Posted: 3 Min ReadFeature Stories

Symantec Security Summary – July 2020

Ransomware, Elections and Cyber Insurance

Ransomware on the rise. Russian hackers are at it again, this time trying to infiltrate the networks of 31 organizations, including eight Fortune 500 companies, to stage ransomware attacks designed to cripple their IT infrastructure.

The attackers breached the corporate networks with the intent of unleashing the WastedLocker ransomware. WastedLocker is a relatively new malware associated with Evil Corp., a cyber crime outfit once associated with the Dridex banking Trojan and BitPaymer ransomware. The attack was proactively detected and disrupted by Symantec, a division of Broadcom (NASDAQ: AVGO), using its Targeted Attack Cloud Analytics, which employs machine learning to spot activity patterns that might indicate a targeted attack. Symantec’s Threat Hunter team swooped in as back up, verifying the attack while linking it closely to publicly documented activity seen in prior WasterLocker strikes.

What to watch for. The attacks are seeded with a malicious JavaScript-based framework dubbed SocGholish, which masquerades as a software update and was tracked by Symantec to more than 150 compromised websites. Once the attackers gain access to the victim’s network, they use Cobalt Strike commodity malware in tandem with a number of living-off-the-land tools to steal credentials, escalate privileges, and move across the network in order to deploy the WastedLocker ransomware on multiple computers.

Russian hackers are at it again, this time trying to infiltrate the networks of 31 organizations, including eight Fortune 500 companies, to stage ransomware attacks designed to cripple their IT infrastructure.

The fallout. Upon further investigation, Symantec was able to confirm that dozens of U.S. newspaper websites owned by the same parent company were compromised and used by the Evil Corp. attackers to infect potential victims. The Broadcom subsidiary is now identifying tools and tactics used by the attackers to strengthen its defenses against all stages of the attack. Among the interesting, but more alarming things Symantec discovered was that the malware, deployed on common websites, looked for signs that a computer was part of a corporate or government network before infecting.

The bigger picture could be even more alarming. Officials are concerned that ransomware like WastedLocker could be a real problem leading up to and during the Nov. 3 election. According to the New York Times report on the WastedLocker campaign, the FBI has warned that ransomware attacks on county and state government networks could threaten the availability of “data on interconnected election servers” even if that isn’t the original intent of the bad actors.

There’s more where that came from. In other ransomware news, other large corporations appear to be among the latest victims of the Maze ransomware. The Maze gang claims to have stolen more than 100GB of files and has threatened to publish the information if a ransom isn’t paid.

Security researchers have also discovered a new strain of Mac ransomware called EvilQuest. The malware appears to have been found hidden inside pirated Mac software uploaded to torrent websites and online forums, tucked into a Google Software Update, in a pirated version of Mixed In Key DJ software, and slipped into a Mac security tool called Little Snitch.

* * * 

Election interference concerns mount. Just as the WastedLocker attacks portend trouble for the Nov. 3 election, this summer’s most high-profile attack aimed at Twitter is considered by many to be another warning shot. The hack seized control of well-known blue checkmark accounts for Bill Gates, Joe Biden, Barack Obama, and host of key business leaders, tweeting links to bitcoin scams. Twitter ended up shutting down verified accounts while it investigated the breach—a move, cyber security experts claim, that would be disastrous closer to election time as it could incite chaos and erode confidence in democracy and institutions right before the vote.

The Twitter hack should also be a wake-up call to organizations about the realities and risks of social engineering attacks. Twitter said an internal employee was the conduit for accessing the social network’s internal administrative tools, which provided entrée to the hackers. However, the

exploit underscores that employees continue to pose significant cyber security risks, and enterprises need to step up efforts in training and insider-threat detection and prevention to close those gaps.

* * * 

Insurance policy. One way companies are protecting themselves against the fallout from cyber security risks is by adopting cyber insurance. Cowbell Cyber, a company that deals with threats and exposure, did an analysis which found that Subject Matter Experts (SMEs), in particular, are embracing cyber insurance as part of their cyber resilience plans. According to the report, 65% of SMEs are planning to spend more on cyber insurance over the next two years compared to 58% of large companies.

SMEs believe the investment is well worth it: Forty-five percent of those surveyed believe their businesses will experience a breach over the next year, and 62% of SME respondents said that cyber insurance is well worth the protection.

Symantec Enterprise Blogs
You might also enjoy
Video
5 Min Read

WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations

Attackers were preparing to attack dozens of U.S. corporations, including eight Fortune 500 companies.

Symantec Enterprise Blogs
You might also enjoy
5 Min Read

Symantec Security Summary - June 2020

COVID-19 attacks continue and new threats on the rise

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.