THIS MEMORIAL DAY WEEKEND: RANSOMWARE

Blog | Threat Intelligence Brief

Extensive Remote Workforce and Upcoming American Holiday Likely to Attract Significant Increase in Ransomware Attacks

Since May 4th, we have seen an eye-catching increase in cyber incidents, email compromise, and ransomware attacks.

As we approach the US holiday, Memorial Day, we expect this increase to continue. To help improve your awareness, we offer the following trends and fairly consistent indicators pointing back to Eastern European and Russian criminal actors.

Trends

Here are some of the prevalent trends that we have seen recently:

  • Attackers are using compromised admin credentials. The credentials appear to come from successful phishing attacks or from brute-forcing/guessing. In at least one case we worked, a laptop appeared to be infected with password-harvesting malware; when an administrator remotely logged in, the attackers were able to collect the admin credentials.
  • Organizations with ports 3389 (RDP) and 21 (FTP) open to the internet seem to be especially susceptible to attack.
  • Domain controllers are being encrypted, making deployment of recovery tools difficult. We strongly recommend having good backups of domain controllers.
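The first trend above (admin credentials obtained by brute-forcing, then used over RDP) is something a defender can watch for in Windows Security logs. The following is an added example, not PacketWatch code: it runs a sliding-window brute-force detector over a small set of constructed logon events and escalates a source address when a successful RDP logon follows a burst of failures. The event dictionaries are a simplified, assumed projection of the real 4625/4624 event fields, and the addresses and user names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Each dict is a simplified
# projection of a Windows Security event: 4625 = failed logon, 4624 = successful
# logon, logon_type 10 = RemoteInteractive (RDP). The field names are assumptions.
def _build_sample_events():
    base = datetime(2020, 5, 16, 2, 10)
    events = []
    # 60 failed RDP logons against "administrator" from one source, 3 s apart
    for i in range(60):
        events.append({"time": base + timedelta(seconds=3 * i), "id": 4625,
                       "user": "administrator", "src": "203.0.113.7", "logon_type": 10})
    # ...followed by a successful RDP logon from the same source
    events.append({"time": base + timedelta(minutes=4), "id": 4624,
                   "user": "administrator", "src": "203.0.113.7", "logon_type": 10})
    # A benign user: one typo, then success, from an internal address
    events.append({"time": datetime(2020, 5, 16, 9, 0), "id": 4625,
                   "user": "jsmith", "src": "10.0.0.12", "logon_type": 10})
    events.append({"time": datetime(2020, 5, 16, 9, 0, 20), "id": 4624,
                   "user": "jsmith", "src": "10.0.0.12", "logon_type": 10})
    return events

SAMPLE_EVENTS = _build_sample_events()


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Flag source addresses with >= threshold failed RDP logons inside a sliding
    window, and escalate if a successful RDP logon from that source follows."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    findings = {}                  # src -> finding dict
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        src, now = e["src"], e["time"]
        # keep only failures that are still inside the window
        failures[src] = [t for t in failures[src] if now - t <= window]
        if e["id"] == 4625:
            failures[src].append(now)
            if len(failures[src]) >= threshold:
                f = findings.setdefault(src, {"src": src, "severity": "brute-force",
                                              "users": set(), "first_seen": failures[src][0]})
                f["failures"] = len(failures[src])
                f["users"].add(e["user"])
        elif e["id"] == 4624 and src in findings and failures[src]:
            # success while the failure window is still populated: likely compromise
            findings[src]["severity"] = "success-after-brute-force"
            findings[src]["success_user"] = e["user"]
            findings[src]["success_time"] = now
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are deliberately parameters: a single shared admin account used by an outside vendor (see the recommendations below) will produce a different baseline of failures than an internal user, so tune them per environment rather than hard-coding them.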

Recommendations

We are sharing the following recommendations, in order of importance, based on recent research and incidents we’ve worked throughout May:

  • Mandate multifactor authentication (MFA) wherever possible. Even if an attacker obtains login credentials (user name and password), MFA is very effective at deterring full compromise.
  • Implement advanced endpoint protection, such as CrowdStrike. Traditional antivirus is becoming less effective (in one case we worked, the AV server itself was encrypted).
  • Use complex passwords for admin accounts, especially those shared with outside vendors.

Network Monitoring

The knowledge we gain through our Incident Response practice often gets “re-invested” into PacketWatch as alerts and queries watching for anomalous trends and threats.

Following is a PacketWatch graph showing activity for the past week from Russian IP addresses. This activity is collected via an externally-facing PacketWatch node not filtered by a firewall, affording us tremendous visibility into the holistic nature of internet traffic.

As you’ll notice in the following graph, Russian activity last week noticeably spiked starting around 00:30 on Friday, May 15, and subsided the following Tuesday morning.

Graph: Activity from Russian IP addresses over the past week

When we break this traffic out by Autonomous System Number (ASN), we see that two ASNs seem to be primarily responsible for this increase in traffic. Please see the following graph.

Graph: Russian activity over the past week, broken out by ASN

We traditionally see a surge in cyber attacks on or around major American holidays, since attackers are keen to exploit victims they suspect may be less vigilant due to vacations, remote work, or the typical excitement and distractions that accompany holiday activities.

Lately, the surge in attack traffic appears to be focused on ports 445, 23, and 3389 (SMB, Telnet, and RDP, respectively). These ports are typical threat vectors for wormable exploits and ransomware deployment. Based on the timing in this swell of activity as well as the targeted ports, we assess with moderate to high confidence that organizations with services open and responding on these ports may face significant targeting over the coming Memorial Day weekend.

Russian Activity Over the Past Seven Days

Looking at Russian activity over the past week, we also see a fair amount of other traffic looking for interesting services such as Secure Shell (port 22, SSH) and port 5900. Port 5900 is the Virtual Network Computing (VNC) port, which Apple’s remote screen sharing also uses. Database administrators will be interested to see that 1433 (Microsoft SQL Server) makes an appearance here as well.

About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/

A Closer Look at a COVID-19 Phish

Fresh Catch

As cybercriminals continue to exploit the COVID-19 pandemic, we’ve been on guard, watching for any particularly interesting phish that gets caught in our nets. This week, we caught some.

This phish arrived Tuesday morning around 1044 local time for the client. It did a fine job of pretending to be a health alert from several organizations at once, including:

  • Department of Health (they didn’t specify which one)
  • National Contact Center
  • National Center for Health Marketing
  • Division of eHealth Marketing
  • Centers for Disease Control and Prevention

Additionally, this message contained a link that appeared to lead to cdc.gov:

Screenshot: The phishing email, with a link that appears to lead to cdc.gov

The Analysis

However, a closer look at the source of this very simple yet alarming phish reveals that something isn’t quite right:

Screenshot: Source of the phishing email

The text claiming to be the link to cdc.gov is actually a hyperlink leading to a page that redirects to an Outlook Web Access (OWA) themed phishing page.

Here’s a closer look at the HTML in the email, which shows that a simple “a href=” is all it took for this message to weaponize the CDC’s website.

Screenshot: The “a href=” markup in the email

Once the user hit that link they would be redirected to a phishing page hosted at rc-hobbies[.]co[.]uk. This site had an especially interesting directory: /cdcgov/.
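The trick described above is purely a display-text/href mismatch: the anchor text names cdc.gov while the href goes elsewhere. The following is an added example, not part of the original post, of how a mail gateway or analyst script can flag that pattern. It parses the HTML body, extracts every anchor with its visible text, and reports anchors whose text names a host that the href does not actually go to (a subdomain of the shown host is accepted, so “cdc.gov” pointing at www.cdc.gov is not flagged). The sample HTML is constructed, and phish-landing.example stands in for the real landing host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not the actual phish): the visible link text
# names cdc.gov but the href points at a placeholder phishing host.
SAMPLE_HTML = """
<html><body>
<p>Health alert from the Department of Health and the National Contact Center.</p>
<p>Details: <a href="https://phish-landing.example/cdcgov/">https://www.cdc.gov/coronavirus/2019-ncov/</a></p>
<p>Official guidance: <a href="https://www.cdc.gov/">cdc.gov</a></p>
<p><a href="https://phish-landing.example/unsubscribe">Click here</a> to unsubscribe.</p>
</body></html>
"""

# Matches a hostname-looking token in anchor text (e.g. cdc.gov, www.cdc.gov)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside an open <a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return anchors whose visible text names one host but whose href goes
    to a different one (the display-text/href mismatch used in this phish)."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = DOMAIN_RE.search(text)
        if not match:
            continue                        # plain "Click here" text: nothing to compare
        shown = match.group(1).lower()
        actual = (urlparse(href).hostname or "").lower()
        # Accept the exact host or a subdomain of the shown host (cdc.gov vs www.cdc.gov)
        if actual != shown and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"link text shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Because the check compares only what the user sees against where the link actually goes, it does not depend on a blocklist and catches the lure even when, as here, the landing page itself (with its /cdcgov/ directory) was not yet known to be malicious.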

The OWA-themed landing page was nothing special but, given the severity of events at the moment, effective nonetheless.

Screenshot: The OWA-themed phishing landing page

Diamond Model: A Visualization of Findings

Further investigation of the attacker’s infrastructure found a number of email addresses indicating that individuals at various financial and investment firms had been targeted by this campaign. It also turned up a number of state, local, and federal .gov addresses that had been targeted. The vast majority of these belonged to current and former staff with fiduciary responsibility. The following diamond model helps us visualize the infrastructure, tactics, and targeting of this campaign from a broader standpoint:

Diagram: Diamond model of the campaign’s infrastructure, tactics, and targeting

Conclusion

This campaign, on top of our experience in some recent Business Email Compromise cases, tells us that financially motivated attackers are willing to play dirty and use the Coronavirus to target your finance personnel.

The old advice of “just don’t open attachments” doesn’t work anymore when attackers are using clever phishing pages from trusted sources with high-urgency themes.

PacketWatch has experience and capability providing security, investigations, and incident response and can help protect your organization from threats like these that abound, especially in our current environment.


The Noise of Missing Traffic

The World’s Most Populous Country Just Got Significantly Quieter

Key Findings

As the Coronavirus has continued its march across the globe over the last few weeks, it has forced countries into lockdown. Recently, our intelligence team started looking for countries that have suddenly gone silent. Our research and analysis found a major drop in traffic starting around late March. This post shares what we’ve uncovered, details of the change in traffic, and a few predictions about what this means for the future.

How It Started

As all research begins, this one started the same way: virtual water-cooler chitchat. A chance conversation revealed that a partner organization was concerned about their colleagues in India. That led to a theory: what would happen if the world’s most populous country, which is also a key partner in the technology world, were suddenly hit with the nastiest virus we’ve seen in over a century? So, we ran a search in our PacketWatch systems for traffic coming from India. Below is a screenshot that provides a glimpse into our monitoring capability at one listening point:

Screenshot: Activity from India over the last 30 days using PacketWatch

The decrease in activity is truly startling. Let’s take a closer look to pin down the exact date and time of the drop.

An enhanced view of that time segment shows traffic took a steep drop around 16:00 UTC on 3/18/2020, or around 21:30 India Standard Time. (The entire country of India is on a single time zone, UTC+5:30.)

Screenshot: Enhanced view of the drop around 16:00 UTC on 3/18/2020

Then vs. Now

So, what changed? Here’s some analysis of the traffic before and after March 18. Because it’s been about 3 weeks since this drop occurred, we’ll evaluate the previous 3 weeks compared to the 3 weeks since.

2/26/2020-3/18/2020
Number of sessions for top 5 IP addresses and top 5 destination ports:

Note: port 0 activity indicates probable ping sweeping.

3/18/2020-Present
Number of sessions for top 5 IP addresses and top 5 destination ports:


It’s worth pointing out that while overall traffic was down almost 70%, certain ports actually showed an increase in traffic during this time period.

Analysis

The sessions from the top 5 IPs dropped by about 84%, and sessions for the top 5 targeted ports dropped by about 70%. Overall, we’ve noticed a total drop in traffic of about 70%.

We also find it interesting that India’s Prime Minister Modi did not declare a lockdown until March 24, almost a week after the drop in activity was detected. However, the top 5 IPs continued to be Amazon AWS from Mumbai.
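The before/after comparison in this post (three weeks either side of the 3/18 drop, top 5 IPs, top 5 ports, percentage change per port) and the per-ASN breakdown of the Russian spike in the Memorial Day post above are the same piece of analysis: group session records by a key and compare two time windows. The following is an added example, not PacketWatch code, that implements that comparison over constructed session records. The addresses are documentation-range placeholders, the ASN labels are invented, and the counts are chosen only to reproduce the shape of the findings (an overall drop, a sharper drop for the top entries, one port that grows).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample session records (not PacketWatch data). Each record is one
# observed session: UTC start time, source IP, a label for the source ASN, and
# destination port. Addresses and ASN labels are placeholders.
def _sessions(day, src, asn, port, count):
    return [{"time": datetime(2020, 3, day, 12), "src": src, "asn": asn, "port": port}
            for _ in range(count)]

SAMPLE_FLOWS = (
    # inside the three weeks before the 3/18 drop
    _sessions(10, "198.51.100.10", "ASN-A (cloud provider, Mumbai)", 445, 500)
    + _sessions(10, "198.51.100.11", "ASN-A (cloud provider, Mumbai)", 3389, 300)
    + _sessions(10, "198.51.100.20", "ASN-B", 0, 200)      # port 0: probable ping sweep
    # inside the three weeks after
    + _sessions(25, "198.51.100.10", "ASN-A (cloud provider, Mumbai)", 445, 150)
    + _sessions(25, "198.51.100.11", "ASN-A (cloud provider, Mumbai)", 3389, 100)
    + _sessions(25, "198.51.100.20", "ASN-B", 23, 250)     # a port that grew instead
)

DROP_TIME = datetime(2020, 3, 18, 16)   # the drop seen at 16:00 UTC on 3/18/2020
SPAN = timedelta(days=21)               # compare three weeks before with three weeks after


def in_window(flows, start, end):
    return [f for f in flows if start <= f["time"] < end]


def top_n(flows, key, n=5):
    """Most common values of `key` ("src", "port" or "asn") with session counts."""
    return Counter(f[key] for f in flows).most_common(n)


def percent_change(before, after):
    """Percentage change from before to after; None when there is no baseline."""
    if before == 0:
        return None
    return round((after - before) * 100.0 / before, 1)


def compare_windows(flows, split, span, key, n=5):
    """Compare session counts per `key` in the `span` before and after `split`,
    for the top-n values on either side. Returns totals and per-value changes."""
    before = in_window(flows, split - span, split)
    after = in_window(flows, split, split + span)
    before_c = Counter(f[key] for f in before)
    after_c = Counter(f[key] for f in after)
    # union of both top-n lists, so a value that only appears after the split is kept
    values = {v for v, _ in before_c.most_common(n)} | {v for v, _ in after_c.most_common(n)}
    return {
        "total_before": len(before),
        "total_after": len(after),
        "total_change_pct": percent_change(len(before), len(after)),
        "per_value": {v: {"before": before_c[v], "after": after_c[v],
                          "change_pct": percent_change(before_c[v], after_c[v])}
                      for v in values},
    }


def analyze_sample(key):
    """Run the comparison on the constructed data around the 3/18 drop."""
    return compare_windows(SAMPLE_FLOWS, DROP_TIME, SPAN, key)


if __name__ == "__main__":
    for key in ("port", "asn", "src"):
        report = analyze_sample(key)
        print(f"by {key}: {report['total_before']} -> {report['total_after']} sessions "
              f"({report['total_change_pct']}%)")
        for value, stats in sorted(report["per_value"].items(), key=lambda kv: str(kv[0])):
            print(f"  {value}: {stats['before']} -> {stats['after']} ({stats['change_pct']}%)")
```

Grouping by "asn" reproduces the two-ASN breakdown from the Memorial Day graph; grouping by "port" reproduces the table headers above (and shows why a port with no baseline, like 23 here, has to be reported as new rather than as a percentage). A value that drops to zero is reported as -100.0 rather than disappearing, which is what makes a silent source visible.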


What does this mean for you?

If India is a key part of your operations, this could be indicative of significant disruption coming in the future, if not here already.

Our incident response experience has also taught us another key lesson that is worth bringing up right now: bad guys love unpatched systems. As India goes into lockdown, we assess with moderate to high confidence that a significant number of information systems may not be receiving critical updates and patches against security vulnerabilities during this time. We expect to see these unpatched systems exploited by attackers in the coming weeks and months as organizations scramble to play catch up with missing updates.

Given the sheer volume of systems that will undoubtedly need updating and the disruption this is causing, things will likely be missed; alternative strategies therefore need to be considered.
