
Threat Intel Report Q4 2020

A comprehensive approach

Anticipate threats

 

Proactively harden your directory infrastructure

Uncover vulnerabilities and weak configurations to maintain strong security boundaries

AD admins, blue teams, and auditors

Detect attacks

 

Detect attacks in real time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM and SOAR integrations

Enable your threat hunters with AD-native investigation capabilities

SOC analysts and threat hunters

Respond to breaches

 

Replay attacks and hunt for patient zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident responders

The features we are proud of

Cutting-edge security technology

Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

Q4 2020

Double extortion ransomware

Healthcare devices

Zerologon

Persistence

Vaccine distribution attacks

Double extortion ransomware

  • Attackers realize that if they don’t get paid, they can post data online
  • Proprietary or embarrassing data on the internet puts pressure on the organization to pay, especially when it is healthcare patient data
  • More than 1000 companies had data posted online after not paying
  • Research shows that double extortion ransomware will increase in 2021
  • Research also shows that 2021 will include automated and different double extortion ransomware tactics
  • Targets will most likely be large, wealthy organizations
  • Cloud providers might also be targets

Healthcare devices

  • GE devices were attacked and breached
  • Devices were not secured at installation
  • Devices were not included in security vulnerability assessments or pentests
  • Audits typically consist of normal PCs and servers, while “other devices” are forgotten
  • In many cases, IT can’t do the updates or perform the patching, as the vendor does these tasks
  • Devices are managed remotely, so insecure protocols are often used (e.g. FTP and Telnet)
  • The IT staff must request that security issues be addressed; this takes time and effort with potentially 100+ devices

“GE puts default password in radiology devices, leaving healthcare networks exposed”

Dan Goodin
Ars Technica

“Over 100 device models from GE Healthcare that are used primarily for radiological and imaging purposes in hospitals and other healthcare facilities can easily be compromised by hackers because of default support credentials that are publicly known but can’t be changed easily by users. This insecure implementation of remote management functionality allows hackers to access sensitive data stored on the impacted devices as well as infect them with malicious code that would be very hard to detect.” – ARN

Zerologon

Persistence: U.S. Government

  • December 2020: multiple agencies detect breaches
  • March 2020: compromises at numerous U.S. agencies
  • June 2019: US planted malware capable of disrupting the Russian electrical grid
  • The federal data breach was persistent for the past 8 – 9 months
  • National Nuclear Security Administration and DOE were also breached

Vaccine distribution attacks

  • Healthcare and pharma were hit hardest in 2020 by ransomware attacks
  • The FBI warned about vaccine-related malicious attacks
  • Physical – stealing the actual vaccine en route
  • Logical – disrupting the vaccine delivery and/or application
  • The ransomware disruption is not only affecting the vaccine, but also normal treatments such as those for cancer
  • Attacks are coming from Russia and China
  • Reports indicate that about 1/3 of healthcare is paying the ransom, as they feel life is in the balance
  • Others are not paying and instead replacing all computers/network

Healthcare and Pharma are easier targets:

  • High-profile
  • Many endpoints (some not protected)
  • Lagging behind on securing the network and devices
  • Value of data on the dark web
  • M&A

FireEye, SolarWinds, and Microsoft

FireEye revealed they were attacked and breached on December 13. The attack was on the Orion network monitoring software, built by SolarWinds. A backdoor was planted in the Orion network. The backdoor software was named “Sunburst” and has been labeled as “potentially the biggest intrusion in our history” by FireEye's CEO. The original Orion code alteration was in October 2019, with the backdoor being added in March 2020.

List of organizations attacked… so far

Location of organizations that Microsoft has identified as having been exploited via second-stage attacks as part of the SolarWinds Orion supply chain attack

“…only about 50 organizations or companies… that are genuinely impacted by the threat actor”

– FireEye CEO

  • U.S. Commerce
  • Homeland Security
  • U.S. State
  • Treasury Dept
  • Energy Dept
  • National Institutes of Health
  • Belkin
  • Cisco
  • Intel
  • Nvidia
  • Microsoft
  • VMware

Sunburst details

  • A Russian hacking group is the suspect behind the attack
  • The attackers entered the SolarWinds infrastructure and inserted a backdoor in a software update for the Orion network software
  • Sunburst gains access by “abusing credentials”, and it comes in many forms
  • Uses credentials to access data and install additional software

Sunburst suspected in Microsoft mail attack

  • Microsoft warned CrowdStrike of failed attempts to access and read email
  • All signs point to this being tied back to the SolarWinds breach

Investigation revealed:

  • An Azure account was making “abnormal calls” to Microsoft cloud API
  • The account was used by CrowdStrike to manage Microsoft Office licensing
  • However, CrowdStrike does not use Microsoft mail!
  • Trojanized versions of Orion were successfully blocked
  • Microsoft, FireEye, and GoDaddy all blocked attackers in late December by seizing the avsvmcloud[.]com domain
  • A list of organizations running Sunburst was discovered by decrypting some of the information being sent to the attackers
  • The backdoor was built to “phone home” approximately every two weeks
  • After a phone home, additional malware was often installed to map the network, exfiltrate data, and/or deploy additional tools for persistence
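
A way to hunt for the phone-home behaviour described above in resolver logs, as an added example that is not part of the original report: it finds lookups under avsvmcloud[.]com and reports the spacing between them per client. The log format, client addresses, and subdomain labels are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

C2_DOMAIN = "avsvmcloud[.]com"  # from the report, kept defanged in source

# Constructed sample resolver log: "<ISO time> <client IP> <queried name>"
SAMPLE_LOG = """\
2020-06-01T09:14:02 10.0.4.17 q1x.example-label.avsvmcloud.com
2020-06-01T09:15:40 10.0.4.22 www.example.org
2020-06-14T21:03:11 10.0.4.17 Q2X.example-label.AVSVMCLOUD.COM.
2020-06-15T08:00:00 10.0.4.31 notavsvmcloud.com
2020-06-15T08:00:05 10.0.4.31 avsvmcloud.com.example.net
2020-06-20T11:00:00 10.0.4.40 avsvmcloud[.]com
this line is malformed
2020-06-29T02:47:55 10.0.4.17 q3x.example-label.avsvmcloud.com
"""

def normalize(name):
    """Refang, lowercase, and drop the trailing root dot."""
    return name.replace("[.]", ".").lower().rstrip(".")

def is_c2_name(qname, domain=C2_DOMAIN):
    """True only for the domain itself or a real subdomain of it."""
    qname, domain = normalize(qname), normalize(domain)
    return qname == domain or qname.endswith("." + domain)

def find_lookups(log_text):
    """Map client IP -> sorted timestamps of lookups under the domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines whose timestamp does not parse
        if is_c2_name(parts[2]):
            hits[parts[1]].append(when)
    return {client: sorted(times) for client, times in hits.items()}

def gaps_in_days(hits):
    """Days between consecutive lookups per client (long gaps fit a slow check-in)."""
    return {c: [round((b - a).total_seconds() / 86400, 1) for a, b in zip(t, t[1:])]
            for c, t in hits.items()}

if __name__ == "__main__":
    found = find_lookups(SAMPLE_LOG)
    for client, gaps in gaps_in_days(found).items():
        print(client, len(found[client]), "lookups, gaps (days):", gaps)
```

With a check-in interval of roughly two weeks, a search window of only a few days can miss an affected host entirely, so this kind of hunt needs DNS log retention measured in months.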

Lessons learned from SolarWinds

  • Patch systems
  • Secure and monitor privileged accounts
  • Secure against lateral movement
  • Secure against privilege escalation
  • Secure the main IAM systems
  • Deploy technologies that can maintain security
  • Deploy security solutions that don’t require privileges or agents

Attack examples

Our solutions

Provide field-tested products with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized and awarded worldwide
