Modern SIEM Solutions in Action: What to Look For

By: Brittany Holmes, Corporate Communications Manager 

Organizations face increasing cybersecurity challenges that demand a new approach to Security Information and Event Management (SIEM) solutions. The traditional role of SIEMs, centered around data ingestion and compliance, is no longer sufficient in the face of complex security threats. As cybercriminals continually find ways to exploit blind spots, organizations need an evolving SIEM to meet these challenges head-on.

The current state of SIEMs is marked by the need for enhanced visibility across the entire organization. Cybercriminals can easily hide, making the security team’s jobs more difficult. Recognizing this, modern SIEM solutions have emerged, leveraging advanced analytics and machine learning to ensure improved visibility, risk assessment, and accurate alerts. However, given the evolving nature of threats, assessing the effectiveness of these capabilities in practice is essential. 

The demand for SIEM solutions is skyrocketing, with the global market expected to reach $5.5 billion by 2025. Consequently, organizations seek the right SIEM solution to address their unique needs effectively. When evaluating SIEM options, it is crucial to consider how well they adapt to the evolving landscape and challenges. This requires ensuring that the chosen SIEM solution aligns with the organization’s network infrastructure and provides specific criteria. 

5 Things to Look for in a Modern SIEM 

User & Entity Behavior Analytics (UEBA): Your platform should consistently analyze your operational and security data to uncover threats. UEBA goes beyond traditional rule-based detection and can identify known and unknown threats, including insider threats, compromised accounts, and sophisticated attacks.  

It focuses on threats unique to a user’s activity, which is difficult to identify with rule-based detections. UEBA leverages artificial intelligence (AI) and machine learning (ML) algorithms to detect and identify abnormal behavior within an organization’s network and systems.  

UEBA creates a baseline of behavior for each user and entity and then identifies any deviations from that baseline, which may indicate potential security threats. This contextual analysis helps accurately determine the severity and risk associated with identified anomalies. 
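The baseline-and-deviation idea described above can be shown in a few dozen lines. The following is an added example, not Adlumin's code or any product's detection logic: it builds a per-user profile (typical login hour, typical outbound volume, countries seen) from a constructed ten-day history and then scores new events by how many independent ways they deviate from that profile. The event fields, thresholds and sample values are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


# Hypothetical minimal activity event; the field names are assumptions.
@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    src_country: str
    bytes_out: int


def constructed_history():
    """Ten working days of ordinary activity for one user (constructed sample data)."""
    events = []
    start = datetime(2023, 9, 4)
    for day in range(10):
        for hour in (9, 11, 14, 16):
            # outbound volume grows slightly through the day; all traffic from the US
            events.append(Event("alice", start + timedelta(days=day, hours=hour),
                                "US", 3000 + 200 * (hour - 9)))
    return events


def build_baseline(events):
    """Per-user profile: typical login hour, typical outbound volume, countries seen."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e.ts.hour for e in evs]
        volume = [e.bytes_out for e in evs]
        baseline[user] = {
            "hour_mean": mean(hours),
            # a perfectly regular user gives std 0; floor it so any change
            # still registers without dividing by zero
            "hour_std": pstdev(hours) or 1.0,
            "bytes_mean": mean(volume),
            "bytes_std": pstdev(volume) or 1.0,
            "countries": {e.src_country for e in evs},
        }
    return baseline


def score_event(baseline, e, z_threshold=3.0):
    """Return (score, reasons); score counts independent deviations from the user's baseline."""
    profile = baseline.get(e.user)
    if profile is None:
        # an identity with no history cannot be judged "normal"; surface it at low severity
        return 1, ["no baseline for user (first-seen identity)"]
    reasons = []
    z_hour = abs(e.ts.hour - profile["hour_mean"]) / profile["hour_std"]
    if z_hour > z_threshold:
        reasons.append(f"unusual hour {e.ts.hour:02d}:00 (z={z_hour:.1f})")
    z_bytes = (e.bytes_out - profile["bytes_mean"]) / profile["bytes_std"]
    if z_bytes > z_threshold:
        reasons.append(f"outbound volume {e.bytes_out} B (z={z_bytes:.1f})")
    if e.src_country not in profile["countries"]:
        reasons.append(f"never-seen source country {e.src_country}")
    return len(reasons), reasons


def severity(score):
    """Map the deviation count to a triage label (assumed scale)."""
    return {0: "none", 1: "low", 2: "medium"}.get(score, "high")


# Constructed probes: one off-hours, high-volume login from a new country, one routine login.
ANOMALOUS_PROBE = Event("alice", datetime(2023, 9, 18, 3), "RO", 250_000)
NORMAL_PROBE = Event("alice", datetime(2023, 9, 18, 14), "US", 4100)
UNKNOWN_USER_PROBE = Event("mallory", datetime(2023, 9, 18, 14), "US", 4100)

if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for probe in (ANOMALOUS_PROBE, NORMAL_PROBE, UNKNOWN_USER_PROBE):
        s, why = score_event(base, probe)
        print(probe.user, severity(s), why)
```

Hour-of-day is treated linearly here for brevity; a production baseline would model it as a circular quantity and would add more dimensions (hosts touched, applications used, peer-group comparison), but the contextual idea is the same: the severity comes from how many aspects of behaviour move at once, not from any single rule.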

Security Orchestration, Automation, and Response (SOAR): With ransomware on the rise along with other threats, it’s important to halt security incidents when they occur. SOAR provides automated playbooks to take action to contain threats as they occur. These capabilities should go beyond isolating a host and include password resets, disabling accounts, and more.  

SOAR also accelerates response and reduces risks for organizations. It provides the space for IT teams to investigate what occurred and the extent, so they can take appropriate actions to strengthen their security defenses.   

No Data Limits: A SIEM’s effectiveness in detecting threats early depends on its access to a wide array of data sources, including network traffic, endpoints, and cloud data. Data limits can hinder the collection of this comprehensive data, potentially leaving security blind spots and not providing full visibility into an organization’s environment.  

By removing data limits, organizations enhance their ability to detect more threats and have the data required to investigate what occurred. 

Easy Deployment: It’s essential to look for cloud-native solutions that provide easy deployment to minimize disruption to ongoing business operations. Organizations can maintain their IT infrastructure without experiencing extended periods of downtime or significant productivity losses. Additionally, since the solutions are easy to deploy, they should offer a chance to try before you buy.  

One-Touch Compliance Reporting: Compliance reporting is time-consuming, often requiring security teams to sift through vast amounts of data to generate accurate reports. One-touch compliance reporting is a critical feature in SIEM solutions because it saves time and resources and enhances accuracy, real-time monitoring, and overall security posture. By automating the compliance reporting process, organizations can better manage their compliance requirements and reduce the risks associated with non-compliance.  

What the Future Holds for SIEMs 

The future of SIEMs promises enhanced capabilities through the integration of machine learning and artificial intelligence, allowing for more accurate threat detection and automated responses. SIEMs will continue to evolve, offering cloud-native solutions, greater scalability, and simplified deployments to adapt to the changing IT landscape. Additionally, they will play a key role in addressing the growing complexities of compliance, privacy regulations, and data protection as organizations seek comprehensive solutions to secure their digital assets while staying agile in the face of evolving cyber threats. 

Take Control of Your IT Environment 

In an era where cybersecurity threats are continually evolving, SIEM solutions play a pivotal role in safeguarding organizations against these risks. With the right SIEM in place, organizations can stay ahead of emerging threats, detect and respond to security incidents more efficiently, and enhance their security posture for the challenges that lie ahead. The SIEM search may not be easy, but with the right approach, it becomes a critical step toward ensuring a resilient and secure digital environment. 

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Experience a tour of Adlumin’s platform, schedule a demo, or sign-up for a free trial. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Adlumin Secures $70M in Series B for Mid-Market Security Mission

SYN Ventures Leads Investment in the Security Operations Platform and Managed Detection and Response Provider Making Sophisticated Security Attainable  

Adlumin, a security operations platform and managed detection and response (MDR) provider, has announced the closure of a $70 million Series B funding round led by SYN Ventures with participation from First In Ventures, Washington Harbor Partners and BankTech Ventures. The funding will accelerate Adlumin’s growth and meet the demand for enterprise-grade security solutions for small and mid-market organizations. 

Adlumin’s proven ability to meet this demand through its modern platform, expert services, and channel-first approach has propelled the company to rank among the top 10% of America’s fastest-growing private companies and earn a spot on The Information’s 50 Most Promising Startups list for 2023.  

With the new funding, Adlumin plans to expand its channel partnerships and continue innovating to better address the evolving needs of its partners and end-users. The company aims to empower service providers who can deliver expert support that may be difficult for organizations to hire and retain. Adlumin also offers its own MDR services and collaborates with managed service providers and managed security service providers to ensure customers have access to 24/7 human insights, threat hunting, and trusted support. The company has recently introduced subscription-based incident response services and additional financial protections, such as a no-cost warranty and discounted cyber insurance policies, to cater to the specific needs of middle-market organizations.  

Read the full press release here. 

Cybersecurity Time Machine Series: Solutions Through the Years

By: Brittany Holmes, Corporate Communications Manager 

Cybersecurity has rapidly transformed in protecting valuable data and systems from malicious threat actors. From its inception as a simple notion of secure protocols to the complex and sophisticated solutions of the present day, the journey of cybersecurity has been nothing short of extraordinary.  

This year’s Cybersecurity Awareness Month’s theme celebrates 20 Years of Cybersecurity Awareness. In relevance, we took you through the evolution of threat actors over the past two decades in Cybersecurity Time Machine Series: The Evolution of Threat Actors to showcase the complexity of the threat landscape. Now, we explore the past 20 years’ advancement of cybersecurity solutions, tracking its progress through various stages and highlighting the milestones that have shaped its current landscape. 

Cybersecurity: The Early Years (2000-2005) 

A digital revolution was underway in the early years of the new millennium. This era saw the rise of antivirus software, emerging as the first line of defense against malicious software and cyber threats. This development was accompanied by firewalls, protecting the digital boundaries of networks and systems.  

However, understanding cyber threats and vulnerabilities was limited, exposing organizations to unknown dangers. Comprehensive cybersecurity strategies were absent within this landscape, leaving organizations struggling to navigate this deep digital landscape. These early years were marked by a race against time to understand and combat the threat landscape. 

Increased Awareness: Mid-2000s (2006-2010) 

In the mid-2000s, a sense of unease began to settle over the digital landscape. Organizations were becoming increasingly aware of the lurking threat of cyberattacks, launching a new era of caution and vigilance. As the world connected and information flowed freely on the Internet, the need for protection became essential. This is where intrusion detection systems came in: powerful gatekeepers that tirelessly monitored network traffic, searching for any signs of malicious intent.

Simultaneously, encryption technologies created shields around sensitive data and communications. However, as defenses strengthened, so did the adversaries. Cybercriminals grew increasingly sophisticated, adapting their tactics to match the advancing digital landscape. These developments raised the stakes.

Introduction of Behavior-Based Threat Detection (2010-2015) 

Between 2010 and 2015, traditional reactive approaches were gradually replaced by innovative strategies to stay one step ahead of threat actors. With the introduction of behavior-based threat detection, security experts began analyzing patterns and anomalies to anticipate potential attacks, neutralizing them before any damage could occur.  

As technology advanced, cloud-based security solutions emerged as a game-changer, providing organizations with scalable, efficient, and cost-effective protection against rapidly changing threats. Machine learning and artificial intelligence brought a new era, empowering cybersecurity systems to continually learn, adapt, and predict potential vulnerabilities with uncanny accuracy.  

These developments heightened the level of defense and brought about a sense of assurance, as organizations were armed with proactive measures to safeguard their digital assets. With these advancements, the world of cybersecurity was forever transformed, nurturing a future where staying secure is no longer a question of luck but rather a matter of strategic planning and cutting-edge technology. 

Cybersecurity in Recent Years (2016-2020) 

Cybersecurity has witnessed significant advancements and transformations in recent years that have revolutionized how organizations approach data protection and privacy strategies. One crucial development that has taken center stage is the focus on endpoint security. With the rise of remote work and the spread of devices connected to corporate networks, organizations are investing in endpoint security solutions to safeguard their data from threats. 

However, endpoint security is not the only area that has gained traction. The importance of data protection has sparked a shift in how organizations handle and secure their sensitive information. In a world where data breaches and leaks regularly make headlines, organizations are under increasing pressure to implement strict data privacy policies and deploy protection mechanisms to safeguard customer and employee data.

Additionally, the evolution of threat intelligence platforms has played a crucial role in countering cyber threats. These platforms actively collect, analyze, and interpret vast amounts of data from various sources, allowing organizations to stay one step ahead of cybercriminals. Combined with machine learning and artificial intelligence, threat intelligence platforms can promptly identify and respond to emerging cyber threats, minimizing potential damage and downtime.

Examples of Solutions in Recent Years:

  • Endpoint Detection and Response (EDR): EDR continually monitors an endpoint (laptop, tablet, mobile phone, server, or internet-of-things device) to identify threats through data analytics and prevent malicious activity with rules-based automated response capabilities.
  • Managed Detection and Response (MDR): In response to a growing portfolio of security products, organizations turned to Managed Security Service Providers (MSSPs) to manage these devices, update and patch systems, aggregate information, and provide frequent reporting. MSSPs manage devices, but customers also need a service that manages alerts, investigates threats, and contains attacks. MDR provides a turnkey combination of tools and security expertise to protect clients from cyber threats.
  • Extended Detection and Response (XDR): XDR collects security data from network points, operating systems logs, application logs, cloud services, endpoints, and other logging systems to correlate information and apply threat detection analytics to this data lake of information.  

To find the best solution for your organization, explore comparison guides like EDR vs. XDR vs. MDR: The Cybersecurity ABCs Explained 

Current and Future Cybersecurity Solution Trends (2021-Present) 

Several key cybersecurity solution trends are gaining traction as we move into the future. The adoption of zero-trust architecture is rapidly growing, with organizations realizing that traditional perimeter-based security is no longer sufficient. This approach focuses on granting access based on authentication and authorization, regardless of the user’s location or device, effectively minimizing the potential for breaches.  

Advanced analytics and automation tools are increasingly integrated to enhance threat detection and response capabilities. These technologies provide real-time insights into potential threats, allowing faster and more efficient incident response. Additionally, there is a noticeable shift towards decentralized cybersecurity, with organizations opting for distributed security measures instead of relying solely on centralized systems.  

The rise of emerging technologies like 5G and the Internet of Things (IoT) presents both opportunities and challenges for cybersecurity. While these technologies offer immense benefits, they also expand the attack surface, requiring security measures to be implemented alongside their deployment. The future of cybersecurity lies in these trends, allowing organizations to proactively protect their digital assets while harnessing the full potential of technology.  


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 





A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is part of Adlumin’s Threat Bulletin Series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” suggesting that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out of service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point-of-sale systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources claiming that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scattered Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.  


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, in which a cybercriminal attempts to obtain information via a phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the caller can provide all the correct information, you may need to think outside the box: what are the circumstances surrounding this issue? Is the caller actually experiencing the issue they are asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ verify that the account really is locked out before proceeding with assistance. Most organizations have some form of internal communications platform used for employee-to-employee messaging, and some even have a call roster with each employee’s personal number. Therefore, give the employee a quick call on the number of record to verify that it is really that person contacting you.
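The verification steps above amount to a small decision procedure a help desk can follow before acting on a phoned-in reset. The code below is an added example written for this post, not Adlumin's tooling; the directory records, identity-provider lockout flag, roster numbers and request fields are constructed assumptions. It denies requests backed only by publicly discoverable details, holds requests whose stated symptom the identity provider does not confirm or whose callback has not happened, and approves only when identity, symptom and callback all line up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Hypothetical directory record; in practice this is joined from HR data and the IdP.
@dataclass(frozen=True)
class Employee:
    username: str
    full_name: str
    employee_id: str      # company-issued, not discoverable on social platforms
    roster_phone: str     # internal call-roster number used for the callback
    locked_out: bool      # live lockout state read from the identity provider


@dataclass(frozen=True)
class ResetRequest:
    claimed_username: str
    claimed_full_name: str
    claimed_employee_id: Optional[str]   # None when the caller offers only public details
    claimed_reason: str                  # e.g. "account lockout"
    callback_confirmed: bool             # analyst reached the person on the roster number


# Constructed sample directory: one genuinely locked-out account, one that is not.
DIRECTORY: Dict[str, Employee] = {
    "jdoe": Employee("jdoe", "Jane Doe", "EMP-48213", "+1-555-0100", locked_out=True),
    "rroe": Employee("rroe", "Richard Roe", "EMP-77120", "+1-555-0101", locked_out=False),
}


def triage_reset_request(req: ResetRequest,
                         directory: Dict[str, Employee]) -> Tuple[str, List[str]]:
    """Return ("approve" | "deny" | "hold", reasons) for a phoned-in password reset."""
    emp = directory.get(req.claimed_username)
    if emp is None:
        return "deny", ["unknown username"]
    if req.claimed_full_name.strip().lower() != emp.full_name.lower():
        return "deny", ["name does not match directory"]
    # A name and date of birth are public; insist on a non-public identifier.
    if req.claimed_employee_id is None:
        return "deny", ["only publicly discoverable details offered"]
    if req.claimed_employee_id != emp.employee_id:
        return "deny", ["company-issued ID does not match"]

    reasons: List[str] = []
    # Does the symptom the caller describes actually exist in the IdP?
    if req.claimed_reason == "account lockout" and not emp.locked_out:
        reasons.append("caller reports a lockout but the account is not locked")
    # Out-of-band confirmation via the number of record, not the number that called in.
    if not req.callback_confirmed:
        reasons.append(f"callback to roster number {emp.roster_phone} not yet confirmed")
    if reasons:
        return "hold", reasons
    return "approve", ["identity, symptom and callback all verified"]


# Constructed sample calls.
NAME_ONLY_CALL = ResetRequest("jdoe", "Jane Doe", None, "account lockout", False)
WRONG_SYMPTOM_CALL = ResetRequest("rroe", "Richard Roe", "EMP-77120", "account lockout", True)
NO_CALLBACK_CALL = ResetRequest("jdoe", "Jane Doe", "EMP-48213", "account lockout", False)
VERIFIED_CALL = ResetRequest("jdoe", "Jane Doe", "EMP-48213", "account lockout", True)

if __name__ == "__main__":
    for call in (NAME_ONLY_CALL, WRONG_SYMPTOM_CALL, NO_CALLBACK_CALL, VERIFIED_CALL):
        decision, why = triage_reset_request(call, DIRECTORY)
        print(call.claimed_username, decision, why)
```

The ordering matters: the cheap, non-public identifier check runs first so the analyst never reaches the symptom or callback steps for a caller who only knows what LinkedIn knows, and every outcome carries its reasons so the ticket records why a reset was held or refused.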

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.



Cybersecurity Time Machine Series: The Evolution of Threat Actors

By: Brittany Holmes, Corporate Communications Manager 

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.

Threat Actors in The Early 2000s 

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010 

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.  

Two Notable Cyberattacks: 

  • In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.  
  • In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel. 

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015) 

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets. 

Two Notable Hacktivist Groups:

  • Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.  
  • LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present) 

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems and data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used.

Notable APT Examples:

  • Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.  
  • GhostNet: This has been a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacts with the file, a remote access trojan, known as ‘Ghost Rat,’ is then installed on their computer. They are known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.  

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

  • WannaCry: In 2017, malicious software spread globally, encrypting Windows operating systems. It encrypted files and demanded a ransom to restore access. These attacks went after hundreds of thousands of computers in over 150 countries.  
  • LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and display a ransom note demanding payment. There are various delivery methods, including unauthorized network access, phishing emails, and software vulnerabilities. They use double-extortion methods, setting LockBit apart from other ransomware.  

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.  

Take Proactive Security Measures 

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.  

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats. 


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 


Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Unraveling Cyber Defense Model Secrets: The Future of AI in Cybersecurity

By: Arijit Dutta, Director of Data Science 

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape. 

The increasing threat landscape for organizations has forced cybersecurity teams to adopt digital transformation. The COVID-19 pandemic has further complicated matters by accelerating the adoption of cloud services, leading to a proliferation of cloud providers and a surge in the number of IoT devices transmitting data to the cloud.  

This complex web of interconnections has brought about greater scale, connectivity, and speed in our digital lives but has also created a larger attack surface for cybercriminals. Responding to these challenges, cybersecurity teams are turning to AI-powered automation, especially machine learning, to uncover, evaluate, and effectively counter system, network, and data threats. Understanding the role of AI in cybersecurity is critical for organizations to protect themselves against malicious cyber activities effectively. 

In this blog, we explore the current technologies available, the exciting developments on the horizon, and the transformative impact of AI. 

Current, Upcoming, and Future AI Technology  

As in most industries, AI technology is indispensable in organizations today for distilling actionable intelligence from the massive amounts of data being ingested from customers and generated by employees. Organizations can choose from various available data mining and AI methods depending on desired outcomes and data availability. For example, if the goal is to evaluate each customer for digital marketing suitability for a new product, “supervised” methods such as logistic regression or decision-tree classifier could be trained on customer data.  

These use cases require customer data on prior actions, such as historical responses to marketing emails. For a customer segmentation problem, “unsupervised” methods such as density-based clustering (DBSCAN) or principal component analysis (PCA) dimensionality reduction are called for: we do not impose prior observations on specific customer actions but group customers according to machine-learned similarity measurements. More advanced methods, such as artificial neural networks (ANNs), are deployed when the use case depends on learning complex interactions among numerous factors, such as customer service call volume and outcome evaluation, or even the customer classification and clustering problems mentioned earlier. The data volume, frequency, and compute capacity requirements are typically heavier for ANNs than for other machine learning techniques. 

The most visible near-term evolution in the field is the spread of Large Language Models (LLM) or Generative AI, such as ChatGPT. The underlying methods behind these emergent AI technologies are also based on the ANNs mentioned above – only with hugely complicated neural network architectures and computationally expensive learning algorithms. Adaptation and adoption of these methods for customer classification, segmentation, and interaction-facilitation problems will be a trend to follow in the years ahead. 

Cybersecurity Solutions That Use AI 

At Adlumin, we develop AI applications for cyber defense, bringing all the techniques above to bear. The central challenge for AI in cyber applications is to find “needle in haystack” anomalies from billions of data points that mostly appear indistinguishable. The applications in this domain are usefully grouped under the term User and Entity Behavior Analytics, involving mathematical baselining of users and devices on a computer network followed by machine-identification of suspicious deviations from baseline. 

To skim the surface, here are two solutions cybersecurity teams use that incorporate AI: 

Two Automation Cybersecurity Solutions for Organizations  

User and Entity Behavior Analytics (UEBA)

UEBA is a machine learning cybersecurity process and analytical tool usually included with security operation platforms. It is the process of gathering insight into users’ daily activities. Activity is flagged if any abnormal behavior is detected or if there are deviations from an employee’s normal activity patterns. For example, if a user usually downloads four megabytes of assets weekly and then suddenly downloads 15 gigabytes of data in one day, your team would immediately be alerted because this is abnormal behavior.

The foundation of UEBA is fairly straightforward. A cybercriminal can steal the credentials of one of your employees and gain access with little effort, but it is much more difficult for them to mimic that employee’s daily behavior closely enough to go unseen. Without UEBA, an organization cannot tell that an attack is under way, because the activity comes from a valid employee account. Having a dedicated Managed Detection and Response team watching these deviations and alerting you gives an organization visibility beyond its own boundaries. 
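The baselining idea described in the two paragraphs above, written out as an added example; this is not Adlumin’s code, and the event schema (user, day, bytes downloaded), the median/MAD scoring and the threshold are assumptions chosen for illustration. Run over constructed sample data, it flags the single day on which one user’s download volume jumps from about a megabyte to 15 GB while a steadier user stays unflagged.

```python
"""
UEBA-style baselining (added illustration, not Adlumin's code; event schema
assumed). Each user's typical daily download volume is learned from that
user's own prior days, and a day is flagged when its robust z-score
(median and median absolute deviation, MAD) exceeds a threshold. Median/MAD
is used instead of mean/stdev so one huge day cannot inflate the baseline
and hide itself.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3


def _sample_events():
    """Constructed telemetry, not real data: 20 ordinary days per user,
    then one day on which 'alice' pulls 15 GB while 'bob' stays normal."""
    start = date(2023, 9, 1)
    events = []
    for i in range(20):
        day = start + timedelta(days=i)
        events.append(("alice", day, 1 * MB + (i % 5) * 50_000))  # ~1.0-1.2 MB
        events.append(("bob", day, 60 * MB + (i % 3) * MB))        # 60-62 MB
    spike_day = start + timedelta(days=20)
    events.append(("alice", spike_day, 15 * GB))
    events.append(("bob", spike_day, 61 * MB))
    return events


EVENTS = _sample_events()


def daily_totals(events):
    """Aggregate raw (user, day, bytes) events into {user: {day: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, nbytes in events:
        totals[user][day] += nbytes
    return totals


def robust_zscore(value, history):
    """Distance of `value` from the median of `history`, in MAD units.
    The 0.6745 factor rescales MAD so the score is comparable to a normal z-score."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        mad = max(abs(med) * 0.1, 1.0)  # floor so perfectly flat histories still score
    return 0.6745 * (value - med) / mad


def find_anomalies(events, threshold=10.0, min_history=14):
    """Return one finding per (user, day) whose download volume deviates from
    that user's own baseline, built only from strictly earlier days."""
    findings = []
    for user, per_day in daily_totals(events).items():
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_history:
                z = robust_zscore(total, history)
                if z > threshold:
                    findings.append({
                        "user": user,
                        "day": day.isoformat(),
                        "bytes": total,
                        "baseline_median": median(history),
                        "zscore": round(z, 1),
                    })
            history.append(total)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

The per-user baseline is the point: 60 MB a day is normal for `bob` and would be wildly abnormal for `alice`, so a single global threshold would either miss `alice`’s spike or drown the team in alerts about `bob`.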

Threat Intelligence

Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This helps cybersecurity analysts understand how cybercriminals penetrate networks so they can identify signs early in the attack process. For example, a campaign using stolen lawsuit information to target law firms could be modified to target organizations using stolen litigation documents.

Threat intelligence professionals proactively hunt for suspicious activity that indicates network compromise or malicious behavior. This is often a manual process backed by automated searches and correlation of the network data already collected, whereas other detection methods can only detect known, categorized threats.   

AI Risks and Pitfalls to Be Aware of 

When building viable and valuable AI applications, data quality and availability are top of mind. Machines can only train on reliable data for the output to be actionable. Great attention is therefore required in building a robust infrastructure for sourcing, processing, storing, and querying the data. Not securing a chain of custody for input data means AI applications are at risk of generating misleading output. 

Awareness of any machine-learned prediction’s limitations and “biases” is also critical. Organizational leadership needs to maintain visibility into AI model characteristics like “prediction accuracy tends to falter beyond a certain range of input values” or “some customer groups were underrepresented in the training data.”

Operationally, an excellent way to proceed is to build and deploy a series of increasingly complex AI applications rather than being wedded to a very ambitious design at the get-go. Iteratively adding functionality and gradually incorporating more data fields can make measuring performance easier and avoid costly mistakes. 

Organizations Embracing AI 

Organizations need to build a cybersecurity infrastructure that embraces the power of AI, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams, on top of being one of the most used buzzwords in recent years. People can no longer scale to protect the complex attack surfaces of organizations by themselves. So, when evaluating security operations platforms, organizations need to know how AI can help identify and prioritize risk and instantly spot intrusions before they start. 



A Threat Actor's Playbook: Behind the Scenes of Akira Ransomware

By: Adlumin Threat Research and MDR Teams

Adlumin’s Threat Bulletin Series

A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware is part of Adlumin’s Threat Bulletin Series.

In the world of cybercrime, a new player continues to rise: Akira Ransomware. With historical evidence pointing towards nation-state sponsorship, particularly from Chinese Advanced Persistent Threat (APT) groups, this insidious malware has been targeting businesses in the supply chain. However, what sets Akira apart is its focus on smaller tech companies and startups, which are often backed by wealthy investors and at the forefront of technological innovation.

Insights

  • Historical attack indicators point to nation-state-sponsored groups such as Chinese Advanced Persistent Threat (APT) groups using the new Akira ransomware to target businesses in the supply chain.
  • Adlumin has observed that Akira ransomware has been used against smaller tech companies/startups since it debuted in March.  These firms tend to develop innovative solutions using the latest technology and often have the backing of wealthy investors – all valuable information in the dark web.
  • Some of the IP addresses involved in an attack that Adlumin recently investigated were registered to Alibaba Cloud, a subsidiary of Alibaba Group, making the connection to Chinese APTs stronger.
  • Akira ransomware gains access through various attack vectors, including phishing campaigns and exploiting vulnerabilities in remote monitoring and management software (RMM). Notably, the actors behind these attacks also target vulnerabilities in VPN products, again hinting at potential involvement from Chinese APTs who have historically leveraged exploitation through VPNs.
  • Akira ransomware relies on a distinct set of tools during operation and on a specific encryption scheme for generating and safeguarding encryption keys.

Disrupting the Technology Sector 

With the recent targeting of yet another American technology startup in a cyberattack last week, cybersecurity analysts at Adlumin are now considering a crucial question: Could nation-state-sponsored groups potentially be utilizing the Akira ransomware to disrupt the supply chain?

Newcomer malware, Akira ransomware, continues to impact mid-market entities in the utility, construction, manufacturing, education, and transportation sectors, not just in the U.S. but also in countries like Sweden, Australia, Argentina, Japan, and others.

The threat actors behind these attacks have been increasingly targeting smaller tech companies and software makers of IT solutions aimed at educators, office administrators, consultants, entrepreneurs, and even hobbyists.

Akira ransomware attack victims in the IT sector include Cequint, Wilcom, GC&E, WTI Western Telematic, Computer Information Concepts, and Optimum Technology.

The recent Akira ransomware incident examined by Adlumin’s Managed Detection and Response (MDR) analysts also targeted a firm within the IT industry. The malicious actors employed typical tactics, techniques, and procedures (TTPs) like brute force attacks, lateral movement, and credential theft. Nevertheless, indications suggest the potential involvement of a significantly larger entity in these breaches. This assumption stems from the historical behavior of advanced persistent threats (APTs), which often disrupt the supply chain by targeting small enterprises.

Vectors and Exploitation 

Akira ransomware made its debut in the malware landscape in March 2023. Since then, threat actors have been using methods like phishing campaigns, exploiting vulnerabilities in remote monitoring and management software (RMM), remote desktop protocol (RDP), and tools like RustDesk for remote access. There have also been recent news reports about threat actors using vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products as additional ways of carrying out attacks.

Adlumin MDR analysts theorize that threat actors behind last week’s attack infiltrated the victim’s network through their VPN due to the numerous VPN events detected by the Adlumin Security Operations Platform in the initial stages of the attack.

Analysts also found that numerous IP addresses used by the threat actors in the attack were registered to Alibaba Cloud, a subsidiary of the Chinese conglomerate Alibaba Group. Researchers at RSA have previously found that Chinese APTs frequently use VPNs and VPN tunneling as a tactic for exploitation and to hide their tracks and exfiltrate data. Furthermore, upon review of network data logs, numerous destination ports during the attack were to servers in China. However, other destinations included servers in Singapore, Paris, Russia, and even cities within the U.S., such as Los Angeles.

Lateral Movement 

Once inside the network, the malicious actors initiated lateral movement, compromising hosts running Windows Server 2012, 2016, and 2019.

Akira ransomware distinguishes itself by its ability to exploit vulnerabilities in Linux systems, marking a departure from conventional ransomware. Research indicates that attacks on Linux machines surged by 75 percent in 2022.

Notably, two endpoints running Ubuntu Bionic Beaver 18.04.6 LTS and Ubuntu 18.04.03 LTS were indeed targets of the attack.

Data Deletion and Exfiltration

Threat actors escalated tactics using PowerShell commands to delete shadow copies with “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.”

Threat actors then moved to file encryption. MDR analysts identified encrypted files marked with the “.akira” extension, such as “foo.doc.akira.” Additionally, an accompanying ransom note named “akira_readme.txt” was discovered.

Adlumin MDR analysts suggested that the data theft might have occurred using DNS, a method commonly employed by APTs to minimize detection. This technique involves breaking down the stolen data into smaller encrypted chunks, which are then sent to external servers using UDP instead of TCP. The exact amount of data taken in the attack is still unknown, and the investigation is ongoing.
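The three behaviors described in this section (shadow-copy deletion through WMI in PowerShell, the “.akira” extension and “akira_readme.txt” ransom note, and chunked exfiltration over DNS) can each be turned into detection logic. The block below is an added example and is not Adlumin’s code: it scans constructed JSON-lines endpoint and DNS telemetry whose field names (`type`, `host`, `cmdline`, `path`, `proto`, `query`) are assumed, and the DNS thresholds (20 or more UDP queries with a leftmost label of 30+ characters to one parent domain) are illustrative heuristics, not values from the write-up.

```python
"""
Added detection example (not Adlumin's code; telemetry field names assumed).
Scans JSON-lines events for:
  1. a PowerShell/WMI pipeline that removes shadow copies,
  2. files carrying the ".akira" extension or the "akira_readme.txt" note,
  3. a burst of long UDP DNS queries to one domain (chunked exfiltration shape).
"""
import json
import re
from collections import defaultdict

# Matches the WMI shadow-copy deletion pipeline quoted in the write-up,
# regardless of case, quoting or surrounding arguments.
SHADOW_COPY_RE = re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.IGNORECASE)
ENCRYPTED_EXT = ".akira"
RANSOM_NOTE = "akira_readme.txt"


def check_process(ev):
    """Flag a process event whose command line deletes shadow copies."""
    cmd = ev.get("cmdline", "")
    if SHADOW_COPY_RE.search(cmd):
        return {"host": ev["host"], "signal": "shadow_copy_deletion", "detail": cmd}
    return None


def check_file(ev):
    """Flag file events that carry the Akira extension or the ransom note name."""
    path = ev.get("path", "")
    name = re.split(r"[\\/]", path)[-1].lower()  # last path component, either separator
    if name.endswith(ENCRYPTED_EXT) or name == RANSOM_NOTE:
        return {"host": ev["host"], "signal": "ransomware_artifact", "detail": path}
    return None


def check_dns(events, min_queries=20, min_label_len=30):
    """Flag a host that sends many UDP queries with very long leftmost labels
    to a single parent domain: the shape data chunks take when tunneled over DNS.
    Thresholds are assumed values for illustration."""
    buckets = defaultdict(list)
    for ev in events:
        labels = ev.get("query", "").split(".")
        if ev.get("proto") != "udp" or len(labels) < 3:
            continue
        if len(labels[0]) >= min_label_len:
            buckets[(ev["host"], ".".join(labels[-2:]))].append(labels[0])
    return [
        {"host": host, "signal": "dns_exfil_suspect",
         "detail": f"{len(chunks)} long queries to {domain}"}
        for (host, domain), chunks in buckets.items()
        if len(chunks) >= min_queries
    ]


def scan(lines):
    """Parse JSON lines and return every finding; per-event signals keep their
    order of appearance, DNS volume findings are appended at the end."""
    findings, dns_events = [], []
    for line in lines:
        ev = json.loads(line)
        kind = ev.get("type")
        hit = None
        if kind == "process":
            hit = check_process(ev)
        elif kind == "file":
            hit = check_file(ev)
        elif kind == "dns":
            dns_events.append(ev)
        if hit:
            findings.append(hit)
    findings.extend(check_dns(dns_events))
    return findings


# Constructed sample telemetry, not captured data.
SAMPLE_LOGS = [
    json.dumps({"type": "process", "host": "srv-file01", "user": "svc_backup",
                "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'}),
    json.dumps({"type": "process", "host": "ws-042", "user": "alice",
                "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Process | Select Name"'}),
    json.dumps({"type": "file", "host": "srv-file01", "path": "D:\\shares\\finance\\foo.doc.akira"}),
    json.dumps({"type": "file", "host": "srv-file01", "path": "D:\\shares\\finance\\akira_readme.txt"}),
    json.dumps({"type": "file", "host": "ws-042", "path": "C:\\Users\\alice\\report.docx"}),
    json.dumps({"type": "dns", "host": "ws-017", "proto": "udp", "query": "www.example.org"}),
] + [
    json.dumps({"type": "dns", "host": "srv-file01", "proto": "udp",
                "query": "%048x.data-drop.test" % i})  # 48-char hex label, constructed
    for i in range(40)
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["host"], f["signal"], f["detail"])
```

Correlating the three signals on one host (here `srv-file01`) is what separates a ransomware incident from isolated noise: a lone long DNS query or a stray backup script can be benign, but shadow-copy deletion followed by `.akira` files and a DNS burst from the same machine warrants immediate isolation.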

Akira Ransomware Analysis 

The following is an analysis of the Akira Ransomware from Adlumin’s Threat Research Team with supportive information from other sources (listed at the end of this section).

Attack Process: The incursion initiates when an instance of the Akira ransomware is activated. Upon execution, the ransomware eliminates Windows shadow volume copies on the targeted device. Subsequently, the ransomware encrypts specific file types with predetermined extensions. It modifies each encrypted file’s name by adding the ‘.akira’ extension during this encryption procedure.

During encryption, the ransomware halts active Windows services using the Windows Restart Manager API to ensure an uninterrupted encryption process. It focuses on encrypting files within various hard drive directories, excluding certain folders like program data, recycle bin, boot, system volume information, and Windows folders.

Notably, Windows system files with extensions such as .sys, .msi, .dll, .lnk, and .exe remain untouched to maintain system stability. In most infiltration cases, unauthorized parties exploit compromised credentials to gain initial entry to the victim’s environment.

It is noteworthy that a significant number of victim organizations did not enable multi-factor authentication (MFA) for their VPNs. The source of the compromised credentials is uncertain, but it is plausible that threat actors acquired access or credentials from illicit sources on the dark web.

Toolset: Upon obtaining initial access, the Akira ransomware employs a distinct variety of tools, including PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN, Mimikatz, LaZagne, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, WinRar, WinSCP, Rclone, FileZilla, and PsExec.

During operation, the ransomware generates a symmetric encryption key using the CryptGenRandom() function, a Windows CryptoAPI random number generator. The symmetric key undergoes further encryption using the RSA-4096 cipher and is appended to the end of the encrypted file. The specific public key used is hardcoded within the ransomware’s binary code and varies across different instances.

Malware Analysis Supportive Sources:

Conclusion 

There could be many reasons why APTs may be going after smaller, less well-known IT companies. Among these is the prospect of acquiring intellectual property, particularly considering that these startups may be developing new technology that holds significant value on the dark web.

Perhaps threat actors are looking for information on how these companies are funded, including names of investors who could potentially become targets of future spear and whale phishing campaigns.

Whatever the case may be, adversaries are finding that these IT firms have weaker network security than tech giants and thus become easy targets for their aggressive attacks.

Akira Ransomware Indicators of Compromise (IOCs) 

Hashes

  • 431d61e95586c03461552d134ca54d16
  • af95fbcf9da33352655f3c2bab3397e2
  • c7ae7f5becb7cf94aa107ddc1caf4b03
  • d25890a2e967a17ff3dad8a70bfdd832
  • e44eb48c7f72ffac5af3c7a37bf80587
  • 302f76897e4e5c8c98a52a38c4c98443
  • 9180ea8ba0cdfe0a769089977ed8396a68761b40
  • 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Summer 2023: Uncovering Cyber Threats in Education

By: Brittany Demendi, Corporate Communications Manager

With classes now back in session, the education sector continues to face unique cybersecurity challenges due to its diverse user base, limited IT resources, and increasing adoption of Chromebooks and other devices.  

Adlumin’s Threat Research Team uncovers double extortion ransomware as one of the leading threats against educational institutions. This type of attack focuses on hackers encrypting data and threatening to leak it. Threats like this put educational institutions at risk of emotional distress, privacy loss, and legal consequences.  

To better understand the cybersecurity challenges and emerging threats facing the education sector, download Cyber Threat Insights: Education Edition. This report provides valuable insights into the risks faced by educational institutions and emphasizes the importance of investing in proper cybersecurity measures to protect sensitive data and safeguard against cyberattacks.  

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network by learning more about the challenges and solutions in the education sector.