Cybersecurity Awareness Month is an excellent time to reflect on some of the emerging and key trends from the past year. There’s been no shortage of security headlines for us to reflect on, many of which are detailed on our Talos Threat Intelligence blog. These three key issues particularly catch my eye and deserve our attention.
The supply chain
Prior to 2021, supply chain attacks were widely assumed to be a tool reserved for sophisticated state-sponsored threat actors. The resources and knowledge required to compromise a software vendor and insert malicious code into its products were thought to be beyond the reach of criminal threat actors.
In July 2021, this assumption was smashed. REvil ransomware was distributed by exploiting a previously unidentified vulnerability in the server component of Kaseya VSA, a system monitoring and administration tool. The attackers abused the vulnerability to push their malicious code to the client systems managed by the tool, disguised as a trusted update from the compromised server. Once the fake agent was installed, it wrote a legitimate, signed, but outdated version of a Windows Defender executable to disk and used that executable to load and run the ransomware payload, a DLL side-loading technique. Hence, the disk was encrypted by a trusted, signed application running from a trusted directory, which is exactly the kind of activity that allow-listing by code signature alone does not catch.
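Because the executable that performs the encryption is genuinely signed, a useful detection looks at where a known vendor binary runs from and where it loads its DLLs from, rather than at the signature. The following is an added example, not code from this page or from Kaseya or Talos; it runs over constructed Sysmon-style events. The file names and install directories (MsMpEng.exe, mpsvc.dll, the Windows Defender paths) are assumptions drawn from public reporting of the incident and of Defender's layout, not from this page.

```python
import ntpath

# Hypothetical allow-list for a signed vendor binary: the directories it is
# expected to run from and the DLLs it loads from its own directory. File
# names and paths are assumptions (public reporting, not this page).
CATALOG = {
    "msmpeng.exe": {
        "dirs": [
            r"c:\program files\windows defender",
            r"c:\programdata\microsoft\windows defender\platform",
        ],
        "sideload_dlls": {"mpsvc.dll"},
    },
}


def _norm(path):
    # Lower-case and use backslashes so comparisons are case-insensitive
    # and independent of the OS the detector itself runs on.
    return ntpath.normcase(path)


def _in_expected_dir(path, dirs):
    d = ntpath.dirname(_norm(path))
    return any(d == x or d.startswith(x + "\\") for x in dirs)


def check_event(event):
    """Return alert strings for one Sysmon-style event (EventID 1 = process
    create, 7 = image load). The Signed flag is deliberately ignored: the
    abused executable really is signed, so the signature proves nothing."""
    image = _norm(event["Image"])
    name = ntpath.basename(image)
    entry = CATALOG.get(name)
    if entry is None:
        return []
    alerts = []
    if not _in_expected_dir(image, entry["dirs"]):
        alerts.append(f"{name} running from unexpected directory {ntpath.dirname(image)}")
    if event.get("EventID") == 7:
        loaded = _norm(event["ImageLoaded"])
        dll = ntpath.basename(loaded)
        if dll in entry["sideload_dlls"] and not _in_expected_dir(loaded, entry["dirs"]):
            alerts.append(f"{name} side-loaded {dll} from {ntpath.dirname(loaded)}")
    return alerts


def scan(events):
    """Run check_event over a list of events; return (pid, alert) tuples."""
    return [(e.get("ProcessId"), a) for e in events for a in check_event(e)]


# Constructed sample telemetry: a benign Defender process loading its own
# DLL, then the same signed executable dropped into C:\Windows beside a
# DLL of the same name as the one it expects to load.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "Signed": "true"},
    {"EventID": 7, "ProcessId": 1204, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll", "Signed": "true"},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\MsMpEng.exe", "Signed": "true"},
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\Windows\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\mpsvc.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```

The benign process produces no alerts; the dropped copy produces one alert for running from C:\Windows and another for side-loading mpsvc.dll from there. The same catalog pattern extends to any signed binary known to be abused for side-loading: list its legitimate directories, and treat a load of its companion DLLs from anywhere else as suspicious.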
The impact of the attack was wider than might be first imagined. Kaseya VSA is often used to administer large numbers of systems across a wide variety of organizations. Hitting the servers inside Managed Service Providers meant that one breached server affected many organizations. Bringing many businesses to a halt means more potential ransom payments for the bad guys to collect, and will therefore be a tempting tactic for many other attackers in the future.
In many ways, well-resourced APT actors act as thought leaders for the rest of the threat landscape, showing what an ambitious and effective threat actor can achieve. It is possible that the criminal actors who carried out the Kaseya attack may have had some kind of state support or protection, or they may have achieved the attack entirely through their own efforts. In either case, it is likely that we will be seeing further instances of supply chains being used to distribute malware in the future.
Stealing computing resources for profit
Criminal threat actors are motivated by profit. One of the most successful business models that they have created is that of ransomware, where a system can be brought to a halt by encrypting data and requiring payment to bring the system back to its normal state.
Although lucrative, this model is abrupt: victims notice the compromise very quickly and must resolve it to continue operating. That abruptness is also its weakness for the attacker. The revenue stream depends on continually finding new victims, which takes time and resources, and a victim who has working backups, or for whom the compromise is only a minor inconvenience, may simply re-image the system and pay nothing.
Persistence on a compromised system may offer more opportunity to extract value than the single-shot approach of ransomware. Appropriating resources from compromised systems was a tactic implemented by many of the first botnets. In these attacks, the botnet controller stole resources including network bandwidth through sending spam, or launching denial-of-service attacks from the systems of their infected victims.
In recent years, attackers have turned to cryptominers to steal computing resources from compromised systems. Mining proof-of-work cryptocurrencies requires large amounts of computing power to solve the cryptographic puzzles that earn new tokens, and building and operating legitimate computing facilities to perform those calculations is expensive.
Stealing those resources is far cheaper. Hence, we see cryptomining malware that sits as a background process on compromised systems, consuming CPU time and electricity to earn the bad guys money. Although the profit from a single system is small, attackers can persist on compromised systems for extended periods and control large numbers of them. Because there is no dramatic event to notice, detection usually depends on spotting the miner's connections to its mining pool or sustained, unexplained resource use.
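A miner has to talk to a pool, and most pools use the Stratum protocol: newline-delimited JSON-RPC messages whose method names (mining.subscribe, or the login/submit pair used by Monero miners such as XMRig) are distinctive regardless of which port the connection uses. The following is an added example, not code from this page or from Talos, that scans constructed flow records for those messages; the payloads, addresses and the pool port list are made-up sample data and assumptions.

```python
import json

# Constructed flow records as a proxy or IDS might log them: one JSON
# payload line per connection. Addresses are documentation ranges and the
# wallet string is made up. Sample data only, not from this page.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"44abc...","pass":"x","agent":"XMRig/6.16.4"}}'},
    {"src": "10.0.0.7", "dst": "198.51.100.8", "dport": 443,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
    {"src": "10.0.0.9", "dst": "192.0.2.4", "dport": 443,
     "payload": '{"jsonrpc":"2.0","method":"getBalance","id":7}'},
    {"src": "10.0.0.9", "dst": "192.0.2.5", "dport": 3333,
     "payload": "GET / HTTP/1.1\r\nHost: 192.0.2.5\r\n\r\n"},
]

# Ports commonly used by mining pools (assumption): a weak signal alone.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def classify_payload(payload):
    """Return a reason string if the payload looks like a Stratum mining
    client message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    # Stratum v1 (Bitcoin-style pools): every method is namespaced.
    if isinstance(method, str) and method.startswith("mining."):
        return f"stratum v1 method {method}"
    # XMRig-style login carries the wallet in params.login plus a user agent.
    if method == "login" and isinstance(params, dict) and "login" in params:
        return f"stratum-style login (agent={params.get('agent', 'unknown')})"
    # Share submission: job_id and nonce together are characteristic.
    if method == "submit" and isinstance(params, dict) and {"job_id", "nonce"}.issubset(params):
        return "stratum-style share submission"
    return None


def scan_flows(flows):
    """Return one finding per suspicious flow with a confidence level.
    Payload evidence is high confidence; a pool port alone is low."""
    findings = []
    for f in flows:
        base = {k: f[k] for k in ("src", "dst", "dport")}
        reason = classify_payload(f["payload"])
        if reason:
            findings.append({**base, "confidence": "high", "reason": reason})
        elif f["dport"] in POOL_PORTS:
            findings.append({**base, "confidence": "low",
                             "reason": f"connection to common pool port {f['dport']}"})
    return findings


if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

The second flow is caught on port 443, where a port-based rule would miss it, and the fourth is reported only at low confidence because nothing in its payload is miner-like. Pools that wrap Stratum in TLS hide the payload, which is why the port and destination reputation signals are kept as a fallback rather than dropped.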
The increasing deployment of smart systems and devices in our homes and workplaces effectively means that we are installing many small network-connected computing devices without necessarily considering how we will defend and monitor these devices. One thing is certain: Bad guys will seek to compromise and extract value from these systems, almost certainly by stealing their computing power and network connectivity.
Keep your finger on the pulse
The past two years have seen the long-term trends of increased remote working and the use of cloud-delivered services massively accelerated by the COVID-19 pandemic. With users and the systems they access outside of the traditional office environment, the question of how to authenticate users has become increasingly important.
Usernames and passwords have never been a particularly secure mechanism for verifying users’ identities. Users are prone to disclosing their usernames and passwords in response to the socially engineered cues of phishing attacks. Studies have shown that users will even willingly disclose their password in return for a chocolate treat. The continued use of legacy systems, poor implementation choices, and weak or unsalted password hashing have also allowed attackers to collect vast numbers of username and plaintext password pairs, because a fast, unsalted hash can be reversed in bulk from a wordlist.
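To make the hashing point concrete, here is an added example (not code from this page or from Talos) contrasting an unsalted fast hash, which a single precomputed table cracks for every user at once, with a salted, deliberately slow derivation. It uses PBKDF2 because it ships in Python's standard library; in practice argon2id, scrypt or bcrypt are the preferred choices. The wordlist and the "leaked" table are constructed sample data, not real credentials.

```python
import hashlib
import hmac
import os

# Constructed wordlist an attacker would try; sample data, not a real leak.
WORDLIST = ["password", "letmein", "summer2021", "Welcome1", "qwerty"]


def md5_store(password):
    """The weak scheme: unsalted, fast hash. Identical passwords produce
    identical hashes, so one lookup table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" credential table built with the weak scheme.
LEAKED_TABLE = {
    "alice": md5_store("summer2021"),
    "bob": md5_store("Welcome1"),
    "carol": md5_store("summer2021"),  # same password as alice -> same hash
}


def crack_unsalted(table, wordlist):
    """One hash per candidate word recovers every user with that password;
    returns {username: password} for the users that fell."""
    lookup = {md5_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def pbkdf2_store(password, iterations=200_000):
    """The hardened scheme: random per-user salt plus a slow derivation.
    Returns (salt, digest, iterations), all of which are stored together."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time so the
    response time does not leak how many bytes matched."""
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_TABLE, WORDLIST))
    rec_a, rec_c = pbkdf2_store("summer2021"), pbkdf2_store("summer2021")
    print("same password, different stored hashes:", rec_a[1] != rec_c[1])
    print("verify correct:", pbkdf2_verify("summer2021", rec_a))
    print("verify wrong:", pbkdf2_verify("Summer2021", rec_a))
```

With the weak scheme, five candidate hashes recover all three accounts, and alice and carol fall together because their hashes are identical. With the salted scheme the same password stored twice yields two unrelated records, so an attacker must run the slow derivation separately for every user and every candidate word.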
Using multi-factor authentication offers an additional layer of security. These approaches, including Cisco Duo, require users to authenticate with an additional login method such as responding to an alert on their mobile device. Personal phones are excellent for authenticating users, since users are quick to notice when their phones are not nearby, and these devices are frequently secured by biometrics, such as a fingerprint.
However, biometric recognition relies on a secure “chain of custody.” The device that reads the fingerprint must be secure, the software that interfaces with the fingerprint device must be secure, as must the connection that relays the result to the authenticating system. None of this can be taken for granted.
We have shown that it is possible to 3-D print a fingerprint that will fool fingerprint reading systems with consumer-grade 3-D printing equipment and nothing more than a scan of the user’s fingerprint. This means that any well-resourced threat actor could develop fingerprint cloning techniques to fool biometric recognition.
While biometrics offer an additional avenue of authentication, we should all be cognizant of the fact that the world of biometrics also opens up the possibility for new types of attacks.
As our use of technology and the capabilities of threat actors evolve, so does the landscape of threats that we face. At Talos, we continuously monitor the threat landscape, and our threat intelligence helps power Cisco’s security portfolio. Our incident response analysts are available to resolve cybersecurity incidents when they happen, to share our expertise so that organizations face as few incidents as possible, and to prepare in advance so that incidents are resolved quickly and easily.
Technology and the bad guys’ tactics will keep changing; as such, we must ensure that our security postures remain adequate for the threats that we face.