
A Moving Target - Overview of Current Threat Landscape

BSides Sofia 2024 · 48:33 · 119 views · Published 2024-04
About this talk
by Gergana Karadzhova-Dangela

In this session Gergana Karadzhova-Dangela, a Senior Incident Response Consultant with Cisco Talos, will give an overview of the major trends observed by the Talos Threat Intelligence team in 2023 and the first months of 2024. It will cover the topics of the most often exploited vulnerabilities, advanced persistent threat groups (APTs) and ransomware-as-a-service. The session will focus on how those topics have changed in the past year and what new challenges (and opportunities) confront cybersecurity defenders.

Transcript [en]

Hello everyone, and also welcome from my side. I'm really happy to be with you today and to welcome you to the next presentation from BSides Sofia 2024: A Moving Target, Overview of the Current Threat Landscape. I need to start with admitting something: at the beginning of this presentation I found it quite challenging to prepare for this talk, because of two reasons. The first reason is the fact that it's my first time speaking in front of a Bulgarian audience, and I really wanted to do my best, offer the best information for today, so I really hope you enjoy the talk today. The second reason has to do with the title of my presentation. The threat landscape is by definition something which is very dynamic, something which moves, and to be honest it is in a constant motion. So creating an overview of something which is changing so dynamically is quite challenging, but I kept updating the information up until three days ago; you'll see some of the articles today being published on the 21st of March, so everyone will have the best and the most recent information about the current threat landscape.

With this, a short introduction about myself: Gergana Karadzhova-Dangela, from the beautiful city of P... Do we have anyone from P... in the audience? Woohoo! I am a Senior Incident Response Consultant with Cisco Talos and I'm currently based in Switzerland. What I do as an incident response consultant I can explain with two parts. The first part is probably the thing that you imagine when you read "incident response": I support customers during an active cyber security incident. I do analysis of digital images, collect triage data, analyze a lot of logs (we love logs in incident response), so the classical technical analysis activities that you have in incident response. This is super exciting, the front line of the current attacks, but it is quite dynamic, stressful, so I actually over time learned to appreciate the other part of my role, which we call proactive services. This is when I work with customers on pretty much anything which is a planned project which long-term improves their security. It can be something like creating an incident response plan, writing a playbook about ransomware or just doing a dry run exercise. Sometimes I get asked which part I enjoy more, the dynamic, super hands-on part of the technical analysis or the more calm and more long-term sustainable proactive work, and to be very honest I think both have their value and they actually complement each other. Because yes, when I am working on an incident we see missing controls, we see that security is probably not yet the top priority of all companies, but then you go and you work with them on a plan and you see how security actually is part of a bigger IT transformation, and there are ten projects within security which are ongoing, and you understand why something just takes longer and is work in progress.

I'm really excited about today's presentation, and when I created it I had in mind a person who is kind of early in career, starting his or her journey, so I hope that the more advanced of you will bear with me. I have included a lot of links where you can go and check out the topics a bit deeper, like go crazy with the technical details, but I hope that for all of you, at the end of this presentation you have a feeling of "yeah, I actually can get what the current threat landscape is, and if I want to learn more I know where to start."

Our agenda for today consists of six points. We'll start with a very brief introduction about my team, not because I want to do free marketing but because more than 90% of the information in this presentation is actually original research from my team, so it's good for you to know where the data comes from. The second topic is a quick explanation of how the threat landscape relates, translates to threat intelligence; both are good terms to be acquainted with. Then we'll look at advanced persistent threat groups, nation-sponsored threat actors, the third topic; I think no presentation about the threat landscape can go without it. The fourth topic, ransomware: of course we need to spend some time talking about this. And we'll close the threat overview with the most targeted vulnerabilities. I wouldn't like to end on a negative note, that's why we have the sixth part, and we in Bulgaria like the number six: it is the defense landscape. We'll look at what we as defenders can do in order to protect our environment, or what are the things which actually play in our favor.

So some of you might have heard of Cisco Talos, and for some of you it might be a totally new term. Talos is the threat intelligence research organization of Cisco. We are an awesome team spread around the globe of engineers, analysts, researchers and incident responders. What we do is we use threat intelligence in order to create protection mechanisms for Cisco's customers and the internet at large, the general internet. Why do I say the general internet, or all of us? In a way we are actually very active in the cyber security community. I hope that some of you are using ClamAV or Snort rules, and those are both projects which are maintained by our team. We also publish most of our research on the Talos blog, and I'll have plenty of links for you to go and check after the presentation. And last but not least, presentations like this one around the world help us connect with the local communities.

