Ransomware Attacks: New Ways to Exploit Old Vulnerabilities

The alarming rise of ransomware attacks is less shocking to those of us who’ve been in the industry for a long time. They grab the headlines, especially when they hit high-profile healthcare, education, and finance targets. But the reality is, there’s nothing new here. In fact, 76% of the vulnerabilities currently being exploited were first discovered between 2010 and 2019. Cybercriminals are leveraging these old weaknesses with the latest in AI and machine learning to maximize their impact.

This statistic comes from a new report on ransomware, which is worth going through to determine why old vulnerabilities are still a problem. Looking at this through the lens of “Is it a people problem?” could also shed some light on the future of ransomware attacks.

Ransomware Is on the Rise, and You’ll Never Be 100% Prepared

The increase in these attacks is something on the minds of most security leaders. When they happen, it’s cataclysmic and chaotic. It’s not just a breach — it’s the inability to access your data and disruption to your customers. There are monetary and reputational ramifications. The question is always, “Should you pay?”

It’s a polarizing question, with many adamant that not paying will convince other hackers not to attack them. That, of course, is flawed logic. I can tell you that cybercriminals don’t care what your position is. They are trying to maximize their return by infiltrating as many systems as possible. The answer changes when the stakes are higher, like exploiting vulnerabilities in medical devices.

This is rare, so the answer depends on your preparedness for such an attack. Do you have backups that are current? How fast can you restore systems? How advanced are your forensics?

If you’re not in a position to ensure business continuity, you can make strides to do this, and you should. Along with this prep, you’ll need to be proactive and forward-thinking. It’s impossible to mitigate every risk, as we learn in the report, Ransomware Through the Lens of Threat & Vulnerability Management.

Next, we’ll review some of the report’s biggest findings.

Breaking Down the Ransomware Report

This study has some great data in it that you and your team can learn from. Here’s my take on the findings:

Ransomware Vulnerabilities Increase

The report lists a 19% increase in vulnerabilities associated with ransomware, bringing the total in 2022 to 344. Researchers also mapped these to MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). In doing so, they found 57 highly dangerous, end-to-end exploitable vulnerabilities across 81 unique products. The most common vendors were Microsoft, Oracle, VMware, Atlassian, Apache, and SonicWall.

Scanning Tools Aren’t Catching These Vulnerabilities

You likely depend on scanning tools, like Nessus, Nexpose, or Qualys, but they aren’t detecting some of the serious issues. A total of 20 vulnerabilities were not detectable with these popular scanners, and all of them were old, discovered between 2010 and 2019. This isn’t unusual, as cybercriminals are always reinventing their attack strategies. They are constantly refining their methods and seeking to get past your defenses.

Trending: New CWEs

The report found that 80 CWEs (Common Weakness Enumerations) are contributing vulnerabilities that ransomware can exploit. This is a 54% increase over 2021. The problem, it seems, is that companies are releasing software and applications without a thorough evaluation of the code. Such a statistic highlights the race to get a product to market and keep shipping releases. It would seem that DevSecOps adoption may be faltering.

Whether you’re a cyber professional or a regular software user, there’s an expectation that the application will be secure by design. It points to a larger conversation about why security and development aren’t tighter. Security and innovation can play well together; they are not foes. To me, you can’t deliver the best software experience without weaving security throughout its design.

Ransomware Attackers Are Highly Sophisticated

Many of the groups launching ransomware attacks aren’t your everyday hackers. They belong to APT (Advanced Persistent Threat) groups. Many have connections to nation-states and seek to wreak havoc on infrastructure. So, it’s not all about the potential for money. The report highlights the rise of ransomware before the actual war between Russia and Ukraine, when Russian hacking groups targeted critical infrastructure in Ukraine.

Researchers also named China and North Korea as countries with APTs, and they believe this trend will only rise. Cyberwar is the newest playing field for conflict.

Old Vulnerabilities, New Attacks

As noted in the opening, 76% of ransomware-associated vulnerabilities date back to pre-2020. There is cause for concern when digging into this a bit more. The report calls out 264 old vulnerabilities, and 208 of them have publicly available exploits. The most significant data point from this section is that 119 of these are actively trending on the dark web, a sign of ongoing hacker interest.

Next, the analysts examined which products had these old vulnerabilities, with Windows 11, Enterprise Linux, openSUSE, and Linux having the most. Recall also that 20 of these were not detectable by the best scanners.

All of this points to the issue of cyber hygiene. It’s a good time to examine how you maintain system health and improve security. Much of this can be associated with the same-old challenges of legacy systems, unpatched components, and “shadow” IT assets. They are the favorite entryways for hackers, and as long as we, the good guys, don’t address them, they have an easy way to get inside and do damage.

Putting a spotlight on this will beget greater visibility, but this may be a deeper problem that has a lot to do with your people. I don’t mean your technical folks aren’t good at cybersecurity. They likely are. What they often aren’t good at is communication, adaptability, flexibility, and uncertainty. However, these are attributes of the job. When they don’t evolve their mindset, security vulnerabilities will persist. They prefer the status quo and certainly don’t want anyone challenging them. That’s when they get defensive, and that’s not the type of defense you want them playing.

It’s a problem that encircles some other trends.

More Ransomware Trends and Predictions

The report also offers some insights on what to expect. In 2022, phishing, email compromise, stolen credentials, and vulnerabilities enabled ransomware attacks. These have been standard entryways, so the focus goes back to what’s happening with vulnerability management.

The foundations of a good program are processes, people, and technology. Technology can assist, but you need robust protocols and people that will think critically and act, which requires them to move outside their comfort zone. So, yes, this is a people problem, too.

Another trend I’ve written about is the proliferation of AI. It’s become very accessible, which has pros and cons. Bad guys will use it the same way the good guys are.

So, what does all this mean in the picture of how your people will evolve and be better at combatting ransomware?

There are a lot of people gaps in protecting against ransomware. That is something you can change. I developed a system to do just that with the Secure Methodology™. It’s a seven-step guide to help cyber leaders transform staff into highly communicative, collaborative, and adaptable professionals.

The Future of Ransomware Defense: People Matter

Your cyber team won’t magically change overnight and develop the people skills they need to win the cyber war. It’s a process, which is why there are seven steps. Each of these connects to how technical people act and feel. The problem is that they have little awareness of how these actions and feelings heighten risk and deter collaboration. You have the opportunity to open their minds to this and connect it to being a better cyber professional (and, possibly, person!).

If you present this to them as something that’s not threatening, they’ll be more receptive. It’s still change, which is hard for anyone in any situation. Remember, these people don’t like to be wrong. They want to be the smartest person in the room. So, they’ll resist when they hear they aren’t and need to adapt. But that’s the point of becoming better at work or in life.

Here are the main things that the Secure Methodology can do for you and your team.

  • It can teach them real skills on how to communicate, which includes listening and understanding nonverbal cues. They’ll have to leave behind their geek speak and adopt a more inclusive language. There are exercises in the Secure Methodology to facilitate this.
  • It can expand their mindset. People can’t grow when they have a closed mindset. Opening up will help them reframe their perspective, which can create some “aha” moments.
  • It can help them be more empathetic. Empathy is an essential trait for technical people. If they can understand the position of others, even hackers, they’ll be better prepared to defend against them. Empathy within the team also cultivates trust and respect.

Ransomware will continue to be a considerable threat to any organization. The numbers tell the story, and you have to be creative in how to thwart it. Your people are the most crucial component, and the more you can develop their non-technical skills, the better.

You can learn more about the Secure Methodology by reading my book, The Smartest Person in the Room, and checking out the course, now available.

What the Latest Cybersecurity Breaches Can Teach Us

In the field of cybersecurity, there are always opportunities to learn. It’s a dynamic ecosystem that’s always changing in terms of threats. There’s also no shortage of cybersecurity breaches, with fear-inducing headlines that can make any company shudder. But I’d also argue there is much to learn in these situations.

In a perfect world, breaches and attacks wouldn’t happen. Everything would be top-notch secure, and cyber criminals would be foiled at every turn. Unfortunately, that’s not the reality. In fact, breaches are rising, and hackers are getting smarter and more sophisticated. Data breaches exposed 22 billion records in 2021, and ransomware attacks increased by 92.7% from 2020 to 2021.

Even with the most robust tools and processes, you can’t guarantee your organization won’t be a victim. Aside from these components, the human element is the most important. Who you put in charge of protecting data and securing your infrastructure is most often the differentiator. And those people need more than just technical aptitude. They need to be communicators and collaborators. They need to be flexible and open to change and growth.

With that in mind, let’s consider what the latest cybersecurity breaches can teach us.

U-Haul Data Breach Exposes Customer Information

The moving and storage company U-Haul reported a data breach to customers in September 2022. The attack enabled cyber criminals to access rental contracts between November 2021 and April 2022. As a result, over 2 million customers had sensitive data exposed, including names, driver’s licenses, and state identification numbers.

The hack succeeded because the attackers compromised unique passwords that granted access to customer contract search tools. The company didn’t disclose anything further about the password compromise.

In this scenario, a few things come to mind as learnings. First, it highlights the need for multifactor authentication across the entire enterprise. Second, it’s possible zero trust architecture could have prevented this. Third, perhaps there wasn’t visibility or transparency across the digital infrastructure, which left this database vulnerable. They could have averted such a breach not with better tools but with better communication.

OakBend Medical Center Suffers Ransomware Attack

Ransomware in healthcare has become a serious issue, with over 55 of these attacks this year alone. Due to a ransomware attack, the OakBend hospital had communication and IT issues. They announced they were working under “electronic health downtime procedures.”

The standard response was to take everything offline and rebuild their systems. Healthcare is a key target for hackers, as they know this is a mission-critical industry that will often pay the ransom.

This incident shows that updated and practiced cyber incident response procedures are critical. Additionally, questions about redundancy and backups are relevant. We don’t know the details, but with healthcare, the weak link is often legacy systems. Human error and apathy are brewing in hospital IT offices.

Healthcare data is a serious business. I would advise any healthcare organization to modernize its approach to cybersecurity, which requires removing legacy systems, updating infrastructure, and driving change in the hearts and minds of the professionals responsible for it. Until these things happen, healthcare will always be an easy target.

Aon Data Breach Exposes Sensitive Customer Data

Aon first noted the breach in its Securities & Exchange Commission filing in February 2022. However, the global financial company didn’t advise customers until May. The breach’s root cause was access by an unauthorized third party. The company’s investigation reported no evidence that the stolen data was misused and that they had enacted new controls.

It makes you wonder: if these controls are so robust, why weren’t they already in place? And why did third parties have the opportunity to steal customer information?

Aon, like any other financial institution, certainly has a sophisticated cybersecurity footprint with teams of professionals who are experts. Yet, there’s always a way in! Would zero-trust architecture have saved the day? Would all those smart cyber folks have noticed this access vulnerability sooner if they worked more like a team rather than as individual contributors? Without more details, it’s hard to know. As someone who’s been in this industry a long time, I know that human blind spots are the worst.

Social Engineering Scam Exposes Marriott Customers’ Credit Card Information

Marriott reported that an employee was a social engineering victim, leading him to turn over credentials. The hackers then tried to extort money, contacting the company boasting of their access. The hotel chain stated that the hacker didn’t reach its core network, but customer data related to the specific location was part of the breach. Marriott refused to pay the cyber criminals and contacted law enforcement.

The obvious learning is around constant and consistent training for employees on cybersecurity. However, even if that’s in place, employees may not give it much credence if it’s not a top-down philosophy that’s part of the company culture. Other points to consider are again about access — who has it, how they get it, and who is trustworthy.

If you take away anything from these cases, the most important thing is going back to your people. How are they protecting your data? What are their misconceptions or flawed reasoning?

The most secure companies don’t get that way because they spend the most money or have all the latest and greatest tools. They don’t end up in the headlines because their people work proactively and are agile in collaborating and communicating. If you can do anything right now to strengthen your company’s defense posture, it’s about getting your technical teams aligned, motivated, and growing their mindset. Without this, everyone stays in the same place, and the hackers will keep succeeding.

Ransomware – Should You Pay?

Last night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctors’ tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to “manually” doing everything – filling out paper lab requests, using a whiteboard for patient status, using old school methods to diagnose patients, etc.

A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.

This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.

Ransomware Attack - Manual method

The reliance on medical technology makes manual processes like this prone to mistakes.

I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay the ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay the ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?

Also, the rationale for the “we do not pay the ransom” policy goes something like this – “if the hackers know we do not pay the ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize odds of success and returns.

The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor that paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.

But, wait…what if you pay the ransom and the hackers just take your money and don’t decrypt your systems? 

This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT or cybersecurity staff.

Risk is a real issue that is almost always overlooked. Sure, screw paying the ransom if:

  • Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
  • Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
  • Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
  • Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
  • Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?

In the Chicago Med episode, they had to end up diverting patients to other hospitals because of the ransomware. The Chicago Med IT Staff seemingly did not have a plan, at least a timely one, to restore the hospital systems.

I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.

So, what can you do to help with RANSOMWARE? I recommend 3 things to start:

  1. Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.

  2. Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.

  3. Secure and test your critical system backups. Make sure the backup system is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.
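The readiness checklist above (current backups that restore quickly, knowing whether the infection reached the backup system) and steps 2 and 3 both come down to one thing: proving, before an incident, that a backup actually restores. The following is an added example, not Alpine Security’s code. It creates a constructed sample data set standing in for a critical asset, backs it up with a SHA-256 manifest taken at backup time, restores the archive into a scratch directory and compares every file against the manifest. It then exercises two failure modes a restore test should catch: a file that exists today but was never captured (the backup is not current), and an archive that was overwritten in place (a stand-in for ransomware reaching the backup store). The file names and contents are invented.

```python
"""Restore-test harness for critical-system backups (added example)."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample data standing in for a hospital's critical asset.
SAMPLE_FILES = {
    "ehr/patient_index.csv": b"id,name\n1,Test Patient\n",
    "lab/requests/2024-01.json": b'{"requests": []}\n',
    "imaging/mri_config.ini": b"[scanner]\nmode=normal\n",
}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time.

    Store the manifest where the backup system cannot write; otherwise whatever
    tampers with the archive can rewrite the manifest to match.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore archive into restore_dir and return a list of problems.

    An empty list means every manifest entry was restored byte for byte.
    """
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # Python 3.12+ safe extraction
            except TypeError:
                tar.extractall(restore_dir)  # older interpreters lack filter=
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return [f"restore failed: {exc}"]
    restored = build_manifest(restore_dir)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"altered: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in sorted(restored.keys() - manifest.keys())]
    return problems


def simulate_backup_compromise(archive: Path) -> None:
    """Overwrite the archive in place (constructed stand-in for ransomware
    encrypting the backup store); the restore test must catch this."""
    archive.write_bytes(bytes(b ^ 0xA5 for b in archive.read_bytes()))


def run_demo() -> dict:
    """Back up the sample asset, then run three restore tests and return results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "critical_asset"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        archive = tmp / "critical_asset.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest, tmp / "restore_clean")
        # A file created after the last backup run: the backup is not current.
        expected_now = dict(manifest, **{"lab/requests/2024-02.json": "0" * 64})
        stale = verify_restore(archive, expected_now, tmp / "restore_stale")
        simulate_backup_compromise(archive)
        hit = verify_restore(archive, manifest, tmp / "restore_hit")
    return {"files": len(manifest), "clean": clean, "stale": stale, "hit": hit}


if __name__ == "__main__":
    print(run_demo())
```

Run on a schedule against the real backup target, the test is the part that matters: a non-empty problems list, or an exception on open, should page someone, because either means the backup would not have saved you during an incident. Keeping the manifest on separate, write-once storage is what makes the “altered” and “restore failed” cases detectable when the backup system itself has been hit.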

If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, Alpine Security can help you with our CISO-as-a-Service.

70% of Cyber Attacks Will Be Against Small Businesses in 2020

In 2020 it is estimated the percentage of cyber attacks against small businesses will be close to 70%. It’s also estimated that in 2020 the cost of cyber attacks is going to be around $5 trillion. That’s trillion with a T. And if 70% of the attacks are against small businesses, then obviously the small businesses are going to be paying for a lot of that $5 trillion. Cyber attacks affect small businesses in a few ways. This post discusses how cyber attacks affect small businesses and what can be done about it.

The Effect of Ransomware and Stolen Data on Small Business

One way cyberattacks affect a small business is when it is hit with something such as ransomware. The ransomware can render systems useless for a week or two, so the small business can’t provide the service or produce the product it needs to generate revenue. It is dead in the water for that time, and that alone can put a small business out of business.

The other primary way that small businesses pay for a cyber attack is when a small business’s client data is stolen. Typically, for every record that’s stolen, the small business has to pay for credit monitoring. There’s a clinic in Missouri that was put out of business. They had 20,000 patient records stolen by an attacker and had to pay for credit monitoring for all 20,000 of those patients. I’m not exactly sure of the price of the credit monitoring, but I think it was around $20 per person. So if you had 20,000 records stolen and you have to pay $20 per record, that’s $400,000 that the small business had to pay per year in credit monitoring fees. Most small businesses do not have a cash reserve of $400,000, so that took the clinic out of business.

Why Do Cybercriminals Attack Small Businesses?

You may ask yourself, “Why do attackers go after small businesses? Why is the percentage so high towards small businesses?” There are two main reasons. The first reason is most small businesses do not have a very mature cybersecurity program. They don’t have a dedicated staff to solely work on cybersecurity, it’s typically somebody’s additional duty. The attackers know this and they know that they can more easily get into a small business than a larger business because most large organizations have a dedicated cybersecurity staff and a mature cybersecurity program.

The second reason is attackers will attack a small business and use that business as a foothold to attack a larger business. Small businesses typically have relationships with larger businesses. If the large business is fairly secure but the small business is not, the attacker’s going to go after the small business and then leverage that relationship from the small business to attack the larger business.

An example of this is Target. Target’s a large store. Obviously, they’re all over the place, but Target wasn’t attacked directly because they have a fairly mature cybersecurity program. The HVAC vendor or heating, ventilation and air conditioning vendor was attacked. The HVAC vendor for Target was a small business. So the attackers attacked the HVAC vendor and then from there, they leveraged the HVAC vendor’s relationship with Target. The attackers rode the trusted connection from the HVAC vendor to attack Target and compromise Target’s point of sale machines which stole everyone’s credit card numbers.

As a recap, the two reasons small businesses are attacked:

  1. They are typically not very mature in the cybersecurity maturity process
  2. They are often leveraged to attack the larger business

What Can You Do?

My company, Alpine Security, believes small businesses are vital to the economy. We’re a small business and we want to support other small businesses. So we’ve come up with our fractional virtual CISO service, which offers an affordable means for small businesses to develop cybersecurity capabilities in alignment with risk tolerance, industry, and business objectives. To learn more about our CISO service, you can call us at (844) 925-7463, email us at [email protected], or visit: https://alpinesecurity.com/services/ciso-as-a-service/

It is in our interest to help small business owners protect their environments from being attacked.