Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 

2017-10-28_ITT.PNG

Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by NotPetya (or Nyeta) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.

2017-10-28_ITTGroups

Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-10-28_ITTNew

Cyber Risk Trends From the Past Week

2017-10-28_RiskScoresThe offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.

Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.

2017-06-30_ITT.PNG

At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear if the group behind the threats is associated with the real Armada Collective, or if it is yet another group that is attempting to leverage the popular extortionists identity in order to gain credibility. In early 2016, a group was able to successfully extort more than $100,000 by threatening DDoS attacks under the Armada Collective name — but researchers concluded that specific threat was empty and the group never actually carried out any attacks — despite being profitable.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank — with a promise of more powerful attacks to come in the future if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC last Monday lasted for only 16 minutes. Previous extortion campaigns have seen groups using a similar tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands is unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million dollar ransom payment that was made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.

2017-06-30_ITTGroups

Other trending cybercrime events from the week include:

  • Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”
  • Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.
  • Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-06-30_ITTNew

Cyber Risk Trends From the Past Week

2017-06-30_RiskScoresOne of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those that were infected across the Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that  the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for the key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means that the attackers have little hope of actually recovering their data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may a have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.

Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus Ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which were for small companies and startups.

2017-06-23_ITT.PNG

The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down their IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.

2017-06-23_ITTGroup

Other trending cybercrime events from the week include:

  • Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.
  • POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.
  • Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.
  • More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.
  • Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-06-23_ITTNew

 

Cyber Risk Trends From the Past Week

2017-06-23_RiskScoresLarson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

2017-05-19_ITT.PNG

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

2017-05-19_ITTGroup

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-19_ITTNew

Cyber Risk Trends From the Past Week

2017-05-19_RiskScoresAs WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry.  “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”  

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover in regards to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

2017-05-17_LawFirmRansomware.PNG
The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

  • In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
  • In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because the firm said they were unaware that new account holders could only purchase 2 bitcoins per day.
  • In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
  • In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted due to a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, a lack of proper backups and incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

2017-05-17_wannacry

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

2017-05-12_ITT.PNGBy Saturday researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.

2017-05-12_ITTGroups

Other trending cybercrime events from the week include:

  • Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
  • Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
  • Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
  • Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-12_ITTNew

Cyber Risk Trends From the Past Week

2017-05-12_RiskScoresOn Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires  the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Slew of Source Code and Malware Leaks Increases Risk for Organizations

Earlier this month, an undergraduate student in Korea apologized for creating and making public the joke ransomware “Resenware.” The malware didn’t ask for money to decrypt files; instead, it required victims to score more than 200 million points on the “lunatic” level of the shooting game Touhou Seirensen ~ Undefined Fantastic Object.

The student told Kotaku that he released the joke malware on Github before falling asleep and by the time he woke up it had spread and “become a huge accident.” The source code was quickly removed from Github and a tool was released allowing infected users to decrypt their files without having to play the game. The creator then apologized for making a “kind of highly-fatal malware.”

That’s all well and good, but as Will Rogers once said, “Letting the cat out of the bag is a whole lot easier than putting it back in.”

2017-04-18_Resenware.PNG
A warning from Resenware shared by Malware Hunter Team.

The story highlights how quickly publicly available source code can be spread, copied, and potentially repackaged by malicious actors. That isn’t as likely to happen with Resenware due to the lack of a financial component, though it could be utilized by actors looking to cause harm rather than turn a profit. Nevertheless, profit-driven actors have numerous other recent source code leaks they can pull from.

For example, in December 2016, the source code for a commercial Android banking Trojan, along with instructions on how to use it, was released on a cybercriminal forum. Malicious actors quickly used that code to create the BankBot Trojan, which Dr. Web researchers noted can steal login credentials and payment card details by loading phishing forms and dialogs on top of legitimate applications, as well as intercept and delete text messages sent to the infected device. Since then, BankBot has made several appearances in the Google Play store, confirming Dr. Web’s January conclusion that the leak “may lead to a significant increase in the number of attacks involving Android banking Trojans.” In fact, just last week two malicious applications utilizing BankBot, HappyTimes Videos and Funny Videos 2017, were removed from the Google Play store after receiving thousands of installs.

The BankBot Trojan is just one example of the continuing evolution of malware as the stockpile of effective cybercriminal tools continues to accumulate. The leak of these tools, whether made as a joke by amateurs or for malicious purposes by professional cybercriminals, means that more polished malware is now at the fingertips of malicious actors than ever before.

Even if an inexperienced actor is unable to take and modify public malware source code, they can simply turn to professionally run as-a-service malware options that are likely doing so.

Last week MalwareBytes released a report with an interesting chart on ransomware trends. It shows that the Cerber ransomware-as-a-service (RaaS) has come to dominate the ransomware market with a nearly 90% share as its main competitor, Locky, has declined.

2017-04-19_Cerber
Cerber is dominating the ransomware market as Locky fell off sharply, according to MalwareBytes’ honeypots.

“Cerber [has spread] largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors noted.

Those types of criminal operations can greatly benefit from the large amount of exploits and malware source code that has made its way into the public domain this year.

For example, since March 2017 we’ve seen:

  • The release of the source code for the NukeBot banking Trojan, a modular Trojan that comes with a web-based admin panel to control infected endpoints.
  • New allegedly NSA-developed exploits leaked by TheShadowBrokers, including last week’s release of a series of now-patched Windows exploits and a critical vulnerability that can hijack Solaris systems that was released a week prior (and patched today by Oracle).
  • More leaks of alleged CIA exploits and tools, some of which claim the CIA benefited by repackaging components of the Carberb malware source code, which was leaked in 2013, into CIA hacking tools.
  • A report last week claimed that the Callisto APT Group used tools leaked from the surveillance company HackingTeam, which was breached in 2015, in a series of targeted attacks last year.

Whether it’s nation-state actors, cybercriminal groups, or amateur hackers, they can all benefit by the leak of these tools over the past month. If past leaks are any indication, malicious actors will incorporate any effective tools and techniques from the recent leaks into their already-existing cyber arsenals.

As the collective knowledge grows on the cybercriminal side, it’s crucial that organizations harness their own threat intelligence in order to have their finger on the pulse of malicious actors. With that information they can more effectively counter the slew of new vulnerabilities, exploits, and as-a-service tools being used to infiltrate their networks and damage their organization.