Image Source: SOPHOSLABS 2019 THREAT REPORT
We’ve written quite a bit about municipalities large and small (think Atlanta, GA and Batavia, IL) becoming the focus of hackers and cybercriminals. Today we’ll shed a little more light on the malware that brought Atlanta to its knees in March.
SaMSaM for Ransom
Dubbed SaMSaM, researchers at Sophos have dedicated a portion of their SOPHOSLABS 2019 THREAT REPORT to this highly profitable group of malware maestros. Sophos describes SamSam’s highly personalized, hi-touch ransomware attacks as being akin to a “cat burglar” as opposed to the more “smash and grab” approach of automated ransomware attacks that utilize commodity ransomware such as GandCrab.
The Advantages of Being Hands-On
Rather than relying on automation to rapidly attack hundreds of systems at once and hoping that some sort of exploitable vulnerability surfaces, for nearly 3 years SamSam has applied an old school hands-on approach to infiltration and infection. It typically begins by brute-forcing RDP passwords, which ultimately leads to harvesting domain admin credentials. With these credentials in hand SamSam then waits for just the right moment, say Friday evening on a holiday weekend to strike – pushing out the malware to as many machines as possible simultaneously
This hi-touch, cat burglar approach has allowed SamSam to focus on vulnerable targets with deep pockets and has yielded known ransom payments totaling $6.5 Million USD in a little under 3 years.
Imitation is the Sincerest Form of Flattery
Even though the mysterious folks behind SamSam do not appear to collaborate, or even brag in forums, their high value exploits have not gone unnoticed and several impersonators have spawned such as the ultra-high ransom group BitPaymer which reportedly charges ransoms in the $50,000 to $1MM dollar range.
Konsultek’s Recommendation – Rein in RDP and Get the Fundamentals Locked Down
Since many of the worst manual ransomware attacks have relied upon Windows Remote Desktop as a point of entry it stands to reason making sure you have this potential avenue of ingress secured should be a top priority. Once this basic vulnerability is secured you should also make sure that your team is practicing good password management and keeping systems up to date and patched. Even the most sophisticated security solutions will be hamstrung if sloppy network hygiene virtually invites hackers in!
If you’d like a free visibility report to potential problems mentioned in this blog, please contact us immediately.
A couple weeks ago British Airways confirmed that the personal data of 380,000 customers had been stolen.
Magecart Again. Still?
On September 11th the simplicity of this surgical strike was revealed by RiskIQ and the details are pretty amazing. According to RiskIQ the incident, which lasted 15 days, was very similar to the breach of Ticket Master UK earlier in the year. That similarity combined with crawl data allowed them to quickly confirm that the threat actors were one in the same, Magecart.
Magecart is a group of criminals that specialize in web based credit card skimmers. RiskIQ actively monitors 2 billion pages of the world wide web for Magecart activity and Magecart is so active that RiskIQ gets hourly notifications of sites being hacked!
The 22 Line Scalpel
The same code also appears to have affected the British Airways mobile app for the same period of time. This is because the app was developed as an empty shell that simply pulled in functionality from the desktop site. While past Magecart attacks grabbed form data indiscriminately, these 22 lines were highly targeted, extracting payment information and sending it off to their own servers.
Konsultek Knows Security
Threat prevention, detection and quarantine are the hallmarks of a robust security solution. If your current approach to network security is a patchwork quilt of boxes and software that has been cobbled together over time it’s probably time to have us perform a comprehensive review. Simply give us a call and we’ll schedule a time to chat. It’s really that easy to get started.
Recently, Fortnite has been used as malware bait for gamers who are looking to cheat their way to a win. TheHackerNews.com informs us that many of these game cheat download links might actually be downloading malware onto the eager-to-win gamer’s computer. The fake Fortnite hacking tools infect personal computers mainly through advertisements on YouTube videos and allow the attackers to modify the victim’s network with a man-in-the-middle strategy. This gives them the access they need to spread targeted, malicious ads over webpages visited by the user.
Gamers Guide to Staying Safe
- Only download content from a developer making sure that the source is safe and reputable
- Use a Mac or IOS software because it doesn’t affect those as of yet. NOTE: this is most likely a temporary solution until the hackers adjust to infect those operating systems as well
- Beware of Youtube videos promoting Fortnite cheat downloads and avoid them, they might be hiding malware
- Don’t cheat! J Playing the game honestly to win more of the in-game rewards is obviously the safest way to obtain them and hopefully more fun!
