OpenAI's chatbot has the promise to revolutionize how security practitioners work.

ChatGPT took the world by storm after OpenAI opened it for testing on Nov. 30, 2022. For an industry calloused by years of largely unsatisfying AI and machine learning "innovations," the reactions have been quite telling. Like many who are excited by its potential, I believe this is finally the moment of clarity for how truly revolutionary AI can be for information security.

It's also quite sobering, as there are already countless examples of how it changes the game for black hats of all stripes. In one of the first proofs-of-concept, NYU professor Brendan Dolan-Gavitt used ChatGPT to exploit a buffer overflow vulnerability. Other examples include writing malware with lightning speed and crafting convincing, grammatically correct phishing emails.

The weaponization of AI within cybersecurity is not new, but what excites me the most about ChatGPT is its potential for closing information security's biggest gap: the lack of sufficient talent, in both breadth and depth of cybersecurity skills (i.e., specializations). To illustrate this further, here are three ways ChatGPT will change infosec in 2023.

**Advancing Crowdsourced Threat Intelligence**

For quite some time, one of the industry's holy grails has been successfully crowdsourcing threat intelligence. The promise stems from the ability to see what's happening across a wide swath of companies within a single vertical industry. Unfortunately, the greatest impediment has been the lack of trust between organizations to share the intelligence.

This is the problem that the array of ISACs across industries have been trying to solve — with mixed results. Going forward, an information sharing and analysis center (ISAC) could take an iteration of the ChatGPT model with its natural language interface and feed it log data submitted by ISAC constituents, based on implicit trust within the group. The ISAC could then use ChatGPT to correlate network connections, categories of malicious IP addresses and domains, and similar behaviors. The results could produce a set of IDS rules that the ISAC constituents should implement to protect themselves from threats. The ISAC also would gain insight into the overall risk posture of the industry it represents.

**Doing More With Existing Resources**

The uncertain economy is putting pressure on security organizations to implement hiring freezes to squeeze more productivity out of existing resources. ChatGPT can be extremely beneficial here as a force multiplier that enables one analyst to do the job of multiple people.

Generalists and entry-level staff can describe what they are seeing in alerts and detections, and then ask ChatGPT to decipher their observations to jumpstart the triage process. A specific example is helping with practitioners' daily de-obfuscation of suspected malicious code, which typically takes an hour or more. It now can be performed in seconds.

ChatGPT also has the potential to transform incident response. A team can use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. ChatGPT could then immediately prove or disprove a theory about a compromise. Today, that involves several days of work by an incident response lead, an engineer, and several analysts to fully resolve an incident. I can foresee a future where the process doesn't need an analyst at all.

**Taking the Malware Cat-and-Mouse Game to a New Level**

Today, adversaries generate 100 million new malware samples per year. Because they all require manual coding, it is still a finite, manageable amount for signature detection. With ChatGPT, however, a hacker can say, "Here's what I'm trying to do, and here's the OS I'm trying to do it on," and it can generate hundreds of thousands of iterations of one piece of malware.

This will mean that the detection engines' ML models must be recomputed faster. It's far more complicated, because they're working against a much larger data set. Fortunately, ChatGPT will supercharge the reverse-engineering process and give anti-malware efforts a fighting chance.

For instance, a significant reverse engineering challenge is working with a generic file name, which doesn't provide necessary context about where it was found. This requires much more manual work to identify the system for which it was built. There are minor changes in binary assembly that have marked changes on the end result — e.g., was it written for a 32-bit or 64-bit architecture? Is the system using Little Endian or Big Endian? The answers determine the direction in which you read the machine language (forward or backward).

All these efforts require trial and error if you have no context. ChatGPT can run through these iterations at blazing speed and give reverse engineers the final assembly language and process it from there. They can take it further and have ChatGPT tell them what it thinks the application is doing — in natural language. More importantly, ChatGPT could do all of this at scale, analyzing hundreds of thousands of binary samples and proving insights to an analyst.

