8399725677,RESIZE_400x{{/staticFileLink}}" width="250" alt="8399725677?profile=RESIZE_400x" /></a>In October 2020, researchers at US security company AdvIntel discovered that one of the Internet’s most troublesome malware platforms, Trickbot, had started testing something rather threatening: probing the UEFI firmware of targeted PCs to see whether it was affected by known firmware vulnerabilities. This was only reconnaissance: Trickbot was not writing to the SPI flash chip on which UEFI firmware resides. The discovery is nonetheless significant.</p>
<p>UEFI (Unified Extensible Firmware Interface) is the low-level software that has managed the boot process on personal computers, including Windows PCs and Macs, since the old-style BIOS started disappearing ten years ago. Anything capable of compromising a computer at this layer would be powerful in fundamental ways, including being invisible to all mainstream security software. After investigating the discovery with research partner Eclypsium, the companies recently published an analysis of what they nicknamed TrickBoot, which suggests the motive might be a new and imminent type of ransomware attack.</p>
<p>Today, ransomware is feared for encrypting data in return for a ransom, for threatening to release data in return for a ransom (double extortion), or for an unholy mixture of the two. It has also been known to carry out destructive attacks by overwriting hard drives, an approach tried in 2017 by NotPetya variants against Windows machines. This has never caught on with commercial malware, mainly because it achieves little in a ransom context: defenders simply replace or reinstate the drives.</p>
<p>Malware able to write to or erase UEFI firmware would be a game-changer. Getting affected PCs back up and running would require engineers to visit every machine and would probably entail replacing the whole motherboard. Unleashed against possibly thousands of machines, or even a few important ones, such a tactic could quickly bring most organizations to a standstill. Even sanitizing machines with any certainty would be a huge task.</p>
<p><strong>P0wn goals</strong></p>
<p>The possibility of targeting the UEFI layer has been common knowledge since Kaspersky Lab discovered serious flaws in the design of the legitimate Computrace/LoJack for Laptops ‘good rootkit’ tracing product in 2014. There was no new word until 2018, when Arbor Networks chanced upon trojanized versions of the LoJack agent, later called LoJax. Less than three months later, Slovakian security company ESET turned up the first example of this being used to write to UEFI SPI chips in a real attack, delivered as a fake update during a targeted intrusion. This was attributed to the Russian threat group APT28 (STRONTIUM, Sofacy and Fancy Bear), coincidentally a cousin of the APT29 group blamed for the recent SolarWinds compromise of US Government agencies.</p>
<p>In October 2020, a second UEFI compromise, MosaicRegressor (which reuses Hacking Team’s old VectorEDK UEFI code), was discovered by Kaspersky Lab, this time attributed to China or North Korea. As with the ESET discovery, this was highly targeted and had been in use for months or even years without being detected, as part of nation-state espionage operations.</p>
<p>Despite only carrying out reconnaissance, the Trickbot UEFI module documented by AdvIntel and Eclypsium is arguably more serious than any of these, because it shows that the same idea has now migrated to mass-market malware.<a href="#_ftn1">[1]</a></p>
<p>Trickbot was designed as a jack of all trades, ready to adopt any capability that adds to its business model. UEFI is simply a new and lucrative way to achieve that goal. Currently, few analysts look at the firmware level during post-incident forensics, which highlights how invisible this kind of attack would be to victims unaware of their exposure. For cybercriminals, it is as if they have discovered the perfect backdoor, one that cannot easily be closed or patched.</p>
<p>As chance would have it, the discovery of this new Trickbot capability coincided with the huge October takedown of much of its infrastructure by Microsoft, so it is possible the crime group behind it has had other things on its mind than hammering companies with UEFI-wiping malware. Still, it seems highly unlikely this spells the end of Trickbot, and even if it did, other groups would surely take up where its coders left off.</p>
<p>Some manufacturers ship UEFI with baked-in security, yet many others do not. Even secure updating and authentication checks are not standard, which will one day seem like an incredible oversight. Simply assessing the level of exposure across a billion PCs will be a challenge, let alone working out mitigations or defenses. The irony is that Trickbot’s ability to assess UEFI firmware vulnerability is currently better than that of any of the victims it might target.</p>
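<p>The check a defender can actually run on a fleet is whether the platform’s SPI flash write protections are engaged. The following is an added example, not code from the article, AdvIntel or Eclypsium: it decodes the Intel PCH BIOS_CNTL register bits (BIOSWE, BLE, SMM_BWP), the FLOCKDN bit of the SPI HSFS register and the SPI Protected Range (PRx) registers, and classifies the configuration the way open-source firmware auditing tools such as CHIPSEC do. Reading those registers from real hardware requires a root-privileged tool; the register values here are constructed so the logic runs offline, and the constant names are this example’s own.</p>

```python
"""
Classifying SPI flash (UEFI firmware storage) write protection from
constructed register values. Added example, not from the article.
"""

# BIOS_CNTL bits (Intel PCH); names follow the datasheet, constants are ours
BIOSWE = 1 << 0    # BIOS Write Enable: BIOS region is writable while set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only from SMM
# HSFS (Hardware Sequencing Flash Status) bit
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PRx registers frozen until reset
# PRx (Protected Range) bit
PR_WPE = 1 << 31   # Write Protection Enable for the range


def decode_bios_cntl(value):
    """Return the three protection-relevant BIOS_CNTL bits as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Decode a PRx register: base and limit are 4 KiB page numbers in bits 12:0 and 28:16."""
    return {
        "base": (value & 0x1FFF) << 12,
        "limit": (((value >> 16) & 0x1FFF) << 12) | 0xFFF,
        "write_protected": bool(value & PR_WPE),
    }


def assess_spi_protection(bios_cntl, hsfs, prs=()):
    """
    Classify flash write protection as 'protected', 'weak' or 'unprotected'
    and list the findings behind the verdict.

    Simplification: any PRx with WPE set is treated as covering the BIOS
    region; a full audit compares the range against the flash descriptor.
    """
    bits = decode_bios_cntl(bios_cntl)
    locked = bool(hsfs & FLOCKDN)
    protected_ranges = [decode_pr(p) for p in prs if decode_pr(p)["write_protected"]]
    findings = []

    if bits["BIOSWE"]:
        findings.append("BIOSWE set: BIOS region is currently writable")
    if not bits["BLE"]:
        findings.append("BLE clear: software can enable BIOS writes with no SMM check")
    elif not bits["SMM_BWP"]:
        findings.append("SMM_BWP clear: BLE alone is a weaker form of protection")
    if not locked:
        findings.append("FLOCKDN clear: protected ranges can be reconfigured at runtime")
    if not protected_ranges:
        findings.append("no write-protected SPI range (PRx with WPE) configured")

    cntl_ok = bits["BLE"] and bits["SMM_BWP"] and not bits["BIOSWE"]
    pr_ok = locked and bool(protected_ranges)
    if cntl_ok or pr_ok:
        status = "protected"
    elif bits["BLE"] and not bits["BIOSWE"]:
        status = "weak"
    else:
        status = "unprotected"
    return {"status": status, "bits": bits, "flockdn": locked,
            "protected_ranges": protected_ranges, "findings": findings}


if __name__ == "__main__":
    # Constructed register values for three hypothetical machines
    samples = {
        "locked-down desktop": (0x22, 0x8000, (0x8FFF0800,)),
        "BLE only, no lock-down": (0x02, 0x0000, ()),
        "writes enabled": (0x01, 0x0000, ()),
    }
    for name, (cntl, hsfs, prs) in samples.items():
        result = assess_spi_protection(cntl, hsfs, prs)
        print(f"{name}: {result['status']}")
        for finding in result["findings"]:
            print("  -", finding)
```

<p>A machine that lands in the ‘weak’ or ‘unprotected’ bucket is one where firmware-level tampering would need no hardware assistance; those are the hosts to prioritize for a vendor firmware update that enables the locks.</p>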
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities such as Trickbot for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing supply-chain data from the transportation sector. For many years we have believed the supply chain is the Achilles’ heel of the overall cyber network.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:<br /> <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.forbes.com/sites/johndunn/2020/12/18/ransomwares-next-nasty-surprise-pay-up-or-well-brick-your-pcs-uefi-firmware/?sh=1e97b8bd28b1">https://www.forbes.com/sites/johndunn/2020/12/18/ransomwares-next-nasty-surprise-pay-up-or-well-brick-your-pcs-uefi-firmware/?sh=1e97b8bd28b1</a></p></div>2021 Cyber Security Predictionshttps://redskyalliance.org/xindustry/2021-cyber-security-predictions2021-01-05T20:18:57.000Z2021-01-05T20:18:57.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8390510860,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8390510860,RESIZE_400x{{/staticFileLink}}" width="250" alt="8390510860?profile=RESIZE_400x" /></a>Our Red Sky Alliance research predictions for 2021 are not necessarily in any order of importance yet presented as what we believe are the most important.</p>
<p><strong>Ransomware…Ransomware… Ransomware</strong></p>
<p>2020 saw a dramatic rise in ransomware activity. While it is difficult to predict specifically what ransomware authors will do next, they can be expected to continue doing what has worked well for them in the past, as long as it remains profitable. Ransomware ‘payment’ amounts rose 217% in 2020, from an average of $84,000 to $234,000. This has been largely due to attackers focusing on large organizations with deep pockets that can afford higher ransom amounts. The use of cyber extortion insurance policies also gives victim organizations the ability to pay higher ransoms. However, this does not mean small organizations are not being targeted. We expect ransoms to continue to rise as long as victims keep paying.<a href="#_ftn1">[1]</a></p>
<p>Ransomware operators will continue to evolve their tools and techniques to remain stealthy and blend in with the victim’s IT infrastructure. Increasingly, ransomware is deployed manually after an initial intrusion, to increase its effectiveness and to remain undetected until the last minute. Operators are also increasing the speed of their tools so that the encryption of victim data can complete before defenders have a chance to respond. As their capabilities evolve, they will eventually approach the level of nation-state actors.</p>
<p>In addition to simply encrypting data and demanding a ransom for the decryption tool, attackers have exfiltrated data and threatened to sell it on the black market. In fact, several ransomware variants have dedicated data marketplaces for this. This tactic is very effective, and we expect it to continue into 2021.</p>
<p><strong>Ransomware as a business</strong></p>
<p>Cyber criminals are becoming very sophisticated and are using business analysis techniques to target victim companies. They research a company’s open-source business statistics and calculate an appropriate ransom. It used to be: target a company, infect the network with ransomware, then throw out various amounts as a ransom demand. Now they use business data to pick a ransom amount that may be just enough to make decision makers pay and get back to operations.<a href="#_ftn2">[2]</a></p>
<p><strong>RDP Vulnerabilities</strong></p>
<p>2020 also saw an increase in remote work due to the pandemic, and attacks on Remote Desktop Protocol (RDP) deployments increased with it. Over the past several years, RDP has been exploited by attackers both to gain an initial foothold and to move laterally through an organization’s IT infrastructure. Internet-facing Windows machines running the RDP service will be relentlessly subjected to brute-force attacks that attempt to guess login credentials.</p>
<p>Once compromised, an attacker could use the machine for many different types of attack, including data theft, lateral movement, crypto-mining, botnet malware, sending spam email and, of course, ransomware.</p>
<p>Internet-facing RDP servers are very easy to find using tools such as Shodan, ZoomEye and Censys. Additionally, login credentials for compromised RDP servers are plentiful and cheaply available on dark web marketplaces. We expect RDP to remain an important attack vector to protect.</p>
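<p>The credential-guessing pattern described above is one a defender can surface from the Windows Security log. The following is an added example, not the article’s own material: it parses constructed records shaped like Windows Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, the type RDP sessions produce), flags any source address that accumulates many failures inside a short window, and notes whether a later RDP logon from that address succeeded, which is the case that most needs a human to look at it. The log lines, addresses and user names are invented; the record format is a simplified text rendering of the event fields, not a real EVTX export.</p>

```python
"""
Flagging RDP password-guessing from Windows Security log records.
Added example, not code from the article; sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names follow the 4624/4625 event schema;
# timestamps, addresses and account names are invented.
SAMPLE_EVENTS = [
    "2021-01-05T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23",
    "2021-01-05T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23",
    "2021-01-05T02:14:06 EventID=4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.23",
    "2021-01-05T02:15:10 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.9",
    "2021-01-05T02:15:22 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=198.51.100.23",
    "2021-01-05T02:16:40 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23",
    "2021-01-05T02:17:05 EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1",
    "2021-01-05T02:18:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23",
    "2021-01-05T02:19:12 EventID=4624 LogonType=10 TargetUserName=ops IpAddress=192.0.2.77",
    "2021-01-05T02:19:44 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23",
    "2021-01-05T02:20:02 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23",
    "2021-01-05T02:21:00 EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.9",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' record into a dict with typed fields."""
    timestamp, *fields = line.split()
    record = {"time": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    record["EventID"] = int(record["EventID"])
    record["LogonType"] = int(record["LogonType"])
    return record


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """
    Return {ip: alert} for every source address with at least `threshold`
    failed RDP logons inside a sliding `window`, recording whether a later
    RDP logon from that address succeeded and which accounts were tried.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda r: r["time"])
    recent_failures = defaultdict(list)   # ip -> failure times still inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = {}

    for ev in events:
        if ev["LogonType"] != 10:         # only RemoteInteractive (RDP) logons
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            total_failures[ip] += 1
            users_tried[ip].add(ev["TargetUserName"])
            recent = [t for t in recent_failures[ip] if ev["time"] - t <= window]
            recent.append(ev["time"])
            recent_failures[ip] = recent
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_failure": recent[0],
                    "alerted_at": ev["time"],
                    "succeeded": False,
                    "success_user": None,
                }
        elif ev["EventID"] == 4624 and ip in alerts:
            # a success after the burst: the guessing most likely worked
            alerts[ip]["succeeded"] = True
            alerts[ip]["success_user"] = ev["TargetUserName"]

    for ip, alert in alerts.items():
        alert["failures"] = total_failures[ip]
        alert["users_tried"] = sorted(users_tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        outcome = f"succeeded as {alert['success_user']}" if alert["succeeded"] else "no success seen"
        print(f"{ip}: {alert['failures']} failed RDP logons, alert at "
              f"{alert['alerted_at']:%H:%M:%S}, accounts {alert['users_tried']}, {outcome}")
```

<p>On the constructed data only 198.51.100.23 crosses the threshold; the two failures from 203.0.113.9 and the console failure with LogonType 2 are left alone. The success-after-burst flag is what turns a noisy ‘someone is scanning us’ alert into an incident, and it is a direct argument for not exposing RDP to the Internet at all, or putting it behind a VPN or gateway with multi-factor authentication.</p>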
<p>VPN usage also increased as employees moved to remote work in 2020. The US DHS CISA released several alerts throughout 2020 warning that attackers were actively exploiting VPN devices. The most distressing aspect of these cases was the age of the vulnerabilities being exploited: some had been public knowledge since mid-2019, showing a lack of patch deployment. In November 2020, an individual publicly posted a list of nearly 50,000 VPNs vulnerable to one single vulnerability, CVE-2018-13379. Once compromised, an attacker would be able to perform the same types of attacks as from a compromised RDP server.</p>
<p><strong>Cyber to Physical Ransomware</strong></p>
<p>In September 2020, threat actors attacked the University Hospital system in Dusseldorf, Germany, with ransomware. After the attack affected more than 30 servers at the facility, the hospital was forced to turn away emergency patients. According to German authorities, this directly resulted in the death of a woman whose care was delayed because she had to be transferred to another facility 20 miles away. The death places the cyber crime in an entirely different and more serious criminal statute category.</p>
<p>Ransomware actors have shown their capabilities of targeting critical infrastructure such as 911 systems, which has had severe consequences both socially and financially. Red Sky Alliance believes this will not slow down in 2021, but will actually increase as attackers understand the willingness of government agencies to pay ransoms.</p>
<p>As Ransomware-as-a-Service (RaaS) platforms expand, even low-skill attackers are able to earn a profit by targeting emergency services and vulnerable cities. Municipalities across the US, in states such as Florida, Maryland and California, have been taken offline because they are often ill-prepared and have lower budgets for security operations. The consequences of these attacks have gone from financial loss to the loss of emergency services, which could potentially result in the loss of human life.</p>
<p>The fact that so many companies have paid ransomware actors so much money during previous attacks means that these attackers now have better resources to attack their targets.</p>
<p>Until these attackers are arrested, prosecuted and severely punished, they will grow more emboldened and take down bigger targets, likely resulting in the injury, if not death, of multiple victims. Since many of the actors are protected by hostile foreign governments, prosecution is very unlikely.</p>
<p><strong>Dark Clouds are Forming</strong></p>
<p>In May 2020, threat actors broke into Blackbaud, a provider of software and cloud hosting solutions, and attempted to encrypt files on the company’s network in a ransomware attack. While the company was able to expel the attackers from its systems, they managed to steal some confidential data before being removed. Blackbaud stated that although the files were not encrypted, it paid the ransom to avoid the disclosure of some of the stolen data. With the increase in data extortion, that is, threatening to release sensitive data if a ransom is not paid, analysts suspect that the Cloud will become a much bigger target for ransomware attacks.</p>
<p>The increase in companies using cloud technology does not automatically mean an increase in cloud system administrators. This means that many IT teams are learning how to use the Cloud, but not necessarily learning how to keep that data secure. Red Sky Alliance has recently begun monitoring for misconfigured cloud servers, as well as malware that could specifically affect Cloud technology. Even so, analysts believe that 2021 will see a large spike in attackers targeting Cloud technologies such as Amazon Web Services and Microsoft Azure. Traditional attacks on the Cloud, such as crypto-mining and leveraging the Cloud for DDoS attacks, are unlikely to decrease in 2021.</p>
<p>If attackers do target the Cloud more successfully in 2021, companies should expect to see the shift from ransoming encrypted files, to ransoming the release of stolen data. As many companies discovered over 2020, the Cloud can help companies significantly but can also provide a major attack surface for attackers looking to steal private data and make a profit. According to Aqua Security's 2020 Cloud Native Threat Report, attacks against cloud systems exploded at the start of 2020 when the company recorded a 250% jump in attacks from the previous year. Red Sky analysts expect to see another increase over 2021. </p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing underground data stolen from many of the critical infrastructure sectors across the Globe.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate">https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report">https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report</a></p>
</div>