This Halloween, the Monsters Are Coming from Inside the Network!
Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks
Since A Nightmare on Elm Street premiered in 1984, there have been eight more Freddy Krueger movies. Jason Voorhees has starred in 11 Friday the 13th movies. Michael Myers has slashed his way through 12 Halloween movies, including the recent reboot. And of course, vampires, werewolves, ghosts, mummies, and Frankenstein have been in far, far too many movies to name. Monsters are exciting. They're scary. They know how to evoke creeping dread, but they also know how to elicit a satisfying jump scare. How many times have we all seen the heroine lock herself safely in her bedroom, only to turn around and realize that Jason was in there the whole time?
The cybersecurity world has monsters of its own, and they are just as scary as any masked villain—and just as likely to appear inside your network when you least expect it. Halloween is the perfect time to brush up on some of those monsters. By learning the tactics and habits of the most prolific cybercriminal groups, you can help protect yourself and your organization against some of today’s most dangerous threats. These monsters aren’t after your blood, but they are after your information—and just like the characters in a horror movie, you should do everything possible to avoid becoming a victim!
Reviewing the Rogues Gallery
Conti. Conti is human-operated ransomware-as-a-service (RaaS) that has become popular among affiliates and ranks first in market share through the third quarter of this year. Last month, the threat became severe enough that the FBI, NSA, and CISA released a joint ransomware advisory to help organizations reduce their risk of compromise. Conti operators practice "double extortion": they move laterally through the network until they hold domain administrator credentials, exfiltrate sensitive data, and only then encrypt, threatening to leak the stolen data if the ransom is not paid.
Hive. Hive is another example of human-operated double extortion ransomware. It is relatively new on the scene, with the first detection in June 2021. But it has moved fast: just two months later, in August, 30 victims were reported. These victims included the Memorial Health System within the healthcare sector, and the rapid spread of the ransomware led to another FBI alert warning organizations about the danger.
LaZagne. An "accessory" post-exploitation tool rather than ransomware, LaZagne extracts passwords stored on a local device, which might include credentials saved by browsers, databases, remote administration tools, Wi-Fi profiles, and other places where credentials are stored. It runs with whatever rights the attacker already has on the host, so a single compromised workstation can yield credentials for many other systems. The creator of LaZagne describes it as an "open-source project," and known cybercriminal groups like TeamTNT have used it to harvest significant numbers of passwords. TeamTNT has caused more than 5,000 LaZagne infections globally, making the tool an important part of the group's arsenal.
DarkSide. The group behind this year's Colonial Pipeline attack, DarkSide, is an Eastern European criminal group that operates primarily via ransomware and extortion. The Colonial Pipeline attack was a major wake-up call for many in critical infrastructure. It forced the company to suspend pipeline operations for several days and resulted in the theft of more than 100 GB of corporate information. DarkSide frequently relies on credential theft, Active Directory (AD) access, and privilege escalation to achieve its goals.
LockBit 2.0. Yet another example of double extortion RaaS (are you noticing the pattern?), LockBit 2.0 abuses Active Directory Group Policy: once the operators control the domain, they push the encryptor to domain-joined hosts through Group Policy Objects (GPOs), so deployment across the network is automated rather than hand-driven. Extremely fast and efficient encryption is one of the hallmarks of LockBit 2.0, which currently ranks fourth in market share. The most notable LockBit 2.0 attack was the Accenture hack, in which roughly 2,500 computers were affected. The perpetrators demanded $50 million in exchange for the stolen information.
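Both the LaZagne and LockBit 2.0 entries above describe behaviour that leaves a visible trace on the host and on the domain controllers: a process launched with LaZagne's module names and output flags, and a Group Policy Object modified by an account that has no business editing GPOs. The following detector is an added example written for this article, not code from the original page or from Attivo Networks. It runs two such rules over a handful of constructed sample events shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 5136 (directory service object modified). The module names and flags come from LaZagne's public command line; the `GPO_ADMINS` allowlist, the account names, and the sample events themselves are hypothetical.

```python
"""Toy detector for LaZagne execution and unexpected GPO changes (added example)."""

# LaZagne's public CLI: first argument selects a module, later arguments are options.
LAZAGNE_MODULES = {"all", "browsers", "chats", "databases", "git", "mails", "maven",
                   "memory", "multimedia", "php", "svn", "sysadmin", "wifi", "windows"}
LAZAGNE_FLAGS = {"-oj", "-on", "-oa", "-output", "-password", "-quiet", "-vv"}

# Hypothetical allowlist: the only accounts expected to edit Group Policy Objects.
GPO_ADMINS = {"gpo-admin"}

# Constructed sample events (not real logs), flattened to the fields the rules need.
# event_id 1 mimics Sysmon process creation; event_id 5136 mimics Windows Security
# "A directory service object was modified", which needs a SACL on CN=Policies to fire.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Users\alice\Downloads\laZagne.exe",
     "CommandLine": "laZagne.exe all", "User": r"CORP\alice"},
    {"event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"CORP\alice"},
    # Renamed binary: the image name gives nothing away, the arguments do.
    {"event_id": 1, "Image": r"C:\Temp\svchost.exe",
     "CommandLine": "svchost.exe browsers -oJ -output C:\\Temp", "User": r"CORP\bob"},
    {"event_id": 1, "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig.exe /all", "User": r"CORP\bob"},
    {"event_id": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={E1F0C8A2-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "svc-backup"},
    {"event_id": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={E1F0C8A2-0000-4000-8000-000000000002},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "gpo-admin"},
    {"event_id": 5136, "ObjectClass": "user",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "SubjectUserName": "svc-backup"},
]


def is_lazagne_process(event):
    """True if the image is named lazagne* or the arguments match LaZagne's CLI shape."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if "lazagne" in image:
        return True
    args = [a.lower() for a in event.get("CommandLine", "").split()[1:]]
    # Module name first plus at least one LaZagne-specific option: catches renamed copies
    # while leaving tools that merely share a word such as "git" or "all" alone.
    return bool(args) and args[0] in LAZAGNE_MODULES and any(a in LAZAGNE_FLAGS for a in args)


def is_unexpected_gpo_change(event):
    """True if a GPO container was modified by an account outside the GPO_ADMINS allowlist."""
    return (event.get("ObjectClass") == "groupPolicyContainer"
            and event.get("SubjectUserName", "").lower() not in GPO_ADMINS)


def detect(events):
    """Return (rule, actor, detail) triples for every event that trips a rule."""
    findings = []
    for e in events:
        if e.get("event_id") == 1 and is_lazagne_process(e):
            findings.append(("lazagne_credential_harvest", e["User"], e["CommandLine"]))
        elif e.get("event_id") == 5136 and is_unexpected_gpo_change(e):
            findings.append(("unexpected_gpo_modification", e["SubjectUserName"], e["ObjectDN"]))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {actor:14} {detail}")
```

Two caveats for anyone turning this into a real rule. Event 5136 is only generated when "Audit Directory Service Changes" is enabled and the Policies container carries a SACL for write operations, so confirm the events exist before relying on them. And the GPO rule is an allowlist, not a signature: it will flag legitimate administrators who are not on the list, which is the point, because an attacker who has reached domain admin will often use a freshly created or hijacked account rather than the one the GPO team normally uses.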
BlackMatter. This RaaS variant is the ransomware version of Frankenstein's Monster, incorporating elements from DarkSide, REvil, and LockBit to build a truly scary creation. BlackMatter generally pursues critical infrastructure, and not only transportation and energy: it has also attacked the food and agriculture sector. Its tactics include targeting exposed credentials and seeking to compromise Active Directory. Japanese technology giant Olympus was attacked by BlackMatter earlier this year, affecting computers in its Europe, Middle East, and Africa (EMEA) segment.
IcedID. IcedID is a modular banking Trojan that targets the financial information of users while also acting as a loader for other malicious programs, including popular post-exploitation frameworks like Cobalt Strike. It is also worth noting that IcedID has served as the initial foothold in several recent ransomware attacks. IcedID is generally considered the spiritual successor to Emotet, another widely used Trojan spread via spam emails.
Be Smart: Avoid the Monsters!
There are a few things you can count on in a monster movie: the main characters will make terrible decisions, put themselves in dangerous situations, and ultimately—and inevitably—fall victim to the monster.
Don’t be like them! While the monsters of the cybersecurity world are scary, they aren’t supernatural. Preventing 100% of attacks may not be possible, but you can still put yourself and your organization in the best position to detect, derail, and defend against today’s most dangerous attackers. Being passive never helped anyone, so don’t wait for the monsters to get you! Engage in active defense by deploying tools like Identity Detection and Response, and you’ll be ready for anything.