Cyber Defence Report - September 2020

Ransomware continues to be the biggest threat to many businesses, and we continue to see the evolving tactics of the large criminal gangs responsible for many of these attacks.

We are seeing new and clever ways to get initial footholds into organisations, and we are noticing more sophisticated ways of escalating privileges and evading defences. 

In August we saw a novel attempt to get malware into an organisation, this time at Tesla.

Last week the FBI released information concerning the arrest of Egor Igorevich Kriuchkov, a 27-year-old Russian citizen, who they claim was part of a group who attempted to extort millions of dollars from a company in Nevada, which has now been identified as Tesla.

According to the complaint, Kriuchkov travelled to the US in July on a tourist visa and made contact with a Russian-speaking employee at Tesla Gigafactory Nevada.

He met the employee (who remains anonymous in the complaint) several times socially, before approaching him with a proposition whereby the employee would receive payment for helping to introduce malware into Tesla’s internal computer system in order to extract corporate data and affect Tesla’s operations.

Kriuchkov claimed to be representing a group that would then demand a ransom from Tesla in exchange for not releasing the information and for stopping the disruption of its operations.

The employee was offered one million dollars to deliver the malware. He did not refuse the proposition outright, but he immediately informed Tesla, which in turn informed the FBI.

This is a threat model that few organisations have considered: the direct recruitment of an insider rather than a remote compromise. It shows the lengths these cyber criminals will go to, given the large sums of money involved in attacks of this type against large companies, and it is a strong argument for including insider recruitment in your threat model and making sure staff know how to report an approach.

The full article can be found here: https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/

It is not just large companies who are targeted. CyberGuard have attended two ransomware attacks on much smaller companies in the last five weeks.

Neither company paid, but any business must now seriously consider what effect a potential leak of its data could have.

In a bid to maximise their return on investment, major ransomware groups have escalated beyond simply encrypting a victim's files. To better ensure payment, they also exfiltrate data before encrypting it and hold that data hostage, threatening to publish it should the target restore its systems from backups rather than pay. Many of these groups now operate Dedicated Leak Sites (DLS) where stolen data is auctioned: the victim can bid to get its data back, but so can other cybercriminals. Good backups are therefore necessary but no longer sufficient, so don't expect ransomware to go away anytime soon.

More than 10,000 phishing scams are being investigated by Her Majesty's Revenue & Customs (HMRC).

HMRC does offer support for individuals and businesses coping with the COVID-19 crisis. However, its role in the programmes introduced to support businesses and people during lockdown has also made it an attractive lure for criminals to use in phishing scams.

In May alone, more than 5,000 scams were reported to HMRC by the public. This is a rise of 337% compared to March figures, when lockdown began. During the month, HMRC asked internet service providers to remove 292 scam websites to help combat the issue. It might be worth alerting your finance teams.

Stay safe. 

Paul Colwell, Technical Director