It’s a year like none we’ve ever experienced. COVID-19’s effects have reverberated around the world, and around cyberspace too. What’s been happening in the threat landscape while we were all preoccupied with the pandemic? How have cyber attackers adapted to the new normal, and how are they exploiting COVID-19? Christine Bejerasco and Calvin Gan, of F-Secure’s Tactical Defense Unit, joined us for episode 44 of Cyber Security Sauna to discuss. In this episode: How threat actors are taking advantage of remote work; email and phishing threats; infostealers and how they profile a company network; and why a ransomware infection may be just the tip of the iceberg.
Learn more details about threats from the first half of the year in our new report, Attack Landscape H1 2020.
Janne: Welcome, guys.
Calvin: Thank you Janne for having us.
Christine: Happy to be here.
I’m sure COVID-19 will feature prominently in this discussion, but while we were looking at the COVID situation in the news, and that was all the news, all the time, what did we miss in the threat landscape?
Calvin: I think one of the things we really missed or really didn’t highlight a lot was about ransomware, where organizations are getting breached with all these infections. While everyone is talking about COVID-19 and how it’s affecting the remote workforce, what we also are seeing at the moment is how ransomware is affecting organizations. We have bigger ransomware group cartels now forming, targeting organizations, building up their resources, and making much more solid attack grounds. And basically it’s a modernized APT, if you want to call it that.
Okay, so while we were looking at the real world outbreak, there was another outbreak happening in cyber space.
Calvin: In a way, yes. We have seen companies coming out saying that they are breached by ransomware, and we have also seen some companies caving in to the demands of this ransomware.
Christine: What we have noticed ransomware has now been doing as well, in addition to just asking for ransom and demands, has also been that if you don’t pay the ransom, your data, which they have also already exfiltrated in the first place, will now be exposed to the outside world. Essentially telling you that, okay, if we expose your data, then you will end up paying these GDPR fines instead. Because these are data that your customers have.
The previous extortion that ransomware had has evolved to this data exfiltration, which evolved to a different type of extortion and exposure. And the funny thing about this is that for instance, Ramner ransomware, they call this a bug bounty program, like a security assessment program, that they did a security assessment for you and you’re not even paying them. It’s amazing.
You’re not paying a ransom, you’re paying a fee for their findings.
Christine: Yes, exactly.
Yeah, that’s a narrative I’ve seen once or twice in the space, and I’m like, that’s not how that works, guys.
Calvin: And I think what’s happening is this ransomware as a service, we talked about it last year, is I think these people are really thinking of it as if it’s a business. So to them it’s just running a service, getting paid for what they are doing. But in the eyes of the victim it’s a completely different story.
Is this just a natural evolution of ransomware, or does this tell us something about a change in tactics? Is the compromise that leads to a ransomware attack now more comprehensive or something like that? Because I think we’re seeing these attackers selling off the access they have into a network, and just selling information to competitors and doing all sorts of things, and the ransomware attack is almost like an afterthought in some of these cases.
Christine: I don’t think that it’s limited to ransomware, but it’s definitely a natural evolution of how threats evolve. So threats have always been opportunistic. Whenever there is a new area that exposes itself for them to exploit, they try to get in and try to exploit that. So for instance, when attaching executables to emails no longer works, they start attaching Word documents.
Now when there’s these GDPR fines that are already out there, it’s something that they could potentially exploit as well, whenever their ransom demands don’t get paid. So they keep on evolving, the threat actors, not just limited to ransomware of course, whenever there’s a new area for them to exploit.
Calvin: I think one of the things we are also seeing is it’s just like how fashion evolves, the same thing with these sort of attacks as well. First they target organizations. When organizations are much more aware, they buck up their security, then they start targeting consumers, and then when consumers are now having so much more awareness about all these happenings, now they are back to targeting organizations. So I think it’s just a cycle that keeps on going. And like everyone says, it’s a cat and mouse game in this industry.
So do you have any predictions as to any new directions ransomware will take for the rest of the year or in the future?
