{"id":19796,"date":"2022-08-09T03:21:14","date_gmt":"2022-08-09T11:21:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/09\/news-13529\/"},"modified":"2022-08-09T03:21:14","modified_gmt":"2022-08-09T11:21:14","slug":"news-13529","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/08\/09\/news-13529\/","title":{"rendered":"Multiple attackers increase pressure on victims, complicate incident response"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Tue, 09 Aug 2022 11:00:04 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>There\u2019s a well-worn industry phrase about the probability of a cyberattack: \u201cIt\u2019s not a matter of <em>if<\/em>, but <em>when<\/em>.\u201d Some of the incidents Sophos recently investigated may force the industry to consider changing this rule-of-thumb: The question is not <em>if<\/em>, or <em>when<\/em> \u2013 but how many times?<\/p>\n<p>In an issue we highlighted in our <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/06\/07\/active-adversary-playbook-2022\/\">Active Adversary Playbook 2022<\/a>, we\u2019re seeing organizations being hit by multiple attackers. Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double \u2013 even triple \u2013 infections of the same type.<\/p>\n<p>Today, Sophos X-Ops is releasing our latest Active Adversary white paper: <em><a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/q6r6n3x43mnrfchn5tfh3qmw\/sophos-x-ops-active-adversary-multiple-attackers-wp.pdf\">Multiple Attackers: A Clear and Present Danger<\/a><\/em>. In the paper, we take a deep dive into the problem of multiple attackers, exploring how and why organizations are attacked several times. Recent case studies from our Managed Detection and Response (MDR) and Rapid Response (RR) teams provide insight into the <em>how<\/em>, and exploring cooperation and competition among threat actors helps explain the <em>why<\/em>.<\/p>\n<p>Our key findings are:<\/p>\n<ul>\n<li>The key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack<\/li>\n<li>Multiple attacks often involve a specific sequence of exploitation, especially after big, widespread vulnerabilities like <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/03\/17\/mtr-in-real-time-exchange-proxylogon-edition\/\">ProxyLogon<\/a>\/<a href=\"https:\/\/news.sophos.com\/en-us\/2021\/08\/23\/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do\/\">ProxyShell<\/a> are disclosed \u2013 with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware<\/li>\n<li>While some threat actors are interdependent (e.g., IABs later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even \u2018close the door\u2019 by patching vulnerabilities or disabling vulnerable services after gaining access<\/li>\n<li>Historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems<\/li>\n<li>Ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies which directly or indirectly benefit other groups<\/li>\n<li>Certain features of the underground economy may enable multiple attacks \u2013 for instance, IABs reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize<\/li>\n<li>Some of the case studies we analyze include a ransomware actor installing a backdoor which was later abused by a second ransomware group; and an incident where one organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. After the dust had settled, Sophos discovered some files which had been encrypted by all three groups<\/li>\n<\/ul>\n<p>At this stage there\u2019s only anecdotal evidence to suggest that multiple attacks are on the rise, but, as Sophos\u2019 Director of Incident Response, Peter Mackenzie, notes: \u201cThis is something we\u2019re seeing affecting more and more organizations, and it\u2019s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-86231 aligncenter\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png\" alt=\"An infographic summarising the key findings and takeaways from our white paper\" width=\"993\" height=\"661\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png 1660w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png?resize=768,511 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png?resize=1024,681 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/FIN-Multiple-attackers-infographic-1660-\u00d7-1104-px-3.png?resize=1536,1022 1536w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><\/a><\/p>\n<h3>Key takeaways for organizations<\/h3>\n<p>Multiple attacks not only complicate incident response, but also place additional pressure on victims \u2013 whether that\u2019s through more than one ransom demand, or just the sheer technical difficulty of trying to recover from two or more attacks in a short space of time.<\/p>\n<p>In the white paper we provide best practice security guidance, as well as the following eight actionable takeaways to help organizations lower the risk of falling victim to multiple attackers:<\/p>\n<p><strong>Takeaway 1: Update absolutely everything<\/strong><br \/> It sounds simple, but: Update everything. One of our key findings is that cryptominers, and webshells and backdoors deployed by IABs, often come first when a vulnerability has been disclosed, and the latter typically try to operate stealthily \u2013 so you might think you\u2019ve avoided an attack, when in fact there\u2019s already malware on your system. That might be compounded (in a subsequent attack) by ransomware. Patching early is the best way to avoid being compromised in the future \u2013 but it doesn\u2019t mean you haven\u2019t already been attacked. It\u2019s always worth checking that your organization wasn\u2019t breached prior to patching.