We are losing the war against ransomware, and criminals don't even have to try to be innovative. They use known vulnerabilities and weak devices to sneak in, experts from the cybersecurity company Ordr told Cybernews.
Threat actors exploit the same cracks repeatedly to breach organizations, finding their way in through unpatched software, unprotected cloud services, and weak passwords. The Cybersecurity and Infrastructure Security Agency (CISA) recently listed the top 10 ways criminals get in, noting that they have no need to exploit zero-day vulnerabilities.
Threat actors exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access. Combine that with the fact that many organizations don't keep track of how many devices are on their network, or what they are, and the situation is bound to explode.
"Ransomware is out there. Not preparing for it would be like building a brand new building in a flood zone and not taking any protective measures to make sure that the building can withstand a flood," Greg Murphy, CEO of Ordr, told Cybernews during an interview.
According to him, the prevalence of attacks is extremely high at the moment.
"680 hospitals are known to have been breached just last year. That's more than 10% of the hospitals in the United States, and that's just the attacks that we know about. The actual number is probably higher. Every hospital, every critical infrastructure player is under attack," he said.
I virtually sat down with him and Ordr consultant Brad LaPorte, a former Gartner analyst, to discuss why and how the ransomware problem keeps getting worse despite speculation that attacks might be temporarily declining.
Are attacks getting more targeted, or are they still mostly spray-and-pray attacks?
Brad. It's a mix of both. Criminals are typically financially motivated. They are trying to get the most money as quickly as possible with the minimum amount of effort. They can leverage malicious automation software tools. If they just get online, there are tons available on underground marketplaces where they can actually just scan the internet for internet-facing assets, IoT, medical devices, anything that's really connected to the infrastructure. You see this a lot in the healthcare and manufacturing industries, and basically, it is that low-hanging fruit.
Going back to the first aspect, there are also opportunistic attacks. Back in December, there was a major celebrity vulnerability in the Log4j logging library. Once a disclosure comes out, it's like a feeding frenzy: all these criminals identify, hey, this is easy, you can just run automated programs and identify all the weak assets that are using the Log4j logging capability.
In addition, they are also evolving into a targeting aspect as well. When they know that a specific target has a five million dollar policy, then it becomes more surgical as well.
Greg. We have to start thinking about these attackers as criminals, but also as relatively sophisticated business people. When you think about how normal businesses do marketing, what the characteristics of their product are, and how they steer their marketing tactics toward customers or prospects they think are likely to respond: you see ransomware gangs doing exactly the same thing.
They tend to look for organizations that are highly likely to pay in response to an attack, and so that tends to point them to highly regulated industries, industries where there's a high propensity to have cyber insurance, so a pool of funds to draw from, and places where the ability to disrupt normal operations has severe consequences.
That's why you tend to see these attacks concentrate in the areas – healthcare, manufacturing – that share those characteristics. If you think about a ransomware gang as a sophisticated business that is doing targeted marketing campaigns and looking at where they are most likely to get a return on their investment, it points them to the same types of targets again and again.
CISA's advisory said that cybercriminals exploit poor cyber hygiene rather than zero-days to breach organizations. So we still trip over small things?
Brad. Historically, it's been social engineering, business email compromise, and phishing. That's still very prevalent, in parallel and overlapping. A lot of products out there, I call them Swiss cheese, have all these different vulnerabilities, all these different entry points to exploit. In the IoT space, the medical device space, even operational technology, there's really not a lot to those devices from an interface perspective: you have a logging mechanism and a base-level embedded OS. It's very easy to exploit. If I just have a simple vulnerability that is part of that basic software, open-source software which can be manipulated by the community, then there are a lot of different entry points.
Threat actors are using malicious automation to constantly scan the internet and look for those internet-facing assets. If I knew there was a vulnerability with a webcam that's very prevalent in standard models for hospitals, or baby monitors, I can identify that and run malicious automation to find those devices and exploit them at mass scale.
Then you start getting into supply chain attacks, which is what happened with SolarWinds, and those have increased over 2800% over the past few years. The challenge is, if you don't have visibility into that, you don't have visibility into those devices.
During COVID, when hospitals increased the number of devices to support the community, those devices weren't about security right away. How effective were they at managing that inventory and actually knowing what kinds of devices they have operating? It's difficult to maintain that.
Greg. Criminals are not rewarded for being innovative. They just want to find a vulnerability that's there and that they can exploit. If you look across an enterprise, the most vulnerable device in any enterprise is the one they don't know about. If you look at how most organizations are set up, the IT organization is responsible for laptops and desktops, and the odds are pretty good that those devices follow more standard processes with some form of regular updates and patches.
If you think about all of the other connected devices, very often a security camera is installed by the facilities department, and to the extent that they keep an inventory, that might be a spreadsheet on someone's laptop somewhere as opposed to a true asset database.
Similarly, in healthcare, for example, you have medical devices that are owned and operated by a biomedical engineering organization that has its own processes, separate from the IT and security organization. And similarly in manufacturing. When you have that divided ownership and multiple different systems of record, it becomes very easy for those devices to fall out of compliance, to not be kept up to date with patches, or for the organization to not even truly know that they exist.
That creates the vulnerability, and again, that's all the attacker needs. They don't need a new state-of-the-art technique; they just need to find a device that's pointing towards the internet, that is vulnerable and can be exploited. Once they are in, they can move and spread laterally across the organization.
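The "divided ownership and multiple systems of record" problem Greg describes has a concrete defensive counterpart: reconcile every partial inventory (IT CMDB, the facilities spreadsheet, the biomed database) against what is actually seen on the wire, and treat anything observed but unowned as the highest-priority finding. The script below is an added example written for this article, not Ordr's product or code; the three inventories, the observed MAC list, and the device names are constructed sample data, and the only assumption is that each source records a MAC address in whatever format its tool emits.

```python
"""Reconcile several partial asset inventories against devices actually observed
on the network, to surface the devices nobody owns, the ones two teams both
claim, and the ones that are inventoried but never seen.
All inventories and the observed-device list are constructed sample data."""
import re
from dataclasses import dataclass, field


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAC formats different tools emit:
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff -> aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed: three systems of record, each maintained by a different team.
INVENTORIES = {
    "it_cmdb": [
        {"mac": "00:1A:2B:3C:4D:01", "name": "ws-0342", "os": "Windows 11"},
        {"mac": "00:1A:2B:3C:4D:02", "name": "lt-0117", "os": "Windows 11"},
    ],
    "facilities_sheet": [
        {"mac": "00-1A-2B-3C-4D-10", "name": "lobby-cam-1", "os": "vendor firmware"},
        # Same MAC as lt-0117 above: two teams each believe they own this device.
        {"mac": "00-1A-2B-3C-4D-02", "name": "hvac-panel-a", "os": "embedded"},
    ],
    "biomed": [
        {"mac": "001a.2b3c.4d20", "name": "infusion-pump-7", "os": "Windows 7 Embedded"},
        {"mac": "001a.2b3c.4d21", "name": "ct-scanner-2", "os": "Windows XP Embedded"},
    ],
}

# Constructed: MACs seen on the wire this week (e.g. from DHCP leases, ARP tables
# or NAC logs). 4d:99 appears in no inventory at all.
OBSERVED = [
    "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:10",
    "00:1a:2b:3c:4d:20", "00:1a:2b:3c:4d:99",
]

# OS name prefixes that are past end-of-support (extend to taste).
EOL_OS_MARKERS = ("Windows XP", "Windows 7")


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)      # on the network, owned by nobody
    conflicting: dict = field(default_factory=dict)  # claimed by more than one system of record
    stale: dict = field(default_factory=dict)        # inventoried but not seen on the network


def reconcile(inventories, observed):
    """Cross-reference all inventories with observed devices, keyed by normalised MAC."""
    owners = {}  # mac -> {source_name: record}
    for source, records in inventories.items():
        for rec in records:
            owners.setdefault(normalize_mac(rec["mac"]), {})[source] = rec
    seen = {normalize_mac(m) for m in observed}

    result = Reconciliation()
    result.unknown = sorted(seen - set(owners))
    result.conflicting = {mac: sorted(srcs) for mac, srcs in owners.items() if len(srcs) > 1}
    result.stale = {mac: sorted(srcs) for mac, srcs in owners.items() if mac not in seen}
    return result


def unsupported_on_network(inventories, observed):
    """Inventoried devices running an end-of-life OS that are actually live right now:
    the ones that need segmentation first."""
    seen = {normalize_mac(m) for m in observed}
    hits = []
    for source, records in inventories.items():
        for rec in records:
            if normalize_mac(rec["mac"]) in seen and rec["os"].startswith(EOL_OS_MARKERS):
                hits.append((source, rec["name"], rec["os"]))
    return sorted(hits)


if __name__ == "__main__":
    r = reconcile(INVENTORIES, OBSERVED)
    print("unknown on network:", r.unknown)
    print("conflicting ownership:", r.conflicting)
    print("inventoried but not seen:", r.stale)
    print("EOL devices live on the network:", unsupported_on_network(INVENTORIES, OBSERVED))
```

The three buckets map onto three different owners of the follow-up: an unknown device needs someone to claim it or it gets quarantined, a conflicting entry means two teams will each assume the other is patching it, and a stale entry is either a retired device or one that has moved somewhere the collectors don't see.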
What are the main challenges when protecting legacy devices and operational technology with long lifespans?
Greg. Take healthcare. Very often, those of us in the world of IT think about a device as having a 2-3 year life before it cycles out of the organization. When you look at critical imaging systems in healthcare or major manufacturing systems, those devices can be designed to operate for 10-12 years. They have very critical functions in the organization, and they can be extraordinarily expensive.
We had a customer who looked at their network and discovered that they had close to 10,000 devices on their network running Windows 7, and the immediate response would be: let's get that off the network. But that would cost more than 600 million dollars. There's no money to do that, and clearly, from an operational perspective, that would be incredibly disruptive. That's just a fact of life.
A lot of these devices have very long lives. Even today, there are brand new devices coming off the manufacturing line that are running embedded Windows XP. You need to make sure that you have visibility and awareness of those devices, and you need to take steps on your network to make sure those devices, because they are especially vulnerable, are segmented. You want to make sure that those devices aren't internet-facing, and that there's a restricted policy on what types of devices can access them. You want to make sure you have layers of protection around those devices so that those vulnerabilities are less likely to be exploited.
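Greg's three requirements for a legacy segment (not internet-facing, a restricted list of who may reach it, and layers around it) can be written down as a policy and checked continuously against flow records, which is how you find out the segmentation you configured is not the segmentation you have. The checker below is an added example for this article, not Ordr's code; the legacy subnet, the jump host, imaging server and resolver addresses, and the flow lines are all constructed, and the allowlists are hypothetical placeholders for whatever a real site permits.

```python
"""Check flow records involving a legacy-device segment against a segmentation
policy and report violations. Policy, addresses and flow lines are constructed
sample data for this example."""
import ipaddress
from typing import NamedTuple, Optional

# Constructed: the VLAN holding Windows 7 / XP-era devices.
LEGACY_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# RFC 1918 ranges; anything outside them is treated as "the internet".
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical inbound allowlist: who may open connections to legacy devices, on which ports.
ALLOWED_INBOUND = {
    ipaddress.ip_address("10.10.0.5"): {22, 3389},   # management jump host
    ipaddress.ip_address("10.20.0.8"): {104},        # imaging server (DICOM)
}
# Hypothetical outbound allowlist: where legacy devices may initiate connections.
ALLOWED_OUTBOUND = {
    ipaddress.ip_address("10.20.0.8"): {104},        # imaging server (DICOM)
    ipaddress.ip_address("10.10.0.53"): {53},        # internal resolver
}


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,proto' record (the constructed format used below)."""
    src, dst, dport, proto = line.split(",")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def is_private(addr) -> bool:
    return any(addr in net for net in PRIVATE)


def evaluate(flow: Flow) -> Optional[str]:
    """Return None if the flow conforms to policy, otherwise a short violation tag.
    Flows entirely inside the legacy segment are left to a separate intra-segment policy."""
    src_legacy = flow.src in LEGACY_SEGMENT
    dst_legacy = flow.dst in LEGACY_SEGMENT
    if src_legacy and not is_private(flow.dst):
        return "legacy->internet"                     # the segment must never be internet-facing
    if src_legacy and not dst_legacy and flow.dport not in ALLOWED_OUTBOUND.get(flow.dst, set()):
        return "legacy->unapproved-host"              # lateral movement starting from a legacy box
    if dst_legacy and not src_legacy and flow.dport not in ALLOWED_INBOUND.get(flow.src, set()):
        return "unapproved->legacy"                   # something other than the jump host reaching in
    return None


def audit(lines):
    """Run every non-comment flow line through the policy; return (tag, line) for each violation."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag = evaluate(parse_flow(line))
        if tag:
            findings.append((tag, line))
    return findings


# Constructed flow records, e.g. exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = """\
# src,dst,dport,proto
10.50.0.21,10.20.0.8,104,tcp
10.50.0.21,203.0.113.7,443,tcp
10.10.0.5,10.50.0.21,3389,tcp
10.30.0.44,10.50.0.21,445,tcp
10.50.0.22,10.10.0.53,53,udp
10.50.0.22,10.30.0.44,445,tcp
""".splitlines()


if __name__ == "__main__":
    for tag, line in audit(SAMPLE_FLOWS):
        print(f"{tag:25s} {line}")
```

Of the six sample flows, three are flagged: a legacy device reaching a public address, a workstation outside the allowlist opening SMB to a legacy device, and a legacy device opening SMB to a workstation. The first is the "not internet-facing" rule, the other two are the "restricted policy on what can access them" rule applied in both directions, since a compromised legacy device is as much a lateral-movement source as a target.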
How do you look for threats when ransomware gangs are constantly innovating, shutting down only to resurrect and throw law enforcement off track?
Brad. Certainly, we are hypervigilant and motivated to do our jobs. You can't look at ransomware groups as a single entity; they are not all-encompassing. It's actually five, ten, sometimes fifteen groups that work in unison. It's very hard for organizations to do the initial part, the entry point, all the way to the final. The people getting the money at the end aren't necessarily the people who started it. It's a very elaborate global economy.
Greg. Very often, the news media point to a few particular well-known entities that have conducted large and successful attacks. Again, if you start to look at ransomware as a business, it's a fairly decentralized business, and the barriers to entry are pretty low for a new organization to constitute itself. The reality is that we have to recognize it as a fact of life.
A few years ago, people would say that some ransomware gang decided to target our business, we were victimized; there were a thousand other companies they could have picked, and they just happened to pick us. I think that mindset has to shift. Ransomware is out there. Not preparing for it would be like building a brand new building in a flood zone and not taking any protective measures to make sure that the building can withstand a flood. Organizations need to assume that there will be hundreds, thousands of attackers out there, and have the defenses in place.