Developing a SIEM for industrial needs
July 30, 2020
SANS Institute is under a phishing attack
August 20, 2020
Canon is confirmed to become the next victim of the Maze ransomware attack – right after LG and Xerox. The attack disrupted the work of multiple services, including corporate email, Microsoft Teams, the official Canon website in the USA and several internal applications.
According to Maze operators, they managed to penetrate the company’s IT infrastructure and then steal over 10 TB of data. The stolen information, that included some sensitive and confidential data, was encrypted. If Canon does not pay the ransom, the cyber criminals promise to publicly release the data.
Maze is a ransomware managed by a group of cyber criminals, mainly targeting enterprises. Once got into the corporate network, it laterally spreads until it manages to gain access to an administrator’s account. Then it encrypts the data and asks for ransom, that can reach several thousands of dollars.
While Canon is “investigating the situation”, let us look at a ransomware or other cyber-attack stages in more detail.
Attack activation and incubation
Most of the times the attack starts with an email sent to one of the employees. It looks like any other email in his inbox from a contractor sending documents for review, or support asking to log into the system, or a legal team notifying of new guidelines. Some phishing emails are crafted individually, that makes them difficult to recognize. The goal is to make the person click the link or open the attachment and activate malware by downloading cryptors, trojans or accessing software vulnerabilities.
It then takes from 6 weeks to 6 months to get ready for the attack exploitation. The malware remains unnoticed by antivirus solutions due to few lateral movements it makes for the entire period to establish contacts with C&C servers and download the code. Another secret is that it prefers to reside in “yellow zones” – areas of IT/OT networks, neither allowed nor restricted, where it is easy to hide.
If nothing is done at this point, the attack explodes, leading to business process block or malfunctioning. Attacks are most often conducted during weekends, so there is time encrypt corporate data, delete hot backups, and hide traces.
Preventing attack explosion
Security awareness develops 2 major areas that can help your non-IT and OT teams to recognize, ignore and delete phishing messages and minimize human error exploitation:
- emotional intelligence to recognize fear, lack of attention, curiosity, wish to help, and attempts of their manipulation
- practical skills to verify received email, recognize suspicious content, create proper passwords, use VPN, and communicate problems
However, you can stop a complex cyber-attack even after its activation if you detect it during its incubation period. You can do it by monitoring security events in the “yellow zone” for correlations between suspicious patterns. If you do not have a dedicated person to handle this task, outsource it. There are specialists who can monitor events from endpoint, network, and any other security solutions across the network.
Image by Darth Liu
