Tuesday, December 17, 2019 - Jake Omann, CIC, CPCU

Third-party ransomware attack threatens care facility operations across the country

A ransomware outbreak has besieged a Wisconsin-based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The strain of ransomware strain that infected the Virtual Care Providers Inc (VCPI) network is a private ransomware-as-a-service known as Ryuk, distributed by the operators of Trickbot. While Ryuk operators often choose large corporations as targets, but the risk of attack is high for small and medium-size businesses as well. Ryuk victims typically encounter very high ransom demands.

• Milwaukee-based VCPI provides IT consulting, internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.
• At around 1:30 am on November 17, 2019, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a Bitcoin ransom equivalent to a whopping $14 million in exchange for the digital key needed to unlock access to the files.
• Ryuk has made a name for itself targeting businesses that supply services to other companies, particularly cloud-data firms, with the ransom demands set according to the victim’s perceived ability to pay.
• VCPI owner and chief executive, Karen Christianson, said the attack  affected all of their core offerings, including internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.
• The care facilities that VCPI serves access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking (VPN) platform, and Christianson said restoring customer access to this functionality is the company’s top priority right now.
• Christianson said her firm cannot afford to pay the ransom amount being demandedand said some clients will soon be in danger of having to shut their doors if VCPI can’t recover from the attack.
• The ongoing incident at VCPI is just the latest in a string of ransomware attacks against healthcare organizations, which don’t often have the training or resources to prevent cyber incidents.

Source: KrebsOnSecurity.com

Hackers re-use usernames and passwords to access online customer accounts

Retail giant Bed Bath & Beyond revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that some online customer accounts were accessed by a third party. Unauthorized access was achieved through “credential re-use,” using stolen usernames and passwords from a different source to access accounts. Hackers are able to do this because of the prevalence of using the same username and password to access multiple accounts.

• Bed Bath & Beyond Inc. discovered that a third party acquired email and password information from a source outside of its systems which was used to access less than 1% of its online customer accounts.
• Bed Bath & Beyond says that the investigation determined that the usernames and passwords were likely acquired as a result of a breach at a different source and the attackers relied on the fact that many users set the same password for multiple accounts.
• The retailer has also said no payment cards were compromised as a result of the incident.
• Bed Bath & Beyond started notifying impacted customers in November.
• The company has hired a security forensics firm to investigate the incident and claims to have taken steps to mitigate.

Source: SecurityWeek.com

Phishing scam posing as pay raises to steal Office 365 access

In a recent phishing campaign, scammers attempted to use the promise of pay raises to bait employees into revealing their Microsoft Office 365 account credentials.

• Emails came from what appeared to be the targets’ human resources (HR) department, asking them to open a “salary increase” Excel spreadsheet.
• Cofense email security experts noted the email contained language that sounded legitimate to trick the recipient into clicking on the link to the spreadsheet: "As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.”
• The link redirects to the attackers' phishing landing page, designed to look like an Office 365 login page, prompting users to enter their password.

Source: BleepingComputer.com

Windows update ransomware campaign

Attackers have been using a Windows update spam campaign to deploy a relatively new ransomware known as “Cyborg.” The email appears to come from Microsoft, and directs recipients to an attachment described as the “latest critical update.”

• The attachment is an executable file masked to appear innocuous. The attachment appears as a small JPEG file, around 28KB, and file names are randomized.
• The executable file is a malicious .NET downloader designed to deliver malware to the infected system.
• When clicked, the bitcoingenerator.exe attachment downloads the payload from Github.
• Attackers have been demanding $500 in Bitcoin in exchange for the decryption key.
• This attack is an example of a “spray and pray” spam campaign, targeting individual consumers in the hopes that someone takes the bait. While consumer-focused, employers could just as easily be targeted by this type of campaign.

Source: SecurityWeek.com

Business email compromise costs employers $300 million per month

The Financial Crimes Enforcement Network (FinCEN) reports losses from business email compromise (BEC) scams average over $300 million per month.

• Two of the largest BEC losses include Nikkei ($29 million), and a member of the Toyota group ($37 million). In a recent instance, the city of Ocala, FL in Florida redirected over $742,000 to a fraudulent bank account.
• The latest trend involves impersonating vendors or clients, also known as “vendor email compromise.”
• This type of scam requires a lot of preparation to create a convincingly genuine message.
• In the Ocala incident, scammers sent a phishing email to the city’s accounting department appearing to come from an employee of a construction company the city is using to build a new airport terminal.
• The email directed the recipient to send further payments to a different bank account.
• To appear legitimate, the scammers provided a routing number and a bank account number along with a copy of a voided check. The senders used a fake email domain closely ressembling the construction company’s legitimate address, by simply adding an “s” to the end of the address.
• A report from the Ocala Police Department  estimates losses in excess of  $742,000.

