2021 is not yet over, yet it’s already a record-breaking year for the cybercrime industry. We discuss the top 5 cyberattacks of 2021 so far.
Cybercrime is expected to cost the world $6 trillion by the end of the year. Ransomware attacks are growing in frequency and severity, culminating in several headline-making attacks that have brought national attention to cybercrime.
Security managers and enterprise-level CISOs are desperately looking for new techniques and technologies for navigating this challenging landscape. Security leaders everywhere are paying close attention to the year’s record-breaking attacks and trying to predict the next one.
How to Prevent the Next Major Attack
Looking at the year’s attacks, one thing is abundantly clear. Today’s cybersecurity solutions are not sufficient to prevent disruptive ransomware attacks. Many of this year’s victims had endpoint security systems, gateway sandboxes, next-generation anti-virus solutions, and more – yet they still became victims nonetheless.
This underscores the fact that CISOs need to look beyond traditional best practices and start investing in a truly transformative approach to cybersecurity. Anti data exfiltration (ADX) is a new technology that can protect against the sophisticated ransomware attacks that define today’s threat landscape.
Data exfiltration protection is not a gateway solution. It operates inside the network, preventing the unauthorized removal of data to external destinations. This also prevents malware and ransomware applications from communicating with their command and control (C2) servers. Once inside, hackers are left effectively disarmed, unable to exfiltrate data or hide their tracks.
How Anti Data Exfiltration (ADX) could have stopped attacks
1. CNA Financial
CNA Financial is one of the largest insurance companies in the United States. The company announced the attack in late March 2021, stating that it had fallen victim to a sophisticated cyberattack. The company negotiated its ransom down from $60 million to $40 million, and paid for the decryption key that it needed to continue operations.
A cybercrime syndicate called Phoenix claimed responsibility for the attack. The group used a type of malware called Phoenix Locker, which is itself a variant of the more popular Hades ransomware executable.
CNA Financials’ website remained closed for nearly two weeks after the attack. It only revealed the specifics of the attack two months after paying the ransom, when it was obligated by law to do so.
The Phoenix ransomware executable works by posing as a browser update. It tricks employees into installing the update, and then moves laterally throughout the network to gain higher privileges until it can successfully carry out phase two of the attack. It identifies sensitive data and then sends it outside the network before encrypting the data and launching the attack.
Data exfiltration protection would have prevented Phoenix from copying, compressing, and sending data from the CNA environment to the hacker’s cloud account. Investigators determined that the attackers wanted to blackmail users with their sensitive data. Without this data, attackers could not have successfully launched their attack or proven access to sensitive data.
2. Colonial Pipeline
The Colonial Pipeline attack is by far the most infamous of 2021 so far. A Russia-based hacking group called DarkSide has claimed responsibility for the attack, which focused on SCADA systems that connect operational systems with traditional IT networks that are internet-connected.
DarkSide successfully carried out their attack by focusing on Colonial Pipeline’s IT servers in its operational SCADA stack. Colonial Pipeline security professionals took the prudent action of taking down these systems before the attack spread, which contained the damage, but led to the sudden closure of a critical fuel pipeline, prompting a regional supply crunch that hurt consumers.
DarkSide breached Colonial Pipeline’s systems using compromised account credentials from a legacy operational system that did not feature dual-factor authentication. Attackers infiltrated the network and sent a compressed malware executable into the system.
DarkSide’s malware works by wiping the Recycle Bin and deleting volume copies using a non-restorable PowerShell script. It disables Windows services and targets terminated processes before recursively encrypting files until local and network shares are fully encrypted. It exfiltrates this data to an attacker-specified C2 server before deleting its own copy and posting the ransom note.
If Colonial Pipeline had deployed a data exfiltration solution, DarkSide’s malware would not have been able to exfiltrate its data to the C2 server. This would have interrupted the ransom process at its most critical moment. The malware would still contain its own copy of the data, which includes the decryption content. Mitigating the attack would be as simple as reaching into the malware and obtaining the decryption key it (still) contains.
