15 companies from Gipuzkoa have participated in a ZIUR project to detect and analyze cyberattacks
Over the course of two years, 15 industrial companies in the territory have taken part in a project to study the evolution of the cyberattacks that threaten their security every day. To this end, ZIUR, the Gipuzkoa Industrial Cybersecurity Center, ran a counterintelligence campaign based on deception technologies, with the aim of observing how attackers move. The objective of the project is to strengthen the companies' existing cybersecurity capabilities, improving early detection of attacks and the activation of response mechanisms.
The initiative used technology developed by the Gipuzkoan firm Counter Craft to detect attacks and gather threat intelligence. An Internet-facing infrastructure was built that realistically appeared to be part of each participating company's technology platform, and various decoys were designed and deployed to steer attackers interested in that company toward the deception infrastructure. Although the deception platform was virtually linked to each company, it actually sat in a completely isolated and secured environment, so activity against it could not reach the company's real systems.
Fifteen companies from the territory, leading names in their respective sectors (industry, distribution, machine tools, automotive, research, education, and others), took part in the project anonymously.
Results
The results of the study show that the deception infrastructure was attacked intensively; some of the attacks identified were of critical impact and, had they been carried out against genuinely vulnerable technology, would have compromised its confidentiality, integrity and availability. Even so, the infrastructure itself was never breached.
Attacks concentrated on both IT and OT environments, and the most attacked services were the WordPress blog and FTP.
The type of activity detected indicates that companies are mainly exposed to automated attacks that target no specific organization: attackers scan for weak configurations and known vulnerabilities and then attack whatever vulnerable technology they find.
This does not rule out interest from more sophisticated actors in the participating companies, since the results of an automated attack can serve as reconnaissance for a later manual attack by a more capable adversary.
Another common practice among attackers who have gained access to a corporate system or network is access selling: the compromised access is sold to other malicious actors on darknet markets for financial gain.
In the opinion of the general director of ZIUR, Koldo Peciña, "the use of advanced tools together with the information collected on tactics, techniques, and procedures indicates that cybercriminals act professionally and invest a lot of time and resources in designing and launching attacks."
Faced with this, he adds, "it is essential to define and operate cybersecurity processes to prevent, detect, and respond to cyberattacks, which reduces the risk of data loss, business interruption, and damage to a company's reputation."
Recommendations
Several recommendations can be drawn from the most relevant findings of the project.
- Reduce the attack surface by exposing to the Internet only the services that are strictly necessary. This cuts the number of potential entry points for an attacker and allows stricter security measures to be applied to the critical services that remain exposed.
- Disable unnecessary features that pose a cybersecurity risk, such as xmlrpc.php in WordPress, one of the main targets of the brute-force attempts observed (its system.multicall method lets an attacker test many credentials in a single HTTP request, which defeats simple per-request rate limits).
- Patch and update exposed services to fix known vulnerabilities and make sure the latest available security measures are in use.
- Monitor data leaks and leaked credentials: passwords exposed in third-party breaches are routinely reused by attackers to access company systems and accounts.
- Enforce a password policy with guidelines for creating and using strong passwords that are hard to guess or to recover by brute force, such as the attacks observed against xmlrpc.php and FTP, most of which tried simple passwords. These guidelines cover password length, the use of special characters and upper- and lower-case letters, and password rotation, as well as measures against common or easily guessed passwords, such as prohibiting personal information or dictionary words. Note that current guidance (for example NIST SP 800-63B) favours changing passwords when there is evidence of compromise rather than on a fixed schedule, and screening new passwords against known-breached lists.
- Pay special attention to configuration errors in WordPress. The software itself is reasonably secure, but a number of common misconfigurations let attackers exploit WordPress-based sites. Apply a hardening process to reduce the exposed vulnerabilities and, where possible, add protective layers such as a WAF (Web Application Firewall) that filters malicious traffic before it reaches the application.
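As an added example (not code from the ZIUR project or from the Counter Craft platform), the following Python script shows how the xmlrpc.php and wp-login.php brute-force pattern described in the recommendations above can be spotted in an ordinary Apache/nginx combined-format access log, and how to confirm whether xmlrpc.php is still being served after it was supposedly disabled. The log lines, the IP addresses (RFC 5737 documentation ranges) and the threshold and window values are constructed for illustration and are not data from the study.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format:
# ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# WordPress endpoints the project found under brute-force attack.
WATCHED = {"/xmlrpc.php": "xmlrpc", "/wp-login.php": "wp-login"}

# Constructed sample log (illustrative only; RFC 5737 documentation addresses).
# 203.0.113.7 hammers xmlrpc.php, 198.51.100.23 makes a few wp-login attempts,
# 192.0.2.10 is a normal visitor, and the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:16:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:16:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
192.0.2.10 - - [12/Mar/2024:10:17:30 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""


def parse_line(line):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _watched_posts(lines):
    """Yield (ip, endpoint-name, timestamp, status) for POSTs to watched paths."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        target = WATCHED.get(rec["path"].split("?", 1)[0])
        if target:
            yield rec["ip"], target, rec["ts"], rec["status"]


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {(ip, endpoint): peak} for every source that sent at least
    `threshold` POSTs to a watched endpoint inside some `window_s`-second
    sliding window; `peak` is the highest in-window count observed.

    xmlrpc.php answers HTTP 200 even for wrong credentials (the failure is an
    XML-RPC fault in the body) and one system.multicall request can carry
    hundreds of guesses, so request volume, not status code, is the signal.
    """
    events = defaultdict(list)
    for ip, target, ts, _status in _watched_posts(lines):
        events[(ip, target)].append(ts)

    hits = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits


def reachable_endpoints(lines):
    """Return the watched endpoints that answered a POST with a 2xx status.
    Run this after disabling xmlrpc.php: if "xmlrpc" still appears, the
    endpoint is still being served (e.g. the block was applied to the wrong
    virtual host) and the hardening step has not actually taken effect."""
    seen = {target for _ip, target, _ts, status in _watched_posts(lines)
            if 200 <= status < 300}
    return sorted(seen)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (ip, target), peak in find_bruteforce(lines).items():
        print(f"brute force: {ip} -> {target}, {peak} POSTs within 60 s")
    print("endpoints still answering POST with 2xx:", reachable_endpoints(lines))
```

On a real server, pass the log file object directly (`find_bruteforce(open("/var/log/apache2/access.log"))`); the regex tolerates the trailing newline of each line. The threshold is deliberately low for xmlrpc.php because of the multicall amplification noted in the comment; tune it per endpoint before wiring the output into a blocklist or a SIEM rule.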