It also can help fight back against common cat-and-mouse techniques. For example, malware often contains anti-reverse engineering techniques, such as nested loops, to make it much harder for reverse engineers to keep track of what is happening and the end state. ChatGPT can figure that out much faster than humans. It also can analyze the genetic code of the malware and see where there may be code reuse to identify the fingerprint of the author more quickly.

**Long-Term Implications**

Whenever new advances in AI come to fore, there is the inevitable concern about whether it will replace humans and their jobs. I don't believe ChatGPT will make this happen, but it will make us more powerful consumers of information. The force multiplier effect will be profound at all levels. I can see CISOs feeding it a set of information about its risk register for it to return policies and procedures, incident response plans, and more — all tailored to their environments.

While ChatGPT is only a research preview, I share the excitement of my industry colleagues about its promise to revolutionize how security practitioners work.

3 Ways ChatGPT Will Change Infosec in 2023

Highlighting continued attacks on game developers, attackers stole source code from and issued a ransom demand to the maker of League of Legends.

Cyberattackers have compromised and demanded a ransom from Riot Games, the developer behind the popular League of Legends game, in the latest attack to target video-game makers.

In a series of posts on Twitter, Riot Games acknowledged the breach this week and confirmed that the attackers had exfiltrated source code for the League of Legends (aka LoL) and Teamfight Tactics (TFT) games, as well as source code for an older anti-cheat platform. The attackers issued a ransom demand for $10 million, threatening to otherwise release the source code.

The attack disrupted Riot Games' development environment but appears to have failed to compromise player data, the company stated.

"We've made a lot of progress since last week and we believe we’ll have things repaired later in the week, which will allow us to remain on our regular patch cadence going forward," the company said on Twitter. "The League and TFT teams will update you soon on what this means for each game."

Riot Games joins other major video-game makers as a victim of online attackers. In September, Take Two Interactive's Rockstar Games — the maker of Grand Theft Auto — acknowledged that an unknown third party had compromised its network and gained access to videos and files for its coming Grand Theft Auto 6. And in 2021, cybercriminals used social engineering to gain access to the Slack channel for developers at Electronic Arts, giving them access to source code for the company's FIFA 21 and Battlefield franchises.

More recently, Rockstar Games has scrambled over the past week to deal with hackers exploiting vulnerabilities in the PC version of its Grand Theft Auto Online.

Industry analysts estimate that more than half of the US population plays games, with games on mobile devices about twice as popular as those on PCs or consoles. And attackers go where the people are, Tonia Dudley, CISO at Cofense, said in a statement to Dark Reading.

"In recent years, the gaming sector has become an increasingly popular target for cybercriminals," she said. "As investments in everything from e-sports to video games have increased, cyberattacks — particularly distributed denial-of-service (DDoS) attacks — have skyrocketed."

**Cyberattackers Playing Games**

Part of the reason that attackers focus on video-game makers is the large overlap between gamer and hacker interests. For instance, some are driven by a desire to find cheats to gain an advantage in online play. 

Attacks targeting online gamers typically make up a plurality of DDoS attacks detected each year and accounted for 46% of all attacks in 2020.

Cybercriminals also often target game makers that, arguably, have alienated their fan bases. In February 2021, for example, hackers targeted CD Projekt Red — the maker of the Witcher and Cyberpunk 2077 video games — because they were angry with the buggy state of the Cyberpunk 2077 game.

Yet games also make good platforms to distribute malware. Pirated games are often a vector for opportunistic malware. With most games connected to, and downloading data from, the Internet, games and their online services make ideal vectors of attack, says Boris Larin, lead security researcher at Kaspersky’s Global Research and Analysis Team.

"\[T\]hey have compromised a victim's build environments to conduct supply chain attacks, \[which\] could be considered as a very effective strategy for infection of a large number of PCs with a single attack," he says. "Massive multiplayer online (MMO) games have large user bases, and those users expect to receive automatic updates, so if attackers Trojanize a game update, a very large portion of players will be infected all at once."

**No Pay to Play**

Riot Games' response to the attack highlights another trend in the industry: Victims of ransomware attacks are refusing to pay. Last week, digital currency trackers estimated that ransomware revenues fell nearly 40% to nearly $460 million, with the average attack returning less in revenue per transaction.

