Cybersecurity Week in Review: 12/21
Posted by: GuidePoint Security
This week we report on a significant ransomware attack targeting a large U.S. supply chain company and a holiday email scam involving fake gift cards. In addition, we provide details on the relaunch of the notorious Emotet botnet.
Major U.S. supply chain company attacked
A large Tennessee-based trucking and air freight logistics company with over 4,000 employees and a 2019 revenue of $1.4 billion experienced a ransomware attack last week.
According to reports, the attack impacted operational and information technology systems and caused shipping disruptions. A new cybercriminal operation referred to as ‘Hades’ is behind the attack.
Reports suggest that the Hades ransomware gang began operating during mid-December. Notably, the ransom note created by the Hades operation resembles one previously used by the REvil ransomware gang. The note indicated that files were encrypted and unavailable but assured the victim that “everything is possible to recover (restore)” if instructions were followed. The note also threatened that if instructions weren’t followed, the victim would never be able to get their data back. The Hades gang also reportedly tried to assure the shipping company that the attack wasn’t personal: “It’s [sic] just a business. We absolutely do not care about you and your deals, except getting benefits.”
The trucking and air freight company will likely suffer revenue losses as a result of the attack. In a Securities and Exchange Commission filing from Monday 12/21/20, the shipping company states: “Although the company is actively managing this incident, it has caused and may continue to cause a delay in parts of the company’s business and may result in a deferral or loss of revenue as well as incremental costs that may adversely impact the Company’s financial results…”
No additional information was available on the type of ransomware, the amount of the ransom, or whether the shipping company paid the money. News reports did indicate that the criminals behind the attack provided a Twitter account address where the stolen information would reportedly be leaked.
You can read more on this attack here and here.
The holiday gift that keeps giving: Dridex malware
An offer of a fake $100 gift card pretending to come from a major online retailer is making the rounds this holiday season. But instead of a $100 shopping spree, victims are finding themselves the recipients of the Dridex banking trojan.
The socially engineered scam, which originally launched in late October but significantly ramped up over the holidays, offered U.S. and Western European victims a gift card via an email link. The malicious campaign also purportedly includes convincing graphics and naming conventions that resemble those belonging to the retailer.
When victims click the link, they are directed to one of three delivery options, each of which installs the malware:
- A Word document that asks the victim to ‘enable content’ (which instead runs malicious macros)
- A screensaver file, whose file extension lets the criminals bypass email filters and deliver malicious code
- A malicious VBScript file downloaded via a link in the email
Researchers note that none of these techniques is new; all have been used effectively for years. They also note that offering three different ways to install the malware increases the likelihood that the attack succeeds.
About Dridex
The notorious banking trojan Dridex has been around in various incarnations since 2012. The malware steals banking credentials and other sensitive user data. While the criminals behind Dridex, a gang calling themselves ‘Evil Corp’, may not use the stolen credentials directly, they can make significant amounts of money by selling the information on the dark web.
Individuals aren’t the only ones at risk from Dridex. Corporations are targeted as well, for things like intellectual property and administrator credentials.
You can read more on the dangers of Dridex here.
Botnet targets 100K email addresses per day
It appears that the two-month lull of the Emotet botnet was simply the calm before the storm. The botnet sprang to life again last week with spam and phishing campaigns containing secondary malware payloads targeting over 100,000 victims per day. Researchers are seeing attacks in multiple languages, including English, German, and Italian, delivering TrickBot malware, the same malware whose infrastructure was dismantled by Microsoft in October. (You can read more about the TrickBot takedown here.) Attack mechanisms include URLs, as well as Word attachments and password-protected zip files.
In this campaign, the Emotet criminals are using a ‘thread hijacking’ technique in which they insert an email into an existing email conversation by replying to an actual email that was sent by the target account. Since the bogus email appears to be part of the email chain, the target has no reason to be suspicious and may be inclined to click on the malicious link or attachment. The Emotet code itself appears to be similar to that sent in the past. The content of the fraudulent emails varies and may include COVID themes or fake error messages.
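The Dridex delivery options listed above and the Emotet thread-hijacking technique described here both arrive through ordinary mail, so a defender can triage for them at the gateway. The following Python script is an added example written for this post, not code from GuidePoint Security or from any of the researchers cited. It assumes a screensaver attachment carries the .scr extension (a renamed Windows executable), and it uses constructed sample messages, a constructed thread history (`KNOWN_THREADS`), and byte markers that VBA projects leave in Office files as a heuristic for macro-bearing documents; the sender addresses, Message-IDs and domains are all made up.

```python
"""Mail triage heuristics for the two delivery patterns discussed in the post:
risky attachment types (macro-bearing Office files, screensaver executables,
VBScript) and reply-chain ('thread hijacking') abuse.  Every message and
thread record in this file is constructed for the example."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extension classes that rarely have a legitimate reason to arrive by mail.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com"}  # .scr is a renamed PE executable
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
OFFICE_EXTENSIONS = {".doc", ".dot", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}

# Byte markers of an embedded VBA project: the OOXML zip entry name, and the
# UTF-16LE storage names used inside legacy OLE (.doc/.xls) containers.
VBA_MARKERS = (
    b"vbaProject.bin",
    "_VBA_PROJECT_CUR".encode("utf-16-le"),
    "Macros".encode("utf-16-le"),
)


def all_extensions(filename):
    """Every dotted suffix, so 'GiftCard.pdf.scr' -> ['.pdf', '.scr']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def attachment_findings(msg):
    """Flag attachments by extension class and, for Office files, by VBA markers."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = all_extensions(name)
        last = exts[-1] if exts else ""
        if last in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        elif last in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {name}")
        elif last in OFFICE_EXTENSIONS:
            data = part.get_payload(decode=True) or b""
            if any(marker in data for marker in VBA_MARKERS):
                findings.append(f"macro-bearing office document: {name}")
        if len(exts) > 1:  # 'invoice.pdf.scr' style disguise
            findings.append(f"double extension: {name}")
    return findings


def thread_hijack_findings(msg, known_threads):
    """known_threads maps a Message-ID to the addresses that took part in that
    conversation (in practice built from the organisation's own mail store)."""
    findings = []
    parent = str(msg.get("In-Reply-To") or "").strip()
    if not parent:
        return findings  # not a reply, nothing to compare against
    sender = parseaddr(str(msg.get("From") or ""))[1].lower()
    participants = known_threads.get(parent)
    if participants is None:
        findings.append("reply references a thread we have no record of")
    elif sender not in participants:
        findings.append(f"reply from {sender}, who was not part of the original thread")
    auth = str(msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    return findings


def triage(raw, known_threads):
    """Parse a raw RFC 5322 message and return every finding, worst first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_findings(msg) + thread_hijack_findings(msg, known_threads)


def make_sample(sender, subject, extra_headers, attachment=None):
    """Build a raw message for the demonstration (constructed test data)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "bob@corp.example"
    m["Subject"] = subject
    for name, value in extra_headers.items():
        m[name] = value
    m.set_content("Please see the details attached.")
    if attachment:
        filename, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed thread history: bob has been exchanging invoice mail with alice.
KNOWN_THREADS = {"<invoice-42@partner.example>": {"alice@partner.example", "bob@corp.example"}}

# A reply injected into that thread from an address that never took part, carrying
# a legacy .doc with a VBA storage-name marker (an inert stub, not real malware).
SAMPLE_HIJACK = make_sample(
    "accounts@compromised-host.example", "Re: invoice 42",
    {"In-Reply-To": "<invoice-42@partner.example>",
     "Authentication-Results": "mx.corp.example; spf=fail smtp.mailfrom=compromised-host.example"},
    ("Invoice_details.doc", b"\xd0\xcf\x11\xe0 constructed OLE stub " + "Macros".encode("utf-16-le")),
)

# The gift-card lure: a screensaver executable hiding behind a double extension.
SAMPLE_GIFTCARD = make_sample(
    "rewards@giftcard-promo.example", "Your $100 gift card", {},
    ("GiftCard.pdf.scr", b"MZ constructed stub"),
)

# A genuine reply from a known participant with no attachment.
SAMPLE_CLEAN = make_sample(
    "alice@partner.example", "Re: invoice 42", {"In-Reply-To": "<invoice-42@partner.example>"},
)

if __name__ == "__main__":
    for label, raw in [("hijack", SAMPLE_HIJACK), ("giftcard", SAMPLE_GIFTCARD), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(raw, KNOWN_THREADS))
```

The thread check is the part that matters for Emotet: a hijacked reply looks legitimate to the recipient precisely because it quotes a real conversation, but the gateway can still compare the sender against the thread's recorded participants and the message's authentication results. The marker scan is a heuristic only; a production deployment would detonate or strip macro-bearing documents rather than rely on string matching.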
Security professionals are being urged to watch the malware’s current activity, due to the Emotet gang’s alliance with other criminal entities, such as TrickBot and Ryuk.
More on Emotet’s resurgence can be found here and here.
Final Words
The attack last week on a major U.S. supply chain company may have seemed like criminal business as usual to many, but the implications are particularly frightening. The COVID-19 pandemic has already wreaked havoc on the supply chain as borders have closed and factories have temporarily shut down. A cyberattack targeting a significant U.S. trucking and air freight company only adds to current logistics woes as hospitals scramble for supplies in the wake of increasing COVID infections and grocery stores worry about keeping shelves stocked for the winter.
To understand the implications of a supply chain attack, look no further than the NotPetya malware attack that hit a global shipping giant a few years ago. That attack infected an estimated 50,000 endpoints and thousands of applications and servers across 600 sites in hundreds of countries. It also shut down operations in ports around the world, costing the shipping company an estimated $300 million in losses.
While we have no indication of how the Hades gang infiltrated the Tennessee-based trucking and air freight logistics company, researchers speculate that it was likely one of three things: credentials exposed through a phishing attack, weak passwords that allowed access to remote systems, or unpatched servers.
Once again, we’re reminded: Cybersecurity equals action. Companies get out of it what they put into it.