DDoS, crypto, and ransomware, oh my!

Another week, another Weekly Threat Report. On this joyous occasion, we’ll be taking a look at:

  • The rise of crypto prices (and how it impacts cybersecurity)
  • DDoS extortion campaigns
  • Where in the world is Emotet?
  • Threat researchers targeted by bad actors
  • SonicWall compromised

Buckle up for the ride, folks!

The big increase

This past year has seen a surge in crypto-coin prices, with Bitcoin (BTC) starting 2020 at around $8,000, ending the year around $30,000, and starting the new year with a peak of over $40,000. Many experts believe this surge in crypto prices has caused several threat actors to change tactics to capitalize on the higher prices.

First, the obvious: crypto-mining malware detections increased by over 50% in Q4 of 2020. The Perch Labs team has seen this firsthand. Occasionally while threat hunting, we encounter a botnet and monitor it to see what the bad guys are up to. We’ve been able to notify several organizations that their websites have been compromised, we’ve identified and reported stolen credit cards, and in nearly every case have observed the botnet operators downloading an XMRig miner in order to mine Monero, another cryptocurrency.

Monero is typically the crypto of choice for this activity because the system requirements for mining Monero are significantly less than for mining Bitcoin. Monero transactions are also much more difficult to track than Bitcoin, reducing the likelihood that security researchers and law enforcement can track the transactions to an individual.

The other big increase has been in the realm of DDoS extortion campaigns. On January 22, 2021, details were released regarding a global extortion campaign that threatens companies with DDoS attacks. The campaign was first detected back in August 2020, targeting financial institutions and other industries worldwide. Following the initial campaign, in late December 2020 and early January 2021, the campaign resumed and threatened multiple undisclosed organizations through a new wave of DDoS extortion emails.

According to sources, the emails contain information that threatens the companies with DDoS attacks unless they pay a ransom between 5 and 10 bitcoins, which is approximately $150,000 to $300,000 USD.

The DDoS attacks typically lasted around nine hours with 200 Gbps on some organizations, with one identified attack peaking at 237 Gbps. Additionally, researchers believed that the actors are still active. At the time of writing, it’s unclear how many victims the campaign may have impacted.

In the world of ransomware, threat actors have added DDoS attacks to their toolset in an effort to force targets to pay. In October 2020, the SunCrypt and RagnarLocker ransomware operators were first observed employing DDoS attacks against their victim’s network or website.

According to a report issued by BleepingComputer, the Avaddon ransomware operators are similarly using DDoS attacks to take down a victim’s site or network until the victim contacts them to initiate a negotiation. They’re currently performing a DDoS attack against an undisclosed victim website. The operators claimed that they had compromised approximately 44GB of the victim’s data, including confidential documents, personal data of customers and employees, as well as financial information. According to the operators, the victim chose not to cooperate with them, and they gave victims 24 hours to engage prior to leakage of company data.

Emotet is (mostly) dead

On January 27, 2021, a team of law enforcement agencies from around the world announced that they seized and took down the Emotet infrastructure and arrested an undisclosed number of operators as part of Operation LadyBird. Emotet was one of the most heavily distributed malware families of 2020. We’ve seen their infrastructure get targeted before, as discussed in an earlier Weekly Threat Report.

Emotet is one of the longest-lasting cybercrime services in existence, with their first banking Trojan identified in 2014. It’s typically distributed via malicious Word documents sent by email with language such as “Your invoice,” “Payment Details,” or possible shipping updates. Once infected, it attempts to connect to a Command and Control (C2) server for additional instructions. It then downloads additional malware, frequently ending in ransomware.

Hundreds of servers used by Emotet for its C2 have been seized and sinkholed, with many active Emotet infections around the world now connecting to those sinkholed domains. A sinkholed domain is a domain name where the DNS servers have been configured to respond with false information. In this case, DNS requests for Emotet’s C2 servers return IP addresses that belong to law enforcement, essentially crippling the malware and preventing any further infections.

It’s possible that any Emotet operators that have evaded arrest thus far could continue to load Emotet via other botnets. Still, they’ll be forced to completely rebuild their infrastructure before they’re able to monetize future infections.

Security researchers and companies are being targeted

On January 24, 2021, Google’s Threat Analysis Group (TAG) released details regarding an ongoing campaign targeting security researchers working on vulnerability research and development. TAG has linked this campaign to an unspecified North Korean nation state-sponsored group after observing a number of attacks targeting security researchers.

The threat actor established a research blog and multiple Twitter accounts to interact with potential targets. The blogs contain write-ups and analysis of vulnerabilities that have been disclosed, including “guest” posts from unaware legitimate security researchers, in an attempt to build credibility with other security researchers.

After establishing communication, the victim is asked to collaborate on vulnerability research, providing the victim with a Visual Studio Project. The Visual Studio Project contains source code for exploiting the vulnerability and a DLL that executes via Visual Studio Build Events. Upon execution, the DLL begins to communicate with the attacker’s C2 domains.

In other instances, researchers were compromised after visiting links on Twitter to vulnerability write-ups. Upon visiting the link, a malicious service is installed on the researcher’s system, and an in-memory backdoor begins beaconing to an attacker’s command-and-control C2 server.

SonicWall breached

At the end of last week, SonicWall revealed that their internal systems were compromised by an unknown threat actor utilizing previously unknown zero-day vulnerabilities in their NetExtender VPN client and Secure Mobile Access (SMA) physical appliance.

SonicWall has also published an advisory with mitigation steps as there are not yet any patches available for these products.

Mitigation involves enabling MFA and modifying your firewall to limit SMA access via an SSL-VPN or IP whitelist. SonicWall didn’t provide further details regarding the incident, but they are posting updates to the advisory listed above.

If you’re a Perch customer, we recommend sending us syslog from your SonicWall devices and then install the SonicWall Collection from the Perch Marketplace for better visibility into what your SonicWall devices are doing.

So far, technical details regarding the 0-days listed above aren’t available, but we’ll continue monitoring the situation and, if applicable, add new content to the Marketplace. If you install the entire collection now, you’ll automatically benefit from any new content created.

That’s all for this week.

  • Bryson Medlock, The Dungeon Master