At a glance.
- Smaug marketed as a multiplatform, easy-to-use ransomware-as-a-service.
- Water Nue BEC gang targets financial executives.
- A look at cyberattack trends in 2019.
- Magecart Group 8 suspected in Inter skimming attacks.
- Operation Skeleton Key targets Taiwan's semiconductor sector.
Smaug marketed as a multiplatform, easy-to-use ransomware-as-a-service.
Anomali has released a report on a new ransomware-as-a-service offering, "Smaug," which can target Windows, macOS, and Linux machines. Smaug is being offered on an Onion site to aspiring ransomware operators who register for a fee of 0.2 bitcoin (currently $2,300) and provide the ransomware's proprietors with 20% of their haul. Thus it combines both the licensing and affiliate marketing aspects of criminal-to-criminal commerce. The ransomware and its web-based dashboard are designed to be straightforward and simple for operators to use, and Smaug offers tech support for both operators and their victims.
The malware itself is simple compared to other offerings on the market, and its "only functionality is the encryption of files." It doesn't delete shadow copies or backups on Windows, which may enable file recovery if users have these services enabled.
So far, Smaug doesn't seem to have enjoyed much market success. The malware's owner advertised it on a criminal forum in May, then discounted it and offered a free trial after it failed to gain traction. A forum administrator locked the thread after ten days because Smaug's owner failed to deposit $8000 in escrow, and the owner's profile on the forum has been inactive since June 6th.
Water Nue BEC gang targets financial executives.
Trend Micro warns that a business email compromise (BEC) gang has targeted financial executives at more than a thousand companies around the world since March 2020. The group, dubbed "Water Nue," uses spearphishing emails that direct recipients to spoofed Office 365 login portals. After compromising an Office 365 account, the attackers will send "emails containing invoice documents with tampered banking information...to subordinates in an attempt to siphon money through fund transfer requests." The attackers rely on public cloud services to host their infrastructure, and they use legitimate cloud-based email distribution services to send their phishing emails.
While the Water Nue gang isn't technically sophisticated, its techniques have been effective. So far, they've successfully stolen credentials from more than eight hundred of their targets.
A look at cyberattack trends in 2019.
Kaspersky published its Incident Response Analyst Report for 2019, sharing statistics gleaned from cyberattacks observed over the past year. The most common method of initial entry was through exploitation of unpatched vulnerabilities, which accounted for just under 38% of attacks. Malicious emails were the second-most common entryway at 31%, followed by brute-force attacks at 13%. Removable media, insiders, leaked credentials, and misconfigurations each accounted for 4.4% of attacks. While most of the exploited vulnerabilities were disclosed in 2019, Kaspersky notes that MS17-010, the 2017 Server Message Block vulnerability used by EternalBlue, is still "being actively exploited by a large number of adversaries."
The researchers found that the attacks with the longest dwell times usually began with "vulnerability exploitation on an organization’s network perimeter," with most of those attacks lasting weeks, months, or even years. Attacks that lasted longer than a month were "almost always" focused on cyberespionage and theft of sensitive data. Social engineering and brute-force attacks were more commonly observed in incidents that lasted days or weeks. Attacks that lasted less than a week primarily involved ransomware.
Magecart Group 8 suspected in Inter skimming attacks.
Malwarebytes says an operator of the Inter skimming kit is using homoglyph attacks to disguise malicious favicon files on compromised websites. A homoglyph attack is simply the use of similar-looking characters to craft a deceptive domain name. This technique is widely used in phishing campaigns, but in this case the attacker was trying to hide the fact that the compromised sites were communicating with a separate domain.
The attacker compromised several websites belonging to the same victim and injected a small snippet of JavaScript that would replace certain letters in the path from which the favicon (the small image displayed in the browser tab) was loaded. In one instance, for example, the attacker compromised "cigarpage.com" and modified its source code so the favicon would be loaded from the attacker-controlled domain "cigarpaqe[.]com." The malicious favicon contained a large chunk of embedded JavaScript code, which was the popular Inter skimmer (described by Fortinet last year). The victim has since removed the skimming code from their websites.
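A site owner can catch this kind of favicon swap with a small check over their own HTML: flag any icon link whose host is not the site's host but becomes identical to it once known look-alike characters are folded together. The following is an added example, not code from the Malwarebytes report; the confusable table is a hand-picked assumption and the HTML sample is constructed (it reuses the cigarpage.com / cigarpaqe.com pair described above).

```python
"""Flag favicon links whose host is a homoglyph variant of the page's own host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed look-alike substitutions (attacker text -> intended text). Not exhaustive.
CONFUSABLES = {"q": "g", "1": "l", "0": "o", "vv": "w", "rn": "m", "cl": "d"}


def normalize(host: str) -> str:
    """Fold confusable sequences so that 'cigarpaqe.com' becomes 'cigarpage.com'."""
    host = host.lower()
    # Longest sequences first so multi-character look-alikes win over single ones.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(fake, real)
    return host


class FaviconParser(HTMLParser):
    """Collects href values of <link> tags whose rel names an icon."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if any(r.endswith("icon") for r in rel) and a.get("href"):
            self.hrefs.append(a["href"])


def suspicious_favicons(html: str, expected_host: str) -> list:
    """Return icon hosts that differ from expected_host only by confusable characters."""
    parser = FaviconParser()
    parser.feed(html)
    hits = []
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if not host:  # relative path: icon is served by the site itself
            continue
        if host.lower() != expected_host.lower() and normalize(host) == normalize(expected_host):
            hits.append(host)
    return hits


# Constructed sample: the favicon href has already been pointed at the look-alike domain.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="https://cigarpaqe.com/favicon.ico">
<link rel="stylesheet" href="/site.css">
</head><body></body></html>"""

if __name__ == "__main__":
    print(suspicious_favicons(SAMPLE_HTML, "cigarpage.com"))  # ['cigarpaqe.com']
```

Because the report describes the substitution being performed by injected JavaScript at load time, run the check against the rendered DOM (or the response after scripts have executed) rather than only the raw server-side source.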
Notably, one of the domains used in this campaign was used in the past by Magecart Group 8. While Group 8 hasn't previously been observed deploying Inter, the actor has been known to reuse skimming code from other Magecart groups. Group 8 has also used homoglyphs in past attacks, although Malwarebytes notes that this technique isn't unique to the group.
Operation Skeleton Key targets Taiwan's semiconductor sector.
At Black Hat on Thursday, researchers from CyCraft Technology described a suspected Chinese government threat group, "Chimera," that's successfully targeted Taiwan's semiconductor industry. According to WIRED, the hackers were after source code, chip designs, software development kits, and similar intellectual property. The group targeted at least seven chip manufacturers in 2018 and 2019. CyCraft doesn't name the victims, but says they were based in the Hsinchu Science Industrial Park (where most of Taiwan's semiconductor companies are headquartered).
CyCraft calls the campaign "Operation Skeleton Key" after its use of SkeletonKeyInjector, which "implanted a skeleton key into domain controller (DC) servers to continuously conduct lateral movement." The operators' principal remote access Trojan was Cobalt Strike, and they used an old version of RAR to exfiltrate data.