
Cyber Threat Intelligence Briefing: 11 September 2020

Tyler Oliver, Mona Damian 11 September 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders


The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Ransom DDoS strikes again. Extortion schemes centred on DDoS attacks return.
  • Back to school for ransomware. A number of schools and universities in both the US and UK have been impacted by ransomware attacks, coinciding with the start of the new academic year.
  • In other stories this week, Emotet continues to thrive, Thanos ransomware becomes deadlier, and more is revealed about US attempts to keep vaccine research secure from hackers.

SECURITY ROUND-UP

Phishing: A Resurgence of Emotet
  • After a five-month decrease in the frequency of Emotet phishing attacks, Emotet has resurged in recent weeks. In one case, a European company in the healthcare and pharmaceuticals sector was infected by Emotet via a phishing email.[1]
  • One of the prominent dangers associated with Emotet malware is its involvement in Ryuk ransomware cases, where Emotet partners with a second banking trojan, TrickBot, to deliver and execute the Ryuk payload.

So what for security teams? The threat posed by Emotet to organisations typically declines over the May-September period before ramping up again in September, as observed in September 2018 and September 2019. In the last two weeks, the frequency of Emotet-laden phishing campaigns has increased significantly. The infection vector has not changed, so security teams should continue to monitor for Emotet activity, including emails containing malicious links or macro-embedded attachments, SSL connections to external IP addresses, connection attempts over SMB port 445, and kernel crashes on devices.

Ransomware: Thanos increases destructive capability
  • On 8 September, security researchers observed a new variant of Thanos ransomware which is far more aggressive and destructive than previous strains.
  • This latest variant has been designed to overwrite the master boot record (MBR), which means a user will not be able to launch Windows when starting up their machine. Instead, the infected device will display the ransom note upon start-up.[2]

So what? While ransomware strains continue to multiply and diversify, we have not observed this type of technique in many ransomware attacks. Overwriting the MBR is not a common feature of ransomware attacks because it makes it much more difficult for a victim to recover from the attack, lowering the likelihood of payment. As such, this new strain of Thanos ransomware may be an advanced persistent threat (APT) actor disguising itself as a financially motivated cyber-criminal group. Examples of MBR-overwriting malware linked to state-sponsored groups include the NotPetya global cyber-attack in 2017.

Ransomware: Attacks continue against British universities
  • Two universities in the north-east of England, Newcastle and Northumbria, were the victim of suspected ransomware attacks in the past two weeks.
  • The cyber security incident at the University of Northumbria has resulted in the university closing its campus for over a week and rescheduling examinations; however, it has not confirmed whether the attack involved data theft.
  • In the second attack that took place on 30 August, the University of Newcastle was infected by ransomware which took offline most of the university’s systems except for Office 365 applications and a virtual learning environment.
  • A notorious cyber criminal group, DoppelPaymer, has claimed responsibility for the incident and has begun posting documents it claims are stolen from affected servers to its dedicated Doppel Leaks site.[3]

So what? Both incidents are representative of the current threat environment in the UK and elsewhere, where financially motivated cyber-criminals have been increasingly focusing on the education sector. It is an attractive target for several reasons: universities have very large digital footprints, which increases the attack surface; educational institutions typically do not have the security budgets of organisations in other sectors and so cannot invest in defensive technology on a similar scale; and they service a large number of customers, or students, and are under commercial pressure to ensure uptime for staff and students. The most recently available data indicates that a third of UK universities have been attacked with ransomware in the past decade.

Cyber battles for a vaccine
  • There have been numerous accounts over the last few months of state-sponsored actors using their cyber toolkit to glean research on a COVID-19 vaccine. New reporting details how the US government has worked to defend vaccine research from hacking under “Operation Warp Speed”.[4] The research shows that US government defense of a potential COVID-19 vaccine is not only focused on the pharmaceutical companies developing a vaccine, but also on the rest of the supply-chain, encompassing those organisations working on manufacture and distribution planning.
  • Protecting research into a vaccine from hackers is one thing; ensuring that deployment of a vaccine is not impacted by cyber threat actors will soon become another priority. The Centre for Security Studies (CSS) has considered the threat of information operations to vaccine deployment.[5] Its research highlights that influence attempts could disrupt efforts to effectively and securely deploy a vaccine.

So what for security teams? Any organisation involved in COVID-19 research and patient trials should continue to remain on high alert for attempts to overcome their network defenses. Actors behind such attacks are likely to be highly sophisticated, given their state-sponsored nature, but in all likelihood will leverage well-known tricks of the trade, in particular social engineering / phishing tactics.


So what for leadership? Leadership teams of organisations involved in vaccine research must recognise the heightened threat landscape their organisation is facing and realign resources to appropriately protect this research from hackers.

RDoS attacks reignite
  • Extortionist DDoS attacks – or Ransom Denial of Service (RDoS) attacks – have made a recent come-back. Beginning in August, a number of high-profile victims were threatened with DDoS attacks unless a ransom was paid, by actors claiming to be associated with notorious state-sponsored groups such as Fancy Bear and Lazarus Group. While RDoS attacks are certainly not a new phenomenon, they appear to have enjoyed a recent resurgence. Analysis of tactics, techniques, and procedures indicates that the extortion is coming from scammers impersonating the notorious hacking groups in order to scare victims into payment.[6]
  • The FBI has issued an alert warning that organisations in the retail, financial, travel, and e-commerce industries are being targeted by this new wave of RDoS campaigns.[7]

So what for security teams? The recent RDoS attacks highlight the importance of technical controls designed to protect business-critical systems with high-availability requirements, in order to mitigate such attacks. These might include business continuity planning, a web application firewall, and primary and secondary internet service providers.


So what for leadership? Leadership teams in the retail, financial, travel, and e-commerce industries should take heed of the recent wave of RDoS attacks and ensure security teams have the resources to put procedural and technical controls in place.


Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

Emotet command and control servers to monitor for:[8]

Thanos – SHA256 hashes:[9]

fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92

23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3

e256a9f20479f29e229f594ef6ab91be75bff9e3f0784030ac0feb8868f4abc1

7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6

53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd

871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3

edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e

aae00e2532ae5093e8c0a623bffcc4c447d04e89237438c52cb473854c715724

8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2

cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3

f1388fbe51253d8f07a98eabfe0422e39821d936166cc85c92a0418854ae15fb

049425dac929baf288c44c981ef63417d097fb95f5199c9f33e5ef5e2ec20590

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5

db3ef67666e18047aa24a90bfa32ca456641209147703853413d56eb74d44673

989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda

b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad

e67fa8978e6c22f4d54604a54c3ac54e631128eed819d37355c2ad80e74507a5

a1bab429b3b18fdb8e4fec493bd53e89c0f87147d902ff41a0f6dcd61c159553

940df3b1cf603388cf9739cc208c1a88adfe39d2afe51e24a51878adca2be4e3

e63aeb1aa61c38a5bed126b41ca587a892de0311730b892aee77541a761e1a02

d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47

7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5

5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7

7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
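As an added example (not S-RM's own tooling, and not taken from any of the cited sources), the script below turns the Emotet monitoring guidance from the Phishing section and the Thanos SHA256 IOCs above into simple triage rules and runs them over a handful of constructed log records. The key=value log format, the host and address values, the SMB file-server allowlist and the Emotet C2 watchlist (the page's own C2 list is not reproduced here) are all invented placeholders; only the two SHA256 values are copied from the Thanos list above.

```python
"""Rule-based triage of constructed log records against the Emotet monitoring
guidance and the Thanos SHA256 IOCs in this briefing (added example, not S-RM's code)."""

import ipaddress
import re
from collections import Counter

# Two SHA256 values copied from the Thanos IOC list above.
THANOS_SHA256 = {
    "fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92",
    "23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3",
}

# Placeholder Emotet C2 watchlist (RFC 5737 documentation addresses, not real
# C2); in practice load the current feed here.
EMOTET_C2_WATCHLIST = {"198.51.100.23", "203.0.113.77"}

# Constructed allowlist of internal file servers that legitimately accept SMB.
SMB_SERVER_ALLOWLIST = {"10.0.0.5"}

MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")

# Only RFC 1918, loopback and link-local count as internal, so the
# documentation ranges used in the sample data are treated as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)


def parse_record(line):
    """Parse a constructed 'key=value key2="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external_ip(value):
    """True only for a literal IP address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # hostnames are not bare IPs
    return not any(ip in net for net in INTERNAL_NETS)


def evaluate(rec):
    """Return the names of every rule the record matches."""
    hits = []
    rtype = rec.get("type")
    dst, dport = rec.get("dst", ""), rec.get("dport", "")

    if dst in EMOTET_C2_WATCHLIST:
        hits.append("emotet_c2_watchlist")
    # SSL/TLS to an external IP: the requested host is a bare address, not a name.
    if rtype == "proxy" and dport == "443" and is_external_ip(rec.get("host", "")):
        hits.append("tls_to_bare_external_ip")
    # SMB port 445 attempts to anything other than the known file servers.
    if rtype == "firewall" and dport == "445" and dst not in SMB_SERVER_ALLOWLIST:
        hits.append("smb_445_to_unexpected_host")
    if rtype == "mail":
        if rec.get("attachment", "").lower().endswith(MACRO_EXTENSIONS):
            hits.append("macro_attachment")
        link_hosts = URL_HOST_RE.findall(rec.get("body", ""))
        if any(h in EMOTET_C2_WATCHLIST for h in link_hosts):
            hits.append("link_to_watchlisted_host")
    if rtype == "endpoint" and rec.get("event") == "kernel_crash":
        hits.append("kernel_crash")
    if rec.get("sha256", "").lower() in THANOS_SHA256:
        hits.append("thanos_sha256_ioc")
    return hits


def triage(lines):
    """Return one entry per flagged line: its index, the parsed record and the rule hits."""
    flagged = []
    for idx, line in enumerate(lines):
        rec = parse_record(line)
        hits = evaluate(rec)
        if hits:
            flagged.append({"line": idx, "record": rec, "rules": hits})
    return flagged


def rule_counts(flagged):
    """Aggregate rule hits across the triage output."""
    return Counter(rule for entry in flagged for rule in entry["rules"])


# Constructed sample records; none of these are real observations.
SAMPLE_LOGS = [
    'type=mail from=accounts@example.net to=user@example.com attachment=Invoice_0911.docm body="please see attached"',
    'type=mail from=hr@example.com to=user@example.com attachment=policy.pdf body="see http://intranet.example.com/policy"',
    'type=proxy src=10.1.2.3 dst=203.0.113.77 dport=443 host=203.0.113.77',
    'type=proxy src=10.1.2.3 dst=198.51.100.9 dport=443 host=www.example.com',
    'type=firewall src=10.1.2.3 dst=10.1.2.9 dport=445 action=deny',
    'type=firewall src=10.1.2.3 dst=10.0.0.5 dport=445 action=allow',
    'type=endpoint host=WS042 event=kernel_crash',
    'type=edr host=WS042 sha256=FD8C3259B8E80B8220C6053AA9B045676D1E3FE09356ED94B5E47FB5B895FF92',
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOGS)
    for entry in flagged:
        print(entry["line"], entry["rules"])
    print(dict(rule_counts(flagged)))
```

Each rule is deliberately narrow: the SMB rule only fires for destinations outside the allowlist, the TLS rule only fires when the requested host is a literal address rather than a name, and hashes are lower-cased before lookup so EDR telemetry with mixed-case hashes still matches the IOC list. On the sample data five of the eight records are flagged, with the proxy connection to the watchlisted address matching two rules at once.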

References

[1] ‘Defense in depth: The resurgence of Emotet, as seen in the email and network layers’, Darktrace, 26 August 2020.

[2] ‘Thanos ransomware tries to overwrite Windows master boot record’, CyberWire, 8 September 2020.

[3] ‘DoppelPaymer ransomware hits Newcastle University, leaks data’, Bleeping Computer, 7 September 2020.

[4] ‘How the government is keeping hackers from disrupting coronavirus vaccine research’, CyberScoop, 8 September 2020.

[5] ‘Information Battleground: Vaccines’, Center for Security Studies – ETH Zurich, 1 September 2020.

[6] ‘Ransom demands return’, Akamai, 24 August 2020.

[7] ‘FBI: Thousands of orgs targeted by RDoS extortion campaign’, Bleeping Computer, 3 September 2020.

[8] ‘Emotet 03/09/2020’, Pastebin, 3 September 2020.

[9] ‘Indicator of compromise for Thanos ransomware’, Edison New World, 11 June 2020.

