
A Hard Study in Ransomware: Education Being Held Hostage

There’s been a dramatic rise in ransomware attacks on the networks of educational institutions, whether K-12 schools and districts or higher-education colleges and universities. Academic and administrative services have been locked up, and cumulative ransomware costs are running into the millions.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals. All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase.

Ransomware targeting schools, colleges more than a trend

Apart from the direct financial damage caused by ransomware attacks (for example, the Rockville Center School District paid $88,000 in ransom), the inability to access computer systems paralyses the academic institution. The cost of the damage only accelerates the longer the university is unable to send emails, record working hours or allocate classrooms and study resources, including university computers and internet access necessary for many learning activities.

Educational institutions that refuse to pay can be incapacitated for extended periods of time — like Walcott County, Connecticut, which suffered a ransomware attack three months ago and was locked out of its affected devices until early September 2019, when the ransom payment was finally approved by the county board. In other cases, districts chose to rebuild infected systems and were similarly delayed.

“It’s a deliberate and strategic shift from hospitals and other soft targets to K12 districts and schools, where security controls and technology resources aren’t always as robust despite housing some of the most sensitive and private data,” SonicWall President and CEO Bill Conner wrote for Forbes. “It’s so common now that discussions about ransomware attacks have moved from the board room to the principal’s office and PTA meetings. But conversations need to turn into action.”

The infamous Emotet malware has also been striking schools, with attackers using spearphishing to infect systems with the malware trojan. As many services are now entirely computerized, this can even affect infrastructure like heating and cooling, cafeteria services and security systems. The K-12 Cyber Incidents map provides a graphic overview of just how widespread the problem is.

As noted by SonicWall technology partner Sentinel One, last September, just when teachers, parents and children across the nation were looking forward to the beginning of the school year, parents in New York’s Orange County received an unwelcome announcement. The superintendent of Monroe-Woodbury school district had been forced to inform them that the school would remain closed as a result of a cyberattack that had disrupted the district’s computer systems.

Monroe-Woodbury is just one of the many schools and educational institutions in the United States and throughout the world whose operations have been disrupted by cybercriminals. Earlier, in the summer, Rockville and Mineola school districts were targeted with Ryuk ransomware. In all, over 500 attacks against U.S. public schools have been reported in 2019 to date.

In addition, many U.S. universities and colleges have suffered from ransomware attacks, information leaks and email hacking in the past year. Universities and academic institutes are being targeted by more sophisticated attackers interested in stealing the intellectual property (IP) and research data that they produce.

Ransomware locked onto schools globally, too

The situation in other parts of the world is as bad. In Australia, the head of the local intelligence agency was recruited to inform universities about cyber threats and ways of prevention. This was one of the initiatives put in place after an extremely sophisticated threat actor compromised ANU and persisted within the university’s network for months at a time.

In the U.K. in April 2019, penetration testing conducted by JISC, the government agency that provides many computerized services to U.K. academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored a 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data, financial systems and staff and student personal information.

Ransomware analysis: common threads

It is no coincidence that universities are among the most attacked. Higher education institutions manage substantial sums of money, store personal information for students and teachers and connect with many external bodies and providers and, of course, parents, who primarily communicate with the school via email. This means that the school has a very large attack surface.

“It is too easy to demand and receive ransom payment without the risks associated with traditional data exfiltration,” Conner said when more than 20 Texas state agencies were affected with ransomware. “Until organizations are serious about ransomware protection, these types of wide-reaching ransomware attacks will, unfortunately, continue. As we’ve witnessed this past year, ransomware attacks are highly disruptive. Today’s distributed networks can be compromised in minutes. Everyday operations are then held for ransom at high costs.”

Coupled with enticing rewards is the fact that students make for easy victims of phishing scams, too. Students’ lack of experience combined with a tendency to use simple passwords across multiple services makes them prone to credential harvesting and password-spraying attacks. In one incident in September 2019, over 3,000 Kent State student emails were hacked in this way. In addition, the awareness of parents, teachers and faculty regarding cyber risks is often much lower in education than in other sectors.

Ransomware no longer infects a single device but often multiple devices, with the intent of infecting the entire network. First made infamous by the WannaCry attack, ransomware authors now try to leverage vulnerabilities such as those in Windows SMB to spread to other drives and hosts. Not all computers are up to date, and this leaves an opportunity not only to infect that device but also to infect others.

Some academic institutions are rich in data and poor in security, which makes them a prime target. They also hold student information, including grades, which are vital to students’ future endeavors, and some jurisdictions require this data to be kept for up to 100 years.

Institutions that worked to digitize older records — and without proper backups in place — may be at risk of losing this data or having to go back and digitize them again. Educational organizations must continually keep everything backed up with those backups off the network whether it is on LTO tape or in the cloud.

Further exacerbating the security situation is that educational establishments typically have limited staff dedicated to security. Unlike banks, schools typically do not have dedicated information security personnel who are engaged in 24/7 protection.

‘You’ve got ransomware’

Most ransomware attacks come unsolicited in email. They come in attachments with subject lines such as:

  • Here is my resume
  • This is an unpaid invoice
  • Here is the invoice for your flight, package, etc. (in hopes people will be shocked into thinking their credit card info was stolen).

Malicious URLs are also used. They will look like real URLs but lead to other places on the dark web. Common subject lines are:

  • Your card has been charged, please review
  • Is this you in this video?
  • Your package has arrived

Ransomware protection: best practices

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) recommends the following precautions to protect users against the threat of ransomware:

  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Back up data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet.

CISA also recommends that organizations employ the following best practices:

  • Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
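The lure subject lines listed above and CISA’s advice to filter executable attachments and authenticate inbound mail can be turned into a simple gateway triage rule. The following is an added example, not code from the original post or from SonicWall; the scoring weights, the `Message` fields and the sample messages are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Subject-line lures quoted in the post, as case-insensitive patterns.
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bhere is my resume\b",
    r"\bunpaid invoice\b",
    r"\binvoice for your (flight|package|order)\b",
    r"\byour card has been charged\b",
    r"\bis this you in (this|the) video\b",
    r"\byour package has arrived\b",
)]

# Attachment types a mail gateway would filter before they reach users.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
MACRO_EXTENSIONS = {"doc", "xls", "docm", "xlsm", "pptm"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "txt", "jpg", "png"}


@dataclass
class Message:
    # Assumed fields; a real gateway would take these from the parsed MIME message
    sender_domain: str
    subject: str
    attachments: list
    spf_pass: bool
    dkim_pass: bool


def attachment_findings(filename):
    """Return (score, reasons) for one attachment file name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return 0, []
    ext, score, reasons = parts[-1], 0, []
    if ext in EXEC_EXTENSIONS:
        score += 3
        reasons.append(f"executable attachment: {filename}")
        # "invoice.pdf.exe": a decoy document extension hiding an executable
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            score += 1
            reasons.append(f"double extension: {filename}")
    elif ext in MACRO_EXTENSIONS:
        score += 1
        reasons.append(f"macro-capable document: {filename}")
    return score, reasons


def triage(msg):
    """Score one message and return (verdict, score, reasons)."""
    score, reasons = 0, []
    if any(p.search(msg.subject) for p in LURE_PATTERNS):
        score += 2
        reasons.append(f"lure subject: {msg.subject!r}")
    if not (msg.spf_pass or msg.dkim_pass):
        # Neither SPF nor DKIM passed: the sender domain cannot be trusted
        score += 2
        reasons.append(f"unauthenticated sender: {msg.sender_domain}")
    for name in msg.attachments:
        s, r = attachment_findings(name)
        score += s
        reasons.extend(r)
    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "flag"
    else:
        verdict = "deliver"
    return verdict, score, reasons


# Constructed sample messages (not real mail).
SAMPLES = [
    Message("mailer.example", "Here is my resume", ["resume.doc.exe"], False, False),
    Message("courier.example", "Your package has arrived", ["tracking.pdf"], True, True),
    Message("corp.example", "Q3 budget review", ["budget.xlsx"], True, True),
]


def triage_all(messages=SAMPLES):
    """Verdict for each message, in order."""
    return [triage(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m))
```

A lure subject alone only flags the message for review; it is the combination with an unauthenticated sender or an executable attachment that pushes it into quarantine.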

In addition, SonicWall suggests the following best practice steps:

Unfortunately, with differing approaches on responding to ransomware demand being driven by budget and resources, cybercriminals have found education to be a lucrative target for ransomware attacks. While these ransomware attacks are widespread, there are commonalities to consider. It is critical to be prepared by implementing known best practices and the latest ransomware countermeasures.

Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday

Cyber Monday and Black Friday are the proverbial holiday shopping seasons for cybercriminals and their strategic cyberattacks, including malware, ransomware and phishing attacks. Eager online shoppers are hurried to fill holiday dreams — often at the detriment of cybersecurity best practices and common sense.

According to Adobe Analytics, consumers spent $7.4 billion online during this year’s Black Friday event, up $1.2 billion over 2018. Those numbers jumped for Cyber Monday, where retailers collected $9.4 billion in online sales on the frantic shopping holiday.

That kind of volume — in terms of both people and dollars — makes for a lucrative target for the modern cybercriminal. In 2018, SonicWall Capture Labs threat researchers discovered a spike in ransomware attacks during the Black Friday and Cyber Monday shopping events, as well as a 45% jump in phishing attacks.

Black Friday and Cyber Monday in 2019 resulted in much of the same. SonicWall Capture Labs threat researchers recorded* a double-digit malware spike (63%) in the U.S. during the eight-day holiday shopping window from Nov. 25 to Dec. 2.

  • 129.3 million malware attacks (63% increase over 2018)
  • 639,355 ransomware attacks (14% decrease over 2018)
  • 51% increase in phishing attacks on Black Friday (compared to the average day in 2019)

Cyber Monday attacks dip, Black Friday takes the hit

Cybercriminals weren’t waiting until Cyber Monday to launch their campaigns, either. In the U.S., both malware (130%) and ransomware attacks (69%) were up on Black Friday compared to 2018. This trend continued on Cyber Sunday with increases in malware (107%) and ransomware (9%).

Interestingly, ransomware attacks were down on Cyber Monday (-41%) and Small Business Saturday (-55%), resulting in an overall 14% decrease in U.S. ransomware attacks during the eight-day shopping window.

Malicious Android apps spotted during Black Friday

It’s no secret that much of holiday shopping is done on mobile apps. Busy online shoppers often leverage mobile apps that keep track of deals, provide discount coupons and offer the convenience of skipping long lines at shopping malls.

To diversify their attack strategies, cybercriminals and malware writers use this opportunity to spread malware under the guise of shopping and deal-related apps — particularly during this eight-day Thanksgiving holiday shopping window.

In the past few weeks alone, SonicWall Capture Labs threat researchers observed a number of malicious Android apps that use the shopping theme to trick users into downloading and installing these apps.

One of the more notable malicious apps is this Amazon Shopping Hack, which is tied to a range of survey scams that attempt to steal user data and sensitive information.

Name: Amazon Shopping Hack
Package: com.amazon.mShop.android.shopping.hack
SHA: fa87b95eead4d43b2ca4b6d8c945db082b4886b395b3c3731dee9b7c19344bfa

After execution, this app shows a human verification page to continue using this app. This “verification” essentially leads to survey-related scams that attempt to extract sensitive user information, such as email address, credit card details, address, etc.

One of the domains contacted by this app during execution is mobverify.com. A quick search about this domain revealed a number of other survey-related pages.

The mobverify.com domain is associated with a number of malevolent apps, survey scam links and malicious executables. During analysis, we observed a GET request to mobverify.com, which downloads a JSON file containing a list of different survey scams.

For additional examples of malicious Android apps, please review the in-depth findings of the Capture Labs threat team: Malicious Android Apps Observed During Thanksgiving Season 2019.

Intelligence for this report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices and resources including more than 1 million security sensors in nearly 215 countries and territories.


* As a best practice, SonicWall routinely optimizes its methodologies for data collection, analysis and reporting. This includes improvements to data cleansing, changes in data sources and consolidation of threat feeds. Figures published in previous reports may have been adjusted across different time periods, regions or industries.

Cyber Security News & Trends

This week, SonicWall strengthens MSSP security offerings, cyberthreats to the upcoming census, and the end of decade lists begin.


SonicWall Spotlight

SonicWall Strengthens MSSP Security Offerings, Simplifies Account Management, Product Registration, Licensing Control. – SonicWall Press Release

553: Opening a Spin-off’s Liberated Growth Chapter – CFO Thought Leader podcast

  • How do you take a business unit, extract it, and set it up to be a running company on its own, all within one year? SonicWall CFO Ravi Chopra sits down with the CFO Thought Leader podcast and explains exactly how he did it with SonicWall. He also discusses his career path, his experiences in the dot com crash, and how he learns from his mentors.

Cybersecurity Should Be the Core Pillar of Any Modern Digital Hospital: Dmitriy Ayrapetov – The Economic Times of India

  • SonicWall’s Dmitriy Ayrapetov is interviewed about the impact of cyberattacks on the health industry. With ransomware attacks growing, and the rise of the cloud and Internet of Things devices potentially creating many new entry points for a cybercriminal, he stresses the need for greater cybersecurity awareness.

Cybersecurity News

Black Friday UK: Just One in 20 Discounts Are Genuine, Research Finds – The Guardian (UK)

  • Research by consumer group Which? has found that the majority of Black Friday deals are sold at the same price or cheaper throughout the year. SonicWall figures on ransomware are also referred to, highlighting the increase in cyberattacks around the Black Friday period.

Special Report: 2020 U.S. Census Plagued by Hacking Threats, Cost Overruns – Reuters

  • An in-depth investigation into the upcoming 2020 US census has found that despite a major technology overhaul, fears of hacking attempts are running high and a lack of adequate training and understanding of cybersecurity risks internally is not helping.

Report Highlights Nation-State Cyberthreats Facing SMBs in 2020 – Tech Republic

  • A new survey of over 1000 cybersecurity officials working at SMBs has found that more than 60% of respondents intend to increase their cybersecurity budgets next year due to growing fears of cyberattacks from both at home and abroad, especially during the upcoming elections.

India Plans Security Audit of WhatsApp After Hacking Attempt – Reuters

  • The Indian government is pushing for a security audit of WhatsApp after revelations emerged last month that spyware inserted by surveillance groups allowed access to the phones of roughly 1400 users.

44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 – ZDNet

  • Microsoft has completed an audit of their accounts and found that 44 million people are still using usernames and passwords that were leaked online in 2019. A forced password reset has been enacted to help solve the problem.

FBI Issues Smart TV Cybersecurity Warning – Infosecurity Magazine

  • The Federal Bureau of Investigation has issued a warning to holiday shoppers over the cyber-risks an unsecured smart TV might pose to a household. Default passwords should be changed, and a familiarization with all connection options is recommended at a bare minimum.

And Finally

A Decade of Malware: Top Botnets of the 2010s – ZDNet

  • It’s the end of a decade, and with it comes the lists! ZDNet round up some of the biggest, in both size and infamy, botnets that hit throughout the 2010s, including those old favorites, Emotet, Trickbot, and Dridex.

In Case You Missed It

Meeting a Russian Ransomware Cell

Ransomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.

It starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.

On social media, some cybersecurity firms like to portray him in black hoodies with leather gloves and a backdrop of matrix-style digits. They namedrop buzzwords like advanced-generation V attacks and other trumped up terms, which could be more fitting for nation-state attacks, but this isn’t the case with most hacking groups.

Carrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.

MINDHUNTER

On-Demand Webinar: My Two-Week Conversation with a Ransomware Cell

Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

How does a ransomware attack work?

The number of organizations and verticals targeted each week, and the demands made on the compromised device(s), are all kept private. Twig, however, is open to saying that their attack style is generally spear-phishing and port-scanning for common vulnerabilities.

Twig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most scanned port. These ports are used by virtual network computing (VNC), a desktop-sharing and remote-control application for Linux and Windows machines.

Over the years, several vulnerabilities related to these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (e.g., enable macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.
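The weakness Twig describes is a VNC listener whose RFB handshake offers the “None” security type, so a defender’s first check is whether any of their own VNC services do that. The following is an added example, not code from the original post or from SonicWall: it parses the server half of an RFB handshake (for example, bytes taken from a packet capture of a connection to one of your own hosts) and reports the offered security types; the sample captures are constructed, and the security-type names come from RFC 6143 and the IANA RFB registry.

```python
import struct

# Security types from RFC 6143 and the IANA RFB registry that matter here.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_server_security(data):
    """Parse the server side of an RFB handshake captured from a VNC listener.

    Returns a dict with the protocol version, the security types the server
    offers, and whether an unauthenticated session ("None") is possible.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    # ProtocolVersion is exactly "RFB xxx.yyy\n" (12 bytes)
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) == (3, 3):
        # RFB 3.3: the server picks one type and sends it as a big-endian u32.
        if len(body) < 4:
            raise ValueError("truncated security-type word")
        (sec_type,) = struct.unpack(">I", body[:4])
        offered = [sec_type]
    else:
        # RFB 3.7/3.8: a one-byte count followed by that many type bytes.
        if not body:
            raise ValueError("truncated security-type list")
        count = body[0]
        if count == 0:
            # The server refused the connection; a length-prefixed reason follows.
            if len(body) < 5:
                raise ValueError("truncated refusal message")
            (n,) = struct.unpack(">I", body[1:5])
            reason = body[5:5 + n].decode("utf-8", errors="replace")
            raise ValueError("server refused: " + reason)
        if len(body) < 1 + count:
            raise ValueError("truncated security-type list")
        offered = list(body[1:1 + count])
    return {
        "version": f"{major}.{minor}",
        "offered": [(t, SECURITY_TYPE_NAMES.get(t, "unknown")) for t in offered],
        "allows_unauthenticated": 1 in offered,
    }


# Constructed captures, not taken from any real host.
OPEN_38 = b"RFB 003.008\n" + bytes([2, 1, 2])        # offers None and VNC auth
LOCKED_33 = b"RFB 003.003\n" + struct.pack(">I", 2)   # 3.3 server requiring VNC auth
REFUSED_38 = b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"Too many"

if __name__ == "__main__":
    print(parse_server_security(OPEN_38))
    print(parse_server_security(LOCKED_33))
```

A listener that returns `allows_unauthenticated: True` should be put behind a VPN or firewalled off and given a password, and note that classic “VNC Authentication” (type 2) is itself a weak challenge-response scheme, so a tunnel or VeNCrypt/TLS is the better end state.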

While Twig’s scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.

HILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”

Or, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of the WannaCry, NotPetya and SamSam ransomware strains, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — compromising their accounts is critical to mission success.
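The sequence described above (an after-hours logon with a harvested admin account, then a batch file pushed through PsExec to every host) leaves a recognisable trail in Windows event logs. The following is an added example, not code from the original post or from SonicWall, of three detections run over constructed event records: a PsExec service installation (System event 7045), a remote logon outside business hours (Security event 4624, logon types 3 and 10) and one account hitting many hosts in a short window. The field names, the 06:00–22:00 business-hours window and the burst thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records with fields modelled on Security 4624 and
# System 7045; these are not real logs.
EVENTS = [
    {"time": "2019-10-02T02:11:04", "host": "FS01", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2019-10-02T02:11:09", "host": "FS01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-10-02T02:11:30", "host": "WS07", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2019-10-02T02:11:35", "host": "WS07", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-10-02T02:12:02", "host": "WS12", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2019-10-02T02:12:06", "host": "WS12", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-10-02T14:03:10", "host": "WS03", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\jsmith", "src_ip": "-"},
    {"time": "2019-10-02T14:10:00", "host": "WS03", "event_id": 7045,
     "service_name": "gupdate", "image_path": "C:\\Program Files\\Vendor\\update.exe"},
]

REMOTE_LOGON_TYPES = {3, 10}      # network and RDP logons
BUSINESS_HOURS = range(6, 22)     # assumed 06:00-22:00 local time
PSEXEC_MARKERS = ("psexesvc", "psexec")


def ts(event):
    return datetime.fromisoformat(event["time"])


def psexec_installs(events):
    """Event 7045 whose service name or binary path looks like PsExec."""
    alerts = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        text = (e.get("service_name", "") + " " + e.get("image_path", "")).lower()
        if any(m in text for m in PSEXEC_MARKERS):
            alerts.append({"rule": "psexec_service_install", "host": e["host"],
                           "time": e["time"], "service": e["service_name"]})
    return alerts


def after_hours_remote_logons(events):
    """Network or RDP logon (4624) outside the assumed business hours."""
    alerts = []
    for e in events:
        if (e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES
                and ts(e).hour not in BUSINESS_HOURS):
            alerts.append({"rule": "after_hours_remote_logon", "host": e["host"],
                           "time": e["time"], "user": e["user"], "src_ip": e["src_ip"]})
    return alerts


def lateral_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """One account from one source logging on to many hosts within `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES:
            groups[(e["user"], e["src_ip"])].append(e)
    alerts = []
    for (user, src_ip), evs in groups.items():
        evs.sort(key=ts)
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if ts(e) - ts(start) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement_burst", "user": user,
                               "src_ip": src_ip, "hosts": sorted(hosts),
                               "start": start["time"]})
                break   # one alert per account/source pair is enough
    return alerts


def detect(events=EVENTS):
    """All alerts from the three rules, in rule order."""
    return psexec_installs(events) + after_hours_remote_logons(events) + lateral_bursts(events)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the constructed events the benign 14:00 interactive logon and vendor updater service produce nothing, while the 02:11 sweep fires all three rules; the combination, not any one rule, is what justifies isolating the source host.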

“If Twig can get in, then your participation isn’t even required to activate the ransomware script.”

Once systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.

Initially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).

What can you do to stop ransomware attacks?

First of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.

Second, he said “write your programs in a real programming language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers).

When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.

Third, he casts shade on Americans and tech workers over the age of 35 because of his belief that they lack the modern skills or the energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he were in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.

Misconfigured firewalls leave doors open for ransomware attacks

Finally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions for some firewall makers that enable him “to uninstall [the firewall] from the computer.” In the case of network firewalls, misconfigurations are easily done and can be one’s downfall. It happens more than you think.

In the case of endpoint firewalls, end-users should be under the principle of least privilege (POLP), which means they will have just enough rights to do their job and without the ability to modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.

Four ways SonicWall stops ransomware attacks

Stopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.

  • Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN), and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.
  • Block unknown ransomware with a sandbox. In the WannaCry case, every updated version of the strain that came after Version 1 was blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox, covering the window in which a customer encountered a new variant before SonicWall could create a definition/signature to block it on firewalls and email security.
  • Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.
  • Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV). For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.

For the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”

Cyber Security News & Trends

This week, SonicWall partners with Etisalat Digital and appears at GITEX Technology Week 2019. Meanwhile, several governmental level warnings about cyberthreats are issued, and the Magecart group chalks up another successful month.


SonicWall Spotlight

SonicWall, Etisalat Digital Partnership Delivers Network Security in Bundle Offer to SMBs – SonicWall Press Release

  • Etisalat Digital is now offering SonicWall technology in its ‘Business Quick Start’ SMB bundle that provides businesses with telco-grade network security devices and a zero-touch feature, making installation less than one hour. SonicWall and Etisalat celebrated this news with a ceremony at GITEX Tech Week.

SonicWall at GITEX Tech Week 2019 – Tahawultech.com

  • GITEX Technology Week, the biggest tech show in the Middle East, North Africa and South Asia, took place this week at the Dubai World Trade Centre. SonicWall showcased its networking and security solutions including our powerful Capture ATP with RTDMI technology. At the show, SonicWall’s Michael Berg was kept busy with interviews at outlets like Tahawultech and ChatterBoxPRE.

5 Steps to Deploy Fast, Secure WiFi in K-12 Schools – MSSPAlert

  • Schools and school districts connecting to the internet via Wi-Fi is par for the course in 2010; SonicWall’s Srudi Dineshan lists five ways K-12 schools can protect themselves from cyber threats.

Cybersecurity News

In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks – CNN

  • With ransomware increasingly recognized as much more than a niche concern, CNN has created an accessible article with video and text intended to introduce the malware method and execution to a wider audience.

White-Hat Hacks Muhstik Ransomware Gang and Releases Decryption Keys – ZDNet

  • A frustrated hacker, annoyed after being caught by a successful ransomware attack, analyzed the ransomware software and successfully infiltrated the online database connected to it. As a result, he has now released a free decryption method for anyone else caught by the same ransomware.

Copycat Coders Create ‘Vulnerable’ Apps – BBC News

  • A new study has found that developers who take shortcuts by copying and pasting code are leaving applications with security holes. Code chunks with no purpose have been found to be riddled with obsolete commands that could be taken advantage of by a hacker who recognized the programming.

EU Warns of 5G Cybersecurity Risks, Stops Short of Singling out China – Reuters

  • The European Union has issued a warning about the risk of increased cyberattacks by state-backed entities, especially with the advent of next-gen 5G mobile and Internet of Things objects.

NIST is Hunting for Tech to Secure the Energy Sector’s Network – NextGov

  • With the thought of a nationwide cyberattack on the power grid growing in people’s minds, the National Institute of Standards and Technology is seeking input from tech and cyber experts on how to secure the countless internet-connected devices that could be used as a way in to the network.

And Finally:

Magecart Attack on eCommerce Platform Hits Thousands of Online Shops – SecurityWeek

  • Everyone’s least favorite online card-skimming group, Magecart, has continued its hacking spree with another successful campaign on online retailers. In the past month the group has been found to be active on over 3,000 online stores, including the Sesame Street Live online store.

In Case You Missed It

Cyber Security News & Trends

This week, spyware is found in the Android store, maritime cybersecurity protections are considered, and your gas pump could be the next target for a hacker.


SonicWall Spotlight

The CyberWire Daily Podcast – The CyberWire

  • SonicWall CEO Bill Conner speaks with The CyberWire for their story on the dangers of side-channel malware attacks. He details how previous big side-channel attacks like Spectre and Meltdown worked and explains that it’s only a matter of time before someone else manages to find a way of exploiting similar chipset vulnerabilities in the wild.

Rich, Smart and Sensibly Grown-Up? You’re the Hackers’ Dream – The Telegraph (UK)

  • The Telegraph builds a profile of the standard person who gets hacked and takes a look at the “hacker’s menu” – an itemized list detailing the cost of hacking personal information. To make their case they refer to the SonicWall 2019 Cyber Threat Report Mid-Year Update for information on ransomware.

RB Music Uses Spyware to Steal Sensitive Information From the Infected Device – VARINDIA

  • Following up on the SonicWall Alert detailing spyware in the RB Music player on the Android Store, VARINDIA talks to SonicWall’s Debasish Mukherjee. Mukherjee explains that it is common for malware code to be reused by different developers over time and even when an app appears to be legitimate it may contain dangerous code waiting to be activated.

Cybersecurity News

FBI Cyber Warning: Attacks on Key Employees up 100%, as 281 Are Arrested – Forbes

  • The FBI has warned that Business Email Compromise attacks have doubled between June 2018 and July 2019, even as a worldwide crackdown on the practice led to 281 arrests worldwide. Learn how you can protect yourself from Business Email Compromise with SonicWall’s Email Security Appliances.

Cyber-Security Incident at US Power Grid Entity Linked to Unpatched Firewalls – ZDNet

  • A recently released report has detailed how the “cyber-incident” reported on the US Power Grid in June of this year turned out to be a cyberattack that was able to take place because of unpatched firewalls.

Exploit for Wormable BlueKeep Windows Bug Released Into the Wild – Ars Technica

  • A rough but workable exploit for the BlueKeep vulnerability has been coded and released into the wild. While it is highly unlikely that the exploit will be successful in infecting any users in its current form, it serves as a proof-of-concept and could be the first step towards bigger problems in the future.

Swedish GDPR Fine Highlights Legal Challenges in Use of Biometrics – Security Week

  • A school in Sweden has been fined for using biometrics on its students, even though the school had obtained consent from both the students and their parents. A court ruling decided that due to the imbalance of power between students and the school, freely-given consent could not be possible. The case highlights the possibility of future problems in wider biometric implementation if, for example, it is argued that employees cannot consent to employers using biometrics in the workplace for similar reasons.

The State of Maritime Cybersecurity – WorkBoat

  • Maritime magazine WorkBoat interviews the creators of a recent survey on the current state of maritime cybersecurity. They discuss why the survey was created, why many companies are not prepared in the current threat landscape and what needs to be done to prevent another problem like the 2017 ransomware attack on global shipper Maersk.

Think Your iPhone Is Safe From Hackers? That’s What They Want You to Think… – The Guardian

  • The Guardian investigates the world of zero-day exploits sold on dark web marketplaces and warns that, despite Apple’s iOS having a reputation of being close to unhackable, there are in fact vulnerabilities in it that have been exploited for years.

And Finally:

IoT Security: Now Dark Web Hackers Are Targeting Internet-Connected Gas Pumps – ZDNet

  • As the number of Internet of Things devices worldwide grows, hackers have been turning their sights on web-connected gas pumps. It’s early days yet, but researchers hypothesize that the motives could range from obtaining cheap fuel to something much more explosive…

In Case You Missed It

Ransomware Infects 23 Texas Government Agencies

The Texas Department of Information Resources (DIR) announced that 20-plus state agencies have been infected by ransomware.

In an Aug. 17 update, DIR stated that “the evidence gathered indicates the attacks came from one single threat actor” and “investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.”

“Ransomware is not going to subside anytime soon,” said SonicWall President and CEO Bill Conner. “It’s too easy to demand and receive ransom payment without the risks associated with traditional data exfiltration. Until organizations are serious about ransomware protection, these types of wide-reaching ransomware attacks will, unfortunately, continue.”

According to ZDNet, the “infection is blamed on strain of ransomware known only as the .JSE ransomware.”

Texas is hardly the first state to be the victim of coordinated attacks against municipalities. The last 12 months have seen ransomware attacks bring city services to a halt, including those in Arizona, Florida, Georgia, Indiana, Maryland, Nevada, New York and more.

Ransomware escalates again

Ransomware continues to be one of the most lucrative cyberattack options for criminals. According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019. As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase.

RaaS is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, criminals subscribe to a service delivery model to reduce CapEx, always have the latest ransomware offerings, gain predictable pricing and receive support. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

Webinar: Prep Your Business to Face 2019’s Most Advanced Cyber Threats

Cyber threat intelligence is a must-have component for any security-conscious organization. And for those who couldn’t get enough of the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall security experts hosted an exclusive webinar to go inside the threat data, answer questions about the threat landscape and offer best practices for improving your security posture.

This edition, “Prep Your Business to Face 2019’s Most Advanced Cyber Threats,” was hosted by Brook Chelmo, a charismatic storyteller who will help you make sense of the numbers. Watch the exclusive on-demand webinar to gain a better understanding of what’s at stake. You’ll explore:

About Brook Chelmo

Brook handles all product marketing responsibilities for SonicWall security services and serves as SonicWall’s ransomware tsar.

Fascinated by the growth of the consumer internet, Brook dabbled in grey-hat hacking in the mid to late ‘90s while also working and volunteering in many non-profit organizations. After spending the better part of a decade adventuring and supporting organizations around the globe, he ventured into the evolving world of storage and security. He serves humanity by teaching security best practices and by promoting and developing technology.


Ransomware-as-a-Service, Open-Source Malware Fueling Attack Spikes in 2019

Ransomware is too lucrative to fade away. Its brilliance is in its simplicity. And shifting trends make it easier than ever to leverage in cybercriminal activity.

As each passing day presents us with a new ransomware victim, we can clearly see that ransomware is here to stay — and businesses and organizations should invest now to protect their brand, networks, data and customers.

According to the mid-year update of the 2019 SonicWall Cyber Threat Report, ransomware volume raced to 110.9 million in the first half of 2019 — a 15% year-to-date increase over 2018.

The most alarming ransomware data was sourced from the U.K. After enjoying a 59% decline in ransomware in 2018, the region saw ransomware volume jump 195% year-to-date for the first half of the year.

RaaS, open-source malware on the rise

But it’s not just about volume. Globally, cybercriminals continue to pivot toward new tactics. Exclusive SonicWall data highlights an escalation in ransomware-as-a-service (RaaS) and open-source malware kits in the first half of 2019.

Cerber has long been one of the most powerful and damaging ransomware families in use. This is primarily because it is available as a service offering for low monthly prices.

Other ransomware — like HiddenTear and CryptoJoker — is available via open-source kits. This means that criminals with very basic coding skills can grab open-source malware and customize it to meet their objectives. In many cases, this changes the core of the malware and helps it evade signature-only security controls (e.g., antivirus, unsupported firewalls).

In June 2019 alone, SonicWall Capture Labs threat researchers logged more than 3 million hits on the Cerber.G_5 RaaS signature.

FY 2018

Family        Volume          Type
Cerber        101.6 Million   RaaS
BadRabbit     7.8 Million     Custom
Dharma        7.3 Million     Custom
LockyCrypt    6.1 Million     Custom
CryptoJoker   5.6 Million     Open Source
Locky         2.4 Million     Custom
Petya         1.9 Million     Custom

1H 2019

Family        Volume          Type
Cerber        39.5 Million    RaaS
Gandcrab      4.0 Million     RaaS
HiddenTear    4.0 Million     Open Source
CryptoJoker   2.4 Million     Open Source
Locky         1.8 Million     Custom
Dharma        1.5 Million     Custom

As more RaaS and open-source options are available, the volume and ferocity of ransomware attacks will only increase. While there are only so many bona fide malware authors creating new ransomware, these services will ensure cybercriminals have plenty of variants to purchase or obtain freely on the Dark Web.

What is ransomware as a service (RaaS)?

Ransomware as a service, or RaaS, is no different than any legitimate cloud-hosted service used by businesses every day. Instead of buying software, you subscribe to a service delivery model to reduce CapEx, always have the latest offerings, gain predictable pricing and receive support.

Legitimate or not, business models always have to tackle the method of distribution. Will they sell directly to end users, through a channel of distributors or a mix of both?

The same holds true with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution — all the while collecting a cut of the prize.

BleepingComputer offered an informative breakdown on how a typical payment model would work.

“Unlike most ransomware-as-a-service offerings, in order to become an affiliate a would-be criminal has to pay to join a particular membership package,” BleepingComputer wrote. “These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and get extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.”

Cyber Security News & Trends

This week, SonicWall is featured on Reuters TV, federal cybersecurity is found to be seriously out of date, and a young hacker is taking down Internet of Things botnets by bricking as many IoT objects as he can.


SonicWall Spotlight

To Pay or Not To Pay: U.S. Cities With Ransomware – Reuters

  • SonicWall’s Dmitriy Ayrapetov is featured demonstrating a ransomware attack in this Reuters video segment investigating the current increase in ransomware attacks on US cities.

HiddenTear Ransomware Variant Encrypts and Gives Files .Poop Extension – SonicAlert

  • The SonicWall Capture Labs Threat Research Team came across some childish ransomware which, after replacing your files with a “.poop” extension, updates your background with a poop emoji. It is, however, real ransomware and should be treated as such; SonicWall protects you from it.

Cyber Security News

U.S. Carried Out Cyberattacks on Iran – New York Times

  • Multiple news outlets report that United States Cyber Command conducted online attacks against an Iranian intelligence group after physical strikes were called off. Full details on what was attacked are not known, and US Cyber Command has not released any information.

Federal Cybersecurity Defenses Are Critical Failures, Senate Report Warns – CNBC

  • After a 10-month review of federal agencies, a damning 99-page report on federal cybersecurity has been released. Details include failures to apply mandatory security patches, ignoring well-known threats and weaknesses for a decade or more, and outdated systems with at least one case of a 50-year-old system still in use in 2019.

NASA Hacked Because of Unauthorized Raspberry Pi Connected to Its Network – ZDNet

  • NASA confirmed that in April 2018 a hacker breached its security using a Raspberry Pi device and accessed around 500 megabytes of data, including information on the ongoing Mars Curiosity Rover mission. The full investigation into what happened is still ongoing.

The Hotel Hackers Are Hiding in the Remote Control Curtains – Bloomberg

  • Bloomberg hitches a ride with some IT consultants who are investigating the rise of cyberattacks on hotels – seen by the hacking community as both lacking in basic cybersecurity and holding a massive database of personal information.

Hackers Strike Another Small Florida City, Demanding Hefty Ransom – Wall Street Journal

  • Lake City officials in Florida agreed to pay 42 bitcoins, around $500,000, in ransom less than a week after another Florida city, Riviera Beach, paid a similar amount to retrieve its data.

A Firefox Update Fixes yet Another Zero-Day Vulnerability – Engadget

  • Mozilla patched two zero-day vulnerabilities over the past week, with the second coming only 48 hours after the first. Both zero-days used the same attack and they appeared to be targeting Coinbase employees directly.

Riltok Banking Trojan Begins Targeting Europe – SC Magazine

  • The Riltok banking trojan, originally intended to target Russians, has been modified to target the European market. It is spread via a link in a text message that, if clicked, directs the user to a website that prompts them to install a fake update of advertising software.

And finally:

Thousands of IoT Devices Bricked By Silex Malware – Threat Post

  • A 14-year-old hacker has been spreading anti-Internet of Things malware because he wants to stop other hackers using the devices for botnets. At the time of writing at least 4,000 devices have been bricked by his malware.

In Case You Missed It