Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked

Victoria Kivilevich, Threat Intelligence Analyst

Rising ransomware attacks around the world, together with the recent lists of exposed Pulse Secure VPN credentials, set the backdrop for KELA’s latest research. While not every ransomware attack used CVE-2019-11510 (a vulnerability in unpatched Pulse Secure VPN servers) or the previously shared credentials to reach the compromised corporate networks, the overlap adds another layer to the analysis of possible initial infection vectors used in ransomware incidents. Moreover, the recent exposure of credentials to nearly 50,000 vulnerable Fortinet VPNs raises further concern about possible infection vectors that can be used for ransomware attacks.

Our key findings include:

  • Five victims of ransomware attacks whose credentials to their Pulse Secure VPN servers were exposed as part of two Pulse Secure VPN lists (i.e., directories with folders and files) that were shared by malicious actors in August 2020.
  • Data of three of the victims were leaked to ransomware gangs’ blogs in an attempt to force them to pay a ransom. Based on KELA’s conversation with threat actors related to the attack, at least one victim (unnamed) paid the ransom.
  • A threat actor involved in the attack confirmed that they gained initial access to at least one compromised network via the CVE-2019-11510.
  • Proactive monitoring of darknet threats, such as the Pulse Secure VPN lists, helps enterprise defenders secure their networks and prevent further, more sophisticated attacks, such as ransomware attacks.

Zooming into Darknet Threats Targeting Japanese Organizations

Victoria Kivilevich, Threat Intelligence Analyst

In light of rising cyberattacks and ahead of the 2021 Tokyo Games, Japan is investing in cybersecurity efforts, one of them being the establishment of a government entity dubbed the Digital Agency. The decision follows recent fraud involving Japanese bank accounts linked to cashless payment services, which could have been achieved by brute-forcing, by using compromised credentials to banking accounts, or via other attack vectors. Attacks on banking infrastructure are just one part of the threats targeting Japanese organizations that KELA recently explored. They include:

  • Leaked data and compromised accounts. KELA detected that data belonging to Japanese corporations, as well as government and educational entities, is actively circulating in the darknet and being demanded by threat actors. This data can be used to gain initial network accesses, i.e. entry points to targeted networks.
  • Initial network accesses. KELA observed several compromised Japanese companies, ranging from corporations to universities, including one Japanese ministry, during June-October 2020. These accesses can be leveraged to eventually deploy ransomware.
  • Ransomware incidents. KELA detected at least 11 Japanese victims of ransomware attacks in June-October 2020. The affected companies are from manufacturing, construction and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue.

KELA’s 100 Over 100: September 2020 in Network Access Sales

Raveed Laeb, Product Manager and Victoria Kivilevich, Threat Intelligence Analyst

While ransomware attacks are on the rise, more and more initial network accesses are being sold in underground forums every day, in part becoming the initial entry point for ransomware operators. Following KELA’s research about initial access brokers, we’ve decided to analyze some of the accesses sold over September 2020 to build a comprehensive picture of the activities in this field.

Major takeaways are:

  • Initial network access is a general term that refers to remote access to a computer in a compromised organization. Threat actors selling it – initial access brokers – are linking opportunistic campaigns with targeted attackers, namely ransomware operators.
  • KELA traced over 100 initial network accesses put on sale by threat actors for one month – three times more than in August 2020. The cumulative price requested for all accesses surpasses $500,000.
  • Of these network access listings, KELA found that at least 23% were reported as sold by the actors for cumulative revenue of nearly $90,000.
  • While establishing a list of the top 5 most expensive accesses and the TTPs of their sellers, KELA examined a hypothesis that the price depends on the victim’s revenue and the level of privileges gained through access. Domain admin access can be 25-100% more expensive than user access.
  • Initial access brokers’ public activity on cybercrime communities provides rare visibility into the inner workings of threat actors; this visibility should be leveraged by network defenders in order to understand the threat landscape and prioritize defense mechanisms accordingly. Moreover, passing network access from an initial access broker to a ransomware affiliate effectively splits the exploitation process into two distinct phases – a TTP that may be invaluable during threat hunting and adversary simulation.

The Initial Access Broker’s Toolbox – Remote Monitoring & Management Tools

Raveed Laeb, Product Manager and Victoria Kivilevich, Threat Intelligence Analyst

Update, October 8, 2020: Zoho’s statement has been added.

  • Alongside the rise of initial access brokers and the growing number of threat actors selling remote access to compromised networks, RMM (remote monitoring and management) tools have become a lucrative target.
  • KELA detected that a cybercriminal active on a Russian-speaking forum has recently been selling a large number of accesses via an RMM tool, and identified that tool as Zoho’s product “Desktop Central”; this fact highlights the threat organizations face.
  • Monitoring what kinds of network access initial access brokers are selling provides important intelligence for the IT and cybersecurity teams that defend an organization’s network.

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part Two

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

2020’s back to school is a bit different than usual, as most students around the world are getting ready to meet their peers online again. Rather than worrying about the classic back-to-school activities, such as purchasing the most in-style school supplies or figuring out the perfect outfit for day 1, students are more invested in finding a comfortable home setup for online learning. School IT admins, on the other hand, are most concerned this year about educating their students and staff regarding cybersecurity as school begins remotely, while in parallel focusing heavily on deterring cyber threats from cybercriminals looking to attack educational institutions.

In our last blogpost, Back to School: Why Cybercriminals Continue to Target the Education Sector, Part 1, we looked into threat actors’ overall interest in targeting organizations in the education sector, diving into some examples of recent attempted attacks that we’ve spotted across the underground ecosystem. That blogpost touched on several key points that helped establish a general understanding of the threat level facing educational institutions. We decided to circle back to this topic because of the increasing risks that emerged as much of the world began to return to school.

Schools already struggling with high numbers of COVID-19 cases now must begin battling other mishaps, such as cyberattacks on their online learning platforms, within their first days of remote learning. This happened to one of the largest school districts in Florida and was likely caused by a newbie in the underground world: an alleged 16-year-old threat actor. This successful attack on a large school district, by a supposedly young threat actor, may imply that planned attacks by more sophisticated and experienced threat actors are similarly on their way.

How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing

Victoria Kivilevich, Threat Intelligence Analyst

The average ransomware payment now equals $178,254, an increase of 60% from Q1 2020. The sum has grown not only because of the continually increasing activity of ransomware operators, but also due to their efforts in finding new ways of monetizing their malicious activities and threatening victims. These new TTPs include:

  • Stealing data and requesting double ransoms;
  • Collaborating with other ransomware gangs;
  • Using stolen data to attack other victims;
  • Selling stolen data on auctions;
  • Notifying media, as well as victims’ partners and clients about leaks;
  • Scraping credit cards.

Novel tactics were adopted not only by infamous gangs such as Maze and Sodinokibi (REvil), but also by less-popular runners-up, such as Netwalker, Ragnar Locker, Ako, and others.

KELA regularly monitors these ransomware gangs’ blogs and observes an average of 10-20 new victims each week – implying that the actual number of victims can be much higher, since we only see the victims who did not pay a ransom. Those who cooperated with the cybercriminals do not appear in the blogs.

The following piece will focus on how the ransomware operators diversify their schemes and implement so-called “marketing efforts,” related to threatening victims, in order to gain more profits.

Torum is Dead. Long Live CryptBB?

Victoria Kivilevich, Threat Intelligence Analyst

On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:

  • Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
  • Torum’s administrator announced he was closing the forum because he had lost interest in supporting it.
  • Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
  • As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.