Image: RiskSense A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content management system ranked third, followed by Ruby on Rails […] More

The cyber-criminal groups behind some of the most notorious and damaging ransomware attacks are using the same tactics and techniques as nation-state-backed hacking operations – and they’re only going to get more sophisticated as they look for even bigger pay days.
Ransomware has continued to evolve in the past year, with some ransomware crews making off with millions of dollars following each successful attack.

More on privacy

One of the key reasons why ransomware has become such a common cyberattack is because it’s the easiest way for malicious hackers to make money from a compromised network.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 
Previously, cyber criminals might have focused on stealing information that could be used or sold on, but by encrypting the network, they can make a large sum of money from demanding a ransom in a shorter amount of time than it would take to make from exploiting stolen credentials or financial information.
And now the skills of ransomware gangs are catching up with the Advanced Persistent Threat (APT) groups associated with nation states.
“Ransomware attackers are essentially just a couple of years behind the tradecraft we’ve seen ATP crews adopt. This is still a growing problem, it’s not going to go away,” Mitchell Clarke, principal incident response consultant at security company FireEye Mandiant, told ZDNet.

Researchers at Mandiant presented analysis of how ransomware – and the cyber-criminal gangs behind it – has evolved and matured in recent times during a presentation at Black Hat Europe 2020, demonstrating how the cyber-criminal groups running these campaigns are increasingly conducting full-scale network intrusions similar to those seen in nation-state attacks.
Ransomware groups like DoppelPaymer and REvil have been highly prolific this year, encrypting networks and making millions. Part of the reason for the success of these campaigns is because they’re highly targeted.
Cyber-criminal hackers uncover vulnerabilities on networks then spend months laying the groundwork to compromise the systems with ransomware before finally unleashing the attack and encrypting the network.
This is similar to how APT groups hide for months or even years without being detected, although their goal is surveillance or stealing sensitive data rather than making money with ransomware.
“If we look back to older cases of ransomware, it was largely opportunistic. Attackers would land on a corporate environment and advance into a small subset of a wide organisation. The transition from opportunistic crime into APT-like campaigns is just a realisation that it’s more profitable to completely cover an organisation with ransomware,” said Clarke.
“The attacker has taken their time to step through that APT process, to understand the victim environment and to move across it as quietly as possible and with as much privilege as they’re able to get. Then when it’s time to deploy ransomware, to cover a whole organisation.”
But that isn’t where the evolution of ransomware campaigns stops; there’s the risk that as these groups gain more experience with successful attacks, the time between initial compromise and an attempted full encryption of the network will become much shorter – meaning there’s even less time to potentially detect suspicious activity before it’s too late.
“We’re seeing a gap from initial compromise to a ransom event being in the months – it’s in that period before a ransom that organisations can implement changes to be able to detect,” explained Tom Hall, principal incident response consultant at FireEye Mandiant.
“But as they get more sophisticated, we’re going to see that window dropping from months to weeks and weeks to days. If organisations don’t grasp the problem of being able to catch them when they’ve got months, there’s no hope when we’re down to shorter time periods,” he added.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
However, one of the key reasons why cyber criminals continue to be successful with ransomware attacks is because they’re able to exploit vulnerabilities that are simple to protect against – but organisations have failed to do so.
Applying the security patches that fix security vulnerabilities shortly after they’re released prevents cyber criminals being able to exploit issues that have been fixed, while applying two-factor authentication and preventing the use of default passwords on the network can also go a long way to protecting against ransomware and other attacks.
“It’s not like these situations couldn’t have been prevented. It really highlights that a solid patch-management programme would have solved having vulnerabilities exposed that kicked off the entire breach,” said Clarke.
MORE ON CYBERSECURITY More

The auditor-general of Western Australia has found four business applications used by state government entities contain control weaknesses, mostly around poor information security and policies and procedures.
In her latest audit, the auditor-general probed the Teacher Registration System, handled by the Department of Education, Teacher Registration Board of Western Australia; the Forest Products Commission’s Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is under the watch of the Department of Training and Workforce Development.
The testing was performed during 2019-20. The report [PDF] declared all four applications had control weaknesses. Auditor-General Caroline Spencer reported 75 findings across the four applications — nine findings were rated as significant, 57 moderate, and another nine were considered minor.
The first project probed was the Department of Education’s Teacher Registration System, which it inherited in 2017.
The system is a combination of internally developed and commercial software applications, hosted on public cloud infrastructure and maintained by department staff and contractors.
“There are a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information,” the report said.
The audit determined basic governance and controls, including limiting access and segregation of duties for system changes, were not implemented.

