Threat intel report Q3 2020

Agenda

Q3 2020

Introduction

Top 5 Attack Trends

Ransomware Trends and Statistics

Attack Examples

Introduction

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

Provide field-tested products with a seamless end-to-end user experience

Technical expertise recognized worldwide and rewarded with numerous prestigious prizes

The features we are proud of

Cutting-edge security technology

Harden, protect, respond
All your practices extended to your most viral IT asset: AD

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins who are new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

A comprehensive approach

Anticipate

  • Bring vulnerabilities and weaknesses to light
  • Prioritize remediations with threat scores and cost estimates
  • Harden your directory infrastructure with our step-by-step guides

AD admins, Blue Teams, & Auditors

Detect Attacks

  • Detect attacks in true real-time with our AD-specific threat intelligence
  • Make AD an integral part of your security practice with SIEM & SOAR integrations
  • Enable your Threat Hunters with AD-native investigation capabilities

SOC Analysts & Threat Hunters

Respond To Breaches

  • Replay attacks and hunt for patient zero
  • Remediate at machine-speed through our orchestration playbooks
  • Detect persistence mechanisms and kick them out for good

Incident Responders

TOP 5 attack trends

Main Five Trends

1

Ransomware as a Service (RaaS)

2

Attackers Getting Sloppy and Caught

3

Maze Ransomware Cartel Grows

4

Ransomware Causing Actual Deaths

5

Ransomware Negotiators

Ransomware as a Service (RaaS)

  • A subscription-based criminal business model that lets even a novice cybercriminal launch ransomware attacks without much difficulty
  • Commonly used by cybercriminals who lack the technical knowledge to build their own ransomware: anyone can become an “affiliate” of an established RaaS package or service
  • The model is enticing enough that RaaS providers openly advertise their offerings on the dark web
  • A number of RaaS operations exist in different forms and under different names on the dark web, including Cerber, Satan, Atom, Hostman, and Philadelphia

Attackers Getting Sloppy and Caught

  • Kathryn Nguyen, together with an associate, hacked a 56-year-old victim’s cryptocurrency account, transferred the XRP to a Chinese crypto exchange, traded it into Bitcoin, then spread the coins across multiple wallet addresses… sentenced to 2 years and 3 months in prison
  • Tyler C. King, convicted of creating unauthorized admin accounts and granting them access to proprietary company information, real-time access to executives’ email, personal files, and financial records… sentenced to 57 months in prison
  • Andrew Miller, pleaded guilty to one count of conspiracy and two counts of computer fraud for actions committed between 2008 and 2011, when he was part of the Underground Intelligence Agency hacking group… sentenced to 18 months in prison
  • Joseph Sullivan, Uber’s former chief security officer, has been charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers… charged with obstruction of justice and misprision of a felony

Maze Ransomware Cartel Grows

  • June 2020: ransomware gangs teamed up to extort victims through a shared platform and to share tactics and intel
  • August 2020: SunCrypt also joined the Maze cartel, joining forces with the others to go after big companies
  • Today the Maze cartel includes at a minimum LockBit, Ragnar Locker, and now SunCrypt
  • Before joining the cartel, SunCrypt had little communication or interaction with Maze; now the two groups have a two-way communication channel
  • SunCrypt joined the cartel to help with volume, stating: “They just can’t handle all the available field of operations. Our main specialization is ransomware attacks”
  • Like any cartel, the goal is money and control. SunCrypt clearly stated that they “share revenue from the successful operation”
  • The IP address 91.218.114[.]31 (a single host, not a range) has been tied to both Maze and SunCrypt
  • Interestingly, Maze has on many occasions denied being related to SunCrypt in any way
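A practical follow-up to the shared indicator above: the address 91.218.114[.]31 is published defanged, so it has to be refanged before it can be matched against proxy or firewall logs, and a plain substring search for it would also light up on unrelated strings such as 191.218.114.31 or a malformed 91.218.114.310. The script below is an added example written for this report, not code from the original slides or from Alsid; the only real indicator in it is the address the report cites, and every log line is constructed for illustration.

```python
"""Refang a defanged threat-intel IP indicator and hunt for it in log lines.

Added example for this report, not code from the original slides.  The only
real indicator here is 91.218.114[.]31, which the report ties to both Maze
and SunCrypt; every log line below is constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Defanging conventions commonly used in published reports: "[.]", "(.)", "{.}", "hxxp".
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
# A dotted quad that is not glued to surrounding digits or dots, so that
# "191.218.114.31" and "91.218.114.310" are seen whole instead of as our IOC.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(indicator: str) -> str:
    """'91.218.114[.]31' -> '91.218.114.31'; a leading 'hxxp' -> 'http'."""
    s = _DEFANGED_DOT.sub(".", indicator.strip())
    return re.sub(r"(?i)^hxxp", "http", s)


def naive_hits(log_lines: Iterable[str], indicator: str) -> List[int]:
    """Plain substring search: quick, but over-matches on longer addresses."""
    needle = refang(indicator)
    return [n for n, line in enumerate(log_lines, 1) if needle in line]


def hunt(log_lines: Iterable[str], indicators: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched address, line) for every line containing
    one of the indicators as a whole, syntactically valid IPv4 address."""
    wanted = set()
    for ind in indicators:
        try:
            wanted.add(str(ipaddress.ip_address(refang(ind))))
        except ValueError:
            continue  # domain, hash or other non-IP indicator: not handled here
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _IPV4.finditer(line):
            try:
                addr = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # e.g. an octet above 255: not an address at all
            if addr in wanted:
                hits.append((n, addr, line))
                break
    return hits


# Constructed sample log lines (not from any real environment).  Line 2 carries
# a different address that merely ends in the IOC, and line 3 is deliberately
# malformed (octet 310) to show where substring matching goes wrong.
SAMPLE_LOGS = [
    "2020-09-02T10:14:07Z fw allow src=10.20.3.45 dst=91.218.114.31 dport=443 proto=tcp",
    "2020-09-02T10:14:09Z proxy GET http://191.218.114.31/update.bin status=200",
    "2020-09-02T10:15:00Z fw deny src=10.20.3.45 dst=91.218.114.310 dport=80",
    "2020-09-02T10:16:41Z dns query example-partner.com answer=203.0.113.7",
]

if __name__ == "__main__":
    ioc = "91.218.114[.]31"
    print("naive substring hits:", naive_hits(SAMPLE_LOGS, ioc))  # lines 1, 2 and 3
    for n, addr, line in hunt(SAMPLE_LOGS, [ioc]):
        print(f"line {n}: {addr} <- {line}")  # only line 1
```

Feed `hunt()` the lines of a real proxy or firewall export and the defanged indicators straight from a report; the whole-address check is what keeps a single published IP from turning into a pile of false positives during a hunt.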

Ransomware Causing Actual Deaths

  • Düsseldorf University Clinic was hit by attackers in mid-September
  • Forensics found that the intruders exploited a vulnerability in “widely used commercial add-on software”, which was not named
  • After the attack the hospital’s IT systems gradually “crashed”, cutting off access to hospital data
  • This brought all operations to an immediate halt
  • A woman needing emergency treatment had to be diverted to a neighboring hospital in Wuppertal
  • The diversion was fatal: the roughly 20-minute transfer delayed her treatment by about an hour, and she died
  • Police used the contact details in the ransom note to inform the attackers of the death caused by the attack
  • The attackers handed over a decryption key, withdrew the extortion demand, and have not responded since

Ransomware Negotiators

  • Negotiators can help scale down financial demands, arrange tricky cryptocurrency payments, and help with data restoration
  • Negotiators are often technical specialists or former law enforcement officers trained in the art of hostage and terrorist negotiation
  • One negotiator recalls a case where the initial demand was $80 million, negotiated down to $45 million, and in the end nothing was paid; the attacker was inexperienced and most likely used RaaS
  • The city of Florence, Alabama, hired a ransomware negotiator and was able to reduce the ransom by 25%, as well as extend the payment deadline through the weekend
  • Steve Holt, Mayor of Florence, AL – “We have a million-dollar system, we have IT professionals in it. But [the hackers] didn’t come at us with brute force, they just found an opening and got in,” he said. “Anybody can unknowingly, unwittingly, open an email that they shouldn’t have opened.”

Ransomware Trends and Statistics

Non-compliant Victims’ Data Is Posted on the Web

  • University Hospital, Newark, New Jersey
  • SunCrypt ransomware leaked 1.7GB of the 240GB of data stolen
  • Authorization forms, driver’s licenses, SSNs, DOBs, and records about the Board of Directors were posted online

Non-compliant Victims’ Data Is Posted on the Web

  • LG and Xerox
  • Maze ransomware leaked 50.2GB of LG’s data and 25.8GB of Xerox’s data
  • Closed-source firmware for phones and laptops, and customer support operations data were leaked

Universities Targeted as Students Return

  • “The U.K. National Cyber Security Centre (NCSC), has issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks.”
  • Many suggestions were made to ensure security was in place, but at the top of the list was “Effective vulnerability management and patching procedures”

Reasons for the increased attacks on education include:

  • Volume of personal data – birthdates, SSN, direct deposit, etc.
  • Data is kept a long time

Statistics

Cybercrime will cost the world $6 trillion by 2021

A ransomware attack will succeed every 11 seconds by 2021

It takes 196 days, on average, to identify a data breach (6.5+ months)

33% of breaches were due to a phishing attack

5% of a company’s folders are properly protected

62% of cybersecurity pros say their team is understaffed

Chances of becoming a victim of a cyberattack: 25%

Top 5 cyberthreats

  • Ransomware
  • Phishing
  • Data leak
  • Cyber hacking
  • Insider threat

Attack examples