Tuesday, January 19, 2021
By Charles Buege, Fuel Editorial Advisory Committee Member
At Palo Alto Networks’ Ignite ’20 virtual conference last November, Brittany Barbehenn and Alex Hinchliffe of Unit 42 gave a fantastic summary of several items that their research team had seen thus far on the different attack vectors out there. Here, we provide a rundown of the attacks they shared to keep on your radar in the new year and beyond.
Ransomware is moving away from the original “spray and pray” approach toward targeted attacks tailored to the environment being hit (schools, medical facilities, etc.). Attackers are using more open source tools and exploiting known and recently announced vulnerabilities that, in most cases, have not yet been patched. They are also running many brute force attacks against remote desktop protocol (RDP) systems. If nothing else, this is another reminder that companies need to keep their systems well patched and up to date to protect themselves from these simple attack methods.
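The RDP brute force activity mentioned above is easy to spot in failed-logon records once you look for bursts from one source. The following is an added example, not code from the original post or from Unit 42; it assumes a constructed, simplified one-event-per-line format (real Windows exports are EVTX, XML or CSV and need a different parser, but the windowing logic is the same). Event ID 4625 is a failed logon, 4624 a successful logon, and Logon Type 10 is RemoteInteractive, i.e. RDP.

```python
"""Flag RDP brute-force bursts in failed-logon records (added example).

Assumed line format (constructed for this example, not a real export):
<timestamp> EventID=<id> LogonType=<n> TargetUser=<name> SourceIP=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2021-01-19T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-01-19T02:14:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2021-01-19T02:14:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-01-19T02:14:08Z EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.7
2021-01-19T02:14:12Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2021-01-19T02:14:20Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2021-01-19T02:14:31Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2021-01-19T08:02:10Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.22
2021-01-19T08:02:25Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.22
2021-01-19T08:02:40Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.22
2021-01-19T09:15:00Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold RDP failures
    inside any sliding window of the given length. A finding also lists any
    RDP success from the same source after the burst began, which is the
    case that needs immediate attention."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                later_success = [s for s in successes[ip] if s["ts"] >= burst_start]
                findings[ip] = {
                    "failures": len(fails),
                    "usernames": sorted({f["user"] for f in fails}),
                    "success_after": sorted(s["user"] for s in later_success),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

The two failures from 198.51.100.22 followed by a success look like a user mistyping a password and stay below the threshold; the burst from 203.0.113.7 across several usernames, ending in a successful logon, is the pattern worth paging on. The threshold and window are tunable; the point is that a single success after a burst is far more valuable than the failure count alone.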
Cryptojacking in Docker offers threat actors a very good return on investment, because many companies are not following best practices for securing their systems. Numerous deployments have been put in place with only the most basic protections and default credentials, leaving them prime targets. Because so many other available targets haven’t done even this much, threat actors move along quickly when a company has put even the simplest protections in place; those systems aren’t worth their time. The neglected best practices include avoiding weak credentials, not sharing API keys across multiple systems, and avoiding incorrect or incomplete configurations, all of which are very simple things for threat actors to find and abuse.
Emotet inserts itself into an existing email thread, spoofing one of the participants, and delivers an attachment that starts an infection and allows ransomware to be installed. The technique came out of the banking trojan arena but is now used across many platforms and, most recently, as part of the Ryuk attacks. Because the email thread was already established, the attachment is more readily accepted as “safe” and more likely to be opened or executed, letting the infection begin.
Domain squatting is definitely continuing. By this, Brittany and Alex were referring to phishing links that try to send you to sites like “netflix-payments.com,” which is obviously bogus. This tactic is still very common and is just another example of how important, and how simple, it is for users to take a few seconds to read through a link they have been sent and notice that something isn’t right about it.
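The same “read the link” check can be automated for mail gateways or link-rewriting proxies. The following is an added example, not code from the original post or from Unit 42; the brand list, the allowlist and the test links are constructed, and the registrable-label extraction is a deliberate simplification (real code should use the Public Suffix List). It goes slightly beyond the post’s single example by also catching typosquats within one edit of a brand name and brands used as a subdomain of an unrelated site.

```python
"""Flag lookalike phishing hosts such as netflix-payments.com (added example).

Brand names and the allowlist below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumed inputs: brands to protect and the hostnames that legitimately carry them.
BRANDS = ("netflix", "paypal")
ALLOWLIST = {"netflix.com", "paypal.com"}


def extract_host(link):
    """Accept a bare hostname or a full URL and return a normalised hostname."""
    if "://" not in link:
        link = "http://" + link          # urlsplit needs a scheme to find the host
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def registrable_label(host):
    """Second-to-last DNS label. Simplification: ignores multi-part public
    suffixes such as co.uk; use the Public Suffix List in production."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats like netfl1x."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(link, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (verdict, host, reason). Verdicts: allowed, suspicious, unknown."""
    host = extract_host(link)
    if host in allowlist or any(host.endswith("." + a) for a in allowlist):
        return ("allowed", host, None)
    label = registrable_label(host)
    labels = host.split(".")
    for brand in brands:
        if label == brand:                       # netflix.co, netflix.net
            return ("suspicious", host, f"brand '{brand}' under an unexpected TLD")
        if brand in label:                       # netflix-payments.com
            return ("suspicious", host, f"brand '{brand}' embedded in registered label '{label}'")
        if brand in labels:                      # netflix.com.verify-account.net
            return ("suspicious", host, f"brand '{brand}' used as a subdomain of '{label}'")
        if len(brand) >= 5 and levenshtein(brand, label) <= 1:   # netfl1x.com
            return ("suspicious", host, f"label '{label}' is one edit away from '{brand}'")
    return ("unknown", host, None)


if __name__ == "__main__":
    # Constructed test links, not observed phishing infrastructure.
    for link in ("https://netflix-payments.com/verify", "https://help.netflix.com/",
                 "netfl1x.com", "http://netflix.com.verify-account.net/",
                 "https://example.org/"):
        print(assess_link(link))
```

An “unknown” verdict only means the host does not resemble a protected brand; it is not an endorsement. The allowlist is what keeps legitimate brand subdomains from being flagged, so it should be maintained from the brand’s own DNS rather than guessed.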
Another item becoming more common in ransomware is what is called double extortion. Here, the files being held for ransom are first exfiltrated from the targeted system(s) before they are encrypted. If the ransom isn’t paid, the offloaded information is then released publicly, in retaliation for not paying.
Vulnerabilities and exploits are being leveraged as often as ever. Any time a network vulnerability is available, it is leveraged first, so that once a host is compromised, that point of entry allows the infection and attack to spread both north/south and east/west across the victim’s network. Three of the most common network vulnerability CVEs seen this year were:
Microsoft SMBv3 (CVE-2020-0796), wormable
Microsoft DNS Server (CVE-2020-1350), wormable
Microsoft Netlogon “Zerologon” (CVE-2020-1472)
Additionally, here are the top 10 MITRE ATT&CK techniques seen over 2020:
T1566.001: Spearphishing Attachment
T1105: Ingress Tool Transfer
T1204: User Execution
T1059: Command and Scripting Interpreter
T1547.001: Registry Run Keys/Startup Folder
T1082: System Information Discovery
T1027: Obfuscated Files or Information
T1057: Process Discovery
T1094: Custom Command and Control Protocol
During the presentation, Brittany and Alex also spoke about renaming the Unit 42 playbooks to ATOMs (Actionable Threat Objects and Mitigations). Here is the new URL for getting details about the different ATOMs: https://unit42.paloaltonetworks.com/atoms/
Bad actors will always exist, and their methods will continue to evolve. As cybersecurity professionals, it’s our job to stay on top of and ahead of threats. For some of us, the fast-paced nature of the job is part of the reason we entered the field — no day is the same. The good news is with a community backed by researchers like the team at Unit 42 and more, we don’t have to go it alone.