Last week brought another round of large-scale ransomware attacks around the world. Users take more precautions as awareness of cybercrime grows, but attackers keep finding new ways to steal information. Government agencies spend millions of dollars fixing the weaknesses that allow such incidents, yet they continue to occur with alarming regularity.
In the US, the K-12 Cybersecurity Act has been introduced to improve the security of school networks. Governments and organisations elsewhere are also investing in defences, including anti-phishing software, against phishing, malware, ransomware and other cyber-attacks.
The news highlights below cover incidents from last week and the measures that agencies and officials are taking to keep such attacks in check.
Malware Attacks Through Windows Remote Desktop Services
A recently reported malware campaign breached company networks over RDP (Remote Desktop Protocol). What makes it unusual is that it leaves almost nothing on disk on the target hosts, which makes forensic investigation, and identifying the perpetrators, much harder.
The attackers ran cryptocurrency miners directly in memory over the remote connection. The same approach was used to extract information from insecure machines.
What Is Windows RDS?
Windows Remote Desktop Services (RDS) lets an RDP client redirect its local drives into the remote session, with read and write access. On the remote host these drives appear under a network location named 'tsclient' (for example \\tsclient\C), and they can be mapped locally like any other share. The feature has existed for a long time; the attackers simply abused it, connecting from their own machine and using the redirected drive to bring their tools onto the target.
Malware Cocktail in Network Shares
An analyst studying the campaign explained that the attackers misuse this feature, copying malware from the redirected drive onto the victim host in a component named worker.exe. Through this component, the attackers communicate with and send instructions to their malware.
worker.exe is an off-the-shelf tool that has been used since February 2018 by multiple threat actors, and it supplies the reconnaissance capabilities in this campaign: it can take screenshots and save them offline, and it can enumerate all network shares mapped locally. Practical countermeasures are to keep RDP off the public internet (or behind a gateway or VPN), disable client drive redirection where it is not needed, review suspicious files found on the host, and keep phishing protection up to date.
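The following PowerShell script is an added example for this section; it is not from the original article or from the researchers who reported the campaign. It audits the host for the feature the tsclient abuse relies on, lists any running process whose command line points at a \\tsclient\ path, and then applies the documented "Do not allow drive redirection" policy. It assumes an elevated session on the RDP server and that the policy is expressed, as Windows documents it, by the DWORD value fDisableCdm under the Terminal Services policy key.

```powershell
# Added example (not code from the article or the campaign it describes).
# Audits and hardens RDP client drive redirection on a Windows host.
# Assumption: run in an elevated PowerShell session on the RDP server.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpDriveRedirectionState {
    # fDisableCdm = 1 blocks client drive mapping; a missing value or 0 allows it.
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'fDisableCdm' -ErrorAction SilentlyContinue).fDisableCdm
    if ($value -eq 1) { 'Disabled' } else { 'Allowed' }
}

function Disable-RdpDriveRedirection {
    # Create the policy key if no GPO has ever written it, then set the value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'fDisableCdm' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Find-TsclientReferences {
    # Redirected client drives surface as \\tsclient\<letter>. Any process whose
    # command line references that path was started from the RDP client's own disk,
    # which is exactly how the worker.exe campaign delivered its tooling.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match '\\\\tsclient\\' } |
        Select-Object ProcessId, Name, CommandLine
}

"Drive redirection before: $(Get-RdpDriveRedirectionState)"
Find-TsclientReferences | Format-Table -AutoSize
Disable-RdpDriveRedirection
"Drive redirection after:  $(Get-RdpDriveRedirectionState)"
```

The policy value only affects sessions opened after it is set, so existing RDP sessions keep their redirected drives until they disconnect; the process scan is what catches abuse already in progress. On domain-joined hosts, set the same policy through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection) so that a local change is not overwritten at the next policy refresh.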
FIN8 Threat Group and The Operations Performed By Them
FIN8 is a well-known, financially motivated threat group targeting the retail, hospitality and entertainment industries. Its origin is unknown, but it is known to use tailored spear-phishing emails to attack companies in the US, and its name is familiar in the world of cybercrime.
Its track record includes attacks on major US-based retail, hospitality and entertainment companies.
Its known operations are as follows:
- FIN8 came into the limelight around March 2016 with multiple spear-phishing campaigns against hospitality businesses, restaurants and retail shops. The emails carried no links but attached Microsoft Office documents containing macros. A single click enables the macros, which then download the backdoor known as PUNCHBUGGY.
- In 2017, FIN8 carried out attacks using PowerShell code paired with an environment variable. The PowerShell process received its commands via stdin rather than on its command line, and the attackers benefited from the way this evades command-line logging and detection.
- One of these attacks used a phishing Microsoft Word document named "Complaint homer glynn.doc." Here too the group used a macro, this time one that used WMI to spawn cmd.exe.
- In 2019, even after spear-phishing defences had been widely deployed to counter such campaigns, FIN8 returned with a notably improved version of its ShellTea backdoor (also known as PUNCHBUGGY). It kept to its usual targets, the hospitality and entertainment sectors, and to its old tactic of malicious macros.
- These macros sit in ordinary, everyday documents that anyone might open. Once a victim enables them, the attackers can take control.
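Two of the behaviours listed above leave a recognisable footprint in process-creation telemetry: a macro that launches a command through WMI shows WmiPrvSE.exe, not the Office application, as the parent of cmd.exe, and PowerShell that reads its script from stdin is started with a lone "-" argument (the shorthand for "-Command -", which is documented to read the command text from standard input). The script below is an added example and is not from the original article or from the researchers who tracked FIN8. The two rules are this example's own choices, not a published FIN8 signature, and the records it scans are constructed here for illustration; in practice they would come from Sysmon event ID 1 or Security event 4688 via Get-WinEvent.

```powershell
# Added example (not code from the article or from any FIN8 report).
# Flags process-creation records that match two of the techniques above:
#   1. cmd.exe whose parent is the WMI provider host (macro -> WMI -> cmd.exe)
#   2. powershell launched with a lone "-" so the script arrives on stdin
# Assumption: each record has ProcessId, Image, ParentImage and CommandLine.

function Find-SuspiciousProcessChains {
    param([Parameter(Mandatory)] [object[]] $Records)

    foreach ($r in $Records) {
        $reasons = @()

        # Rule 1: a macro calling Win32_Process.Create does not become the parent of
        # the new process; WmiPrvSE.exe does, which breaks the usual Office -> cmd chain.
        if ($r.ParentImage -match '(?i)\\WmiPrvSE\.exe$' -and $r.Image -match '(?i)\\cmd\.exe$') {
            $reasons += 'cmd.exe spawned by WmiPrvSE.exe (WMI-launched command)'
        }

        # Rule 2: "powershell -" (dash as the only argument) reads the script from
        # stdin, so the logged command line never shows what actually ran.
        if ($r.Image -match '(?i)\\powershell\.exe$' -and
            $r.CommandLine -match '(?i)powershell(\.exe)?"?\s+-\s*$') {
            $reasons += 'PowerShell reading its script from stdin'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $r.ProcessId
                Image     = $r.Image
                Parent    = $r.ParentImage
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry). Records 1 and 2 form the
# macro -> WMI -> cmd.exe -> "powershell -" chain; 3 and 4 are benign controls.
$sample = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'cmd.exe /c echo Get-Date | powershell -' }
    [pscustomobject]@{ ProcessId = 4136; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'powershell -' }
    [pscustomobject]@{ ProcessId = 5200; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe -NoProfile -File C:\scripts\backup.ps1' }
    [pscustomobject]@{ ProcessId = 5244; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'cmd.exe /c schtasks /query' }
)

Find-SuspiciousProcessChains -Records $sample | Format-Table -AutoSize
```

Run against the sample, the function reports records 4120 and 4136 and ignores the two controls. Both rules are deliberately narrow; a real hunt would also look at the grandparent (WINWORD.EXE or EXCEL.EXE two hops up) and correlate with PowerShell script block logging (event ID 4104), which records the script content even when it arrives on stdin.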
Cyber-Attack Lead To Cancellation Of Various Flights
It is the holiday season, and everyone is looking forward to celebrating the end of the year with their loved ones. The transportation industry is at its busiest at this time of year, which makes it an attractive target for attackers. One victim was RavnAir, which had to cancel at least a dozen flights in Alaska after what it described as a malicious cyber-attack on its computer networks. Flights were grounded until the systems were confirmed safe, and around 260 passengers were affected.
In a written statement the company said it had to cancel all flights operated by its Dash 8 aircraft, because the attack had compromised the network and forced it to shut down the systems supporting that fleet. What compounded the problem is that many of the affected passengers had no road alternative at this time of year. The airline says it is working to prevent further attacks and has asked the FBI and other relevant authorities for help. It also hired a cybersecurity company to investigate and to keep the network from being compromised again.
A further concern is that the affected systems hold personal details of many passengers. RavnAir later announced that it was adding flights, would rebook affected passengers as soon as possible and regretted the inconvenience. The network that handles connecting flights between PenAir and RavnAir was operating normally and showed no signs of compromise, but the whole system remained under scrutiny and monitoring.
New Orleans Is Recovering From Its Recent Cyberattack
Almost a week ago, New Orleans was hit by a cyber-attack that took the city's computer systems down. One significant concern for officials was that they could not yet determine the cost of the damage, and as of last week they were unsure when the systems would be back online. A large group of volunteers is working to restore the computers but has so far returned only about one-tenth of the city's machines to normal operation.
Determining the price tag of the attack matters to city officials because the city holds a $3 million cyber-insurance policy. Once the present situation has been resolved, officials intend to increase that cover to $10 million. They did not discuss the policy in detail. They are being cautious about a final figure because they are still checking the network for more infected systems.
The volunteers are also gradually upgrading the systems to make the servers less vulnerable to future attacks. An official said on Wednesday that more than 3,500 laptops and about 10% of the city's 450 servers had been recovered. According to city officials, the goal is to keep recovery moving quickly and safely while building a stronger and more secure defence, including better protection against phishing, than the city had before. The administration wants its financial systems back online as soon as possible, with the holiday season approaching.
Restoring financial operations is also essential for regaining control of the city's cloud servers and paying contractors and employees on time.
Maze Ransomware Releases Stolen Files
Earlier this month, the city of Pensacola suffered a malicious attack, and the attackers have now released around 2 GB of files stolen during it. The attack disrupted email services and some phone services, and it was severe enough to force the city's computer systems to be shut down. Such attacks can take down entire infrastructures; the WannaCry outbreak is an example. The Pensacola attack used ransomware, malware that encrypts user files and then demands a set ransom in exchange for returning control of the data. The primary objective of these attacks is extortion.
Several sources confirmed that the Maze ransomware group carried out the attack and demanded $1 million to decrypt the files. According to those sources, Maze stole data from the city before encrypting the email network and other services. When the threats were not taken seriously, the group released 2 GB of files to prove it held compromising data, and it claims to have a further 32 GB. The data may contain sensitive information, and an investigation is under way to verify what was taken.
Entercom Radio Hit by A Cyberattack
The radio network Entercom was hit by a cyber-attack over Christmas. This is the second time the network has been affected, and the type of attack was the same as before. In this instance, the attack disrupted back-office functions, and in some cases stations involuntarily ran pre-recorded programming. The motive behind the attack has not yet been identified. For those unfamiliar with it, Entercom is a major radio network that reaches an audience of 170 million people every month, with top-rated stations and a loyal following.
Entercom's first attack, in September, cost it $400,000 in revenue. The company's CFO said the breach cost around $1 million in total, including that $400,000 in lost revenue. Representatives also said that, to protect the company from further attacks, Entercom had increased its IT capital expenditure to $2 million, including investment in anti-phishing tools.
Surprisingly, the second attack was smaller in scale than the first, and some speculated that it was merely a temporary system outage. This time the company also suffered connectivity problems, which disabled email communication and cut some digital platforms off from their content. Recovery was expected to be slow.
Entercom itself said only that it was facing IT issues and that they would be resolved by Monday. It did not comment on the speculation that the incident might be a system outage rather than a cyber-attack.
As promised, operations were restored by Monday, although some reports indicated that a few markets still could not import their music logs and some other content.
New Patch To Be Released To Fix Vulnerabilities In Samsung Phones
Vulnerabilities were found in the software of several Samsung Galaxy models, including the Galaxy A5 (2017), Galaxy A30s and Galaxy Tab S3 (LTE), and the company has released fixes for them as Android security updates. The update for the Galaxy A5 (2017) fixed an issue in which a remote attacker could run code on the device using a specially crafted file.
Nine critical vulnerabilities were found in the Galaxy A30s. These affected the operating system directly, which is why these phones have already received the November 2019 patch. The Galaxy Tab S3 received its latest update in October 2019; the issue there was that installing an untrusted app allowed attackers to access user data stored on the device.
Samsung is taking the necessary steps to protect its customers from further attacks, and the fixes are being distributed as firmware updates that users must install on each device.
Malware Hits Truckstop.com Sites, Services Shut Days Before Christmas
Truckstop.com is a widely used freight-matching platform. It was recently hit by a computer attack that forced it to shut down access to its online services, leaving customers to find workarounds just before Christmas. The outage reportedly began on December 20 and was made public on December 21. Truckstop.com initially said it was experiencing technical difficulties and was working to resolve them as quickly as possible; it later stated that the outage was caused by malware. The company also said that no customer information had been compromised and that it would notify any customer who turned out to be affected.
On December 22, seven Truckstop.com sites were still down because of the attack. Truckstop.com is not a small company but one of the largest truck freight platforms, so a great many customers depend on it to move their loads, and at the busiest time of the year the pressure from such an outage rises sharply.
German Cities Under Attack By Emotet Botnet
Frankfurt, Germany, was attacked by the Emotet botnet, and the attack led to a temporary shutdown of the city's computer systems. It was not the only such attack: three other organisations, Justus Liebig University in Giessen, the town of Bad Homburg and a Catholic university, suffered similar incidents. Emotet is malware designed to install further malicious software on the devices it infects, and it is distributed through malicious email attachments such as Word documents or PDFs.
The attack at Justus Liebig University was also caused by the Emotet botnet, and the malware it deployed was the Ryuk ransomware. The attack was not detected immediately, and to stop it from harvesting sensitive information the university suspended all email accounts linked to its systems. The Frankfurt attack was the largest of the group, and even some public transport services were shut down because of it. According to some sources, the infection began with an employee opening a malicious email attachment.
Canadian Lab Test Firm LifeLabs Pays Ransom After Data Breach
LifeLabs, Canada's largest specialty laboratory, recently suffered a cyber-attack in which attackers gained unauthorised access to its computer systems. The information exposed included names, addresses, login credentials, health card numbers and other sensitive data that could compromise the privacy of any individual. LifeLabs said that the information of about 15 million customers was affected. It added that protecting customer information is its number one priority, because people have trusted it with their health data, and that it takes this responsibility very seriously.
LifeLabs said it retrieved the stolen data by making a payment to the attackers, working with experts in cyber-attack negotiations, and that its cybersecurity advisers assessed the risk of the data being released as low. The company said it had fixed almost all of the issues affecting its systems and was upgrading its protections to ensure that this kind of attack does not recur.