So how do we do what we do, defend customers at Cisco Talos? Usually the answer is threat intelligence. So threat intelligence, the way we define it, is a process consisting of three parts. The first one is the one in blue, collect: we collect information which is relevant for the threats that we see currently. We analyze them, which usually means we separate the useful information from the information which is not actually useful, and very often, probably around 95% of the initial data is things we have seen, things which are not relevant, things for which there is an existing defense mechanism. So we need to find the things that are new, interesting, and work on building the third point, defense mechanisms, based on them. This is the overall process that we follow.

We have one big advantage, and that advantage can be shown with the numbers on the current slide. Due to its product telemetry we have access to an enormous amount of data: per day we have 550 million events that we can analyze; looking at email alone, per hour we block 9 million emails. This telemetry is of course impressive; the more data the better, up to a certain point, because big data poses its own unique challenges. And actually telemetry is not the whole story. Yes, telemetry is important in order to understand the current threat landscape, but we also need more detailed, outside, qualitative research, and the way we get to this research is first through the incidents that we work on. So let's say I work on an incident; there is a ransomware group which has used a new type of [unclear] in order to start the C2 connection. As I find it, I'm in the midst of an incident, I don't have the time to go and reverse engineer it, and this is not my specialty, to be very honest about it. That's when we involve the threat intelligence and the malware reverse engineering team. In the background they reverse engineer the file, they give to us what they think is the useful information, the IP address of the C2 server, anything else we need to know, and they go ahead and they build signatures or defense mechanisms for the security tools. Yes, we might not produce tens of thousands of signatures out of this one incident, but this could be something which is new and very valuable.

The third point, vulnerability research: we have a team which actually spends its whole time researching vulnerabilities, not in Cisco products but in products that our customers have in their normal IT environment. Per year we have about 200 zero-days which we find, and we proactively build protection into our security tools for the end customer. Threat intelligence, like most good things in life, is a team sport, and that is why we have a lot of intelligence partners. Those are some of those three-letter agencies that you heard about at the beginning, but also a lot of private organizations, because threat intelligence is something which can build upon each other, and there we work with both, in Europe and in the US, with a lot of different partners. The last point we have over here is the threat research. So I have a few colleagues who spend their days on criminal dark web forums; they have undercover personas and they monitor the type of information that is being offered for sale there. All of these points combined make up what we base our threat intelligence knowledge on, and this is what we base our threat landscape understanding on.

A threat landscape, what is it actually? Unfortunately there isn't the big dictionary of cyber security where you go and you check, "okay, threat landscape". You have to try to research the term, and you can boil it down to a few things. The first thing is, it is a description of the risks, the dangers, which are posed by different types of attacks to an organization. It's important to keep in mind: are those risks that have materialized, are they ongoing types of attacks, or are those possibilities for attacks or potential risks? For example, a lot of the vulnerabilities that we heard about, if they haven't been exploited, they're potential. And when we talk about the threat landscape there is a third point which is important, namely the threat actors, the vulnerabilities and the malware that we see. Those three terms, you always need to mention them when you talk about the threat landscape. So these are the terms that we'll keep in mind as we go through the next parts, which talk about what we saw in 2023 and in the first months of 2024. Ready to start?

So in terms of threat actors, historically, a long time ago, probably 10 or 15 years ago, there used to be kind of a dichotomy, like two types of threat actors. The ones on the left side, the cyber crime threat actors, were and are still financially motivated. The type of attacks they would be launching back 15 years ago would be rather unsophisticated, more simple, quick attacks, and these would be the threat actors which, if they encounter good defense, will just move on to the next target which is easier to compromise. Back then the state-sponsored, the APT threat actor, the state-sponsored actors, those are groups (usually; it's very rarely that it's an individual), groups which are associated with a certain nation state and which conduct their activities in support of the politics, of the interests of the state. Those guys used to be hyper-sophisticated. They would write their own unique tools, they would spend months up to years quietly getting their way into the environment, getting into as many systems as possible. They would pause their activities for months if they were suspecting that they are detected, and their main goal would be pretty much data exfiltration, sensitive data theft, sabotage or capabilities to perform sabotage. So a lot of what I explained from these initial characteristics of these groups is still valid, but things have changed. Let's see if my laser will decide to work... yes.