The cybercriminals behind the attack on Riot Games demanded $10 million to not release the company's source code, according to an article in Motherboard.

Riot Games had a simple response.

"Today, we received a ransom email," the company stated in its post to Twitter. "Needless to say, we won't pay."

Riot Games handled the notification aspect of the breach very well, laying everything out to its customers, noting that personal information was likely not compromised, and detailing what code had been stolen, according to Kaspersky's Larin.

"We think that Riot Games did the right thing choosing not to pay," he says. "If you become a victim, never pay the ransom. \[Paying\] will not guarantee you get your data back nor that it will not be leaked online, but it will encourage criminals to continue their business."

Riot Games plans to release a full report on the incident to the public, "detailing the attackers' techniques, the areas where Riot's security controls failed, and the steps we’re taking to ensure this doesn’t happen again," the company stated.

Riot Games Latest Video-Game Maker to Suffer Breach

Whether you dream of your child growing into a CISO or just want them to improve their security hygiene, consider this roundup of literary geekery.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Child's Garden of Cybersecurity

Hackers don't need a key to get past your defenses, if they can essentially teleport using RMMs, warns CISA and the NSA.

It has come to light that hackers cleverly utilized two off-the-shelf remote monitoring and management systems (RMMs) to breach multiple Federal Civilian Executive Branch (FCEB) agency networks in the US last summer.

On Jan. 25, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing the attacks, warning the cybersecurity community about the malicious use of commercial RMM software, and offering mitigations and indicators of compromise to watch out for.

IT service providers use RMMs to remotely monitor and manage clients' networks and endpoints. But hackers can use the same software to bypass typical software control policies and authorization requirements on victim computers — as the US government found out.

**How Hackers Breached the Government With RMMs**

Last October, CISA conducted a retrospective analysis of Einstein — its intrusion detection system, deployed across FCEB agencies. The researchers found, perhaps, more than they'd bargained for.

In mid-June last year, hackers sent a phishing email to an FCEB employee's government address. The email prompted the employee to call a phone number. Calling the number prompted them to visit a malicious Web address: "myhelpcare.online."

Visiting the domain triggered the download of an executable, which then connected to a second domain, which is where two RMMs — AnyDesk and ScreenConnect (now ConnectWise Control) — came into play. The second domain didn't actually install AnyDesk and ScreenConnect clients onto the target's machine. Instead, it went backward: downloading the programs as self-contained, portable executables, configured to connect back to the threat actor's server.

Why does this matter? "Because," the authoring organizations explained, "portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software's installation on the network."

Having made a mockery of admin privileges and software controls, the threat actors could then use the executable "to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service."

It turns out, though, that the June compromise was merely the tip of an iceberg. Three months later, traffic was observed between a different FCEB network and a similar domain — "myhelpcare.cc" — and further analysis, the authors recalled, "identified related activity on many other FCEB networks."

Despite targeting government employees, the attackers appear to have been financially motivated. After connecting to target machines, they enticed victims to log in to their bank accounts, then "used their access through the RMM software to modify the recipient’s bank account summary," the authors wrote. "The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to 'refund' this excess amount to the scam operator."

**Why Hackers Like RMMs**

Hackers have a long history of utilizing legitimate software for illegitimate ends. Most popular are red-team tools — like Cobalt Strike and Metasploit — which cyber defenders use to test their own systems but can be seamlessly applied in the same way in an adversarial context.

Even software with no obvious relationship with cybersecurity can be repurposed for evil. As just one example, North Korean hacking clusters have been observed hijacking email marketing services to send phishing lures past spam filters.

In this case, RMMs have become ubiquitous in recent years, allowing attackers who use them an easy way to hide in plain sight. More than anything, though, it's the degree of autonomy that RMMs require in order to perform their normal functions that hackers turn to their advantage.

"Many RMM systems use tools that are built into the operating system," Erich Kron, security awareness advocate at KnowBe4, explains to Dark Reading. "These, as well as purpose-built RMM tools, typically have very high levels of system access, making them very valuable to attackers."

