
3/30/2016 07:00 PM

Business Disruption A Big Focus In 2015 Cyberattacks

In a shift from the low and slow attacks of recent years, many incidents last year were attention seeking and were motivated not just by money, according to Mandiant's annual report.

There’s a bit of an everything-old-is-new-again feel to at least one of the major trends for 2015 in security firm Mandiant Consulting’s recent annual threat report.

As with previous reports, FireEye/Mandiant’s analysis is based on a review of its customer engagements in the past year. The most interesting new trend it discovered over the period was an increase in the number of business disruption attacks its clients suffered. Examples of such attacks included those where corporate data was held for ransom or where the organization itself was held to ransom by attackers threatening to delete data, release it publicly, modify it, or add malware to the data.

In a shift away from the low and slow attacks of recent years, many of the incidents that Mandiant was called in to remediate in 2015 harkened back to older attacks in that they were very public, leaked data, and taunted victims.

Instead of the usual focus on stealth and maintaining access for as long as possible, the attacks that Mandiant investigated in 2015 were deliberately designed to draw public attention to the malicious activity or to data that was compromised. “Some attackers were motivated by money, some claimed to be retaliating for political purposes, and others simply wanted to cause embarrassment,” Mandiant said in its report. 

Publicity-seeking attacks were common a few years ago but have become far less frequent recently. Security researchers have noted how in recent years threat actors have chosen to focus on monetizing their criminal skills and on stealing data rather than on displaying their hacking prowess to make a political or social point or to impress peers.

Charles Carmakal, vice president of Mandiant, says that the threat actors responsible for the disruptive attacks typically had very different motivations from those looking to steal data over the long-term.

“Disruptive threat actors are motivated by money and fame,” he says. “State-sponsored threat actors tend to steal information that provides economic, military, or political advantage to their countries.”

Usually, such hackers have been careful to avoid disrupting businesses because they want to continue to steal data from their victims, he says.

Digital blackmail schemes were a common occurrence in 2015 among Mandiant’s clients. Such campaigns typically involved situations where an attacker tried to extort money from an organization by threatening to publicly release sensitive data that had been previously stolen from it.

“We’ve observed attackers stealing materially sensitive data, then threatening to release the information publicly, encrypting victims’ data, and conducting denial of service attacks until ransoms were paid,” Carmakal says. In most cases, the ransoms demanded tended to be commensurate with the value of the stolen data, suggesting that attackers had a finely honed sense of the inherent value of the information.

Mandiant also investigated multiple attacks where the adversaries wiped data from critical business systems, and often from the backup infrastructure as well, keeping victims offline, sometimes for weeks. While threat actors have had the ability to take such actions for years, most have refrained from doing so because their focus has been on theft of IP and other data.

“Many of the disruptive attacks that we observed in 2015 appeared to be opportunistic in nature,” Carmakal says. “However, we’ve observed attacks that were clearly targeted and deliberate.”

Somewhat ironically, the disruptive nature of many of the attacks in 2015 may have actually made them easier to spot.

According to Mandiant, last year it took about 146 days on average for organizations to learn they had been breached, or to be notified of one. While that is still a long time, it is better than the 205 days on average it used to take in 2014, and the astonishing 416 days in 2012.

The quicker detection times may be due to a few reasons, including the fact that threat actors are becoming more disruptive, so their malicious actions are more visible and therefore detected more quickly, Carmakal says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
