All right, welcome. My name is Joel Bork, senior Threat Hunter. Iron net and with me is Greg Clarkson now, we’ve been impacted by a number of unfortunate events. I know it’s a movie series. But this is real world, we’re talking about reavell, who have propagated malware through 1800 plus organizations around the world. And they’ve been impacted by Kaseya servers, these servers were left vulnerable to DLL search order hijack vulnerabilities. And what this did was it allowed malicious DLL is to be injected in the path of the same directory as Microsoft defender. Now they used an older version, but it loaded a copy. Instead, it would load your copy of the DLL instead of the legitimate DLL. Now, what happened since then is a number of things. What happened was, they released a article saying $70 million, they would release a universal decrypter key, since then they’ve discounted it for a low amount of 50 million, and that is yet to be paid. Now, also, recently, they all of their servers went down all their websites, they have a client facing website that if you’re paying and you need customer support to pay ransom, you can hop on there and get support. Well, a number of organizations paid $45,000. And those decryption keys didn’t work, and they can’t get support.
And it’s significant that you know, and I, market world leader in this environment, like I say I got done over smaller than solar winds. But Similarly, a well established company that when they get hacked, it impacts a lot of other businesses.
And let’s talk about the supply chain attack, because I’m going to pull up a quick image. And this was a tweet from a security researcher who would actually help disclose this vulnerability over Kaseya. Because he said, technically, it was a zero day, right, we were in a coordinated vulnerability disclosure process with the vendor. When this happened, the CVS were ready to be published, the patches were made in prepared for distribution, right? So imagine that now once the encryption happens, it’s too late. But they were on the verge of patching this, so that would not impact any of their servers. And this is another reason why we need these organizations to be working with security researchers to make sure that I mean, we were right on the cusp of 1800 organizations not being impacted by this ransomware.
If you have a network detection and response system. Does does that help in any way be now determine what data left the organization and where did it go? And how much?
Those are great questions. And so let’s go back to this one specifically. So this was very much a cut and dry where they had access to multiple network segments, right? You mentioned servers, endpoints like it disabled endpoints. And it’s interesting, they actually did. And I want to share click image real quick. There was an article that was released on Twitter. And they actually ran a number of injections against every single endpoint. And a checkmark over here is a successful attack. And you can see that when they when they side loaded the DLL, almost every single one just had issues with it. Right. And they didn’t detect it. It was a successful attack. So when we talked about EDR, and Sims, yes, those are great. You’re protecting the endpoint, you know, but what happens when something like this hits? What? Well, if it’s a DLL, you can see we’re having issues on the endpoint detection response. But okay, you’ve logged some things. It’s in the SIM, but you talked about how do we go back? And how do we a make sure did something x. Phil, right. So we’re working with your organization to see, okay, hey, if we go back in time, what does that look like? Was there extra? Well, we know this was a straight encrypt, and charge ransom scenario. But others aren’t. Right? Other ransomware campaigns are, hey, we need to exfil data, and you need to be able to go back into that raw network traffic and, and understand, hey, did we see flows leaving to these indicators? And if so, how much and what traffic and Where from? Right. And those are things that network detection tools excel at.
And the other thing, too, is, is that in the middle of this, there’s a Microsoft printer spooler vulnerability, right? So it’s like, so when, as we restore our service, we cannot afford to get hacked again, when and and the risk is actually something different to the casaya event, like the principle. So when we bring them online, we need to patch to this known vulnerabilities. And we need assurance that that happens.
And so that comes back is are you monitoring those servers? are you creating a baseline for that service that when you bring them up, you know, you’re making sure that you’re not having anomalous flows then hit again or you’re not having see two communications happening once you restore your backup from a Trojan that was already there, right? I mean, we’ve seen numerous times in ransomware campaigns where, hey, they encrypted your environment you paid, they gave you the decryption keys, well, guess what, they encrypt you again, and they try to doubletap you, right? Or they’ve exfil the data, and they say, hey, will decrypt you, but we also have a copy. So if you want us to delete this not released to the general public, you’ll pay us this way. So now, you talked about this printer spooler. vulnerability, that opens up a whole new window of vulnerabilities across the world, right, and it has yet to be truly abused yet. So understanding that you’re building this baseline now. And you need to be conscious, consistently aware of what’s happening on your network to make sure you’re not impacted that by that. And if you are to stop that attack chain, in its steps.
Yeah, exactly. As Paul, who was on our webinar last month, said, like, the network is like your undeniable truth of the network, there’s nothing that can be hidden with it, because like, we talked about antivirus software or endpoint detection, and response, software can be turned off. firewalls can be turned off. And network monitoring gives you that true reflection of what’s really happening. And so in these environments, where everything it gets doubted, like, Oh, I don’t know, if I can trust my firewall, I don’t know if I can trust my pal, my DMZ or my separations, our network is the truth. But I can tell you whether there’s a problem or there’s not. And then obviously, if there is a problem, you can narrow it down to where the source of that problem is, and you can do something about it. And so therefore, an organization that has such a monitoring device, and there’s a whole lot more confidence in that network, compared to an organization that doesn’t have it, no matter how good their sim firewall or the EDR czar.
