
Security in a Shadowy World

The 1930s radio vigilante The Shadow had the “power to cloud men’s minds so they can’t see him.” Today, we have computer villains who adopt the same approach, clouding a computer’s “mind” so they are invisible and can operate in the shadows. They are called hackers.

What is needed, then, is a comparable hero, a Shadow, that can fight the evil at its own level. It is known as cybersecurity. And the war has been ongoing for decades, each side winning some and losing some battles, technology shifting from one side to the other, success one day replaced by failure the next. Nations and individuals are all “playing the game,” playing in the shadows.

Lamont Cranston, The Shadow’s alter ego, was a New York playboy, rich enough to have time and money to play the game of avenger, much like the later Gotham hero Bruce Wayne/Batman. In the current world, having enough money to support the work of cybersecurity against often nationally funded hackers is just as important, even more so when the attacks are against a country’s infrastructure. Lack of financial support for security equals weakness and vulnerability in the eyes of those who would do computerized evil.

Cybersecurity experts work in the sun—or in the shadows. They can be private firms—even individuals—or they can be government agencies. They can be software developers “with skin in the game” or the stereotype “good guy hacker” working from a laptop in his—or equally likely, her—bedroom or basement. Whether a security department at Microsoft or a department of one in a loft, the challenge is to find the flaws before the other guy(s).

In business and government, security professionals need to engage with ethical hackers, the White Hats, or implement bug bounty programs where organizations pay individuals who report security bugs or other vulnerabilities before ill-intentioned hackers become aware of them, claims ABI Research.

Zero Day

As security firm Tenable notes, when a vulnerability is unknown to the organization that developed the software, application, or device, and an attacker or someone else uncovers it before the organization has a chance to remediate it, it is referred to as a zero-day vulnerability. Zero-day vulnerabilities introduce great risk for users who don’t know about them or haven’t been offered the right patch or other resources to fix them. If a zero-day vulnerability is unresolved, attackers have full opportunity to take advantage of it, exploit the vulnerability (known as a zero-day exploit), and potentially do additional harm to systems, data, and networks.

The normal response of a developer to finding a vulnerability—or having it revealed through an attack—is to rush a patch or update to its user base. Depending on the extent of the problem, that can take hours or weeks. Publishing a patch should be a quiet response, as making the vulnerability known can encourage others to exploit it before that door is closed. And it can cause panic among users who maintain critical operations with the software.

Information on a zero-day exploit is just about the most valuable thing a hacker can possess. These exploits can carry price tags of $1 million or more on the open dark-net market. In 2021, cybersecurity defenders caught at least 66 zero-day exploits, according to multiple databases, researchers, and cybersecurity companies, as reported by MIT. The amount of damage done is rarely quantified, since companies are hesitant to divulge their costs.

Where are the attacks coming from? Who—or what—is defending against them? Every nation has agencies to fight cybercrime, and unfortunately, most if not all have agencies to seek vulnerabilities in other countries’ systems. In the United States, one agency dealing with cybersecurity is the CISA (Cybersecurity and Infrastructure Security Agency). CISA, along with the NSA (National Security Agency), FBI (Federal Bureau of Investigation), and key U.S. and international government agencies publish reports on cyber-attacks and their origin.

China Rising

For example, a Joint Cybersecurity Advisory on malicious activity by a PRC (People’s Republic of China) state-sponsored cyber actor known as Volt Typhoon, which had compromised critical infrastructure, urged all organizations to take the associated actions immediately. CISA and its U.S. government partners have confirmed this group of PRC cyber actors has compromised entities across multiple critical infrastructure sectors, including communications, energy, transportation, and water and wastewater, in the United States and its territories. The data and information CISA and its partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.

China, indeed, is becoming the world’s biggest threat in cyberspace, challenging Russia for the “honors” of being the one to watch most carefully. According to CISA, in recent years the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. One tool of disruption, ransomware, has been used to disrupt both private and government agency systems.

Living off the Land and RaaS

RaaS (ransomware-as-a-service) gangs have been making headlines globally with their disruptive attacks on organizations, reaping millions of dollars and causing major disruption of business. One of the behaviors of RaaS gangs is their use of LOTL (living off the land) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.

There are scripts using commands an attacker could use to steal data from a company’s network, but which also resemble the legitimate administrative tasks IT professionals run for routine system administration. They appear in logs and reports, but IT sees them as part of a routine maintenance operation and moves on. In one such attack, the attackers understood the tools and processes typically used by employees, and so managed to avoid raising suspicion by blending in with typical PowerShell usage. By conducting the attack during normal business hours, they also avoided the usual scrutiny that would come from moving across a network late at night.

This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities. Experienced analysts might be able to pick up on subtle anomalies or patterns that indicate a LOTL attack, but the normal IT response is to move on and not worry about it.

Blackcat, a group of cyber stalkers, is one of the most notorious of the internet’s many ransomware gangs—cybercriminals who encrypt data to hold it hostage with the aim of securing massive payouts. It has previously struck major businesses including MGM Resorts International and Caesars Entertainment. In December 2023, Blackcat was the subject of a takedown by U.S.-led international law enforcement, which seized several websites used by the group as well as hundreds of digital keys used to decrypt victims’ data.

The hackers threatened to retaliate against critical infrastructure and in February 2024, Change Healthcare, a unit of UnitedHealth that processes insurance claims for tens of thousands of pharmacies nationwide, was hit. A Change Healthcare spokesman called it the company’s “Colonial Pipeline,” a reference to the 2021 ransomware attack on one of America’s biggest pipelines that disrupted fuel shipments for days and made ransomware a national security concern in the minds of senior U.S. officials.

Forensic evidence recovered in the investigation indicates the Blackcat ransomware gang was responsible for the hack. The gang also rents out its malicious software, also known as Blackcat. Hackers using the malware have claimed a slew of attacks on U.S. universities, health care providers, and hotels. Almost immediately, the ransomware gang claimed responsibility for hacking Change Healthcare, listing the company as a victim on its dark web site.

Detecting and mitigating “living off the land” malicious cyber activity requires a multi-faceted and comprehensive approach that separates legitimate behavior from malicious behavior through behavior analytics, anomaly detection, and proactive hunting.
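The two passages above make one point: a command that is routine for one administrator during the working day is the same command an intruder blends in with, so signature matching on the command alone finds nothing. What separates the two is behavior relative to a baseline: who normally runs this cmdlet, which file shares they normally touch, and when. The following is an added example written for this article, not code from Connected World, CISA, or any vendor; it builds a per-account baseline from a historical PowerShell command log and scores new events against it. The pipe-separated `time|host|user|command` line format, the account names, the share names, and every log line are constructed for the example, and the weights, business-hours window, and alert threshold are assumptions a real deployment would tune.

```python
"""Behavior-baseline scoring over PowerShell command logs (added example).

Learns, per account, which cmdlets and which UNC share roots it normally uses,
then scores fresh events: a cmdlet or share never seen for that account, or
activity outside business hours, raises the score. The same Compress-Archive
command is silent for the admin who runs it every week and loud for an account
that has never run it, or for the admin at 02:15.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log used to learn what "normal" looks like.
# Format (an assumption for this example): time|host|user|command
BASELINE_LOG = """\
2024-03-04T09:12:00|FS01|CORP\\jdoe|Get-ChildItem \\\\FS01\\finance -Recurse
2024-03-04T09:15:00|FS01|CORP\\jdoe|Compress-Archive -Path \\\\FS01\\finance -DestinationPath D:\\backup\\finance.zip
2024-03-05T10:02:00|FS01|CORP\\jdoe|Get-ChildItem \\\\FS01\\hr -Recurse
2024-03-05T10:05:00|FS01|CORP\\jdoe|Compress-Archive -Path \\\\FS01\\hr -DestinationPath D:\\backup\\hr.zip
2024-03-06T11:30:00|WS22|CORP\\asmith|Get-Process
2024-03-06T11:31:00|WS22|CORP\\asmith|Get-Service
"""

# Constructed new activity to score against the baseline.
NEW_LOG = """\
2024-03-11T10:40:00|FS01|CORP\\jdoe|Compress-Archive -Path \\\\FS01\\finance -DestinationPath D:\\backup\\finance.zip
2024-03-11T14:05:00|WS22|CORP\\asmith|Compress-Archive -Path \\\\FS01\\finance -DestinationPath C:\\Users\\asmith\\f.zip
2024-03-12T02:15:00|FS01|CORP\\jdoe|Compress-Archive -Path \\\\FS01\\hr -DestinationPath D:\\backup\\hr.zip
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday (assumed working window)
WEIGHTS = {"new_cmdlet": 2, "new_share": 2, "off_hours": 2}  # assumed tuning
ALERT_THRESHOLD = 2


def parse_line(line):
    """Split one 'time|host|user|command' line into its fields."""
    ts, host, user, command = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "command": command}


def cmdlet_of(command):
    """First token of the command line, e.g. 'Compress-Archive'."""
    return command.split()[0]


def shares_of(command):
    """UNC share roots (\\\\host\\share) referenced anywhere in the command."""
    roots = set()
    for tok in command.split():
        if tok.startswith("\\\\"):
            parts = tok.strip("\\").split("\\")
            if len(parts) >= 2:
                roots.add("\\\\" + parts[0] + "\\" + parts[1])
    return roots


def build_baseline(log_text):
    """Per-user sets of cmdlets and share roots observed in the historical log."""
    baseline = defaultdict(lambda: {"cmdlets": set(), "shares": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        baseline[ev["user"]]["cmdlets"].add(cmdlet_of(ev["command"]))
        baseline[ev["user"]]["shares"].update(shares_of(ev["command"]))
    return baseline


def score_event(ev, baseline):
    """Return (score, reasons) for one event measured against the user's baseline."""
    profile = baseline.get(ev["user"], {"cmdlets": set(), "shares": set()})
    reasons = []
    if cmdlet_of(ev["command"]) not in profile["cmdlets"]:
        reasons.append("new_cmdlet")
    if shares_of(ev["command"]) - profile["shares"]:
        reasons.append("new_share")
    t = ev["time"]
    if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def find_anomalies(new_log_text, baseline_log_text):
    """Score every new event and return those at or above the alert threshold."""
    baseline = build_baseline(baseline_log_text)
    alerts = []
    for line in new_log_text.splitlines():
        ev = parse_line(line)
        score, reasons = score_event(ev, baseline)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "time": ev["time"].isoformat(),
                           "cmdlet": cmdlet_of(ev["command"]), "score": score,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(NEW_LOG, BASELINE_LOG):
        print(alert)
```

Run as-is, the first new event (the usual admin archiving the usual share on a Monday morning) scores zero and never surfaces, while the same cmdlet from an account with no history of it, against a share it has never touched, and the admin's own archive job at 02:15, both cross the threshold. That is the analyst's "subtle anomaly" from the passage above, reduced to something a pipeline can compute on every event rather than something that depends on someone choosing not to move on.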

Dealing with the Future

The efforts of governments and large computer hardware and software companies are only part of the response to cyber threats. Because of the modern interconnected world, every company—and every individual using a home computer—creates an opening for malicious attacks. As is all too often the case, brute-force attacks are being replaced by social and behavioral attacks. And behaviors are much harder to change than software code.

If cybersecurity is taken to heart by all companies and governments, the closing words of The Shadow radio show, circa 1931—updated for 2024—will come true:

 “The weed of crime bears bitter fruit! [Cyber]crime does not pay…The Shadow knows!”
