Symantec Security Summary – December 2021

To complicate an already fraught global landscape, it appears nation-backed cyber security attacks are ramping up. On the one-year anniversary of the discovery of the SolarWinds supply chain attack, a Mandiant report finds the Russia-linked attackers are still training their exploits at multiple organizations in the technology sector. Identified by Microsoft as “Nobelium,” the group is now using a bespoke downloader called Ceeloader, which decrypts a shellcode payload to run in memory on an infected device. “The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” the Mandiant report found.

Case in point: The French National Cyber Security Agency (ANSSI) warned that the same attackers have mounted multiple phishing campaigns against French organizations since February 2021. When the attackers compromised email accounts belonging to French organizations, they frequently used them to send “weaponized” emails to foreign institutions.

Move over Russia--Iran-related hacking activity is now on the rise. The Microsoft Threat Intelligence Center (MSTIC) has released a detailed report chronicling the evolution of six Iranian threat actors and highlighting the groups’ increasingly sophisticated attacks. Microsoft surfaced three notable trends: The groups are increasingly using ransomware to collect funds or disrupt their targets; they are exhibiting behavior that is more patient and persistent; and they are employing aggressive brute force attacks on intended targets. The Microsoft report concludes that the Iranian groups have evolved into more competent threat actors capable of conducting a full spectrum of operations, including ransomware and disk wipers, mobile malware, phishing attacks, password spray attacks, and even supply chain attacks.

In a follow-up, the MSTIC and Microsoft’s Digital Security Unit (DSU) reported that Iranian threat actors are stepping up attacks against IT services companies as a way to access their customers’ networks—i.e., reminiscent of the SolarWinds supply chain attack. The partners assess that the string of activity is part of a broader espionage objective to compromise organizations of interests to the Iranian regime. "This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain," Microsoft said. Just this year, Microsoft sent over 1,600 notifications to 40 IT companies, alerting them to hacking attempts coordinated by Iranian APT groups. There were only 48 such notifications in 2020, Microsoft said.

Heightened Iranian state-sponsored activity prompted a joint security alert from cyber security agencies in the United States, the United Kingdom, and Australia. The alert was authored by the U.S. Cyber Security and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). It warns of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.

Iran is yet another foreign country with its fingers in election tampering. The U.S. Department of Justice recently indicted a pair of Iranian nationals for cyber activity intended to “intimate and influence” American voters during the 2020 U.S. presidential campaign. Among the charges filed against the Iranian nationals were hacking the voter websites of 11 U.S. states, hacking a U.S. media company, and contacting Republican Party members with fake videos of Democrats’ election fraud.

On a separate front, the Pegasus spyware developed by NSO Group of Israel has been found on iPhones belonging to at least nine U.S. State Department employees, according to Reuters. While the backstory behind this breach is still unclear, the hacks took place over the last few months and were targeted at officials based in Uganda or were working on issues related to that country. NSO Group says it doesn’t believe its tools were used, but plans to investigate anyway.

Despite the uptick in international and nation-state cyber crime, there’s bad news on the insurance front. Lloyd’s of London announced that costs associated with nation-state-related attacks will no longer be covered by its insurance policies. Its new “Cyber War and Cyber Operation Exclusion Clauses” will exclude losses related to a cyber operation carried out as part of a war, any retaliatory attacks between specified states, or a cyber-operation that “has a major detrimental impact on the functioning of a state.” Under the new clauses, the company can also refuse to pay out for nation-state-backed attacks that hit essential services like financial institutions, financial market infrastructure, health services, and other utilities.

Ransomware continues to be this year’s biggest cyber scourge. According to report from threat intelligence firm ProDaft, attackers using the Conti ransomware have collected at least $25.5 million in ransom payments since July 2021. Add hotels to the list of victims. It recently disclosed a Conti ransomware attack that impacted guest reservation and room key card systems. The hotel chain says it doesn’t appear that any guest data has been leaked and no ransom demand has been made yet. A cyber attack thought to be ransomware has forced more than 300 supermarkets in northern England to temporarily shut down and switch to cash-only payments.

A new report also finds double extortion tactics are escalating in ransomware attacks. Group-IB’s Hi-Tech Crime Trends Report 2021/2022 finds a 935% spike in the number of organizations hit by double-extortion ransomware, which exposes their stolen data on a data leak site. And on the recovery front, a new report from Sophos reveals it costs more for targets in the education sector to come back from ransomware attacks compared to other industry sectors. Education organizations incur around $2.73 million in expenses to cover downtime, data recovery, device and network repairs, and security updates—on top of ransom payments—which is 48% higher than the global average across all sectors.

Despite everything, ninety percent of IT decision makers admit they’re willing to compromise on cyber security initiatives in order to achieve other digital transformation goals and only half of respondents are confident that the C-suite fully understands cyber risks, according to new Trend Micro research.

Strap in—it’s going to be a bumpy ride.