So the cyber crime, for example ransomware groups: in 2023 we saw that some of the ransomware groups have accumulated enough resources, a.k.a. money, to do their own research. The Clop ransomware group, for example, they were actively using zero-days last year, which means that they have the capabilities to do their own unique research. On the other hand, the state-sponsored actors, they realized that by using their own unique tools it is a bit like leaving a signature: attribution, which is the process of saying "this attack has been performed by this group", becomes quite easy once you sign something, right? So they realized that actually they're better off using tools which are available for common sale on the dark web, commodity malware, and thus they get closer to the cyber crime and make attribution harder. It is an interesting development that we saw.

Those two threat actors are not the full picture; we will now take a look at a few other ones. Okay, so we have the cyber crime, we have the nation state one. There is a third group over here which is called ideologues, ideologically motivated groups: KillNet, Anonymous Sudan. These are groups which mostly do sabotage, mostly do those attacks, but their main goal is to actually support an ideology that they are fans of. You can be a green, so sustainability, ideologically motivated group and attack, let's say, co- companies. This type of groups, they try to do quick attacks which get high media coverage. The fourth one, the thrill seekers: I bet some of you have been tempted to fall into this category at some point. So these are people who are just super excited about technology, they're excited about breaking into things, they don't think about the legal consequences that we heard about this morning, and they actually have varying levels of skills, but they end up doing more damage than they expect, very often. The last ones, the insider threat. This is a growing group. Imagine the following situation: you have a company where an employee has been asked to leave, has been fired. The employee saw this coming; a week before she was asked to leave the company she planted a logic bomb. This is a program which will get executed, let's say, in three weeks' or three months' time with a scheduled task, something very easy to set up. This program is going to wipe not only the workstation of the user but the whole servers or network shares that the user had access to. So this type of group is becoming an increasing risk, because we have more and more people who actually have the skill to perform this type of an attack.

Okay, well, now moving into the first type of threats that we saw in 2023: advanced persistent threat attacks. Whenever we talk about this group it's important to think to what nation state this group is linked. We monitor quite a few different APTs, the main lines being China, Russia, and since the fall, when the conflict between Israel and Hamas started, we also see quite a lot of activity in the Middle East APTs. Looking first at the China APTs: think about 2023, what happened in terms of geopolitics. At the beginning of the year we had the spy balloon flying over the US that was capturing information about military bases in the US. Then over the course of the year the tension between Taiwan and China was on the rise, and not just between China and Taiwan, between China and Japan and other countries in the region. The geopolitical factor plays a very important role, because Chinese APTs tend to spend a long time in an environment. They mostly try to exfiltrate information about the organization that they have compromised, and they, how to say it, in a way they try to take the path of least resistance. It is not through very complicated malware that we see them necessarily launching their attacks; they often use living-off-the-land tools, LOLBins, but they're very effective. One interesting thing we saw last year, and it is a bit of a suspicion: we saw, after an APT attack has been detected, very shortly after that a ransomware attack starting. We cannot prove with 100% certainty the link between the two, but it is very possible that the APT group which already has access in the environment has been collaborating with the ransomware group, which benefited financially from the existing compromise. The third point, the fourth point we see over here: telecommunications. Telecommunications has been the sector that we see most often targeted by Chinese APTs, and the reason is quite obvious: telecommunications are essential for the security of a country, and if telecommunications were to be sabotaged in the case of a military conflict, this would paralyze, at least for some time, the response capacities.

I would like to go to the next slide and actually show you an example of a Chinese APT group in 2023. This group was not that well known: Volt Typhoon. It is one of the active Chinese APT groups which has been making its way into the telecommunications organizations, so companies, in Guam. Guam is a US territory in the West Pacific Ocean, close to China; in the case of a military conflict with Taiwan this would be the military base which would get activated. So compromising US telecommunications equipment there is absolutely essential. So Volt Typhoon was on our radar in 2023, but it wasn't until December and January 2024 that they exploded: the US Department of Justice discovered a botnet of Volt Typhoon. They had compromised small router devices and created a massive network which, in case of activation, could lead to sabotage on a very large scale. Volt Typhoon was using the Ivanti Connect vulnerability that I think made our life quite interesting at the beginning of the year. So this is one example of how a group that we have seen being kind of active, but not overly active, actually was discovered to be much more present than we expected.

