Denial of Service (DoS) attack

When legitimate users are denied access to computer services (or resources), usually by overloading the service with requests.

DoS attacks can range in duration, and may target more than one website or service at a time. A DoS attack becomes a Distributed Denial of Service (DDoS) attack when requests come from multiple devices (which have usually been compromised). It's important that your devices are secured so that they aren't used in this way.

Last year a global law enforcement investigation resulted in the takedown of '', which is believed to have been the world's biggest marketplace to hire DDoS services. In the United Kingdom, a number of users have recently been visited by police, with over 250 users of that and other DDoS services due to face action for the damage they have caused.


Although there is technical advice which can help defend against DoS attacks, the majority of this may not be applicable to people outside of an IT role, and not suitable to include in this format. More detailed guidance on DoS attacks can be found on the National Cyber Security Centre (NCSC) website outlined in the 'Useful Links' section below. However, we have included some brief points to consider below:

Ensure that you and your service providers are prepared to deal with an overload of resources. Ask for an outline of how they're prepared for these (and other) incidents.

Incident Response
Understand what impact a DoS attack would have on your business and create an incident response plan. Think about who needs to be involved internally/externally, and clearly define roles and responsibilities for each. DoS attacks can be very public, so also think about how you would deal with any PR related issues. Be thorough, and test your plan!

DoS attacks can be used as a smokescreen to distract from other attacks which have a different aim (e.g. data breaches). Be aware of this and monitor closely for other suspicious activity which could indicate follow up attacks.

If you have fallen victim to this or any other type of cyber crime, report the incident to Action Fraud. You can report through phone (0300 123 2040) or on their website at

Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.


Brute Force

Using computational power to automatically enter a huge number of combinations of values, usually in order to discover passwords and gain access.

Attackers usually employ software to launch different types of brute force attacks. For example, they may configure an attack which tries all the words in the dictionary, or tries lists of common passwords (e.g. 123456), or one that tries combinations of letters and numbers.

Brute force attacks can be time-consuming and resource-intensive, and the success of an attack depends on the available computing power, the number of combinations tried (i.e. the time spent), and the security of the target organisation.


There are a number of protective measures you can take to mitigate the risk of Brute Force Attacks. These are:
Strong passwords
Make sure that everyone in your organisation knows how to create strong passwords, and more importantly know why it's important to do so. The National Cyber Security Centre (NCSC) has some excellent guidance on this, which also covers the use of 'two-factor authentication'. You can find the guidance on their website at

Additional technical measures
Combining a variety of technical measures, on top of the low likelihood of guessing a correct password, makes it significantly more difficult for an attacker to succeed. One common method is to use a 'CAPTCHA'. A CAPTCHA is an automated test to identify whether the entity trying to log in is a human or a computer (you may have seen these in the form of a picture split into segments, where you are asked to select only those segments containing something such as traffic lights). OWASP is an excellent source of guidance for technical IT professionals here; you can find the entry on blocking brute force attacks at

Limit unsuccessful logins
Setting some sort of lockout policy can also protect against brute force attacks. This means that if an attacker has tried to log in unsuccessfully a number of times, the account is temporarily locked. Although this does come with some associated risks, it can make a successful attack much more time-consuming and difficult. Again, the OWASP link above covers this in great detail.
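As an added illustration of the lockout policy described above (this is example code, not code from the SWRCCU page or from OWASP), the following tracks failed logins per account and refuses further attempts for a fixed window once a threshold is reached. The threshold of 5 failures, the 15-minute window, the account names and the passwords are all assumptions chosen for the example.

```python
"""Temporary account lockout after repeated failed logins (added example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failed attempts allowed before locking (assumed value)
LOCKOUT_SECONDS = 15 * 60   # how long a locked account stays locked (assumed value)


def hash_password(password: str) -> str:
    # Constructed for the example only: a real system would use a slow,
    # salted password hash such as bcrypt or Argon2 rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountState:
    failures: int = 0       # consecutive failures since the last success or lockout
    locked_until: float = 0.0


class LoginGuard:
    """Checks credentials and enforces a temporary lockout per account."""

    def __init__(self, credentials: dict[str, str], clock=time.time):
        self._creds = credentials          # username -> hashed password
        self._clock = clock                # injectable so the lockout window can be tested
        self._state: dict[str, AccountState] = {}

    def _password_ok(self, username: str, password: str) -> bool:
        expected = self._creds.get(username)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(expected, hash_password(password))

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())

        if now < state.locked_until:
            # While locked, refuse before checking the password: the attacker
            # learns nothing, and even the correct password is rejected. This is
            # also the associated risk: a legitimate user is locked out too.
            return "locked"

        if self._password_ok(username, password):
            state.failures = 0
            return "ok"

        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0          # counter restarts when the lock expires
            return "locked"
        return "denied"


def run_guess_list(guard: LoginGuard, username: str, guesses: list[str]) -> dict[str, int]:
    """Feeds a list of password guesses through the guard and tallies the outcomes."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for guess in guesses:
        tally[guard.attempt(username, guess)] += 1
    return tally


if __name__ == "__main__":
    guard = LoginGuard({"alice": hash_password("correct horse battery")})
    common = ["123456", "password", "qwerty", "letmein", "welcome", "admin1"]
    print(run_guess_list(guard, "alice", common))   # the 5th guess triggers the lock
```

Once locked, every attempt within the window returns 'locked' regardless of the password, which is what stops a password-list attack but also what makes a careless policy a way to lock out real users.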

Principle of least privilege
Ensuring that accounts have only the privileges needed for their job function means that if an account is compromised through brute force, the damage the attacker can do with that account is limited. For example, not every employee needs access to financial systems, website CMS logins, HR systems etc.

If you have fallen victim to this or any other type of cyber crime, report the incident to Action Fraud. You can report through phone (0300 123 2040) or on their website at

Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.

A Cyber Crime Business Model

The Internet is a major enabler for Organised Criminal Group (OCG) activity. Compared to making money from more traditional crimes, hacking individuals, SMEs and large organisations is a relatively low-cost, low-risk proposition for criminal groups - and there are many parts of the world where such activity is not actively prosecuted by the authorities.

Many of these OCGs share similar techniques and services, and communicate with each other over heavily vetted closed criminal forums on the ‘dark web’ where they can collaborate and advertise new services, tools and techniques.

The cyber crime threat spans different contexts, and covers a wide range of online criminal activity, from scamming activity through to sophisticated attacks against financial institutions and other large organisations. 

However, very few people are aware of the extent of the online criminal ecosystem that supports and enables these attacks, and the business model behind it. It's very important to know what you're up against so you can defend yourself adequately.

How an OCG is set up
Most of the people within organised crime groups will have unique and valuable skill sets. Typically, these roles will comprise:

Team leader
A successful criminal group needs a team leader to oil the wheels and keep everyone in check. Sophisticated and successful cyber crime activity is managed by a co-located, or closely connected, OCG.

Coders
Coders, also known as malware developers, will write and update new code for malware, or plagiarise or modify publicly available malware. Cyber crime malware has progressed significantly in the past 10 years, from enabling basic access to a network or system to being able to:
  • execute a wide range of commands on a host
  • hide from antivirus
  • remotely control the victim's machine
  • wipe Master Boot Records
Some forms of criminal malware are also able to hide in memory, so that even when you think you have removed them from the machine, they can re-establish themselves when it's rebooted.

Network administrator
Not every group will have a network administrator or bot herder, but when present, they are responsible for hijacking (compromising) hundreds of online servers and devices which, when linked together, are referred to as a ‘botnet’. Having such a large network of devices within their control means bot herders have a significant network of machines to exploit.

Intrusion specialist
If an OCG manages to successfully install malware on a business network or other major target, then an intrusion specialist will step in with their own toolkit to ensure the malware presence is enduring and that they can exploit the network, often working to gain administrator privileges to gain access to the most valuable applications and databases.

Data miner
A cyber crime group will also often employ a data miner. Cyber criminals are now adept at stealing data in bulk. However, data is valueless if it cannot be viewed in a format that can be easily sold on or exploited. A skilled data miner can identify and extract the data of value so that it is 'clean', categorising it and presenting it in a way that can be used to make money, or sold on a criminal forum to other criminals to exploit.

Money specialist
Once an OCG has clean data, they can ‘monetise’ it. A money specialist can identify the best way to make money from each type of dataset. This could be selling in bulk to trusted criminal contacts, or by using specialist online services.

How criminals access networks and steal data
The most common way your computer might become infected with data stealing malware is still via phishing emails which contain malicious links or attachments. In a report from Action Fraud, it was found that over 90% of cyber attacks used phishing as an attack vector. Other common ways your computer might be compromised are through visiting genuine websites that have been compromised with malicious code (known as a watering hole attack) or adverts that redirect you to a malicious server that will serve up advertisements to your computer (known as malvertising).

How phishing works
Spam emails have been used for years to deliver malware, but these have evolved significantly. By using interesting or concerning topics within the spam email (like fake invoices or banking security notifications), you’re encouraged to open them quickly out of curiosity, or concern. When you do, malware is deployed which will attempt to exploit your device. Whether it succeeds or not is often dependent on how up-to-date your antivirus is, and how well patched your operating system and software are.

The attachment in the spam email will often only contain a basic piece of malware or a ‘loader’ which, when deployed to your computer, is used to determine whether or not a full exploitation is possible or worthwhile for the cyber criminal. Once this determination is made, the loader will reach back to the cyber criminal’s malicious server and download a full malware package to it. An example of this can be seen in one of our recent case studies looking at Emotet/Ryuk/Trickbot (available from our archives at

Watering holes and exploit kits
In the case of watering holes (or some spam emails containing malicious links), you will be redirected to an exploit kit - a suite of computer programmes which scan your computer for exploitable vulnerabilities. When one of these vulnerabilities is discovered, an appropriate exploit will be deployed, which will then enable the installation of other malware to exploit your device. Once the malware is deployed, the whole range of tools contained in its code can be used to obtain what the criminal needs.

How criminals turn data into cash
Criminals monetise data in a number of ways, but generally the OCG will either do it themselves, or they will sell any stolen data on to other criminals to exploit in what is known as 'secondary fraud'. To exploit bank accounts, an OCG will use specialists (known as money mules and mule herders) to launder stolen money through a myriad of accounts, eventually overseas and into the hands of the OCG. If an OCG is going to sell the data, there are hundreds of criminal websites to facilitate this, including something called an Automated Vending Cart (AVC) where data can be bought in bulk with digital currencies such as Bitcoin.

How cyber criminals use the ‘online marketplace’
For the most organised and technically advanced groups, many of the services described are carried out 'in-house' as part of their own business model. For smaller groups or individual criminals, these services can be hired on the cyber criminal 'online marketplace' using a plug-and-play approach to crime. Most of these services will be openly advertised in criminal forums. Some of the other typical services that are also regularly used by cyber criminals include:

Counter Anti-Virus (CAV) Services, which scan malware against all of the Anti-Virus packages currently on the market to ensure it goes unnoticed when it is deployed against a victim's device.
Bullet Proof Hosting Services, which rent servers to host online criminal activity, but will not co-operate with local or international law enforcement (hence 'bullet proof').
Escrow Services, which act as a third party during transactions between untrustworthy criminals, holding onto payments until the buyer is happy with the quality of the service provided.
Cryptor Services, which put an encryption 'wrapper' around malicious code to give it the best chance of going undetected.
Drop Services, which help any criminal business translate ill-gotten gains into cash. This service helps multiple crime types (including cyber criminals) transfer money between bank accounts, physically move currency across international borders, or convert it into other less traceable currencies such as Bitcoin.

(This article summarises the NCSC's report on criminal online activity - to read the full report visit the NCSC website at

How to Protect yourself

The NCSC publishes two key products covering how best to protect individuals and businesses from cyber crime:

Cyber Aware: cyber security advice for individuals and small businesses, including software updates and information on creating effective passwords

Cyber Essentials: industry-supported scheme to guide businesses in protecting themselves against cyber threats

We (the SWRCCU) offer advice and guidance to organisations of all sizes and sectors based in the South West. We offer a range of workshops, from awareness presentations to incident response sessions. If you're interested in hosting or running these types of workshops, then get in touch with us.

If you or your organisation have been a victim of ransomware or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre at or via phone on 0300 123 2040. Action Fraud have a 24/7 reporting capability for live incidents.

Man-in-the-Middle Attack (MitM)

A type of cyber attack where attackers eavesdrop on and possibly alter the communications between two parties.

A MitM attack allows criminals to see what websites a victim is visiting, read their emails, steal credentials, and/or impersonate others for further malicious purposes.

Attackers can do this in a few different ways. For example, they could set up their own 'fake' Wi-Fi access point which users connect to - all of their web traffic and information will then be captured by the attacker. Similarly, an attacker can set up their access point to have the same identifying name as one which a user has previously connected to - the user's device may then automatically attempt to connect, and again the attacker can capture a lot of potentially sensitive information whilst the device is connected.

If you are communicating without secure encryption (e.g. through public open Wi-Fi spots that don't require a login, or websites that don't use HTTPS), then there is a risk of an attacker being able to take advantage of common openings to hijack that communication.

Alternatively, routers are another way in which an attacker can carry out MitM attacks. If a router has a weak password, or is still using the default factory settings, then it is relatively straightforward for an attacker to gain access to it. They can then gather information about the devices connected to that router, or even redirect those users to malicious websites.


There are a number of protective measures you can take to mitigate the risk of MitM attacks. These are:

Don't use open/public Wi-Fi hotspots to conduct sensitive transactions or correspondence.
Be wary of connecting to hotspots that do not require a password to connect.

Disable 'auto-connect to networks' (or similar setting) on your devices
This can help prevent your devices connecting to compromised networks/spoofed networks.

Change the default/factory admin and password settings for your routers to mitigate the risk of them being compromised.

Look for HTTPS
Avoid exchanging information across websites that do not use HTTPS. (Note: just because a website uses HTTPS, it does not mean it is 100% legitimate - you still need to verify that a site is authentic through other means before you exchange any sensitive login details, e.g. check for misspelled URLs, suspicious or out of place links etc.)

If you have fallen victim to this or any other type of cyber crime, report the incident to Action Fraud. You can report through phone (0300 123 2040) or on their website at

Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.


Remote Access Trojan

A tool used to enable criminals to connect to a victim's machine remotely and perform a number of unauthorised actions.

A RAT can allow attackers to access all files, features of your computer (e.g. microphone/webcam), and even use your computer to distribute malicious software to other devices. Recently, criminals have also used RATs to install cryptomining software, which then uses a device's processing power to generate cryptocurrency.

Remote access tools are used legitimately by IT professionals to perform maintenance on devices. However, the tools used to gain unauthorised access to victims' devices are often designed to aid malicious intent. For example, these tools do not request permission on the accessed device, they tend not to notify the user that the service is running, and any command interfaces are generally hidden.


Signs of a RAT on your system include a slow internet connection, unknown processes running on your systems, and files that have been modified/deleted/installed without permission. Here is some advice to protect against this type of attack:

Make sure that software and operating systems on your computers/laptops/phones/tablets/IoT devices are updated with the latest security patches.

Install reliable antivirus software, and keep this updated!

Firewalls act as a filter for malicious traffic. Make sure that you have them set up and configured correctly (ask your IT provider if you're not responsible for this).

Always be careful when you are asked to click on links or download attachments from emails, websites or social media. There's usually a way to get whatever it is you need without clicking or downloading something. If there isn't, then be certain that the source of the request is trusted. See the NCSC phishing advice.

If you suspect that you have been infected with a RAT, here's what to do:

Disconnect your device from the network in order to prevent further malicious activity

Run a full security scan of your devices and remove the threats by following the recommended steps from the security software.

Once you believe that the infection has been removed, change the passwords for your online accounts and check any financial activity. If there is any unusual banking activity, inform your bank.

Report the incident to Action Fraud (0300 123 2040 or via their website). Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.



Ransomware is still a huge threat to organisations, and continues to feature in our investigations. In this issue, we take a look at a few ransomware variants which have emerged as prominent threats. We also share some highlights from social media and the Cyber Security Information Sharing Partnership (CiSP).

#1 - RYUK

RYUK is a type of ransomware which infects victims via Remote Desktop Protocol (RDP) attacks. Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally. This variant is a targeted ransomware where demands are set according to the victim's perceived ability to pay.

The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack.

Unlike most other ransomware variants, RYUK doesn't rename or change the victims' file extensions. It does however still create an HTML file on the desktop called 'RyukReadMe.txt' giving the instructions on how to pay the ransom. It also provides a unique ID to the victim which they should include in any email when contacting the suspects.

Earlier this year the NCSC released an advisory document regarding Ryuk ransomware campaigns targeting organisations globally, including in the UK. This can be found at

#2 - Snatch

Snatch ransomware is distributed via spam emails that contain infected attachments, but has also been known to target victims' exposed RDP ports and attempt to brute force the password.

Once the files are encrypted, a file called "Readme_Restore_Files.txt" is placed on the victim's desktop and in every location where files have been encrypted. The text file contains the ransom note, with instructions for the victim to follow in order to get their files back and the ransom amount.

All the victims' files are also renamed with the ".snatch" extension. There are currently no tools able to decrypt Snatch, with the remaining options being paying the ransom (not advised) or restoring files from a backup/system restore.

#3 - STOP

The STOP ransomware variant surfaced at the back end of 2017, and is typically delivered via phishing attacks.

Once a device is infected, the ransomware encrypts it and places a file on the victim's desktop called "!!!YourDataRestore!!!.txt".

It was previously seen using the ".DJVU" extension; however, it now uses the original ".STOP" file extension.
The ransomware demands between $300-$600 and leaves two email addresses and a Bitmessage address for victims to get in touch with to get their files back.
There are currently no tools available to decrypt the data once it has been encrypted, therefore the only way of getting it back is to restore everything from a backup.

#4 - Bitpaymer

Bitpaymer is another variant which has been consistently affecting organisations for some time.

We covered an investigation looking at the interplay between Bitpaymer, Emotet and Trickbot in an earlier case study. You can read this at

#5 - LockerGoga

LockerGoga has been found to abuse the same system administration tool used by various other ransomware strains such as Bitpaymer. Cybercrime botnets such as Emotet, Dridex and Trickbot are commonly used as an initial infection vector, prior to retrieving and installing the ransomware.

In many cases it's difficult to know the root causes of the preceding compromise, especially when the ransomware can encrypt some of the sources which might be used for analysis. Cases observed often tend to have resulted from a trojanised document sent via email. The malware will exploit publicly known vulnerabilities and macros in Microsoft Office documents.

LockerGoga encrypts files stored on systems such as desktops, laptops, and servers. After the encryption process, LockerGoga leaves a ransom note in a text file (README_LOCKED.txt) in the desktop folder.

Points to consider

  • Ransomware was extensively covered in the NCSC's recent Incident Trends Report, including how to remediate the threat. You can find the guidance on their website at
  • In line with national advice, we do NOT recommend paying the ransom, for a number of reasons.
    • Firstly, there is no guarantee that you will actually receive a decryption key if you choose to pay, and even if you do receive a decryption key there's no guarantee it will work as intended.
    • Secondly, if criminals know that you are an organisation which is likely to pay out on ransomware, then there is a chance you could be a target for repeat attacks.
    • Finally, all ransom payments fund criminal activity, and criminals will continue to employ this tactic if it is consistently successful.
  • A good backup policy is essential to countering the effects of ransomware. Know what data is in your backups, and test that they work as expected! In one of our previous ransomware investigations, when it came to restoring from a backup, a company found that their outsourced IT support were only backing up HR files. As a result they lost 6 years' worth of financial and project data.
  • Below are a couple of other resources from the National Cyber Security Centre around good backup policies/procedures:
  • Another proactive way to mitigate the effects of ransomware is good internal network segmentation. If done correctly, this means that any malware infestation is limited in its ability to affect the whole network. The NCSC guidance on Preventing Lateral Movement is a useful resource which expands on this (found at
  • If you or your organisation have been a victim of ransomware or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre at or via phone on 0300 123 2040. Action Fraud have a 24/7 reporting capability for live incidents.
