BACKGROUND:
Mandiant and Microsoft have identified a new wave of intrusion activity from the threat actor behind the SolarWinds supply chain attacks. While at a smaller scale than what we saw late last year, it’s a new shift – they’re using the reseller community to get to their desired targets. We’ve seen downstream victims in North America and Europe thus far, and the intrusion activity is ongoing.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>The reported low success rate of the 22,868 attacks detected actually makes this a bit of good news. However, there is no mention of how the majority of these attacks were actually prevented. Since the means of attack is through password spraying and phishing, we should be able to assume that these organizations have implemented some basic defences such as security training for their employees and requiring multi-factor authentication when users log on.</p>
<p>This only goes to reinforce the need for organizations to remain ever vigilant. And with the holiday season upon us it will be ever more crucial for retail organizations in particular to ensure that their seasonal staff is properly trained and that they adhere to their security standards even through all the craziness that the holiday season will bring to their businesses.</p>
<p><span lang=\"EN-US\">Ransomware has dominated the threat landscape in 2021, and the frequency of attacks is alarming. It\’s</span> become a highly lucrative profit engine for cybercriminals, and any organisation, big or small, can become a target.</p>
<p><span lang=\"EN-US\">With ransomware incidents against UK businesses doubling in the space of a year, now is the time for organisations to ramp up their defences. Over 90% of malware, including ransomware, is delivered via email – so it’s vital that organisations are aware of the threat posed by phishing in facilitating these attacks. By implementing intelligent email technology, organisations can more effectively protect themselves from the threat of ransomware.</span></p>
<div class=\"gmail_attr\" dir=\"ltr\">What Microsoft’s Nobelium report doesn’t include is the smoking gun pointing from Russia to its targets, but that could exist behind the scenes. The company is, however, suggesting that downstream compromises, which effectively leverage trusted software to begin attack runs, are enabled by upstream identity compromise. Should it be true, this would begin to clear the upstream methodology of Nobelium who attacked SolarWinds and Microsoft alike over the last two years. However, there’s not enough in what they have made public to determine likelihood of accuracy in attributing this to Nobelium and Russia.</div>
<div>
<p>Most companies face terrible consequences for themselves and customers if compromised. However, like following a river delta upstream to a source river, the consequences of compromise downstream get worse. This means that those with the privilege of managing or servicing customers downstream have a responsibility that increases exponentially to do things right. Security isn’t just a “differentiator” for them, it’s a necessity. Managing customers is a privilege, not a right, and it can be lost if resellers don’t get this right now. Today, the supply chain is one of the weakest paths to compromise, inadequately defended in most organisations. However, there is always, by definition, a weakest link. Historically, this has taken the form of either human error via things like poor security controls and phishing or vulnerabilities or weaknesses in hardware and software configuration. Attackers develop methodologies to build exploits on weakest links or, more accurately, weakest paths; but simply blocking these avenues wouldn’t solve the problem. The best chance of success for defenders is to deploy a detection strategy and, specifically EDR or XDR technology that can spot the abuse of trusted software as the starting point of an attack.</p>
</div>
<p>Supply chain attacks will certainly continue their surge in 2022. Suppliers are the Achilles’ Heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure. Compared to frontal attacks against the victims, silence attacks against third parties are generally faster, cheaper and less noisy. Moreover, suppliers may also have access to more data than the victims themselves, for example, by storing more data in backups than contractually allowed or expected. Worse, some suppliers fail to detect sophisticated intrusions and the victims are never even notified about the incident.<u></u><u></u></p>
<p>Attribution of supply chain attacks, likewise, remains a highly complex issue, both technically and legally speaking. Cyber gangs actively cooperate with each other, outsourcing some specific tasks to their accomplices in different countries. Few cyber mercenaries will ever conduct research for new 0day vulnerabilities or create novel stealth trojans, for instance. Instead, they will just buy it from numerous groups specialized in the domain, saving time and money. Furthermore, some nation-state actors may hire several hacking groups and creatively split a task between them. Frequently, cyber gangs are purposely hired from countries like Russia or China to mislead the victim and confuse the investigators. Eventual attribution to a specific person, organization or even country is thus overly problematic. International collaboration and further expansion of such treaties as the Budapest Convention are essential to curb transnational cybercrime.</p>
<p dir=\"ltr\">IT supply chain companies must act now to avoid becoming the next SolarWinds. With Nobelium surveying global organisations for weak points, shoring up security infrastructure is absolutely critical. According to Microsoft researchers, the nation-state adversaries are not leveraging specific vulnerabilities at this time but are using old school credential stuffing and phishing as well as API abuse and token theft in order to gather legitimate account credentials. If successful, lateral movement across the compromised organisation’s network would be the next stage, allowing for data theft, reconnaissance, compromise of customer systems and more. </p>
<p dir=\"ltr\">To prevent these attackers from gaining privileged access and wreaking havoc, organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It\’s vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.</p>
<p dir=\"ltr\">Adversaries are also constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use or carefully crafted phishing emails with compromised documents within. </p>
<p dir=\"ltr\"> </p>
<p dir=\"ltr\">Recent attacks and these new attempts reveal that the traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers like Nobelium having a free reign across a network once they are inside.</p>