This Turkey Day, Don’t Let Attackers Feast on Your Data
Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks

Cyberattacks are on the rise, and 2021 has been a particularly brutal year for breaches. This year, significant cybersecurity incidents have touched nearly every industry — a veritable cornucopia of breaches. Like the famous “horn of plenty,” the list of breaches this year contains something for everyone – a little critical infrastructure here, a little software exploitation there, and some automotive hacks for good measure.
Despite the barrage of recent breaches, there are still many innovations to be thankful for that make it harder and harder for attackers to complete their missions successfully. Before looking at the year in review, let’s take a closer look at the challenges, and at the things that make defenders grateful while leaving cybercriminals with an empty plate.
Let’s start with what we know attackers are after and what they need to succeed. First, we know they will move laterally within the network, and we know they will target Active Directory (AD). We also know they will try to escalate their privileges, identify valuable information, and steal or encrypt it. And thanks to the rise in credential theft and social engineering attacks, we even know exactly how attackers will try to get into the network in the first place.
As seen in the recent Committee investigation of three ransomware attacks (CNA Financial Corporation, Colonial Pipeline, and JBS Foods USA), three systemic issues create opportunities for attackers. One, small lapses in security led to major breaches: a single infected endpoint with a weak password let the attackers inside. Two, the lack of clear points of contact with the federal government led to confusion. Three, attackers pressured companies to pay the ransom quickly, which pushed the organizations to respond, often without fully understanding the depth of the breach or the complexity of restoring operations.
A common denominator in most ransomware attacks has been the compromise of credentials and Active Directory (AD). You’ll see more details on this below. AD has truly become an organization’s Achilles’ heel, though defenders now have many new and innovative options for derailing the adversaries who target it.
Technology that we can be thankful for in 2021 includes the ability to see orphaned, exposed, or duplicate credentials at the endpoint, as well as the attack paths they create. Remediation is automated, making cleanup fast and simple. From one domain-connected endpoint, one can also get insight into over 200 exposures and vulnerabilities in AD. Actionable reports show changes to trusts and health checks at the user, device, and domain level. The latest in Cloud Infrastructure Entitlement Management (CIEM) technology easily extends visibility and attack surface management into multi-cloud environments.
Next, as the attacker attempts to break out from the endpoint, businesses can also hide and deny access to production credentials, preventing theft and misuse. This same cloaking technology can apply to Active Directory to hide critical objects, denying the attacker access and the ability to gain domain control. Cloaking also extends to data, hiding and denying unauthorized access to files, folders, or mapped network and cloud shares.
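To make the “exposures and vulnerabilities in AD” idea concrete, here is a small, self-contained health check a defender can run from one domain-joined host. It is an added example written for this page, not Attivo’s ADAssessor or any other product code, and it assumes the ActiveDirectory PowerShell module (RSAT) with read access to the directory; the 90-day inactivity threshold and the list of privileged groups are assumptions, not vendor defaults. It covers three of the exposure classes the paragraph above names: orphaned user accounts, service accounts with stale or never-expiring passwords, privileged group membership, and the current trust inventory.

```powershell
# Added example (not ADAssessor code). Assumes the RSAT ActiveDirectory module
# and a domain-joined host with read access to AD. Thresholds are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90                                   # assumed threshold
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# 1. Orphaned accounts: enabled users that have not logged on within the threshold.
$Orphaned = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

# 2. Exposed service accounts: enabled users that carry an SPN and whose password
#    is older than the threshold or set to never expire.
$ExposedSvc = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $Cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# 3. Privileged membership: resolved (recursive) members of high-value groups,
#    to diff against an approved baseline between runs.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumed list
$Privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate
}

# 4. Trust inventory: direction, type and whether SID filtering is enforced.
$Trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, SIDFilteringQuarantined

# Emit one JSON document per run so the SOC can diff consecutive reports.
[PSCustomObject]@{
    GeneratedAt         = Get-Date
    OrphanedUsers       = @($Orphaned)
    ExposedServiceUsers = @($ExposedSvc)
    PrivilegedMembers   = @($Privileged)
    Trusts              = @($Trusts)
} | ConvertTo-Json -Depth 4
```

Run it on a schedule and keep the JSON output; the useful signal is the delta between runs (a new privileged member, a trust whose SID filtering was switched off, a service account whose password age crossed the threshold), which is what the automated reports described above surface continuously.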
Clearly, there are many new fronts of innovation that make defenders thankful and keep attackers at bay. Let’s take a closer look at how attackers have feasted in 2021 by examining some of the biggest breaches of the year:
A Cornucopia of Breaches
- Colonial Pipeline: Perhaps the most impactful breach of the year was the Colonial Pipeline attack, which forced the shutdown of a major fuel pipeline. Attackers allegedly accessed the network using a compromised password and engaged in a ransomware attack that disrupted operations for nearly a week. The company paid the requested $4.4 million ransom in bitcoin (a portion of which the authorities later recovered). Still, the cost of the resulting operational downtime and reputational harm is more difficult to calculate.
- The United Nations: Early in 2021, attackers breached the United Nations using credentials obtained in a previous data breach. Experts believe that the attackers conducted reconnaissance within the network for months and used the data they obtained to further additional attacks, underscoring the need for lateral movement detection capable of alerting defenders to an attacker’s presence within the system.
- SolarWinds: While the SolarWinds breach technically occurred in 2020, its repercussions have resonated well into 2021. Compromised SolarWinds software went out to the company’s many partners, resulting in downstream effects that impacted a wide range of enterprises worldwide. It serves as an effective reminder that in-network protections are necessary to defend against third-party attacks.
- Microsoft Exchange: The Microsoft Exchange hack might challenge Colonial Pipeline as the most high-profile hack of 2021. Hafnium, a Chinese-backed hacker group, exploited vulnerabilities in the Exchange server software to affect organizations across the globe. While it is hard to gauge the full scope of the attack, it affected at least 30,000 organizations in the US and another 60,000 systems in Germany. Victims ranged from small businesses and municipalities to major corporations.
- ParkMobile: In March, attackers breached parking giant ParkMobile due to infected third-party software, accessing data from more than 21 million users. While they did not steal credentials, they did take identifying information such as email addresses, license plate numbers, and more.
- Socialarks: Chances are, you’ve never heard of Socialarks. But early this year the Chinese social media management company left an ElasticSearch database unsecured, resulting in attackers making off with user data from more than 214 million users of Facebook, Instagram, LinkedIn, and other social networks. Leaving a database unprotected is never a good idea, and this was not the first time attackers had breached Socialarks, driving home the point that users should be careful whom they trust with their information.
- Volkswagen/Audi: 2021 has been the year of third-party breaches, and Volkswagen/Audi is just one more example. Attackers breached an unnamed marketing provider earlier this year, resulting in the leak of personal and vehicle information for more than 3.3 million people. The company noted that it found out about the breach in March but could not determine the data’s source until May. Third-party breaches are not always easy to pin down, further underscoring the need for stronger preventative measures.
- Twitch: Twitch, best known as a video game streaming service, was breached early in 2021 due to what the company termed a “human error.” In short, a misconfigured server left Twitch’s network vulnerable, and attackers exploited that vulnerability to the tune of more than 5 billion leaked private business records.
- SeniorAdvisor: More than three million seniors had their personal information compromised this summer when researchers discovered that a misconfigured Amazon S3 bucket had exposed their personal details. The bucket leaked names, emails, and phone numbers, giving attackers access to personal information for an already vulnerable segment of the population.
Plenty to Be Thankful For
While third-party breaches have been a major theme in 2021, and credential theft, misconfigurations, exploitation of Active Directory, and other attack vectors continue to cause concern, there is good news. Today’s network defenders have more tools available to them than ever. Tools designed to strengthen identity security, network visibility, AD protection, and more are becoming increasingly accessible and easy to use. Within the past year alone, Attivo Networks has launched a new identity security category, Identity Detection and Response; multiple new Active Directory protection tools, ADAssessor and ADSecure; and IDEntitleX, which provides actionable visibility into cloud entitlement overprovisioning.
Even as attackers continue to dine on a cornucopia of vulnerabilities and accidental misconfigurations, these new tools are giving defenders plenty to be prepared with. Let’s all hail our turkeys this Thanksgiving and give a special thanks to the tools that keep cybercriminals feasting at home and out of our data centers. We wish everyone good health, strength, and laughter throughout this holiday season!