Threat Assessment: Royal Ransomware
Written by Doel Santos, Daniel Bunce, and Anthony Galiette
Unit 42 has published a blog post detailing the Royal ransomware group, which has been recently involved in high-profile attacks leveraging multi-extortion tactics against critical infrastructure including healthcare and manufacturing. Unlike other major ransomware groups (e.g., LockBit 3.0) that operate on a RaaS model by hiring affiliates to promote their services, this group operates behind closed doors – and comprises former members of the notorious Conti ransomware group.
It is important to note that Royal ransomware extends beyond financial losses to small businesses and corporations. Since 2022, Unit 42 has observed this group impacting local government entities in the US and Europe, most recently the group attacked the city of Dallas. In the last 9 months, Unit 42 incident responders have responded to over a dozen cases involving Royal ransomware.
Below are some additional facts about the group from Unit 42’s findings:
- Since 2022, Royal ransomware has claimed responsibility for impacting 157 organizations on their leak site.
- They have impacted 14 organizations in the education sector, including school districts and universities. In the first few days of May 2023, the group has already impacted four educational institutions.
Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.
The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.
Royal ransomware also expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments. The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation. All strings, including the RSA public key and the ransom note, are stored as plain text.
Time for the Gaming Industry to Level Up Against DDoS Attacks
Written by Matthew Andriani, CEO, MazeBolt Technologies
Distributed denial of service (DDoS) attacks present a significant threat to organizations as they grow in sophistication and frequency. According to several studies, the average successful DDoS attack in 2022 lasted for over 50 hours, compared to 30 minutes in 2021. As the entertainment world’s largest source of income, the gaming industry has become a prominent target for DDoS attacks. The gaming industry houses several different entities that need protection in tandem with gadgets such as online access for consoles, smartphones, and cloud-based casual games – leaving the door open for cybercriminals to capitalize on the ever-expanding attack surface.
Without adequate visibility into DDoS vulnerabilities, an attacker can exploit thousands of entry points without notice, the only way a successful DDoS attack can occur is because of a vulnerability in the DDoS protection. It may only take one attack for an application to experience downtime, costing the businesses hundreds of thousands to millions in revenue along with their reputation within the gaming space. When an attack does occur, organizations are forced to operate in a reactive scenario that will only disrupt business and risk further downtime. As the DDoS attack surface continues to expand, gaming companies must gain insight into their vulnerabilities to close these gaps in protection and ensure players remain online.
The evolution of DDoS within the gaming industry
There are several enticing factors behind launching a DDoS attack in the gaming industry, including competition, extortion, and at times, disgruntled gamers. Threat actors know exactly how much in revenue and reputational costs a minute of downtime will have on the organization. Competition is a particularly critical factor because if one site goes down, users can easily pass to the next online platform to continue their gaming experience.
Likewise, extortion has become an easy way for attackers to monetize the industry by threatening to attack an online gaming company unless a payment is made, specifically after a demonstration that the threat is real. Online gaming platforms especially house big players in this field with great sums of money at stake, placing a large target on these organizations for cybercriminals to exploit.
There is also a growing trend among disgruntled gamers, known as ‘DDoS for hire’. Individuals no longer need to be knowledgeable about the functions of DDoS attacks, rather, they can have someone else launch the attack on their behalf. Gaming organizations are heavily investing in DDoS protection. The problem is that they are not consistently scrutinizing every vulnerability across the attack surface – the only reason gaming companies are experiencing downtime is because of a vulnerability in the protection they have already implemented.
Deploying a tier-one DDoS protection provider can only ensure around 60% automated protection into the attack surface, the other 40% must be continuously scrutinized with visibility tools. While many of these gaming organizations have the best protection in place, they don’t have the list of vulnerabilities within that solution. Without this critical insight, it’s impossible to manage the vulnerabilities and protect against this growing threat.
A race against time
It’s no longer an if, but when a gaming organization will suffer from a DDoS attack. This is not a new concept to the industry – it is well-known that these attacks are being launched at an alarming rate. To transform DDoS protection processes, gaming companies should start with a trusted solution that continuously identifies vulnerabilities across the attack surface, while speeding up the remediation process to ensure the damaging downtime is minimized.
Once these vulnerabilities are identified, organizations must confirm their closure to provide a more solid defense. At this stage of the process, the company is battling the clock to prevent further damage. Organizations that cannot keep up with this process will continue to experience downtime, and DDoS mitigation vendors not actively engaged in vulnerability management will be at a major disadvantage when working to avoid damaging DDoS attacks.
If you are not at the top of your game with DDoS protection, your organization will be knocked offline, costing millions in downtime and reputational losses.
The Chief Zero Trust Officer: A New Role for a New Era of Cybersecurity
Written by John Engates, Field CTO at Cloudflare
Over the last few years, the topic of cyber security has moved from the IT department to the board room. The current climate of geopolitical and economic uncertainty has made the threat of cyber attacks all the more pressing, with businesses of all sizes and across all industries feeling the impact. From the potential for a crippling ransomware attack to a data breach that could compromise sensitive consumer information, the risks are real and potentially catastrophic. Organizations are recognizing the need for better resilience and preparation regarding cybersecurity. It is not enough to simply react to attacks as they happen; companies must proactively prepare for the inevitable in their approach to cybersecurity.
The security approach that has gained the most traction in recent years is the concept of Zero Trust. The basic principle behind Zero Trust is simple: don’t trust anything; verify everything. The impetus for a modern Zero Trust architecture is that traditional perimeter-based (castle-and-moat) security models are no longer sufficient in today’s digitally distributed landscape. Organizations must adopt a holistic approach to security based on verifying the identity and trustworthiness of all users, devices, and systems that access their networks and data.
Zero Trust has been on the radar of business leaders and board members for some time now. However, Zero Trust is no longer just a concept being discussed; it’s now a mandate. With remote or hybrid work now the norm and cyber-attacks continuing to escalate, businesses realize they must take a fundamentally different approach to security. But as with any significant shift in strategy, implementation can be challenging, and efforts can sometimes stall. Although many firms have begun implementing Zero Trust methods and technologies, only some have fully implemented them throughout the organization. For many large companies, this is the current status of their Zero Trust initiatives – stuck in the implementation phase.
But what if there was a missing piece in the cybersecurity puzzle that could change everything? Enter the role of “Chief Zero Trust Officer” (CZTO) – a new position that we believe will become increasingly common in large organizations over the next year. The idea of companies potentially creating the role of Chief Zero Trust Officer evolved from conversations last year between Cloudflare’s Field CTO team members and US federal government agencies. A similar job function was first noted in the White House memorandum directing federal agencies to “move toward Zero Trust cybersecurity principles” and requiring agencies “designate and identify a Zero Trust strategy implementation lead for their organization” within 30 days. In government, a role like this is often called a “czar,” but the title “chief” is more appropriate within a business.
Large organizations need strong leaders to efficiently get things done. Businesses assign the ultimate leadership responsibility to people with titles that begin with the word chief, such as Chief Executive Officer (CEO) or Chief Financial Officer (CFO). These positions exist to provide direction, set strategy, make critical decisions, and manage day-to-day operations and they are often accountable to the board for overall performance and success.
An old saying goes, “When everyone is responsible, no one is responsible.” As we consider the challenges in implementing Zero Trust within an enterprise, it appears that a lack of clear leadership and accountability is a significant issue. The question remains, who *exactly* is responsible for driving the adoption and execution of Zero Trust within the organization?
Large enterprises need a single person responsible for driving the Zero Trust journey. This leader should be empowered with a clear mandate and have a singular focus: getting the enterprise to Zero Trust. This is where the idea of the Chief Zero Trust Officer was born. “Chief Zero Trust Officer” may seem like just a title, but it holds a lot of weight. It commands attention and can overcome many obstacles to Zero Trust.