Moving on to Russia. We'll talk about the Russian ransomware groups very shortly, but when we talk about APTs in Russia there are three important terms. The first one is Gamaredon, which, interesting fact, comes from a confused spelling of Armageddon initially. So this is an APT group which targets quite a broad spectrum of organizations, and its goals are mostly espionage. Then we have Turla, and Turla is more sophisticated; this is an APT group which would target predominantly telecommunications. And my third term is Smoke Loader malware; this was a new malware that was used by Turla. To give an example of what a security researcher would do: we would be monitoring what each of those groups is doing and what tools they're using, and they had a problem. The group Turla was using for about 20 years Turla Snake. Snake is a malware which had a lot of remote access capabilities, data exfiltration, etc. Well, the US managed to bring down the central infrastructure which is supporting this malware, so Turla had to come up with a new tool to use. That's 2023. If we look at 2024, in February and March we discovered their new tool; it's called TinyTurla-NG. We as researchers get the privilege to come up with fun names; it's one of the things that researchers get to do. And for anyone who is interested in seeing what the code is, what the functionality of a malware is, feel free to then visit these very detailed articles. We have one on how it actually gains access, and the second blog on the post-compromise activity: once on the system, what do they do. All of this information is available in a report; it is free to download, it's called Year in Review, so if anyone is interested you can check it out on the Talos Intelligence blog.

Ransomware, favorite topic of every incident responder; these are most of the incidents that I work on. Notice that it says ransomware and extortion. I had a chat before this conference, before this talk, that we see an interesting move. Ransomware groups, what they do is they encrypt the data of organizations to prevent them from using it and they request a sum of money, the ransom, in order to decrypt it. That was the old and proven way of working. What they started doing is, actually, before they do the encryption they steal data, they exfiltrate data, and after that they not only request money so that they decrypt the systems and you can use them again, but they also say that unless you pay the ransom your sensitive data will be released on the dark web. This is extortion, and this puts a lot of pressure on organizations which are highly controlled. Imagine you have healthcare; you have your medical information being exfiltrated and the threat actor is threatening that it would be published on the dark web, which is something that is, first, subject to regulations, there are laws which provision fines for this, so the company would need to pay a fine for this, but secondly it's a huge reputation blow for them.

So when we talk about ransomware we talk about ransomware as a service. Some of you are for sure familiar with how this works, but let's do a quick recap of what ransomware as a service is. Ransomware as a service works a bit like any "as a service", where you just consume something and you don't really take care of the maintenance or the whole back end, let's call it. In the context of ransomware we have the first actor; this is the access broker. What access brokers do is they ensure that there is an entry door into the organization. Their job is to compromise organizations by finding an exploit and a vulnerability in the environment, by compromising specific users, stealing their credentials, and what they do is they ensure that I have access into the environment. And the second point is over here, persistence on the systems: this access is stable, it's not just one time that I can get into the environment, it is something that can be reused again and again. So then we have on the other end the ransomware-as-a-service operators. Those are the really smart guys; those are the guys that would be actually providing the programs that would be used during the ransomware attack, or let's call it the toolkit. Why the toolkit? Well, a ransomware attack actually has more than one program that is being used. There is of course the ransomware builder, which is the program that you use in order to create the encryption software which will be executed on the individual endpoints, on the individual systems. You also have the leak site. Remember I mentioned how they threaten to publish the stolen information from the organizations? Well, they need a place to do that, so they have a leak site where they do the public shaming. They say "we compromised organization X; unless it pays within this time we're going to publish their data here." This is the leak site. Then there is victim messaging. Ransomware is actually quite dynamic, so when an organization is compromised they need to get into contact with the ransomware, with the people who conducted the attack, and most of the organizations try to negotiate a lower sum that they can pay. They also try to get some kind of a proof: "yes, we'll pay, are you sure that you're going to decrypt our information, can you provide references?" So there is the respective infrastructure for this. And then last but not least, payment processing. Ransomware groups require that their ransom is paid in cryptocurrency, and for this you need to have wallets and the respective parts. So we have the access, we have the tools; what we're missing are the hands on the keyboard, and this is what we have now in the middle. These are the so-called ransomware affiliates. It's a bit like a franchise; these are the ones that are actually going to conduct the attack by buying access to a compromised organization, getting a toolkit from the ransomware-as-a-service operator and actually conducting the attack. They are the ones which are going to take most of the money, but they will need to pay to the ransomware operators a fixed amount. There are different models. So if you're a very active affiliate you can have kind of a monthly subscription where you pay a fixed fee; you can launch as many attacks as you want, the fee is the same. Other ones would have a percentage, and the percentages vary a bit, between 10, 15, the highest one being 30. You as an affiliate, you're interested actually in two things. The first thing is that those guys, the access brokers, have provided to you good credentials, and credentials are not created equal: if I manage to get credentials of an admin in an environment, that is going to cost a lot more than a simple user or even a contractor that has very limited access. The second thing that is important is the quality of this toolkit, because malware is code and code is buggy. Imagine that your decryptor does not work and you lose your reputation in front of your customers, because ransomware affiliates call their victims "customers", and actually they pay you but you're not able to decrypt their environment. So you need to think very carefully: which ransomware operator am I going to choose? This is the background against which ransomware is taking place. It is an ecosystem, it's highly professional and it's very dynamic.

