2018 – the year of the targeted attack?

Those of us in or near the city of Atlanta are still reeling from the recent ransomware attack on city systems. This attack, which is still disrupting the city network, has already cost $2.6 million in consulting fees related to clean-up costs, and that number will likely grow. The impact was widespread, to the point of taking down wireless Internet at Atlanta Hartsfield, the world’s busiest airport.

The ransomware in question — SamSam — should be familiar to many, because it has been involved in many such attacks, including Adams Memorial Hospital, Allscripts and the City of Farmington NM, earning an estimated $325K for the perpetrators just in January.

SamSam is believed to be the work of a group of bad actors who looks for open remote access ports on a network they target. Once they successfully break into a port, they pivot through the network until they can gain sufficient privileges to launch their attack. They have experienced ongoing success, in part, because their ransoms are “reasonable”, and they generally provide the keys necessary to recover files after payment has been made.

SamSam is not alone. A new version of the SynAck ransomware has appeared in the wild, with the ability to hide itself by acting like a normal Windows process. According to Dark Reading, it is also targeted, using a combination of open remote access ports and brute force attacks.

The concept of a targeted attack should not be a surprise to anyone in Information Security, because we all had a preview via the Sony attack in 2014. In that case, the perpetrators apparently were intentional in their desire to breach a Sony. Once they found their way in, they lingered for weeks or months without being discovered, what we call dwell time, during which they exfiltrated intellectual property and private communications.

It is easy to understand the increasing popularity of the targeted attack. If a bad actor sends out malware randomly hoping to snag someone, they can end up with many low value targets, not worth their time. With a targeted attack, however, a bad actor knows who they are going after, what assets they will likely find, and what their value is. Based on that information, they already know how they will market the data thereafter, or how much the victim will likely be able to demand in ransom.

The success of targeted attacks, such as SamSam, raises an important question — if the techniques used successfully by the bad actors are so well known, why do so many organizations still get successfully attacked?  If, for example, an attacker is looking for open RDP ports, why don’t organizations simply scan their network for open ports, and close them?  There are very few instances where an open RDP port is absolutely required, and if it is, there are easy measures that can be taken to secure it.

Sadly, indications are that too many organizations are not taking security seriously, as a recent report put the number of open Remote Desktop Protocol (RDP) ports at 4.1 million worldwide. Information security is a detailed discipline, requiring strong attention to detail. The only way to succeed is to sweat the details

Know what you have

Many organizations have what I call “closet systems”, referring to network equipment and servers that get put in a closet and forgotten. These systems often allow remote access since they are generally inaccessible. They make great pivot points for bad actors looking to penetrate a network, and such access largely goes unnoticed. To protect yourself, you must know what systems you have, and where they are, so you can secure and monitor them.

Fix what you have

If you discover a vulnerability, fix it quickly, instead of putting off the correction until a more convenient time. In the case of the City of Atlanta, reports indicated that they had serious indications of uncorrected issues months prior to the ransomware attack. While there is no certainty of a connection between the two, the issue should have been corrected as soon as it was discovered.

Don’t repeat the same mistakes

When you take appropriate cautions to protect against attack, such as blocking RDP access, make sure those precautions stay in place. I have seen too many situations involving network holes being closed, only to be reopened later by a well-meaning, but uninformed employee. Scan your network frequently for open reports and review your firewall rules regularly.

Don’t get too focused on one area

There is a saying among magicians — “only let them see what you want them to see.”  Magicians often distract the audience with one action, so they don’t pay attention to another. Bad actors often use the same approach. They hit you with one action, to cover the important one. I experienced this some time back during a small DDoS attack. Shortly after the DDoS attack began, I was hit with a very targeted whaling attack, a type of phishing message sent to executives. I believe the DDoS attack was intended to distract the security team, while the whaling attack was initiated. It is important to ensure that, in the event of an attack, part of the security team is still watching for indicators of other attacks.

Bottom line — there is a definite increase in sophisticated bad actor groups focusing on specific, high value targets. They may ultimately penetrate many networks because they are smart and motivated. We must focus on not making success easy for them, by keeping our networks locked down as much as possible, being vigilant in monitoring for signs of attack and tracking threat intelligence reports that can provide clues about what to look for.