By Charles Smith, Consulting Solution Architect, Data Protection, Barracuda Networks (EMEA)

The constant string of attacks organisations face is an ever-present reminder of how important it is to have an up-to-date, readily accessible copy of everything that matters to your business. Resilient backups allow you to recover more quickly from data damage, disruption, or loss, particularly if a ransomware attack has resulted in encrypted or deleted files.

These are well-known and widely reported benefits of backups — but there’s more. Immutable data backups can also protect you from the underrated threats of data tampering and malicious insiders, unpredictable activities that can significantly damage brand trust and reputation if they’re not addressed.

Data tampering and manipulation

Data tampering such as deletion and manipulation have been called the “next level of cyberattacks.” While attacks on data integrity aren’t new, their growing sophistication in the age of generative AI will make them harder to spot.

The perpetrators could be external, such as activists or nation-state groups, but more often they are internal, disaffected insiders with broad access rights out for revenge, mischief, personal, or financial gain.

Hypothetical external incidents could include an attacker successfully breaching a stock market’s IT system to alter share price updates, leading to panic selling and financial chaos. There are also reported examples of malicious insiders trying to alter data records within their current or former company, changing passwords, disabling servers, deleting files, or engaging in cyberespionage.

Companies need defences that will detect and prevent any attempt at data tampering inside the network, but also provide them with a robust and accurate version of the truth that can restore the original data and set the record straight.

The double defence against data tampering

Your first layer of protection should be a security solution that includes strong access controls, data encryption, secure communication protocols, and AI-driven measures to detect and respond to anomalies that could signpost attempted data interference. The combined impact should prevent external attackers from being able to access your network and alter or delete data, and it should also block internal malicious actions by authorised users.

There is a second, equally important layer of defence: an immutable data backup. Immutable data cannot be changed or deleted. This means that if an attacker does manage to tamper with or manipulate your communications, documents, and more — your backup files are unaffected and can be used to restore data and prove beyond doubt where content has been falsified.

The many benefits of immutable backups

Immutable backups can help an organisation to recover from any incident where data is encrypted, deleted, damaged, tampered with, or lost.

1. They offer an extra line of defence against determined bad actors. Despite the security measures in place, determined attackers may find ways to compromise or bypass security controls. Immutable backups provide an extra safeguard by ensuring that even if the primary data is tampered with, the backup remains intact and unaltered.

• They protect the company from insiders with ill intent.  No one likes to think about insider threats. These are your colleagues after all. But our own recent research suggests that malicious insiders were the root cause of around a third (39%) of data breaches in the last year. Immutable backups help to protect against insider attacks, as they prevent authorised users from altering or erasing data.

• They mitigate the impact of ransomware. Immutable backups can protect against ransomware attacks by ensuring that a clean, unaltered copy of the data is available for restoration, reducing the impact and potential need to pay the ransom.

• They protect you from accidental data corruption. Data can be corrupted due to hardware failures, software bugs, or human error. Immutable backups help protect against these scenarios by providing a point-in-time copy of the data that cannot be modified or corrupted, allowing for reliable data restoration.

• They are essential for compliance and data protection regulations. Some industry sectors and regulatory frameworks require organisations to maintain immutable backups for data retention and compliance purposes. Immutable backups ensure the integrity and authenticity of the data.

By combining security measures with immutable backups, organisations can implement a resilient data protection strategy that addresses both major, common cyberthreats such as ransomware and underrated, unanticipated threats that could do just as much harm. With immutable backups, you’re ready for them all.

Dataiku and KPMG LLP have announced a strategic alliance to modernize analytics and accelerate the adoption of AI technologies by enterprises. The collaboration leverages Dataiku’s comprehensive AI platform and KPMG’s experience in cloud migration, platform modernization, and AI Governance, to help data leaders securely and efficiently advance their AI strategies (including Generative AI).

As enterprises seek to drive innovation and improve optimization, outdated analytics systems, underused cloud commitments, and the need for trusted AI and stringent AI Governance present new challenges. Establishing a robust data infrastructure is also essential for organizations that want to maximize the potential of cutting-edge technologies. Through this strategic alliance, Dataiku and KPMG will help clients streamline their data and AI infrastructures, and foster secure, compliant technology deployments to meet the needs of the evolving market.

