Colonial Pipeline ransomware attack fallout, President Biden’s executive cybersecurity order, triple extortion, Truist Bank spear-phishing campaign, AXA Insurance becomes victim

1.  Congress introduced two bills in the wake of the Colonial Pipeline ransomware attack

• Following the recent ransomware attack against Colonial Pipeline, which caused gas shortages in several states, the U.S. Congress introduced two bipartisan bills designed to mitigate cybersecurity weaknesses across the nation’s critical infrastructure, including the oil and gas sector.
• The first congressional bill, the Pipeline Security Act, designates more responsibilities to the Transportation Security Administration (TSA) related to securing oil and gas pipelines against cybersecurity threats, such as acts of terrorism and other malicious activities.
• The second congressional bill, the CISA Cyber Exercise Act, would reinforce CISA’s mandate to support the cybersecurity efforts of local and state governments as it relates to the maintenance of critical infrastructures within their jurisdictions.

Expert Commentary: U.S. critical infrastructures are riddled with vulnerabilities, such that script kiddies can cause actual harm to vital resources across the nation. This Colonial Pipeline ransomware attack and the SolarWinds attack further reaffirms the need for more funding to implement proactive security to prevent, detect, and correct system flaws before they become disasters. If properly enacted, these congressional bills should kickstart the development of more cyber resilience systems to help reduce the physical impact of malicious activities.

Learn More

2.  Top cybersecurity experts call President Biden’s executive order a “dramatic game-changer”

• On Wednesday, President Biden signed an Executive Order to boost America’s cyber defenses and free up restrictions that prevent information sharing between the private sector and government entities.
• The Biden administration received high praise from the former Director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, on its active efforts to combating current and emerging cyber threats and strengthening U.S. critical infrastructures.
• This Executive Order will create a baseline of cybersecurity standards for all software sold to the federal government. The executive order also mandates a robust audit of all software used to facilitate government-related activities.

Expert Commentary: It’s clear that the Biden Administration is firm in its decision to curb cyber threats targeting U.S.-based institutions. Although the implementational logistics of this executive order is unknown, it remains a significant step towards hardware, software, and firmware security assurance. Undoubtedly, this executive order will dramatically enhance security standards, improve the security training and awareness levels, and increase the software’s transparency to facilitate critical operations in both the private and government sectors.

Learn More

3. Ransomware attacks introduce the ‘triple extortion’ tactic to maximize profits

• For many years, the double extortion tactic has brought success for ransomware attackers. With the double extortion tactic, ransomware attackers encrypt their victim’s data and threaten to leak the stolen data if certain ransom payments are not made.
• On the other hand, the triple extortion tactic is a more sinister add-on to the double extortion method. With this new tactic, ransomware groups not only target a victim but also target their victim’s customers, vendors, employees, or other third parties that the leaking of sensitive data would also harm. In this case, ransom payments are extracted from victims and their associates. This tactic increased the average ransomware payout by 171% since 2020.
• According to security researchers, the first case of a triple extortion tactic occurred in October 2020 against a 40,000 patient psychotherapy clinic in Finland, which led to the theft of protected health information (PHI) and eventually the bankruptcy of the clinic.

Expert Commentary: Ransomware is nothing new. But the techniques, tactics, and procedures (TTPs) leveraged by these attackers have reached enormous levels of sophistication over the recent years. At the height of the COVID-19 pandemic, ransomware attackers used double extortion tactics to penetrate some of the world’s most secure spaces. However, this triple extortion tactic will further embolden attackers and motivate all vulnerable parties to work together to combat ransomware incidents across every industry. Said ransomware attackers would most likely introduce other attack methodologies to the triple extortion, such as DDoS, vishing, domain spoofing, etc., to increase the impact of their malicious activities.

Learn More

4.  FBI spots spear-phishing campaign at a U.S. bank holding company

• The FBI Cyber Division spotted a new spear-phishing campaign, which uses a Remote Access Trojan (RAT) malware to gain unauthorized access. In this case, said RAT malware was observed impersonating Truist Financial Corporation, the sixth-largest bank holding company in the United States.
• The cybercriminals behind this malicious campaign lured their victims into downloading an application that mimicked a legitimate application from Truist Bank, called Truist Financial SecureBank App. Furthermore, victims were then required to complete a registration form to qualify for a $62 million bank loan. Said cybercriminals then manipulated the records to extract personally identifiable information (PII) and launched password spraying attacks.
• With the harvested information from infected systems, the cybercriminals could steal their victims’ credentials and various other sensitive data to perform lateral movement across networks further and gain elevated privileges.

Expert Commentary: One of the most notable peculiarities of the attack technique introduced by the RAT malware is its ability to manipulate human psychology, thus triggering interesting emotions such as a sense of urgency, greed, etc. Unfortunately, spear-phishing emails tend to appear legitimate; therefore, organizations with a poor security awareness posture tend to become victims. As a preventive measure, an organization ought to have a robust security training and awareness program, including attack simulations and lesson learned sessions. Although this type of proactive security measure is often overlooked, it helps to highlight evolving dangers associated with the emerging cyber-threat landscape.

Learn more

5.  An Insurance Giant, AXA, Becomes a Victim of a Ransomware Attack After Speaking Out Against Ransomware Payouts

• One of the world’s largest insurance companies, AXA, and its subsidiaries in Asia were ransomware and DDoS attack victims. The Avaddon ransomware group took credit for this ransomware attack by publishing details of their exploits on the dark web.
• Based on details shared by Avaddon, about three terabytes of data were stolen from AXA Group. The stolen data included sensitive information, such as bank account details, government-issued IDs, contract details, payment invoices, etc.
• Following massive insurance claims from organizations that were victims of ransomware attacks, AXA decided to stop processing insurance claims related to ransomware payouts. As such, security experts believe that this very decision is most likely one of the core reasons the Avaddon ransomware group targeted AXA.

Expert Commentary: Ransomware attacks exploit system and process flaws to encrypt systems and lock an owner out until a ransom payment is made. To date, more than 1,000 organizations are impacted by ransomware every week. Statistically, the healthcare sector has been facing the highest volume of ransomware attacks, with around 109 attacks per organization each week. Security researchers observed that the utility sector experiences 59 ransomware attackers per week; meanwhile, the insurance and legal sectors experience 34 ransomware attacks per week.

Learn More