You have probably heard that cybercrime is on the rise, in large part due to Covid-19. To help Aterans understand what’s out there, and to protect both their own business and their clients, Candid Wüest, Acronis VP of cyber protection research, has shared his world-renowned expertise on the topic. Here’s the first in a two-part blog that will look at today’s threat landscape and the strongest possible responses.
Understanding the mindset of an attacker
The first thing to know about cyber-attackers is that they are smart, and they are not afraid to change tactics until they find something that works. It’s important to be aware of what kinds of attacks are common, as well as the current trends in hacks and scams, so that you can educate both yourself and your own clients. At the moment, social engineering attacks that leverage the Coronavirus are common, because they play on people’s fear and uncertainty. These could come in the form of emails that claim you are entitled to a relief fund, or malware hidden behind a link that promises a COVID-19 test, after claiming that a tracing app has shown you have been exposed to the virus.
Many organizations think that they have nothing that would attract an attack, for example because they don’t take credit card information from their customers, or aren’t one of the big players in their industry. This is a common misconception.
There is always something interesting for the attacker, even if that is only using you as a stepping stone in the supply chain to reach your customer. Motivations usually fall under three categories:
- Financial gain: For example, looting online accounts, stealing sensitive credentials that they can sell on, or extorting your company via ransomware to get a pay-out. One such example was carried out by the Lazarus Group in 2018, who stole $100 million; the haul would have been as much as $1 billion if they hadn’t misspelled the word ‘foundation’ and been flagged by one of the banks under attack.
- Nation-state attacks: These are usually against big names, and can include espionage or sabotage attacks, or the stealing of sensitive company information. Think about the attacks against the power grid in the Ukraine, where electricity was switched off for more than half a million households.
- Ideology or personal attacks: Under this category come instances of ‘hacktivism’ or whistleblowing on a company’s unsafe data practices, and those who act for revenge, fun or fame. The National Health Service in the UK was put under the spotlight by the WannaCry ransomware, resulting in hospitals having to turn away patients while they handled the attack and a 6% drop in admissions. While the hackers only made $160,000, the effects were devastating.
Many security teams think that they will recognize an attack in advance, but the truth is that attackers are getting smarter than ever. They will learn about you, your company, and your online behavior, and craft an attack that is designed to fly under your radar.
What kinds of attacks should MSPs look out for?
Let’s look at three kinds of attacks that we’ve seen grow in popularity.
Takeaway: Monitor everything you download, even if it comes from a legitimate source.
Data breaches and privacy are a hot topic, with compliance regulations such as GDPR and CCPA putting data use under the microscope and giving customers more control than ever over their information. The Ponemon Institute has estimated the cost of a data breach at $3.9 million. Of course, this figure is for larger organizations; a far smaller financial hit can force a smaller business to close its doors.
A subsection of this kind of attack is password misuse, where attackers take stolen credentials from one breach and replay them against other services, using botnets to try passwords at scale. Because users often reuse the same password across accounts, a single leaked password can open many doors.
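The credential-replay pattern described above has a recognisable shape in authentication logs: one source that fails against many different usernames in a short window (one password per account, many accounts), which is the opposite of an ordinary brute force (many passwords, one account) or a user who mistyped. The detector below is an added example, not code from Atera or Acronis; the log line format and the sample lines are constructed for illustration.

```python
"""Flag credential-stuffing sources in constructed authentication logs.

Added example (not Atera/Acronis code). The log format used here is an
assumption: one event per line, "<ISO time> LOGIN_OK|LOGIN_FAIL user=<u> ip=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: 203.0.113.5 sprays one guess across many accounts and
# gets into "dave"; 198.51.100.7 is a real user fumbling their own password.
SAMPLE_LOG = """\
2020-06-01T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.5
2020-06-01T10:00:02 LOGIN_FAIL user=bob ip=203.0.113.5
2020-06-01T10:00:02 LOGIN_FAIL user=carol ip=203.0.113.5
2020-06-01T10:00:03 LOGIN_OK user=dave ip=203.0.113.5
2020-06-01T10:00:04 LOGIN_FAIL user=erin ip=203.0.113.5
2020-06-01T10:00:05 LOGIN_FAIL user=frank ip=203.0.113.5
2020-06-01T10:00:10 LOGIN_FAIL user=alice ip=198.51.100.7
2020-06-01T10:00:40 LOGIN_FAIL user=alice ip=198.51.100.7
2020-06-01T10:01:10 LOGIN_OK user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Return a list of (timestamp, result, user, ip); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct usernames} for every IP whose failed logins
    touched at least `min_users` different accounts inside one `window`."""
    fails_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "LOGIN_FAIL":
            fails_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()  # sliding window needs time order
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged into successfully: these are the
    reused passwords that worked and need a forced reset and MFA."""
    return sorted({user for _, result, user, ip in events
                   if result == "LOGIN_OK" and ip in flagged})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(ev)
    print("stuffing sources:", hits)
    print("accounts to reset:", accounts_to_reset(ev, hits))
```

The thresholds (five distinct users in five minutes) are assumptions to tune per service; the useful output is the second list, because a successful login from a flagged source is exactly the reused password the paragraph warns about.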
Takeaway: protect sensitive customer information above all else.
Cloud-based attacks are also increasingly common. Attackers can leverage misconfigured cloud storage such as Amazon S3 buckets, or launch attacks against Kubernetes or Docker, serverless applications or exposed API services. The cloud can also be used in attacks where the malware itself is hosted in the cloud, on Office 365 or Google Drive; attacks can be staged and data exfiltrated from there, especially as people tend to trust the cloud. The third kind of cloud attack is where attackers use infrastructure vulnerabilities to attack the cloud itself, through CPU issues or VM or container escape vulnerabilities.
Takeaway: Don’t assume the cloud is safer than on-premises machines.
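The misconfigured-storage case is usually a bucket policy that grants access to everyone. The audit below is an added example, not Acronis or Atera code: it walks an S3 bucket policy document (the real IAM policy JSON grammar) and reports Allow statements whose Principal is the wildcard, with the weak policy beside its scoped replacement. Bucket name, account id and role name are placeholders, and no AWS API is called.

```python
"""Audit an S3 bucket policy document for grants to everyone.

Added example (not Acronis/Atera code). Policies below are constructed;
"example-bucket-placeholder" and account 123456789012 are placeholders.
"""
import json

# Constructed weak policy: every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadAll",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})

# Constructed corrected policy: the same read, scoped to one role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})


def is_wildcard_principal(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_grants(policy_json):
    """Return [(sid_or_index, has_condition)] for Allow statements granted to everyone.

    A Condition (for example aws:SourceIp) narrows the grant, so those are
    reported for review rather than treated as fully public.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", str(i)), bool(stmt.get("Condition"))))
    return findings


def is_public(policy_json):
    """True if any wildcard Allow statement has no Condition at all."""
    return any(not conditioned for _, conditioned in public_grants(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "public" if is_public(doc) else "not public", public_grants(doc))
```

Read this as one check among several: object ACLs and the account- or bucket-level Block Public Access setting also decide what is reachable, so a clean policy document alone does not prove a bucket is private.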
Risks by numbers: what’s out there?
Acronis sees about 300,000 new malware samples per day, working out to 6 per second. Of course, these are not all functionally different; most are a variant of something we have seen before. Think of it as a birthday present, where the wrapping paper is unique but the gift underneath is the same. You need X-ray vision to detect the problem, or a way to unwrap the layers before you know what you’re dealing with. Let’s look at some of the different kinds of malware that we see every day.
Nowadays, ‘malware’ and ‘threats’ are used as collective terms covering a whole range of attacks. Malicious software can be a Trojan, which sometimes carries benign, legitimate functionality such as a game or a piece of software, but more often today is invisible and offers no useful interaction at all. We see around 50 software vulnerabilities every day, some of which are severe, and others which are simply bugs that couldn’t cause much damage. When a vulnerability is leveraged to inject and run malware code, that is known as an exploit. Importantly, this kind of malware does not usually replicate on its own, which differentiates it from Worms. However, many threats today are a mixture of Trojans and Worms.
While Viruses usually consist of code that infects a single host device and replicates only after human interaction, Worms are standalone software packages that can replicate over the network from one machine to another, taking advantage of vulnerabilities without needing to be opened on each device.
Threats are only getting more sophisticated, the most prominent example being the APT, or Advanced Persistent Threat. These are often attributed to Nation-State attacks and could be a combination of 5 or 10 different pieces of malware, hiding in a network for months or even years without being seen.
Where do botnets fit in?
Another important threat to think about is Botnets, whose members are also referred to as zombies. These machines receive commands from a central server and can be scaled to hundreds of thousands of hosts, all reporting to the attacker remotely. An attacker could say, ‘send me the sensitive data’, ‘download that specific payload and execute it’ or ‘flood the system using a DoS attack’. These kinds of attacks are simple but can bring down a whole corporation.
So that’s what you should know from the point of view of the attacker: the tools and methods that they might use to break into your network or your systems. Next time, Acronis will walk us through exactly how your machines could be compromised from the front end, and of course the steps that you can take to mitigate this risk for yourselves and your clients. If you’d like to hear Candid Wüest for yourself, sign up for our July webinar, where he will be sharing some of his cybersecurity secrets with the Atera community.