Cyber Threat Advisory Bulletin: October 2019

Current Highest-Risk Cyber Threats

Ransomware

As long as criminals can make money infecting networks, Ransomware is going to be a problem. The vast majority of Ransomware is delivered through email or takes advantage of unpatched services that are exposed to the public Internet. Patch your machines. Don’t open unsolicited attachments or click unsolicited links. Don’t expose Microsoft Remote Desktop (RDP) or any other unnecessary service to the public Internet. Store backup archives off your network, protected by different credentials from the ones you use on your workstations. Lock down your workstations using industry-accepted best-practice configurations (including blocking PowerShell on workstations). This list covers just the basic blocking and tackling of Ransomware defense.

The most common Ransomware variants these days are Ryuk, Sodinokibi (rumored to have been written by the same people that wrote Gandcrab), and Phobos (related to the Dharma family of Ransomware).

Here are some resources that dive into how certain strains of ransomware are deployed and how they behave:

How to Assess Your Relative Risk in Regard to Ransomware

Tetra launched a free self-assessment tool called The Ransomware Stress Test™. Our incident response team knows the technical areas that ransomware exploits most. The Ransomware Stress Test (RST) evaluates over 15 areas of an organization’s configuration and procedures and measures the organization’s ability to Identify, Protect, Detect, Respond, and Recover with respect to ransomware, following the NIST Cybersecurity Framework functions. Your test results reveal your strengths and challenges, as well as a clear list of action items to improve your score, based on the shortcomings we encounter most often.

Wire Transfer Fraud: How it happens and why you might be at risk.

The term “Wire Transfer Fraud” comes from the original form of this crime: wire transfers, the movement of funds between banks across telegraph wires and, shortly thereafter, phone lines. It has grown to cover any bank fraud that involves electronic communication instead of face-to-face interaction at a financial institution. It also covers the fraudulent acquisition, under false pretenses, of banking information in order to gain access to another person’s bank account.

This kind of attack against businesses and other organizations (municipalities and schools have been hit hard) has become a significant threat to an organization’s financial well-being. Much of business today is conducted remotely, either over the phone or (more often) through email. Without face-to-face verification of someone’s identity, an attacker can trick one party in a transaction into transferring money to the attacker’s bank account instead of the intended recipient’s, or deceive a party into thinking that a transfer of funds is necessary when it is not, supplying fraudulent bank account information either way.

Two real-world examples illustrate the most common methods these attackers use to accomplish this crime (neither takes particular technical skill):

Example 1:

An email shows up in a director of finance’s inbox (he handles mergers and acquisitions). The email appears to come from the CEO, who tells the director that earnest money for the new purchase has to be transferred by the close of business today or the deal will fall through. The email provides account information for the money transfer and includes a personal apology for the “fire drill” but “you know how these things can fall apart.” The director initiates the transfer, only to find out that the email was not sent by the CEO and that the money was sent to a fraudulent account and is now gone. The request came in on a Friday, and it wasn’t until Monday that the truth of the situation came to light. This was a publicly traded company, and there was a public record of a letter of intent to purchase the company. The attacker created a very targeted and very realistic-looking email that seemed plausible given this specific information.

Example 2:

A company’s remote location uses Microsoft’s remote desktop protocol (RDP) to allow the central office to remotely log into their systems for administration purposes. This access was not locked down to specific source IP addresses and was available to the entire Internet.  Exploiting an unpatched vulnerability on the system, an attacker was able to take control of the workstation.  Once on that system, they worked their way through the network to the workstation of someone in the finance department. They checked the email on the host periodically and watched activity until they saw a large transfer was being arranged to an overseas factory (they were on the system for over 6 months waiting for something interesting to happen that they could exploit).  They altered the account information in the form that was emailed to point to another, fraudulent account.  The money was transferred (over $1.5M) and no one noticed until the supplier called and asked when that money was going to get transferred. By then the attacker was long gone with the money and the account was closed.

What can I do to prevent wire transfer fraud?

Most wire transfer fraud involves one-off or infrequent payments or fund transfers (or ones for which automated mechanisms are difficult or not allowed, such as international wire transfers). As a result, these transfers and payments do not use automatic computer-to-computer transfers. Organizations must develop written procedures with multi-party verification steps and approvals to ensure that the transaction is authentic and that the account information is accurate. This written procedure is then used for any bank or payment card transaction that involves the exchange of account information. While this does slow things down, it greatly reduces the chance of a fraudulent transaction occurring.

If account numbers are exchanged, steps must be taken to authenticate both parties to each other using a mechanism other than email, preferably by phone or in person. If verifying by phone, ensure that the phone number is the correct one for the intended party (not a number supplied in the email requesting the transfer). Having a second party review these transactions ensures that the data in the transfer is correct and appropriate. Having the entire procedure documented and recorded makes legal and insurance efforts easier in the event that fraud still occurs. Obviously, a documented procedure means nothing unless all relevant personnel are trained in it and its use is audited and reviewed regularly for compliance.


Developing Specific Threats

MageCart Skimmers

Over 2 million (!) websites have been compromised by the credit-card-skimming MageCart malware. MageCart was first seen in 2010 but has re-emerged as a significant threat. The attackers exploit weaknesses in a website’s supply chain by compromising JavaScript modules that are then incorporated into production websites. This attack was the root cause of the Ticketmaster compromise in 2018. The only way to protect yourself is to carefully vet the third-party modules incorporated into your websites.

Here is an overview from Dark Reading.

Nodersok Malware

A very new malware family that still seems to be under development delivers an “.hta” file through email to infect a workstation, creating a remote point of access for external attackers (through which they can compromise data or infect the organization with ransomware). Thousands of infected hosts have been found.

Here is an overview of the Nodersok malware from Threatpost.

DoppelPaymer Ransomware

A variant of BitPaymer (and perhaps the work of a splinter group diverging from the BitPaymer group, or a more targeted variant going after “big game” organizations). At the time of this article this Ransomware variant is very difficult to detect; only a small percentage of anti-malware solutions are able to detect it. It is commonly delivered after an Emotet compromise followed by a Dridex 2.0 infection (Emotet is just a “foot in the door” tool that then downloads a more capable tool that infects the host in a more persistent and capable way). DoppelPaymer ransoms can exceed $1 Million.

Flaw in Sudo Command in Linux

A new vulnerability has been discovered in Sudo, one of the most important, powerful, and commonly used utilities, installed as a core command on almost every UNIX and Linux-based operating system. Update all Linux-based hosts as soon as possible.

Here is an overview of the Sudo command flaw from The Hacker News.