Criminals Take Cyberattacks to the Next Level: Recent Cybersecurity Attacks & Tactics Explained
If you’ve been watching the news, it’s no surprise that criminals are getting more innovative with their cyberattacks. They’re going after your security tools, targeting your backups, breaching your security vaults, and more. In this blog, we’ll dive into three cybercrime case studies, examine the new tactics criminals used in recent cybersecurity attacks, and explore the top security control you can use to reduce your organization’s risks.
Case Study 1: The IHG Hotel Chain Cyberattack
Last month, the parent company of the Holiday Inn, IHG, was the victim of a destructive attack that shut down their computer systems. It turns out they were hacked by a criminal couple from Vietnam, who broke in and attempted to install ransomware. According to BBC News, which interviewed the criminals, the couple sent a phishing email containing a “booby-trapped” email attachment. Some reports indicate that the couple also had to “bypass an additional security prompt message sent to the worker’s devices as part of a two-factor authentication system.” Multi-factor authentication (MFA) bypass attacks, such as the one used in the IHG attack, are an increasingly popular attack tactic. In fact, a similar MFA fatigue attack—where the criminals unceasingly send MFA verification requests to the user’s cell phone until they finally click one and enable the criminal to bypass authentication security—was also recently used in the September Uber attack.
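One defensive counterpart to the MFA fatigue tactic described above is to watch the authentication logs for push-prompt bursts. The following script is an added example and is not code from the original post or from LMG Security; the log format, the user names and the five-minute/three-prompt thresholds are constructed assumptions for illustration.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example (not from the original post): flags users who receive a burst
of push prompts in a short window, and highlights the risky case where an
approval follows a run of denials or timeouts. Log format is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, user, push result.
SAMPLE_LOG = """\
2022-09-15T08:01:10Z alice push_denied
2022-09-15T08:01:45Z alice push_timeout
2022-09-15T08:02:20Z alice push_denied
2022-09-15T08:02:55Z alice push_denied
2022-09-15T08:03:30Z alice push_approved
2022-09-15T08:05:00Z bob push_approved
2022-09-15T09:10:00Z bob push_approved
"""


def parse_log(text):
    """Return a list of (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users with at least `threshold` prompts inside `window`.

    Returns {user: {"prompts": n, "approved_after_denials": bool}}, where
    approved_after_denials is True when the first approval in the burst was
    preceded by at least threshold-1 denials/timeouts (the fatigue signature).
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        for i in range(len(evs)):
            # Sliding window anchored at prompt i, in chronological order.
            burst = [r for ts, r in evs[i:] if ts - evs[i][0] <= window]
            if len(burst) >= threshold:
                first_ok = next((k for k, r in enumerate(burst) if r == "push_approved"), None)
                approved_after = first_ok is not None and first_ok >= threshold - 1
                findings[user] = {"prompts": len(burst), "approved_after_denials": approved_after}
                break  # one finding per user is enough for an alert
    return findings
```

Running `find_push_fatigue(parse_log(SAMPLE_LOG))` flags alice (five prompts, approval after four denials) and leaves bob alone; a real deployment would feed the same logic from the identity provider's sign-in logs and alert on the approved-after-denials case.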
The criminals in the IHG attack claim that once they were in the IHG environment, they were able to access the company’s internal Outlook emails, Microsoft Teams chats and server details. In addition, they say they found an improperly stored password that they were also able to leverage, although IHG denies this claim. The couple planned to deploy ransomware, but IHG’s security systems blocked their attempt, so the couple decided to simply delete the data instead.
The end result? Not only were IHG’s customers inconvenienced by the system downtime, but the company’s bookings plummeted after the attack. While the average worldwide total cost of a data breach is a staggering $4.35 million USD, the reputation damage and loss of customer and partner trust can add to the already painful losses and cripple an organization.
Case Study 2: BlackCat Attacks a NYC Company
BlackCat is a prominent ransomware gang that has also attacked a German oil supplier and an Italian energy agency. Many in the industry think BlackCat is a rebrand of the DarkSide gang—the criminals responsible for the Colonial Pipeline attack.
BlackCat is known for leveraging ransomware as a service (RaaS). RaaS is a criminal version of the business franchise or affiliate model. As with any franchise model, there can be varying levels of guidance, tools and materials involved, but the result is the same—it ensures criminals no longer need to be skilled developers to launch successful ransomware attacks. The kits can also come with customer support and access to extortion sites to pressure the victim and receive payment. For more details, read this RaaS blog or take a deep dive into criminal marketplaces by watching this video on How the Dark Web Works.
One of BlackCat’s recent cybersecurity attacks targeted a 150-person company based in New York City. Many employees were working remotely, and they were confused when they experienced a sudden, marked slowdown in remote access. Sadly, two days later they discovered why. Criminals had been exfiltrating their data and then ultimately detonated a ransomware attack.
The criminals entered the company’s environment through an old, unpatched vulnerability in the Citrix VPN. They spread throughout the network using stolen passwords and common IT tools, rather than malware—a growing trend that today’s criminals frequently use to avoid detection. Many of today’s criminals also look for the victim’s financial data and cyber insurance coverage before they deploy ransomware. This enables them to analyze the victim’s finances and insurance coverage limits in order to ensure they ask for the maximum possible payment.
Case Study 3: Suffolk County, NY Faces Comprehensive System Lockdown
BlackCat has been busy—another of their recent cybersecurity attacks targeted New York’s Suffolk County. The criminals crippled the IT systems, email, and websites, as well as 911 services—reducing them to phone calls and hand-written records. In addition to locking down their systems, BlackCat stole and threatened to publish 4TB of data unless the ransom was paid. This likely includes all sorts of personal and financial data. While these extortion exposure tactics have been around for a couple of years, they are likely to remain popular moving forward.
In a new twist, BlackCat has a newly updated toolkit which includes advanced features, such as automatically extracting passwords from backups. BlackCat also attacked Suffolk County’s backups and stole the passwords, so the county could not easily restore its data. (This is a prime example of why organizations need to carefully configure and protect backups and cybersecurity tools.) But BlackCat did not stop there: they also turned this into a supply chain attack and compromised and encrypted the networks of several of Suffolk County’s contractors as well. When the ransom was not paid as requested, they posted some of the data.
This attack is even harder to respond to because BlackCat wrote its ransomware in the Rust programming language. Rust is a secure, memory-safe language that yields a faster, more portable ransomware binary and makes recovery efforts notably harder. As you can see from these recent cybersecurity attacks, Ransomware-as-a-Service enables criminals to attack many more targets using a single infrastructure.
Lessons Learned from Recent Cybersecurity Attacks and 6 Keys to Reducing Risks
As we can see in these case studies, criminals will continue to innovate to create stronger ransomware programs and tactics. It’s not possible to stay ahead of every zero-day exploit and human error that can open the door to a cyberattack. But there are multiple different strategies you can use to reduce your organization’s risk. Let’s take a quick look at the top strategies.
- Multi-Factor Authentication (MFA) is an added layer of protection to verify it’s really you who is accessing your account and not a hacker. It is one of the simplest, most cost-effective strategies organizations can use to reduce risks in a variety of areas. We talk about MFA so often, we’re not going to go into details here, but check out our MFA tip sheet and free MFA implementation videos to learn more.
- Employee Cybersecurity Awareness Training is crucial to make everyone in your organization part of your first line of defense against cyberattacks such as phishing, business email compromise and more. Ensure you routinely communicate cybersecurity policies, procedures, and best practices to stakeholders, including IT staff, security team members, legal counsel, general employees, and the leadership team. An online training portal format is the most effective way to train your team. Read this blog for more details. Don’t forget to arrange any specialized training that might be required for your cybersecurity responders and executive board.
- Endpoint detection and response (EDR) & extended detection and response (XDR). EDR is a robust endpoint security solution that is a step up from traditional signature-based antivirus programs. Leading EDR tools offer integrated threat intelligence with continuous real-time monitoring and behavioral detection, as well as immediate mitigation and response, threat hunting, and historical forensic data collection capabilities. With EDR, the solution not only detects and immediately quarantines threats, but it also provides the information you need for threat hunting, along with response capabilities. To learn more about EDR, watch this 6-minute EDR video. To take it a step further, XDR extends the capabilities of EDR by incorporating additional data sources from your network, email, and cloud, and by integrating with SIEM and SOAR systems.
- Incident response tabletop exercises help organizations discover their strengths and weaknesses BEFORE they have an incident. They require gathering the incident response team, including IT, management, public relations, legal counsel, etc., and stepping through the team’s response to a given scenario using the organization’s incident response plan as a guide. This is an important way to identify weaknesses or gaps in the plan or process and ensure that all members of the team are familiar with their respective roles and responsibilities. Cybersecurity leaders, from NIST to industry associations and government agencies, agree that these exercises are an important part of your organization’s incident response preparation.
- Data Mapping & Control. Until you know what assets you’re trying to protect, you can’t properly protect them. You need to identify and inventory all of your systems, data, and assets, as well as decide on a tracking mechanism that meets your needs and budget. Small organizations may be able to start with an Excel worksheet and manually track their data (although this takes a lot of time). The more popular option is to use a tool like OneTrust that integrates data mapping with your risk processes to provide an evergreen map of data flows and complete records of processing. As you inventory your data, consider what you can delete. Data is hazardous material: the more data you have, the more risk you incur if you are breached. One of the quickest and most inexpensive ways to reduce your risk is to reduce the amount of data you hold. Only keep necessary data, and regularly review and delete data as part of your organization’s cybersecurity plan. However you proceed, it’s crucial that you continuously update your records of assets and inventories so you can correctly analyze risk and identify security gaps.
- Effective Backups are a crucial part of your cybersecurity program. Start by ensuring that you are backing up ALL your data – onsite, cloud, BYOD – everything you may need to recover. But backing up your data is not enough. How you maintain, test, and configure your backups can make a big difference in whether your backups have what you need. These backups should be immutable, use the appropriate retention time, and cover all the necessary data (including cloud and remote repositories). In addition, your organization should have a routine testing schedule and restoration plan. Watch this video case study on how backup policies and testing can be critical after a data breach.
We hope you found learning more about these cybercrime case studies and the new tactics criminals used in recent cybersecurity attacks helpful. An ounce of prevention is worth a pound of cure—use these suggestions to enhance your cybersecurity posture and decrease your organization’s risks. Please contact the LMG Security team if you need help implementing these solutions, developing policies, testing your environment, or training your team. We’re ready to help.