Cybercriminals are constantly looking for ways to monetize the data they get their hands on. Over time, they have developed a criminal ecosystem that uses advanced technologies, new tools, and even purpose-built developments to access, steal, distribute and sell the information that they have in their sights. Because of this criminal ecosystem, 2019 has been a turbulent year for cybersecurity, cyberattack prevention and IT system protection in all kinds of organizations, both public and private. The professionalization of the tactics, techniques and procedures used by black hats has, in turn, driven an ever more pronounced shift in mindset within organizations that aim to raise awareness.
According to The Global Risks Report 2019, published annually by the World Economic Forum, massive data fraud and theft is fourth on the list of global risks by likelihood over a 10-year horizon, and cyberattacks fifth. By way of comparison, in the 2011 edition of the same report, “online data and IT security” were much lower down on this list.
Over the last 12 months, 3 kinds of cybercrime have been particularly active, and have caused reputational, economic and operational damage, along with the loss of sensitive information.
1. Ransomware_
This has been yet another year in which ransomware has been one of the most common attacks around the world. This malware is in constant evolution, with many new strains being seen every year. The statistics speak for themselves: ransomware attacks have shot up 500% in 2019 compared with the same period last year.
For an example of this increase, we need look no further than the USA. In the States, multiple local governments’ IT systems were brought down by ransomware, leading to essential public services being suspended in the cities affected. One particularly controversial case was the attack on Jackson County in Georgia; here, the local government opted to pay the steep ransom demanded by the cyberattackers: $400,000 to recover the files, which had been encrypted most likely by a variant of Ryuk. In terms of scope, the attack experienced in Texas in the month of August was particularly intense. Twenty-two local governments were simultaneously hit by a coordinated ransomware attack coming from the same source. In this case, the ransom demand was the staggering sum of $2.5 million.
After this first wave, which focused on public administrations in the USA, the latest victims of ransomware over the last few months have mainly been city halls and public institutions in Europe.
The Police Federation of England & Wales was another institution to have its databases and servers encrypted by malware. The attack also managed to erase the backups that the organization had created. In Spain, the first signs were seen in the Basque Country, where there were at least four reports of alleged cybersecurity crimes. Warnings were sent out about a massive campaign of emails containing attachments with malware. In Zaragoza, a piece of ransomware called Sodinokibi hijacked the servers of Imefez (Municipal Institute for Employment and Business Development), leaving around 70 unable to work. The cyberattackers demanded a ransom of €30,000.
But these are far from the only examples. We’ve also seen similar cases in purely industrial companies, such as the Japanese Hoya Factory, which had to stop its production systems after losing, among other things, the credentials needed to keep them functioning correctly. The Mexican oil company Pemex was one of the most recent victims of a ransomware attack on an industrial environment, when its employees were forced to shut down their computers and stop work after IT systems were encrypted.
The victims of many of these incidents had something in common: they were large institutions, which meant that the cybercriminals behind the attacks expected them to pay the ransom in order to get back to normal. This has led ransomware to be among the greatest concerns for large companies. These same companies have also experienced a significant number of cyberattacks that use Living-off-the-Land (LotL) techniques—the use of trusted system tools to stay hidden.
In our predictions for 2019, we included an increase in live hacking using fileless techniques. Now, with the year coming to an end, we can confirm that this prediction has very much come true. The use of fileless and Living-off-the-Land techniques via PowerShell, scripting, WMI and legitimate third-party software has become routine for attackers. And the trend is set to continue to grow in 2020.
2. Phishing_
In spite of how long it has been around, and the fact that companies are increasingly raising employee awareness, phishing is still the starting point for many cyberattacks. This technique takes advantage of employees, who are very often the weakest link in the cybersecurity chain.
In 2014 this cyberattack technique gained even more notoriety after the theft of 80 million JP Morgan bank accounts. In 2019, it is still extremely active. This is reflected in the RSM report Digital transformation and its impact on cybersecurity. According to those surveyed, 46% of successful cyberattacks started with a phishing email sent to an employee.
As well as traditional phishing, 2019 has seen an increase in a more complex type: spear phishing. This highly targeted kind of cyberattack involves an employee receiving an email that seems to be from a superior or a trusted colleague, asking them to carry out some particular action. But we’ve also seen that an email isn’t always even necessary to impersonate the boss. Back in August, the CEO of a British company believed he was speaking to the head of the company’s German parent company. However, the voice was in fact being simulated using artificial intelligence. The trick worked, and the CEO transferred the €200,000 the criminal asked for.
3. Critical infrastructure_
Cyberattacks against this kind of infrastructure are among the most damaging, and are still going strong. These physical targets are not always attacked by your average cybercriminal. They tend to fall prey to the more sophisticated attacks seen in cyberwar, which are able to sabotage an enemy’s infrastructure remotely. The ability to do so is of such value that the intelligence services of the most powerful nations in the world attempt to carry out these kinds of attacks.
Attacks on critical infrastructure are nothing new—the US and Israeli use of Stuxnet to destroy 1,000 centrifuges in an Iranian nuclear power plant is proof of this—but 2019 brought new examples. This is the case of several hospitals in the USA, which had to stop all operations and medical procedures after a cyberattack, or the cyber-fights between Israel and Palestine.
Cyberattacks on critical infrastructure represent a real threat to nation states for two reasons. Firstly, they can paralyze, or at least interrupt, public services (power supply, healthcare, bureaucracy…) that are vital to the country. Secondly, as we have already mentioned, they can plunge nations into a state of constant cyberwar in defense of their own systems.
Zero-trust as a solution_
Even companies with a mature cybersecurity strategy are susceptible to cyberattacks. And no one wants to suffer a security breach, which is why so many resources are invested in reinforcing protection measures. This, however, is not enough; cybersecurity strategies are open to misinterpretation.
It is important to stress, for example, that not all of the organization’s assets need to be protected in the same way, and that investing more in cybersecurity isn’t always a guarantee that the organization will be safer. The fact is that companies need to focus on what is closest to them: the place where the information sought by cybercriminals is actually stored, the endpoint.
Cyberattackers use a litany of tactics, techniques and procedures to get hold of the information that they are after. Along the way, they leave a trail in the form of behaviors that, while not necessarily malicious, are certainly suspicious. This is why a zero-trust policy is the most important strategy for organizations to be able to prevent these incidents.
At Cytomic we offer a managed model that is based on this policy for unknown processes, applications or executables, stopping them from running until they have been verified as trusted applications. This model, along with the subsequent behavioral profiling of each process, has proven to be the most effective to date when it comes to preventing security breaches. What’s more, our continuous, complete and detailed monitoring of all activity on all endpoints allows us to detect anomalous behavior and act on it.
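To make the two ideas above concrete (the Living-off-the-Land techniques via PowerShell and WMI mentioned earlier, and the default-deny plus behavioral-profiling model described here), the following is an added illustration written for this article; it is not Cytomic’s product code, and the trusted set, the rule list and the process events are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

def image_hash(name: str) -> str:
    """Stand-in for an image hash: hashes the file name (constructed, not a real hash)."""
    return hashlib.sha256(name.encode()).hexdigest()

# Constructed set of binaries already verified as trusted. A real deployment keys this
# on the hash or signature of the on-disk image, never on the file name alone.
TRUSTED = {image_hash(n) for n in
           ("svchost.exe", "powershell.exe", "cmd.exe", "wmiprvse.exe", "excel.exe", "winword.exe")}

@dataclass
class ProcessEvent:
    image: str      # file name of the new process
    sha256: str     # hash of its image, as reported by the endpoint sensor
    parent: str     # file name of the parent process
    cmdline: str    # full command line

# Behavioural rules: trusted tools being used in ways typical of LotL activity.
LOTL_RULES = [
    ("encoded PowerShell command",
     lambda e: e.image == "powershell.exe" and re.search(r"-e(c|nc|ncodedcommand)?\s", e.cmdline, re.I)),
    ("PowerShell download cradle",
     lambda e: e.image == "powershell.exe" and re.search(r"downloadstring|invoke-webrequest", e.cmdline, re.I)),
    ("shell spawned by WMI provider host",
     lambda e: e.parent == "wmiprvse.exe" and e.image in ("cmd.exe", "powershell.exe")),
    ("Office application spawned PowerShell",
     lambda e: e.parent in ("winword.exe", "excel.exe") and e.image == "powershell.exe"),
]

def classify(e: ProcessEvent) -> tuple[str, list[str]]:
    """Default deny: an unverified image is blocked before it runs. A verified image is
    allowed to run but raises an alert when its behaviour matches a LotL rule."""
    if e.sha256 not in TRUSTED:
        return "block", ["image not in verified-trusted set"]
    reasons = [name for name, rule in LOTL_RULES if rule(e)]
    return ("alert" if reasons else "allow"), reasons

# Constructed sample events (not real telemetry); the -enc argument is a placeholder.
EVENTS = [
    ProcessEvent("svchost.exe", image_hash("svchost.exe"), "services.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("powershell.exe", image_hash("powershell.exe"), "explorer.exe", "powershell.exe -NoProfile Get-Process"),
    ProcessEvent("powershell.exe", image_hash("powershell.exe"), "winword.exe", "powershell.exe -w hidden -enc BASE64PLACEHOLDER"),
    ProcessEvent("cmd.exe", image_hash("cmd.exe"), "wmiprvse.exe", "cmd.exe /c dir"),
    ProcessEvent("updater.exe", image_hash("updater.exe"), "explorer.exe", "updater.exe --silent"),
]

def verdicts(events=EVENTS) -> list[str]:
    """One verdict per event, in order: allow, alert or block."""
    return [classify(e)[0] for e in events]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.image, classify(e))
```

Note that the third and fourth events are both trusted, signed-looking system binaries; only the behavioral layer separates them from the benign PowerShell and svchost launches.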
It is vital that organizations become aware of the fact that threats can take many forms. It is therefore not a case of designing defenses against one specific threat; what is needed is a comprehensive strategy that is able to analyze all running processes on the system, and act before any vulnerability can be exploited.