2022 will be another busy year for enterprise incident responders as ransomware, supply chain and myriad zero-day attacks will continue to rise, according to Cisco’s Talos security experts.
To help address the threats, the Cisco Talos team used a blog and online presentation to detail steps enterprises can take to defend themselves against the growing field of bad actors and also to point out lessons learned from recent damaging exploits such as the Log4j vulnerability and Microsoft Exchange server zero-day threats.
Once, zero-day attacks were typically launched by state actors against service providers, but those days are gone, wrote Nick Biasini, head of outreach at Cisco Talos, in a blog about the security landscape in 2022. Now new, less experienced combatants seek out a broader range of targets, using less surgical attacks. “This has led to more risky behavior than we’ve seen historically, without as much regard for collateral damage,” he wrote.
These state actors have changed their strategies, as well. Rather than focusing on espionage against other nations, now they also target dissidents and activists with attacks designed to destroy and disrupt. At the same time criminal enterprises have become a larger threat thanks to the billions of dollars they are able to collect readily through cryptocurrencies. “We’ve never faced more challenges as defenders…” Biasini stated.
Some of the biggest challenges for 2022 include ongoing problems such as Log4j and ransomware.
Unpatched Log4j remains a threat
Log4j software is widely used in enterprise and consumer services, websites, and applications as an easy-to-use utility to support client/server application development. But it has weaknesses that, if exploited, could let unauthenticated remote actors take control of affected server systems and gain access to company information or unleash denial-of-service attacks.
Cisco telemetry has detected attackers exploiting these weaknesses in vulnerable VMware Horizon servers and infecting them with malicious payloads including Cobalt Strike—a tool developed to help penetration testers protect networks but also used by attackers, said Neil Jenkins, Cisco Talos Cyber Threat Alliance Chief Analytic Officer, in an online presentation. Even though there have been warnings to patch against Log4j, not everyone does, and “there are still threat actors, particularly advanced threat actors, who may look to target those vulnerabilities in future,” he said.
Cisco Talos stated that Log4j will be widely exploited moving forward, so users should patch affected products and implement mitigation solutions as soon as possible.
Ransomware still a scourge
With the exception of Q1, ransomware took up nearly 50% of all the threats that Talos tracked in 2021, thanks to the lure of lucrative payouts from ransomware victims. In turn, some of that cash will help ransomware cartels develop more sophisticated approaches. “As we saw with [supply chain attack] Kaseya, these cartels have the ability to purchase or develop zero-days to be leveraged in attacks, a trend that should concern us all and another reason why behavioral protection will continue to be an important aspect of detection in 2022 and beyond,” Biasini stated.
Another issue is that there are more and more ransomware players. At the beginning of 2021, many attacks came from one group, but by the end of the year there were at least 13 different ones, Jenkins said.
“Even with one family, you have a lot of different affiliates who are using different tactics, so even with one dominant family, you can still see a diversification in the types of attacks and the types of tooling they’ll use,” Jenkins said.
There are other factors that could change the ransomware landscape—the US government’s anti-ransomware initiatives for one—as well as the scrutiny these groups are getting from law enforcement around the globe, Jenkins said. Larger ransomware groups might fragment to be less detectable, and open-source ransomware developers may have a more difficult time as some of their forums are shut down. As a result, the attackers might choose smaller targets to avoid the publicity and attention from law-enforcement that larger attacks might draw, Jenkins said.
The best protection is to maintain cyber-defense best practices such as offline backups, instituting multi-factor authentication, and having incident response plans in place, Jenkins said.
Zero day is here to stay
There has been a dramatic increase in zero-day attacks, with more than 50 discovered in the wild during 2021—more than in all of 2019 and 2020 combined, Biasini stated.
And zero days remain a rich source of attacks. At the recent Tianfu Cup hacking contest in China, there were no fewer than 30 successful exploits demonstrated against the short list of targets, including a handful that affected the latest versions of Windows and iOS. All of them were likely reported to the Chinese government due to recent regulation changes, Biasini stated, which can have consequences. The most recent example of this is Alibaba being penalized by the Chinese government for not disclosing Log4j to them in advance, he stated.
Beware suspect USBs
Another interesting development has been the continued use of one of the oldest attack vectors in the security realm—malicious USB devices.
“Starting in 2021, even carrying into this year, there has been an uptick of malicious USBs used as a means of initial access, which is a true blast from the past,” Jenkins said. “But just a reminder that even these old, outdated attack vectors can still be used, and still have success.”
Enterprise best practices
Cisco Talos researchers did have recommendations for enterprise incident response.
Patching, inventorying, segmentation, training, and having incident-response plans in place are all important, but the Cisco experts have one main suggestion: institute multi-factor authentication. “We identified that a lack of MFA is probably one of the biggest hindrances to enterprise security,” Jenkins said. “There is a large number of ransomware incidents that could have been avoided with MFA. So we absolutely encourage wherever possible when you can and especially on sensitive systems to institute MFA—as soon as possible.”
Some other ideas:
- Keep accurate asset lists, current documentation and policies—especially those related to patching. These are fundamental when it comes to incident response. “The last thing you want is to be in the middle of an active incident to find out you don’t have an accurate inventory of assets or that you haven’t patched anything in six months. Ensuring fundamentals like network segmentation and proper access controls are implemented will limit the effects of a breach,” Cisco stated.
- Get software bills of materials (SBOM) from vendors when considering software options. That should allow a quick determination of how vulnerabilities in specific libraries or open-source software could change daily operations and hopefully allow for a more thorough and thoughtful response.
- Plan based on the idea you will be breached at some point. Create a cybersecurity incident response plan that includes all the stakeholders in the process. During an incident, every minute counts, making it crucial that the appropriate departments are ready to make decisions and take actions so containment can happen as soon as possible. Preparing and practicing your processes related to an incident can make the difference between mitigating a compromised system and suffering a total breach.
- Enable logging. This can be difficult and expensive, but it’s crucial to have logging enabled when you are engaged in an incident. Without it, you may never be able to determine things like the initial infection vector or patient zero. These failures can be catastrophic if multiple actors are able to abuse that same undiscovered weakness, Cisco stated.
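The SBOM recommendation above is only useful if you can actually query the bill of materials when a library vulnerability lands. The following is an added example, not code from Cisco Talos or from the article: it parses a small constructed CycloneDX-style SBOM (JSON with a `components` list of `group`/`name`/`version` entries) and lists every copy of a named package whose version falls below a safe-version threshold. The SBOM contents, the package name `log4j-core` (used here as a Maven-style artifact name) and the threshold `2.99.0` are all placeholders; the real threshold must come from the vendor's advisory for the vulnerability you are responding to.

```python
"""Flag SBOM components that fall below a safe version threshold.

Added illustration (not Cisco Talos code). The SBOM below is a constructed,
CycloneDX-style JSON document; the package name and version threshold are
placeholders, not values taken from a real advisory.
"""
import json
import re

# Constructed SBOM: a handful of components, including a pre-release
# version and one entry with no version recorded at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.99.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.0-beta9"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core"},
    ],
})


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Leading dot-separated numbers are compared numerically and padded so
    that 2.0 and 2.0.0 are equal. Any trailing suffix (e.g. '-beta9') is
    treated as a pre-release and sorts below the bare release number.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    pre_release = bool(m.group(2))
    return nums + ((0,) if pre_release else (1,))


def find_affected(sbom_json, package_name, min_safe_version, group=None):
    """Return (name, version) pairs for components called package_name whose
    version is below min_safe_version. `group` narrows the match when the
    SBOM carries Maven-style group ids. A component with no recorded
    version cannot be proven safe, so it is reported for manual review.
    """
    sbom = json.loads(sbom_json)
    threshold = parse_version(min_safe_version)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != package_name:
            continue
        if group is not None and comp.get("group") != group:
            continue
        version = comp.get("version")
        if version is None:
            hits.append((comp["name"], "<no version recorded>"))
            continue
        if parse_version(version) < threshold:
            hits.append((comp["name"], version))
    return hits


if __name__ == "__main__":
    # Placeholder threshold: substitute the fixed version from the advisory.
    for name, ver in find_affected(SAMPLE_SBOM, "log4j-core", "2.99.0",
                                   group="org.apache.logging.log4j"):
        print(f"REVIEW: {name} {ver} is below the safe-version threshold")
```

Run against a real SBOM, the same call answers the question the bullet point raises: which deployed artifacts carry the affected library, and therefore which systems need patching first. Treating a missing version as a finding rather than ignoring it is deliberate; an SBOM gap is itself something to chase down during a response.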