From a targeted attack on the European Medicines Agency which stole and illegally released data online about the Pfizer/BioNTech vaccine, to large-scale phishing campaigns aimed at Covid-19 research facilities, threat actors have demonstrated few qualms when it comes to exploiting the global crisis.
“For adversaries that have been lurking in the shadows, it’s a golden age of vulnerability,” cautions Roger Sels, BlackBerry VP of solutions for EMEA.
As these attacks grow ever-more sophisticated, and criminals go to new lengths to capitalise on the fallout from the pandemic, organisations must ensure they are prepared to face these emerging threats by bolstering their security strategy.
Evolving threat actors
2020 saw a troubling rise in cyber attacks across all sectors. As organisations scrambled to respond to get back up and running in a period of extreme uncertainty, adversaries were ready and waiting to take advantage of VPN and firewall vulnerabilities.
Despite more than 18 months having passed since the onset of pandemic, Sels points out that this heightened level of increasingly automated breaches is continuing unabated.
Attributing these attacks is arduous and often fruitless. Many actors carry out false-flag campaigns that attempt to hide their tracks and shift the blame to other parties. And, as crimeware-as-a-service accelerates, barriers to entry are dropping.
“These kits can be purchased where everything is provided upfront and payment is expected only when there has been a successful campaign,” explains Sels. “People are leveraging the work of highly skilled groups.”
In a similar vein, adept cybercriminals are reselling access to company networks as an easy way to maximise profits and minimise risk, disappearing long before the breach is detected.
Sels highlights the Colonial Pipeline attack in May 2021 – attributed to DarkSide – as a case in point. “The ransomware makers went on the record to say they had no idea what the initial attack vector was,” he says. “They just purchased the access and deployed the ransomware.”
New heights
The creativity demonstrated by threat actors since the start of Covid-19 is nothing new. After all, says Sels, cybersecurity is mainly driven by the offensive side, with security teams tasked with figuring out ways to prevent, detect and respond to new attacks.
“The asymmetric nature of cyberwarfare means that the benefits for the adversary to innovate are higher than for the team playing defence,” he continues. “Innovation of the attack is their business and means the difference between a successful campaign, or jail time.”
Paradoxically, increasingly intelligent security solutions are pushing adversaries to get more creative. “Their old techniques and tactics won’t cut it anymore,” reflects Sels.
A fitting example of how criminals are going to new lengths to evade defensive measures is the GoLang remote access Trojan, which BlackBerry dubbed ChaChi. Following initial sightings in the first quarter of 2020, ChaChi’s code was altered to include obfuscation in late March and has been used by operators of the PYSA ransomware to attack victims globally.
“GoLang malware has been around for a number of years but they found a new way to obfuscate it, which is relatively uncommon,” explains Sels. “These criminals understand that certain detection mechanisms and signatures will look for particular features in files, and if they are [written in] a different programming language it might mean they don’t get picked up by security solutions.”
Turning to supply chain attacks, Sels points out that adversaries now fully appreciate the benefits of targeting service providers with large numbers of clients to yield maximum results. “If I want to breach 500 companies, I can do so 500 times sequentially,” he says. “Or I can find a single common denominator and breach them once. It’s going to be much cheaper and my chances of succeeding will be higher.”
Criminals, he continues, are demonstrating significant planning, investment and experimentation to carry out these attacks, embedding themselves into software in ways that cannot easily be picked up by security teams.
A catalyst for change
The introduction of fresh sanctions is also likely to alter the threat landscape. In October 2020, the US Treasury issued an advisory alerting organisations of potential sanction risks related to facilitating ransomware payments.
Then, in May 2021, global insurance company AXA announced it would stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Sels acknowledges how difficult it is for organisations faced with criminals holding their data and services hostage. “A lot of people say you should never pay, but when it becomes a question of the livelihood of the company, are we as a society prepared to see these companies fail because we don’t allow them to pay?” he says.
However, the VP for solutions believes these events will act as a catalyst for change. “If the money is no longer coming from an insurance provider and there is stigma from the government level with the potential looming threat of sanctions, it is going to lead some businesses to say ‘Are we as prepared as we can be to deal with a ransomware attack? How can we prevent this?’” he explains. “So I think it will shift the balance and organisations might actually start looking at investing in better protection in those areas.”
Even if ransomware did start to become less economically viable, though, Sels notes that adversaries will continue to innovate and find new ways to maximise profit. For example, he says, criminals could further analyse the data they access to blackmail companies about potential law violations or threaten to release unflattering executive communications to the public.
In this rapidly evolving environment, it is crucial for organisations to take action by adopting emerging best practices, leveraging artificial intelligence to increase endpoint security and enable faster, more accurate decision making.
Sels highlights the value of drawing on external specialists to carry out continuous threat hunting as part of a 24/7 managed detection and response service.
By employing intelligent security solutions, organisations can prepare for future attacks and ensure they have a robust defence against emerging threats. Those that avoid taking action risk joining the catalogue of high-profile attack victims facing an uncertain future.