Cybersecurity Week in Review: 10/26
Posted by: GuidePoint Security
Cybercrime hit new lows the past few weeks as criminals resorted to blackmailing children, engaged in what was reported as “one of the worst breaches seen in years,” and shifted to an easier way to deliver ransomware.
Cybercriminals Target Children
The doctor-patient relationship has always been considered sacred. No doctor would contemplate breaching the privacy of a patient by exposing sensitive health records.
Unfortunately, it appears that cybercriminals have no such compunction.
This past week reports surfaced that the patients of a large, nationwide psychotherapy clinic in Finland were receiving blackmail threats due to data breaches dating from November 2018 and March 2019. Victims included children and former government officials.
According to reports, it appears that the cybercriminals had initially contacted the psychotherapy clinic and demanded 40 bitcoins (approximately $537K) to keep the patient records private. The clinic refused to pay. So, the cybercriminals resorted to blackmailing individual patients.
Victims reported that they received emails from someone named the “ransom_man,” stating that since the psychotherapy clinic had refused to pay the ransom, the victim would now have to pay €200 (~$233) in Bitcoin. If payments weren’t received in 24 hours, the ransom would increase to €500 (~$582). After 72 hours, “ransom_man” would publish the data.
According to one victim whose treatment took place when he was a teenager, the psychotherapy sessions’ notes contained highly personal information that he was “not ready to share with the world.” Also, one of Finland’s former Members of Parliament (MP) announced that she was also one of those that received the threat of blackmail. As a result of the breach, the therapy clinic announced last week that it fired its CEO.
Initial reports suggest that the cybercriminals had already published approximately 300 records from patients on the dark web.
More on the clinic breach and the blackmailing of patients can be found here and here.
Third-Party Risk Is Still Crucial
With the announcement that a popular PDF editing tool suffered a major data breach, we are once again reminded of the risk posed by third-party vendor software. The particular company in question develops commercial software to create, edit, sign, and secure PDF files. The company’s website claims they support more than 10,000 businesses globally, including 65% of the 2019 Fortune 500.
According to reports, criminals gained access to a database containing 70 million user records, including email addresses, full names, encrypted passwords, titles, company name, and IP addresses.
The criminals also accessed another terabyte of documents, including financial reports, non-disclosure agreements for new products, and merger and acquisition activities. The private auction price for the data on the dark web started at $80,000. Cybersecurity professionals are calling it “one of the worst breaches” seen in years.
Third-party breaches are nothing new in the world of cybercrime. Readers may remember the infamous breach of a major American retail chain in 2013 that resulted from an HVAC contractor that maintained a data connection with the retailer. This particular breach resulted in the release of names, mailing addresses, phone numbers, email addresses and credit card information for up to 70 million people.
According to a 2017 study by the Ponemon Institute, more than 56% of large corporate data breaches originated with a third-party entity, such as a vendor or supplier. Despite repeated news reports and warnings of the risks associated with third-party vendor access to major corporate systems, reports of third-party data breaches from 2019 and 2020 continue to include some of the most prominent national and global organizations.
Organizations need to work harder at evaluating the safety of third-party vendor access. The types of questions companies should be asking about their third-party vendors include:
- What data and networks does the vendor have access to?
- What are they doing with the information?
- What is the risk to our organization if that vendor is breached?
- Does that vendor share our data with any other external organizations?
Organizations should also maintain an inventory of all third parties with whom any corporate information is shared. Furthermore, organizations should evaluate all third-party vendors’ security practices and consider keeping supplemental agreements requiring vendor security audits and assessments.
More information on tackling the risks with third-party vendors can be found in the GuidePoint Security White Paper Key Components To Addressing Third-Party Risk.
Additional information on the PDF data breach incident can be found here.
MaaS Makes Crime Easier
Research suggests that Malware-as-a-service (MaaS) is gaining popularity over botnets as the preferred choice to deliver threats.
This past week reports surfaced that cybercriminals were electing to deliver the Ryuk ransomware strain via a MaaS tool, the Buer loader, rather than the well-known botnets Trickbot and Emotet.
The advantage of MaaS is that it enables quick setup and deployment of malware without the added complexity of coordinating with the individuals running the botnet. With MaaS, criminals need only focus on delivery and control. Researchers also speculate that the increasing shift from botnets to MaaS could be due to ongoing efforts to bring down global botnet infrastructure, such as Trickbot. (See our article from 10/12 on the Microsoft Trickbot takedown.)
The Buer loader is a MaaS tool that enables cybercriminals to gain a foothold within a network by compromising the victims’ Windows devices. It was often tied to banking Trojans but now seems to be increasingly popular with criminals delivering ransomware. Samples of the Buer loader have been discovered hidden within Google Docs delivered via phishing emails. To activate the loader, victims were required to enable scripted content. Because Buer leverages cloud storage for delivery, forensic analysis is more complicated.
Advertisements for the Buer loader began appearing on dark web forums about one year ago. Buer’s creators describe it as a ‘modular bot’ written in the C programming language, with a command and control server in .NET.
The advertisements promoted the malware loader for rent for a flat fee of $350, including some customization and access to the command and control (C&C) IP addresses. The IP address could also be changed if necessary, for a small additional charge of $25.
Regarding the Ryuk ransomware, researchers noted that activity surged last Spring and Summer, with confirmed attacks against several corporations, including a French IT services firm and a major office furniture maker. During the research, analysts also noted that Ryuk threat actors were increasingly eschewing Trickbot and Emotet to deliver the ransomware; instead, they relied on Buer.
You can read more about the Buer loader and the Ryuk Ransomware here and here.
Final Words
The past weeks have increasingly illustrated how criminals are beginning to value cybercrime tools and the illegal data gathered differently.
Take the case of the Finnish therapy clinic. While criminals have always considered health care organizations low-hanging fruit, historically, social security numbers and credit card information were the intended target because this data could be easily monetized on the dark web. The fact that cybercriminals are now ransoming mental health notes suggests a potential shift in the type of data criminals consider valuable, and this has significant implications not only for the organizations that maintain digital patient notes and records but also for the patients themselves. Many of them may be children or hold sensitive or high-profile corporate and public positions.
In the Buer loader case, we’re seeing criminals make an economic and operational ease-of-use shift from traditional delivery models—such as botnets—to malware as a service, a less cumbersome and potentially less costly threat delivery approach.
With the breach of the popular PDF editing tool, we see criminals recognizing the value of less-than-obvious sources of critical organizational information and leveraging third-party relationships for criminal gain.
Cybercriminals are always adapting. And cybersecurity professionals are still trying to stay one step ahead. As we begin to see shifts in the cybercrime paradigm, we must understand that cybersecurity will require more than just tenacity.
It requires constant vigilance, action and a commitment to protect the vulnerable.
More than ever, we need to remember that security is an action. We get out what we put into it.
GuidePoint Security