Threat Report

Wednesday June 26th 2019

This week in the threat report, we are stuck in an ongoing Iran-U.S. cyber war shooting range that is moving towards scorched Earth. But not all attackers are out for blood, after GandCrab’s recent retirement, ransomware campaigns pivot to Sodinokibi to cash in on the Bitcoin boom and score moon Lambos.

Iran targets U.S. companies in scorched Earth cyber campaign

CISA warns of an increase in cyberattacks that utilize destructive wiper tools that targets the U.S. industries and government agencies by Iranian actors. In the past, Iranian actors are known for deploying data-wiping malware via credential stuffing attacks, password spraying, and spear phishing.

Iranian actors launched waves of cyberattacks against U.S. targets amid tension between the U.S. and Iran. In this recent campaign, the threat actors are largely concerned with wiping data and causing as much damage as possible to the American economy.

An account compromise can quickly become a foothold, enabling additional attack vectors and leading to wiping all networked assets. U.S. companies have been advised to take protective measures against the actors most common practices to prevent any potential attacks.

At Perch, we’ve seen an upwards trend of activity from Iran. The dip in activity around June 20th occurred around the time of U.S. drone downing by Iran. Earlier spikes in activity appear to be around news of tougher sanctions. To confirm reports, we have seen a large increase in the Iran-U.S. cyber war.

This activity is largely focused on Remote Desktop Protocol (RDP) servers, but there is evidence of other services being targeted as well. Threat actors are hoping that by gaining access to RDP servers they will be able to harvest credentials and pivot to access other connected systems.

Increase in Iranian cyber attacks over the past thirty days

It’s not all scorched Earth with Sodinokibi

Since GandCrab’s retirement, Sodinokibi affiliates began spreading the ransomware in a wide variety of techniques such as supply chain attacks, exploit kits, and malvertising. The recent attacks were done through advertisements on the PopCash ad network that redirected users to the exploit kit based on certain conditions. The Sodinokibi campaign has been detected using the RIG exploit kit.

The exploit kit compromises vulnerable outdated software and leads to deeper infection. With the addition of exploit kits to the distribution arsenal, this ransomware is poised to be a big threat for users and organizations.

Users and organizations best defense against ransomware attacks is to have a reliable and tested backup on an offline storage device that can be restored.

High-profile ransomware infections

Recently, we’ve seen a number of cities impacted by ransomware. More than 50 cities across the United States, large and small, have been hit by ransomware attacks during the past two years.

For some cities it has meant extended loss of services, increased recovery time, and increased recovery costs. Two Florida cities in our backyard just paid out over 1.1 million dollars in ransom, which might be worth more like 1.5 million today based on Bitcoin’s recent boom in value.

Taking lessons from Baltimore and Atlanta, Riviera Beach City, FL has decided to pay the ransom.

“The Riviera Beach City Council authorized the city’s insurer to pay nearly $600,000 worth of ransom to regain access to data walled off through an attack on the city’s computer systems,” the Palm Beach Post reports.

“The city’s email and computer systems, at City Hall, the city’s Port Center offices and elsewhere, including those that control city finances and water utility pump stations and testing systems, are still only partially back online, two weeks after the ransomware attack was disclosed. But crucial data encrypted by the attackers remains beyond reach and there was no explanation of whether the city has any guarantee that the ransomers will release it if paid.”

And following in Riviera’s foot-steps, Lake City, FL has also decided to pay a $500,000 ransom rather than attempt to recover on their own.

According to a statement from Lake City, they were targeted by a malware attack known as “Triple Threat.” This ransomware program combines three different methods of attack to target network systems. As a result of this attack, many city systems were unavailable for a period of two weeks.

MSPs, not just cities, are juicy targets for ransomware

MSPs are being more frequently targeted because of their access to many other enterprises. In a recent case, a service provider for MSPs was targeted resulting in multiple MSPs and their customers being breached.

Details have been sparse although it appears that a common service provider was breached, and that service provider was able to access RMM/AV tools (WebRoot and Kaseya) for the MSPs through which they were able to deploy Sodinokibi to the endpoints.

This did not represent a vulnerability in either WebRoot or Kaseya.

Email from Webroot to their customers

Moon Lambos

As a security leader at your enterprise, it’s important to plan for disaster. If ransomware strikes do you have a plan to recover or a policy against no payment? From observing lessons learned at other organizations, it’s best to have no policies on ransomware payments so you’re free to make the best choices. Although it seems reasonable to say that you won’t pay ransoms. What’s the impact of that decision?

Booming values in Crypto currency lead to renewed interest in ransomware and miners. Watch out for all those folks chasing moon Lambos.

Moon Lambo

Paul Scott

Paul Scott
Has 6 Gold Stars
LinkedIn