Industry Intel

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It's important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it's hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Podcast: Can we fix IoT security?

For many U.S. workers the switch to remote work is a permanent one. That means more high-stakes work is being conducted on self-configured home networks. For others, home networks are simply hosting more devices as smart doorbells, thermostats and refrigerators now connect to the internet.

Security experts warn that while the internet of things (IoT) isn’t inherently a bad thing, it does present concerns that must be considered. Many devices come pre-configured with inherently poor security. They often have weak or non-existent passwords set as the default.

As our guest and host Joe Panettieri discuss, these are issues that would be addressed on corporate networks by a professional IT administrator. The conversation covers the issues of IoT and home network security both from the perspective of the average family household and what the age of remote work means for employees working on their own networks.

Security intelligence director Grayson Milbourne brings a unique perspective to the podcast. Having held senior roles in both threat intelligence and product management, Milbourne is acutely aware of the threats security products come up against. He knows both the cyber threat landscape and the consumer internet security market, so he's able to provide insightful advice on how tech-loving homeowners can keep personal networks powerful and protected.

Milbourne suggests problems of IoT and home network security could be addressed with a cybersecurity version of ENERGY STAR ratings. A program could formalize current IoT security best practices and incorporate them into a standard consumers recognize.  

During this informative podcast, Panettieri and Milbourne discuss that idea and more cybersecurity topics related to IoT devices. They cover:

  • The difference between device security and the security of the app used to control it
  • How to leverage user reviews while researching IoT devices and what security concerns to check on before buying
  • Privacy and data collection issues, including why one of the most common IoT devices may be among the most intrusive
  • Configuring IoT devices to prevent them from joining rogue IoT zombie networks

Whether you’re an IT administrator trying to secure remote workers or just own a smart TV, there’s something in this conversation for you. Be sure to give it a listen.

Targeted assets: The need for cyber resilient infrastructure

Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.

As of now, we still don't know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial's network have yet to emerge. The FBI has confirmed that DarkSide, a ransomware-as-a-service (RaaS) group, was behind the attack, but background on that group is about the only area where information is plentiful.

We still don't know whether a ransom has been paid, whether Colonial was able to completely isolate its operational network from its corporate systems (the intended target of the attack, according to the company), or whether DarkSide could have bridged that gap.

Based on DarkSide's own statements and analyses of its past behavior, experts believe the attack wasn't intended to seriously disrupt the nation's gasoline supply or cause major harm to its critical infrastructure. But that's beside the point.

It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.  

And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.

Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.

The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn't limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they've ever been before, but cybersecurity is often an afterthought in their design, if it's considered at all. One source claimed that it was the link between an ICS and Colonial's corporate network, used to simplify billing, that caused concern about the attack spreading to operational systems.

Making more cyber resilient infrastructure

After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2015 and 2016 attacks against Ukraine's power grid from happening here?

Here are a few suggestions:

  • Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.
  • Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, to ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.
  • Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.
  • Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.

For the time being, fears of major damage and prolonged fuel shortages from the Colonial Pipeline attack may prove unfounded. But we need to act deliberately now in order to avoid relying on the same luck in the future.

We explored the dangers of pirated sport streams so you don’t have to

Coauthored by Dominick Bitting, Sr. Threat Research Analyst, and Colin Maguire, Web Content Specialist.

Manchester City win the Carabao Cup Final, many illegal streamers lose

The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, YouTube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has run parallel with a rise in digital piracy.

Piracy is widespread and, ethical issues aside, makes for an interesting case study from a threat research perspective. In terms of sports, European football is the most commonly pirated, making up more than a quarter of all illegal sports streams according to one recent study.

There is a sizable online community that shares bootlegged movies, TV and live sports streams, stripped of copyright protection, over HTTP/HTTPS. Sites streaming pirated sports, specifically the English football "free-to-view" sites, were the subject of an April 2021 Webroot study during the week of the Carabao Cup final between Manchester City and Tottenham Hotspur.

This was not meant to be an exhaustive study, but rather focused on getting a snapshot of the dangers involved in spending 90 minutes illegally streaming a match online.

The sites we analysed

We analysed a total of 20 sites in the study, of which 12 "game sites" were analysed in greater detail for the duration of the Cup Final. 92 percent of the illegal streaming sites analysed by Webroot were found to contain some form of malicious content.

Site Ratings

Sites ranged from a "trusted" Webroot BrightCloud® reputation score of 92 to an "untrusted" rating of 44. At the time of testing, all sites had a clean, zero-detection rating on VirusTotal except one, "daddylive", with a rating of 1/85.

However, when examined more closely, most hosting IPs were found to have hosted malicious content (such as some serious malware) in the past, and had connections to other high-risk IPs. Some of the sites caught our attention for leading to a massive amount of URLs. For instance, rojadirecta[.]me pulled 565 different URLs. We focused most of our attention on these suspicious sites.

Virustotal.com graph for hulkstreams. Contextual graphs such as these show the relationships between web hosts and dropped malware
Brightcloud’s Threat Investigator Showing Contextual Information for jokerstream

Insecure Sites

Most of the sites analysed were served over plain HTTP. Any personal data sent to such a site travels across the connection in the clear. HTTPS is no guarantee that a site is safe, but the absence of a certificate and of transport encryption is a red flag, and sharing details or sensitive information with these sites is risky.

Malvertising/Dishonest links

Most of these sites (more specifically the advertising on these sites) use dishonesty and social engineering to fool users into opening links, enabling an action on their browser or downloading a file they never intended to. This is done using an array of tricks like fake “X” boxes on video overlays, false “notification enable” messages and outrageous promises and warnings.

Redirects

Redirects are not bad in and of themselves, but when links jump between a number of unrelated sites (e.g. sports to dating to bitcoin to online shopping) it is a definite red flag, and we observed it a lot on illegal streaming sites. It signals that the site or site-network admins must constantly change what their links direct to as they introduce new URLs. The presence of zero-day (brand new) sites in a chain is a related bad indicator when looking at any site and its connected IPs.
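As an added example (not code from the Webroot study), here is a small Python heuristic that follows a redirect chain and flags the patterns described above: hops across several unrelated registrable domains, a downgrade from HTTPS to HTTP along the way, and very recently registered ("zero-day") domains. The Location table, the hostnames (all under the reserved .test TLD), the wallet-free URLs and the first-seen dates are constructed stand-ins for live HTTP responses and a domain-age lookup, and the tiny suffix table stands in for the real public-suffix list.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed sample: a Location-header table standing in for live HTTP responses.
# Hostnames are invented (.test is reserved for examples).
LOCATIONS = {
    "http://example-stream.test/live/match": "https://go.click-ads.test/r?x=1",
    "https://go.click-ads.test/r?x=1": "https://hot-dates.test/lp",
    "https://hot-dates.test/lp": "http://btc-profit-now.test/mirror/",
}

# Constructed "first seen" dates standing in for a WHOIS / passive-DNS age lookup.
FIRST_SEEN = {
    "example-stream.test": date(2019, 8, 1),
    "click-ads.test": date(2021, 4, 20),
    "hot-dates.test": date(2020, 1, 15),
    "btc-profit-now.test": date(2021, 4, 23),
}
TODAY = date(2021, 4, 25)  # fixed so the example is deterministic

# Tiny stand-in for the public-suffix list (production code should use the real one).
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Reduce a URL to its registrable domain (eTLD+1), e.g. go.click-ads.test -> click-ads.test."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def resolve_chain(start, locations=LOCATIONS, max_hops=10):
    """Follow Location headers from `start`, stopping on a loop or after max_hops."""
    chain = [start]
    while chain[-1] in locations and len(chain) <= max_hops:
        nxt = locations[chain[-1]]
        if nxt in chain:  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def analyze_chain(chain, first_seen=FIRST_SEEN, today=TODAY, max_domains=2, new_days=30):
    """Return the distinct domains in the chain and the reasons (if any) it looks suspicious."""
    domains = []
    for url in chain:
        dom = registrable_domain(url)
        if dom not in domains:
            domains.append(dom)
    reasons = []
    if len(domains) > max_domains:
        reasons.append(f"{len(domains)} unrelated domains in {len(chain) - 1} hops")
    for prev, cur in zip(chain, chain[1:]):
        if urlparse(prev).scheme == "https" and urlparse(cur).scheme == "http":
            reasons.append(f"HTTPS->HTTP downgrade at {cur}")
    for dom in domains:
        seen_on = first_seen.get(dom)
        if seen_on is None:
            reasons.append(f"{dom}: no history in domain-age source")
        elif (today - seen_on).days < new_days:
            reasons.append(f"{dom}: first seen {(today - seen_on).days} days ago")
    return {"chain": chain, "domains": domains, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    result = analyze_chain(resolve_chain("http://example-stream.test/live/match"))
    for reason in result["reasons"]:
        print("FLAG:", reason)
```

The thresholds (two domains, 30 days) are illustrative; a legitimate site behind a CDN or an SSO provider can also cross domains, so treat the output as a triage signal to combine with reputation data rather than a verdict on its own.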

Types of threats we saw on pirated streaming sites

Bitcoin scams

“With cryptocurrency values soaring again, executable based cryptojacking has been on the rise.”
Webroot’s 2021 Threat Report

We observed targeted and localised bitcoin scams promising riches and asking users for banking details. The prices of Bitcoin and other cryptocurrencies have been booming over the last year, and the rise and fall of these prices affects cryptocrime levels. We observed convincing ads and websites that link directly to fake news sites or feature local(ised) celebrities and politicians selling scams.

An example of a bitcoin scam site that has been localised to appeal to users browsing with an Irish IP address

This “Mirror” fake news page is clearly designed to copy the popular UK newspaper. It is a front for a “get rich quick” scam designed to gather users’ cash and personal details. Different versions of this scam have been observed localised for different countries. This was pushed on the vipleague[.]lc streaming site.

“Appearing on the ‘BBC Breakfast’ show, Bill Gates revealed that he invested substantial amounts of money. The idea was simple: allow the average person the opportunity to cash in…”
Text from one scam we witnessed

An example of a bitcoin scam site that has been localised to appeal to users browsing with a UK IP address
A fake AV scam claiming to have found threats on your machine.

Hijacked search results

Browser hijacking lets cybercriminals change a user's default search engine and take over the browser's notifications. Different search results are served up, or users are spammed with junk notifications and explicit content. The changes persist across restarts, so shutting down the laptop does not undo them.

Notification hijacking

Users looking to watch a stream are also tricked into allowing notifications, which bombard them with explicit and extreme content, as well as scams and links to other malicious sites.

Users of Technoreels are asked to allow notifications to see a stream. The button does not need to be clicked to view the content, so the messaging is dishonest, and those who allow notifications get a constant stream of them for porn, dating, scams and other content.
An example of spam browser notifications. This one is localised to appeal to German IP addresses.

Browser Hijacker

Links on jackstreams.com push users into installing a browser hijacker known as mysearchflow.com, which Webroot blocks as Spyware/Adware. Clicking on the stream causes a pop-up asking to allow notifications. These particular notifications were pop-up ads in the corner of the screen that were very intrusive and not easy to disable.

Mobile Threats

All these sites supported mobile browsing, and the advertising, social engineering and malicious content targeted mobile users too. For instance, links pointed to fake mobile apps with privacy issues and useless in-app purchases ranging from £2.09 to £114.99. Users should note that many of these mobile apps can also be installed on PCs and are often difficult to remove. Here's a mobile advertisement from hulkstreams.com that earns clicks by claiming a device is infected with viruses.

Figure 2 The initial false "Google" warning on Hulkstreams pushing

We installed and ran this particular product. It turned out to be fleeceware, a class of app that sneaks excessive subscription fees past users. It already had over 10 thousand downloads on the Google Play store. It offered in-app purchases ranging from £2.09 to £114.99 per item and has since been marked as malicious by our threat intelligence.

Figure 3 After installation the app incorrectly advises that you have "several trojans" and then offers to "repair your device". This is a front for pushing more bogus upgrades and charges.

The sites we analysed. Starred sites indicate "game sites."
hulkstreams.com*
jackstreams.com*
0eb.net*
jokerswidget.com*
strims.world*
livetotal.tv*
vipleague.lc*
fotyval.com*
footybite.com*
daddylive.co/*
elixx.me/schedule.html*
hdstreamss.club/*
liveonscore.tv/
red.soccerstreams.net/
www.blacktiesports.net/soccerstreams/
www.hesgoal.com/
www.ovostreams.com/soccer-streams.php
www.sportnews.to/schedule/
www.sportp2p.com

Our advice

Since pirate streams operate outside the law, they often sell advertising space to entities that are also operating outside the law. Although we found some advertising from reputable vendors, we would not recommend visiting these sites for the good of your overall online safety.

We do recommend that, when browsing any site on the web, users update their software and operating systems, employ AV and anti-phishing detection, and double-check any links before clicking, especially when they profess to offer something that seems too good to be true.

We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.

“It is a nightmare. Do all you can to prevent ransomware.”
 
– A survey respondent

Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop to being hit. Whether it's shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.

By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.

Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational damage, lost customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.

Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.

But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.

Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.

Most importantly, no matter how comprehensive or scattershot a business's protection is, it needs to be in place before it's needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that's excellent. But IT administrators and other decision-makers shouldn't count on their luck holding out forever.

Here are a few of the report's most compelling findings, but be sure to download the full eBook to access all of the insights it delivers.

KEY FINDINGS

  • 50% of ransomware demands were more than $50k
  • 40% of ransomware attacks consumed 8 or more man-hours of work
  • 46% of businesses said their clients were also impacted by the attack
  • 38% of businesses said the attack harmed their brand or reputation
  • 45% were ransomware victims in both their business and personal lives
  • 50% of victims were deceived by a malicious website, email link or attachment
  • 45% of victims were unaware of the infection for more than 24 hours
  • 17% of victims were unable to recover their data, even after paying the ransom

Is the Value of Bitcoin Tied to Ransomware Rates?

With investors currently bullish on Bitcoin, is its high value driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?

At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, it is widely expected to crash again, perhaps before the end of 2021. The volatility is at least partly attributed to an event known as "the halving" (or "halvening"), in which the block reward paid to miners, and with it the rate at which new supply enters circulation, is cut in half, tightening supply against steady or rising demand.

At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a 171 percent increase in the average ransom paid between 2019 and 2020, to over $312 thousand. The highest ransom demand doubled between 2015 and 2020, from $15 million to $30 million.

An iron law?

So, is it fair to argue that the two trends are positively correlated, and that when the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.

For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.

“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”

As could be expected with such a volatile asset, these swings sometimes happen quickly, as when ransomware actors had the city of Baltimore between a rock and a hard place in 2019. The price of Bitcoin had crashed in 2018, but while the ransom demand sat on the city's desk the price surged, sending the dollar value of the ransom up with it.

In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.

“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”

A more direct relationship

Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.

“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.

Browser-based cryptojacking uses mining scripts injected into web pages, usually after the attacker compromises the web server through an unpatched vulnerability or an out-of-date WordPress plugin. Every browser that then visits the page mines cryptocurrency with the visitor's CPU for as long as the tab stays open. This attack skyrocketed from its inception in 2017 into 2018.

A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.

“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.

In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.

Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”

Executable-based cryptojacking is when criminals gain a foothold on a machine, whether through phishing, an exploit or exposed RDP, and then drop a payload that, on execution, uses the machine's resources to mine cryptocurrency. This technique predates browser-based scripts and is still alive today. In fact, it's the tactic seeing the most growth during cryptocurrency bull markets.

Monero, favoured by cryptojackers because its proof-of-work algorithm is designed to be mined efficiently on ordinary CPUs rather than specialised hardware, rebounded during this period. Over the course of 2020 and into 2021 its value rose from around $50 to around $250, which may help explain why Webroot found 8.9 million cryptojacking scripts in use in 2020.
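Both forms of cryptojacking described above leave recognisable traces, and the following Python example (added here, not code from the Webroot report) shows detection logic for each: a scan of page HTML for in-browser miner indicators (Coinhive's script and API names were the best-known real-world case; a stratum:// pool URL or a CryptoNight reference in page script is a more generic tell), and a scan of process telemetry for the executable-based kind, keyed on XMRig-style command-line options, connections to ports commonly used by mining pools and sustained CPU use. The HTML samples, the process events, the pool hostname and the wallet string are constructed; the option and port lists are a starting point, not a complete signature set.

```python
import re
from os.path import basename

# Indicators of in-browser miners. Coinhive's script and API names were the common
# real-world case; the remaining patterns are generic to CryptoNight-style web miners.
BROWSER_MINER_PATTERNS = [
    r"coinhive\.min\.js",
    r"CoinHive\.Anonymous\s*\(",
    r"authedmine\.min\.js",
    r"stratum\+(?:tcp|ssl)://",
    r"cryptonight",
]

# XMRig-style command-line options (the options are real; sample values below are invented).
MINER_CMDLINE_PATTERNS = [
    r"(?:^|\s)(?:-o|--url)[=\s]+stratum\+(?:tcp|ssl)://",
    r"--donate-level",
    r"--coin[=\s]+monero",
]
# Ports commonly used by public mining pools (assumption: tune to your own telemetry).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe"}


def scan_html(html):
    """Return the browser-miner indicators present in a page body."""
    return [p for p in BROWSER_MINER_PATTERNS if re.search(p, html, re.IGNORECASE)]


def score_process(event):
    """Return the reasons a process event looks like an executable miner (empty = clean).

    event: dict with pid, name, cmdline, cpu_pct and remote_port (constructed schema).
    """
    cmd = event.get("cmdline", "")
    reasons = [f"miner option: {p}" for p in MINER_CMDLINE_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
    port = event.get("remote_port")
    if port in POOL_PORTS:
        reasons.append(f"connection to common pool port {port}")
        if event.get("cpu_pct", 0) >= 80:
            reasons.append(f"sustained CPU {event['cpu_pct']}% while connected to pool port")
    # A renamed miner (e.g. masquerading as a system binary) is a stronger signal than xmrig itself.
    if reasons and basename(event.get("name", "")).lower() not in KNOWN_MINER_NAMES:
        reasons.append(f"miner behaviour under unrelated process name {event.get('name')}")
    return reasons


def flag_events(events):
    """Map pid -> reasons for every event that scores as a miner."""
    flagged = {}
    for event in events:
        reasons = score_process(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged


# Constructed samples.
INFECTED_HTML = """<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY'); m.start();</script></body></html>"""
CLEAN_HTML = '<html><body><script src="/static/player.js"></script></body></html>'

EVENTS = [
    {"pid": 412, "name": "chrome.exe", "cmdline": "chrome.exe --type=renderer",
     "cpu_pct": 12, "remote_port": 443},
    {"pid": 981, "name": "svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.test:3333 -u 4AinventedWallet --donate-level 1",
     "cpu_pct": 97, "remote_port": 3333},
    {"pid": 1203, "name": "python3", "cmdline": "python3 backup.py --full",
     "cpu_pct": 91, "remote_port": 22},
]

if __name__ == "__main__":
    print("browser indicators:", scan_html(INFECTED_HTML))
    for pid, reasons in flag_events(EVENTS).items():
        print(pid, reasons)
```

High CPU on its own is deliberately not a reason (the backup job in the sample is busy but clean); it only counts alongside a pool connection. Miners that tunnel over 443 or use a private proxy will not hit the port check, which is why the command-line patterns and the process-name mismatch are scored independently.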

In summary, both of these crypto-generating schemes require patience from their perpetrators. When ransomware actors land a big payment from an extorted business, they may have to wait out market forces to maximise their earnings. For cryptojackers, profits trickle in over time; they must first decide whether a target is worth the effort and then whether to play the same long game with their take.

Cyber News Rundown: Phishing Targets NHS Regulatory Commission

Spanish labor agency suffers ransomware attack

Multiple systems were taken offline following a ransomware attack on the Spanish government labor agency SEPE, affecting all 700 of its offices across the country. While some critical systems were impacted, officials have confirmed that the systems containing customer and other sensitive payroll data were not compromised. The Ryuk ransomware group is believed to be behind the attack; the group was involved in nearly a third of all ransomware attacks in 2020.

Latest phishing campaign targets NHS regulatory commission

Officials at the Care Quality Commission (CQC) have received roughly 60,000 malicious phishing emails over the past three months that seem to be linked to the rollout of the COVID-19 vaccine. The campaign has followed a pattern of spreading false information and requesting sensitive information about users' NHS accounts. The use of the pandemic to scare recipients of fraudulent emails continues as many look forward to their turn to receive the vaccine.

Hackers gain admin access to surveillance company cameras

Hackers from a known collective were able to gain access to over 150,000 Verkada surveillance cameras in various sensitive locations across the globe after finding an access point available on the web. Viewable feeds included jails, banks and internal entry cameras for top companies like Cloudflare, which has since confirmed that they have taken these cameras offline. It remains unclear how long the hackers had access to the systems. They have stated they were able to steal roughly 5GB of data from the Verkada systems, which will likely be leaked in the coming months.

Ransomware distributor arrested in South Korea

An individual was arrested by South Korean police late last month after a lengthy investigation tracked ransomware payments to withdrawals made by the individual. The man in custody is believed to be responsible for distributing more than 6,000 phishing emails spoofing local law enforcement. These used malicious attachments to trigger GandCrab ransomware payloads that encrypted systems. This is the second reported GandCrab affiliate caught by law enforcement in the past year as global law enforcement agencies work together against transnational ransomware organizations.

REvil ransomware group puts 170GB of data up for sale

Officials for the Pan-American Life Insurance Group have issued a statement regarding recent outages in their systems, which were the result of a ransomware attack. Though there was a post on a known REvil ransomware group forum claiming to have taken 170GB of data from this breach, that post has since been removed, which could indicate that Pan-American could be in negotiations with the group to restore their systems.

Cyber News Rundown: Italian Banks Hit with Ursnif

Italy targeted by Ursnif banking Trojan

Over 100 banks in Italy have fallen victim to the Ursnif banking trojan, which has stolen thousands of login credentials since it was first discovered in 2007. The attack may have compromised up to 1,700 additional pairs of banking credentials through a payment processor, some of which were already confirmed to be legitimate by multiple Italian banks. The attack likely began as a malicious email using social engineering to trick users into clicking links.

Telemarketer leaves thousands of records exposed

A California-based telemarketing firm was recently alerted to an exposed Amazon AWS bucket containing over 100,000 records and requiring no authentication to access. Among the records were hours of customer phone calls and text-based communications. These contained sensitive information that could be used to launch further social engineering attacks, endangering the identities of thousands of clients. The AWS bucket has remained unsecured for more than two months since the company was notified.

Third party exposes decade of Malaysia Airlines customer data

Officials for Malaysia Airlines have announced that a third-party IT service provider had suffered a data breach that may have exposed information belonging to the airline’s Enrich frequent flyer program members for nearly a decade. While it remains unclear how many members had their information leaked, the airline has reached out to all members regarding updating their login credentials. None of their internal systems have been reported compromised.

Microsoft releases patches for multiple zero-day vulnerabilities

Microsoft has pushed out fixes for at least seven vulnerabilities in Exchange Server in an out-of-band release. Four of them are zero-days being actively exploited, and are believed to have been abused for nearly two months to steal sensitive information from affected systems. Administrators deploying the patches should note that patching does not evict attackers already inside a compromised server; it only prevents further exploitation, so patched servers still need to be checked for signs of compromise.

Cyberattack takes PrismHR offline

Officials for PrismHR are working to restore functionality to their payroll platform after a suspected ransomware attack. Even though the attack occurred over a weekend, IT workers were able to shut down the remaining unaffected systems before it could spread further. The company has also confirmed that no customer information was stolen during the attack and that it is working to restore functionality from backups.

Cyber News Rundown: Dairy Farm Ransomware

Dairy farm group faces $30 million ransom

The Dairy Farm Group, one of the largest retailers in Asia, has suffered a ransomware attack by the REvil group, which has demanded a roughly $30 million ransom. The attack is still ongoing nearly nine days after being first identified. The attackers still have full control over the company’s email systems, which they will likely use for additional phishing attacks or identity theft operations. Officials have confirmed the attack was isolated to a small number of devices, but they have not been able to stop the continuing transmission of data to the attacker’s systems.

Norway to fine dating app over user data sharing

The dating app Grindr will receive a fine from the Norwegian government for sharing user data with several of its advertising partners. Multiple complaints were made against the app in the past year for making users accept its license agreement without being able to opt out of third-party data sharing. The fine equates to $11.7 million, or nearly 10 percent of Grindr’s annual revenue.

Multiple zero-day exploits patched by Apple

Apple has just released patches for three zero-day iOS vulnerabilities that may already have been exploited. Two of them allow remote code execution through a flaw in the WebKit browser engine, while the third could be used to elevate privileges on multiple devices. An anonymous researcher is responsible for bringing these vulnerabilities to Apple’s attention and likely received compensation through the company’s bug bounty program.

Global authorities take down Emotet botnet

In the wake of a push earlier this week by global law enforcement, authorities have gained control of the servers responsible for operating the infamous Emotet botnet. This operation was responsible for infecting millions of devices across the world and using them to spread further malware. Police in Ukraine have also arrested individuals who face up to 12 years in prison for their involvement in the criminal activity. Emotet started out as a banking trojan but has since become an entry point for other ransomware variants.

Austrian crane manufacturer hit by ransomware

The Palfinger Group, which owns companies in 30 countries around the world, has recently fallen victim to a ransomware attack. For the past three days the organization has been under a steady assault on its networks, causing major issues with email communications and other crucial internal systems. It is still unclear how the attack was initiated or what the extent of the damage is, since the attack is ongoing.

Cyber News Rundown: Cryptomining Malware Resurgent

Skyrocketing Bitcoin prices prompt resurgence in mining malware

As the price of the cryptocurrency Bitcoin pushes record highs, there’s been a corresponding resurgence in cryptomining malware. Illicit miners had slipped off the radar as Bitcoin’s value plummeted in recent years, but now authors are hoping to profit off the latest price increase. Researchers have identified multiple forms of cryptominers, from browser-based applications to fileless script miners used against a variety of system configurations.

Major increase in malicious vaccine-related domains

The number of domains containing the word “vaccine” has increased 94.8% in the month since the first COVID-19 vaccine became publicly available. As with malicious COVID-related domains registered since March of last year, cybercriminals are taking advantage of the pandemic’s hold over the public’s consciousness in order to turn a profit. With over 2,000 new domains with COVID-related keywords, finding accurate and reliable information has become more difficult.

Millions of Nitro PDF user records leaked

A database containing over 77 million user records belonging to Nitro PDF has been found available for almost nothing on a dark web marketplace. The data was leaked in an October data breach, which Nitro confirmed, and was bundled for auction with a high price tag. Now, several months later, a member of the hacking group ShinyHunters has released access to the download link for a mere $3.

Scottish environmental agency falls victim to ransomware attack

Officials for the Scottish Environmental Protection Agency (SEPA) have confirmed that data stolen in a ransomware attack last month has been posted for sale on the dark web by the group responsible for the Conti ransomware variant. While it remains unclear how the attackers gained access to the agency’s systems, many of the infected systems are still not operational and have no timetable for a return to service.

Hackers leak nearly 2 million Pixlr records

The ShinyHunters hacking group posted a database containing nearly 2 million user records for the Pixlr photo editing application to the web in recent days. The group claims to have stolen the database during a breach at another photo site, 123rf. Both sites are owned by the company Inmagine. Though Pixlr has yet to confirm the breach, it’s recommended users change passwords on Pixlr and any other sites sharing the same login credentials.

Cyber News Rundown: Gaming Industry in Crosshairs of Cybercriminals

Top gaming companies positioned to be next major cyberattack target

After healthcare and higher education emerged as lucrative targets for cyberattacks in 2020, researchers have identified the video gaming industry as another key target. By scouring the dark web for stolen data belonging to any of the top 25 largest gaming firms, they discovered over a million unique, newly uploaded accounts. Additionally, researchers found credentials for over 500,000 gaming company employees that had been exposed in previous data breaches and reused across multiple accounts.

Hardcoded backdoors discovered in Zyxel devices

Researchers recently stumbled upon an undocumented admin account, protected only by basic login credentials, on multiple Zyxel devices commonly used to monitor internet traffic; the account grants full access to the device. The issue was first spotted when several warnings for unauthorized login attempts using admin/admin as the username and password were identified, presumably from someone hoping to access other unprotected devices on the network. The undocumented account is reachable only through an SSH connection or the web interface, and it could affect over 100,000 Zyxel devices currently connected to the internet.
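The Zyxel issue was noticed from failed-login warnings for admin/admin, and the same signal is worth alerting on wherever a network device accepts password logins over SSH. The following is an added example, not code from the original article or from Zyxel: it parses sshd-style authentication log lines, counts failed logins against well-known default account names per source address, and raises a high-severity alert when a password login succeeds for such an account after a burst of failures. The log lines and the list of default account names are constructed for the example.

```python
"""Detect default-credential login attempts in sshd-style auth logs.

Added example, not from the original article. The sample log lines and the
set of default account names below are constructed for illustration.
"""
import re
from collections import defaultdict

# Matches both "Accepted password for admin from ..." and
# "Failed password for invalid user admin from ..." forms of sshd log lines.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>[\w/-]+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Account names that ship as defaults on many devices (constructed list).
DEFAULT_USERNAMES = {"admin", "root", "user", "support", "guest"}


def parse_line(line: str):
    """Return a dict with result/method/user/src, or None for unrelated lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines, fail_threshold: int = 3) -> list:
    """Walk the log in order and return a list of alert dicts.

    medium: fail_threshold failed logins against a default account from one source
    high:   password login accepted for a default account after earlier failures
    low:    password login accepted for a default account with no prior failures
    """
    failures = defaultdict(int)     # (src, user) -> failed attempts seen so far
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
            # Alert once, when the threshold is first reached.
            if failures[key] == fail_threshold and ev["user"] in DEFAULT_USERNAMES:
                alerts.append({
                    "severity": "medium", "src": ev["src"], "user": ev["user"],
                    "reason": f"{fail_threshold} failed logins against default account name",
                })
        elif ev["result"] == "Accepted" and ev["method"] == "password":
            # Key-based logins are not flagged; password success on a default
            # account name is, and is escalated if failures preceded it.
            if ev["user"] in DEFAULT_USERNAMES:
                prior = failures[key]
                alerts.append({
                    "severity": "high" if prior else "low",
                    "src": ev["src"], "user": ev["user"],
                    "reason": f"password login accepted for default account after {prior} failures",
                })
    return alerts


# Constructed sample log: a burst of admin/admin-style attempts that ends in a
# successful password login, plus benign and unrelated lines.
SAMPLE_LOG = [
    "Jan  5 10:12:01 gw sshd[1234]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Jan  5 10:12:03 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "Jan  5 10:12:04 gw sshd[1236]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Jan  5 10:12:05 gw sshd[1237]: Failed password for admin from 203.0.113.7 port 51240 ssh2",
    "Jan  5 10:12:07 gw sshd[1238]: Accepted password for admin from 203.0.113.7 port 51242 ssh2",
    "Jan  5 10:12:09 gw sshd[1239]: Failed password for invalid user admin from 192.0.2.9 port 40001 ssh2",
    "Jan  5 10:13:00 gw sshd[1250]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2",
    "Jan  5 10:13:01 gw cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The constructed log produces a medium alert at the third failed admin login from 203.0.113.7 and a high alert when the password login for admin then succeeds from the same address; the single failure from 192.0.2.9 and the key-based login for ops stay quiet. On real devices the same logic belongs in the SIEM rule that consumes syslog from the network gear, and the remediation the story implies is to replace default credentials and restrict management interfaces to a management network.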

Vodafone operation reveals major data breach

Vodafone’s budget operator ho. Mobile has revealed that its systems were compromised late last month and that a database containing sensitive information belonging to nearly 2.5 million customers was leaked. Along with personally identifiable information, the data includes details of customer SIM cards, which can be used to enable SIM-swap attacks that allow attackers to take control of specific users’ messaging services. The stolen database has been for sale on a dark web marketplace for a starting price of $50,000 since shortly after the attack was discovered.

ElectroRAT quietly steals cryptocurrency across multiple operating systems

After operating for nearly a year, the silent cryptocurrency stealer ElectroRAT has finally been identified; it uses multiple trojanized apps to run on Windows, Mac and Linux systems. To make these malicious apps appear more credible, the authors placed advertisements on social media and cryptocurrency-related websites, which have led to thousands of installations. By spreading the attack across multiple operating systems, the attackers increased their chances of reaching information of value.

Vancouver’s TransLink Suffers Ransomware Attack

Nearly a month after officials identified technical issues with IT systems at Metro Vancouver’s TransLink transportation authority, the interruption was discovered to be the work of the Egregor Ransomware group. While the attack didn’t compromise customer data, it is believed that employee banking and personal information was stolen. TransLink employees are working to restore systems to proper functionality, though some seem to have been more damaged than others.

Maze Ransomware is Dead. Or is it?

“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At least,” he amends, “for now.”

Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued a kind of press release, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an estimated 12% of all successful ransomware attacks. So why did they shut down?

I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.

Why do you think Maze was so successful?

Maze had a great business model. They were the group that popularized the breach leak/auction website. So, they didn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction.

Why was this shift so revolutionary?

The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.

Now think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because of regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. So, instead of simply saying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the world – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the more cost-effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it.

Other than the leak sites, did they do anything else noteworthy or different from other groups?

One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop.

Do you think the move to remote work during the pandemic contributed to their success?

Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.

If Maze was doing so well, why did they shut down?

Probably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they’ve gotten from their payouts and enjoy life. Or, sometimes, they don’t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name.

How can you tell when an old group has rebranded?

Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot.

Do you think Maze is done for good?

Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses that are less likely to have strong enough security measures. Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned such a winning business model entirely.

The verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance.
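The interview's point about spotting a rebrand by pulling a sample apart and reading its strings (the “GandCrab version 6” marker found in a Sodinokibi sample) is the first pass any analyst makes on a new binary. The following is an added example, not code from the original post or from Webroot: it extracts printable ASCII and UTF-16LE strings from a byte blob the way the `strings` utility does, hashes the blob, and matches the strings against a small marker table. The sample bytes and the marker table are constructed; the only marker text taken from the page is the GandCrab version string.

```python
"""Triage a binary blob by hashing it and matching extracted strings to markers.

Added example, not from the original post. The sample blob and the marker
table are constructed; only the "GandCrab version" string is cited from the
interview above.
"""
import hashlib
import re


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable runs of at least min_len chars, as ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is printable char, NUL, printable char, NUL, ...
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


# Constructed marker table: substring -> what its presence suggests.
MARKERS = {
    "GandCrab version": "GandCrab lineage string (the rebrand clue cited in the interview)",
    "README_TO_DECRYPT": "ransom-note filename (constructed placeholder)",
}


def match_markers(strings, markers=MARKERS) -> dict:
    """Map each marker that appears (case-insensitively) to the strings containing it."""
    hits = {}
    for s in strings:
        for marker in markers:
            if marker.lower() in s.lower():
                hits.setdefault(marker, []).append(s)
    return hits


def triage(data: bytes, min_len: int = 6) -> dict:
    """Produce a small triage record: hash, string count, and marker hits with labels."""
    strings = extract_strings(data, min_len)
    hits = match_markers(strings)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "marker_hits": {m: {"label": MARKERS[m], "matches": found} for m, found in hits.items()},
    }


# Constructed sample: a fake PE-like header, a DOS stub message, a UTF-16LE
# version string, and an import name. Not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode." + b"\x00" * 8
    + "GandCrab version 6".encode("utf-16le") + b"\x00\x01\x02"
    + b"kernel32.dll\x00" + b"ab\x00cd"      # short fragments fall below min_len
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["sha256"])
    for marker, info in report["marker_hits"].items():
        print(marker, "->", info["label"], info["matches"])
```

Strings alone are weak evidence, since packers hide them and authors can plant decoys, so this output is a prompt for deeper analysis rather than a verdict; the same functions, run over a corpus of samples, are a cheap way to cluster families before anyone reverse engineers code by hand.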

Stay tuned for more ransomware developments right here on the Webroot blog.

Cyber News Rundown: Trickbot Spreads Via Subway Emails

Trickbot spreading through Subway company emails

Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links for initiating Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which then launched the campaign. Users who do click on the malicious link initiate a process in Task Manager that can be stopped to prevent additional illicit activities typical of Trickbot infections.

Scores of municipal websites attacked in Lithuania

At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility.

Researchers discover millions of medical records online

Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Among the sensitive data were personal health information and other personally identifiable data, all left on servers whose login page allowed access without credentials. This data was likely left unsecured because of the number of medical professionals needing access to it, though the lapse is inexcusable. With healthcare facilities being prime targets for ransomware attacks, communications between organizations should be strictly secured to protect this valuable data.

Ransomware strikes city of Independence, Missouri

Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale.

Data Breach Compromises Patient Data at California Hospital

California’s Sonoma Valley Hospital recently sent letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of its systems to prevent the breach from spreading, the attackers are believed to have gained access to and stolen sensitive data.