By: Alex Hinchliffe, European threat intelligence analyst, Unit 42, Palo Alto Networks
Cryptomining keeps grinding on
Commodity ransomware will still plague users and their systems in 2019.
GandCrab and Bitpaymer are commonly seen today, but current volumes are much lower than in 2016 and 2017.
Filling some of that void currently and for the foreseeable future are crypto miner trojans that use victims’ computing resources to mine digital currency to earn money for attackers.
These threats are already extremely prevalent and target IoT devices, web-browsers, cloud infrastructure as well as traditional computers and mobile devices.
We have already identified malware combining ransomware and crypto mining and expect this trend to continue.
Ransomware goes for low volume, high-value hits
We will also see an uptick in targeted ransomware with target organizations being held to ransom for much larger sums because their entire infrastructure is locked, preventing business operations.
2018 saw some of these low-volume, high-value ransomware attacks, such as those described in the City of Atlanta attack or the Indiana hospital attack to name but two.
These typically occur as a traditional data breach, including lateral movement to discover more hosts.
The breach does not exfiltrate data, as a traditional breach would, but instead deploys ransomware to those hosts.
Victims with critical infrastructure, or with responsibilities to citizens or patients, need to restore order immediately, which makes paying the ransom all the more appealing.
TIP: Even if backups (and restoration processes) exist, as per the Indiana attack, the time required to restore the entire enterprise may be longer than decrypting data using a key obtained through payment.
Ensure the most efficient restore process is available with appropriate prioritization given to those systems needed the most.
TIP: These breaches occur through weak credentials, poor password policies, lack of multi-factor authentication, unnecessary exposure of systems and services to the internet, or unpatched vulnerabilities.
Addressing some of these very basic cyber hygiene factors would significantly strengthen an organization’s defenses.
Recognition Authentication Attacks Rise as Password Usage Finally Declines
2018 saw passwords continue to be the blight of our lives.
Too frequently, they operate as a weak form of what-you-know authentication, not who-you-are or what-you-have.
Despite techniques to make them stronger, passwords continue to be the cause of many contemporary data breaches. This may change in 2019 and beyond, but it will lead threat actors to choose new targets in order to unlock access.
Other, non-string-based authentication mechanisms, such as smart cards, have been available for years, and recent advances in smartphone authentication technology, such as thumb and fingerprint recognition and face recognition, have commoditized such technology.
If this technology trend and the continued reduction in the need for traditional passwords continue, we believe adversaries will also shift their focus here in order to obtain user credentials and retain their ability to authenticate without authorization.
TIP: Where necessary, always rely on multiple methods of authentication or access validation in order to better trust that someone is who they say they are.
Setting up zero-trust networks and using multi-factor authentication for those network zones, services, or users that require it will improve your organization’s security posture by limiting, controlling and monitoring access as well as containing issues should they arise.
Optimistic Prediction: Threat Intelligence Sharing Will Persist Post-Brexit
Over the years, threat intelligence sharing has increased, to the great benefit of everyone.
Individual researchers share more now than ever and alliances, such as the Cyber Threat Alliance, are forming between security vendors to pool their knowledge and combined customer bases to improve security for all.
Unit 42 has also been building out relationships with many public and private-sector organizations around the world and, in EMEA, this includes the likes of Europol, NATO, various NCSCs, an ever-growing list of CERTs and others.
Many relationships stem from core Palo Alto Networks hubs, such as Amsterdam and the United Kingdom, and these trust networks not only enable data sharing but occasionally also lead to joint collaboration and successful outcomes against cyber adversaries.
In 2019, the United Kingdom will exit the European Union – the details of which will not be discussed here – but needless to say, a frequent discussion point with the aforementioned organizations, as well as our customers and partners, is whether these relationships and our ability to share threat intelligence data will continue post-Brexit.
The good news is that Unit 42 will continue to share whatever threat intelligence data we can from the data we possess and actively gather, to help organizations defend themselves and others they may serve.
Of course, new policies coming into place, such as the GDPR and the NIS Directive, impose certain constraints on data, especially that of European citizens; however, much of what we have been doing over the last decade or more will continue as best we can.