This biweekly highlights APT operations' growing focus on supply chain compromise and the increasingly complex relationships among ransomware syndicates. We also cover the continued record-setting theft from decentralized finance (DeFi) platforms and note financial institutions' moves to deny banking services to disinformation groups.
Supply Chain Attack Risk is Very Likely to Increase Through 2021 for Many Verticals.
A report by the European Union Agency for Cybersecurity (ENISA) found that the risk of supply chain attacks increased significantly during 2020 and continues to rise through 2021, based on a study of 24 such attacks reported between January 2020 and early July 2021 (1). Half of the attacks are attributed to APT groups, and the majority compromise the supplier side of the chain with the aim of reaching customer data or intellectual property. It is very likely that supply chain attack risk is increasing because defenders rarely extend monitoring and verification to the supplier code, updates and access relationships they implicitly trust, so a supplier's compromise arrives looking like legitimate activity.
Multiple Threat Actors Leverage PrintNightmare to Move Laterally and Encrypt More Systems.
Ransomware operators continue to flock to attack avenues opened by vulnerabilities that remain exploitable because of poor patch management on both the supplier and the client side. Post-compromise exploitation of the Windows Print Spooler vulnerabilities known as PrintNightmare, CVE-2021-1675 and CVE-2021-34527, gives ransomware operators SYSTEM-level code execution on remote hosts, letting them move laterally to further systems and launch encryption, as Talos reported for Vice Society (2). These vulnerabilities are likely heavily exploited because of poor patch management and confusion during remediation: the June 2021 patch for CVE-2021-1675 did not close the remote code execution path (3), and the later fix for CVE-2021-34527 is ineffective on hosts where Point and Print restrictions have been relaxed in the registry (NoWarningNoElevationOnInstall or UpdatePromptSettings set to a non-zero value under HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint), so clients that made such manual reconfigurations left an equivalent exploit path open. This pattern indicates that unpatched vulnerabilities providing privileged remote code execution are very likely to continue to fuel ransomware attacks.
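As an added illustration, not taken from the referenced reports, the following PowerShell audit checks a Windows host for the conditions that keep PrintNightmare exploitable even after patching: a running Spooler service, relaxed Point and Print values, non-administrator driver installation, and remote client connections to the spooler. The registry path and value names are those in Microsoft's PrintNightmare guidance; the script, its finding strings and the treatment of the value 2 for RegisterSpoolerRemoteRpcEndPoint (the "Allow Print Spooler to accept client connections" policy set to Disabled) are this editor's assumptions about that guidance, and the script must be run elevated.

```powershell
# Added audit script for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) exposure.
# Assumptions: run in an elevated PowerShell session on a Windows host; registry
# locations and value names follow Microsoft's Point and Print guidance.
$printersPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpPath      = Join-Path $printersPath 'PointAndPrint'

function Get-RegValueOrNull {
    # Returns the named registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Spooler state. Hosts that never print (domain controllers, most servers)
#    should have the service disabled; that removes the attack surface entirely.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Spooler service is running (StartType: $($spooler.StartType)); disable it where printing is not required."
}

# 2. Point and Print values that re-open the RCE path on a patched host.
#    Microsoft's guidance: both must be 0 or absent for the July 2021 fix to hold.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-RegValueOrNull -Path $pnpPath -Name $name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value under PointAndPrint (insecure; must be 0 or absent)."
    }
}

# 3. August 2021 hardening: only administrators may install print drivers.
#    The value defaults to 1 when absent after the August update; an explicit 0 undoes it.
$restrict = Get-RegValueOrNull -Path $pnpPath -Name 'RestrictDriverInstallationToAdministrators'
if ($null -ne $restrict -and $restrict -eq 0) {
    $findings += "RestrictDriverInstallationToAdministrators = 0 (non-admin users can install print drivers)."
}

# 4. Remote RPC access to the spooler is the vector for CVE-2021-34527.
#    Assumption: policy value 2 corresponds to 'Allow Print Spooler to accept
#    client connections' = Disabled. Only meaningful while the service runs.
$remote = Get-RegValueOrNull -Path $printersPath -Name 'RegisterSpoolerRemoteRpcEndPoint'
if ($spooler -and $spooler.Status -eq 'Running' -and $remote -ne 2) {
    $findings += "Inbound client connections to the spooler are not disabled by policy (RegisterSpoolerRemoteRpcEndPoint is not 2)."
}

if ($findings.Count -eq 0) {
    'No PrintNightmare-related misconfigurations found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it across a fleet with your remoting tool of choice and treat any FINDING line on a host that does not need to print as a remediation ticket; on print servers, checks 2 and 3 are the ones that matter, because the patch alone is not a fix while those values stand.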
Ransomware Attack on US Hospital System Creates Strain to Patient Care.
Memorial Health System, which operates multiple hospital locations in the U.S., was the victim of a ransomware attack on August 15 that disrupted normal operations at many of its sites (4). Some lower priority cases were diverted to other hospitals, and two hospitals reportedly reverted to pen and paper. Urgent and high priority patient care was not affected. The impact lands on health systems in parts of the U.S. that are already strained by shifting regional pandemic spikes in hospital utilization (5).
It is Likely That Growing Ransomware Success is Driving Increasingly Complex Syndication.
Reporting indicates that individual ransomware affiliates are switching between the ransomware families they deploy with increasing frequency (6). Some affiliates also deploy more than one family or variant within a single attack. Both factors strongly indicate continued growth of ransomware attacks, driven by the monetary return that poor security practice makes available.
Nation-State Contact with Ransomware Syndicates Creates High Risk for Strategic Targets.
A report from Analyst1 draws a stronger link between nation-state activity and ransomware operations (7). The report specifically calls out Russian ransomware activity as providing a conduit to government channels. This evidence implies that targeting is highly strategic in some cases, and that the risk of exfiltration of proprietary information increases greatly. States that covertly support ransomware operations also create significant roadblocks to international prosecution.
Expansion of Decentralized Finance (DeFi) Platforms Puts Cryptocurrency Holders at Increasing Risk of Cybertheft.
The hack of the Poly Network on August 10 resulted in the largest theft of cryptocurrency to date, roughly $610 million (8). The attacker exploited the platform's cross-chain contract functions to drain assets on Binance Smart Chain (BSC), Ethereum and Polygon. The attacker later returned the stolen funds except for $33 million in the stablecoin USDT, which Tether had frozen (9). Poly offered the attacker a $500,000 bounty and an advisory position, both of which were refused (10). The remaining funds have since been returned to the Poly Network (11).
Financial Institutions Act to Limit Disinformation.
Several Dutch banks, including Rabobank, are refusing accounts to groups promoting "conspiracy theories and other proven disinformation" (12). The stated aim is to fight extremism, but this escalation may be a slippery slope that opens the door for institutions to arbitrate further types of information or status. Financial institutions that take overt action against disinformation groups should expect a high risk of retaliation from activist groups and linked affiliates, which is very likely to involve a cyber component.
References:
- (1) https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
- (2) https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html
- (3) https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
- (4) https://mhsystem.org/cyberattack
- (5) https://covid.cdc.gov/covid-data-tracker/#county-view
- (6) https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-trends-lockbit-sodinokibi
- (7) https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf
- (8) https://securityaffairs.co/wordpress/121005/cyber-crime/poly-network-cross-chain-hack.html
- (9) https://www.coindesk.com/poly-network-hack-attacker-prolongs-return
- (10) https://www.reuters.com/technology/crypto-platform-poly-network-rewards-hacker-with-500000-bug-bounty-2021-08-13/ ; https://www.cnbc.com/2021/08/17/poly-network-cryptocurrency-hack-latest.html ; https://cointelegraph.com/news/poly-network-hacker-returns-nearly-all-funds-refuses-500k-white-hat-bounty
- (11) https://finance.yahoo.com/news/poly-network-hacker-returns-remainder-180000594.html
- (12) https://www.nrc.nl/nieuws/2021/08/17/de-complotdenker-bankiert-maar-elders-zegt-de-bank-a4055125