Blog Post Archives

Unraveling Cyber Defense Model Secrets: The Future of AI in Cybersecurity

September 28, 2023/in Blog Post/by Ellen Loughlin

By: Arijit Dutta, Director of Data Science

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The increasing threat landscape for organizations has forced cybersecurity teams to adopt digital transformation. The COVID-19 pandemic has further complicated matters by accelerating the adoption of cloud services, leading to a proliferation of cloud providers and a surge in the number of IoT devices transmitting data to the cloud.

This complex web of interconnections has brought about greater scale, connectivity, and speed in our digital lives but has also created a larger attack surface for cybercriminals. Responding to these challenges, cybersecurity teams are turning to AI-powered automation, especially machine learning, to uncover, evaluate, and effectively counter system, network, and data threats. Understanding the role of AI in cybersecurity is critical for organizations to protect themselves against malicious cyber activities effectively.

In this blog, we explore the current technologies available, the exciting developments on the horizon, and the transformative impact of AI.

Current, Upcoming, and Future AI Technology

As in most industries, AI technology is indispensable in organizations today for distilling actionable intelligence from the massive amounts of data being ingested from customers and generated by employees. Organizations can choose from various available data mining and AI methods depending on desired outcomes and data availability. For example, if the goal is to evaluate each customer for digital marketing suitability for a new product, “supervised” methods such as logistic regression or decision-tree classifier could be trained on customer data.

These use cases require customer data on prior actions, such as historical responses to marketing emails. For a customer segmentation problem, “unsupervised” methods such as density-based clustering algorithm (DBSCAN clustering) or principal component analysis (PCA) dimensionality reduction are called for, where we don’t impose prior observations on specific customer actions but group customers according to machine-learned similarity measurements. More advanced methods, such as Artificial Neural Networks, are deployed when the use case depends on learning complex interactions among numerous factors, such as customer service call volume and outcome evaluation or even the customer classification and clustering problems mentioned earlier. The data volume, frequency, and compute capacity requirements are typically heavier for artificial neutral networks (ANNs) than for other Machine Learning techniques.

The most visible near-term evolution in the field is the spread of Large Language Models (LLM) or Generative AI, such as ChatGPT. The underlying methods behind these emergent AI technologies are also based on the ANNs mentioned above – only with hugely complicated neural network architectures and computationally expensive learning algorithms. Adaptation and adoption of these methods for customer classification, segmentation, and interaction-facilitation problems will be a trend to follow in the years ahead.

Cybersecurity Solutions That Use AI

At Adlumin, we develop AI applications for cyber defense, bringing all the techniques above to bear. The central challenge for AI in cyber applications is to find “needle in haystack” anomalies from billions of data points that mostly appear indistinguishable. The applications in this domain are usefully grouped under the term User and Entity Behavior Analytics, involving mathematical baselining of users and devices on a computer network followed by machine-identification of suspicious deviations from baseline.

To skim the surface, here are two solutions cybersecurity teams use that incorporate AI: 

Two Automation Cybersecurity Solutions for Organizations 

User and Entity Behavior Analytics (UEBA) 

UEBA is a machine learning cybersecurity process and analytical tool usually included with security operation platforms. It is the process of gathering insight into users’ daily activities. Activity is flagged if any abnormal behavior is detected or if there are deviations from an employee’s normal activity patterns. For example, if a user usually downloads four megabytes of assets weekly and then suddenly downloads 15 gigabytes of data in one day, your team would immediately be alerted because this is abnormal behavior.

The foundation of UEBA can be pretty straightforward. A cybercriminal could easily steal the credentials of one of your employees and gain access, but it is much more difficult for them to convey that employee’s daily behavior to go unseen. Without UEBA, an organization cannot tell if there was an attack since the cybercriminals have the employee’s credentials. Having a dedicated Managed Detection and Response team to alert you can give an organization visibility beyond its boundaries. 

Threat Intelligence 

Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This helps cybersecurity analysts understand how cybercriminals penetrate networks so they can identify signs early in the attack process. For example, a campaign using stolen lawsuit information to target law firms could be modified to target organizations using stolen litigation documents.

