Global Security Report: Mid-Year 2019
Cities Under Siege- Cyberattacks Disrupt Essential Services
In part of our 2018 Global Security Report predictions, we shared that we “expect to see more disruptive cyberattack events committed by Nation States that masquerade as financially motivated attacks.” While it remains to be seen if any of the recent attacks were ultimately the work of any nation state, the first half of 2019 has already been a record year for some very disruptive attacks which appear to be affecting municipalities at an alarming rate.
Government agencies are not blind to the risk they face. According to data collected in the Q1 and Q2 AppRiver Cyberthreat Index for Business Survey*, 58% of all C-level and IT decision makers at government organizations with employee size up to 250 say cyberattacks are “prevalent” on organizations such as their own. Add to that, 36% or respondents believe an attack on their organization is “imminent.”
Even though these agencies see the threats as very real, it is concerning that a whopping 75% estimate the technology and strategies available to hackers who are likely to target their organization are more sophisticated than the threat prevention technology and strategies they have available. Respondents even recognized the damage an attack could cause, with more than half (56%) estimating a successful cyberattack would cause long- and short-term damages to their organizations.
At first glance these latest survey figures may point to a rather pessimistic forecast among government executives when it comes to their cybersecurity and preparedness against hackers, however, it appears their fear is not unwarranted. Attacks targeted at local municipalities and government agencies are proliferating in frequency and the carnage they leave behind.
Here is a look at some of the most significant breaches of local governments we have seen in 2019:
In April, the City of Greenville, NC, suffered prolonged downtime due to a successful ransomware attack on city systems. Local officials and security experts spent many weeks recovering from this attack while basic services to local residents were notably impacted.
In April, the City of Tallahassee had nearly half a million dollars diverted out of city employee payroll accounts and into accounts of the attackers. Public officials tasked with investigating this incident later disclosed their suspicion of a foreign adversary’s involvement behind the attack.
On May 7, the City of Baltimore, MD, fell victim to a ransomware attack that affected thousands of computers and resulted in major disruptions to email communications, health alerts, water bills, real estate transactions and other city services. Recent estimates put the cost of this incident on the city at over $18 million in recovery fees. Diagnostics of the attack provided a swift conclusion that the Robinhood ransomware was the cyber weapon used in this attack.
Unlike many ransomware attacks before it, Robinhood does not use email as its infection vector; rather, it relies on hacking remote desktop services and/or previously existing trojans. Once unleashed, it spreads to any endpoint it could reach, disabling countless security controls, clearing event logs and disabling Windows automatic repair, all prior to encrypting the user’s files and leaving several ransom notes behind. What’s more alarming – this Baltimore case is far from an isolated incident and appears to be part of a pattern of similar attacks happening with greater frequency.
It was not long ago when the City of Atlanta had to deal with a crippling attack of the SamSam ransomware which cost the city millions in recovery fees after major disruptions. It was later reported that the two Iranian men responsible for the SamSam ransomware infections were indicted and found to have been targeting other public entities such as Newark, NJ, the Port of San Diego, the Colorado Department of Transportation, and many others. The two foreign nationals from one of our greatest global adversaries did not disclose whether they launched the attack under the direction of Iran or any nation state.
As recently as May 29th, the City of Riviera Beach, FL, was attacked, reportedly via email, by a ransomware infection that left the city government crippled. In this attack, the hackers were demanding roughly $600,000-worth in bitcoin ransom payment to unlock the infected devices, to which the city eventually complied. This is an unfortunate decision given that ransom payments of this magnitude will certainly serve to embolden and entice attackers, encouraging further attacks. While unlike many other municipalities, Riviera Beach opted to pay the ransom demand, that was not the end of the extent of the attack damage. The city is also expected to spend another million or more on network enhancements.
The latest government or city-level cyberthreat victim is Lake City, FL, according to a report on June 10. The city suffered a ransomware attack that caused a shutdown and loss of multiple city services. It was later reported that Lake City, just like Riviera Beach, made the difficult decision to pay the ransom demands to receive the decryption keys from the attackers. It was reported that these demands totaled roughly $460,000 and were made in bitcoin. And similar to the incident in Riviera City, the majority of this payment was covered by their cybersecurity insurance policy.
As this list grows and new attacks on local governments are reported on what is resembling a daily basis, this security trend will likely get worse before it gets better. Knowing it is unlikely we could expect an abrupt end of these attacks, it is prudent to examine them as a whole, on a macro level, in addition to their local, practical and financial effects. These attacks disrupt infrastructures and daily services, no doubt, but they create other damages beyond what is on the surface. These attacks could wobble citizens’ confidence in their local government, and gradually erode their sense of peace and stability. Americans depend on their city services to protect and provide for them. When those agencies are under attack, it could breed doubts, unease or even discontent.
We also need to ask more strategic questions: are these attacks more than what they seem? Could they be orchestrated vehicles deployed by foreign adversaries to test and rehearse for larger-scale and potentially more detrimental attacks? We don’t know yet, but it is wise not to rule out any sensible scenarios if we are to stay one step ahead of – or at least in steps with – our attackers.
Data breaches continue to proliferate on a massive scale. While there have been several major breaches in 2019, none was as eye-popping as the breach of Quest Diagnostics and Labcorp.
In early June it was reported that Quest and Labcorp suffered a data breach exposing 11.9 million patient records. In a statement, Quest Diagnostics disclosed their third-party billing collections service provider notified them that an unauthorized user had access to the system containing personal information from various companies, including Quest.
Attackers were able to gain access to personal information such as social security information, medical information and financial data (which could include credit card numbers). This is the type of data that typically fetches top dollars on the Dark Web, and not coincidentally, more severely affects every day civilians.
Many other breaches have been made public thus far in 2019. Below is a noncomprehensive list that includes just a sampling of breaches so far this year:
- >Ascension – More than a decade worth of data sat unprotected in an Elasticsearch database. This included more than 24 million financial and banking documents spanning more than a decade and from various US banking institutions. This included documents that would be classified as highly sensitive and detailed. Among the many details included were W-2 tax forms, which are often leveraged by cybercriminals to initiate phony refunds.
- Instagram – The breach included private contact information of 49 million Instagram records including some very high-profile influencers. The breach was later reportedly traced back to Mumbai-based social media marketing firm Chtrbox
- Checkers/Rally’s - More than 102 locations suffered a malware infection on their point-of-sale system leading to the breach of magnetic card data including name, card number, verification code and expiration date.
- Evernote – Through Evernote’s Web Clipper Extension for Chrome hackers gained access to data of 4.6 million users. Among the data believed to have been exposed are emails addresses, usernames and encrypted passwords.
- WhatsApp – A vulnerability discovered in the app (on various versions) allowed it to be exploited with commercial spyware, created by Israel’s NSO group, which can control the phone’s camera and microphone, collect location data and access emails and text messages. This could all be accomplished via a buffer overflow vulnerability with simply a single call to the target’s device.
- Georgia Tech – In late March, the university learned that a central database had been accessed by an unauthorized outside entity. More than a million individual’s data – including names, addresses, social security numbers and dates of birth – was exposed in this attack.
- UConn Health – In February, UConn Health announced that a phishing attack breached sensitive data of more than 300,000 patients. Information poached included personal such as birthdates and addresses and limited medical data such as billing and appointment details. At least 1,500 patients had their social security numbers breached.
- Huddle House – In an attack spanning from August 2017 to February 2019 attackers were able to infect point-of-sale systems and capture card data of customers throughout that span. It is still unknown how many customers were affected.
- Singapore’s Ministry of Health – In January, it was revealed that an unknown hacker had obtained 14,200 HIV-positive patients’ records, which were then posted online.
- Facebook – Researchers discovered more than 540 million records were exposed including account names, Facebook IDs and user-specific data. It was reported that the breach was due to a server being inadvertently left publicly available by a third-party company.
Chained Malware Attacks
Chained malware attacks have become more prevalent this year. In order to ensure profitability, successful malware attacks have been observed chaining multiple attack strategies by sharing a single foothold gained into the system. One example we blogged about was the Phorphiex/Trickbotnet campaign that dropped a Monero cryptominer, Ursnif banking trojan, and Gandcrab ransomware onto the compromised system.
Another more commonly-seen chained attack example that has been blocked by our filters is Emotet. These infections have been repeatedly documented to result in the Trickbot banking trojan payload dropped onto the system. A Ryuk ransomware is then installed afterward.
