
Cybercriminal Groups Unleashing Ransomware Within a Day of Target Breach


A recent threat report reveals a significant shift in cybercriminal tactics, indicating a noteworthy decline in the time it takes for them to deploy ransomware after initially infiltrating their targets. 

Last year's average of 4.5 days has plummeted, with cybercriminals now striking within the first 24 hours of gaining access, according to findings by cybersecurity firm Secureworks. 

This alarming trend underscores the company's warning that 2023 may witness an unprecedented surge in ransomware attacks, with three times as many victims appearing on leak sites in May compared to the same period last year.

However, Secureworks highlights a caveat regarding leak sites as a metric for gauging the scale of the ransomware issue. Notably, the report emphasizes that leak sites may only represent around 10% of the total victims known to law enforcement. 

Consequently, it urges caution when interpreting leak site data. Despite this, the aggregate data undeniably underscores the enduring appeal of ransomware and data extortion as lucrative criminal enterprises, posing a substantial threat to businesses.

Secureworks further reveals a disturbing statistic: in over 50% of its incident response cases, hackers managed to unleash their malware within a mere 24 hours of infiltrating the victim's network. 

This marks a stark drop from the 4.5-day average observed last year. In 10% of cases, ransomware was deployed within a staggeringly short five-hour window from initial access.

Don Smith, VP Threat Intelligence at Secureworks Counter Threat Unit, sheds light on the driving force behind this reduction in dwell time. He posits that cybercriminals are motivated by a desire to minimize the chances of detection, as the cybersecurity industry has become more proficient at identifying precursors to ransomware attacks. 

Consequently, threat actors are shifting focus towards simpler and faster operations, forsaking larger-scale, complex encryption events that span multiple enterprise sites. However, the risk posed by these expedited attacks remains significantly high.

Smith adds a cautionary note, emphasizing that despite the prevalence of familiar threat actors, the emergence of new and highly active threat groups is contributing to a notable surge in both victims and data breaches. 

Even in the face of high-profile crackdowns and sanctions, cybercriminals exhibit a remarkable capacity for adaptation, ensuring that the threat continues to escalate at an alarming pace.

Zellis Cyberattack: British Airways, Boots and BBC Employees' Personal Data Exploited


Zellis Cyberattacks Exploiting MOVEit

British Airways (BA), Boots, and BBC have recently been investigating an alleged cyber incident. The attack, apparently carried out by a Russia-based criminal gang, included the theft of the personal data of the companies' employees.

BA confirmed the attack, noting that the hackers targeted software named MOVEit used by Zellis, a payroll provider.

“We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” said a British Airways spokesperson.

The affected BA employees were informed of the situation by email, which stated that the compromised data included their names, addresses, national insurance numbers, and banking details, according to The Telegraph, which first reported the incident. BA added that the attack mainly affected staff who were paid through BA's payroll in the UK and Ireland.

Another company affected by the attack, Boots, says that “some of our team members’ personal details” were compromised. The Telegraph reported that the staff members were informed about the attacks, with the stolen data involving their names, surnames, employee numbers, dates of birth, email addresses, the first lines of home addresses, and national insurance numbers.

While a BBC spokesperson has confirmed the attack, the corporation denies that the breach involves any of its staff's bank details.

“We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures,” the spokesperson said.

Microsoft’s Investigation of the Attacks

Microsoft Threat Intelligence, in a tweet on Sunday, attributed the attacks on MOVEit to a threat group it calls Lace Tempest. The group is well known to threat intelligence firms for its ransomware operations and for running "extortion sites" that host data obtained in attacks using a ransomware strain called Clop.

Microsoft says “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”

According to Rafe Pilling, director of Secureworks, a US-based security firm, the attack was probably carried out by an affiliate of the cybercriminal gang behind the Clop ransomware and the associated leak site, alluded to by Microsoft, where stolen data is advertised. He adds that a Russian-speaking cybercrime organization is responsible for Clop.

Pilling warns that victims are likely to be contacted by the hackers in the near future and asked for a ransom in return for the stolen data. "Victims will be contacted and if they refuse they will probably be listed and published on the Clop site," he said. A MOVEit spokesperson recently confirmed that the company has "corrected" the vulnerability exploited by the threat actors.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” they added.  

Ransomware is Now the Top Attack Vector Due to Bug Exploitation


Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

The security firm's annual State of the Threat report is compiled from the insight gathered by its Counter Threat Unit over the past year.

A leading ransomware researcher has found that last year, ransomware actors mainly used vulnerabilities in systems exposed to the Internet to increase their effectiveness, rather than relying on stolen credentials, often associated with the compromise of Remote Desktop Protocol (RDP), or on malicious emails.

Reports suggested that this shift in tactics may be a direct result of a significant imbalance between the capabilities of threat actors and those of network defenders.

At the same time as threat actors are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs), driven by the need to generate profit or keep their tools relevant, are also implementing updated exploit code as soon as possible, the report illustrated. 

A point that is often overlooked is that responsible disclosure does not always wait for patches to become available. Even when a patch is available, patching a vulnerability in an enterprise environment is far more complicated and much slower than it is for threat actors or OST developers to weaponize publicly accessible exploit code.

Vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks noted a 150% growth in the use of info-stealers, which are designed to harvest credentials that attackers then use to gain network access and steal sensitive information.

On a single day in June, an anti-virus vendor reported observing over 2.2 million credentials that had been collected by info-stealers and put up for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

The good news so far this year is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy ransomware payloads.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures such as:

• Never click on unknown or unauthorized links or stores.
• Never enter your personal information on unofficial stores or websites.
• Never open unknown email attachments.
• Never plug in unknown USB sticks.
• Never download software or applications from unauthorized sources.
• Always keep your systems up to date.
• Always use a VPN when working over public Wi-Fi.
 
To ensure that vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without an effective vulnerability management (VM) program. 

Choosing the right VM tools is important, as they provide accuracy, guidance and efficiency, helping your team deal with the most critical vulnerabilities first. Once you establish a scalable and sustainable VM program, you will be far better placed to defend your systems against ransomware attacks.