Tuesday, July 16, 2019 - Jake Omann, CIC, CPCU

Ransomware GandCrab shutting down lucrative $2 billion operation

The ransomware operation known as GandCrab is shutting down and telling its affiliates to stop distributing ransomware after a year and a half run and $2 billion in ransom payments.

• Capitalizing on the vacuum created by the shutdown of other large-scale ransomware operations, GandCrab exploded into the ransomware world in late 2018, when they started marketing their services on underground criminal sites.
• GandCrab has since become one of the most dominant actors in ransomware operations, only starting to slow down over the past few months.
• Security researchers Damian and David Montenegro who have been following the exploits of GandCrab on the underground hacking forum Exploit.in, report GandCrab has posted that they are shutting down.
• Operators of GandCrab claimed to have generated more than $2 billion in ransom payments, with average weekly payments of $2.5 million dollars GandCrab further claims personal earnings of $150 million, which has been supposedly cashed out and invested in legal business entities.
• Despite hopes that GandCrab would follow other shuttered ransomware operations and release encryption keys, the operators sought one last payout, warning victims to pay for their decryption keys as they would be deleted at the end of June.

Source: BleepingComputer.com

GoldBrute botnet highlights Windows RDP server vulnerability

Security researchers have discovered an ongoing sophisticated botnet campaign that is currently attempting brute-force attacks on more than 1.5 million publicly accessible Windows remote desktop protocol (RDP) servers. RDP is what enables a user, such as an IT professional, to take control of a remote computer over a network connection.

• Dubbed GoldBrute, the botnet is designed to gradually escalate, forcing every system it hacks to search for and hack other vulnerable RDP servers.
• As of June, researchers were yet to determine the extent of the botnet’s network and exact number of compromised servers.
• Rough estimates put the number of publicly accessible Windows RDP servers at 2.4 million; more than half are likely being targeted by brute-force hacking attempts.

Source: TheHackerNews.com

Third-party breach could affect as many as 12 million diagnostics patients

Fortune 500 company, Quest Diagnostics Incorporated, indicates 12 million of its clients may have been affected by a data breach reported by one of its third-party billing providers.

• Quest Diagnostics received notice from billing collection provider, American Medical Collection Agency (AMCA), that the company’s online payment system had been breached.
• AMCA provides billing services to Quest contractor, Optum 360.
• AMCA, which provided billing services to Quest contractor, Optum360, informed the diagnostics services provider that between August 1 of last year and March 30 of this year, an unauthorized user had access to AMCA’s systems containing information that the billing services provider had received from Quest Diagnostics and various other entities
• Information included financial information, such as bank account and credit card numbers, and personal and medical information, including Social Security numbers.
• After being informed of the incident, Quest Diagnostics has suspended sending collection requests to AMCA, provided notifications to affected health plans, and has been working with security experts to identify the potential impact of the breach on the company and its patients.
• As of June, AMCA had not yet provided Quest or its affected contractor detailed information about the data security incident, including which individuals and what information may have been affected. Quest has also not been able to verify the accuracy of the information received from the billing service provider.

Source: BleepingComputer.com

Latest extortion email scam targets website owners through “contact us” forms

Email extortion scam variations are endless, but the basic idea is the same: the sender threatens that bad things will happen unless the recipient pays up. The latest variation threatens to ruin a website’s reputation. The email targets website owners, threatening to “ruin” the  site's reputation and get them blacklisted for spam unless paid, typically in bitcoin

• Scammers use a website’s “contact us” form to send the threatening email, with the subject line "Abuse and lifetime blocking of the site,” attempting to legitimize the claim by including the domain name.
• Demanding bitcoin payment equivalent to about $2,400, the email states that the sender will destroy the reputation of the site by sending millions of emails from your domain, leaving nasty reviews, and using your domain to submit nasty messages to other sites via their “contact us” page.

Source: BleepingComputer.com

Large-scale malware email campaign exploits 2017 Microsoft Office vulnerability

Microsoft is warning about a large-scale spam campaign targeting European users by taking advantage of an old Microsoft Office exploit. The exploit, referred to as CVE-2017-11882, allows hackers to send emails with malicious Rich Text Format (RTF) attachments. Once the user opens the attachment, the embedded malware attempts to run a number of scripts before attempting to deliver a payload — a Trojan virus. Attackers can automatically run malicious code without requiring user interaction.

• First identified in 2017, CVE-2017-11882 specifically targets Equation Editor, a component found in older version of Office enabling users to build complex equations within Word, Excel, and other Office documents.
• Microsoft has since removed and replaced the affected component.
• Microsoft issued a patch for this vulnerability in 2017, however, cybersecurity researchers continue to see the exploit pop up in various attacks, with a significant increase over the last several weeks.
• Once opened, the embedded malware will attempt to run multiple scripts, including ones using VBScript, PowerShell and PHP, before attempting to download the payload — a Trojan virus looking to connect to a malicious domain.
• The malicious domain had been disabled by the time Microsoft issued its warning; however, a renewed campaign still remains a possibility.
• Microsoft’s Security Intelligence team is urging companies using older versions of Office with Equation Editor to apply the critical patch the software giant issued two years ago, or simply disable Equation Editor where still in use.

Source: BankInfoSecurity.com

CISA warns of social engineering scam featuring malicious attachments

The newly created Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on a phishing campaign using attachments that appear to be from the U.S. Department of Homeland Security (DHS).

• Attackers used a fake email address designed to look like a National Cyber Awareness System (NCAS) alert.
• The attackers then attempt to trick users into opening malicious attachments, designed to appear as a legitimate DHS notification.
• CISA states that the agency will never sends notifications containing email attachments.

Source: CISA.com

New York Times reports unprecedented U.S. hacking attack against Russian utilities

In what could have been a show of American reach and capability — or a warning for Russia to back off — the New York Times reported in June that the United States had planted potentially destructive malware in Russia’s electric power grid, claims that President Trump has denied via Twitter. When it comes to government hacking within the power grid, Russia is usually the culprit; historically, Russia has targeted power grids in the Ukraine and Estonia. There have also been reports of Russia-linked hackers targeting control systems in energy facilities in the U.S. including a recent report of a threat actor with apparent ties to a Russian government-backed research institute targeting electric utilities in the United States and the Asia-Pacific region.

• Government officials shared with the publication that the U.S. has been probing Russian power grid control systems since at least 2012 as part of reconnaissance operations. The officials claimed the U.S. recently ramped up its efforts by launching more offensive activities.
• According to The New York Times, the operation was meant as a warning to Russian President, Vladimir Putin, and appear to show how the U.S. Cyber Command has been using its new authorities granted to it from the White House last year.
• There is no evidence that the planted malware was used to cause any disruption.
• U.S. government agencies contacted by the newspaper did not comment on the allegations, but President Trump tweeted that the story was not true.
• Despite several confirmed and unconfirmed reports of cyberattacks launched by the U.S. against adversaries like North Korea, Iran and the Islamic State, the U.S. often takes the reverse track with Russia, accusing Moscow of launching cyberattacks and misinformation campaigns against the U.S.

Source: SecurityWeek.com

Recent wave of ransomware attacks leaves local governments reeling

Lake City, Florida is among the latest of U.S. municipalities to fall victim to a ransomware attack. Following other local cities and counties, Lake City has paid the hackers almost $500,000 to recover its locked down email systems and servers.

• A community of 12,046 located in northern Florida, Lake City officials voted in June to pay the hackers their bitcoin demand, which would be mostly covered by insurance.
• Lake City is the second Florida city in one month to pay hackers and the latest in a string of ransomware attacks targeting state, county and city governments
• Experts warn that paying the ransom could only incentivize hackers to launch even more attacks against municipalities. However, the alternative could be a lengthy and much more expensive recovery process. The city of Baltimore refused a ransomware demand of $75,000 in May and has since spent $18 million so far on recovery efforts.
• While insurance would cover the majority of the ransom payment, $10,000 would need to be collected from taxpayers.

Source: ThreatPost.com

New report highlights emerging cybersecurity trends in the financial services sector

Digital consulting firm, Accenture, highlights five key areas where cyberthreats are poised to evolve within the financial services sector in a new report. Future Cyber Threats: Extreme But Plausible Threat Scenarios in Financial Services focuses on these five key threats:

1. Credential and identity theft — Breaches involving enterprise credentials and consumer financial data continue to grow in frequency and scale. As cybersecurity reacts and adapts, malicious actors may begin to use these large data sets in innovative ways, including simultaneous multiparty access and network abuse.
2. Data theft and manipulation — Whether financially, politically, or ideologically motivated, malicious actors routinely steal data from financial institutions. Sophisticated operations may evolve to incorporate data manipulation for financial gain, destabilizing financial systems and markets.
3. Destructive and disruptive malware — The financial sector has been experiencing ransomware attacks at exponential rates. Increased deployment has coincided with the use of destructive malwares, pseudo-ransomwares and defense evasion techniques. In financially or politically motivated attacks, malicious actors may deploy “wiper” malware to conceal their intentions and slow down the incident response process.
4. Emerging technologies — Driven to deliver faster, more secure and customer-centric services, financial services organizations continually explore the application of emerging technologies. As financial services organizations leverage emerging technologies like blockchain and artificial intelligence, malicious actors may seek to exploit these technologies as part of a new wave of attack campaigns.
5. Disinformation campaigns — Disinformation has played a role in malicious campaigns against financial institutions and markets since the birth of financial transactions. Combined with the other threats, disinformation may factor more prominently during highly targeted, multistage attacks.

