Is there some zero day that's getting out and causing a lot of these recent ransomware attacks? Has anyone been able to do some root cause analysis on the exact exploits that oil pipeline, meat processing, etc. plants have faced with their ransomware attacks?
On one hand it seems a bit expected to see an increase in attacks after big, public ones... but on the other hand how are these networks and computers actually getting compromised with what appears to be such speed and ease?
edit: I also wonder if defenses need to get more proactive about detecting these attacks. Why can't block devices have a mode where they immediately shut down into a fail safe if they see a huge amount of sustained block overwrites (like attempting to overwrite 50% of data within a short time span)? Or maybe bake copy on write filesystems into the hardware such that no matter what happens on the host side a perfect history of previous blocks is kept intact to be restored through some manual/external intervention.
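A toy version of the failsafe proposed in that edit, as an added example that is not the poster's code: a simulated block device counts the distinct stored blocks that get overwritten inside a sliding window and freezes into a read-only state once they exceed half the stored data, so the old blocks survive for external recovery. The window, threshold and the two workloads are constructed assumptions.

```python
from collections import deque

class OverwriteFailsafe:
    """Simulated block-device watchdog (constructed example, not a real driver).
    Writing to a block that already holds data counts as an overwrite; if the
    distinct blocks overwritten inside a sliding window exceed max_fraction of
    all stored blocks, the device freezes into a read-only fail-safe state."""

    def __init__(self, window_seconds=60.0, max_fraction=0.5):
        self.window, self.max_fraction = window_seconds, max_fraction
        self.stored = set()      # blocks that currently hold data
        self.recent = deque()    # (timestamp, block) overwrites inside the window
        self.in_window = {}      # block -> overwrite count inside the window
        self.tripped = False

    def _expire(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            _, blk = self.recent.popleft()
            self.in_window[blk] -= 1
            if self.in_window[blk] == 0:
                del self.in_window[blk]

    def write(self, timestamp, block):
        """Accept a write (True), or reject it once the failsafe has tripped (False)."""
        if self.tripped:
            return False
        self._expire(timestamp)
        if block in self.stored:                  # overwrite of existing data
            self.recent.append((timestamp, block))
            self.in_window[block] = self.in_window.get(block, 0) + 1
            if len(self.in_window) / len(self.stored) > self.max_fraction:
                self.tripped = True               # freeze: old blocks stay intact
                return False
        self.stored.add(block)
        return True

def run_workload(device, writes):
    """Feed (timestamp, block) pairs; return the index of the rejected write, or None."""
    for i, (ts, blk) in enumerate(writes):
        if not device.write(ts, blk):
            return i
    return None

# Constructed workloads on a device filled with 1000 blocks at t=0.
FILL = [(0.0, b) for b in range(1000)]
# Normal use: one block edited per second, so at most ~60 distinct overwrites per window.
NORMAL = FILL + [(1.0 + i, i) for i in range(100)]
# Encryption-style rewrite: every block overwritten in order, 100 blocks per second.
RANSOM = FILL + [(10.0 + i / 100, i) for i in range(1000)]
```

The normal workload is accepted in full, while the bulk rewrite is stopped at its 501st overwrite with the first 500 new blocks written and everything else untouched.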
> Is there some zero day that's getting out and causing a lot of these recent ransomware attacks?
My guess is this is fallout from the SolarWinds hack. Wouldn't be surprised if they discovered intel on a number of vulnerabilities or maybe even backdoors that are helping enable these attacks.
I've not heard of Linux or BSD systems being hit by cryptolocker-type ransomware, but most news reports don't get into the details of what operating system was involved.
The infrastructure needed for this is now fairly mature: you can rent botnets rather than build your own, infecting devices is relatively plug-and-play, device security has only improved marginally and for a shorter timespan than the useful life of the devices (i.e. there are a lot of vulnerable devices out there). That's just a few relevant tidbits on the technical side of things... the social/people side is even worse. So you no longer need to have a great deal of expertise or expend much effort to do these kinds of attacks, and it sounds like organized crime has gotten in on the game in the past decade.
In the perfect world all setups should have protections against ransomware (CDP, backup, etc.).
But in the real world they don't. It is really, really hard to convince companies to purchase a backup solution. Sadly, IT professionals like to talk and work on "fancy" security things. Criminals will do plain old criminal acts (steal, blackmail, kidnapping, etc.) to access the servers. In short, security is important but it might fail: have a backup.
It could also be that criminals have full access to the entire IT infrastructure.
> Is there some zero day that's getting out and causing a lot of these recent ransomware attacks?
Unfortunately, the answer is largely no. Phishing emails containing malicious documents, now sometimes accompanied by call center operators priming the victims or walking them through the process of infecting themselves, are to blame for a large number of ransomware attacks. Exploitation of recent vulnerabilities (i.e. a handful of CVEs from 2020 affecting VPN devices) is also often used for initial entry, as well as plain old bruteforcing RDP servers and the like. Some groups have begun to invest in in-house vulnerability research teams but I have not seen much come from that as of yet, aside from implementation of exploits for existing CVEs.
> but on the other hand how are these networks and computers actually getting compromised with what appears to be such speed and ease?
The scale and architecture of some of the larger cybercriminal groups responsible for many of these attacks parallel your typical Silicon Valley startup. One of the larger groups has dozens of employees across a range of different focus areas/departments: malware development, infrastructure management, crypting services, redteam operators, ransomware negotiators, layers of management, etc. These groups work with other affiliate groups, which only accelerates the process from initial infection to ransomware deployment: affiliate groups that blast out malspam broadly as well as to curated target lists are often responsible for supplying the steady flow of infections to malware-as-a-service platforms, which provide the ability to view and manage bots to yet another set of groups that drop secondary payloads like Cobalt Strike and begin the process of lateral movement towards the domain controller so the final ransomware payload can be deployed. These groups have employee handbooks, training videos, Slack-like chat services, Gitlab instances with dozens of projects, CRM-like tools for victim management, and even (in at least one case I'm aware of) physical offices in Russia.
It wouldn't surprise me. Let's take thousands of components from dozens of different CDNs and throw it in a Docker image that I downloaded from somewhere else and put it in production.
I think it is just media bias: ransomware has become an interesting story so it is getting published more frequently, not necessarily having anything to do with any actual uptick in activity. (Same issue with covid-related violence towards Asians. I remember hearing a bit about it at the beginning of the pandemic, very little for months and months, then a few weeks of intense coverage which has simmered down recently. I doubt any of this really correlates with the actual frequency of incidents.) News has trends, and people mistake what the news is talking about for the actual prevalence of the subject.
Many many companies are really very insecure, there doesn't have to be some big 0day for most. More like a combination of long known, unpatched vulnerabilities, social-engineering vulnerabilities, and instances of essentially leaving the door entirely open.
Don't forget that many known vulnerabilities aren't patched by people running these systems. Just because a vulnerability is known doesn't mean it's patched.
Because essentially all networked IT systems are extremely easy to attack. These attacks probably cost ~$10k to pull off. If you can get $4M, like in the pipeline attack, by paying $10k and have no moral compunctions about it, why would you not be exploiting it as ruthlessly as you can and expanding your operations as quickly as you can to exploit the entire market? So, really there is nothing surprising about the current rash of attacks if you know the actual level of security we can expect. The real question is why it took so long for people to turn $10k into $4M and reinvest that $4M into 400 more $10k attacks with $4M payouts.
Now, somebody will say something like: "Everybody knows these companies don't care about security. If they just focused on security and adopted best practices or (insert basic practice here) they would not be having these problems." Sure, these attacks are utterly trivial to implement and the target companies are massively behind the curve on "best practices" by orders of magnitude. But, even the best systems are completely and utterly ridiculously inadequate. You can completely and utterly compromise essentially any currently deployed commercial IT system for less than $10M with the median for total compromise of a Fortune 500 company being ~$100k. And frankly, $10M is just me sandbagging the upper bound. I have never had any person in any security organization from an engineer to a regional cybersecurity director to a CISO at a Fortune 500 company ever give a number over $1M when asked over lunch.
For third party evidence, you can just look at Zerodium where they pay for exclusive rights to zero days in the most "secure" products currently available for only slightly more than $1M. You can literally burn multiple remote zero-click full-chain RCE zero days per attack and you would still be spending less than $10M per attack. If you can leverage a single remote zero-click full-chain RCE zero day even 10 times the cost per attack drops to the $100k-500k range.
So sure, they could improve their security by a factor of 100x, bringing it from $10k to $1M. That might stop some criminals for a time. They might attack cheaper targets for a time. But if they can pay $1M to get $4M from you, then once they eat all the other fish in the barrel they are going to eat you.
I'd guess it's because the majority of corporate IT actually is not as secure as most companies think. In my own professional experience, and conversing with peers and friends who work infosec, the security profile of most companies is a hard exterior shell, with a deliciously juicy squishy center. These companies might think they're super secure. After all, they just bought a fancy new Data-loss-prevention appliance, and just passed a SOC2 audit, so this means they're secure, right? Never mind that this expensive appliance is effectively MITM-ing all TLS within the company, and is running an unsupported version of Tomcat for its web UI that must be on a publicly reachable IP in order for the service to work. Never mind that mid-level IT were ordered to not mention to the auditor the different ways various security controls could be trivially bypassed by a high school student, not if they wanted to keep their jobs. Never mind that Sales throws an absolute fit to the CEO every time IT tries to remove their exception to the password complexity requirements, forcing them to use a different password than incrementing the number at the end of "P@ssword57". Never mind that IT was told to stop trying to set up network ACLs in Azure because restricting traffic between network segments is interfering with Dev's delivery velocity. I could keep going forever with examples from my own career or synthesized from my peers' war stories.
But with a hard shell and squishy center security posture, all it takes is one security event, and you're pwned. All it takes is one salesman to click on a phishing email, one data entry drone to get hit by a drive-by ad while watching YouTube during lunch break, one Internet-facing server to miss a security patch, etc. Once with a foothold, these ransomware gangs move with speed and thoroughness that comes of lots of practice. Depending on the size of the enterprise, and how well it is or is not segmented, compromise can spread from patient zero in days, if not hours.
It's not all doom and gloom. Seeing these events happen, or having the near-death experience of surviving a ransomware attack is (at least temporarily) lighting a fire under companies' asses to get their shit together, and start keeping their support contracts current. Detection and response tools are getting better. I know of a managed EDR solution that kills all connections except the control connection back to their security center and clears out the routing table so no new connections can be made. Then they call you.
But for every company that is taking steps to secure themselves against the current threat landscape, there are plenty more that are failing to do so, whether out of naivety or complacence.
I don't think there's any nation state level actors or fancy zero days in play here, just ordinary organized crime. This appears to be very effective and profitable.
Most corporate networks are very bad when it comes to administration practices and credential hygiene. I'm talking about Active Directory of course, which is the identity and management backbone of most every corporate network. However, to be accurate, this isn't a problem with AD as a technology itself - it can be made very secure - but how it's deployed and used in practice. Of course, you could argue that a technology is bad if deploying it securely requires arcane knowledge and isn't the default configuration... However, the same underlying principles or weaknesses exist in the underpinning technologies or concepts themselves and are not AD specific.
Ideally, Active Directory is the identity management backbone of your entire corporate network. Identities and devices are centrally managed through it. Ideally, access to every single server, workstation and application is managed through it.
Compromise the identity management backbone and you compromise everything that it controls access to, i.e. the entire network and all business data. Doesn't matter whether it's AD or MIT Kerberos or whatever.
In practice, this issue is Windows- and Active Directory-specific, but mostly because AD is the most widely deployed directory service by far and Windows machines tend to be domain joined for effective management.
But to be clear, Linux systems would be vulnerable to this in exactly the same way if they were configured similarly, which they're often not. But you could have MIT Kerberos etc. running to centrally manage access to all of your Linux assets; compromise it and you compromise all assets it manages access to.
In AD, there's a group called Domain Admins which grants unrestricted administrative access to every single workstation, server and identity in the directory. In today's security conscious world, that concept is very much a blast from the past, but I digress...
On most networks, practices are generally very lax, and the number of Domain Admins, and the use of such accounts, vastly exceeds the minimal scope they should be used in. Admins log in to standard workstations with them etc., putting the accounts/credentials at risk of theft.
On most networks, it's fairly trivial to move laterally after the initial foothold and to capture Domain Admin credentials (because they're scattered all over the place), after which the entire network is compromised and it's game over.
I've seen it happen in the span of about 12 minutes from initial compromise via the internet to malware being deployed to thousands of endpoints at once through AD. No actual vulnerabilities needed, just bad (network) administrative practices.
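Detection logic for two of the unglamorous paths this thread keeps returning to, as an added example that is not any commenter's code: password guessing against RDP (the reply above about initial entry) and Domain Admin credentials exposed by interactive logons to ordinary workstations (this reply). The event shape, the Domain Admin and tier-0 lists, and the account, host and address values are all constructed.

```python
from collections import defaultdict

# Constructed reference data: which accounts are Domain Admins and which hosts
# (domain controllers, privileged access workstations) they may log on to.
DOMAIN_ADMINS = {"CORP\\jdoe_da", "CORP\\backup_svc"}
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}
INTERACTIVE = {2, 10}   # Windows logon types: 2 = console, 10 = RemoteInteractive (RDP)

def ev(t, eid, user, host, src, ltype):
    """Minimal stand-in for a Windows Security event (4624 success / 4625 failure)."""
    return {"t": t, "id": eid, "user": user, "host": host, "src": src, "type": ltype}

# Constructed sample events: one source hammering the RDP gateway, one user with
# two stray typos, and a Domain Admin logging on to a sales workstation over RDP.
EVENTS = [ev(t, 4625, "CORP\\administrator", "RDGW01", "203.0.113.9", 10) for t in range(0, 30, 5)] + [
    ev(100, 4625, "CORP\\bob", "RDGW01", "198.51.100.7", 10),
    ev(900, 4625, "CORP\\bob", "RDGW01", "198.51.100.7", 10),
    ev(120, 4624, "CORP\\jdoe_da", "WS-SALES-17", "10.0.5.23", 10),
    ev(130, 4624, "CORP\\jdoe_da", "DC01", "10.0.0.11", 2),
    ev(140, 4624, "CORP\\alice", "WS-SALES-17", "10.0.5.23", 2),
]

def rdp_bruteforce(events, threshold=5, window=60):
    """Return {src_ip: total failures} for sources with >= threshold failed RDP
    logons (4625, logon type 10) inside any window-second span."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 10:
            by_src[e["src"]].append(e["t"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

def da_logons_off_tier0(events):
    """Return (user, host) pairs where a Domain Admin logged on interactively to a
    host outside tier 0, leaving the credential exposed to theft on that machine."""
    return sorted({(e["user"], e["host"]) for e in events
                   if e["id"] == 4624 and e["type"] in INTERACTIVE
                   and e["user"] in DOMAIN_ADMINS and e["host"] not in TIER0_HOSTS})
```

On the sample data the first check flags only the source with six failures in 25 seconds, and the second flags only the Domain Admin logon to the sales workstation, not the same account's logon to the domain controller.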
Explanations I've heard tie it to the SolarWinds breach, which is far worse in implication than we may have ever thought, or that Russia's Internet Research Agency may be amping up political pressure on Joe Biden through state-sponsored attacks.
I agree. It is frustrating that the NSA essentially spends taxpayer dollars to collect and hoard zero days that eventually get used against us when they could be disclosing them to vendors who could in exchange selectively deploy patches geographically to always enable protection of these very assets without interfering with international NSA missions. There is no reason the country responsible for developing virtually all modern technology should be so encumbered by it as to let it be used against us.
You don't need NSA-grade vulnerabilities to find a company to exploit these days. This is a frequent security trend: obsessing over the most sophisticated attacks (they're exciting!) while ignoring the boring ones (let's audit the security of our assets, clean up old accounts, and rotate passwords).