Published: 14th January 2022 | In: Insights, Threat Intelligence & Guidance
At this time of further uncertainty and rapid change, now is the time to evaluate your organisation’s security posture and Incident Response readiness. 2021 was an extremely disruptive year, with ransomware attacks remaining a considerable threat, impacting critical infrastructure and organisations regardless of size or sector.
With customers adopting technology faster than ever before and the take-up of OT and IoT forecast to increase, the attack surface continues to widen.
Before looking to 2022, let us look at what our Threat Intelligence Team highlighted as notable events in 2021.
Cybercriminals Don’t take a holiday
On Christmas Eve 2020, the Scottish Environment Protection Agency (SEPA) was subject to a ransomware attack, with at least 1.2 GB of data (4,000 files) stolen. It wasn’t until Thursday 7th of January 2021 that SEPA confirmed they were responding to a cyber-attack, and on 14th January further information was published, confirming a ransomware attack. The attack was attributed to The Conti Group, who have attacked more than 400 organizations worldwide, 290 of which were based in the United States, according to the FBI.
IT Management software company, Kaseya, became aware that their product was being used as part of a ransomware campaign. Coinciding with the American Independence Day weekend, this was a conscious decision by the threat actors to inflict damage when there would be reduced resources to deal with it.
Solorigate (AKA NOBELIUM)
In January 2021, NOBELIUM, the threat actor behind the SolarWinds compromise, focused on an email-based attack attempting to gain a foothold in a variety of sensitive diplomatic and government entities. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service Constant Contact to masquerade as a US-based development organisation and distribute malicious URLs to a wide variety of organisations and industry verticals (3,000 individuals from 150 organisations were targeted).
Attack on Critical National Infrastructure
Facilities of critical national infrastructure came under attack. In February 2021 a threat actor gained unauthorised remote access (via TeamViewer) to a computer managing a Florida city water treatment plant. The threat actor leveraged the access to increase the amount of sodium hydroxide to 100 times the normal level.
DarkSide attacks Colonial Pipeline
On Friday May 7th, 2021, Colonial Pipeline, the largest fuel pipeline in the United States, providing 45% of all fuel consumed on the US East Coast, shut down operations after suffering a ransomware attack from a threat actor called DarkSide. The incident led to a declaration of emergency in the US and an executive order from the Biden administration to bolster cyber defences. It is reported that Colonial Pipeline paid circa $4 million in bitcoin, but still recovered the data using their offline backups.
An attack on Ireland’s Health Service Executive (HSE)
The Health Service again came under threat. On 17th May 2021, Ireland’s HSE took its systems down in response to a ransomware security incident. Attributed to the Conti Group, the data of 520 patients was posted as proof of the hack by the malicious actor, and fraud calls started almost immediately.
The Irish NCSC report also revealed that the Conti Group had tried to breach Ireland’s Department of Health, the government agency behind the HSE, but the attack failed after the group’s tools were detected and the attack was stopped, showing, again, the benefits of using detection rules that spot the tools and techniques used by threat actors rather than static IOCs.
Renewed Warnings from NCSC to Schools, Colleges & Universities
Surges in cyber security attacks on education establishments across the country showed no signs of slowing down.
- March 2021: South and City College Birmingham closed all campuses
- March 2021: Millersville classes delayed their start due to a ransomware attack
- April 2021: University of Hertfordshire suffered an attack that took down its network and cloud access
- July 2021: REvil hacked 11 schools in New Zealand
In February 2021, then again in late May/June 2021, the NCSC warned institutions as they observed an alarming increase in ransomware attacks against schools, colleges, and universities in the UK.
As schools, universities and colleges across the UK prepare to welcome pupils and students back from the festive break, threat actors may again look to cause disruption to the start of the term.
Ending the Year on a High … Global Security Alert
On the 9th December 2021, a critical vulnerability was discovered in Log4j, the hugely popular open-source Apache logging library. Since then, several patches have been released to remediate or mitigate the initial vulnerability and the additional vulnerabilities which were discovered following the greater scrutiny of the software.
Ready to Defend
To help your organisation prepare for the start of the New Year our Threat Intelligence Team has prepared the following Security Guidance.
The Crown Jewels
Understand what the organisation’s information Crown Jewels are: the assets that bring in capital or revenue, but whose loss or exposure may also incur the largest regulatory fines or reputational damage.
Why would an attacker break in when they can log in?
Identity and password/phishing attacks are cheap, and on the rise. Make it harder to get in: implement strong Identity and Access Management across your technology estate.
Implement effective scanning, monitoring, and logging within your environment
Automate patch management of systems, services, and applications.
Remote access is a very real risk
We’ve seen a dramatic increase: over 50% of the incidents we’ve participated in abused valid remote access. Segregate internal networks so that a single compromised remote-access account cannot reach everything.
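The point made above about abused valid remote access, and the earlier observation (in the HSE section) that detection rules built on tools and techniques outlast static IOCs, can be shown side by side. The following is an added example, not code from the original post or from Quorum Cyber: it runs a static-IOC rule and a behaviour-based rule over a handful of constructed remote-access authentication events. The log format, the IP addresses, the user names, the IOC list and the business-hours window are all assumptions made for the illustration.

```python
"""
Added example (not part of the original post): a static-IOC rule versus a
behaviour-based rule for abuse of valid remote access.
Every log line, address and user below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN/RDP-gateway style authentication events.
# Fields: timestamp, user, source IP, source country, result.
SAMPLE_LOGS = [
    "2021-12-28T09:02:11Z user=alice src=203.0.113.10 country=GB result=success",
    "2021-12-28T17:45:03Z user=alice src=203.0.113.10 country=GB result=success",
    "2021-12-29T02:13:40Z user=alice src=198.51.100.77 country=RU result=success",
    "2021-12-29T02:15:02Z user=bob src=192.0.2.200 country=GB result=failure",
    "2021-12-29T02:15:30Z user=bob src=192.0.2.200 country=GB result=failure",
    "2021-12-29T02:16:01Z user=bob src=192.0.2.200 country=GB result=success",
]

# Static IOC list: an address seen in a previous incident (constructed).
# The actor has since moved to a different address, so this list is stale.
IOC_IPS = {"198.51.100.5"}

# Assumed working hours for this organisation, in UTC: 07:00-19:59.
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def ioc_rule(events):
    """Fires only when the source IP is on the static IOC list."""
    return [e for e in events if e["src"] in IOC_IPS]


def behaviour_rule(events):
    """Flags successful remote logons that are out of pattern for the user:
    - success from a country never before seen for that user,
    - success outside business hours, or
    - success immediately preceded by repeated failures from the same source.
    No attacker infrastructure needs to be known in advance."""
    seen_countries = defaultdict(set)     # user -> countries seen so far
    recent_failures = defaultdict(int)    # (user, src) -> consecutive failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["result"] != "success":
            recent_failures[key] += 1
            continue
        reasons = []
        known = seen_countries[e["user"]]
        if known and e["country"] not in known:
            reasons.append("new-country")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if recent_failures[key] >= 2:
            reasons.append("success-after-failures")
        known.add(e["country"])
        recent_failures[key] = 0
        if reasons:
            alerts.append((e["user"], e["src"], reasons))
    return alerts


def run():
    """Apply both rules to the constructed sample and return their findings."""
    events = [parse_line(line) for line in SAMPLE_LOGS]
    return {"ioc": ioc_rule(events), "behaviour": behaviour_rule(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

On this sample the IOC rule returns nothing, because the address on the list is not the one in use, while the behaviour rule raises two alerts: alice's off-hours logon from a country never seen for her account, and bob's off-hours success following two failures from the same source. Neither alert depends on knowing the actor's infrastructure beforehand, which is the reason technique-based rules keep working after an actor changes addresses or tooling; in production the baseline of "known countries" would be built from weeks of history rather than from the same batch of events.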
Ransomware attacks are commoditised
Make sure you have Cyber Incident Response Plans and Playbooks for different scenarios. You need to be ready: what’s your Incident Response plan? Check your backups. What happens if someone threatens to release all corporate data?
Run end-to-end cyber exercises to make sure that the plans are effective and that people are familiar with the processes.
Zero Trust and Assume Breach are key components of a modern strategy
The cost of mitigating cyber threats is usually much lower than the losses from a successful attack. Protecting your organisation’s and people’s data and money therefore makes business sense, as well as being a regulatory requirement.
Preparing a proactive response to cyber-attacks
With the rapid growth in sophisticated attacks, it can be challenging for any organisation to manage its risk exposure effectively and efficiently. Significant and sustained cyber-attacks can not only halt business operations and threaten reputation; the cost of a security breach can run into millions in remediation work.
Quorum Cyber have devised executive and board level training to help identify what’s important to the business in the event of a cyber incident and to help you realise how strategic goals can be augmented by cyber security to help develop opportunities and bolster reputation.
Incident Response Readiness Assessment & Cyber Exercising
As part of our Incident Response Readiness Assessment, we review any existing Cyber Incident Response Plans; if none exists, don’t worry, we can help create one that’s fit for purpose. In the next phase, we review the existing cyber incident response playbooks to make sure that all the bases are covered and that individual plans are in place.
Our Cyber Incident Exercises test your plans, plays, and teams to make sure that everything works. Like any good coach, we work with you to help you learn lessons from each exercise, to ensure that any weaknesses are addressed and that you are challenge ready.
The goal is to respond effectively to a security breach, maintain market confidence, avoid unnecessary business disruption, and safeguard your organisation from the potentially devastating effects of a cyber-attack.
Be ready to defend in 2022. To find out more, get in touch with the Quorum Cyber Team.