(844) 627-8267
(844) 627-8267

Repeated cyberattacks on court systems raise security concerns for the US | #ransomware | #cybercrime

Through a statement issued last month, Jackson County, Missouri, confirmed that a ransomware attack was responsible for the disruption of several county services, including the shutting down of the Assessment, Collection, and Recorder of Deeds offices at all county locations.

Jackson County is but one of the many US counties where court systems were attacked in the last year, suggesting a sudden, heightened adversary interest in these systems. The attacks include one on the Wisconsin court system’s computer network in March 2023, another on the Kansas courts computer system in October 2023, the Fulton County IT outage in January 2024, the Bucks County Emergency dispatch system attack in January 2024, and a denial-of-service attack on Pennsylvania courts’ website in February 2024.

“Court systems represent a crucial component of a nation’s infrastructure, responsible for upholding the rule of law and administering justice, and compromising a court system can have far-reaching implications beyond immediate financial gain,” said Lisa Plaggemier, executive director at the National Cybersecurity Alliance. “It can disrupt legal proceedings, compromise sensitive information, undermine trust in the judicial system, and potentially influence political or economic outcomes. Therefore, targeting court systems aligns with broader strategic objectives for attackers seeking to exert influence or gain intelligence at a national level.”

These recent attacks indicate a broader trend where cybercriminals or state-sponsored actors recognize the value in disrupting judicial functions, according to Plaggemier.

The recent attacks do indeed shape an undeniable pattern, albeit one that is yet to be explained. The safest is to assume that these attacks are either a result of a targeted, coordinated campaign against US court systems and their networks, which dangerously scream nation-state interests, or are part of random adversary activities. While there isn’t enough evidence to accept either of these theories with certainty, experts seem to be lining up heavily behind one of them. 

Random attacks or nation-state motivated?

Though extremely plausible given the upcoming US presidential election, the theory of nation-state involvement has yet to be backed by evidence. The FBI has repeatedly submitted proof of a Chinese cyber espionage campaign that has allegedly established persistence for the last five years in the US critical systems using various high-profile vulnerabilities. So far, no connection has been made between those findings and the ongoing attacks on court systems.

“While specific details about the perpetrators of these attacks may vary, there is a growing concern over state-sponsored cyber espionage campaigns targeting critical systems, including those within the US,” Plaggemier said. “While direct attribution can be challenging, there are indicators suggesting links to nation-state actors, including those from China. However, conclusive evidence linking these attacks to a particular nation-state actor may require further investigation and analysis.”

John Hammond, principal security researcher at Huntress, a cybersecurity research and services provider, said a nation-state involvement is rather unlikely. “It’s unlikely that there is supposed to be a large, looming, coordinated, or mass-scale trend in these attacks,” he said. “Truthfully, it’s more reasonable that these are just random, opportunistic hits. Cybercriminals tend to cast a wide net, and whatever targets are vulnerable will be the first to fall.”

Sometimes court systems, according to other experts, may get caught up in the crossfires of an unrelated threat event or campaign. “Although there are certainly examples of threat actors claiming to target court systems for specific gain, like the LockBit/Fulton County story, court systems are more often an unfortunate victim in the ripple effect of a ransomware attack on public sector entities,” said Dan Schiappa, CPO of Arctic Wolf.

Whether these attacks are being carried out with a nation-state interest, or are part of random targeting, the fact that multiple court systems were successfully obstructed within a short span paints a rather gloomy picture of these systems’ cybersecurity infrastructure.

Courts fell victim to ransomware and DoS attacks

Generally, the kind of attack a system experiences is a clear telltale of the perpetrator’s real motives. The court system attacks being majorly affected by ransomware indicates attackers were financially motivated.

LockBit, a Russian ransomware gang recently shut by global authorities, had later claimed that the takedown was particularly in response to its targeting of the Fulton County systems as the hack enabled the gang to possess sensitive documents relating to many high-profile cases including on former US president Donald Trump.

The breach threatened to impact the upcoming US elections and if the takedown hadn’t happened at the time it did, LockBit’s leader “LockbitSsup” had said, the threat actor was due to make stolen documents public. While no further evidence of that claim was ever revealed, the incident sure highlights the lure court systems have for threat actors looking for a good payday.

Apart from Jackson County and Fulton County incidents, the attacks on Texas high courts, and the Bucks County were also carried out with ransom interests.

