technology-news.space - All about the world of technology!

HOTTEST

  • A ransomware gang installed remote desktop software on over 100 machines across a network, and their plans to encrypt the network were only foiled at the last minute when cybersecurity experts were called into a company after suspicious software was found on its network. The efforts made by criminals to lay the foundations for a ransomware attack, which resulted in legitimate remote access software being installed on 130 endpoints, were discovered when security company Sophos was brought in to investigate the unnamed company after Cobalt Strike was detected on its network. 

    Cobalt Strike is a legitimate penetration testing tool, but it’s commonly used by cyber criminals in the early stages of a ransomware attack. One of the reasons it is used by cyber criminals is that it partially runs in-memory, making it difficult to detect.

    The goal of the gang was to encrypt as much of the network as possible with REvil ransomware, but because the cyber criminals were detected before they could finalise their preparations, the attack wasn’t successful – although they managed to encrypt data on some unprotected devices and deleted online backups after they noticed they’d been spotted by investigators.

    A ransom note left by REvil on one of the few devices that was encrypted revealed a demand of $2.5 million in bitcoin for a decryption key – although this wasn’t paid. But the attackers had managed to gain enough control of the network in the run-up to install software on over 100 machines – and the company that was being targeted didn’t notice.

    “As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” said Paul Jacobs, incident response lead at Sophos. “When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.”

    This was just one of several methods that cyber criminals used to maintain their hold on the network, including creating their own admin accounts. But how did cyber criminals get onto the network in the first place in order to use Cobalt Strike, set up remote access accounts and gain admin privileges?

    “From what we have seen in our investigations, there is a variety of methods used, most commonly it is users being phished often weeks or months earlier, then there is the exploitation over firewall and VPN vulnerabilities or brute forcing RDP if it is exposed to the internet,” Peter Mackenzie, manager of Sophos Rapid Response, told ZDNet.

    In this instance, the attempted ransomware attack wasn’t successful, but ransomware is so prolific at the moment that organisations are regularly falling victim. REvil, the ransomware used in the incident investigated by Sophos, was deployed in the successful ransomware attack against JBS, with the cyber criminals behind it making off with $11 million in bitcoin.

    However, there are steps that all organisations can take to prevent cyber criminals from being able to gain access to the network in the first place. “Firstly, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, make sure they are getting patches regularly and remember if a computer hasn’t rebooted for a year, then it likely hasn’t applied any patches either,” said Mackenzie.

    But while using technology correctly can help protect against cyberattacks, it’s also useful to have eyes on the network. People who have a good understanding of what’s on the network can detect and react to any potentially suspicious activity – such as the use of Cobalt Strike, which resulted in the ransomware attack detailed in this case being discovered before significant damage was done. “For the best cybersecurity, you need people watching what is happening and reacting to it live, that is what can make the biggest difference,” said Mackenzie.


  • Valve told ZDNet today that it’s safe to play games like Counter-Strike: Global Offensive and Team Fortress 2 even after their source code leaked online today on 4chan and torrent sites. The leak has caused panic in the two games’ online communities. For most of the day, gamers have been warning each other […]

  • The UK Information Commissioner’s Office and Office of the Australian Information Commissioner (OAIC) announced on Thursday that the pair would be teaming up to conduct a joint investigation into Clearview AI. In April, OAIC asked questions of the company and issued a notice to produce under section 44 of the Australian Privacy Act. Two months […]

  • In a security alert published on Thursday, US payments processor Visa revealed that two North American hospitality merchants were hacked and had their system infected with point-of-sale (POS) malware earlier this year.
    POS malware is designed to infect Windows systems, seek POS applications, and then search and monitor the computer’s memory for payment card details that are being processed inside the POS payments apps.
    “In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants,” Visa said.
    The US payments processor didn’t name either of the two victims due to non-disclosure agreements involved in investigating the incidents.
    Visa published on Thursday a security alert [PDF] with a description of the two security breaches and the malware used in the attacks in order to help other companies in the hospitality sector scan their networks for indicators of compromise.
    June hack: Hackers used three different POS malware strains
    Of the two incidents, the second one that occurred in June is the most interesting, from an incident response (IR) perspective.
    Visa said it found three different strains of POS malware on the victim network — namely RtPOS, MMon (aka Kaptoxa), and PwnPOS.
    The reason why the malware gang deployed three malware strains is unknown, but it could be that attackers wanted to make sure they get all the payment data from across different systems.
    Visa, which also provides incident response services in financial crime-related breaches, said the intruders breached the hospitality firm’s network, “employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment.”
    The payments processor wasn’t able to determine how the intruders breached the company’s network in the first place.
    May hack: The entry point was a phishing email
    They were, however, able to determine the entry point in the first hack, which occurred in May.
    “Initial access to the merchant network was obtained through a phishing campaign that targeted employees at the merchant. Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to login to the merchant’s environment. The actors then used legitimate administrative tools to access the cardholder data environment (CDE) within the merchant’s network.
    “Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”
    The POS malware used in this incident was identified as a version of the TinyPOS strain.
    The two recent attacks show that despite the recent rise and attention that web skimming (magecart) and ransomware incidents are getting in the media, cybercrime gangs have not abandoned targeting POS systems.
    “The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data,” Visa said.