Calvin: We have started seeing this already, and this probably will continue: Ransomware, while we talked about email being a vector of distribution, but we are also seeing them starting to exploit known vulnerabilities. For example, we are seeing VPN software, conferencing software, communication software, all having vulnerabilities disclosed. And these are probably new vectors that these ransomware authors are going to dig into.
And as we move off to cloud services, and as we move to more remote workforces, these tools are just going to be added on to those default computer systems. And again, patch management is probably going to be something that is going to be hard to control. This will likely be the next vector that they will look for.
Christine: It’s interesting that Calvin mentioned that, because ransomware, previously in the past few years, has been the type of threat that’s casting a wider net, and just trying to infect whoever is available. But then when they realize that organizations are the ones who are actually paying the ransom, not individuals, now they have moved towards targeting organizations more and more. But since organizations pay a lot of money, you don’t actually have to spread out your ransomware via automation. You can perform manual attacks. You can really have attackers on the keyboard deploying ransomware, and the payoff would still be worthwhile.
So most likely this will continue, the exploitation of networks and systems using manual methods, using attackers on the keyboard in addition to the tooling that they will be performing as they deploy this ransomware. And of course when you have attackers on the keyboard, the moment you get in, you can start killing security systems that have been put in place. For example, the endpoint protection products. And this is something that we have continued to see as well.
Ransomware is one thing, but where do we stand with other malware, like banking Trojans or cryptominers or stuff like that?
Calvin: For those, we still see them in a steady stream. We have seen Bitcoin prices surge, and then we have also seen cryptominers taking advantage of that. These are still going on, but they are not as prominent as, let’s say for example, infostealers, in a way. Because those harvest much more personal information that can be used longer term, and can be used for a much better and larger pool of financial gain, versus just cryptomining, for example.
Christine: That’s actually really fascinating, these infostealers. Because when it comes to the bulk of the malware that’s massively spread at the beginning of the infection chain, if you may, infostealers are there. And I don’t think that we have seen enough extortions, or we have seen enough output of what they are stealing and what they are using this for nowadays. But there’s so many infostealers that are gathering information, and the only thing we typically see is that they give this information to ransomware threat actors, because this is related to the networks of those they are trying to gather information from, and then the ransomware threat actors are using this to deliver their payload.
But what else are they doing with this information? Because they most likely have been gathering so much, and they’re just storing it out there. So in a way it’s kind of interesting if there’s going to be at some point like a second wave of potential extortion that’s going to happen because they are sitting on these piles of information related to these companies that they have infected.
Should we maybe clarify what we mean by that, like what’s an infostealer and how is that different from other types of malware that we’re looking at?
Christine: Infostealers essentially, they are what their name indicates. They just steal information, and that is the main purpose for what they’re there for. So they will either steal information related to the computer that they have infected – is this computer a system administrator? Does this belong to a domain admin? What is the information that’s inside this computer? Is this a file server? Is this a domain controller, for instance? And what is the topology, what is the structure of this network that I’m in, whenever I move from one device to another?
So understanding the network, understanding the system, and understanding what’s inside the system, the files and the accesses, that is the purpose of these infostealers. So basically they’re just doing reconnaissance, gathering information.
Yeah, and that happens automatically after I get compromised?
Christine: Not necessarily. So, the compromise, for instance, if you talk about Emotet, it’s really just about penetrating into the networks and the systems, and then the malware stays there.
But the infostealer, it’s like automating the reconnaissance that is being done by a typical attacker on the keyboard. So when you’ve automated that, then you have just a malware that moves from one machine to another. Maybe some slight controls may be done remotely. But the only purpose of them moving from one machine to another is really to profile the network, to gather files perhaps, to exfiltrate them in advance, but not yet to deliver anything else. So just really mapping the network and profiling it.
Okay. But the point is that the attacker sort of wakes up one morning and instead of just having a shell into my computer, there’s all this information he already knows about my system.
Calvin: And when we are looking into consumers as well, infostealers are known to steal browser credentials and things like that as well. So while we talked a lot about corporate information that’s valuable, for consumers as well, information such as this is quite valuable. And we have also seen infostealers just looking into cryptowallets that are available in these consumer systems. That’s probably a much faster way to gather Bitcoins, for example, than just mining from the system.
