This article was created in partnership with Tokio Marine HCC – Cyber & Professional Lines Group
In today’s digitized world, where both our personal and our professional lives play out online, the case for cyber insurance has never been stronger. Figures from Statista indicate that cybercrime is set to cost businesses up to $10.5 trillion this year and could reach $15.63 trillion by 2029.
But the risk is not confined to the headline-grabbing mega ransomware incidents the media reports on. Alex Bovicelli, Senior Director of Cyber Threat Intelligence at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas, met with Insurance Business to discuss a growing but underreported crisis in cybersecurity - the ongoing targeting of small and mid-sized businesses by ransomware groups.
“There is often a disconnect between what the cyber insurance industry is seeing in the ransomware space, as far as how attackers gain initial access, and what the cybersecurity space and vendors are publicizing,” he explained.
That disconnect stems from the media’s focus on breaches of large enterprises - organizations with full security stacks, dedicated security teams, and the budget to deploy advanced tools. And while these breaches are dramatic and headline-grabbing, Bovicelli was quick to emphasize that they represent a small slice of the entire threat landscape.
“What goes uncovered is the thousands of smaller companies that are compromised with ransomware by simply indiscriminate targeting,” he told IB.
According to Bovicelli, while large enterprises are often breached by attackers using more targeted and sophisticated tactics, small companies are falling victim to brute-force and password spraying campaigns that require minimal effort from the attackers.
“Threat actors are not doing that level of research and preparation. They're not spending months and money to be able to compromise a particular company. [Instead], they're using techniques to compromise access to thousands of companies at scale. [Here], there is a particular group that in the last few years has been extremely successful doing this. The Akira ransomware group.”
The primary attack vector? SSL VPN brute-forcing, password spraying, and occasional vulnerability exploitation. And a lot of smaller businesses don’t realize how vulnerable they really are to this type of attack.
“A lot of small companies are not aware that their clientless SSL VPN login page is likely to be brute forced, which is a very simple attack vector,” added Bovicelli. “Their SSL VPN is likely to be brute forced by a group like Akira, or access brokers - that’s how they will gain access to their network.”
As Bovicelli went on to explain, an SSL VPN is a Secure Sockets Layer VPN. For instance, a company may provide remote access to its resources by publishing a login page through which employees or third parties authenticate and then reach the VPN via the browser. A clientless SSL VPN of this kind is not as secure as a VPN connection that requires dedicated client software on the user’s machine, but some smaller businesses opt for the less secure option - a simple login page reachable from the internet. And that is potentially very dangerous.
“That login page is internet-facing,” explained Bovicelli. “It's going to be discoverable.”
And attackers know exactly what to look for. According to Bovicelli, over the last two years his team has watched cybercriminals increase their focus on this attack vector, hunting for these login pages and then brute-forcing them. Brute-forcing is like trying to open a locked door by testing every possible key until one finally works. In the digital world, it means guessing passwords (or other secrets) by trying candidate after candidate, starting with the most common ones, until the right one is found.
Again, Bovicelli pointed out that smaller companies are particularly exposed due to lack of internal oversight.
“They are less likely to be monitoring the failed login attempts against a VPN. They're likely not to be decommissioning accounts that are no longer in use. They are likely not to enforce multi-factor authentication on that particular access. Ransomware groups are aware of this. [As such] they’ve been brute-forcing their way into all these smaller companies by essentially discovering these login pages and launching thousands of brute-forcing attacks against them.”
These brute-force campaigns don’t require sophistication, just persistence. And when defenses like account lockout policies or multi-factor authentication (MFA) are absent, they succeed far too easily.
“Smaller companies benefit from the convenience of having this type of access,” Bovicelli added. “And because smaller companies are less likely to monitor who's accessing those pages or enabling lockout policies, especially if only a handful of device and service accounts have access, they're less likely to enforce MFA. Then ransomware groups are likely to be more successful in brute-forcing them and getting access to their environment.”
And when asked whether any of these breaches could be considered misconfigurations, Bovicelli didn’t hesitate.
“Short answer: yes, it is. Because there are things that companies can do to protect that type of access - the login pages. When you [consider] a brute-forcing attack, [cybercriminals] take thousands of usernames - and then they try to guess the password associated with that username. Essentially, if you only allow five consecutive incorrect guesses on the passwords, then that account will lock. That prevents successful brute-forcing.”
The second recommendation is just as critical - always enforce MFA.
“We still find that many companies are not enforcing MFA because they think [an attack] isn’t going to happen to [them]. [That they’re] not going to be successfully brute-forced because [they’re] not likely to be targeted by a ransomware group. Wrong - [they] are.”
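The two controls Bovicelli describes, a lockout after a handful of consecutive failed guesses and monitoring of failed logins, can both be checked against a VPN's own authentication log. The following is an added example written for this article, not code from CPLG or from any VPN vendor: it assumes a hypothetical log line format (`timestamp src=<ip> user=<name> result=SUCCESS|FAIL`), replays constructed sample lines, and reports which accounts a five-failure lockout would have locked, which source addresses show the password-spraying pattern (one failure each against many accounts), and which accounts absorbed a brute-force run.

```python
import re
from collections import defaultdict

# Constructed sample of SSL VPN authentication log lines. The format is
# hypothetical (not any vendor's real syslog layout); usernames and timestamps
# are made up, and all addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=192.0.2.10 user=jdoe result=FAIL
2024-05-01T10:00:09Z src=192.0.2.10 user=jdoe result=SUCCESS
2024-05-01T10:01:00Z src=203.0.113.5 user=asmith result=FAIL
2024-05-01T10:01:01Z src=203.0.113.5 user=bjones result=FAIL
2024-05-01T10:01:02Z src=203.0.113.5 user=clee result=FAIL
2024-05-01T10:01:03Z src=203.0.113.5 user=dkim result=FAIL
2024-05-01T10:01:04Z src=203.0.113.5 user=eperez result=FAIL
2024-05-01T10:01:05Z src=203.0.113.5 user=fwong result=FAIL
2024-05-01T10:02:00Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:01Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:02Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:03Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:04Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:05Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:06Z src=198.51.100.9 user=admin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, lockout_threshold=5, spray_min_users=5, brute_min_failures=5):
    """Replay the events in order and report:
    - accounts a 'lock after N consecutive failures' policy would have locked,
      plus how many later attempts that lock would have rejected;
    - source addresses that failed against many distinct usernames
      (the password-spraying pattern: one guess each across many accounts);
    - usernames that absorbed many failures (the classic brute-force pattern).
    """
    streak = defaultdict(int)          # consecutive failures per account
    locked = set()
    rejected_by_lockout = defaultdict(int)
    failures_per_user = defaultdict(int)
    users_failed_per_src = defaultdict(set)

    for ev in events:
        user, src, ok = ev["user"], ev["src"], ev["result"] == "SUCCESS"
        if not ok:
            failures_per_user[user] += 1
            users_failed_per_src[src].add(user)
        if user in locked:
            # The policy would have refused this attempt outright.
            rejected_by_lockout[user] += 1
            continue
        if ok:
            streak[user] = 0           # a real login resets the counter
        else:
            streak[user] += 1
            if streak[user] >= lockout_threshold:
                locked.add(user)

    return {
        "would_lock": sorted(locked),
        "rejected_by_lockout": dict(rejected_by_lockout),
        "spraying_sources": sorted(
            src for src, users in users_failed_per_src.items()
            if len(users) >= spray_min_users
        ),
        "bruteforced_users": sorted(
            u for u, n in failures_per_user.items() if n >= brute_min_failures
        ),
    }


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the lockout catches the brute-force run on `admin` at the fifth failure and would have rejected the two attempts that followed. The spraying source, however, touches each account only once, so a per-account lockout never triggers for it; that is why failed-login monitoring by source address and MFA are needed alongside the lockout rule rather than instead of it.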
Here Bovicelli believes the cybersecurity media’s ongoing focus on advanced attacks is partly to blame: by continually covering larger attacks, it fails to explain that SMEs are particularly vulnerable.
“There is a false sense of security that is provided by cybersecurity news covering only the big events - the events that require a lot of sophistication of the ransomware attacker to break through that perimeter. But the reality is that the vast majority of events are not that.”
This false confidence, he told IB, extends to businesses that outsource their IT to managed service providers (MSPs).
“Some of this extends to smaller companies that rely on an MSP (Managed Service Provider) or an external company to configure their IT because they are not technically capable. They're paying a third party to do this - but the third party itself is not taking the correct approach [either].”
CPLG, and Bovicelli’s team in particular, are trying to close that gap. As Bovicelli told IB, they’re here to help the smaller companies.
“My team doesn't just alert of a vulnerability or exposure that the company might have,” he added. “We also provide support to mitigate and patch. We want to make sure that companies understand that we’re very focused on alerting on critical exposures that we see ransomware groups are leveraging right now. And so, when they receive that alert, we provide the one-on-one support needed to confirm mitigation or support mitigation.
“I'm saying this because smaller companies are why we're here. We're here to support those companies. [And] we take pride in that.”
But brute-forcing isn’t the only technique in play - attackers are also purchasing stolen credentials harvested through infostealer malware.
“Sometimes they’re leveraging the correct username/password combination, because they found it as exfiltrated from a machine [or] part of an infostealer log dump. Infostealer malware will infect computers and exfiltrate browser data – that browser data contains your username/password that you use to log into your work resources on the browser. That is also something that we alert on.”
CPLG has access to millions of such logs and notifies clients if their credentials appear on underground markets - something that’s unparalleled in the market right now.
“We alert companies when an infected computer has resulted in the exfiltration of a username/password, because they’re now being put up for sale. The importance of protecting remote access with multi-factor authentication has never been more critical. It's not just the brute-forcing, it's also the fact that they might be phishing one of your employees on a personal device for a username/password combination. They might be acquiring a username/password combination for your VPN through a previous stealer infection.”
Bovicelli also revealed another common pitfall - namely an overreliance on, and false confidence in, geolocation restrictions.
“[Some of our insureds tell us] that they are protected because they’re geo-blocking traffic from outside of the US. We tell them that this is not a mitigating strategy, because ransomware groups and associates [already] know this. [As such] they are leveraging infrastructure located within the US, to bypass those controls.
“[That means] when they're brute-forcing your username/password combination, or using valid credentials they acquired via logs, they are likely not to be using IP ranges in Russia or Eastern Europe. It's coming from the US, because they're trying to circumvent that rule.”
If a clientless SSL VPN must be used, Bovicelli advises organizations to restrict access far more narrowly: disallow authentication from anonymizing software and only allow trusted IP ranges. “This is essentially the biggest problem that we have seen in the last two years. We have seen this lack of security controls and overall cyber hygiene around SSL VPN or web VPN - and that has been the driving vector of ransomware.”
Because for Bovicelli, the future of cybersecurity rests in smaller businesses understanding just how vulnerable they are and acting upon that sooner rather than later.
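To make the contrast between geo-blocking and a trusted-range allowlist concrete, here is an added example written for this article, not code from CPLG or from any VPN product. It assumes a hypothetical policy check run in front of a clientless SSL VPN login page: the trusted and anonymizer ranges are placeholders from the RFC 5737 documentation space, and the geolocation lookup is a constructed dictionary standing in for a real GeoIP database. The point it shows is the one Bovicelli makes: a US-located source that an attacker rents still passes a geo-only rule, while an explicit allowlist refuses it.

```python
import ipaddress

# Constructed policy for a clientless SSL VPN login page. All ranges below are
# placeholders from the RFC 5737 documentation space; a real deployment would
# fill them from its own office/partner networks and a maintained feed of
# anonymizer (commercial VPN / proxy / Tor exit) ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/28")]
ANONYMIZER_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.128/25",)]

# Constructed stand-in for a geolocation lookup. The first two entries model
# attacker infrastructure located inside the US, as the article describes.
GEO_LOOKUP = {
    "203.0.113.5": "US",      # rented US host, not in any trusted range
    "203.0.113.200": "US",    # US-located anonymizer exit
    "192.0.2.44": "US",       # office network
    "198.51.100.3": "US",     # partner range, inside the trusted /28
    "198.51.100.77": "US",    # same /24 but outside the trusted /28
}


def evaluate_source(ip_str, trusted=TRUSTED_NETWORKS, anonymizers=ANONYMIZER_NETWORKS):
    """Return 'allow' or a 'deny:<reason>' string for one source address.

    Anonymizer ranges are checked first so they are refused even if someone
    later adds them to the trusted list by mistake; anything not explicitly
    trusted is refused regardless of which country it geolocates to.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "deny:unparseable"
    if any(ip in net for net in anonymizers):
        return "deny:anonymizer"
    if any(ip in net for net in trusted):
        return "allow"
    return "deny:untrusted"


def geo_only_decision(ip_str, lookup=GEO_LOOKUP):
    """The weaker control the article warns about: allow anything that
    geolocates to the US, deny everything else (unknown counts as non-US)."""
    return "allow" if lookup.get(ip_str) == "US" else "deny:geo"


def compare_policies(ip_str):
    """Side-by-side decision of the geo-only rule and the allowlist rule."""
    return {"geo_only": geo_only_decision(ip_str), "allowlist": evaluate_source(ip_str)}


if __name__ == "__main__":
    for ip in GEO_LOOKUP:
        print(ip, compare_policies(ip))
```

Every address in the constructed lookup geolocates to the US, so the geo-only rule admits all five, including the rented host and the anonymizer exit; the allowlist admits only the two that sit inside ranges the organization deliberately trusts. Neither check replaces MFA on the login itself.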