Earlier this week, NBC News reported a ransomware attack on the U.S. Marshals Service (USMS), one of the most significant ransomware incidents to hit the US federal government in 2023. Speaking to NBC News, USMS spokesperson Drew Wade confirmed that the affected system held sensitive information pertaining to investigations, employees and legal processes.
In an email comment shared with the CIO Influence editorial team, Jeannie Warner, director of product marketing at Exabeam, explained the scenario involving the USMS.
Jeannie said, “This incident illustrates how ransomware is often a means to the end of what adversaries want the most: data. Fortunately, the federal government acted quickly to isolate the affected system from the rest of the network before the threat actors had the chance to move laterally and do more damage.
Organizations continue to have a diluted perspective on ransomware. There is enough out there on what it is, how it works, and a massive push to “stop” it, but we never solved the foundational problems that make it possible. Ransomware is a combination of insufficiently hardened systems and a missed intrusion, period. The attacks are only possible because of a weakness in an environment that begins with or later involves compromised credentials. If you unsuccessfully manage your environment hardening and intrusions, you will eventually fall victim to ransomware.”
Ransomware is so prevalent for multiple reasons. Easy targets are those that lack sophisticated defenses and monitoring, typically places with budget battles such as state agencies, law enforcement, and education. And it is highly profitable; there is incentive to run ransomware for several reasons:
- The ransom (often demanded in bitcoin these days to make the payment harder to trace)
- It is the ultimate DoS attack
- Harvesting data from the systems before locking them, then selling or using the data
Jeannie continued, “Many agencies have not yet invested in the credential-protecting and monitoring software that could slow or stop attacks. Without patching these core vulnerabilities and setting up monitoring properly, it’s very hard to break the cycle of compromise.
- Organizations lack budgets and don’t focus on credential behavior detection/protection software
- Ransomware software is becoming easy to use – there are literally videos showing a would-be threat actor what to do
- Ransomware “detects itself,” so the reported numbers will only increase.”
In January 2023, 33 publicly reported ransomware attacks were disclosed. In February, this number jumped to 40, a 21% rise within a month.
Phishing attacks on Riot Games and on Reddit have been covered extensively in the global media. Reddit’s investigation of its breach found that some contact information for hundreds of former and current employees was accessed. At this time, there is no evidence that personal user data or other non-public data has been stolen or distributed online. Reddit is nonetheless recommending that all users set up two-factor authentication and use a password manager going forward.
Sam Humphries, Head of Security Strategy, EMEA at Exabeam, highlighted the need to focus on detection as well as prevention in such scenarios. Sam said, “This latest incident is yet another reminder that all it takes is one employee’s credentials to be stolen to open the door to an organization’s internal systems. This compromise is often achieved through a simple, tried-and-true method – targeted phishing attacks. By accessing one user’s account after they fell victim to the phishing attempt, the adversaries were able to mine numerous documents and source code – and this company is not alone. Many others have been successfully breached the same way in recent weeks.
“Fortunately, in the case of Reddit, the targeted employee self-reported the incident to their security team, allowing for prompt investigation and response. More often, organizations struggle to detect the usage of compromised credentials. A recent survey found that 65% of security professionals still prioritize prevention over threat detection, investigation, and response – demonstrating that there is a clear disconnect between the frequency with which companies are facing these attacks and the ability to detect them successfully.
“As such, organizations need to place as much (if not more) emphasis on detection as prevention. This will allow them to more efficiently and effectively identify malicious behavior indicative of a compromised employee account and minimize data theft.”
Similarly, Justin McCarthy, co-founder and CTO, StrongDM added, “The goal of nearly every cyber adversary is simple – access – and whether they gain access through phishing or other means the outcome is never good. Attackers are relying on highly-sophisticated social engineering tactics to secure valid credentials because they’re essentially VIP passes into databases, and servers — as evidenced by this Reddit incident. Unfortunately, once adversaries get those valid credentials, they oftentimes have unlimited access internally. Even the most cyber-aware employees can unknowingly fall victim to a phishing attack. Ensuring that access to infrastructure is secured for all users — from admins, developers, analysts and more — is critical to keeping employee, partner and customer data safe. One way to accomplish this, and prevent fallout from a phishing attempt, is completely eliminating credentials from the hands of your staff and moving to just-in-time access or ‘Zero Standing Privilege.’”
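Sam Humphries’ point about detecting the use of compromised credentials, rather than relying on prevention alone, can be made concrete. The following is an added example, not code from Exabeam, StrongDM or the original article: a minimal baseline-and-deviation check that streams authentication events in time order, learns each user’s usual countries and devices, and alerts when a successful login deviates sharply (new country, new device, or two logins from different countries too close together to be the same person). The event field names (user, ts, src_country, device_id, result), the weights and the thresholds are assumptions for illustration, and the events are constructed sample data.

```python
"""Baseline-and-deviation check for compromised-credential use.

Added example, not vendor code. Authentication events are constructed
inline; the field names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_BASELINE = 3                  # successful logins needed before a user is scored
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is "impossible travel"
ALERT_THRESHOLD = 3
WEIGHTS = {"new_country": 2, "new_device": 1, "impossible_travel": 3}

# Constructed sample: alice has an established baseline, then gets a new laptop
# (noise), then her account is used from a new country on an unknown device
# 40 minutes after a legitimate login. bob has too little history to be scored.
EVENTS = [
    {"user": "alice", "ts": "2023-02-01T09:00:00", "src_country": "US", "device_id": "lt-0412", "result": "success"},
    {"user": "alice", "ts": "2023-02-02T09:05:00", "src_country": "US", "device_id": "lt-0412", "result": "success"},
    {"user": "alice", "ts": "2023-02-03T08:58:00", "src_country": "US", "device_id": "lt-0412", "result": "success"},
    {"user": "alice", "ts": "2023-02-06T09:01:00", "src_country": "US", "device_id": "lt-0977", "result": "success"},
    {"user": "alice", "ts": "2023-02-06T09:41:00", "src_country": "RO", "device_id": "unk-7f3a", "result": "success"},
    {"user": "bob",   "ts": "2023-02-06T10:00:00", "src_country": "DE", "device_id": "lt-1101", "result": "success"},
    {"user": "bob",   "ts": "2023-02-06T10:30:00", "src_country": "BR", "device_id": "unk-00aa", "result": "success"},
    {"user": "alice", "ts": "2023-02-07T03:00:00", "src_country": "RO", "device_id": "unk-7f3a", "result": "failure"},
]


def score_event(ev, baseline):
    """Return (score, reasons) for one successful login against a user's baseline."""
    reasons = []
    if ev["src_country"] not in baseline["countries"]:
        reasons.append("new_country")
    if ev["device_id"] not in baseline["devices"]:
        reasons.append("new_device")
    last = baseline["last_success"]
    if last is not None:
        elapsed = datetime.fromisoformat(ev["ts"]) - last["when"]
        if last["country"] != ev["src_country"] and elapsed < TRAVEL_WINDOW:
            reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(events):
    """Process events in time order; learn per-user baselines and alert on deviations."""
    baselines = defaultdict(lambda: {"countries": set(), "devices": set(),
                                     "successes": 0, "last_success": None})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":      # failures never build a baseline
            continue
        b = baselines[ev["user"]]
        alerted = False
        if b["successes"] >= MIN_BASELINE:  # new accounts are only observed, not scored
            score, reasons = score_event(ev, b)
            if score >= ALERT_THRESHOLD:
                alerts.append({"user": ev["user"], "ts": ev["ts"],
                               "score": score, "reasons": reasons})
                alerted = True
        if not alerted:
            # Learn only from logins that were not flagged, so an attacker's
            # first login cannot whitelist its own country and device.
            b["countries"].add(ev["src_country"])
            b["devices"].add(ev["device_id"])
            b["successes"] += 1
            b["last_success"] = {"when": datetime.fromisoformat(ev["ts"]),
                                 "country": ev["src_country"]}
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as a script, this prints a single alert for alice’s 09:41 login (new country, new device and impossible travel together score 6); her new-laptop login scores only 1 and is absorbed into the baseline, and bob’s two logins are not scored at all because he has no history yet. The thresholds are deliberately simple; a production detector would weight by asset sensitivity and feed an analyst workflow rather than a print statement.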
Geopolitical tensions are also fueling ransomware attacks.
Tyler Farrar, CISO at Exabeam, stated last month in an email comment: “Nation-state actors will continue cyber operations in 2023; whether these attacks increase, decrease, or stay the same ultimately depends upon the strategic objectives of each campaign. Based on the current geopolitical climate, I think we can expect these cyberattacks to increase across the major players. For example, Russia’s failure in Ukraine exposed its weaknesses to the world, but its attacks are likely to continue against Ukraine, including operational disruption, cyber espionage, and disinformation campaigns. It would be unsurprising for the attacks to expand beyond Ukraine too, as Russia’s leader attempts to prove Russia is not weak. Likewise, cyber espionage is a key tactic in China’s strategy for global influence and territorial supremacy, and I think we can expect these operations to increase, particularly across private sector companies…”
Tyler continued, “In 2023, state policies will directly influence cybercriminal and hacktivist communities to obfuscate sources and methods, increasingly blurring the lines between nation-states, cybercriminals, and hacktivists. Cybersecurity teams would be wise to remain flexible with respect to threat actor attribution.”
Alongside enhanced cybersecurity solutions to thwart data security incidents, enterprises also need to train their employees and IT staff on best practices in data management. Read our blog series to learn more about these practices.
[To share your insights with us, please write to sghosh@martechseries.com]