In September 2020, cybercrime caused the death of an innocent victim. A patient suffering from a life-threatening illness had to be turned away from a hospital in the city of Düsseldorf because its systems had been blocked by a ransomware attack. This forced the ambulance transporting her to drive to a hospital in the nearby city of Wuppertal. The patient died on the way. The threat actors breached the hospital using a hole in Citrix software.
Ransomware Hits Hospitals
Hospitals remain a popular target, even in COVID-19 times. At the end of September, Universal Health Services, which has more than 400 locations, was on the receiving end of a ransomware attack. Since Ryuk ransomware was used, fingers were pointed at Russian cybercrime group Wizard Spider.
Ransomware attacks were rampant again, becoming more sophisticated. Let’s start with Thanos, a Ransomware-as-a-Service (RaaS) advertised on Russian-speaking hacker forums that allows affiliates to customize their own ransomware through a builder offered by the developer. In September, we saw a new variant that was used to attack two state-run organizations in the Middle East and North Africa. This Thanos version overwrites master boot records (MBR) to deliver its ransom note demanding $20,000 in Bitcoin. This particular attack involved multiple layers of PowerShell scripts, inline C# code and shellcode to load the ransomware into memory and to run it on the local network using previously stolen credentials.
In September, a new ransomware group joined the scene, targeting large corporate networks. Dubbed OldGremlin, they used self-made backdoors and file-encrypting malware during the attack. They used the custom backdoors TinyPosh and TinyNode and the ransomware TinyCrypt (aka decr1pt), as well as third-party software for reconnaissance and lateral movement such as Cobalt Strike and NirSoft’s Mail PassView for email password recovery. For now, OldGremlin’s victims are limited to Russian medical labs, banks, manufacturers, and software developers. This could change in the near future.
The attacks follow a familiar path:
- Spear phishing emails were sent, impersonating well-known individuals such as journalists.
- The emails contained malware, the TinyPosh or TinyNode backdoor, for initial access.
- Once inside the victim’s network, additional modules were downloaded from the C&C server.
- Remote Desktop Protocol was used for lateral movement.
- OldGremlin identified valuable systems and then initiated file encryption.
- Server backups were deleted, and hundreds of corporate computers were locked.
- The ransom note was left behind asking for around $50,000 in cryptocurrency for the decryption key.
- For contacting OldGremlin, a Proton email address was included in the ransom note.
At the end of September, Arthur J. Gallagher & Co., one of the largest insurance brokers in the world, was hit by a ransomware attack. Threat actors gained access via two F5 BIG-IP servers vulnerable to CVE-2020-5902, an unauthenticated remote code execution vulnerability. The company was forced to take all its global systems offline.
During September, FinSpy for Microsoft Windows and Android was distributed through a fake Adobe Flash Player download website. FinSpy is a commercially available spyware suite popular with threat actors, but also used by law enforcement agencies and governments around the world. Produced by Munich-based FinFisher GmbH, FinSpy is known to be used for spying on Human Rights Defenders (HRDs) such as activists, journalists, and dissidents. Once installed, FinSpy can intercept communications, access private data, and record audio and video.
We are concluding this wrap-up with the cyberattacks aimed at the Vatican. China-based RedDelta launched cyberattacks against the Vatican and Catholic institutions ahead of the renewal of the China-Holy See deal. Using spear-phishing emails containing the PlugX remote access tool (RAT), the threat actors gained insight into the negotiating position of the Vatican ahead of renewal. RedDelta used multiple PlugX C2 servers as well as Poison Ivy and Cobalt Strike Beacon C2 infrastructure to communicate with the compromised servers of the Vatican.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI.