The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Ransomware DDoS strikes again. Extortion schemes centered on DDoS attacks return.
- Back to school for ransomware. A number of schools and universities in both the US and UK have been impacted by ransomware attacks, coinciding with the start of the new academic year.
- In other stories this week, Emotet continues to thrive, Thanos ransomware becomes deadlier, and more is revealed about US attempts to keep vaccine research secure from hackers.
Phishing: A Resurgence of Emotet
- After a five-month decrease in the frequency of Emotet phishing attacks, Emotet has resurged in recent weeks. In one case, a European company in the healthcare and pharmaceuticals sector was infected by Emotet via a phishing email.
- One of the prominent dangers associated with Emotet malware is its involvement in Ryuk ransomware cases, where Emotet partners with a second banking trojan, TrickBot, to deliver and execute the Ryuk payload.
So what for security teams? The threat posed by Emotet to organisations typically declines over the May-September period, before revamping during September as observed in September 2018 and September 2019. In the last two weeks, the frequency of Emotet-laden phishing campaigns has increased significantly. The type of infection vector has not changed, and so security teams should continue to monitor for Emotet attacks, including monitoring for emails containing malicious links or macro-embedded attachments, SSL connections to external IP addresses, connection attempts over SMB port 445, and kernel crashes on devices.
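The network-layer indicators listed above (SMB connection attempts over port 445 and SSL/TLS connections to external IP addresses rather than hostnames) can be turned into a simple log check. The script below is an added illustration, not part of the briefing or any vendor tooling; it runs over a constructed, Zeek-style newline-delimited JSON connection log and assumes the organisation's internal ranges are the RFC 1918 networks.

```python
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed sample connection log (not from the briefing): one JSON record
# per line with timestamp, source, destination, port, protocol and TLS SNI.
SAMPLE_LOG = """\
{"ts":"2020-09-10T09:01:02Z","src":"10.0.5.21","dst":"10.0.5.10","dport":445,"proto":"tcp","sni":null}
{"ts":"2020-09-10T09:01:07Z","src":"10.0.5.21","dst":"203.0.113.77","dport":445,"proto":"tcp","sni":null}
{"ts":"2020-09-10T09:02:15Z","src":"10.0.5.21","dst":"198.51.100.9","dport":443,"proto":"tcp","sni":null}
{"ts":"2020-09-10T09:02:40Z","src":"10.0.5.22","dst":"203.0.113.200","dport":443,"proto":"tcp","sni":"example.com"}
{"ts":"2020-09-10T09:03:01Z","src":"10.0.5.22","dst":"192.0.2.8","dport":8443,"proto":"tcp","sni":"192.0.2.8"}
"""

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TLS_PORTS = (443, 8443)


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(record: dict) -> Optional[str]:
    """Label a connection record with an Emotet-style indicator, or None."""
    if record.get("proto") != "tcp" or not is_external(record["dst"]):
        return None
    if record["dport"] == 445:
        return "smb-445-to-external"          # SMB lateral/outbound attempt
    if record["dport"] in TLS_PORTS:
        sni = record.get("sni")
        if not sni:
            return "tls-to-external-ip-no-sni"  # TLS straight to an IP
        try:
            ipaddress.ip_address(sni)           # SNI is an IP literal, not a name
            return "tls-to-external-ip-literal-sni"
        except ValueError:
            return None                         # ordinary hostname-based TLS
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, label) for every flagged record."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            label = classify(rec)
            if label:
                hits.append((rec["ts"], rec["src"], label))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```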
Ransomware: Thanos increases destructive capability
- On 8 September, security researchers observed a new variant of Thanos ransomware which is far more aggressive and destructive than previous strains.
- This latest variant has been designed to overwrite the master boot record (MBR), which means a user will not be able to launch Windows when starting up their machine. Instead, the infected device will display the ransom note upon start-up.
So what? While ransomware strains continue to multiply and diversify, we have not observed this type of technique in many ransomware attacks. Overwriting the MBR is not a common feature of ransomware attacks because it makes it much more difficult for a victim to recover from the attack, lowering the likelihood of payment. As such, this new strain of Thanos ransomware may be an advanced persistent threat (APT) actor disguising themselves as a financially motivated cyber-criminal group. Examples of ransomware which overwrites the MBR and is linked to state-sponsored groups include the NotPetya global cyber-attack in 2017.
Ransomware: Attacks continue against British universities
- Two universities in the north-east of England, Newcastle and Northumbria, were the victim of suspected ransomware attacks in the past two weeks.
- The cyber security incident at the University of Northumbria has resulted in the university closing its campus for over a week and rescheduling examinations; however, it has not confirmed whether this attack involved data theft.
- In the second attack, which took place on 30 August, the University of Newcastle was infected by ransomware which took most of the university’s systems offline, except for Office 365 applications and a virtual learning environment.
- A notorious cyber criminal group, DoppelPaymer, has claimed responsibility for the incident and has begun posting documents it claims are stolen from affected servers to its dedicated Doppel Leaks site.
So what? Both incidents are representative of the current threat environment in the UK and elsewhere, as financially motivated cyber-criminals have been increasingly focusing on the education sector. The sector is an attractive target for several reasons: universities have very large digital footprints, which increases the attack surface, and educational institutions typically do not have the security budget of organisations in other sectors, so they cannot invest in defensive technology on a similar scale. Furthermore, educational institutions service a large number of customers, or students, and are under commercial pressure to ensure uptime for staff and students. The most recently available data indicates that a third of UK universities have been attacked with ransomware in the past decade.
Cyber battles for a vaccine
- There have been numerous accounts over the last few months of state-sponsored actors using their cyber toolkit to glean research on a COVID-19 vaccine. New reporting details how the US government has worked to defend vaccine research from hacking under “Operation Warp Speed”. The research shows that US government defense of a potential COVID-19 vaccine is not only focused on the pharmaceutical companies developing a vaccine, but also on the rest of the supply chain, encompassing those organisations working on manufacture and distribution planning.
- Protecting research into a vaccine from hackers is one thing; ensuring deployment of a vaccine is not impacted by cyber threat actors will soon become another priority. The Centre for Security Studies (CSS) has considered the threat of information operations to vaccine deployment. The research highlights that influence attempts could disrupt efforts to effectively and securely deploy a vaccine.
So what for security teams? Any organisation involved in COVID-19 research and patient trials should continue to remain on high alert for attempts to overcome their network defenses. Actors behind such attacks are likely to be highly sophisticated, given their state-sponsored nature, but in all likelihood will leverage well-known tricks of the trade, in particular social engineering / phishing tactics.
So what for leadership? Leadership teams of organisations involved in vaccine research must recognise the heightened threat landscape their organisation is facing and realign resources to appropriately protect this research from hackers.
RDoS attacks reignite
- Extortionist DDoS attacks – or Ransom Denial of Service (RDoS) attacks – have made a recent comeback. Beginning in August, a number of high-profile victims were threatened with DDoS attacks, if no ransom was paid, by actors claiming to be associated with notorious state-sponsored groups such as Fancy Bear and Lazarus Group. While RDoS attacks are certainly not a new phenomenon, they appear to have enjoyed a recent resurgence. Analysis of tactics, techniques, and procedures indicates the extortion is coming from scammers impersonating the notorious hacking groups in order to scare victims into payment.
- The FBI has issued an alert warning that organisations in the retail, financial, travel, and e-commerce industries are being targeted by this new wave of RDoS campaigns.
So what for security teams? The recent RDoS attacks highlight the importance of technical controls designed to protect business-critical systems that have a high-availability requirement, in order to mitigate such attacks. This might include business continuity planning, a web application firewall, and a primary and a secondary internet service provider.
So what for leadership? Leadership teams in the retail, financial, travel, and e-commerce industries should take heed of the recent wave of RDoS attacks and ensure security teams have the resources to put procedural and technical controls in place.
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.
Emotet command and control servers to monitor for:
Thanos – SHA256 hashes:
‘Defense in depth: The resurgence of Emotet, as seen in the email and network layers’, Darktrace, 26 August 2020.
‘Thanos ransomware tries to overwrite Windows master boot record’, CyberWire, 8 September 2020.
‘DoppelPaymer ransomware hits Newcastle University, leaks data’, Bleeping Computer, 7 September 2020.
‘How the government is keeping hackers from disrupting coronavirus vaccine research’, CyberScoop, 8 September 2020.
‘Information Battleground: Vaccines’, Center for Security Studies – ETH Zurich, 1 September 2020.
‘Ransom demands return’, Akamai, 24 August 2020.
‘FBI: Thousands of orgs targeted by RDoS extortion campaign’, Bleeping Computer, 3 September 2020.
‘Emotet 03/09/2020’, Pastebin, 3 September 2020.
‘Indicator of compromise for Thanos ransomware’, Edison New World, 11 June 2020.