Businesses have thrived in the era of more – more tools, more access, and more connections. In the digital landscape, though, having more doesn’t come without risk. While businesses have continued to grow and scale, cyber attacks have done the same, and quickly.
This post discusses some of the most dangerous endpoint, identity, and cloud-based cyber attacks from the first three quarters of this year. Understanding their causes and impacts is the first step businesses can take to strengthen their defenses against similar attacks in the future.
Endpoint attacks have evolved in the last two decades from computer viruses to sophisticated ransomware campaigns targeting high-profile organizations. The challenge today is that protecting endpoints isn’t what it used to be. Threat actors are professionalizing, turning ransomware activities into full-scale service models. The rise of Ransomware-as-a-Service (RaaS) means that even low-level cybercriminals can now access and profit from complex malware tools.
In the first three quarters of this year alone, ransomware has targeted multiple critical infrastructure organizations, including those listed below:
- Bernalillo County (Ransomware attack) – In January 2022, New Mexico’s most heavily populated county experienced a ransomware attack that took out many of its government systems and services. The attack forced officials to keep most county buildings closed to the public.
- Denso (Pandora Ransomware) – In February, Denso, a Fortune 500 company supplying automotive parts for Toyota, Honda, Mercedes-Benz, Volvo, Fiat, General Motors, and Ford, detected unauthorized, third-party access to its network. The attack was later claimed by ransomware gang Pandora, who then threatened to leak 1.4 terabytes of the company’s trade secrets and transactional records.
- Bridgestone (LockBit Ransomware) – In March, Bridgestone was hit with a cyber attack that forced operators to shut down affected computer networks and production across its North American factories. The LockBit ransomware group later took responsibility for this attack.
- Costa Rican Government (Conti) – In April, a ransomware attack on the Costa Rican government led to the first national emergency declared in response to a cyber attack. The attack affected government services, the country’s ministry of finance, and the import and export sectors. The attack was later claimed by the Conti ransomware group, and the government was asked to pay $20 million. Shortly after, Conti group hit the Costa Rican government a second time, this time using HIVE ransomware to cause widespread disruption of the country’s public health services systems.
- SpiceJet (Ransomware attack) – In May, India’s second largest airline, SpiceJet, faced a ransomware attack that led to cascading flight delays and left many passengers stranded both at airports and aboard aircraft. Many passengers aired their frustrations over the delays and lack of communication on social media.
- Entrust (LockBit 3.0) – In June, digital security firm Entrust confirmed that its networks were breached by a ransomware gang who successfully stole data from their internal systems. Entrust’s services include identity management, comms encryption, and secure digital payments, making news of the ransomware attack an immediate concern for organizations using their software for authentication. Entrust was subsequently found to have been added to the LockBit 3.0 Tor-based website.
- Knauf (Black Basta) – In July, the Black Basta ransomware gang claimed responsibility for a cyber attack on Knauf, the multinational building and construction materials giant. Knauf’s global team was forced to shut down all of their IT systems to isolate the attack, which disrupted business operations and delivery processes. Post-attack, Black Basta published 20% of the exfiltrated files, consistent with their notoriety for double-extorting their high-profile victims.
Also in the 3rd quarter of 2022, CISA and the FBI warned of a number of ongoing, widespread ransomware campaigns currently attacking unnamed businesses and organizations.
- Zeppelin Ransomware Campaign – In August, the FBI and CISA released a joint cybersecurity advisory to share known indicators of compromise, as well as tactics, techniques, and procedures of Zeppelin malware, which functions as a RaaS. This malware has been used against defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
- Vice Society Campaign – In September, the FBI, CISA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning against a disproportionate increase of ransomware attacks on the education sector by Vice Society in tandem with the start of the 2022-2023 academic year for American schools.
Ransomware, data breaches, and supply chain attacks saturate global news headlines, but another rising threat has gained traction in 2022. Identity-based attacks are now a threat businesses keep at the forefront of their threat awareness efforts. With remote workforces, widespread adoption of IoT, and the huge numbers of digital identities being created even for a single organization, the attack surface continues to widen, leaving businesses vulnerable to identity-based exploitation by opportunistic threat actors.
Attacks on Active Directory – Cisco
Too often, threat actors weaponize legitimate tools and solutions that their targets use. Active Directory (AD) works by storing information about objects on a network in a logical hierarchy to make information easy to find for administrators and users. As seen in several identity-based attacks over the last few quarters, threat actors leverage AD infrastructure in their ransomware campaigns and extortion efforts, especially when there is a lack of identity protection. Consider the following examples where ransomware gangs targeted AD as part of their tactics.
In late 2021, researchers reported on a recent BazarLoader infection and how it led to the use of Cobalt Strike, and finally, Conti ransomware to perform network reconnaissance. Just three minutes after the initial compromise, the threat actor used ADFind, a command line tool, to enumerate an AD environment on the infected host. By compromising AD, the actors were able to discover users, computers, file shares, and more from the environment. Typically, a threat actor’s next step is to gain access to the domain controller and other network servers, moving laterally into the system.
The Cisco breach that occurred in May 2022 leveraged legitimate employee credentials synced in an employee’s browser and a combination of vishing (voice phishing) attacks and MFA fatigue techniques to achieve VPN access to the targeted network. Once in, the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory.
Abuse of AD serves threat actors well as it is designed to provide convenient access into a network. Compromising AD means threat actors can move deep into the network, escalating their access rights and encrypting and exfiltrating data on the way. With AD being the crown jewels of a business, attackers have zeroed in on targeting identity and access management gaps to reach what it is they want.
Attacks on Identity Management Platforms – Okta and Lapsus$
In March of this year, Lapsus$ digital extortion gang published what looked like substantial amounts of source code from Microsoft’s Bing and Cortana products. Though a potential Microsoft breach was serious enough, Lapsus$ also posted screenshots of their control over an Okta super admin account. Okta is a popular identity management platform used by thousands of large-scale organizations allowing users to access multiple services and apps through a single login interface.
Lapsus$’s control of an Okta super admin account is dire indeed as businesses increasingly rely on identity management software to streamline login experiences for their employees, partners, and customers. Businesses are falling victim to more account takeovers that directly stem from compromised identity management vendors, giving threat actors system privileges such as resetting account passwords, changing account email addresses, and accessing sensitive data.
As ransomware and other malicious actors target on-premises Active Directory and cloud-hosted Azure AD for initial access and lateral movement, identity protection has become a must for organizations.
The accelerated move from on-prem to hybrid and cloud environments has introduced a pressing need for businesses to keep their cloud workloads safe from threat actors. Cloud servers allow businesses to scale with ease, boosting efficiency, but they also require unique considerations such as securing serverless workloads and Kubernetes, virtual machines, and containers.
Amazon Web Services (AWS)
A subsidiary of Amazon, AWS is a comprehensive cloud computing platform providing a variety of on-demand services such as data storage, content delivery, networking, and more. One of its main services is Amazon Simple Storage Service (S3) – an object storage service built to house and retrieve any amount of data for its users. Objects (files) are then stored in S3 buckets which serve as containers for any amount of data belonging to an account.
While AWS S3 buckets are highly popular, they have become a prime target for threat actors as they are accessible to the public and are often misconfigured. Once an S3 bucket is compromised, it provides the threat actor with access to incredible amounts of data, which they could exfiltrate, use for ransom, sell on darknet marketplaces, or all of the above.
In the recent Civicom data leak, the misconfiguration of an S3 bucket resulted in a massive data leak, compromising over 100,000 files. In this case, the bucket was left open without password or security verification. The online video conferencing firm reported that 8 terabytes of stolen data included the video and audio files of customers’ meetings, recordings, and transcripts. As the firm’s main customer base included B2B companies, much of the data may have contained private company secrets or intellectual property. Further, the leak also revealed personally identifiable information (PII) of many of Civicom’s own employees.
The July breach of Pegasus Airlines showcases yet another example of unprotected S3 buckets leading to data loss. In this attack, the airline reported that 6.5 terabytes of data was compromised, with over 23 million files publicly exposed. Files in the unprotected bucket were linked to proprietary software developed by the company for use in aircraft navigation and in-flight processes such as take off and landing, refueling, and safety procedures. Pegasus Airlines also confirmed that sensitive information such as the PII of flight crews, source code, secret keys, and even plain-text passwords was exposed. At least two other affiliated airlines using the same proprietary software may also be compromised in relation to this breach, exponentially increasing the number of total persons affected.
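A defensive check for the kind of exposure behind both incidents, added here as an illustration and not part of the original post: it takes a bucket's policy, ACL grants and Block Public Access flags (shaped like the responses of the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls) and lists why the bucket is readable by anyone. The function names, the bucket name and the sample inputs are constructed for the example.

```python
import json

# ACL grantee group URIs that make a grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}, alone or inside a list."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])

def public_findings(policy_json, acl_grants, block):
    """List the reasons a bucket is publicly reachable (empty list: none found)."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants that still exist.
    if not block.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    # RestrictPublicBuckets cuts off anonymous access under a public policy.
    if policy_json and not block.get("RestrictPublicBuckets", False):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            # Simplification: conditional statements are skipped; review them by hand.
            if (stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append(f"policy allows {stmt.get('Action')} to any principal")
    return findings

# Constructed sample: a bucket that anyone can read, with and without the guard rails.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
NO_BLOCK = {}  # no Block Public Access configuration on the bucket
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_findings(SAMPLE_POLICY, SAMPLE_ACL, NO_BLOCK))
    print(public_findings(SAMPLE_POLICY, SAMPLE_ACL, FULL_BLOCK))
```

With all four Block Public Access flags enabled, the same policy and ACL produce no findings, which is why enabling them at the account level is the usual baseline.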
Kubernetes is an open-source system that automates the deployment, scaling, and management of applications running in containers. It uses a cluster architecture composed of many control planes and one or more virtual or physical machines called worker nodes. The worker nodes are what host “Pods” – components of the application workload. The control plane exists to establish policy which manages the worker nodes and Pods in the cluster. Since the control plane is responsible for running across multiple endpoints to provide fault-tolerance and high availability, it is a valuable target for threat actors seeking to leverage its infrastructure for malicious purposes or to cause a denial of service attack.
As it is hosted in a cloud environment, Kubernetes is afflicted with the same main threat vectors that clouds are susceptible to:
- Supply Chain Risks – These kinds of risks can occur at the container level if a malicious container or third-party application provides threat actors with a foothold in the cluster. Actors could also gain a foothold if any of the worker nodes or part of the control plane was compromised.
- Malicious Threat Actors – Threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes infrastructure allowing them to gain access from a remote location.
- Insider Threats – Administrators, users, or cloud service providers (CSPs) would all have access to physical systems or hypervisors managing Kubernetes nodes. This level of access could be used to compromise a Kubernetes environment.
How SentinelOne Measures Up to 2022 Cyber Attacks
2022 has, so far, been a complex year as businesses settle back into offices and hybrid workspaces but face the ramifications of geopolitical uncertainty, economic downturn, and cyber attacks that are climbing to new heights. Having more tools, access, and connections has no doubt benefited businesses, but it has also opened up a larger attack surface in which threat actors can operate.
While no business is immune from cyber attacks, examining the most dangerous attacks of the first three quarters of 2022 allows for better preparation for the following quarter and beyond. SentinelOne’s autonomous, AI-driven solutions can help deliver comprehensive security for those in search of endpoint, identity, and cloud protection.
In a single cybersecurity platform, Singularity XDR fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, cloud workload protection (CWPP), and identity threat detection and response (ITDR). With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time autonomous security layer across all enterprise assets.