Oscar From Alsid
Threat intel report Q3 2020
Oscar From Alsid
Agenda
Q3 2020
Introduction
Top 5 Attack Trends
Ransomware Trends and Statistics
Attack Examples
Introduction
Break the dynamics of most modern threats to enterprises by preventing attacks to spread internally
Provide field-tested products with a seamless end-to-end user experience
A technical expertise recognized worldwide and awarded by numerous prestigious prizes
The features we are proud of
Cutting-edge security technology
Harden, protect, respond
All your practices extended to your most viral IT asset: AD
True real-time
Live exposure visualization, immediate attacks alerts
Step-by-step recommendations
A follow-the-guide approach for ad admins who are new to security
Intelligence-driven, ad-native
Beyond compliance, detect ad-specific attack patterns
Seamless end-to-end user experience
No agents, no privileges
An instant-on application with hardly a footprint on operations
Dashboard-oriented UX
To simplify decision-making and priorization
Simple, no-nonsense architecture
Using standard protocols and proven technologies
Native integrations with your other practices
Turbo-charge your siem, soar, and iam solutions
A comprehensive approach
Anticipate
- Bring vulnerabilities and weaknesses to light
- Prioritize remediations with threat scores and costs estimates
- Harden your directory infrastructure with our step-by-step guides
AD admins, Blue Teams, & Auditors
Detect Attacks
- Detect attacks in true real-time with our AD-specific threat intelligence
- Make AD an integral part of your security practice with SIEM & SOAR integrations
- Enable your Threat Hunters with AD-native investigation capabilities
SOC Analysts & Threat Hunters
Respond To Breaches
- Replay attacks and hunt for patients zero
- Remediate at machine-speed through our orchestration playbooks
- Detect persistence mechanisms and kick them out for good
Incident Responders
TOP 5 attack trends
Main Five Trends
Ransomware as a Service (RaaS)
- Subscription-based malicious model enables even the novice cybercriminal to launch ransomware attacks without much difficulty
- Commonly used by cybercriminals who don’t have much technical knowledge of how to create ransomware. This malicious model allows anyone to become an “affiliate” of an established RaaS package or service
- This vicious model is so enticing to some cybercriminals that you can even see the RaaS provider’s advertisements on the dark web
- You can find a number of RaaS operations in different forms and names on the dark web, including Cerber, Satan, Atom, Hostman, and Philadelphia
Attackers Getting Sloppy and Caught
- Kathryn Nguyen, together with an associate, hacked a 56-year-old person’s cryptocurrency account, transferred the XRP into a Chinese crypto exchange, traded it into Bitcoin, then transferred these coins into multiple wallet addresses… sentenced to 2 years and 3 months in prison
- Tyler C. King, convicted of creating unauthorized admin accounts and giving them access to proprietary company info, real-time access to executives’ email, personal files, and financial records….
sentenced to 57 months in prison - Andrew Miller, pleaded guilty to one count of conspiracy and two counts of computer fraud for actions committed between 2008 and 2011, when he was part of the Underground Intelligence Agency hacking group… sentenced to 18 months in prison
- Joseph Sullivan, Uber’s former chief security officer has been charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers…
charged with obstruction of justice and misprision of a felony
Maze Ransomware Cartel Grows
- June 2020, ransomware gangs teamed up to extort victims in a shared platform, as well as to share tactics and intel
- August 2020, SunCrypt also joined the Maze cartel to join the forces working together to go after big companies
- Today the Maze cartel includes at a minimum: LockBit, Ragnar Locker, and now SunCrypt
- Before joining the cartel, SunCrypt had little communication or interaction with Maze, now they have a two-way communication channel with them
- SunCrypt joined the cartel to help with the volume, stating, “They just can’t handle all the available field of operations. Our main specialization is ransomware attacks”
- Like any cartel, the goal is to make money and control. SunCrypt clearly stated that they “share revenue from the successful operation”
- IP address range, 91.218.114[.]31, has been tied to both Maze and SunCrypt
- Interestingly, Maze has on many occasions denied that they are in any way related to SunCrypt
Ransomware Causing Actual Deaths
- Dusseldorf University Clinic was hit by attackers in mid-September
- Forensics found that the incident exploited a vulnerability in a “widely used commercial add-on software”, which was not mentioned specifically
- Immediately after the attack the IT systems at the hospital gradually “crashed”, preventing access to hospital data
- This caused an immediate halt to all operations
- A woman needing emergency attention was transported to a neighboring hospital in Wuppertal for treatment
- The additional delay (60 minutes) was deadly, as the woman died due to the additional time to transport her 20 minutes to the neighboring hospital
- Police used the contact details in the ransom message to inform the attackers of the death due to the attack
- The attackers provided a digital decryption key, stopped the extort of funds, and have not responded since
Ransomware Negotiators
- Negotiators can help scale down financial demands, arrange tricky cryptocurrency payments, and help with data restoration
- Often negotiators are technical specialists or former law enforcement officers who are trained in the art of hostage and terrorist negotiations
- One negotiator remembers a negotiation where the initial demand was $80 million, which was reduced to $45 million, and ultimately paid nothing. The hacker was inexperienced and most likely used RaaS
- The city of Florence, Alabama, hired a ransomware negotiator and was able to reduce the ransom by 25%, as well as extend the payment deadline through the weekend
- Steve Holt, Mayor of Florence, AL – “We have a million-dollar system, we have IT professionals in it. But [the hackers] didn’t come at us with brute force, they just found an opening and got in,” he said. “Anybody can unknowingly, unwittingly, open an email that they shouldn’t have opened.”
Ransomware Trends and Statistics
Non-compliant Victims Data is Posted on Web
- University Hospital, Newark, New Jersey
- SunCrypt ransomware leaked 1.7GB of the 240GB of data stolen
- Authorization forms, driver’s licenses, SSNs, DOBs, and records about the Board of Directors were posted online
Non-compliant Victims Data is Posted on Web
- LG and Xerox
- Maze ransomware leaked 50.2GB of LG’s data and 25.8GB of Xerox’s data
- Closed-source firmware for phones and laptops, and customer support operations data were leaked
Universities Targeted as Students Return
- “The U.K. National Cyber Security Centre (NCSC), has issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks.”
- Many suggestions were made to ensure security was in place, but at the top of the list was “Effective vulnerability management and patching procedures”
Reasons for the increased attacks on education include:
- Volume of personal data – birthdates, SSN, direct deposit, etc.
- Data is kept a long time
Statistics
Cybercrime will cost the world $6 trillion by 2021
A ransomware attack will succeed every 11 seconds by 2021
It takes 196 days, on average, to identify a data breach (6.5+ months)
It takes 196 days, on average, to identify a data breach (6.5+ months)
33% of breaches were due to a phishing attack
5% of a company’s folders are properly protected
62% of cybersecurity pros say their team is understaffed
Chances of becoming a victim of a cyberattack: 25%
Top 5 cyberthreats
- Ransomware
- Phishing
- Data leak
- Cyber hacking
- Insider threat
Attack examples
- U.S. Dept of Veterans Affairs: Breach– source [EN]: https://www.iheart.com/content/2020-09-15-personal-information-of-46000-veterans-compromised-after-va-data-breach/
- Razer: Data breach – source [EN]: https://www.thesouthafrican.com/technology/razer-data-breach-information-september-2020/
- Long Island Hospital: Ransomware – source [EN]: https://www.itsecurityguru.org/2020/09/23/long-island-hospital-experiences-data-breach/
- 37 Healthcare Facilities: Data breach – source [EN]: https://www.hipaajournal.com/august-2020-healthcare-data-breach-report/