Christine: What we have seen as well is that in the darknet, we do have some of these threat actors selling a bunch of credentials that they have stolen. So they sell piles of PayPal information, and then they even mention that okay, this one has this much credits under this PayPal. Or they sell credit card information with CVV information. So they do have piles of this being sold in bulk as well, whenever a target is an individual, or a consumer. So these are the mass targets that they have. It’s a data dump, essentially, that they sell.
So how has the COVID-19 pandemic been evident in the cyberthreats we’re seeing?
Christine: The interesting thing about COVID-19 is that, compared to all the other events previously, in different geolocations, never have we seen before that different threats have aligned their themes under one topic. So the moment January hit, we have seen Emotet using information from Japan related to COVID. And when COVID moved from one country to another, there’s other threats, like Agent Tesla, Lokibot, using the COVID theme, until eventually, it looks like everyone is using the same theme now for spreading the malware. Everywhere. And they are using different languages.
For instance while COVID was spreading in Italy, they were using the Italian language and targeting an Italian-speaking audience. They were using the Vietnamese language, they were sending Japanese emails for those that were in Japan and the topic was everything COVID. So especially during Q2, the second quarter of this year, a lot of this was happening as the virus in the real world was hopping from one country to another.
I mean, we’ve seen spammers for example, or phishers, use local catastrophes before as their theme, but like I said, those have been local catastrophes. So do you think a reason why everybody’s talking about COVID-19 is because everybody’s talking about COVID, and this is the first truly global catastrophe that we’ve seen?
Christine: Exactly. So it is truly global, and it is truly evolving. There are sub-topics, of course, under COVID, like at the beginning, the topics were all about how do you make your own mask? Where can you buy a mask? We are now trying to scam you and sell new masks. And eventually it evolved to, where can you get vaccines? Who is now at the forefront of making vaccines? And there are also scams saying that okay, here is some medical equipment, this is the price list that we are offering you. And apparently the price list has a malicious macro inside of it, so it’s an Excel with a malicious macro.
So whenever the topics even under COVID itself have evolved globally, the subtopics that the malware have been using have also evolved. Maybe they tried to keep it interesting and relevant and timely for the potential targets of the malware.
Calvin: And I’d like to add on also, while the topics are evolving based on the current use, one thing for sure that malware authors are still doing is to make topics that are really relatable to end users. So we still see shipping-related malspam, but just with the theme of shipping thermometers to you, for example. So these are still the same lures in a way.
So we’ve gone from “Here’s an Amazon package of whatever arriving to you,” we’ve gone to like, “Here’s an Amazon package of masks arriving to you.” (Laughing)
Christine: Exactly. And I mean, it’s true. There are even times that it’s saying that “An Amazon package is arriving, but due to quarantine measures in your community, it’s going to be late.” So it’s still related to COVID, but still relevant to what the potential target of the message may be doing.
Oh, that’s nice. That’s interesting. All right, so we’re talking about email now. How big is email as a distribution vector?
Calvin: Well, we have noticed an increase for sure compared to the end of last year versus this year itself. We have seen it up a few notches in percentage here and there. But it’s slightly attributed to how successful email as a vector is. Email is still having a huge success rate of infecting a system.
Christine: This is probably because email is easy. I mean, if you’re the type of attacker who just wants to try this thing out and see if it works, does it stick, you send it out via email, maybe it works out. And also nowadays, the attachments that they put in the email are not exactly the final malware payload.
So for instance, Emotet, it is a distribution vector for other malware. So the only point of installing that really, is that so other malware can then be distributed on top of that. So they try to spread it out so that they can cover as much ground as possible, and then they sell that ground, that land if you may, that they have amassed, to whoever would like to install something on top of it. So it’s not very targeted at the beginning, but it gives them more opportunities to open up to other threat actors what they have to offer.
So these attackers are really thinking in terms of like, install base. Like, here are all my customers, would somebody like to hit these guys with something?
