Symantec Security Summary #6

Ransomware Ramps Up

Ransomware has hit the enterprise radar screen in full force with a growing number of U.S. companies coming under attack. An analysis of Security and Exchange Commission (SEC) filings found 1,139 companies calling out ransomware as a potential threat to their business last year, up from 749 in 2018. In the first weeks of May, 745 companies have already flagged ransomware as a major risk, indicating that the attack vector shows few signs of abating.

While ransomware isn’t new, it’s a relatively recent phenomenon in the enterprise. By way of comparison, just eight companies cited ransomware as part of their SEC filings in 2015. In part, the surge speaks to the growing presence of targeted ransomware groups, which have escalated attacks to encrypt an entire organization’s network.

For example, in the last month, the Maze ransomware gang claims to have breached a state-owned Bank of Costa Rica. The ransomware gang, which alleges to have stolen 11 million payment card details, said it hacked into the bank’s network in August 2019 and then again in February 2020. While they stole the payment card data in the second breach, they refrained from encrypting files because of companies were already significantly challenged by the global pandemic. Wasn’t that considerate? Still, the Maze gang blustered that they’ve made a ransom demand with the bank but have so far been unsuccessful. Now they are threatening to sell the stolen data on the dark web.

A logistics giant is also grappling with the fallout from a ransomware attack. The company said it was hit with the Nefilim malware on at least one corporate server containing information relating to past and present employees and some details on commercial agreements. Nefilim typically gives victims a week to pay a ransom or their data and documents wind up on the dark web. So far, the logistics company is not biting. Healthcare has also been a target, with a company reporting it was hit by a ransomware attack on April 11, 2020. While the company didn’t name the ransomware family used in the attack, it confirmed that attackers did steal login credentials and passwords of several current employees.

Even celebrities and their lawyers are not immune to this flavor of cyber attack. A New York law firm, which handles the private legal matters of high-powered icons like Elton John, Madonna, Lady Gaga, Barbra Streisand, and LeBron James has fallen victim to a REvil ransomware attack. The perpetrators are threatening to expose nearly 1TB of celebrity client private data unless the firm forks over a ransom in Bitcoin.

While the number of ransomware attacks are on the rise, so too are the average payment amounts. Research from Coveware revealed that average payments soared by 33% in the first quarter of 2020 compared to fourth quarter last year to hit $111,605. While the median payment held steady at around $44,000, the stepped-up average indicates there are plenty of victims willing to shell out some very large ransom payments.

Cyber Attack Smorgasbord

Ransomware isn’t the only kind of cyber attack in the news as of late.  The number of Remote Desktop Protocol (RDP) brute-force attacks significantly increased in mid-March, just around the time the global quarantines rolled out in response to the COVID-19 pandemic. While RDP has always been a factor, the number of instances picked up significantly as people began to work from home and were using RDP technology to log into networks and work-based computers remotely.  Meanwhile, the pace of brute-force attacks against Internet-facing RDP servers spiked from 200,000 a day in early March to over 1.2 million during mid-April—and that’s just in the United States.

Spear-phishing campaigns are also front and center. One cyber crime gang that’s been around since mid-2019—dubbed PerSwaysion—is reported to have successfully compromised the email accounts at top-ranked execs at more than 150 companies, according to Group-IB. Most of the group’s victims are in the financial sector and were targeted with classic spear-phishing tactics that ask recipients of an email with a clean PDF file to click on a link to view the content, which eventually tricks them into revealing their Office 365 credentials and provides access to their email data.

In another wrinkle in the phishing world, criminals have started to use Google’s anti-bot tool reCAPTCHA to hide their attacks. Researchers from Barracuda found that perpetrators are using reCAPTCHA walls to block the content of their phishing pages from being scanned by URL scanning services. Moreover, the use of a reCAPTCHA test could make the site more believable to potential victims.

North Korea Strikes Again

On the three-year anniversary of the WannaCry ransomware outbreak, US officials—which originally pinned the attacks on North Korea government-sponsored hackers—claim the Pyongyang regime is at it again.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published advisories for three malware strains it says is being used by the North Korea-sponsored Hidden Cobra group (aka Lazarus, Appleworm). In a joint alert issued by DHS CISA, the FBI and the Department of Defense (DoD), the agencies warned of tools being used to “conduct illegal activity, steal, funds, and evade sanctions.”

The three strains are:

COPPERHEDGE, a remote access tool (RAT) used in the targeting of cryptocurrency exchanges and related entities;

PEBBLEDASH, a Trojan capable of downloading, uploading, deleting, and executing files; enabling Windows CLI access; creating and terminating processes; and performing target system enumeration; and

TAINTEDSCRIBE, a modular Trojan with similar capabilities to PEBBLEDASH.

Time to Get Serious About Cyber Security Training

As hackers ramp up attacks to capitalize on the shift to remote-work prompted by COVID-19, a scary reality has emerged: The lack of serious cyber security training is making companies even more vulnerable.

A recent study found that 66% of remote workers have received no form of cyber security training in the last year with 77% confirming they are just not that concerned about security while working from home. Moreover, 61% of respondents to the Promon survey are using personal devices during remote work hours, which creates additional risks as these devices are typically less secure than corporate-issued gear.

Since the pandemic forced the global workforce to work from home whenever possible, the number and variety of cyber attacks has been on the rise. Cyber criminals are taking advantage of decreased levels of security on personal devices connecting to corporate networks and finding workarounds to initiate enterprise breaches. Wake-up call for enterprise security professionals: Time to send employees back to cyber security school even if the learning is remote.

No Escape from COVID

All across the world, research labs, companies, and governments are frantically pouring time and money into coronavirus research in the hopes of coming up with a vaccine and treatments. Yet even that ground-breaking societal work isn’t exempt from the ills of cyber hacking.

The FBI and CISA just issued a joint alert warning that groups linked to bad actors are targeting U.S. institutions to try to steal COVID-19-related data and intellectual property. The U.S. agencies said they would release technical details on the purported attacks in the next few days. CISA and the United Kingdom’s National Cyber Security Centre (NCSC) recently issued a similar joint alert, warning that hackers are using password spraying campaigns against health care and medical research organizations. The warning advised staff at those entities to change passwords and to implement two-factor authentication to reduce the threats.