What we observed last year: the first thing we observed is not all of the incidents that we see are ransomware; there are other types of attack. So ransomware is very present, but it's not the only incident that we have. So about 20% of the incidents that my team, that is incident response, observed were actually ransomware. Out of those 20% we had 33% involving data extortion. Some groups even went so far that they stopped encrypting. They could have done that, the environment was compromised, but they just exfiltrated data. One of the reasons for this is that encryption is actually slow, encryption takes time, so this is something that, if you are under time pressure, you can just exfiltrate the data, publish it on the leak site, and if the organization is highly regulated you have a good chance that they will consider paying. The third point over here is about a ransomware group that we will talk about again, LockBit. LockBit was the most active ransomware-as-a-service operator; about a quarter of our incidents were attributed to them, so they're very, very sophisticated. I would like to highlight just one more thing over here, and this is point number two. Who would have thought that out of all industries that ransomware could target, healthcare would be the most targeted one? 2022 it was education; 2023 it was healthcare. If any of you is working in the area of security for medical devices, I bet you have seen a lot of attacks last year. And healthcare is something which is very sensitive as information, so extortion works nicely, but it's also something with a lot of OT, and OT is hard to secure. So operational technology is something which poses a whole new set of challenges.

I promised that we'll talk about LockBit, because LockBit is a very good example of how, unfortunately, you cannot do a presentation about a threat overview in 2023 and hope to use it much longer. Why? So LockBit, most active ransomware group of 2023; what happens about two months later? There is a takedown. The takedown is pretty much a coordinated operation between law enforcement around the globe; usually that interrupts the operation of a certain group. There was a takedown of LockBit, yes, on the 20th of February. About a dozen servers were seized, two people were arrested, the cyber security community celebrated it: yes, they are out of business, we stopped them, the most active group of 2023 is now down, so well done. Yeah. Two days later they already claimed, "oh guys, that was a joke, we actually have backup copies, we are able to go back to business immediately." It was not quite immediately; on the 22nd we did not see any new information, but by March we could see new attacks, and we could verify: no, this was not a takedown, their operations are not interrupted. There are many reasons why it's very hard to stop such groups. They are very professional, they are spread around the globe, they have decentralized IT, and they have a culture where there isn't a single person that knows all of the information, so even if you manage to arrest key people there are other people that are actually going to be able to bring the operations back.

Now I would like to switch to a new topic. This is the article that I was mentioning; no, this one is from about two weeks ago, and it's something that we observed in our incidents. Actually, I checked, because Pran mentioned that you can find a PDF copy of the guide; this is a prime example. Nowadays we very often have these PDF documents that you can view online; you cannot download them, you mostly cannot even print them, but it's a PDF document that you can review. This type of PDF platforms are generally called digital document publishing sites; there are different ones, Publuu, FlipBook, so there are plenty of them. They usually offer free publishing of PDF documents; if it's a small document it mostly doesn't even require registration. What we see is that attackers are using this type of websites as a second stage in their ransomware attacks. There is an initial compromise of credentials; no, there is an initial compromise, that we have the email of a user. There is a user that receives a phishing email which directs the user to one of those digital document publishing sites, DDPS. In this document, which is made to look very legitimate, sometimes even matching the style of the organization, the design, there is a built-in link to another website. The user clicks on this link and, through a series of redirects which are made to look very authentic, like with a CAPTCHA and all of this, the user ends up on a fake login page where their credentials are harvested. This type of attack actually is quite hard for security tools to detect, and the reason for that is that the URLs, the information in those links in these documents, is protected. So a normal security tool would try to extract the links, try to check their reputation; well, the reputation of the whole website is good, like it's only a fraction of the documents there that are malicious, but they have malicious links built in, and it's very hard to actually detect them. This is a brand new technique that we are observing, and, um, keep your eyes open when you work on an incident.

