Firstly, I would like to apologise to Terry and all the people who waited patiently, refreshing their inboxes expecting my monthly threat report, only for it not to arrive. Unfortunately, I was again on an incident response for a company in the West Midlands, following a ransomware attack.
If this company had read my previous reports, they might not have fallen victim to this attack. There was nothing out of the ordinary about it: entry via RDP, lateral movement through the network, and then PYSA ransomware deployed across all servers and, interestingly, across PCs as well. Their current managed service provider had used the same password for domain administration and for their disaster recovery solution, which meant that the attacker was able to delete the backups.
Ransom was set at £130,000 in Bitcoin.
What was interesting was that the attacker did demonstrate to the customer that they had taken sensitive data (contracts, spreadsheets and downloaded bank statements) and threatened to release this data if they were not paid. We have discussed this change in tactic in previous reports, but this was the first time I have seen this on a live incident response.
Another interesting change in tactic is that when the customer emailed to say they would not be able to get hold of this amount of Bitcoin (it was the weekend), the cyber-criminal suggested they could provide bank details for an international money transfer. This is an extremely risky move, as it would allow the money to be tracked as it passed through the international banking system, greatly increasing their risk of either getting caught or having the money seized. This may be something we see more of. One of the big problems cyber-criminals have when they are asking for this much is the target getting hold of this amount of Bitcoin to pay. You cannot walk into a bank and purchase it, and most of the Bitcoin platforms will limit account transactions to £20k. Getting hold of 20 Bitcoin is difficult, so we might see this approach more often.
I got into big trouble from our HR Department yesterday. As part of our monthly phishing campaign we deliver simulated phishing attacks to all OGL Group companies. We (I use the word “we” lightly) sent the following email to 270 users:
Out of 270 people, 35 clicked on the attachment and enabled macros. This is a technical company whose staff have all been cyber trained and are used to being targeted.
Our HR team were not happy, mainly because they were due to send out our business continuity planning guide, updated with Coronavirus information, and they felt that this would stop people opening the real one.
I did apologise to everybody, as when we are simulating these types of attacks we do need to be sensitive to people’s fears and concerns, but a cyber attacker wouldn’t be. As you can see, 35 well-trained people fell victim to this attack. Cyber-criminals will always play on human fears and emotions to launch their attacks.
Something that did make me smile was that our main Cyber Salesman clicked! So, if you do speak to James Colwell over the next month you might want to ask him about this.
For those of you running on-premises Microsoft Exchange 2010 to 2019, Microsoft released a patch last Tuesday for CVE-2020-0688 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688. This vulnerability, present in all versions of Microsoft Exchange Server, allows an attacker with a valid set of user credentials to run code on the server as the SYSTEM account. Our Threat Intel team are reporting that proof-of-concept exploits are already on GitHub. Shodan is currently crashing, probably due to the number of searches for Exchange servers being performed. Patch this immediately... If you have patch management with OGL then this is being treated as urgent, and a detection rule for this exploit is being written by our Security Operations team.
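As an added example (not OGL’s rule and not part of the original report), here is the shape of a log-based check for CVE-2020-0688 exploitation attempts. It assumes, following the public vulnerability write-up, that an exploitation request against the Exchange Control Panel carries the ASP.NET `__VIEWSTATE`/`__VIEWSTATEGENERATOR` parameters in the URL query of an authenticated request to `/ecp/`, whereas normal ECP page loads send them in a POST body that IIS does not log; the IIS log lines below are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not from any real server).
# Field order is taken from the #Fields header, as IIS writes it.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-02-28 09:12:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.1.20 200
2020-02-28 09:13:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEPDwUK 443 CORP\\bob 203.0.113.9 500
2020-02-28 09:14:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\bob 10.0.1.33 200
2020-02-28 09:15:10 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\carol 10.0.1.40 200
"""

# Parameters that belong in a POST body, not in the query string of an ECP request.
VIEWSTATE_KEYS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR"}


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines column names
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def viewstate_in_query(row):
    """True if the request's URL query carries ASP.NET ViewState parameters."""
    query = row.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when there is no query string
        return False
    return bool(set(parse_qs(query, keep_blank_values=True)) & VIEWSTATE_KEYS)


def find_suspicious_ecp_requests(log_text):
    """Return the authenticated /ecp/ requests whose query string carries ViewState."""
    hits = []
    for row in parse_iis_log(log_text):
        if row["cs-uri-stem"].lower().startswith("/ecp/") and viewstate_in_query(row):
            hits.append({"time": f'{row["date"]} {row["time"]}', "user": row["cs-username"],
                         "client": row["c-ip"], "status": row["sc-status"]})
    return hits
```

Each hit names the credentialed account and source address, which is what the incident responder needs first: the account to reset and the host to isolate, alongside confirming the patch is applied.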