"To add to the issue," Kron notes, "RMM tools are often excluded from security monitoring as they can trigger false positives and appear malicious and unusual when doing their legitimate work."

Added together, "it makes the activities much harder to spot as they blend in with normal computing operations," he adds. Organizations that manage to spot the difference will find further headaches in preventing malicious use of RMMs, while maintaining legitimate use of RMMs over the same systems.

It's no wonder, then, that more hackers are adopting these programs into their attack flows. In a Jan. 26 report covering their incident response findings from the fourth quarter of 2022, Cisco Talos made special note of Syncro, an RMM they encountered in nearly 30% of all engagements.

It was "a significant increase compared to previous quarters," Talos researchers explained. "Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts."

To conclude their notice, the NSA, CISA, and MS-ISAC suggested steps that network defenders can take to combat RMM-enabled attacks, including:

*   Good hygiene and awareness around phishing,
*   Identifying remote access software on your network and whether it's only being loaded into memory,
*   Implementing controls against, and auditing for, unauthorized RMMs running as a portable executable,
*   Requiring that RMMs only ever be used over approved virtual private networks and virtual desktop interfaces, and
*   Blocking connections on common RMM ports and protocols at the network perimeter.

Federal Agencies Infested by Cyberattackers via Legit Remote Management Systems

The accused sold an enormous data set stolen from the Austrian radio and television licensing authority — to an undercover cop.

The stolen personal information of tens of millions of people from across the world was put up for sale on a cybercrime forum by a 25-year-old from the Netherlands, according to authorities.

He's now in custody after he sold it to an undercover Austrian cop, Dutch prosecutors said.

The data was lifted from an Austrian radio and television licensing agency and contained personal data on residents of Britain, China, Colombia, Thailand, and the Netherlands, Dutch prosecutors allege.

The unnamed accused, who lives in Amsterdam, has been in Dutch custody for three months, according to reports, but the arrest was just made public this week.

"The man is suspected of trading the personal details of tens of millions of people, stolen from all over the world," Dutch prosecutors told Agence France-Presse.

The suspect faces charges related to stealing personal data, breaking into computer systems, and laundering cryptocurrency.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dutchman Detained for Dealing Details of Tens of Millions of People

A vulnerability within Microsoft's OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.

Microsoft is a primary target for threat actors, who scour Microsoft applications for weaknesses. Our security research team at Adaptive Shield recently discovered a new attack vector caused by a vulnerability within Microsoft's OAuth application registration that allows attackers to leverage Exchange's legacy API to create hidden forwarding rules in Microsoft 365 mailboxes.

To understand this new attack vector, you must understand the key components therein. These include hidden forwarding rules and SaaS-to-SaaS app access, all of which amount to a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes — without the users' knowledge.

Learn more about the top use cases to secure your entire SaaS stack.

**Hidden Forwarding Rules**

Inbox rules are actions that occur based on preset conditions within a Microsoft mailbox. Users or admins can use forwarding rules to trigger protocols based on different attributes of the user's inbox.

Hidden forwarding rules (Figure 1) were first discovered by Compass Security's Damian Pflammater in 2018. He covered the discovery and Microsoft’s response in a blog post titled "Hidden Inbox Rules in Microsoft Exchange." These rules are fully functional and can be seen on the back end. However, they are not visible common interfaces such as email clients, an admin dashboard, or an API (Figure 2).

    

Figure 1. Hidden forwarding rules are visible on the back end.

    

Figure 2. Forwarding rules don’t appear in searches through common interfaces.

**SaaS-to-SaaS Access Through OAuth 2.0**

SaaS-to-SaaS app access, also referred to as third-party app access, describes the conditions under which one app can connect to another app and, in doing so, gain access and permission to different information and settings. The OAuth 2.0 mechanism simplifies the process of authentication and authorization between consumers and service providers through a seamless process that allows users to quickly verify their identities and grant permissions to the app. The app is then allowed to execute code and perform logic within its environment behind the scenes.

In many instances, these apps are completely harmless and often serve as a valuable business tool. In other instances, these apps can act as malware, similar to an executable file.

