At a glance.
- Update on UHS ransomware incident.
- Facebook describes SilentFade.
- Smaug RaaS is a new offering in the criminal souks.
- Supply is high, and stolen RDP credentials show a corresponding drop in price.
- Comments on third-party risk.
Universal Health Services ransomware incident update.
The Washington Post reports that Universal Health Services has now determined that all 250 of its US facilities were affected by last weekend's Ryuk ransomware attack.
Facebook explains the SilentFade operation.
Two members of the Facebook security team presented at the Virus Bulletin 2020 conference on Thursday on SilentFade, one of the more elaborate malware operations the social media giant has faced, ZDNet reports. The operation, which affected Facebook users from late 2018 until the security team detected it in 2019, combined malware with ad fraud. Here's how it worked: the operators used a Windows Trojan to steal Facebook credentials and session cookies from the victim's browser. They then used any payment method stored in the victim's account to buy Facebook ad space in the victim's name and ran malicious ads for fake products. Clicking those ads infected new users with the malware, beginning the cycle again. The threat actors also identified and exploited a Facebook bug that let them suppress the security notifications that would otherwise have alerted victims to the activity. Over the course of just a few months, SilentFade stole over $4 million from its victims. Once Facebook caught on, the security team patched the bug and traced the operation to a Chinese software company, which Facebook sued in December 2019.
Smaug RaaS makes malware easy to purchase.
Threat detection outfit Anomali's Threat Research unit reports uncovering a Ransomware-as-a-Service (RaaS) scheme it calls "Smaug." If cybercriminals want to carry out an attack but lack the means (or skill) to write their own ransomware, all they have to do is go to Smaug's Tor onion site on the Dark Web, sign up, create a campaign, and buy the malware for 0.2 Bitcoin, about $2,100 US at the time. Smaug's operators also handle decryption-key sales and victim tracking through a user-friendly dashboard. Anomali has traced Smaug to a threat actor (or possibly two sharing one account) who goes by the username "Corinda."
RDP login prices decrease as supply increases.
ZDNet reports that the price of stolen Remote Desktop Protocol (RDP) logins has fallen, probably because the market has become saturated with supply. RDP is the Windows protocol for interactive remote logon; teleworkers and IT administrators use it to reach company systems from outside the network. Internet-exposed RDP servers are low-hanging fruit for cybercriminals: weak or reused passwords are easily brute-forced or credential-stuffed, and the working logins are then sold in underground criminal markets. The drop in price is most likely a consequence of the COVID-19 pandemic, which pushed employees onto remote access at scale and flooded the criminal market with a large number of credentials. To protect against RDP credential theft, organizations should enforce strong passwords and multifactor authentication, and should not expose RDP directly to the Internet: put it behind a VPN or remote desktop gateway, require Network Level Authentication, enable account lockout, and monitor failed-logon events for password guessing.
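One way to spot the password guessing that produces these stolen logins, as an added example that is not from the ZDNet report or from this article: a small Python detector run over constructed Windows Security event records. It keys on Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), raises a finding when one source address fails more than a threshold of RDP logons inside a sliding window, and raises a second finding if that address later logs on successfully, which is the signature of a guessed credential. The key=value record format, the timestamps and the IP addresses are invented for illustration; real events are XML with many more fields.

```python
"""Detect RDP password guessing from Windows Security event records.

Added example, not code from the original article. The sample records are
constructed, simplified renderings of Event ID 4625 / 4624; LogonType 10 is
RemoteInteractive (RDP). A real deployment would read events from a SIEM or
from Get-WinEvent rather than from an inline string.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (documentation address ranges, fictional users).
SAMPLE_EVENTS = """
2020-10-02T02:14:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-10-02T02:14:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-10-02T02:14:05Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2020-10-02T02:14:07Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-10-02T02:14:09Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-10-02T02:14:11Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-10-02T02:15:30Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-10-02T08:01:12Z EventID=4625 LogonType=10 TargetUserName=amartin IpAddress=198.51.100.4
2020-10-02T08:01:40Z EventID=4624 LogonType=10 TargetUserName=amartin IpAddress=198.51.100.4
2020-10-02T08:05:00Z EventID=4624 LogonType=3 TargetUserName=svc-backup IpAddress=198.51.100.4
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the key=value records into dicts, sorted by timestamp.
    Malformed lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings as tuples.

    ('brute_force', ip, count): the ip reached `threshold` failed RDP logons
        within `window` (reported once per ip).
    ('success_after_failures', ip, user): a flagged ip then logged on over RDP,
        i.e. a credential was probably guessed and should be reset.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    flagged = set()
    findings = []
    for e in events:
        if e["lt"] != 10:
            continue                # only RemoteInteractive (RDP) logons matter here
        recent = failures[e["ip"]]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()        # slide the window forward
        if e["eid"] == 4625:
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                findings.append(("brute_force", e["ip"], len(recent)))
        elif e["eid"] == 4624 and e["ip"] in flagged:
            findings.append(("success_after_failures", e["ip"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the sample, the detector flags 203.0.113.7 on its fifth failure and again when the jsmith logon succeeds a minute later, while 198.51.100.4 (one mistyped password, then success) stays quiet. The threshold and window are the tuning knobs: too low and help-desk noise drowns the signal, too high and a slow, distributed guessing campaign slips underneath it, so in practice this per-IP count is paired with a per-account count and with a list of expected source ranges.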
A look at third-party risk (more in sadness than anger).
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, shared some thoughts with us about the continuing Blackbaud affair:
“It used to be that computers were secure and that only communication was vulnerable to interception. But that time has long gone. We seem to focus so much on securing communication with encryption that we forget that data security has three essential components: securing data at rest so no one can steal it, securing communication so no one can snoop in on it and ensuring data integrity so no one can tamper with it. Every organization has to take a hard look at the data it stores and make sure no sensitive data is ever stored or moved around in the clear and that data integrity is verified at critical processing steps. Unfortunately, I have little faith this will just happen out of good will. We will need some legislation that mandates this policy and punishes organizations that egregiously ignore this mandate and end up exposing troves of sensitive customer data.”
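As an added illustration of the third component above, verifying data integrity at a critical processing step, here is a Python sketch that is not part of the article or of Juniper's commentary. It seals stored records with an HMAC-SHA256 tag computed over a canonical serialisation, and a hypothetical refund-settlement step refuses any record whose tag no longer verifies. The key, the record fields and the function names are assumptions made for the example.

```python
"""Integrity tagging of stored records with HMAC-SHA256.

Added example, not from the original page. Shows one way to make 'data
integrity is verified at critical processing steps' concrete: records are
stored together with a MAC, and the processing step checks the MAC before
acting on the record.
"""
import hashlib
import hmac
import json

# Constructed demo key. In production the key comes from a secrets manager
# or HSM and is available only to the services that seal and verify records.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical(record):
    """Serialise deterministically so field order cannot change the MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=DEMO_KEY):
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify(sealed, key=DEMO_KEY):
    """Recompute the tag and compare in constant time (no timing side channel)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def settle_refund(sealed, key=DEMO_KEY):
    """Hypothetical critical processing step: act on the record only if it verifies."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed: record rejected")
    return sealed["record"]["amount_cents"]


def demo():
    """Constructed record: a stored refund instruction, then a tampered copy
    in which the amount was changed but the original tag was kept."""
    original = seal({"refund_id": "R-1001", "customer": "c-42", "amount_cents": 1999})
    tampered = {"record": dict(original["record"], amount_cents=1999000),
                "mac": original["mac"]}
    settled = settle_refund(original)
    try:
        settle_refund(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return settled, verify(tampered), rejected


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The canonical serialisation matters because the same record re-emitted with fields in a different order must still verify; and `hmac.compare_digest` matters because a plain `==` on the hex strings leaks, through timing, how many leading characters of a forged tag were right. A MAC covers integrity and authenticity but not confidentiality: for data that must not sit in the clear, an authenticated-encryption mode (AES-GCM or ChaCha20-Poly1305, via a library such as `cryptography`) provides both, and key management, not the primitive, is the hard part.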