Among the multitude of existing cyberattack techniques, most of which are multi-vector, there are three to be particularly wary of: ransomware, Distributed Denial of Service attacks (DDoS) and Supply Chain attacks. Let’s take a look at each of them, and consider how to avoid and detect them.
Ransomware has the distinguishing characteristic of taking personal data hostage and claiming to be able to return it for a ransom (usually in cryptocurrency). Ransomware is currently riding the back of three trends.
First of all, this type of attack is increasingly targeted and structured, in line with the growing professionalism of the threat. This more vertical, planned targeting is emerging because some organisations are more willing to pay a ransom than others. This is true of hospitals, local authorities and the Colonial Pipeline company, mentioned above. The financial, economic and social risks, and in some cases even the risk to human life, leave them with no choice. As a result, the proportion of organisations opting to pay has soared in recent years, with almost 65% of companies now choosing to pay at least part of the ransom demanded.
Ransomware is also an attack subject to the “as-a-service” rule, making it accessible to all, with the complexity of implementation being outsourced by the service operator.
Finally, it is important to mention the concept of double jeopardy, a new “idea” developed by hackers. Not only do the hackers encrypt the data; before doing so, they steal it. There is therefore no guarantee that, once the data has been recovered from the hackers, they will not retain a copy for potential future attacks, or for a further extortion attempt using the threat of revealing confidential or sensitive data. The threat of double jeopardy thus remains constant.
Several groups, such as LockBit, Conti or ALPHV, have been particularly active in this field in recent months.
DDoS attacks refer to the saturation of a server with traffic from thousands of machines, made possible mainly by the use of “botnets” (networks of compromised machines).
The associated trend is that the price of entry for carrying out such attacks has been considerably reduced, due to the transformation of DDoS into “DDoS as a service”. These services enable third-party organisations to carry out attacks, for a fee, with shared infrastructure.
Increasingly frequent in recent years, DDoS attacks have seen their size records increase fourfold in 8 years.
This exponential development can also be explained by the widespread use of smurf attacks. With this method, the size of the botnet becomes less critical. Moreover, since the attacks are carried out by bouncing off uncompromised servers, the target sees them as ordinary traffic. This trend, and its associated attacks, will continue to accelerate; ultimately, only the large web players will have the resilience to deal with it. Microsoft suffered a record attack of 3.47 terabits per second. Even more surprisingly, Andorra suffered widespread internet outages in January 2022, leaving its 80,000 subscribers without internet access due to DDoS attacks that spanned several days. The probable motive for the attack was to prevent players from participating in a Minecraft competition…
More recently, the Ukrainian conflict has highlighted the use of DDoS attacks to destabilise opposing IT infrastructures. DDoS attacks are tactical weapons that are easy to deploy in an armed conflict, as they are quick to set up and do not require privileged access that can take a long time to obtain.
The latest example of “celebrity” attacks in cybersecurity: supply-chain attacks. Their principle? Attack one of the target’s suppliers in order to hit the target itself. The risk of this type of attack is increasing.
Today, more than 60% of attacks on the supply chain are successful (compared to 44% in 2020).
There are two ways of achieving this, which equate to two different modes of attack.
The first is to attack the network by bouncing off a network of suppliers. The most high-profile example is that of Target, a North American retailer: in 2013, hackers broke into Target’s information system using its air-conditioning supplier’s access, obtained through a phishing campaign. Such access, which normally has a purely technical use linked to the management of air-conditioning units, was not considered sensitive, but it nevertheless constituted a link to the company’s network that the hackers were able to exploit. This type of threat is taken very seriously by major industrial companies, whose networks are regularly connected to those of their subcontractors and suppliers to enable data sharing, as a means of delivering efficiency and performance.
The second type of supply-chain attack uses a software production chain to infect a legitimate program (the aforementioned example of SolarWinds illustrates this, with compromised software distributed to third parties).
What makes this mode of attack different is the way in which it targets open-source components, making its spread potentially wider and faster. Contrary to popular belief, open source, with its verifiable open code, offers no guarantee that the code has been properly reviewed and verified, and is therefore secure. Faced with the quantity of existing software and the billions of lines of code associated with it, exhaustive and perfect checking is unattainable, and flaws (whether intentional or not) can easily slip in. Some hacker groups therefore take advantage of this to introduce flaws that serve their purposes. This is a very recent trend, but one that is sure to accelerate.
Indeed, supply-chain attacks have also proliferated in recent months on open-source frameworks. They sometimes target the core of the software, such as PHP (CVE-2021-29472), to create a backdoor. They can also target package ecosystems such as Python’s, which suffered an automated attack that created 3,500 packages whose names were close misspellings of legitimate ones (“typosquatting”), in an attempt to trick developers into unknowingly downloading malware and turn their machines into unwitting cryptocurrency miners. More recently, npm has been the target of typosquatting campaigns specifically aimed at Microsoft Azure users, with more than 200 malicious packages stealing user and network data, with the possible aim of paving the way for a larger attack.