Symantec Security Summary – November 2021

Supply chain attacks, ransomware and government initiatives

The U.S. government fired off major salvos in its ongoing cyber security offensive. Executing a two-pronged approach, the Biden administration advanced serious efforts to get the government’s cyber security house in order while taking aggressive steps to combat on-going foreign and domestic cyber security attacks.

On the home front, the Biden administration rolled out a bug fix mandate, giving civilian federal agencies six months to patch cyber security threats found between 2017 and 2020. The Cybersecurity and Infrastructure Security Agency’s (CISA) first-of-its-kind directive covers 200 known threats discovered by experts during that period as well as 90 additional flaws found in 2021. The goal, the report says, is to force agencies to fix all potential threats, major or not, and to establish a basic list for private and public organizations to follow.

At the State Department, cyber security has been identified as one of five pillars in the agency’s modernization effort. Along with stepped up efforts to hire more STEM workers and to update the department’s capabilities for remote work, Secretary of State Antony Blinken is aiming to create a new bureau for cyber space and digital policy to bring American diplomacy into the 21st century. As part of the effort, the agency is planning to add 500 new civil service positions and increase its IT budgets by 50%.

There is also a crackdown on escalating cyber attacks. The Justice Department is promising arrests and other actions as part of on-going efforts to combat ransomware and other cyber crime. In recent interviews, Deputy Attorney General Lisa Monaco promised more arrests, seizures of ransom payments to hackers, and new law enforcement operations in the “days and weeks to come.” The department made good on that promise with new charges brought against a suspect in Ukraine over the July REvil ransomware attack on software company Kaseya, which reportedly infected 1,500 businesses. The government also seized an estimated $6 million in ransom payments as part of the operation.

In addition, the Justice Department announced the Civil Cyber-Fraud Initiative, which will use the False Claims Act to pursue contractors that hide or fail to notify the government about cyber security breaches.

Ransomware is once again in the spotlight. The U.S. government convened a major global ransomware summit last month with participation from more than 30 countries. The two-day virtual event was aimed at improving global network resilience, addressing illicit cryptocurrency usage, and elevating both law enforcement collaboration and diplomatic efforts. While rival nations Russia and China weren’t invited to this summit, officials didn’t rule out including them in future sessions.

A multi-country operation was responsible for turning the tables on the ransomware group REvil (aka Leafroller, Sodinokibi), hacking it and forcing it offline in recent weeks. A report from Reuters alleged that the FBI, along with Cyber Command, the Secret Service, and like-minded countries were engaged in a coordinated action against REvil and other cyber-crime groups. Sources close to the investigation told Reuters that the initiative has successfully compromised REvil’s computer network infrastructure and gained control over some of its servers. REvil, reportedly responsible for the May cyber attack on Colonial Pipeline and meatpacker JBS, was shut down temporarily in July in the aftermath of the Kaseya ransomware supply chain breach.

The DarkSide ransomware gang was also among the U.S. government’s targets. The State Department said it is offering a $10 million reward for any information that may lead to the identification of members of the gang, which is linked to a group Symantec tracks as Coreid. There is a $5 million reward for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in a DarkSide variant ransomware incident, according to a press release put out by the government.

In the spirit of protecting critical infrastructure, the FBI, NSA, CISA, and EPA issued a joint cyber security advisory on threats aimed at water facilities. The advisory warned of “on-going malicious cyber activity” by known and unknown threat vectors on U.S. water and waste system facilities, which could impede the ability to provide clean and potable drinking water and to manage wastewater.

Russia is at it again. Despite earlier sanctions imposed by the Biden Administration in response to some of these cyber operations, the Russian intelligence agency (the S.V.R.) has launched a new campaign to infiltrate thousands of U.S. government, corporate, and think tank computer networks, according to warnings from Microsoft and cyber security experts. Categorized by a top Microsoft security officer as “large and on-going,” the effort is reportedly aimed at data stored in the cloud. Microsoft is insisting the percentage of successful breaches is small, but it recently notified more than 600 organizations that they had been the target of approximately 23,000 attempts to breach systems.

Employees in the financial sector take note: A phishing scam called MirrorBlast aims to trick employees into downloading weaponized Excel files to scam and infiltrate corporate networks. Cyber security company ET Labs, which discovered the campaign, maintains the weaponized Excel file can easily bypass malware detection systems because it’s accompanied by extremely lightweight embedded macros.

Supply chain attacks are surging, according to data breach reports. New information from the Identity Theft Resource Center (ITRC) claims that a total of 793,000 more individuals have been affected by supply chain attacks this year so far than in all of 2020. The North Korean group Lazarus (aka Appleworm) is the latest to mount software supply chain attacks, according to new research from Kaspersky. They claim Lazarus group is using updated variants of the DeathNote cluster and BLINDINGCAN malware to build supply chain attack capabilities with recent attacks specifically targeting a South Korean think tank and an IT asset monitoring solution vendor.

Overall, there’s been a rise in global cyber attacks since the onset of the COVID-19 pandemic, according to new analysis from Check Point. Check Point reports there are 40% more attacks weekly on organizations this year compared to last year, with the average increase in the United States even higher, at 53%. The research found those in the education/research sector experiencing the highest volume of attacks, followed by government/military and then health care. VirusTotal reports there are more than 130 different ransomware families now in circulation.

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.