Welcome back! Following a short festive break, Threat Thursday returns with 2020’s first weekly round-up of cyber threats, vulnerabilities and system updates.
There are few new threats to report this week but the Christmas period has, expectedly, provided several examples of cyber crime’s impact; not to mention the importance of a strong security setup.
DeathRansom Struck Down, Returns More Powerful Than We Could Possibly Imagine
If you missed DeathRansom - for reasons which are about to become abundantly clear – then good news! It’s back!
First spotted in November of 2019, DeathRansom strutted into the internet’s virtual playground, its chest puffed out and its nose upturned, bragging about how tough his dad was and how he was going to infect everybody’s computers, like, super-duper hard. Yet, as is often the case in this scenario, DeathRansom turned out to be all mouth and no trousers; it was a feeble excuse for Ransomware, boasting no file-encrypting capabilities. Its true ‘abilities’ amounted to little more than renaming a victim’s files ever so slightly, and adding a hyperbolic ransom note onto their desktops. DeathRansom was subsequently laughed off the great playground of the internet. Some of the bigger viruses, like Emotet, even kicked it in the shins as it left.
Well, DeathRansom hasn’t forgotten. After a brief gestation period (presumably spent lifting weights and listening to Linkin Park), it’s returned; only this time, it has some muscle. Researchers at Fortinet discovered that the threat has returned, with stronger encrypting abilities and a successful phishing campaign – the most effective method of spreading Ransomware.
Yet it continues to blunder; with some basic cyber-sleuthing, Fortinet were able to trace what’s highly likely to be DeathRansom’s author to an underground Russian hacking forum. They also managed to unearth what they believe to be the perpetrator’s email address, YouTube, Instagram and Facebook profiles.
At this point, DeathRansom truly is like the villain from a Saturday morning cartoon; turning up every week with an evil scheme, stumbling over its own inflated hubris, and shuffling off with its tail between its legs. Still, even with the culprit possibly identified, DeathRansom is back in the wild and should now be taken much more seriously.
Networking Software Suffering a Serious Case of Cisco Fever
That’s right, I’m recycling the same Cisco/Disco pun twice in the space of a year. Look, there’s only so much you can do with a brand name, guys.
Cisco has updated its Data Center Network Manager (DCNM) software with fixes for no less than 12 CVEs. Of the 12 vulnerabilities, three carry a ‘critical’ rating: CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977, each affecting every Cisco Data Center Network Manager release below 11.3(1).
These vulnerabilities, left unpatched, allow a remote attacker to bypass authentication and perform actions with full admin privileges. Best get yours updated to the latest version, then.
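As an added illustration (not code from the original post or from Cisco), here is a small Python helper that compares a Cisco-style DCNM version string against the 11.3(1) fixed release named above, so an inventory of managers can be triaged for patching. It assumes the `X.Y(Z)` format, compares each field numerically (so `11.10(1)` is newer than `11.3(1)`), and treats an optional trailing letter such as `11.3(1a)` as a rebuild that sorts after the plain release; that suffix handling is an assumption, not something the post states.

```python
import re
from typing import Dict, Tuple

# Fixed release for the three critical DCNM CVEs named in the post:
# anything older than this is affected.
FIXED_DCNM_VERSION = "11.3(1)"

# Cisco-style release string: major.minor(build) with an optional rebuild letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_cisco_version(version: str) -> Tuple[int, int, int, str]:
    """Parse '11.2(1)' or '11.3(1a)' into a tuple that compares correctly.

    Numeric fields become ints so 11.10(1) sorts after 11.3(1); the optional
    letter is kept as a string so '' (plain release) sorts before 'a'.
    Raises ValueError for anything that does not match the expected shape.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Cisco version string: {version!r}")
    major, minor, build, suffix = match.groups()
    return (int(major), int(minor), int(build), suffix)


def dcnm_is_vulnerable(installed: str, fixed: str = FIXED_DCNM_VERSION) -> bool:
    """True when the installed DCNM release is older than the fixed release."""
    return parse_cisco_version(installed) < parse_cisco_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {host: version} to {host: 'patch' | 'ok'} for a patching worklist."""
    return {
        host: ("patch" if dcnm_is_vulnerable(version) else "ok")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "dcnm-lab-01": "11.2(1)",
        "dcnm-lab-02": "11.3(1)",
        "dcnm-lab-03": "10.4(2)",
        "dcnm-lab-04": "11.3(1a)",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```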
This patch follows a less-than-stellar week for Cisco, which saw security researcher Steven Seeley discover more than 120 vulnerabilities in a single Cisco product. This comes only a few months after Steven was rejected for a role within Talos, Cisco’s security team. That dull ‘thudding’ noise is the sound of said team’s heads hitting their desks.
Remember – Windows 7 Reaches End of Life this Month
Windows 7 users: now might be the time to upgrade to Windows 10. On the 20th of this very month, Microsoft will stop supporting their most popular operating system; that means no further security updates are planned, nor is the OS likely to be compatible with any future software or hardware releases.
Essentially, anyone using 7 after this date is sitting on a proverbial time bomb. As evidenced in previous editions of Threat Thursday, cyber criminals often target users of old or unsupported software, taking advantage of newly discovered vulnerabilities that they know will never be addressed. Updating to Microsoft’s latest operating system, Windows 10, is highly recommended to keep your protections updated.
Windows 7 was released over 10 years ago, and is arguably Microsoft’s most popular operating system - even though its startup sound is vastly inferior to Windows 95’s. Some might tell you that the successor to Windows 7 isn’t Windows 10 but is, in fact, Windows 8. These people are not to be trusted. Windows 8 was nothing more than an urban legend, created to scare our children into behaving properly.
If anyone offers you Windows 8, please alert the relevant authorities.
CryptoMix Drops Crop of Clops; Stops Laptops, Causing Non-Stop Strops
A Ransomware named Clop, first discovered in February 2019, has taken a leaf out of DeathRansom’s book and spent the year upping its proverbial game. The Ransomware, part of the CryptoMix school of malware, was rediscovered this December with some show-stopping new capabilities.
This new variant now has the capacity to terminate over 660 Windows processes before encrypting its victim’s files, all for the usual cash ransom. Self-described ethical hacker Vitali Kremez discovered this new strain and shared the details of his findings over on his Twitter account, along with a list of all affected executables.
Once again, the Malware may have changed, but the methods haven’t. Clop is thought to be spread via phishing emails like almost every other Ransomware – all the more reason to familiarise yourself with the tell-tale signs of a phishing email.
A Warning From America
A US-based business, with over 60 years of experience, was forced to close its doors over Christmas following a Ransomware attack in October.
Arkansas-based fundraising firm The Heritage Company was hit by Ransomware which compromised the company’s accounting and email systems, blocking funds entering or leaving the business and making it impossible to send invoices to clients. CEO Sandra Franecke elected to pay the ransom to secure the business and reclaim the system from the attackers.
Following months of recouping costs, rebuilding systems and even paying employee wages from her own funds, there was unfortunately no option left but to cease trading.
It’s a devastating story, but it perfectly demonstrates the dangers of Ransomware to a small or medium business. The Heritage Company is determined to recoup costs and recover, eventually reopening its doors, but managers estimate a 70% chance that the company will be sadly forced to close its doors.
This incident is also the perfect example of how investing in a solid Disaster Recovery solution is ultimately cheaper than paying the price for any ransomware attack. Charities and their partners are especially susceptible to cyber attacks over the festive period, and The Heritage Company is just one of many fundraising organisations that criminals will have been targeting.
Travelex Breached Thanks to Irregular Pulse
Foreign exchange company Travelex has also been compromised, this time by the Sodinokibi Ransomware and with a ransom demand of a cool $6 million (£4.6 million).
Following the strike on New Year’s Day, the perpetrators claimed to have stolen 5GB of personal customer data – including names, payment card information and social security numbers – and are threatening to release the stolen information online if the ransom demands aren’t met. Travelex says otherwise, asserting that no personal data has been compromised. Your move, hackers.
Nonetheless, Travelex has taken 30 of its international websites offline as a precautionary measure. The company has also suspended support with trading partners such as Sainsbury’s, First Direct and Virgin Money and disabled its mobile apps.
It has been reported that for most of 2019, Travelex was operating on an unpatched Virtual Private Network; specifically, the Pulse Secure VPN. At the time, a critical flaw in the software allowed hackers to inject ransomware into business servers, delete crucial backups and conduct all manner of cruel shenanigans. Pulse issued an urgent patch as far back as April, and insisted all businesses update their versions accordingly.
Predictably, a campaign by hackers to exploit any unpatched instances of the Pulse Secure VPN kicked off shortly afterwards, and it’s theorised that Travelex is the latest casualty of this campaign.
That wraps up another Threat Thursday, and the first of 2020. With the holiday period now over, we’re back on track to deliver regular weekly updates – we’ll see you back here in 7 days for more of the latest infosec news!
Want the latest Threat Thursday updates the moment they’re released? Sign up to our weekly reports and get them straight into your inbox every Thursday!