SANS NewsBites

Organizations Paying Ransomware Extortion as More Exfiltrated Data Is Published

August 4, 2020  |  Volume XXII - Issue #61

Top of the News


2020-08-04

Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox

Maze ransomware operators have published data they claim to have taken from internal networks at LG and Xerox after the companies declined to pay a ransom. In a June email exchange with ZDNet, Maze operators say they did not launch ransomware on LG's network, but only exfiltrated data.

Editor's Note

Both systems ran Citrix ADC servers, vulnerable to CVE-2019-19781, which has been characterized as a favorite entry point for Maze Operators. Keeping your boundary and remote access devices patched, expeditiously, is critical with today's threat environment. Verify you can monitor and alert on exfiltration of data, including tuning and testing. Also, when considering breached data, remember to include assessing loss of intellectual property. Too often, the review is of customer or employee personal information.

Lee Neely

2020-08-03

Blackbaud Paid Ransomware Demand

Blackbaud's CEO says the company "discovered and stopped a sophisticated attempted ransomware attack." Blackbaud paid the ransomware demand in May 2020; the attack was publicly disclosed in July. Blackbaud provides customer relationship management (CRM) software for colleges and universities, non-profit groups, and others.

Editor's Note

In this issue we have several articles where the ransom was paid. Back in October, the FBI published updated guidance on payment (https://www.ic3.gov/media/2019/191002.aspx) acknowledging that there are cases where companies will pay. With exfiltrated data being published, payment is vastly incentivized. Beyond payment, ensure that adequate steps are taken to prevent recurrence as well as timely notification of the incident, status, and resolution to affected parties to allow them to take appropriate actions, and to include required breach notifications to regulators and customers.

Lee Neely

2020-08-03

Bleeping Computer: Garmin Paid Ransomware Demand

According to a report in Bleeping Computer, Garmin received the WastedLocker ransomware encryption key on July 25, two days after its network was hit with the malware. While it is not known how much Garmin paid the WastedLocker operators, the initial demand was reportedly $10 million. Bleeping Computer obtained "access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine."

Editor's Note

Dealing with the Covid virus has reinforced the importance of data-based decision making. There are many good reasons not to pay ransomware demands but there is not good data to support when/if it does make financial sense. One factor that can swing the decision: if your company has extortion insurance and the language in that policy covers/does not exclude ransomware, management may find that the cost of paying off is reduced enough to be well below the business disruption costs. In next week's NewsBites DrillDown I'll publish a deeper dive into the issues with a few example data sets.

John Pescatore

2020-07-31

US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand

Corporate travel agency CWT (formerly known as Carlson Wagonlit Travel) has confirmed that its network was shut down due to a ransomware attack in late July. The company reportedly paid $4.5 million to regain access to its encrypted data. The strain of ransomware used in the attack appears to be Ragnar Locker.


2020-07-31

Texas School District Will Pay Ransomware Demand

The Athens (Texas) Independent School District (ISD) will pay $50,000 to ransomware operators to regain access to the data in its servers that have been encrypted. The district's board of trustees voted to pay the ransom, which will be covered by insurance. The attack will postpone the start of the school year by at least a week.


2020-07-27

No More Ransom Website Helps Ransomware Victims

The No More Ransom decryption tool repository was established four years ago this month. No More Ransom offers free tools to decrypt 140 strains of ransomware. "The website is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals."

Editor's Note

This site doesn't eliminate the need for good disconnected differential backups; it provides a potential resource where you could retrieve the decryption key for your particular ransomware attack. Be sure to take steps to fix and verify that the entry point is closed to prevent recurrence first. This also doesn't eliminate the need to respond to ransom demands for exfiltrated and published content.

Lee Neely

The Rest of the Week's News


2020-08-01

Three Arrested in Connection With the Twitter Hack

Authorities have arrested and charged three people in connection with the July 15 Twitter hack that took over several high-profile accounts and used them in a Bitcoin fraud scheme. The attackers allegedly used social engineering to gain access to internal Twitter tools. One of the suspects, a 17-year-old, faces 30 felony charges and will be tried as an adult.

