Introduction

Although the cybersecurity landscape has changed irrevocably over the last few years, the threat trends do not come and go quickly. As our Security Operations Center (SOC) team and Adversary Pursuit Group (APG) reflect on 2022, they predict that many of last year’s threats will persist in 2023. We will prepare for and diligently protect against the following hacker tactics:

  • ransomware,
  • data exfiltration as part of double extortion,
  • MFA abuse and bypass, and
  • the malicious use of enterprise software.

Ransomware

What is it?

Ransomware is a type of malware that encrypts the victim’s data and demands a ransom payment for its restoration. Over the last few years, it has continually taken up more space within the cybercrime landscape, with threat actors advancing their tactics, techniques, and procedures (TTPs) in response to increased security measures.

What are we on high alert for?

Neither this threat nor the groups behind it are going anywhere. Deploying ransomware is only getting easier and more cost-effective with the growing presence of Ransomware as a Service (RaaS), which allows individuals or organizations to purchase and deploy ransomware attacks without technical knowledge or expertise. The most recent tactic we have seen is ransomware paired with double extortion: not only is the victim’s data encrypted and withheld, but threat actors also threaten to publicly release or sell the sensitive information in order to pressure the victim into paying.

That is the end goal for all criminal ransomware groups – to generate maximum profit with little spending. Therefore, they will continue to target large enterprises and critical infrastructure, as well as Managed Service Providers (MSPs), who are connected to a multitude of companies’ networks and data. MSPs, to them, are a one-stop shop.

What do we recommend?

Increase security measures for both your team and your clients. Robust, around-the-clock cybersecurity and live security analysts are necessary to catch these attacks, some of which can occur within seconds. Additionally, you should establish regular backups, implement log monitoring, and operate from a Zero Trust mentality.

Data Exfiltration

What is it?

Data exfiltration is the unauthorized transfer of sensitive data from an organization’s network to an external destination. It can be enabled by a variety of factors, such as malware infections, poor access controls, and weak passwords. Monitoring and controlling data access is crucial.

What are we on high alert for?

In 2022, we saw an increase in data exfiltration attempts linked to ransomware as part of the double extortion tactic discussed above. Threat actors exfiltrate data to pressure a ransomed victim into paying and to monetize the stolen information.

What do we recommend?

Use encryption and data loss prevention (DLP) technologies, and conduct regular security audits. Ensuring that your data is not only kept safe, but is only accessible to the necessary people, is key.

What are we doing about ransomware and data exfiltration?

We are always innovating—creating new technology and new rules within it to protect our partners. Our 24/7 SOC is armed with our automated anti-ransomware capability, Ransomware Response, enabling us to stop even the swiftest ransomware attacks from deploying. Additionally, our Adversary Pursuit Group is aiding in our efforts to always stay ahead of cyberthreats. They are continuing to raise awareness of ransomware groups, such as Project Relic, LockBit 3.0, BlackCat, Lorenz, Conti, and more. With this level of security and threat intel in place, malicious actors won’t stand a chance.

Enterprise Software

What is it?

Enterprise software is used by organizations to manage their business processes and operations. Oftentimes, it is highly trusted and therefore has privileged capabilities. For example, an MSP’s Remote Monitoring and Management (RMM) software has high privileges with capabilities such as remote control, network mapping, and patch management.

What are we on high alert for?

Threat actors maliciously use these trusted tools. Again – they want to generate maximum profit with little spending. Why should they spend time and money building their own software for an attack when they can simply take advantage of the tools they know are widely used? One way they do so is through trial deployments. We have observed software offering free trials, with few checks and balances in place, being easily exploited by threat actors. For example, Dridex, a form of malware that targets bank account information, uses a modified version of Ammyy Admin, a zero-configuration free remote desktop software.

What do we recommend?

Be extremely cautious of the trust you put in your IT tools. They will continue to be necessary to run your business but can also be a foothold for an opportunistic threat actor. Regarding RMMs specifically:

  • keep it updated and patched,
  • assess your integrations,
  • ensure you aren’t exposing your Remote Desktop Protocol (RDP), and
  • review your RMM’s IP access.

Don’t unknowingly open the door for threat actors to walk right in.
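The last item on the RMM checklist above, reviewing your RMM’s IP access, is easy to state and easy to neglect. The following Python script is an added example, not Blackpoint’s code or the code of any RMM vendor; it assumes a hypothetical export of RMM console access records and an allowlist of CIDR ranges (both constructed here), flags logins whose source address falls outside the allowlist or cannot be parsed at all, and reports allowlist entries that no login ever used, which are candidates for removal.

```python
import ipaddress

# Constructed RMM console access records (hypothetical export format, not real data).
SAMPLE_ACCESS = [
    {"ts": "2023-01-10T07:55:00Z", "user": "tech1", "src": "10.20.30.40",  "action": "console_login"},
    {"ts": "2023-01-10T08:10:00Z", "user": "tech2", "src": "203.0.113.17", "action": "console_login"},
    {"ts": "2023-01-10T08:12:00Z", "user": "tech2", "src": "198.51.100.9", "action": "console_login"},
    {"ts": "2023-01-10T08:15:00Z", "user": "tech3", "src": "not-an-ip",    "action": "console_login"},
    {"ts": "2023-01-10T08:20:00Z", "user": "tech1", "src": "10.20.30.41",  "action": "script_push"},
]

# Assumed office, VPN and a stale partner range; constructed for the example.
ALLOWLIST = ["10.0.0.0/8", "203.0.113.0/24", "192.0.2.0/24"]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def review_rmm_access(records, cidrs=ALLOWLIST):
    """Return one finding per record whose source is outside the allowlist
    or is not a valid IP address (a malformed export should never pass silently)."""
    nets = build_allowlist(cidrs)
    findings = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["src"])
        except ValueError:
            findings.append({**rec, "reason": "unparseable source address"})
            continue
        if not any(addr in net for net in nets):
            findings.append({**rec, "reason": "source outside allowlist"})
    return findings


def unused_allowlist_entries(records, cidrs=ALLOWLIST):
    """Allowlist ranges that no record matched; review these for removal."""
    nets = build_allowlist(cidrs)
    seen = set()
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        for net in nets:
            if addr in net:
                seen.add(str(net))
    return [str(net) for net in nets if str(net) not in seen]


if __name__ == "__main__":
    for f in review_rmm_access(SAMPLE_ACCESS):
        print(f"{f['ts']} {f['user']:6} {f['src']:14} {f['action']:14} -> {f['reason']}")
    print("unused allowlist entries:", unused_allowlist_entries(SAMPLE_ACCESS))
```

Run against a real export, the two lists are the review: every finding is either an allowlist gap or an access you did not expect, and every unused entry is a range you can tighten.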

What are we doing about it?

We have continually raised this red flag over the last year. The awareness has thankfully grown, as more security firms and government entities see this exploitation play out. At Blackpoint, we have observed Conti, BlackCat, and Malsmoke all exploiting trial versions of RMM tools. In fact, in 2022, our SOC found that 15% of all our responses involved an RMM. With APG and SOC sounding the alarm, we are able to update our technology consistently to stay ahead of software abuse.

MFA Abuse and Bypass

What is it?

Multi-factor authentication (MFA) is a security feature that requires users to provide multiple forms of authentication to access an account.

What are we on high alert for?

While MFA is an effective security measure that should be adopted, attackers have gone where the flock is. They’re finding ways to bypass MFA via stolen credentials, alert fatigue, and social engineering tactics. These attacks can cost as low as a few dollars and take mere minutes to execute.

What do we recommend?

Swap your MFA push notifications for a different MFA method such as multi-digit vault codes or biometric authentication. If you rely solely on push notifications, hackers can use alert fatigue (constant notifications coming through) until you allow them access to your account. Remember – convenience does not always equate to security.
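Until push prompts are replaced, the alert-fatigue pattern described above is detectable from the authentication log: a burst of prompts for one user in a short window, and worst of all an approval arriving after that burst. The script below is an added example, not Blackpoint’s code or any identity provider’s API; it assumes a hypothetical key=value log format (the sample lines are constructed) and flags a burst at a configurable prompt count per window, escalating if a prompt in that burst is approved.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value format is hypothetical, not a real product's.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z user=alice event=push_sent result=denied src=203.0.113.5
2023-01-10T08:00:20Z user=alice event=push_sent result=denied src=203.0.113.5
2023-01-10T08:00:45Z user=alice event=push_sent result=timeout src=203.0.113.5
2023-01-10T08:01:10Z user=alice event=push_sent result=denied src=203.0.113.5
2023-01-10T08:01:30Z user=alice event=push_sent result=approved src=203.0.113.5
2023-01-10T08:05:00Z user=bob event=push_sent result=approved src=198.51.100.7
2023-01-10T09:00:00Z user=bob event=push_sent result=approved src=198.51.100.7
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=timedelta(minutes=5), max_prompts=3):
    """Sliding-window count of push prompts per user.

    Emits a medium 'push_burst' alert the first time a user reaches
    max_prompts within `window`, and a high 'approval_after_burst' alert for
    every approval that lands while the burst is still in the window.
    """
    recent = defaultdict(deque)     # user -> prompts inside the window
    in_burst = defaultdict(bool)    # user -> already alerted for this burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "push_sent":
            continue
        user = rec["user"]
        q = recent[user]
        q.append(rec)
        while q and rec["ts"] - q[0]["ts"] > window:   # expire old prompts
            q.popleft()
        if len(q) >= max_prompts:
            if not in_burst[user]:
                in_burst[user] = True
                alerts.append({"kind": "push_burst", "severity": "medium",
                               "user": user, "count": len(q), "ts": rec["ts"]})
            if rec.get("result") == "approved":
                alerts.append({"kind": "approval_after_burst", "severity": "high",
                               "user": user, "count": len(q), "ts": rec["ts"]})
        else:
            in_burst[user] = False   # burst subsided; allow a fresh alert later
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['severity']:6} {a['kind']:22} user={a['user']} prompts={a['count']}")
```

The window and threshold are deliberately conservative; a legitimate user rarely triggers three prompts in five minutes, and a high alert on the approval is the moment a live analyst should be paged, because the account is already open.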

What are we doing about it?

Last year, we extended our MDR capabilities to the cloud. With Cloud Response, Microsoft 365 users can set up custom notifications and rules for their cloud accounts, further limiting access. For example, countries can either be marked as authorized or unauthorized, for a specified amount of time, adding another line of defense in the malicious actor’s way.

Summary

Cybersecurity measures are constantly evolving, and if they’re good enough, they’re staying ahead of the malicious actors’ TTPs. These hackers are playing poker the smart way – they aren’t playing their hand; they’re playing their opponents. We trust MFA, they exploit MFA. We trust RMM, they exploit RMM. They will follow the trends, figure out how to bypass security measures, and remain relentless until they have the next victim. With Blackpoint’s true MDR, 24/7 SOC, live data, and threat intel, you can make structured decisions to beat them to the punch. Cybersecurity is not something you can turn off outside of business hours, nor metaphorically put on cruise control. With Blackpoint’s ever-advancing cybersecurity ecosystem, our patented MDR can proactively protect you from all angles.

Want something new to listen to?

Check out our podcast, The Unfair Fight, where you can hear industry insights from Blackpoint Cyber leadership and our special guests firsthand.