Threat intelligence professionals proactively threat hunt for suspicious activity indicating network compromise or malicious activity. This is often a manual process backed by automated searches and existing collected network data correlation. Whereas other detection methods can only detect known categorized threats.  

AI Risks and Pitfalls to Be Aware of

When building viable and valuable AI applications, data quality and availability are top of mind. Machines can only train on reliable data for the output to be actionable. Great attention is therefore required in building a robust infrastructure for sourcing, processing, storing, and querying the data. Not securing a chain of custody for input data means AI applications are at risk of generating misleading output.

Awareness of any machine-learned prediction’s limitations and “biases” is also critical. Organizational leadership needs to maintain visibility into AI model characteristics like “prediction accuracy tends to falter beyond a certain range of input values” or “some customer groups were underrepresented in the training data.”

Operationally, an excellent way to proceed is to build and deploy a series of increasingly complex AI applications rather than being wedded to a very ambitious design at the get-go. Iteratively adding functionality and gradually incorporating more data fields can make measuring performance easier and avoid costly mistakes.

Organizations Embracing AI 

Organizations need to build a cybersecurity infrastructure embracing the power of AI, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams, on top of being one of the most used buzzwords in recent years. People can no longer scale to protect the complex attack surfaces of organizations by themselves. So, when evaluating security operations platforms, organizations need to know how AI can help identify, prioritize risk, and help instantly spot intrusions before they start. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Shadows to the Light: The Key Role of Visibility in Strengthening Cybersecurity

September 20, 2023/in Blog Post Brittany Demendi/by Adlumin Staff

By: Mark Sangster, VP, Chief of Strategy

Visibility in Three Parts: Part 1

Fiat Lux: Lighting the Way to Cybersecurity

Detection is key in many aspects of life, from medical diagnosis to positive treatment to more existential threats posed by massive storms like hurricanes or destructive tornadoes. The quicker we can detect something threatening or dangerous, the sooner we can respond accordingly. While we take this for granted in everyday life, we don’t always appreciate the value of early detection in cybersecurity. Put another way, making cyber threats visible is key to mitigating the risk.

This three-part blog series focuses on how we bring light to the threats and make them visible. In this series, I will explore what we mean by visibility in terms of cybersecurity, methods to detect or make visible threats, and how to measure your ability to detect and respond to those threats, measured in terms of business outcomes.

Part I: There is More to This Than Meets the Eye

When it comes to understanding the meaning of this statement, astronomy is a good teacher. Throughout the ages, scientists and novices alike have stared into the night skies, seeking answers. They looked to understand the celestial motions to predict the season for agriculture, suitable times for trade and travel, or simply to understand the world around them. Until the invention of the telescope in the early 1600s¹ only six planets in our solar system were visible. Not nearly 200 years later, advances in telescope lenses aided William Hershel in discovering a seventh planet, Uranus.

Yet observers of this planet were perplexed that the Newtonian physics thought to govern the motion of the planets could not account for certain anomalies in Uranus’ orbit. Astronomers predicted the presence of another planet that would explain these perturbations. In 1846, advances in telescope acuity and predictive orbital calculations led to the discovery of Neptune. Yet it wasn’t until 1989 that Voyager 2’ flyby discovered additional moons and dark rings that orbit the blue gas giant.²

The Power of Visibility in Cybersecurity

Lesson 1: The Need for Tools

There are two critical lessons from this brief history of planetary discovery. The first is that there is more to this than meets the eye. We need to develop tools and instruments to detect invisible objects. As thriller author Chris Pavone mused, “The best hiding spots are not the most hidden; they’re merely the least searched.³

In terms of cybersecurity, we develop new instruments to detect threats year after year. Firewalls, antivirus, endpoint detection and response, and so on. Each technology provides a set of detection capabilities that overlap the least searched locations, as Pavone suggests.

Lesson 2: The Presence of Inferential Threats

The second lesson is that not everything is obvious to the naked eye, even with the help of a telescope or similar augmentation of acuity. Consider another comparison to visible light. The portion of the electromagnetic (EM) spectrum that our eyes can detect is visible light.⁴ Yet this visible portion of the EM spectrum accounts for about 0.0035 percent of its entirety. The vast majority remains invisible. Our eyes cannot detect radio or microwaves or see infrared or ultraviolet light or X-rays.

