Federal Advisory Warns of Increasing Conti Ransomware Attacks
Also, a second grain coop is hit with ransomware, and the Port of Houston fends off a cyberattack.
Raghu Nandakumara is field CTO at Illumio. He said there are two factors, neither of which is technical in nature, that differentiate Conti from other ransomware.
“First, Conti’s model takes the ‘double-extortion’ approach,” he said. “They are looking to make money both from restoring a victim’s data and continuing to keep it private. A victim may never pay out in order to restore systems (if they have effective backups and procedures then they would go down this route). But there is a very strong chance they will pay, and continue to pay, to keep sensitive data private. This in turn facilitates the second factor – the ability to keep the ransomware provider on retainer, rather than them being paid only on successful exploitation of a victim. The more guaranteed income stream for the provider allows them to develop their capabilities.”
It’s clear the business model is evolving to facilitate a more constant income for those who participate in the ransomware ecosystem, providing it with further sustenance, Nandakumara said.
Conti actors can gain initial access to networks via numerous vectors.
“Email and phone calls are easy vectors through which threat actors can mount phishing attacks,” Nandakumara said. “By socially engineering the initial victim, Conti actors introduce malicious content into an organization. Eliminating these two vectors is hard because they are human problems. Organizations must maintain a continuous education and awareness program so that employees are aware of and alerted to these threats.”
Exploitation of Remote Desktop Protocol (RDP), by contrast, is a technical problem, he said.
“This attack vector can be limited with technical solutions,” Nandakumara said. “RDP access from outside the organization should only be granted via authorized gateways with MFA enabled, and RDP traffic within the organization should be limited to between authorized hosts only, coupled with access being tied to specific roles. Furthermore, hosts that are RDP accessible should be prioritized for patching when vulnerabilities are announced, as they will typically be hosts that have the greatest exposure.”
Ransomware is dependent on freedom of lateral movement to spread far and wide, Nandakumara said.
“The fewer restrictions there are on this movement, the easier it will be for the attack to spread and the quicker it will progress,” he said. “Some ransomware attacks have been able to inflict catastrophic impact in a matter of minutes by exploiting this freedom. Segmentation limits this freedom, such that the attack can no longer spread from one compromised host to hundreds or thousands in a single hop. This slows down the spread, and ideally limits it.”
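The RDP and segmentation controls described in the two quotes above can be enforced at the host level on Windows. The following PowerShell is an added example written for this article, not code from Illumio or from the joint advisory; it assumes hypothetical addresses (MFA-protected RDP gateways at 10.10.5.10 and 10.10.5.11, a workstation subnet of 10.20.0.0/16) and must be run in an elevated session. It narrows the built-in Remote Desktop rules to the gateways, requires Network Level Authentication, blocks peer-to-peer SMB and WinRM so a compromised workstation cannot hop to its neighbours, and finishes with a check that no enabled rule still admits RDP from anywhere. Gateway-side MFA is configured on the gateway or identity provider and is not shown.

```powershell
# Added example (not from the article or any vendor): host-based enforcement of the
# RDP and segmentation controls discussed above. Run as Administrator.
# Assumed, hypothetical values:
$JumpHosts = @('10.10.5.10', '10.10.5.11')   # MFA-protected RDP gateways
$PeerSubnet = '10.20.0.0/16'                  # subnet of neighbouring workstations

# 1. Default-deny inbound on every profile, so only explicit allow rules open ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Scope the built-in Remote Desktop rules to the gateways instead of "Any".
#    Windows evaluates block rules before allow rules, so narrowing the allow rule
#    is more reliable than adding a competing block rule for 3389.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Domain -RemoteAddress $JumpHosts

# 3. Require Network Level Authentication: credentials are verified before a
#    session is created, which removes the pre-auth attack surface of the RDP stack.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Segmentation: drop workstation-to-workstation SMB and WinRM, the usual hop
#    paths for ransomware operators. Explicit block rules win over the built-in allows.
New-NetFirewallRule -DisplayName 'Block peer SMB (lateral movement)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $PeerSubnet -Action Block -Profile Domain
New-NetFirewallRule -DisplayName 'Block peer WinRM (lateral movement)' -Direction Inbound `
    -Protocol TCP -LocalPort 5985,5986 -RemoteAddress $PeerSubnet -Action Block -Profile Domain

# 5. Verify: report every enabled inbound allow rule for TCP/3389 and warn if any
#    still accepts connections from "Any".
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            Write-Warning "$($_.DisplayName) still allows RDP from Any"
        } else {
            Write-Output "$($_.DisplayName): RDP allowed from $($addr -join ', ')"
        }
    }
```

In a domain, the same settings belong in Group Policy (Computer Configuration > Windows Defender Firewall with Advanced Security) so that a local administrator, or an attacker with local admin, cannot simply re-open the port; the verification step at the end is still worth running on each host because locally created rules can widen what policy allows.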
This week, Crystal Valley, a Minnesota-based grain cooperative, was targeted in a ransomware attack. This followed the ransomware attack on Iowa-based New Cooperative last weekend.
Crystal Valley released the following statement:
“This attack has infected the computer systems at Crystal Valley and severely interrupted the daily operations of the company. Crystal Valley and cybersecurity experts are working diligently to reestablish safe and secure operating systems, which will be back online when we are confident the issue has been resolved.”
Crystal Valley hasn’t released any further information and there’s been no information regarding a ransom. The BlackMatter ransomware group, which attacked New Cooperative, demanded a $5.9 million ransom that could increase to $11.8 million.
Marcus Fowler is director of strategic threat at Darktrace.
“With two attacks on critical grain cooperatives this week so close together, all organizations in critical infrastructure, specifically the food and agriculture sector, should be on high alert,” he said. “If these two attacks were both conducted by BlackMatter, this could indicate a broader supply chain attack or campaign targeting the food chain, which means there may be other companies that were breached and don’t know it yet or have failed to report.”
These ransomware attacks forced both companies to take their systems offline, Fowler said. This could have significant and longer-term consequences.
“Ceasing operations could cut off feed supply for animals and, in turn, cut meat processing, dairy production and more, creating enormous unintended consequences and potentially food scarcity nationwide,” he said.
The reality of perimeter-centric cybersecurity is that it is not a solvable problem, Fowler said.
“We cannot stop determined attackers from getting into systems,” he said. “There are too many attack vectors, some sophisticated and some not so much. And digital infrastructure across industries is only becoming more complex. What we can do, however, is take the necessary steps to minimize risk and disruption to business operations once attackers inevitably get inside. By assuming that a breach is inevitable, companies can focus on identifying threats and anomalies to help prevent a breach from spreading laterally within a network and becoming a cyber disaster. The sooner security leaders can embrace what is achievable, the better.”
While teams can glean helpful information from analyzing historical attacks, this activity can’t anticipate new types of novel or emerging threats, Fowler said.
“Self-learning artificial intelligence (AI) can help organizations prepare for an attack by continuously analyzing behaviors to continuously learn what’s normal for that organization,” he said. “AI can also help disrupt threats in their early stages, preventing malicious activity from escalating while giving human security teams valuable airtime to respond and remediate the root cause of any incidents.”
Gary Ogasawara is CTO at Cloudian.
“The keys to defeating ransomware are immutable (unchangeable) data backups and encryption,” he said. “Data immutability prevents cybercriminals from deleting or altering data, enabling recovery of an uninfected copy in the event of an attack without having to pay ransom. Similarly, encrypting sensitive data both at rest and in flight prevents such criminals from reading or publishing this data in any intelligible form, again eliminating the need to pay ransom.”
News broke Thursday that the Port of Houston, a critical piece of infrastructure along the Gulf Coast, was likely infiltrated by foreign hackers through the theft of legitimate credentials.
The Port of Houston Authority said it “successfully defended itself against a cybersecurity attack” in August. Port of Houston followed its facilities security plan in doing so, as guided under the Maritime Transportation Security Act (MTSA). No operational data or systems were impacted as a result.
The incident is a reminder that foreign spies are targeting U.S. maritime ports to gather intelligence at a time when U.S. officials are taking steps to protect critical infrastructure from cyberattacks.
Neil Jones is cybersecurity evangelist at Egnyte.
“Labor shortages and supply chain disruption resulting from the global pandemic have already stifled productivity at U.S. ports,” he said. “Just last month, a record 44 vessels were awaiting a berth space at the Los Angeles and Long Beach, California, ports, with an average wait time of 7.6 days. Imagine if a cyberattack had occurred on the ports’ operations during such a critical time. In the Port of Houston case, the attacker appeared to breach the port’s network via remote access, a mission-critical requirement for a port that’s required to function on a 24/7/365 basis. So, it is especially fortunate that shipping operations weren’t disrupted.”
Danny Lopez is CEO of Glasswall.
“While it’s positive the Port of Houston cyberattack did not disrupt operations, the fact that foreign adversaries were able to obtain legitimate credentials for the systems belonging to one of the largest ports on the U.S. Gulf Coast is concerning,” he said. “More details on how the intrusion happened will likely be revealed in the coming days. But for now it’s worth underlining how to minimize the risk and impacts of credential theft.”
Critical infrastructure organizations need to adopt strong processes for onboarding and offboarding employees and affiliates that may receive access to key information systems, Lopez said.
“It’s vital to control privileged access and to monitor those that enjoy that administrator privilege,” he said. “Ensuring that MFA is enforced wherever possible is a vital defense where user credentials find their way into the hands of adversaries. This will help to limit the blast radius, and in most cases, defeat the data breach.”
Saryu Nayyar is CEO of Gurucul. She said there are rarely publicized success stories in cybersecurity. Usually the stories involve damaging breaches.
“So this story that the Port of Houston has successfully fended off an attack is encouraging to hear,” she said. “The attackers attempted to make use of a new vulnerability in ManageEngine ADSelfService Plus, a password management service, to enter the network.”
Infrastructure such as port operations is fertile ground for ransomware-style attacks, Nayyar said. That’s due to both its critical nature and, often, its relatively poor security practices.
“Ports, utilities, airports and other types of infrastructure should have both comprehensive security systems coupled with active monitoring of endpoints, IoT devices, servers, network and individual systems so that early detection and remediation become the norm, rather than the exception,” she said.
Veritas Technologies surveyed more than 2,000 global IT leaders whose organizations have undertaken pandemic-led digital transformation. It found most are severely vulnerable to ransomware attacks because they’ve been unable to keep pace with the accelerated digitization.
In fact, the average organization experienced nearly three ransomware attacks that led to downtime in the past 12 months. Furthermore, 10% were hit with ransomware more than five times.
Additional findings revealed:

- The cloud presents the biggest vulnerabilities to ransomware. Only 61% believe that their organizations’ security measures have fully kept pace with their digital transformation initiatives. The largest gaps are cloud technology (56%) and security (51%).
- The vulnerability lag has consequences, as organizations with at least one gap in their technology strategy have, on average, experienced around five times more ransomware attacks compared to those with no gaps.
- Digitization is outpacing security. Sixty-one percent believe their organization’s security measures have fully kept up since the implementation of COVID-led digital transformation initiatives, with 39% experiencing some form of security deficit.
- No organization is immune, with 88% of organizations reporting that they experienced downtime in the past 12 months.
Mike Walkey is senior vice president of global channel and alliances at Veritas.
“Organizations will need to distribute their efforts wisely if they are to effectively address all of the areas that are lagging and, perhaps, this is why decision makers anticipate this process taking so long,” he said. “More worrying, 42% think that it will take more than two years before they will be able to resolve these gaps. To shorten the time needed to protect their infrastructure, organizations would need to spend an average of $2.47 million to close the gaps in their technology strategy within the next 12 months. On average, respondents think that their organization would need to hire 27 full-time IT employees to close the gaps in their technology strategy within the same time frame. Given the global skills shortage, it’s unlikely that every company is going to be able to acquire the talent needed to rise to this challenge.”
Other cybersecurity strategy gaps include compliance and regulatory (44%), skills (44%), resiliency/recovery (40%) and budgetary (38%).
“To protect themselves from data threats, organizations’ production and protection environments have to evolve in parallel,” Walkey said. “This means that as each new solution is introduced into the organization’s technology stack, protection capabilities need to be extended to cover it in a timely manner.”
Good data protection strategies are predicated on a thorough understanding of the value and location of the data that needs to be protected, he said. Therefore, before cloud data sets can be properly protected from threats like ransomware, IT teams need to know exactly what data has been sent to which cloud services.
The federal government has issued an advisory that more than 400 U.S. and international organizations have been attacked with Conti ransomware.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released the advisory. Malicious cyber actors use Conti ransomware to steal sensitive files from domestic and international organizations, encrypt the targeted organizations’ servers and workstations, and demand a ransom payment from the victims.
Conti is considered a ransomware-as-a-service (RaaS) variant; however, there is a variation in its structure that sets it apart from the typical affiliate model. The advisory says Conti developers likely pay the actors who deploy the ransomware a wage, rather than the percentage of proceeds paid to affiliates under other RaaS programs, while the developers themselves take a share of the proceeds from each successful attack.
The joint advisory recommends mitigations for network defenders. Those include updating your operating system and software, requiring multifactor authentication (MFA) and implementing network segmentation.
Robert Golladay is Illusive’s EMEA and APAC director. He said the escalation in Conti ransomware attacks isn’t surprising.
“We continue to see it distributed through TrickBot infections,” he said. “Threat actors are constantly stepping up their game and improving their tools to increase their success rate, and then sharing what works. They effectively operate a GitHub for attackers, sharing code once they’ve been successful with a technique. Once an attacker is in the network, which inevitably will happen, it won’t take them long to move laterally to target ‘crown jewels.’”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.