Bank of America Insider BEC Scam, FontOnLake Malware, New Findings About Ransomware Costs, Python-based ESXi Server Attack, Office365 Password Spraying
1. Bank of America employee charged with insider BEC scam
- A Bank of America employee and two other perpetrators were accused of money laundering, aggravated identity theft, and alleged involvement in Business Email Compromise (BEC) scams. The three actors targeted small and large companies across the globe, but mainly in the United States.
- By using phishing techniques and deploying malware, the threat actors gained access to email accounts and servers of corporate employees. They then spent many months understanding the companies’ communication styles, billing systems, and vendor-client interactions.
- Finally, when the right moment arrived, they hit the companies by mimicking email addresses and domain names to successfully divert transactions to their bank accounts. Initial investigations indicate that the threat actors have stolen $1.1 million by targeting at least five companies.
Expert Commentary: Most cybersecurity measures focus on threats coming from outside an organization rather than on untrustworthy individuals who hold authorized access to critical data and systems. Because insiders are effective precisely because they use legitimate access credentials, Business Email Compromise (BEC) and ransomware attackers are turning to insiders for help in facilitating their attacks. The notion of a disgruntled employee as a cybersecurity threat is nothing new: such insiders are often promised up to 40% of the ransom payment if they install malicious code on their company’s systems. Enterprises should therefore consider including controls that detect and defend against insider threats in their 2022 IT budgets.
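The BEC actors above diverted payments by mimicking vendor email addresses and domain names. The following added example (not from the article or any of the organizations it mentions) is a defender-side check that flags sender domains which look like, but are not, a trusted vendor domain; the trusted list and the sample addresses are constructed for illustration.

```python
import re

# Constructed list of vendor domains the finance team actually pays (illustrative only)
TRUSTED_DOMAINS = {"acme-supplies.com", "globex.com", "initech.net"}


def normalize(name):
    """Collapse common impersonation tricks: 'rn' for 'm', 'vv' for 'w', digits for letters."""
    folded = name.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("013589", "olesbg"))


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', domain), ('lookalike', impersonated trusted domain),
    ('unknown', domain) or ('invalid', address). Only the registrable name is
    compared, so a swapped TLD (globex.co for globex.com) is caught as well."""
    match = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not match:
        return ("invalid", address)
    domain = match.group(1).lower()
    if domain in trusted:
        return ("trusted", domain)
    name = domain.rsplit(".", 1)[0]
    best = None
    for t in trusted:
        tname = t.rsplit(".", 1)[0]
        if normalize(name) == normalize(tname):
            return ("lookalike", t)
        dist = edit_distance(name, tname)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    return ("lookalike", best[1]) if best else ("unknown", domain)
```

A hit of "lookalike" on an invoice or a bank-detail change request is the signal to verify the request out of band with the vendor's known contact.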
2. FontOnLake malware conceals itself using legitimate system infrastructures to infect Linux Systems
- FontOnLake malware is a newly discovered malware family that infects Linux Systems while remaining concealed in legitimate binaries. The malware deploys a sophisticated stealth technology to maintain long-term persistence on an infected system while delivering backdoor and rootkit components.
- The authors of the malware use trojanized applications for distribution and employ unique command and control (C2) servers and non-standard ports. The compromised Linux utilities discovered so far include cat, kill, sftp, and sshd. It is highly likely that the trojanized utilities were modified at the source-code level and then swapped in for the original binaries.
- The modified binaries then provide remote access to the infected system, load additional payloads and steal information, including sshd credentials. Some researchers have also associated this malware with an advanced persistent threat incident.
Expert Commentary: There is a growing trend of ransomware attackers leveraging virtual machines to deploy ransomware payloads. By targeting virtual machines, an attacker can hide their payload much longer and lower the risk of discovery by security experts while the encryption process occurs. Typically, when a malicious script is used to compromise a virtual environment, the attackers aim to access a company’s Active Directory (AD) domain controller, check what services are running on the network, and rewrite system configuration rules to obfuscate malicious activity. Major ransomware attackers notorious for compromising virtual machines include the Conti and RagnarLocker ransomware gangs.
3. Ransomware costs U.S. companies $21B in downtime alone
- According to security researchers, close to 186 U.S. companies were victims of successful ransomware attacks. Said ransomware attacks amounted to nearly $21 billion in losses due to attack-induced downtime – a whopping increase of 245% compared to 2019. On average, the targeted companies lost nine days in downtime and two-and-a-half months investigating the incidents.
- In these ransomware attacks, threat actors typically requested payments between $500,000 and $21 million, with some threat actors resorting to double extortion tactics. The average cost of downtime to impacted U.S. businesses was $8,662 per minute.
- Furthermore, these ransomware attacks resulted in over 7 million individual records being breached, an 800% increase compared to previous years. The number of cyberattacks in the first half of the year alone led security researchers to suggest that 2021 will be a record-breaking year for ransomware incidents.
Expert Commentary: It’s no surprise that the COVID-19 pandemic played a significant role in increasing ransomware attacks between 2020 and 2021. Rapid changes to how we worked and moved around led cybercriminals to shift their targets from government entities to healthcare enterprises and other businesses with fast-moving supply chain infrastructures. Therefore, we experienced unforeseen levels of downtime within critical industries, which also reminded security professionals about the importance of having robust endpoint management solutions, including a proactive patching cadence and system backup plans.
4. Attackers encrypt ESXi server infrastructure with Python-based ransomware
- In a recent attack, threat actors targeted organizations’ virtual machine (VM) hypervisors, compromising the availability of all VMs. The threat actors deployed a custom Python-based script written specifically to interact with VMware ESXi servers, which encrypted and disabled all virtual disks. Initial access came through a system on which a TeamViewer account with Domain Administrator credentials was running in the background.
- Security forensic experts discovered that the TeamViewer account in question lacked multi-factor authentication. After the initial access compromise occurred, the attackers could remotely exert command and control (C2) over the ESXi shell, into which they copied the custom Python script. When executed, the script encrypted all virtual disks and their settings files, knocking the virtual disks offline.
- Interestingly, the Python script copied into the ESXi shell was only 6 KB in size. Still, it was able to generate a unique encryption key for each iteration of the encryption process.
Expert Commentary: This security incident showcases a unique attack methodology: the attackers introduced a Python script with hardcoded key-generation logic that produced new encryption keys each time the script ran. Security experts trying to mitigate this incident had to combat the dynamic nature of the attack process. Unfortunately, ESXi servers provide a lucrative opportunity for attackers because a single host lets them attack many virtual machines at once. As VMs run applications critical to business operations, organizations are inclined to respond to ransom payment requests to ensure the continued availability of their services.
5. Office365 password spraying campaign targets major defense contractors
- A new threat actor, dubbed DEV-0343 by Microsoft, has been targeting American and Israeli defense contractors. Microsoft intelligence discovered that the threat actors are using zero-day vulnerabilities in Office365 to enact password spraying techniques to take over privileged accounts.
- Password spraying is a technique in which attackers try a small set of likely passwords against many usernames in the hope of finding a match, keeping the failure count per account low. During these attempts, changing the source IP address for every username-password attempt is a common practice known as IP rotation.
- According to Microsoft, the group responsible for this widespread malicious campaign appears to have ties with Iran, and as many as 250 defense contractors (that use the cloud-based Microsoft Office suite) have been targeted so far. Fortunately, fewer than 20 organizations suffered a compromise. Although the DEV-0343 group is rapidly refining its attack techniques, security experts urge organizations to enable multi-factor authentication as one of their first lines of defense.
Expert Commentary: To prevent defenders from capturing the indicators of compromise (IoCs) used throughout this widespread password spraying campaign, the threat actors are using proxy addresses. In addition, the use of Autodiscover to validate accounts and passwords has helped increase the attack’s impact and overall success. Iranian-sponsored threat actors are known to target military-based organizations with maritime and aerospace development capabilities, from attack drones to satellites. In the interest of the Iranian government, these threat actors focus on gaining access to strategic critical assets that will help boost Iran’s posture in the Gulf region.
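The spraying pattern described above (few failures per account, many accounts, rotating source IPs) is easy to miss with per-account lockout alone. The following added example (not from the article, Microsoft, or any affected organization) is detection logic that looks for that pattern in sign-in events; the events are constructed sample data in the form (timestamp, user, source_ip, result), not real Office365 logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for illustration (not real logs): a spray across six
# accounts from rotating IPs, followed by a classic single-account brute force.
SAMPLE_EVENTS = [
    ("2021-10-11T09:00:01", "alice@example.com", "203.0.113.10", "failure"),
    ("2021-10-11T09:00:04", "bob@example.com", "203.0.113.11", "failure"),
    ("2021-10-11T09:00:07", "carol@example.com", "203.0.113.12", "failure"),
    ("2021-10-11T09:00:10", "dave@example.com", "203.0.113.13", "failure"),
    ("2021-10-11T09:00:13", "erin@example.com", "203.0.113.14", "failure"),
    ("2021-10-11T09:00:16", "frank@example.com", "203.0.113.15", "success"),
    ("2021-10-11T09:30:00", "alice@example.com", "198.51.100.5", "failure"),
    ("2021-10-11T09:30:20", "alice@example.com", "198.51.100.5", "failure"),
    ("2021-10-11T09:30:40", "alice@example.com", "198.51.100.5", "success"),
]


def detect_password_spray(events, window_minutes=10, min_users=5, max_fails_per_user=2):
    """Flag windows in which many distinct accounts each receive only a few failed
    sign-ins. Brute force is many failures against one account; spraying is few
    failures per account across many accounts, often with a different IP per attempt.
    Returns one dict per flagged window."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted(
        (datetime.fromisoformat(ts), user, ip, result) for ts, user, ip, result in events
    )
    alerts, i = [], 0
    while i < len(parsed):
        start = parsed[i][0]
        batch = [e for e in parsed if start <= e[0] < start + window]
        fails_by_user, ips = defaultdict(int), set()
        for _, user, ip, result in batch:
            if result == "failure":
                fails_by_user[user] += 1
                ips.add(ip)
        if (len(fails_by_user) >= min_users
                and max(fails_by_user.values()) <= max_fails_per_user):
            # Accounts that signed in successfully inside the same window are the
            # ones to triage first: the spray may have found a valid password.
            hits = sorted({u for _, u, _, r in batch if r == "success"})
            alerts.append({"start": start.isoformat(), "accounts": len(fails_by_user),
                           "source_ips": len(ips), "ip_rotation": len(ips) > 1,
                           "successes": hits})
            i += len(batch)  # skip past this window to avoid duplicate alerts
        else:
            i += 1
    return alerts
```

With the sample data the first window is flagged (five accounts, five source IPs, one success to investigate) while the later single-account brute force is not, which is exactly the gap that per-account lockout leaves open.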