Threat Intel Report Q4 2020
A comprehensive approach
Anticipate threats
Proactively harden your directory infrastructure
Uncover vulnerabilities and weak configurations to maintain strong security boundaries
AD admins, blue teams, and auditors
Detect attacks
Detect attacks in real time with our AD-specific threat intelligence
Make AD an integral part of your security practice with SIEM and SOAR integrations
Enable your threat hunters with AD-native investigation capabilities
SOC analysts and threat hunters
Respond to breaches
Replay attacks and hunt for patient zero
Remediate at machine-speed through our orchestration playbooks
Detect persistence mechanisms and kick them out for good
Incident responders
The features we are proud of
Cutting-edge security technology
Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory
True real-time
Live exposure visualization, immediate attack alerts
Step-by-step recommendations
A follow-the-guide approach for AD admins new to security
Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns
Seamless end-to-end user experience
No agents, no privileges
An instant-on application with hardly a footprint on operations
Dashboard-oriented UX
To simplify decision-making
and prioritization
Simple, no-nonsense architecture
Using standard protocols and proven technologies
Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions
Top 5 attack trends
Q4 2020
Double extortion ransomware
Healthcare devices
Zerologon
Persistence
Vaccine distribution attacks
Double extortion
ransomware
- Attackers realize that if they don’t get paid, they can post data online
- Proprietary or embarrassing data on the internet puts pressure on the organization to pay, especially when healthcare patient data
- More than 1000 companies had data posted online after not paying
- Research shows that double extortion ransomware will increase in 2021
- Research also shows that 2021 will include automated and different double extortion ransomware tactics
- Targets will most likely be large, wealthy organizations
- Cloud providers might also be targets
Healthcare devices
- GE devices were attacked and breached
- Devices were not secured at installation
- Devices not included in security vulnerability or pentest
- Audits typically consist of normal PCs and servers, while “other devices” are forgotten
- In many cases, IT can’t do the updates or perform the patching, as the vendor does these tasks
- Devices are managed remotely, so insecure protocols are often used (e.g. FTP and Telnet)
- The IT staff must request that security issues be addressed; this takes time and effort with potentially 100+ devices
“GE puts default password in radiology devices, leaving healthcare networks exposed”
Dan Goodin
Ars Technica
Zerologon
- Hacking group Cicada exploiting Zerologon vulnerability
- Focusing on Japanese companies
- Targeting automotive organizations, as part of industrial cyberespionage
- Pharma and engineering are also targets
- Cicada was initially using enumeration and lateral movement techniques
- First exploited in August 2020
- Tracked as CVE-2020-1472
- Affects Windows Server’s Netlogon Remote Protocol, an authentication component of Active Directory
- Patch was released, but many have not installed the patch
- Installing the patch protects you from this attack!
- How to detect CVE (2020-1472) and enrich data / track malicious activity using Alsid (information alerting alerting-syslog cve2020-1472 how-to-trigger 2.7.x zerologon)
Persistence: Spotify
- December 9, 2020 – 3rd data breach in 2020 following April 9 and November 12 attacks
- Common attack techniques are thought to be used, including phishing, credential stuffing, password spraying, and brute-force
Persistence: U.S.
Government
- December 2020: multiple agencies detect breaches
- March 2020: compromises at numerous U.S. agencies
- June 2019: US planted malware capable of disrupting the Russian electrical grid
- Federal data breach was persistent for past 8 – 9 months
- National Nuclear Security Administration and DOE were also breached
Vaccine distribution attacks
- Healthcare and pharma were hit hardest in 2020 by ransomware attacks
- The FBI warned about vaccine-related malicious attacks
- Physical – stealing the actual vaccine en route
- Logical – disrupting the vaccine delivery and/or application
- The ransomware disruption is not only affecting the vaccine, but also normal treatments such as those for cancer
- Attacks are coming from Russia and China
- Reports indicate that about 1/3 of healthcare is paying the ransom, as they feel life is in the balance
- Others are not paying and instead replacing all computers/network
Healthcare and Pharma are easier targets:
- High-profile
- Many endpoints (some not protected)
- Lagging behind on securing the network and devices
- Value of data on the dark web
- M&A
FireEye, SolarWinds,
and Microsoft
FireEye revealed they were attacked and breached on December 13. The attack was on the Orion network monitoring software, built by SolarWinds. A backdoor was planted in the Orion network. The backdoor software was named “Sunburst” and has been labeled as “potentially the biggest intrusion in our history” by FireEye CEO. Original Orion code alteration was in October 2019, with backdoor being added in March 2020.
List of organizations attacked… so far
second-stage attacks as part of the SolarWinds Orion supply chain attack
“…only about 50 organizations or companies… that are genuinely impacted by the threat actor”
– FireEye CEO
- U.S. Commerce
- Homeland Security
- U.S. State
- Treasury Dept
- Energy Dept
- National Institutes of Health
- Belkin
- Cisco
- Intel
- Nvidia
- Microsoft VMWare
Sunburst details
- Russian hacking group is the suspect behind the attack
- The attackers entered the SolarWinds infrastructure and inserted a backdoor in a software update for the Orion network software
- Sunburst gains access by “abusing credentials”, and it comes in many forms
- Uses credentials to access data and install additional software
Sunburst suspected in Microsoft mail attack
- Microsoft warned CrowdStrike of failed attempts to access and read email
- All signs point this is tied back to the SolarWinds breach
Investigation revealed:
- An Azure account was making “abnormal calls” to Microsoft cloud API
- The account was used by CrowdStrike to manage Microsoft Office licensing
- However, Crowdstrike does not use Microsoft mail!
- Trojanized versions of Orion were successfully blocked
- Microsoft, FireEye, and GoDaddy all blocked attackers in late December
- Seizing the avsvmcloud[.]com domain
- List of organizations running Sunburst was discovered by decrypting some of the information being sent to attackers
- Backdoor was built to “phone home” approximately every two weeks
- After a phone home, additional malware was often installed to map the network, exfiltrate data, and/or deploy additional tools for persistence
Lessons learned from SolarWinds
- Patch systems
- Secure and monitor privileged accounts
- Secure against lateral movement
- Secure against privilege escalation
- Secure the main IAM systems
- Deploy technologies that can maintain security
- Deploy security solutions that don’t require privileges or agents
Attack examples
- Pray.com — Data breach: https://threatpost.com/10m-impacted-pray-com-data-exposure/161459/
- JM Bullion — Data breach: https://www.techradar.com/news/this-could-be-the-most-expensive-data-breach-ever
- Ohio University — Software breach: https://www.govtech.com/security/Ohio-University-Systems-Left-Vulnerable-in-Software-Breach.html
- Dental Care Alliance — Ransomware: https://healthitsecurity.com/news/third-party-vendor-dental-care-alliance-breach-impacts-1m-patients
Our solutions
Provide field-tested products
with a seamless end-to-end user experience
Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally
A technical expertise recognized and awarded worldwide