  • A cruel business email compromise (BEC) gang is hacking people’s email accounts and sending messages to their contacts claiming the account owner needs to send a gift to an unwell friend in an attempt to manipulate people into sending online gift cards. Detailed by cybersecurity researchers at Abnormal Security, an organized […]

Internet of Things

  • Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017

  • That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way

  • LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology

  • The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors

Artificial Intelligence

  • in Artificial Intelligence

    Contact-aware robot design

    19 July 2021, 04:00

  • in Artificial Intelligence

    MIT Schwarzman College of Computing awards named professorships to two faculty members

    16 July 2021, 15:45

  • in Artificial Intelligence

    Getting dressed with help from robots

    14 July 2021, 19:15

  • in Artificial Intelligence

    Software to accelerate R&D

    13 July 2021, 04:00

  • in Artificial Intelligence

    Sertac Karaman named director of the Laboratory for Information and Decision Systems

    12 July 2021, 16:00

  • in Artificial Intelligence

    The tenured engineers of 2021

    9 July 2021, 20:00

  • in Artificial Intelligence

    US Air Force pilots get an artificial intelligence assist with scheduling aircrews

    8 July 2021, 18:45

  • in Artificial Intelligence

    Infrared cameras and artificial intelligence provide insight into boiling

    7 July 2021, 20:15

  • in Artificial Intelligence

    Designing exploratory robots that collect data for marine scientists

    7 July 2021, 04:00

Robotics

  • in Robotics

    The Samsung Q8F is a great midrange TV – especially at this price

    8 November 2025, 12:00

  • in Robotics

    Amazon is selling the M4 MacBook Air for its lowest price ever – and it’s an easy buy for me

    8 November 2025, 11:30

  • in Robotics

    Finally, my favorite electric screwdriver has a worthy successor – and it’s on sale

    8 November 2025, 11:00

  • in Robotics

    Need a versatile laptop? This IdeaPad I recommend is $450 off – here’s why it’s notable

    8 November 2025, 10:00

  • in Robotics

    Beware the ‘Hi, how are you?’ text. It’s a scam – here’s how it works

    7 November 2025, 13:22

  • in Robotics

    How much RAM does your Linux PC really need? My expert advice for 2025

    7 November 2025, 12:43

  • in Robotics

    This midrange Lenovo laptop has no business being this good for the price

    7 November 2025, 12:40

  • in Robotics

    This $30 gadget keeps my office and workspace organized at all times – how it works

    7 November 2025, 09:30

  • in Robotics

    Don’t shop Black Friday until you do these 5 simple things (a shopping editor’s advice)

    7 November 2025, 09:00

Networking

  • You can chat with Google Maps now, thanks to this big AI upgrade – how it works

  • Why AI coding tools like Cursor and Replit are doomed – and what comes next

  • Our pick for the best Android smartwatch has premium health and fitness features (and a price cut)

  • Finally, wireless earbuds that can easily replace my Bose and Sony for all-day listening

  • Finally, a Ring doorbell camera I can recommend to most people (especially at this price)

  • The $99 gadget that prevents electrical fires by doing nothing

  • I tested the Apple Watch Ultra 3’s satellite connectivity off-grid, and it’s even better than Garmin’s

Data Management & Statistics

  • Method prevents an AI model from being overconfident about wrong answers

  • Groundbreaking poverty alleviation project expands with new Arnold Ventures, J-PAL North America collaboration

  • Roadmap details how to improve exoplanet exploration using the JWST

  • Study: When allocating scarce resources with AI, randomization can improve fairness

  • AI model identifies certain breast tumor stages likely to progress to invasive cancer

  • How to assess a general-purpose AI model’s reliability before it’s deployed

  • Machine learning and the microscope

ABOUT

The QUATIO - web agency di Torino - is currently composed of 28 thematic-vertical online portals, which average about 2.300.000 pages per month per portal, each with an average visit time of 3:12 minutes and with about 2100 total news per day available for our readers of politics, economy, sports, gossip, entertainment, real estate, wellness, technology, ecology, society and much more themes ...

technology-news.space is one of the portals of the network of:

Quatio di CAPASSO ROMANO - Web Agency di Torino
SEDE LEGALE: CORSO PESCHIERA, 211 - 10141 - ( TORINO )
P.IVA IT07957871218 - REA TO-1268614

ALL RIGHTS RESERVED © 2015 - 2025 | Developed by: Quatio

ITALIAN LANGUAGE

calciolife.cloud | notiziealvino.it | sportingnews.it | sportlife.cloud | ventidicronaca.it | ventidieconomia.it | ventidinews.it | ventidipolitica.it | ventidisocieta.it | ventidispettacolo.it | ventidisport.it

ENGLISH LANGUAGE

art-news.space | eco-news.space | economic-news.space | family-news.space | job-news.space | motor-news.space | myhome-news.space | politic-news.space | realestate-news.space | scientific-news.space | show-news.space | sportlife.news | technology-news.space | traveller-news.space | wellness-news.space | womenworld.eu | foodingnews.it

This portal is not a newspaper as it is updated without periodicity. It cannot be considered an editorial product pursuant to law n. 62 of 7.03.2001. The author of the portal is not responsible for the content of comments to posts, the content of the linked sites. Some texts or images included in this portal are taken from the internet and, therefore, considered to be in the public domain; if their publication is violated, the copyright will be promptly communicated via e-mail. They will be immediately removed.
