For most people when you hear about a cyber attack you most likely think of a massive scale attack vs a large corporation that includes some form of malware. While these things are true in actuality a cyber attack can take many forms and today I am going to walk you through several cyber attacks to debunk a few myths about them.
The Myths
- Organizations’ can be too small to be the victim of a cyber attack.
- Malware is the primary tool used by bad actors to infiltrate organizations.
- Antivirus will protect you from all cyber attacks.
What you need to know
Before I get started on breaking these attacks down there are some things we need to define.
- Antivirus: Antivirus software, or anti-virus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name. (Source: Wikipedia)
- Ransomware: is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. (Source: Wikipedia)
- Phishing: is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers, or other sensitive details by impersonating oneself as a trustworthy entity in digital communication. (Source: Wikipedia)
- Threat Actor: A threat actor or malicious actor is a person or entity responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity. (Source: Wikipedia)
Attack 1: Retail Ransom
A few years back I received a phone call from a small retail organization that had lost access to all of their files and needed their access restored. At the time I knew nothing about their environment as I had never engaged with them until this point outside of an initial phone call days before. Upon arriving I was quickly brought up to speed on their infrastructure which consisted of two computers being used as point of sales systems and a server for hosting their financial software and was connected to the other two systems. After a very brief investigation, I came to realize that their systems had been compromised and all of their information had been ransomed via ransomware. The attack can be broken down as the following:
- The attacker sent an employee a compromised email containing an infected spreadsheet.
- This spreadsheet was infected with reconnaissance malware that was used to gather information on the environment. Which allowed the attacker to figure out they could move freely around the network as there were no passwords or network security available at this time.
- Once that malware finished reconnaissance it was able to move to every system in the store without issue.
- After being fully deployed the malware dropped a secondary payload that encrypted all the organizations’ files.
- All the systems were then unrecoverable as the organizations’ backups were never tested and were unrecoverable causing the organization to lose their financial information for over a decade as well as all their complete warehouse inventory.
After this attack lucky I was able to help them with rebuilding the lost data from outside sources. However, it took a total of 18 months for a customer to completely recover all the lost information and re-inventory their warehouse. When we look at this scenario we see that the first myth gets completely busted as this organization only had three systems and the effects of this attack were thousands of dollars in operational cost to recover.
Attack 2: Contractor Contact
A more recent attack happening earlier this week. We saw one of our clients get attacked via a phishing campaign from a known good vendor. This attack can be broken down into the following steps:
- Our clients’ vendor had fallen victim to a cyber attack the following week and the attackers had gained complete access to the vendors’ email systems
- The attackers used the information from the vendors’ email systems to target key individuals within our clients’ organization and sent emails to them from a known good email address.
- This email stated that the information for their current project they had with the outside vendor was available via a download link. Most employees of our client deleted this email as they correctly identified it as suspicious. However, a leader in the organization resent it to his assistant before looking at it while in a hurry.
- The assistant then opened the link due to it being sent from an internal email address and from her boss. This link opened a login portal that was very similar to the Microsoft office login.
- This login screen was then used to harvest the assistants’ email username and password for Microsoft 365
This attack had little ground though once they harvested credentials from the assistant. This is due to the security practices that we enforce for our clients that blocked the credentials from being used to log in successfully. Looking at this attack though you can see that it debunked both the second and third myth as the attackers used nothing more than an email and fake website neither of which is a form of malware or an attack vector that antivirus would catch. It is also to note that because we stopped the attack and rendered it useless that every organization that was in the vendors’ contacts probably didn’t and that this attacker will more than likely move between victims until they reach a larger organization. Once the larger organizations are reached a more powerful campaign would be launched and if infiltrated the organization that the organization pivoted from will probably be on the hook for the damages caused if infiltrated.
Attack 3: Municipal Mayhem
We are privileged to be able to tell this story from one of our cybersecurity partners and report that they completely stopped this attack. During the attack, the threat actor took the following steps to attack a municipality:
- A phishing email was sent to a city employee which was used to deploy an executable file. The phishing campaign was successful and the threat actor stole the employee’s login credentials.
- The stolen credentials were used to open a remote connection to other systems on the network. This was achieved through Remote Desktop Protocol (RDP).
- Leveraging the newly opened remote connection, the threat actor then renamed local resources readily available on most systems and replaced them with malicious ones, allowing their attack to remain hidden and unnoticed from the anti-virus solutions the city had in place.
- The actor launched a Cobalt Strike Ransomware attack. This same hack has, in separate attacks, caused roughly $20M in damages. The attack in question was detained by our cybersecurity partner.
- The actor attempted to use malicious scripts to laterally spread throughout the city’s network and affect both servers and endpoints. These attempts to attack via scripts were also detained by our cybersecurity partner’s SOC team.
- The attacks continued every day for three months as new systems were brought in. By the time the city updated its infrastructure against the attack, it had cost them roughly $272,000.
- As we break down this attack we see that it actually disproves both myth two and three as the attackers in this scenario used tools readily available on the system to avoid detection of the antivirus that was already installed on the cities.
How to stay safe?
Email Security: One of the common denominators in all the attacks was the use of email as the entry point. Though email is not the only entry point that an attacker can use it is the most common. At Lockedheart we push our clients to use both a spam filtering service as well as an AI-Based Anti-phishing tool to stop email threats before they make it to the inbox of end-users.
Layered Endpoint Protection: There is no silver bullet for cybersecurity and if someone tells you there is, they are lying. Cybersecurity should be taken on in layers of protection. At Lockedheart we use several layers of security for our clients from the cloud to the endpoint as seen in attack two when we were able to stop the attack even though credentials were stolen, a secondary defense was able to stop it.
Password Management: The most cost-effective way to stop cyber attacks for small and medium businesses is the use of a password manager. Passwords managers come standard in our managed services offerings. They cut down on cyber attacks because like in attack two when credentials are stolen they can be replaced much faster and not by another common password that is used for other accounts.
Want to learn more about keeping your organization safe from cyberattacks contact inquiry@lockedheart.tech or call (470) 440–0548 today or visit https://lockedheart.tech.