    

Figure 3. Connecting third-party apps.

**The Next Evolution: An Attack Method Through SaaS**

With this SaaS rootkit, threat actors can create malware that lives as a SaaS app and can infiltrate and maintain access to a user's account while going unnoticed.

While bad actors can't find Exchange Legacy scopes that can used to add programmatically online hidden forwarding in the Microsoft UI, they can add them through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the legacy scope protocols removed from the UI to the app (exploiting the vulnerability that the Adaptive Shield team uncovered), and send an offer to users to connect to it. The user will see an OAuth app dialogue box on the official Microsoft site, and many will likely accept it (Figure 4).

    

Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants permission to create forwarding rules and hides them from the user interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken for a one-off attack but, rather, the start of a new attack method through SaaS apps.

**Microsoft Response**

In 2022, Adaptive Shield contacted Microsoft about the issue, Microsoft in response said that the issue has been flagged for future review by the product team as an opportunity to improve the security of the affected product.

**How to Best Mitigate a SaaS Rootkit Attack**

There's no bulletproof way to eliminate SaaS rootkit attacks but there are a few best practices that can help keep organizations more protected.

*   **Monitor third-party app access** and their permissions to ensure that apps are legitimate and given only the access they require.
*   **Track activities** and be on the lookout for new inbox rules to identify any new connections from untrusted domains.
*   **Disable third-party app registrations** where possible to reduce risk.

**Conclusion**

Hidden forwarding rules are still a threat, even more so when they appear through the trusted Microsoft website. The traditional controls that were created to stop malware have struggled to keep up with the evolution of malware and the new attack vector that can exploit any SaaS app, from M365 to Salesforce to G-Workspace, etc. Organizations should utilize native security configurations to control the OAuth application installations across SaaS apps to protect users from malicious attacks like these.

Get Forrester's SSPM Report, "Embrace aParadigm Shift In SaaS Protection: SaaS Security Posture Management."

**About the Author**

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his B.Sc. in computer science and is CEO and co-founder of Adaptive Shield.

SaaS RootKit Exploits Hidden Rules in Microsoft 365

The US Department of Justice hacked into Hive's infrastructure, made off with hundreds of decryptors, and seized the gang's operations.

The Feds have disrupted the prolific Hive ransomware gang, saving victims from a collective $130 million in ransom demands. But it remains to be seen how much of a blow the effort will be to the overall ransomware landscape.

The group's operations have been buzzing with activity for months, racking up more than 1,500 victims in 80-plus countries around the world since it appeared in June 2021, according to an announcement from the US Justice Department. The gang has been operating with a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion, and delivering its venom indiscriminately to school districts, financial firms, critical infrastructure, and others. At least one affiliate has become a bit of a hospital specialist, disrupting patient care in some attacks.

In what officials called "a 21st-Century cyber-stakeout," the FBI has been infiltrating the gang's network infrastructure since last July and, perhaps most notably, has now seized its decryption keys.

"The FBI has provided over 300 decryption keys to Hive victims who were under attack," according to Thursday's announcement. "In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

**Hive: Gone for Good?**

Aside from swiping the decryptors, the DoJ also worked with German law enforcement to execute a coordinated seizure of the group's command-and-control (C2) infrastructure (including two servers located in Los Angeles) and the group's Dark Web leak site, US Attorney General Merrick Garland said during a press conference.

The actions could have a significant effect on the volume of ransomware attacks, at least in the short term. According to Mandiant, Hive was the most prolific ransomware family that it dealt with in its incident response engagements, accounting for more than 15% of the ransomware intrusions that it responded to.

That said, while the strike will certainly be a blow to the gang, it's unlikely that its affiliates and members will be dormant for long. As with other high-profile takedowns such as those of Conti and REvil, it's likely that they will simply join other teams or regroup to sting another day.

"We've seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727," Kimberly Goody, senior manager at Mandiant Intelligence — Google Cloud, said in an email statement. "Hive also hasn't been the only ransomware in their toolkit; in the past we've seen them employ Conti and MountLocker, among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations."

