This is the inagural post of Atec Group’s weekly security roundups, and the gravity of the current state of cyber security really hits home as I sit down to prepare this post today. I am currently following two really big things going on in the infosec world.
1.) Hive Ransomware Gang Dismantled By The FBI
Summary
The FBI has infiltrated the network of a prolific ransomware gang known as Hive, saving victims, including hospitals and school districts, a potential $130m in ransom payments (Source – Security Week “Hive Ransomware Operation Shut Down by Law Enforcement”). The FBI gained access to the gang’s control panel in July, and was able to obtain software keys to decrypt the network of some 1,300 victims globally. The targeted syndicate operates one of the world’s top five ransomware networks and has heavily targeted hospitals and other health care providers. It was not immediately clear how the takedown will affect Hive’s long-term operations.
Analysis
The FBI has been very busy fighting a cyber war on two fronts. On the one hand, you have organized crime holding critical data for ransom – the modern day equivelent of bank robbery – but then you also have nation-state actors that are going after targets of opportunity in the USA. the FBI is keeping information close to the chest about how they actually got in there and infiltrated the gang, which is understandable. What is important here is what Hive actually was – a “Ransomware As A Service” (RaaS) that connected attackers to targets through a sophisticated adn rapidly deployable model. Previous to RaaS offerings like Hive, attackers has to put together all the infrastructure pieces before they could roll out their attacks. Think of RaaS as a niche Platform As A Service for the dark web. So, taking down this operation, or a huge chunk of it, would be like a cloud hosting provider getting shut down abruptly. This means that some of the former client criminal organizations who were using this service will be looking to rapidly deploy new ransomware infrastructure to continue operations, while others will lay low for a while so as not to attract law enforcement. Going after organizations like this is like smacking jello with a hammer, it goes everywhere.
Actionable Steps You Can Take Today Against Ransomware
- Keep an eye on logs to make sure there is no botnet activity on your network.
- If you find any, promptly remove those hosts physically from your network and make sure they are properly sanatized
- Ensure you have air-gapped backups. Tape backups are good for this, so are specialty cloud providers that do block or version locking
- Ensure you have a Disaster Recovery plan. If you dont, any plan is better than none – make something right away and iterate over it as time permits
2.) Russian Hacker Group Killnet Targets German Airports
Summary
Websites of German airports, financial sector organizations, and public administration bodies have been hit by cyberattacks instigated by a Russian “hacker group”, according to German authorities (Source – Security Week “Cyberattacks Target Websites of German Airports, Admin”) . The Federal Cyber Security Authority (BSI) had knowledge of distributed denial-of-service (DDoS) attacks against targets in Germany, a spokesman said. The attacks were aimed “in particular at the websites of airports,” as well as some “targets in the financial sector” and “the websites of federal and state administrations,” the spokesman said. The group’s call to arms was in response to Chancellor Olaf Scholz’s announcement that Germany would send Leopard 2 tanks to Ukraine to help repel the Russian invasion, according to financial daily Handelsblatt.
Analysis
This is the least shocking news I’ve read this week. Germany, Poland, Canada, The United States and other countries are going to be giving Ukraine tanks to counter Russian aggression in the Russian-Ukraine war. What makes nation-state hacker groups like Russia super dangerous is that they dont want money, they want to destroy what they can and deny access to everything else. The objective measure of success in a war is the control of territory. How one does that is largely dependant on the nature of the battlefield and the beligerant’s overarching strategy. One thing that commanders on the battlefield do is something called “area denial.” Examples of this would be minefields, traps and other consitions that would make a formation travel elsewhere enroute to engage their adversary. Area denial allows an army to define the terms of a battle by forcing an adversary into a situation where they can get ambushed. On the digital battlefield this works a little differently, but the DDoS attack is area denial for the internet. Disrupting airports is a great way to prevent people from moving around effectivly. Germany, Poland and other geographically similar places are rear staging areas for experts that are supplying or helping Ukraine fight against Russian aggression. By disrupting the movements of everyone, you can cause delays and other frustrations that could have an impact on the battlefield. More likely than not, however, is you just make the citizens angry at their civil authorities, which plays into Russia’s information warfare strategy.
Actionable Steps You Can Take Today Against DDoS Attacks
The attack surface for targets like Airports is the public-facing infrastructure, like websites. The website is the weakest link on the internet, because of their public nature. I am honestly shocked at how many organizations still host their websites on-prem, and how many still are older versions of WordPress that havent seen a plugin update in over a year because it breaks their site when they do attempt an update. Self-hosting a website is asking for trouble, and if you take a massive influx of garbage traffic like in the case of a DDoS – you dont have anywhere else to bleed that traffic off to. You are it. Most business circuts are not designed to take 5+Gbps of traffic for a sustained period of time, so such attacks could deny access to adjacent subscribers on the same network.
Here is how you protect yourself, and those within your “internet blast radius.” You can deploy #1 right away in most cases.
- Deploy a WAF/CDN like Cloudflare – They have a very robust free offering that will proxy your site, and speed it up. Their paid plans also protect things like API endpoints as well. Cloudflare’s network is HUGE and they have stopped massive DDoS attacks. If you are not using a Cloudflare or something similar in front of your website, you need to deploy a WAF posthaste.
- Make sure your underlying website sortware is up to date – If you are using a CMS like WordPress, Expression Engine, Joomla, Drupal, whatever the CMS may be, make sure it is up to date, espically if it is a mission critical part of your business. If your website is purely informational and doesnt update much, consider something like Hugo, Gatsby or one of the many static site generators available for use. My personal website uses Hugo and Cloudflare pages. I pay nothing to run my site, and whenever I commit a change to it on GitHub, the site is automatically deployed. It’s no fuss, and my goodness it is fast.
Conclusion
If you found this helpful, please feel free to share this article, and subscribe to our mailing list if you are not already. Be well everyone!