Back to blog

What We’re Reading This Month: July 2022

Chris Morgan 27 July 2022

Threat Intelligence

Roll up roll up, it’s that time of the month again, where our team of analysts provide the articles and literary pieces that kept them burning the midnight oil. This month we’ve got a report identifying supply chain security risks, methods by which threat actors exploit your psychological biases, and of course, ransomware. Check out these articles below.

Chris: Anchore 2022 Software Supply Chain Security Report

One thing that caught my attention this month was Anchore’s annual report on software supply chains, identifying trends regarding supply-chain attacks. According to Anchore, the proportion of organizations impacted by supply-chain incidents was as high as 62%, a remarkable figure that really demonstrates the massive risk facing businesses in 2022. The report was constructed following responses provided by 428 business executives, with the survey conducted between December 3 and December 22, 2021; the majority of the responses received by Anchore were conducted on or following the Log4 j incident, which also will likely have influenced the scoring.

One issue identified in the report was an increased use of software containers within businesses. The term containers refers to packages of software that contain all of the necessary elements to run in any environment. In this way, containers virtualize the operating system and run anywhere, from a private data center to the public cloud, or even on a developer’s personal laptop. Containers benefit their users with workload portability and overall efficiency. Anchore’s report identified that 88% of respondents planned to increase container use, while 31% of that number planned to increase it significantly.

An area of development that could greatly assist with supply-chain risk, is implementation of software-bill of materials (SBOMs). SBOMs were a key part of President Biden’s Executive Order on improving cybersecurity, which you might remember from May 2021. SBOMs refers to a formal record containing the details and supply chain relationships of various components used in building software. Essentially it enumerates the components within a product, much in the same way you get a list of ingredients in food packaging. Within the survey, Anchor identified that only 18% of respondents had complete SBOMs for all of their applications, which makes it much more difficult to respond to a plethora of threats, including supply-chain attacks and zero-day vulnerabilities. How can you assess your risk, if you don’t know if you use the susceptible component? SBOMs are likely to become much more of a hot topic and commonplace in the future, which was identified by 74% of respondents expecting to increase their use of SBOMs within the next 12 months.

Overall the report was a useful insight in the current landscape of supply-chain risk and how businesses plan to tackle the many problems associated with suppliers. Check out Anchore’s report here.

Fearghal: Gone Phishing—Decision Making Biases and Cyber Attackers

As the cybersecurity of computer systems evolves and advances, one part remains lacking—the human component. In a paper issued on November 2021, authors Chelsea K Johnson, Robert S Guzwiller and Kimbley Ferguson-Walter illuminate how threat actors are mindful of the cognitive biases and heuristics (mental shortcuts) in our decision-making, exploiting them to achieve their goals. One such example is the default effect, which suggests that people will revert to previously made decisions when making a choice in a familiar situation to reduce the amount of mental processing needed.

This can be reflected in users’ choice of passwords, which are often the same as or variants of previous passwords; you might have heard us refer to this problem before. Hackers exploit this tendency to conduct automated credential stuffing, whereby variations of a known password can be mass tested to gain access to accounts where credentials have been reused. The default choice can be influenced by choice architecture—how the options are presented. For example, regarding the creation of a new password, user ID, and password fields can be designed so that they do not allow the user to repeat their default ID or password, in order to reduce the success of credential stuffing.

However, these psychological pitfalls can also be harnessed to obstruct and deter threat actors. Current research has suggested overwhelming malicious actors with distracting information to bolster security; this is known as “honeypotting tarpits”. Through generating appealing, yet falsified, documents and data within a secured network, attackers could be made to sift through large volumes of information which they must subsequently verify. This slows down the decision-making process of attackers, making them more vulnerable to detection and could even be used to misdirect their efforts.

The underlying psychology of this tactic involves the exploitation of the sunk cost fallacy and loss aversion. Costs already spent, in terms of time and effort, are seen as ‘sunk’ and carry less weight than current investments of hacking efforts. Likewise, loss aversion relates to the notion that avoiding losses is preferable to acquiring gains when deciding between the two. An example of this might be an attacker spending too much time in an element of key terrain, such as the domain controller, rather than going through another route. The idea of changing terrains appears costly, particularly as a lot of time and effort has already been spent and a new terrain might be riskier. Ultimately, understanding errors in human decision-making processes is key to the evolution of defensive techniques in cybersecurity. This can inform industrial practice to improve employee decision-making and reduce the effectiveness of cyberattacks.
Check out the report on cognitive bias here and layer 8 tarpits here.

Ivan: Observations on ALPHV

In a new article written by Sophos, the IT security company revealed detailed information about attacks conducted by the “Alphv” (aka “BlackCat”) ransomware group, including their tactics, techniques, and procedures (TTPs); you might also remember our recent blog detailing Alphv. Sophos observed that Alphv has followed a consistent pattern of attacks in the past few months, which consisted of the threat group breaking into victim’s networks by exploiting unpatched or outdated vulnerabilities in virtual private networks (VPNs) and firewall devices.

In two cases observed by Sophos, the Alphv group exploited two vulnerabilities that dated back to 2018, and in another two cases, vulnerabilities from 2021 were exploited. The vulnerabilities allowed the threat actors to obtain VPN credentials from the memory of firewall devices, and then these credentials were used to log in the VPN as an authorized user. The researchers also noted that most targeted VPN accounts did not use multifactor authentication, and in one case the credentials were stolen via a spearphishing email attack.

When inside the network, Sophos reported that the group used remote desktop protocol (RDP) to move laterally between devices and brute-force attacks over the VPN to target Admin accounts. Much of the lateral movement by Alphv was allegedly built into the ransomware executable, allowing it to spread itself to windows machines. The group also used “Brute Ratel” in its attacks, a penetration testing tool that has become a popular alternative to Cobalt Strike for cybercriminals.

This article was very interesting, and it highlights some of the key, but often overlooked, risks we see in security today. Many of the vulnerabilities exploited by Alphv likely had patches available, and accounts targeted did not have two-factor authentication; if you’re getting DeJa’Vu, we’ve talked about the importance of vulnerability intelligence at length before. Patch management and strong password policies that enforce two-factor would also have helped mitigate some of these risks. In addition, password policies should also require users to change password frequently, as leaked credentials can also be used to access VPNs. Other mitigation techniques that would have helped to minimize the effects of Alphv attacks include network segmentation, applying the principle of least privilege, and monitoring of remote-access tools that are often used or abused by threat actors.

Since the release of Alphv, the group has posted more than 140 victims to its data-leak site, and over the past two quarters (Q1 and Q2 2022), Alphv has been one of the top 4 most active ransomware groups. With the recent closure of large groups like “Conti”, it is likely that Alphv will rise to become one of the top ransomware groups active today, which could result in the group attracting many more skilled affiliates. Alphv highlights that many common attack vectors still remain highly effective and regular security best practices can go a long way in preventing large cyber attacks like ransomware incidents.

Check out the blog from Sophos here.

Chris Morgan

Senior Cyber Threat Intelligence Analyst

Chris Morgan is a Senior Cyber Threat Intelligence Analyst on the ReliaQuest Threat Research Team. Before joining ReliaQuest in August 2020, Chris worked as a CTI analyst in the telecommunications and financial sectors. He also has a background in the British military.

Explore Blogs