Source: BankInfoSecurity.com

Iranian state-sponsored cyber espionage group turns its focus toward financial and other sectors within the U.S. and abroad

U.S. government agencies and at least two U.S.-based financial institutions were targeted by a malicious phishing campaign in June, linked to an Iranian state-sponsored cyber espionage group, according to the U.S. Department of Homeland Security (DHS) and the U.K.'s National Cyber Security Centre (NCSC).

• Domain infrastructure from the campaign has been linked to APT33 (aka Elfin, REFINED KITTEN), an Iranian state-sponsored cyber espionage group.
• Recipients received an email containing a fabricated job offer for an Assistant Director position with the Council of Economic Advisers.
• The email contained a malicious link designed to, when clicked, deliver a payload which would launch PowerShell code
• As of June, authorities had yet to uncover the purpose of the code or associated commands.
• APT33 has previously used malware with a destructive component, historically targeting aviation and energy organizations headquartered in the U.S., Middle East and South Korea.
• The group has been "highly active" in the past three years, according to recent assessments, and has expanded targeting to other sectors, including engineering, chemical, research, energy consultancy, finance, IT, and healthcare.
• U.S. organizations have been targeted specifically as part of supply chain attacks directed at final targets in other sectors.
• The cybersecurity consortium, Financial Services Information Sharing and Analysis Center (FS-ISAC) is encouraging its members to review the “snort” signatures associated with this campaign and available information on APT33 tactics, techniques, and procedures (TTPs).

Source: Symatec.com

U.S. warns against increasing “wiper” attacks

According to a top U.S. cybersecurity official with the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Agency, Iran has been increasing its malicious cyber activity against the U.S, which could manifest in "wiper" attacks that render computers unusable. U.S. institutions are being advised to improve basic cybersecurity defenses.

• Destructive “wiper” attacks, perpetrated by Iranian regime actors and proxies are are looking to do much more than just steal data and money, according to DHS Cybersecurity and Infrastructure Agency director,  Christopher C. Krebs.
• Common tactics include spear-phishing, password spraying and credential stuffing.
• Krebs warns that what may start as an account compromise may quickly escalate to a lost network.
• One of the most devastating wiper attacks, which the U.S. blamed on Iran, occurred against the oil giant Saudi Aramco in 2012, where malware known as Shamoon, disabled tens of thousands of workstations.
• In response to attacks against Japanese and Norwegian shipping vessels in the Persian Gulf, which the U.S. blamed on Iran, Yahoo News reported in June that the U.S. Cyber Command launched a retaliatory digital strike on an Iranian spy group that aided with the attacks — which the Washington Post reported disabled the command-and-control systems Iran uses to control rocket and missile launches.
• The strike was aimed at the Islamic Revolutionary Guard Corps, which is part of Iran's military and which the U.S. designates as being a foreign terrorist organization.
• The U.S. National Counterintelligence and Security Center has identified Iran, with China and Russia as being "the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information."

Source: BankInfoSecurity.com

Wipro breach linked to larger, multi-year, multi-target attack

Analysis conducted by the cybersecurity firm, RiskIQ, has determined that the cyberattack against Wipro, the India-based IT services outsource provider, and several of its customers, was part of a much larger, multiyear phishing campaign that involves many more companies used as jumping off points.

• The group behind the campaign, referred to as “Cardshark,” prefers to use commercially available opensource software as part of its attack as a way to cover its tracks. The group also uses PowerShell scripts to steal credentials and certificates.
• Cardshark may also be responsible for a recent breach affecting PCM, a major U.S.-based cloud solution provider, and its clients.
• According to one security expert, the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.
• RiskIQ believes the campaign is designed to target retailers, employee rewards programs and other organizations dealing in gift cards. Once they had access, the attackers used money transfer services, clearinghouses and other payment processing services to monetize the stolen data.
• The RiskIQ analysis found that the threat group appears to have started targeting victims in May 2016, carrying out at least five separate campaigns targeting companies in various sectors, including retail, gift card programs, point-of-sale and money transfer services, payment services, loyalty rewards programs, and IT vendors.

Source: BankInfoSecurity.com  

How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.