Cyber Threat Intel Brief for January 31, 2022

Recent Threats by Industry

Cyber / MSP / MSSP Windows Services lay the groundwork for a Midas ransomware attack- An attack on a technology vendor in December 2021 used a ransomware known as Midas and leveraged at least two different commercial remote access tools and an open source Windows utility in the process. This poses a threat to MSPs and other businesses that use many remote access tools as part of their day-to-day business. https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/
Healthcare Ransomware- Ransomware continues to be a threat to healthcare providers and organizations. In August of 2021 Sanford Health- the leading healthcare system based in Sioux Falls - was targeted by attackers. Luckily Sanford Health was quick to respond and no compromise occurred.
https://www.usnews.com/news/best-states/south-dakota/articles/2021-08-05/sanford-health-targeted-by-cyber-hackers
SaaS Providers Cloud identity systems- The more users rely on shared infrastructure, the bigger the problem is when those providers are compromised. When core identity providers go down, the applications that depend on them are affected too. “This makes large identity providers a perfect target for hackers,” he continued. “For the fast-growing number of businesses around the world that depend on the Microsoft Azure cloud, Azure AD acts as a major identity provider, authenticating countless users every minute. Hackers compromising Azure AD could therefore take out several apps at once and do damage on a large scale.”

https://www.securityweek.com/cyber-insights-2022-identity

Financial Services Fraud is the single most common identity-based attack. Account takeover, account opening, and BEC scams are three types to watch for in 2022.

https://www.securityweek.com/cyber-insights-2022-identity

Biotech / Pharma Chinese hacker group APT 27- This threat actor group has long been suspected of launching attacks on Western government agencies. Recently it has started targeting German companies in sectors such as pharmaceuticals and technology. In addition to stealing trade secrets and intellectual property, the hackers may be trying to penetrate customers’ and service providers’ networks to infiltrate several companies at once, the BfV said in a circular to companies.

https://www.euronews.com/next/2022/01/26/germany-china-cyber

Government Canada Foreign Ministry- A cyber incident detected last week targeted the internet-based services of Canada's Foreign Ministry. Canadian cybersecurity officials were working to restore those internet services as of Monday night. "Critical services for Canadians" through the foreign ministry were not affected by the incident, the Treasury Board of Canada Secretariat, a government agency, said in a statement to CNN.

https://www.cnn.com/2022/01/25/politics/hackers-canada-cyber-attack/index.html


Cyber-Threat Forecast for the Quarter

Legion Cyberworks analyzes millions of security signals and events each month.  The following is a forecast of threats or other trends that can impact your organization.  Expect to see more of the following over the coming weeks and months.

Ransomware - Malicious code that when executed, encrypts victim data, prevents access to victim systems, applications, or data, or otherwise holds system/data/application hostage for ransom, usually paid using cryptocurrency.

Cases of ransomware will continue to rise in 2022, based on the volume of attacks, the dramatic growth of the "ransomware as a service" model that enables low-skill attackers to harness powerful tools for "creating", distributing, and collecting proceeds from ransomware attacks, and the increased use of ransomware in longer-term attack campaigns targeting larger and (presumably) more sophisticated organizations, governments, and militaries.

Supply Chain Attacks - Electronic or physical attacks on suppliers, which can affect confidentiality, integrity, or availability of goods or services.

Attackers may use vulnerabilities that affect multiple supply chain entities, including critical infrastructure providers, to carry out a coordinated attack that has a cascading effect.  Such an attack would likely cause increased harm to those affected, giving threat actors, including nation state adversaries of the USA, cover for additional hostile actions.

Talent Impact on Security - Refers to the lack of cybersecurity and technology talent needed to properly operate, maintain, and secure an organization's information systems.

A lack of in-house cybersecurity skills across a range of disciplines and experience levels means businesses face higher levels of exposure related to security, privacy, compliance, and other facets of information security. Businesses are encouraged to provide cybersecurity career development opportunities for their IT and security staff. This can be done through a combination of industry training (e.g. SANS, CompTIA), online education and training platforms, or attending local security meet-ups and groups such as your local ISSA chapter.

With a continued rise in the number of attacks US businesses face, we need a new generation of cyber-security talent to defend against increasingly sophisticated and potent threat actors.

Weekly Honeypot Stats for January 24, 2022

The following are curated from our network of honeypots which are exposed to Internet traffic.  Legion Cyberworks uses our network of honeypots to understand threat actor activities and observe trends.  This information is used to enhance our security awareness and the services we deliver to our customers.

Suricata Top 10 CVEs

Suricata Top 10 IDS Signatures

Top Attacks by Source Country


Suricata Top IDS Alert Categories

Top Attacks by Destination Port