Source: BleepingComputer.com

Spear phishing campaign alleges sexual harassment complaint with the EEOC

Hackers are targeting the employees of large companies with a fake email appearing to come from the U.S. Equal Employment Opportunity Commission (EEOC) alleging sexual harassment in an attempt to get the employees to download the  “TrickBot” banking Trojan payload..

• The campaign operators have been taking the time to collect information on their targets, including their name, and company name, job title, and phone number to make the email seem legitimate,
• The email uses the subject line “[Victim’s name] – A grievance raised against you  to draw the attention of the victim.
• The payload delivered by this campaign, TrickBot (also known as TrickLoader, Trickster, or TheTrick),is a continuously evolving banking Trojan with new and frequently upgraded capabilities since first observed in October 2016.
• Originally designed to harvest and exfiltrate as much sensitive info as possible from an infected system, it has slowly evolved into a popular malware dropper that can infect compromised devices with other more dangerous malware strains including ransomware.
• TrickBot is also one of the most aggressive malware strains distributed via email.

Source: BleepingComputer.com

Scammers already cashing in on tax scams ahead of the filing deadline

A new threat actor is using email to impersonate U.S. and European government agencies in an attempt to deliver ransomware, backdoors and banking Trojans through malicious attachments.

• Researchers with cybersecurity firm, Proofpoint, detected a spam campaign in October, using email to impersonate the United States Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency in an attempt to deliver a variety of malware.
• Threat actors are sending out low-volume emails to targeted organizations, appearing to come from finance-related government entities regarding tax assessments and refunds.
• Tax-themed email campaigns targeting filers have been used seasonally leading up to the annual tax filing deadline, with upticks in tax-related malware and phishing campaigns.
• Spammers most recently targeted the U.S. healthcare vertical in November, using an email appearing to come from the post office, containing a malicious Word doc attachment named "USPS_Delivery.doc".
• The documents appear encrypted, requiring the user to "enable content" to view.
• Once enabled, the campaign installs the IceID banking Trojan on the affected computer, which will attempt to steal online banking credentials.

Source: ProofPoint.com

Attackers turn to ZIP files to avoid malware detection

As cybersecurity advances, so do methods of distributing malware undetected by antivurus and email security programs, best illustrated by  a new phishing campaign that using a malicious ZIP file designed to bypass secure email gateways to distribute a remote access Trojan (RAT) known as NanoCore.

• ZIP files are used to compress large files or data into a smaller size that is easier to send and store.
• Every ZIP archive has a special structure that contains compressed data and information about the compressed files. Each ZIP archive also contains a single "end of central directory” (EOCD) record, used to indicate the end of the archive structure.
• Security researchers encountered a new spam email designed to appear as shipping information from an Export Operation Specialist of USCO Logistics.
• Attached to this email was the SHIPPING_MX00034900_PL_INV_pdf
• File size was the first red flag, appearing higher than the uncompressed content.
• The ZIP archive was specially crafted to contain two distinct archive structures, each marked by their own EOCD record.
• The first ZIP structure was a decoy  image file. The second ZIP structure contained an executable file for the the NanoCore RAT.
• Attackers created this ZIP archive to bypass secure email gateways with archiving utilities that may only see the harmless decoy and not properly detect the malware.

Source: BleepingComputer.com

“Something for nothing” scams targeting online shoppers this holiday season

Cybercriminals were cashing in on Black Friday and Cyber Monday shoppers with an array of scams and malware, including domain impersonation, social media giveaway scams, and a malicious Chrome extension. While online shopping scams are not new, researchers warn of an uptick in more sophisticated scams this year.

• Cybersecurity firm, ZeroFOX, identified 61,305 potential scams across 26 brands in November, leading up to the annual online shopping weekend.
• The vast majority of these scams targeted customers of brick and mortar retail stores. A smaller percent targeted electronics brands and online marketplaces, with a small fraction targeting luxury and jewelry brands.
• These kinds of scams generally offer victims “something for nothing” such as a giveaway, gift cards or some kind of discount or coupon. Users are urged to provide personal information, such as an email and physical address, to be entered to win or to receive a discount.
• Operating year-round, these scams also capitalize on gift-givers during the holiday season, instilling a sense of urgency in their targets.. Of the retail scams, analyzed:

1. 4,593 contained the word “holiday”
2. 1,1741 contained language related to gift-giving
3. 637 were specifically related to Black Friday or Cyber Monday
4. 353 mentioned “Christmas” or “Thanksgiving”

• An additional 554 scams took advantage of charitability and included the word “donate."
• To increase visibility, Black Friday scammers often leverage social media algorithms by using hashtags such as #blackfriday, #cybermonday and #giveaway. to increase the likelihood of being shown to social media users and making the posts searchable. Scammers may also use fake social media accounts to like,share or retweet scam posts, giving them more legitimacy.
• Online shopping and electronics retailers were the number one target for suspicious domains. ZeroFOX researchers filtered 124,000 domains by certificate issuer for legitimate domains and found that Apple, Amazon and Target were the top impersonated domains.
• Further research on a small sample of the list found phishing websites, giveaway scams, coupon scams and even some suspicious browser extensions.

