Symantec Security Summary - November 2020
Ransomware, Post-Election Cyber Drama and More
Post-election cyber drama. For weeks, the cyber security ecosystem had been razor-focused on staving off potential election-related breaches and voting interference. But all the while, bad actors have remained hard at work launching pervasive strikes across industries and threat vectors.
The hospitality industry, already battered by COVID-19 restrictions, became the target of newly discovered backdoor malware hunting for sensitive customer and transaction information. The ModPipe malware, discovered by researchers at ESET, takes aim at point of sale (POS) devices running Oracle Micros Restaurant Enterprise Series (RES) 3700 management software, which is actively in use by thousands of hotels and restaurants. ModPipe stands out for its downloadable modules, including one, GetMicInfo, which, instead of conventional keylogging or credit card skimming, employs an algorithm to gather passwords by decrypting them from Windows registry values. While researchers don’t suspect ModPipe is stealing payment card numbers, due to encryption standards, it is capable of accessing database contents, including system configuration, status tables, and some POS transactional data.
Hacker-for-hire has global reach. A group of APT mercenaries (dubbed CostaRicto) is targeting victims across the globe with customized malware along with complex VPN proxy and SSH tunneling capabilities. Active since late 2019, this for-hire group has attacked organizations across the globe but has concentrated its efforts on victims in South Asia, particularly India, Bangladesh, and Singapore. Worrisome news for security managers: This group goes to great lengths to avoid detection, with only binaries appearing in-memory, which makes it harder for antivirus and EDR products to keep up.
Texas drivers received a cyber security wake-up call. A provider of insurance software revealed that an unauthorized third party accessed the personal information of more than 27 million drivers in the Lone Star State. Apparently, the breach took place between March and August, when three data files were inadvertently stored in an unsecured external storage service. The files reportedly contained information on driver’s licenses issued before February 2019, and the exposed data included Texas driver license numbers, names, dates of birth, addresses and vehicle registration histories. The relevant authorities have been notified and there is a pending investigation.
In the “is nothing sacred” category, a Finnish psychotherapy clinic reports that it has been hit with extortion attempts after hackers stole patient therapy notes and leaked them on the dark web. The company, with locations across Finland, said the incident happened as early as November 2018, but the attackers didn’t make contact until this September. While few details about the incident are known, reports say the perpetrators initially sought a payment equivalent to around $531,000 to protect approximately 40,000 patient records. The company originally declined to pay up, but when the attackers began posting individual patient records on the dark web and soliciting victims to pay to have their personal information taken down, the company stepped up and reported the incident. The authorities in Finland continue to investigate.
Ransomware attacks linked back to Iran? Two recent ransomware campaigns that targeted Israeli companies involving the Pay2Key and WannaScream ransomware families have been traced back to Iran. The attacks, which began in October and intensified this month, targeted corporate networks and led to the theft of company data and file encryption. Researchers tracked several payments made by victimized Israeli companies to Excoino, a cryptocurrency exchange based in Iran. The latest reports follow on the heels of a warning by the Cybersecurity and Infrastructure Security Agency and FBI earlier in the fall of an Iran-based malicious cyber actor that’s been targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. More recently, the FBI announced that it had seized 27 domains on the day of the Presidential Election that it said were being used to mount Iran-backed disinformation campaigns. The domains were linked to Iran’s Islamic Revolutionary Guard.
Speaking of ransomware, ransomware gangs such as Ryuk have been leveraging the Emotet botnet to gain access to new victims. The resulting sharp increase in Emotet spam campaigns has led to fears of a surge in ransomware attacks. Indeed, one recent report found a 1,200% increase in Emotet detections between July and September compared to the previous three months. At Symantec, a division of Broadcom (NASDAQ: AVGO), we’ve also watched a sharp rise in Emotet activity. Detections of Emotet malware increased fourfold between June 2020 and September. A large proportion of Emotet campaigns are blocked at the antispam level, meaning the true increase could be even higher than commonly believed. Enterprises need to remain vigilant: Ransomware attackers have been moving away from their usual spray-and-pray tactics and are targeting businesses to maximize potential payments.
Even the gaming world was not exempt from the latest spate of attacks. A popular online virtual playground suffered a data breach that impacted 46 million accounts. Aimed at children between the ages of 7 and 11, the online site has over 300 million animal avatars created by kids and a new player registering every 1.4 seconds. On November 10, a hacker shared a pair of the company’s databases for free on a hacker forum, and a well-known hacking group, ShinyHunters, reportedly got their hands on the stolen data. Based on a preliminary investigation, it looks like the parent company’s AWS key was obtained after compromising the firm’s Slack server. The attack netted the hackers user names, SHA1-hashed passwords, and, more significantly, 7 million email addresses of parents whose children had registered for accounts, along with the IP addresses used at sign-up.
On the flip side, it’s not all bad news. In fact, it looks like there’s a year-over-year reduction in the cyber security workforce gap, reversing the recent trend. According to (ISC)² research, a rising number of cyber security professionals coming into the field, coupled with uncertain demand due to the economic impact of COVID-19, have coalesced to grow the number of people currently working in the field to 3.5 million, about 25% over last year’s estimated workforce. The research indicates a corresponding decrease in the global workforce shortage, down to 3.12 million from the 4.07 million shortage reported last year. Even with those improved numbers, experts say the field still needs to grow about 41% in the United States (and 89% worldwide) in order to meet enterprise needs.
Predictions for 2021: The Past is Prologue
There is a single word that describes the threat landscape in 2020. Ransomware. There has been no bigger threat to a business or organization, or anything quite as profitable for cyber criminals in 2020. So, will that be the biggest threat in 2021? What else should security professionals be worried about?