In this edition of the newsletter, we will cover:
- Supply chain attacks - SolarWinds
- Cybersecurity trends
- Cybersecurity trends - Africa
Supply chain attacks - SolarWinds
First reported on the 13th of December 2020 by FireEye who had been investigating the theft of intellectual property of theirs, the SolarWinds hack has occupied the attention of hundreds of organizations worldwide. As incident response and cyber forensics teams continue to probe into this highly sophisticated campaign, the number of victims grows, but so does the understanding of the motives, tactics, and techniques of the threat actor.
What are supply chain attacks?
Third party cyberattacks, also known as supply chain attacks, stem from the inherent risks that firms face when dealing with partners, vendors, or suppliers. In these attacks, malicious actors compromise one set of companies and, hiding behind trusted relationships, commit criminal acts against others.
How did the SolarWinds one materialize?
In the SolarWinds case, the tech giant’s infrastructure had been breached, weaponized software updates carrying the Sunburst backdoor had been prepared and then distributed to customers of the Orion platform.
How many have been impacted?
According to a report from the New York Times, since March 2020 the Sunburst backdoor had been installed on roughly 18,000 systems that had contacted the malicious party’s command and control servers.
On a portion of those endpoints, the attackers had also deployed the Teardrop malware which could, among others, exfiltrate data and install additional malware. The exact figures of how many companies have fallen victim to the second-stage attacks are not clear. Mandiant’s initial estimate has been 50. Per official announcement, Microsoft, its resellers and at least 40 of its customers have suffered.
The United States federal agency CISA has indicated that fewer than 10 US government agencies have been breached. According to Amazon's intelligence team, as many as 250 organizations may have been compromised. Unnamed US officials believe however that some victims may have been counted twice.
What is the motif?
The US Cyber Unified Coordination Group believes it to be an intelligence gathering effort.
Who could this sophisticated attack be attributed to?
Per US intelligence agencies, the malware campaign is likely of Russian origin. Researchers at Kaspersky have found code similarities between the Sunburst malware deployed on SolarWinds’ Orion servers and known versions of the .NET Kazuar backdoor which Palo Alto’s intelligence team had tentatively linked, back in 2017, to the Russian advanced persistent threat group Turla. Kaspersky’s cyber experts have spotted the use of Kazuar together with other Turla tools during multiple breaches in the past years.
1. The appetite for SMBs
Although SMBs may have historically ruled themselves out of the appealing targets’ lists of cybercriminals, a recent study by Verizon has found that 28% of all breached victims were indeed small entities. It also found that 14% of the breaches were suffered by small businesses in the Finance and Insurance sector, 14% by the Information industry, 14% by the Healthcare sector, and 10% by the Public sector.
Note: The percentage figures have been rounded off.
2. Phishing automation
Phishing will remain a mainstream tactic for the theft of user credentials, fraud, and malware distribution. Per reports from F5 Labs there has been a 15% annual increase in phishing incidents in 2019 and another 15% in 2020. The growth in the use of TLS encryption and digital certificates across phishing sites along with the trend of adversarial emails becoming more sophisticated while legitimate business ones becoming less believable will make this attack vector even more successful.
Also, analysts at WatchGuard foresee a major increase in spear-phishing attacks in 2021 due to automation. “Cybercriminals have already started to create tools that can automate the manual aspects of spear phishing. By combining such tools with programs that scan data from social media networks and company websites, phishers can send thousands of detailed, believable spear-phishing emails, with content customized to each victim.”
3. The ransomware scourge
The ransomware threat has been bullying firms across all industries and geographies in 2020 and will continue to do so in 2021. As of September 2020 one in four attacks remediated by the IBM Security X-Force Incident Response Team has been caused by ransomware with 41% of the analyzed attacks targeting organizations with operational technology (OT) networks. According to Digital Shadows and their Q3 2020 ransomware update, “not only was there a new attack reported every day, but that new variants and new data leak sites were popping up each week.”
4. Cloud and VPN infrastructure at the gunpoint
A recent study by Gartner has flagged the “distributed cloud”, which is the migration of business processes to the public, private or hybrid cloud, as a key priority in 2021. With more companies moving away from the on-premise setups and with work-life realities being shaped continuously by the COVID-19 pandemic, cyberattacks against cloud and VPN backbones are expected to spur.
According to the Threat Post, the ongoing reliance on remote workers will present a “fertile attack vector for criminals looking to exploit insider threats”. Forrester researchers already link 25% of the data breaches to trusted insiders and believe that the number will grow to 33% in 2021. Forcepoint also warns of an uptick in insider threat-related cybercrime. Analysts “expect to see bad actors, literally, becoming deep undercover agents who fly through the interview process and pass all the hurdles” to embed themselves within the target entities with the goal of gathering and exfiltrating valuable intellectual property and/or sensitive data.
Cybersecurity trends - Africa
At the end of 2020 KnowBe4, a global leader in the provision of cyber security awareness training solutions, issued a highly informative cybersecurity report which had interviewed 900 participants across eight countries – South Africa, Kenya, Nigeria, Ghana, Egypt, Morocco, Mauritius, and Botswana.
The research found that:
- Attitudes and behaviors had been shifted because of the global Coronavirus pandemic.
- More people (48% of the respondents) were concerned with cybercrime in 2020 as compared to the 38% in 2019.
- There was greater awareness however around Two-Factor Authentication and Ransomware.
- 96% of the surveyed had flagged the use of WhatsApp for personal reasons, while 85% – for work-related ones. 87% of the participants had answered that they used email as their primary communication channel at work. These statistics, coupled with the 67% of the participants using smartphones on a regular basis for both payments and mobile banking, make email and instant messaging the biggest threats facing the average user.
Note: The percentage figures have been rounded off.
As many people keep on working remotely, training and awareness will remain the best first steps to protect individuals and businesses alike from the cybersecurity risks in the wild.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Amatas, Cyware, FireEye, The New York Times, Amazon, Microsoft, US CISA, Kaspersky, Palo Alto, Verizon, F5 Labs, WatchGuard, Security Intelligence, IBM Security X-Force, Digital Shadows, Gartner, The Threat Post, Forrester, Forcepoint, KnowBe4, Creative Commons.