Ongoing Geopolitical Tensions Involving China, Russia, North Korea and Iran are Leading to Cyberattacks
A new report suggests that China and Russia alone account for 47% of cyber-attacks throughout 2019. Within all cyber-attacks, the use of custom malware and process hollowing is growing, destructive/integrity attacks are increasing, and a new form of island hopping is worrying.
While it is problematic to attribute sources of attacks, these details come from the latest VMware Carbon Black Global Incident Response Threat Report (PDF). “What makes this study unique,” VMware Carbon Black’s head security strategist Tom Kellermann told SecurityWeek, “is that it is not limited to VMware Carbon Black facts and figures. The thirty largest incident response and MSSP firms in the world contributed to this study, from SecureWorks to Booz Allen and Deloitte, and across all of their investigations over the last six months.”
The findings described in the report come from incident responders working in the field rather than from a survey of opinions or a single company’s private telemetry. “These incident responders,” continued Kellermann, “are suggesting Russian and Chinese sources from the nature of the forensic footprints and the secondary C2 locations, not just the primary C2 locations, they discover. That doesn’t dismiss the possibility of false flag and proxying operations, but combined with human intelligence on the malicious code, possible motives and cui bono? [who benefits?] applied to the situations, this is probably quite accurate.”
Underlying the source of attacks is the current global geopolitical tension. Attacks from Iran are increasing — and indeed, from the U.S. itself. This latter, suggests Kellermann, “is probably because there is an undercurrent of disillusionment in America right now, and we’re seeing this expressed in cyberspace.” While this includes ‘domestic terrorism’, it is likely to be exacerbated in future years as an unintended consequence of attempts to close the skills gap. School kids are being taught cyber skills in high school — but unless they go all the way through university to degree level, they will not find employment in security. It is almost inevitable that drop outs will look elsewhere to use their skills — and Kellermann believes that this has already happened in Brazil: successful attempts to improve Brazilian cyber skills over the last two decades is the root cause in the growth of a robust and skilled Brazilian hacking community today.
The global geopolitical condition is a particular concern for Kellermann, with the 2020 presidential elections approaching. “Current listings for state voter database dumps are available for sale on the dark web,” says the report. One bundle of data from 27 states has been sold at least 47 times as of October 2019, suggesting that criminals see multiple ways of monetizing the personal information.
But what worries Kellermann most is application of the growing use of ‘access mining’. Stolen data is being sold by the criminals for near-term profit; but the criminals concerned, he suggests, “are waiting or the big fish buyer to come and say, ‘sell me the access to the system where you got this data’.”
He is worried that nation states and politically motivated non-states will get access to those systems and start manipulating details to cause voter disenfranchisement.
“This can be done quite simply by changing the integrity of the records,” he said. “When a person attempts to vote, they are denied because their name or address has been misspelled. That is a viable way to curtail democracy.” Given the tightness of voting in the swing states, it wouldn’t take a great deal to change the outcome — and just a few swing states could choose the president. “On the list of the databases for sale,” said Kellermann, “there are three of the most significant swing states with the greater part of their voting data: Michigan, Ohio, and Florida are included. Whoever wins those three states will win the election.”
Within current cyber-attacks, two new developments are highlighted in the report. The first is an increasing use of destructive malware. Criminal gangs are seeking stealth and persistence — perhaps with a mind to future access mining. When stealth is lost, and incident responders are detected, rather than just leave, the criminals are increasingly destroying the environment. Forty-one percent of attacks, up 10% on the previous two quarters, now include destructive/integrity attacks.
“In some ways,” says the report, “destruction is the ultimate in counter-incident response: As a victim calls the police during a home invasion, the attacker decides to burn the house down. Once the house is burnt down, detectives aren’t likely to figure out how the thieves broke in or what was stolen, thus erasing the evidence.” This is easily achieved with wiper malware or ransomware with no ransom.
The second development is a new form of island hopping, that employs reverse business email compromise. “The commandeering of mail servers,” Kellermann told SecurityWeek, “is followed by selectively deploying fileless malware against a handful of targets, particularly the board members of customer corporations. For executives, the worst-case scenario is no longer the theft of data; it is island hopping, as your brand will be used to attack your customers,” he continued. “This is the dark side of digital transformation.”
While the attacks themselves are becoming more sophisticated, so too are the criminals and the malware they use. For several years there have been reports of cyber criminals using old malware. This seems to have reversed. Custom malware is now used in 41% of attacks, an increase of 5% over Q1, 2019.
“Improved attack capabilities from the elite hackers has multiple causes,” Kellermann told SecurityWeek. “Firstly, they are aligned with their national governments and act like cyber militia for those governments. Secondly we’re living in an era of improvement and enhancement to the sophisticated attacks leaked by Shadow Brokers. And because of the absence of international norms of behavior and the global political angst that exists across the world between the haves and the have-nots, this manifests in cyber space in the form of various activities.”
Despite the clearly worsening cyber outlook, Kellermann believes there are steps that can and must be taken to improve things. “One of the biggest problems for business,” he said, “is that the security industry is fragmented and competes with itself rather than against the dark web. The criminals are more united and cooperative. We need to concentrate on two constructs as an industry: we need to open up our APIs and integrate with each other as much as possible so that we can really get to a single pane of glass; and we also need to change the way we protect things.”
The failure of perimeter defense is not a new idea. But, says Kellermann, “We need to protect things from inside out. We should be using an architectural model similar to a modern penitentiary rather than a castle-like fortress.”
Achieving this begins with really understanding viable attack paths and limiting lateral movement, “which in turn,” he suggests, “would limit our worst-case scenario — which is island hopping. We need to baseline vulnerabilities, we should be using just-in-time administration, and we should employ application control.”
Microsegmentation is an imperative to inhibiting lateral movement and particularly attacks like process hollowing, and we should be using big data. “But we cannot be completely dependent on machine learning or AI,” he added, “because they can be polluted. Finally, when we collaborate, not only do we need to embrace MITRE ATT&CK, we need to appreciate the fact that in order to be predictive on future TTPs and the combination of future TTPs, we need to get away from the linear kill chain and embrace the cognitive attack loop.”