It doesn’t matter if you’re a large pipeline operator or one of the world’s largest meatpackers, financially motivated attackers don’t really care about the impact to your company. Only about lining their pockets at your expense. This story further showcases that you cannot keep all attackers out of your network. Preventative systems are important however they will fail given either enough effort by the adversary or opportunity via a vulnerability. Instrumenting your systems to quickly detect the compromise can give you the edge to minimize impact. This is done by continuously looking for lateral movement across the enterprise, stopping privilege escalation, and protecting Active Directory. If not, the adversary has the advantage in the enterprise by living off the land (using existing tools and user accounts already in place) and will likely accomplish their goals.

2020 was a tough year in the physical world. As it drew to a close, 2021 was looking pretty bright. Not in the cyber realm though. The SolarWinds supply chain breach was uncovered and rolled into 2021 with breach after breach. The Hafnium Exchange, the Florida water system, Bombardier, Acer, JBS, and now the Fujifilm attack. There are many more publicly announced compromises not in this list and many more likely yet undiscovered.

2021 has seen a significant spike in ransomware attacks. The Verizon Data Breach Investigations Report (DBIR) says that ransomware attacks doubled in 2020 and that doesn’t include the spate of attacks seen this year. It’s clear that attackers are working overtime to compromise systems as quickly as possible to steal data and encrypt systems to hold company systems hostage for payment. How is this happening? There are several reasons.

• Misplaced trust with an over reliance on vendor claims that their product will keep you safe. No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts.
• Complexity in our enterprises continues to increase which increases the level of difficulty in protecting the systems.
• A lack of cyber defenders with the needed skills to understand the environment and detect attacks.      

Adversaries often continue break into systems via simple phishing emails that compromise an initial endpoint. From there, it’s not that difficult for them to masquerade as a legitimate user using the credentials they stole on the infected endpoint. With that users credentials, they do some queries to find targets in the enterprise Active Directory system, steal more credentials with elevated privileges and just rinse and repeat until they have their target acquired internally. Then in the case of Fujifilm and JBS, they can steal corporate data, encrypt systems, and begin the hostage process for a ransom.

To counter these challenges, organizations must understand that they can’t prevent all attacks. This means they must put in place systems that detect lateral movement inside the enterprise, look for privilege escalation, and protect identities and systems such as Active Directory. If not, we’re going to continue to read about these large successful ransomware attacks for the foreseeable future.

The new US Administration took action on Russia today via a White House (WH) Executive Order (EO) punishing them for their nefarious actions in cyberspace and their occupation of Crimea. Sanctions were put in place on specific entities and individuals along with expelling a number of Russian diplomats in Washington DC. One of the more interesting notes from the EO was the specific calling out of the Russian Foreign Intelligence Service as the perpetrator of the SolarWinds supply chain breach with a high confidence level. That level of confidence in attribution from the WH is notable since it hasn’t happened as frequently as the cyber defender community would like to see. In relation to the same EO, the US FBI today also released actions for defenders to take to protect themselves from ongoing Russian activity in cyberspace impacting vulnerabilities in a number of products.

The impact from all the actions taken by the US government? It’s undetermined at this point in time. Although the actions today are badly needed by the US and its allies to hopefully counter Russian aggression, many past efforts, sanctions, and plans, have had little impact. Actions by Russian and Chinese state based actors or their proxies (and other nations) have been taking place for many years and efforts in the past to counter them have stuttered, stalled, or just completely failed. A close-knit global effort is required to have an impact on these government actors and entities to stop their IP theft, meddling in elections, and compromising critical infrastructure.

It’s readily apparent that many nations simply do not have the stomach to stand up to these attacking nations for a number of reasons including their own reliance on them for fossil fuels, technology, and other resources. Unless we are willing to make them an island via isolation, these types of actions will likely continue. The effort from the US government should be applauded for calling them out, however the impact may end up being minimal.