Last topic in the ransomware section: leaked code. We have observed something very interesting last year. Remember how I told you that the ransomware operators provide kind of a toolbox for the affiliates to launch their attack? Well, what would happen if somebody were to provide this toolbox for free, just leak it on the dark web, and you can build your own tools for the ransomware attack? This is exactly what happened with one specific builder, the ransomware builder called Cs, and you can take a look over here. So it is a program which provides the functionality to create the tools needed for a ransomware attack. You can choose the file extension, you can put your payment information here, so your Bitcoin address; most of them have different language support; you can add the icon. So it is quite a user-friendly builder, I would say. So if we go back to the ransomware as a service, it turns out that you don't need to actually pay a ransomware operator to get the toolbox you need for your attack, and in a free market economy the direct consequence is that there is price dumping. In this graph you see on the left-hand side, in orange, the average ransom sums which were requested by groups that used leaked ransomware builders; we end up around four or five million. I know the scale is not optimal, they look the same, but actually the scale is different. On the right-hand side you have the prominent, the established ransomware groups, and you can see that the average amount is much higher: we start with 4 million and we can go up to 55. So it turns out that if you don't have the additional cost of paying for the toolkit and you do it yourself, a do-it-yourself ransomware attack, in a way you can request a much lower sum and still be as efficient as you want. What this means for us, for incident response, for cyber security professionals: there are many more people who are able to start a ransomware attack, because the threshold is lower.

Yes, our last topic, the top vulnerabilities that we observed. This is a very brief one, but I still wanted to touch on it because I think the information is surprising. In 2023 we looked at what the most often exploited vulnerabilities were, and if I were to now start a poll and ask you, most of us would guess that some of the 2022, even 2023, vulnerabilities would be the ones that were most often exploited, and you'd be wrong. Because if we look at this graph you see that the most exploited vulnerability that we observed was from the year 2017; the top five is 2017, 2020, 2012, 2012. The other interesting point over here is, check the severity: we are in the range of really high severity for most of the vulnerabilities. So what does it mean? Attackers were using well-known, old vulnerabilities with high severity. Why? And the answer is over here in the third column: those vulnerabilities are found in Microsoft tools, in Microsoft programs, and there is hardly an organization nowadays without the Microsoft suite. So they go for something which is very likely to be available, even if it's very old, because we all know patching is something which poses a great challenge to most organizations. Key takeaway: patching. Even if it's a 10-year or 12-year-old vulnerability, there's still a chance that it's being exploited.

And now we come to the defense landscape, the light at the end of the tunnel. The way it usually looks, the threat landscape is cat and mouse. So we have the adversaries, which are getting better, developing, using AI, for example, in order to write better phishing emails, which are with fewer errors, which trick more users, and we have the defenders, and we are keeping up with them. We come up with better

strategies to defend and we are as creative as they are what are some of the things which play in our favor I've highlighted four of them the first one is AI support um I don't believe that AI is the magic when that will solve all of our problems but it has a lot of useful uh use cases and one of them is when you create configurations configurations um of security tools could be optimized with the help of AI tools and this is something which saves time and prevents default configurations being used as often as we see the second part is threet Intel alliances there are there is awareness among organizations that they need to join efforts the organizations share

threat intelligence and this way they know earlier of an attack they know better how to respond so that the organization is protected and it seems to be working I see universities exchanging actively information which is not the most um quick to adopt new things uh industry and I also see for example automotive industry getting more active the third Point regulations I bet quite a few of you have heard about n to which will come into effect officially October in practice in January next year this is a new Cyber security regulation which will require that pretty much any important organization from the post office to the V to the waste management uh they will have to have better

security these regulations will make cyber security management priority why because there are consequences if they don't and the last point is increased awareness um my sister is a doctor uh she's definitely a good example of how non Tey this uh industry is but even she has started to ask me about uh what she can do so that she doesn't open a fishing email so I think the general user by now uses so many Digital Services that people have started becoming more careful at work in their um personal life and this as a whole creates um better environment for us the Cyber Security Professionals with this I'm at the end of my presentation I have selected my top

resources for you to take a look at um for any anyone who likes podcasts I listen to them a lot when I'm traveling there is a very good um 10 to 12 minute series that I like to listen to takes we have our blog where once per quarter we summarize what were the the the threats that we observed in the past three months and of course uh the Fret newsletter once a week every Thursday I believe um we publish an overview what were the noteworthy uh security events from the past week thank you for your attention and I hope that you have a lot of questions in the Q&A and also in the breaks [Applause]