
Cyber Threat Intelligence Briefing: 13 November 2020

Billy Gouveia, Mona Damian 13 November 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.


The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Working from home - unencrypted. The online videoconferencing company, Zoom, has reached an agreement with the US Federal Trade Commission to settle allegations that it misled its users about its product’s security features, particularly the level of encryption it employed.
  • Microsoft’s Patch Tuesday. Microsoft’s most recent Patch Tuesday released patches for 112 vulnerabilities, including a Windows zero-day vulnerability actively exploited in the wild.
  • In other news this week, RansomEXX, a strain of ransomware, is being altered and used to target Linux servers, Ragnar Locker gang used Facebook ads to extort a victim, and the Trickbot / Emotet banking trojans continue to top the Global Threat Index for October.


Security Round-up

Working from home - unencrypted
  • On 9 November, the US videoconferencing company, Zoom, reached an agreement with the US Federal Trade Commission (FTC) to settle allegations that it misled its users regarding its application’s security features [1].
  • The FTC found that Zoom had been deceptive in claiming that calls on its platform were end-to-end encrypted. Instead of only storing the cryptographic key used to encrypt a call on each user’s device, Zoom was found to also have kept a copy of this key for itself, which would technically enable it to intercept communications.
  • Zoom was also found to have failed to encrypt calls that were recorded by its users, as it claimed it did. Instead, these calls were stored on Zoom’s servers for 60 days before being encrypted and stored securely.

So what? Since the beginning of the COVID-19 pandemic, and the consequent global shift to working from home, Zoom has seen its user base expand significantly. Many organisations, including large multinationals, have relied on the application to facilitate communication between employees and with other stakeholders. Indeed, Zoom and other videoconferencing applications have become a fundamental part of work for several organisations, and in many cases used to transmit troves of confidential information. Encryption remains the most useful technique to ensure confidentiality. The need to communicate sensitive information securely and privately, coupled with increasingly onerous data protection obligations, make encryption essential. The case of Zoom highlights the risks facing organisations who employ third party applications to facilitate business communication and transfer sensitive data. Due diligence may be required to find a vendor with the appropriate security controls to meet your organisation’s needs.

Ransomware group targeting Linux servers
  • Security researchers have discovered a type of ransomware called RansomEXX being deployed on Linux servers for the first time. The ransomware is custom built for its targets, with each code sample containing the name of the organisation being targeted. Victims include the Texas Department of Transportation and tech giant Konica Minolta [2].
  • In August, US authorities flagged a new hacking toolkit called Drovorub, which was allegedly created by a Russian military intelligence cyber ops group [3]. The toolkit includes a kernel module rootkit, a file transfer and port forwarding utility, and beacons to a command and control (C2) server. The cyber ops group that allegedly developed Drovorub was also responsible for hacking the Democratic National Committee during the US elections in 2016.

So what for security teams? While most malware is designed to target the most popular systems, the ongoing development of offensive cyber ops means that attack patterns continue to diversify and become more specialised. Security teams should ensure that defensive systems cover all critical assets, including Linux servers, and that basic security precautions have been applied: prevent reuse of old passwords, disable root login, secure console user access, and check listening ports, among other hardening measures.
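As an added example (not S-RM's tooling, and not part of the original briefing), the script below checks two of the hardening points named above on a Linux host: it audits an sshd_config for root login and password authentication, and lists TCP ports in the LISTEN state by parsing /proc/net/tcp. The sample config and /proc/net/tcp excerpt embedded in it are constructed, and the table of expected settings is an assumption of this example.

```python
"""Minimal Linux SSH and listening-port audit.

Added example, not S-RM's tooling. Covers two of the hardening points in the
briefing: root SSH login disabled and password authentication off (so old or
reused passwords cannot be used over SSH), plus a list of listening TCP ports
read from /proc/net/tcp.
"""

# Constructed sshd_config excerpt (not from any real host). The second
# PermitRootLogin line is deliberate: sshd honours the FIRST occurrence of a
# keyword, so a hardened line appended below a weak one changes nothing.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed hardened variant of the same file.
SAMPLE_HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed /proc/net/tcp excerpt. Column 'st' 0A = LISTEN; local_address is
# little-endian hex IPv4 followed by a hex port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000002:B3F4 5E1B2C3D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Expected values (assumption of this example): keyword -> (wanted value, reason).
EXPECTED = {
    "permitrootlogin": ("no", "direct root login over SSH should be disabled"),
    "passwordauthentication": ("no", "key-based auth stops reuse of old or weak passwords over SSH"),
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}. Mirrors sshd: keywords are
    case-insensitive and the first occurrence wins. Treating '#' anywhere on a
    line as a comment start is a simplification of this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, reason) in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly (daemon default applies); {reason}")
        elif actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', expected '{wanted}'; {reason}")
    return findings


def _decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); /proc/net/tcp stores IPv4 little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def listening_ports(proc_net_tcp_text):
    """Return [(bind_ip, port), ...] for sockets in LISTEN state (st == 0A)."""
    ports = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.append(_decode_addr(fields[1]))
    return ports


if __name__ == "__main__":
    # On a real host read the live files; fall back to the constructed samples.
    try:
        with open("/etc/ssh/sshd_config") as fh:
            cfg = fh.read()
        with open("/proc/net/tcp") as fh:
            tcp = fh.read()
    except OSError:
        cfg, tcp = SAMPLE_SSHD_CONFIG, SAMPLE_PROC_NET_TCP
    for finding in audit_sshd_config(cfg) or ["sshd_config: no findings"]:
        print(finding)
    for ip, port in listening_ports(tcp):
        print(f"LISTEN {ip}:{port}")
```

Run it on a host and compare the LISTEN list against the services the server is supposed to expose; anything bound to 0.0.0.0 that is not on that list is the first thing to explain. The first-occurrence rule in the parser is the point most audits get wrong: a hardened directive appended to the end of a file that already sets the keyword is silently ignored by sshd.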

Ragnar Locker uses social media to extort victim
  • Ransomware group Ragnar Locker has used social media to place pressure on a victim (Italian beverages company Campari) to pay a ransom. The group purchased Facebook ads in which it claims to have stolen 2 terabytes of data from the victim of the recent ransomware attack [4].
  • The Facebook account used to place the advertisements, Hodson Event Entertainment, was compromised by the threat actor who then used the account’s budget for its Facebook campaigns to pay for the extortion.

So what? Ransomware variants continue to proliferate with many adopting new tactics and tools to improve their ability to receive as much money as possible. As the cybercriminals observe the success of a new strategy – such as Maze using a data leaks site to double-extort their victims in November 2019 – these then get adopted by competitors and affiliates. Similarly, groups like Ragnar Locker are likely to test and use new forms of extortion and methods of drawing publicity to the victims of their attacks. While a novel strategy at this stage, if successful we are likely to see further use of social media pressure tactics during the ransomware extortion process.

The Kings of the Trojans
  • The Emotet banking trojan, typically propagated through malicious attachments and links contained in phishing emails, remains the most prevalent malware observed in attacks in October [5]. According to Check Point, Emotet was involved in 12% of security incidents globally.
  • The second most prevalent malware is also a banking trojan, Trickbot, which is often deployed with Emotet as part of Ryuk ransomware attacks. The surge in the number of Ryuk infections targeting the healthcare industry in October is largely behind the prevalence of these trojans during this period.

So what for security teams? The real takeaway from this story is the prime importance of banking trojans in the ransomware process. These banking trojans have been repurposed from their original function of stealing banking credentials when users log into their online banking portals, and now primarily act as droppers for other malware, such as ransomware payloads. As such, security teams should verify that their monitoring tools and response processes are aligned to ensure trojans are detected, quarantined and removed as quickly as possible to prevent a phishing incident developing into a full-scale ransomware attack.

Microsoft’s Patch Tuesday
  • This past Tuesday, 10 November, Microsoft released patches for 112 vulnerabilities across numerous products, including an actively exploited zero-day vulnerability [6]. Of the 112 vulnerabilities identified by Microsoft, 24 were found to facilitate remote code execution attacks in popular Microsoft applications, such as Excel, SharePoint, and even Teams.
  • The zero-day vulnerability, tracked as CVE-2020-17087, has been exploited in conjunction with a Google Chrome zero-day to target Windows 7 and Windows 10 users.

So what? Patching remains one of the most important steps to security. It is vital for organisations to ensure they are running the latest version of software, and actively check that they have installed all available patches.


Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

The indicators in the table below relate to Ragnar Locker ransomware. The primary point of entry for this group is poorly secured RDP connections. Once inside a victim’s network, the group pushes PowerShell scripts to all accessible endpoints.


Type    | Indicator                                                        | Title
SHA-1   | 0f944504eebfca5466b6113853b0d83e38cf885a                         | Win.Exploit.CVE_2017_0213-6306933-0
MD5     | 7529e3c83618f5e3a4cc6dbf3a8534a6                                 | Win.Exploit.CVE_2017_0213-6306933-0
SHA-256 | ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 | Win.Exploit.CVE_2017_0213-6306933-0
SHA-1   | 5938b9900e0c1978802319dc1cbababd70abf597                         | Nrv2x
MD5     | 77e84f1baf2b6d0dba6ad7169dab07ad                                 | Nrv2x
SHA-256 | 1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e | Nrv2x
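As an added example (not S-RM's tooling, and not part of the original briefing), the script below loads the six hashes from the table above into a lookup set, hashes files on disk with MD5, SHA-1 and SHA-256 in a single pass, and reports any file whose digest matches. The indicator values are the ones listed in the table; the bytes used in its self-check are constructed; the function names are this example's own.

```python
"""Hash-based IOC sweep for the Ragnar Locker indicators listed above.

Added example, not S-RM's tooling. Every file under a root directory is
hashed once (all three algorithms from one read) and its digests are looked
up in the IOC set. Digests are compared case-insensitively, and a digest only
counts as a hit when its algorithm matches the indicator's algorithm.
"""
import hashlib
import io
import os

# Indicators copied from the briefing's table: digest -> (algorithm, title).
IOCS = {
    "0f944504eebfca5466b6113853b0d83e38cf885a": ("SHA-1", "Win.Exploit.CVE_2017_0213-6306933-0"),
    "7529e3c83618f5e3a4cc6dbf3a8534a6": ("MD5", "Win.Exploit.CVE_2017_0213-6306933-0"),
    "ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597": ("SHA-256", "Win.Exploit.CVE_2017_0213-6306933-0"),
    "5938b9900e0c1978802319dc1cbababd70abf597": ("SHA-1", "Nrv2x"),
    "77e84f1baf2b6d0dba6ad7169dab07ad": ("MD5", "Nrv2x"),
    "1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e": ("SHA-256", "Nrv2x"),
}

ALGORITHMS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}


def hash_stream(fh, chunk_size=1 << 20):
    """Hash a binary file object with all three algorithms in one pass."""
    hashers = {name: ctor() for name, ctor in ALGORITHMS.items()}
    for block in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Same as hash_stream, for in-memory data (used by the self-check)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_hashes(digests, iocs=IOCS):
    """Return [(algorithm, digest, title), ...] for every digest in the IOC set."""
    hits = []
    for algo, digest in digests.items():
        entry = iocs.get(digest.lower())
        if entry and entry[0] == algo:
            hits.append((algo, digest.lower(), entry[1]))
    return hits


def scan_directory(root, iocs=IOCS):
    """Walk `root`; return {path: hits} for files matching at least one indicator.
    Unreadable files (permissions, removed during the walk) are skipped."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_hashes(hash_file(path), iocs)
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


def self_check():
    """Constructed sanity check: a harmless blob must not match the real IOCs,
    but must match once its own SHA-256 is added to a copy of the set."""
    blob = b"constructed sample, not malware"
    digests = hash_bytes(blob)
    assert match_hashes(digests) == []
    extended = dict(IOCS)
    extended[digests["SHA-256"]] = ("SHA-256", "Constructed-Test")
    return match_hashes(digests, extended)


if __name__ == "__main__":
    import sys
    print("self-check:", self_check())
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(root).items():
        for algo, digest, title in hits:
            print(f"MATCH {path} {algo} {digest} {title}")
```

Hash indicators are brittle: any change to the binary, including repacking, produces a different digest, so an empty sweep is not evidence of absence. Treat a hit as confirmation and pair the sweep with the behaviours named above, in particular monitoring of RDP logons and PowerShell script execution across endpoints.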


References:

[1] ‘FTC Requires Zoom to Enhance its Security Practices as Part of Settlement’, FTC, 9 November 2020; ‘https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement’, Tech Crunch, 9 November 2020; ‘Zoom settles FTC charges for misleading users about security features’, ZD Net, 9 November 2020.

[2] ‘New Ransomware Threat Jumps From Windows To Linux—What You Need To Know’, Forbes, 8 November 2020.

[3] ‘Russian Linux Hackers Threaten National Security Say FBI And NSA’, Forbes, 14 August 2020.

[4] ‘Ragnar Locker gang uses Facebook ads to pressure ransomware victim into paying’, Silicon Angle, 10 November 2020.

[5] ‘Trickbot and Emotet Trojans Are Driving Spike in Ransomware Attacks’, Security Week, 6 November 2020.

[6] ‘Microsoft November 2020 Patch Tuesday arrives with fix for Windows zero-day’, ZD Net, 10 November 2020.
