Following the news that:
Coca Cola Investigates Potential Data Breach
Coca Cola is investigating reports of data breach after claim Stormous ransomware group stole data | Daily Mail Online
Security experts commented below.
Security researchers will take some time to sort out whether Stormous is actually a Russian entity, or a group using fake claims and the Russian invasion of Ukraine to help hide its real origins. One thing is certain – ransomware attacks, especially those that use the threat of leaked data, rather than just a payment for encryption keys, will continue to rise. Why? Because it works.
The news about the possible Coca-Cola data breach is certainly worrying. While most will be focusing on the leakage of Coca-Cola’s data, perhaps more concerning is the speed at which the Stormous ransomware group operated during the cyberattack.
The ransomware group put out a poll only last week asking their followers to vote on who should be their next victim, and the gang claimed it took only a few days to breach the company. Threat actors now deploy low-dwell time malware which aims to cause as much damage as possible in the shortest amount of time.
High-speed attacks are becoming increasingly common, yet too many organisations are overly focused on Machine Learning and traditional Endpoint Detection and Response (EDR) technologies as their solution to preventing cyber attacks. However, these solutions detect malicious activity once it has already executed on the network, which leaves the infrastructure exposed during this dwell time. With the speed at which attacks are happening at the moment, as shown in the apparent Coca-Cola attack, these solutions are evidently not enough, and they are in fact compounding a problem that can be easily mitigated.
Technologies such as deep learning, a subset of AI, are able to stop malware before it can encrypt data. Deep learning delivers a sub-20 millisecond response time, stopping a cyberattack before it can execute and take hold of an organisation’s network. With solutions such as deep learning, organisations will “taste the feeling” of knowing that they are fully protected and can stop cyberattacks before data is stolen.
The concept of ransomware is very different to early iterations of the vector. This particular attack demonstrates that data exfiltration in certain cases can be just as damaging, if not more, where confidentiality is of higher importance than availability. Further, the wider consequences of allowing supporters the opportunity to vote on who to attack next displays a brazen disregard for potential law enforcement consequences. Organisations of all sizes should be mindful of all known TTPs associated with this and other groups and incorporate proactive measures in an attempt to reduce the risk of being hit next.
On the surface, the removal of the dockershim component in the latest version of Kubernetes seems like a big deal. In reality, it likely won’t impact 99% of Kubernetes users. Docker was initially added when Kubernetes needed container runtime. As K8s has matured, it has become more flexible, pluggable and opinionated, offering multiple interfaces including Container Network Interface (CNI), Container Runtime Interface (CRI), and Container Storage Interface (CSI). CRI has been proven over time in some of the most demanding deployments, meaning the dockershim component was no longer necessary. This is good news for both Kubernetes and Docker, as Docker is about much more than just container runtime. Kubernetes continues to evolve with more innovation and flexibility, making it the platform of choice for developers building cloud native applications.
Ransomware has seen quite a resurgence this year. Threat actors are using their ability to use social engineering and other forms of trickery to gain access to corporate systems, launch debilitating ransomware software and watch the target squirm. It seems that the majority of ransomware attacks are targeting one of three industries: banking, utilities and retail, but all industries are currently really at risk from attacks.
What is the solution? Enterprises, big or small, need to prepare for this eventuality with robust recovery capabilities (tools and processes) combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data. And that’s what ransomware is all about—blackmail.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.