LATEST BLOG POSTS
The double extortion technique: the Campari case
In recent weeks the Campari group has suffered a serious ransomware attack carried out with the so-called “double extortion” technique. The damage would amount to two terabytes of stolen data, together with the threat to publish it if the company does not pay $15 million.

The attack and the reaction of the company
The attack was carried out by the Ragnar Locker criminal group, which, using the same technique, struck Capcom about a month ago, threatening to publish or auction the stolen data. The nature of the information stolen from Campari remains confidential, even if the well-known Italian company has admitted the possibility of a loss, not yet quantified, of personal data and of information related to its business. The attack had also caused a series of disruptions on the network in early November. The criminals claim to be in possession of accounting and financial documents, intellectual property, personal data of customers and employees, including identity data, as well as documents and business contracts of various kinds.

Campari publicly responded to the cyber-attack on November 3rd, identifying the nature of the threat and notifying the data protection authorities, the Postal Police and the US FBI. On the 9th of November, Campari Group announced the restoration and restart of its IT systems, carrying out sanitization activities and installing security add-ons, while warning that the company would temporarily suspend some features of its systems in order to fully sanitize them and to re-establish full business operation in the shortest possible time.

The attack is part of the sudden increase in cybercrime cases in Italy that began in the second quarter of 2020 and that has claimed “high-profile” victims such as Enel, Geox and Luxottica (a total of 171 cases compared to 47 recorded in the same period in 2019, an increase of 250%!).

The “double extortion” technique and the Ragnar Lockers
The “double extortion” technique is an unpleasant novelty in the cyber universe. It involves encryption, theft and threats of publication that make the victims vulnerable on two levels:
1. Data loss and temporary unavailability of services as a result of encryption. At this level, the damage is similar to that of classic ransomware, including the subsequent ransom note.
2. Publication of data, involving loss of intellectual property. Frequently, this information is auctioned off and can end up in the hands of a competitor, making the affected organization’s position on the market more difficult. In addition to being economic, the damage is expressed in terms of image and reputation, causing a possible loss of customers and a reduction in stock exchange value if the company is listed.

Analysts and observers believe that the organizers of the attack are the Ragnar Locker group, which arose, together with Egregor, from the ashes of Maze, one of the most insidious criminal hacking groups, which recently announced the cessation of its criminal activity. The group is based in Eastern Europe and does not attack computers whose keyboard or system language layout corresponds to that of a country in the former Soviet Union. Ragnar Locker allegedly took part, with its own malware, in the Maze attack against Honda last June. Its first noteworthy independent attack occurred in mid-April 2020 against the Portuguese electricity company Energias de Portugal, resulting in a 10-terabyte leak. Maze has therefore revealed itself as a creature halfway between a mythological Hydra and a Phoenix: two distinct and dangerous criminal groups born from the ashes of a severed head.
Cybersecurity and the implementation of smart working
Faced with the unexpected health crisis, institutions and companies around the world are trying to facilitate the implementation of smart working through the dissemination of adequate rules and procedures. Widespread training of the people involved in teleworking is urgent if we are to avert the real risk of cyber-attacks, for profit or political destabilization, aimed at public, corporate or personal networks and systems.

The introduction of digital devices such as smartphones and tablets into the workplace has undoubtedly increased productivity, while exposing companies to a greater risk of cyber-attacks. The threat becomes all the more tangible and probable the more time employees spend working on these devices, especially remotely. The adoption of secure hardware and software tools therefore becomes an imperative for the protection of corporate information assets.

Recognize and mitigate risks
Among the many risks, working on the move exposes access to insufficiently secure networks, primarily home internet connections. Remote work requires the company to implement procedures and solutions aimed at regulating and managing the flow of information in accordance with the European directives in force. Such organizational and information tools could help organizations prevent threats by defining how the equipment provided to the worker is to be used. Providing employees with encrypted and secure work tools is the first concrete step to mitigate the risk of cyber-attacks.

Furthermore, one of the most frequently adopted tools in the business world is the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST). The framework identifies a series of macro-processes to be used as a guide to manage cyber security incidents. They are:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

The combination capable of defending against cyber-attacks must, in any case, consist of physical security measures, understood as the adoption of measures to guarantee a protected work environment (even remotely) and to protect intellectual assets, and of logical security measures, such as the protection of confidentiality from any accidental or unintentional threat coming from inside and/or outside the company structure.

External and internal risk: how can companies intervene?
Regarding external risks, the GDPR identifies an extensive number of cybersecurity provisions that companies must comply with in remote working mode. We point out:
1. Use of encryption techniques
2. Use of specific authentication systems
3. Constant monitoring of the company network
4. Preparation of prevention and identification tools
5. Use of secure back-ups
6. Activation of a cyber-risk management model

Forms of internal risk mitigation consist in the adoption of specific company procedures, codes of conduct, regulations, etc., able to regulate the activity of smart workers. These rules may include regulating the use of company email and of the applications that workers are allowed to use. Furthermore, training employees on risks can prove fundamental in making remote work safe, as can the revision of the principles and management processes of the company itself (Legal Department, HR, certification bodies, etc.).
QNodeService stepped up its features while operated in widespread credential-theft campaigns
Since mid-2020, a new piece of malware has emerged in the cyber threat landscape. It seems to be linked to the crimeware ecosystem given its main purpose and use, which is the exfiltration of browser and email service credentials from a fairly extensive range of potential targets. The group that operates this threat is currently unknown to us (internally tracked as RedMoon), but we know that it likely operates, at least for the malware samples involving Italian assets, from a country in West Asia, and we noted that it seems to be very focused on keeping its detection rates as low as possible.

A variant of this threat was originally spotted by @malwrhunterteam on April 30, 2020 (https://twitter.com/malwrhunterteam/status/1255840193745215489) and first analyzed by industry on May 14, 2020 (https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/), which dubbed it QNodeService, referring to the use of Node.js as the execution engine of the malicious script that represents the core of the malware. Recently, Telsy Threat Intelligence Division observed variants of this malware being operated against entities and individuals located in European countries.

Download the full PDF report below:
Trying not to walk in the dark woods. A way out of the Maze
After numerous ransomware attacks since its appearance in May 2019, the popular Maze Team recently claimed the end of its criminal activity through a press release on its Dedicated Leak Site. The Maze Team is responsible for the development and maintenance of Maze Ransomware, one of the most advanced and infamous pieces of malware in today’s threat landscape, and was the first adversary to adopt the Double Extortion technique, which allows attackers to maximize their chance of making a profit by demanding a ransom payment both for recovering operations and for avoiding the disclosure of stolen data. Indeed, while for a period of time other threat actors had only threatened to release stolen information if the ransom was not paid, Maze Team was the first to create a DLS (Dedicated Leak Site) where it published data if victims refused to pay or were not cooperative.

On 01/11/2020 Maze Team claimed its project had officially closed. However, it posed a very serious threat to many organizations, and for this reason, in March 2020, Telsy Threat Intelligence Research Team developed and tested a vaccine to prevent file encryption by variants of the popular Maze Ransomware. This vaccine has been made available to Telsy customers and to some Italian and international entities operating in the healthcare sector, and has been released on closed communities to trusted individuals only.

Download the full report below: