
A review of cybersecurity from the past week

So let’s make today’s security day as I catch up on notable news from the previous week.

Security researchers have discovered Daxin, a China-linked stealthy backdoor specifically designed to be deployed into hardened corporate networks that feature advanced threat detection capabilities. According to a technical report published by Symantec’s Threat Hunter team today, Daxin is one of the most advanced backdoors ever seen deployed by Chinese actors. Its form is unusual: it is a Windows kernel driver, which gives it an unusual entry point. The backdoor hijacks TCP communication, thus hiding within legitimate network traffic.

A Chinese cybersecurity company accused the NSA of using a hacking tool for over ten years, alleging that the agency used zero-day exploits to mine for data. Researchers believe this may be a sign that Chinese cybersecurity companies are starting to follow the example of their Western counterparts and do more attribution. It could be “a shifting strategy to become more name and shame as the US government has employed,” Robert Lee, a former NSA analyst and founder of cybersecurity company Dragos

Microsoft has warned Windows 10 and Windows 11 users that files might not be deleted after resetting the device using the “Remove everything” option. 

The issue stems from Microsoft’s OneDrive cloud file service. It could mean that files which were synced locally remain on a computer after a local or remote reset, which admins might perform before handing the device to a new owner. It can occur via a manual reset or a remote reset from Intune or other mobile device management tools.

The CyberRisk Alliance released data on the attack vectors for ransomware. After surveying IT cybersecurity decision-makers, it found that the top attack vectors were all from outside the organization, with 37% citing remote worker exploits as a critical issue. An additional 35% said cloud infrastructure was to blame, and 32% reported security problems with cloud-based apps.

Most organizations, 58%, paid the ransom demand, with 44% reporting a significant financial loss and 29% finding their data on the dark web.

Coro looked at SMB security and found that attacks against SMBs have increased by 150% in the past two years. On average, according to the study, Coro found that SMBs faced roughly 6,300 attacks per day over the course of 2019. A year later, that number rose to 17,500, and by the end of 2021, the average was 31,000 for the year. If this increase continues at its current pace, SMBs will face between 56,000 and 86,000 attacks in 2022 alone. The specific industries seeing the highest growth in the rate of attacks from 2020 to the end of 2021 were:

  • Transportation (195% increase)
  • Healthcare (178%)
  • Retail (149%)
  • Manufacturing (131%)
  • Professional services (119%)
  • Education (97%)

Looking at the victims, cybersecurity specialist Venafi conducted a survey and found that 18% of victims who paid the ransom still had their data exposed on the dark web.

  • 8% refused to pay the ransom, and the attackers tried to extort their customers.
  • 35% of victims paid the ransom but were still unable to retrieve their data. 

As for the ransomware actor extortion tactics, these are summarized as follows:

  • 83% of all successful ransomware attacks featured double and triple extortion.
  • 38% of ransomware attacks threatened to use stolen data to extort customers.
  • 35% of ransomware attacks threatened to expose stolen data on the dark web.
  • 32% of attacks threatened to directly inform the victim’s customers of the data breach incident.

The lack of credibility in ransomware actors’ empty promises to their victims stems from several factors.

First, most RaaS operations are short-lived, so they look to maximize their profits in the shortest possible period of time. As such, they don’t care about long-term reputation.

Secondly, many renegade affiliates don’t follow the rules set by the core ransomware operators, and enforcing these rules is rarely considered a priority for these groups.

Thirdly, even if the data isn’t leaked right away, the remnants of data breaches may be maintained for a long time in multiple threat actor systems and almost always find their way to the broader cyber-crime community sooner or later.

Why do we care?

Trend-wise, I don’t think there is anything new here. These are clear examples of the further investment in cyber as a war space, and I found the possible change in Chinese disclosure strategies notable.

No industry was spared, but the increases are not necessarily consistent.

Keep in mind the extortion data as we go into the next story.