The ransomware gang DarkSide extorted more than $90m in Bitcoin before allegedly disbanding its illegal operation, according to new research.
Analysts at London-based blockchain analytics firm Elliptic said in a report published Tuesday that they had discovered a now empty digital wallet that had contained the proceeds of ransomware attacks engineered by the cyber-criminal gang.
"In total, just over $90m in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets," wrote Elliptic's co-founder and chief scientist, Dr. Tom Robinson.
"According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9m."
DarkSide has appeared in the news numerous times for its cyber-attacks, but the gang achieved real infamy earlier this month when it crippled America's Colonial Pipeline with ransomware. From this exploit, which triggered panic buying and fuel shortages along the East Coast, the gang reportedly netted $5m.
Elliptic researchers report that DarkSide's virtual wallet received a ransom payment of 75 Bitcoin from Colonial Pipeline.
The gang shut down its site on the dark web on May 13. Researchers at cybercrime intelligence provider Intel 471 reported that DarkSide had told its hacking partners who use the gang's “ransomware-as-a-service” tools to launch cyber-attacks that sales of its software and released services have ceased.
Before closing its digital doors, DarkSide appeared to be on track to achieve its most profitable month of the last three quarters.
Elliptic researchers found that since October 2020, February had seen the gang collect its biggest Bitcoin haul of more than $20m. May's earnings were close to $15m before DarkSide went dark.
Researchers noted that money extorted by the gang was divided up between those that had developed the ransomware (developers) and those who successfully deployed it (affiliates).
"In the case of DarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for ransoms greater than $5m," they wrote.
"This split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer."
Elliptic said that the DarkSide developer received a total of $15.5m in Bitcoin.
The cybersecurity industry should be placing more consideration on human behaviors to effectively tackle cyber-risks, according to a panel of experts speaking during the DTX: NOW virtual conference.
Lisa Forte, partner at Red Goat Cyber Security, who moderated the session, emphasized that human behaviors simply cannot be ignored when it comes to cybersecurity, noting that people “interact with our technology on a daily basis – whether that’s our staff who are responsible for looking after the data, or whether that’s clients creating unique usernames and passwords on our applications in order to access their own data, the human element comes into all of it.”
The panel first discussed approaches that security teams should use to help prevent people from falling foul of social engineering scams and cyber-attacks. Javvad Malik, security awareness advocate at KnowBe4, believes the starting point is to make people more aware of the threats that are out there. “Giving things a label and a name helps normalize it so people don’t feel like they’re the only ones getting caught out by a particular scam,” he said.
Additionally, this normalization needs to extend to when people are caught out by scams, thereby creating an environment in which there is no shame in admitting to being duped and that encourages frequent reporting of scams to law enforcement, according to Malik.
To help citizens truly understand cyber-risks, Holly Grace Williams, founder at Akimbo Core, said we need to focus on ensuring it is easy for people to do so. This includes the way awareness training is treated in organizations. “Very often I see security awareness programs delivered by companies where either the company doesn’t care about the content of the training and it’s simply a tickbox, or that the content is just on the face of it ineffective,” she noted.
John Graham-Cumming, chief technology officer at Cloudflare, added that digital companies should also be putting more effort into effectively forcing customers to adopt better security behaviors, such as strong passwords and two-factor authentication. He gave the example of emerging systems that tell users they are “using a password that has previously been hacked so don’t use that password,” adding that those outside the security industry “just need help to get into the right spot.”
The panel went on to highlight new ways security teams can bring about positive security behavioral change in people. Malik highlighted the importance of effective marketing to normalize certain behaviors. For example, he believes cybersecurity could learn from the “designated driver” terminology used to stop drunk driving, which was pushed heavily by behavioral scientists onto Hollywood. As this term got written into sitcoms, the concept quickly became normalized, and led to behavior change. “If we approach security from that perspective, we can get better behaviors,” he stated.
Removing the fear of punishment from employees caught out by social engineering attacks such as phishing is another crucial step organizations need to take. Williams noted that, sadly, it is still often the case that organizations blame a single employee's mistake for a security breach, as happened in the wake of the Equinox and SolarWinds attacks. “If your entire organization can fail because one staff member chose a bad password, or clicked a link in an email, there are fundamentally bigger problems to your organization,” she pointed out.
As well as not laying blame for errors, developing the right security culture among all employees in an organization is crucial to preventing tactics such as phishing from being successful. This requires a good relationship being “built in” between security teams and other members of staff, according to Malik. “If the only interaction you have with your security team is when an incident occurs, or when they send a simulated phish out to you and say ‘we caught you out,’ regardless of how good it is, you’re just going to think ‘who are these people and why are they trying to trick me?’” he outlined.
Graham-Cumming agreed, stating that security personnel have to develop a good “bedside manner” in addition to having technical expertise. He said it’s vital to have a relationship with general staff “not just when things have gone bad,” which includes encouraging people to report any concerns they have, even if they turn out not to be security related. “It’s really about openness and honesty and treating people well so they respect what your job is and they feel like you’re somebody they can trust,” he explained.
The UK privacy regulator has fined a QR code provider that abused its access to personal data to spam individuals with direct marketing at the height of the pandemic.
The Information Commissioner’s Office (ICO) explained in a notice yesterday that it fined St Albans firm Tested.me £8000 after it sent marketing emails without gaining adequate valid consent from data subjects.
The firm provided clients with contact tracing services by enabling them to offer customers a QR code to scan when arriving at their premises.
However, it used this data to send nearly 84,000 nuisance emails at the height of the COVID-19 pandemic between September and November 2020, the ICO said.
The ICO has also been running checks on other QR code providers to ensure they’re handling people’s data in accordance with the GDPR and its UK equivalent, the Data Protection Act 2018.
It said the checks revealed that most companies understood the laws and the importance of processing personal data fairly and securely.
The regulator’s guidance for firms, as the economy starts to reopen following extensive lockdowns, is to make privacy policies clear and simple, follow data protection by design guidance and not keep any personal data collected for more than 21 days.
Personal data collected for contact tracing is also not to be used for marketing or any other purposes, it said.
QR codes are increasingly used not only to check in to locations using the NHS Test and Trace app, but also by hospitality venues keen to offer customers a hands-free menu experience.
However, the technology doesn’t just represent a privacy risk. Security experts have warned that QR codes could be hijacked by threat actors to download malware and other threats to users’ devices.
Some 90% of cyber-attacks investigated by a leading security vendor last year involved abuse of the Remote Desktop Protocol (RDP), and ransomware featured in 81%.
The figures come from a new Active Adversary Playbook 2021 compiled by Sophos from the experiences of its frontline threat hunters and incident responders.
It revealed that, while RDP is often used to gain initial access into victim organizations, especially during ransomware attacks, it was also hijacked by attackers in 69% of incidents for lateral movement.
Techniques such as using VPNs and multi-factor authentication (MFA), which focus on preventing unauthorized external access to RDP, won’t work if the attacker is already in the network, Sophos warned.
In fact, it seems as if attackers are increasingly capable of slipping past perimeter defenses to infiltrate networks. The average dwell time for cases investigated by Sophos was 11 days. Considering many of these were ransomware attacks which typically require less time, 264 hours is more than enough for threat actors to do their worst.
“With adversaries spending a median of 11 days in the network, implementing their attack while blending in with routine IT activity, it is critical that defenders understand the warning signs to look out for and investigate,” argued Sophos senior security advisor, John Shier.
“One of the biggest red flags, for instance, is when a legitimate tool or activity is detected in an unexpected place. Most of all, defenders should remember that technology can do a great deal but, in today’s threat landscape, may not be enough by itself. Human experience and the ability to respond are a vital part of any security solution.”
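The Sophos point above, that RDP reused for lateral movement shows up as a legitimate tool in an unexpected place, is something a defender can check for in logon telemetry. The following is an added example, not code from Sophos or from the article: it runs over constructed Windows Security event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) and flags two patterns, RDP sessions from a source that is not on an assumed list of approved jump hosts, and one source fanning out to several distinct hosts inside a short window. The host names, IP addresses, approved-source set, threshold and window are all assumptions chosen for the illustration.

```python
"""Flag RDP logons that look like lateral movement (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4624 records as a SIEM might extract them (not real telemetry).
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = Network, included to show filtering.
# Note: with Network Level Authentication an RDP session is often preceded by a type 3
# logon from the same source; this example keys on the type 10 session only.
SAMPLE_EVENTS = [
    {"time": "2021-05-18T09:00:00", "host": "SRV-FILE01", "user": "admin.ops", "logon_type": 10, "src_ip": "10.0.5.10"},
    {"time": "2021-05-18T09:05:00", "host": "SRV-FILE01", "user": "alice",     "logon_type": 10, "src_ip": "10.0.20.15"},
    {"time": "2021-05-18T09:06:00", "host": "SRV-FILE01", "user": "alice",     "logon_type": 3,  "src_ip": "10.0.20.15"},
    {"time": "2021-05-18T09:12:00", "host": "SRV-DB01",   "user": "alice",     "logon_type": 10, "src_ip": "10.0.20.15"},
    {"time": "2021-05-18T09:20:00", "host": "DC01",       "user": "alice",     "logon_type": 10, "src_ip": "10.0.20.15"},
    {"time": "2021-05-18T11:00:00", "host": "WS-200",     "user": "bob",       "logon_type": 10, "src_ip": "10.0.30.7"},
]

# Assumption: the only host from which interactive RDP is expected is an admin jump host.
APPROVED_RDP_SOURCES = {"10.0.5.10"}
# Assumption: three or more distinct RDP targets from one source within 30 minutes is worth a look.
FANOUT_THRESHOLD = 3
FANOUT_WINDOW = timedelta(minutes=30)


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def rdp_sessions(events):
    """Keep only RemoteInteractive (RDP) logons."""
    return [e for e in events if e["logon_type"] == 10]


def unexpected_sources(events, approved=APPROVED_RDP_SOURCES):
    """Return RDP logons whose source address is not an approved jump host."""
    return [e for e in rdp_sessions(events) if e["src_ip"] not in approved]


def fanout_sources(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src_ip: hosts} for sources that reached >= threshold distinct hosts
    over RDP within any window-sized span of time."""
    by_src = defaultdict(list)
    for e in rdp_sessions(events):
        by_src[e["src_ip"]].append((parse_time(e["time"]), e["host"]))

    flagged = {}
    for src, sessions in by_src.items():
        sessions.sort()
        # Slide a window starting at each session; stop at the first span that fans out.
        for start, _ in sessions:
            hosts = {h for t, h in sessions if start <= t <= start + window}
            if len(hosts) >= threshold:
                flagged[src] = hosts
                break
    return flagged


def report(events):
    """Human-readable summary of both checks."""
    lines = []
    for e in unexpected_sources(events):
        lines.append(f"unexpected RDP source {e['src_ip']} -> {e['host']} as {e['user']} at {e['time']}")
    for src, hosts in fanout_sources(events).items():
        lines.append(f"RDP fan-out from {src} to {len(hosts)} hosts: {', '.join(sorted(hosts))}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On the constructed data the first check lists four sessions (three from 10.0.20.15 and one from 10.0.30.7) and the second flags only 10.0.20.15, which reached SRV-FILE01, SRV-DB01 and DC01 within 15 minutes. The one-off session from 10.0.30.7 is reported by the source check but not by the fan-out check, which is the distinction that keeps the second alert rare enough to act on.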
According to ESET, RDP attacks increased by a staggering 768% between Q1 and Q4 2020 as cyber-criminals focused on exploiting a tool used increasingly by remote workers to access their corporate desktops.
Tens of thousands of jobseekers have had their personal information exposed by a misconfigured cloud account, according to researchers.
The firm, TeamBMS, apparently specializes in recruitment for the building management systems sector, for projects including the skyscrapers 22 Bishopsgate and The Shard, Wembley Stadium and the Olympic Stadium, Heathrow Terminal 5 and Crossrail stations.
The 5GB trove contained 21,000 files including CVs featuring personal information such as email addresses, full names, mobile phone numbers, home addresses and social network URLs. Other details included dates of birth, passport numbers and applicant photos, according to Website Planet.
The research team believes that TeamBMS’s IT service provider may have been to blame for the privacy snafu.
If found by threat actors, the data could have been used to commit follow-on identity theft and fraud, and craft phishing attacks designed to steal more personal details or deploy malware.
Website Planet also claimed that the information contained in the bucket could have been used for corporate espionage or to target victims’ homes for burglary.
The research team discovered the leak on December 29 last year, and reached out several times to TeamBMS’s parent company TeamResourcing as well as to the UK CERT. The bucket was finally secured on March 23.
Not only those impacted by the leak but the company itself should be on guard for any suspicious activity going forward, Website Planet claimed.
“FastTrack, and anyone else implicated in this breach, should be vigilant when receiving calls from parties claiming to be clients or associates. In which case, businesses must implement strategies to confidently identify these individuals,” it said.
“It’s crucial that FastTrack, as well as any businesses at risk of this exposure, implements stringent security measures when storing customer data. Businesses should hire a cybersecurity professional to be sure that customer data is adequately protected.”
The scourge that is ransomware has had a devastating impact on the lives of ordinary people around the world, but it doesn't have to be that way, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Ransomware is not a new problem in 2021, and it certainly is not one that appears to be diminishing by any measure; rather, it's growing. Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, commented that, according to her firm's research, from 2019 to 2020 the average ransom payment nearly tripled, from $115,123 to $312,493. In that same period the highest ransom payment doubled from $5m to $10m.
"They're just gaining more and more money, and when that happens ransomware becomes more and more popular in the criminal sector," Miller-Osborn said.
The Evolution of Ransomware
Michael Daniel, president and CEO at the Cyber Threat Alliance, explained that over the course of the last decade, ransomware has changed.
"If you look back to, say, 2013, ransomware was typically targeted at an individual's computer, and the average ransom was like 100 or 150 bucks, so it was a fairly minimal affair," Daniel said.
In contrast, Daniel noted that in 2021 the average ransom is more than $300,000, and it's not just individuals being targeted—it's things like school systems, hospitals and the energy grid.
As the cost and scale of ransomware attacks have grown, so too has the complexity of trying to limit the risk and the ability to shut down attackers. Among the challenges is that the impact of ransomware isn't limited to any one industry or even any one agency within the US government.
Phil Reiner, chief executive officer, Institute for Security and Technology and Ransomware Task Force, explained that one of the primary reasons why the Ransomware Task Force existed was to help deal with the fast-moving threat landscape.
"It takes senior-level, top-down interest in a problem like this to really get after it with the resources that are required, and the prioritization of the issue needs to be raised in order to actually do something differently," Reiner said. "It's not business as usual. This is not just a normal cybersecurity threat—it's a plague."
It Is Time for a Comprehensive Approach to End Ransomware
The panelists all agreed that reducing the growth of ransomware will require a coordinated and comprehensive effort across public and private sectors around the world.
"You're not going to solve ransomware with some little silver bullet that just fixes the crypto payments processing problem, you're not going to solve it by just sending Cyber Command after somebody sitting perhaps in Eastern Europe," Reiner said. "These actions all have to happen at the same time if you're really going to effect significant change and shift the trajectory."
Daniel emphasized that disrupting the cryptocurrency element of ransomware will be a critical part of a comprehensive effort. He noted that it is clear that one of the big enablers for ransomware is the growth of cryptocurrencies.
"Cryptocurrency enables payments to occur in a way that the normal financial system can't track or block," Daniel said. "So clearly you're going to have to address that part of the ecosystem, which has nothing to do with cybersecurity directly."
Increasing Pressure with Law Enforcement Actions
As ransomware attackers can be anywhere in the world, Reiner said that there are different tactics, including economic sanctions, that can and should be used globally to apply pressure to de-incentivize attacks.
"These threat actors, they feel like they can operate this way because they've got safe haven," Reiner said.
Daniel suggested that for the federal government, there is a need to increase capabilities across multiple agencies and not just those where the focus is on security. For example, he noted that the Department of Health and Human Services (HHS), the Department of Energy and others need to work with organizations within their respective sectors to make them more resilient to ransomware incidents.
Miller-Osborn advocated for more law enforcement actions to help deter would-be ransomware actors. In her view, many ransomware attackers haven't been too concerned about consequences or the risk of ending up in jail. If there is a coordinated response, where ransomware infrastructure, network and payment operations are all taken down and people are arrested, convicted and given jail time, she expects that behavior will change.
"Cybercrimes are never going to go away," Miller-Osborn said. "But the more people we can discourage from doing these kinds of activities, the safer everyone's going to be as a whole."
When a security breach occurs in the US today there is no single authority or national breach reporting law that needs to be adhered to, but that could change in the near future, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Luke Dembosky, partner at law firm Debevoise & Plimpton LLP, commented that the current state of breach reporting in the US is a patchwork of laws and policies that vary by jurisdiction. He noted that each individual state sets the rules that determine whether an organization has to report to state authorities, as well as impacted individuals, in the event of a data breach.
"It's very challenging for companies that do business across state lines, often to figure out what are all the various potential breach notification obligations," Dembosky said.
The (Solar)Wind Pushing the National Data Breach Reporting Law Forward
Adam Hickey, deputy assistant attorney general, National Security Division at the US Department of Justice, commented that there have been a number of high-profile breaches in recent years that have impacted critical infrastructure across multiple sectors. Without a single reporting framework, the federal government doesn't always get all the data and insight it needs.
"We are challenged getting a handle on the visibility of what's happening," Hickey said.
Among the recent high-profile data breach incidents discussed during the panel was the SolarWinds data breach. Tonya Ugoretz, deputy assistant director at the FBI, commented that a lot of times when there is a push for legislation to close a particular gap, like with the national data breach reporting law, that groundswell is prompted by something that didn't happen, someone who didn't take an action. That's not what happened in the SolarWinds incident.
Ugoretz said that in the SolarWinds incident, it was reported quickly by security vendor FireEye, which itself was a victim of a breach.
"They [FireEye] did the right thing," Ugoretz said. "Almost immediately upon noticing that they were the victim of this very sophisticated intrusion, they reached out to the government."
She added that this type of quick notification doesn't always happen and the fact that it did may well have helped to prevent even more data loss, which was a theme that Hickey echoed. Hickey said that thanks to FireEye raising its hand and saying, "This is happening on my network," the federal government was able to move quickly to investigate and help limit risk.
Why a National Data Breach Reporting Law Is Needed
Hickey emphasized that a national data breach reporting law is needed to help provide visibility to law enforcement and push out information to enable potential victims to be protected.
As a general rule, Hickey noted, companies are more willing to contact the government and work with law enforcement now than they were ever before, for several reasons.
"In the past, having a data breach used to be kind of a scarlet letter, and there was a shame factor, so you kind of didn't want it to get out," Hickey said. "Now there's sort of a sad understanding that this is a part of the mortality of computer networks."
With the realization that data breaches happen, Hickey said, organizations' attention has turned not just to defense, but also to resilience and reputation.
"Part of the way you demonstrate you are taking something seriously and doing everything you can as a business is saying, I'm working with law enforcement to address it," Hickey commented.
What the National Breach Reporting Law Should Look Like
A key objective for a potential national breach reporting law that all the panelists agreed upon was the idea that it should make reporting a breach easier, not harder, than the current patchwork model.
Ugoretz emphasized that having a national standard for breach reporting will give companies less to figure out, which is especially important at the moment they are suffering from an intrusion. She wants to see a law that is clear and concise and that helps victims and law enforcement figure out what happened and prevent further exposure.
"We think of each of these intrusions as if it were a murder conducted by a serial killer, where whoever is behind it will strike again and they're leaving clues at each crime scene," Ugoretz said. "This reporting law will help us pick up those clues and share them with others before they then become subsequent victims."
The new US administration’s approach to modernizing the nation’s cybersecurity defenses was laid out by Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology, National Security Council, during a keynote session on day two of the virtual RSA Conference 2021.
Neuberger began by describing the increasingly dangerous cyber-threat landscape, noting that President Joe Biden’s administration has already had to deal with two large-scale incidents during its first 100 days in office—the SolarWinds and Microsoft Exchange attacks.
“Governments and companies are under constant, sophisticated and malicious attack from nation-state adversaries and criminals,” she outlined, adding that “today, more than ever, cybersecurity is a national security imperative.”
In this environment, Neuberger stated, it is time to shift the mindset from incident response to prevention. “I’ve observed that as a community we’ve accepted that we’ll move from one incident response to the next,” she said. “While we must acknowledge that breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate.”
With this principle in mind, Neuberger set out three areas the current US federal government is focusing on to enhance the nation’s cybersecurity:
1. Modernize Cyber-defenses
Neuberger stated how the SolarWinds attacks demonstrated that “some of the most basic cybersecurity measures were not systemically rolled out across federal agencies.” These include multi-factor authentication, encryption and endpoint detection.
As well as mandating these basic security hygiene measures in government, Neuberger said the administration is also introducing ways of ensuring the security of the software it purchases from vendors is up to scratch. She explained that the products the government buys “often include defects and vulnerabilities.” According to Neuberger, these defects are accepted by developers either because they expect to be able to patch later or because they decide to ignore them when they deem the defects not sufficiently serious.
“That’s not acceptable—it’s knowingly introducing unknown and potentially grave risks that adversaries and criminals then exploit,” she stated.
To tackle this issue, Neuberger revealed it is a priority of the government to ensure the software it buys is built securely from the start, “by potentially requiring federal vendors to build software in a secure development environment.” She added that this approach should have the knock-on effect of enhancing the security of software bought by organizations outside of government, such as schools and small businesses.
Another vital step in this area is to gain visibility into what software is developed securely and what isn’t, as it is currently impossible for customers to make this assessment. Neuberger explained: “Today we place our trust in vendors but we largely do it blindly, because we don’t have a way to measure that trust.”
She additionally highlighted that the administration is currently working on a pilot program to protect the technology relied upon in critical national infrastructure. This initiative “will facilitate private-sector efforts to install new technologies that provide timely visibility, detection, response and blocking capabilities.” Neuberger noted this is “the first step in a series of efforts we’ll be working on to ensure we can trust the systems underpinning our critical infrastructure.”
2. Return to a More Active Role on Cyber Internationally
Neuberger also emphasized the need for the US to strengthen its global partnerships “to counter adversaries that leverage technology to undermine national and global security.” She highlighted a number of initiatives in this area, including the Quadrilateral Security Dialogue (QUAD), which aim to “counter cyber-threats and hold malicious actors accountable.”
She revealed that one of the administration’s first global cybersecurity initiatives will be a “cooperative effort to counter ransomware,” with this vector becoming increasingly prevalent. She noted: “This represents a national security threat for countries around the world because it can disrupt schools and hospitals and governments’ and companies’ abilities to deliver services. And because of the huge financial cost.”
Neuberger added that it is particularly concerning that ransomware actors are often able to strike by targeting known weaknesses, such as endpoint and software vulnerabilities.
Additionally, the increasing sophistication of ransomware groups, in terms of both their techniques, like the use of fileless malware, and their operational models, including the growth of double-extortion schemes, cannot be ignored. Neuberger commented: “International cooperation to address ransomware is critically important because transnational criminals are most often the perpetrators of these crimes and they often leverage global infrastructure and money laundering networks to do it.”
3. Prepare America’s Future Cybersecurity Posture
As well as focusing on securing today’s technology and infrastructure, Neuberger said another priority of the Biden administration is “to invest in and facilitate the innovation of tomorrow.” As such, the government’s American Jobs Plan has a proposal to invest $180bn in R&D for emerging technologies. This covers areas like AI, quantum computing and micro-electronics.
This investment is vital for enhancing the US’s cyber-defenses, according to Neuberger. In particular, she highlighted the future importance of quantum computing in this regard. While this technology “promises to revolutionize certain unsolvable computing problems,” it will also “fundamentally disrupt cybersecurity and the technology platforms on which it’s built.”
This is because quantum computing offers malicious actors new vectors to compromise IT systems, with potentially “devastating” impacts on certain encryption methods, such as asymmetric encryption, which is “the foundation of our economic and national security communications.”
As such, the American Jobs Plan “reflects a commitment to accelerate US leadership in quantum computing and quantum information science more broadly,” which will help “protect the country from the adversarial use of these technologies.”
Neuberger concluded her talk by saying: “Bolstering the nation’s cybersecurity, safeguarding our critical infrastructure and renewing America’s advantages broadly are fundamental to the Biden administration’s commitment to our national security strategy.”
McAfee senior vice president and CTO, Steve Grobman, took to the virtual stage at RSA Conference on May 18 with a call to action: reconsider the perception of risk by looking at data, not headlines.
Grobman claimed that often the information security industry falls into the trap of perceiving risk based on how threats are portrayed in the media.
“A scientific approach is needed to measure risk and help counteract bias,” he said. Grobman used the micromort as an example of how to do this. A micromort is a unit of risk defined as a one-in-a-million chance of death. “We can use micromort to challenge our intuition on what is actually risky and what isn’t,” he said.
“Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotions,” Grobman warned.
“Organizations worry about all sorts of threats. Mass malware we see every hour. Spear-phishing attacks on critical employees we see every day. And the rare nation-state-directed attacks that have the potential to be devastating.
“One observation is that the frequency of an event is inversely proportionate to its impact.”
The impact of a cyber-event, said Grobman, “has multiple levels of nuance. We need to consider the impact to an organization independently from the global impact.”
He gave the examples of WannaCry and NotPetya, which had catastrophic effects and a global impact on numerous organizations around the world, as they spread fast and were highly disruptive. He also gave the example of other attacks that had a huge impact but only on a solo organization.
“We need to examine the different aspects of the damage that emanates from certain attacks, for example, indirect costs, such as regaining environmental integrity, which can be immense.”
“We need to understand the risk/reward benefits when we choose to engage in high-risk areas,” he continued.
Impact, Scale, Frequency
Grobman suggests a risk model that takes all factors into consideration. “Consider impact, scale and frequency. These are the three vectors that matter,” he explained. “This model is all about risk. Risk is the potential for negative outcome, whereas an event is a historical record of what has occurred. Past events don’t predict future outcomes.”
However, Grobman advised, “they can provide data to scientifically assess the likelihood of future scenarios” in order to understand how to prepare defenses.
McAfee did some research into how what we should worry about aligns with what we do worry about. “We analyzed traditional and social media along with the web activity of McAfee data related to threats. We found that many of the high-profile single organization targeted attacks saw a lot of attention.
“Whereas some campaigns such as TrickBot get little media coverage, but organizations need to pay greater attention to them. They act as the catalyst for secondary, high-impact attack scenarios.”
Media coverage can inform us about emerging global cyber events, said Grobman, “but we need a more science-based approach. We need to comprehensively evaluate the events that impact organizations.”
In addition, Grobman advises that good cyber-hygiene and good user education to prevent everyday threats are incredibly important. “We need a combination of technology and cyber-operators to defeat the adversary, because no technology on its own can outsmart or outplay an advanced attacker.”
In conclusion, Grobman said it is critical that “the investments we do make have the strongest benefits compared to the risks they are mitigating.
“My call to action for you is this: let’s make the best cyber-defense decisions possible. Yes, watch the news and monitor your Twitter feed, but be hyper-conscious to counter-balance natural instinct reactions driven by media and hype and ensure that every trade-off and decision you make to defend your organization is based on data and objectivity.”
Approximately 2.9 million Distributed Denial of Service (DDoS) attacks were launched in the first quarter of 2021, according to research from NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT).
The estimated figure represents a 31% increase compared to the same period in 2020. All three months of the year's first quarter saw more than 900,000 DDoS attacks, which researchers said exceeded the existing baseline of 800,000 per month.
"The first two months of the year are usually the slowest months in the DDoS attack calendar," wrote researchers.
"This year, we saw 972,000 attacks in January, which eclipses the record set last May for the largest number of attacks yet seen in one month."
ASERT has warned that last year's record-breaking volume of DDoS attacks could be exceeded in 2021.
"If this activity holds, we are on a trajectory that blows right by the unprecedented 10-million-attack threshold recorded in 2020," wrote researchers.
Comparing the first quarters of this year and 2020, researchers noted no significant increase in the size of the attacks launched. During both periods, attackers opted to deploy fast attacks that victims would find difficult to mitigate.
The length of the attacks and the throughput both increased year-on-year. Many attacks (42%) lasted between five and ten minutes, while assaults lasting fewer than five minutes dropped from 24% to 19%.
"Adversaries ratcheted up throughput considerably, as the max throughput recorded increased 71% compared with Q1 2020," noted researchers.
Analyzing which industries attackers chose to hit, researchers observed that healthcare, education and online services were prime targets.
Healthcare organizations suffered about 7,000 attacks in Q3 2020, 10,000 attacks in Q4, and 8,400 attacks in Q1 of 2021. The figure for the first quarter of 2021 represents a 53% increase year over year.
In education, attacks rose by 41% over the past three quarters, with 32,000 attacks in Q3 2020, 39,000 in Q4 and 45,000 in the first quarter of this year.
This latest research supports conclusions noted in NETSCOUT’s semi-annual Threat Intelligence Report, which predicted DDoS attacks would continue to hit record numbers this year while becoming increasingly complex in scope.
An Oregon man has been indicted on suspicion of carrying out a million-dollar streaming service fraud scheme.
Samuel Joyner allegedly conspired with an accomplice based in Australia to steal and resell customer account credentials for popular internet streaming services, including Netflix, HBO Max and Spotify Premium.
On May 12, a federal grand jury in Portland returned an indictment charging 30-year-old Beaverton resident Joyner with conspiracy to commit computer and access device fraud, trafficking and use of unauthorized access devices, and possession of fifteen or more unauthorized access devices.
According to the indictment, between February 2018 and March 2019, Joyner teamed up with 23-year-old Sydney resident Evan McMahon to create and operate an online subscription service called AccountBot.
AccountBot sold account credentials to access streaming services at a heavily discounted rate, ranging from $1.79 to $24.99 depending on the service and the duration of access.
It is alleged that Joyner and McMahon used credential stuffing attacks to obtain usernames and passwords for the services, which they then sold via AccountBot in exchange for cryptocurrency or fiat.
By March 2019, AccountBot had more than 52,000 different registered customers and over 217,000 unique sets of stolen account credentials.
The indictment alleges that the men were equal partners in the illicit business but had different roles. Drafting computer code for AccountBot’s website and managing customer payments was allegedly McMahon's responsibility, while Joyner is accused of stealing most of the user credentials and running AccountBot's customer service.
McMahon pleaded guilty and was sentenced in April to serve two years and two months on an intensive corrections order.
Australian Federal Police cybercrime operations case officer Joanna Kondos said: “Following a referral of information from our FBI law enforcement partners, the Australian Federal Police arrested, charged, and secured a conviction against a Sydney man, and we also seized more than a million dollars’ worth of cryptocurrency assets which were the proceeds of his crime."
Joyner, who reportedly went by numerous online aliases, including "FamousCracker," was arrested on Wednesday by the FBI. He pleaded not guilty and was released pending a five-day jury trial scheduled to begin on July 13, 2021.
By acquiring Waeg, IBM hopes to extend the range of Salesforce services it can offer and progress its hybrid cloud and AI strategy.
IBM said the deal would "build on its continued investment in Salesforce consulting services to meet the rising client demand for experience-led business transformation and new customer engagement strategies backed by data, AI, and machine learning."
This news follows IBM's acquisition of leading US Salesforce consultancy 7Summits in January 2021.
Waeg was established in 2014 and employs 130 people in offices in Belgium, Denmark, France, Ireland, the Netherlands, Poland, and Portugal. It provides a full complement of Salesforce consulting services, including business-to-business commerce, digital strategy advisory, marketing automation and customer experience design, implementation, and managed services.
The company works with organizations across a range of industries, but its expertise is most highly concentrated in manufacturing, healthcare, and life sciences.
Waeg holds expert distinctions in Salesforce's Navigator program in Manufacturing, Pardot, and Salesforce B2B Commerce and holds over 400 Salesforce certifications.
"Salesforce continues to play a critical role in companies' digital transformations as they adapt to the conditions created by the pandemic," said Mark Foster, senior vice president, IBM Services and Global Business Services.
"Trust is the new currency of customer and employment engagement, and every touchpoint is an opportunity to personalize the relationship."
Foster added that Waeg's Salesforce expertise would help IBM customers move with the times.
He said: "Waeg's strength in Salesforce consulting services will be key to creating intelligent workflows that allow our clients to keep pace with changing customer and employee needs and expectations."
Foster's expectations align with Waeg's mission as described by the company's co-founder and managing partner Chris Timmerman.
Timmerman said: "Waeg's growth was built on the simple notion of helping our clients successfully navigate constantly changing customer demands. Now, as we join forces with IBM, we are excited to leverage our collective Salesforce capabilities to accelerate that growth across Europe."
The transaction is subject to customary closing conditions. It is expected to close this quarter.
Consumers have been warned to be vigilant about a surge in meal kit delivery scams, following rising demand for these DIY recipe kits during the COVID-19 lockdown.
Cybersecurity firm Tessian revealed it had uncovered a number of SMS scams impersonating well-known meal kit delivery companies, including Gousto and HelloFresh.
These scams come in a number of forms. In one example, several phishing campaigns are impersonating Gousto and asking recipients to rate their delivery to enter a prize draw. The link in the message takes them to a fake website, designed to steal personal and financial information or harvest important credentials.
There is also significant variation in the sophistication of these scam messages, with a particularly easy one to spot stating: “Your Gousto box is now delivered. Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.”
Tessian added that thousands of these SMS and WhatsApp messages are typically sent out at the same time.
Gousto has also warned its customers about the scams, posting on its Twitter account: “We are aware that these emails/texts are in circulation unfortunately, and we would advise against opening them. Our Info Tech team are looking into this suspicious activity."
Commenting on the findings, Tim Sadler, CEO and co-founder of Tessian, said: "Throughout the pandemic, we've seen cyber-criminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information.
“These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data. A general rule of thumb is that, if you’re ever not sure if something is a scam, then assume it is. You can always verify a message’s legitimacy with the company directly.”
The FBI has warned families of missing persons to be on their guard for extortion demands from cyber-criminals claiming to have abducted their loved ones.
The scammers typically scour social media posts to gather information about missing persons and their families. They’ll carry out open source research to find out more about the individual in order to make their claims more realistic.
The fraudsters will then contact those family members online or call/message them using third-party apps to disguise their phone number. Usually they’ll request between $5,000 and $10,000 in ransom, the FBI claimed.
“Generally, offenders do not offer proof of life. However, in one instance, an accomplice made telephone calls to family members claiming to be the missing person. Offenders often claim the missing person is ill or injured, adding to the urgency of the situation and putting additional pressure on family members to pay the ransom,” the FBI warned.
“Since the onset of COVID-19 nationwide stay-at-home orders, law enforcement has received several reports of scammers targeting families who have posted on social media about their missing family member.”
The FBI claimed in its recent Public Service Announcement that such scams had increased over the past three years, with COVID-19 offering extortionists more opportunities to strike the vulnerable.
The Feds urged anyone who has been targeted in this way to contact their local law enforcement agency or FBI field office, file an online complaint with the Internet Crime Complaint Center and be sure to keep all records of communication with the individuals concerned.
There were nearly 77,000 cases of extortion recorded by the FBI last year, putting the category third in terms of frequency, according to its Internet Crime Report 2020. Nearly $71 million was lost to such incidents over the period.
The National Cyber Security Centre (NCSC) is launching a second annual survey in a bid to drive greater diversity in the cybersecurity sector.
Developed in partnership with KPMG UK, the 2021 Diversity and Inclusion Survey for the UK Cyber Workforce aims to improve understanding of disability and neurodiversity in the workforce to better spot where improvements are needed.
According to the results of the inaugural report, Decrypting Diversity 2020, there’s still a long way to go in the sector.
It revealed that one in five respondents do not feel they can be themselves at work, while 41% of black cybersecurity professionals felt they’d experienced discrimination because of their ethnicity over the previous year. A further 14% of respondents said they’d experienced barriers to career progression as a result of diversity and inclusion issues.
Part of the problem seems to be transparency: nearly three-quarters (74%) of negative incidents as a result of diversity and inclusion are not reported.
New benchmarks in this year’s study will capture key data on disability, neurodiversity, location of workplace, employer size and seniority.
The hope is that with this extra information, improvements can be made to encourage a wider range of individuals to choose a career within the sector — one experiencing major skills shortages. Currently, there’s a global shortfall of over three million professionals.
The NCSC said cybersecurity leaders need to be more accountable for diversity and inclusion among their workforce and the industry as a whole needs to absorb best practice more effectively from within and outside the sector.
“Our second Decrypting Diversity survey will help us build on the collective understanding of where the sector is falling short, allowing us to break down barriers to ensure that there are opportunities for all,” said NCSC CEO, Lindy Cameron.
“We know that a welcoming community and greater diversity leads to more innovation and better outcomes for the UK, and the NCSC is committed to helping transform the cybersecurity sector into an exemplar of best practice.”
Insurance giant AXA could face a barrage of DDoS attacks if it refuses to engage with a ransomware group that claims to have stolen terabytes of data from some of its Asia customers.
It emerged over the weekend that partners of the French multinational had been struck by the Avaddon variant, which claimed to have encrypted data in Thailand, the Philippines, Hong Kong and Malaysia.
The group also claimed to have stolen 3TB of highly sensitive data including customer HIV and STD reports, customer and doctor ID documents and bank account details, and much more.
According to the post on its leak site, republished by Heimdal Security, the insurance group has 10 days from Saturday before Avaddon launches DDoS attacks on its network, in a bid to force payment.
Some passport details touted as part of the breach have already been leaked, as is customary, to show the group means business.
The incident comes just days after AXA announced a new policy in France whereby it would no longer reimburse customers for any ransomware payments made to threat groups. The stance had been praised by security experts who believe that cyber-insurance payments are perpetuating the global problem of ransomware.
ImmuniWeb founder and CEO, Ilia Kolochenko, argued that the jurisdictions affected have weaker data protection regulations than Europe.
“The financial and legal consequences of the breach in the EU or Singapore would have been much higher,” he added. “This incident also emphasizes the importance of a third-party risk management program to protect corporate data.”
Martin Jartelius, CSO of Outpost24, added that the size of the claimed data haul is particularly worrying in an age when privacy-by-design should be paramount.
“Ransomware and targeted breaches are a threat to all organizations and can be extremely difficult to protect against. But here the leaked information, and the existence of such information to leak, is more concerning,” he said.
“As always when someone prepared to commit crimes to get money gives you a promise not to release in the case money is awarded, there is little to nothing to support that they will not be back asking for more money again, and again.”
Artificial intelligence, commonly referred to as AI, represents both a risk and a benefit to the security of society, according to Bruce Schneier, security technologist, researcher, and lecturer at Harvard Kennedy School.
Schneier made his remarks about the risks of AI in an afternoon keynote session at the 2021 RSA Conference on May 17. Hacking for Schneier isn't an action that is evil by definition; rather, it's about subverting a system or a set of rules in a way that is unanticipated or unwanted by a system's designers.
"All systems of rules can be hacked," Schneier said. "Even the best-thought-out sets of rules will be incomplete or inconsistent, you'll have ambiguities and things that designers haven't thought of, and as long as there are people who want to subvert the goals in a system, there will be hacks."
Hacking AI and the Explainability Problem
Schneier highlighted a key challenge with hacking that is conducted by some form of AI: it might be difficult to detect. Even if the hack is detected, it will be difficult to understand what exactly happened.
The so-called explainability problem is one that has been tackled in the popular cult classic science fiction novel The Hitchhiker's Guide to the Galaxy. Schneier recounted that in that novel a race of hyper-intelligent pan-dimensional beings build the universe's most powerful computer, called Deep Thought, to answer the ultimate question of life, the universe, and everything. The answer was 42.
"Deep Thought was unable to explain its answer, or even what the question was, and that is the explainability problem," Schneier said. "Modern AIs are essentially black boxes: data goes in one end, and the answer comes out the other."
Schneier noted that researchers are working on explainable AI, but he doesn't expect it to yield any short-term results for several reasons. In his view, explanations of how AI works are actually a cognitive shorthand used by humans, suited for the way humans make decisions.
"Forcing an AI to produce a human-understandable explanation is an additional constraint, and it could affect the quality of its decisions," he said. "Certainly in the near term AI is becoming more opaque, less explainable."
AI Hackers on the Horizon
At present, Schneier doesn't see the mass application of AI for malicious hacking activities by threat adversaries, though that is a possible future that organizations should start to prepare against.
"While a world filled with AI hackers is still science fiction, it's not stupid science fiction," Schneier said.
To date, Schneier has observed that malicious hacking has been an exclusively human activity, as searching for new hacks requires expertise, creativity, time, and luck. When AI systems are able to conduct malicious hacking activities, he warned, they will operate at a speed and scale no human could ever achieve.
"As AI systems get more capable, society will cede more and more important decisions to them, which means that hacks of those systems will become more damaging," he said. "These hacks will be perpetrated by the powerful against us."
Defending Against AI Hackers
While the first part of Schneier's talk was a grim and sobering sermon on the risks of AI hacking, there are potential upsides for cybersecurity as well.
"When AI is able to discover new software vulnerabilities in computer code, it will be an incredible boon to hackers everywhere," Schneier said. "But that same technology will be useful for defense as well."
A potential future AI tool could be deployed by a software vendor to find software vulnerabilities in its own code and automatically provide a fix. It's a potential future that could eliminate software vulnerabilities as we know them today, Schneier stated optimistically.
"While it's easy to let technology lead us into the future, we're much better off if we as a society decide what technology's role in our future should be," Schneier concluded. "This is something we need to figure out now before these AIs come online and start hacking our world."
RSA Conference keynoter Theresa Payton outlines how misinformation works and what organizations can do to help combat it.
Misinformation is everywhere on the internet today, but there are ways to spot it and limit its risk, according to Theresa Payton, CEO of Fortalice Solutions.
Payton detailed her firm's research into internet misinformation campaigns in an afternoon keynote session at the 2021 RSA Conference on May 17. Payton has been writing about and tracking the activities of misinformation groups on the internet for several years and has identified a number of key patterns. While there are different objectives for different groups, at the core, internet misinformation campaigns are about encouraging distrust.
"Manipulators promote misinformation to encourage populations to doubt what they believe," Payton said. "The end game is to make you doubt everything you believe, which leaves you open to believing anything."
The Misinformation Multiplier
Payton commented that although political and social espionage is centuries old and well documented, technology gives it a new twist. She noted that in 2013 the World Economic Forum listed online misinformation as one of the top trends.
The reason why online misinformation is so widely used is because it works. Payton added that the business of misinformation is also very lucrative, generating lots of money for certain groups that are able to execute campaigns effectively.
"Research shows that a false story reaches people six times faster than just the actual news or the truth," she said.
Public Health Misinformation
Among the many topics that are the target of misinformation on the internet today is public health related to the COVID-19 vaccine.
Payton said that one rough estimate shows that misinformation on public health alone generated billions of social media views in a year. The impact of one such misinformation campaign was revealed in a UK poll that Payton cited, reporting that 8% of UK residents believe that 5G technology actually spreads the coronavirus. In the United States, she said, 27% of Americans are hesitant to get the COVID-19 vaccine, much in part due to manipulation campaigns.
"These theories are just a small part of the global infodemic that is running largely unchecked on social media platforms," Payton said. "It doesn't have to be this way."
How Misinformation Spreads
There are various ways that misinformation spreads on the internet, though there are a few key recurring patterns.
The first step is the creation of the news item, which is then posted on independent news sites.
Popular but innocuous hashtags are used, and a combination of real people, fake personas, and bots re-share the original post.
Payton referred to the sharing of the news as an information laundering process, which is repeated over and over until the misinformation takes hold.
What Users Can Do to Combat Misinformation
Among the different steps that users can take to combat misinformation is to be vigilant and look out for sensational headlines.
Payton said that the fact that a topic is not being reported on traditional news media outlets could be another red flag. Traditional media outlets typically have to properly source and attribute news before it is published.
There are also tools that organizations can use to help identify potential misinformation campaigns. Payton recounted how her firm was able to use a series of tools to help identify the perpetrators behind one particular COVID vaccine–related misinformation campaign. Among the tools her team uses is Botometer, which can be used to identify the likelihood that a given social media account is a real person or is a bot. Another tool that her team uses is the Facebook Crowdtangle tool that can help to identify and correlate social media activities, which can be further visualized with the NodeXL tool for social media visibility.
For companies, Payton suggests that they consider building a playbook around how to respond to potential manipulation campaigns.
"Think about having an incident response playbook where either your industry, your executives, or your actual company fall prey to some type of misinformation or disinformation campaign," Payton said. "Go on offense now and create debunking and pre-emptive measures."
Payton also recommends that the standard operating procedure at organizations of all sizes should include scanning for misinformation about the industry the company is in, the company itself, and its executives.
"The only fix is for all of us to be enraged by what the manipulators are doing," Payton said. "It is time for this digital generation to rise up against those who are trying to hijack our minds and manipulate what we know to be true."
The 2021 RSA Conference got underway on May 17, with RSA CEO Rohit Ghai explaining what resilience is all about and what that means for cybersecurity.
Resilience is the theme for the 2021 RSA Conference, which is being held as a virtual event as the ongoing global pandemic continues to restrict in-person gatherings. Ghai opened the conference and his keynote with an acknowledgment that this year's conference follows a year of trials and tribulations for everyone. The path and the way forward in his view was summed up in one word - resilience.
"Resilience isn't just about getting up when you fall," Ghai said. "To be good at it, we must fall less often, withstand the fall better, and rise up stronger every time."
The Intersection of Chaos and Resilience
Ghai commented that the concept of chaos is a good way to describe the cybersecurity landscape. He noted that in cybersecurity, defenders are dealing with multiple, connected technology stacks across different cloud providers. On top of that, Ghai said that there is the added randomness of malicious actors trying to disrupt operations and instil fear.
"How can you secure chaos?" Ghai asked rhetorically. "You can't, you don't - you focus on resilience by embracing chaos."
Embracing chaos in Ghai's view is about expecting the unexpected, trusting no one and compartmentalizing failure zones. Going a step further, he suggested that cybersecurity reliability engineering teams should constantly assess and test their responses to different types of risks and attacks.
"If you don't have visibility, then you don't know what to defend," Ghai said. "Once you do have visibility, use threat intelligence to understand your vertical's likeliest antagonists, including their methods."
Zero Trust and Resilience
The concept of zero trust is also critical to enabling resilience.
"Zero trust was always important, but in the post-COVID, work-from-anywhere, always-on world, it is an imperative," Ghai said.
He added that zero trust is a mindset as well as an architecture. With zero trust, organizations make use of microsegmentation to divide up a network, as well as providing application-layer threat prevention. Zero trust also involves the use of risk-based, continuous multi-factor authentication as a critical component.
"Most important of all is to limit trust to what is absolutely required, and never elevate trust based on unreliable factors," Ghai said. "By being prepared for chaos, we will fall less often."
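The risk-based, continuous authentication that Ghai describes is easier to reason about as a policy engine that re-scores every request rather than trusting a login once. The block below is an added example written for this page, not RSA's or Ghai's code: the resource segments, risk weights, thresholds and MFA freshness window are all constructed assumptions, and the `X-Internal`-style "trusted network" claim is a hypothetical self-asserted signal included only to show that an unreliable factor must never lower the score.

```python
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Constructed policy constants (assumptions for this example, not a standard).
STEP_UP_THRESHOLD = 40          # at or above this, fresh MFA is required
DENY_THRESHOLD = 100            # at or above this, the request is refused outright
MFA_FRESHNESS_SECONDS = 15 * 60 # an MFA completed longer ago than this no longer counts

# Microsegments: each resource belongs to a segment with a sensitivity weight.
# Unmapped resources fall through to default deny ("limit trust to what is required").
RESOURCE_SEGMENTS = {
    "wiki":  ("general", 10),
    "crm":   ("sales", 40),
    "hr-db": ("hr", 60),
}


@dataclass
class RequestContext:
    user: str
    resource: str
    device_id: str
    source_country: str
    timestamp: int                   # seconds since epoch
    last_mfa_at: Optional[int]       # when the user last completed MFA; None if never
    claims_trusted_network: bool     # hypothetical self-asserted header; unreliable


@dataclass
class UserState:
    known_devices: Set[str]
    last_country: Optional[str] = None
    last_seen: Optional[int] = None


def risk_score(ctx: RequestContext, state: UserState) -> Tuple[int, List[str]]:
    """Score one request from observable, server-side signals only."""
    reasons: List[str] = []
    _segment, sensitivity = RESOURCE_SEGMENTS.get(ctx.resource, ("unmapped", DENY_THRESHOLD))
    score = sensitivity
    reasons.append(f"resource sensitivity {sensitivity}")

    if ctx.device_id not in state.known_devices:
        score += 30
        reasons.append("unknown device")

    # Country change shortly after the previous request is treated as a strong signal.
    if (state.last_country and state.last_seen is not None
            and ctx.source_country != state.last_country
            and ctx.timestamp - state.last_seen < 3600):
        score += 40
        reasons.append("country change within an hour")

    # The self-asserted "trusted network" claim is deliberately NOT used to
    # reduce the score: trust is never elevated on a factor the client controls.
    if ctx.claims_trusted_network:
        reasons.append("self-asserted trusted-network claim ignored")
    return score, reasons


def decide(ctx: RequestContext, state: UserState) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons). Called on every request."""
    score, reasons = risk_score(ctx, state)
    mfa_fresh = (ctx.last_mfa_at is not None
                 and 0 <= ctx.timestamp - ctx.last_mfa_at <= MFA_FRESHNESS_SECONDS)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD and not mfa_fresh:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed walk-through: same user, same session, re-scored per request.
    alice = UserState(known_devices={"laptop-1"}, last_country="GB", last_seen=1000)
    for ctx in (
        RequestContext("alice", "wiki", "laptop-1", "GB", 1100, None, False),
        RequestContext("alice", "crm", "laptop-1", "GB", 1100, None, False),
        RequestContext("alice", "crm", "laptop-1", "GB", 1100, 1000, False),
        RequestContext("alice", "crm", "laptop-1", "GB", 2100, 1000, False),
        RequestContext("alice", "hr-db", "phone-9", "US", 1100, 1000, True),
    ):
        print(ctx.resource, ctx.device_id, decide(ctx, alice))
```

The fourth request in the walk-through is the "continuous" part: the same user on the same device is asked for MFA again once the earlier factor has aged past the freshness window, and the fifth shows that a client-supplied claim adds nothing while an unknown device plus a sudden country change pushes a sensitive segment into deny regardless of MFA.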
Taking a Risk-Based Approach to Resilience
Resilience is also about understanding and managing risk.
"We have to protect the addresses that represent the greatest risks, not where we see the most holes," Ghai said.
There are a number of different ways that organizations can take a risk-based approach to resilience. Ghai pointed out that the NIST cybersecurity framework does an excellent job of proposing a risk-based approach to cybersecurity. In his view, every organization needs to deploy an integrated risk management solution and implement methods to quantify all risk, including cyber risk.
"By prioritizing based on risk and protecting what matters most, we will ensure that when we fall, we will withstand that," Ghai said.
Kintsugi: Rising up Stronger
Ghai also emphasized the need for the cybersecurity community to be inclusive and diverse, in order to help grow the overall community.
"We need to recruit better than the adversary," Ghai said.
While the past year has been challenging, Ghai emphasized that there is a need to remain vigilant and to build back up after failure. Building back after being broken is also what the Japanese art of Kintsugi, also known as golden repair, is all about. Ghai explained that in Kintsugi, gold lacquer is used to help fix and restore broken pottery and ceramics. For Ghai, Kintsugi is the perfect metaphor for what resilience should be.
"Kintsugi does more than restore - it transforms, it doesn't hide faults and breaks, it highlights them," Ghai said. "The golden wound becomes a celebration of the hand that put things back together, a celebration of the purposefulness and learning from the process, a celebration of resilience."
Information security professionals need to be more open to adaptation and embrace emerging ideas to enhance overall cyber-resiliency, according to expert speakers during an opening keynote on day 1 of the virtual RSAC Conference 2021.
Jimmy Sanders, information security, Netflix DVD, and Angela Weinman, head of global governance, risk and compliance, VMware, set out three “hard truths” about the sector, and how these negative practices can be addressed.
1. The Security Risk Picture is Out of Focus
This is a major issue, “because if you can’t accurately determine risk, it becomes difficult to rapidly recover from impacts,” explained Sanders.
Weinman noted that the industry is not currently "managing the risk well enough,” and she cited a recent VMware study with MIT, which showed that under half (46%) of top executives stated they were happy with how their resiliency risk plans were executed last year.
Weinman said this was as a result of security professionals being “too conservative when predicting risk impacts and necessary treatment,” emanating from their desire to be accurate. She added this was highlighted by the shift to remote working during COVID-19, where planning for critical staff to be working from home for a period of time was not enough – it needed to be for all employees.
The solution to this, according to both speakers, is to “zoom out” and look at a spectrum of impact, rather than a narrowly defined scenario. Sanders explained: “We must broaden our views and prioritize environments so we ensure that not all environments are protected and viewed the same.”
2. Legacy Security Practices Are Slowing Us Down
The two speakers highlighted that traditional, and often unnecessary, practices are commonplace in the sector, which is holding back progress. This is born out of a lack of diverse voices in cybersecurity, according to Sanders. He argued that in order for fresh perspectives to be brought to security practices, ideas need to “be voiced without the fear of ridicule and condemnation.”
He added that there are currently “many intelligent minority voices that do not get heard within the security community.” This requires being intentional about allowing different viewpoints to be heard, particularly from women and ethnic minorities.
Weinman pointed out that this leads back to the first hard truth surrounding the security risk picture, as “we can get a better risk management picture if we have more points of view.”
Another aspect to this issue is the growing use of automation in security processes, which have led to a tick box culture. “Is everything we’re doing adding to our security posture? If not, why are we doing it?” asked Weinman. Again, diversity of thought is critical in this respect, to provide a fresh perspective on outdated practices, and question why things are being done, linking back to cyber-hygiene and the goals of the business.
3. Security is Not a Solo Sport
Sanders emphasized that no matter how good a security professional may be, resiliency cannot be achieved without collaboration across the sector. He described the need for a “snowball effect,” where great ideas build upon each other. “We, the security community, need to ensure that the best security practices are accessible to everyone.”
This requires organizations putting aside rivalries to “share knowledge and effective techniques to achieve what a single company can’t,” in the view of Sanders.
Weinman noted that it is “a common misconception that because of what we do, we must work in individual secrecy.” She advised security professionals to join a study group, working alongside people from other vendors.
Sanders, who leads the emerging technology group for ISSA International, added: “the most rapid growth in mini security practices happens when they start sharing what went right, but also what went wrong.”
Wrapping up the session, Sanders commented: “The ultimate lesson that I want you to take home is that we need each other now more than ever in these exciting times.”