**Ransomware Is Becoming Less Attractive**

Still, the ransomware game is getting tougher for operators, who are facing declining profit margins, lower valuations for cryptocurrency, intense law enforcement scrutiny, more victims having appropriate backups in place, and increasing refusals from targets to pay up. As such, researchers have seen an emerging trend of ransomware actors pursuing other avenues to make money.

Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security, said via email that this latest event is likely to add fuel to that phenomenon.

"It's very possible that we'll start to see ransomware actors pivot to other types of cyberattacks, like business email compromise (BEC)," he said. "BEC is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company's network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks."

Hive Ransomware Gang Loses Its Honeycomb, Thanks to DoJ

After Berlin pledged tanks for Ukraine, some German websites were knocked offline temporarily by Killnet DDoS attacks.

After Berlin agreed to send its advanced Leopard 2 tanks to Ukraine, Russia-backed threat group Killnet retaliated with DDoS attacks aimed at Germany's government, banking, and airport sites.

Germany's BSI federal agency, which oversees information security, said the attacks caused some small outages, but otherwise did little damage.

"Currently, some websites are not accessible," the BSI said in a statement to Reuters. "There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken."

Last fall Killnet was behind similar DDoS attacks against US airports last fall and has been escalating its nefarious cyber activities throughout Russia's invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Government, Airports, Banks Hit With Killnet DDoS Attacks

The rapid maturation and rebranding of ransomware groups calls for relentless preparation and flexibility in response, according to one view from the trenches.

Analysis of ransomware trends in 2022 shows that business was booming last year for extortionary cybercriminals, with the highest volume of ransomware attacks lobbed by sophisticated criminals that organize into groups that utilize very consistent tactics, techniques, and procedures (TTPs) amongst themselves, even if these organizations "retire" and then come back, rebranded.

A Jan. 26 report from the GuidePoint Research and Intelligence Team (GRIT) showed that while at least one new ransomware group emerged every month last year, the majority of attacks were perpetrated by a relatively small group of entrenched players.

The "GRIT 2022 Ransomware Report" examined data and circumstances from 2,507 publicly posted ransomware victims across 40 industry verticals that were carried out by 54 active threat groups.

"The thing that we really wanted to emphasize was that ransomware is not going anywhere," says Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security. "It's very present. A lot of people seem to think that ransomware is potentially declining, because of things like Bitcoin payments are becoming less valuable. But ransomware is still happening at crazy rates."

    

Source: GRIT 2022 Ransomware Report, GuidePoint Security

As a negotiator, Schmitt works with actively attacked companies to act on their behalf and interface with the extortionist. There are two goals: to either gain enough information and time to help their security operations centers (SOCs) recover, or to negotiate a lower payment.

Using his inside knowledge about how attackers operate, and the data freely available about victimology last year, he and his team were able to put together a number of insights for the report. Dark Reading caught up with Schmitt to not only dig into details the report, but also to glean observations from his ongoing work as a negotiator. He provided seven key points that defenders should keep in mind as they prepare for more ransomware campaigns in 2023.

**1\. There's a Definite Taxonomy to Ransomware Gangs**

A big part of the analysis revolved around the development of a ransomware taxonomy for categorizing ransomware groups, which the team organized into four buckets: full-time, rebrands, splinter, and ephemeral. 

The majority of attacks came from what the taxonomy dubbed full-time groups, which have been active for nine or more months and publicly claim 10 or more victims.

"These are the Lockbits of the world, and they're the ones that are doing very consistent operations \[and\] can maintain a very high tempo," Schmitt says. "They are very consistent in behaviors and have a lot of really robust infrastructure. Those are the ones that have been operating for a very long period of time, and they're doing it consistently."

As the report pointed out, Lockbit alone accounted for 33% of attacks last year.

Then there are the rebrand groups, which have been active for less than nine months but claim nearly the same number of victims as full-time groups, and with some examination of TTPs usually have some correlation with a retired group.

"Really the only difference between the rebrand and the fulltime is the duration of operation," Schmitt says. "Groups like Royal also fit into this type of category where they just have very robust operations and they're able to operate at a high tempo."

