Cyber attacks and cyber security


It never hurts to be careful when it comes to cyber security. Imagine that one day you discover that all of your customer data has been stolen from your company's servers. If your data is compromised in any way (whether through an attack from an external source or through human error), the result can be lost revenue, lost customers, damage to your reputation, and more.

Data loss is just one of the many risks involved in running a business. There are many different types of cyberattacks, and many companies today are vulnerable to them.

Cyber attacks are increasingly sophisticated and frequent, so individuals and companies must take the measures needed to prevent an individual or group from accessing, disrupting or stealing from their information technology systems.

Our goal is to improve the security outlook by sharing this important information with all of you. To achieve this, we will review the main security events of recent years and how they can shape a better approach to cybersecurity in the future.

Cyber attacks: a global problem

There are several threat groups that have been remarkably successful in their attacks, which has caused great concern in the international community.

The US government has identified ransomware as a major national security threat due to its ability to compromise critical American infrastructure.

Other governments share this concern about cyber attacks and consider cybersecurity a priority in their public security policies.

How do these cybercriminals work?

Threat groups have embraced services such as Ransomware-as-a-Service (RaaS), which is simply ransomware that attackers can acquire through a subscription, trade, and/or commission model, and Malware-as-a-Service (MaaS), which allows anyone to carry out a large-scale malware attack without prior technical knowledge or experience. Furthermore, they use Initial Access Brokers (IABs) to confuse their victims, and they also exploit vulnerabilities in programming languages such as Go, D, Nim, and Rust to achieve their goals.

Other threats include SMS phishing attacks (smishing), which have increased by 300% in North America in the last two years. A vulnerable app called SHAREit allowed remote code execution and had been downloaded more than a billion times. A recent study found that 63% of mobile apps tested use open source components, which are known to be vulnerable.

These cyberattacks have affected people and organizations of all types, including transportation companies, public organizations, public services, medical organizations, and more.

What actions are being implemented against hackers?

The increasingly real threat of cyber-attacks makes it vital for organizations and individuals to take measures such as keeping their programs up to date and keeping critical data backed up offline. But applying software updates only as a reactive measure does little to prevent attacks. Therefore, many organizations are looking for alternative security approaches, for example Zero Trust Network Access (ZTNA) and Extended Detection and Response (XDR); the latter enables detection of and response to security incidents across all layers of the IT environment. XDR technology automatically collects and correlates data from various sources, which can include endpoints, networks, and users. This allows more threats to be identified and gives analysts the comprehensive view of behavior and data they need to respond faster and more effectively.

Security teams are combining defenses and technologies to make security measures more robust.
New strategies include:

  • Prevention-first technology
  • Protection-first approaches
  • Signature-Based Analysis
  • AI and ML-based threat and anomaly detection at the network layer
  • Advanced correlation of various telemetry data sources

CYBER ATTACKS

Let's talk a bit about the attacks that made the most headlines around the world.
In February 2021, a group of hackers tried to contaminate the water supply of the Florida town of Oldsmar by tampering with the chemicals used to treat the water. Fortunately, the attempt was detected and stopped in time; otherwise it could have affected more than 15,000 people.

Several companies and organizations in different countries were attacked by different groups. These include CD Projekt Red (hit by "HelloKitty"), the University of the Highlands and Islands (hit by Cobalt Strike), public schools in Buffalo, New York (hit by ransomware), CNA Insurance (hit by Evil Corp), Colonial Pipeline (DarkSide victim), AXA (attacked by Avaddon), Brenntag (DarkSide victim), the Houston Rockets basketball team (attacked by Babuk), Acer (attacked by REvil), JBS Foods (also attacked by REvil), the Irish Health Service (affected by Conti), and investment platforms such as Robinhood (which suffered a data breach affecting seven million user accounts). These attacks occurred in Chile, Italy, Taiwan, the United Kingdom, and 40 other countries.
This gives us an idea of how frequent and effective these types of cyberattacks have been worldwide and how far we are from finding a solution.
According to a study from the University of Maryland, a cyber attack occurs every 36 seconds, that is, 2,244 attacks every day. This means that no one is immune to these attacks and that they are more frequent than most of us think.
Small and medium-sized companies represent 70% of the victims of cybercrime attacks, and in many of these cases the companies close their operations because they cannot recover after the attack.
These attacks on SMEs are increasing exponentially around the world, and very few cases are reported.
In 43% of cases, these SMEs do not have an action plan against these threats.

