Ransomware groups, supply chain attacks led to large operational disruption in second half of 2021

Cybercrime continued to increase in the last six months of the year, as threats from ransomware groups and supply chain attacks dominated the headlines with the most impact and operational disruption, Nozomi Networks said on Wednesday in its semi-annual OT/IoT Security Report covering the second half of 2021. 

The report also highlighted how critical infrastructure industries such as transportation and healthcare are being targeted, provided an analysis of recent ICS-CERT vulnerabilities and exploitation trends, and offered remediation strategies for current emerging threats, including network monitoring, zero trust, and attack surface reduction.

“Security organizations and law enforcement are punching back,” Moreno Carullo, Nozomi’s co-founder and CTO, said in a media statement. “We are seeing some good signs that more security professionals are modernizing their defenses to address both prevention and resiliency, and that a post-breach mindset is paying off. Threats may be on the rise, but technologies and practices to defeat them are available now as we have greater insights into the nature of the vulnerabilities and attacks.”

Much like the first half of 2021, the second half of the year was filled with news of ransomware disruptions, Nozomi said in its latest report: ransomware groups and their attacks continued to make headlines and cause operational disruption, while supply chain attacks gave them an opportunity to spread damage quickly.

Nozomi also said that it was reported that the Conti ransomware group extorted upwards of US$150 million over the course of the year. Other prolific ransomware groups were active, with REvil targeting the software supply chain of IT solution provider Kaseya and BlackMatter, who many believe to be a successor to REvil, demanding a $5.9 million ransom from a U.S. farmers’ cooperative.

Critical infrastructure sectors continued to be highly targeted, particularly transportation, healthcare, and food, Nozomi said in its report. “All are now perceived as high-value targets by ransomware groups as well as nation-state actors with geopolitical motives. Law enforcement organizations (LEO) also took significant actions against ransomware organizations and affiliates, often long-term operations involving the cooperation of many countries,” it added. 

Nozomi said that supply chain attacks have the potential to disrupt hundreds or thousands of organizations, depending on how widely a common software component is used and the ease with which a vulnerability can be exploited. 

The first widely reported supply chain attack was over a year ago when a SolarWinds vulnerability compromised dozens of critical network operations across industries and the federal government, according to the report. “Since then, we have seen growing concerns surrounding actual vulnerabilities and exploits in open-source code. When vulnerabilities are announced in open-source software, which can be used by many applications, the damage can be just as, or even more, extensive than single-vendor software. It depends on how widely used the library component is,” it added.

This was the case with the December disclosure of the Log4Shell vulnerability, Nozomi said in its report. Log4Shell was found in the Apache Log4j open-source logging library, widely used in commercial applications and large online platforms. Due to the simplicity of this exploit, attackers were quickly able to launch attacks ahead of remediation and patch efforts across the globe. Two additional vulnerabilities, CVE-2021-45046 and CVE-2021-45105, were later disclosed, but their impact was limited as they required a non-standard configuration to be used, in addition to the latter vulnerability being only a denial of service.

Nozomi said in its report that one of the largest ransomware groups was able to use the Log4j exploit within a week, launching an attack against VMware vCenter deployments. Ransomware groups quickly designed repeatable attacks with a complete process for exploiting the vulnerability to encrypt files and extort payment. Organizations now realize the importance of maintaining a software bill of materials for their software applications so they can more quickly identify and remediate vulnerable systems. 

The fallout from organizations not quickly remediating Log4j libraries could be felt for months or years to come, the company added. 

Nozomi Networks Labs also focused on some of its key research areas, including vulnerabilities within supply chains, cloud platforms, and specific enterprise software platforms, the report said. In addition to reviewing some of the most impactful vulnerability disclosures made by the Labs team over the second half of 2021, Nozomi has covered research regarding the attack surface of surveillance systems and what asset owners should keep in mind before deploying them within a network.

OT and IoT devices are the primary research areas for Nozomi Networks Labs. In the last several years, IoT devices have become a common entry point to the entire network and are often overlooked compared to widely deployed IT platforms and operating systems, Nozomi said. 

“IoT devices often run stripped-down operating systems with security features removed due to power and cost constraints. While OT systems such as SCADA and ICS equipment could once rely on air gaps between Wi-Fi, the internet, and the larger IT cloud network, that is no longer the case. Security defenses need to be shored up accordingly,” it added. 

Nozomi also provided suggested remediation strategies for improving network reconnaissance and monitoring with an understanding of normal process activity, which can help quickly identify potential threats and correlate anomalies to prioritize alerts and remediate efforts more efficiently. 

A multi-pronged approach to cybersecurity is going to be key to staying ahead of emerging threats in 2022 and beyond, it added: knowing what devices are on the network, which versions of software and third-party libraries with known vulnerabilities they are running, and who or what they are communicating with.
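The report's two recommendations above, keeping a software bill of materials (SBOM) and matching the library versions in it against known vulnerabilities, amount to a join between an inventory and an advisory feed. The following is an added example written for this article, not code from Nozomi or from the report. The host names, the SBOM entries and the advisory table are constructed for illustration; the Log4j advisories are simplified to the main 2.x release line (first fixed in 2.15.0, 2.16.0 and 2.17.0 respectively), and the back-ported fix branches that a real feed such as OSV or NVD would list as additional ranges are omitted.

```python
"""Match a per-host software inventory (SBOM) against a vulnerability list.

Added example for this article; not Nozomi's code. All data below is
constructed: hostnames, component lists and the (simplified) advisory ranges.
"""
import re

# Constructed SBOM: host -> list of components, CycloneDX-style name/version.
SBOM = {
    "vcenter-01.example.internal": [
        {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"},
        {"name": "com.fasterxml.jackson.core:jackson-databind", "version": "2.12.3"},
    ],
    "build-agent-07.example.internal": [
        {"name": "org.apache.logging.log4j:log4j-core", "version": "2.16.0"},
    ],
    "plc-gateway-03.example.internal": [
        {"name": "org.apache.logging.log4j:log4j-core", "version": "2.17.1"},
    ],
}

# Advisory table: (identifier, component, [(introduced, fixed), ...]).
# Half-open ranges, OSV style: introduced <= version < fixed.
# Simplified to the main 2.x line; backport branches deliberately omitted.
ADVISORIES = [
    ("Log4Shell", "org.apache.logging.log4j:log4j-core", [("2.0", "2.15.0")]),
    ("CVE-2021-45046", "org.apache.logging.log4j:log4j-core", [("2.0", "2.16.0")]),
    ("CVE-2021-45105", "org.apache.logging.log4j:log4j-core", [("2.0", "2.17.0")]),
]


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a padded tuple of ints.

    Pre-release suffixes are dropped, which is conservative for an inventory
    scan: '2.15.0-rc1' is treated as 2.15.0.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # '2.15' == '2.15.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom, advisories):
    """Join the inventory against the advisory table.

    Returns a list of (host, component, version, advisory_id) tuples so that
    one vulnerable library on one host yields one row per advisory.
    """
    hits = []
    for host, components in sbom.items():
        for comp in components:
            for adv_id, comp_name, ranges in advisories:
                if comp["name"] != comp_name:
                    continue
                if any(is_affected(comp["version"], lo, hi) for lo, hi in ranges):
                    hits.append((host, comp["name"], comp["version"], adv_id))
    return hits


def hosts_to_remediate(sbom, advisories):
    """Collapse findings per host, sorted so the worst-exposed host comes first."""
    per_host = {}
    for host, _name, _version, adv_id in find_vulnerable_components(sbom, advisories):
        per_host.setdefault(host, set()).add(adv_id)
    ordered = sorted(per_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, sorted(ids)) for host, ids in ordered]


if __name__ == "__main__":
    for host, ids in hosts_to_remediate(SBOM, ADVISORIES):
        print(f"{host}: {', '.join(ids)}")
```

On the constructed data the vCenter host with log4j-core 2.14.1 matches all three advisories and tops the list, the build agent on 2.16.0 matches only the denial-of-service issue CVE-2021-45105, and the gateway on 2.17.1 is clean. Swapping the constructed tables for a real SBOM export and an OSV or NVD feed is the only change needed to run this against a real inventory.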

“We encourage companies to move forward by improving OT/IoT visibility, security, and monitoring,” Nozomi said. “With the sophistication and ruthlessness of today’s adversaries, it is also important to adopt a post-breach mindset. Continuous advancement of your IT/OT security posture is the best way to ensure the availability, safety, integrity and confidentiality of your operational systems,” it added.
