Tech Features

Establishing data sovereignty in a ‘datafied’ world

By: Omar Akar, Regional Vice President for Middle East & Emerging Africa, Pure Storage

Data is the currency of the digital domain, and with every passing day, the world is getting increasingly ‘datafied’. Billions of gigabytes of digital data pertaining to citizens, businesses, governments, and institutions are generated, collected, and processed every day. Understandably, there are concerns about how we can protect personal data, business data, as well as sensitive data that has implications for national security.

Challenges associated with data sovereignty

It is possible that a company based in a certain country uses cloud infrastructure from a provider abroad, and that cloud provider also has customers in other countries and regions. If data collection, data storage, and data processing happen in different countries, the data will be subject to the data sovereignty rules of all those countries. Many of the concerns surrounding data sovereignty pertain to ensuring data privacy and preventing data that’s stored abroad from violating the laws of that country. Many countries have therefore introduced new laws, or modified existing ones, so that data is kept within the boundaries of the country where the individual or entity is based. However, verifying that data indeed exists only at permitted locations can be very difficult.

On the other hand, storing huge amounts of data at only a few locations can increase the risk of data loss and data theft through cyberattacks, which can have huge ramifications on the financial health and reputation of businesses.

Moreover, data sovereignty makes it complex to share data across international borders. This can increase cost and inefficiencies for any business that operates across multiple countries and requires flow of data between its offices. Such businesses must now establish infrastructure in local data centers to comply with data protection regulations in each country. Companies that want to share data also need to keep in view the data sovereignty requirements of each country and international data-sharing agreements, which can impact business operations.

Ways to ensure data sovereignty and elevate data performance

Although establishing data sovereignty is undoubtedly challenging, there are some best practices and approaches that can help in achieving it and elevating data performance. Organizations should conduct a comprehensive audit of their data, including where it is stored, processed, and shared. This is the first step in identifying potential data sovereignty risks and ensuring compliance with the relevant laws and regulations of the concerned countries. It is also necessary to adopt data protection measures — such as encryption, access controls, and monitoring — to prevent unauthorized access and use of data, whether it is in transit or at rest.

The company’s data protection policy should define protocols for handling and storing data as well as measures for protecting it. This policy should be regularly reviewed and updated to keep up with any changes in data protection laws and regulations. If an organization has a footprint spanning multiple regions, it is a good idea to take the strongest data sovereignty laws among them and implement them across all regions. Cloud providers can be of assistance in this regard.

Benefits of working with cloud service providers

Most cloud providers have data centers in multiple countries. Organizations should go for a provider whose data residency provisions are aligned with their own data sovereignty requirements. Today, leading cloud providers also offer other features, including data encryption, that can help in achieving data sovereignty. To take it one step further, companies must introduce strict data governance processes in the cloud. This will ensure regulatory compliance, risk assessment, and risk mitigation at all times.

Data sovereignty laws apply not only to data but also to data backups. It is therefore important to understand how your organization backs up information — whether it is done on-premises or using dedicated cloud services or public cloud services. Adopting cloud-ready solutions and leveraging the benefits of all-flash storage is one of the ways to future-proof your organization’s data storage infrastructure. Uncomplicating storage will help in reimagining data experiences and powering the digital future of the business.

Finally, it is important to view data sovereignty holistically, and not as the exclusive responsibility of any one individual or team. The need to comply with data regulations extends across the board, from businesses to suppliers to the end-users. From a business perspective, ensuring data sovereignty calls for robust governance, holistic risk management, and concerted efforts on the part of the IT security, legal department, procurement, risk managers, and auditors — under the guidance and supervision of the company’s Chief Information Officer. It is a good way to build digital trust in today’s business environment.

Data tampering is an underrated threat — get your backup ready

By Charles Smith, Consulting Solution Architect, Data Protection, Barracuda Networks (EMEA)

The constant string of attacks organisations face is an ever-present reminder of how important it is to have an up-to-date, readily accessible copy of everything that matters to your business. Resilient backups allow you to recover more quickly from data damage, disruption, or loss, particularly if a ransomware attack has resulted in encrypted or deleted files.

These are well-known and widely reported benefits of backups — but there’s more. Immutable data backups can also protect you from the underrated threats of data tampering and malicious insiders, unpredictable activities that can significantly damage brand trust and reputation if they’re not addressed.

Data tampering and manipulation

Data tampering, such as deletion and manipulation, has been called the “next level of cyberattacks.” While attacks on data integrity aren’t new, their growing sophistication in the age of generative AI will make them harder to spot.

The perpetrators could be external, such as activists or nation-state groups, but more often they are internal: disaffected insiders with broad access rights, out for revenge, mischief, or personal or financial gain.