Examples of simple Trickbotnet emails that kick off a chained malware attack
A recent example which gathered media attention was the spear phishing attack geared toward administrators at cryptocurrency companies, such as Coinbase. The spear phishing emails contained links to a page where attackers would load info stealers onto systems of employees who are using Firefox. This multi-stage attack utilized two Firefox browser zero-day exploits to attempt to steal employee credentials.
The first exploit was a remote code execution bug that allowed the attacker to run code in the browser. The second was a Firefox sandbox escape which would allow the attacker to run arbitrary code at the operating system level.
We anticipate chained-attack strategies will increase. These will not only be used for the traditional scenarios by attackers to escalate privileges and network resources, but also to ensure maximum profitability via multiple payloads.
During the first half of 2019, Emotet was reclassified from what began as a banking trojan in 2014 to a botnet. The botnet can turn infected devices into spam, malware, or DDoS zombies at the beckoning of their operators, known by researchers as the Mealybug threat group. Emotet has been using two different botnet networks dubbed as Epoch 1 & Epoch 2 by researchers. This provides redundancy and a development-capable environment, where changes to malware and command-and-control communication may be tested.
Mealybug actors have continued to expand profits by utilizing the botnet’s Malware-As-A-Service delivery model for not only Emotet loader, but also Qakbot and IcedID as well. However, the main email traffic we capture uses Emotet as the primary trojan loader and utilizes it to cater to other malicious threat actors who pay for the delivery model by retrieving their follow-up payloads post-Emotet infections.
One of Emotet’s most recent module additions include the ability to scrape the past 180 days of mail from compromised accounts, including every subfolder in the client’s interpersonal message root folder. This year, hackers have increased usage of this capability to send malicious attachments using previous conversations the victim had held. This increases the perception from unknowing recipients that the message is legitimate, which helps the group add more infected machines to its botnet.
Recent Emotet message example with malicious attachment
Office Memory Corruption Vulnerability
During the second quarter of this year we saw a dramatic uptick of malicious attachments attempting to exploit the Microsoft Equation Editor buffer overflow vulnerability (CVE-2017-11882). The Equation Editor is utilized for OLE-based equations in Office products but most attacks we capture using it are in the most popular DOC and XLS formats. This 17-year-old vulnerability contains the potential to allow attackers to run arbitrary code and load malicious payloads onto a system with successful exploitation.
Microsoft released a security update patch on Nov. 14, 2017 that resolved the issue. However, the tenacity at which attackers still attempt to exploit it indicates there are a great number of unpatched systems still vulnerable to exploitation. Many of these attacks over this past quarter attempt to pull down remote access trojan payloads. Some of the common infostealers, keyloggers, and remote access trojans we see in these payloads include Remcos, Agent Tesla, HawkEye, LokiBot, Formbook, NanoCore, Azorult, njRAT, and Orcus.
Hex of an Office RTF document with obfuscated script exploiting CVE-2017-11882
Conversation Hijack Attacks- Gozi/Ursnif Update
Unfortunately, there’s been no shortage of Conversation Hijack Attacks so far this year. These threat actors have gained access to a large volume of compromised mailboxes that they use in the malware attacks.
This year, encrypted ZIP files have been their bread and butter. This campaign comes and goes as they frequently pivot from different iterations of the attack for maximum effectiveness. These adaptations include utilizing different languages, different passwords, different file name schemes, and verbiage.
Here’s an example:
To appear more legitimate, we have observed these actors customizing the name of the encrypted ZIP file to match the name of the recipient’s company. If you unzip the encrypted ZIP file using the provided password, then you will gain access to the macro-enabled DOC file (Shown below, filename in this case was “info_06.11[dot]doc”). For a brief time, we also saw them utilize XLS files.
These threat actors attempt to coax the end user into selecting “Enable Editing” or “Enable Content” which then allows the embedded macros to run. In this example a powershell script is run which reaches out to an exploited site and brings down the payload. In the majority of this year’s CHA campaigns, the attack delivers the notorious Gozi/Ursnif banking trojan.
Additionally, in a separate but parallel campaign, the banking trojan Emotet also utilized the same attack vector by using the same delivery method (CHA’s with encrypted ZIP files). This indicates a possible link between the Emotet and Gozi/Usnif threat actors. Either way, these are particularly nasty trojans that work silently in the background while stealing stored credentials and any other pertinent financial data that is accessible.
