Botnets, Extortionware and Nation-State Disruption
Part of Secrutiny’s Emerging Trends Podcast Series with Shane Shook, Secrutiny’s Chief Strategy Advisor and a Forgepoint Capital Venture Consultant.
Shane has been advising enterprises on Information Technology, Security and Risk Management for over 30 years, alongside providing breach investigation forensics and expert witness testimony.
Understand your risks and decipher the warning signs by tuning in to our brand new cyber security podcast, with expert insights on the latest and greatest information security trends and happenings.
In the first episode of Secrutiny’s Emerging Trends Podcast Series, we interview Shane Shook, a cyber security expert with over 30 years’ experience. Shane cautions us about two emerging trends: botnets built not only to invade estates and extract data but also to enable organisational sabotage or financial extortion, and the Iranian cyber threat. Read on to discover what Shane has to say, or simply press play and listen on the go.
What Emerging Trends and Current Events Are Impacting Organisations from Maintaining Appropriate Cyber Controls?
Over the last six months of live attack and incident data, we have noted two emerging cyber security trends which, although seen on a global scale, are more prominent in the UK market.
Trend 1: The Rise of the Nation-State Saboteur
The first trend is the ongoing growth and penetration of botnets that, once active in an estate, look to facilitate access for other malicious services which then undertake espionage and sabotage. Sabotage can range from nation-state interruption of service through to anonymous service disruption undertaken purely for notoriety.
For example, through the use of “Wipers” or DDoS, attack groups leverage botnets to gain access to select portions of an organisation’s estate, from which they make widespread attempts to interrupt that organisation’s communications or information services.
Wiper – a class of malware whose intention is to wipe the hard drive of the computer it infects.
DDoS – a “distributed denial-of-service” attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Shane commented that the Iranians’ penchant for “international issues have also brought Iran’s cyber capabilities to the fore due to escalated tensions in the Middle East, and their demonstrated history of cyber attacks. Interestingly, the tactics practised by Iran are very different in means and opportunity to what has evolved with recent ransomware extortion cases. The difference comes down to motives or motivation”.
Trend 2: The Move from Ransom to Extortion
Leveraging the increased prevalence of botnets, we have observed ransomware maturing from ‘incidental ransom’ to what is now being termed ‘Extortionware’, where access to an organisation’s data is merely a preliminary step used to open negotiations over preventing its disclosure or misuse. Malicious actors threaten organisations with harm by exposing personal or sensitive information.
For example, an attacker would compromise a database containing sensitive data and then threaten the enterprise that they will post the sensitive data online if their demands aren’t met.
Attackers are becoming ever more professional and brazen in their approach, with demonstrable effort directed at managing and controlling the extortion itself. Elaborate disclosure controls allow breached organisations to vet the information held, and even to open formal negotiations with the attacker based on the confidentiality of the data versus the scale of the organisation.
What Indicators Do Organisations Need to Look out For?
There are two sets of indicators that organisations should pay close attention to. The first is Network Indicators, which highlight live attacks on networks or business services, whether authenticated services or information services.
For example, an anomaly in the concentration of internet addresses attempting to connect to a given service is an early indicator that the organisation needs to protect that target. Alternatively, there may be a general attack across a range of information and communication services, in which case the organisation needs to protect itself as a whole, because a set of demanding circumstances is driving the attack.
Second is the need to assess whether there are any Coincidental Activities beyond what you are already observing, for instance against your bank accounts, or physical intrusion attempts into protected estates. More often than not, these widespread or large-scale targeted attacks on information services are used as a smokescreen for other, more harmful activities: theft, fraud, or sabotage of estates, as we have seen with Iran.
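As an added illustration of the network indicator described above (example code, not from Secrutiny or the podcast), the following Python counts the distinct source addresses connecting to each service per minute and flags any window where that count jumps well above the service’s own baseline in the other windows. The log line format, service names and addresses are constructed for the example, and the thresholds are assumptions to be tuned per estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not from the page): a trickle of VPN logins, then a
# burst of distinct addresses hitting the mail service in the second minute.
SAMPLE_LOGS = [
    "2024-03-01T10:00:05Z service=vpn src=198.51.100.10",
    "2024-03-01T10:00:40Z service=vpn src=198.51.100.11",
    "2024-03-01T10:00:50Z service=mail src=203.0.113.1",
    "2024-03-01T10:01:15Z service=vpn src=198.51.100.10",
] + [f"2024-03-01T10:01:{s:02d}Z service=mail src=203.0.113.{s}" for s in range(10, 18)]

LINE_RE = re.compile(r"^(?P<ts>\S+) service=(?P<svc>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Return (utc datetime, service, source) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["svc"], m["src"]

def distinct_sources_per_window(lines, window_seconds=60):
    """Map (service, window start epoch) -> set of distinct source addresses."""
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed input instead of crashing the detector
        ts, svc, src = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[(svc, window)].add(src)
    return buckets

def flag_concentration(lines, window_seconds=60, min_distinct=5, factor=3.0):
    """Alert (service, window, count) where distinct sources hitting one service
    exceed an absolute floor and `factor` times that service's average elsewhere."""
    buckets = distinct_sources_per_window(lines, window_seconds)
    per_service = defaultdict(dict)
    for (svc, window), srcs in buckets.items():
        per_service[svc][window] = len(srcs)
    alerts = []
    for svc, windows in per_service.items():
        for window, count in sorted(windows.items()):
            others = [c for w, c in windows.items() if w != window]
            baseline = sum(others) / len(others) if others else 0.0  # no history: compare to zero
            if count >= min_distinct and count > factor * baseline:
                alerts.append((svc, window, count))
    return alerts
```

Running `flag_concentration(SAMPLE_LOGS)` flags only the mail service in the 10:01 window, where eight distinct addresses appear against a baseline of one; the VPN never crosses the absolute floor.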
Shane continues: “Iran utilise kill chain tactics to set up and execute a plan with an epochal event correlated with media attention while leveraging false flags and disinformation”, and the opportunity they have consistently exploited has been simple: unpatched or improperly configured services.
All of the above means that nation-states such as Iran, or their proxies, are phishing and watering-holing with globally dispersed botnet facilities to drop custom malware or inject malicious code into processes to establish a beachhead. From there, they exploit poor administrative controls and architecture to maintain persistent access while they prepare their next-stage activities, which correlate with their motives.
What Are Their Motives?
Historically, the activities attributed to Iranian cyber attacks have focused on sabotage: massive disruption of information services and communications for media notoriety, whether against telecoms, banks, or utility infrastructure. Other groups, by contrast, tend to exploit Extortionware or ransomware, and even IP theft, principally oriented toward financial gain or some competitive market game.
“In today’s environment, the growth and spread of these global botnets are facilitating these more high-value services, and because of that whether it’s early indicators are reconnaissance or compromised, the same facilities are being used in these global botnets to pursue the ultimate objective,” continued Shane.
How Can Organisations Protect Themselves?
Living in an ever more digital world and with the increase in remote working patterns; it’s more important than ever to ensure information remains private and protected. Shane encourages companies to look for warning signs against attacks and have systems in place to ensure utmost privacy.
It is essential to understand that organisations which fall victim to these predatory attacks are fundamentally no longer in control. The malicious actors have usurped control of their authentication and most likely other key services to make detection and eradication far more challenging.
In most cases, the attackers do away with their reliance upon malware to fulfil their end goal, and in some incidents we have even seen the remaining malware used as a distraction, keeping responders from recognising and addressing the actual attack in progress.
Accordingly, control needs to be re-established by limiting the impact of misused administrative and service credentials to incidental systems, preventing the attackers’ continued opportunity to control the wider estate. By reclaiming control over the credentialed use of systems and services, victims gain time to establish better host and network defensive postures and to investigate root cause and impact, both for themselves and for their partners and customers.
“The past ‘security onion’ focus on security (firewall + AV + SIEM) is no longer a successful defensive or protection strategy. Organisations today are more dispersed and include more mobile users and devices and rely on more shared network services and partners. That means visibility at the network and endpoint, coupled with specific and unique rights to use credentials and data in those services is necessary,” added Shane.
“An actor needs three things to succeed – (a) tools, (b) credentials and (c) time. Take any combination of those away from them, and they will fail. Next to that is having visibility on who’s using what and how they’re making use of it? What are the network paths that they’re taking? What are the application services and configuration, of course, the credentials and how commonly those credentials are allowed or are being used?”
Cyber Attack Prevention
You can’t protect yourself 100% from cyber attacks, but you can take practical and pragmatic steps to limit your organisation’s cyber risk and mitigate the impact and damage when an attack does occur. Check out this infographic to discover Secrutiny’s 12 best practices and preventative measures.
These are general best practices and measures for preventing cyber attacks; for these specific trends, we would also recommend that organisations periodically check Sense or Google, as well as their social footprints, because those are information sources used for targeting by a variety of attackers.
In conclusion, Shane encourages listeners not to be hasty in their estimation of what the nature of the attack or actual risk is: “They should prevent the risk from continuing by recognising those attempts to exploit their authentication or exploit their network services and by doing so, prevent the ultimate objective from being attained”.
…but don’t rush to judgment on who the actor is or their intention. Be cautious, because understanding the actor helps calculate their end goal better than purely dissecting the methods they used to get in.
If you have any questions or concerns with any of the topics discussed, please get in touch and keep an eye out for our Spring episode as we catch-up on the latest emerging trends and current events with Shane.