RECENT CYBER ATTACKS

Ransomware

Ransomware is malicious software that blocks a user's access to their data and then demands a ransom in exchange for the key that unlocks the data. Recently, there have been several ransomware attacks on infrastructure and technology companies. Some of the most prominent include the attack on Technopharm in October 2021, the attack on Blackbaud in May 2022, and the REvil ransomware attacks on JBS Foods and Acer. In May 2021 the criminal ransomware enterprise DarkSide attacked Colonial Pipeline, which was the largest successful cyberattack in history against oil infrastructure.

Below are some of the most successful and dangerous ransomware families that have affected the computer security of many organizations, companies and public figures around the world.

REvil

The REvil group, also known as Sodinokibi, is believed to have been based in Russia, because the group did not attack organizations of Russian origin.
This group ran ransomware-as-a-service (RaaS) operations and is responsible for many of the attacks of the last two years worldwide. One example is the attack against JBS, the world's largest meat supplier. This blow occurred in mid-2021 and forced the full or partial closure of many beef processing plants in countries such as the USA, Brazil and Australia, and the group obtained 11 million dollars in ransom from it.
The REvil group is also blamed for recent attacks against computer manufacturers, such as the ransomware attack that hit the Taiwanese giant Acer in March 2021.
Documents obtained from Acer reportedly include financial spreadsheets, bank balances, banking communications and Acer user data.
Other attacks by this group were:
- In May 2020, a terabyte of information was stolen from the law firm Grubman Shire Meiselas & Sacks (GSMS). In the attack on this firm, confidential data on people such as Lady Gaga, Madonna, Bruce Springsteen, Elton John and Donald Trump, then president of the United States, was leaked, and a ransom of $42 million was demanded.
- In July 2020, 800 GB of information was stolen from the Spanish railway company Adif, with threats to release sensitive information.
- In July 2021, hundreds of service providers were attacked by REvil ransomware via Kaseya remote management software.
- In July 2021, REvil broke into the computers of HX5, a weapons technology company that supplies the US Army, Navy and Air Force.

REvil disappeared.

After these attacks, the websites, forums and other tools used by this group surprisingly disappeared. This led the authorities to believe that the hacker group had ceased its criminal activities; however, one possibility considered by researchers is that the REvil group is back under another name.

DARKSIDE

DarkSide is a group of cyber criminals that carries out attacks using ransomware and extortion. It appeared in mid-2020 and also provides ransomware as a service (RaaS).
Among its most significant attacks are:
- The cyber attack on Colonial Pipeline in May 2021. Colonial Pipeline owns the largest oil pipeline in the US. The attack affected some of its information systems and halted all pipeline operations for a few weeks. Colonial Pipeline paid a $5 million ransom.
- The Toshiba unit that sells self-checkout technology and point-of-sale systems to retailers was attacked by DarkSide in May 2021. A minimal amount of work data was taken in the attack. Toshiba refused to pay the ransom.
- At the beginning of May, Brenntag, the largest chemical products company in the world, based in Germany, suffered a ransomware attack in its North American division. The DarkSide group stole 150 GB of data during the attack and, after negotiations, Brenntag paid a ransom of 4.4 million.
Investigators believe the group was able to extort about 90 companies in the US alone. DarkSide disbanded in May 2021.

CONTI

Conti is a ransomware that made its appearance in mid-2020. It is believed to be distributed by a group based in Russia, and its main targets are companies in manufacturing, insurance, health care, legal and professional services, construction and engineering, and retail. Its attacks are focused on Japan, Europe and the US, but a total of 40 countries have been affected. Since this threat is offered as ransomware as a service (RaaS), many analysts consider it one of the most worrisome threats in existence.
Its most notorious attacks are:
- In September 2021, Conti attacked the Japanese manufacturer JVCKenwood. This attack compromised approximately 1.7 terabytes of data, which was stolen and encrypted. The criminal group demanded a payment of $7 million for the return of the information.
- In May 2021, the Irish Health Service became another victim when Conti attacked the nation's public health system. The attack caused chaos throughout the healthcare infrastructure. The attackers managed to gather 700 GB of unencrypted data, including sensitive patient information and financial statements. The criminals demanded a ransom of $20 million to provide a decryptor and delete the stolen data.
- In April 2022, Conti attacked the information systems of the Costa Rican government, which led officials to declare a national emergency. The breach spread to multiple government entities, which were forced to stop their operations for months.
In this attack, the criminal group asked for a payment of $20 million.

