According to the Global Incident Response Threat Report, an analysis of the latest attack trends seen by VMware Carbon Black, Russia and China are responsible for the lion’s share of cyberattacks in 2019.
The threat actors, be it state-sponsored or organised crime groups seem to be employing more advanced and sophisticated methods for cybercrime. Additionally, geopolitical tension is once again playing out in cyberspace specifically as it relates to the upcoming 2020 US elections.
The report pointed out the majority of today’s cyberattacks now encompass tactics such as lateral movement, island hopping and destructive attacks. Advanced hacking capabilities and services for sale on the dark web compound the issue, as does an unprecedented collaboration among nation-states. These realities pose a tremendous risk to targets with decentralised systems protecting high-value assets, including money, intellectual property and state secrets.
Key findings from the report include:
CSA reached out to Tom Kellermann, Cybersecurity Strategist, VMware Carbon Black to find out more about the report findings and also how Carbon Black is addressing these issues.
While Russia and China seem to be accountable for most cyberattacks, North Korea seems to have fallen down the order. Interestingly, Tom said the US Cybercommand and Financial Sector ISAC have shared unprecedented threat intelligence per the tactics employed by the Lazarus group, and thus many of North Korea’s recent cyber campaigns have been thwarted. However, the attack landscape is constantly evolving, and he does expect a resurgence of attacks from North Korea any day now, with custom malware.
Looking at cyberattack methods, over 40% of attacks targeted victims through island hopping. Island hopping is a term used to describe the process of undermining a company's cyber defences by going after its vulnerable partner network, rather than launching a direct attack.
Cybercriminals are expanding their use of island hopping to creep into systems at their most vulnerable points, then hopping to higher-security parts of the network. VMware Carbon Black research has also found that attackers are selling island hopping access to compromised systems, often without the target realising they are exposed.
“Organisations are improving their defences of critical assets however, hackers are migrating to new techniques, like island hopping, wherein they commandeer the digital transformation efforts of the victim organisation to target their customers. This is achieved via watering hole attacks and reverse business compromise (RBEC). Today’s cybercrime wave commandeers the victim’s brand and uses the reputation of that brand to target their customers.”
Tom believes the creation of an island hopping marketplace is a game-changer, providing attackers with increased incentives to infiltrate systems and a greater ability to embarrass brands, and giving relative amateurs an easy path to inflict serious damage.
While 76% believe the financial industry is the most likely target of cyberattacks, the frequent targeting of educational and government entities illustrates the appeal of decentralised systems that control large amounts of money or information. 38% of IR firms said the government was most often targeted by island hopping attacks, compared to 34% for education.
Tom explained, “Although the financial sector is the most secure, they are facing a siege by the very best hackers in the world who are leveraging custom malware, new living off the land (LotL) techniques and island hopping to bypass their perimeter defences. What’s most concerning is that destructive attacks have surged to nearly 41% of attack occurrences, according to our research. We are in the age of the modern bank heist, and it is becoming a hostage situation.”
There are always concerns about outside influence on elections. With the 2020 Presidential Election looming, 59% of American respondents said risk around election process and security have increased. Adding to that, 65% of them believe that the election will be influenced by an outside entity or even a cyberattack. The 2016 US Presidential elections also drew similar concerns. In fact, almost all elections around the world have concerns about outside interference and influence. Russia is viewed as the most likely source of such attacks, at 73%, followed by Iran at 13% and China at 7%.
“The US electoral system is incredibly vulnerable to cyberattack. Voter databases are being sold online as we speak. The greatest danger is voter suppression via manipulation of specific voter PII so that they are disenfranchised from voting. Cyberthreat hunting must be conducted immediately on all voting machines, databases and correspondent networks. All IOCs must be eliminated, and application control must be deployed after that,” emphasised Tom.
The report also highlighted how voter databases are being compromised with machines from previous elections are readily available from high-reputation vendors on the dark web for less than US$100. In total, from a single listing, information on more than 81 million voters is currently available for sale.
Based on the findings, Tom said VMware Carbon Black is laser-focused on empowering the greater community to become more effective in disrupting the modern cognitive attack loop.
“We do so by improving our analytics associated with behavioural anomalies and by API integration with over 140 cybersecurity vendors. Finally, we partner with 124 incident response firms who deploy our EDR in during 60% of the world’s cybercrime investigations.”