Security teams struggle with ransomware, cloud services

Ransomware, insecure internet-facing systems and attacks against cloud-based services are among the top threats facing industry this year, according to new and recent threat intelligence reporting. 

The Q2 threat report released today by Rapid7 and detailing the latest tools and tactics used in cyber campaigns targeting the private sector, pegged the manufacturing sector as the most targeted industrial vertical in the second quarter, followed by the finance, retail and healthcare sectors.

Even as manufacturers have consistently ranked at the top of the list in previous reports, there was a notable increase tracked by Rapid7 between Q1 and Q2. Many industries suffer from outdated or insecure legacy tech, interoperability problems that prevent timely patches and other common issues, but Wade Woolwine, a principal security researcher and one of the authors of the report told SC Media the manufacturing sector in particular has “bad IT practices, generally speaking” and less regulatory oversight of their digital security practices compared to other sectors.

“In all of the work that I’ve done with manufacturing customers, their IT systems are really far behind…the business reasons [for doing something] typically trump the security reasons,” said Woolwine. “Because if you shut down that Windows XP system that’s running the entire factor, you’re up the proverbial creek and also the company that wrote that software went out of business 10 years ago. So, they have a really unique challenge in balancing security and business priorities, and the net result is that creates a huge attack surface for attackers.”

The manufacturing sector’s reliance on IT systems to stay operational and solvent combined with their role building and selling much of our hardware and software makes it an attractive target for both profit-motivated criminal hackers as well as Advanced Persistent Threat groups looking to steal intellectual property or sabotage the supply chain. A threat report released earlier this month by CrowdStrike’s OverWatch team found similar unique problems in the manufacturing sector, saying it is “among only a handful of industries that OverWatch routinely sees targeted by both state-sponsored and eCrime adversaries.”

That kind of poor security posture can lead to compounding problems when systems go offline due to an intrusion.

“If an attacker – ransomware or something – hits [a vulnerable manufacturer], you know they’re getting paid,” said Woolwine. “Whatever they ask for, they’re getting paid, so over time attackers have gotten more business savvy.”

It’s not just manufacturers who need to worry. Ransomware attacks have exploded across private industry, state and local government and school systems over the past two years at a time when an economic recession, budget cuts and a new reliance on remote work has left many organizations vulnerable.

CrowdStrike’s report tracked the “extraordinary success threat actors have seen with targeted intrusions using ransomware and Ransomware-as-a-Service models,” with Dharma, Phobos, Medusa Locker, REvil and Makop making up the top five variants the firm has seen deployed between January and June. While nation-state hacking groups often get more press, the company found that more than 80 percent of observed intrusions in the first half of 2020 were carried out by eCrime.

Cybercriminals “continue to achieve enormous success with ‘big game hunting’ campaigns, and the availability of commodity malware through ransomware-as-a-service models has contributed to a proliferation of activity from a wider array of eCrime actors,” the report said.

The volume of threats against cloud-based emails and systems remains high as nation state hacking groups and ransomware gangs increasingly gravitate towards exploiting managed service providers. That activity will likely only increase in the coming years.

“We saw a huge increase [of attacks against cloud providers] probably four or five quarters ago…but since then we’ve seen it maintain very steady since,” said Woolwine.

One honeypot set up by the Rapid7 detected Mirai-like network connections for second-stage malware downloaders originating from over 8,000 botnet IPs, coming from web servers, routers, cameras DVRs and other IoT devices. That represented an “outside the norm” uptick in measured activity compared to previous quarters.

While the coronavirus pandemic and subsequent largescale shift to remote work nationwide has in many ways opened up a golden age for cyber criminals and scammers, telemetry data from another honeypot tracked “an order of magnitude drop” in daily SQL server brute force attacks beginning around May.

However, there is still a pool of nearly 100,000 SQL server instances exposed to the internet, and researchers detected a range of malicious activity in their honeypot, from attempts to install cryptomining software to exploiting unpatched systems with EternalBlue, a hacking tool originally developed by the National Security Agency and later leaked out into the wild by the Shadow Brokers.

The main takeaway from this research: “You’re taking a huge risk putting any database query interface directly on the internet and doubly so if they can be accessed with simple credentials,” Rapid7 noted.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.