“Enterprises that want to fully unlock the transformative potential of AI need to tackle comprehensive platform modernization, and integrate advanced analytics with cloud-native data architectures,” stated Dr. Sreekar Krishna, National Leader of Artificial Intelligence at KPMG US. “Marrying KPMG’s experience in technology strategy, cloud migration and modernization, AI Governance, and business-ready solutions with Dataiku’s enterprise-ready platform to support data, machine learning, and Generative AI, will help our joint clients achieve their AI goals.” 

KPMG plans to incorporate Dataiku into its Digital Lighthouse service offerings and Modern Data Platform solution, with the goal of helping clients:

• • Modernize Legacy Data and Analytics Systems: Transition analytics platforms to the cloud, led by business-driven, cloud-aligned strategies that enhance security and compliance.
• • Maximize Cloud ROI: Efficiently deploy data and AI workloads that fully leverage cloud investments and committed spend, reduce waste and boost financial performance.
• • Operationalize AI at Scale: Implement robust DataOps and MLOps practices to develop, deploy, and monitor AI-enabled business solutions, while enabling clients to implement and operationalize governance policies.
• • Launch Secure, Cost-Effective Generative AI: Rapidly prototype and deploy Generative AI applications with Dataiku LLM Mesh, with a critical focus on value creation supported by the business knowledge and experience from KPMG.

“Generative AI will continue to disrupt industries and put pressure on C-suite executives at enterprise companies to adopt solutions that not only enhance AI capabilities, but also prioritize data security and governance,” said David Tharp, SVP of Ecosystems and Alliances at Dataiku. “Our alliance with KPMG not only addresses the technological needs of modern enterprises to meet their business goals, but also ensures that these advancements are implemented in a secure and compliant manner.”

By Sarah Sabotka, Bryan Campbell, And The Proofpoint Threat Research Team

What happened 

Beginning April 24, 2024, and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes. The LockBit Black sample from this campaign was likely built from the LockBit builder that was leaked during the summer of 2023.  

Messages were from “Jenny Green” with the email address of Jenny@gsd[.]com. The emails contained an attached ZIP file with an executable (.exe). This executable was observed downloading the LockBit Black payload from Phorpiex botnet infrastructure.  

The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex in comparison to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable.  

The attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. The .exe binary will initiate a network callout to Phorpiex botnet infrastructure. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system, where it exhibits data theft behavior and seizes the system, encrypting files and terminating services. In an earlier campaign, the ransomware was directly executed, and no network activity was observed, preventing network detections or blocks. 

Attribution 

Proofpoint Threat Research has not attributed this campaign to a known threat actor. Phorpiex is a basic botnet designed to deliver malware via high-volume email campaigns. It operates as a Malware-as-a-Service and has garnered a large portfolio of threat actor customers over more than a decade of operation (earlier versions were first observed on the threat landscape circa 2011). Since 2018, the botnet has been observed conducting data exfiltration and ransomware delivery activities. Despite disruption efforts throughout the years, the botnet persists.  

Proofpoint has observed a cluster of activity using the same “Jenny Green” alias with lures related to “Your Document” delivering Phorpiex malware in email campaigns since at least January 2023.  

LockBit Black (aka LockBit 3.0) is a version of LockBit ransomware that was officially released with upgraded capabilities by the ransomware affiliates in June 2022. In September 2022, the confidential ransomware builder was leaked via Twitter. At the time, multiple parties claimed attribution, but LockBit affiliates claimed the builder was leaked by a disgruntled developer. The leak allows anyone to adopt the configuration for customized versions.  

Why it matters 

Ransomware as a first-stage payload attached to email threat campaigns is not something Proofpoint has observed in high volumes since before 2020, so the observation of a LockBit Black sample in email threat data on this global scale is highly unusual. Additionally, this campaign has been particularly notable due to the high volume of messages in the millions per day, volumes not commonly observed on the landscape. The number of messages and cadence associated with recently observed LockBit Black campaigns are at a volume not seen in malspam since Emotet campaigns. 

The LockBit Black builder has provided threat actors with access to proprietary and sophisticated ransomware. The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks. This campaign is another good example of how the threat landscape continues to change, underscored by recurring and significant shifts and pivots in the tactics, techniques, and procedures (TTPs) used by threat actors.