Identity Theft Concerns Rise As 48.6 Million T-Mobile Customers Data Exposed in Breach

Identity theft concerns are being raised among T-Mobile customers after the telecommunications company disclosed a colossal data breach in which the personal information of 48.6 million individuals was exposed. The attackers breached T-Mobile servers and stole files containing the personal information of tens of millions of current, former and prospective customers.

The breach impacts 7.8 million T-Mobile postpaid customers, 850,000 T-Mobile prepaid users, and approximately 40 million former or prospective customers. In total, the attackers stole records on 48.6 million individuals.

“Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” T-Mobile said in a press release.

“Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

While the company has stressed that phone numbers were not exposed, identity theft hinges on exactly the information that was: SSNs, dates of birth, and driver’s license/ID details. All of these were taken in the attack and are likely already for sale on the dark web, putting current and prospective T-Mobile customers at risk.

“At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed. We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files,” the carrier added.

T-Mobile has reset all PINs for affected accounts to prevent takeover attempts and is currently notifying these users.

In its press release the company listed the steps it is taking to protect individuals who may be at risk of identity theft:

  • “Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
  • Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
  • Publishing a unique web page later on Wednesday for one stop information and solutions to help customers take steps to further protect themselves.”

T-Mobile’s disclosure confirmed the claims of a hacker who had been offering the database for sale. Beyond traditional identity theft, the stolen data can be used in SIM swapping attacks: with a name, phone number and account PIN, an attacker can have the victim’s number ported to a SIM they control and then take over any online account that relies on SMS codes sent to that number.

T-Mobile customers are advised to be on the lookout for suspicious emails, calls, or texts from anyone claiming to be the carrier; the stolen details make such impersonation far more convincing.

This is the sixth major data breach suffered by T-Mobile in just four years; the earlier five were:

  • In 2018, info belonging to millions of T-Mobile customers was accessed by hackers.
  • In 2019, T-Mobile exposed prepaid customers’ data.
  • In March 2020, hackers gained access to T-Mobile employees’ email accounts.
  • In December 2020, hackers accessed customer proprietary network information (CPNI: phone numbers and call records).
  • In February 2021, threat actors targeted up to 400 customers in SIM swap attacks after gaining access to an internal T-Mobile application.

The Dangers of Identity Theft


Identity theft can be absolutely devastating for an individual. With most malware the damage is bounded: devices may need to be replaced, access to accounts may be lost for a few days or for good, a ransom may even have to be paid to get data back. The point is that after most malware incidents the victim can eventually rebuild, even if it takes longer than expected. The fallout from identity theft lasts much longer.

Resolving a single fraudulent use of your stolen information can take anywhere from a few days to six months. But the information itself stays in circulation for a very long time, so you can end up dealing with identity theft for many years, even decades.

Identity theft long predates modern technology: there have always been people who impersonate others for their own gain, financial or otherwise. The birth and mass adoption of the internet, however, opened new attack vectors that dwarf anything that came before.

More than ever, our personal identity is tied to data: email addresses, bank account numbers, phone numbers, Social Security numbers, home addresses. All of these and more form a picture of us as rows in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, your credit rating can be wrecked, and you can end up with medical bills or even a criminal record in your name. The list of harms that can follow from identity theft is endless.

To hackers, identity theft is a lucrative stream of income, and they can cover their tracks easily. After seizing personal information they sell it on the dark web. The same record can be sold repeatedly over time, so even after you notice that your identity has been misused, it can be misused again, in several separate incidents, over a period of years.

The US government lists warning signs that can help you discover whether you are a victim of identity theft when it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
  • If you are unsure, check with the US government’s identity theft website, IdentityTheft.gov, which is run by the Federal Trade Commission.


Protection

In some cases, the victim cannot be faulted for identity theft. Those affected by the breach in the story above handed their information to a company in good faith, and the company failed to protect it. Many other times, however, business owners and families are singled out and targeted directly in their offices and homes.

For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

MountLocker Ransomware Now Abusing Windows Active Directory To Propagate Through Network

MountLocker ransomware is under continuous development and now uses Windows Active Directory APIs to worm through the networks it infects. MountLocker began life in July 2020 as a Ransomware-as-a-Service (RaaS) operation, in which the developers build the malware and lease it to affiliates who deploy it against businesses and organizations. The RaaS market is crowded, and MountLocker has built a reputation as one of its more capable offerings. Under the arrangement, the MountLocker team takes a cut of about 25% of every ransom while affiliates keep the remaining 75%. Terms vary between RaaS operations, but a split of this kind is typical.

In March 2021, a new ransomware group called ‘Astro Locker’ emerged, using a customized version of MountLocker with ransom notes pointing to its own payment and data leak sites. Many in the cybersecurity community took this to be a rebranding by the developers.

In a statement to BleepingComputer, Astro Locker said, “It’s not a rebranding, probably we can define it as an alliance”.

Astro Locker appeared to be a more sophisticated version of MountLocker. In May 2021 an even newer variant appeared: XingLocker.

The sample was shared by MalwareHunterTeam on Twitter and analyzed further by BleepingComputer. Both confirmed that it contains a new worm feature that lets it spread to, and encrypt, other devices on the network. The worm is only enabled when the sample is run with the /NETWORK command-line argument, which suggests the feature is still in an early development or testing stage.

The sample was also sent to Advanced Intel CEO Vitali Kremez, who discovered that MountLocker now uses the Windows Active Directory Service Interfaces (ADSI) API as part of its worm feature.

MountLocker first calls the NetGetDCName() function to retrieve the name of the domain controller. It then performs LDAP queries against the domain controller’s Active Directory using the ADsOpenObject() function, authenticating with domain credentials passed on the command line.

Using the Active Directory Service Interfaces API

Once connected to Active Directory, it iterates over the directory looking for objects matching ‘objectclass=computer’, as shown in the image above.

For each computer object it finds, MountLocker attempts to copy the ransomware executable to the remote device’s admin share, into the ‘\C$\ProgramData’ folder.

MountLocker then remotely creates a Windows service that loads the copied executable, so the remote device proceeds to encrypt itself.

Creating and launching the ransomware service

Using this API, MountLocker ransomware can find all devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials.
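The copy-to-admin-share-then-create-service pattern described above leaves two footprints on every victim host: a Security event 5145 recording a write to the C$ share, and a System event 7045 recording a new service whose binary sits in ProgramData. The following is an added detection example written for this page (it is not MountLocker code nor anything from the researchers quoted): it correlates those two events per host and then looks for one source address doing it to several hosts, which is what the worm looks like from the defender’s side. The event records are constructed sample data in a simplified, normalized shape; the real fields they stand for are ShareName, RelativeTargetName, IpAddress and AccessMask (5145) and ServiceName and ImagePath (7045). The drop-directory list and the 60-second correlation window are assumptions to tune per estate.

```python
r"""Hunt for MountLocker-style lateral movement in Windows event data.

The worm copies an executable into the remote host's admin share
(\\host\C$\ProgramData) and remotely creates a service that runs it.
On the victim that leaves Security event 5145 (share file written) and
System event 7045 (new service installed). Correlating them per host,
then counting hosts per source IP, gives a high-signal detection.
Records below are constructed sample data in a simplified shape.
"""
import ntpath
from collections import defaultdict

# Directories a legitimate service binary rarely lives in (assumption: tune per estate).
WRITABLE_DROP_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
WRITE_ACCESS_MASK = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in the 5145 AccessMask

SAMPLE_EVENTS = [  # constructed
    {"ts": 100, "host": "WS01", "id": 5145, "ip": "10.0.0.5", "share": "\\\\*\\C$",
     "target": "ProgramData\\svchost_upd.exe", "access_mask": 0x2},
    {"ts": 103, "host": "WS01", "id": 7045, "service": "upd",
     "image": "C:\\ProgramData\\svchost_upd.exe"},
    {"ts": 110, "host": "WS02", "id": 5145, "ip": "10.0.0.5", "share": "\\\\*\\C$",
     "target": "ProgramData\\svchost_upd.exe", "access_mask": 0x2},
    {"ts": 114, "host": "WS02", "id": 7045, "service": "upd",
     "image": "C:\\ProgramData\\svchost_upd.exe"},
    # Benign: a vendor installer registering a service from Program Files.
    {"ts": 200, "host": "WS03", "id": 7045, "service": "GoogleUpdate",
     "image": "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"},
    # Benign: a read of a file on the admin share, no service follows.
    {"ts": 300, "host": "WS04", "id": 5145, "ip": "10.0.0.9", "share": "\\\\*\\C$",
     "target": "ProgramData\\report.txt", "access_mask": 0x1},
]


def image_to_path(image):
    """Strip quotes and arguments from a 7045 ImagePath; return the lowercase binary path."""
    image = image.strip()
    if image.startswith('"'):
        return image[1:image.find('"', 1)].lower()
    return image.split(" ")[0].lower()


def is_suspicious_service_install(ev):
    """7045 whose binary lives in a user-writable drop directory."""
    if ev["id"] != 7045:
        return False
    return image_to_path(ev["image"]).startswith(WRITABLE_DROP_DIRS)


def correlate_share_write_and_service(events, window=60):
    """Pair each suspicious 7045 with a preceding C$ write of the same file name.

    Returns a list of (host, source_ip, service_name, image_path) alerts.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for svc in filter(is_suspicious_service_install, events):
        path = image_to_path(svc["image"])
        basename = ntpath.basename(path)
        for w in events:
            if (w["id"] == 5145 and w["host"] == svc["host"]
                    and svc["ts"] - window <= w["ts"] <= svc["ts"]
                    and w["share"].lower().endswith("c$")
                    and w["access_mask"] & WRITE_ACCESS_MASK
                    and ntpath.basename(w["target"]).lower() == basename):
                alerts.append((svc["host"], w["ip"], svc["service"], path))
                break
    return alerts


def worm_sources(alerts, min_hosts=2):
    """Source IPs that deployed a service to at least min_hosts distinct hosts."""
    hosts_by_ip = defaultdict(set)
    for host, ip, _service, _path in alerts:
        hosts_by_ip[ip].add(host)
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = correlate_share_write_and_service(SAMPLE_EVENTS)
    for a in found:
        print("service dropped over C$: host=%s from=%s service=%s image=%s" % a)
    print("worm-like sources:", worm_sources(found))
```

Event 5145 is only written when object access auditing for file shares is enabled, so the correlation degrades to the 7045 check alone on hosts without it; the fan-out count is what separates a single admin pushing a tool from a worm, so keep it even when the share events are missing.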

“Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan,” Kremez stated.

“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”

As Windows network administrators commonly use this API, Kremez believes the threat actor who added this code likely has some Windows domain administration experience.

While these APIs have been seen in other malware, such as TrickBot, this may be the first “corporate ransomware for professionals” to use them for built-in reconnaissance and spreading to other devices.

MountLocker Ransomware Analysis

This analysis was carried out by independent ransomware researcher Zawadi Done.

For encryption, MountLocker ransomware uses ChaCha20 to encrypt files and RSA-2048 to encrypt the encryption key. But before the encryption procedure runs, MountLocker ransomware performs a few tasks that increase the effectiveness of the ransomware.

Both files are packed with a packer written in Visual Basic. The packer checks whether the process is being debugged using IsDebuggerPresent; if not, it continues to unpack the executable into a newly created segment. Using x64dbg and PE-bear I dumped the full executable from memory and modified the image base and section headers.

The serial number of the used drive is retrieved and used as mutex value. Every time an encrypted file is opened the recovery manual of the ransomware is also opened.

To run a PowerShell script it creates a file in the temporary folder C:\Users\IEUser\AppData\Local\Temp\.tmp and writes the PowerShell script shown below to the file.

The PowerShell script is then executed by calling:

powershell.exe -windowstyle hidden -c "$mypid='972';[System.IO.File]::ReadAllText('C:\Users\IEUser\AppData\Local\Temp\~1399171.tmp')|iex"

This results in the shadow copies being deleted and a list of services and processes being stopped.

Using the API calls CryptAcquireContextW, CryptImportKey, CryptEncrypt an embedded RSA-2048 key is imported and used to encrypt 32 bytes generated by the instruction rdtsc. The plaintext and ciphertext of the bytes will later be used to encrypt other values. MountLocker ransomware will search for all types of drives and it skips the following file extensions and directories.

Using CreateFileW and CreateFileMappingW it creates a filehandle and a handle to the file in memory. Instead of using MoveFileW to change the file name, it uses the SetFileInformationByHandle to change the extension of the file.

Using ChaCha20, file_32_bytes is encrypted with 32_bytes as the key and the first 12 bytes of 32_bytes as the nonce. Let’s call the ciphertext encrypted_32_bytes. It then writes file_encrypted_32_bytes and encrypted_32_bytes to the end of the file that is to be encrypted.

Using MapViewOfFile the file is mapped into memory with the file’s size or 0x4000000 bytes as the length. This buffer is then encrypted with ChaCha20 using file_32_bytes as the key and the first 12 bytes of file_32_bytes as the nonce. After the buffer is encrypted it calls MapViewOfFile to store the buffer to the file on disk.

The encryption procedure is described in the diagram below.
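To make the key hierarchy in the analysis above concrete, here is an added example that models it in pure Python; it is written for this page and is not MountLocker’s code or the researcher’s. A 32-byte run key (the analysis’s 32_bytes) is wrapped with RSA; every file gets its own 32-byte file key (file_32_bytes), which is ChaCha20-encrypted under the run key; the file body is ChaCha20-encrypted under the file key; and in every ChaCha20 call the nonce is the first 12 bytes of the key in use. The RSA-wrapped run key and the ChaCha20-wrapped file key are appended to the encrypted body, so only the holder of the RSA private key can unwind it. Two stand-ins are assumptions: key material comes from os.urandom rather than rdtsc, and a textbook RSA with a freshly generated 512-bit key (no padding) replaces the RSA-2048 imported through CryptoAPI. The ChaCha20 itself follows RFC 8439.

```python
"""Model of the MountLocker per-file encryption described above.

Added example, not the ransomware's code. Layout of an encrypted file:
    ChaCha20_file_key(body) || RSA(run_key) || ChaCha20_run_key(file_key)
Every ChaCha20 call uses the first 12 bytes of its own key as the nonce.
Stand-ins (assumptions): os.urandom instead of rdtsc for key material,
textbook RSA with a fresh 512-bit key instead of CryptoAPI RSA-2048.
"""
import os
import secrets
import struct

MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _qr(s, a, b, c, d):  # one ChaCha quarter round, in place
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 keystream bytes for (32-byte key, counter, 12-byte nonce)."""
    state = [*struct.unpack("<4I", b"expand 32-byte k"), *struct.unpack("<8I", key),
             counter, *struct.unpack("<3I", nonce)]
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 1, 5, 9, 13); _qr(x, 2, 6, 10, 14); _qr(x, 3, 7, 11, 15)
        _qr(x, 0, 5, 10, 15); _qr(x, 1, 6, 11, 12); _qr(x, 2, 7, 8, 13); _qr(x, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))


def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation), block counter starting at 0."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], chacha20_block(key, i // 64, nonce)))
    return bytes(out)


def _is_probable_prime(n, rounds=40):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=512, e=65537):
    """Textbook RSA key pair: ((n, e), (n, d)). Demo only: no padding, short modulus."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % e and _is_probable_prime(c):  # keeps gcd(e, phi) == 1
                return c
    p = q = prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def rsa_encrypt(pub, msg):
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(priv, ct, out_len=32):
    n, d = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(out_len, "big")


def encrypt_file(plaintext, run_key, pub):
    """Return body || RSA(run_key) || ChaCha20_run_key(file_key), as the analysis describes."""
    file_key = os.urandom(32)                                  # stand-in for the per-file rdtsc bytes
    body = chacha20_xor(file_key, file_key[:12], plaintext)    # nonce = first 12 bytes of the key
    return body + rsa_encrypt(pub, run_key) + chacha20_xor(run_key, run_key[:12], file_key)


def decrypt_file(blob, priv):
    """What the operator's decryptor does: unwrap run_key, then file_key, then the body."""
    rsa_len = (priv[0].bit_length() + 7) // 8
    body, tail = blob[:-(rsa_len + 32)], blob[-(rsa_len + 32):]
    run_key = rsa_decrypt(priv, tail[:rsa_len])
    file_key = chacha20_xor(run_key, run_key[:12], tail[rsa_len:])
    return chacha20_xor(file_key, file_key[:12], body)
```

Deriving the nonce from the key is not itself a weakness here, because each file gets a fresh key and so a fresh key/nonce pair. The one point a practitioner should take away is that the analysis says the 32 bytes come from rdtsc, which is a timestamp counter and not a cryptographic random source; the example above uses os.urandom precisely because the real scheme’s key material is of unknown quality, and this page makes no claim about whether it can be recovered.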


After the files are encrypted, MountLocker ransomware will delete itself.

The MountLocker ransomware drops a ransom note in every folder that it encrypts with the name RecoveryManual.html. This note includes a ClientId which can be used to contact the threat actor on their own “support” portal. This ClientId is based on the computer name XOR’ed by a hardcoded value.

Protection

With threats like Mount Locker Ransomware evolving and expanding everyday, it is important individuals and business owners have adequate protection tools to keep their devices safe. One of these tools is SaferNet.


QNAP confirms devices still under assault by Qlocker Ransomware

Qlocker Ransomware remains a thorn in the side of network-storage company QNAP, which is now advising customers to update its Hybrid Backup Sync (HBS 3) disaster recovery app because a flaw in it has become the ransomware’s way in. HBS 3 ships with QNAP’s network-attached storage (NAS) devices, which Qlocker has been targeting. “The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3. To prevent infection from Qlocker, we recommend updating HBS 3 to the latest version,” the Taiwan-based NAS appliance maker said in a security advisory issued last week.

QNAP Systems is a Taiwanese corporation that specializes in Network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications. Headquartered in Xizhi District, New Taipei City, Taiwan, QNAP has offices in 16 countries and employs over 1000 people around the world.

QNAP’s problems with Qlocker began on April 19, when its customers were hit by a devastating ransomware campaign. Qlocker breached thousands of QNAP NAS devices, replacing victims’ files with password-protected 7-zip archives.

At the time, the attack vector was unknown. QNAP has since confirmed that the attackers abused CVE-2021-28799, a hard-coded credentials vulnerability in HBS 3. The hard-coded credential acts as a backdoor account and allows attackers to access devices running out-of-date HBS 3 versions.

QNAP added that CVE-2021-28799 has already been fixed in the following HBS 3 versions (HBS 2 and HBS 1.3 are not impacted):

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

Though this is not the first time QNAP has specifically mentioned Qlocker targeting the HBS 3 backdoor, it is the first time the company has stated that this is the primary attack vector.

For many of QNAP’s customers, these warnings come much too late. 5 weeks after the initial attacks, the campaign has slowed down considerably – the hackers have already made off with the money.

In those five weeks the attackers took over $350,000 from users, each forced to pay 0.01 bitcoin (about $500) to obtain the password for their files. This is a relatively low ransom, but spread across the entire user base it adds up to a considerable payday. Lower ransom amounts such as these also give a campaign a higher chance of being paid.

It is believed the hackers behind Qlocker Ransomware also wanted to make an abrupt end to the campaign instead of continuing to infect new users. Cybersecurity researchers have confirmed that Qlocker TOR sites on the darkweb are no longer accessible, with the gang apparently vanishing.

These actions are following a new trend – Since the Darkside attack on the Colonial Pipeline, ransomware gangs are going offline or laying low for now. It is believed that the attack has drawn unwanted attention to the world of cybercrime, so gangs are forced to play it safe.

While Qlocker ransomware might have shut down, this is not the only ransomware currently targeting QNAP NAS devices. During the last few weeks, QNAP customers were also urged to secure their devices against new Agelocker and eCh0raix ransomware campaigns.

QNAP has published a list of best-practice steps for customers to secure their NAS devices.

Qlocker Ransomware Analysis


Note: The Analysis of Qlocker Ransomware was carried out by cybersecurity researchers at BleepingComputer.

The attackers use 7-Zip to move files on QNAP devices into password-protected archives. While the files are being locked, the QNAP Resource Monitor displays numerous ‘7z’ processes, which are the 7-Zip command-line executable.

Qlocker Ransomware commanding 7-Zip to use resources


When the ransomware has finished, the QNAP device’s files will be stored in password-protected 7-zip archives ending with the .7z extension. To extract these archives, victims will need to enter a password known only to the attacker.

Files zipped by Qlocker Ransomware need a password to open


After QNAP devices are encrypted, users are left with a !!!READ_ME.txt ransom note that includes a unique client key that the victims need to enter to log into the ransomware’s Tor payment site.

Qlocker Ransomware note


From the Qlocker ransom notes seen by BleepingComputer, all victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files.

After paying the ransom and entering a valid Bitcoin transaction ID, the Tor payment site displays the password for the victim’s 7-Zip archives, as shown below.


During the research, independent security researcher Jack Cable reached out to Bleeping Computer about a bug he discovered in the Qlocker Tor site that allowed users to recover their 7zip passwords for free.

Sadly, within an hour of the bug being announced, the Qlocker operators pushed a hotfix that removed the flaw. In that window, at least some victims’ files were freed.


At this point, there is no way to recover the files without a password, which can no longer be retrieved for free.

The Qlocker threat actors exploit vulnerabilities in QNAP devices that allow them to execute commands on your NAS device remotely.

While most ransomware operations deploy specially crafted malware programs, the Qlocker attackers are simply scanning for QNAP devices and using vulnerabilities to remotely launch the built-in 7zip archive utility to password-protect files.

With this type of attack, QNAP devices are not being infected with any malware but simply being abused by vulnerabilities taking advantage of software already bundled with the operating system.
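Because Qlocker drove the NAS’s own 7z binary rather than dropping malware, a responder on a QNAP box has two cheap checks: are there 7z “add” jobs running with a password switch, and which directories now consist of .7z files next to a !!!READ_ME.txt note. The script below is an added example for this page, not QNAP’s or BleepingComputer’s code. The process listing and file tree are constructed; the page does not say which 7-Zip switches Qlocker used, so the sample command lines (7-Zip’s real -p password and -sdel delete-after-archive switches) are illustrative. What the example does show is a property of 7-Zip itself: a password given with -p is part of the command line and therefore visible in the process list for as long as the job runs.

```python
"""Triage helper for a QNAP NAS suspected of a Qlocker-style attack.

Added example (not QNAP's or BleepingComputer's code). Qlocker did not
drop a binary: it drove the NAS's own 7z tool to fold files into
password-protected .7z archives and left !!!READ_ME.txt notes behind.
Two checks: 7z 'a' (add) jobs carrying a -p password switch in the
process list, and directories where .7z files now sit beside a note.
The ps output and file tree below are constructed; the 7z switches
shown are illustrative, not taken from a Qlocker sample.
"""
import posixpath
import shlex

NOTE_NAME = "!!!READ_ME.txt"

SAMPLE_PS = """\
  PID ARGS
 1201 /sbin/httpd -k start
 4410 7z a -mx=0 -sdel -pJ8f2kQ9w /share/CACHEDEV1_DATA/Public/invoice_2021.pdf.7z /share/CACHEDEV1_DATA/Public/invoice_2021.pdf
 4411 7z a -mx=0 -sdel -pJ8f2kQ9w /share/CACHEDEV1_DATA/Photos/IMG_0001.jpg.7z /share/CACHEDEV1_DATA/Photos/IMG_0001.jpg
 4490 /usr/bin/python3 /share/CACHEDEV1_DATA/homes/admin/backup.py
 4512 7z x -oPublic/restore /share/CACHEDEV1_DATA/Public/archive.7z
"""

SAMPLE_TREE = [  # constructed snapshot of the data volume
    "/share/CACHEDEV1_DATA/Public/!!!READ_ME.txt",
    "/share/CACHEDEV1_DATA/Public/invoice_2021.pdf.7z",
    "/share/CACHEDEV1_DATA/Public/budget.xlsx.7z",
    "/share/CACHEDEV1_DATA/Public/archive.7z",
    "/share/CACHEDEV1_DATA/Photos/!!!READ_ME.txt",
    "/share/CACHEDEV1_DATA/Photos/IMG_0001.jpg.7z",
    "/share/CACHEDEV1_DATA/Photos/IMG_0002.jpg",
    "/share/CACHEDEV1_DATA/homes/admin/backup.py",
]


def parse_ps(text):
    """Yield (pid, argv) from `ps -o pid,args` style output; the first line is the header."""
    for line in text.splitlines()[1:]:
        pid, _, args = line.strip().partition(" ")
        yield int(pid), shlex.split(args)


def suspicious_7z_jobs(ps_text):
    """7z 'add' jobs that carry a password or delete their sources; the password is
    recovered from the command line when the -p switch is present."""
    jobs = []
    for pid, argv in parse_ps(ps_text):
        if not argv or posixpath.basename(argv[0]) not in ("7z", "7za", "7zr"):
            continue
        if len(argv) < 2 or argv[1] != "a":  # only archive-creation jobs matter
            continue
        password = next((a[2:] for a in argv if a.startswith("-p") and len(a) > 2), None)
        deletes_source = "-sdel" in argv
        if password is not None or deletes_source:
            jobs.append({"pid": pid, "password": password, "deletes_source": deletes_source,
                         "archive": next((a for a in argv[2:] if not a.startswith("-")), None)})
    return jobs


def archive_impact(paths):
    """Per directory: whether a ransom note is present and how many files became .7z."""
    by_dir = {}
    for p in paths:
        d, name = posixpath.split(p)
        stats = by_dir.setdefault(d, {"files": 0, "archives": 0, "note": False})
        if name == NOTE_NAME:
            stats["note"] = True
            continue
        stats["files"] += 1
        if name.lower().endswith(".7z"):
            stats["archives"] += 1
    return by_dir


def hit_directories(paths, min_ratio=0.5):
    """Directories carrying the note where at least min_ratio of the files are .7z archives."""
    return sorted(d for d, s in archive_impact(paths).items()
                  if s["note"] and s["files"] and s["archives"] / s["files"] >= min_ratio)


if __name__ == "__main__":
    for job in suspicious_7z_jobs(SAMPLE_PS):
        print("pid %(pid)d archiving %(archive)s password=%(password)s" % job)
    print("directories hit:", hit_directories(SAMPLE_TREE))
```

If the process check fires, the job is still running and the password in its argv is the most valuable thing on the box; capture it before killing the process, since once 7z exits nothing in the archives themselves reveals it.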

Protection

In cases like Qlocker, a single vulnerable component bundled with the device (here, a hard-coded credential in the HBS 3 app) exposes everything stored on it. Attacks of this kind are becoming more common, and it is important that business leaders and home owners use the right tools to protect themselves from evolving threats. One of these tools is SaferNet.


Hackers Aim To Capitalize On Post-Covid Return To Office With Phishing Scheme

Phishing campaigns nearly always spike around any major event, and the post-COVID return to the office is proving no different. Anticipating the shift back, threat actors have prepared spear-phishing lures designed to harvest credentials. The latest scam sends targets emails purportedly from their CIO welcoming them back to the office and outlining the company’s post-pandemic workplace protocols.

“The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO,” Cofense outlined in a report.

The fake newsletter explains return-to-work procedures are forcing employees to take new precautions relative to the pandemic, according to the researchers.

The spoofed CIO email directs victims to a fake Microsoft SharePoint page hosting two company-branded documents, both supposedly describing the new business operations. The final step of the scam is to get the victim to hand over their credentials.

COVID-19 has been a treasure-trove for hackers in every stage of the pandemic. Spear-phishing vaccine-related attacks shot up 26% between October and January, just as the news of the vaccine came and the rollout began globally. Healthcare organisations, crushed under the weight of the pandemic, were targeted night and day by various forms of Malware. Last year alone, 10% of all organisations hit by ransomware were hospitals or medical organisations.

“COVID-19 has given us a window into how hackers can exploit human vulnerabilities during a crisis, with healthcare and pandemic-related attacks prevalent in 2020,” Sivan Tehila with Perimeter 81 wrote recently in a report for Threatpost.

CIO Spear-Phishing Attack Methodology

This campaign was analysed by cybersecurity researchers at Cofense.

The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO. By pretending to be an executive, the threat actor has sent a false newsletter explaining the new precautions and changes to business operations the company is taking relative to the pandemic.

It is likely in these times that many companies are making changes to their operations and providing their employees guidelines. However, in this case, the threat actor is trying to capitalize on sometimes confusing change to steal credentials and personal information.

If an employee were to interact with the email, they would be redirected to what appears to be a Microsoft SharePoint page with two documents. These documents appear to be legitimate, outlining changes to business operations referenced in the original email. Instead of simply redirecting to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company. When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials.

Clicking on either of the documents produces a login panel that prompts the recipient to provide login credentials to access the files. This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel. By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.

Another technique that the threat actor uses that we have seen in other campaigns is the use of fake validated credentials. For this example, the first few times login information is entered into the panel, the result will be the error message, “Your account or password is incorrect.”

After entering login information a few times, the employee will be redirected to an actual Microsoft page. This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information. Thus, the phishing attack has been successful.
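The lure above succeeds because the landing page looks like SharePoint; the one thing the attacker cannot fake is the host name the browser actually connects to. The following is an added example for this page, not code from the Cofense report: is_tenant_sharepoint() accepts a link only when it is HTTPS and its host is the organisation’s SharePoint host or a subdomain of it, resolving the host the way a browser does, so the usual disguises fail (credentials before an @, the real host name used as a prefix of another domain, hyphenated look-alikes, bare IP addresses). deceptive_links() then pulls every anchor out of an email body and flags those whose visible text names the tenant while the href goes elsewhere, which is exactly the mismatch a “SharePoint” lure depends on. The tenant host names (contoso) and the sample email are assumptions for the demo.

```python
"""Spot a return-to-office lure whose 'SharePoint' link does not go to your tenant.

Added example, not from the Cofense report. The host the browser connects
to is what gives a fake SharePoint page away. Tenant host names and the
sample email below are assumptions for the demo.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TENANT_HOSTS = ("contoso.sharepoint.com", "contoso-my.sharepoint.com")  # assumed tenant


def link_host(url):
    """Host the browser would connect to: lowercase, no userinfo, no port, no trailing dot."""
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    return host or None


def is_tenant_sharepoint(url, tenant_hosts=TENANT_HOSTS):
    """True only for https://<tenant host or subdomain>/..., as a browser would resolve it."""
    scheme = urlsplit(url.strip()).scheme.lower()
    host = link_host(url)
    if scheme != "https" or host is None:
        return False  # SharePoint Online is HTTPS only; http:// or no scheme is a red flag
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP address is never the tenant
    except ValueError:
        pass
    # Exact host or a real subdomain; 'contoso.sharepoint.com.evil.example' fails both tests.
    return any(host == t or host.endswith("." + t) for t in tenant_hosts)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html, tenant_hosts=TENANT_HOSTS):
    """Anchors that display a tenant host name but whose href does not lead to the tenant."""
    parser = _Anchors()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if any(t in text.lower() for t in tenant_hosts)
            and not is_tenant_sharepoint(href, tenant_hosts)]


SAMPLE_EMAIL = """<p>Please review the updated office protocols before your first day back:</p>
<a href="https://contoso.sharepoint.com@files-share.example/s/rto">https://contoso.sharepoint.com/sites/hr/Return-to-Office.pdf</a><br>
<a href="https://contoso.sharepoint.com/sites/hr/Seating-Plan.pdf">Seating plan</a>"""  # constructed


if __name__ == "__main__":
    for href, text in deceptive_links(SAMPLE_EMAIL):
        print("deceptive link: text says %s but goes to %s" % (text, link_host(href)))
```

The check is deliberately strict about suffixes: matching with a plain substring or `endswith("sharepoint.com")` would accept `contoso.sharepoint.com.files-share.example`, and matching on the display text would accept the first link in the sample. Nothing here detects the credential-harvesting panel itself; it only tells the reader which host they are about to type a password into.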


Protection Against Phishing

Often in hacker circles some claim to have a sense of ‘honor amongst thieves’, but the COVID-19 Pandemic and the associated hacking campaigns that went on during it are a sure sign that these individuals do not have a clear sense of right and wrong. As the world gradually readjusts to the ‘normal’ we once knew, hackers are certain to use every tool at their disposal to steal information from whomever they target. Phishing attacks like these will continue to be widespread.

It is important that business owners use the right tools to protect themselves against cyberthreats. One of these tools is SaferNet.


Second Largest Meat Producer in the US Under Assault By REvil Ransomware

REvil ransomware has added to its reputation as one of the most damaging ransomware operations with an attack over the weekend on JBS Foods. JBS is the second-largest meat producer in the US and the largest in the world. Plants across the US, Australia, Canada, the UK, and Mexico have had to shut down following the infection. The company employs 245,000 people worldwide and serves an extensive portfolio of brands, including Swift, Pilgrim’s Pride, Seara, Moy Park, Friboi, Primo, and Just Bare, to customers in 190 countries on six continents.

JBS USA issued a press release on May 31st confirming the ransomware attack. “On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” JBS USA said.

“The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation. The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.”

The company added that there was no evidence of customer, supplier, or employee data compromised during the REvil ransomware attack.

The company also expects transactions with customers and suppliers to be delayed until the incident is fully resolved.

The Australian government has also been informed of the incident and is currently working with JBS to bring production facilities around the country back online.

“The technology they use goes to the heart of the quality assurance of the beef they are processing,” Australia’s Agriculture Minister David Littleproud told ABC. “We need to make sure we can get that up and going to give confidence not just to consumers in Australia, but also to our export markets. They are obviously working with law enforcement agencies here in Australia, and we’re working in partnership with other countries to get to the bottom of this. Since it is a global attack it’s important not to speculate that it’s emanated from any particular place, just yet.”

The US Department of Agriculture has said it expects beef prices to climb 1 percent to 2 percent this year, poultry as much as 1.5 percent, and pork between 2 percent and 3 percent.

JBS Meat Plant in Greeley, Colorado

If JBS were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.

JBS did not say which of its 84 US facilities were closed on Monday and Tuesday because of the attack.

Earlier, a union official confirmed that two shifts at the company’s largest US beef plant, in Greeley, Colorado, were canceled. Some plant shifts in Canada were also canceled Monday and Tuesday, according to JBS Facebook posts.

The attack vector and malware strain used were initially unknown. On Tuesday, the White House announced the attack came from Russia. By Wednesday, the FBI had released a short statement confirming the malware strain to be REvil Ransomware.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the agency said.

“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries.

“A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices.”

REvil Ransomware Analysis

REvil Ransomware is Ransomware-as-a-Service (RaaS), meaning it is sold on a subscription basis and is usable by just about anybody. In 2020, it extorted large amounts of money from corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using it have a knack for shaking down businesses that don’t meet their demands, often through threats or leaking data.

REvil Ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN.  In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil Ransomware.

In February 2021, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil had announced new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service where the threat actors, or affiliated partners, will perform voice-scrambled VOIP calls to the media and the victim’s business partners with information about the attack. The ransomware gang is likely assuming that warning businesses that their data may have been exposed in an attack on one of their partners will create further pressure for the victim to pay.

REvil Ransomware is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

REvil Ransomware is highly configurable and can be customized to behave differently depending on the host, which makes it a highly attractive RaaS client. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
  • Whitelists files, folders and extensions from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note, and the contents of the background image.
  • Exfiltrates encrypted information on the infected host to remote controllers.
  • REvil Ransomware uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.

Protection Against Ransomware

REvil Ransomware and other Ransomware clients are some of the most common and deadly cybersecurity threats out there today. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.


A New Threat Emerges as Epsilon Red Ransomware Aims for Microsoft Vulnerabilities

Epsilon Red Ransomware is an explosive newcomer to the malware and ransomware scene and has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network. Epsilon Red Ransomware attacks rely on several scripts before reaching the encryption stage, and the strain is also notable for using a commercial remote desktop utility. Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector.

The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in an on-premises Microsoft Exchange server. Andrew Brandt, principal researcher at Sophos, says in a report today that the attackers may have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network.

The ProxyLogon bugs have been widely publicized, as attackers seized the opportunity and began scanning the web for vulnerable servers and compromising them.

On March 2, Microsoft released critical security updates for four zero-day vulnerabilities discovered in Exchange Server and reported that they were being actively exploited by an actor called HAFNIUM, a state-sponsored group operating out of China.

Within one week, at least 30,000 U.S. organizations and hundreds of thousands of organizations worldwide have fallen victim to an automated campaign run by HAFNIUM that provides the attackers with remote control over the affected systems.

Researchers at Radware have described the ProxyLogon vulnerabilities as follows:

CVE-2021-26855: SERVER SIDE REQUEST FORGERY
The Server-Side Request Forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint. The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users’ mailboxes. This vulnerability, combined with the knowledge of a victim’s email address, means the remote actor can exfiltrate all emails from the victim’s Exchange mailbox.


CVE-2021-26857: REMOTE CODE EXECUTION VULNERABILITY
A post-authentication insecure deserialization vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges. The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files. A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 AND CVE-2021-27065
Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server. A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and exploit this vulnerability to write web shells to virtual directories (VDirs) published to the internet by the server’s Internet Information Server (IIS). IIS is Microsoft’s web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.

Epsilon Red Ransomware Analysis

Note: The Analysis of Epsilon Red Ransomware has been carried out by Sophos and BleepingComputer.

Epsilon Red Ransomware is written in Golang (Go) and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine, each having a specific purpose:

  • kill processes and services for security tools, databases, backup programs, Office apps, email clients
  • delete Volume Shadow Copies
  • steal the Security Account Manager (SAM) file containing password hashes
  • delete Windows Event Logs
  • disable Windows Defender
  • suspend processes
  • uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
  • expand permissions on the system

Most of the scripts are numbered 1 through 12, but a few are named with a single letter. One of these, c.ps1, seems to be a clone of the penetration testing tool Copy-VSS.
Powershell scripts before Epsilon Red Ransomware takes hold
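As an added example (not code from Sophos or BleepingComputer), the detector below correlates process-creation events per host against the pre-encryption stages listed above, alerting only when several distinct stages appear on one host within a short window. The event line format, host names and sample command lines are constructed for this example; the regexes are the commonly observed command-line forms of each stage.

```python
"""Correlate process-creation events against the pre-encryption stages
listed above (kill security tools, delete shadow copies, steal SAM, clear
event logs, disable Defender).

Added example for this write-up, not Sophos or BleepingComputer code.
The event line format, host names and sample command lines are constructed;
the regexes are the commonly observed command-line forms of each stage."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage from the script list. A single stage on its own is
# noisy (administrators delete shadow copies too), so detect() only alerts
# when several distinct stages appear on one host within a short window.
STAGES = {
    "kill_security_tools": re.compile(
        r"\b(taskkill|net\s+stop)\b.*\b(sophos|trend|cylance|malwarebytes|sentinel|vipre|webroot)", re.I),
    "delete_shadow_copies": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "steal_sam": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I),
    "clear_event_logs": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "disable_defender": re.compile(r"Set-MpPreference\s+-Disable|DisableAntiSpyware", re.I),
}

# Constructed event format: ISO timestamp, host, parent image, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>[^"]*)"$')


def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "parent": m["parent"], "cmd": m["cmd"]}


def classify(cmd):
    """Names of the stages whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def detect(lines, min_stages=3, window=timedelta(minutes=30)):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct stages occur within `window` of each other."""
    per_host = defaultdict(list)            # host -> [(timestamp, stage)]
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for stage in classify(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over time-ordered hits
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed for this example
    # Benign: an administrator removing the oldest shadow copy on a file server.
    '2021-05-20T02:05:11Z host=FS01 parent=cmd.exe cmd="vssadmin.exe delete shadows /for=D: /oldest"',
    # Staging chain on one workstation, all spawned from PowerShell within two minutes.
    '2021-05-20T03:11:02Z host=HR-WS07 parent=powershell.exe cmd="taskkill.exe /F /IM SophosClean.exe"',
    '2021-05-20T03:11:05Z host=HR-WS07 parent=powershell.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2021-05-20T03:11:09Z host=HR-WS07 parent=powershell.exe cmd="reg.exe save hklm\\sam C:\\Users\\Public\\s.hiv"',
    '2021-05-20T03:12:30Z host=HR-WS07 parent=powershell.exe cmd="wevtutil.exe cl Security"',
    '2021-05-20T03:12:31Z host=HR-WS07 parent=powershell.exe cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    # A single Defender change elsewhere is not enough to alert on its own.
    '2021-05-20T09:40:00Z host=DEV-WS02 parent=explorer.exe cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Lowering `min_stages` trades false positives for earlier warning; the benign FS01 event shows why a single shadow-copy deletion should not alert by itself.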

After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts that ultimately deploy the Epsilon Red Ransomware executable.

Sophos researchers noticed that the threat actor also installs a copy of Remote Utilities – a commercial software for remote desktop operations, and the Tor Browser. This move is to ensure that they still have a door open if they lose access through the initial entry point.


The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX.

The executable contains some code taken from an open source project called godirwalk, which gives it the ability to scan the hard drive on which it’s running for directory paths and compile them into a list. The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously.

Epsilon Red Ransomware itself is quite small as it only really is used to perform the encryption of the files on the targeted system. It makes no network connections, and because functions like killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it’s really a simple program.  

In the sample Sophos saw, it doesn’t even contain a list of targeted file types or file extensions. In fact, it will encrypt everything inside the folders it decides to encrypt, including other executables and DLLs, which can render programs or the entire system nonfunctional, if the ransomware decides to encrypt the wrong folder path. After it encrypts each file, it appends a file suffix of “.epsilonred” to the files, and drops a ransom note in each folder.  

Strangely enough, the Epsilon Red Ransomware note closely resembles the note used by REvil, a much more widely used ransomware. But where the REvil note is typically riddled with spelling and grammatical errors, the note delivered by Epsilon Red Ransomware has gone through a few edits to make its text more readable to an audience of native English speakers. 

Epsilon Red Ransomware Note


Victims are encouraged to visit a special URL on a website operated on the normal web (epsilons[.]red) to engage with the attackers. 

Epsilon Red Ransomware is just one of many new malware strains being produced and developed almost daily. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.


Ryuk Ransomware Continues Assault in Spain as Ministry of Labor and Social Economy is Brought Offline

Ryuk Ransomware is continuing its attacks against state and private enterprises in Spain after the Spanish Ministry of Labor and Social Economy (MITES) was forced offline last Wednesday. Presently, they are working to restore services. MITES is a ministerial department with an annual budget of almost €39 million, charged with coordinating and supervising Spain’s employment, social economy, and corporate social responsibility policies.

“The Ministry of Labor and Social Economy has been affected by a computer attack,” MITES’ media office said after the attack. “The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible.”

MITES Twitter Account After the Attack


The Ministry website remained online after the Ryuk Ransomware attack; however, both the communications and multimedia offices were down.

Spain has suffered from a spree of Ryuk Ransomware attacks since March this year, when the Spanish Servicio Público de Empleo Estatal (SEPE), which is a part of MITES, was compromised by Ryuk.

The incident impacted more than 700 agency offices across Spain after hackers encrypted the agency’s network systems. According to an announcement made on the agency’s website at the time, the ransomware also spread beyond SEPE’s workstations and reached the agency’s remote working staff’s laptops. As a direct result of the ransomware attack that hit SEPE’s network, hundreds of thousands of appointments made through the agency were delayed throughout Spain.

Ransomware attacks have been common in Spain, with a leading Spanish managed service provider (MSP), and Cadena SER (Sociedad Española de Radiodifusión), Spain’s largest radio station, hit by ransomware in November 2019.

Ryuk Ransomware Analysis

Note: This analysis of Ryuk Ransomware was carried out by independent researcher Abdallah Elshinbary.


The dropper first checks the Windows MajorVersion and, if it is equal to 5 (Windows 2000, Windows XP, or Windows Server 2003), it drops the ransomware executable at C:\Documents and Settings\Default User\; otherwise it drops it at C:\users\Public.

The name of the dropped executable is five randomly generated characters.

If the creation of this file fails, Ryuk drops the executable in the same directory as the dropper, replacing the last character of its name with the letter ‘V’ (if the dropper name is ryuk.exe, the dropped executable will be ryuV.exe).

Next we can see a call to IsWow64Process(), and if it returns true (which means Ryuk is running on a 64-bit system), it writes the 64-bit binary to the dropped executable; otherwise it writes the 32-bit binary. The two binaries are stored in the .data section.

The last step is a call to ShellExecuteW() to execute the second-stage executable, passing it one argument, the dropper path (this is used later to delete the dropper).

Before the dropper exits, it passes its path to the second-stage executable as a command line argument, which in turn deletes the dropper.

Ryuk uses the very well-known Run registry key to achieve persistence. It creates a new value named “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos” and its data is set to the executable path, which in my case is “C:\users\Public\BPWPc.exe”.

Ryuk has a long list of predefined services and processes to kill using net stop and taskkill /IM respectively. During this process, Ryuk Ransomware will try to kill off many antivirus services.

Ryuk drops a batch script at C:\Users\Public\window.bat which deletes all shadow copies and possible backups, then the script deletes itself.

Ryuk uses a multi-threading approach for the encryption process: it creates a new thread for each file it encrypts, which makes it very fast.

It starts enumerating files using FindFirstFileW() and FindNextFileW(), then passes each file name to a new encryption thread. Each encryption thread starts by generating a random 256-bit AES encryption key using CryptGenKey(); Ryuk uses the Windows Crypto API for the encryption. Then it goes into the typical encryption loop; the files are encrypted in chunks with a chunk size of 1000000 bytes.

Finally, Ryuk writes a metadata block of size 274 bytes at the end of the file. The first 6 bytes are the keyword HERMES. After that, the AES key is encrypted with an RSA public key and exported using CryptExportKey() before it is written to the end of the file; this function generates 12 bytes of blob information + 256 bytes (the encrypted key).

The RSA public key is embedded in the executable; it is imported using CryptImportKey() and passed to every encryption thread.

The Malware enumerates network shares using WNetOpenEnumW() and WNetEnumResourceA() respectively. For each network resource found, the resource’s name will be appended to a list separated by a semicolon. This list will be used later to encrypt these network shares with the same encryption process above.
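To turn the footer layout described above into an incident-response triage check, here is an added example (not the researcher's code) that identifies Ryuk-encrypted files by their trailing 274 bytes, reads only the tail of each file, and extracts the RSA-wrapped AES key blob for evidence handling. Interpreting the 12 header bytes as a CryptoAPI SIMPLEBLOB header (BLOBHEADER plus the wrapping ALG_ID) is an assumption, and the sample file is constructed.

```python
"""Triage check for the Ryuk footer described above: identify encrypted
files by their trailing 274 bytes and extract the RSA-wrapped AES key blob.

Added example, not the researcher's code. The 12 header bytes are read as
a CryptoAPI SIMPLEBLOB header (BLOBHEADER + wrapping ALG_ID), which is an
assumption about the layout; the sample file built below is constructed."""
import os
import struct
import tempfile

MARKER = b"HERMES"          # first 6 bytes of the footer
BLOB_HDR_LEN = 12           # BLOBHEADER (8 bytes) + ALG_ID of the wrapping key (4 bytes)
ENC_KEY_LEN = 256           # AES key wrapped with the embedded RSA-2048 public key
FOOTER_LEN = len(MARKER) + BLOB_HDR_LEN + ENC_KEY_LEN   # 274, as in the analysis
CHUNK_SIZE = 1_000_000      # bytes per encryption chunk, as in the analysis

# wincrypt.h values used to sanity-check the header (assumed layout).
SIMPLEBLOB, CUR_BLOB_VERSION = 0x01, 0x02
CALG_AES_256, CALG_RSA_KEYX = 0x00006610, 0x0000A400


def parse_footer(tail, total_size):
    """Interpret the last bytes of a file of `total_size` bytes.
    Returns a dict describing the footer, or None if it is not a Ryuk footer."""
    if total_size < FOOTER_LEN or len(tail) < FOOTER_LEN:
        return None
    footer = tail[-FOOTER_LEN:]
    if not footer.startswith(MARKER):
        return None
    btype, bver, _reserved, key_alg, wrap_alg = struct.unpack_from("<BBHII", footer, len(MARKER))
    body_len = total_size - FOOTER_LEN          # ciphertext preceding the footer
    return {
        "blob_type": btype, "blob_version": bver,
        "key_alg": key_alg, "wrap_alg": wrap_alg,
        "header_ok": (btype == SIMPLEBLOB and bver == CUR_BLOB_VERSION
                      and key_alg == CALG_AES_256 and wrap_alg == CALG_RSA_KEYX),
        "encrypted_key": footer[len(MARKER) + BLOB_HDR_LEN:],   # 256 bytes to keep as evidence
        "ciphertext_len": body_len,
        "chunks": -(-body_len // CHUNK_SIZE),     # ceiling: encryption loop iterations
    }


def inspect_file(path):
    """Read only the size and the tail of `path`, then parse the footer."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - FOOTER_LEN))
        tail = fh.read(FOOTER_LEN)
    return parse_footer(tail, size)


def scan_tree(root):
    """Return sorted paths under `root` whose footer parses as Ryuk."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                info = inspect_file(path)
            except OSError:
                continue
            if info is not None:
                hits.append(path)
    return sorted(hits)


def build_sample(ciphertext, wrapped_key):
    """Lay out a file the way the analysis describes (constructed sample; the
    body is arbitrary bytes, not real ciphertext)."""
    if len(wrapped_key) != ENC_KEY_LEN:
        raise ValueError("wrapped key must be %d bytes" % ENC_KEY_LEN)
    header = struct.pack("<BBHII", SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256, CALG_RSA_KEYX)
    return ciphertext + MARKER + header + wrapped_key


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.docx"), "wb") as fh:
            fh.write(build_sample(os.urandom(2_500_000), os.urandom(ENC_KEY_LEN)))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"plain text, untouched")
        for path in scan_tree(root):
            info = inspect_file(path)
            print(path, "chunks=%d header_ok=%s" % (info["chunks"], info["header_ok"]))
```

Because the marker sits at the end of the file, `inspect_file` seeks to the tail instead of reading whole files, which keeps a scan of a large share cheap during an incident.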

Protection

Malware is an ever-present threat for governments, businesses, and homes. It is important to also have the tools necessary for protection against threats at any level. One of these tools is SaferNet.


Identity Theft Fears Grow as Audi and Volkswagen Suffer Data Breach Affecting 3.3 Million Customers

Identity theft concerns are growing as Audi and Volkswagen have suffered a data breach affecting 3.3 million customers. The breach occurred when a vendor exposed unsecured data on the internet. Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group. It is responsible for US and Canadian operations for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. According to data breach notifications filed with the California and Maine Attorney General’s office, VWGoA disclosed that a vendor left unsecured data exposed on the Internet between August 2019 and May 2021.

In March, VWGoA was notified by the vendor a threat actor had accessed the exposed data and possibly obtained customer information for Audi and Volkswagen.

VWGoA states that the breach involved 3.3 million customers, with over 97% of those affected relating to Audi customers and interested buyers.

With regard to what data has been exposed, it varies per customer. For some it could simply be contact information, but for many others the data contains social security numbers and loan numbers.

“The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages,” explains the VWGoA data breach notification first reported by TechCrunch.

“The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.”

SSNs, TINs, and other such information form the bedrock of the illegal identity theft market.

For those whose sensitive information was leaked, Volkswagen is providing free credit protection and monitoring services. This includes $1 million of insurance against identity theft.

VWGoA began notifying affected customers and prospective customers yesterday via mail and warns that customers should be on the lookout for suspicious emails, calls, or texts.

As the Audi and Volkswagen data was unsecured for a long time, there is no telling how many people had gained unauthorised access.

The Dangers of Identity Theft


Identity Theft can be absolutely devastating for an individual. Usually, in the world of malware, we know certain things can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom for access to our data. The point is, with most types of Malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft is much longer.

Once your stolen information is used, it can take anywhere from a few days to six months to resolve that one incident. But your information is out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever, we have data tied to our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses: all of these and more form a picture of us as lines in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold over time, repeatedly, meaning that if you notice your identity has been stolen and used, it can be used in several instances over a long period of years.

There are some guidelines from the US government in discovering if you are a victim of identity theft if it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
  • If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.

Protection

In some cases, a victim cannot be faulted for identity theft. For example, those affected by the data breach handed their information over to companies in good faith in the story above. Unfortunately, these companies, or more specifically the vendor, failed in protecting this information. However, many other times, business owners and families are singled out and targeted in their offices and homes.

For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.


Ragnar Locker Ransomware Strikes Computer Memory and Storage Company ADATA

Ragnar Locker Ransomware has struck against Taiwan-based memory and storage manufacturer ADATA, who were forced to take their systems offline after the attack. The attack occurred in May, and ADATA is still dealing with the fallout. ADATA is a publicly listed Taiwanese memory and storage manufacturer, founded in May 2001 by Simon Chen. Its main product line consists of DRAM modules, USB Flash drives, hard disk drives, solid-state drives, memory cards, and mobile accessories. ADATA is also expanding into new areas, including robotics and electric powertrain systems.

In addition to its main ADATA brand, the company also sells PC gaming hardware and accessories under its XPG (“Xtreme Performance Gear”) brand. In 2017 ADATA was the second-largest DRAM module manufacturer in the world and had a market capitalization of US$680 million. In recent years ADATA has extended its business to Europe and the Americas while competing strongly with Samsung in Asia.

The Ragnar Locker Ransomware infection was initially reported by BleepingComputer in June.

The Taiwanese memory manufacturer took down all impacted systems after detecting the attack and notified all relevant international authorities of the incident to help track down the attackers.

“ADATA was hit by a ransomware attack on May 23rd, 2021,” the company stated in an email.

ADATA’s business operations are no longer disrupted, according to the memory maker, with affected devices being restored and services returning to regular performance.

“The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems,” ADATA added.

“Gladly things are being moved toward the normal track, and business operations are not disrupted for corresponding contingency practices are effective.

“We are determined to devote ourselves to making the system more protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements.”

ADATA did not confirm what strain of ransomware hit them, but the attack was afterward claimed by the Ragnar Locker Ransomware gang.

Ragnar Locker Ransomware claimed they stole 1.5TB of sensitive data from ADATA’s network before deploying the ransomware payloads.

At present, the gang has only posted screenshots of the files they took, and they are threatening to leak the files in full if the ransom isn’t paid. According to the screenshots already posted by Ragnar Locker Ransomware on their dark web leak site, the attackers were able to collect and exfiltrate proprietary business information, confidential files, schematics, financial data, Gitlab and SVN source code, legal documents, employee info, NDAs, and work folders.


Ragnar Locker Ransomware activity was first observed in December 2019.

On compromised enterprise endpoints, Ragnar Locker operators terminate remote management software (such as ConnectWise and Kaseya) used by managed service providers (MSPs) to manage clients’ systems remotely.

This allows the attackers to evade detection and ensure that admins logged in remotely do not block the payload deployment process.

The FBI warned private industry partners of increased Ragnar Locker Ransomware activity after an April 2020 attack that impacted the network of multinational energy giant Energias de Portugal (EDP).

Demands from Ragnar Locker Ransomware since its inception range from $200,000 to $600,000.

Ragnar Locker Ransomware Analysis

Note: This analysis was carried out by the Infosec Institute.

Ransomware in this family often disables security-related services to bypass protections, and stops database and backup systems to increase the impact of the attack; database and mail services are also halted so that the files they hold open can be encrypted during the infection process.

One particularity that sets Ragnar Locker apart is that it specifically targets remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.

This data-encrypting malware decides whether to infect a computer based on its language settings. When first started, Ragnar Locker checks the configured Windows language preferences and terminates its own process if the setting corresponds to one of the former USSR countries.

After that, Ragnar Locker begins the encryption process, skipping a hardcoded list of folders, file names and extensions.

Ragnar Locker appends the hardcoded extension “.ragnar_” followed by a generated, unique ID to the end of each file name. All available files on the physical drives are encrypted and, at the end, a notepad.exe process is opened displaying the ransom note file created in the victim’s system directory.

This ransomware has no mechanism to detect whether the computer has already been compromised: if the malware reaches the same device more than once, it encrypts the device again each time. In the Infosec Institute analysis, Ragnar Locker Ransomware was observed encrypting the files three times in a row.
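The behaviours listed in this analysis (service termination, the `.ragnar_` extension, the repeat encryption) and the MSP remote-management tool termination noted earlier in the article are all visible in ordinary host telemetry. The script below is an added example, not code from the article or from the Infosec Institute analysis it summarises: it parses a small batch of constructed, Sysmon-like events and scores each host on those signals from a detection standpoint. The event format, host names, service names, keyword lists and the alphanumeric ID format assumed for the `.ragnar_` extension are all constructed for illustration and would need to be mapped onto the real service names and log schema of a given environment.

```python
"""Triage host telemetry for Ragnar Locker-style behaviours.

Added example; the event format and all names below are constructed
for illustration and are not taken from the article or a real incident.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: "<timestamp> <event type> key=value ...".
SAMPLE_EVENTS = r"""
2021-05-23T02:14:07Z ServiceStop host=WS01 service=ScreenConnect
2021-05-23T02:14:08Z ServiceStop host=WS01 service=KaseyaAgent
2021-05-23T02:14:09Z ServiceStop host=WS01 service=MSSQLSERVER
2021-05-23T02:14:10Z ServiceStop host=WS01 service=NightlyBackupSvc
2021-05-23T02:15:01Z FileRename host=WS01 src=C:\Finance\q1.xlsx dst=C:\Finance\q1.xlsx.ragnar_3A7F9C2B
2021-05-23T02:15:02Z FileRename host=WS01 src=C:\Finance\q2.xlsx dst=C:\Finance\q2.xlsx.ragnar_3A7F9C2B
2021-05-23T02:15:03Z FileRename host=WS01 src=C:\Finance\q1.xlsx.ragnar_3A7F9C2B dst=C:\Finance\q1.xlsx.ragnar_3A7F9C2B.ragnar_3A7F9C2B
2021-05-23T09:00:00Z ServiceStop host=WS02 service=Spooler
2021-05-23T09:00:01Z FileRename host=WS02 src=C:\Users\bob\draft.docx dst=C:\Users\bob\report.docx
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<type>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# The article only says the suffix is ".ragnar_" plus a generated unique ID;
# the alphanumeric shape of that ID is an assumption made here.
RAGNAR_EXT_RE = re.compile(r"\.ragnar_[0-9A-Za-z]+$")

# Illustrative keyword lists (lower-case substrings). A real deployment maps
# these to the exact remote-management and data-service names it runs.
RMM_KEYWORDS = ("connectwise", "screenconnect", "kaseya")
DATA_SERVICE_KEYWORDS = ("sql", "backup", "veeam", "exchange", "mysql", "postgres")


def parse_events(text):
    """Turn the line-oriented sample format into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "type": m["type"]}
        ev.update(dict(KV_RE.findall(m["rest"])))
        events.append(ev)
    return events


def _matches(name, keywords):
    low = name.lower()
    return any(k in low for k in keywords)


def _severity(h):
    """Renames to the ransomware extension are decisive; service stops alone
    are a precursor signal that still deserves a look."""
    if h["ragnar_renames"]:
        return "critical"
    if h["rmm_stops"] and h["data_service_stops"]:
        return "high"
    if h["rmm_stops"] or h["data_service_stops"]:
        return "medium"
    return "low"


def triage(events):
    """Group the behaviours per host and attach a severity label."""
    per_host = defaultdict(lambda: {"rmm_stops": [], "data_service_stops": [],
                                    "ragnar_renames": 0, "re_encryptions": 0})
    for ev in events:
        h = per_host[ev.get("host", "?")]
        if ev["type"] == "ServiceStop":
            svc = ev.get("service", "")
            if _matches(svc, RMM_KEYWORDS):
                h["rmm_stops"].append(svc)
            elif _matches(svc, DATA_SERVICE_KEYWORDS):
                h["data_service_stops"].append(svc)
        elif ev["type"] == "FileRename":
            src, dst = ev.get("src", ""), ev.get("dst", "")
            if RAGNAR_EXT_RE.search(dst):
                h["ragnar_renames"] += 1
                # A source path that already carries the extension is the
                # "encrypt the same device again" behaviour from the analysis.
                if RAGNAR_EXT_RE.search(src):
                    h["re_encryptions"] += 1
    for h in per_host.values():
        h["severity"] = _severity(h)
    return dict(per_host)


if __name__ == "__main__":
    for host, findings in triage(parse_events(SAMPLE_EVENTS)).items():
        print(host, findings)
```

Run stand-alone, the script flags `WS01` as critical (two remote-management stops, two data-service stops, three renames to the ransomware extension, one of them a re-encryption) and leaves `WS02` at low, since stopping the print spooler and an ordinary rename match nothing. The re-encryption counter is the useful part for responders: a host that keeps producing stacked `.ragnar_` suffixes is still live and needs isolating, not just restoring.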


SaferNet – Creating A Safer Internet

The Internet and Digital World are inseparable from our own lives. All users of the internet – individuals, families, and businesses – are interconnected by a global tool that allows for the free exchange of data like never before in history. However, behind this wonderful tool is a dark underbelly rife with cybercrime. This leads the denizens of the Internet to search for expensive and complex services to keep themselves safe. At SaferNet, we recognize that cybersecurity doesn’t need to be this costly or complex – We make cybersecurity simple. Visit www.safernetvpn.com today to learn more.