Cyber Threat Briefing 16 October 2020: ransomware tidal wave; notable ransomware victims from the last week; BEC Attacks: Nigeria no longer epicentre, losses top $26B; Trickbot back; MS fix 87 vulns
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Threats
Ransomware
Ransomware is growing and growing and getting worse all the time, with the G7 this week warning of ‘a tidal wave of ransomware attacks’ [source]. It is fast approaching becoming such a problem that it may soon reach epidemic status with few organisations left unaffected as firm after firm falls victim.
The ransomware gangs have turned crime into a multi-million pound business empire, it is estimated that $7.5 billion was extorted from victims last year in the United States alone [source], putting any legitimate industry or business sector to shame in term of meteoric growth. This is not small scale actors working out of their bedrooms, they have customer support centres and 24/7 helplines, they have plush offices and flash cars, paid for by the victims of their crimes, paid for by firms like yours paying ransoms.
And here's how attackers are getting in: in nearly half (47%) of ransomware cases gangs used the open remote desktop protocol, a tool that has been used by many companies to help staff work from home, but which can also give attackers a way in if it is not correctly secured.
More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number used specific vulnerability exploits (17%), including Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. This was followed by account takeovers, at 10%. [source]
Criminal gangs have earned so much money and power they are now outsourcing much of the labour, allowing them to live of their spoils while their empires continue to grow, while they do next to nothing, with more and more joining their ranks [source]
As long as even a small number of victims pay the ransom this remains highly lucrative for attackers.
The ransom for Software AG is $23m, but they will demand much smaller sums from much smaller firms – so how are they doing this? Are larger firms being specifically targeted with tailored phishing campaigns, where they hope they will get lucky in getting an employee to fall for the bait, where lower value targets are being hit with machine/algorithmic generated phishing attacks, with lower levels of sophistication and more of a ‘spray and pray’ approach, hoping casting a wide enough net will still result in larger numbers of lower value victims.
We keep trying to warn firms how bad this is getting, and we don’t do this to drum up business, we do this because we are hugely concerned about the direction this is going and how damaging this can be for any firm.
Many firms are reluctant to take cyber security seriously, believing it won’t happen to them, but it is happening to firm after firm after firm who believed it wouldn’t happen to them. It’s too late to start thinking about what you should have done after you’ve become a victim, it’s far better, and far cheaper, to take steps to avoid being a victim in the first place than trying to recover or pay the ransom.
Of the increasing number of firms that do go hit, many don’t survive, and those that do often find things are never the same again, with impacts on confidence levels in your staff and in your IT and information security departments [source]
Ransomware is not only affecting desktops, laptops and servers, but also now increasingly Android and other mobile platforms [source]
Protecting against ransomware is not a luxury or something that can kicked down the road to look at another day, firms need to ensure they are protecting themselves against this threat now – before they become a victim.
Notable ransomware victims of the last week
There have been a number of high profile victims of ransomware in the last week, notably Software AG, a German conglomerate with operations in more than 70 countries, which was attacked by the Clop group who are threatening to dump stolen data if the $23 million ransom is not paid.
Carnival Cruises were hit with ransomware affecting data and personal information for guests, employees and crew for Carnival Cruises, Holland America and Seabourn as well as casino operations.
Early indications point to the disruption being experiences by Hackney Council with their systems stemming from a ransomware attack, although this has not been confirmed.
BEC
BEC Attacks: Nigeria No Longer the Epicentre as Losses top $26B
Business Email Compromise (BEC) Fraudsters now have bases of operation across at least 39 countries and are responsible for $26 billion in losses annually, and growing.
A study of more than 9,000 instances of BEC attacks all over the world shows that the number has skyrocketed over the past year, and that the social-engineering scam has expanded well beyond its historic roots in Nigeria.
Why this matters:
A recent report entitled The Global Reach of Business Email Compromise, found that these attacks cost businesses a staggering $26 billion every year. And that trend appears to be accelerating. In fact, researchers found BEC attacks currently make up a full 40 percent of cyber crime losses globally, impacting at least 177 countries.
For context, the Anti-Phishing Working Group recently find that the average wire transfer in a BEC scan is around $80,000.
In a BEC attack, a scammer impersonates a company executive or other trusted party and tries to trick an employee responsible for payments or other financial transactions into writing money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organisations vendors, billing system practices and other information to help mount a convincing attack.
Read more: https://threatpost.com/bec-attacks-nigeria-losses-snowball/160118/
Trickbot back after disruption attempts
The Trickbot botnet looks to be working once again, despite separate efforts in the past few weeks aimed at disrupting its operation.