Meantime, "splinter" groups are those that have some TTP overlap with known groups, but are less consistent in their behaviors.

"The splinter groups are an offshoot from either a rebrand or a full-time, where it's maybe somebody going off and doing their own thing," he says. "They haven't been around for very long. Their identity is not solidified at this point in time, and they're really just trying to find themselves and how they're going to operate."

Finally rounding things out are "ephemeral" groups that have been active for less than two months, which have varied but low victim rates. Sometimes these groups come and go, while other times they end up developing into more mature groups.

**2\. Rapid Rebranding of Ransomware Groups Makes Threat Intelligence Key**

The classification into those four taxonomy groups looks cleaner in an annual report than it does on the ground when a SOC starts lighting up.

"When you start dealing with these types of groups that are popping up and going away very quickly, or they're rebranding, they're developing new names, it does make it very much more difficult for the blue teamers or the defenders to keep up with these types of trends," says Schmitt, who explains that keeping tabs on rebranding and splintering of groups is where threat intelligence should come into play.

"We really like to focus on emphasizing communication when it comes to threat intelligence — whether it's threat intelligence talking with the SOC or the incident response team, or even vulnerability management," he says. "Getting an idea of what these trends look like, what the threat actors are focusing on, how much they pop up and go away, all of that is very valuable for the defenders to know."

**3\. RaaS Groups Are a Wild Card in Negotiations**

Even though the underlying TTPs of fulltime groups makes a lot of ransomware detection and response a little easier, there are still some big variables out there. For example, as many groups have employed the ransomware-as-a-service (RaaS) model, they employ a lot more affiliates, which means negotiators are always dealing with different people.

"In the early days of ransomware, when you started negotiations, there was a good chance you were dealing with the same person if you were dealing with the same ransomware," Schmitt says. "But in today's ecosystem, there are just so many different groups, and so many different affiliates that are participating as part of these groups, that a lot of times you're almost starting from scratch."

**4\. Ransom Demands Are Climbing Sky High**

One of the anecdotal observations Schmitt made was the fact that he's seen a lot of very high initial ransom demands from ransomware operators lately.

"We've seen $15 million, we've seen $13 million, we had $12.5 million. There's a lot of very high initial ransom demands that have been happening, which is a little bit surprising," he says. "And a lot of times we do successfully negotiate significantly lower ransoms. So starting at $15 million and getting down to $500,000 is not uncommon. But at the same time there are just certain threat actors that are like, 'You know what? This is my price and I don't care what you say, I'm not going to negotiate.'"

**5\. Improved Backup Strategies Are Making a Difference in Preparation**

The ratio of clients he sees who can successfully recover without caving to the extortion demands versus those that need to pay a ransom is coming close to a 1:1 parity, Schmitt says.

"In the early days it was like, 'Well crap, we got encrypted. We can't recover unless we pay this ransom,'" he notes. "As time has gone on, having really effective backup strategies has been huge for being able to recover; there are a lot of organizations that get hit with ransomware and they're able to recover simply because they have a really solid backup strategy in place."

**6\. Double Extortion Is the Norm**

However, there are still plenty of organizations that are still behind the curve, he says, which keep ransomware more profitable than ever. Additionally, the bad guys are also adjusting through doubleextortion, not only encrypting files, but stealing and threatening to publicly leak sensitive information as well. All of the groups tracked in the report utilize double extortion.

"It's a little bit unclear whether that's just because people are getting better at securitynor the groups are really realizing that maybe it's not worth the effort to deploy the ransomware if the client already has a backup strategy in place that's going to allow them to recover," he says. "So, they've been focusing on that data exfiltration because I think they know that that's the best chance that they actually have to make money off of an attack."

**7\. There's No Honor Among Thieves, but There's Business Sense**

Finally, the big question in dealing with criminal extortionists is whether the bad guys are even going to keep their word once the money drops in their account. As a negotiator, Schmitt says that, for the most part, they typically do so.

