The ransomware crisis is only getting worse. According to analysts, government facilities, educational institutions, and healthcare organizations are the most frequently hit sectors.
In this edition of the newsletter we will cover:
- Ransomware trend
- Other cyber trends
- Phishing campaigns
- Evolving tactics, techniques, and procedures
- Vulnerabilities and exploitation opportunities
A team of researchers at Temple University (Pennsylvania, USA) that has been tracking (as part of a project called CIRWA) ransomware attacks worldwide on critical infrastructure since 2013 has identified Government, Education and Healthcare as the three most targeted sectors, while Maze, WannaCry and Ryuk as the top three ransomware culprits.
Per Allan Liska from Recorded Future, there have been at least 80 publicly reported ransomware infections in 2020 against the education sector. This is a massive jump from the previous year and a really concerning trend. DoppelPaymer, Maze and other malware have disrupted the operations of Newcastle University (UK), Hartford Public Schools (Connecticut, USA), Clark County School District (Nevada, USA), Fairfax County Public School (Virginia, USA) among others.
With respect to healthcare, multiple public health facilities have also been hit with ransomware – Germany’s University Hospital of Dusseldorf (the attack had been originally intended for the Heinrich Heine University per an extortion note left by the perpetrators), USA’s University Hospital New Jersey, and Thailand’s Saraburi Hospital. The sector has been recently targeted with several ransomware, including Zeppelin (variant of the VegaLocker/Buran family), Maze, REvil, Netwalker, and SunCrypt.
The energy sector, which continues to be highly appealing to ransomware operators, has had its fair share of attacks. On September 7th Pakistan’s largest private utility company, K-Electric, had its billing and online services impacted by the Netwalker ransomware.
Other organizations that have lately been attacked with ransomware include the data center giant Equinix, the Ukrainian software development and IT services provider SoftServe (present in Bulgaria as well), the Development Bank of Seychelles, and Luxottica (the world's largest eyewear company and owner of well-known eyeglasses brands such as Ray-Ban, Armani, Prada, and Michael Kors).
In Bulgaria, small and medium-sized organizations have solicited the help of Amatas to investigate ransomware infections linked to Barak, Crysis and Dharma infections.
According to Recorded Future, most ransomware infections in 2020 have leveraged the Remote Desktop Protocol (RDP) as an attack vector to gain access to Windows computers and to install malware. Threat actors often use open source port-scanning tools to identify exposed RDP ports online. Next they try to gain access via brute-force tools or via purchased stolen credentials. Finally, they delete backups, disable antivirus software, or change configuration settings before delivering the malicious payloads.
Email phishing campaigns are another favorite when it comes to initial compromise. With respect to ransomware deployment, an intriguing new technique has been observed by Sophos cyber experts. Crooks have started delivering and running specially crafted Virtual Machines (with the software environments of their choice, for instance, Windows XP or Windows 7) from which to launch their file scrambling malware.
Recommendations: educate employees on the risks of phishing and regularly test their understanding with mock phishing campaigns, maintain up-to-date offline backups, deploy endpoint malware protection, secure RDP services using multi-factor authentication, and adopt an effective patch management process.
Other cyber trends
Linux OS: As a growing number of organizations are selecting Linux to run their strategically important servers and systems, Advanced Persistent Threat actors such as Turla, Sofacy, Fancy Bear and Lazarus have been changing their toolsets to take advantage of this trend. The Lemon_Duck cryptomining malware, for instance, was seen compromising Linux machines via SSH brute-force attacks. In another example the Drovorub malware has been reportedly targeting Linux systems to exfiltrate sensitive data. In a third instance, a new Linux malware called CDRThief has been detected in targeted attacks against VoIP software switches to steal phone call metadata.
Business Email Compromise (BEC): Gift cards for eBay, Google Play, Apple iTunes and Steam have been requested in two thirds of these attacks in Q2 2020 according to a study conducted by the Anti-Phishing Working Group’s member Agari. While there is a decrease in the gift card average amount (down to $1,213), there is an increase in the average BEC wire transfer attempt (up to $80,183). The bulk of the attacks leveraged free webmail services with Gmail being the preferred one.