Hypothetical external incidents could include an attacker successfully breaching a stock market’s IT system to alter share price updates, leading to panic selling and financial chaos. There are also reported examples of malicious insiders trying to alter data records within their current or former company, changing passwords, disabling servers, deleting files, or engaging in cyberespionage.

Companies need defences that will detect and prevent any attempt at data tampering inside the network, but also provide them with a robust and accurate version of the truth that can restore the original data and set the record straight.

The double defence against data tampering

Your first layer of protection should be a security solution that includes strong access controls, data encryption, secure communication protocols, and AI-driven measures to detect and respond to anomalies that could signpost attempted data interference. The combined impact should prevent external attackers from being able to access your network and alter or delete data, and it should also block internal malicious actions by authorised users.

There is a second, equally important layer of defence: an immutable data backup. Immutable data cannot be changed or deleted. This means that if an attacker does manage to tamper with or manipulate your communications, documents, and more — your backup files are unaffected and can be used to restore data and prove beyond doubt where content has been falsified.

The many benefits of immutable backups

Immutable backups can help an organisation to recover from any incident where data is encrypted, deleted, damaged, tampered with, or lost.

  • They offer an extra line of defence against determined bad actors. Despite the security measures in place, determined attackers may find ways to compromise or bypass security controls. Immutable backups provide an extra safeguard by ensuring that even if the primary data is tampered with, the backup remains intact and unaltered.
  • They protect the company from insiders with ill intent. No one likes to think about insider threats. These are your colleagues after all. But our own recent research suggests that malicious insiders were the root cause of around a third (39%) of data breaches in the last year. Immutable backups help to protect against insider attacks, as they prevent authorised users from altering or erasing data.
  • They mitigate the impact of ransomware. Immutable backups can protect against ransomware attacks by ensuring that a clean, unaltered copy of the data is available for restoration, reducing the impact and potential need to pay the ransom.
  • They protect you from accidental data corruption. Data can be corrupted due to hardware failures, software bugs, or human error. Immutable backups help protect against these scenarios by providing a point-in-time copy of the data that cannot be modified or corrupted, allowing for reliable data restoration.
  • They are essential for compliance and data protection regulations. Some industry sectors and regulatory frameworks require organisations to maintain immutable backups for data retention and compliance purposes. Immutable backups ensure the integrity and authenticity of the data.

By combining security measures with immutable backups, organisations can implement a resilient data protection strategy that addresses both major, common cyberthreats such as ransomware and underrated, unanticipated threats that could do just as much harm. With immutable backups, you’re ready for them all.

New Security Brief: Millions of Messages Distribute LockBit Black Ransomware

By Sarah Sabotka, Bryan Campbell, and the Proofpoint Threat Research Team

What happened 

Beginning April 24, 2024, and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes. The LockBit Black sample from this campaign was likely built from the LockBit builder that was leaked during the summer of 2023.  

Messages were from “Jenny Green” with the email address of Jenny@gsd[.]com. The emails contained an attached ZIP file with an executable (.exe). This executable was observed downloading the LockBit Black payload from Phorpiex botnet infrastructure.  

The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex in comparison to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable.  

The attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. The .exe binary will initiate a network callout to Phorpiex botnet infrastructure. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system, where it exhibits data theft behavior and seizes the system, encrypting files and terminating services. In an earlier campaign, the ransomware was directly executed, and no network activity was observed, preventing network detections or blocks. 

Attribution 

Proofpoint Threat Research has not attributed this campaign to a known threat actor. Phorpiex is a basic botnet designed to deliver malware via high-volume email campaigns. It operates as a Malware-as-a-Service and has garnered a large portfolio of threat actor customers over more than a decade of operation (earlier versions were first observed on the threat landscape circa 2011). Since 2018, the botnet has been observed conducting data exfiltration and ransomware delivery activities. Despite disruption efforts throughout the years, the botnet persists.  

Proofpoint has observed a cluster of activity using the same “Jenny Green” alias with lures related to “Your Document” delivering Phorpiex malware in email campaigns since at least January 2023.  

LockBit Black (aka LockBit 3.0) is a version of LockBit ransomware that was officially released with upgraded capabilities by the ransomware affiliates in June 2022. In September 2022, the confidential ransomware builder was leaked via Twitter. At the time, multiple parties claimed attribution, but LockBit affiliates claimed the builder was leaked by a disgruntled developer. The leak allows anyone to adopt the configuration for customized versions.  

Why it matters 

Ransomware as a first-stage payload attached to email threat campaigns is not something Proofpoint has observed in high volumes since before 2020, so the observation of a LockBit Black sample in email threat data on this global scale is highly unusual. Additionally, this campaign has been particularly notable due to the high volume of messages in the millions per day, volumes not commonly observed on the landscape. The number of messages and cadence associated with recently observed LockBit Black campaigns are at a volume not seen in malspam since Emotet campaigns.

