There’s a well-known industry phrase about the likelihood of a cyberattack: “It’s not a matter of if, but when.” Some of the incidents Sophos has recently investigated could force the industry to consider changing this rule of thumb: the question is not if, or when, but how many times?
It’s an issue we highlighted in our 2022 Active Adversary Playbook: organizations being hit by multiple attackers. Some attacks occur simultaneously; others are separated by days, weeks or months. Some involve different types of malware, or double or even triple infections of the same type.
Today, Sophos X-Ops publishes its latest Active Adversary white paper: Multiple attackers: a clear and present danger. In it, we dig deeper into the problem of multiple attackers, exploring how and why organizations are repeatedly attacked. Recent case studies from our Managed Detection and Response (MDR) and Rapid Response (RR) teams provide insight into the how and the what, and exploring cooperation and competition among threat actors helps explain the why.
Our main conclusions are as follows:
- The main drivers of multiple attacks are vulnerabilities and misconfigurations left unresolved after a first attack
- Multiple attacks often follow a specific exploitation sequence, especially after the disclosure of large and widespread vulnerabilities such as ProxyLogon/ProxyShell: cryptominers arrive first, followed by wormable botnet builders, RATs, initial access brokers (IABs) and ransomware
- While some threat actors are interdependent (e.g. IABs later activating ransomware), others, such as cryptominers, attempt to terminate rival malware and may even “close the door” by patching the vulnerabilities or disabling vulnerable services after gaining access.
- Historically, threat actors have guarded their infections, to the point of kicking rivals out of compromised systems
- Ransomware actors, although they sometimes clash with each other, seem less concerned with competition and sometimes adopt strategies that directly or indirectly benefit other groups
- Certain features of the underground economy can enable multiple attacks – for example, IABs reselling access and ransomware leak sites providing data that other threat actors can then weaponize.
- The case studies we analyze include a ransomware actor installing a backdoor that was then abused by a second ransomware group, and an incident in which an organization was attacked by three ransomware groups within a few weeks, all using the same misconfigured RDP server to get in. After the dust settled, Sophos found files that had been encrypted by all three groups
At this point, there is only anecdotal evidence to suggest multiple attacks are on the rise, but, as Sophos Incident Response Director Peter Mackenzie notes: “It’s something that affects more and more organizations, and that’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professional and lowering the bar for entry.”
Key takeaways for organizations
Multiple attacks not only complicate incident response but also put additional pressure on victims, whether through multiple ransom demands or simply the sheer technical difficulty of trying to recover from two or more attacks in quick succession.
In the whitepaper, we provide guidance on security best practices, as well as the following eight takeaways to help organizations reduce the risk of falling victim to multiple attacks:
Takeaway 1: Update Absolutely Everything
It sounds simple, but: update everything. One of our main findings is that cryptominers, webshells and backdoors deployed by IABs often come first once a vulnerability has been disclosed, and these usually try to operate stealthily, so you might think you have avoided an attack when in fact there is already malware on your systems. This can be made worse by ransomware in a later attack. Patching early is the best way to avoid being compromised in the future, but it doesn’t undo an attack that has already happened. It is always worth checking that your organization has not already been compromised before applying patches.
Takeaway 2: Prioritize Worst Bugs First
But how can you patch early, and how do you know what to patch? Prioritization can be a big question, given the number of vulnerabilities disclosed (18,429 in 2021, more than 50 per day on average, and the most ever disclosed in a calendar year). So focus on two key things: 1) critical bugs affecting your specific software stack; and 2) high-profile vulnerabilities that could affect your technology. There are paid services that offer vulnerability intelligence, but there are also free tools that let you set up custom alerts for particular products. Bug Alert is a non-profit service that aims to give early warning of high-impact bugs. It is also worth monitoring ‘infosec Twitter’, as this is where many important vulnerabilities are discussed when first published. Or you can use CVE Trends, which aggregates data from multiple sites to show the most discussed vulnerabilities.
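The two-part rule above (critical bugs in your own stack first, then high-profile bugs that might touch technology you run) is easy to turn into a first-pass triage over a vulnerability feed. The script below is an added example for this article, not Sophos tooling: the asset inventory, the feed extract and the tier thresholds are constructed for illustration. The CVE IDs are real, but the CVSS, exploited and mention values are simply the columns of this constructed extract, so treat them as placeholders for what your feed of record (NVD, a vendor advisory service, a known-exploited list, CVE Trends) would supply. A real pipeline would also match affected version ranges rather than product names.

```python
"""First-pass vulnerability triage: critical bugs in our stack first, then the
rest of our stack, then high-profile bugs in technology we may not know we run.

Added example (not Sophos code). INSTALLED, FEED and the thresholds are
constructed for illustration; CVE IDs are real, the numeric columns are
placeholders for a feed of record.
"""

# Constructed inventory: product key -> version we run.
INSTALLED = {
    "exchange-server": "2016 CU21",
    "log4j": "2.14.1",
    "openssl": "1.1.1j",
    "nginx": "1.20.1",
}

# Constructed feed extract. 'exploited' stands in for a known-exploited list,
# 'mentions' for a social-mention count of the kind CVE Trends aggregates.
FEED = [
    {"cve": "CVE-2021-26855", "product": "exchange-server", "cvss": 9.8,
     "exploited": True, "mentions": 5200},    # ProxyLogon
    {"cve": "CVE-2021-44228", "product": "log4j", "cvss": 10.0,
     "exploited": True, "mentions": 9100},    # Log4Shell
    {"cve": "CVE-2021-3449", "product": "openssl", "cvss": 5.9,
     "exploited": False, "mentions": 40},     # TLS renegotiation crash
    {"cve": "CVE-2021-22005", "product": "vcenter-server", "cvss": 9.8,
     "exploited": True, "mentions": 1800},    # not in our inventory
    {"cve": "CVE-2021-23017", "product": "nginx", "cvss": 7.7,
     "exploited": False, "mentions": 120},    # resolver off-by-one
    {"cve": "CVE-2021-40438", "product": "apache-httpd", "cvss": 9.0,
     "exploited": True, "mentions": 300},     # not in our inventory
]

CRITICAL_CVSS = 9.0            # assumption: our 'critical' cut-off
HIGH_PROFILE_MENTIONS = 1000   # assumption: our 'widely discussed' cut-off


def tier(entry, installed=INSTALLED):
    """1 = patch now, 2 = normal cycle, 3 = verify inventory, None = no action."""
    in_stack = entry["product"] in installed
    if in_stack and (entry["exploited"] or entry["cvss"] >= CRITICAL_CVSS):
        return 1   # critical or already exploited, and we run it
    if in_stack:
        return 2   # ours, but not on fire: schedule it
    if entry["exploited"] or entry["mentions"] >= HIGH_PROFILE_MENTIONS:
        return 3   # high-profile bug in tech we *think* we don't run: check
    return None


def prioritize(feed, installed=INSTALLED):
    """Return [(tier, cve_id)] ordered by tier, then CVSS, then mentions."""
    ranked = [(tier(e, installed), e) for e in feed]
    ranked = [(t, e) for t, e in ranked if t is not None]
    ranked.sort(key=lambda te: (te[0], -te[1]["cvss"], -te[1]["mentions"]))
    return [(t, e["cve"]) for t, e in ranked]


if __name__ == "__main__":
    for t, cve in prioritize(FEED):
        print(f"tier {t}: {cve}")
```

Tier 3 exists because the inventory is never complete: a widely exploited bug in a product you believe you do not run is exactly the one worth a second look at the asset list, since that is the gap the first wave of opportunistic attackers will have found before you.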
Takeaway 3: Pay attention to your setups
Misconfigurations, and the failure to fix them after an attack, are a leading cause of multiple attacks. Cryptominer operators, IABs and ransomware affiliates are always looking for exposed RDP and VPN ports, and access to them is among the most popular listings on criminal marketplaces. If you need remote access and/or management over the Internet, put it behind a VPN and/or a zero-trust network access solution that uses MFA as part of its login process.
Takeaway 4: Assume other attackers have found your vulnerabilities
Threat actors do not operate in isolation. IABs can resell or relist the access they obtain, and ransomware affiliates may work with multiple strains. So a single vulnerability or misconfiguration can lead several malicious actors to try to exploit your network.
Takeaway 5: Don’t be slow to act on an attack in progress
Being listed on a leak site can attract other opportunistic threat actors. If you are unlucky enough to fall victim to a ransomware attack, take immediate action, in conjunction with your security teams and incident response provider(s), to shut down the initial entry point and assess what data has been disclosed, as part of your larger remediation plan.
Takeaway 6: Ransomware works well with ransomware
Many threat actors have traditionally been competitive, to the point of evicting each other from infected systems, and this is still true today of cryptominers and some RATs. But ransomware doesn’t seem to follow this trend: one group will continue to encrypt files even if other ransomware groups are on the same network, or the groups operate in mutually beneficial ways, so one exfiltrates and the other encrypts.
Takeaway 7: Attackers Open New Backdoors
Some attackers may introduce other vulnerabilities after gaining access, or create deliberate or unintentional backdoors (including installing legitimate software), which a subsequent malicious actor can exploit. So, while shutting down the initial infection vector is crucial, consideration should also be given to a) other weaknesses and misconfigurations that could be used to gain access, and b) any new entry points which might have appeared.
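Checking for entry points that did not exist before the incident is a comparison problem: a pre-incident inventory against the host as it is now. The script below is an added example for this article, not Sophos code. Both snapshots are constructed; in practice the baseline would come from an earlier inventory or gold image and the current one from the host under investigation (local group membership, installed services, scheduled tasks, listening ports, installed programs and firewall rules). The remote-access watchlist and the severity rules are assumptions for this example.

```python
"""Flag entry points that appeared since the baseline (Takeaway 7).

Added example (not Sophos code). BASELINE and CURRENT are constructed
snapshots; REMOTE_ACCESS_TOOLS and the severity rules are assumptions.
"""

# Constructed pre-incident inventory of one host.
BASELINE = {
    "local_admins": {"Administrator", "it-ops"},
    "services": {"Spooler", "WinRM", "TermService"},
    "scheduled_tasks": {"BackupNightly"},
    "listening_ports": {445, 3389, 5985},
    "installed_software": {"7-Zip", "Veeam Agent"},
    "inbound_allow": {(3389, "10.0.0.0/8"), (5985, "10.0.0.0/8")},  # (port, source)
}

# Constructed post-incident state of the same host.
CURRENT = {
    "local_admins": {"Administrator", "it-ops", "svc_update"},
    "services": {"Spooler", "WinRM", "TermService", "WinSvcHost"},
    "scheduled_tasks": {"BackupNightly", "OneDriveSyncCheck"},
    "listening_ports": {445, 3389, 5985, 7070},
    "installed_software": {"7-Zip", "Veeam Agent", "AnyDesk"},
    "inbound_allow": {(3389, "10.0.0.0/8"), (5985, "10.0.0.0/8"),
                      (3389, "0.0.0.0/0")},   # RDP now reachable from anywhere
}

ADMIN_PORTS = {22, 3389, 5985, 5986}
# Legitimate remote-access products that attackers install as a backdoor.
# Assumed watchlist for this example; extend it with whatever you see locally.
REMOTE_ACCESS_TOOLS = {"AnyDesk", "TeamViewer", "ScreenConnect", "Atera", "Splashtop"}
ANY_SOURCE = {"0.0.0.0/0", "any", "*"}


def additions(baseline, current):
    """Per category, everything present now that was absent from the baseline."""
    out = {}
    for cat, items in current.items():
        new = items - baseline.get(cat, set())
        if new:
            out[cat] = new
    return out


def findings(baseline, current):
    """Prioritized (severity, category, item) tuples, highest severity first."""
    result = []
    for cat, items in additions(baseline, current).items():
        for item in sorted(items, key=str):
            sev = "review"
            if cat == "local_admins":
                sev = "high"          # new privileged account
            elif cat == "installed_software" and item in REMOTE_ACCESS_TOOLS:
                sev = "high"          # new remote-access tool
            elif cat == "inbound_allow" and item[0] in ADMIN_PORTS and item[1] in ANY_SOURCE:
                sev = "high"          # admin port opened to the Internet
            elif cat in ("services", "scheduled_tasks", "listening_ports"):
                sev = "medium"        # classic persistence / new listener
            result.append((sev, cat, item))
    order = {"high": 0, "medium": 1, "review": 2}
    result.sort(key=lambda f: (order[f[0]], f[1], str(f[2])))
    return result


if __name__ == "__main__":
    for sev, cat, item in findings(BASELINE, CURRENT):
        print(f"[{sev:6}] {cat}: {item}")
```

The diff is deliberately one-directional: removals are not flagged, because what matters after an incident is the new way in, not the old way that was closed. Run it against every host the attacker touched, not only the one where the initial entry point was found.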
Takeaway 8: Some Attackers Are Worse Than Others
Not all ransomware strains are created equal. Some have abilities and features that can complicate attempts to respond to and investigate others – another reason to try to avoid falling victim to multiple attacks.
In an increasingly crowded and competitive threat environment, the problem of multiple attackers is likely to worsen, with more threat actors entering the mix and exploiting the same targets – deliberately or not.
For businesses, this means it will become increasingly important to respond quickly to attacks, apply patches, fix misconfigurations, and check for backdoors attackers may have installed, rather than only shutting down the initial entry point.
Multiple attackers are also bad news for analysts and responders, complicating incident response, threat intelligence and security monitoring. In one of the case studies we explore in the report, for example, a ransomware group wiped the Windows event logs, which erased not only the traces of that group’s activity but also those of the two ransomware groups that had previously attacked the network. In another case study, a threat actor was probably affiliated with two separate ransomware groups.
Threat actors themselves, especially ransomware actors, will at some point have to decide where they stand on cooperation: whether to fully embrace it or become more competitive. In the future, some groups might deliberately team up, so that the tactics of one group complement those of another. Or we could see ransomware behave more like cryptominers, actively seeking out and eliminating rivals on infected hosts. At the moment, however, this is an uncertain area, and one which we hope our report will shed some light on.
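The log-wiping case is the strongest argument for forwarding Windows event logs off the host: once the local log is cleared, the only record of the earlier intruders is the copy that already left the machine. The script below is an added example for this article, not Sophos code. It runs detection over a constructed set of forwarded events: it flags the clear itself (Security Event ID 1102, “The audit log was cleared”, and System Event ID 104, the System log cleared, both real Windows event IDs) and shows what a responder would have lost without forwarding. Hostnames, timestamps, account names and addresses are invented; 4624 is the real successful-logon event and logon type 10 is a remote-interactive (RDP) logon.

```python
"""Detect event-log clearing and show what off-host forwarding preserved.

Added example (not Sophos code). FORWARDED_EVENTS is a constructed extract of
events a SIEM received from a host before its local logs were wiped.
"""
import re

# Real Windows event IDs for "this log was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}
LOGON_IP = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample, ordered as received. Three different source addresses
# stand in for three separate actors entering over the same RDP server.
FORWARDED_EVENTS = [
    {"ts": "2022-06-01T02:10:00", "host": "FS01", "channel": "Security", "id": 4624,
     "user": "svc_backup", "msg": "Type 10 logon from 203.0.113.5"},
    {"ts": "2022-06-01T02:40:00", "host": "FS01", "channel": "System", "id": 7045,
     "user": "svc_backup", "msg": "A service was installed in the system: WinSvcHost"},
    {"ts": "2022-06-12T23:55:00", "host": "FS01", "channel": "Security", "id": 4624,
     "user": "svc_backup", "msg": "Type 10 logon from 198.51.100.77"},
    {"ts": "2022-06-20T03:02:00", "host": "FS01", "channel": "Security", "id": 4624,
     "user": "Administrator", "msg": "Type 10 logon from 192.0.2.9"},
    {"ts": "2022-06-20T03:05:00", "host": "FS01", "channel": "Security", "id": 1102,
     "user": "Administrator", "msg": "The audit log was cleared"},
    {"ts": "2022-06-20T03:05:30", "host": "FS01", "channel": "System", "id": 104,
     "user": "Administrator", "msg": "The System log file was cleared"},
    {"ts": "2022-06-20T03:06:00", "host": "FS01", "channel": "Security", "id": 4624,
     "user": "Administrator", "msg": "Type 10 logon from 192.0.2.9"},
]


def find_log_clears(events):
    """Log-clearing events, oldest first. Each one deserves an alert on its own."""
    hits = [e for e in events if (e["channel"], e["id"]) in LOG_CLEARED]
    return sorted(hits, key=lambda e: e["ts"])   # ISO-8601 strings sort correctly


def lost_without_forwarding(events):
    """For each clear: the events on that host/channel that predate it and would
    survive only in the forwarded copy. Keyed by (host, channel, clear_ts)."""
    lost = {}
    for clear in find_log_clears(events):
        lost[(clear["host"], clear["channel"], clear["ts"])] = [
            e for e in events
            if e["host"] == clear["host"] and e["channel"] == clear["channel"]
            and e["ts"] < clear["ts"]
        ]
    return lost


def rdp_logon_sources(events):
    """Distinct source addresses of successful RDP (type 10) logons."""
    ips = set()
    for e in events:
        if e["channel"] == "Security" and e["id"] == 4624 and "Type 10" in e["msg"]:
            m = LOGON_IP.search(e["msg"])
            if m:
                ips.add(m.group(1))
    return ips


if __name__ == "__main__":
    for clear in find_log_clears(FORWARDED_EVENTS):
        print(f"{clear['ts']} {clear['host']} {clear['channel']} cleared by {clear['user']}")
    for key, events in lost_without_forwarding(FORWARDED_EVENTS).items():
        print(f"{key}: {len(events)} earlier event(s) exist only in the forwarded copy")
    print("RDP sources seen:", sorted(rdp_logon_sources(FORWARDED_EVENTS)))
```

On the host itself, after the clear, the Security log would hold only the 1102 event and whatever came afterwards; the two earlier logons from different addresses, the evidence that more than one actor used the same RDP server, are recoverable only from the forwarded copy.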
By Matt Wixey