Businesses have thrived in the era of more: more tools, more access, and more connections. In the digital landscape, though, having more does not come without risk. While businesses have continued to grow and scale, cyber attacks have done the same, and quickly.
This post discusses some of the most dangerous endpoint, identity, and cloud-based cyber attacks from the first three quarters of this year. Understanding their causes and impacts is the first step businesses can take to strengthen their defenses against similar attacks in the future.
Endpoint attacks have evolved over the last two decades from computer viruses to sophisticated ransomware campaigns targeting high-profile organizations. The challenge today is that protecting endpoints isn’t what it used to be. Threat actors are professionalizing, turning ransomware operations into full-scale service models. The rise of Ransomware-as-a-Service (RaaS) means that even low-level cybercriminals can now access, and profit from, complex malware tooling.
In the first three quarters of this year alone, ransomware has targeted multiple critical infrastructure organizations, including those listed below:
In addition, in the 3rd quarter of 2022, CISA and the FBI warned of a number of ongoing, widespread ransomware campaigns currently attacking unnamed businesses and organizations.
Ransomware, data breaches, and supply chain attacks saturate global news headlines, but another rising threat has gained traction in 2022. Identity-based attacks are now a threat businesses keep at the forefront of their threat awareness efforts. With remote workforces, widespread adoption of IoT, and the huge numbers of digital identities being created even for a single organization, the attack surface continues to widen, leaving businesses vulnerable to identity-based exploitation by opportunistic threat actors.
Too often, threat actors weaponize the legitimate tools and solutions their targets already use. Active Directory (AD) stores information about objects on a network in a logical hierarchy so that administrators and users can find that information easily. As seen in several identity-based attacks over the last few quarters, threat actors leverage AD infrastructure in their ransomware campaigns and extortion efforts, especially where identity protection is lacking. Consider the following examples where ransomware gangs targeted AD as part of their tactics.
In late 2021, researchers reported on a BazarLoader infection that led to the use of Cobalt Strike and, finally, Conti ransomware, with network reconnaissance along the way. Just three minutes after the initial compromise, the threat actor used ADFind, a command line tool, to enumerate the AD environment from the infected host. By enumerating AD, the actors were able to discover users, computers, file shares, and more in the environment. Typically, a threat actor’s next step is to gain access to the domain controller and other network servers, moving laterally through the network.
The Cisco breach that occurred in May 2022 leveraged legitimate employee credentials synced in an employee’s browser and a combination of vishing (voice phishing) attacks and MFA fatigue techniques to achieve VPN access to the targeted network. Once in, the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory.
Abuse of AD serves threat actors well because AD is designed to provide convenient access across a network. Compromising AD means threat actors can move deep into the network, escalating their access rights and encrypting and exfiltrating data along the way. With AD being the crown jewels of a business, attackers have zeroed in on identity and access management gaps to reach what they want.
In March of this year, the Lapsus$ digital extortion gang published what looked like substantial amounts of source code from Microsoft’s Bing and Cortana products. Though a potential Microsoft breach was serious enough, Lapsus$ also posted screenshots of their control over an Okta super admin account. Okta is a popular identity management platform used by thousands of large-scale organizations, allowing users to access multiple services and apps through a single login interface.
Lapsus$’s control of an Okta super admin account is dire indeed as businesses increasingly rely on identity management software to streamline login experiences for their employees, partners, and customers. Businesses are falling victim to more account takeovers that directly stem from compromised identity management vendors, giving threat actors system privileges such as resetting account passwords, changing account email addresses, and access to sensitive data.
As ransomware and other malicious actors target on-premises Active Directory and cloud-hosted Azure AD for initial access and lateral movement, identity protection has become a must for organizations.
The accelerated move from on-prem to hybrid and cloud environments has introduced a pressing need for businesses to keep their cloud workloads safe from threat actors. Cloud servers allow businesses to scale with ease, boosting efficiency, but they also require unique considerations such as securing serverless workloads, Kubernetes, virtual machines, and containers.
A subsidiary of Amazon, AWS is a comprehensive cloud computing platform providing a variety of on-demand services such as data storage, content delivery, networking, and more. One of its main services is Amazon Simple Storage Service (S3) – an object storage service built to house and retrieve any amount of data for its users. Objects (files) are then stored in S3 buckets which serve as containers for any amount of data belonging to an account.
While AWS S3 buckets are highly popular, they have become a prime target for threat actors because they can be reached from the public internet and are often misconfigured. Once an S3 bucket is compromised, it gives the threat actor access to enormous amounts of data that they can exfiltrate, hold for ransom, sell on darknet marketplaces, or all of the above.
In the recent Civicom data leak, a misconfigured S3 bucket exposed over 100,000 files. In this case, the bucket was left open without any password or security verification. The online video conferencing firm reported that 8 terabytes of stolen data included the video and audio files of customers’ meetings, recordings, and transcripts. As the firm’s main customer base consisted of B2B companies, much of the data may have contained private company secrets or intellectual property. The leak also revealed personally identifiable information (PII) of many of Civicom’s own employees.
The July breach of Pegasus Airlines is yet another example of unprotected S3 buckets leading to data loss. In this incident, the airline reported that 6.5 terabytes of data were compromised, with over 23 million files publicly exposed. Files in the unprotected bucket were linked to proprietary software developed by the company for use in aircraft navigation and in-flight processes such as takeoff and landing, refueling, and safety procedures. Pegasus Airlines also confirmed that sensitive information such as the PII of flight crews, source code, secret keys, and even plain-text passwords was exposed. At least two other affiliated airlines using the same proprietary software may also be affected by this breach, greatly increasing the total number of persons impacted.
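Both leaks above come down to the same configuration question: can anyone on the internet read the bucket? As an added illustration (not code from the original post or from SentinelOne), the following Python evaluates the three S3 settings that together decide that: the bucket policy, the bucket ACL, and the Block Public Access configuration. The policy, ACL and Block Public Access values are constructed sample inputs shaped like the responses of the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs; a practitioner would feed real responses from the AWS SDK into `assess_bucket`.

```python
import json

# Canned group URIs that make an ACL grant world-readable (real AWS values).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements open to any principal. Statements with a Condition are
    still reported: conditions such as aws:SecureTransport limit how, not who."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]


def public_acl_grants(acl):
    """(group, permission) pairs the bucket ACL gives to AllUsers or AuthenticatedUsers."""
    return sorted((g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
                  for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS)


def assess_bucket(policy_json, acl, pab):
    """Return (is_public, findings). Block Public Access neutralises what it covers:
    RestrictPublicBuckets disarms a public policy, IgnorePublicAcls a public ACL."""
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(acl)
    policy_live = bool(policy_hits) and not pab.get("RestrictPublicBuckets", False)
    acl_live = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    findings = ([f"policy statement {s} allows any principal" for s in policy_hits]
                + [f"ACL grants {p} to {g}" for g, p in acl_hits])
    return policy_live or acl_live, findings


# Constructed sample: a bucket left "open to the world" like those in the leaks above.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PAB_OFF = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets")}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    for label, pab in (("Block Public Access off", PAB_OFF), ("Block Public Access on", PAB_ON)):
        public, findings = assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, pab)
        print(f"{label}: public={public}; " + "; ".join(findings))
```

The same policy and ACL are reported as public with Block Public Access off and as neutralised with it fully on, which is why enabling it at the account level is the first check to run after a leak like these.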
Kubernetes is an open-source system that automates the deployment, scaling, and management of applications running in containers. It uses a cluster architecture composed of a control plane, usually spread across several nodes, and one or more virtual or physical machines called worker nodes. The worker nodes host “Pods”, the components of the application workload. The control plane establishes the policy that manages the worker nodes and Pods in the cluster. Since the control plane runs across multiple endpoints to provide fault tolerance and high availability, it is a valuable target for threat actors seeking to leverage its infrastructure for malicious purposes or to cause a denial of service.
As it is hosted in a cloud environment, Kubernetes is afflicted with the same main threat vectors that clouds are susceptible to:
2022 has, so far, been a complex year as businesses settle back into offices and hybrid workspaces but face the ramifications of geopolitical uncertainty, economic downturn, and cyber attacks that are climbing to new heights. Having more tools, access, and connections has no doubt benefited businesses, but it has also opened up a larger attack surface in which threat actors can operate.
While no business is immune from cyber attacks, examining the most dangerous attacks of the first three quarters of 2022 allows for better preparation for the following quarter and beyond. SentinelOne’s autonomous, AI-driven solutions can help deliver comprehensive security for those in search of endpoint, identity, and cloud protection.
In a single cybersecurity platform, Singularity XDR fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, cloud workload protection (CWPP), and identity threat detection and response (ITDR). With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time autonomous security layer across all enterprise assets.
Request a demo of Singularity XDR to start leveraging AI-powered prevention, detection, response, and threat hunting across user endpoints, containers, cloud workloads, and IoT devices. Need expert advice? Contact us here.