Security experts spent years warning enterprises to expect cyberattacks and to plan their defenses accordingly, now Sophos researchers are saying organizations shouldn’t be surprised if they get attacked multiple times.
In a 23-page report [PDF] released this week, the researchers unwind the multiple factors that are fueling a rise in the number of entities hit by more than one attack. For instance, in one case, a company was the victim of three ransomware attacks over two weeks.
“In recent months, we’ve noticed an uptick in the number of cases where organizations have been attacked multiple times,” wrote Matt Wixey, principal technical editor and senior threat researcher at Sophos. “Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type.”
Some of this falls at the feet of the organizations themselves, which too often fail to address vulnerabilities and misconfigurations after the first attack, opening the door to ensuing attacks, according to the report.
Other factors are features of a rapidly evolving cybercrime environment, with different threat groups exploiting high-profile vulnerabilities like ProxyShell and Log4Shell, interdependence among groups, the rise of ransomware-as-a-service, and growing “coopetition” among the cybercrime gangs.
“Whatever the root cause, multiple attacks can be devastating for victims,” Wixey wrote. “Not only do they complicate remediation and business continuity plans, but the financial, reputational, and psychological impacts can be overwhelming. Just when you think that the worst has finally happened – and you now know for certain that it’s ‘when,’ and not ‘if’ – you’re hit with another attack.”
In cases that Sophos’s Managed Detection and Response and Rapid Response teams have investigated recently, there is usually a gap of about six weeks between attacks when an enterprise is hit multiple times.
In most instances, the root causes of multiple attacks are the failure to address significant software or hardware vulnerabilities and, after an attack, not dealing with the misconfigurations left in place by earlier attacks.
“But there’s a little more complexity to it than that,” he explains. “There’s often a specific sequence of exploitation – cryptominers (a proverbial canary in the coal mine) arrive first, followed by wormable botnet builders (such as Mirai), then malware delivery systems (webshells and/or [remote access trojans]), who may feed data to initial access brokers (IABs), and finally, ransomware.”
IABs do what their name suggests, gaining initial access into compromised systems. They then sell that access to other threat groups that use it to launch their own attacks.
John Gunn, CEO of authentication technology vendor Token, told The Register: “Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.”
Some of these are interdependent, such as IABs enabling ransomware attacks. Others co-exist, such as cryptominers and ransomware, which have disparate objectives and don’t interfere with each other. At the same time, organizations can be hit with multiple ransomware attacks because such threat groups often don’t care if others are attacking the same enterprise. In one case, Sophos saw the same attacker using first Conti ransomware and then Hive within days of each other against the same victim.
In another incident on May 1, after initial access was gained via the Remote Desktop Protocol (RDP) and Mimikatz was used for stealing credentials, a company was hit by Lockbit ransomware attack. Less than two hours later, a Hive ransomware affiliate attacked the same company and two weeks later, the organization was attacked a third time by a BlackCat ransomware group.
All three gangs used the same misconfigured RDP server to gain access. Sophos later found some files that had been encrypted by all three attackers, Wixey says.
The mixture of so many threat groups is a driver of the rise of multiple attacks on organizations, according to Peter Mackenzie, Sophos director of incident response.
“It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry,” Mackenzie said in a statement.
Coopetition is something enterprises want to keep in mind. Some operators, such as cryptominers, include code in their malware that will remove competitive malware from systems they infect. Others, like ransomware groups, aren’t worried about competition and at times will intentionally or incidentally help other attackers by leaving open backdoors or misconfigurations for others to use.
While shutting down the initial attack, enterprises need to ensure that no malicious code is left behind, according to Wixey.
“As odd as it may sound, we could easily see scenarios where the ‘first-in’ attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential,” Gunn adds.
Disclosures of major vulnerabilities also creates a land rush of sorts among various threat groups looking to exploit them. The ProxyLogon and ProxyShell flaws disclosed last year saw cryptominers, RATs, botnets, “clipper” malware – which swaps crypto wallet addresses on a victim’s clipboard – and eventually ransomware all taking advantage.
The same pattern played out after the Log4Shell flaw was disclosed in December 2021 and the Atlassian vulnerability was detected last month, according to Sophos.
It highlights the need for enterprises to update everything and prioritize the most dangerous bugs first, Wixey wrote. That means focusing on critical bugs impacting an organization’s specific software stack and high-profile vulnerabilities that may affect its technology.
Organizations also need to ensure misconfigurations are fixed, particularly after an attack.
“Cryptominer operators, IABs, and ransomware affiliates always look for exposed RDP and VPN ports, and they’re among the most popular listings on most criminal marketplaces,” he wrote. “If you do need remote access and/or management over the internet, put it behind a VPN or a zero-trust network access solution that uses [multi-factor authentication] as part of its login procedure.” ®