Penetration Testing with Kali Linux OffSec
|
|
“Lapsus$”
37 group performed a number of attacks on a wide range of companies, stealing proprietary information and engaging in extortion. These attacks resulted in a loss of corporate data - including proprietary data such as source code, schematics, and other documentation. The attacks further resulted in the public exposure of data, and financial losses for companies that submitted to extortion. The variety and sophistication of techniques used by the group show how this kind of malicious actor can be so dangerous. In particular, individuals within a group can bring their own specialties to the table that people working alone wouldn’t be able to leverage. In addition, they can launch many different types of attacks at targets at a volume and velocity that an individual wouldn’t be able to. There’s a common truism in the cybersecurity industry that the attacker only needs to succeed once, while the defender must succeed every time. The efficacy of groups of attackers highlights this asymmetry. There are also only a few targeted mitigations available for such a wide variety of attack vectors. Because recruiting employees was one of the techniques used, awareness of internal threat actors and anomaly detection are key. Palo Alto Networks 38 additionally suggests focusing on security best practices such as MFA, access control, and network segmentation. Insider Threats : Perhaps one of the most dangerous types of threat actor, an insider threat is anyone who already has privileged access to a system and can abuse their privileges to attack it. Often, insider threats are individuals or groups of employees or ex-employees of an enterprise that become motivated to harm it in some capacity. Insider threats can be so treacherous because they are usually assumed to have a certain level of trust. That trust can be exploited to gain further access to resources, or these actors may simply have access to internal knowledge that isn’t meant to be public. During a PPE shortage in March 2020 39 at the beginning of the COVID-19 pandemic, Christopher Dobbins, who had just been fired as Vice President of a medical packaging company, used a fake account that he had created during his employment to access company systems and change/delete data that was critical to the company’s distribution of medical supplies. This attack resulted 40 in the delayed delivery of critical medical supplies at a crucial stage of the pandemic and the disruption of the company’s broader shipment operations. The danger of an insider threat is showcased clearly here. The attack was enabled by a fake account created by a 37 (Avertium, 2022), https://www.avertium.com/resources/threat-reports/in-depth-look-at-lapsus 38 (Palo Alto Networks, 2022), https://unit42.paloaltonetworks.com/lapsus-group/#Mitigation-Actions 39 (DOJ, 2020), https://www.justice.gov/usao-ndga/pr/former-employee-medical-packaging-company-sentenced-federal-prison- disrupting-ppe 40 (ZDnet, 2021), https://www.zdnet.com/article/disgruntled-former-vp-hacks-company-disrupts-ppe-supply-earns-jail-term/ Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 38 vice-president, who may have had access to more permissions than what might be considered best practice for a VP of Finance. This attack likely could have been prevented by applying the principle of least privilege , which we’ll explore in a later section. Since the attack was enabled by a fake account, it also could have been prevented by rigorously auditing accounts. Lastly, since this activity was performed after the VPs termination, better monitoring of anomalous activity may have also prevented or mitigated the attack. Nation States : Although international cyber politics, cyber war, and digital intelligence are vast subjects and significantly beyond the scope of this Module, we should recognize that some of the most proficient, resourceful, and well-financed operators of cyber attacks exist at the nation-state level within many different countries across the globe. Since 2009, North Korean threat actors, usually grouped under the name Lazarus , 41 have engaged in a number of different attacks ranging from data theft (Sony, 2014), to ransomware (WannaCry, 2017) to financial theft targeting banks (Bangladesh Bank, 2016) and cryptocurrencies - notably, the 2022 Axie Infinity attack. These attacks have resulted in the loss and leak of corporate data, including proprietary data (Sony) and financial losses for companies that paid a ransom. An information assurance firm called Yüklə Dostları ilə paylaş:
|