The LockBit Black builder has provided threat actors with access to proprietary and sophisticated ransomware. The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks. This campaign is another good example of how the threat landscape continues to change, underscored by recurring and significant shifts and pivots in the tactics, techniques, and procedures (TTPs) used by threat actors.  

‘Socially Responsible’ Data Centres Need to be a Cornerstone of the Region’s Digital Economy

By Bjorn Viedge, General Manager at ALEC Data Center Solutions

Across the Middle East, digital agendas have long been seen as the necessary underpinnings of economic growth — a way to detach from historic dependencies on petrochemical trade and move forward as innovators.

Amid a series of economic visions that prioritise skilling, entrepreneurship, and industry disruption, we have seen the rise of the data centre as a fulcrum of progress. According to recent estimates, the Middle East data centre colocation market is expected to grow at a compound annual growth rate (CAGR) of 6.83% from 2022 to 2028. The United Arab Emirates leads its regional peers in this growth and has become one of the largest data centre hubs in the Middle East. Significant investments continue to flow into the country, with expectations of surpassing USD 1 billion by 2028. In April 2022, the UAE Cabinet launched a strategy to bolster the digital economy, aiming for it to contribute 20% to the gross non-oil GDP in the coming years. This initiative included the formation of a council to oversee digital economy progress, serving as a catalyst for accelerated data centre adoption.

Digitisation vs Sustainability

But the UAE is not nurturing technology in isolation. Part of the country’s vision is an embrace of the UN’s 17 sustainable development goals (SDGs), which cover everything from quality of work and social life to preservation of the environment. Research has shown the mounting environmental impact of data centres. Demand for data centre services has driven them to get bigger, hotter, and more expensive, and a peer-reviewed study by Swedish researcher Anders Andrae predicts that the ICT industry could use 20% of all electricity and emit up to 5.5% of the world’s carbon emissions by 2025. And in a region that already faces a looming water crisis, Middle East data centre planners should be aware that today’s data centres use up an Olympic swimming pool of water every two days.

Traditional building and cooling technologies are having trouble keeping pace with increasing chip densities, so those that build their own data centres should account for this impact when looking to comply with government regulations. And with the government signalling clear intent, data centre owners must be ready to play their part. In the age of ESG, they must be climate conscious, and they must look to the latest technologies to ensure their facilities are adding net value to society.

Many such technologies exist and have proven themselves, but not all are applicable in all geographies. For example, heat-recovery may be viable in colder countries, but is not suitable for the sun-soaked Middle East. However, other efficient means are on hand to make the region’s data centres greener. If planners aim for great design, then they must consider not just the exterior — elements such as the location, the resources used, the climate, and the temperature — but also the interior of the facility.

Inner Pieces

Rethinking the design of modern data centres means leaving no component overlooked — from the building itself down to the nuts and bolts of the servers. Indeed, server-cooling technologies are improving all the time and some older ones are making a powerful comeback.

Liquid-immersion cooling, for example, has been around since the 1940s, and with the surging demand for denser computing that we are seeing today, the technology may be the answer to many problems. Modern liquid-immersion cooling uses a dielectric (non-electrically conductive) fluid which is far more effective in conducting and therefore enabling the dissipation of heat produced by hardware, compared to traditional air-based cooling systems.

Liquid-immersion could represent the future of data centre cooling. Facilities can operate with less physical space compared with traditional air-based solutions, while gaining energy savings of up to 50%. Meanwhile, lower maintenance costs, cheaper builds, and power-usage effectiveness (PUE) scores lower than 1.03 (where 1.0 is the ideal) mean organisations can reduce the time needed to realise a full return on their investment.

Building Blocks

But cooling is not the only way to sustainability. Facility planners must also consider the building process itself. Emerging today, and rapidly gaining acceptance for data centres of smaller scale, is the technique of prefabricated construction, also known as modular data centres. As the construction of the prefabricated modules primarily occurs offsite in dedicated fabrication facilities, standardised production methodologies can be implemented which improve efficiencies, enhance quality, and significantly reduce wastage.

Because prefabricated data centres have been assembled and tested in a controlled factory environment, construction is faster, less error-prone, and less labour-intensive on site. Additionally, modules can be added whenever the demand arises, meaning data centre companies need not build a large facility to accommodate future expansion. Instead, they can build quickly as needed. All of this leads to a cheaper, more efficient, more sustainable project.

Many regional governments, including that of the UAE, are firmly committed to the UN’s SDGs. Middle East authorities, and their counterparts elsewhere in Asia, the Americas and Europe, are placing greater emphasis on LEED certification and other standards in their regulatory frameworks. Nations everywhere, it seems, have recognised the importance of regulating their way to sustainability. But in playing their part, data centre owners can also take advantage of a lucrative new business model of long-term benefits — from quicker GTM to reduced operational costs.

Copyright © 2023 | The Integrator