"Obviously, there's no honor among thieves, but they do believe in their reputation," he says. "There are edge cases where something bad happens, but most commonly the bigger groups are going to make sure they don't post your data and they're going to provide you the decryptor. It's not going to be some malware backdoor decryptor that's going to do more damage. They're very focused on their reputation, and their business model simply just doesn't work if you pay them and then they still leak your data or they don't give you what they're supposed to."

7 Insights From a Ransomware Negotiator

Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won't even be prevented by it, according to Gartner.

The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week.

While interest in zero-trust architectures is high, only about 1% of organizations currently have a mature program that meets the definition of zero trust. The firm also estimates that only a 10th of all organizations will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks. 

Even so, moving from 1% to 10% is significant progress, says John Watts, vice president analyst at Gartner.

"That's a relatively large increase," he says. "\[Ten percent\] may seem low, but at the same time, right now, when we talk to clients, and we look at other industry data points, it doesn't seem like there are many large organizations you can point to that have a mature and measurable zero-trust program."

Zero-trust initiatives continue to be an aspirational goal for companies and their cybersecurity teams, with 80% of executives indicating that the strategy is a top priority and 77% increasing their budget for implementation, according to a 2022 survey published by the Cloud Security Alliance in June. A separate report published by Microsoft in 2021 found that 96% of security leaders considered zero trust critical to their success — and 76% were "in the process" of implementing a zero-trust initiative.

**Turning Zero Trust Into Action**

As companies mull their paths forward, they should recognize that getting to a comprehensive zero-trust architecture is not easy and will take time, says Christopher Hallenbeck, CISO for the Americas at Tanium, a provider of converged endpoint management.

"The process of migrating to zero trust can seem overwhelming, and it often causes paralysis," he says. "I’m surprised the \[forecasted\] number is as high as 10%. While many organizations have zero-trust aspirations, few have made holistic changes to fully embrace it."

It can also be confusing, given the widespread use of "zero trust" in the marketing of cybersecurity products and services. 

In a prior Insights report, Gartner pushed back against the overzealous use of the term. Neil MacDonald, a distinguished vice president and analyst at the firm, said that zero trust requires that the degree of trust granted to users and devices need be explicitly granted, continuously calculated, and then adapted to allow the right amount of access only for as long as necessary.

"Zero trust is a way of thinking, not a specific technology or architecture," he said. "It's really about zero implicit trust, as that's what we want to get rid of."

While the notion of removing implicit trust from enterprise computing infrastructure is a good one, the architecture is difficult and time-consuming to implement and does not solve all problems, the analyst firm stated as part of this week's post.

As such, organizations need to move to integrating zero-trust initiatives into specific pieces of their operations, Hallenbeck notes.

"You need to configure each system to bring it under zero trust and should prioritize those systems holding the most sensitive information," he says. "It all comes down to knowing what you have in order to form a plan."

**Know the Limits of Zero Trust**

Indeed, knowing the scope and limits of zero trust is critical, Gartner's Watts says. The architecture and technologies used in zero-trust implementations are good for blocking lateral movement and containing the impact of an initial breach. However, companies should not expect a zero-trust service to prevent compromises of consumer-facing systems.

Anything that's intended for consumer consumption and exposed to the Internet, where anybody can find and try to use the service, is not a candidate for zero trust and not in scope for a company's initiatives, Watts says. Attackers are already starting to bypass some identity and authentication techniques, such as last year's compromise of Rockstar Games through spear-phishing and an internal collaboration platform. They will continued to find entry points that are not controlled by zero-trust protections, or they will focus on the weakness of zero trust, he says.

The firm, in fact, predicts that by 2026, zero trust will not be able to prevent more than half of all cyberattacks.

Still, adopting zero-trust frameworks will eventually pay off, Tanium's Hallenbeck says. A company with a mature zero-trust program knows "what systems \[they\] have and where data lives," he says. In that way, even if an attacker bypasses a zero-trust protection, the organization can limit the damage by limiting the attacker's access to internal systems and data.

"We're just starting to move past this phase, from where every vendor tells you they can solve all your zero-trust problems, and into the space where organizations now are implementing more zero-trust controls," Watts says. "They're facing a reality of both good and bad, right? And it's not all good, and it's not all bad."

Source

DARKReading