Implementing Zero Trust can be hindered by various technological challenges. Understanding and implementing the complex architecture of some vendors can take time, demand extensive training, or require a professional services engagement to acquire the necessary expertise. Identifying and verifying users and devices in a Zero Trust environment can also be a challenge. It requires an accurate inventory of the organization’s user base, groups they’re a part of, and their applications and devices.
On the organizational side, coordination between different teams is crucial for effectively implementing Zero Trust. Breaking down the silos between IT, cybersecurity, and networking groups, establishing clear communication channels, and regular meetings between team members can help achieve a cohesive security strategy. General resistance to change can also be a significant obstacle. Leaders should use techniques such as leading by example, transparent communication, and involving employees in the change process to mitigate it. Proactively addressing concerns, providing support, and creating employee training opportunities can also help ease the transition.
But why does an organization need a CZTO? Is another C-level role essential? Why not assign someone already managing security within the CISO organization? Of course, these are all valid questions. Think about it this way – companies should assign the title based on the level of strategic importance to the company. So, whether it’s Chief Zero Trust Officer, Head of Zero Trust, VP of Zero Trust, or something else, the title must command attention and come with the power to break down silos and cut through bureaucracy.
New C-level titles aren’t without precedent. In recent years, we’ve seen the emergence of titles such as Chief Digital Transformation Officer, Chief eXperience Officer, Chief Customer Officer, and Chief Data Scientist. The Chief Zero Trust Officer title is likely not even a permanent role. What’s crucial is that the person holding the role has the authority and vision to drive the Zero Trust initiative forward, with the support of company leadership and the board of directors.
Getting to Zero Trust security is now a mandate for many companies, as the traditional perimeter-based security model is no longer enough to protect against today’s sophisticated threats. To navigate the technical and organizational challenges that come with Zero Trust implementation, the leadership of a CZTO is crucial. The CZTO will lead the Zero Trust initiative, align teams and break down barriers to achieve a smooth rollout. The role of CZTO in the C-suite emphasizes the importance of Zero Trust in the company. It ensures that the Zero Trust initiative is given the necessary attention and resources to succeed. Organizations that appoint a CZTO now will be the ones that come out on top in the future.
The 5 Ways PAM Reduces Unix/Linux Attack Surfaces and Improves Compliance
Written by Colin Bretagne, Senior Product Manager at BeyondTrust
In the hands of an external attacker or even an unscrupulous insider, privileged Unix and Linux accounts represent a potentially very serious cyber security threat to your organization. Through these privileged accounts, an attacker can infiltrate your organization’s environment and expose sensitive data, conduct unauthorized transactions, plant malware, and destroy systems, while erasing traces of his/her presence each step of the way.
Today, it is essential to have a strategy in place to control and audit your Unix/Linux privileged access in order to overcome this inherent security and compliance risk. The principle of least privilege, for example, was developed to encourage organizations to defend against infiltration by restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities, and for the least time necessary. In many cases, this equates to standard user access.
What are the challenges associated with managing privileges in Unix & Linux environments?
Many basic OS, management, application, and software functions (e.g. configuration utilities) for Unix and Linux platforms require more than just standard privileged access. Traditionally, this required end users to possess elevated privileges in the form of root or administrative usernames and passwords. To overcome this inherent security and compliance risk, organizations must remove the need to distribute and maintain root and administrative credentials. For this, they need PAM.
The best practice for managing privileges in Unix/Linux environments starts with PAM
One of the best ways to enhance access control for your privileged accounts is to use a Privileged Access Management (PAM) solution to configure and manage your Unix/Linux system. PAM provides a detailed, policy-based delegation of privileges of the Unix/Linux root account. This will enable you to deploy least-privilege access and enhance individual accountability for Unix/Linux root account activity. Plus, its centralized management and reporting capabilities will ensure you meet even the most stringent compliance requirements.