Earlier this month the Emotet spam botnet – which is often the precursor to TrickBot being loaded onto a system – began receiving spam templates intended for mass distribution. These spam templates contained Microsoft Word document attachments with malicious macros that fetch and load a copy of Emotet onto the victim machine. The Emotet bot reached out to its controllers and received commands to download and execute Trickbot on victim machines.
The Trickbot group tag that researchers identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more.
Additionally, Intel 471 researchers saw an update to the Trickbot plugin server configuration file. Fifteen server addresses were added, and two old servers were retained in the configuration, along with the server’s ‘.onion’ address. This was likely done as a fix that would help operators maintain that their infrastructure remains operational. [link]
Why this matters:
The fix is another round in the back-and-forth between Trickbot’s operators and the separate public and private sector parties that have attempted to disrupt the botnet’s actions. This includes actions by the US Cyber Command and Microsoft, who issued a public statement that it had taken legal action to “combat ransomware ahead of U.S. elections.” The legal action involved Microsoft attempting to disrupt a number of Trickbot command and control server IP addresses in the United States.
The fact that Trickbot has resumed normal operations despite the best efforts of the likes of the US Cyber Command and Microsoft shows how resilient of an operation Trickbot is, and how much more effort is needed to fully take the botnet offline for good. The botnet’s operators have all the IT support of legitimate enterprises – continuity planning, backups, automated deployment, and a dedicated workforce – that allow them to quickly react to disruptive measures.
Read more: https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/
Vulnerabilities
Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities
Microsoft this week released its monthly batch of security updates known as Patch Tuesday, and this month the OS maker has patched 87 vulnerabilities across a wide range Microsoft products.
By far, the most dangerous bug patched this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this bug can allow attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.
Another bug to keep an eye on is CVE-2020-16947, a remote code execution issue in Outlook. Microsoft says this bug can be exploited by tricking a user to open a specially crafted file with an affected version of Microsoft Outlook software. [source1] [source2]
Why this matters:
The bug was discovered internally by Microsoft engineers, and OS versions vulnerable to CVE-2020-16898 include Windows 10 and Windows Server 2019.
With a severity score of 9.8 out of a maximum 10, Microsoft considers the bug dangerous and likely to be weaponised, and rightfully so.
Patching the bug is recommended, but workarounds such as disabling ICMPv6 RDNSS support also exist, which would allow system administrators to deploy temporary mitigations until they quality-test this month’s security updates for any OS-crashing bugs.
Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
A critical security bug in the SonicWall VPN Portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.
The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall Network Security Applicance (NSA). According to researchers who discovered it, the flaw exists within HTTP/HTTPS service used for product management and SSL VPN remote access. [source]
Why this matters:
An unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler.
Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.
‘More Than A Billion’ Phone Wide Open To ‘Backdoor’ Remote Code Execution in Adtech Company’s Code
Malicious code impacting more than a billion smartphone owners is currently in the wild and enabling remote code execution. [source]
Why this matters:
Remote code execution is a very serious security violation, and basically enables the owner of that code do almost anything they want on your phone.
Miscellaneous Cyber News of the Weeks
Malware gangs love open source offensive hacking tools
In the cyber security field, the term OST (Open Source Tools) refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.
OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community.
These discussions have been taking place for more than a decade. However, they have always been based on personal experiences and convictions, and never on actual raw data.
That changed this week when a security researcher compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread was the adoption of OST projects among hacking groups — such as low-level malware gangs, elite financial crime groups, and even nation-state sponsored APTs. [source]
The results were compiled in an interactive map – available here
Why this matters:
Today, OST is one of the most (if not the most) controversial topics in the information security community.
On one side, you have the people who are in favour of releasing such tools, arguing that they can help defenders learn and prepare systems and networks for future attacks.
On the opposing side, you have the ones who say that OST projects help attackers reduce the costs of developing their own tools and hiding activities into a cloud of tests and legitimate pen-tests.
Fitbit Spyware Steals Personal Data via Watch Face
A researcher has found they can take advantage of lax Fitbit privacy controls to build a malicious spyware watch face.
A wide-open app-building API (Application Programming Interface) could allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server.
A proof-of-concept was created to do just that, after realizing that Fitbit devices are loaded with sensitive personal data. [source]
Why this matters:
Essentially, the API could send device type, location and user information including gender, age, height, heart rate and weight and it could also access calendar information. While this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations.
The researcher was able to make the app available through the Fitbit Gallery (where Fitbit showcases various third-party and in-house apps). Thus, the spyware appears legitimate, and increase the likelihood it would be downloaded.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.