Highlight From The SOC – Message From The Head Of MSS
Marhaba and greetings for Q3 from Help AG MSS! Phishing continues to plague many organizations. Our MSS team has been developing playbooks to better handle phishing, and our conversations led me to ask the following question: why is phishing so successful?
One explanation could be that it is easy. A script can send millions of emails with a malicious link or attachment. If only a small fraction of these recipients responds positively, it is easy to see the return on investment. It is, in most cases, that effortless.
Another explanation could be that it is effective. The rate of success is high, and must remain high, or the fraudsters would not bother. It would not be worth their time or effort. What makes phishing so effective, besides being easy?
I think the truth is this: it is effective because the receivers of phishing communication do not sufficiently validate (or cannot sufficiently validate) what they are looking at on their screen. So, they ‘click’, and give up their credentials. They believe something which should not necessarily be trusted without careful validation.
The same is true for most domains in cybersecurity. An individual waving their hands, yelling “We are under attack!” does not constitute a cyber attack. At Help AG, we train and expect our analysts to ask the right questions – “How do you know you are under attack? What has convinced you that you are under attack?”. These questions might seem inappropriate; however, they are the right questions to ensure the right response actions are taken quickly and in the right order. Our topics this quarter touch on issues of validation. Not every data dump on Pastebin is ‘fresh’ data, harvested through a recent (illegal) compromise of data. Not every Denial of Service (DoS) will saturate your internet link. Here are the topics for Q3:
- Re-Publication of Credentials
- Ransomware Targeting ESXi
- Not Every DoS is a DDoS
Not everything is what it appears to be. This quarter has shown me the importance of careful validation when handling threats and vulnerabilities. I hope you find value in our analysis and findings for Q3 2021.
Top Cyberthreats In Q3 2021
Re-Publication of Credentials
The words “Massive Data Leak” will send fear and panic into the far corners of most organizations. It is tempting to believe that every large data leak is catastrophic, regardless of the type or quantity of data. In one sense, we should treat every data leak with seriousness and criticality. However, every potential cyber incident – including reports of leaked credentials or sensitive/confidential information – should be quickly and properly assessed.
Help AG’s Digital Risk Protection (DRP) service has been utilized to evaluate and assess multiple supposed ‘large data leaks’. Help AG has identified several individuals selling data that was either dumped or sold previously. These individuals have re-offered old data, or re-posted publicly available data, for sale, sometimes at a decreased cost, and sometimes manipulated to increase the difficulty of authenticating the data.
When confronted with a potential data breach involving “leaked credentials”:
- Validate the authenticity of the data
Do the identities match those used by your users to access systems? Do the attributes match those available from internal systems? Email addresses are not necessarily clear evidence of a breach (if the identity is “email@example.com”) since your organization may use a different convention for access to systems. A list of employee names from LinkedIn can be used to programmatically generate a list of ‘identities’ (email addresses).
- Validate the currency of the data
Is the data similar, or the same, as any previous data breach? If the data has not been seen previously, how “old” is the data? Identities of ex-employees, old/expired accounts and old passwords are good indicators of the ‘age’ of the data.
- Validate the reputation of the seller
Does this individual have a ‘good standing’ in the community of sellers? Is the seller’s identity or account ‘new’ or recently created? Does the data appear discounted or inexpensive, given the amount/size?
Validating the reputation of a fraudster or ‘seller’ is a key part of the process, and this requires specialized tools and knowledge to avoid alerting fraudsters that they are being watched. Help AG is aware that fraudsters may attempt to lure cybersecurity professionals into dialogue, using old data as bait. If a cybersecurity professional is too eager or not careful, their behavior will soon disqualify them as an authentic buyer.
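The first two checks above (authenticity and currency) lend themselves to a repeatable triage step before anyone engages with a seller. The script below is an added example, not Help AG’s DRP tooling: it compares each identity:password pair in a claimed leak against the organization’s login convention, its directory, and dumps assessed earlier, and produces a verdict. The directory, the earlier dump, the claimed leak and the login convention are all constructed for illustration, and the plain SHA-256 hashes stand in for whatever the identity provider really stores.

```python
"""Triage a purported credential dump against internal records.

Added example; it is not Help AG's DRP tooling. It scores a claimed leak on the
first two checks in the report: does each identity follow the convention the
organization actually uses and belong to a current account, and has the same
identity:password pair appeared in a dump assessed earlier. Every dataset
below is constructed for illustration; the password hashes are plain SHA-256
stand-ins for whatever the identity provider really stores.
"""
import hashlib
import re
from collections import Counter

# Constructed: logins are initial+surname at the internal domain, which differs
# from the firstname.surname mailbox format a scraper would generate from names.
INTERNAL_LOGIN_RE = re.compile(r"^[a-z]{2,}@corp\.example$")


def _h(password):
    # Illustration only: real directories store salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed internal directory: login -> account status and current password hash.
DIRECTORY = {
    "jsmith@corp.example": {"status": "active", "pw_hash": _h("Summer2021!")},
    "akhan@corp.example": {"status": "active", "pw_hash": _h("correct-horse")},
    "mlee@corp.example": {"status": "disabled", "pw_hash": _h("OldPass123")},
}

# Constructed: identity:password pairs from a dump the team assessed previously.
KNOWN_OLD_DUMP = {
    ("jsmith@corp.example", "Winter2019!"),
    ("mlee@corp.example", "OldPass123"),
}


def classify_record(identity, password):
    """Return the validation findings for one leaked identity:password pair."""
    identity = identity.strip().lower()
    entry = DIRECTORY.get(identity)
    return {
        "identity": identity,
        "matches_convention": bool(INTERNAL_LOGIN_RE.match(identity)),
        "known_account": entry is not None,
        "account_status": entry["status"] if entry else "unknown",
        "seen_before": (identity, password) in KNOWN_OLD_DUMP,
        "password_current": bool(entry) and entry["pw_hash"] == _h(password),
    }


def assess_dump(records):
    """Summarize a claimed leak as a verdict plus per-category counts.

    live      : active account whose current password is in the dump
    stale     : known account with a rotated password, or a disabled/ex-employee account
    unmatched : identity matches neither our convention nor any known account
    """
    results = [classify_record(i, p) for i, p in records]
    counts = Counter(live=0, stale=0, unmatched=0)
    for r in results:
        if r["password_current"] and r["account_status"] == "active":
            counts["live"] += 1
        elif not r["known_account"] or not r["matches_convention"]:
            counts["unmatched"] += 1
        else:
            counts["stale"] += 1
    if counts["live"]:
        verdict = "fresh-and-valid"
    elif counts["stale"] >= counts["unmatched"]:
        verdict = "recycled"
    else:
        verdict = "unverified"
    return {"verdict": verdict, **counts, "records": results}


# Constructed: what a seller claims is a fresh dump of our users.
CLAIMED_LEAK = [
    ("jsmith@corp.example", "Winter2019!"),      # real login, rotated password, seen before
    ("mlee@corp.example", "OldPass123"),         # ex-employee, seen before
    ("john.smith@mail.example", "Summer2021!"),  # mailbox format generated from a name
]

if __name__ == "__main__":
    report = assess_dump(CLAIMED_LEAK)
    print(report["verdict"], {k: report[k] for k in ("live", "stale", "unmatched")})
```

Run as-is, the constructed leak comes back as “recycled”: two of its three records were already seen or belong to a disabled account, and the third uses a mailbox format that is not a login at all. A single live record for an active account flips the verdict to “fresh-and-valid”, which is the case that justifies an incident rather than a note in the DRP log.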
Ransomware Targeting ESXi
In July 2021, a Linux variant of the Darkside ransomware was seen in the wild. What was special about this piece of malware was the following:
- It was built to run on Linux systems
- It was designed to target a particular Linux flavor – the VMware ESXi Hypervisor
This Darkside variant leveraged two vulnerabilities (CVE-2019-5544 and CVE-2020-3992). Both vulnerabilities are remotely exploitable across a network (e.g. management network). Successful exploitation of either permits remote code execution on the ESXi host. The attacker does not need to compromise a Guest VM to exploit the host.
Whilst the likelihood of a successful compromise is low, the impact and subsequent ‘reward’ is significant. Encryption of an ESXi host filesystem would render possibly hundreds of systems ‘offline’ or ‘unavailable’ within minutes.
To protect hypervisors, Help AG recommends the following:
- Ensure network security controls limit access to the hypervisor, including preventing access from public networks (e.g. the internet)
- Restrict network access between Guest and Host systems/networks
- Ensure sufficient Host resources exist for continuation of workloads when patching of hypervisors is required
- Where possible, implement strong multi-factor authentication (MFA) for administrative users
- Consider implementing a Privileged Access Management solution to provide role-based access control, authentication, authorization, and auditing of access to hypervisors
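The first two recommendations are testable against a firewall rule set. The script below is an added example, not Help AG’s or VMware’s tooling: it flags allow-rules that let public networks or guest networks reach the hypervisor management VLAN, and rules that admit a source other than the sanctioned admin network. The subnets and rules are constructed; the port list is an assumption covering common ESXi management services, including 427 for the OpenSLP service that the two CVEs named above affect.

```python
"""Audit firewall rules for hypervisor management exposure.

Added example, not Help AG's or VMware's tooling. It checks the first two
recommendations in the report against a rule set: management access to the
hypervisor must not be allowed from public networks, and guest networks must
not reach the host. The subnets and rules are constructed; the port list is an
assumption covering common ESXi management services.
"""
import ipaddress

# Constructed network plan.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")     # hypervisor management VLAN
GUEST_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # networks where guest VMs live
ADMIN_JUMP = ipaddress.ip_network("10.0.5.0/28")     # the only sanctioned admin source
# Assumed management ports: SSH, SLP, HTTPS/vSphere API, host agent, CIM over HTTPS.
HYPERVISOR_PORTS = {22, 427, 443, 902, 5989}


def _is_public_source(net):
    # "any" (0.0.0.0/0) or anything outside private address space counts as public.
    return net.prefixlen == 0 or not net.is_private


def audit_rules(rules):
    """Return (finding, rule id) pairs for allow-rules that expose hypervisor management.

    Each rule is a dict with id, src and dst (CIDR strings), port (int or "any") and action.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(MGMT_NET):
            continue  # not about the hypervisor network at all
        if rule["port"] != "any" and int(rule["port"]) not in HYPERVISOR_PORTS:
            continue  # some other service on that VLAN; out of scope here
        if _is_public_source(src):
            findings.append(("public-exposure", rule["id"]))
        elif any(src.overlaps(g) for g in GUEST_NETS):
            findings.append(("guest-to-host", rule["id"]))
        elif not src.subnet_of(ADMIN_JUMP):
            findings.append(("unexpected-source", rule["id"]))
    return findings


# Constructed rule set, roughly what a firewall export looks like.
SAMPLE_RULES = [
    {"id": "R1", "src": "10.0.5.0/28", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    {"id": "R2", "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    {"id": "R3", "src": "10.20.0.0/16", "dst": "10.10.0.0/24", "port": "any", "action": "allow"},
    {"id": "R4", "src": "10.30.0.0/24", "dst": "10.10.0.0/24", "port": 22, "action": "allow"},
    {"id": "R5", "src": "10.20.0.0/16", "dst": "10.10.0.0/24", "port": "any", "action": "deny"},
    {"id": "R6", "src": "0.0.0.0/0", "dst": "10.40.0.0/24", "port": 443, "action": "allow"},
]

if __name__ == "__main__":
    for finding, rule_id in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
```

Against the constructed rule set the audit reports R2 (management HTTPS open to the internet), R3 (a guest VLAN allowed to reach the host on any port) and R4 (an unlisted internal network allowed SSH); R1 is the intended admin path, R5 is a deny, and R6 concerns a different VLAN. The same overlap logic applies to a rule export from any firewall once it is normalized into the dict shape shown.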
Not Every DoS is a DDoS
Together with Etisalat, Help AG witnesses thousands of volumetric attacks against organizations across the UAE.
Help AG has also witnessed significant impact on organizations resulting from carefully crafted attacks, targeting specific applications. These attacks were ultimately not successful; however, they were disruptive without being significant in volume. What made them disruptive?
A network-based attack does not need to overwhelm all components. It need only overwhelm one significant system, upon which others depend. A good example is DNS. With specially crafted traffic, designed to bypass controls and protections, targeting specific DNS configurations, it is possible to inhibit DNS and stop the DNS server from responding to requests. These attacks do not generate sufficient, sustained volumes of traffic to be classified as ‘Distributed Denial of Service’, though they are often initiated using a distributed set of systems (i.e., bots or zombies).
When considering how to protect your DNS systems, Help AG recommends the following:
- Design DNS with resilience in mind from day zero
- Engage upstream providers to provide additional DNS resiliency
- Identify organizational dependencies on DNS (e.g., site-to-site failover)
- Consider hosting your DNS using a secure cloud-delivered solution
- Implement DMARC, SPF and DNS security to prevent abuse of DNS
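The observation above, that traffic aimed at DNS can be disruptive without DDoS-scale volume, translates into a detection that looks at what each client asks for rather than how much. The script below is an added example, not Help AG’s detection content. It assumes one way such traffic does its damage (the report does not name the pattern): every query is for a unique name under a single zone, so nothing is served from cache and the server performs a full lookup per query. The detector profiles each client and flags modest senders whose queries almost never repeat and cluster under one zone. The log lines are constructed in a simplified BIND-like shape, and the thresholds are tuning knobs, not measured values.

```python
"""Spot low-volume DNS abuse in query logs.

Added example, not Help AG's detection content. The report observes that
traffic aimed at DNS can be disruptive without DDoS-scale volume; one way to
achieve that (an assumption here, since the report does not name the pattern)
is to make every query a cache miss by asking for unique names under one zone.
This detector profiles each client and flags modest senders whose queries
almost never repeat and cluster under a single zone. The log lines are
constructed in a simplified BIND-like shape.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def parse_log(text):
    """Yield (client_ip, normalized qname) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower()


def parent_zone(qname):
    """Crude parent zone: the last two labels (enough for this illustration)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_clients(text):
    """Per-client totals, unique names, and how concentrated those names are."""
    totals, names = defaultdict(int), defaultdict(set)
    for ip, qname in parse_log(text):
        totals[ip] += 1
        names[ip].add(qname)
    profiles = {}
    for ip, total in totals.items():
        per_zone = defaultdict(int)
        for qname in names[ip]:
            per_zone[parent_zone(qname)] += 1
        top_zone, top_count = max(per_zone.items(), key=lambda kv: kv[1])
        profiles[ip] = {
            "total": total,
            "unique": len(names[ip]),
            "unique_ratio": len(names[ip]) / total,
            "top_zone": top_zone,
            "top_zone_share": top_count / len(names[ip]),
        }
    return profiles


def flag_cache_miss_sources(text, min_queries=5, min_unique_ratio=0.9, min_zone_share=0.8):
    """Clients that send few queries overall yet force a full lookup on nearly every one."""
    flagged = []
    for ip, p in profile_clients(text).items():
        if (p["total"] >= min_queries
                and p["unique_ratio"] >= min_unique_ratio
                and p["top_zone_share"] >= min_zone_share):
            flagged.append((ip, p["top_zone"], p["total"]))
    return sorted(flagged)


# Constructed log: a normal client repeating a few names, a bot cycling random
# labels under one zone, and a client too quiet to judge.
_NORMAL = ["www.example.com", "mail.example.com", "login.example.com"]
_RANDOM = ["q7f2a1", "kx93ld", "p0w4zz", "mn81qe", "v5c2rt", "b9h6yu", "zz01ak", "rt77op"]
SAMPLE_LOG = "\n".join(
    [f"client 10.1.1.5#5{i:04d}: query: {_NORMAL[i % 3]} IN A" for i in range(10)]
    + [f"client 192.0.2.77#4{i:04d}: query: {label}.corp-example.net IN A"
       for i, label in enumerate(_RANDOM)]
    + ["client 10.1.1.9#51000: query: cdn.example.org IN AAAA",
       "client 10.1.1.9#51001: query: img.example.org IN A"]
)

if __name__ == "__main__":
    for ip, zone, total in flag_cache_miss_sources(SAMPLE_LOG):
        print(f"{ip}: {total} queries, nearly all unique names under {zone}")
```

On the constructed log only 192.0.2.77 is flagged: eight queries is nothing by volume, but every one of them is a fresh name under corp-example.net, which is exactly the shape that a rate-based DDoS threshold never sees. In production the profiling would run over a sliding window and a flagged zone is a cue to check that the upstream and cloud-delivered resiliency measures listed above are actually in place for it.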
DDoS Attacks: Q3 2021
- Total attacks: 75k
- Increase over Q3, 2021: 126%
- Longest attack: 18 days, 22 hours, 20 minutes
- Top attack type: UDP
Continuing the trends of 2020, DDoS attack numbers jumped by 126% in Q3 2021 compared to Q2 2021. Attackers seem to favour attacks lasting zero to ten minutes, as observed in 51% of attacks, while longer-duration attack numbers did not change appreciably. 58% of the attacks observed in the UAE were multi-vector attacks; 10 different attack vectors were used in a single attack targeting a UAE customer. Government institutions and private enterprises remain the top targeted verticals within the UAE.
Attack Frequency: Total DDoS Attacks Q1 vs Q2 vs Q3
Continuing the trend of 2020, attack numbers spiked by 126% compared to Q2, which clearly depicts increased DDoS attack activity towards the UAE.
Frequency by Duration: Q3 Statistics
51% of DDoS attacks lasted less than 10 minutes – a probable indicator of testing the defenses or masking other attack vectors.
Attack Vectors: Top 5 Only Q1 vs Q2 vs Q3
While the top 5 DDoS attack patterns used have remained constant, UDP-based DDoS attacks spiked in Q3.
Attack Vectors: Multi-Vector Q3 – Statistics
58% of the DDoS Attacks observed in UAE are multi-vector attacks.
Vectors Targeted: Top 3 Only Q1 vs Q2 vs Q3