They study business dealings in depth and learn about relationships with vendors, who’s paying who and for what, which enables them to craft a spoofed message for a phony invoice that comes across so naturally that it far more likely to be treated as legitimate
and paid. It is not unusual to hear of organizations that have suffered seven figure losses
in these elaborate phishing attacks.
Business Email Compromise – Wire Fraud
The business email compromise attacks continue to increase in frequency and complexity. Attackers prefer to live off the land by using legitimate services and compromised accounts (obtained via spear phishing) to perpetrate and attempt to add further legitimacy to their scams. Many of these involve impersonating executives, finance and human resources staff to convince unknowing recipients to purchase gift cards or conduct wire transfers.
Attackers often compromise an account but invest time to monitor email activities for days or even months to map out the who’s and how’s of financial transactions in an organization. In addition, they will gather legitimate user signatures and learn how the financial transactions are conducted in their environment. Once they have this data, they would attempt to perpetrate their fraud using all the information gathered. Unfortunately, we have had new clients who added our email protection for the Impersonation feature offers after damage was already done. Some of the example attacks we have seen only took the attacker one email to dupe the recipient into wiring away tens of thousands of dollars.<
BEC Wire Fraud Example – Spoofing CFO
The attacker was able to compromise the email account of Company A. Once inside the email account, he was able to gather information to initiate an attack.
Once the attacker had what he needed, he went to work crafting a simple invoice email from a vendor Company A had previous and multiple dealings with. To add an air of legitimacy, the attacker went so far as to create a false history of previous responses and dates on the email chain – giving it the appearance of a typical invoice payment request. Taking it one step farther, the cybercriminal registered a domain just one letter different from the vendor’s legitimate domain.
Similar to most higher-end BEC attacks, this one simple invoice led to banking information changes combined with the wire transfer request.
Thankfully, AppRiver’s Advanced Email Filtering service was able to stop the transaction from happening.
How Deep Does This Rabbit Hole Go?
This specific actor/group responsible for the attack had sent two of these wire transfer attacks that same day using the exact same techniques, tactics and procedures. Since
their emails were so easily attributable, our curiosity was sparked, we wanted to see how much more could be exposed. We began to perform DNS who is queries and ended up with some common patterns. <
The actors had used the same nonexistent street address with minor, but easily recognizable, variations when registering their fictitious domains. That pattern alone made it much easier to find additional information on their attacks. For the domains still active, they use the same hosting provider who specializes in payment via Bitcoins for domain registration and hosting.
During our research, we found other internet posts related to this actor or group on ripoffreport and reddit. These detailed similar scams or fraudulent purchases this same actor/group had used in the past.
After the dust settled, we had uncovered the below:
- 1,103 fraudulent dspoofing legitimate companies going back to June 2015 - present
- 293 fictitious personal names used to register the domains (including one Biggy Smallz)
- 77 unique phone numbers for the registrations
Visualizing the Infrastructure Connections
Pardon the vagueness in defining what every detail means below. However, we wanted to provide a quick visualization of the DNS-related connections they used - without giving away the attacker’s techniques. This way AppRver can continue monitoring them and using intelligence gathered for the benefit of all 60,000+ AppRiver customers.
This first map is a zoomed-out overview of common DNS-related connections utilized by the attackers.
BY THE NUMBERS
Email Virus Traffic
Through the first six months of 2019 we quarantined more than 124 million emails with malware attached. This puts us on track for a very similar volume of malware-laden traffic as we saw in 2018.
Though we saw a shift away from Ransomware to Banking Trojans in 2018, the first half of 2019 saw a shift back toward more Ransomware infections. Many of these are coming as a result of a secondary payload being pulled down by an existing infection. Additionally, in June we observed an increase in the delivery of Remote Access Trojans (RAT) which can be exploited to deliver many secondary malware payloads.
Spam traffic remained level throughout the first six months of the year. In all, we quarantined just over 4 billion spam messages.
In the first half of 2019, our Advanced Email Security solution quarantined 20.1 million spear phishing attacks bound for recipient’s inboxes. Many of these attacks would be classified as Business Email Compromise (BEC). Attackers continue attempts of exploiting human targets by impersonating sender’s identity when committing these attacks. These attacks reached an apex in February of 2019.
This year’s malicious traffic was similar in that malicious Word files with embedded macro’s were the most prevalent attack vector. Word Documents were flowed closely by PDFs and Excel spreadsheets(XLSX).