Cybersecurity Week in Review: 12/7
Posted by: GuidePoint Security
In this week’s article, we highlight the increasing ingenuity of cybercriminals when it comes to ransomware attacks. From enhancing ransomware to evade detection—to creating surprisingly simple attack methods based on weak passwords and configurations—to developing complex methods to ensure a ransom payout by destroying backup files—criminals will stop at nothing to steal a business’s money and data.
MountLocker ransomware seeking mountains of money
Researchers are warning that the MountLocker ransomware—which demands millions of dollars in the form of bitcoins from victims—could become a major threat soon.
While many of the features of MountLocker are similar in scope and style to other types of ransomware, MountLocker contains some new and unique features that may contribute to its overall ability to impact businesses.
First and foremost, it appears that the criminals behind MountLocker may be working with affiliate hackers to locate victims via networks that have already been compromised with malware. By targeting already compromised networks (and presumably paying a fee to the affiliate hackers in the process), the MountLocker gang is likely saving significant time gaining access to target systems. Once access is achieved, the MountLocker cybercriminals deploy the ransomware. While researchers didn’t specify whether the MountLocker gang is using a Malware-as-a-Service (MaaS) to gain access, this has all the earmarks of a typical MaaS arrangement, not unlike the Buer Loader MaaS that we wrote about in this article—MaaS Makes Crime Easier.
Once inside a system, the MountLocker criminals can spread the ransomware throughout a network in a short period of time, leaving the business paralyzed when they deploy the ransomware.
Additional enhancements to MountLocker include improved file encryption and the ability for the malware to evade security solutions.
Researchers find these incremental improvements noteworthy as they indicate an inclination by the criminals to both improve the software and grow their criminal enterprise.
To prevent becoming a victim of MountLocker, security professionals recommend updating networks with the latest security patches, as well as using two-factor authentication and changing passwords frequently.
You can read more about the growing MountLocker ransomware threat here.
Cybercriminals create ‘KISS’ ransomware
We’ve all heard about the K-I-S-S approach—“Keep it simple, stupid!”—and it seems cybercriminals have too.
Last week researchers reported on what they call a “malwareless” ransomware campaign—that is, one in which criminals effectively used people’s own laziness against them by targeting bad passwords and misconfigurations. According to the researchers, this technique enabled the criminals to “pwn” 83,000 victims, garnering approximately $25,000 total to date.
The campaign is delivered from UK and Irish IP addresses and focuses on weak security in internet-facing MySQL servers. Once the servers are compromised, the criminals threaten to publish the stolen data unless victims meet the payment demand. Ransoms appear to average around 0.03 Bitcoins (~$575).
The attack chain begins with a brute-force hack on the MySQL server. Once in the server, the criminal runs a series of database queries to steal the data, which is then archived in a zip file and stored on the attackers’ database. All that’s left is a ransom note for the victim.
Researchers have identified a total of 92 attacks since January of 2020, originating from 11 different IP addresses primarily located in the UK and Ireland. There have been two main phases during the attacks. During the first, criminals demanded that payment be made directly into a bitcoin wallet. In the second phase, the criminals directed victims to a ransom page on a TOR site which also contained all of the leaked databases for which no ransom had been paid. The second phase also included some noticeable improvements, such as automatic mapping between the victim and the stolen database and the assignment of a unique alphanumeric ‘token’ to each victim.
Ultimately what makes this attack different from any of the other run-of-the-mill ransomware out there is its simplicity. Everything is automated and there are no binary payloads in the attack chain—in other words, there is no malware. A simple script targeting weak passwords and misconfigurations is used to crack the database, steal the information, and leave the ransom note.
Internet-facing MySQL databases containing usernames and login information are particularly attractive for attack because they are fairly common among popular blogging tools. Researchers estimate there are approximately 5 million Internet-facing MySQL servers worldwide.
You can read more about the KISS ransomware here and here.
Criminals play the long game: targeting back-up files with ransomware
In an effort to stop businesses from avoiding a ransom payment by restoring their data from backups after a ransomware attack, criminals are now playing the malware long game: first compromising a business’s network arrays with keylogging malware, then attacking and destroying the company’s back-up systems before launching the ransomware attack.
In a rare case, cybersecurity professionals observed this type of ransomware attack as it was happening in real-time. The security professionals were already on the client site and discussing some anomalies in missing and damaged backup data with the client when the criminals launched the attack. A short time later, another client reported a similar scenario of discovering missing or corrupted backup data, followed by a ransomware attack.
During the investigation, security professionals found that the criminals had deleted the backup images before activating the ransomware.
Backup data has long been the thorn in the side of ransomware criminals since most businesses find it to be a fairly reliable contingency plan when attempting to mitigate the damage done by ransomware attacks.
With ransomware attacks on the rise, we can expect to hear about more attacks focused on backup data. To avoid falling victim to a costly ransomware attack due to lost backup data, security researchers recommend maintaining two separate versions of backup data stored in different areas of the cloud or offline in regularly updated and system-segregated areas at a ‘cold site’. Security professionals are also encouraging businesses to carefully monitor their backup data and watch for any anomalies. And, of course, companies should always make sure systems are patched and contain the latest security solutions available.
You can read more about the ransomware attacks on backup systems here.
SUPERNOVA Analysis & Vulnerability Disclosure
This past week has also been very active for the teams here at GuidePoint Security. Our security consultants and practitioners continue to follow the on-going threat landscape and the emerging state-of-the-practice to ensure that the most up-to-date information and methods are being utilized in the services being provided to our clients. With that, two very exciting articles were released this past week.
First, GuidePoint’s application security consultant Taylor Kilkenny and contributing researchers discovered a retailer was utilizing a third-party JavaScript (JS) library developed by SmartyStreets. One of the JavaScript files in use, liveAddressPlugin.js, was a slightly customized version of a codebase that is freely available on GitHub. This third-party JavaScript library does not correctly output-encode data submitted by the user before appending the input to the DOM. This allows for HTML and JavaScript injection, making the application vulnerable to DOM Based Cross-Site Scripting (XSS) attacks.
Upon finding the vulnerability, GuidePoint attempted three times to contact SmartyStreets via the email address publicized on their website. On the final attempt, SmartyStreets stated that the jQuery plugin is deprecated and that they will not update it. With this information, the team shipped the details off to MITRE for a CVE rating, which came back as a 6.1 MEDIUM.
See more on this vulnerability and its CVE information here.
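To make the flaw concrete, here is an added example (not the SmartyStreets plugin’s own code) of the pattern described above in a hypothetical address-suggestion dropdown: the unencoded string concatenation that produces DOM-based XSS, an output-encoded version, and the preferred DOM-API fix. The function and element names are assumptions for illustration.

```javascript
// Added example (not the SmartyStreets plugin's own code): the DOM XSS pattern described above,
// in a hypothetical address-suggestion dropdown that echoes what the user typed back into the page.

// Vulnerable pattern: the user's input is concatenated into an HTML string that the plugin
// would then assign to element.innerHTML. Any markup in the input becomes live DOM nodes.
function renderSuggestionUnsafe(userInput, suggestion) {
  return '<li class="suggestion"><b>' + userInput + '</b> ' + suggestion + '</li>';
}

// Output-encoding: turn the five characters HTML treats specially into entities so the
// browser renders them as text instead of parsing them as tags or attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must come first so the entities below are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed pattern: every untrusted value is encoded before it touches the HTML string.
function renderSuggestionSafe(userInput, suggestion) {
  return '<li class="suggestion"><b>' + htmlEncode(userInput) + '</b> ' +
         htmlEncode(suggestion) + '</li>';
}

// Preferred fix in a real browser: build nodes with DOM APIs and assign text with textContent,
// so no HTML string is ever parsed. (`listEl` is a <ul>/<ol>; this needs a browser DOM to run.)
function appendSuggestionDom(listEl, userInput, suggestion) {
  const doc = listEl.ownerDocument;
  const li = doc.createElement('li');
  li.className = 'suggestion';
  const b = doc.createElement('b');
  b.textContent = userInput;           // rendered literally, never parsed as markup
  li.appendChild(b);
  li.appendChild(doc.createTextNode(' ' + suggestion));
  listEl.appendChild(li);
  return li;
}

// Constructed sample input: an address fragment carrying stray markup.
const SAMPLE_INPUT = '123 Main <i>St</i>';
```

Running the two string renderers on SAMPLE_INPUT shows the difference: the unsafe version returns the `<i>` tag intact for the browser to parse, while the safe version returns `&lt;i&gt;St&lt;/i&gt;`, which displays as text.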
Second, among the IOCs listed in the recent investigation into the supply-chain compromise of SolarWinds and FireEye, GuidePoint’s Digital Forensics and Incident Response team noticed that a .NET webshell named SUPERNOVA had been identified with no supplemental analysis of its method of operation or of any behavioral indications that this webshell is present in an environment.
This led Managing Security Consultant Wes Riley to write up a detailed analysis of the webshell. The post describes the SUPERNOVA webshell’s operation in depth and shows how this webshell’s activity can be detected within your organization.
Check out the full analysis here.
Final Words
Ransomware is on the rise and it shows no sign of stopping. In a recent 2020 threat report, one major cybersecurity company noted a “seven-fold year-on-year increase” in reports of ransomware attacks. Ransomware offers a quick and often attractive payout for criminals with relatively little effort. No one is immune. In addition to business entities, criminals are stealing and publishing sensitive mental health data on children, they’re targeting school districts, and they’re shutting down hospital systems, leading to actual patient deaths.
As much as decent, law-abiding citizens would like it otherwise, warped criminal minds will always exist. This means that every organization—from businesses to school districts to healthcare providers—needs to do everything in their power to protect their customers and their data. Systems must always be patched and updated with the latest security solutions installed, and organizations need to require employees to use unique passwords that aren’t in use on any other systems internally or externally.
Remember, security equals action. You get out what you put into it.
GuidePoint Security