The series of cyber attacks on critical infrastructure (KRITIS) shows no sign of stopping. At the beginning of February, a hacking attack hit the Swiss company Swissport and disrupted flight operations in Switzerland, followed by the ransomware attack on the Oiltanking tank farm in Germany and attacks on SEA-Invest in Belgium and Evos in the Netherlands. Some expert comments.
“Cyber attackers often target their attacks where they can cause the most business disruption. This way, the victim might be more willing to pay ransom to get their systems back online. For this reason, critical infrastructure, hospitals, transportation hubs, and city power grids often feature in the news of ransomware attacks. Attackers will always find ways to create pressure situations that benefit them.
Attackers are always finding new ways
Ransomware is not a new threat, but the tactics attackers use to penetrate corporate infrastructure and freeze or steal resources are evolving rapidly. Years ago, attackers would use brute force tactics to find a small vulnerability in a company and then exploit it to take over the infrastructure. Today, there are much more stealthy ways for cybercriminals to break into infrastructure. More often than not, they figure out how to compromise an employee's account to log in with legitimate credentials that don't raise suspicion.
Credentials are often stolen through phishing attacks on mobile devices. On smartphones and tablets, attackers have countless opportunities to engage in social engineering via SMS, third-party chat platforms, and social media apps. In addition to protecting the endpoint, organizations must also be able to dynamically secure access and actions within cloud and private applications. This is where Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) solutions come into play. By understanding the interactions between users, devices, networks and data, organizations can spot key indicators of compromise that point to ransomware or massive data exfiltration. Securing employee mobile devices, cloud and personal applications together helps companies create a solid security posture based on a Zero Trust philosophy.”
Hendrik Schless, Senior Manager of Security Solutions at the security provider Lookout
Business model ransomware remains profitable
“Ransomware is the dominant business model among groups that conduct cyberattacks for profit. What we are seeing with the recent spate of attacks is that limited law enforcement will not solve the problem and certainly will not do so overnight. But Swissport appears to have contained the attack with minimal damage to its operational capacity, which speaks to the fact that ransomware isn't an all-or-nothing gambit - the "successful but limited ransomware attack" is a term we're familiar with and hope to see more of.
Detecting and removing attackers from the network is becoming a daily operational task in many organizations. Although the attack was not stopped prior to encryption, Swissport appears to have quickly contained it and successfully limited the damage. Most important, especially for critical infrastructures, are fast and functioning backup processes, as Swissport has impressively demonstrated.”
Fabian Gentinetta of cyber security expert Vectra AI
The damage caused by ransomware can be immense
“We have seen the damage ransomware attacks can do when businesses are down, which in turn impacts the supply chain and impacts the lives of citizens. The recent attacks on Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands, and Swissport are worrying, but talk of coordinated attacks by nation states is premature. The most likely scenario is that the attackers are working with a database that contains similar targets and hit the mark with their efforts.
While it can take months to unravel the details of an attack, initial reports suggest that BlackCat, believed to be a new BlackMatter brand, could be responsible for the attacks on the fuel industry across Europe. In another case this week, KP Foods also fell victim to ransomware, with Conti blamed for the outages. What we do know about these two hacker groups is that they operate a ransomware-as-a-service (RaaS) business model. This means that it is organized crime with victim databases and numerous partners. These do not tie themselves to a specific ransomware group, but often work in collaboration with multiple groups and use powerful bots to automate the spread of the malware.
Bots amplify the effect
From the victim's point of view, it is actually irrelevant who is responsible, especially since this will probably only be known in a few months. The important question, however, is how the attacks took place. In most cases, as in the case of BlackMatter and Conti, it's a known vulnerability that allows the malware to penetrate infrastructure and encrypt systems. BlackMatter is known for targeting remote desktop software and exploiting previously compromised credentials, while Conti is known for exploiting vulnerabilities such as Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-1675, CVE-2021-34527) and EternalBlue (CVE-2017-0143, CVE-2017-0148). Another avenue of attack is exploiting misconfigurations in Active Directory, and both Conti and BlackMatter have been known to use this tactic.
Organizations need to be aware that basic security principles can largely block the path of a ransomware attack. Security teams must deploy solutions that provide appropriate visibility, security, and control over the cloud and converged infrastructure. I call on businesses to identify the critical systems they depend on to function, identify any vulnerabilities affecting these systems, and then take action to either patch or remediate the risk. Also, take care of excessive privileges in Active Directory that allow attackers to elevate their privileges and further infiltrate the infrastructure! If these basic measures are not taken, the company is vulnerable and at risk of disruption, whoever the attacker is.”
Bernard Montel, EMEA Technical Director and Security Strategist at Tenable
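The attack paths named in the last comment (Zerologon, PrintNightmare, EternalBlue, remote desktop with stolen credentials, excessive Active Directory privileges) map to a handful of host settings a defender can read back. The script below is an added example, not code from the article or from Tenable; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module installed, and the Domain Admins threshold is an assumed value to adjust per environment.

```powershell
# Added example (not from the article or Tenable): read-only posture check for the attack
# paths the comment lists. Assumed threshold; adjust to your environment.
$MaxDomainAdmins = 5

function Get-RegValue($Path, $Name) {
    # $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-RansomwareBasics {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{
            Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = $Detail })
    }

    # Zerologon (CVE-2020-1472): enforcement has been the patched default since the
    # February 2021 updates; only an explicit 0 switches it off
    $nl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'FullSecureChannelProtection'
    Add-Finding 'Netlogon secure channel enforcement' ($nl -ne 0) "FullSecureChannelProtection=$nl (absent = patched default)"

    # PrintNightmare (CVE-2021-1675 / CVE-2021-34527): spooler stopped, or driver installs limited to admins
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $restrict = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' 'RestrictDriverInstallationToAdministrators'
    $ok = ($null -eq $spooler) -or ($spooler.Status -ne 'Running') -or ($restrict -eq 1)
    Add-Finding 'Print Spooler exposure' $ok "Spooler=$($spooler.Status) RestrictDriverInstallationToAdministrators=$restrict"

    # EternalBlue (MS17-010 family): SMBv1 should be disabled outright
    $smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    Add-Finding 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

    # Remote desktop with stolen credentials: NLA keeps unauthenticated sessions off the logon screen
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    Add-Finding 'RDP Network Level Authentication' ($nla -eq 1) "UserAuthentication=$nla"

    # Excessive AD privileges: nested Domain Admins head count against the assumed threshold
    try {
        $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction Stop)
        Add-Finding 'Domain Admins head count' ($admins.Count -le $MaxDomainAdmins) "$($admins.Count) members (threshold $MaxDomainAdmins)"
    } catch {
        Add-Finding 'Domain Admins head count' $false "ActiveDirectory module or directory access unavailable: $($_.Exception.Message)"
    }
    return $findings
}

Test-RansomwareBasics | Format-Table -AutoSize
```

Every row marked REVIEW is one of the basic measures the comment calls for; the script changes nothing and is meant to be fed into the patch-or-remediate decision, not to replace a vulnerability scan.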