Neu Cyber Threats – 9th September 2021
Ransomware uses new way of encryption to avoid detection
A novel ransomware has emerged that exploits the ProxyShell Microsoft Exchange vulnerabilities. The threat has been dubbed LockFile and uses a unique ‘intermittent encryption’ method to evade detection, alongside tactics adopted from other ransomware gangs.
Researchers discovered that LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it because an encrypted document looks very similar to the unencrypted original.
The ransomware exploits unpatched ProxyShell flaws, before using a PetitPotam NTLM relay attack to seize control of a victim’s domain. This type of attack allows a cyber criminal to use Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results to trick the server into believing the attacker has a legitimate right to access it.
Other tactics, such as never connecting to a command-and-control center at all, are used to hide its nefarious activities.
The ransomware then uses the Windows Management Instrumentation (WMI) command-line tool WMIC.EXE, which is part of every Windows installation, to terminate all processes with vmwp in their name, repeating the process for other critical business processes associated with virtualisation software and databases. Terminating these processes releases any locks on the associated files and databases, so that these objects are ready for malicious encryption.
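A detection-side illustration of the step above, added here as an example and not taken from the original article or from any LockFile sample: it parses constructed process-creation events (image path and command line, as endpoint telemetry would record them) and flags WMIC invocations that delete processes matching watched names. The watched names beyond vmwp and the event layout are assumptions.

```python
"""Detection of the WMIC process-termination step described above, run over
constructed process-creation events (not real host data)."""
import re

# Names the text says LockFile terminates (vmwp) plus other virtualisation and
# database process names a defender might watch; the extras are an assumption.
WATCHED_NAMES = ("vmwp", "vmms", "sqlservr", "oracle", "mysqld")

# Constructed (image path, command line) events in the shape of process-creation telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic process where \"name like '%vmwp%'\" delete"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic process where \"name like '%sqlservr%'\" delete"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    (r"C:\Windows\System32\cmd.exe", "cmd /c ping 127.0.0.1"),
]

# Matches both  where name="x.exe"  and  where "name like '%x%'"  WQL filters.
_NAME_FILTER = re.compile(r"name\s*(?:like\s*|=\s*)['\"]%?([^%'\"]+)%?['\"]")

def wmic_process_kill(command_line):
    """Return the targeted process-name pattern if this is 'wmic process ... delete',
    '*' if it deletes with no name filter, or None if it is not a kill at all."""
    lowered = command_line.lower()
    parts = lowered.split()
    if len(parts) < 3 or "wmic" not in parts[0] or parts[1] != "process" or parts[-1] != "delete":
        return None
    m = _NAME_FILTER.search(lowered)
    return m.group(1) if m else "*"

def flag_wmic_kills(events):
    """Return (command line, target) pairs where WMIC kills a watched process name
    or deletes processes with no filter at all."""
    hits = []
    for image, cmdline in events:
        if not image.lower().endswith("wmic.exe"):
            continue
        target = wmic_process_kill(cmdline)
        if target and (target == "*" or any(w in target for w in WATCHED_NAMES)):
            hits.append((cmdline, target))
    return hits
```

Feeding the same function the command-line field of real process-creation logs (Sysmon event 1 or Windows 4688 with command-line auditing enabled) is the practical use.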
LockFile renames encrypted documents to lower case and adds a .lockfile file extension, and also drops an HTML Application (HTA) ransom note. In its ransom note, the LockFile adversary asks victims to contact a specific e-mail address; the domain name in that address appears to refer to the Conti gang, a still-active ransomware group.
The feature that differentiates LockFile from its competitors is the unique way it applies encryption, which has not been observed in ransomware before. It does not encrypt the first few blocks of a file; instead, LockFile encrypts every other 16 bytes of a document. This means that a text document remains partially readable.
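The following added example (not code from the original article, and not LockFile's own cipher) shows why every-other-block encryption defeats a plain "does the file still resemble the original?" comparison and keeps whole-file entropy below a full-encryption cut-off such as 7.5 bits per byte, and gives a per-block check that still flags the pattern. The sample document, the key, the toy SHA-256 keystream and the number of untouched leading blocks are all constructed assumptions.

```python
"""Effect of every-other-16-byte encryption on two detection heuristics.
The cipher is a toy SHA-256 keystream XOR, a stand-in for LockFile's real one."""
import hashlib
import math
from collections import Counter

BLOCK = 16        # LockFile works in 16-byte units
SKIP_BLOCKS = 4   # leading blocks left untouched; exact count is an assumption
PRINTABLE = set(b"\t\n\r") | set(range(0x20, 0x7F))

# Constructed sample document: 60 lines of ASCII invoice text, 3000 bytes.
SAMPLE = b"".join(b"Invoice line %03d: 12 units of widget-%c @ 4.50 GBP\n"
                  % (i, 65 + i % 26) for i in range(60))

def _keystream(key, block_index):
    """Toy per-block keystream: SHA-256(key || counter) truncated to one block."""
    return hashlib.sha256(key + block_index.to_bytes(8, "big")).digest()[:BLOCK]

def intermittent_encrypt(data, key):
    """Skip the first SKIP_BLOCKS blocks, then XOR every other 16-byte block.
    Applying it twice with the same key restores the original."""
    out = bytearray(data)
    for i in range(SKIP_BLOCKS, len(data) // BLOCK, 2):
        ks = _keystream(key, i)
        for j in range(BLOCK):
            out[i * BLOCK + j] ^= ks[j]
    return bytes(out)

def byte_similarity(original, candidate):
    """Fraction of byte positions left unchanged: ~0.5 after this scheme, so a
    'file still resembles the original' check sees nothing alarming."""
    same = sum(x == y for x, y in zip(original, candidate))
    return same / max(len(original), len(candidate))

def shannon_entropy(data):
    """Whole-file entropy in bits per byte, the classic 'is it encrypted?' test."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def random_block_ratio(data):
    """Share of 16-byte blocks that look random (at least 6 non-printable bytes)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    random_like = sum(sum(b not in PRINTABLE for b in blk) >= 6 for blk in blocks)
    return random_like / len(blocks)

def looks_intermittently_encrypted(data):
    """Flag a text file that is a mix of clean and random-looking blocks: clean
    text scores ~0, a fully encrypted file ~1, every-other-block ~0.5."""
    return 0.25 <= random_block_ratio(data) <= 0.75
```

The per-block ratio is only meaningful for files that are normally text; for already-compressed or binary formats a defender would pair it with whole-file entropy and rate-of-change monitoring rather than rely on it alone.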
Once it has encrypted all the documents on a machine, LockFile disappears without a trace, deleting itself with a PING command. This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up.
Neuways advises users to remain on top of their phishing awareness. Training can help businesses to stay one step ahead of cyber criminals, by ensuring that the latest cyber threats are well known to as many people as possible, and that threat actors and their cyber attacks can be stopped.
Warning issued for the OnePercent ransomware group
An advisory has been issued regarding the ransomware gang, the OnePercent Group, which has been attacking businesses since November 2020. The cyber criminals involved in the gang target select individuals inside an organisation using social engineering tactics to trick them into opening malicious Word documents contained within an attached ZIP file.
Rather than encrypt the data on the user’s PC, macros embedded within the document install a modular banking Trojan horse known as IcedID onto the victim’s computer. Also known as BokBot, IcedID can steal login credentials for financial institutions as users attempt to access their online bank accounts, but it can also download and drop other malware.
One of the additional pieces of software IcedID can download is Cobalt Strike, a penetration testing tool much loved by malicious hackers for the way it can assist the compromise of an organisation.
Cobalt Strike moves laterally through the targeted business, opening up the company for remote hackers to exfiltrate sensitive data and leave it encrypted on the corporate victim’s system. Cyber criminals have been observed within victims’ networks for “approximately one month prior to the deployment of the ransomware.”
This gives them plenty of chances to learn more about the organisation and find success in accessing highly sensitive company data. This is then swiftly followed up with a ransom note being left for the victim, explaining that data has been encrypted and stolen. The only way to retrieve this data? By responding within one week with payment of thousands of pounds.
If your company doesn’t pay its ransom within a week, the OnePercent Group doesn’t seem to forget about you. They contact late-paying victims by email or telephone, applying additional threats and pressure to convince them to pay. If payment is still not made quickly enough, the OnePercent Group threatens to release a portion of the stolen data (1%, which is seemingly where the group gets its name) on the Dark Web. Then, eventually, the exfiltrated data is put up for auction by a cyber crime group and sold to the highest bidder.
Neuways advises that businesses follow these tips to avoid becoming the next victim of the OnePercent Group:
- Back up critical data in multiple locations, ensuring copies are held in the cloud or on an external hard drive or storage device. These copies should not be accessible from the compromised corporate network.
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
- Keep computers, devices, and applications patched and up to date.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Use multi-factor authentication with strong passphrases.
The risks of hybrid working to your cyber security
While the likelihood of a full-time return to the office varies from business to business, the probability of an ongoing hybrid home/office working environment is much higher. Security teams will need to continue, and possibly expand, their plans to secure remote personal devices operating in a hostile environment, perhaps indefinitely.
A recent study is trying to better understand user behaviour in the home working environment, which at the moment is largely unknown. The fear is that hybrid working will bring a wave of weakened cyber security measures that could give cyber criminals easier access to corporate networks.
After more than 500,000 malicious emails and 500,000 visits to dangerous websites made by staff ranging from entry-level to executive in more than 20 countries were analysed, the top five ‘risky behaviours’ were:
- failing authentication
- clicking on phishing emails
- installing adware
- using P2P software and private VPNs
Failing authentication may not seem a huge security problem since it demonstrates that access controls are working. However, the volume puts an unnecessary strain on the security team, with repeated failure in MFA making it difficult to distinguish between human error and genuine malicious activity. 50% of home workers have failed MFA at least once per month.
Phishing emails, and employees clicking on them, are the clearest and most obvious threat to home workers, and the statistics are disturbing. While 99% of spam and phishing emails are caught by filters, 1% still reach inboxes, which means an employee receives an average of 5 phishing emails every month, with about 8% of these being clicked on. Researchers said: “In a business of 5,000 employees this equates to 20 phishing emails opened and clicked each month.”
3% to 4% of employees have installed adware inadvertently by installing untrusted software sourced online. Without users’ consent or knowledge the download will include additional software containing adware that can spy and export data to malicious entities. Around 5% of employees install P2P software and private VPNs, such as BitTorrent and Golden Frog, to bypass media paywalls, access content in restricted geographies, and download media without being recognised. Private VPNs are a major risk, as the study suggests that 38% of private VPNs contain malware, while 82% read their clients’ data.
The data gained from the study also shows that senior management figures are more likely to be targeted by cyber criminals than the average employee. Senior managers are targeted by phishers almost 50 times more frequently than average employees.
Neuways advises businesses to ensure that their employees are aware of the potential pitfalls of a hybrid working solution. The dangers illustrated above can all be halted by ensuring that each and every member of staff follows the cyber security measures that are put in place for a reason. Some employees could benefit from Phishing Awareness Training, which helps them to stay cautious and test themselves against the kind of phishing campaigns that cyber criminals distribute on a regular basis.
Ransomware gang ignores its own countdown clock and publishes encrypted files
Following an attack on a major airline last week, the LockBit 2.0 ransomware gang ignored its own countdown clock and published what it claims are the airline’s encrypted files on its website.
A publication posted an image of LockBit’s “Encrypted Files Are Published” post, dated Saturday, August 28th, 19:37:00. This is a full three days earlier than its original countdown clock: in that post, the ransomware-as-a-service (RaaS) gang had promised that the encrypted files would be published by August 31st if the airline didn’t pay the ransom.
The LockBit gang told the publication that the Accenture breach from earlier this month yielded the credentials used in the airline attacks. LockBit also claimed to have encrypted the systems of an unnamed airport using Accenture software. The airline announced the breach last week and LockBit 2.0 started a countdown clock almost immediately. In its initial post, the gang claimed to have stolen 103GB worth of compressed files that it would release, and that it had a lot more – over 200GB of files – that it could release to add to the misery of the victims.
The airline breach involved various personal data belonging to passengers, including:
- Passenger name
- Family name
- Phone number
- Email address
- Other contact information
- Passport information and more
Researchers say that this isn’t the first time that LockBit has shared its victim’s data ahead of its own countdown clock: “The gang repeatedly delayed its own threats in the earlier Accenture breach because of its use of a clearweb site – Mega.nz, a cloud storage and file hosting service that’s known for offering the largest fully featured free cloud storage in the world, at 20GB. The threat actor’s account on Mega was banned and the files are no longer accessible.”
131 victims of LockBit 2.0 have been identified since the creation of its website in July 2021. Another researcher observed that LockBit may have been motivated by the airline’s public disclosure, given that attackers generally prefer that an attack is not made public until after a ransom is paid. The delaying tactic provides a further pressure point to ensure that victims buckle and pay.
Earlier this month, LockBit attacked global business consulting firm Accenture. The firm’s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its 2020 annual report, that includes e-commerce giant Alibaba, Cisco and Google. Accenture is one of the world’s largest tech consultancy firms, and employs around 569,000 people across 50 countries.
It isn’t clear whether or not LockBit has been able to take advantage of Accenture’s customers, but they may well be worried. The threat actor claims to have gutted their security provider (a claim Accenture denies), potentially compromising an untold number of its customers. Recent attacks carried out by LockBit 2.0 appear to have featured a souped-up encryption method, just one of many times it has polished its arsenal.
Researchers added: “Stealing credentials is often just the opening salvo to such an attack, organisations need to be more resilient to the next steps in these human-operated attacks. The move from a purely preventive mindset and to one of visibility, detection and response is a critical step in that journey.”
With that in mind, Neuways advises that you have a conversation with your MSP to discover how well prepared your business is for a ransomware attack such as those operated by LockBit. Business Continuity and Disaster Recovery (BCDR) plans are one method that helps a business get back on track should it become the unfortunate victim of a cyber attack, but a BCDR plan must form one part of a whole IT business plan. Call the experts at Neuways today on 01283 753333 or email firstname.lastname@example.org to find out more.