3. JBS USA
One month after Colonial Pipeline fell to hackers, the largest meat packing company in the world also suffered a debilitating attack. JBS USA is the American subsidiary of JBS SA, a Brazil-based meat distribution firm. The company was able to mitigate some of the damage of the attack using backups, but it was still forced to temporarily pause operations and suffer expensive downtime.
JBS did not initially comment on whether it paid the attackers, and did not comment on its decision to close its North American plants for two days. Eventually the company admitted to paying $11 million to attackers in response to the threat of closure.
The attack did have costly ripple effects on the national meat supply chain, preventing supermarkets and restaurants from serving meat to their customers for much longer, and leading to price hikes as a result of the supply-side crunch.
The JBS attack actually began in February 2021, with initial reconnaissance pointing out structural vulnerabilities in the victim’s network. Cybercriminals carried out data exfiltration for months, starting as early as March and finishing this phase of the attack at the end of May. Hackers finalized the attack only after the exfiltration was complete, on June 1st.
JBS could have mitigated the entire attack using data exfiltration protection software. This would have made it impossible for hackers to spend months stealing data from the company without leaving obvious traces. Security alerts would have resulted in swift action that could have expelled the attackers well before the attack struck.
4. Kaseya
Kaseya is an IT services provider based in Florida that made headlines after falling victim to a large-scale ransomware attack claimed by REvil. This attack compromised between 800 and 1500 businesses around the world, with disruptive effects following end users throughout complex supply chains.
Kaseya’s case is unique because of the company’s place as a managed service provider with such a large customer base. The vast majority of these companies are small businesses, but the infrastructure of their IT supply chain links them closely together.
In this case, REvil targeted Kaseya’s virtual server appliance (VSA) solution, and claimed to hit 1 million endpoints throughout the entire supply chain. Kaseya’s VSA solution exists both as a cloud-based Software-as-a-Service (SaaS) solution and as an on-premises product.
REvil hackers compromised Kaseya’s VSA product by installing a malicious executable into the VSA system. The attack took place in multiple stages, with the first payload disabling Windows Defender and the second actually performing the ransomware encryption task.
If Kaseya has invested in data exfiltration protection, REvil would not have been able to distribute the second payload during their attack. The first payload would have been unable to communicate with the second, rendering the attack harmless. REvil would not have been able to demand its $70 million ransom.
5. Brenntag
Brenntag is a German-based chemical distribution company with operations in 77 countries. Earlier this year, DarkSide targeted the company’s North American division, encrypting data and devices on the compromised network and stealing 150 GB of data.
DarkSide claims that it launched the attack after gaining access to Brenntag’s network through stolen user credentials purchased on the Dark Web. This kind of attack is becoming increasingly common, and is incredibly difficult to counter using traditional cybersecurity technologies.
Stolen user credentials often go unreported and can even come with valuable administrative privileges. Cybersecurity professionals need to craft policies that exhibit a zero-trust framework even for privileged account holders.
DarkSide would not have been able to steal 150 GB of valuable data if the Brenntag network did not allow privileged account holders to exfiltrate large volumes of data. There are very few legitimate reasons why an administrator would want to move so much sensitive data at once.
Deploying a data exfiltration protection solution that prevents these kinds of transfers would have had very little, if any, impact on day-to-day operations and usability. But it could very well have saved Brenntag from paying a $4.4 million ransom to the DarkSide cybercriminal syndicate.
How ADX works
ADX works by investigating outgoing data on endpoint devices. This gives it a markedly smaller footprint than other solutions, such as firewalls or DLP, which examines incoming and outgoing traffic at the edge of the network. ADX solutions are lightweight enough to run on mobile devices and do not need to work on the corporate network.
Instead of comparing traffic to a dictionary of attack signatures, ADX solutions use behavioral analytics to identify unusual behaviors on a user-centric basis. ADX limits the ability for users – including privileged users and administrators – to send sensitive data outside the network.
For more information on how ADX can help your business please contact BlackFog or signup for a 7 day ransomware assessment on our web site.