Cyber Defence Report - November 2020

I wanted to talk about something other than ransomware this month but unfortunately, I can’t… As we pass through the Halloween season things appear to be getting scarier and scarier, so many organisations are currently in for a trick or treat… choosing the trick rather than the treat.

In 2019, the Maze ransomware group (more about them later) introduced a new tactic known as double extortion. This is when attackers steal unencrypted files before encrypting systems and then threaten to release them publicly if a ransom is not paid.

Now, not only are victims being extorted through the encryption of their files, but also by the risk of their data being published and causing a data breach.

This tactic was quickly adopted by other ransomware operations, who began to create data leak sites, used to publish victims' stolen files.

These data leak sites (DLS) are not hard to find and quickly show how big a problem ransomware is becoming. In fact, ransomware and Office 365 breaches have so far made up over 90% of all cyber incidents dealt with by CyberGuard’s Incident Response team in 2020.

The victims are listed on a wall of shame with details about the company, and the ability to download the first part (about 1%) of the stolen data. The Egregor group have been extremely active, and their data leak site currently runs to over 12 pages of victims.

Interestingly, a Bleeping Computer blog referred to an extract in the recently released Coveware Q3 2020 ransomware report, which stated that some ransomware gangs do not keep their promise to delete stolen data after a ransom is paid.

According to the new report, certain groups are leaking stolen data after a ransom was paid, showing fake data as proof of deletion, or even re-extorting a victim using the same data they had already been paid not to release.

  • Sodinokibi: Victims that paid were re-extorted weeks later, with threats to post the same data set.
  • Netwalker: Data posted of companies that had paid for it not to be leaked.
  • Mespinoza: Data posted of companies that had paid for it not to be leaked.
  • Conti: Fake files are shown as proof of deletion.

Maze, Sekhmet, and Egregor, which all appear to be related, were also mentioned as having a problem keeping data secret after getting paid. In a conversation with Bleeping Computer, Coveware's CEO Bill Siegel explained that as Maze grew larger, their operation became disorganised, and victims' data was mistakenly posted on the data leak site.

This is not a situation you want to find yourself in. 

In news away from ransomware…

Microsoft has released details of this month’s ‘Patch Tuesday’, including a Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-16952) and a Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898). Both are rated critical.

CISA has reported threat actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability (CVE-2020-1472) in Windows Netlogon, mentioned in our recent alert in September. This commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities during a single intrusion to compromise a network or application. CyberGuard has seen the Windows Netlogon vulnerability being used in a number of attacks against our honeypots.

Just when you thought 2020 couldn’t get any worse… 

Some Nando's customers have seen their online accounts hacked, following a credential stuffing attack.

Credential stuffing takes advantage of people reusing the same username and password combination across different accounts. Credentials stolen in one data breach are replayed against many other online services, and wherever the password was reused, the eventual match gives attackers access to that account.
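As an added illustration that is not part of the newsletter, the following Python detector flags the pattern credential stuffing leaves in authentication logs (one source address trying many distinct usernames with mostly failures), which is how a defender spots it before the bills arrive. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
import re

# Constructed sample log (not real data): timestamp, client IP, username, outcome.
# Line format is an assumption for this example.
SAMPLE_LOG = """\
2020-11-02T10:00:01 203.0.113.7 alice FAIL
2020-11-02T10:00:02 203.0.113.7 bob FAIL
2020-11-02T10:00:02 203.0.113.7 carol FAIL
2020-11-02T10:00:03 203.0.113.7 dave FAIL
2020-11-02T10:00:03 203.0.113.7 erin OK
2020-11-02T10:00:04 203.0.113.7 frank FAIL
2020-11-02T10:01:10 198.51.100.9 alice FAIL
2020-11-02T10:01:15 198.51.100.9 alice FAIL
2020-11-02T10:01:30 198.51.100.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, outcome) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def detect_stuffing(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A user fumbling their own password (198.51.100.9) hits one account and is
    not flagged; a stuffing run (203.0.113.7) walks through many breached
    username/password pairs, so the number of distinct usernames is the signal.
    Returns {ip: {"users": n, "fails": n, "compromised": [users that logged in]}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "ok": []})
    for _ts, ip, user, outcome in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        if outcome == "FAIL":
            rec["fails"] += 1
        else:
            rec["ok"].append(user)  # a hit: this account needs a password reset
    flagged = {}
    for ip, rec in per_ip.items():
        attempts = rec["fails"] + len(rec["ok"])
        if len(rec["users"]) >= min_users and len(rec["ok"]) / attempts <= max_success_ratio:
            flagged[ip] = {"users": len(rec["users"]), "fails": rec["fails"],
                           "compromised": list(rec["ok"])}
    return flagged
```

The accounts listed under `compromised` are the ones to lock and reset first; a rate limit keyed on distinct usernames per source, rather than on failures per account, catches the same pattern in real time.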

Attackers who gained access to accounts placed large orders, leaving those affected with huge bills.

Nando's has promised to reimburse affected customers and said in a statement that its own systems had not been hacked.

Thank you to Bleeping Computer, CrowdStrike Threat, Kaspersky Lab and the NCSC.

Stay Safe 
Paul Colwell, Technical Director