“There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services,” it added.
IT governance, security, and risk management were poor, with the report saying there is currently no IT strategy; limited oversight; and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
Roles and responsibilities for managing the cloud environment have also not been defined, the report said, with there being 33 subscription owners that can manage and have full access to the cloud resources.
It also found 119 resources were allocated to data centres outside Australia, including in Southeast Asia and the United States.
The department’s Teacher Registration Directorate also spent approximately AU$240,000 between July 2019 and February 2020 on contracted services that the department could provide. The audit also found a conflict of interest risk, as the same contractor proposed and undertook projects — that contractor pulled in approximately AU$500,000 in a six-month period.
The next application probed was the Forest Products Commission’s Deliveries and Billing System (DAB), which enables it to generate revenue and payment information from the harvest and sale of timber products.
The audit determined security weaknesses in the DAB database and the commission’s network may expose it to malicious attacks and unauthorised access. In addition, weaknesses in controls, including the review of information entered into the DAB and monitoring of compliance with regulations, creates risks of incorrect revenue or payments and non-compliance.
The 2019 DAB implementation project encountered delays and cost overruns — it overspent by approximately AU$720,000 — and the auditor-general said the commission could not demonstrate that an effective project governance framework was in place.
The Department of Communities’ Housing Authority, meanwhile, was found to not have assessed the information security risks for its Habitat program. In addition, the auditor-general said the authority had not implemented adequate processes that provide oversight of Habitat controls, nor was there a disaster recovery plan in place.
The report said the auditor-general identified 178 database user accounts with easy to guess passwords and 1,195 accounts where the password had not been changed for five years. These included accounts with high privileges.
The authority’s IT staff also used and shared a highly privileged account to administer the Habitat database.
Lastly, the Student Management System used by Western Australian TAFE colleges was found to open sensitive student information to risk due to inadequate monitoring of user activity and poor user access management.
The auditor-general said application governance was not fully established, there was inadequate contract management, and service level arrangements were not defined.
In addition, sensitive information was not protected in the database, data was found to be not de-identified, user access management could be improved, 2FA was not adopted, and data files were not appropriately restricted.  
“Application controls need to be considered in conjunction with existing organisational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations,” Spencer said.
“Public facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.”
RELATED COVERAGE More

Image: Dimitry Anikin

With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, this now means that all of the four biggest maritime shipping companies in the world have been hit by cyber-attacks in the past four years, since 2017.
Previous incidents included:
APM-Maersk – taken down for weeks by the NotPetya ransomware/wiper in 2017.
Mediterranean Shipping Company – hit in April 2020 by an unnamed malware strain that brought down its data center for days.
COSCO – brought down for weeks by ransomware in July 2018.
On top of these, we also have CMA CGM, which today took down its worldwide shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by the Ragnar Locker ransomware.
This marks for a unique case study, as there is no other industry sector where the Big Four have suffered major cyber-attacks one after the other like this.
But while all these incidents are different, they show a preferential targeting of the maritime shipping industry.
“I’m not so sure it’s that they’re any more or less vulnerable than other industries,” said Ken Munro, a security researcher at Pen Test Partners, a UK cyber-security company that conducts penetration testing for the maritime sector.
“It’s that they are brutally exposed to the impact of ransomware.
“After Maersk was hit by the NotPetya crytper, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries,” Munro said.
It’s not the ships! It’s the shore-based networks
Over the past year, incidents where malware landed on ships have intensified. This included sightings of ransomware, USB malware, and worms; all spotted aboard a ship’s IT systems.
Maritime industry groups have responded to these increasing reports of malware aboard ships by publishing two sets of IT security guidelines to address maritime security aboard ocean-bound vessels.
But Munro points out that it’s not the ships that are usually getting attacked in the major incidents.
Sure, malware may land on a ship’s internal IT network once in a while, but the incidents where malware gangs have done the most damage were the attacks that targeted shore-based systems that sit in offices, business offices, and data centers.
These are the systems that manage personnel, receive emails, manage ships, and are used to book container transports. There is nothing particularly different from these systems compared to any other IT systems sitting inside other industry verticals.
“That said, if you can’t book a container, there’s no point in having the ship,” Munro added.
For all intents and purposes, it appears that despite efforts to protect ships from external hacking, the maritime industry has failed to treat its shore-based systems with the same level of attention.
While the rare ship hacking incidents are the ones that usually grab headlines, it’s the attacks on a shipping company’s shore-based systems that are more common these days, and especially the attacks on their container booking applications.
These systems have often been hacked by sea pirate groups looking for ship manifests, container ID numbers, and ship sea routes so they can organize attacks, board ships, and steal containers transporting high-value goods like electronics and jewelry [1, 2, 3, 4].
These waves of “cyber pirates,” as these groups have been often named, along with the recent attacks on the Big Four shipping giants, are a clear sign that the shipping industry needs to stop prioritizing the less likely ship hacking scenarios and focus more on its shore-based systems, at least, for the time being. More

The Western Australia Police Force (WAPOL) are seeking further clarification on what exactly it would have access to under the nation’s Telecommunications Legislation Amendment (International Production Orders) Bill 2020. In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the Bill, WAPOL said it would benefit from being able […] More