Yet we can hear radio waves when captured by a sensor and converted into sound waves. We use microwaves to heat food. We can feel the heat of infrared and ultraviolet light, leading to sunburn when skin is unprotected. And X-ray imaging is a staple of medical care. We can’t see these forms of EM energy, but we can infer their presence from secondary evidence.

That’s the second lesson: not all cybersecurity threats are obvious or come in the form of an alert thrown by a firewall, endpoint defense, or antivirus. Those obvious threats like spam emails or messages from streaming services about declined payments are the background radiation of the internet. While primarily harmless at this point, they have the negative consequence of lulling too many pre-victims into a false sense of security.

Harnessing Implicit and Inferential Detections

Many threats are inferential, they don’t elicit an alert. They are the signals hiding in Pavone’s “least searched spots.” For example, most attacks begin with compromised credentials accessing security controls to create the appearance of legitimate activity. Credentials that were stolen using subtle phishing lures like student requests for mentoring or notification of fake lawsuits.

Once in, criminals use compromised accounts and devices to map your network, connect to critical services to identify valuable assets, and even create new user accounts in Active Directory. Lateral movement, privilege escalation, reconnaissance, staging, and more are all precursors to attacks. In many cases, these events go undetected. And these activities traverse your remote access gateways. Using your tools against you is a broad category of tactics called “living off the land.”

Leveraging Threat Hunting and Artificial Intelligence

Creating a robust cybersecurity defense requires multiple, overlapping sources that cover your entire attack surface. Full spectrum coverage includes more than internet traffic, endpoints and in-network communications, and cloud-service access. It’s covering remote access points and correlating those data points to create a contextual fabric of visibility: who is accessing what and why. Beyond tactical visibility, your attack surface includes vulnerability management and patching, simulated attacks, asset discovery, and security awareness programs.

Detecting these threats requires line speed analysis of network traffic and the correlation of users, groups, devices, and systems. It means collecting enormous volumes of data, normalizing and aggregating the data, and then analyzing it as fast as criminals can move inside your environment.

Of course, like light, the more security information you collect, the harder it is to focus the data to create a big picture. As you open the security aperture, the resource load is almost exponential. Most security teams will attest that exhausted resources and diminished budgets are no match for increasing cyber threats and growing regulatory requirements.

Up Next: Parts 2 & 3

In the next part of the series, we will explore how we harness implicit and inferential detections, use threat hunting to take the fight to the adversary and employ artificial intelligence to manage alert overload and spot invisible threats.

For more information about why implementing proactive security measures is essential to visibility, download “The Executive’s Guide to Cybersecurity.”

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Understanding the Fine Print: Cybersecurity Insurance vs. Warranties

September 14, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Holmes, Corporate Communications Manager

The rise in cybercrimes and attacks has reached an alarming rate, putting organizations at risk of losing sensitive information and digital assets. The need to remain protected against these threats has led to the adoption of two key tools: cybersecurity insurance and cybersecurity warranties. While both aim to strengthen defense mechanisms, their approach to ensuring protection differs.

Adlumin’s latest Cyber Threat Insights report highlights a 20% surge in security threat detections, further emphasizing the importance of these tools in safeguarding businesses and organizations. But what exactly do these terms entail, and how do they differ in ensuring protection?

This blog covers cybersecurity insurance and warranties, unveiling the key distinctions and highlighting their role in safeguarding against cyber threats that lurk in the dark.

Understanding Cybersecurity Insurance

Cybersecurity insurance, also known as cyber insurance, cyber liability insurance, or cyber risk insurance, provides financial protection and assistance to organizations in the event of a ransomware attack, data breach, or any other form of cyberattack. It is designed to address the frequency and complexity of cyber threats and the potential financial losses that can result from them. Organizations purchase a contract where the organization’s liability for financial damages is minimized, alleviating the overall consequences if an incident occurs.

What does it protect against?

Cyber insurance covers any type of theft, compromise, or loss of electronic data that negatively impacts an organization. It can help reduce financial risk and keep an organization from paying out of pocket. Any organization that stores, manages, or creates electronic data can benefit from cyber insurance. Sensitive information like customer login information, social security numbers, contact numbers, or any personally identifiable information are all targets for cybercriminals.

Benefits of Cybersecurity Insurance:

Financial protection against losses
Assistance in incident response and recovery
Access to specialist resources and expertise

Exploring Cybersecurity Warranties

A cybersecurity warranty or cyber warranty can be described as when a provider guarantees they will pay a certain amount if their customer experiences a breach or incident. The purpose is to instill confidence in customers that their product or service has undergone rigorous testing and meets security standards. It helps mitigate the risks associated with cyberattacks and provides a form of assurance that the provider will take responsibility in the event of a security breach.

The conditions for a warranty vary based on the provider; some will expect the customer to abide by a set of security standards to be covered by their contract, or some expect the customer to prove that they were using the product or both. The losses a warranty can cover can vary, but they are typically a set amount.

What does it protect against?

Cybersecurity warranties cover various events, including:

Legal Liability: The warranty may cover the costs of letting the individuals affected by a data breach know and the legal expenses related to potential lawsuits.
Business Interruption: The warranty may cover the losses resulting from business interruption, including revenue loss, extra expenses incurred, and reputational damage.
Compliance Event: If a compliance event results in a breach of applicable regulations or standards, a cybersecurity warranty may cover the costs of fines and penalties imposed by regulatory authorities.
Ransomware/Business Email Compromise: ransomware, including payouts for ransoms or business email compromise, resulting in financial loss.

It is important to note that a cybersecurity warranty’s specific coverage and terms may vary depending on the policy and the provider.

Benefits of Cybersecurity Warranties:

Compliance support
Customer trust
Enhanced security
Liability transfer
Risk mitigation

Understanding the Fine Print: Cybersecurity Insurance vs. Warranties

While cybersecurity warranties can function well with cybersecurity insurance, they are not alternatives for each other. Instead, they are complementary. Warranties have more limitations than insurance, but they fill in the gaps in situations where insurers won’t pay out. For example, having a cybersecurity warranty in place may assist in reducing insurance premiums. They are both tools designed to mitigate the financial risk associated with cyberattacks and data breaches.

While cybersecurity insurance and warranties serve different functions, they go hand in hand with a comprehensive risk management strategy. Cybersecurity insurance helps organizations transfer the financial risks associated with cyber incidents to an insurance provider, while warranties provide an additional layer of assurance that the products or services being used have met certain security standards.

For example, if a breach occurs despite the organization implementing robust cybersecurity measures, cybersecurity insurance and warranties can cover the costs of incident response, legal expenses, and any financial losses. Together, they can help organizations mitigate potential financial losses and give them peace of mind knowing that they have protection against cyber threats.

The Ultimate Protection Complement

By combining cybersecurity insurance and warranties, organizations can ensure comprehensive coverage and minimize their financial exposure in the event of a cyber incident. It is important for organizations to carefully assess their cybersecurity risks, evaluate the warranties provided by vendors, and work with insurance providers to customize a cybersecurity insurance policy that suits their specific needs and risk profile.

Let’s Get Started

Learn more about how Adlumin Protect Warranty Certification can safeguard you against business continuity and insure against loss, protecting your revenue and recovery.

A Threat Actor's Playbook: Behind the Scenes of Akira Ransomware

September 7, 2023/in Blog Post/by Ellen Loughlin

By: Adlumin Threat Research and MDR Teams

Adlumin’s Threat Bulletin Series

A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware is a part of Adlumin’s Threat Bulletin Series content series.

In the world of cybercrime, a new player continues to rise: Akira Ransomware. With historical evidence pointing towards nation-state sponsorship, particularly from Chinese Advanced Persistent Threat (APT) groups, this insidious malware has been targeting businesses in the supply chain. However, what sets Akira apart is its focus on smaller tech companies and startups, which are often backed by wealthy investors and at the forefront of technological innovation.

Insights

Historical attack indicators point to nation-state-sponsored groups such as Chinese Advanced Persistent Threat (APT) groups using the new Akira ransomware to target businesses in the supply chain.
Adlumin has observed that Akira ransomware has been used against smaller tech companies/startups since it debuted in March. These firms tend to develop innovative solutions using the latest technology and often have the backing of wealthy investors – all valuable information in the dark web.
Some of the IP addresses involved in an attack that Adlumin recently investigated were registered to Alibaba Cloud, a subsidiary of Alibaba Group, making the connection to Chinese APTs stronger.
Akira ransomware gains access through various attack vectors, including phishing campaigns and exploiting vulnerabilities in remote monitoring and management software (RMM). Notably, the actors behind these attacks also target vulnerabilities in VPN products, again hinting at potential involvement from Chinese APTs who have historically leveraged exploitation through VPNs.
Akira ransomware utilizes various tools and techniques, including the use of distinct tools during operation and the encryption mechanisms used to generate and safeguard encryption keys.

Disrupting the Technology Sector

With the recent targeting of yet another American technology startup in a cyberattack last week, cybersecurity analysts at Adlumin are now considering a crucial question: Could nation-state-sponsored groups potentially be utilizing the Akira ransomware to disrupt the supply chain?

Newcomer malware, Akira ransomware, continues to impact mid-market entities in the utility, construction, manufacturing, education, and transportation sectors, not just in the U.S. but also in countries like Sweden, Australia, Argentina, Japan, and others.

The threat actors behind these attacks have been increasingly targeting smaller tech companies and software makers of IT solutions aimed at educators, office administrators, consultants, entrepreneurs, and even hobbyists.

Akira ransomware attack victims in the IT sector include Cequint, Wilcom, GC&E, WTI Western Telematic, Computer Information Concepts, and Optimum Technology.

The recent Akira ransomware incident examined by Adlumin’s Managed Detection and Response (MDR) analysts also targeted a firm within the IT industry. The malicious actors employed typical tactics, techniques, and procedures (TTPs) like brute force attacks, lateral movement, and credential theft. Nevertheless, indications suggest the potential involvement of a significantly larger entity in these breaches. This assumption stems from the historical behavior of advanced persistent threats (APTs), which often disrupt the supply chain by targeting small enterprises.

Vectors and Exploitation

Akira ransomware made its debut in the malware landscape in March 2023. Since then, threat actors have been using methods like phishing campaigns, exploiting vulnerabilities in remote monitoring and management software (RMM), remote desktop protocol (RDP), and tools like RustDesk for remote access. There have also been recent news reports about threat actors using vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products as additional ways of carrying out attacks.

Adlumin MDR analysts theorize that threat actors behind last week’s attack infiltrated the victim’s network through their VPN due to the numerous VPN events detected by the Adlumin Security Operations Platform in the initial stages of the attack.

Analysts also found that numerous IP addresses used by the threat actors in the attack were registered to Alibaba Cloud, a subsidiary of the Chinese conglomerate Alibaba Group. Researchers at RSA have previously found that Chinese APTs frequently use VPNs and VPN tunneling as a tactic for exploitation and to hide their tracks and exfiltrate data. Furthermore, upon review of network data logs, numerous destination ports during the attack were to servers in China. However, other destinations included servers in Singapore, Paris, Russia, and even cities within the U.S., such as Los Angeles.

Lateral Movement

Once in the networks, the malicious actors initiated lateral movement — compromising hosts running Windows Servers 2012, 2016, and 2019.

Akira ransomware distinguishes itself by its ability to exploit vulnerabilities in Linux systems, marking a departure from conventional ransomware. Research indicates that attacks on Linux machines surged by 75 percent in 2022.

Notably, two endpoints running Ubuntu Bionic Beaver 18.04.6 LTS and Ubuntu 18.04.03 LTS were indeed targets of the attack.

Data Deletion and Exfiltration

Threat actors escalated tactics using PowerShell commands to delete shadow copies with “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.”

Threat actors then moved to file encryption. MDR analysts identified encrypted files marked with the “.akira” extension, such as “foo.doc.akira.” Additionally, an accompanying ransom note named “akira_readme.txt” was discovered.

Adlumin MDR analysts suggested that the data theft might have occurred using DNS, a method commonly employed by APTs to minimize detection. This technique involves breaking down the stolen data into smaller encrypted chunks, which are then sent to external servers using UDP instead of TCP. The exact amount of data taken in the attack is still unknown, and the investigation is ongoing.

Akira Ransomware Analysis

The following is an analysis of the Akira Ransomware from Adlumin’s Threat Research Team with supportive information from other sources (listed at the end of this section).

Attack Process: The incursion initiates when an instance of the Akira ransomware is activated. Upon execution, the ransomware eliminates Windows shadow volume copies on the targeted device. Subsequently, the ransomware encrypts specific file types with predetermined extensions. It modifies each encrypted file’s name by adding the ‘.akira’ extension during this encryption procedure.

During encryption, the ransomware halts active Windows services using the Windows Restart Manager API to ensure an uninterrupted encryption process. It focuses on encrypting files within various hard drive directories, excluding certain folders like program data, recycle bin, boot, system volume information, and Windows folders.

Notably, Windows system files with extensions such as .sys, .msi, .dll, .lnk, and .exe remain untouched to maintain system stability. In most infiltration cases, unauthorized parties exploit compromised credentials to gain initial entry to the victim’s environment.

It is noteworthy that a significant number of victim organizations did not enable multi-factor authentication (MFA) for their VPNs. The source of the compromised credentials is uncertain, but it is plausible that threat actors acquired access or credentials from illicit sources on the dark web.

Toolset: Upon obtaining initial access, the Akira ransomware employs a distinct variety of tools, including PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN, Mimikatz, LaZagne, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, WinRar, WinSCP, Rclone, FileZilla, and PsExec.

During operation, the ransomware generates a symmetric encryption key using the CryptGenRandom() function, a Windows CryptoAPI random number generator. The symmetric key undergoes further encryption using the RSA-4096 cipher and is appended to the end of the encrypted file. The specific public key used is hardcoded within the ransomware’s binary code and varies across different instances.

Malware Analysis Supportive Sources:

Conclusion

There could be many reasons why APTs may be going after smaller, lesser well-known IT companies. Among these is the prospect of acquiring intellectual property, particularly considering that these startups may be developing new technology that holds significant value in the dark web.

Perhaps threat actors are looking for information on how these companies are funded, including names of investors who could potentially become targets of future spear and whale phishing campaigns.

Whatever the case may be, adversaries are finding that these IT firms have weaker network security than tech giants and thus become easy targets for their aggressive attacks.

Akira Ransomware Indicators of Compromise (IOCs)

Hashes

431d61e95586c03461552d134ca54d16
af95fbcf9da33352655f3c2bab3397e2
c7ae7f5becb7cf94aa107ddc1caf4b03
d25890a2e967a17ff3dad8a70bfdd832
e44eb48c7f72ffac5af3c7a37bf80587
302f76897e4e5c8c98a52a38c4c98443
9180ea8ba0cdfe0a769089977ed8396a68761b40
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Summer 2023: Uncovering Cyber Threats in Education

September 7, 2023/in Blog Post/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

With classes now back in session, the education sector continues to face unique cybersecurity challenges due to its diverse user base, limited IT resources, and increasing adoption of Chromebook and other devices.

Adlumin’s Threat Research Team uncovers double extortion ransomware as one of the leading threats against educational institutions. This type of attack focuses on hackers encrypting data and threatening to leak it. Threats like this put educational institutions at risk of emotional distress, privacy loss, and legal consequences.

To better understand the cybersecurity challenges and emerging threats facing the education sector, download Cyber Threat Insights: Education Edition. This report provides valuable insights into the risks faced by educational institutions and emphasizes the importance of investing in proper cybersecurity measures to protect sensitive data and safeguard against cyberattacks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network by learning more about the challenges and solutions in the education sector.

Learn More

Schedule an Adlumin Demo

September 6, 2023/by Ellen Loughlin

Summer 2023 Threat Insights: Unlock the Latest Cybersecurity Trends

August 31, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

Protecting your IT environment from cyberattacks is more crucial than ever. Adlumin’s Cyber Threat Insights: Summer 2023 provides a comprehensive overview of the latest threats and vulnerabilities. Revealing a concerning 20% surge in security threat detections, highlighting the increasing frequency of cyberattacks on organizations.