Denial-of-Service (DoS) was the second top reason for these attacks, which may or may not suggest a monetary endgame. The tactics, techniques, and procedures (TTPs) used for these attacks are usually non-complex as compared to ransomware attacks.

“In the case of a denial-of-service attack, like the Pennsylvania and Wisconsin court systems observed, truthfully, there is nothing fancy in terms of tradecraft or TTPs,” Hammond said. “The technique is simply overwhelming their systems with an onslaught and barrage of traffic, by taking advantage of traditional network protocols and abuse functionality to amplify their attack.”

Ransomware involves rather complex techniques, all ultimately aimed at gaining internal access to deploy ransomware across an entire organization. While much isn’t known on the hacks used for the court systems attacks, a few mass-exploited, vulnerabilities used recently in the wild include Ivanti VPN vulnerabilities, ScreenConnect flaws, Fortinet N-days, and JetBrains TeamCity supply chain bugs.

What’s making the attacks possible?

Schiappa believes the attacks have to do with the slack associated with security regimes within these systems. “State and local governments (including counties) are likely the oversight for any IT and security programs used by court systems,” he said. “Unfortunately, despite ongoing pleas across both the public and private sectors, gaps in budgets and technology still exist.”

He added that Arctic Wolf’s incident response team has found that government victims typically struggle to maintain a regular patching cadence and have weak security posture, which opens them up to a wide range of exploits.

Hammond too agrees that basic due diligence could prove effective in protecting these court systems and, likewise, the failure to implement it will open them up to a host of attacks.

“Security professionals often sound like broken records when we say, ‘don’t click links on emails,’ or ‘use multi-factor authentication’ and ‘use long complex passwords,’ ‘configure your antivirus and endpoint protection tools,’ ‘patch your systems,’ etc.,” Hammond said. “The reason we say that over and over again is because it is the right answer. It’s just hard to do right. US court systems, and any authoritative or government body in any form, should certainly be held to the highest standard for security and be examined with the utmost scrutiny.”

To government bodies (including court systems), operations and outcomes are paramount, and security usually takes a backseat, leading to de-prioritizations of security in these systems, John added.

Michael Sampson, an analyst with Osterman Research finds a court system’s willingness to pay ransom in favor of decrypting their high-value, sensitive data, makes them a lucrative target for ransomware actors. “As ransomware gangs have pivoted from malicious unwanted encryption to exfiltration of sensitive data for extortion, anything that is a secret could cause embarrassment, could undermine public perception on an issue, is a high-value target,” he said.

US government’s fightback

Though none of these attacks have been linked to any nation-state campaigns or events, the US government is certainly concerned with the heightened adversary activities involving its critical systems and infrastructures.

The FBI has reported, on several occasions, on various cyber espionage activities affecting the country, including a five-year-old Chinese campaign the federal body has found persistence for within critical government systems.

“The US authoring agencies (including CISA, FBI, and NSA) have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” said a joint advisory warning organizations against China-sponsored Volt Typhoon. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

The advisory also explained that the threat actor had been using many known N-day vulnerabilities, including Fortinet N-days, to gain initial access to US critical systems.

“In addition to exploiting known vulnerabilities like the Fortinet N-days, nation-state actors often utilize a combination of tactics to gain initial access, escalate privileges, move laterally within networks, and maintain persistence,” Plaggemier said. “Common techniques include spear-phishing, password spraying, exploiting misconfigurations, and leveraging compromised credentials. As for backdoors, attackers may implant custom malware or exploit existing vulnerabilities to establish persistent access and evade detection.”

The US government is actively working on improving cybersecurity defenses and responding to cyberthreats, including those attributed to nation-state actors, according to Plaggemier.

“This often involves coordination between various agencies, law enforcement, private sector partners, and international allies. Measures such as re-sanctioning FISA 702 could enhance surveillance capabilities and aid in detecting and mitigating malicious activities. However, it’s essential to balance security efforts with protecting individual privacy and civil liberties,” Plaggemier added.

Section 702 of the Foreign Intelligence Surveillance Act (FISA), would allow federal officers to spy on foreigners’ overseas electronic communications.

Additionally, recently, CISA opened a federal malware analysis and threat-hunting tool for organizations to submit malicious files and URLs for analysis. The US and global governments have alerted organizations to the onslaught of nation-state cybersecurity incidents and have taken down several state-sponsored ransomware and hacker groups in multiple joint efforts.

Source link


National Cyber Security