AVADDON

Avaddon is another ransomware variant, which appeared in 2020. Its latest attacks have targeted organizations based in Australia and Asia-based cyber insurers. This group of hackers of Russian origin, with a track record of more than 170 infected companies, employed a double extortion scheme in which the cybercriminals subjected their victims to a distributed denial of service (DDoS) attack to apply even more pressure and thus obtain the ransom for the stolen information.
After several attacks, Avaddon's team halted operations in December 2021.
- In June 2021, they managed to steal information from the administrative area of the Mexican national lottery. Many organizations, from government agencies to companies in the healthcare or telecommunications sectors, in countries such as Brazil, Colombia, Chile, Costa Rica, Mexico and Peru were victims of Avaddon.
Avaddon stopped its operations in June 2021, and the criminal group decided to share the decryption keys so that victims could recover their files.

RAGNAR LOCKER

Discovered in April 2020, Ragnar Locker is both a ransomware and a ransomware gang. It made international headlines for its attacks on a Taiwanese manufacturer of NAND flash memory products and high-performance DRAM memory modules.
Industries that Ragnar Locker has breached include energy, critical manufacturing, financial services, government and information technology. This group also uses double extortion to pressure victims into paying.
Some of Ragnar Locker's attacks:
- In November 2021, the video game giant Capcom was breached by Ragnar Locker. The ransomware attack affected the company's email and file servers. The gang ended up stealing 10 TB of confidential company data and demanded a ransom of 1,580 Bitcoin, equivalent to 11 million dollars.
- Campari Group is known for its popular spirits brands, including SKYY Vodka, Wild Turkey and Grand Marnier. In November 2020, threat actors stole 2 TB of unencrypted files and demanded a ransom of $15 million (in Bitcoin) to recover the files.
- In December 2020, Ragnar Locker attacked the aviation giant Dassault Falcon Jet, a subsidiary of the French aerospace company Dassault Aviation.

Among the main targets of this gang are banking, the public sector, business and professional services, medical services and equipment, insurance and transportation.
This ransomware gang demands a cryptocurrency payment in exchange for the safe recovery of the encrypted data. Ransoms reach an approximate value of 25 Bitcoin.
There are cases where the sums exceed 1,500 Bitcoin.

HIVE

The Hive ransomware family is among the ten most important ransomware gangs in the world. It first appeared in June 2021 and made headlines after attacking the real estate trading software company Altus Group. This threat also uses double extortion techniques: victims who refuse to cooperate with the attacker risk having their details published on the group's website, Hive Leaks.

Hive samples are written in the Go programming language and compiled for 32- and 64-bit computers.
Hive is known for attacking healthcare facilities, but recently decided to make an even bigger name for itself by attacking the retail industry.

- In November 2021, Hive attacked the largest consumer electronics retailer in Europe, MediaMarkt. The company's servers and workstations were encrypted by Hive, and its IT systems had to be shut down to prevent further spread. The attack affected numerous stores in the Netherlands and other European countries.

Hive demanded that the company pay a $240 million ransom for decryption, a figure that was later reduced to a fraction of that amount (50 million dollars in bitcoin).

- In August 2021, the ransomware gang attacked Memorial Health System, an Ohio non-profit organization, forcing staff to work with paper records, which interrupted many scheduled activities.

Infostealers

Infostealers are malicious programs that enter a computer through the internet with the aim of fraudulently stealing confidential information.

An infostealer is a Trojan designed to collect information from a system: login information such as usernames and passwords, screenshots, network activity and other information from the systems it has infected. This information is sent to another system by email or over a network.

It can also covertly monitor and obtain information such as user behavior and personally identifiable information (PII), including keystrokes from emails and chat programs, websites visited, and financial data.

Below is a list of the most famous and dangerous malware families that have affected computer security in recent years. They have caused significant economic damage and harmed the privacy of thousands of users around the world.

