April is traditionally a big marketing month. With events such as the RSA Conference there’s usually a lot of “breaking news” and big threats. We at SecureLink take pride in digesting all of this, removing the FUD, and correlating it with our own numbers. As always, we hope this helps you find some honesty in the increasing amount of cyber-security-related news.
1. State sponsored network infra hacking
In mid-April, a hacker group associated with the Russian government, known as Grizzly Steppe, was accused by several countries of targeting network infrastructure, more specifically internet routers. It’s not the most innovative attack, and the US government had already been tracking this specific group for two years. What the attackers are likely after is the wide spectrum of vulnerable routers that are simple to exploit. Whether they’re cheap or end-of-life devices, going after low-hanging fruit is apparently not only criminal behaviour but government behaviour too.
2. Orangeworm targets healthcare
Attack group “Orangeworm” was first seen in 2016 and has re-emerged. It’s associated with the “Kwampirs” malware. Researchers observed the malware primarily targeting healthcare across the United States, Europe and Asia. Kwampirs has worm-like behaviour and infects medical devices, but also goes for network shares and servers, online patient platforms and supply chains. Kwampirs propagates through unprotected network shares in old Windows networks, which are rather common in healthcare environments. It uses old tricks to propagate, so avoid using unsupported Windows systems such as Windows XP and patch devices as soon as security patches are available.
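The two conditions above, unsupported Windows versions and writable shares open to broad groups, are the ones a defender can audit for directly. The following PowerShell script is an added example written for this digest; it is not SecureLink’s code and is not taken from the Orangeworm research. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and local administrator rights, and it treats any Windows version below NT 6.1 as unsupported, which is an assumption you should adjust to your own support policy.

```powershell
# Added example (not from the SecureLink post): audit a Windows host for the two
# conditions the Orangeworm write-up flags: an unsupported OS version and
# non-administrative shares that grant write access to broad principals.
# Requires the SmbShare module (Windows 8 / Server 2012+) and local admin rights.

# --- 1. Operating system support check ---------------------------------------
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [version]$os.Version
# Assumption: versions below NT 6.1 (Windows 7 / Server 2008 R2) are out of support.
# Adjust this threshold to match your own lifecycle policy.
if ($build -lt [version]'6.1') {
    Write-Warning "Unsupported Windows version: $($os.Caption) ($($os.Version))"
}

# --- 2. Writable shares exposed to broad groups --------------------------------
# Principals that make a share effectively "unprotected" on a flat network.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Skip the hidden administrative shares (names ending in $); they are governed by
# local admin membership rather than share ACLs.
$findings = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Change', 'Full') -and
        $_.AccountName -in $broadPrincipals
    } | ForEach-Object {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Principal = $_.AccountName
            Access    = $_.AccessRight
        }
    }
}

if ($findings) {
    Write-Warning "Shares writable by broad principals (worm propagation risk):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative shares grant Change/Full to broad principals."
}
```

Run it per host, or wrap it in `Invoke-Command` against a list of servers, and feed the warnings into whatever ticketing you use for remediation. Note the obvious limitation: a Windows XP machine cannot run this script at all, so the unsupported-OS part of the audit has to come from your domain or asset inventory rather than from the endpoint itself, which is exactly why those hosts tend to go unnoticed until something like Kwampirs finds them.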
3. Cryptojacking growing: “called it”
More reports of cryptojacking surpassing ransomware emerged in April. We’re humbly saying “called it”, as we reported on this in March. Cryptojacking is obviously less destructive than ransomware, but let’s not forget these parasites can morph into anything else at the will of the bad guys. There’s still the issue of a false sense of security amongst budget holders: “they’re only stealing electricity”. Our repeated advice: if you’re infected with a parasite, you need to binge on medicine rather than trust the parasite to treat you well.
The latest is a Python-based malware that uses the EternalRomance exploit (one of the batches stolen from the NSA by the Shadow Brokers). PyRoMine is capable of enabling Remote Desktop Protocol (RDP) on the system, and thus opens up the affected device for further attacks. It also grants SYSTEM privileges, which gives the attacker full control of the machine and lets it cryptomine without the victim’s knowledge. Obviously, it mines Monero, the criminals’ currency of choice.
4. Ransomware: don’t feed the seagulls
If you’re hit with what could be one of the last ransomware campaigns, you should never pay the criminals. Please don’t. Especially if you’re a forensic company hired to mitigate one of these situations. Paying the ransom is a particularly lazy way of recovering files, and then quoting a much higher sum than the ransom makes you… well, kind of criminal too, right? This month’s top-3 threat, we’re sad to say, is our beloved industry itself. With the demand for cyber experts on the rise, creative entrepreneurial spirits will abandon their integrity for a $6000 fee.
5. Lazy GDPR responses
We’ve been observing a particularly lazy response to the GDPR over the last few weeks. The “solution” is to simply stop serving European customers. There’s even a website plugin you can load that automatically blocks users from the EU. It is being advertised as a way to “save thousands on GDPR”, and demand seems to be rather high, as the server has been unavailable for some time. Dozens of online businesses are following this example.
GRIZZLY STEPPE – Russian Malicious Cyber Activity | US-CERT
Medic! Orangeworm malware targets hospitals worldwide • The Register
PyRoMine uses NSA exploits to mine Monero and disable security features