Editor's Note

With enhanced working from home, there are more opportunities for accessing malicious content from outside the company perimeter. Take a pause to identify and resolve gaps. Ask whether your users are using personal phones or the corporate softphone with its VoIP firewall and associated protections. Are users able to browse to disallowed sites normally blocked by NGFW or outbound proxy rules? Even with remote or virtual desktops, understand what work is permitted off those systems as well as data interchange capabilities between the remote and local systems. Take steps to minimize data exchange to prevent paths for inbound malfeasance.

Lee Neely

2020-08-03

GandCrab Suspect Arrested

Authorities in Belarus have arrested an individual allegedly involved in the distribution of the GandCrab ransomware. GandCrab ceased operations in June 2019. The FBI released master encryption keys for GandCrab, and Bitdefender released a decryptor.


2020-08-03

FastPOS Author Pleads Guilty to RICO Conspiracy

A Moldovan citizen has pleaded guilty to RICO (Racketeer Influenced and Corrupt Organizations) conspiracy in a Nevada courtroom for his role in the Infraud cybercriminal organization. In a plea agreement, Valerian Chiochiu admitted to creating malware known as FastPOS, which was designed to facilitate payment card data theft. Chiochiu is the second person in just over a month to plead guilty in connection with Infraud; in late June, Sergey Medvedev also pleaded guilty to RICO conspiracy.


2020-08-03

Taidoor RAT

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense have issued a joint malware analysis report about malware that China has been using since 2008. Taidoor, as the malware is known, is a remote access trojan (RAT) and has been used in cyberespionage campaigns.


2020-07-31

BootHole Fix is Causing Problems

Linux distributions have released fixes for the GNU GRUB2 bootloader vulnerability, a.k.a. BootHole. However, some users are reporting that these fixes are causing problems themselves: booting and dual-booting issues have been reported in Debian, Ubuntu, Red Hat, CentOS, and Fedora. The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories that include suggestions for mitigating the BootHole vulnerability, and users are urged to take steps to mitigate the issue.


2020-08-03

Update Available for WordPress Newsletter Plugin Flaws

Flaws in the Newsletter plugin for WordPress can be exploited to establish backdoors, create admin accounts, and possibly take control of vulnerable sites. The plugin's developers have released an updated version, Newsletter 6.8.3, which addresses these vulnerabilities.

Editor's Note

This flaw includes a PHP Object Injection as well as a reflected Cross-Site Scripting (XSS) vulnerability. The good news is that the plugin author provided an update the day after the vulnerability was disclosed. The bad news is you still need to update your plugins, or make sure you have an application firewall rule to detect attempted exploitation. While Wordfence premium has the firewall rule, and it will be released to the free version users on August 14th, don't wait to update.

Lee Neely

2020-08-03

Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo

A report from Citizen Lab says that spyware made by NSO Group was used to target political opposition members and members of the clergy in Togo. All of the targets had spoken out about the need for government reform in the West African country.

Internet Storm Center Tech Corner

Pages Hit By Bad Bots

https://isc.sans.edu/forums/diary/What+pages+do+bad+bots+look+for/26414/


VBA Macro With Multiple Command and Control Channels

https://isc.sans.edu/forums/diary/Powershell+Bot+with+Multiple+C2+Protocols/26420/


KeePassRPC Vulnerability

https://forum.kee.pm/t/a-critical-security-update-for-keepassrpc-is-available/3040


QNAP Updates Malware Remover

https://www.bleepingcomputer.com/news/security/qnap-urges-users-to-update-malware-remover-after-qsnatch-alert/


Android Phone Updates

https://www.theregister.com/2020/07/31/nearly_a_third_of_secondhand/


BootHole Patch Causes Unbootable Systems

https://access.redhat.com/solutions/5272311

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass#Recovery


Disabling MacOS TCC

https://objective-see.com/blog/blog_0x4C.html


CISA Publishes Details about Chinese Malware

https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity