From SolarWinds to Log4j: The global impact of today’s cybersecurity vulnerabilities


By Harish Kumar, Head, Enterprise & Government, Check Point Software Technologies, India & SAARC

If the past year has taught businesses anything, it’s that the impact of targeted cyberattacks and security vulnerabilities is now, without doubt, universal. From the fallout of the SolarWinds software supply-chain attack to the exposed Apache Log4j vulnerability, the case for organizations of all shapes and sizes to have a comprehensive and robust security infrastructure in place has never been stronger, even if they themselves aren’t necessarily in the crosshairs.

Many regard the now-infamous SolarWinds breach in late 2020 as a major catalyst for what would become a frenzy of “Gen V” or fifth-generation attacks that persist to this day. Such large-scale, multi-vector attacks have virtually unlimited reach, with devastating security consequences for businesses and governments around the world. A year later, the Apache Log4j vulnerability was exposed, which made it possible for malicious actors to execute code remotely on almost any targeted computer to take control, steal data or even hijack a user’s machine to mine cryptocurrency.

The former was an orchestrated attack by an advanced persistent threat group; the latter was an exposed zero-day vulnerability that nobody saw coming. One thing both incidents have in common, however, is that they increased risk and vulnerability for businesses in every sector, in every corner of the world. As organizations plot their course through 2022 and beyond, it’s never been clearer that cybersecurity is a global issue rather than a local one, and this should be reflected in every cybersecurity strategy moving forward.

The rise of “Gen V” attacks

Gen V attacks are unique in the way that they leverage broad attack surfaces and multiple infection vectors to infiltrate large numbers of organizations, and they are increasing at an unprecedented rate. At a time when businesses and government agencies are expanding their network footprint, adding more endpoints and connected devices into their technology mix, the risk of being impacted by a Gen V attack has also never been higher. As outlined in our 2022 Security Report, the SolarWinds breach, which impacted organizations around the world, kickstarted a torrent of supply-chain attacks that still plague businesses today. In a year that saw cyberattacks against corporate networks increase by 50% across the board, software vendors like SolarWinds experienced the largest year-on-year growth in attacks with an increase of 146%. Today’s corporate economy is built on an intricate web of software supply chains, which means that with every additional attack on a software vendor, the vulnerability of businesses around the world is further amplified.

Fuelling attacks: the Sunburst catalyst

The SolarWinds software supply-chain attack was facilitated by a back door known as ‘Sunburst’, which was added to the SolarWinds Orion system before being distributed to customers globally via a routine update. This gave the APT (advanced persistent threat) group involved covert access to thousands of SolarWinds customers’ networks, from government agencies to Fortune 500 companies. Unfortunately, this mode of attack from APT groups is now on the rise. As our report details, the REvil ransomware group targeted multiple managed service providers (MSPs) throughout 2021, and in July managed to embed a malicious software update in IT company Kaseya’s patch management and client monitoring tool. Thousands of unsuspecting businesses were impacted, with millions of US dollars demanded in ransom.

Sunburst also likely inspired the attack on Colonial Pipeline, which carries almost half of the fuel consumed by the US East Coast. The nation-state APT group, DarkSide, was allegedly behind the attack, employing a Ransomware-as-a-Service model, meaning it relied on third-party affiliate programs to orchestrate the breach. This is one of the most striking examples to date of how tools used to carry out such attacks are becoming democratized and more widely used, again ramping up the pressure on businesses to guard their perimeters.

While the assets of the REvil ransomware group have since been seized and its ringleaders arrested, you cannot arrest code. Once one threat group makes headway with a particular attack, it doesn’t take much for an affiliate member to keep that momentum going. Emotet, one of the most dangerous botnets in history, made a return in November 2021 following its takedown a year earlier. It’s a trojan primarily spread through links, spam emails, malicious scripts and macro-enabled document files, and once it infects a user it can spread like wildfire without detection, stealing banking credentials and financial data from individuals, companies and governments around the world.

Ambushed by zero-day vulnerabilities

While targeted attacks like the ones outlined above are presenting an increased threat to organizations around the world, so are exploits and vulnerabilities. In December last year, a remote code execution vulnerability was reported in Apache Log4j, the most popular Java logging library in the world. This library is embedded in almost all of the services and applications we use in our day-to-day lives, from Twitter and Amazon to Microsoft and Minecraft. Although some threat actors initially used the exploit to leverage cryptocurrency mining resources at the expense of their victims, there’s no reason it couldn’t be used for more sophisticated and nefarious attacks. Check Point Research detected approximately 40,000 attack attempts just 2 hours after the Log4j vulnerability was revealed, and a further 830,000 attack attempts 72 hours into the event.

These zero-day vulnerabilities earn their name from their ability to completely blindside businesses, giving them virtually no time to react before they become potential victims. It then becomes a race between how quickly threat actors can exploit the vulnerability and how quickly businesses can close the gap in their defenses.

Global threats require a global solution

The threat climate has changed. The traditional defensive line that businesses can draw between themselves and the rest of the cyber landscape has become blurred to the point that it may as well not exist. Instead of guarding a static perimeter, businesses need to take a more holistic and real-time view of their security infrastructure. Security practitioners need to be able to maintain 360-degree visibility of their entire network, regardless of how far and wide it has been distributed. They also need access to real-time threat intelligence on a global scale, so they can pre-empt far-reaching zero-day vulnerabilities and targeted software supply-chain attacks like the ones outlined above.

Check Point’s Infinity platform, for instance, is the only security platform of its kind that offered pre-emptive protection for customers against the Log4j exploit. It’s the first modern, consolidated security platform specifically designed to guard against zero-day vulnerabilities and sophisticated fifth-generation attacks across all networks, cloud deployments and endpoints. Part of Infinity’s success is its ability to leverage Check Point’s ThreatCloud, a real-time global threat intelligence platform that monitors networks around the world for emerging threats and vulnerabilities.

If organizations around the world want to operate safely and securely in 2022 and beyond, they need to start seeing cybersecurity as a global issue rather than a local one, and evolve their security strategies accordingly. Only then will they be able to confidently defend themselves against a threat landscape that knows no bounds and cannot be contained by borders.
