More and more attacks on critical infrastructures


The series of cyber attacks on critical infrastructures (KRITIS) shows no sign of stopping. At the beginning of February a cyber attack hit the Swiss company Swissport and disrupted flight operations in Switzerland; this was followed by the ransomware attack on the Oiltanking tank farm in Germany and attacks on SEA-Invest in Belgium and Evos in the Netherlands. Several experts comment.

“Cyber attackers often target their attacks where they can cause the most business disruption. This way, the victim might be more willing to pay a ransom to get their systems back online. For this reason, critical infrastructure, hospitals, transportation hubs, and city power grids often feature in the news about ransomware attacks. Attackers will always find ways to create pressure situations that benefit them.

Attackers are always finding new ways


Ransomware is not a new threat, but the tactics attackers use to penetrate corporate infrastructure and freeze or steal resources are evolving rapidly. Years ago, attackers would use brute-force tactics to find a small vulnerability in a company and then exploit it to take over the infrastructure. Today, cybercriminals have much stealthier ways to break into infrastructure. More often than not, they figure out how to compromise an employee's account so they can log in with legitimate credentials that do not raise suspicion.

Credentials are often stolen through phishing attacks on mobile devices. On smartphones and tablets, attackers have countless opportunities for social engineering via SMS, third-party chat platforms, and social media apps. In addition to protecting the endpoint, organizations must also be able to dynamically secure access and actions within cloud and private applications. This is where Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) solutions come into play. By understanding the interactions between users, devices, networks and data, organizations can spot key indicators of compromise that point to ransomware or large-scale data exfiltration. Securing employee mobile devices, cloud applications and private applications together helps companies build a solid security posture based on a Zero Trust philosophy.”

Hendrik Schless, Senior Manager of Security Solutions at the security provider Lookout

Business model ransomware remains profitable


“Ransomware is the dominant business model among groups that conduct cyberattacks for profit. What we are seeing with the recent spate of attacks is that limited law enforcement will not solve the problem, and certainly will not do so overnight. But Swissport appears to have contained the attack with minimal damage to its operational capacity, which speaks to the fact that ransomware isn't an all-or-nothing gambit: the "successful but limited ransomware attack" is a term we are familiar with, and one we hope to see more of.

Detecting and removing attackers from the network is becoming a daily operational task in many organizations. Although the attack was not stopped prior to encryption, Swissport appears to have contained it quickly and successfully limited the damage. Most important, especially for critical infrastructures, are fast and functioning backup processes, as Swissport has impressively demonstrated.”

Fabian Gentinetta, Vectra AI

The damage caused by ransomware can be immense

“We have seen the damage ransomware attacks can do when businesses are down, which in turn impacts the supply chain and the lives of citizens. The recent attacks on Oiltanking in Germany, SEA-Invest in Belgium, Evos in the Netherlands and Swissport are worrying, but talk of coordinated attacks by nation states is premature. The most likely scenario is that the attackers are working from a database of similar targets and have hit the mark with their efforts.

While it can take months to unravel the details of an attack, initial reports suggest that BlackCat, believed to be a rebrand of BlackMatter, could be responsible for the attacks on the fuel industry across Europe. In another case this week, KP Foods also fell victim to ransomware, with Conti blamed for the outages. What we do know about these two groups is that they operate a ransomware-as-a-service (RaaS) business model. This means organized crime with victim databases and numerous affiliates. These affiliates do not tie themselves to a specific ransomware group, but often work with multiple groups and use powerful bots to automate the spread of the malware.


Bots amplify the effect

From the victim's point of view, it is actually irrelevant who is responsible, especially since this will probably only become known in a few months. The important question is how the attacks took place. In most cases, as with BlackMatter and Conti, a known vulnerability allows the malware to penetrate the infrastructure and encrypt systems. BlackMatter is known for targeting remote desktop software and exploiting previously compromised credentials, while Conti is known for exploiting vulnerabilities such as Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-1675, CVE-2021-34527) and EternalBlue (CVE-2017-0143, CVE-2017-0148). Another avenue of attack is exploiting misconfigurations in Active Directory, and both Conti and BlackMatter have been known to use this tactic.

Organizations need to be aware that basic security principles can largely block the path of a ransomware attack. Security teams must deploy solutions that provide appropriate visibility, security and control over cloud and converged infrastructure. I call on businesses: identify the critical systems you depend on to function. Identify any vulnerabilities affecting these systems, and then take action to patch or otherwise remediate the risk. Also take care of excessive privileges in Active Directory that allow attackers to elevate their privileges and infiltrate the infrastructure further! If these basic measures are not taken, the company is vulnerable and at risk of disruption, whoever the attacker is.”

Bernard Montel, EMEA Technical Director and Security Strategist Tenable
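The three named attack paths (EternalBlue over SMBv1, Zerologon against Netlogon, PrintNightmare via the Print Spooler) and the point about excessive Active Directory privileges all have cheap local checks. The script below is an added example written for this page; it is not code from the article, from Tenable or from any of the quoted experts. It assumes an elevated PowerShell 5.1 or later session on a Windows server, that the August 2020 (Zerologon) and July/August 2021 (PrintNightmare) updates are already installed, since the registry values only exist and take effect once they are, and that the ActiveDirectory RSAT module is present for the last check. The threshold of five Tier-0 group members is an arbitrary assumption for illustration.

```powershell
# Added example: single-host posture check for the attack paths named above.
# Assumptions: elevated PowerShell 5.1+, relevant Windows updates installed,
# ActiveDirectory module available (only needed for the group check).
$findings = @()

# 1. EternalBlue (MS17-010) needs SMBv1. It should be off on the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled. Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}

# 2. Zerologon (CVE-2020-1472). After the August 2020 update, enforcement mode
#    is the default; an explicit FullSecureChannelProtection=0 re-opens the hole.
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp  = (Get-ItemProperty -Path $nlKey -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($fscp -eq 0) {
    $findings += 'Netlogon FullSecureChannelProtection is 0 (Zerologon enforcement disabled)'
}

# 3. PrintNightmare (CVE-2021-1675 / CVE-2021-34527). The Spooler should not run
#    on domain controllers at all; elsewhere, Point and Print driver installs
#    must be restricted to administrators.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDC    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($isDC -and $spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler is running on a domain controller. Fix: Stop-Service Spooler; Set-Service Spooler -StartupType Disabled'
}
$ppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($restrict -ne 1) {
    $findings += 'RestrictDriverInstallationToAdministrators is not 1 (non-admins may install printer drivers)'
}

# 4. Excessive AD privilege: enumerate Tier-0 group membership recursively so
#    nested groups are expanded. Five members is an assumed threshold, not a
#    standard; review every account listed regardless of the count.
$maxTier0Members = 5
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        if ($members.Count -gt $maxTier0Members) {
            $names = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
            $findings += "$group has $($members.Count) effective members: $names"
        }
    }
} else {
    $findings += 'ActiveDirectory module not available; Tier-0 group membership not checked'
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No findings on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

This only checks whether the known mitigations are in place on one host; it does not prove the patches themselves are installed, so run it alongside, not instead of, a vulnerability scan of the systems identified as critical. Run it on every domain controller first, because that is where both the Zerologon and the Spooler findings matter most.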
