Blog

Highlight From The SOC – Message From The Head Of MSS

By Simon Willgoss, Head of MSS

Sep-2021 6 min to read

Highlight From The SOC – Message From The Head Of MSS

Marhaba and greetings for Q3 from Help AG MSS! Phishing continues to plague many organizations. Our MSS team has been developing playbooks to better handle phishing, and our conversations led me to ask the following question: why is phishing so successful?

One explanation could be that it is easy. A script can send millions of emails with a malicious link or attachment. If only a small fraction of these recipients responds positively, it is easy to see the return on investment. It is, in most cases, that effortless.

Another explanation could be that it is effective. The rate of success is high, and must remain high, or the fraudsters would not bother. It would not be worth their time or effort. What makes phishing so effective, besides being easy?

I think the truth is this: it is effective because the receivers of phishing communication do not sufficiently validate (or cannot sufficiently validate) what they are looking at on their screen. So, they ‘click’, and give up their credentials. They believe something which should not necessarily be trusted without careful validation.

The same is true for most domains in cybersecurity. An individual waving their hands, yelling “We are under attack!” does not constitute a cyber attack. At Help AG, we train and expect our analysts to ask the right questions – “How do you know you are under attack? What has convinced you that you are under attack?”. These questions might seem inappropriate; however, they are the right questions to ensure the right response actions are taken quickly and in the right order. Our topics this quarter touch on issues of validation. Not every data dump on Pastebin is ‘fresh’ data, harvested through a recent (illegal) compromise of data. Not every Denial of Service (DoS) will saturate your internet link. Here are the topics for Q3:

Re-Publication of Credentials
Ransomware Targeting ESXi
Not Every DoS is a DDoS

Not everything is what it appears to be. This quarter has shown me the importance of careful validation when handling threats and vulnerabilities. I hope you find value in our analysis and findings for Q3 2021.

Top Cyberthreats In Q3 2021

Re-Publication of Credentials

The words “Massive Data Leak” will send fear and panic into the far corners of most organizations. It is tempting to believe that every large data leak is catastrophic, regardless of the type or quantity of data. In one sense, we should treat every data leak with seriousness and criticality. However, every potential cyber incident – including reports of leaked credentials or sensitive/confidential information should be quickly and properly assessed.

Help AG’s Digital Risk Protection (DRP) service has been utilized to evaluate and assess multiple supposed ‘large data leaks’. Help AG have identified several individuals selling data that was either dumped or sold previously. These individuals have re-offered old data, or re-posted publicly available data, for sale sometimes at a decreased cost, and sometimes manipulated to increase the difficulty of authenticating the data.

When confronted with a potential data breach involving “leaked credentials”:

Validate the authenticity of the data
Do the identities match those used by your users to access systems? Do the attributes match those available from internal systems? Email addresses are not necessarily clear evidence of a breach (if the identity is “firstname.lastname@name.com”) since your organization may use a different convention for access to systems. A list of employee names from LinkedIn can be used to programmatically generate a list of ‘identities’ (email addresses).
Validate the currency of the data
Is the data similar, or the same, as any previous data breach? If the data has not been seen previously, how “old” is the data? Identities of ex-employees, old/expired accounts and old passwords are good indicators of the ‘age’ of the data.
Validate the reputation of the seller
Does this individual have a ‘good standing’ in the community of sellers? Is the seller’s identity or account ‘new’ or recently created? Does the data appear discounted or inexpensive, given the amount/size?

Validating the reputation of a fraudster or ‘seller’ is a key part of the process, and this requires specialized tools and knowledge to avoid alerting fraudsters that they are being watched. Help AG is aware that fraudsters may attempt to lure cybersecurity professionals into dialogue, using old data as bait. If a cybersecurity professional is too eager or not careful, their behavior will soon disqualify them as an authentic buyer.

Ransomware Targeting ESXi

In July 2021, a Linux variant of the Darkside ransomware was seen in the wild. What was special about this piece of malware was the following:

It was built to run on Linux systems
It was designed to target a particular Linux flavor – the VMware ESXi Hypervisor

This Darkside variant leveraged two vulnerabilities (CVE-2019-5544 and CVE-2020-3992). Both vulnerabilities are remotely exploitable across a network (e.g. management network). Successful exploitation of either permits remote code execution on the ESXi host. The attacker does not need to compromise a Guest VM to exploit the host.

Whilst the likelihood of a successful compromise is low, the impact and subsequent ‘reward’ is significant. Encryption of an ESXi host filesystem would render possibly hundreds of systems ‘offline’ or ‘unavailable’ within minutes.

To protect hypervisors, Help AG recommends the following:

Ensure network security controls limit access to the hypervisor, including preventing access from public networks (e.g. the internet)
Restrict network access between Guest and Host systems/networks
Ensure sufficient Host resources exist for continuation of workloads when patching of hypervisors is required
Where possible implement strong, multi factor authentication (MFA) for administrative users
Consider implementation of Privilege Access Management solutions to provide role-based access control, authentication, authorization, and auditing of access to hypervisors

Not Every DoS is a DDoS

Help AG and Etisalat – we witness thousands of volumetric attacks against organizations across the UAE.

Help AG has also witnessed significant impact on organizations resulting from carefully crafted attacks, targeting specific applications. These attacks were ultimately not successful; however, they were disruptive without being significant in volume. What made them disruptive?

A network-based attack does not need to overwhelm all components. It need only overwhelm one significant system, upon which others depend. A good example is DNS. With specially crafted traffic, designed to bypass controls and protections, targeting specific DNS configurations, it is possible to inhibit DNS and stop the DNS server from responding to requests. These attacks do not generate sufficient, sustained volumes of traffic to be classified as ‘Distributed Denial of Service’, though they are often initiated using a distributed set of systems (i.e., bots or zombies).

When considering how to protect your DNS systems, Help AG recommends the following:

Design DNS with resilience in mind from day zero
Engage upstream providers to provide additional DNS resiliency
Identify organizational dependencies on DNS (e.g., site-to-site failover)
Consider hosting your DNS using a secure cloud-delivered solution
Implement DMARC, SPF and DNS security to prevent abuse of DNS

DDoS Attacks: Q3 2021

Total attacks: 75k
Increase over Q3, 2021: 126%
Longest Attack: 18 Days,22 Hours,20 Minutes
Top attack type: UDP

Continuing with the trends of 2020, DDoS attack numbers jumped out at 126% for Q3 2021 compared to Q2 2021. Attackers seem to be focused on the duration of zero to ten minutes, as observed in 51% of attacks, while longer-duration attack numbers did not change appreciably.58% of the attacks observed in UAE, were multi-vector attacks. 10 different attack vectors were used in a single attack targeting a UAE customer. Government institutions and private enterprises remain the top targeted verticals within UAE.