This month’s news includes breaches, breaches, and more breaches, some of them using interesting tactics and techniques. Read on to find out what we’re talking about this month.
TeamTNT Hijacks Servers to Run Bitcoin Encryption Solvers
Signs of TeamTNT activity have been observed by analysts at AquaSec, a pure-play cloud native security company, on honeypots since early September. This means the notorious hacking group is back in action after declaring a cease of operations in November 2021. The recent attacks have signatures linked to TeamTNT and use tools previously deployed by the gang. The most remarkable tool has been to use the computational power of hijacked servers to run Bitcoin encryption solvers. This article goes into depth about these new attack pathways and other novel characteristics of the attacks.
“An organization can never let its guard down against cybersecurity threats. This threat actor group was supposedly done attacking organizations as of November 2021, but here they are again with new advanced tactics aimed at cryptocurrency. Organizations have to stay aware of old and new threat actors and their tactics. Besides a defense in depth (layered) approach, organizations need a solution that can also misdirect an adversary away from valued assets, immediately detect threats, and provide real-time tailored CTI and threat-hunting capabilities. In other words, proactive cybersecurity measures need to be implemented.” — Shunta Sanders, Director of Global Pre-Sales Engineering
Source: Bleeping Computer, September 19
Quarter of Healthcare Orgs Say Ransomware Attacks Result In Patient Deaths
A study from Ponemon Institute and Proofpoint shows that nearly a quarter of healthcare organizations hit by ransomware attacks experienced an increase in patient mortality. The most common consequences of cyberattacks are delayed procedures and tests, followed by increased complications from medical procedures. Ransomware was shown to be the most likely to have a negative impact on care. The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” surveyed 641 healthcare IT and security practitioners.
“Healthcare cyber attacks are becoming more common. Hospitals and other healthcare organizations know there are human lives at risk. Deception has been proven to reduce the damage this kind of targeted attack can cause.” — Fernando, Founder
Source: eSecurity Planet, September 11
Detecting Suspicious Activity in AWS Accounts with Decoys
This blog post by Amazon shows how to create low-cost private decoy AWS resources in AWS accounts and configure them to generate alerts when they are accessed. Adopting multiple ways to detect suspicious behavior and notify response teams or workflows to take action is becoming more and more common across all sectors. AWS touts the use of honeypots as an effective way to detect suspicious behavior. These decoy resources appear legitimate but don’t contain any useful or sensitive data and typically are not accessed in the normal course of business by users and systems. Any attempt to access them is a clear signal of suspicious activity that should be investigated, one of deception technology’s clearest calls to action.
“AWS has published an interesting approach on how to use AWS private decoys to detect suspicious behavior and how they manage the Fidelity-Isolation-Cost trilemma using AWS resources. That means make it real, isolated and take care of the budget. There are also examples including resources, trails, events and how to deploy and test the solution.” — Juan de la Fuente, Threat Intelligence Analyst
Source: Amazon, September 6
US Cyber-Defense Agency Urges Companies To Automate Threat Testing
The US government has come out with a new recommendation for companies — automated continuous threat testing. This strategy helps to protect against longstanding online threats by continually validating security programs against known threat behaviors. In this article, a government official states that emulating adversaries and testing against them is key to defending against cyberattacks. Read more for the alert from the Cybersecurity and Infrastructure Security Agency and several other US and international agencies.
“We are well aligned with the US government here. CounterCraft The Platform can be used with zero effort to aid in detecting well-known tactics and procedures (and also unknown ones!).” — Fernando, Founder
Source: Bloomberg, September 14
Uber Says Lapsus$-Linked Hacker Responsible For Breach
A hacker affiliated with the Lapsus$ hacking group was responsible for a cyber attack that forced Uber to shut several internal communications temporarily last week. While the attacker didn’t access user accounts or the databases that store sensitive user information such as credit card numbers, bank account or trip details, they did access several internal systems. Investigation is still underway to determine the impact of the incident. The breach happened when a contractor accepted a two-factor login approval request.
“Whenever a global company suffers a breach, it’s big news. The fact that this attack started by compromising a contractor is always interesting and makes clear that an advanced threat actor was behind it. Deception can be key in this kind of attack, as even companies that have done a good job setting up cybersecurity measures are still quite vulnerable when attackers manage to breach all the cybersecurity barriers.” — The Leadership Team
Source: Reuters, September 19