Christine: Yes, exactly. And that’s also quite fascinating, actually, because I don’t think they planned this at the beginning. Emotet, for instance, started as a banking Trojan spreading via email of course, for, at least, I think it was three years. And after that, it looks like they realized that they have amassed such a large user base that they changed. They weren’t a banking Trojan anymore. They started to sell that user base to distribute other malware. And other malware did come and start distributing through the space that they have already acquired.
But this has the worrying implication that, you know, if I’m a CISO defending an organization and my organization gets hit by something that looks like run-of-the-mill ransomware, for example, that could just be the tip of the iceberg. Like, I don’t know what’s happening underneath. Maybe these guys just dropped the ransomware but also sold off the access to whoever. Anything from APT groups to criminals.
Christine: That is entirely possible. For instance, I’ll use Emotet once again as an example. The moment Emotet is in, the next malware that it typically installs is an infostealer, for example, Trickbot. And then what it does is that it gathers information from different systems within the network. It tries to see which are potentially high value targets. And then that information coupled with the land that was amassed by Emotet, is then the one that is sold to a herd malware author who will now decide like for example, “Okay, I want to install ransomware. Because it looks like if I encrypt the files within this important file server, then this organization might pay.”
So it’s not only one malware anymore that they install. They can install several ones, and then when they amass that information, maybe indeed, ransomware is only the tip of the iceberg, maybe. Maybe afterwards there’s some extortion that’s going to happen. So the organization cannot be certain at all.
Calvin: Putting it easy, basically, malware like Emotet is offering rental as a service. They have all the tools needed, they just rent it to whoever wants it, and they just perform whatever is needed.
What does that look like? What kind of a person rents something like this? Does that person already have access, or is it just like “I want to be a criminal, let me just rent out all the skills and capabilities and tools, because I don’t know anything myself.”
Christine: This is actually not new. Previously, in the world of exploit kits, it was almost a decade ago, I guess, Blackhole exploit kits. They also evolved from doing things themselves to renting it out. And in the same way as Emotet, this usually happens when they have amassed a large enough user base, and they have actually amassed a success story. When it looks like they are very successful in distributing themselves, others who are trying to push different types of malware most likely notice this as well.
Plus, of course, in the cyber security community, we do write blog posts about this, that this is a very popular malware now and it’s very successful, and then the other bad guys would most likely notice and say “Hey, why don’t I just partner up with this guy? Why do I need to worry about my distribution when I can just focus on developing my payload to the best of my ability?”
That makes sense. I do want to get back to the COVID emails a little bit, because I’m seeing people all around me getting sick and tired of always everything being about COVID. COVID news, they just switch the channel, and stuff like that. So is that happening in the spam email, that they are becoming less effective because people are – I mean, you talked about how they are about COVID while not being about COVID. So is that the trend that we are seeing and we think is going to continue?
Calvin: I think it’s just – it’s happening, I think people are growing fatigued of this already, with the COVID-19 topics. So we have also seen some malware going back to their usual Amazon shipping, DHL shipping themes. But at the same time, we are also seeing malware authors following trends and trendy topics at the moment. So for example in June we have seen Black Lives Matter-related spam email that comes with a malware attachment.
So what we get out of this is basically these guys are quite fast in adapting to new topics, and when something doesn’t work anymore they just switch immediately to something else.
Yeah. All right. So how about the switch to remote work for companies around the world? What are some of the things we saw threat actors doing to take advantage of that situation?
Calvin: Well, one, Office 365 has been quite a popular topic, at least on the phishing front. As more companies switch to cloud software, they are getting less on-prem software. So phishing pages have been updated to quite realistic-looking ones as well. We have seen Microsoft telling people and warning people that their Azure login page has been spoofed as well in phishing emails, and we have seen an Office 365 quarantine email notification being spoofed. So again, when remote workers are at home and when they are starting to onboard more of these new toolings on their systems, we see attackers targeting these new attack vectors, either through software or through these types of different phishing emails.
A remote workforce means more firewall ports that need to be opened, and one external report actually mentioned an increase in RDP attacks. And this is basically quite common because Remote Desktop Protocol is something that’s enabled for IT personnel to access remote work systems, so we have also seen an increase in this area as an attack vector, and that also has been proven with external studies as well.
