
Ladies and gentlemen, thanks everyone.

Yes, what's the speaker channel? That's a good question, I don't know which one she's doing. She's on manually, yeah, I'm on at the moment. That's a good question then. Well, oh no, you can tell I work with technology every day.

Good.

Put some glasses on. Okay, good, now.

I mean, as a Mancunian I thought I would be louder. Hello?

Good. Oh yeah, I'm definitely much louder now. So hello, welcome everybody in person. I will pre-warn absolutely everybody that this is the first time I have ever done anything like this at all, so I chose all you lovely people at BSides Newcastle to do this talk. So Sam, I know Sam, you're Sam, you're Chris. Well, that was absolutely fantastic, but I will have nowhere near as many terrifying stories as Chris did. But yes, I just like to freak people out with the title: Ransomware, APTs versus Vulnerabilities.

Oh, are we getting them? I've broken the slides.
It's okay, I fixed it eventually. So over the course of this talk I will walk through three case studies of real-life ransomware attacks that have occurred in 2021. As of 2020, researchers have estimated the cost of rectifying a ransomware attack to be just shy of two million dollars, and according to industry predictions one ransomware attack actually occurs every 11 seconds, up from once every 14 seconds in 2019. So just over the course of this talk there will probably be around 180 to 190 ransomware attacks alone. A good way to start is absolutely terrifying everyone.

So when we talk about ransomware attacks we usually do talk about them in terms of threat groups and advanced persistent threat actors who have had the motivation to attack the organizations in question. This isn't always the case, I'm not saying it is, but everyone needs a name for the talk, right? So this focus on linking incidents that we all read about regularly in mainstream news to a particular threat group, I will probably argue throughout this talk, is actually becoming a bit of a moot point really, because when ransomware itself works on vulnerabilities, do we keep continually talking about the ransomware groups in the background? So what would happen if we actually encouraged the conversation around ransomware to change, and instead of purely focusing on the threat actors and the tools, techniques and procedures that they use to attack organizations, we actually encourage companies and security teams to focus on the actual problem: the vulnerabilities that are currently being used, talked about and readily weaponized. Because let's face it, threat actors will target anything that they can get their hands on.

So as I said right at the top of the call, at the top of the call, I'm used to Zoom, at the top of the presentation, I will walk through three case studies of attacks that happened just over the course of 2021. The focus of these case studies is generally to provide a bit of an insight into the weaknesses that have been exploited by those threat
groups in question in order to gain access to the systems. Using these, I will present a bit of a different way that we can start to think about how we secure the organizations that are currently being targeted by these threat actors.

So diving straight into our first case study. On the 6th of May 2021, Colonial Pipeline, who just happened to be the largest fuel pipeline in the United States, carrying 45% of the East Coast supply of diesel, petrol and even jet fuel, experienced a ransomware attack that has been linked to the threat group DarkSide. DarkSide operators stole roughly 100 gigabytes of company files from the systems in what's believed to be just under two hours. Data included names, contact information, date of birth, government-issued identification and even health-related information of around 5,810 individuals. Colonial Pipeline themselves actually paid 4.4 million dollars in ransom to the group in order to restore the service quickly, of which the Department of Justice, following quite a bit of hefty analysis and research, did manage to seize 2.3 million dollars in cryptocurrency.

So concentrating on the group itself: DarkSide, who are known to have targeted Colonial Pipeline, have operated since 2018 (ignore that that's on there) and shut down their operations following the Colonial Pipeline attack in 2021, though just like many groups that we continuously read about, they have just rebadged to another group, in this case BlackMatter. So DarkSide and its affiliates have been known to gain initial network access by exploiting vulnerable software exposed to the internet, including things like Citrix, Remote Desktop Web Access and Remote Desktop Protocol, moving from gaining that initial access to moving laterally throughout the company network, inevitably looking for and removing any sensitive data that is of interest to them. Several threat groups have actually been linked to exploiting one particular vulnerability in Citrix, labelled as CVE-2019-19781, which is actually a flaw in Citrix Application Delivery Controller, Gateway and SD-WAN WANOP products, namely a suite of products that is used to deliver purpose-built networking appliances to improve the performance, security and resiliency of applications delivered over the web.

The vulnerability in Citrix, if exploited, does actually allow a threat actor to gain access to sensitive code or data that is present on the server that is running the application, but of course it's dependent on the network set-up. Critically, the exploitation of the vulnerability is based on exposure to the internet. Additionally, the National Institute of Standards and Technology have actually warned multiple times about the vulnerability in Citrix, with the last warning actually released on the 31st of December 2020, and have again urged that it's a critical vulnerability that needs to be patched. The first proof-of-concept exploit for the code was published on GitHub actually just one day before an attack occurred on the United States Census Bureau in January 2020. More recently, and actually more importantly to our point, threat actors continue to indicate a preference for exploiting Citrix and this particular CVE in the forums between January 2020 and March 2021, with it being the top mentioned CVE in both Russian- and English-speaking dark web forums.

Swiftly moving on to our second case study. French multinational firm AXA identified a ransomware attack on the 17th of May this year that appeared to be impacting branches of the firm based in Thailand, Malaysia, Hong Kong and the Philippines. The Avaddon ransomware group actually claimed credit for the attack and posted on their data leak site that they had gained access to around three terabytes of sensitive
information from the customer systems. Similar to the first one that we just walked through, that was a whole host of sensitive information, including things like customer medical reports, identification cards, bank account statements, amongst so much more. AXA didn't actually mention how much the ransom was that the group had posted to them, but from analysis of the group themselves we do know that this was at least between thousand dollars and six hundred thousand dollars. Turning our attention to the group themselves, they're known to have operated between February 2020 and June 2021, turning into a ransomware-as-a-service model in June 2020, but I won't mention that now, I'll mention it a little later in the presentation just to keep everybody in suspense as to what that is. During their period of operations, researchers believe the group have targeted and impacted a whole host of organizations, around 2,934. However, you probably would never know it, because many of these didn't actually reach the mainstream media; only a handful did, including AXA that we've just talked about.

Avaddon and its affiliates have been associated with targeting exposed Remote Desktop Services connections. To provide a very basic understanding of what that is, and to not patronize anybody in the audience, and apologies to any networkers: this essentially allows a local computer to establish a link with a remote computer in order to gain full or restricted access to that computer of choice, and was first introduced in Windows XP. Microsoft, amongst a whole load of other security researchers, have actually warned about Remote Desktop Services and its use by threat actors numerous times over the past few years. In 2019 alone, Microsoft released a set of fixes for Remote Desktop Services that included two critical ones allowing remote code execution, labelled CVE-2019-1181 and CVE-2019-1182. One affected version of Windows was actually Windows 7, which, as I think everybody's aware, actually went end of life in January 2020. Both the vulnerabilities released by Microsoft required no user interaction whatsoever, and if exploited essentially allowed the threat actor to gain access to install programs, view, change or delete data and, more importantly, could allow them to create a new user account that had a whole host of access rights, making this set of vulnerabilities super attractive to any threat actor that wanted to exploit them.

More recently, in February this year, a pentester at a company known as Raxis actually released a new Metasploit module that was based on a timing vulnerability in Outlook Web Application. The vulnerability itself was essentially based on a discrepancy in how long it takes the web application to identify a fake logon versus one that is genuine, and during the proving of that vulnerability itself the researcher actually showed what the discrepancy was and how integral this was. So when the researcher entered a fake username it took the system around four seconds to confirm that that username was incorrect; when they entered a genuine username it actually took three milliseconds for the system to confirm that it was genuine. It might seem to us as humans very small, but in terms of computing this is massive. Essentially, building that into Metasploit would allow any genuine pen tester, but even be more attractive to a threat actor, to use that tool in order to run it against a target system and look to gain access to that network by running a whole host of details against that particular targeted network, illustrating, I think, why it's so popular
for ransomware threat actors.

Our third and final case study looks at Bangkok Air, who many have probably read about in the last couple of weeks, who actually experienced a ransomware attack on the 23rd of August. To the airline's credit, and actually relatively unusual for someone who has experienced a ransomware attack, they admitted upfront that they had lost data due to the attack itself, including again a whole trove of sensitive information that was then sold on the dark web, including passenger names, contact information and even partial credit card information as well. Bangkok Air did actually release what the ransom asked for was, and it was 50 million dollars, so quite a significant difference from the group we were just talking about, being Avaddon. However, Bangkok Air did not pay that ransom, which did inevitably lead to the disclosure of the information that we have just mentioned. So it is still too early to understand how much this cyber attack will actually cost the airline, but given the release of personal data alone, it is likely that the revenue will decrease quite significantly, and a victim from 2019 called Demant actually cited that they had experienced an estimated loss of 95 million following them themselves falling victim to a ransomware attack.

So third and finally, the group behind the attack on Bangkok Air was a group known as LockBit 2.0, who had technically operated since 2019 but did have a brief hiatus and reappeared in June 2021. Since the reappearance sort of mid-year this year, the group have been associated with exploiting vulnerabilities in the Fortinet Fort

Hello? Oh, I'm back. Gave me a pause. So yeah, so the group themselves have targeted Fortinet appliances in general; one particular one is the one that's on behind me, which is CVE-2018-13379, again exploited to try and gain access to victims' networks. So the vulnerability, when exploited, does essentially allow remote unauthenticated access to a system on the FortiGate appliance, and if they pop that button they could get things like configuration files and password files that are inherently within the appliance itself. Gathering those credentials could essentially allow a threat actor, either themselves or even by selling those credentials on, to allow any threat actor whatsoever to regain access to that appliance, as long as that appliance password is not changed in any way. Even three years after its initial disclosure in 2018, the vulnerability itself is still being used by threat actors to gain initial access to targeted company networks. I think this definitely illustrates some of the challenges that we're talking about through the course of this presentation, where companies either just don't understand the importance of patching and looking at some of these vulnerabilities, especially the ones that are web-facing, or just don't understand their own exposure to these particular types of vulnerabilities. I think it's the job of every single one of us here to try and explain to people what that impact could well be.

Just yesterday morning, Fortinet again confirmed that that vulnerability is still being targeted by threat actors, and there has been a threat actor, advised by Fortinet, who has managed to gather 87,000 credentials linked to Fortinet SSL VPN devices that have now been sold on the dark web. Whether or not those companies have patched that vulnerability, if they haven't changed any of those credentials, that is essentially keys to the kingdom for any threat actor that is purchasing those details. This follows on from another report released by NCSC in December 2020 that again was still preaching the fact that threat actors are still targeting that vulnerability, with over 600 IPs, when they looked at the dark web, being linked to the UK alone. Again, stressing to people that they should really be looking at these types of vulnerabilities and understanding their potential exposure to them themselves.
So, so what? What do all these attacks have in common? The answer actually is ransomware as a service. Those that haven't had a quick nap may have heard me mention ransomware as a service, which I said I'd mention later on in the presentation, and this is it. So essentially ransomware as a service is a business model used by ransomware developers in which they lease variants, in the same way as software-as-a-service developers actually do legitimately. This service gives everybody, even people without any technical expertise or with very little technical expertise, the ability to launch ransomware attacks against a target of their choosing. The screenshot on the right-hand side of the screen is actually taken from the LockBit 2.0 affiliate page, demonstrating the professionalism of the group, and actually sheds some light on what the group themselves offer affiliates and what they need to do in order to carry out a successful ransomware attack.

So ransomware as a service is actually a massively growing economy as we go through the years, and a competitive one at that, as you can imagine, when ransomware operators are vying for attention and vying for purchases. The total ransomware revenue in 2020 for ransomware as a service is thought to have been about 20 billion, up from 11.5 billion dollars the year before. Affiliate programs are only one model, with many groups offering a monthly no-commitment subscription, a one-time licence fee and finally the ability to share any profit of any attack that's committed. So given this is such a competitive market and is driving such revenue for these groups themselves, it is no surprise that these groups have to continually find some way to gain some advantage over the other groups that are saturating this market at this point. One of those ways is actually to find vulnerabilities in networks and provide access and use of these to their customers. As we've mentioned before, one of those is picking up credentials for things like the Fortinet products that we've just talked about, with the 87,000 credentials. Other ways are just purely trying to scan the internet to find that hole in that company that they can poke and find their way in.

Vulnerabilities themselves are not identified with a bow linked to a threat group, APT or even an active ransomware group in general; vulnerabilities become entwined with these groups once they've been actively exploited in live, real-world attacks. The three examples behind me are actually open-source scans that I carried out, probably on Tuesday now, on the internet search engine Shodan, and each provides a tiny little but really juicy insight into the problem that we're currently talking about: namely that vulnerabilities can be identified from a simple search on the internet of any company around the globe whatsoever who is currently exposed to the internet through their IP address, with groups such as LockBit and Avaddon, who have the know-how and the understanding of how to exploit these, using them as part of their service to gain traction with their customers.

So now we've freaked everybody out and you're all thinking, oh my god, we're all going to get attacked by ransomware and there's sod all we can do about it, let's just take a step back and think about the problem that I introduced right at the top of this presentation. So what happens if we encourage the conversation around ransomware to change, and instead of purely focusing on those
threat groups and the associated links to what they have been exploiting, we move the conversation on a little bit and start to encourage companies and security teams to understand the vulnerabilities that are currently out there being used, talked about on things like the dark web, and looking to be readily weaponized. So I mean, as a threat intelligence specialist myself, I'm not saying that understanding the groups is not important; it absolutely is, but that's more when we're talking about understanding attacks on a more global scale, so talking country to country, in a similar way as our keynote did, is absolutely valid. But when we're talking about ransomware we do end up missing a bit of a chunk of the puzzle, because when we are talking about APTs we are generally talking about motivation. So we do need to continue to focus on what is currently being exploited and what is being talked about by those threat actors, and actually this is where threat intelligence can come hand in hand with anything that other teams are doing. So if you have no TI team, that's absolutely valid; this whole source is out there from the likes of Intel 471, who have the ability to push out this information and talk about the vulnerabilities that are currently out there being used and being readily weaponized. If you do have a TI team and they're not doing this at the moment, just send them to this talk, send them my way, we can have that conversation in general.

So building on the previous point of why we need to focus more on the vulnerabilities themselves and less on just understanding the threat group in the background: that increase of ransomware as a service means that threat actors and affiliates will completely make a service work for them, so it continues to render the old adage of motivation and capability in association with APTs a little bit down the pecking order, because now those groups that ordinarily may have had the complete motivation to target a particular company but have not had the technical expertise to do so now have a whole criminal underground forum that is ready there and waiting to take the money and give them those tools that they need to be able to exploit that company. In practical terms, this means that tooling such as Cobalt Strike and Metasploit, when we're talking about motion france and where threat actors absolutely remain a significant threat, but what we do need to start focusing on is those internet-facing gems that are out there, ready and willing for the taking for those threat groups, and understanding what that means for the customers and how to protect themselves.

Recently, I think it was only last week, LockBit 2.0 actually completed an interview with a security journalist where they were actually asked outright what companies could do to avoid falling victim to LockBit themselves. They gave two key bits of advice: one of them was to have a kick-ass anti-virus product, and the second one was just to make sure that they update and patch all software regularly, I think adeptly tying up this entire presentation that we've just gone through. Oh, I thought I'd moved on a bit too far then.

So before we do kick into some of the advice that you've seen on the screen, I'll be upfront: this talk, I think unlike some of the other talks that are at BSides today, is
not about reinventing the wheel. I'm not going to suggest things like fancy AI firewalls that need to be put into every part of the company and just obliterate your network, or have your security team sitting in some sort of bunker away from the Chinese and the Russians. No, absolutely not. We're going back to basics, security 101, which I think everybody has come around to at some point in their career, and we're just talking about keeping things secure.

So with that in mind, and to keep a bit of an eye on the threat landscape and understand that ransomware as a service is increasing massively: you know, today we have seen 600 vulnerabilities that have been released, and researchers think this is going to be over a thousand. Given this alone, it is important that companies have a great policy and programme of understanding vulnerability management, but not just saying, oh yeah, if a vulnerability comes out I need to patch that because my policy told me to, but actually having the understanding to step back and go, that's great, we can do that, but we need to understand what our risk is from our own organization. So if we have 20 CVEs that are all internet-facing, those are the ones that we are going to prioritize over the ones that are behind six firewalls and network segmentation. So it's just having that understanding and thought process and marrying that against what we've been talking about in terms of those threat actors that are having these conversations on the dark web, and what are they talking about in conjunction with that.

So linking to that threat intelligence vibe and the provision of that, and marrying everything together: you can use that type of threat intelligence of what threat actors are currently using, what they're exploiting, what their tools and techniques are and how they are doing some of this scanning, and equip a great red team with it. They can take that information, use it, apply it to each of those organizations and basically come up with those strategies, in conjunction with your TI team, to make sure that you are keeping up to date and secure from those types of attacks. But that said, vulnerabilities are only one, albeit major, part of the puzzle. Security defences are not infallible. You do also need to make sure that your employees understand the kinds of things that are being leveraged against them, so things like emails that enter the organization if somebody's trying to get into the system, how are they keeping their credentials secure and what are you doing to help them do that, and also build a culture of personal online security responsibility.

So as I end the talk, if there's one thing that you take away from this, it's just keep it simple: if it's reachable from the internet, it's dangerous, it's being talked about, so for the love of god patch it. So thank you for being a wonderful audience, thank you for listening to my talk. I'm Kat.
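The prioritization the talk argues for, internet-facing first and actively exploited first, marrying threat intelligence with a vulnerability management programme, can be turned into a simple scoring routine. The following example was added by the editor and is not code from the talk or the speaker. The asset names, the network hop counts, the weighting factors and the placeholder "CVE-EXAMPLE-0001" are all constructed for illustration; the real CVEs listed are the ones discussed in the talk, and the post-patch note for CVE-2018-13379 reflects the talk's point that patching does not revoke credentials already harvested.

```python
"""Risk-based prioritization of vulnerability findings (added example).

Each finding is scored from three things the talk keeps coming back to:
whether the asset is reachable from the internet, whether the CVE is known to
be actively exploited or traded on criminal forums (threat intelligence), and
the raw severity. Findings are then ordered so the internet-facing, actively
exploited ones land at the top of the patch queue, and any remediation that the
patch alone does not cover is attached to the finding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    network_hops: int = 0  # firewalls / segments between the internet and the asset


# Threat-intel feed, constructed for this example: CVEs reported as actively
# exploited. The CVEs are the ones discussed in the talk; descriptions are assumptions.
ACTIVELY_EXPLOITED = {
    "CVE-2019-19781": "Citrix ADC / Gateway / SD-WAN WANOP",
    "CVE-2018-13379": "Fortinet SSL VPN credential disclosure",
    "CVE-2019-1181": "Remote Desktop Services remote code execution",
    "CVE-2019-1182": "Remote Desktop Services remote code execution",
}

# Extra work the patch itself does not do. Assumption for this example, based on
# the talk's point that stolen VPN credentials stay valid until rotated.
POST_PATCH_ACTIONS = {
    "CVE-2018-13379": "rotate all SSL VPN credentials; patching does not revoke stolen ones",
}


def score(finding: Finding, intel=ACTIVELY_EXPLOITED) -> float:
    """Priority score; higher means patch sooner.

    exposure is 1.0 for an internet-facing asset and decays with the number of
    hops for an internal one; exploited doubles the score when intel says the
    CVE is in use in the wild. The weights are constructed, not a standard.
    """
    exposure = 1.0 if finding.internet_facing else 1.0 / (2 + finding.network_hops)
    exploited = 2.0 if finding.cve in intel else 1.0
    return round(finding.cvss * exposure * exploited, 2)


def prioritize(findings, intel=ACTIVELY_EXPLOITED):
    """Return (asset, cve, score, actions) tuples, highest priority first.

    Ties are broken by asset name so the output is deterministic.
    """
    ranked = sorted(findings, key=lambda f: (-score(f, intel), f.asset))
    out = []
    for f in ranked:
        actions = ["patch"]
        if f.cve in POST_PATCH_ACTIONS:
            actions.append(POST_PATCH_ACTIONS[f.cve])
        out.append((f.asset, f.cve, score(f, intel), actions))
    return out


# Constructed sample inventory: the asset names and hop counts are invented.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-2018-13379", 9.8, internet_facing=True),
    Finding("citrix-adc-01", "CVE-2019-19781", 9.8, internet_facing=True),
    Finding("rdp-jump-02", "CVE-2019-1182", 9.8, internet_facing=True),
    Finding("ts-internal-07", "CVE-2019-1181", 9.8, internet_facing=False, network_hops=2),
    # Placeholder CVE id: severe but not reported as exploited, so it ranks below the rest.
    Finding("hr-app-03", "CVE-EXAMPLE-0001", 7.5, internet_facing=True),
]

if __name__ == "__main__":
    for asset, cve, s, actions in prioritize(SAMPLE_FINDINGS):
        print(f"{s:5.1f}  {asset:15s} {cve:18s} {'; '.join(actions)}")
```

Run as-is, the three internet-facing, actively exploited findings come out on top, the internal RDP host drops to the bottom despite an identical CVSS score, and the Fortinet finding carries the credential-rotation action alongside the patch. Swapping the constructed intel dictionary for a real feed is the only change needed to use this against an actual asset inventory.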
Do you have a couple of minutes for Q&A? Oh yeah, of course, if there's any questions I'm happy to answer. Let me grab the next, if I didn't break the microphone when I dropped it on the floor. You literally, mate, dropped that, that was a pretty awesome smash. Does anyone have any questions? Yes, I'll come in this direction. Yes, here.

Two pieces of information, but the same question for both. With the likes of Microsoft products, you mentioned remote desktop, well, Remote Desktop Services up until but not including 2019 only supports TLS version 1.0, which is deprecated as such; it's only when you move to 2019 that it will support 1.1, 1.2, 1.3 as it were. With that in mind, and because of the amount of companies that have actually paid this ransomware, where you've got the people that are producing it who've got 10 times the R&D budget of all of the other antivirus companies put together, do you see in the next 10 years an exponential rise with ransomware?

Oh, good question. So sorry, can you just repeat that last bit?

Because the hackers have got ten times the R&D budget of all of the other legitimate antivirus companies put together, and when you look at the likes of Broadcom, which has bought out so many companies, when they consolidate, their R&D budget's gonna come down, like they're not gonna expand on that. So do you see that ransomware's gonna exponentially rise in the next, like, 10 years?

Oh yeah, definitely. So I think ransomware will continue to put that kind of revenue and budget and ability and even technical nuance straight into the services that they're actually providing to those customers that are looking to target those organizations that do have a reduced security budget. I think the rise of ransomware as a service is probably going to continue; it's so lucrative to them that I think they will continue to put all their attention into that. So trying to balance that threat, I think the understanding here is we do literally have to start looking at those vulnerabilities to try and stay ahead of what's happening, and just making sure that there is some sort of understanding that yes, they are going to continue, they're going to try and continue to leverage that attacking, and they need to then try and displace them somewhere else. So we are seeing, actually because of that, an increase in cyber threat, for example, which we can start to concentrate on after that. But yes, ransomware threat actors are going to increase exponentially, I think.

The hackers, when you give you the two pieces of information, they miss the third one: always ensure that you've got backups, especially off-site.

Absolutely, yes, that is 100% key. Any organization that has not paid the ransomware today has said that they've not done so because they have had off-site backups that they've been able to restore from. So yeah, absolutely agree.

Cool, thank you very much. I think we've got time for a couple of questions. Some very well, there's a break, but I know there's gonna be some spicy questions. So Chris, with your knowledge about all the money being made from ransomware, why haven't you gone to the dark side?

Oh, spicy. I think it's just my pure love of threat intelligence and all things white hat hacking. So I must say, my whole thing with threat intelligence, I am not a techie, so my understanding is purely people motivation, so I think that's probably one of the reasons why I love trying to stay ahead of what somebody is doing, trying to understand what their motivations are and trying to find ways to prevent them getting into any network that I'm currently protecting at this point. But yeah, I think I just don't quite have too much of an evil side to go across to that. But who knows, another 10 years, just keep an eye out. They have cookies.

Yes, hi, thanks for the talk. So one of the most obvious root causes from these case studies, and from many others, is that the scenario is very similar: there are known vulnerabilities out there but companies are not touching them, and if you look at the typical company organizational structure you see the engineering teams working on a product or a feature, you see some security teams which keep saying that we need to patch and upgrade but they are not empowered to do so, and engineering teams usually go, oh, delay this to the next cycle, and if the upgrade fails because it interferes with the features they delay it further. So it seems there is some kind of organizational missing link here for engineering, security and tech people to actually walk through the security issues and push the patches forward. So what's your take on the ideal organizational structure inside the company which would support active security patching?

Oh, good question. To be honest, I think given my background I'm pretty much going to say threat intelligence. So you have to, on one hand, change the security values, and it starts from a top-down approach, so you need to get your board bought in to understanding why we need to do this and why it needs to be a priority to talk about security in this type of field. Whether, as you say, you're in the engineering team and just trying to get something done for the end customer, you do still need to have those conversations with security, who may be less reprimanding about patching if security is actually built in at the first few stages. So marrying those two together, I think you do then need to have a vein of threat intelligence running through just to ensure that you can have that covered, so when you have that conversation your engineering team goes, well, it's going to take me a week longer to build that particular entrance, and you're like, well, would you rather take a week or would you rather then be smashed by ransomware and having to speak to your board and trying to get 50 million dollars out of them? So it's trying to balance those two thoughts and making sure that you're equipped with what you need in order to have those conversations.

Cool, thank you very much. I think the new hashtag for BSides Newcastle should be "smashed by ransomware". Yeah, that's pretty cool. And ladies and gentlemen, thank you very much everybody, give a round of applause.