5 Devastating Endpoint Attacks: Lessons Learned
Many cybersecurity attacks, including some of the biggest and most recent attacks, target corporate endpoints. Reviewing these five large attacks that leveraged weaknesses in endpoints can teach organizations important lessons and identify a few best practices that can help them avoid becoming the next victim.
Recent Cyberattacks Against Corporate Endpoints
1. SUNBURST SolarWinds
SUNBURST was a fifth-generation cyberattack that targeted tech companies and U.S. government agencies. This massive supply chain attack indirectly targeted the systems of large organizations via their suppliers.
Cybercriminals exploited SUNBURST to compromise the software development process of the U.S.-based software company SolarWinds, which offers technologies for managing and protecting computer networks. The attackers hid a Trojan in an update of SolarWinds’ Orion software, which reached 18,000 customers.
Nearly all Fortune 500 companies were affected. Over 40 government agencies were compromised, among them the National Nuclear Security Administration (NNSA) that oversees nuclear weapons. Outside the U.S., systems in countries like Belgium, Canada, Britain and Israel were also affected.
The breach, which initially took place in April 2020, remained undiscovered for eight months, until December 2020.
2. Verifications.io
Verifications.io was a company that offered enterprise email verification services. A vulnerability was exposed when a MongoDB database with over 808 million records was left accessible to the public Internet.
The exposed data included personal information like home and email addresses, birth dates and phone numbers, as well as business-critical information like business leads, IP addresses and employer data. The company has since shut down. This attack illustrates the massive impact that unprotected cloud endpoints can have on an organization.
3. CNA Financial
Ransomware is, according to many experts, the most severe threat affecting endpoints today. On March 21, 2021, a sophisticated ransomware attack targeted CNA Financial, one of the largest cyberinsurance companies in the U.S. The ransomware used was a new version of Phoenix CryptoLocker.
The company shut down its operations to contain the damage and prevent further spread of the attack, resulting in a disruption to employee and customer services over the course of three days. On their website, CNA notified the public of the breach, stating that they experienced a disruption to the network and that the organization’s systems, such as their corporate email, were impacted.
The insurance company investigated the incident in collaboration with law enforcement and forensic specialists and initiated a migration strategy to mitigate the disruption caused to its systems and restore operations.
4. Harris Federation
The Harris Federation in London, which manages 50 academic institutions, was also struck by a ransomware attack in March 2021. It had to temporarily disable all its acadamies’ email systems and devices—more than 37,000 students were unable to access their coursework or correspondence.
The Federation stated that it was taking all the necessary steps to mitigate the effects of the attack, which encrypted the academies’ data. It said it was engaging with the National Cyber Security Centre and the National Crime Agency, as well as specialized cybersecurity consultants. The details about any ransom demanded or paid have not been made public.
5. Acer
The global computer equipment brand Acer experienced a ransomware attack during which attackers requested a ransom of $50 million, the largest known ransom to date. The attack was probably performed by an organized group of cyberattackers known as REvil, which claimed responsibility for the breach online and showed images of Acer’s stolen data.
Acer reported that it cooperated with law enforcement to investigate the incident, and that the incident was reported to the relevant data protection authorities in several territories. Acer said that they were well-defended against ransomware and that they were able to contain the attack with limited damage.
Lessons Learned from Recent Endpoint Cyberattacks
What can you do to prevent similar devastating attacks on your organizations’ endpoints? Here are a few proven practices that can strengthen endpoint protection.
Establish a Vulnerability Management Strategy
Introduce a program for managing vulnerabilities with automated tools. Antivirus is essential, but it has its limits. Many organizations are adopting endpoint security tooling, which provides multiple layers of protection against known malware, unknown malware, ransomware and social engineering attacks. In addition, vulnerability scanning tools can ensure all endpoints are patched and do not contain known vulnerabilities and misconfigurations.
Manage Machine Identities with Zero Trust
Employ a zero-trust framework to secure your organization’s production environment. If you are forced to use unsecured devices, like machines with old or unsupported software, IoT devices and sensors, make sure you implement microsegmentation. Adopt a least-privilege approach to control access and secure devices.
This helps prevent attacks exploiting vulnerabilities, as well as botnet attacks, such as the malware-based Mirai that managed to take advantage of large numbers of IoT devices and machines that relied on default security credentials.
Protect the Software Supply Chain
The SolarWinds attack showed that state-sponsored attackers can break into software supply chains and modify executables, while manipulating protocol traffic to evade detection.
It is important to understand that SolarWinds was, in the end, an endpoint attack, with attackers compromising software repositories and build servers to infect the supply chain with malicious software. Enterprise software companies must add strict access controls to all endpoints in their DevOps pipeline, and complement them with behavioral detection measures.
SolarWinds made it clear that precautions should be taken as part of a company’s product information management (PIM) strategy. Key factors include setting strong passwords, rotating passwords, adopting federated authentication credentials and using multifactor authentication (MFA) as well as requiring privileged users to log in directly to increase auditing and accountability.
Back Up Your Data
Ensure that you have proper data backups in place—you will need them if you are targeted by an attack that blocks access to the data. Ransomware can encrypt your data and deny access to employees and clients, resulting in potentially devastating disruption to business operations. Backups are your last line of defense against ransomware, and the more data you have backed up, the faster you’ll be able to restore your information and services.
Perform data backups on a daily basis, at the very least, and ensure IT receives alerts and monitors backup systems to confirm that backups are successful. Test the backups periodically to make sure they can be used to recover information in the event of an attack.
Consider how you can better protect your backup data—an aggressive ransomware attack may attempt to encrypt your backups, as well. Store your backup data in a separate location; either in the public cloud or in a physical, off-site location.
Secure Endpoints Against Human Error
Implement a security strategy that factors in human error. Employees can be careless or tricked into providing access to an attacker via social engineering. Endpoints are the easiest entry point for attackers, and employees are the easiest vulnerability for an attacker to exploit.
Social engineering techniques, like phishing, can trick employees into downloading malware or exposing their credentials. According to multiple research studies, phishing is the cause of over 90% of malware infections.
To protect your organization’s systems, you should treat every employee as a potential threat. To ensure your employees are aware of the dangers, provide training to raise awareness of phishing. Some organizations provide focused training for individuals who were affected by a phishing attack.
Another strategy is to check which phishing strategies are more common or impactful in your industry, so you can focus on them when training your employees. Perform regular penetration testing to simulate various phishing scenarios so you can identify which phishing methods and which employees pose the greatest risk.
These five attacks had a catastrophic impact on the affected organizations, and all began with a weakness in corporate endpoints. To improve and strengthen endpoint protection, it’s important to establish a vulnerability management strategy, including endpoint protection technology; manage machine identities with zero-trust to reduce the impact of compromised endpoints; protect endpoints that are part of the software supply chain to prevent attacks like SUNBURST; back up your data and protect those backups to defend against ransomware and secure endpoints from human error and social engineering. These approaches will help you boost security and prevent the next breach caused by endpoint vulnerabilities.