Okay. Is there any chance that this move to remote work has made people assume more responsibility of their own security, and sort of, that in the end it will make us remote workers more resilient?
Christine: There is some chance. We don’t know if that is really catching up fast enough. This is definitely a relationship between the employee and the employer as well, because while you are at home, what are the types of security controls that are deployed in your home network versus what you have in the environment in the business? So for instance, yes, if you use RDP, you can RDP to your business. The network probably has better controls than what you have at home. Therefore, your home becomes the point where it’s most likely most vulnerable to attack.
So we have seen as well that there are some employers that have now included a security package like an EPP package, and included their employees’ homes for instance, for that distribution. So they’re offering that to their employees, so that they can secure their employees’ homes and the computers within that network as well, as an extension of the office.
Calvin: I think it’s quite controversial in the sense where, I think there have been questions posed outside asking, should the employers be protecting the employees’ home? Or should they be busy protecting the employer’s networks, hardening them?
Yeah. But do we think people are becoming better at using tools, like you mentioned endpoint protection, or VPNs?
Christine: It’s definitely interesting now that you mention VPN as well, that during the time when these things started, the VPN providers were also providing quite sizeable discounts when it comes to their offerings. Which most likely means as well that there has been some demand and they are competing against each other when it comes to offering VPN solutions to their customers. And the small and medium businesses are now also thinking, okay, whenever my employees are at home, then maybe the first thing to give them is a VPN, at least to secure, or to hide, to cloak their traffic when they visit my corporate network. So the VPN things, it looks like they are rising. I mean, of course, the videoconferencing things are rising, and the potential security vulnerabilities when it comes to these online meetings are getting exposed, and actually getting plastered quite publicly.
So there is definitely awareness that is increasing when it comes to security and the use of the tools that we need in order to perform remote work. But the part whether that is enough for the employees themselves to be very vigilant in protecting their homes, maybe it will take a while to go to that level of vigilance, but the awareness is definitely already starting and it’s already there. So they’re thinking about how some of these tools may be more secure than others.
Okay. So what should organizations be doing to keep their company safe as we finish out the year?
Calvin: Things like patch management, also securing your whole network, making sure that your office networks are properly secured and hardened before deploying, proper vendor management, especially if you are onboarding new cloud services for shifting towards remote work. And of course the evergreen password management is a huge topic as well that we have to address as an organization.
Yeah, probably now more than ever. What about consumers, any tips we have for them, or people at home?
Christine: When it comes to consumers, all of those unsolicited emails you see in your inbox, just don’t fall for them. If the name of the sender is someone you know, and the email actually doesn’t look legitimate, but you feel like you trust the sender, try to send the sender a message using another avenue to confirm the email. So for example, you can send them an SMS. So do not confirm it with the same avenue where the potential threat could have been sent to you, but try another avenue to confirm it.
But that’s so hard though, because back in the day, I remember you know, doing quaint little things like going to shops to get stuff I wanted. But these days I’m shopping online. So when I get a notification saying “You’re expecting a package from Amazon,” I’m like, “Damn straight I am, at least three or four different packages, which one is this? Let me just click on the email and find out which one is getting delayed now.”
Calvin: I think the advice is to start listing down what you’ve purchased so that you can keep track of those deliveries.
Christine: (Laughing) And also, one more thing, by the way. If there are Word documents attached to the emails, or PDFs, for instance, there are online tools that allow you to actually open that content in there rather than in your own computer. So when you don’t really trust that information and you think, okay, there’s not going to be any personally identifiable information here anyway. Just open it in one of these online tools so that you don’t compromise your local machine.
Calvin: And I think speaking of online shopping, I’m pretty sure most of the online websites have this, where you can track your order status. So those are likely the best place to track, rather than waiting for an email to come. While that can be legitimate as well, the best way would be going back to the website where you purchased it from.
Right. So instead of opening that email, log onto the website and see if that information’s there. Yeah, that makes sense. All right, so for more details about the threats we’ve seen in the first half of the year, please check out our report, Attack Landscape H1 2020. Thanks for being on the show guys, Christine and Calvin.
Christine: Thank you for having us.
Calvin: Thanks for having us again.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.