GandCrab releases decryption codes, gets to work on new ransomware
As reported in our previous Threat Intelligence article, the operators of the GandCrab ransomware, which affected half a million victims and caused hundreds of millions of dollars in losses, announced they were shutting down. In July, the FBI released a flash alert announcing the release of decryption tools for all versions of GandCrab.
- GandCrab operated under a ransomware-as-a-service (RaaS) business model: affiliates bought the right to distribute the malware and the developers kept 40% of the ransom proceeds.
- GandCrab rapidly rose to become the most prominent RaaS ransomware, estimated to hold 50% of the ransomware market share by mid-2018. Experts estimate GandCrab infected over 500,000 victims worldwide, causing losses of more than $300 million.
- In Q2 2019, the average ransom payment jumped 184 percent from the previous quarter, to $36,295.
- As with previous ransomware closures, a newer RaaS offering, Sodinokibi, has quickly moved in to fill the market share GandCrab left behind.
- Mounting evidence is pointing to the developers of GandCrab as the originators of the Sodinokibi ransomware:
- Also known as Sodin and REvil, Sodinokibi first came to light this spring; in an April 30 blog post, researchers from Cisco’s Talos division recounted observing one Sodinokibi attack that later attempted to distribute GandCrab v5.2.
- Like its predecessor, Sodinokibi has been offered to cybercriminals on dark web forums as a RaaS. Affiliates are guaranteed $10,000, with an initial cut of 60 percent rising to 70 percent after the first three payments. Unlike GandCrab, however, the developers appear to be keeping their circle of affiliates smaller and more professional.
- Sodinokibi’s developers also took a page from GandCrab by warning potential affiliates to avoid infecting people based in Syria.
- GandCrab and Sodinokibi are also similar in the ways they use strings to generate and incorporate URLs into the infection process.
Federal authorities charge Seattle-based woman in connection with Capital One data breach
A Seattle-area woman has been charged with accessing tens of millions of Capital One credit card applications after allegedly taking advantage of a misconfigured firewall. Paige A. Thompson, 33, has been charged with one count of computer fraud and abuse, according to a criminal complaint filed in federal court in Seattle.
- Thompson is accused of accessing Capital One files stored with Amazon’s cloud service between March 12 and July 17, 2019. Thompson allegedly posted information about the intrusion on the code-sharing site GitHub and on social media, which apparently led to her quick arrest.
- Capital One acknowledged the breach, stating that the incident affected approximately 100 million individuals in the United States.
- The data, some of which was encrypted or tokenized, includes 120,000 Social Security numbers and 77,000 bank account numbers.
- Capital One states that it "immediately fixed the configuration vulnerability" and began working with federal law enforcement.
- Capital One does not believe the data has been used to commit fraud or been distributed; the criminal complaint indicates that Thompson may have signaled an intent to do so before her arrest.
- According to the criminal complaint, Capital One received an email on its bug reporting address that someone had "leaked [Amazon cloud] S3 data."
- Capital One examined the material on the GitHub page, which contained three commands and a list of roughly 700 folders.
- One file contained the IP address for a specific server, which enabled access to folders or buckets of data in Capital One’s cloud storage space.
- Capital One's logs showed connections to the files from IP addresses belonging to IPredator, a Sweden-based VPN service, as well as TOR exit nodes.
- Investigators also uncovered a Meetup group in which Thompson had allegedly created a Slack channel. A review of the Slack channel showed a list of files posted by someone using the nickname "erratic," which is believed to be Thompson's Twitter handle as well.
- The Washington Post reports that Capital One anticipates a near-term cost from the breach of $100 million to $150 million.
- Associated Benefits and Risk Consulting recently posted on protecting your business from third-party cyber breach.
Phishing campaign targeting American Express designed to evade antivirus detection
Researchers have uncovered a phishing campaign targeting American Express card users. Security firm Cofense discovered the attackers had been directing users to update their accounts in an attempt to steal credentials and other account details, using a difficult-to-detect hyperlink to evade spam filters.
- The email used an embedded "base href" URL to help hide the true intent from antivirus and internet security tools.
- Seeking out as many users as possible, the campaign did not discriminate between businesses and consumers and targeted users of four types of accounts: credit card and merchant accounts, Membership Rewards accounts, and American Express @Work accounts.
- In this campaign, attackers used the HTML base tag to split the phishing URL into two pieces: the scheme and host went in the "base href" attribute, and the anchor carried only a relative path. A filter that inspects each link in isolation never sees a complete malicious URL, while a mail client resolves the two pieces into one.
- At the same time, the base URL served as the building block for the other relative URLs within the phishing message.
- Amazon Prime users were recently targeted in a similar way by a phishing kit called 16Shop.
- Researchers from Symantec found that spear-phishing emails remained the most popular attack mechanism, used by 65 percent of targeted attack groups during 2018.
- The study also noted intelligence gathering was the main focus for almost 96% of these groups.
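The following Python script is an added example, not code from the Cofense report or the campaign itself. It shows why the base-tag trick works against a simple filter: a scheme-matching scan of the message finds no complete link to the landing page, whereas a parser that resolves relative links against the first <base href>, as a mail client does, recovers the full URL. The sample message, the domain names and the allowlist are constructed for the demonstration.

```python
"""Resolve <base href>-split links in an HTML e-mail the way a client would."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample, not a message from the campaign. The phishing URL is
# split: scheme and host sit in <base href>, only the path sits in the anchor.
SAMPLE_EMAIL = """
<html><head>
<base href="http://amex-secure-update.example/">
</head><body>
<p>Your American Express card requires an update.</p>
<a href="account/verify?id=12345">Update now</a>
<img src="img/logo.png">
</body></html>
"""

# Assumed allowlist for the demo; a real deployment would load the
# organisation's known-good sending domains.
LEGIT_DOMAINS = {"americanexpress.com"}

# Attributes that carry a fetchable or clickable URL, per tag.
LINK_ATTRS = {"a": "href", "area": "href", "form": "action", "img": "src"}


class BaseAwareLinkExtractor(HTMLParser):
    """Collects each link as written and as a browser would resolve it."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.raw = []
        self.resolved = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            # Browsers honour only the first <base> element in a document.
            if self.base is None and a.get("href"):
                self.base = a["href"]
            return
        attr = LINK_ATTRS.get(tag)
        target = a.get(attr) if attr else None
        if target:
            self.raw.append(target)
            # urljoin against the base turns "account/verify" into a full URL;
            # with no base it leaves the fragment as-is, which is all a
            # per-link filter gets to see.
            self.resolved.append(urljoin(self.base or "", target))


def extract_links(html):
    """Return (base_href, links_as_written, links_as_resolved)."""
    p = BaseAwareLinkExtractor()
    p.feed(html)
    p.close()
    return p.base, p.raw, p.resolved


def naive_urls(html):
    """What a filter that only looks for scheme-prefixed strings would find."""
    return re.findall(r"https?://[^\s\"'<>]+", html)


def suspicious_links(html, legit_domains=LEGIT_DOMAINS):
    """Resolved links whose host is outside the allowlist, noting how each was hidden."""
    _, raw, resolved = extract_links(html)
    findings = []
    for as_written, url in zip(raw, resolved):
        host = (urlparse(url).hostname or "").lower()
        if not host:  # still relative: no base tag, nothing to click through to
            continue
        trusted = host in legit_domains or any(host.endswith("." + d) for d in legit_domains)
        if not trusted:
            findings.append({"as_written": as_written, "resolved": url,
                             "host": host, "split_via_base": as_written != url})
    return findings


if __name__ == "__main__":
    print("naive filter sees:", naive_urls(SAMPLE_EMAIL))
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

The naive scan returns only the base URL with no path, so a rule keyed on the landing-page path never fires; the base-aware extractor produces the same URL the victim's mail client would open. The practical lesson is to resolve links before matching them, and to treat any message whose clickable links only become absolute through a <base> tag as worth a closer look.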
Third-party breach puts Sprint customers at risk of mobile attacks
Sprint recently notified customers of a data breach affecting an undisclosed number of its network users. Hackers gained access to customers’ online accounts and were able to see all of the data visible in those accounts.
- Sprint did not reveal the nature of the attack beyond stating that the accounts were accessed through a public-facing website belonging to its partner, Samsung.
- Since the accounts did not include credit information or Social Security numbers, Sprint claimed the breach did not create “a substantial risk of fraud or identity theft.” However, enough personally identifying information was exposed to cause concern, including names, phone numbers, addresses, subscriber account and billing numbers, PINs, and device information such as device type and device ID.
- The compromised information could be used in SIM swap attacks, a form of social engineering in which an attacker takes over a victim’s phone and accounts by convincing the carrier to switch the victim’s phone number to the attacker’s SIM card.
- Attackers can then use the victim’s phone account to intercept SMS (text) authorization codes used for banking and other sensitive accounts. Attackers can also use the compromised account to manipulate carrier settings so they can read and compose messages without ever touching the victim’s handset, and may even be able to use carrier services to secretly track a victim and view call and text message logs.
Cyber Command warns users to patch Outlook vulnerability
The U.S. military is warning users to patch Outlook to prevent Iranian state-sponsored hackers from exploiting a 2017 vulnerability.
- U.S. Cyber Command has issued an alert recommending that Outlook users patch their systems immediately, alleging that state-sponsored attackers are taking advantage of a vulnerability to plant malware on government networks.
- CVE-2017-11774 is a security bug discovered and documented by researchers at the cybersecurity consulting firm SensePost. It involves Outlook's folder "home page" feature: an attacker who can set a folder's home page to a URL they control can break out of the Outlook sandbox and run code on the underlying operating system.
- Microsoft patched the flaw in October 2017; however, users who are not current on their security updates may still be vulnerable.
- The attacks have been linked to Advanced Persistent Threat 33 (APT33), a group of hackers that, according to the cybersecurity firm FireEye, is working “at the behest of the Iranian government.”
New report reveals employee weak points in cybersecurity
A new State of the Phish report from the cybersecurity firm Proofpoint analyzes data from nearly 130 million cybersecurity questions, giving employers insight into employee knowledge levels across 14 categories, 16 industries, and more than 20 department classifications. Key findings include:
- Users struggled with questions on mobile device encryption, protecting personally identifying information (PII), distinctions between private and public data, and actions to take following a suspected physical security breach.
- Categories with the highest percentage of wrong answers included "identifying phishing threats" (25%), "protecting data throughout its lifecycle" (25%), "compliance-related cybersecurity directives" (24%), and "protecting mobile devices and information" (24%).
- Categories with the fewest wrong answers included "avoiding ransomware attacks" (11% wrong), "passwords and account authentication" (12% wrong), and "unintentional and malicious insider threats" (13% wrong).
- 83% of global organizations experienced phishing attacks in 2018.
- Communications was the best performing department, with end users correctly answering 84% of questions.
- Finance was the best performing industry, with end-users answering 80% of all questions correctly.
- End users in the insurance industry delivered the best performance in three of the 14 categories analyzed, performing especially well on “avoiding ransomware attacks” questions.
- Customer service, facilities, and security (including both physical security and cybersecurity) were among the worst performing departments, incorrectly answering an average of 25% of the cybersecurity questions asked.
- End-users in the education and transportation industries struggled the most, incorrectly answering an average of 24% of questions across all categories.
- Hospitality employees scored the lowest in three categories, incorrectly answering 22% of questions in the “physical security risks” category.
Evite reports data breach, 101 million users exposed
A data breach monitoring service has reported a database dump of more than 100 million Evite users whose information was exposed when attackers gained unauthorized access to the digital invitation company’s servers.
- In May 2019, Evite posted a data incident notice disclosing that an unauthorized third party had gained access to its servers starting on February 22, 2019 and was able to access members' personal data.
- No financial information or Social Security numbers were part of the breach.
- At the time the incident was reported, approximately 10 million Evite accounts were being sold on an online underground marketplace by a seller using the handle "gnosticplayers," well known for selling other large collections of breached data.
- According to a database received by the data breach monitoring service, the number of exposed users is allegedly much larger.
- In April 2019, Evite identified a data breach of their systems. Upon investigation, they found unauthorized access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to invitation recipients. Evite account holders also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed.
- The original leaked database was being sold on the underground market Dream Market, which has since been shut down; it is not currently known if or where the larger database is being sold online.
New indirect tactic targeting finance departments
A new business email compromise (BEC) tactic has been identified, targeting customers by phishing for outstanding invoices from accounting department employees.
- The attackers have been posing as the CEO of targeted companies and requesting information from employees on invoices that are overdue for payment in the form of an “aging” report.
- Name deception and free email accounts were used in an attempt to deceive company employees into following up on their demand for company records.
- BEC attacks typically attempt to scam financial department employees into sending payments to an attacker’s bank account. The indirect approach here is what makes this new tactic so unusual.
- Researchers with email security firm, Agari, responded to intercepted emails by sending a fake aging report. The attackers then asked for a list of customers, their debts and email addresses.
- Armed with this information, the attacker then can create a credible email assuming the identity of an employee on the finance team and request payment for the outstanding balance, often offered at a “discount” to ensure the victim takes the bait.
- BEC scams were the cybercrime with the highest reported total losses during 2018, with victims losing over $1.2 billion according to the FBI Internet Crime Complaint Center (IC3) Internet Crime Report published in April.
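The aging-report lure relies on two sender tells the item above names: an executive's display name paired with a free webmail address, and a request to reply to that address. The Python script below is an added example, not Agari's tooling, showing how a mail gateway can score those tells separately from the lure wording. The company domain, the executive roster and both sample messages are constructed for the demonstration.

```python
"""Flag executive-impersonation mail: trusted display name, untrusted sender."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the demo: the company's domain, a hypothetical executive
# roster keyed by display name, and common free webmail domains.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Phrases typical of the aging-report lure; these are content hints only.
LURE_TERMS = ("aging report", "overdue invoice", "outstanding invoice", "past due")

# Constructed messages, not the intercepted e-mails Agari analysed.
BEC_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <ceo.jane.doe@outlook.com>
To: ap@example.com
Subject: Aging report

Please send me the current AR aging report with customer contact details.
I'm travelling, so reply to this address.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Aging report

Attaching the aging report we discussed in the finance meeting.
"""


def _normalize(name):
    return " ".join(name.lower().split())


def analyze(raw_message):
    """Return sender and content findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    domain = from_addr.rpartition("@")[2]

    sender_flags = []
    expected = EXECUTIVES.get(_normalize(display_name))
    if expected and from_addr != expected:
        sender_flags.append(
            f"display name '{display_name}' matches an executive but sender is {from_addr}")
    if domain in FREE_MAIL:
        sender_flags.append(f"sender domain {domain} is a free webmail provider")
    elif expected and domain != COMPANY_DOMAIN:
        sender_flags.append(f"executive name used from external domain {domain}")
    if reply_to and reply_to != from_addr:
        sender_flags.append(f"Reply-To {reply_to} differs from From {from_addr}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    content_flags = [term for term in LURE_TERMS if term in text]

    # Lure wording alone is normal finance traffic; sender anomalies decide.
    return {"from": from_addr, "sender_flags": sender_flags,
            "content_flags": content_flags, "suspicious": bool(sender_flags)}


if __name__ == "__main__":
    for sample in (BEC_SAMPLE, LEGIT_SAMPLE):
        print(analyze(sample))
```

The design choice worth copying is that the verdict hinges on the sender checks, not the subject line: a genuine finance team asks for aging reports every week, so keying a block on the phrase would generate constant false positives, whereas an executive's name on a webmail domain with a mismatched Reply-To almost never happens legitimately.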
Business email compromise costs companies $300 million a month
According to an analysis by the U.S. Treasury Department’s Financial Crimes Enforcement Network, business email compromise (BEC) scams cost U.S. companies more than $300 million a month.
- Released in July, the analysis found that the number of reported BEC scams increased to 1,100 per month in 2018, double the monthly incident rate in 2016.
- The increasing number of BEC incidents means scammers are making more money, costing businesses an average total of $301 million in fraud per month in 2018, up from $110 million in 2016.
- The overall financial impact of BEC scams described by the Treasury Department, is much higher than earlier estimates from the FBI.
- U.S. construction and manufacturing industries have been especially hard hit by BEC scams, accounting for a quarter of all reported incidents in 2018. Commercial services, including shopping centers, entertainment facilities and lodging, and real estate have also seen significant increases.
- BEC scams are evolving and giving way to scammers imitating vendors or passing along authentic-looking invoices or work orders in an attempt to collect fraudulent payments.
- Fake invoices are a popular attack method well beyond BEC; malware phishing attacks often use fake invoices to trick unsuspecting users and steal passwords, which may then lead to BEC attacks.
Contractor scammed company with faulty spreadsheets
A former Siemens contractor has pleaded guilty to planting logic bombs inside spreadsheets he created for the company. Contracted to develop spreadsheets for the industrial technology company, the contractor rigged them to fail in an attempt to generate more billable service hours.
- According to court documents, David Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years.
- The spreadsheets included custom scripts that would update the content of the file based on information stored in other, remote documents, allowing the company to automate inventory and order management.
- The spreadsheets, which had worked fine for years, started malfunctioning around 2014.
- Tinley had planted so-called "logic bombs" that would trigger after a certain date, and crash the files. Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee.
- The scheme lasted for two years, until May 2016, when Siemens employees were given administrative passwords to the spreadsheets to override the bugs and fill an urgent order while the contractor was out of town.
- In September 2018, an Atlanta man was sentenced to two years in prison for planting a logic bomb on one of the U.S. Army's payroll databases that resulted in 17 days of delay in Army Reserve pay.
Phishing “templates” make it easy for average attackers to launch a phishing campaign
New criminal sites are being developed to provide Phishing-as-a-Service (PhaaS) including low-cost phishing kits and hosting allowing attackers with little technical knowledge to easily start phishing campaigns.
- Instead of requiring attackers to hack into servers to host landing pages and develop their own phishing kits, PhaaS sites offer a variety of pre-made phishing landing pages along with a month of site hosting.
- The phishing templates include Sharepoint, Office 365, LinkedIn, OneDrive, Google, Adobe, Dropbox, DocuSign, and many more, ranging in price from $30 to $80, and include one month of hosting for the page.
- As Phishing-as-a-Service sites drive the growth of phishing campaigns, users and security software have become better at detecting them. In response, threat actors have had to come up with more innovative methods to get people to click on the enclosed links and to evade detection, including a recent uptick in email notifications of account deletions, undelivered messages, and fake voicemails.
- 87% of the phishing campaigns are now utilizing evasion techniques to try and bypass detection.
- Evasion techniques are especially common on landing pages that attempt to steal credentials for Microsoft services such as Microsoft Accounts, OneDrive, Outlook, and Office 365.
Georgia city falls victim to $800,000 BEC scam
The city of Griffin, Georgia, recently fell victim to a business email compromise (BEC) attack in which scammers redirected two transactions totaling $800,000 to their own bank accounts.
- Following a standard BEC attack, the attackers used a phishing email to convince a finance department official into wiring a payment to their account instead of a legitimate vendor expecting to receive those funds.
- Posing as a water treatment facility used by the city, attackers sent an email to the official requesting an account change. Failing to scrutinize the sender’s address, the official took the bait and provided the information.
- The two transactions went through a week apart in late June. It was only discovered later that the email address used was not the vendor’s.
FTC issues its largest fine ever in a settlement with Facebook
After a lengthy investigation, the U.S. Federal Trade Commission (FTC) voted to levy a $5 billion fine against Facebook, according to the Washington Post and the Wall Street Journal, the largest fine ever issued by the FTC.
- The FTC voted 3-2 to approve the settlement, with three Republican members voting in favor and the two Democratic members voting against it, according to the news reports. The U.S. Justice Department must approve any final settlement.
- None of the conditions of the settlement restrict Facebook’s ability to collect and share data with third parties.
- The fine is half a billion dollars shy of the tech giant’s $5.5 billion in first-quarter profits in 2019. The company had set aside $3 billion of those earnings in anticipation of a fine.
- The FTC and Facebook had been negotiating a settlement for months over whether the social network violated a 2012 agreement with the agency. The FTC investigation was launched in March 2018 as a result of the Cambridge Analytica controversy, in which the voter-profiling firm improperly obtained profile data on 87 million Facebook users without their consent.
- The reported fine ups the risks for tech companies as regulators around the world are increasing their scrutiny of data management practices.
How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.