What a year it’s been for cyberattacks.
In February, the trojan malware, TrickBot, became capable of stealing remote server credentials from VNC, PuTTY and Remote Desktop Protocol (RDP).
Then, as we covered in August, attacks such as the SamSam Ransomware use VPN access as a key vector to break into networks.
And, in November, researchers found additional capabilities were added to steal credentials from OpenSSH and OpenVPN.
Overall, we saw a major rise in three classic malware attacks: Trojans, Distributed Denial of Service (DDoS) and Ransomware.
During the second half of the year, Bleeping Computer revealed how the TrickBot Trojan became a very popular vehicle for launching other malware programs and exfiltrating passwords due to new advancements.
Additionally, cybercriminals targeted banks by using TrickBot’s features that steal PIN numbers. By July, it had not only been upgraded to steal browser cookies, it had also become capable of self-propagation.
Are you relying upon Windows Defender?
TrickBot was even upgraded with capabilities for circumventing Windows Defender. Lastly, TrickBot’s creators now offer Access-as-a-Service to other attackers who want to take advantage of any TrickBot-compromised networks.
ThreatPost notes that DDoS attacks also spiked recently. Reported attacks targeted private entities, such as IBM’s SoftLayer subsidiary and Amazon. International telecom and financial industries also suffered attacks in Italy, South Korea and Turkey.
These attacks relied on TCP SYN-ACK reflection, in which the attacker sends a TCP synchronization (SYN) request to the victim’s server with a spoofed source IP address in place of the original one.
The spoofed address can be the victim’s own IP address, a random IP address, or even a pre-selected IP address.
That means that these hackers not only target your bank, but they might also use a bank customer’s IP address as the spoofed IP address and cause secondary outages for the customer.
Unfortunately, it seems that most targeted networks did not properly disable the TCP retransmit amplification, which allowed the recent attacks to degrade service significantly.
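The half-open handshakes described above can be spotted from the server side. The following is an added example, not part of the original article: it counts the SYN-ACKs a server sends per SYN for handshakes that never complete, using a constructed packet summary; the log format, addresses and function names are assumptions.

```python
from collections import defaultdict

# Constructed capture summary (documentation IP ranges): time, source, destination, TCP flags.
SAMPLE_LOG = """\
0.00 198.51.100.7:40000 203.0.113.10:443 SYN
0.01 203.0.113.10:443 198.51.100.7:40000 SYN-ACK
1.01 203.0.113.10:443 198.51.100.7:40000 SYN-ACK
3.01 203.0.113.10:443 198.51.100.7:40000 SYN-ACK
0.10 192.0.2.25:51000 203.0.113.10:443 SYN
0.11 203.0.113.10:443 192.0.2.25:51000 SYN-ACK
0.15 192.0.2.25:51000 203.0.113.10:443 ACK
0.20 198.51.100.7:40001 203.0.113.10:443 SYN
0.21 203.0.113.10:443 198.51.100.7:40001 SYN-ACK
1.21 203.0.113.10:443 198.51.100.7:40001 SYN-ACK
"""

def half_open_report(log, server):
    """Per claimed source IP, count SYNs received and SYN-ACKs sent by `server`
    for handshakes that the claimed source never completed with an ACK."""
    conns = defaultdict(lambda: {"syn": 0, "synack": 0, "done": False})
    for line in filter(str.strip, log.splitlines()):
        _ts, src, dst, flags = line.split()
        if dst == server and flags == "SYN":
            conns[src]["syn"] += 1
        elif src == server and flags == "SYN-ACK":
            conns[dst]["synack"] += 1  # includes retransmitted SYN-ACKs
        elif dst == server and flags == "ACK":
            conns[src]["done"] = True
    report = defaultdict(lambda: {"syn": 0, "synack": 0})
    for endpoint, c in conns.items():
        if c["done"] or c["syn"] == 0:
            continue  # completed handshake, or a reply with no SYN seen
        ip = endpoint.rsplit(":", 1)[0]
        report[ip]["syn"] += c["syn"]
        report[ip]["synack"] += c["synack"]
    for stats in report.values():
        # Packets the server sent toward the claimed source per SYN it received.
        stats["factor"] = stats["synack"] / stats["syn"]
    return dict(report)

def reflection_suspects(report, min_factor=2.0):
    """Claimed sources that were sent at least `min_factor` SYN-ACKs per SYN."""
    return sorted(ip for ip, s in report.items() if s["factor"] >= min_factor)

if __name__ == "__main__":
    rep = half_open_report(SAMPLE_LOG, "203.0.113.10:443")
    for ip in reflection_suspects(rep):
        print(ip, rep[ip])
```

On Linux, the number of SYN-ACK retransmissions per unanswered SYN is governed by the `net.ipv4.tcp_synack_retries` sysctl, so a lower value reduces the factor reported here.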
A second type of DDoS attack, on the UK Labour Party’s server infrastructure, was attributed to sources in Russia and Brazil. Fortunately, the British political party only suffered a slowdown instead of complete infrastructure failure.
Hot For Security notes that DDoS can be challenging to counter without specialized services, and that nine times out of ten, cybercriminals use the attacks to mask other attacks such as data exfiltration from the victim.
As we enter the 2020 election cycle, all governments and political party offices in the US should make sure they consult with experts to prepare for potential assaults.
As mentioned last week, a new feature of some ransomware attacks is the threat to release the encrypted data unless the ransom is paid. That possibility is now a reality.
On Nov. 15, the “Maze Crew” behind the Maze ransomware attacks emailed BleepingComputer to announce they had breached the $7 billion security firm, Allied Universal. Later that day, they posted links in the BleepingComputer forums to 700MB of “termination agreements, contracts, medical records, server directory listings, encryption certificates and exported lists of users.”
Later, they threatened to release the other 90% of the 5GB of stolen documents to the public if the Maze Crew did not receive their ransom by Nov. 22.
In a bit of a twist, apparently the first ransom demand was $1.5 million, but Allied stopped negotiating after receiving proof of data seizure.
Upset, the Maze Crew raised the ransom to $2.3 million and announced the breach to the public. Included in that public announcement was an ominous postscript: “P.P.S. Canadian Insurance company (we will not disclose the name yet), please, collect money faster!”
In a subsequent email exchange, the Maze Crew describes how they always exfiltrate the files prior to encryption, but that they will delete the data if the ransom is paid. If the ransom is not paid, the Maze Crew also threatened to escalate the attack by “conducting a spam campaign using Allied’s domain name and email certificates.”
Your data does not even need to be locked by ransomware for a data leak to be threatened.
In late October, the Shadow Kill Hackers launched a logon screen message to the employees of the City of Johannesburg, South Africa, demanding 4 bitcoins (about $30,000) to prevent the release of seized data.
Although the computers were not disabled by ransomware, Johannesburg shut down its IT infrastructure immediately. However, the Shadow Kill Group posted screenshots of the city’s Active Directory server to Twitter as proof of access to back up their threat.
Back in the US, on Nov. 19, the state of Louisiana was struck by its second ransomware attack in just a few months.
Government entities have been key targets in 2019, and apparently previous victims were given no mercy. Fortunately, the state was prepared for an eventual breach. Officials announced that they would not pay any ransom, that they expected no data loss, and that full service would resume in a few days’ time.
How to Prepare for Malware Attacks
When it comes to malware attacks, organizations have three key goals.
First, make your organization as difficult a target as possible by hardening servers, securing firewalls, applying microsegmentation, etc.
Second, actively search your environment for signs of malware activity. Had Allied Universal noticed 5GB of data being exfiltrated to an unknown IP address, they’d have avoided much suffering.
Third, expect that, eventually, your organization may be compromised and prepare it to recover quickly. The Louisiana attack demonstrated how preparedness can minimize an attack’s impact.
The best cybersecurity strategy should be tailored to your specific needs and budget.
Ideal Integrations & Blue Bastion are by your side. We’ll help improve your security profile and test its effectiveness with red teaming to make sure your data and your organization remain safe.