REDLINE

RedLine is an information-stealing malware family that is distributed via phishing email campaigns referencing COVID-19. It was an active threat throughout 2020. In 2021, it was distributed via phishing campaigns and malicious Google ads. RedLine is very flexible and has appeared disguised as various trojanized services, games, cracks and tools.
The malware collects information from web browsers, FTP clients, instant messaging clients, cryptocurrency wallets, virtual private network (VPN) services, and game clients.
It also has the ability to remotely drop and run other malware on the victim's machine.

FICKER

Ficker is an information stealer sold and distributed on Russian underground forums by a cybercriminal under the pseudonym [@]ficker. It first circulated in 2020. Ficker was previously distributed via trojanized web links and hacked websites. For example, it can direct victims to sites that claim to offer free downloads of legitimate paid services such as Spotify and YouTube Premium™. It is also known to be distributed via the popular Hancitor malware downloader. Ficker is written in Rust.

HANCITOR

Hancitor was first discovered in 2013. It was distributed using social engineering techniques, such as pretending to come from the legitimate DocuSign® document signing service. When victims are tricked into allowing the malicious macro to run, it infects their systems. Hancitor then connects to its C2 infrastructure and tries to download a variety of malicious components.

Other malware includes the WannaCry ransomware, the Zeus banking Trojan, the Conficker worm, and the Stuxnet spyware.

Secure software development to ensure cybersecurity

It is advisable to have an information security team and/or external advisors to ensure that the software complies with the applicable security rules and regulations.

Many security problems can be solved by covering all threat vectors, including sources generally considered benign.

An organization's Product Security Incident Response Team is also an important part of improving its information security posture. For example, this team can work closely with other teams and provide them with valuable security information during the software development life cycle, which helps ensure that products and build processes are as secure as possible.

The risk of an attack is reduced when the lines of communication between teams are solid. It is important that security analysts set aside their natural subjectivity when they evaluate trusted apps and services. Although certificate signing, provenance, tooling and other implementation steps are valuable from a security perspective, it is imperative that security operations teams remain skeptical at all times.

Rapid disclosure and prevention of breaches of security protocols are also necessary to protect organizations and the customers who trust their products or services.

Cybersecurity: keys to protect yourself from computer attacks

  • Keep computers, devices, and applications patched and up to date.
  • Keep offline backups of critical data.
  • Make sure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Install and regularly update antivirus or antimalware software on all hosts.
  • Use only secure networks and avoid public Wi-Fi networks.
  • Implement multi-factor authentication (MFA or 2FA).
  • Use authenticator apps rather than email for the second factor, since threat actors may already control the victim's email account.
  • Do not click on unsolicited attachments or links in emails.
  • Implement least privilege for file, directory, and network share permissions.
  • Perform a global password reset, since threat actors are known to obtain system credentials.
  • Enforce a strong password policy and force users to change passwords at least every 90 days.
  • Install an EDR solution able to stop detected processes and isolate systems on the network according to the conditions identified.
  • Block the attacker's known C2 infrastructure in the firewall and load the IOCs into the different security solutions.
  • Close RDP ports exposed to the Internet if they are not needed.
  • Block bursts of multiple SMB connection attempts from one system to others on the network within a short period of time.
  • Deploy security updates and keep company software up to date.
  • Monitor file downloads and uploads, paying special attention when the source is the domain controller.
  • Monitor network scans of servers for specific services such as RDP, FTP, SSH and SMB.
  • Stay informed of the latest threats and risks on the Internet.
  • Perform preventive blocking of Indicators of Compromise (antispam, firewall, web filter, antivirus, etc.).
  • Perform penetration testing and ethical hacking.

Cyber attacks in the future

Regarding the future of cyber threats, it is important to take several aspects into account.
First, it is necessary to review current cyber threats and how they are evolving. This may include the adoption of new techniques and tools by cybercriminals, as well as the emergence of new types of threats, such as cyberterrorism or cyber espionage.

In addition, it is important to consider the impact of technology in the future. For example, the rise of artificial intelligence and automation can have a significant impact on the cyber threat landscape, as these developments can make it easier to conduct cyber-attacks in a more sophisticated and large-scale manner.

Another factor to consider is the role of companies and governments in preventing and mitigating cyber threats. Many companies are adopting stronger cyber security measures to protect their systems and data, while governments are developing laws and regulations to govern the use of technology and protect citizens.

In short, the future of cyber threats will largely depend on how technology evolves and how companies and governments address cyber security issues.
It is important to be aware of these developments and take steps to protect yourself effectively against future cyber threats.

Supply chain under attack