Not only are these threats becoming more frequent, but their severity is also escalating, with a higher percentage of critical ‘High’ severity detections compared to previous periods. It is essential for organizations to stay one step ahead of these evolving threats. Adlumin’s Cyber Threat Insights emphasizes the importance of leveraging Security Orchestration and Automated Response solutions, which have seen a 30% increase in use.

By downloading Adlumin’s Cyber Threat Insights: Summer 2023, you will gain valuable insights into the latest trends and developments and actionable recommendations to enhance your proactive defense strategies and mitigate cyberattack risks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network.

Learn More

8 Essential Questions to Ask: Choosing the Right MDR Provider

August 24, 2023/in Blog Post Jen Thompson/by Adlumin Staff

Adlumin’s industry expert and Senior Director of Product Marketing, Jen Thompson, discusses essential questions you need to ask when considering an MDR provider and provides answers that will help you make informed decisions when protecting your organization.

Adlumin Named to Prestigious Inc. 5000 List for the Third Consecutive Year

August 18, 2023/in Blog Post/by Ellen Loughlin

We’re excited to share that we’ve been named to the Inc. 5000 list ranking America’s fastest growing private companies. This is Adlumin’s third straight year on the list and our continued rapid growth propelled us to number 438. This ranking was fueled by an average median three-year revenue growth rate of 1,320%, which boosted our rank by more than 100 spots from the 2022 list.

Adlumin is focused on addressing the inequities that exist today between an organization’s size and its ability to effectively protect itself against the growing threat of sophisticated cyberattacks. For too long, only the world’s largest organizations – in both the public and private sector – have had the tools and resources needed to defend themselves. Our success over the past year and the steep growth trajectory we’ve maintained for the past several years is a testament to our mission and our amazing team’s ability to execute against it.

While the cybersecurity industry has discriminated, in many ways, against smaller organizations, cybercriminals have not. Growing and mid-market organizations (like many of our fellow honorees on the Inc. 5000 list) have personal and proprietary information and valuable operations to protect. These organizations are targeted by the same threat actors and with the same aggressive tactics as the world’s largest organizations.

“Adlumin is here to ensure organizations of all sizes have the capabilities they need to defend against any cyber threats they face. We’ve made significant strides to further that mission over the past year by continuing to enhance our security operations platform and most recently, with the launch of a new offering that makes incident response services affordable and attainable for organizations of all sizes, said Robert Johnston, founder and CEO of Adlumin. “Our growth this year and our ranking among the top 10% of America’s fastest growing companies is a strong validation for the impact we’re having at our expanding list of partners and customers.”

For this year’s Inc. 5000 list, we join a class of honorees that have driven rapid revenue growth while navigating inflationary pressure, the rising costs of capital, and seemingly intractable hiring challenges. Among this year’s top 500 companies, the average median three-year revenue growth rate ticked up to an astonishing 2,238 percent. In all, this year’s Inc. 5000 companies have added 1,187,266 jobs to the economy over the past three years.

“Running a business has only gotten harder since the end of the pandemic,” says Inc. editor-in-chief Scott Omelianuk “To make the Inc. 5000—with the fast growth that requires—is truly an accomplishment. Inc. is thrilled to honor the companies that are building our future.”

Thank you to Inc. Magazine for the gargantuan effort of pulling this list together. Thank you to our entire Adlumin team who make this company better and stronger every day. And most of all, thank you to our partners and customers for placing your trust in us. We’ll only get better and stronger from here.

For complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, location, and other criteria, go to www.inc.com/inc5000.

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

August 17, 2023/in Blog Post/by Adlumin Staff

By: Kevin O’Connor, Director of Threat Research

Key Takeaways

The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid- market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.
Cybercriminals are directing their efforts towards the managed service providers (MSPs) of these enterprises, utilizing techniques such as remote monitoring and management (RMM) software as vectors or entry points into the targeted systems, which provides complete administrative access.
Additional attack vectors are Fortinet firewalls with 3–5-year-old vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.
PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.
This article examines the tactics, techniques, and procedures (TTPs) of threat actors utilizing PlayCrypt, as mapped in the MITRE ATT&CK framework, and observed during an attack and subsequent investigation by the Adlumin MDR and Incident Response Teams.