BEC crooks have been found using legacy apps with old protocols (ex. POP, IMAP, SMTP) to bypass Multifactor Authentication and to gain access to business email accounts. Furthermore, SMS-based MFA can be abused by attackers in multiple ways, including SIM-jacking.
SQLi: SQL injection is still a critical attack vector against web applications. Perpetrators could easily extract and disclose sensitive data, erase database content, alter transactions, and force privilege escalation to become administrators of the database server.
The COVID-19 pandemic has led to a major boost in online shopping. Some businesses have been forced to quickly move their operations online without sufficient cyber security consideration. This has opened up new opportunities for the criminal underground. A fresh example of that is the largest automated hacking campaign against Magento-powered ecommerce sites over a single weekend in September leading to the compromise of nearly 2000 online stores.
Credential stuffing: This attack type has now become a major problem for financial organizations. Criminals use stolen usernames and passwords from one financial service to access another, counting on individuals reusing their credentials across multiple online portals.
Endpoint threats: According to Cisco, the three most critical security threats to endpoints in H1 2020 have been:
- Fileless malware such as Kovter, Poweliks, Divergent and LemonDuck. Fileless threats consist of malicious code that is launched directly in memory i.e. without a file stored on the hard drive.
- Dual-purpose tools such as PowerShell Empire, Cobalt Strike, Powersploit and Metasploit that are typically leveraged for both exploitation and post-exploitation tasks.
- Credential-dumping tools such as Mimikatz to scrape login credentials from a compromised computer.
Crypto-mining and the cloud: According to Aqua Security hackers target cloud infrastructure primarily to deploy crypto-miners.
NATO: Security analysts have spotted a targeted phishing attack against government bodies using NATO training materials as a lure.
USPS: A new phishing “smishing” (SMS-based) campaign has been detected using the United States Postal Service as a disguise to trick mobile users into sharing sensitive information.
KnowBe4: Phishing simulation providers Cofense and KnowBe4 have come across an email campaign that uses fake security training notifications from KnowBe4. This comes as a reminder that no online brand is impervious to such malicious actions.
Lloyds Bank: Customers have received nefarious emails and SMS messages asking them to verify their accounts following a temporary freeze due to security reasons. Victims are redirected to a fraudulent site which impersonates the bank.
Evolving tactics, techniques, and procedures
Telegram: Digital credit-card skimmers continue to evolve their tactics to avoid detection. Experts have come across a stealthy new script which relies on the Telegram messaging platform to exfiltrate stolen data.
Hexadecimal IPs: In a recent spam campaign researchers from Trustwave have spotted the use of Hex IP addresses to evade spam detection systems.
Vulnerabilities and exploitation opportunities
Windows Domain: An attacker could gain Windows domain administrator access by exploiting a vulnerability in the Netlogon protocol (CVE-2020-1472) which is primarily used to verify login requests in the Windows Client Authentication Architecture. The new attack is known as Zerologon.
Windows OS: The list of native executables that can download or run malicious code keeps growing.
- In a recent change to the Microsoft Defender antivirus, the command-line tool “MpCmdRun.exe” has been updated to include the ability to download files from a remote location, which could be abused by rogue parties.
- Another example is the “finger.exe” command that ships with Windows to retrieve information about users on remote computers running the Finger service. According to security researcher John Page, Command and Control commands could be masked as finger queries that fetch files and exfiltrate data, without Microsoft Defender triggering an alarm.
MFA and the cloud: Critical vulnerabilities in multi-factor authentication implementations in cloud environments with WS-Trust enabled could allow attackers to bypass MFA and access applications such as Microsoft 365.
WordPress: In the past few weeks millions of sites that rely on the WP Content Management System have been automatically probed by bots attempting to exploit a vulnerable version of its File Manager functionality.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Amatas, Cyware, The Hacker News, Bleeping Computer, ZDNet, Security Affairs, Dark Reading, Recorded Future, Infosecurity Magazine, SC Magazine, Sophos Naked Security, Cofense, KnowBe4, Tripwire, Trustwave, Tech Radar, Threat Post, Reuters, Security Week, Creative Commons