Ransomware had a massive impact on organizations in 2021, responsible for nearly 38% of all breaches, and 31% of breaches in APAC. In APAC, 10% of breaches were the result of unsecured cloud databases, higher than the global average (6%) as per Tenable research.
The research further covered 1,825 breach events spanning from November 1, 2020 to October 31, 2021. This analysis explored the data to understand breach trends, such as impacted industries and the root causes, over a 12-month time span. Tenable found that over 40 billion (40,417,167,937) total records were exposed. While this is an incredible number, 87% of the breach disclosures analyzed did not include any information on the number of records exposed, meaning this figure is likely much higher.
Satnam Narang, Staff Research Engineer at Tenable, speaks to DynamicCISO and elaborates on how breaches and successful ransomware attacks can cripple an organization with increased costs and lost revenue. To reduce the probability of business impact from such attacks, enterprises need to understand the effectiveness of their security program and identify and address the flaws that ransomware attacks exploit. Preventing ransomware and disruption-of-service attacks remains a top priority for organizations of all sizes.
DynamicCISO: As a researcher, where do you see the breach trends heading, considering ransomware groups are leveraging Active Directory vulnerabilities and misconfigurations in their attacks?
Satnam Narang (SN): What’s fascinating about the breach figures from our Threat Landscape Retrospective is that they are likely an undercount of the actual true figures due to a lack of reporting requirements for organizations globally or an inability to quantify the impact of a breach event. Therefore, we expect these numbers to be much higher and to continue to rise due to ransomware attacks and to cloud usage by organizations, as we expect attackers to pivot away from large organizations to mid-sized companies. This includes organizations in healthcare or connected to healthcare in some fashion, as well as the education sector.
Once ransomware groups make their way into an organization, their goal is to spread to various endpoints and the most efficient way to do so is by leveraging Active Directory. One of the most prominent vulnerabilities used by ransomware groups is Zerologon, a flaw that was disclosed in August 2020 and has remained in the Top 5 vulnerabilities each year in our Threat Landscape Retrospective report.
For ransomware attackers, Active Directory compromise is the Holy Grail. While Zerologon is not the only way attackers take advantage of Active Directory, it has become one of the more viable means of attack and is often paired with other initial access vulnerabilities, such as flaws in SSL VPN devices.
DynamicCISO: Each industry faces unique challenges, with an ever-changing array of assets to protect and sometimes a stringent budget. What are some of the emerging trends in the cybersecurity landscape that organizations need to follow?
SN: Visibility into the various assets within a network remains a challenge for organizations, but what compounds this is that even with visibility and awareness, organizations are still failing to patch legacy vulnerabilities.
We continue to see attackers exploit vulnerabilities that were patched 1-3 years ago, which highlights two important trends: attackers don’t need to burn zero-days to breach organizations and organizations are struggling to patch their systems.
DynamicCISO: What kind of strategies have emerged in ransomware-as-a-service attacks, and what can enterprises expect in the short to near term?
SN: Double and triple extortion tactics have proven to be very lucrative for ransomware-as-a-service groups, as the combination of encrypting files within a network and threatening to leak sensitive information publicly puts added pressure on organizations that have to grapple with the choice of whether to pay the ransom or not.
We saw multiple cases where, even when an organization was able to recover its files from backups, it still opted to pay the ransomware group in order to ensure the stolen files didn’t see the light of day.
The triple component of extortion can vary between performing a denial of service attack against the breached organization’s website, leaving them without a way to keep customers and the general public informed of what’s happening. However, ransomware-as-a-service groups have also been observed contacting customers of a breached organization, disclosing the breach to them and encouraging them to contact the organization to create added pressure of paying the ransom demand.
Example: REvil, also known as Sodinokibi, was identified as the ransomware behind one of the largest ransom demands on record: $10 million. It is sold by criminal group PINCHY SPIDER, which sells RaaS under the affiliate model and typically takes 40% of the profits.
The introduction of the third layer of extortion makes an already challenging situation more difficult for organizations.
DynamicCISO: Software supply chain attacks are a difficult and growing problem. The SolarWinds attack is a reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security. What are some of the protective measures that enterprises can adopt to address potential supply chain attacks in the future?
SN: There are a lot of lessons being learned following the SolarWinds attack and the fallout from the Log4Shell discovery late last year.
One of the most compelling is the implementation of a software bill of materials to ensure visibility into the various components used by software developed and purchased by an organization. This is gaining momentum within the United States and will likely see more adoption globally in the coming months.
Enterprises must watch what they are introducing in terms of software code or service provider applications. Otherwise this may lead to vulnerabilities, and hacks like SolarWinds may be possible. Businesses should try to reduce the stigma surrounding the use of external security services, such as code reviews, pen testing and vulnerability scans.
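The software bill of materials mentioned above is only useful if something actually reads it. The following added example (not code from the interview, Tenable or DynamicCISO) parses a constructed CycloneDX-style SBOM and flags components whose version falls below a configured minimum; the log4j-core floor of 2.17.1 is an assumed example threshold for the Log4Shell fixes, not a figure from the article.

```python
import json

# Constructed CycloneDX-style SBOM for illustration (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"},
        {"group": "org.example", "name": "internal-utils", "version": "1.0.0-SNAPSHOT"},
    ],
})

# Minimum safe versions keyed by group:name. The log4j-core floor is an assumed
# example threshold for the Log4Shell family of fixes, not data from the article.
MIN_SAFE_VERSIONS = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
}

def parse_version(version):
    """Turn '2.14.1' or '1.0.0-SNAPSHOT' into a comparable tuple of integers.

    Non-numeric suffixes such as '-SNAPSHOT' are dropped so the numeric part compares.
    """
    core = version.split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def find_vulnerable_components(sbom_json, floors=MIN_SAFE_VERSIONS):
    """Return every component whose version is below its configured safe floor."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        floor = floors.get(key)
        if floor is None:
            continue  # no floor configured for this component
        if parse_version(comp["version"]) < parse_version(floor):
            findings.append({"component": key, "version": comp["version"], "minimum_safe": floor})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM):
        print(f"{f['component']} {f['version']} is below {f['minimum_safe']}")
```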
DynamicCISO: Organizations place their trust in cloud providers to ensure a secure environment. Unfortunately, that approach has numerous problems. What, according to you, are some of the key challenges in securing the cloud environment?
SN: For cloud environments, the biggest challenge is the misconfiguration of assets and the abuse of highly permissioned accounts.
Sometimes, accounts are granted more access than necessary, putting organizations at risk in the event of a compromise, in addition to the misconfiguration of buckets and blobs within popular cloud environments. These misconfigurations are responsible for many of the breaches we’ve observed throughout the last year. It is therefore important for organizations to utilize tools that can help identify some of the common misconfiguration issues.
Due to complexity, employees often allow unrestricted access without realizing it, and even when organizations leverage cloud vendor tools for identity and access management (IAM), there can still be gaps.
It’s essential to implement the “Shared Responsibility Model”, and enterprises need to implement it because one cloud misconfiguration or mistake can push an organization towards a data breach or cyber-attack, leading to massive losses.