Weekly Intelligence Summary | 5 June 2020
Updated: Jun 11
In the spotlight this week:
Several ransomware groups recently launched attacks on victims; O365 users targeted by phishing bait
Reports have uncovered the techniques PYSA ransomware operators use against their victims. Once the actors gain access, they dump credentials using mimikatz and move laterally around the network with psexec. The group uses advanced port and IP scanners to perform network reconnaissance. In addition, the group deploys a PowerShell script that stops the antivirus, deletes backups, and modifies local account passwords to prepare the system for encryption. PYSA also leaves behind installations of Putty, WinSCP, Go RAT, and the PowerShell Empire penetration-testing tool.
The DoppelPaymer ransomware gang discloses that it breached NASA’s IT contractor, Digital Management Inc. (DMI). It is unclear how deep DoppelPaymer reached inside DMI’s network during the breach.
Abnormal Security discovers an Office 365 phishing campaign in which emails and a phishing landing page are disguised as notifications from the targets’ own companies, instructing them to update their VPN configuration.
Reports reveal that Maze and NetWalker ransomware infected the Hong Kong firms Bossini and City Super, with some of their data released on the dark web.
June 04, 2020 | Protect Your System, Amigo: Profiling Pysa Ransomware Crew’s Victim Organizations
The Mespinoza ransomware crew, also known as “Protect Your System Amigo” or PYSA, has been successfully deploying ransomware against its victims. Reporting has identified 20 cases in which victim data was published online and describes how the crew attacks its targets. Upon gaining access, PYSA uses mimikatz to dump credentials and psexec to move laterally around the network. PYSA then uses advanced port and IP scanners to conduct network reconnaissance. The group also leaves behind installations of Putty, WinSCP, Go RAT, and the PowerShell Empire penetration-testing tool.
Source: Medium. Retrieved from https://medium.com/@ransomleaks/protect-your-system-amigo-2520bdfccbba
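The PYSA preparation chain described in the spotlight and in the item above (psexec lateral movement, antivirus stopped, backups deleted, local account passwords changed) is a good candidate for a correlation rule rather than four separate alerts. The following is an added example, not code from the report or from any vendor: it scans constructed Windows-style event records and flags a host only when several stages of the chain appear together. The event IDs (7045 service install, 4688 process creation, 7036 service state change, 4724 password reset) and the PSEXESVC service name are standard Windows facts; the specific antivirus service names and backup-deletion command lines are assumptions, since the report does not name them, and every record below is constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are simplified
# versions of common Windows event fields.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "event_id": 7036, "service_name": "WinDefend", "state": "stopped"},
    {"host": "FS01", "event_id": 4724, "target_user": "backupadmin"},
    {"host": "WS07", "event_id": 4688, "command_line": "notepad.exe C:\\notes.txt"},
    {"host": "WS07", "event_id": 7036, "service_name": "Spooler", "state": "stopped"},
    {"host": "DC01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
]

# Assumption: Defender service names; extend with the AV actually deployed.
AV_SERVICES = {"windefend", "wdnissvc", "sense"}

# Assumption: common shadow-copy / catalog deletion commands used to "delete
# backups"; the report does not name the exact commands PYSA runs.
BACKUP_DELETION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)


def classify(event):
    """Map one event record to a named stage of the chain, or None."""
    eid = event.get("event_id")
    # PsExec installs a service named PSEXESVC on the remote host (7045).
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_lateral_movement"
    # Process creation with a backup-deletion command line (4688).
    if eid == 4688 and BACKUP_DELETION.search(event.get("command_line", "")):
        return "backup_deletion"
    # An AV service entering the stopped state (7036).
    if (eid == 7036 and event.get("state") == "stopped"
            and event.get("service_name", "").lower() in AV_SERVICES):
        return "av_stopped"
    # Password reset on an account (4724); noisy alone, meaningful in the chain.
    if eid == 4724:
        return "local_password_reset"
    return None


def assess(events, min_stages=3):
    """Group stage hits per host; a host with at least min_stages distinct
    stages is flagged as likely ransomware staging. Hosts with no hits are
    omitted from the result."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {
        host: {"stages": sorted(found), "flagged": len(found) >= min_stages}
        for host, found in stages.items()
    }


if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if verdict["flagged"] else "ok", verdict["stages"])
```

The threshold keeps a single PSEXESVC install (routine on many admin hosts, as DC01 shows here) from paging anyone, while a host that shows lateral movement, AV stopped, backups deleted and a password reset in one window is exactly the pre-encryption picture the report describes.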
June 03, 2020 | Ransomware gang says it breached one of NASA's IT contractors
The DoppelPaymer ransomware gang reveals that it recently attacked Digital Management Inc. (DMI), a major US IT and cybersecurity provider to several Fortune 100 companies and government agencies, including NASA. While it is still unclear how deep DoppelPaymer reached inside DMI’s network during the breach and how many DMI customer networks were affected, the gang has taken NASA-related files and posted 20 archive files on a dark web portal, suggesting it breached DMI’s NASA-related infrastructure. The 20 archives include everything from HR documents to project plans, with employee details matching public LinkedIn records. DMI has yet to respond to requests for comment on the issue.
June 03, 2020 | Office 365 phishing baits remote workers with fake VPN configs
Recent phishing campaigns target Microsoft Office 365 users with bait messages disguised as notifications from the users’ own organizations, instructing them to update the VPN configuration they use to reach company assets while working from home. The phishing emails, which impersonate VPN configuration update requests from the companies’ IT support departments, have so far landed in the inboxes of up to 15,000 targets, according to researchers at the email security company Abnormal Security. These messages are far more dangerous now because of the huge influx of employees working remotely and relying on VPNs to share documents with colleagues and access their organization’s servers from home.
Source: Bleeping Computer. Retrieved from https://www.bleepingcomputer.com/news/security/office-365-phishing-baits-remote-workers-with-fake-vpn-configs/
Abnormal Security. Retrieved from https://abnormalsecurity.com/blog/abnormal-attack-stories-vpn-impersonation-phishing/
June 03, 2020 | NetWalker and Maze Ransomware Threatening to Leak Data
A newly created Twitter account, Ransomleaks, reports on recent ransomware incidents. Ransomleaks claims that the Maze ransomware group dropped seven leaks on May 27, 2020, a record high. Victims include Bossini, Faxon Machining, GCL System Integration Technology, Critical Control Energy Services, Seats Inc., Grupo Cocenzo, and Smith Group. Aside from Maze, Ransomleaks has also revealed that NetWalker is threatening to leak the data it obtained from the City Super breach. City Super is Hong Kong’s first-of-its-kind Mega Lifestyle Specialty Store.
Source: Twitter account of Ransom Leaks. Retrieved from https://twitter.com/ransomleaks/status/1265519565271957506 and https://twitter.com/ransomleaks/status/1267731275873468425
June 03, 2020 | Lucy’s Back: Ransomware Goes Mobile
Ransomware attacks have been a major concern in the cyber security industry for some time. Infamous malware such as CryptoLocker, WannaCry, and Ryuk have all caused significant damage to private assets and organizations worldwide. Although ransomware is only beginning to appear on mobile devices, it has been evolving rapidly as malware developers and attackers apply their experience to create disruptive mobile ransomware attacks. An example is the ‘Black Rose Lucy’ malware family, originally discovered by Check Point in September 2018. After nearly two years, Black Rose Lucy is back with new ransomware capabilities that allow it to take control of victims’ devices, make various changes, and install new malicious applications.
Source: Check Point Research. Retrieved from https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile/
Freebuf. Retrieved from https://www.freebuf.com/articles/terminal/236081.html