• United States




2018 – the year of the targeted attack?

May 09, 20185 mins
CybercrimeData and Information SecurityHacking

There is a definite increase in sophisticated bad actor groups focusing on specific, high value targets.

Those of us in or near the city of Atlanta are still reeling from the recent ransomware attack on city systems. This attack, which is still disrupting the city network, has already cost $2.6 million in consulting fees related to clean-up costs, and that number will likely grow. The impact was widespread, to the point of taking down wireless Internet at Atlanta Hartsfield, the world’s busiest airport.

The ransomware in question — SamSam — should be familiar to many, because it has been involved in many such attacks, including Adams Memorial Hospital, Allscripts and the City of Farmington NM, earning an estimated $325K for the perpetrators just in January.

SamSam is believed to be the work of a group of bad actors who looks for open remote access ports on a network they target. Once they successfully break into a port, they pivot through the network until they can gain sufficient privileges to launch their attack. They have experienced ongoing success, in part, because their ransoms are “reasonable”, and they generally provide the keys necessary to recover files after payment has been made.

SamSam is not alone. A new version of the SynAck ransomware has appeared in the wild, with the ability to hide itself by acting like a normal Windows process. According to Dark Reading, it is also targeted, using a combination of open remote access ports and brute force attacks.

The concept of a targeted attack should not be a surprise to anyone in Information Security, because we all had a preview via the Sony attack in 2014. In that case, the perpetrators apparently were intentional in their desire to breach a Sony. Once they found their way in, they lingered for weeks or months without being discovered, what we call dwell time, during which they exfiltrated intellectual property and private communications.

It is easy to understand the increasing popularity of the targeted attack. If a bad actor sends out malware randomly hoping to snag someone, they can end up with many low value targets, not worth their time. With a targeted attack, however, a bad actor knows who they are going after, what assets they will likely find, and what their value is. Based on that information, they already know how they will market the data thereafter, or how much the victim will likely be able to demand in ransom.

The success of targeted attacks, such as SamSam, raises an important question — if the techniques used successfully by the bad actors are so well known, why do so many organizations still get successfully attacked?  If, for example, an attacker is looking for open RDP ports, why don’t organizations simply scan their network for open ports, and close them?  There are very few instances where an open RDP port is absolutely required, and if it is, there are easy measures that can be taken to secure it.

Sadly, indications are that too many organizations are not taking security seriously, as a recent report put the number of open Remote Desktop Protocol (RDP) ports at 4.1 million worldwide. Information security is a detailed discipline, requiring strong attention to detail. The only way to succeed is to sweat the details

Know what you have

Many organizations have what I call “closet systems”, referring to network equipment and servers that get put in a closet and forgotten. These systems often allow remote access since they are generally inaccessible. They make great pivot points for bad actors looking to penetrate a network, and such access largely goes unnoticed. To protect yourself, you must know what systems you have, and where they are, so you can secure and monitor them.

Fix what you have

If you discover a vulnerability, fix it quickly, instead of putting off the correction until a more convenient time. In the case of the City of Atlanta, reports indicated that they had serious indications of uncorrected issues months prior to the ransomware attack. While there is no certainty of a connection between the two, the issue should have been corrected as soon as it was discovered.

Don’t repeat the same mistakes

When you take appropriate cautions to protect against attack, such as blocking RDP access, make sure those precautions stay in place. I have seen too many situations involving network holes being closed, only to be reopened later by a well-meaning, but uninformed employee. Scan your network frequently for open reports and review your firewall rules regularly.

Don’t get too focused on one area

There is a saying among magicians — “only let them see what you want them to see.”  Magicians often distract the audience with one action, so they don’t pay attention to another. Bad actors often use the same approach. They hit you with one action, to cover the important one. I experienced this some time back during a small DDoS attack. Shortly after the DDoS attack began, I was hit with a very targeted whaling attack, a type of phishing message sent to executives. I believe the DDoS attack was intended to distract the security team, while the whaling attack was initiated. It is important to ensure that, in the event of an attack, part of the security team is still watching for indicators of other attacks.

Bottom line — there is a definite increase in sophisticated bad actor groups focusing on specific, high value targets. They may ultimately penetrate many networks because they are smart and motivated. We must focus on not making success easy for them, by keeping our networks locked down as much as possible, being vigilant in monitoring for signs of attack and tracking threat intelligence reports that can provide clues about what to look for.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author