
Symantec Security Summary - June 2020

COVID-19 attacks continue and new threats on the rise

Red Cross to World Governments: Do More to Stop Attacks on Healthcare Orgs

You’d like to think that even cyber criminals would give it a rest while the world deals with the massive health challenges posed by the COVID-19 pandemic. No such luck. In fact, they’ve taken advantage of the health crisis to step up their cyber attacks on hospitals, healthcare, and medical research facilities, as well as on medical personnel and international public health organizations. In response, the head of the International Committee of the Red Cross (ICRC) and 48 politicians and dignitaries from around the world published a letter asking governments to do more to safeguard critical medical organizations from cyber attacks.

Peter Maurer, president of the ICRC, and his fellow signatories, urged governments “to take immediate and decisive action to stop all cyber attacks on hospitals, healthcare, and medical research facilities, as well as on medical personnel and international public health organizations.” What’s more, the letter asks governments to collaborate with cyber security companies and take more action against hackers targeting hospitals and the healthcare industry.

The Unsteady State of Cyber Security

Want a snapshot of the current state of enterprise cyber security? Look no further than a handful of recent surveys that, taken together, depict a still disjointed and siloed tool landscape along with a workforce sorely in need of training when it comes to cyber security skills and best practices.

First off, most organizations are still coming at the cyber security challenge using a patchwork approach that impedes overall visibility and has created a crisis in confidence among security professionals, according to the third annual Oracle and KPMG Cloud Threat Report 2020. The report found 78% of the 750 cyber security and IT professionals surveyed are relying on more than 50 discrete products to address security issues while more than a third (37%) tap into more than 100 security tools.

Organizations trying to wrangle this hodgepodge of legacy and point solutions to address data security concerns face an uphill battle, the report found, as the systems are often not configured properly, resulting in data loss incidents, exposed web servers and other server workloads, and inadequate use of multi-factor authentication. In addition, 70% of those surveyed believe they are relying on too many specialized tools to secure their public cloud footprint, specifically.

On top of these limitations, enterprises are also struggling with significant security skills shortages, notes a new report from research firm Stott and May. The report, “Cybersecurity in Focus 2020,” found 76% of respondents lamenting a shortage of cyber security skills in their organization, which is a slight improvement over last year when 88% were grousing about talent concerns. Nearly 72% of those surveyed said they are scrambling to procure cyber security talent with no improvement over 2019. Internal skills represent the biggest inhibitor to delivering on cyber security strategy, cited by 39% of respondents. To get around the issue, the report said security leaders were taking more creative approaches to resourcing, including nearly a third (30%) searching internally for transferable skills and almost half (46%) looking to AI and machine learning solutions to offset the skills gap.


Employees are the source of additional cyber security angst. It turns out people planning to leave their jobs—so-called “flight risk” employees who are about to either resign or leave their posts—are a huge source of insider cyber security incidents and data leaks. A recent Securonix 2020 Insider Threat Report found that 60% of insider cyber security incidents and data leaks are caused by folks just about to leave their jobs. These employees or contractors, many with privileged access to systems, potentially steal or sell data, or worse, are the cause of a security failure by moving confidential data to third-party services without permission. The nightmare gets worse: Securonix found that roughly 80% of flight-risk employees will attempt to take proprietary data with them when they leave, from forwarding content to personal emails (43.75%) to abusing cloud collaboration privileges (16%). Securonix is advising companies to go beyond use of point solutions like DLP tools or privileged access management solutions to use of advanced security platforms that leverage purpose-built algorithms to detect specific outcomes.

On a positive note, organizations are beginning to recognize their cyber security deficiencies and making the proper adjustments. In a study from LearnBonds.com, three quarters (70%) of responding organizations say they see the value of increasing their investment in cyber security solutions, especially in the face of COVID-19, which has created a host of new opportunities for cyber criminals. In addition to boosting spending on security, the report found over half (55%) of major organizations planning to increase their investment in automation solutions, in part to address security gaps.

Let’s hope the additional investment and attention bolsters enterprise cyber security readiness because there’s clearly room for improvement.

German Intel Sees Russian Hacking Threat to Critical Infrastructure

Remember the Russia-linked hacking group known as Dragonfly 2.0 (also known as Berserk Bear)? They've been around since late 2011, using a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to their victims' networks. In 2017, Dragonfly made news when it targeted the energy sector in Europe and North America. Well, they’re in the news again, this time reportedly targeting German companies in the energy, water, and power sectors.

An advisory from German intelligence and security agencies to operators of critical infrastructure warned that investigators had uncovered evidence of the hacking group’s “long-standing compromises” at unnamed German companies. The real identity of the shadowy group remains unknown but it’s believed to be operating on behalf of the FSB, Russia’s intelligence agency.

New Threats on the Rise

Hackers looking to attack individual servers—that’s yesterday’s news. Today, cyber criminals are more interested in gaining illicit access to corporate networks and soliciting offers to sell access on the dark web. A report by Positive Technologies found the number of dark web posts hawking network access was up 69% in the first quarter of 2020 compared to the fourth quarter of 2019. Not only is the number of incidents on the rise, the price tag for access is also climbing significantly. The report found that dark web pricing for this type of access had a huge range, from $500 to $100,000. In addition, some sellers are offering a commission of up to 30% of the profit from a hack that uses their access details.

Industrial companies are also increasingly in the crosshairs of a hacking group dubbed RATicate that attacks industrial companies through the use of remote access tools (RATs) and information-stealing malware. The group targeted industrial companies in Europe, the Middle East, and Republic of Korea as part of five campaigns between November 2019 and January of this year. More recently, the group appears to have shifted tactics slightly and is using concerns about COVID-19 to convince victims to open the payloads. It’s unclear at this point whether RATicate is doing the business of corporate espionage or acting as a malware-as-a-service provider for others.

Attacks on cloud-based data are also ramping up. According to the 2020 Verizon Data Breach Investigations Report, breaches involving web applications and unsecured cloud storage nearly doubled in 2019 compared to 2018. The rise, Verizon found, can be attributed to companies moving information off-premises as well as misconfigurations. Web application attacks accounted for close to half of all breaches in 2019 (43%), and Verizon expects this vector to be more active throughout 2020 due to the shift in applications and data to the cloud fueled by remote work and COVID-19.


About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