Growing Avenues of Threats
Gamers are an easy target for hackers since winning is difficult without cheat codes. Fortnite is certainly not the first game that has been targeted and will probably not be the last. The growing online presence of video games combined with the desire of many to win at all costs will make an ever larger portion of gamers more susceptible to devious hackers. The game cheat vector is really quite similar to email phishing scams that take unsuspecting victims to malware laced websites. The only difference is the bait. Gamers, like email users, need to be prepared, stay safe, and maintain a sense of vigilance in regards to their security.
Safety Under Control
Konsultek excels at the game of preventing, detecting, and responding to data breaches and unauthorized network access. If you are wondering about potential disruptions that your organization could be facing, look no further. We would be happy to assist you with a security assessment and we are always game for a phone call to discuss your cyber security needs.
Remember that time you let your tween borrow your phone and they “helped” you out by downloading WhatsApp for you? Well let’s hope what they downloaded was a legitimate copy of the app from a legitimate source or you may now be unwittingly sharing way more of your personal life with total strangers than you ever thought possible!
Dubbed GhostCtrl by the researchers at Trend Micro who first caught it in the wild, this nasty little malware beast, which typically masquerades as popular apps such as WhatsApp and Pokémon Go can give the hackers who unleashed it unprecedented control over a victim’s device.
A Rapidly Evolving Scary Ghost
GhostCtrl continues to evolve and there are at least 3 versions operating in the wild right now. The first iteration steals information and controls some of the devices function, the second added the ability to hack more features and according to Trend Micro, “The third iteration combines the best of the earlier versions’ features—and then some.”
Based upon clues in its source code, GhostCtrl appears to be a scion of OmniRAT, the commercially sold Remote Access Tool that allows the takeover of Windows, Linux and Mac systems with the push of an Android button.
You Will Obey My Commands
Like some evil hypnotist, GhostCtrl can make the victim’s device do virtually anything the hacker wants it to do by sending commands from a remote control server.
Here is a partial but frightening list of those commands:
- ACTION CODE =10, 11: Control the Wi-Fi state
- ACTION CODE= 34: Monitor the phone sensors’ data in real time
- ACTION CODE= 37: Set phone’s UiMode, like night mode/car mode
- ACTION CODE= 41: Control the vibrate function, including the pattern and when it will vibrate
- ACTION CODE= 46: Download pictures as wallpaper
- ACTION CODE= 48: List the file information in the current directory and upload it to the C&C server
- ACTION CODE= 49: Delete a file in the indicated directory
- ACTION CODE= 50: Rename a file in the indicated directory
- ACTION CODE= 51: Upload a desired file to the C&C server
- ACTION CODE= 52: Create an indicated directory
- ACTION CODE= 60: Use the text to speech feature (translate text to voice/audio)
- ACTION CODE= 62: Send SMS/MMS to a number specified by the attacker; the content can also be customized
- ACTION CODE= 68: Delete browser history
- ACTION CODE= 70: Delete SMS
- ACTION CODE= 74: Download file
- ACTION CODE= 75: Call a phone number indicated by the attacker
- ACTION CODE= 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
- ACTION CODE= 78: Control the system infrared transmitter
- ACTION CODE= 79: Run a shell command specified by the attacker and upload the output result
With this type of control the hackers can choose to be a nuisance, ransomer, evil spy or blackmailer depending upon their motives.
Scared? Who ya Gonna Call?
When it comes to mobile security, BYOD security and Network security our engineers are real life “ghost” busters who can develop comprehensive and holistic security solutions for your organization. So, who ya gonna call? Call Konsultek!
In a recently released report on crime in the United Kingdom, the UK’s National Crime Agency breaks serious and organized crime into three principle categories, Vulnerabilities, Prosperity and Commodities.
A Crime of Prosperity
According to the National Strategic Assessment of Serious and Organised Crime, Cyber Crime, once a relatively benign area of crime whose offenders were solo techno-geeks has matured into a full-fledged organized crime alongside activities such as:
- Money Laundering
- Fraud and Other Economic Crime
- Bribery, Corruption and Sanctions Abuse.
