The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Anatomy of a Sextortion Scam
In This Issue:
- The lowest of the low: the growing popularity of a scam that threatens to embarrass recipients if they don't send bitcoin. It's our job to protect our users.
- SamSam rages on: the ransomware notorious for crippling the City of Atlanta continues infecting high-value targets. 24% of 2018 attacks were on healthcare organizations, putting literal lives at risk.
- Ransomware-as-a-Service featuring 24/7 customer support: for $50, anyone in the world can deploy sophisticated ransomware that demands ransoms of up to $7,800, and they're fully supported by the manufacturer!
- Cisco ASA zero-day: a new vulnerability discovered in the SIP inspection engine threatens to DoS and/or reload Cisco firewalls.
Anatomy of a Sextortion Scam
As security professionals, it is our job not only to secure the data of the organizations we serve, but to protect our coworkers, customers, suppliers, and the world at large. We have a duty to the people who can be affected by the IT in our care, and this duty includes helping to combat the rising tide of sextortion scams.
Just as ransomware became the dominant form of malware and reigned supreme for many years, sextortion scams look set to become the next top technique of digital malefactors. This must-read analysis of a typical sextortion scam provides a comprehensive look at this emerging threat category.
Know your enemy and educate your coworkers. If they haven't already been targeted by sextortionists, it is only a matter of time. As with ransomware, user education is our most important weapon against this threat.
SamSam: Targeted Ransomware Attacks Continue
The ransomware that cost the city of Atlanta over $10 million continues to cause mayhem. While SamSam has hit organizations in other nations, the overwhelming majority of known compromises have been organizations in the United States.
The SamSam attackers appear to be deliberately targeting high-value organizations, with the healthcare sector accounting for 24% of all known attacks in 2018, while governments remain popular victims. The Symantec blog goes into detail about SamSam's compromise vectors, noting that the attackers tend to rely on features native to the compromised operating system and on legitimate network administration tools, which makes their activity hard to distinguish from routine administration.
If your data doesn't exist in at least two places, it doesn't exist. Take backups. Make sure at least one copy exists off site, and that it cannot be reached with the credentials used on the production network, since an attacker who can encrypt your servers can encrypt any backup share they can mount. Have a disaster recovery plan. Test both your backups and your disaster recovery plan regularly: a backup that has never been restored is a hope, not a backup.
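Testing a backup means restoring it somewhere clean and checking what came back, not just confirming the job ran. The script below is an added example, not part of the newsletter: it takes an archive of a directory, records a SHA-256 manifest from the live source, restores the archive into a separate location and verifies every restored file against the manifest, then repeats the test after the archive has been overwritten to show that an unusable backup is caught. All paths and file contents are constructed for the demonstration; it needs tar and GNU sha256sum.

```shell
#!/bin/sh
# Added example (not from the newsletter): back up, restore to a clean
# location, verify the restore against a manifest taken from the source.
# Paths and file contents below are constructed for the demonstration.
set -u

# make_backup SRC_DIR BACKUP_DIR
# Writes BACKUP_DIR/backup.tar and BACKUP_DIR/manifest.sha256. The hashes
# come from the live source, not from the archive, so a bad archive is
# detected at restore time rather than trusted because it "looks" complete.
make_backup() {
    src=$1
    mkdir -p "$2" || return 1
    backup_dir=$(cd "$2" && pwd) || return 1
    ( cd "$src" && find . -type f -exec sha256sum {} + ) \
        > "$backup_dir/manifest.sha256" || return 1
    tar -C "$src" -cf "$backup_dir/backup.tar" . || return 1
}

# restore_and_verify BACKUP_DIR RESTORE_DIR
# Extracts the archive into RESTORE_DIR (never over the live data) and checks
# every file against the manifest. Returns 0 only if extraction succeeded and
# every hash matches; a truncated, corrupted or encrypted archive fails.
restore_and_verify() {
    backup_dir=$(cd "$1" && pwd) || return 1
    restore_dir=$2
    mkdir -p "$restore_dir" || return 1
    tar -C "$restore_dir" -xf "$backup_dir/backup.tar" 2>/dev/null || return 1
    ( cd "$restore_dir" && sha256sum -c --quiet "$backup_dir/manifest.sha256" ) \
        >/dev/null 2>&1
}

# Demonstration on constructed data.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/sub"
    printf 'id,name\n1,alice\n' > "$work/data/records.csv"
    printf 'listen=8443\n' > "$work/data/sub/app.conf"

    make_backup "$work/data" "$work/backup"
    if restore_and_verify "$work/backup" "$work/restore-ok"; then
        echo "first restore test: verified"
    fi

    # Simulate the backup copy being overwritten, which is exactly what
    # ransomware does to a backup share it can reach, and test again.
    printf 'ENCRYPTED' > "$work/backup/backup.tar"
    if restore_and_verify "$work/backup" "$work/restore-bad"; then
        echo "second restore test: verified (should not happen)"
    else
        echo "second restore test: FAILED - backup unusable, fix it before you need it"
    fi
    rm -rf "$work"
}

demo
```

In practice the manifest and the archive should be stored on separate media and the restore exercised on a schedule, with the verification result feeding an alert rather than a log nobody reads.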
Crypto-Locking Kraken Ransomware Looms Larger
Hybrid vigour applies to malware as well as to biological organisms. Commercial ransomware Kraken Cryptor has been growing in complexity since it was first spotted in August. The malware is under continuous development. It has adaptations to avoid modern endpoint security solutions, with the latest versions making use of the Fallout exploit kit.
What's notable about this marriage of ransomware and exploit kit is that Fallout is delivered through malicious advertisements. Worse, Fallout regularly changes its traffic patterns, making it a cat-and-mouse game for IDS solutions trying to block it. The Fallout exploit kit is primarily a threat to systems which are not fully patched. However, the resurgence of malvertising as an attack vector is once more igniting the debate over ad blocking.
Consider deploying advertisement and/or script blocking browser extensions. These should be used with care, but they reduce the chance that a browser ever loads an exploit kit landing page, and when combined with good intrusion detection they might buy enough time to detect endpoints compromised by an exploit kit before it has a chance to download ransomware and ruin everyone's day.
Cisco zero-day exploited in the wild to crash and reload devices
Cisco has revealed that there is a zero-day being exploited in the wild affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Officially designated CVE-2018-15454, the bug exists in the SIP inspection engine shared by both products. It allows an unauthenticated remote attacker, by sending crafted SIP traffic, to drive CPU usage high enough to deny service and/or to make the device reload.
With any luck, by the time this newsletter goes out, Cisco will have patched the bug. Network and security teams need to apply this patch ASAP, because SIP inspection is enabled by default, so an unmodified device is exposed whether or not it carries any VoIP traffic. If, for whatever reason, Cisco has not patched this by the time you read this, apply the workarounds listed here, and keep an eye peeled for the patch.
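As an added illustration, not taken from the newsletter or reproduced from the Cisco advisory, this is the shape of the "disable SIP inspection" workaround on an ASA that still uses the default Modular Policy Framework names. `global_policy` and `inspection_default` are the factory-default policy and class names and are assumed here; 192.0.2.10 is a placeholder for an attacking host you have identified yourself.

```text
! Added example (not from the newsletter or the Cisco advisory).
! Assumes the default policy-map/class names; 192.0.2.10 is a placeholder.

! 1. Before changing anything, see whether SIP connections are what is
!    driving the CPU.
show cpu usage
show conn port 5060

! 2. Remove SIP inspection from the default inspection class.
configure terminal
policy-map global_policy
 class inspection_default
  no inspect sip
end
write memory

! 3. Optionally drop all traffic from a host you have identified as the
!    source. A shun is not saved to the configuration and is lost on reload.
shun 192.0.2.10
```

Two caveats a practitioner will want before running this: removing SIP inspection also removes the NAT fix-up and pinholing that let SIP signalling and media through the firewall, so confirm nothing legitimate depends on it first; and on FTD the same change is made through the management interface (Firepower Management Center or Device Manager), not by typing this at the CLI. Re-check the policy once the fixed software is installed, since the workaround does not undo itself.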
Tweet of the Week
"A new #ransomware CommonRansom has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim's files."
Yahoo to pay $50M & give free credit monitoring to victims of 2016 hack <-- Never forget
Exploiting Software: How to Break Code <-- Must read book
2018 Thales Data Threat Report - Global Edition <-- These numbers are just depressing
Awesome Red Teaming <-- Have a red team? Want one? Start here.
Using Shodan: The World's Most Dangerous Search Engine <-- Everyone needs to learn Shodan
Windows Defender: First Full Antivirus Tool to Run in a Sandbox <-- It's about time!
How To Negotiate The Relationship Between Security, Privacy, And Trust <-- Easy solutions remain elusive
Quote of the Week
"If you think technology can solve your security problems, then you don't understand the problems, and you don't understand the technology."
~ Bruce Schneier