I recently posted about what we knew about the M&S cyberattack at the time: https://community.advania.co.uk/kb/articles/23-what-can-you-learn-from-the-m-s-cyber-attack. We've learned some new things since then, which I want to emphasise here, but there has been some other activity of note that I also think should influence priorities.
- More to learn from the retail attacks: We've learned a few new things about the retail attacks. First, we've found that M&S did in fact lose some customer data, although that was not believed to be the case initially. We've also found out that the Co-op contained their breach aggressively once it was detected, preventing further harm. This seems to have really aggrieved their attacker! The BBC article "'They yanked their own plug': How Co-op averted an even worse cyber attack" sheds some light on the more recent developments. It's important to truly examine how ready you might be to contain aggressively. Is this a part of your current defensive plans? Do you have clarity about the conditions under which you would or wouldn't pull that trigger? As we can see from these incidents, this question is much bigger than detection and response - it is a significant Business Continuity concern. If it isn't being treated that way today, it should be. We're seeing ongoing reports about the impact this is continuing to have on the bottom line, and about executives being held to account. This is a board-level concern for many organisations at this time, so you need to be ready to answer these questions with confidence.
- When ransomware gangs get hacked: Separately, we've seen that the LockBit ransomware gang were hacked, and their victim negotiation data were leaked ("LockBit ransomware gang hacked, victim negotiations exposed"). This includes negotiation chat data. I think we can safely assume they will not be notifying their data protection regulator any time soon! One implication is that if an organisation had been motivated to pay the ransom to sweep the incident under the rug, that has now failed. It's fair to say that the lifecycle of ransomware transaction data is an unknown at best. If I were a gambling man, I'd say it's likely that in due course, most ransomware transactions will eventually wind up in the public domain. The people in this world are so disreputable that all guarantees we might expect are non-existent.
- More WDAC benefits: In my post on M&S, I mentioned that Windows Defender Application Control (WDAC) can help defend against vulnerable driver exploits. In other recent breaches, I've noticed an uptick in exploits involving MSHTA.exe. I won't go into much technical detail here, but in short, this is a Windows component that can be used to create rich HTML installers. These experiences were common for a time, but this Windows component has many weaknesses that can be abused by attackers. This is reflective of the broader trend for attackers to "live off the land", where they use built-in Windows tools (commonly referred to as "LOLBINs") rather than installing malware executables. For many stages of an attack, these are the most common tool choices. In any case, I'm seeing MSHTA specifically being exploited with more frequency again. I think this is important because it's one of the LOLBINs that's easier to block with WDAC. You may have some genuine dependencies on it, but often they will be very narrow in scope, for dated applications, and typically you can find a way to block it broadly. By contrast, some other frequently abused LOLBINs like WMIC.exe (the Windows Management Instrumentation Client) can be hard to block, since many management tools still rely on it, even though it is quite legacy these days. In any case, we've recently completed a WDAC project for one of our clients, and it's pleasing to know that they would be protected from these new attacks that depend on MSHTA.
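As an added illustration of the MSHTA point above (example script written for this post, not code from the client project), this is how a deny rule for mshta.exe can be merged into an existing WDAC base policy, piloted in audit mode, and checked for genuine dependencies before enforcement. The policy paths are placeholders, and the base policy is assumed to already exist.

```powershell
# Added example: deny mshta.exe with WDAC, pilot in audit mode, then review hits.
# Assumptions: ConfigCI module is available (Windows 10/11 or Server 2019+) and a
# base policy already exists at $BasePolicy. All paths below are placeholders.
Import-Module ConfigCI

$BasePolicy   = 'C:\CIPolicies\BasePolicy.xml'          # assumed existing base policy
$MergedPolicy = 'C:\CIPolicies\BasePolicy-NoMshta.xml'  # output policy (placeholder)
$BinaryOut    = 'C:\CIPolicies\SIPolicy.p7b'            # compiled policy (placeholder)

# Deny rule keyed on the binary's OriginalFileName (MSHTA.EXE), so every
# version of the built-in mshta.exe is covered, not just the one on this host.
$denyMshta = New-CIPolicyRule -DriverFilePath "$env:SystemRoot\System32\mshta.exe" `
                              -Level FileName -Deny

# Merge the deny rule into the base policy. Deny rules take precedence over
# allow rules in WDAC, so mshta stays blocked even though the base policy
# will typically allow anything signed by Microsoft.
Merge-CIPolicy -OutputFilePath $MergedPolicy -PolicyPaths $BasePolicy -Rules $denyMshta | Out-Null

# Option 3 = Enabled:Audit Mode. Leave it on for the pilot so any genuine
# dependency shows up as an event rather than as a broken application.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# Compile to the binary form that Intune/GPO/local deployment expects.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryOut | Out-Null

# During the pilot, list audit-mode hits (CodeIntegrity event 3076) that involve
# mshta.exe; each one is an application you need to assess before enforcing.
function Get-MshtaAuditHits {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'mshta\.exe' } |
        Select-Object TimeCreated, Message
}

# Once Get-MshtaAuditHits returns nothing you cannot account for, switch to
# enforcement by removing the audit option and redeploying the recompiled policy:
#   Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryOut
```

Enforced blocks are logged as event 3077 in the same log, which is worth forwarding to your SIEM so an attempted MSHTA launch becomes a detection in its own right.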