Cyber Crime and Technology Enable Fraud
The report notes that fraud in the UK is increasing and it is estimated that losses could be as much as GBP 193 billion. UK residents are now more likely to be a victim of fraud than any other type of crime. The use of malware and phishing emails to obtain customers’ details is a key driver of fraud. And, it is probable that new technology value transfer methods (you have to love how the British can make even hacking sound cool!) will increase in criminal use as their popularity for legitimate use increases.
Cyber Crime In the UK Similar the USA
It is interesting to note that the findings of this report, specific to the UK, are quite similar to what we are experiencing in the USA. For example, the most competent cyber criminals are moving towards targeting businesses as the potential for higher returns on investment is much greater. Readily available hacking toolkits and ransomware are making it easier for less sophisticated individuals and organizations to enter the cyber crime space.
Some Businesses Stockpiling Bitcoins
One very interesting finding in the report that I have never seen documented anywhere else is their finding #79…
“79. A survey of security professionals by industry identified that some businesses are stockpiling bitcoins in anticipation of a ransomware attack. Ransomware has become one of the most profitable malware types in history. Its success is best illustrated by the sharp increase of varieties in the marketplace.”
Konsultek Knows Security
Konsultek’s UK office enables us to respond to the needs of our European clients quickly and efficiently. So whether your organization is located in the UK or continental Europe our expertise is ready to be deployed to help your organization become more secure.
Having your sensitive information held for ransom is never good. But what if your sensitive data were the before and after pictures of tens of thousands of plastic surgery patients that had entrusted their bodies, faces and privacy to your clinic?
How much ransom would you pay to keep your patients most intimate secrets private? That is exactly the dilemma facing the Lithuainian based Grozio Chirurgija clinic and its director Jonas Staikunas according to the BBC. And apparently the ransom demanded was more than the director was willing to pay…
“An Outrageous Fee”
The breach, perpetrated by the Tsar Team, this April was quickly followed up with a ransom demand the group called “a small penalty fee” – 344,000 Euros – for having a vulnerable network.
On Tuesday this week the images were made public after the clinic refused to pay the ransom. On or about the same time, the hackers started contacting individuals with compromised images directly demanding smaller, single serving ransoms of up to $2,000 Euro. Tsar Team has also lowered the demands for the whole database to 133,500 Euro stating “a lot of people have paid us to delete their data.”
Medical Facilities Will Continue to be Targeted
With their highly sensitive and personal data, as well as life-support systems ripe for extortion, medical facilities will continue to be targeted by opportunistic cyber-thieves looking to cash in. The recent ransoms of the MedStar Health Network and the Hollywood Presbyterian Medical Center in Los Angeles are just two of the more well publicized breaches. On the heels of WannaCry, you can bet there will be more.
Konsultek Can Help
Our custom security solutions for the medical industry help eliminate the vulnerabilities cyber-criminals use to gain access to sensitive data. So, if you don’t “wanna cry” over lost records or ransoms, please give us a call. Our experienced team is ready to help get your network secure and make sure you never have to cry or shed a tear again!
Symantec’s 2017 Internet Security Threat Report (ISTR) lists the Services Industry at the top of its 2016 list of most hacked industries followed by Finance, Insurance, & Real Estate. These two industries were at the top of the list for 2015 showing that their popularity with cyber-criminals has not waned.
Drilling down to a more granular level we see that specifically, Business Services and Health Services top the charts. Given the strict reporting requirements in the healthcare segment it is really no surprise to see this niche at the top of the list. Business Services, a still rather broad sub-niche, tops the list accounting for nearly a quarter of all incidents.
Some Historical Perspective
According to Symantec’s data, by the end of 2016 over 7 billion identities have been stolen over the last 8 years! That is nearly 1 identity for every single living person on the planet.
Looking at just the past 3 years, the trend in breach and data loss looks like this:
At first glance 2015’s Identities Stolen figure might seem like a misprint with approximately half the identities stolen as compared to 2014 and 2016. But as the chart below shows, major breaches just on either side of 2015 led to the spikes in its neighboring years.
2014 of course reflects both the Home Depot and Target breaches while 2016 includes the mega breach of Friend Finder Networks.
You have a friend in Konsultek
No matter what your industry or your business size, Konsultek can help you secure your business network and data. Our custom solutions are both robust and cost effective and our suite of managed services give even the smallest organizations access to world class security solutions with little to no capital expense. Gives us a call and learn more about our free vulnerability assessments.