<\/p>\n<p><strong>Takeaway 2: Prioritize the worst bugs first<\/strong><br \/> But how can you patch early, and how do you know what to patch? Prioritizing can be a big ask, given how many vulnerabilities are disclosed (<a href=\"https:\/\/www.computerweekly.com\/news\/252510662\/2021-another-record-breaker-for-vulnerability-disclosure\">18,429 in 2021<\/a>, more than 50 a day on average, and the greatest number of reported vulnerabilities ever disclosed during a calendar year). So focus on two key elements: 1) critical bugs affecting your specific software stack; and 2) high-profile vulnerabilities that could affect your technology. There are paid services which offer vulnerability intelligence, but there are also free tools which let you set up custom alerts for particular products. <a href=\"https:\/\/bugalert.org\/\">Bug Alert<\/a> is a non-profit service that aims to give early warning of high impact bugs. Monitoring \u2018infosec Twitter\u2019 is also recommended, as that\u2019s where many prominent vulnerabilities are discussed when first released. Or you could use <a href=\"https:\/\/cvetrends.com\/\">CVE Trends<\/a>, which collates data from several sites to show the most-talked-about vulnerabilities.<\/p>\n<p><strong>Takeaway 3: Mind your configurations<\/strong><br \/> Misconfigurations \u2013 and a failure to remediate them after an attack \u2013 are a leading cause of multiple exploitations. Cryptominer operators, IABs, and ransomware affiliates always look for exposed RDP and VPN ports, and they\u2019re among the most popular listings on most criminal marketplaces. If you do need remote access and\/or management over the internet, put it behind a VPN and\/or a zero-trust network access solution that uses MFA as part of its login procedure.<\/p>\n<p><strong>Takeaway 4: Assume other attackers have found your vulnerabilities<\/strong><br \/> Threat actors don\u2019t operate in isolation. IABs might resell or relist their products, and ransomware affiliates may use multiple strains \u2013 so one vulnerability or misconfiguration can lead to multiple threat actors seeking to exploit your network.<\/p>\n<p><strong>Takeaway 5: Don&#8217;t slow-walk addressing an attack in progress<\/strong><br \/> Being listed on a leak site may attract other, opportunistic threat actors. If you\u2019re unfortunate enough to be hit with a ransomware attack, take immediate action, in conjunction with your security teams and incident response provider(s), to close the initial entry point and assess what data has been leaked, as part of your wider remediation plan.<\/p>\n<p><strong>Takeaway 6: Ransomware plays nicely with ransomware<\/strong><br \/> Many threat actors have traditionally been competitive, to the point of kicking each other off infected systems, and that\u2019s still true today when it comes to cryptominers and some RATs. But ransomware doesn\u2019t seem to follow this trend, and may proceed to encrypt files even if other ransomware groups are on the same network \u2013 or operate in a mutually beneficial way, so that one group exfiltrates and the other encrypts.<\/p>\n<p><strong>Takeaway 7: Attackers open new backdoors<\/strong><br \/> Some attackers may introduce further vulnerabilities after gaining access, or create deliberate or unintentional backdoors (including the installation of legitimate software), which a subsequent threat actor can exploit. So while it\u2019s crucial to close off the initial infection vector, it\u2019s also worth considering a) other weaknesses and misconfigurations that could be used to gain access, and b) any new ingress points that may have appeared.<\/p>\n<p><strong>Takeaway 8: Some attackers are worse than others<\/strong><br \/> Not all ransomware strains are equal. Some have capabilities and features that may complicate attempts to respond to and investigate others \u2013 another reason to try to avoid becoming a victim of multiple attacks.<\/p>\n<h3>Conclusion<\/h3>\n<p>In an increasingly crowded and competitive threat environment, the problem of multiple attackers is likely to grow, with more threat actors coming into the mix and exploiting the same targets \u2013 either deliberately or unintentionally.<\/p>\n<p>For organizations, this means that rapidly responding to attacks, applying patches, fixing misconfigurations \u2013 and checking for backdoors which attackers might have installed prior to any entry points being closed \u2013 will become more and more important.<\/p>\n<p>Multiple attackers are bad news for analysts and responders too, complicating incident response, threat intelligence, and security monitoring. In one of the case studies we explore in the report, for example, one ransomware group wiped Windows Event Logs \u2013 which not only deleted traces of that group\u2019s activities, but also those of the two ransomware groups which had attacked the network previously. In another case study, one threat actor was likely an affiliate of two separate ransomware groups.<\/p>\n<p>The threat actors themselves \u2013particularly ransomware actors \u2013 will at some point have to decide how they feel about cooperation: whether to fully embrace it or become more competitive. Going forward, some groups might deliberately team up, so that one group\u2019s tactics complement another\u2019s. Or we might see ransomware become more like cryptominers \u2013 actively searching for, and terminating, rivals on infected hosts. At the moment, however, it\u2019s an uncertain area \u2013 one which we hope our report will shed some light on.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/09\/multiple-attackers-increase-pressure-on-victims-complicate-incident-response\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/insect-gb507ec2e8_1920.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Tue, 09 Aug 2022 11:00:04 +0000<\/strong><\/p>\n<p>Sophos\u2019 latest Active Adversary report explores the issue of organizations being hit multiple times by attackers<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[26446,25303,25141,15826,129,25098,27216,26531,24616,3765,24552,27030,16771],"class_list":["post-19796","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-active-adversary-playbook","tag-blackcat","tag-conti","tag-cryptominers","tag-featured","tag-hive","tag-iabs","tag-karakurt","tag-lockbit","tag-ransomware","tag-security-operations","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19796"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19796\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19796"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}