Security researchers have discovered that attackers have been using the ONI ransomware to hide an elaborate hacking campaign that targeted Japanese companies which went undetected for months. IT security experts commented below.
Josh Mayfield, Director at FireMon:
“Ransomware has several capabilities that are now becoming widely known. Specifically, ransomware has the ability to capture files and total systems and shut them down until a ransom is paid. This capability can be repurposed and used to command the system to do all number of things.
By using ransomware to cover the hacking, the attackers get two benefits: 1) reduce the digital residue of the infected system, and 2) multiply the number of would-be alerts.
With the first, by reducing the activity of an infected system, its log data hides the markers for compromise. Put yourself in the shoes of a threat hunter. You often are looking at myriad systems and combing all the data together to look (hunt) for indications of compromise. However, if the systems supplying the data are cloaked, you cannot get a full picture of what is happening. Without data confidence, you just can’t be sure you have a compromised system.
Coupled with this hunter misdirection is the ability to hopscotch from system-to-system without being detected. After all, there is not linked data indicating the same activity as the adversary traverses the network. Without seeing a noticeable footprint, it is virtually impossible to organise the hunting effort through the kill chain – most importantly, lateral movements.
The second benefit from using ransomware to cover an attack is the flood of alerts you can generate. Organisations have bolstered their ransomware detectors and are using precision techniques to uncover ransomware in their networks. Attackers can use this enthusiasm against the organisation; intentionally triggering an alert here just when I’m going there.
When looking at any new tactic, technique or procedure (TTP), it is important to inject a morsel of human psychology into the analysis. We have to see the motives that drive the human attackers to deploy new weapons. ONI in particular is actually an amalgam of damaging malware’s. By hurdling into the network with a mixture of malware’s, you can improve your probability of success. Effectiveness is what an attacker is looking for, mixing the quiver with multiple weapons aids effectiveness.
This is where real-time monitoring is so essential. Prior to seeing anything wiped, the activity on the machine can be analysed without having to worry about missing data at the point of malware execution. Once that has happened, these wipers will dissolve outgoing communication (logs) and prevent a threat hunter from seeing what’s happening on a given asset.
Security vendors have been trying to address this problem, because the standard agents and polling mechanisms only get a scoop of data from systems at specified times or during a problem. This ‘collection’ is antithetical to real-time analysis. Only by having a live stream can a security team notice the changes, even if the changes in their environment are seemingly benign.
Lastly, the systems have buried in their memories the history of their polls and agent pulls. Well, if I know the history of the system requests for data harvest, then I can know precisely when and how to deploy the ransomware to avoid any notice. However, with real-time monitoring, organisations can reduce this risk.
Unfortunately, we have invested so much in detection that we continue to miss the opportunity to apply policy to these issues. Policy can be the supreme dictator of what happens, but often policy stops at gateways and traffic allowed within a given context.
Next generation policy management should allow Asset-Centric security controls. This puts a policy down to the device level, instructing the system what it can and cannot do. This to-do list can be exhaustive. It can instruct the system how it can communicate with other systems, users, outside entities. It can inform the system which kinds of services, protocols, and methods are permissible under a set of circumstances. This Asset-Centric policy control moves well beyond the typical security settings on a particular device, because it takes into account that devices are all interconnected. Only by using asset-centric policy control can we uncover new TTPs and ultimately prevent ourselves from their harm.”
Manoj Asnani, VP Product and Design at Balbix:
Most attacks, including ONI ransomware, rely on users clicking on a malicious payload, which allows attackers to propagate through the network and compromise critical assets. To defend against these types of attacks, organizations must get ahead of the threat by using predictive technologies, rather than reacting to data breaches. Predictive technologies could prevent an attack scenario like ONI by highlighting where the phishing attack might start (which users, which assets) and whether there is proper segmentation in place to stop the lateral movement, while also providing visibility into which critical assets the adversaries might prioritize targeting.
Stephan Chenette, Founder and CEO at AttackIQ:
“In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. Defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls. They should continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence.”