Categories
Security

Don’t drink the water — it’s been hacked

That’s a scary title, isn’t it? It could have been the headline in newspapers this week had it not been for the watchful eye of a water treatment plant operator in Oldsmar, Florida.

Last week, a hacker (or group of hackers) attempted to poison a Florida city’s water supply by accessing a dormant remote access software platform. If it hadn’t been caught in time, at least 15,000 people could have been affected.

Law enforcement, including the FBI, the Secret Service, and the Pinellas County Sheriff’s Office, is currently investigating how the threat actor got in and who would want to do this. What we know so far is that a plant operator at the Oldsmar water treatment facility noticed someone remotely accessing the computer system he was monitoring — once at about 8:00am and again at 1:30pm — to open the function that controls the amount of sodium hydroxide (lye) in the water.

Lye is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in the water could cause skin burns and rashes — and the hacker changed the lye ratio from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. After the attacker left the system, the operator quickly reduced the lye concentration back to normal, so there was no adverse effect on the water. Importantly, the water treatment plant had redundancies in place, so if the operator had missed the hacker’s intrusion, the system would have caught the change in time.

So, what was this? A test by nation-state actors? An attempt to severely harm the townspeople of Oldsmar? As of this writing, there are no indications that this was a targeted attack. The Pinellas County Sheriff’s office doesn’t have a suspect but is following leads — none of which point to terrorism. It may simply have been an act of vandalism. Vulnerable Internet-connected Industrial Control Systems (ICS) are not difficult to find.

In the case of the Oldsmar water treatment facility, the attack was neither successful nor sophisticated. A remote access software tool was either exposed to the open Internet or accessed by guessing or brute-forcing a password. (Although law enforcement says it doesn’t know how the hackers got onto the system, a CNN source counters that a password was required to operate the software remotely.) Unfortunately, a sophisticated attack isn’t required to produce a dangerous result, and what happened at Oldsmar simply highlights how many critical infrastructure systems are vulnerable.

IT and security professionals charged with securing vital infrastructure needn’t panic — the first priority here isn’t shielding against complex zero-days or advanced persistent threats. Instead, it’s the kind of grunt work facing all in cybersecurity today, such as patching, air-gapping, and enforcing two-factor authentication. My advice for anyone in infrastructure or others using remote access software:

  • Be careful with how much remote access software you deploy on your network. You should never leave this software unused for long periods, especially if it’s left open to the Internet.
  • Ensure that the remote access software you do have is configured properly. Open it only to staff that require remote access, and require they access it using a strong password and 2FA.
  • Remote Desktop Protocol (RDP) should be kept closed or used with protection, such as our Brute Force Protection module in Malwarebytes Nebula.
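As an added example (not part of the original post, and not a Malwarebytes tool), the following PowerShell audit checks the three points above on a single Windows host: whether RDP is enabled, whether Network Level Authentication is required, how widely the inbound RDP firewall rules are scoped, and whether an account lockout threshold throttles password guessing. It assumes an elevated session on Windows 8/Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example: audit a Windows host's RDP exposure (run elevated).
function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound rules in the built-in "Remote Desktop" group, with each rule's remote scope.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($scope -join ',') }
        }
    # A remote scope of "Any" accepts RDP from every source that can reach the host.
    $unrestricted = @($openRules | Where-Object { $_.RemoteAddress -eq 'Any' })

    # Is anything actually listening on TCP 3389 right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # "Lockout threshold: Never" means unlimited password guesses (no brute-force protection).
    $lockoutLine      = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $lockoutThreshold = if ($lockoutLine -match 'Never') { 0 } else { [int]($lockoutLine -replace '\D', '') }

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired)      { $findings += 'RDP enabled without Network Level Authentication' }
    if ($rdpEnabled -and $unrestricted.Count -gt 0) { $findings += "RDP firewall rule open to Any: $($unrestricted.Rule -join ', ')" }
    if ($lockoutThreshold -eq 0)                  { $findings += 'No account lockout threshold: password brute force is unthrottled' }

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        ListeningOn3389  = $listening
        OpenInboundRules = $openRules
        LockoutThreshold = $lockoutThreshold
        Findings         = $findings
    }
}

Get-RdpExposureReport | Format-List
```

An empty Findings list means RDP is either disabled or enabled only with NLA, a restricted source scope, and a lockout policy; anything listed is a setting to fix before the host is reachable from outside the network.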

To learn more about the hack of the Florida city water facility, read our blog on Malwarebytes Labs:
https://blog.malwarebytes.com/hacking-2/2021/02/hackers-try-to-poison-florida-citys-drinking-water/

RegretLocker ransomware encrypts virtual machines

Ransomware, ransomware, ransomware. At this point, the other malware families might be feeling some Jan Brady-level jealousy toward their flashier, more advanced brother. Ransomware is getting all the attention right now — for good reason.

Ransomware attacks have been ramping up in volume and in sophistication over the last year. Corporate targets have had to steel themselves against stealthy spear phishing campaigns, exposed RDP ports, zero-day exploits, and more. Now they have to worry about their virtual machines.

Using a combination of advanced attack techniques, a new ransomware family discovered in October called RegretLocker is able to encrypt virtual hard drives and close any files users have open so that they too can be encrypted. Why does this matter? RegretLocker is able to execute much more quickly than previous ransomware families and evade detection.

RegretLocker takes ransomware to the next level

RegretLocker ransomware appears fairly simple on the surface. It is accompanied by a short and sweet ransom note (as opposed to a long-winded soliloquy that has become common among ransomware threat actors). It uses email instead of Tor to accept ransom payments. When encrypting files, it applies a harmless-sounding .mouse extension.

But that’s where the simplicity ends. Instead of encrypting large files en masse, which can take a long time, RegretLocker mounts a virtual disk file so that each file may be encrypted individually, speeding up the process. In addition, RegretLocker uses the Windows Restart Manager API to terminate processes on Windows that can keep a file open during encryption, preventing users from salvaging open files.

RegretLocker follows in the footsteps of another ransomware family known as Ragnar Locker, which was first discovered in October 2019. Ragnar Locker deploys virtual machines to victim systems and launches the ransomware from inside. This gives the ransomware access to files on the local disk without being detected by security software deployed on the host system. In September 2020, Maze ransomware authors added Ragnar Locker’s virtual machine tactic to their bag of tricks.

The use of virtual machines by these ransomware families is not for the faint of heart — it’s complex, messy, and requires prior knowledge about the hardware and capabilities of its target networks, including whether or not the services it depends on had already been disabled. However, for threat actors looking to select and encrypt specific files quickly, or for those who’ve compromised a system but are looking to crack particularly difficult files, these methods represent the next evolution in a long chain of dangerous developments in ransomware.

What’s more, there are not many ways to protect against these types of ransomware attacks outside of preventing them from happening in the first place. (Though Malwarebytes’ Anti-Ransomware technology blocks RegretLocker from launching.)

What we can take away from these latest developments in ransomware is that cybercriminals have been busy doing what they do best: developing new tricks and workarounds for the obstacles that had previously prevented their malware from being as dangerous as it could be. The best defense, as it has always been, is awareness and proactive protection.

To learn more about RegretLocker ransomware, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/regretlocker-new-ransomware-can-encrypt-windows-virtual-hard-disks/

And here is Bleeping Computer’s take on RegretLocker: https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

For information on Ragnar Locker’s attack on gaming company Capcom: https://threatpost.com/gaming-giant-capcom-ragnar-locker-ransomware/160996/

Maze ransomware group calls it quits… maybe

2020 has claimed nearly 200,000 small businesses across the United States as victims — a gut punch of a statistic. But there’s one group closing up shop that I won’t shed any tears over: Maze ransomware.

Last week, the notorious Maze ransomware group known for corporate targeting and data extortion schemes announced they are shutting down operations. So why aren’t security folks like me rejoicing? First, we’ve seen ransomware families disappear before, only to come back with a smarter business plan for distribution or key updates that increase their potency. Second, never trust the word of a cybercriminal.

Back in May 2019, Malwarebytes researchers discovered a new strain of ransomware known as Maze, distributed via the Fallout exploit kit. Soon after, we found that Maze was spreading indiscriminately through other exploit kits, such as Spelevo, as well as through spam campaigns using documents laced with malicious macros.

As time went on, Maze operators began to adopt a more targeted approach, likely looking for a higher return on investment. They began going after organizations with spear phishing campaigns or by exploiting vulnerabilities in exposed infrastructure. Nothing new there. However, Maze was a pioneer in some regards, as it was one of the first to threaten its victims with leaking sensitive data if the ransom was not paid. Its authors also adopted clever tricks to evade detection by leveraging virtual machines to encrypt files.

Rumors began months ago that the threat actors behind Maze ransomware might be abandoning ship, as several of its affiliates switched to an up-and-coming ransomware family known as Egregor, which likely shares some of its code with Maze. In fact, it’s possible that former Maze developers are the ones behind the Egregor project, which would explain the recruitment of their affiliates.

On November 1, coincidentally my birthday, the group behind Maze released a statement claiming that they were done for good. The error-laden message (more of a rant) went on to claim that the future will be lived entirely online, therefore Maze’s efforts were meant to help prepare companies by forcing them to increase their security — typical rhetoric among delusional criminals who try to reframe their acts as benevolent.

There’s no doubt the Maze developers and distributors made enough money to call it a day. Their so-called press release is perhaps a distraction meant to hide conflicts or internal disagreements. It could also be a smokescreen for a potential shift to Egregor. When a cybercriminal says, “We never had partners or official successors,” you can count on the opposite to be true.

Whether Maze is actually gone, we can’t yet say for sure. We thought Ryuk had vanished earlier in 2020, only to have it return. At the same time, the affiliate shift to Egregor is reminiscent of the shift away from GandCrab to Sodinokibi ransomware in 2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways. Because of this, it’s best to continue to guard against, at the very least, the types of attack vectors used by Maze ransomware. I suggest:

  • Updating software and hardware to shore up vulnerabilities (protecting against exploit kits)
  • Boosting protection against brute force attacks and exposed RDP ports
  • Increasing employee awareness on sophisticated spear phishing tactics
  • Segmenting sensitive data into more restrictive servers

For more information on the Maze ransomware group’s retirement, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

For an in-depth threat spotlight on Maze ransomware’s capabilities: https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist

For TechCrunch’s take on Maze’s retirement: https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down