Source: Zerofox.com

Payment card data from hacked restaurant chains appear for sale on the black market

On November 23, Joker’s Stash, one of the largest black market sites for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards.

• This latest batch of cards was siphoned from four different compromised restaurant chains across the Midwest and eastern United States.
• Two financial industry sources who track payment card fraud say the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, which announced a breach in October and Moe’s, McAlister’s Deli and Schlotzsky’s, all part of the Focus Brands parent company that disclosed breaches in August 2019.
• Of the 1,750+ locations, nearly 50% were breached and had customer payment card data exposed, concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.
• Focus Brands was breached between April and July 2019.Krystal claims to have been breached between July and September 2019.

Source: KrebsOnSecurity.com

Ransomare as a service targeting networks with exposed protocols

The operators of the ransomware as a service (RaaS) known as Nemty have found a new distributor for their file-encrypting malware; Trik. The malware is spread to systems with its Server Message Block (SMB) network communication protocol exposed on the web and protected by weak credentials.

• While Nemty was first detected in August, activity from the Trik botnet, also known as Phorpiex, can be traced as far back as 10 years ago.
• Known for distributing sextortion emails, Trik was recently updated to add an SMB component and hardcoded credentials to enable delivery of the Nemty ransomware payload.
• The component first searches in the compromised system's AppData directory for the presence of the file 'winsvcs.txt,' which indicates if Nemty is downloaded and executed.
• The SMB component checks if it runs as a service and then tries to spread through the SMB protocol
• Spreading is possible by generating random IP addresses and attempting to connect to them on port 139 using a hardcoded dictionary with authentication credentials. It combines the usernames 'Administrator,' 'administrator,' 'admin,' and 'Admin' with a password list; if there is a match, the malware spreads to the remote machine via SMB protocol and repeats the process that checks for Nemty.
• The malware appears to be deployed predominantly in China and Korea, archived in email attachments.
• he U.S. so far has accounted for just 7% of infections, though this may change as the ransomware matures and becomes more profitable for user affiliates.

Source: BleepingComputer.com

Ransomware targets sleeping systems to avoid detection

The strain of ransomware, known as Ryuk and distributed by the Russian-speaking Wizard Spider financial crime syndicate, is innovating by using the Wake-on-LAN (WoL) utility to reach snoozing systems that it otherwise would not be able to encrypt. Ryuk operators have been using the Emotet Trojan to deliver a Trickbot payload to install the Ryuk ransomware.

• Ryuk has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode, and the use of address resolution protocol (ARP) pinging to find drives on a company’s local area network (LAN). Both are employed after a network has been compromised.
• To identify machines on the LAN, Ryuk reads entries in the host Address Resolution Protocol (ARP) cache. For each address in the cache, it sends a WoL “magic packet,” over a user datagram protocol (UDP) using destination port 7.
• The WoL addition to the Ryuk arsenal gives cybersecurity researchers another way to detect the malware. UDP packets observed being sent specifically to destination port 7 during a ransomware incident may indicate the presence of the Ryuk ransomware.
• CrowdStrike analysts also point out its limitations. The default ARP cache timeout is short-lived on modern versions of Windows, making Ryuk’s WoL implementation somewhat simple compared to other ransomware strains, and only systems that have recently been put to sleep would still have their MAC address present in a remote system’s ARP cache.
• Ryuk, which is mainly seen in corporate-focused attacks, sets the ransom according to the victim’s perceived ability to pay.
• First seen in August 2018, Ryuk detections are on the rise and increased by 88 percent between the second and third quarter of 2019.
• Ransomware operators are shifting their targets from the consumer sector to businesses with overall ransomware detections against businesses rising 363% year-over-year. As of August, Ryuk had targeted more than 100 U.S. and international businesses in 2019.
• Municipalities, educational institutions and healthcare organizations have become prime Ryuk targets, likely because of a surplus of outdated infrastructure, hardware and software applications, and a lack of security funding in these sectors.

Source: ThreatPost.com

How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.