<p>Mandiant Threat Reporting research has recently disclosed that 1 in 7 ransomware extortion attacks leak critical operational technology (OT) information. In 2021, Mandiant Threat Intelligence observed ransomware operators extorting thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, called “Multifaceted Extortion”, impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. In response to these findings, an expert with Gurucul has offered the following perspectives.</p>
<p>The Mandiant report highlights how ransomware isn't a 'one-and-done' attack campaign. While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also knew they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation, and even automate responses with a high level of confidence and low impact is critical in deciding where to invest.</p>
<p>While geopolitical factors may decrease the likelihood of a state-sponsored cyberattack during the 2022 Winter Olympics, it is unlikely to reduce the number of consumer-directed cyberattacks from digital third parties. In fact, we are gearing up for a record-breaking number: Olympics season always brings a spike in malicious advertising, phishing attacks and corrupted links. Cyber actors take advantage of increased online engagement by targeting channels that consumers use to stay abreast of news and results, leading to identity theft, financial fraud, and more.</p>
<p>During these periods, media and news outlets must prepare themselves for the inevitable onslaught if they wish to protect their visitors and reputation. Digital trust and safety are more important than they have ever been, and complacency is a recipe for disaster.</p>
<p>The IT/OT barrier is more a logical separation than an actual one. Attacks typically start on the IT side and propagate into OT because of improper network segmentation and privilege limitations. In light of this report, focusing on the IT/OT boundary and protecting access to the OT networks is critical because defending against a threat once inside the OT network is much harder. Attackers can not only use IT network compromise to laterally move to OT but can now obtain detailed information and diagrams so they can plan their attack into the OT side.</p>
<p>Additionally, Bleeping Computer today reported <a href="https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUcfM7ygZdlhLwgiUDjXv2UxBw6FbR7fTMD-2Be64u1UsS35x5F0tplq59KuzxyF3At-2BKGfcR26AWONO2T-2FlqF9UBeSHYEM1jN1qeRK5YE0HZ0uVU-2F8qseZ8r14gM3rtYnBx-2B-2BgVTP-2BKq7Fzo36V2FKt8g-3D-0ZZ_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2BxhZyhxZBSuwUNPCBL6GvaBRbvD7Sxhs4COhHvF0zbzWdUqWttvgpn1rCpFIMaNowZJM-2FDI0ut-2FSZgeg9Rdu914-2FaC7kM1FqSAfibvjun7CZ1ahSfNzxH3754gj67sEGmwwj1UME05Z1Ca58kIRcTxZ8PQb1FKEdJD2NoadKIAPivDr7UBVMglL1S3QRe61GkoXB1yKTxUJoQCK-2Fksf9reAgdGgOh4Ozbei7ylRvd2pTx-2F" target="_blank" rel="noopener">German petrol supply firm Oiltanking paralyzed by cyber attack</a>. Oiltanking is the main distributor who supplies Shell gas stations in Germany.</p>
<p>The use of cyberattacks for achieving nation-state or criminal gang aims continues to increase. This is reminiscent of the Colonial Pipeline attack, where cyberattacks on critical infrastructure companies, even if on the IT side, can lead to issues in critical infrastructure. Attackers do not always have to infiltrate OT systems; bringing down the IT side of the house can cause enough disruption to achieve their end goals – whether that is a ransom payment or a geopolitical one.</p>
<p>Finally, researchers with Immersive Labs have <a href="https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc82GOVLXfpy3cA3HsnSOEzFW1I7hXDG-2FaZI6cHX8OdeYOEZTB6c4so-2BPgMMRyxz0y0f0dERgv4YFZqq5ZEsTExRDKyWT6-2FGZ9RYxBQzrVXb3FerEDhuIWIP3ZK9cz928aKUXJuzR3MDDjfOoqidiD8-3DHxp7_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2BxhZyhxZBSuwUNPCBL6GvaBRbvD7Sxhs4COhHvF0zbzWdUqWttvgpn1rCpFIMaNowZJM-2FDI0ut-2FSZgeg9Rdu914-2FaiLVOnHESrKPMwnVGC7BcA7k5HSt3lZfBkaK5nsUVsgul91KvXJ9GVHqrtXomXXnxZ5ZY-2B-2BgC-2FqfY10eB5ad4A04ZaxIVwA0ZkvU3VXZ7hND4bR-2FlvL-2FhKrO2KOrk7FapS1lpVh-2FAHHdq2CnDq7Ilu" target="_blank" rel="noopener">disclosed</a> a vulnerability in SureMDM, a popular mobile device platform, which could lead to compromises on every device running the platform within the targeted enterprise. The issue included a lack of default authentication between the agent running on the host and the server, where attackers could potentially register fake devices and intercept job requests containing sensitive data.</p>
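<p>The weakness described above, an agent-to-server channel with no default authentication, is easiest to see in miniature. The following Python is an added illustration written for this page, not SureMDM code or anything published by Immersive Labs; the server classes, the enrollment key, the device identifiers and the job payloads are all constructed. It places an unauthenticated enrollment endpoint beside a hardened one that requires an out-of-band enrollment token, issues a per-device key, and checks a MAC and a fresh nonce on every job fetch, so that an unprovisioned party claiming an existing device identity is refused both at registration and at job retrieval.</p>

```python
"""Hypothetical MDM-style agent enrollment: an unauthenticated server beside a
hardened one. Constructed for illustration; not SureMDM's code or protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Secret provisioned to legitimate devices out of band (constructed demo value;
# a real deployment would use per-device or short-lived enrollment secrets).
ENROLLMENT_KEY = b"constructed-demo-enrollment-key"


def enrollment_token(device_id: str, key: bytes = ENROLLMENT_KEY) -> str:
    """Token a legitimately provisioned device presents when it enrolls."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


def request_mac(device_key: bytes, device_id: str, nonce: str) -> str:
    """Per-request MAC proving the caller holds the key issued at enrollment."""
    msg = f"{device_id}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


@dataclass
class WeakServer:
    """Accepts any registration and hands out jobs on the device_id alone."""
    jobs: Dict[str, List[str]] = field(default_factory=dict)
    devices: Set[str] = field(default_factory=set)

    def enroll(self, device_id: str) -> bool:
        self.devices.add(device_id)  # no proof that the caller was provisioned
        return True

    def fetch_jobs(self, device_id: str) -> Optional[List[str]]:
        if device_id not in self.devices:
            return None
        return self.jobs.get(device_id, [])


@dataclass
class HardenedServer:
    """Requires an enrollment token, then a per-device key on every request."""
    jobs: Dict[str, List[str]] = field(default_factory=dict)
    device_keys: Dict[str, bytes] = field(default_factory=dict)
    seen_nonces: Set[Tuple[str, str]] = field(default_factory=set)

    def enroll(self, device_id: str, token: str) -> Optional[bytes]:
        # Constant-time comparison against the token a provisioned device would hold.
        if not hmac.compare_digest(enrollment_token(device_id), token):
            return None  # no proof of provisioning: reject the registration
        if device_id in self.device_keys:
            return None  # an enrolled identity cannot be re-registered by a newcomer
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def fetch_jobs(self, device_id: str, nonce: str, mac: str) -> Optional[List[str]]:
        key = self.device_keys.get(device_id)
        if key is None:
            return None  # unknown device
        if (device_id, nonce) in self.seen_nonces:
            return None  # replayed request
        if not hmac.compare_digest(request_mac(key, device_id, nonce), mac):
            return None  # caller does not hold this device's key
        self.seen_nonces.add((device_id, nonce))
        return self.jobs.get(device_id, [])


def demo() -> dict:
    """Run both servers against the same fake-device registration attempt."""
    job = "push wifi profile (contains PSK)"  # constructed sensitive job payload
    weak = WeakServer(jobs={"dev-1": [job]})
    hard = HardenedServer(jobs={"dev-1": [job]})

    # Legitimate device: enrolls with its provisioned token, then fetches jobs.
    key = hard.enroll("dev-1", enrollment_token("dev-1"))
    legit = hard.fetch_jobs("dev-1", "n1", request_mac(key, "dev-1", "n1"))

    # Unprovisioned party claiming the dev-1 identity without the secret.
    weak.enroll("dev-1")
    weak_leak = weak.fetch_jobs("dev-1")          # weak server hands over the job
    forged = hard.enroll("dev-1", "0" * 64)       # hardened server refuses
    replay = hard.fetch_jobs("dev-1", "n1", request_mac(key, "dev-1", "n1"))

    return {
        "weak_leaks_job": weak_leak,
        "hard_rejects_enroll": forged is None,
        "legit_jobs": legit,
        "replay_rejected": replay is None,
    }


if __name__ == "__main__":
    print(demo())
```

<p>The point of the side-by-side is the check, not the attack: registration must be gated on something only a provisioned device holds, and every later exchange must be bound to a key issued at that registration, otherwise the device identifier alone becomes the credential.</p>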