Threat intel report Q4 2020
Derek Melber – Microsoft MVP & Technical Director

2020 has been a tough year for cybersecurity.
The Alsid Research Team has compiled the findings and forecasts you need for the months to come.
A comprehensive approach
Anticipate Threats
Proactively harden your directory infrastructure
Bring vulnerabilities and weak configurations to light and maintain strong security boundaries through time
AD admins, Blue Teams, & Auditors
Detect Attacks
Detect attacks in true real-time with our AD-specific threat intelligence
Make AD an integral part of your security practice with SIEM & SOAR integrations
Enable your Threat Hunters with AD-native investigation capabilities
SOC Analysts & Threat Hunters
Respond To Breaches
Replay attacks and hunt for patient zero
Remediate at machine-speed through our orchestration playbooks
Detect persistence mechanisms and kick them out for good
Incident Responder
The features we are proud of
Cutting-edge security technology

Harden, protect, respond
All your practices extended to your most viral IT asset: AD

True real-time
Live exposure visualization, immediate attacks alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins who are new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns
Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions
Top 5 attack trends
2020 Q4: the five main trends
Double-Extortion Ransomware
Healthcare Devices
Zerologon
Persistence
Vaccine Distribution Attacks
Healthcare Devices
- GE Healthcare devices were attacked and breached
- Devices were not secured at installation
- Devices were not included in vulnerability assessments or penetration tests
- Audits typically cover ordinary PCs and servers, and "other devices" are forgotten
- In many cases IT cannot apply updates or patches itself, because the vendor performs these tasks
- Devices are managed remotely, so insecure protocols (e.g. FTP and Telnet) are often used
- IT staff must actively request that security issues be addressed, which takes time and effort, especially with potentially 100+ devices
Double-Extortion Ransomware
- Attackers have realized that if they don't get paid, they can post the stolen data online
- Proprietary or embarrassing data on the Internet puts pressure on the organization to pay
- Especially when it is healthcare patient data
- More than 1,000 companies had data posted online after refusing to pay
- Research shows that double-extortion ransomware will increase in 2021
- Research also shows that 2021 will bring automated and new double-extortion tactics
- The most likely targets are large and wealthy organizations
- Cloud providers might also be targets
“GE puts default password in radiology devices, leaving healthcare networks exposed”
Dan Goodin
GE Healthcare
Zerologon
- Patched by Microsoft in August 2020; public exploit code and in-the-wild exploitation followed in September 2020
- Tracked as CVE-2020-1472
- Affects the Netlogon Remote Protocol (MS-NRPC) of Windows Server, an authentication component of Active Directory: an unauthenticated attacker with network access to a domain controller can reset the DC's machine-account password and take over the domain
- The patch has been released, but many organizations have not installed it
- Installing the patch protects you from this attack!
- How to detect CVE-2020-1472 and enrich data / track malicious activity using Alsid (Alsid knowledge base: alerting-syslog, cve2020-1472, how-to-trigger, 2.7.x, zerologon)
- The hacking group "Cicada" is exploiting the Zerologon vulnerability
- Focusing on Japanese companies
- Focusing on automotive organizations, as part of industrial cyberespionage
- Pharma and engineering companies are also targets
- Cicada initially used enumeration and lateral-movement techniques
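As an added example for the Zerologon slide above (not part of the Alsid report and not Alsid product code), the following PowerShell script checks two things on a domain controller that a defender wants to know once the August 2020 patch is installed: whether Netlogon secure-channel enforcement is switched on (the `FullSecureChannelProtection` registry value documented in Microsoft's KB4557222), and whether the Netlogon events that the patch added (IDs 5827 to 5831 in the System log) show clients still making vulnerable secure-channel connections. It assumes it is run elevated on a patched DC; the `-Days` window is an arbitrary choice.

```powershell
# Added example: Zerologon (CVE-2020-1472) enforcement and detection check for a DC.
# Assumptions: run as an administrator on a domain controller that has the August 2020
# (or later) Netlogon patch installed; registry path and event IDs are those documented
# by Microsoft for the CVE-2020-1472 patch (KB4557222).

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-ZerologonEnforcementState {
    # FullSecureChannelProtection = 1 forces the DC to reject vulnerable (unsigned/unsealed)
    # Netlogon secure-channel connections; 0 keeps the patch in "deployment" mode.
    $value = (Get-ItemProperty -Path $netlogonKey -Name FullSecureChannelProtection `
              -ErrorAction SilentlyContinue).FullSecureChannelProtection
    switch ($value) {
        1       { 'Enforcement mode (FullSecureChannelProtection = 1): vulnerable connections are rejected' }
        0       { 'Deployment mode (FullSecureChannelProtection = 0): vulnerable connections are still accepted, only logged' }
        default { 'Value not set: mode depends on patch level (the February 2021 update turns enforcement on unconditionally)' }
    }
}

function Get-NetlogonSecureChannelEvents {
    param([int]$Days = 7)   # look-back window, arbitrary choice for this example
    # Event IDs added by the patch (source NETLOGON, System log):
    #   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
    #   5829         vulnerable connection ALLOWED during deployment phase: fix that client
    #   5830 / 5831  vulnerable connection ALLOWED by the "Domain controller: Allow
    #                vulnerable Netlogon secure channel connections" group policy
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

Get-ZerologonEnforcementState
Get-NetlogonSecureChannelEvents | Format-Table -AutoSize -Wrap
```

Event 5829 is the one to chase before flipping enforcement on: each occurrence names a device that still negotiates the vulnerable secure channel and will break (5827) once enforcement is enabled. A burst of 5827 or 5829 events for a single machine account, or from an account that is not a real domain member, is the Zerologon exploitation pattern itself rather than a misconfigured client.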
Persistence: Spotify
- Attack techniques believed to have been used:
- Phishing
- Credential stuffing
- Password spraying
- Brute force
- December 9, 2020: third data breach of 2020
- Earlier 2020 incidents: April 9, 2020 and November 12, 2020
Persistence: U.S. Government
- December 2020: multiple agencies detect breaches
- March 2020: compromises at numerous U.S. agencies
- June 2019: the U.S. planted malware capable of disrupting the Russian electrical grid
- The federal intrusion had persisted for the previous 8 or 9 months
- The National Nuclear Security Administration and the Department of Energy were also breached
Vaccine Distribution Attacks
- Healthcare and pharma have been hit hardest by ransomware attacks in 2020
- The FBI has warned about vaccine-related malicious attacks
- Physical: stealing the actual vaccine en route
- Logical: disrupting vaccine delivery and/or administration
- The ransomware disruption affects not only the vaccine but also normal treatments, such as those for cancer
- Attacks are coming from Russia and China
- Reports indicate that about one third of healthcare organizations pay the ransom, as they feel lives are in the balance
- Others do not pay and instead replace all computers and network equipment
- Healthcare and pharma are easier targets:
- High profile
- Many endpoints (some unprotected)
- Lagging behind on securing the network and devices
- Value of the data on the dark web
- M&A activity
FireEye, SolarWinds, and Microsoft
FireEye disclosed its own breach on December 8, 2020 and, on December 13, attributed it to a supply-chain compromise of the Orion network monitoring software built by SolarWinds: a backdoor, named "Sunburst", had been planted in signed Orion updates. FireEye's CEO labeled it "potentially the biggest intrusion in our history". The SolarWinds build process was first tampered with in October 2019 (a test modification), and the Sunburst backdoor itself was added to Orion builds in March 2020.
List of Organizations Attacked... So Far
Organizations reported as targets of second-stage activity in the SolarWinds Orion supply-chain attack. According to FireEye's CEO, "only about 50 organizations or companies ... are genuinely impacted by the threat actor":
• U.S. Department of Commerce
• Department of Homeland Security
• U.S. Department of State
• Treasury Department
• Energy Department
• National Institutes of Health
• Belkin
• Cisco
• Intel
• Nvidia
• Microsoft
• VMware
Sunburst Details
- A Russian hacking group is suspected of being behind the attack
- The attackers entered the SolarWinds infrastructure and inserted a backdoor into a software update for the Orion network software
- Once the backdoor provides a foothold, the operators move by "abusing credentials", in many forms
- The stolen credentials are used to access data and install additional software

Sunburst-Suspected Microsoft Mail Attack
- Microsoft warned CrowdStrike of failed attempts to access and read its email
- All signs point to this being tied back to the SolarWinds breach
- Investigation revealed:
- An Azure account was making "abnormal calls" to Microsoft cloud APIs
- The account belonged to a Microsoft reseller and was used to manage CrowdStrike's Microsoft Office licensing
- However, CrowdStrike does not use Microsoft mail, so the attempt failed
- Trojanized versions of Orion were successfully blocked
- Microsoft, FireEye, and GoDaddy together blocked the attackers in late December
- by seizing the avsvmcloud[.]com command-and-control domain
- Observed attacker objectives after initial access:
- Map the network
- Exfiltrate data
- Deploy additional tools for persistence
SolarWinds: Lessons Learned
- Patch systems
- Secure and monitor privileged accounts
- Secure against lateral movement
- Secure against privilege escalation
- Secure the main IAM systems
- Deploy technologies that can maintain security
- Deploy security solutions that don’t require privileges or agents
"Microsoft Alerts CrowdStrike of Possible Hacking Attempt", Akshaya Asokan (tweet, Twitter)
Attack examples
- Pray.com: Data Breach [EN] https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/
- JM Bullion: Data breach [EN] https://www.bleepingcomputer.com/news/security/business-services-giant-conduent-hit-by-maze-ransomware/
- Ohio University: Software Breach [EN] https://www.infosecurity-magazine.com/news/maze-claims-ransomware-attack-on-us/
- Dental Care Alliance: Ransomware https://www.cpomagazine.com/cyber-security/honda-ransomware-attack-a-lesson-in-segmentation/

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized worldwide and awarded by numerous prestigious prizes