Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we at Neuways bring attention to the latest cyber security threats to help you stay safe online.

Here are the most prominent threats which you should be aware of:

Rapid attacks hitting businesses without ransomware

A new report from researchers has found that a cyber crime group called SnapMC can breach an organisation’s systems, steal its sensitive data and begin extorting it within mere minutes. The group demands payment to keep the stolen data from being published; no ransomware is involved at any stage.

Rather than disrupting business operations by locking down a target’s data and systems, SnapMC relies on extortion alone. The positive for businesses is that this low-tech, ransomware-free approach on a shortened timeline depends on exploiting known vulnerabilities that the victim has not yet patched, so keeping systems up to date removes the group’s way in.

Researchers said: “In the extortion emails we have seen from SnapMC they have given victims 24 hours to get in contact and 72 hours to negotiate. These deadlines are rarely abided by, as the attacker usually starts increasing the pressure well before countdown hits zero.”

The researchers were not able to link the group to any known threat actors and, as a result, named it for its speed (“Snap”) and its exfiltration tool of choice, mc.exe. As evidence that it holds the data, SnapMC provides victims with a list of the exfiltrated files. If the victim fails to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to the victim’s customers, as well as the media.

Researchers said they have observed SnapMC gaining entry in two ways: by exploiting unpatched, vulnerable VPN appliances, and by attacking web-server applications, either through the remote code execution bug in Telerik UI for ASP.NET AJAX or through SQL injection. This matters because a recent run of VPN vulnerabilities has left many companies exposed.
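The SQL injection route mentioned above is worth seeing in code, because the difference between the vulnerable and the fixed version is a single line. The example below is added here and is not code from the original bulletin or from the SnapMC report; the table names, the data and the `api_keys` table are hypothetical, constructed only to show how an attacker who controls one string parameter can pull rows out of a table the application never intended to expose, which is exactly the kind of bulk data theft an extortion group needs.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database; names and values are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (email TEXT, invoice_ref TEXT);
        CREATE TABLE api_keys (service TEXT, secret TEXT);
        INSERT INTO customers VALUES ('alice@example.com', 'INV-1001');
        INSERT INTO customers VALUES ('bob@example.com', 'INV-1002');
        INSERT INTO api_keys VALUES ('payments', 'sk_live_constructed_example');
        INSERT INTO api_keys VALUES ('backups', 'bk_constructed_example');
        """
    )
    return conn


def lookup_invoice_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the user-supplied value is pasted into the SQL text,
    so anything after a closing quote is executed as SQL."""
    sql = f"SELECT email, invoice_ref FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_invoice_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fixed: a parameterised query. The driver binds the value as data;
    it can never change the shape of the statement."""
    sql = "SELECT email, invoice_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology: turns the WHERE clause into "always true" and returns
# every customer row.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"

# UNION-based exfiltration: the quote closes the string literal, the UNION
# appends rows from a different table with the same column count, and the
# trailing comment swallows the quote the application appends.
EXFIL_PAYLOAD = "x' UNION SELECT service, secret FROM api_keys --"


if __name__ == "__main__":
    conn = make_demo_db()
    print("normal lookup:  ", lookup_invoice_safe(conn, "alice@example.com"))
    print("vuln, tautology:", lookup_invoice_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vuln, exfil:    ", lookup_invoice_vulnerable(conn, EXFIL_PAYLOAD))
    print("safe, exfil:    ", lookup_invoice_safe(conn, EXFIL_PAYLOAD))
```

The safe version does not sanitise the input at all; it simply never lets the input become part of the statement. That is the fix to look for in your own code: parameter binding everywhere, rather than escaping or filtering quotes.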

“While VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild. Ensuring that only authorised and secure users/devices can access corporate infrastructure requires strong cyber security policies for on-premises access or private apps and cloud access security broker capabilities for cloud-based apps and infrastructure.”

Neuways advises ensuring that any software your business uses is patched and up to date. Some programmes do this automatically, but it is still worth carrying out regular checks that everything is as current as possible; an unpatched vulnerability in a programme you rely on leaves your business open to attack.

Cyber criminals behind trojan escalating ransomware hits

The cyber criminals behind the notorious TrickBot trojan have expanded their ransomware operations, which is expected to escalate ransomware hits on businesses, especially with the Conti ransomware.

Researchers said: “This latest development demonstrates the strength of TrickBot’s connections within the cyber criminal ecosystem and its ability to leverage these relationships to expand the number of organisations infected with its malware.”

TrickBot malware started life as a banking trojan five years ago, but it quickly developed to become a modular, full-service threat. It’s capable of a range of backdoor and data-theft functions, can deliver additional payloads, and has the ability to quickly move laterally through a corporate network. According to researchers, the TrickBot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its bag of tricks.

“Earlier this year, the TrickBot gang relied on email campaigns delivering Excel documents and a call-centre ruse known as BazarCall to deliver its payloads to corporate users. However, the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.”

BazarCall is a distribution tactic that starts with emails offering “trial subscriptions” to various services, with a phone number listed to call customer service to “avoid being charged money”. If someone calls, a call-centre operator directs the victim to a website to unsubscribe from the service, a process the “agent” walks the caller through. The end result is the caller’s computer becoming infected with malware, usually BazarLoader, which is yet another malware in the TrickBot gang’s arsenal.

The TrickBot gang has teamed up with affiliates to increase distribution of the malware. One of these is Hive0106, a financially motivated threat group that specialises in massive volumes of spamming and has lately been looking to partner with elite cyber crime gangs such as TrickBot. Hive0106 campaigns begin with hijacked email threads: the attacker jumps into ongoing correspondence, replying to an incoming message under the guise of the rightful account holder. These existing threads are stolen from email clients during previous infections. The malicious emails reuse the original subject line but not the entire thread, and carry an archive file containing the malicious attachment along with the password needed to open it.

To reduce the chances of serious damage from an infection or a follow-up ransomware attack, Neuways recommends the following steps:

  • Ensure you have backups of your data, following the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy held off-site and separate from your company’s network. Tested, isolated backups give your business a way to recover from a ransomware attack without paying the attackers.
  • Employ multi-factor authentication on all remote access points into a corporate network.
  • Secure or disable remote desktop protocol (RDP). Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.

If you require any further advice around avoiding ransomware attacks, contact Neuways on hello@neuways.com.

Cyber criminals trying to take over Microsoft 365 accounts

A new group of cyber criminals, tracked by Microsoft as DEV-0343, has been spotted trying to take over Microsoft Office 365 accounts. Microsoft, which began tracking the activity in late July 2021, discussed the attacks in detail in an alert, stating that the attackers are “conducting extensive password spraying” against Office 365 accounts.

Password spraying takes a short list of likely passwords and tries each one against a large number of user names, rather than hammering a single account with many guesses; spreading the attempts across accounts keeps each account below the lockout threshold for longer. In this case, Microsoft said, the attackers typically target “dozens to hundreds of accounts” within an organisation and have been seen trying thousands of credential combinations against each account.

So far, the campaign has targeted about 250 specific organisations that use Microsoft’s cloud-based Office suite, with less than 20 of them suffering compromise, according to the company. However, “DEV-0343 continues to evolve their techniques to refine its attacks,” Microsoft warned.

The attacks are launched from rotating IP addresses on the Tor proxy network, with the spraying tool emulating a Firefox or Chrome browser. On average, each attack uses between 150 and 1,000 unique addresses in an elaborate effort to obscure the operational infrastructure.

Microsoft said: “Changing the IP address for every password attempt is becoming a more common technique among sophisticated threat groups. Often, threat groups randomise the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP addresses. These services are often enabled through malicious browser plug-ins.”

This use of proxy addresses makes developing indicators of compromise difficult, but the patterns that Microsoft has observed in the attacks include:

  • Extensive inbound traffic from Tor IP addresses for password spray campaigns
  • Emulation of Firefox (most common) or Chrome browsers in password spray campaigns
  • Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
  • Use of enumeration/password spray tool similar to the “o365spray” tool
  • Use of Autodiscover to validate accounts and passwords
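The patterns above translate into a detection that any team with sign-in logs can run. The script below is added here as an example and is not from the original bulletin or from Microsoft; the log lines are constructed (RFC 5737 documentation addresses, made-up users) and the window size and thresholds are assumptions you would tune to your own tenant. It separates the spray signature (a thin scatter of failures across many accounts from many source addresses) from ordinary brute force against one account, and reports the Tor share and dominant browser agent for the flagged window, the two extra signals Microsoft describes.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (not real telemetry). Fields:
# timestamp,user,result,source_ip,user_agent,tor_exit
SAMPLE_LOG = """\
2021-10-12T08:00:01Z,u01@example.com,FAIL,198.51.100.10,Firefox/92.0,tor
2021-10-12T08:00:04Z,u02@example.com,FAIL,198.51.100.11,Firefox/92.0,tor
2021-10-12T08:00:07Z,u03@example.com,FAIL,198.51.100.12,Firefox/92.0,tor
2021-10-12T08:00:10Z,u04@example.com,FAIL,198.51.100.13,Chrome/94.0,tor
2021-10-12T08:00:13Z,u05@example.com,FAIL,198.51.100.14,Firefox/92.0,tor
2021-10-12T08:00:16Z,u06@example.com,FAIL,198.51.100.15,Firefox/92.0,tor
2021-10-12T08:01:02Z,u01@example.com,FAIL,198.51.100.16,Firefox/92.0,tor
2021-10-12T08:01:05Z,u02@example.com,FAIL,198.51.100.17,Firefox/92.0,tor
2021-10-12T09:00:01Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T09:00:02Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T09:00:03Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T09:00:04Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T09:00:05Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T09:00:06Z,u07@example.com,FAIL,203.0.113.5,Outlook/16.0,clearnet
2021-10-12T10:00:01Z,u01@example.com,OK,192.0.2.20,Firefox/92.0,clearnet
2021-10-12T10:00:05Z,u02@example.com,FAIL,192.0.2.21,Chrome/94.0,clearnet
2021-10-12T10:00:09Z,u02@example.com,OK,192.0.2.21,Chrome/94.0,clearnet
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    success: bool
    ip: str
    user_agent: str
    tor_exit: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed CSV format above into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, user, result, ip, agent, tor = line.split(",")
        events.append(SignIn(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=user, success=(result == "OK"), ip=ip,
            user_agent=agent, tor_exit=(tor == "tor")))
    return events


@dataclass
class SprayAlert:
    window_start: datetime
    distinct_users: int
    distinct_ips: int
    attempts: int
    tor_share: float
    top_agent: str


def detect_password_spray(events: list[SignIn], window: timedelta = timedelta(minutes=10),
                          min_users: int = 5, max_mean_attempts: float = 3.0,
                          min_ips: int = 3) -> list[SprayAlert]:
    """Flag time windows where failed sign-ins are spread thinly across many
    accounts and many source addresses. Thresholds are assumed defaults."""
    secs = window.total_seconds()
    buckets: dict[datetime, list[SignIn]] = defaultdict(list)
    for e in events:
        if e.success:
            continue
        epoch = e.ts.timestamp()
        start = datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)
        buckets[start].append(e)

    alerts = []
    for start, evs in sorted(buckets.items()):
        users = {e.user for e in evs}
        ips = {e.ip for e in evs}
        mean_per_user = len(evs) / len(users)
        if len(users) >= min_users and mean_per_user <= max_mean_attempts and len(ips) >= min_ips:
            agent = Counter(e.user_agent.split("/")[0] for e in evs).most_common(1)[0][0]
            alerts.append(SprayAlert(start, len(users), len(ips), len(evs),
                                     sum(e.tor_exit for e in evs) / len(evs), agent))
    return alerts


def brute_force_targets(events: list[SignIn], threshold: int = 5) -> dict[str, int]:
    """The contrasting pattern: many failures piled onto a single account."""
    counts = Counter(e.user for e in events if not e.success)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_password_spray(evs):
        print("password spray:", alert)
    print("brute force:", brute_force_targets(evs))
```

On the constructed log only the 08:00 window is reported as a spray (six accounts, eight Tor addresses, mostly a Firefox agent), while the burst against u07 at 09:00 shows up under the brute-force check instead. In a real tenant the same logic would run over the sign-in logs exported from your identity provider, with the Tor flag supplied by an exit-node list.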

To protect against password-spraying attacks, Neuways advises enabling multi-factor authentication on every account, so that a guessed password alone is not enough to sign in.

Microsoft added that other defensive tactics include using passwordless solutions such as Microsoft Authenticator to secure accounts, reviewing Exchange Online access policies, blocking ActiveSync clients from bypassing Conditional Access policies, and blocking all incoming traffic from anonymising services where possible.

Google report gives insight into millions on ransomware samples

Google has released a report taking a close look at the more than 80 million ransomware samples uploaded to its VirusTotal service over the last 18 months. Each day, approximately 150,000 ransomware samples are analysed by the free service after being submitted by users who suspect a file is malicious, and the results are shared with the security community to enhance threat intelligence and improve anti-virus products.

The first Ransomware Activity Report from VirusTotal reveals that it received ransomware submissions from over 140 different countries around the world, and discovered at least 130 different ransomware families had been active since January 2020.

During deeper analysis of a smaller, curated and representative set of around one million double-checked ransomware samples, VirusTotal determined that the GandCrab ransomware-as-a-service operation tops the chart for the most common ransomware family by number of samples, thanks largely to a surge in activity in early 2020.

The report said: “GandCrab had an extraordinary peak in Q1 2020 which dramatically decreased afterwards. It is still active but at a different order of magnitude in terms of the number of fresh samples.”

[Figure: Ransomware Samples]

In the runner-up position lies Babuk, which had a peak in submissions in July 2021. Babuk has often featured across our Neu Cyber Threats weekly bulletins this year, with the report stating:

“Another sizable peak occurred in July 2021, driven by the Babuk ransomware family. This ransomware operation launched at the beginning of 2021 and was behind many high-profile attacks.”

It is worth recognising that while the bulk of ransomware activity is taken up by the top 10 families, there are still over 100 other ransomware groups that have been active over the last year. That is a huge amount of illicit activity that can bring businesses crashing to the ground. The report notes that “there is a baseline of activity of around 100 not-so-popular ransomware families that never stops.”

Interestingly, and perhaps surprisingly to some, the report also finds that ransomware typically does not rely on exploits to breach an organisation’s defences: only 5% of the submitted samples contained exploits.

The report stated: “This makes sense given that ransomware samples are usually deployed using social engineering and/or by droppers (small programmes designed to install malware). In terms of ransomware distribution, attackers don’t need exploits other than for privilege escalation and for malware spreading within internal networks.”

Neuways, as ever, advises keeping your employees aware of the latest ransomware ruses that cyber criminals are using to infect and exploit businesses around the world. With hundreds of cyber criminal gangs bombarding businesses with phishing campaigns, it would take only one lapse of judgement for a threat group to enter your corporate network and encrypt your information.

Updating your IT systems with the latest security patches, as well as creating a strong culture of cyber security awareness within your business can really help avoid a large headache.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.