By Jayakumar (Jay) Kurup, Global Sales Engineering Director at Morphisec

Securing operational technology (OT) creates unique challenges.

Zero tolerance of downtime in factories, ports, banks, treatment plants, and other OT environments means that standard security practices like patch management or deploying protective solutions onto endpoints can be almost impossible to uphold.

Sometimes this is due to cultural reasons (management’s fear of even the slightest chance of disruption); other times, it is technological. OT systems often come as closed systems with firmware and software installed by a supplier.

Despite these challenges, securing OT environments is still something that needs to happen. So, what do you do with an inherently vulnerable system that you don’t want to touch? You try to air-gap it. Great in theory. In practice, however, air-gapping an OT system or firewalling its protected network is only the beginning of hardening its overall security.

OT Attacks Are on the Rise

Whether for geopolitical purposes or to collect a ransom, disrupting or threatening the performance of OT systems can be a huge win for threat actors. This has always been the case, but with OT cyberattacks rising by 87% last year, the threat level to OT is higher than ever.

Since the kinetic conflict between Russia and Ukraine began, a cyber war has been fought in parallel. The result has been a global wave of OT attacks compromising companies like Rosneft, Nordex, the UK postal service, and more.

Threat actors are also finding more ways to compromise OT environments.

Only a minority of infrastructural attack chains are the kind of “pure” OT compromises we famously saw in 2010 with Stuxnet, the 2018 Shamoon attacks on Saudi Aramco, and more recently with the 2020 EKANS ransomware attacks against Honda and Enel. Instead, attacks can come from various vectors, including insiders, the business networks that connect to protected networks and OT assets, and downstream supply chain compromise (e.g., the “Chinese Spy Cranes” reports).

These different vectors are all a threat to OT systems because fully air-gapping an OT system is impossible. Industrial control systems (ICS) need to connect to corporate TCP/IP networks periodically, and when they do, they can end up plugged into the wider network, exposing the system to potential vulnerabilities and risks.

Ransomware or malware that disrupts the flow of data into a system, threatens connections between endpoints (as we saw in the Nordex attack), or exfiltrates proprietary information can shut down operations too.

The rise of remote access capabilities and business connectivity also means that OT networks are plugging into IT environments more than ever. Even in the most secure networks, blind spots and security gaps will emerge. OT users need point solutions to plug these gaps in a way that complements their legacy systems and security technology.

What OT Security Controls Need to Do

No single layer of security can be relied on to protect OT systems, and layering security (aka “defense in depth”) is critical. However, defense in depth isn’t possible without effective security controls. This is where many OT security programs struggle. Security solutions must overcome three serious challenges to stop threats in and around unconventional, resource-constrained, and reliability-focused OT systems.

First, anything deployed on an OT or OT-adjacent system needs to avoid the problem of false positive alerts. In OT environments, processes cannot be shut down because of a false positive.

Second, protection must work efficiently when deployed on resource-constrained devices and over low-bandwidth links within complex network topologies. In OT environments, solutions that rely on downloading updates (which can inadvertently expose assets) create risks of their own.

Third, and most importantly, any OT security solution needs to stop advanced threats from propagating from the IT (business) network into the IT/OT DMZ and on into the OT (operational) network. This is critical because these environments are targets for some of the world’s most well-resourced APTs, who can and will use zero days, fileless worms, trojans, and customized ransomware and malware to attack valuable targets.

Outside of OT environments, scanning-based solutions such as endpoint detection and response (EDR) platforms are used to protect IT endpoints. In OT environments, however, they are not suitable and will often heavily underperform. This matters because endpoint protection platforms (EPPs) and EDRs rely on continual telemetry for signature and behavioral pattern updates and threat feeds. As a result, EDRs cannot operate properly in an air-gapped environment.

As these solutions scan for malware hooks, they consume scarce computing resources. Most EDRs are also incompatible with the diverse range of legacy operating systems, hardware, and applications found in a typical OT environment, and they generate many false positives. None of this bodes well for their longevity in any sensitive site.

Most importantly, the biggest issue with using EDRs to protect OT-adjacent systems and networks is that they fail to detect fileless and evasive attacks reliably. Many threats don’t create the recognizable signatures EDR looks for. Advanced threats (such as those built on Cobalt Strike) also operate in hard-to-scan places like device memory at run time.

The same applies to solutions that use similar technology in other parts of the IT environment, such as network detection and response (NDR) tools deployed to analyze network traffic.

