How MSPs are at risk of buffalo jumps, dark auctions, leaks, exploits, and evasions

It’s time for another usually weekly threat report. So many interesting things happened over the last week, with a few key threats catching our eye:

  • A large MSP was buffalo jumped
  • Admin access to a large MSP was auctioned
  • SBA leaked COVID-19 loan applicant data
  • Two Windows proofs of concept were released
  • Emotet learned new evasion techniques

Cognizant buffalo jumped and dark web auctions

In our recent 2020 MSP Threat Report, we discussed buffalo jumping, a new tactic for ransomware distributors to ransom a service provider and many of their customers at once. Ransomware authors can collect more money through a buffalo jump than they can with big game hunting. That makes MSPs a valuable target.

On April 18, 2020, Cognizant, one of the largest IT managed service providers in the U.S., announced that Maze ransomware impacted the company, resulting in service disruptions for some of its clients. Cognizant has begun notifying its clients of the compromise and provided a preliminary list of indicators of compromise to monitor and secure their systems. This indicates that attackers were able to access and ransom some customer systems, and Cognizant was likely buffalo jumped.

According to BleepingComputer, the Maze ransomware operators were likely present on Cognizant’s network for several weeks before the incident. After gaining administrator credentials on the targeted network, the attackers deployed the ransomware using PowerShell Empire (a post-exploitation tool we recently discussed). When contacted, the Maze ransomware operators denied the allegations behind the attack. This is standard for operators leaking data. They want to protect a client’s anonymity until that client doesn’t comply, indicating that Cognizant is potentially working to pay the ransom.

Cognizant stated they are working with cyber defense companies to contain the incident and engaged law enforcement authorities.

For recent indicators of compromise on Maze, check out McAfee’s research. Indicators include the IP addresses of servers and file hashes for the “kepstl32.dll,” “memes.tmp,” and “maze.dll” files. These filenames are known to be used in previous attacks by the Maze ransomware operators.

Buffalo jumps seem to be occurring with more frequency, and we also found another on the horizon.

Admin access to a large IT service company was auctioned recently on the dark web. The company was described as having $18B in revenue, 60 international clients, 1,200 PCs, and an unspecified number of servers. What’s missing from these numbers is the number of endpoints each of those clients had.

Access to the company’s ticket system and routers was available through RDP, VNC, and Splashtop Remote. The opening price of the auction, which closed on April 14, 2020, was $135K. The winner of the auction is unknown, but if properly ransomed, it could easily be worth over $10M. You should expect to hear about this becoming another large buffalo jump soon. This is exactly the kind of thing a crypto-rich, ransomware cyber-criminal would bid on.

COVID-19 SBA Loan Website Exposes Applicants

On March 25, 2020, the United States Small Business Administration (SBA) discovered that the personal information of 7,913 Economic Injury Disaster Loan program (EIDL) applicants might have been exposed to other applicants. There were reports from business owners that, when they tried to access the site and apply for the loans, the fields were already filled out. The SBA’s website inadvertently exposed names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship status, and insurance information.

An SBA representative stated that the affected portion of the website was disabled while they addressed the issue, with the application portal relaunching after they implemented a patch. The report did not disclose how long the information was exposed or how the vulnerability was discovered. It’s possible that hackers could have gotten in and scraped some of the information.

Letters were sent by the government agency on April 13, 2020, to notify business owners of the exposure and to offer one year of free credit monitoring services.

Windows SharePoint and GDI Exploit Examples Hit the Streets

On April 22, 2020, l33terman6000 released a proof of concept (POC) exploit targeting CVE-2020-0929 on GitHub. This is a remote code execution (RCE) POC that exploits a security flaw in Microsoft SharePoint. The script checks whether the SharePoint instance is vulnerable and runs arbitrary code. Microsoft’s latest Patch Tuesday addresses this vulnerability. Make sure to update your instance to the latest version!

On April 16, 2020, curtbraz released a proof of concept (POC) exploit targeting CVE-2020-0883 on GitHub. This exploit takes advantage of a Windows Graphics Device Interface (GDI) vulnerability. It’s a remote code execution exploit allowing threat actors to gain elevated privileges and modify the system. Microsoft’s March Patch Tuesday addresses this vulnerability.

Emotet Evolves New Evasion

On April 18, 2020, Twitter user @MalwareTechBlog (Marcus Hutchins) shared an update on the Emotet malware family that included new anti-analysis and evasion techniques.

He highlighted two evasion techniques: a control flow obfuscation method and hashbusting, or adding randomized data to each file to ensure every infection has a unique hash. The inclusion of hashbusting into the latest version of Emotet makes hash-based detections for Emotet obsolete.
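To see why hashbusting defeats an exact-hash blocklist and what a defender can match on instead, here is an added example (not from Hutchins or from Emotet analysis). It compares SHA-256 lookups with a simple byte-shingle similarity score, a simplified stand-in for fuzzy hashing. It assumes the random padding is the only difference between copies, and all inputs are constructed random bytes.

```python
import hashlib
import random

SHINGLE = 8  # window size in bytes; an assumed value for this sketch

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shingles(data: bytes, n: int = SHINGLE) -> set:
    """Every overlapping n-byte window, so matching ignores byte offsets."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def containment(known: bytes, candidate: bytes) -> float:
    """Fraction of the known sample's shingles that also occur in candidate."""
    k = shingles(known)
    return len(k & shingles(candidate)) / len(k) if k else 0.0

def padded_variant(sample: bytes, rng: random.Random) -> bytes:
    """Constructed test data: the same bytes with a run of random padding."""
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 64)))
    cut = rng.randrange(len(sample))
    return sample[:cut] + junk + sample[cut:]

def classify(candidate: bytes, known_samples, blocklist, threshold=0.9) -> str:
    """Try the exact-hash blocklist first, then fall back to similarity."""
    if sha256_hex(candidate) in blocklist:
        return "exact-hash match"
    best = max((containment(k, candidate) for k in known_samples), default=0.0)
    return "similar to known sample" if best >= threshold else "no match"

# Constructed inputs: random bytes stand in for file contents, no real malware.
_rng = random.Random(2020)
KNOWN = bytes(_rng.getrandbits(8) for _ in range(4096))
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(4096))
VARIANTS = [padded_variant(KNOWN, _rng) for _ in range(5)]
BLOCKLIST = {sha256_hex(KNOWN)}

if __name__ == "__main__":
    for v in VARIANTS:
        print(sha256_hex(v)[:16], classify(v, [KNOWN], BLOCKLIST))
    print("unrelated:", classify(UNRELATED, [KNOWN], BLOCKLIST))
```

Every padded copy gets a different SHA-256 and slips past the blocklist, yet still scores as similar to the known sample. Packing or control flow obfuscation changes the bytes themselves, so byte similarity alone would not be enough there.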

Hutchins also noted that the security company he works for, Kryptos Logic, has observed the Emotet botnet E2 deploying credential and email stealing modules. The consensus among researchers is that these changes are likely in preparation for a new campaign. Keep your wits about you.

Don’t forget to subscribe to our blog to stay up to date on all threat reports and other critical information.

Stay safe, healthy, and keep it Perchy!
-Paul