RSA Conference 2022 Event Report

Author: ID America - Hamza Ahmed

Let’s take a look at RSA Conference, the world’s biggest cybersecurity event, which took place on June 6-9, 2022 in San Francisco.

About RSA 

This year's RSA Conference was the first in two years. In 2020 there were 32,000 participants, but this year the number fell to 26,000, probably because of Covid-19 concerns. More than 400 companies exhibited at the expo this year, with Cisco and Microsoft among the largest sponsors. At RSA, security professionals and CISOs (Chief Information Security Officers) from all over the world came together to discuss the latest attacks and the techniques for countering them.

Theme of RSA 2022: Transform!


※ Source: RSA Conference
“Disruptions catalyze transformations” – Rohit Ghai, RSA CEO

Every year, the theme of RSA Conference is chosen based on the latest trends in cybersecurity. This year, the main theme was Transform.

Disruptions catalyze transformations. The pandemic was the catalyst for significant digital change, and disruptions in the digital world are spilling over into the physical world, as seen in the gas shortages that followed the Colonial Pipeline ransomware attack. Cyber is also a major factor in the war between Russia and Ukraine, with Ukraine's volunteer hacker army reportedly reaching three times the size of its regular army. Our world is becoming one in which the physical and digital are integrated: what happens in the digital world affects the physical, and what happens in the physical world affects the digital. This convergence is expected to accelerate, making it essential to understand these changes and what they mean for cybersecurity.

Threat Revealed! Hacker Group "Conti" Leaks 

The ransomware industry is growing rapidly: in 2018 the ransomware business was worth $1 billion per year; by 2020 it exceeded $11 billion per year, and in 2021 that figure doubled again. With this growth, ransomware attacks are now organized and corporate rather than the work of individuals. The well-known ransomware syndicate REvil not only interviews and background-checks candidates, but also runs like a company, offering medical insurance and paid time off to those it hires.

The ransomware group Conti has existed for only two years, but even in that short time it has become one of the most successful online extortion groups. According to the latest Crypto Crime Report from cryptocurrency tracking firm Chainalysis, the group generated an astonishing $180 million in revenue last year alone. The attacks looked set to continue, but the group made the fatal mistake of publicly supporting Russia's invasion of Ukraine. Some of Conti's affiliates are Ukrainian, and they responded to the announcement by leaking Conti's internal data.

The leaked Conti data revealed not only how the group is organized, but also chat logs, including hints that the group is connected to the Russian government. The group has fluctuated widely in size, from 65 to over 100 people, including business staff. It spent thousands of dollars each month buying security and antivirus tools, both to test whether its malware was detected and to protect its own systems.

Biggest Threats: Ransomware and New Multifaceted Extortion Techniques 

According to Chainalysis, approximately $602 million was paid to ransomware actors in 2021. The FBI reported a 69% increase in ransomware-related losses over the previous year. In the 2021 Colonial Pipeline attack the FBI recovered about 40% of the ransom payment, but it also indicated that 98% of victims who paid a ransom did not attempt to recover their funds.

*These figures are affected by the low number of reported ransomware attacks and by the fact that reporting of cyber incidents is voluntary. CISA plans to make reporting mandatory in the future.

What security measures did the companies that suffered these losses have in place? Many were primarily using endpoint tools that identified credential harvesting (e.g., stolen usernames and passwords) and raised alerts. However, security staff often did not understand the alerts or what was happening on the endpoints. Mandiant concluded that to improve their cyber defenses, companies need to invest around their toolset, i.e., in the people and analytical capability that make use of it.

In the past year, attackers have begun using multifaceted extortion: pressuring the victim to pay the ransom through harassment and threats such as the following:
  • Sell data piece by piece: instead of selling all the data stolen from a company at once, they sell it piece by piece until the ransom is paid;
  • Publicize stolen data: similar to the above tactic, they release the data little by little until the ransom is paid;
  • Harassing the parties involved: exerting psychological pressure on the victim to pay the ransom, for example, by approaching company executives, regulators, or the press;
  • Data destruction: gradually deleting a company's internal data to put pressure on the company;
  • Executive blackmail: directly contacting the CEO of a company and using the information obtained to blackmail them.
Mandiant recommends the following security measures:
  • Build a robust security program and prepare ahead of time for potential cyber attacks. In other words, anticipate potential attacks and have the corresponding solutions in place.
  • Effective cyber defense is not just about having the latest tools, but also about the intelligence, expertise, and execution needed to operate those tools.
  • Build a strong cyber defense on a sound security architecture.

What to protect: Supply Chain

Over the last year we have seen a surge in supply chain-related breaches, with incidents such as Colonial Pipeline, Kaseya, and SolarWinds, each having a different and larger impact than anything seen before.

Colonial Pipeline 

Colonial Pipeline operates the largest pipeline system for refined petroleum products in the United States, supplying fuel primarily to the East Coast. In 2021 a ransomware attack took the system down, pushing up fuel prices and leaving gas stations without gasoline; long lines formed at the pumps while everything was shut down. The ransom, about $4.4 million, was one of the most widely reported payments at the time, and since Colonial Pipeline reportedly makes about $10 million a day, the inability to deliver gasoline was evidently judged more damaging than the ransom itself, so it was paid.

Kaseya 

Kaseya provides IT management software, including VSA, an integrated remote monitoring and management tool for networks and endpoints. In July 2021 a ransomware attack exploiting a vulnerability in VSA hit several MSPs and, through them, more than 1,000 of the companies that use Kaseya's software, making it a supply chain ransomware attack. Kaseya patched the vulnerability and stated that it did not pay the ransom.

Solarwinds 

The SolarWinds attack, uncovered in 2020, perhaps had the largest impact of any attack in the last two years, and has been described as the worst cyberattack ever to hit the United States. This was due to the sensitivity and reputation of the targets and the length of time the attackers had access, about eight months. More than 200 organizations were affected, including large corporations such as Microsoft and government agencies.

The danger of a software supply chain attack is that a company can be compromised through components it is unaware of or cannot control, which nonetheless affect its own security. Third-party tools are now commonplace, making it very difficult to predict where an attack will come from. Companies are trying to address this through SBOMs (software bills of materials) and other compliance efforts, but the more tools and software an organization uses, the harder it becomes to secure the whole. This will remain a security challenge for the foreseeable future.

The Best Preventative Measure: MFA (Multi-Factor Authentication) 

The most common way ransomware gets in is through account takeover. Attackers obtain passwords in many ways, including leaked account data, phishing, and brute force. MFA is essential to protect individuals and has been commercially available since 1986, yet fewer than 50% of companies actually use it.

Bob Thompson of CISA, speaking from a startup perspective, said that security is now relatively expensive and is often a cost-cutting target for startups with few resources. If implementing MFA costs $5 per user, the bill adds up quickly for a company with 100 or 1,000 users, and such measures end up limited to companies with plenty of money. “Basic security should not be a luxury that only large companies can afford," Thompson said. A baseline level of security should be a necessity, and governments should develop programs and measures to support its implementation.

However, the danger does not disappear even with 100% MFA adoption. In one case, Russian hackers correctly guessed the password of an unused account that had never been deactivated in the company's Active Directory; to circumvent MFA, they re-enabled the account through Active Directory and registered a new device with the company's MFA service. It is therefore important not only to implement MFA, but also to disable dormant accounts, watch for them being re-enabled, and keep Active Directory itself in good order.
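The two checks that pattern calls for, disabling dormant accounts and flagging any dormant account that gets re-enabled, can be scripted. The following is an added example written for this report, not code from the conference or from any vendor. It assumes the RSAT ActiveDirectory module, rights to read the Security log on a domain controller, and that the 90-day and 24-hour thresholds suit your environment; adjust them as needed.

```powershell
# Added example (not from the RSA report): stale-account hygiene plus a
# re-enablement check for the attack pattern described above.
# Assumptions: RSAT ActiveDirectory module is installed, this runs on (or against)
# a domain controller, and the thresholds below fit your environment.
Import-Module ActiveDirectory

$InactiveDays  = 90   # assumption: an account idle this long is "dormant"
$LookbackHours = 24   # assumption: how far back to look for re-enable events

# 1. Find enabled user accounts with no logon in $InactiveDays and disable them.
#    -WhatIf only reports what would happen; remove it after reviewing the list.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled }

foreach ($acct in $stale) {
    Write-Host ("Disabling dormant account {0} (last logon: {1})" -f $acct.SamAccountName, $acct.LastLogonDate)
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
}

# 2. Detect a dormant account being re-enabled.
#    Security event ID 4722 = "A user account was enabled" (logged on the DC).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4722
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read EventData by field name rather than by position, which is more robust.
    [xml]$x = $e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $target = $data['TargetUserName']
    $actor  = $data['SubjectUserName']

    # Computer accounts and deleted users will not resolve; skip them.
    $user = Get-ADUser -Identity $target -Properties LastLogonDate -ErrorAction SilentlyContinue
    if (-not $user) { continue }

    # A null LastLogonDate means the account never logged on: treat it as dormant.
    $dormant = (-not $user.LastLogonDate) -or
               ($user.LastLogonDate -lt (Get-Date).AddDays(-$InactiveDays))
    if ($dormant) {
        Write-Warning ("{0}: dormant account '{1}' was re-enabled by '{2}'. Confirm with the helpdesk and check the MFA provider's enrollment log for a new device on this account." -f $e.TimeCreated, $target, $actor)
    }
}
```

Run the first part on a schedule so dormant accounts do not accumulate, and feed the warnings from the second part into whatever alerting your SOC already uses. The MFA enrollment check is deliberately left as a manual step because its log lives with the MFA provider, not in Active Directory.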

Security Risk: Low-code/No-code 

By 2024, 65% of application development is expected to be done with low-code/no-code tools. While lowering the bar for application development has many business benefits, the ease and speed of deployment can be a nightmare for a company's security department. In most cases the use of these low-code tools is not reported to the security team; they are adopted within a team without permission.

The dangers of low-code are not new. Excel macros, for example, are a useful business tool, but because they make work more efficient, people end up running them without thinking, which opens multiple vulnerabilities that can lead to compromise. Recently, low-code security has become a hot topic again because of the increasing use of cloud-based low-code and no-code tools.

The danger of low-code in the cloud is that it is unclear how data is used within the low-code environment. There is a risk of connecting data from the company cloud to such an app and exposing it to the outside world. Because users connect that data with their own credentials, the activity looks like normal behavior in the company cloud.

Another problem is that logs are hard to obtain from low-code platforms, and in many cases no such configuration exists at all. It is therefore impossible to know which data has leaked.

We recommend working with your security team to make sure a low-code tool is safe before using it.

Finally 

Cybersecurity is constantly changing, but these changes are driven less by cyber attacks than by the need to keep up with the evolution of the technology in use. Moving to the cloud, the use of IoT, and remote work are new sources of vulnerability and risk that cybersecurity must address. While cybersecurity professionals can respond proactively to new types of attacks from hackers, it is very difficult to set security standards proactively for an ever-changing technological world. However, the general public is more concerned about cybersecurity than ever before and is beginning to demand better security in the technology it uses. I believe that the most effective prevention security professionals can practice is to first raise people’s security consciousness.