Protecting OT Environments with AMTD

Automated Moving Target Defense (AMTD) is a lightweight, preventative solution that can be deployed in and around OT systems to shut down attack pathways.

AMTD is fundamentally suited to OT environments because it stops threats without needing to detect them. It also does not require an internet connection, up-to-date telemetry, or modern OS versions.

Able to stop zero days, fileless attacks, and evasive attacks, AMTD randomly morphs the runtime memory environment to create an unpredictable attack surface and leaves decoy traps where the original targets were.

OT threats don’t follow standard playbooks. They are often unknown and dynamic and, with the firewalls around OT systems dissolving, they come from more places than before. This is what a changing threat landscape looks like. As always, the best response is to double down on prevention. AMTD is a proven solution for preventing the worst threats OT security teams will ever experience.

The post How to Protect Operational Technology (OT) from Cyber Threats appeared first on Cybersecurity Insiders.

A recent ransomware attack on a New York-based biotech company, Enzo Biochem, has resulted in the exposure of sensitive information belonging to more than 2.5 million patients. The cyber incident, which occurred on April 6th, compromised clinical test data and approximately 600,000 social security numbers. Enzo Biochem, renowned for its bacterial disease detection capabilities, has confirmed the breach in its SEC filing, expressing concerns that employee data may have also been accessed by the malicious actors behind the file-encrypting malware.

The identity of the ransomware group responsible for the attack has yet to be disclosed, as investigations into the incident are ongoing. However, it is not uncommon for ransomware gangs like LockBit and BlackByte to target healthcare organizations due to the high demand for the sensitive data they possess on the dark web. Information such as social security numbers, dates of birth, insurance details, and payment card information can fetch considerable sums, depending on the authenticity and novelty of the sourced data.

Law enforcement agencies worldwide have been intensifying their efforts to apprehend notorious ransomware gangs. In response, these groups have adapted their modus operandi. Recent trends indicate that they are now targeting the same victims multiple times within a year. Consequently, the FBI has issued a warning, cautioning organizations against paying ransoms as there is no guarantee of receiving a decryption key in return. Instead, it is advisable for companies to rely on robust backup strategies for data recovery and refrain from incentivizing criminal activities by meeting ransom demands.

The ransomware attack on Enzo Biochem has exposed the personal and clinical data of millions of patients, highlighting the growing threat posed by cybercriminals to healthcare organizations. To mitigate such risks, it is crucial for biotech and medical firms to invest in comprehensive cybersecurity measures, including robust data protection protocols, employee training programs, and effective incident response plans. By prioritizing cybersecurity and adopting proactive measures, organizations can enhance their resilience against ransomware attacks and safeguard sensitive patient information.

The post Ransomware attack on Biotech company exposes info of over 2.5 million patients appeared first on Cybersecurity Insiders.

A new study conducted by Veeam Software claims that hackers have shifted their focus towards backup storage appliances, because encrypting the backups gives them assurance that the victim will pay the demanded ransom.

According to Veeam’s 2023 Ransomware Trends report, one in seven organizations was infected with file-encrypting malware in the past year. Of these organizations, at least 80% were forced to pay a ransom because their backup storage appliances had also been encrypted by the malware, leaving them no choice but to comply with the hackers’ demands.

Interestingly, Veeam also sheds light on the ransom payments made after cyber-attacks. It argues that victims’ negligence in protecting their data from intrusion creates an environment in which cybercriminals can wreak havoc.

The Veeam survey also highlights the fact that paying a ransom does not guarantee recoverability, as threat actors never provide assurance that they will promptly return the decryption key upon receiving the ransom.

What if they demand more for the decryption key or fail to delete the stolen data in the case of double extortion attacks? What if they repeatedly target the same victim because they have found a way into the victimized network?

While Veeam, being a backup software provider, maintains a neutral opinion on those spreading ransomware, it is advisable not to pay a ransom to hackers. Instead, it is better to invest in technologies that offer on-site and off-site backup appliances, as well as cloud resources.

The post Now ransomware hackers targeting backups for ransom pay assurance appeared first on Cybersecurity Insiders.

13 years in jail for a spoofing scammer, a rogue IT security expert’s Bitcoin blackmail goes wrong, and Facebook’s eye-watering GDPR fine may be only the beginning of its problems. All this and much, much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by the Imposter Syndrome Network podcast’s Zoë Rose.