
Symantec Security Summary – April 2021

Cyber attack complexity, ransomware and staying vigilant

Ready for battle. Experts have been sounding the battle cry for years, but if this last month is any indication, enterprises face an even more diverse and persistent threat landscape as the number, type, and complexity of advanced cyber attacks and incidents escalate.

Let’s start on the firmware front, which has been identified as an increasingly active enterprise target. According to a March 2021 Security Signals study, more than 80% of enterprises have experienced at least one firmware attack in the past two years. But here’s the kicker: less than a third (29%) of security budgets are allocated to protecting firmware, and 21% of respondents said their firmware data is unmonitored, leaving most companies radically exposed. The survey found budgets channeled to fund security updates, vulnerability scanning, and advanced threat protection solutions, all critical investments, for sure. But firmware is getting overlooked, perhaps due to a lack of awareness and automation, the survey suggested.

Firmware attacks are popular with attackers because firmware is a bounty of sensitive data, including credentials and encryption keys. Common detection products and general logging tools also can’t peer into firmware, and firmware vulnerabilities allow attackers to persist on a machine even after it has been wiped, which makes it an even more attractive target.


Moving on, there’s the issue of ransomware, another festering problem for the enterprise security team. Cyber criminals are making and demanding more money than ever before. The average ransomware payment spiked 171% in 2020, surging to $312,000. But get this: the highest ransom paid out by an organization doubled from 2019 to 2020, jumping from $5 million to $10 million.

COVID-19’s impact on ransomware can’t be overstated. Ransomware operators are taking advantage of the sweeping changes brought on by the pandemic to prey on organizations in the manufacturing, healthcare, and construction sectors, with healthcare a standout.

Of all the ransomware hits this year, the Ryuk variation stands out from the pack. An October 2020 joint cyber security advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) specifically called out Ryuk attacks as a danger for healthcare organizations.

Legacy enterprise applications are also not immune to the stepped-up cyber security activity. A new threat intelligence report found that critical vulnerabilities in unpatched SAP systems are providing a target-rich environment for cyber attackers worldwide. At least 1,500 SAP application-related attack attempts were tracked between June 2020 and March 2021, with evidence of more than 300 automated exploitations leveraging seven SAP-specific attack vectors and more than 100 hands-on-keyboard sessions from a wide range of threat actors. The attacks exploited security flaws affecting ERP, CRM, and supply chain systems. The most serious vulnerability carried a CVSS score of 10: the bug known as RECON, a remotely exploitable flaw in SAP NetWeaver Java caused by a failed authentication check.

Enterprises are in the crosshairs despite the fact that SAP has a monthly patch cycle; the problem is that most customers just don’t apply the issued fixes for months, and in some cases even years, after they are released. As a result, attackers have plenty of time to take advantage of unpatched flaws: the research found exploit attempts happening as little as 72 hours after the release of a patch, and unprotected SAP applications provisioned in a cloud IaaS environment were compromised in as little as three hours.


The exploitation can lead to full control of unsecured SAP applications, allowing attackers to steal sensitive information, disrupt critical business processes, initiate ransomware, or commit financial fraud. Given the scope and penetration of the SAP portfolio for mission-critical business, attacks could also compromise compliance for SOX, GDPR and other regulations. The threat was significant enough for the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert based on the report.

In separate but somewhat related news, federal agencies urged private companies and government agencies using Microsoft Exchange Server email applications to immediately patch their systems to prevent bad actors from exploiting newly discovered vulnerabilities. The new flaws were discovered soon after Microsoft announced Exchange had been compromised by at least one Chinese state-sponsored hacking group, potentially impacting thousands of organizations.

Even tech support is becoming a vector for cyber security attacks. Vade Secure is pointing to a large-scale email campaign, launched in March, that attempts to lure enterprises in with fake billing emails from leading antivirus software providers. These tech support scammers, pretending to be from Microsoft, McAfee, and Norton, are peppering companies with fake antivirus software billing renewal notices that say recipients will be charged up to $399 for a three-year subscription unless they call a certain phone number to cancel. Once recipients call, the scammers attempt to talk them into installing remote access software, which then becomes a vector for malware. Vade Secure says it has filtered over 1 million of these emails targeting its customer base.

The burgeoning threat landscape is particularly alarming given the state of most companies’ cyber security posture. In fact, the KPMG 2021 CEO Outlook Pulse survey ranked cyber security risk as the number one threat to an organization’s growth over the next three years, cited by nearly one-fifth of CEO respondents. Last year, it occupied the fifth spot on the list, with 10% of CEOs indicating it was a threat to their organization’s development.

Digging deeper, a new report from Varonis found data security hygiene severely lacking among healthcare companies: 77% have 500 or more accounts with passwords that never expire, and 79% have over 1,000 user and service accounts that are inactive but still enabled. Another report found that even employees who have received cyber security training failed when asked to take a basic quiz on the topic. And a growing number of manufacturers, now a top target of cyber criminals and nation-state groups, have experienced an incident (61%), with three-quarters of those incidents taking production offline, according to a report published by Trend Micro.

Despite the gains in cyber security awareness and preparedness, there is still plenty of work to be done.


About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
