If there is one thing that unites us all at Open Systems, it is our mission to protect our customers. As any seasoned security professional will tell you, preventing every security incident is simply not possible. This means we must be prepared to deal with incidents when they occur so as to limit their impact. In other cases, we may have had late visibility into an incident, such as when we start onboarding for our MDR (Managed Detection and Response) service and surface an active threat actor in a customer’s environment.

Companies are impacted by cybersecurity incidents for a variety of complex and varied reasons, but I will illustrate a few themes by way of example.

Mergers and Acquisitions (M&A)

Companies that are growing through M&A also increase their cybersecurity risk. Typically, negotiations for an acquisition can be a lengthy and complex process. In an ideal world, security professionals might assume that the necessary due diligence is already completed on the security front prior to a deal being sealed. However, this is often not the case. Such was the issue for one of our SASE (Secure Access Service Edge) customers, who reported a ransomware incident to us that occurred in a newly acquired business unit in the Far East.

Following a brief investigation, we determined that the customer had allowed the remote desktop protocol (RDP) through their firewall from the internet to one of their servers. The threat actor had managed to guess the password of an account through a brute force attack and gained a foothold in the infrastructure. In the past, this was one of the most common methods threat actors used to gain initial access; however, it is in decline as companies tighten up their policies and infrastructure.

At the time of this case, it was clear from our inquiries that no one was really looking at the logs, as there were multiple opportunities to detect and contain the incident. Luckily for all, the scope of the breach was limited to a single business unit as the attacker failed to move laterally on the global WAN, but it could have been a different story.
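The detection opportunity described above, as an added illustration that is not part of the original post: a small analysis of constructed Windows Security event records that flags a burst of failed RDP logons from one source and raises a higher-severity alert when an RDP logon from that same source then succeeds. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive) are standard Windows values; the sample events, threshold and time window are assumptions chosen for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real customer data).
# Fields: timestamp, EventID, target account, source address, logon type.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2022-03-01T02:10:05", 4625, "administrator", "203.0.113.45", 10),
    ("2022-03-01T02:10:09", 4625, "administrator", "203.0.113.45", 10),
    ("2022-03-01T02:10:14", 4625, "admin", "203.0.113.45", 10),
    ("2022-03-01T02:10:20", 4625, "backup", "203.0.113.45", 10),
    ("2022-03-01T02:10:27", 4625, "backup", "203.0.113.45", 10),
    ("2022-03-01T02:10:33", 4625, "backup", "203.0.113.45", 10),
    ("2022-03-01T02:11:02", 4624, "backup", "203.0.113.45", 10),
    ("2022-03-01T08:30:00", 4625, "jsmith", "10.20.0.7", 10),  # single typo from the LAN
    ("2022-03-01T08:30:15", 4624, "jsmith", "10.20.0.7", 10),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, source, account, timestamp, failure_count).

    'bruteforce' fires when a source reaches `threshold` failed RDP logons
    inside `window`; 'success_after_bruteforce' fires when an RDP logon from
    that source then succeeds while the burst is still inside the window.
    """
    failures = {}  # source address -> deque of failure timestamps within the window
    alerts = []
    for ts, event_id, account, source, logon_type in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons matter for this rule
        t = datetime.fromisoformat(ts)
        recent = failures.setdefault(source, deque())
        while recent and t - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if event_id == 4625:
            recent.append(t)
            if len(recent) == threshold:
                alerts.append(("bruteforce", source, None, ts, len(recent)))
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", source, account, ts, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single brute-force alert is noisy on an internet-exposed RDP server, but the success-after-burst alert is the one that would have shown an account had been compromised and is worth paging on.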

Securing Remote Access

One of the strengths of our MDR+ service is that we gather relevant and thorough telemetry from the customer environment and can then analyze that information. Typically, new customers simply have not had the capability or resources to gather and consume this level of detailed information, nor the expertise to know what to look for. We’ve had multiple instances during the initial rollout of MDR+ that resulted in an incident response and containment exercise after we identified compromised accounts and devices.

Another common theme we find in these circumstances is that customers have failed to adequately protect systems that allow remote access to their IT environment. Two sub-themes emerge here.

First, companies often fail to properly maintain their remote access platform. Security devices have maintenance requirements of their own, and the usual rules about consistent patching apply to them too. Unfortunately, overlooking the importance of patching happens frequently in small- to medium-sized enterprises. Managed firewall services can take care of this kind of maintenance, but companies often do not realize this is a task they have to do, or the accountability for maintenance is not well defined. This can lead to compromised remote access systems and perimeter firewalls, which themselves can become a target.

The second theme we see is failure to use multi-factor authentication. Even companies with highly trained employees report phishing click rates of five percent. A miscreant targeting a company doesn’t have to run many campaigns to harvest credentials from a user, and we all know that valid credentials can be acquired in underground forums for a price. If a simple username/password combination is the only barrier preventing remote access into an organization, that spells disaster. Ideally, we would recommend our customers use our secure remote access services that incorporate multi-factor authentication, but there will always be companies that prefer to operate this on their own.

The Return of the Removable Media Threat

The year 2022 has seen the return of an old friend, malware that spreads through removable media. While this kind of attack has an old-school flavor, it was remarkable to see how a more recent threat, known as Raspberry Robin, affected businesses. Microsoft reported widespread detection, clearly illustrating why removable media is still a very viable attack path. Often, infections occur because a customer’s employees share removable media between personal, third-party, or work devices. Compromising these source devices with malware is easy because they don’t have adequate security controls. Once infected with malware, the removable media can subsequently infect any connected device.

Several aspects make the Raspberry Robin case remarkably interesting. The detection rate of this threat was incredibly low when it started. The threat actor also maintained an exceptionally low profile and delayed follow-on action for a considerable period. Finally, thanks to the investigative work of the Microsoft Threat Intelligence Center (MSTIC), Raspberry Robin was linked to the Evil Corp ransomware gang.

The good news here is that Open Systems actively tracked and mitigated this threat for our customers, in some instances prior to it being a named threat. Stopping the attack early in the attack path meant the ransomware did not affect our customers.