There has been a major shift in the type of breach incident happening in the education services sector according to the Verizon 2017 Data Breach Investigations Report.
Can you spot the shift in the graphic below?
Source: Verizon 2017 DBIR
Cyber-Espionage has exploded since mid-2012! That’s right, because of the cutting-edge research that happens at many colleges and universities they have become a target for state-sponsored hacking.
As Verizon puts it…
“So college isn’t just pizza and tailgates—research studies across myriad disciplines conducted at universities put them in the sights of state-affiliated groups.”
So while of course the personal information of students and faculty were commonly extracted during breaches (a little more than half of all breaches) intellectual property losses were tied to a little more than a quarter of all breaches.
Targeted or Random Acts of Unkindness?
The evidence is clear that state-sponsored hacking and some criminal, profit based hacking is specifically targeting the hallowed halls of our academic institutions.
How do They do it?
Good question. Here is the answer in a graphic from the Verizon report.
Phishing email was the predominant threat vector in the social category while the use of stolen credentials was the dominant hacking technique. One interesting thing to note is the number of incidents involving Social and one or more other vector.
How Would You Like to Get a Threat Vulnerabilty Education for FREE?
At Konsultek we believe an educated client is the best client. That’s why we offer a variety of free vulnerability assessments to help you determine both your risk exposure and the likelihood of that exposure in regards to the veracity of your current security measures. Who would you rather educate you, the good guys at Konsultek or the bad guys out in the wild? Well, what are you waiting for? Pick up the phone and give us a call today so we can get your vulnerability assessment scheduled ASAP!
The 2017 Verizon Data Breach Investigations Report (DBIR) has been released and as always, it is chock full of fascinating facts about the current state of the hacking and cyber threat world. You can get the full report from Verizon for free here.
Who are the Perps?
According to this year’s DBIR the breakdown of who’s been doing the most hacking looks like this:
- 75% Perpetrated by outsiders
- 51% Linked to organized criminal groups
- 25% Involved internal actors
- 18% Starred state affiliated actors
- 3% Featured multiple parties
- 2% Involved partners
How Did They Do it?
- 62% Of breaches featured hacking
- 51% Involved Malware
- 81% Leveraged stolen or weak passwords
- 43% Were social attacks
- 14% Were linked to errors or privilege misuse
- 8% Involve physical actions
The above information is just a sneak peek at a portion of the summary data contained in the 2017 DBIR. Next week we’ll take a deeper dive into what industries were hardest hit and by whom as well as get into specifics of how these industries were attacked.
So what does motivate the latest generation of hackers? “Idealism and impressing their mates.” This according to a study by the British National Crime Agency.
The purpose of the study was to ascertain why teens, who ordinarily be involved in traditional crime, would be drawn into the world of cybercrime.
What the agency found through debriefs of the study participants is that financial reward is not a prime motivator for this younger generation of hackers. The recognition gained and the challenge of accomplishing the hack are far larger motivators.
“During his debrief, Subject 7, who was jailed for Computer Misuse Act and fraud offences, told officers, “…it made me popular, I enjoyed the feeling… I looked up to those users with the best reputations”.”
Easy Access to Tools a Contributing Factor
As noted many times on this blog, malware, DDOS-for-hire services and other hacking tools are easy to come by if you are looking for them and this easy access to tools was found to be a contributing factor to young people slipping over to the dark side.
No Socio-economic Bias
Unlike other crimes such as selling drugs, the study found no socio-economic bias. Essentially kids from all walks of life and privilege are equally likely to end up being attracted to cyber-crime and at a much younger age. The data collected during the study indicates that the average age of a cybercriminal was just 17 as compared to 37 in drug cases and 39 in economic crime cases.
Konsultek has You Covered
Whatever their motivation, hacking an cybercriminals pose a significant threat to organizations of all sizes and all types. That’s why you need to be certain that your network is not vulnerable to penetration, not matter what type of technique is used. That’s why our Vulnerability Assessment service has become so popular. During a Vulnerability Assessment our team of skilled engineers identifies all the potential vulnerabilities BEFORE they are found by hackers and cybercriminals.
Interested? Give us a call and see when we can get your assessment scheduled.