And we’ve seen it right solar winds, we’ve now seen it here. I mean, it’s been really backed backs, but both times those EDR is right, so even if you have state of the art EDR, as you’re running defender in something else, right, whatever you’re doing, they’re just they’re able to test those disable those, for us were a passive device, right? So you can’t pull your processlist and cancel Iron Net, right? It doesn’t work like that, like, whatever network traffic is, there it occurs. Now, this one once again, was an interesting one, right, zero day impacted an organization impacted their entire supply chain by pushing updates. So Greg talked to me about, I mean, lessons learned, when it comes to patch management and pushing patches to everything, what is your organization looking at doing?
So like, we’re gonna have a different process for patching our production servers, compared to backup servers. And simpler that, you know, its kind of data cost is more effort if you’ve got different technologies that you’re using to push out your patching. But it will middle minimize the risk. So So basically, there’s a whole re architecture of how it is done, because the big move in IT across the industry is centralization, a single pane of glass, where you can see everything, but the abilities to build that single pane of glass creates its own single point of failure, and single vector for a security attack. So there’s, you know, the, again, it just emphasized the the ability of immutable data, and an offline data in terms of your backups, and and those procedures. Because this ransomware attack with the asking point of 70 million US dollars, was officially the largest so far. But what that tells me, it’s not going to be the largest in 10 years time, it’s going to be nothing. You know, it was a What was it? $11 million? A few years, like a few months ago, gone to 70. The next one’s going to be 200 million, you know, and so on. So we got pre prepared that this is going to happen again.
No, I think that’s fantastic. And it’s one of the reasons I love working with you, Greg is that you are learning from events that happened in your implementing process and procedural change across environments that you’re responsible for. Right? And I think organizations should be most wary of people who aren’t learning from the things that have happened within environments, right? If you if somebody said, oh, there was nothing we could do about that one, we’ll get it fixed for you. You know, don’t worry about it. We got this. Once we get it cleaned up, all will be good to go right? Instead, you’re saying hey, look, we’re fundamentally taking our production servers and our backup servers. We’re segmenting these even further. You know, here at Iron Net was looking at this we’re saying okay, well organizations who are developing software are being impacted, and then their supply chain, subsequent sub sub sequentially is being impacted. What we’re doing now doing is we have AWS and Azure sensors. And we’re helping monitor these Jenkins and these build systems to say, Okay, if that’s compromised, the organization is all about it, right? solar winds, for example, it was turning off their logging. But if you have a sensor that’s ingesting all the traffic, like you said, that’s the ground truth, right? So not only do we need to do that, but also we’re helping organizations look at the, the possibility of, hey, what does it look like if we have a sensor in your testing environment, where you’re pulling the patch, testing the patch, before you move it to production? Right? So all of these things, this is defense in depth, this is one of the ones you hope and pray your endpoint detects and catches? Well, they use Microsoft defender on this one.
Yeah. And, you know, like, if you say, I don’t use defender, well, like, is it fundamental to the operating system. So even if you use another antivirus, or an endpoint detection and response application, there’ll be a defender DLL sitting on your machine anyway. So we were going to reimagine re engineer our clients for this new reality that we think is coming down the track so that they will be the most robust for the coming 10 years. Iron Net there’s a central part of that in our strategy. Because like that network layer is like the fundamental truth that we need to base any sort of security defense on. And, and, and, and so therefore, we will be organized for much better than others for whatever happens next, because we can’t predict what’s going to happen. So if you know, if you know how someone’s going to get to you, software is a great way to protect against that because it can block that port or, you know, stop that that process from happening. But if you can’t predict what type of software that’s going to happen, and then the network is really helpful. Like we said, last week, last time we spoke last month, we spent a lot of time, which is where we want to be in that proactive phase of detecting abnormal behaviors before an event. And I think we unpack that really well. And unfortunately, this month, we’re really focused on how Iron Net can help in that forensic paper, about answering those difficult questions and having that sort of third party validation, or when you when a vendor like Kaseya says, Well, this is the way it is, you got another resource, I can say, Yep, that sounds right matches the reality of the network. And it also helps in that assurance, like I said, with this principle of got everyone out there who’s listening, make sure you serve the patch, make sure all your desktops are patched. Because that is waiting to happen. And if that happened,that would be so much worse. And now, the vision of the collective defense in this is the ability to be able to share this ability. So if you spend all this money investing in this sock visibility trial and for your own organization, and you do it in a way that you don’t help anybody else in the industry, is it’s kind of like a waste of money. So if I understand you need to do it, you need to, you need to buy the best tools for yourself. But if that if you can buy a tool that not only satisfies your requirements, but can protect others in your sector, or others that you care about in your supply chain, I would have thought that’s a no brainer. That’s a better way to go from a strategic point of view.
It’s the future. I mean, you have you we can’t outspend this problem by ourselves. Yeah, Greg, I, I’m sorry, I have to tell you this, never be able to hire enough cybersecurity professionals to stop reavell right or any other ransomware group. But together, imagine these organizations working together in verticals in countries across the globe, different cybersecurity analyst talents and skill sets, different tools and visibility across networks, and then bring that all together to help defend each other. It has to be what we do. It has to be it’s the only way. Yeah.
Well, perhaps we’ll finish here, Joel.
I agree. And once again, it comes back to this. Even though these attacks are becoming more and more sophisticated. There are opportunities to cut these attacks in half right and stop that attack chain in its tracks. And that’s where we need to come together and it’s a pleasure to work with you Greg. I look forward to doing it. And let’s stop these tacks in the tracks.
Transcribed by https://otter.ai