Modern Attacks Include Supply Chain "Hopping" and Reversing Agile Environments
Cybercrime groups are becoming more creative and using tactics such as supply chain attacks against digitally transformed and agile environments.
According to a new report by VMware Carbon Black, which included a survey of 83 incident response and cybersecurity professionals, 82% of attacks now involve instances of “counter incident response” where victims claim attackers have the resources to “colonize” victims’ networks.
Speaking to Infosecurity, Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, said there has been a common “arrogance in how we conduct incident response” and this allows the adversary to know that the defender has spotted them, and attackers move into “a destructive attack mode” in response. This will involve them tampering with agents, dropping wiper malware and ransomware, and changing time stamps on logs whilst they are in the victim’s environment.
“We must do a better a job of how we react” Kellermann said, adding that there needs to be a “silent alarm” system on when an attacker is spotted in your environment, as we currently “make critically bad assumptions” on how to manage threat hunting and when reacting. “As we know, we are in a brave new world, and the greatest cybercrime crews are protected by regimes, and with a dramatic spike in social unrest, businesses have been forced to use digital transformation to exist in the pandemic,” he said. This means being less visible in the response and hunting efforts.
This has born the concept of “island hopping,” where an attacker infiltrates an organization’s network to launch attacks on other businesses along the supply chain. This is the concept of an attacker doing a series of compromises along a supply chain, hitting multiple victims. Kellermann said there has been a “dramatic escalation and punitive measures deployed from the adversary,” and this has resulted in 55% of attacks targeting the victim’s digital infrastructure for the purpose of island hopping.
“Imagine when a corporate infrastructure pushes payloads to its constituency,” he said, stating that many businesses do not understand their supply chain, and attackers can “move from MSSP to cloud provider to marketing forum.” Kellermann said this concept of attack works in four steps:
- The network is attacked and the attacker pushes malware code using your infrastructure and to all VPN tunnels
- They add watering hole attacks, expand the attacks to mobile devices so common vulnerabilities are effective
- Reverse access to Office 365 to scrape messages and use them to create context and for social engineering so fileless malware comes from you and your account
- Target APIs
Kellermann said: “The rapid shift to a remote world combined with the power and scale of the dark web has fueled the expansion of e-crime groups. Now ahead of the election, we are at a cybersecurity tipping point, cyber-criminals have become dramatically more sophisticated and punitive focused on destructive attacks.”