attack surface Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Last updated: Fri, 17 Sep 2021 03:27:29 +0000

The Vulnerabilities that Open the Door to Ransomware
https://staging-cisomagcom.kinsta.cloud/the-vulnerabilities-that-open-the-door-to-ransomware/
Tue, 15 Jun 2021 06:29:09 +0000
The Darkside ransomware group brought the Colonial Pipeline to its knees in May 2021. In another incident that soon followed, REvil (Ransomware Evil), a private Ransomware as a Service (RaaS) caused meat prices to rise when it attacked JBS — a meat processing giant. And in Ireland, Conti attacked the Irish Health systems and the FBI published a warning that they would be targeting the health care sector more.

By Ram Movva, the President and Co-founder of Cyber Security Works

Could these attacks have been avoided? Can we prevent future attacks?

Yes.

If these organizations had remediated vulnerabilities that are associated with ransomware, they could have shrunk their attack surface and avoided the attack.

The catalyst behind the rise in ransomware attacks is the ease with which they can exploit organizations due to technical debt and patch management lags. We’re seeing industries such as critical oil pipelines, global meat processing plants, and even regional ferry transportation get hit with disruptive ransomware. Each attack provides additional proof that digital infrastructure is weak and needs maintenance so it will be strong enough to defend against these threat actors.

CSW’s analysts have been conducting in-depth research on ransomware and attack trends for the past year. We have delved deep into ransomware attacks, exploits, Advanced Persistent Threat (APT) groups, exploit kits and attack patterns that occurred in the last two years and we recently published our findings in a Ransomware Spotlight Report. The report covers the latest attacks and ransomware trends, and provides actionable insights for organizations to prioritize vulnerabilities for patches.

Rapid Rise in Ransomware

Remote working has resulted in weaker controls and more public-facing RDP servers, thus creating the ideal environment for ransomware to thrive. Predictably, this led to an increase in ransomware attacks since 2020.

We have been tracking ransomware associations with vulnerabilities since 2019, when RiskSense published its first Ransomware Spotlight Report. CSW’s analysts have noted that the number of vulnerabilities associated with ransomware rose from 57 in August 2019 to 223 in December 2020. By the first quarter of 2021, we found that the number of vulnerabilities had increased to 260, clocking a 17% increase!

Currently, ransomware attackers are spoiled for choice with 260 vulnerabilities to compromise and can easily launch crippling ransomware attacks.

So, what should organizations fix first to avoid becoming the next ransomware victim?

Our researchers highlighted 132 vulnerabilities that were trending as ransomware targets in Q1 of 2021. These key vulnerabilities are weaponized and have active exploits; they should be at the top of every organization’s remediation list.

Although every vulnerability tied to ransomware should be considered a high exposure risk to an organization, we recommend that these 132 issues be prioritized for patches because they have been exploited actively by attackers from 2018 to 2021 (Quarter 1).

If organizations were to rely solely on CVSS scores to prioritize and patch vulnerabilities, they would still be exposed to ransomware. We say this because of the following reasons:

  • Only 65% of vulnerabilities tied to ransomware have a CVSS v3 score. Approximately 25% of these vulnerabilities are rated as critical and 10% as high. Therefore, if organizations were to patch critical and high vulnerabilities, they would get only 35% coverage against ransomware and still be vulnerable to attacks.
  • While 99% of the vulnerabilities have a CVSS v2 score, only 70% are rated as high, and if only these are prioritized for patching, the 25% of vulnerabilities rated as medium and 3% rated as low will remain unaddressed, enabling attackers to launch ransomware attacks.

Note: 2% of vulnerabilities do not have CVSS v2 score.
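As an added illustration of the argument above (this script is not from the article or from CSW's report), the code below runs three patch-prioritization policies over a small constructed vulnerability set and measures how much of the ransomware-associated subset each one leaves unpatched. The CVE ids are placeholders and the scores and flags are made up so that the gaps the article describes (no CVSS v3 score, medium- or low-rated but actively exploited issues) all appear; the percentages it prints are from this sample, not CSW's figures.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

@dataclass(frozen=True)
class Vuln:
    cve: str                   # placeholder id, not a real CVE
    cvss_v3: Optional[float]   # None when no v3 score has been assigned
    cvss_v2: Optional[float]   # None when no v2 score has been assigned
    ransomware: bool           # used by at least one ransomware family
    exploited: bool            # weaponized, active exploit observed

# Constructed sample: ids and scores are illustrative, chosen so that every
# gap the article describes shows up (no v3 score, medium/low but exploited).
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 9.8, 10.0, True, True),
    Vuln("CVE-EXAMPLE-0002", 8.8, 9.0, True, True),
    Vuln("CVE-EXAMPLE-0003", None, 7.5, True, True),    # v2 score only
    Vuln("CVE-EXAMPLE-0004", None, 5.0, True, False),   # v2 score only, medium
    Vuln("CVE-EXAMPLE-0005", 6.5, 6.8, True, True),     # medium, but exploited
    Vuln("CVE-EXAMPLE-0006", 3.1, 2.6, True, True),     # low, but exploited
    Vuln("CVE-EXAMPLE-0007", 7.2, 7.2, True, False),
    Vuln("CVE-EXAMPLE-0008", 9.1, 7.5, False, False),   # critical, not ransomware
    Vuln("CVE-EXAMPLE-0009", None, None, True, True),   # no score at all
    Vuln("CVE-EXAMPLE-0010", 5.0, 5.0, False, False),
]

Policy = Callable[[Iterable[Vuln]], Set[str]]

def v3_severity(score: Optional[float]) -> str:
    """CVSS v3.x qualitative rating bands."""
    if score is None:
        return "none"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def v2_severity(score: Optional[float]) -> str:
    """CVSS v2 has only low / medium / high."""
    if score is None:
        return "none"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def cvss_v3_policy(vulns: Iterable[Vuln]) -> Set[str]:
    """Patch only critical and high by CVSS v3: the policy the article warns about."""
    return {v.cve for v in vulns if v3_severity(v.cvss_v3) in ("critical", "high")}

def cvss_v2_policy(vulns: Iterable[Vuln]) -> Set[str]:
    """Patch only what CVSS v2 rates high."""
    return {v.cve for v in vulns if v2_severity(v.cvss_v2) == "high"}

def threat_context_policy(vulns: Iterable[Vuln]) -> Set[str]:
    """Patch anything tied to ransomware or actively exploited, whatever the score."""
    return {v.cve for v in vulns if v.ransomware or v.exploited}

def ransomware_coverage(vulns: list, policy: Policy) -> float:
    """Fraction of ransomware-associated CVEs the policy would patch."""
    rw = {v.cve for v in vulns if v.ransomware}
    return len(rw & policy(vulns)) / len(rw)

def ransomware_gaps(vulns: list, policy: Policy) -> list:
    """Ransomware-associated CVEs the policy leaves unpatched, sorted."""
    selected = policy(vulns)
    return sorted(v.cve for v in vulns if v.ransomware and v.cve not in selected)

def missing_v3_fraction(vulns: list) -> float:
    return sum(1 for v in vulns if v.cvss_v3 is None) / len(vulns)

POLICIES = {"cvss_v3_critical_high": cvss_v3_policy,
            "cvss_v2_high": cvss_v2_policy,
            "threat_context": threat_context_policy}

def compare_policies(vulns: list) -> dict:
    """Return {policy name: fraction of ransomware-associated CVEs it patches}."""
    return {name: ransomware_coverage(vulns, pol) for name, pol in POLICIES.items()}

if __name__ == "__main__":
    print(f"records without a CVSS v3 score: {missing_v3_fraction(SAMPLE):.0%}")
    for name, pol in POLICIES.items():
        print(f"{name:>22}: {ransomware_coverage(SAMPLE, pol):.0%} of ransomware CVEs "
              f"covered; left unpatched: {ransomware_gaps(SAMPLE, pol)}")
```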

Put simply, organizations need continuous threat context and proactive alerts so they can patch the vulnerabilities that are fast becoming cannon fodder for ransomware.

Ransomware is not particularly clever, but ransomware families share and leverage the same 260 vulnerabilities.

Exploit Kits, Ransomware Families, and APT Groups

Our research also focused on the exploit kits commonly used by attackers. Exploit kits are automated tools that exploit a vulnerability and then deliver malware or ransomware payloads. They target widely deployed software such as Adobe products, Flash, Java, Microsoft products, and Silverlight.

Essentially, these are packaged executables, built as layered vulnerability attacks providing all the tools needed to attack an organization.

We identified 32 commonly used exploit kits and three new kits used by attackers in Q1 of 2021.

Top 5 Commonly Used Exploit Kits
  1. RIG Exploit Kit
  2. Nuclear Exploit Kit
  3. Angler Exploit Kit
  4. Neutrino Exploit Kit
  5. Fallout Exploit Kit

New Exploit Kits Identified in Q1 of 2021
  1. EternalRomance Exploit Kit
  2. LCG Kit Exploit Kit
  3. Sibhost Exploit Kit

In December 2020, we identified 125 ransomware families that were using 223 vulnerabilities to attack their targets. In 2021, this number rose to 140, clocking a 12% increase! The infamous DarkSide ransomware that recently stalled Colonial Pipeline and disrupted gasoline supply in the US is one among the 140.

Our researchers have also been closely monitoring the mushrooming of APT groups and their affiliations with hostile nation-states for more than a year. APT and ransomware associations raise the power of this threat by several notches. These threats are called “persistent” for a reason. APT groups are seemingly well-funded, often by nation-states that hire them to conduct deep, targeted attacks, so they are not solely motivated by monetary incentives. Their focus is on government entities, critical infrastructure, and Fortune 500 companies, where they spy and steal sensitive information within pharma, energy, and other sectors.

Our Spotlight Report listed 33 APT groups, the ransomware families they are associated with, and the CVEs they exploit. In the first quarter of this year, we spotted a new association with the APT group Viking Spider, which used CVE-2017-0213 to launch attacks on Microsoft Windows servers. (Download the Q1 report for more information.)

CWEs Enabling Ransomware

Lastly, we also analyzed how and why ransomware attackers can exploit weaknesses in applications and operating systems and uncovered many insights that would be useful for software developers.

Our report identified the top five Common Weakness Enumeration (CWE) categories that attackers are abusing as CWE-119, CWE-20, CWE-264, CWE-94, and CWE-200.

In the past quarter, two new CWE IDs were introduced: CWE-295 and CWE-611. CWE-295 falls under the A3 category of the Open Web Application Security Project’s (OWASP) top ten vulnerabilities in 2017, indicating sensitive data exposure risk.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is another reason for the spate of attacks. Today, any malicious attacker with just a little technical knowledge can get an entire ransomware kit from a RaaS website and launch an attack. Each kit comes with detailed instructions on how to deploy the payload, making it extremely easy to launch an attack. The recent DarkSide Ransomware attack on Colonial Pipeline is a classic example of how mature RaaS has become. It is also an indicator of how sophisticated and customer-friendly RaaS is soon to become.

The Way Forward

When we noticed a marked spike in key index numbers, such as vulnerabilities, active exploits, APT groups, and ransomware families, we decided to release quarterly updates on ransomware to help organizations remediate and patch targeted vulnerabilities.

Ransomware is growing exponentially, and the 17% increase in vulnerabilities in Q1 of 2021 is not an encouraging sign. Today, our dynamic database of ransomware research remains the only single source for organizations to quickly understand their attack surface exposure and learn what contributes to ransomware growth. The only way to defend against this threat is to elevate cyber hygiene and adopt continuous, risk-based vulnerability management that provides active threat context about ransomware.

Watch out for our next quarterly update to get the latest statistics, exploits, and trends on ransomware.

A longer version of this article will appear in the next issue of CISO MAG. Subscribe here.


About the Author

Ram Movva, the President and Co-founder of Cyber Security Works (CSW), is an industry expert in offensive security and intrusion detection. With a master’s degree from Georgia Tech, Ram was with TIBCO for over a decade. He was also part of the founding team at RiskSense, a risk-based vulnerability management company.

After spending 15 years in the US, Ram co-founded Cyber Security Works (CSW) in 2008. Under his strategic leadership, CSW has enabled companies worldwide to improve their security posture.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

The post The Vulnerabilities that Open the Door to Ransomware appeared first on CISO MAG | Cyber Security Magazine.

Episode #10: The Case for Virtual Cybersecurity
https://staging-cisomagcom.kinsta.cloud/the-case-for-virtual-cybersecurity/
Wed, 14 Apr 2021 16:00:00 +0000
With the rapid pace of digitalization, businesses are increasingly exposed, presenting a larger attack surface for cyber criminals to compromise their private data and networks.

SPONSORED CONTENT

Traditional methods of deploying on-premise cybersecurity cannot keep pace with this changing demand. For improved responsiveness to threats, one must look at virtualized cyber security solutions such as a virtual firewall (vFirewall) deployed on a software-defined network to close the gaps with on-demand provisioning and scaling. End users are also turning to Managed Security Service Providers (MSSPs) with the expectation of greater speed in deploying and scaling cyber security.

In this episode, Ho Chin Chow, Deputy Director, Product Management, SPTel, explains how virtualized cyber security such as vFirewalls can help businesses react quickly to the changing threat landscape and control security spending with just-in-time provisioning.

RSS: https://feeds.soundcloud.com/users/soundcloud:users:899202688/sounds.rss

Spotify: https://open.spotify.com/show/7pBhvwEVAaL4uUJnzD5rWO


Unlike other vFirewall solutions, SPTel’s vFirewall can be deployed as-a-Service, swiftly, over SPTel’s end-to-end software defined network. It is also a dedicated vFirewall service (unique in the market) which means end users will have improved control over security policies and updates.

Ho Chin Chow is the Deputy Director of Product Management in SPTel and Product Owner of SPTel’s product portfolio consisting of Connectivity, Internet, SDWAN, IoT-aaS, Managed Network & Security. He is engaged in thought leadership within SPTel and leads the product track in its digitalization project.

He is an accomplished product management professional with 18 years of telecommunications experience. His product knowledge spans both local and regional spheres.

The post Episode #10: The Case for Virtual Cybersecurity appeared first on CISO MAG | Cyber Security Magazine.

“You can’t quantify business risk with RAG color coded scores”
https://staging-cisomagcom.kinsta.cloud/quantify-business-risk/
Wed, 12 Aug 2020 03:30:08 +0000
A recent study by Forrester Research shows that 97% of Indian organizations experienced at least one business-impacting cyberattack in the past 12 months. Yet, only four in 10 security leaders in India have a clear picture of how much at risk, or how secure their organizations are. In a chat with CISO MAG, Adam Palmer, Chief Cybersecurity Strategist at Tenable, tells us how security leaders should quantify business risk and assess the attack surface, using accurate and more insightful metrics like the cyber exposure score.

Palmer has over 20 years of cybersecurity experience, including executive positions at large cybersecurity vendors and leading the U.N. Global Program against cybercrime. Before joining Tenable, Palmer held the position of Global Director, Cybersecurity Risk & Controls for Banco Santander, the largest bank in the EU and Latin America.

Palmer began his career as a U.S. military officer focused on cybercrime cases. After the military, he worked in a senior operational role, creating the .ORG top-level domain's cybersecurity program.

By Brian Pereira, Principal Editor, CISO MAG

Edited excerpts of the interview:

Your research shows that only 4 in 10 security leaders know how secure or at risk they are. How does an organization quantify business risk due to these business-impacting cyber attacks? Are there any frameworks or tools to do this?

I worked on this idea for two years and my prior job at the bank (Banco Santander) was trying to quantify risk — moving from qualitative to quantifiable analysis. Many security leaders use the heat matrices, the red, amber, green (RAG) scores to try to describe risk to the business leaders. This is really IT talk. Every organization I worked at did this. It doesn’t say anything to really quantify the risk or help people understand the reduction in risk. How can a business leader make a decision based on a color in RAG scores? There is a gap in communication between how IT people speak (technical or ambiguous), and the expectations of business leaders — quantitative understanding of risk.

A cyber exposure score, which is what Tenable creates, is a powerful tool because it gives you a quantifiable number.

Why haven’t security leaders been able to do accurate risk assessments for business-impacting cyberattacks?

The heart of it is really the lack of partnership between the security and the business leaders. There’s not enough alignment of metrics and objectives with business strategic priorities. I see that organizations report risk in a very qualitative language. This is not the language of business leaders. They have to consider industry benchmarking frameworks and accurately report it to the business, especially in times like today.

Organizations with security and business leaders who are aligned in measuring and managing cybersecurity as a strategic business risk deliver demonstrable results. What would be your recommendations to security leaders to do this security-business alignment? How do they weave cybersecurity into the fabric of business discussions?

The keys are a few things: linking the security program to business performance. Making sure you have visibility across the entire attack surface. The attack surface has expanded with cloud and even operational technology. You can’t protect what you can’t see. And you have to apply a business context to your tactical decisions and express that in a quantifiable matrix that business leaders understand.

Looking at the global threat landscape, which countries are being targeted the most? And what could be the reasons?

We saw that all the markets had a high percentage of business-impacting events over the last 12 months. 97% of businesses in India reported a cyberattack within the last 12 months. And 74% expect an increase in cyberattacks. Today, we are in a very dynamic business environment, with business and technology closely woven together. The effective business-aligned CISO just can’t focus on technical issues or one part of that threat landscape. They really have to be aligned with the business and elevate themselves as a business-aligned security expert — and be aware of the entire expanded threat landscape.

Specific to India, what does your research show, with respect to the types of businesses being increasingly targeted?

We saw medium and large businesses being attacked. We know that these businesses make India a dynamic and exciting economy, with Digital India, and all the technology being used throughout India – in business and in government. Cybercriminals know where the money is, and they target technology and intellectual property. Given the monetary value and the damage that can be caused by a successful attack, across industries, telecom, health care, finance, all these industries are major targets. And what we found in this study is that all of these are equal opportunity targets for cybercriminals to attack a business.

Your research shows that 67% of security leaders in India say these attacks also involved an operational technology (OT) system. What kind of industries are being targeted within India? Does this also include critical infrastructures like nuclear plants and electricity grids?

This is really an issue of convergence. Automation is now common in the industrial environment. And that environment is converging with the IT environment. It is in critical infrastructure and manufacturing. But it can be in lots of different types of businesses. Think about automated access controls, with all kinds of smart connected devices, HVAC — some of these use smart connected industrial controllers. And we are finding that cybercriminals are attacking these devices and often, security teams aren’t monitoring these satisfactorily. They are using legacy approaches for vulnerability risk management, and they are not detecting these devices. And the criminals are attacking them.

A heavy manufacturing plant that uses OT devices was targeted last year in Europe. And it cost Euro 40 million in the first week. It disabled their operations. So it is critical that the security teams secure these critical operations and make sure they are using the same amount of analysis and care that they apply to other amounts of threats and that they are applying that as well to this new threat vector, which is OT.

I want to talk about the COVID-19 response strategies, and you have another data point in your report about this: 75% of the respondents say their COVID-19 strategies are somewhat aligned to the business. What is the reason for the surge in COVID-19 related phishing attacks on businesses?

Cybersecurity threats really thrive amidst a climate of uncertainty. We’ve seen attacks increase with attackers taking advantage of the current pandemic environment. This highlights the fact that cybersecurity should be a board-level concern. In times of crisis, it’s more important that you have clarity and alignment with the business. Cybersecurity teams need to evolve to align themselves to a business strategy that understands this, connects with this, and manages cyber risk in relation to the world around them, which is now an unusual world due to COVID-19.

The post “You can’t quantify business risk with RAG color coded scores” appeared first on CISO MAG | Cyber Security Magazine.