Initial Access

Last month, in the wee hours of the night, a threat actor used PlayCrypt to leverage Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing the majority of its defenses.

RMM software serves as the central nervous system of modern-day service providers. It gives users unfettered, privileged access to networks so operators can deliver seamless support and IT operation functions to a distributed cohort of customers.

But the PlayCrypt ransomware group can utilize the same remote access capability to wreak havoc on mid-market firms.

The ransomware debuted in June 2022 and is strongly affiliated with the Balloonfly malware group. It employs double-extortion tactics, stealing victim data before encrypting their networks.

Recently, PlayCrypt expanded its toolkit with new tools and exploits like ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution.

Aside from hackers using remote desktop protocol servers as a vector for network infiltration, they can also use FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.

In the incident involving PlayCrypt ransomware, Adlumin analysts believe there were at least two potential methods of intrusion. The first possibility is that the hackers gained access through compromised remote desktop software credentials. The second is that they may have exploited a vulnerability in the software itself.

Execution

Once inside the victim’s network, attackers can move quickly to deploy more exploits to gain a solid foothold on the system. These exploits include PowerShell scripts, Microsoft Server Remote Code Execution, and batch files.

Defense Evasion

When exploits have given threat actors root access, they begin creating admin-privileged accounts that can be used to disable security tools. For example, the Adlumin MDR team noticed that hackers utilized the Windows registry to shut down Windows Defender after creating a privileged account.

Adversaries can also replicate the traffic patterns of legitimate users, thereby making it complicated for network security tools to discern between malicious and normal activities.

During the defense evasion stage, threat actors can also delete signs that they are in the system to throw off cybersecurity teams.

Credential Access

To evade detection, threat actors incorporate the use of tools such as Mimikatz to extract credentials. These compromised usernames and passwords are subsequently exploited to escalate privileges, execute lateral movement across the network, and facilitate data exfiltration.

Halting The Attack

The AI-powered Adlumin Security Operations platform was successful in detecting and stopping malicious activity when PlayCrypt ransomware was used. The platform uses automated Security Orchestration Automation and Response (SOAR) actions to isolate impacted endpoints, disable suspicious accounts, reset passwords, initiate scans, and more. As a result of the detections and SOAR actions taken, the MDR team immediately received notifications and started to investigate further and take additional mitigation actions.

During the incident, the MDR team discovered and stopped data exfiltration processes through the FTP port that the hacker had initiated. The team also found malware executables hidden in temporary and system folders.

Command and control (C2) systems activity was also detected. This information allowed an analyst to gather information on the hacker’s location through IP and geolocation.

Finally, analysts found that the hacker(s) also deleted volume shadow copies to prevent the customer from restoring from backups.

Incident Response

Adlumin Incident Response (IR) team joined the investigation to take a deeper dive into the threat actor’s TTPs and examined the malware used through reverse engineering.

The IR team found that PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.

Once in a network, threat actors utilize “lolbins” binaries in the ransomware attacks. They distribute executables through Group Policy Objects, employing scheduled tasks, PsExec, or WMIC. Upon achieving full network access, they encrypt files with the “.play” extension.

Recommendations

Adlumin recommends that customers choose MSPs with strong security records and know-how for identifying and handling data breaches.
As for MSPs, we recommend the use of stronger credentials and the implementation of multi-factor authentication to prevent threat actors from taking advantage of RMM software.

The Adlumin Advantage

The combination of automated SOAR actions implemented by the Adlumin’s Security Operations Platform and the rapid response of the MDR and Incident Response teams successfully thwarted the attacker’s advances. Had the hacker been successful, they would have held all the customer’s sensitive data hostage through encryption, demanding a ransom.

With the threat neutralized, Adlumin strengthened its defenses, armed with valuable insights from the reversed-engineered PlayCrypt ransomware samples. The IOCs uncovered during the investigation now serve as a robust shield against future attacks, ensuring the protection of customer data and upholding their commitment to cybersecurity excellence.