Terry Mayer, Senior Research Specialist and Geo-Political Analyst at Cyjax Ltd, discusses how SMEs can alleviate the threat of cybercrime.
Small and medium-sized enterprises (SMEs) are at ever-increasing risk of being targeted by cyber criminals. In this short article, we offer a few pointers aimed at minimising the threats faced by your organisation.
Cyber criminals are never short of new ideas for profiting from real-life events, tailoring their campaigns accordingly – and yet using the same basic techniques which we have seen being leveraged for years. The COVID-19 pandemic has provided a multitude of opportunities for these threat actors to develop their methods further: phishing attacks have risen dramatically worldwide as a range of adversaries – including well-known state-sponsored groups such as North Korea’s Lazarus – have sought to tempt people into parting with personal information or, in the case of health authorities, pharmaceutical companies or research institutes, data relating to vaccines or drugs.
Phishing scams involve launching targeted attacks against an organisation or an individual. They are likely to begin with a threat actor gathering open-source intelligence (OSINT) on the target; this might include running searches on media or genealogy websites, collecting information from Companies House or the electoral roll, and of course trawling social media sites such as Facebook or LinkedIn. Publicly accessible information can offer a wealth of data – in many cases enough to provide a threat actor with everything they need to profile an individual or an organisation. From there the attackers will hope to establish contacts in their preparations for a targeted attack.
LinkedIn is increasingly being used by cyber criminals who exploit the information openly available on the platform to trick employees into clicking on phishing emails. LinkedIn users are particularly susceptible because they have their accounts linked to their corporate email addresses: this increases the risk of a phishing attack.
Phishing businesses is a highly lucrative method for threat actors. Known as a Business Email Compromise (BEC) attack, the criminal groups use the publicly available information about a company and its employees to craft particularly effective phishing emails. These threat actors are likely to spend a great deal of time – possibly months – researching and monitoring their victims. To launch a successful attack, they will need to know enough about the organisation to be able to pose as a senior executive or a key supplier with the ability to request or authorise large payments.
A classic example of a BEC scam took place in January 2016, when Austrian aeronautics company Fischer Advanced Composite Components AG (FACC) was duped into wiring some €50m to cyber criminals. CEO Walter Stephan was later fired. Many similar, high-profile BEC attacks have been reported in recent years. In May 2020, for example, threat actors managed to steal $10m from Norfund, a private equity company owned by the Norwegian Ministry of Foreign Affairs and funded by the state budget.
There has been a dramatic increase in the incidence of ransomware attacks over the last couple of years, and this shows no signs of slowing down. A typical successful attack will encrypt the data stored on your networks, with the threat actors then sending a ransom note demanding payment in cryptocurrency to have the information restored. If this money is not forwarded within a certain time, the stolen data will be made available to other threat actors and sold. There is no guarantee that making a payment will result in the files being decrypted and returned, yet many organisations choose to place their trust in the ransomware operators and pay the demanded sum rather than attempt to restore their systems, because of the costs of the inevitable network downtime and the high value of the stolen data.
It is tempting to think that these ransomware groups are highly skilled technical actors, working diligently to identify vulnerabilities in company systems which can allow them access to networks. While this is certainly true in some cases, it is also worth remembering that phishing attacks continue to serve as an important vector. In one survey carried out in July this year, almost 25% of all respondents said their ransomware attacks started through phishing, and of those victims, 65% had conducted anti-phishing training sessions. For enterprises with fewer than 500 employees, 41% said their attacks started with phishing. [1]
Companies often fail to recognise that an attack on a third-party supplier can result in highly damaging and costly disruptions to supply chains. The Kaseya ransomware attack that took place over the holiday weekend in the USA in July this year serves as one of the most useful warnings to all organisations. Kaseya is a remote monitoring and management (RMM) platform. What was most interesting about this incident was the sheer ambition of the REvil group, which carried it out. These threat actors were not only intent on compromising Kaseya itself: they were aiming far higher. In a post that appeared on their darknet leaks site, they demanded a ransom payment of $70m in Bitcoin. They also claimed that their malware had infected over one million systems globally. In the event it appears this was somewhat of an exaggeration: Kaseya later reported that 1,500 organisations had been impacted. The company also stated that it did not make any ransom payment. This contrasted with another American company, Colonial Pipeline, which paid out $4.3m after it was successfully targeted in May.
Another huge supply chain attack took place in December 2020, when SolarWinds, one of the largest network management software vendors in the US, was attacked by the Russian state-sponsored group UNC2452, resulting in hundreds of client organisations being affected.
Most recently, Giant Pay, an umbrella company used by many HGV drivers’ contractors across the UK, was hit by a “sophisticated cyberattack” beginning on 22 September. The ensuing service outage reportedly affected the company’s payment systems. Further details were not released, but this was most likely a ransomware attack, despite no group having yet claimed it. It is here that the importance of good communication shows, and the reputational damage that can occur if this is neglected. Comments on Giant Pay’s LinkedIn and Twitter accounts, for example, included complaints from drivers who had allegedly not been paid.
One other point worth mentioning here is that the company published dubious information for customers in the FAQ section on the incident:
Has any of my data been compromised?
To give you reassurance, all of your data is held on Pure Storage arrays, which is automatically encrypted. [2]
Kevin McMahon, CEO of Cyjax, commented: “This is just a name they have given to systems with NVMe (Nonvolatile Memory Express) storage devices. These faster, more efficient flash storage devices can be encrypted many times more quickly than traditional ones, allowing back-ups to be carried out much more rapidly. On the other hand, this speed also reduces the time it takes to execute a successful ransomware attack…”
What do SMEs need?
SMEs are increasingly being targeted by cyber criminals who assume, often correctly, that these smaller organisations may not have the most robust cyber-security measures in place, leaving them open to exploitation of software vulnerabilities or social engineering techniques.
While it is simply not possible to prevent all ransomware attacks, vital security measures must be taken to minimise the threat: all data should be backed up, and copies of files should be kept in different places – including offline. Do not leave external storage devices connected to your network once the backup has been made.
Cyber Threat Intelligence
COVID-19 has also led to a big change in our working practices, with working from home at least some of the time now seemingly here to stay. This in turn has resulted in new cyber-security challenges, where the focus is more heavily on the individual and what they are doing on their laptop. Regular audits should be carried out on all computing equipment used for work purposes; training sessions for all staff – from post room to boardroom – are also essential to minimise the risks of employees falling victim to a phishing campaign or downloading viruses from unsafe websites.
Social Media and Dark Web Intelligence
One of the most important issues SMEs are faced with is risk management: most importantly, this means maintaining the good reputation of your company. Social media and instant-message monitoring is an important aspect in this regard: carried out effectively, it will allow you to pick up critical or even abusive messages on the major platforms and deal with the issues accordingly. But this type of research is useful for another reason, too: casting a critical eye over the information which your staff put on their social media accounts can offer an insight into how threat actors gather information about your company.
Not all threats to SMEs lie in the cyber realm. Events taking place worldwide can also have a serious impact on business operations. These can range from a typhoon in China that disrupts the global supply chain, through to the recent blockage of the Suez Canal, and on to the worrying staff shortages here in the UK that have resulted in empty supermarket shelves and long queues on the forecourts for petrol. Political activism has also increased due to various global issues and concerns such as climate change. In the UK, for example, environmental protesters have been organising successful and well-publicised demonstrations, leading to acute problems for many businesses.
A flexible approach to security
SMEs are faced with a variety of challenges which can have a critical impact on their operations, and cyber-related crime is just one of them. A flexible approach to security is essential: the most useful Threat Intelligence services will devise a solution tailored specifically for the needs of your organisation.