by Sophos • Sep 16, 2022
Cybersecurity pros have seen countless organizations fall victim to multiple cyberattacks over the years — it’s not a new trend. In the past, these instances typically occurred over the course of a year or two. But now it’s becoming common for multiple threat actors to attack the same organization within months, weeks or days of each other — sometimes even simultaneously.
Author: Scott Barlow, global VP of MSP and cloud alliances, Sophos
In 2022, Sophos’ Managed Threat Response (MTR) team identified an uptick in cases where multiple threat actors hit the same organization in close succession. The challenge is that multi-attack incidents can complicate an organization’s security monitoring, incident response and threat intelligence as security teams balance business continuity and preventative security measures. With multi-attack incidents showing no sign of slowing down anytime soon, managed service providers (MSPs) need to pay close attention to their customers’ security operations to help them defend against concurrent attacks.
How do threat actors execute overlapping attacks?
There are two key drivers of overlapping exploitations: existing vulnerabilities and unaddressed misconfigurations after an initial attack. Despite the similarities in how adversaries gain network access, each type of cybercrime group tends to operate under different principles. Threat actors like cryptominers often kick rivals out of compromised systems and eliminate access points for rival groups by patching vulnerabilities. On the other hand, ransomware groups are less concerned with competition and instead rely on tactics that directly or indirectly benefit other groups.
For example, the ransomware group Karma recently infiltrated a major healthcare provider’s network, exfiltrated data and demanded ransom — but failed to encrypt the organization’s files. Less than a day after Karma sent its ransom note, a second group, Conti, exploited the same vulnerability to gain network access, encrypt files and demand its own ransom.
Regardless of whether this cooperation is intentional, any multi-attack scenario poses a heightened risk to an organization’s network security. After an initial attack, organizations are so focused on remediation and business continuity that they often place proactive threat detection on the back burner — leaving them vulnerable to additional attacks.
Six tips for leveling up customer security operations
It’s no longer a matter of “if” an organization will experience a cyberattack — it’s now a matter of when and how many attacks it will encounter. And with consequences ranging from financial to reputational, the impact of overlapping attacks can devastate an organization’s bottom line. As the frequency of these incidents rises, it’s important to understand threat actors’ evolving tactics and behaviors — and how to best protect your customers against them.
To get started, here are six initiatives you can take based on Sophos’ latest report, Multiple Attackers: A Clear and Present Danger:
- Don’t neglect updates. It may seem simple, but regular hardware and software updates are critical for proactive threat prevention. While patch management is an effective way to avoid future compromises, there have also been instances where malware was already present on an organization’s system. With this in mind, it’s worthwhile to ensure your customers haven’t already been breached before patching.
- Take immediate action. You must act fast to address an ongoing attack — if a threat actor posts your customer’s information on a leak site, other adversaries are likely to follow suit and execute a follow-up attack. Close the initial entry point and carefully follow your incident response plan.
- Prioritize the most harmful bugs. With more than 50 vulnerabilities disclosed per day in 2021, it can be difficult to know where to focus your efforts. Pay close attention to bugs that are affecting your customers’ specific software stack and high-profile vulnerabilities that could pose a risk. You can follow CVE Trends or sign up for alerts from Bug Alert for updates on the latest vulnerabilities.
- Assume the worst. The period after an initial attack is not the time to sit still. More often than not, groups will infect a network with multiple strains of ransomware, or initial access brokers (IABs) will resell or relist their products (access to an organization’s networks). Assume other attackers will find these vulnerabilities and exploit them in a subsequent attack.
- Beware of misconfigurations. One of the biggest mistakes an organization can make after an initial attack is failing to fix misconfigurations. Unresolved misconfigurations remain a top cause of multiple exploitations because threat actors seek out exposed Remote Desktop Protocol (RDP) and virtual private network (VPN) ports on cybercrime marketplaces.
- Consider new vulnerabilities. When an attacker gains initial access, they may expose additional vulnerabilities or create backdoors for a future threat actor to exploit. Consider whether any new ingress points have appeared and if misconfigurations or weaknesses exist that a subsequent threat actor could use to gain access.
No organization is immune to overlapping attacks. But with the right security tools and protocols in place, you can help your customers reduce the likelihood of experiencing these harmful incidents.
For a better understanding of how and why organizations fall victim to multiple attackers — and how MSPs and security professionals can help protect their customers — check out our most recent Active Adversary white paper, Multiple Attackers: A Clear and Present Danger.