Let’s look in greater detail at how PAM can address the security and compliance challenges that are exclusive to Unix/Linux environments.
1) Prevents root escalation by removing the need to log in as root
Many system and application users of Unix and Linux use the phrase, “I need root,” declaring they can only perform their daily job functions if they can log on as “root”. Root is often referred to as the “God” user because, as the most powerful user on the system, there is little the root user cannot do.
Allowing usage of the root account complicates the ability to audit an individual’s actions (promoting account sharing) and inhibits the use of a strong, changeable password for the root account due to the need for multiple identities to use the account at any given time. These characteristics dramatically increase risk. The organization faces a heightened danger from insider threats via malicious and accidental behaviors, as well as additional exposure from external threats due to weak and non-changing passwords. There is zero accountability when using root to perform administrative functions.
Privilege Access Management solutions for Unix & Linux environments allow an administrator to elevate privileges following the principle of least privilege (PoLP). This enables users to run any command at a higher privilege level, so long as it is allowed by a policy defined in the centralized policy server, keeping the user accountable and keeping the attacker out. Removing the need for users to log on as root enables much tighter security controls around the root user account.
2) Safeguards Unix/Linux privileged passwords
It goes without saying that everything must be password protected. However, the management of your privileged passwords is as important as the password itself. One of the major problems for Unix/Linux root accounts is the tendency for users to share accounts and passwords. Unfortunately, in the case of shared accounts, as well as for certain configuration changes, root access is still required. Access to root passwords needs to be strictly controlled, and only one individual should know a password at any point in time to ensure there is accountability for any actions taken using the account.
These accounts should also have their passwords rotated on a regular basis to prevent any brute-force attacks aimed at hacking passwords. Integrating a PAM-privileged password management system layers on further security and productivity benefits by proactively vaulting and managing privileged credentials.
3) Centralizes Unix/Linux systems management, policy, and reporting
It’s well-established that the command-line nature of Unix and Linux systems doesn’t lend itself to easily consumed searching capabilities. This drawback becomes especially apparent in very large enterprise systems with multiple log servers concurrently running. With that said, consolidating vast amounts of data, and finding what you are looking for, is key to identifying mistakes and mitigating risk. PAM solutions allow the consolidation of logs, making data accessible quickly and efficiently. IT stakeholders benefit from having real-time visibility into the state of privilege-related Unix and Linux risks at their fingertips.
4) Achieves compliance for the root account – indelible audit trail, unimpeachable logs
PAM solutions enable full session logging and session replays, providing a centralized, indelible audit trail and ultimate accountability for each individual system administrator. Logging all Unix/Linux user activity can quickly become untenable. With PAM solutions, activity is recorded in a tamperproof way to meet compliance needs, and event logs can be dynamically named, centrally located, and access controlled in the central management console. When an audit or forensic investigation needs to be performed, organizations no longer need to waste time and manpower performing investigations on an overwhelming amount of data.
5) Analyze behavior to detect suspicious user, account, and asset activity
From time to time, the most senior admins will have a legitimate need to leverage root capabilities. These sensitive use cases may include certain types of system-level changes, or just reflect the ad-hoc nature of the commands the user may need to issue. One challenge is that compliance teams need to monitor ALL activity and ensure accountability for actions, especially considering the privilege level being used during these sessions. Compliance teams need to cleanly identify:
- who was using the root account
- when they were using the root account
- what activities were performed/commands typed by the root account
It is also imperative to protect log files from any sort of tampering. Searching the log files is critical for enabling the compliance team to find what they are looking for quickly and efficiently. PAM solutions enable monitoring and auditing of sessions for unauthorized access, changes to files and directories, and compliance.
The bottom line is that your business depends on the accuracy and privacy of the information you are entrusted with. Therefore, the value of managing the “who, what, where, when, how, and why” regarding access to your information technology cannot be underestimated. Privileged access management has numerous benefits that can solidify your information security. You would be wise to take advantage of this indispensable tool.