Skip to content

Threat intel report Q4 2020

Derek Melber – Microsoft MVP & Technical Director

2020 is a tough year for cybersecurity.

The Alsid Research Team is hard at work compiling the findings and forecasts you need for the months to come.

A comprehensive approach

Anticipate Threats

 

Proactively harden your directory infrastructure

Bring vulnerabilities and weak configurations to light and maintain strong security boundaries through time

AD admins, Blue Teams, & Auditors

Detect Attacks

 

Detect attacks in true real-time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM & SOAR integrations

Enable your Threat Hunters with AD-native investigation capabilities

SOC Analysts & Threat Hunters

Respond To Breaches

 

Replay attacks and hunt for patients zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident Responder

The features we are proud of

Cutting-edge security technology

Harden, protect, respond
All your practices extended to your most viral IT asset: AD

True real-time
Live exposure visualization, immediate attacks alerts

Step-by-step recommendations
A follow-the-guide approach for ad admins who are new to security

Intelligence-driven, ad-native
Beyond compliance, detect ad-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and priorization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your siem, soar, and iam solutions

Top 5 attack trends

2020 Q4: Main five tendencies

Double-extorsion Ransomware

Healthcare – Devices

Zerologon

Persistence

Vaccine Distribution Attacks

Healthcare
Devices

  • GE Devices attacked and breached
  • Devices were not secured at installation
  • Devices not included in security vulnerability or pentest
  • Audits typically consist of normal PCs and servers, and “other devices” forgotten
  • In many cases, IT can’t do the updates or perform the patching as the vendor does these tasks
  • Devices are managed remotely, so often insecure protocols are used (e.g. FTP and Telnet)
  • The IT staff must take action to request for security issues to be addressed, which takes time and effort, especially with potentially 100+ devices

Double-extorsion
Ransomware

  • Attackers realize that if they don’t get paid, they can post data online
  • Proprietary or embarrassing data on the Internet puts pressure on the organization to pay
    • Especially when it is healthcare patient data
  • More than 1000 companies had data posted online after not paying
  • Research shows that double-extorsion ransomware will increase in 2021
  • Research also shows that 2021 will include automated and different double-extorsion ransomware tactics
  • Most likely the targets will be large and wealthy organizations
  • Cloud providers might also be targets

“GE puts default password in radiology devices, leaving healthcare networks exposed”

Dan Goodin
GE Healthcare

Over 100 device models from GE Healthcare that are used primarily for radiological and imaging purposes in hospitals and other healthcare facilities can easily be compromised by hackers because of default support credentials that are publicly known but can’t be changed easily by users. 

This insecure implementation of remote management functionality allows hackers to access sensitive data stored on the impacted devices as well as infect them with malicious code that would be very hard to detect.

Zerologon

  • Hacking group “Cicada” exploiting Zerologon vulnerability
  • Focusing on Japanese companies
  • Focusing on automotive organizations, as part of industrial cyberespionage
  • Pharma and engineering also targets
  • Cicada was initially using enumeration
  • and lateral movement techniques

Persistence: Spotify

  • Common attack techniques are thought to be used:
    • Phishing
    • Credential Stuffing
    • Password spraying
    • Brute-force
  • December 9, 2020 – 3rd data breach in 2020
    • April 9, 2020
    • November 12, 2020

Persistence: U.S.
Government

  • December 2020 – Multiple agencies detect breaches
    – March 2020 – compromises at numerous U.S. agencies
  • June 2019 US planted malware capable of disrupting the Russian electrical grid
  • Federal data breach was persistent for past 8 or 9 months
  • National Nuclear Security Administration and DOE also breached

“On Thursday November 12th, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify. Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020, until we discovered it on November 12, 2020, when we took immediate steps to correct it.”

Vaccine Distribution Attacks

  • Healthcare and Pharma have been hit hardest in 2020 with ransomware attacks
  • The FBI warned about vaccine-related malicious attacks
    • Physical – stealing the actual vaccine en route
    • Logical – disrupting the vaccine delivery and/or application
  • The ransomware disruption is not only affecting the vaccine, but also normal treatments such as those for cancer
  • Attacks are coming from Russia and China
  • Reports are indicating that about 1/3 of healthcare is paying the ransom, as they feel life is in the balance
  • Others are not paying and instead replacing all computers/network
  • Healthcare and Pharma are easier targets:
    • High profile
    • Many endpoints (some not protected)
    • Lagging behind on securing the network and devices
    • Value of data on the dark web
    • M&A

Fireeye, solarwinds,
and Microsoft

FireEye revealed they were attacked and breached on Dec. 13. The attack was on the Orion network monitoring software, built by SolarWinds. A backdoor was planted in the Orion network. The backdoor software has been named “Sunburst”. Labeled as “potentially the biggest intrusion in our history” by FireEye CEO. Original Orion code alteration was in October 2019. And backdoor was added in March 2020

List of Organizations Attacked… So Far

Location of organizations that Microsoft has identified as having been exploited via
second-stage attacks as part of the SolarWinds Orion supply chain attack

…only about 50 organizations or companies… …that are genuinely impacted by the threat actor”, according to FireEye CEO

• U.S. Commerce
• Homeland Security
• U.S. State
• Treasury Dept
• Energy Dept
• National Institutes of Health
• Belkin
• Cicso
• Intel
• Nvidia
• Microsoft VMWare

Sunburst Details

  • Russian hacking group is the suspect behind the attack
  • The attackers entered the SolarWinds infrastructure and inserted a backdoor in a software update for the Orion network software
  • Sunburst gains access by “abusing credentials”, and it comes in many forms
  • Uses credentials to access data and install additional software

Sunburst Suspected
Microsoft Mail Attack

  • Microsoft warned Crowdstrike of failed attempts to access and read email
  • All signs point this is tied back to the SolarWinds breach
  • Investigation revealed:
    • An Azure account was making “abnormal calls” to Microsoft cloud API
    • The account was used by Crowdstrike to manage Microsoft Office licensing
    • However, Crowdstrike does not use Microsoft mail!
  • Trojanized versions of Orion were successfully blocked
    • Microsoft, FireEye, and GoDaddy all blocked attackers in late December
    • Seizing the avsvmcloud[.]com domain
  • Trojanized versions of Orion were successfully blocked
  • Microsoft, FireEye, and GoDaddy all blocked attackers in late December
  • Seizing the avsvmcloud[.]com domain
    • Map the network
    • Exfiltrate data
    • Deploy additional tools for persistence

Solar Winds
Lessons Learned

  • Patch systems
  • Secure and monitor privileged accounts
  • Secure against lateral movement
  • Secure against privilege escalation
  • Secure the main IAM systems
  • Deploy technologies that can maintain security
  • Deploy security solutions that don’t require privileges or agents

“Microsoft Alerts CrowdStrike of Possible Hacking Attempt”

Akshaya Asokan
Tweet, Twiiter

Attack examples

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks to spread internally

A technical expertise recognized worldwide and awarded by numerous prestigious prizes

Comments are closed.

Download pdf