Ransomware groups rack up victims among US companies

Earlier this month, American defense giant Boeing joined one of the fastest-growing corporate clubs in the United States: companies that have been attacked by a new generation of increasingly brazen cybercriminals.

Last week, the hacking group calling itself LockBit released approximately 43 gigabytes of company data belonging to Boeing’s distribution and parts businesses, but that was just one of a series of breaches of major American corporations, companies that in theory should have quite mature defenses, carried out by hackers linked to the cybercriminal groups known as the Com, ALPHV, LockBit and Lapsus$.

Their victims include Boeing, Clorox, Caesars Entertainment, Microsoft, MGM Resorts, Nvidia, Samsung, Okta and the Industrial and Commercial Bank of China (ICBC).

Claiming victim after victim across the American corporate landscape, these hacking groups are managing to breach well-resourced corporations almost at will, stealing data, extorting victims, and embarrassing them along the way.

“It’s like lightning in the sense that if they want to come after you, they’ll probably be quite successful, for most companies,” said Tom Uren, a former member of the Australian Signals Directorate and current editor of the cybersecurity newsletter Seriously Risky Business. “The question is whether they have you in their sights.”

On Tuesday, the Cybersecurity and Infrastructure Security Agency, the FBI and Australia’s signals intelligence agency published an advisory drafted with input from Boeing that describes how LockBit was able to penetrate the defense contractor.

According to the advisory, LockBit affiliates exploited a Citrix vulnerability tracked as CVE-2023-4966 and known as “Citrix Bleed,” which was first exploited in August, according to Mandiant. That vulnerability has been widely exploited by multiple ransomware groups to attack a major law firm and a major Australian shipping company, and was used to breach ICBC, according to researcher Kevin Beaumont.

The ICBC breach caused disruptions in the US Treasury market, a linchpin of the global financial system.

Citrix disclosed the vulnerability on October 10 and issued patches shortly after, but the vulnerability continues to be exploited. CISA has notified nearly 300 organizations that are potentially vulnerable to the exploit, a senior CISA official said Tuesday, although there are likely additional vulnerable organizations.

According to data collected by GreyNoise, a company that tracks malicious activity online, as of Tuesday there are nearly 360 active hosts potentially working to exploit the vulnerability.

The failure to patch widespread vulnerabilities like these has created a lucrative cybercrime landscape for groups like LockBit, a name that refers collectively to the ransomware variant, the group that develops and maintains it, and its affiliates. The group has carried out more than 1,400 attacks on victims in the United States and around the world since January 2020, a senior FBI official said Tuesday, demanding at least $100 million in ransoms and collecting ransom payments in the tens of millions from victims.

In the absence of law enforcement action against these criminal hackers, there is little reason to believe that these attacks will cease anytime soon. The FBI has taken “some actions to date specifically against LockBit and continues to look for law enforcement opportunities when and where we can take them,” the senior FBI official said.

Cybersecurity experts have been advising companies to follow basic cybersecurity hygiene protocols for years, and the situation has improved, experts say. But the great successes of LockBit and others in recent times show that there is still a long way to go on the basics, such as patching vulnerable software and systems.

“The controls that most organizations have in place to protect their data, such as (data loss prevention), appear to be failing with serious consequences,” said Allan Liska, an intelligence analyst at Recorded Future. “But it’s not just the data within an organization’s network that is of concern. Ransomware groups can extract data from your cloud, your providers’ clouds, your providers’ clouds, etc.”

Organizations need to improve their monitoring and control of the entire data supply chain, he said, because “ransomware groups don’t care where they get their data from, they only care that they have it and can use it to extort money.”

Even as companies have improved their defenses, a number of recent high-profile attacks feature social engineering attacks that modern security systems struggle to prevent. These attacks involve calls to IT help desks, where people who control access to a system or network are convinced over the phone to hand over their credentials.

A recent report from Coveware, a company specializing in responding to cyber extortion incidents, noted that IT help desks are designed to resolve customer issues quickly and that this is creating an easy way in for attackers.

“In several of the cases we studied, it was clear that the IT support team’s incentives (resolution speed) incited social engineering,” Coveware wrote. “This is not an easy problem to solve, but we congratulate the companies that have mitigated the risks. These fixes meant higher costs and a slight depreciation of the experience for employees and stakeholders, in the interest of security.”

Jon DiMaggio, Analyst1’s chief security strategist who has written extensively about the inner workings of LockBit, said that while there are only a few groups with the “skill, talent and creative ability to pull off some of these more advanced attacks,” these teams, particularly those associated with the AlphV attacks, are getting much better at social engineering.

Many major companies still struggle with the basics of cybersecurity, DiMaggio said, let alone creating help desks that are difficult to manipulate. “It’s hard, but they have to change,” DiMaggio said. “Trying to focus on helping people and your customers can’t always be number one anymore.”

That might slow down response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”

Written by AJ Vicens

AJ covers threats to nation-states and cybercrime. He was previously a reporter for Mother Jones. Contact him via Signal/WhatsApp: (810-206-9411).
