August ivanti threat thursday deck final[1]
•Download as PPTX, PDF•
0 likes•157 views
August Threat Thursday
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to August ivanti threat thursday deck final[1]
Similar to August ivanti threat thursday deck final[1] (20)
More from Ivanti
More from Ivanti (20)
Recently uploaded
Recently uploaded (16)
August ivanti threat thursday deck final[1]
- 1. Copyright © 2020 Ivanti. All rights reserved. Is Ransomware Winning? Chris Goettl and Phil Richards August 27, 2020
- 2. Copyright © 2020 Ivanti. All rights reserved. Agenda Items University of Utah: Ransom+Data Breach trend Jack Daniels: Over the barrel Is Ransomware winning? FritzFrog: Bogging down servers Canadian Government Services: Credentials breach 1 2 3 4 5
- 3. Copyright © 2020 Ivanti. All rights reserved. Situation Analysis Recommendations Exploit Type: Exposure: Attack Vectors:Impact: Multi-Factor Authentication Backup and Restore Next in the long line of Universities targeted by threat actors, the Utes paid nearly half a million to keep student and employee data safe. Is the rise in Ransom+DataTheft changing minds about whether to pay ransoms? The FBI recently updated their Ransomware guidance to soften the language around paying up. Ransomware University of Utah Ransom+Data Breach $457K .02% Data Stolen Student and Faculty PII NetWalker Ransomware Emergency Response Plan Tabletop Exercises Privilege/Credential Management Continuous Vulnerability Management
- 4. Copyright © 2020 Ivanti. All rights reserved. 21 43 5 Michigan State May 28 Status: ransom unknown, stated they will not pay September Your business or university? NetWalker has made $25M since March 2020 Source for revenue: Zdnet, August 3, 2020. Columbia College of CHI June 3 Status: ransom unknown, may have paid UC, San Fran June 29 Status: paid $1.14M ransom Univ. of Utah August 22 Status: paid $457K ransom
- 5. Copyright © 2020 Ivanti. All rights reserved. Situation Analysis Recommendations Exploit Type: Exposure: Attack Vectors:Impact: Buy a bottle of Jack Daniels The Brown-Forman Corporation, maker of Jack Daniels, was recently hit by the REvil ransomware gang, who claimed to have stolen 1 terabyte of data. The company said it stopped file encryption, but employee data may have been revealed. Brown-Forman is working with authorities and experts and is NOT negotiating as of now. Ransomware Jack Daniels: Refuses to pay 1 TB Including Employee records Internal network REvil Ransomware Toast Brown-Forman for not paying Review your security strategy Privilege/Credential Management Continuous Vulnerability Management Run some red team exercises
- 6. Copyright © 2020 Ivanti. All rights reserved.
- 7. Copyright © 2020 Ivanti. All rights reserved. Is Ransomware Winning?
- 8. Copyright © 2020 Ivanti. All rights reserved. Source: Coveware Q1 2020 ransomware marketplace report Ransomware Q1 2020 Growth The average ransom payment is now $111,605: up 33% from Q4 2019 causing an average of 15 days of downtime per attack. The top 3 top ransomware gangs by market share are Ryuk, Sodinokibi, and Phobos. Their most common attack vectors are email phishing, RDP, and software vulnerability. The industries hit the most by ransomware in Q1 were professional services, healthcare, the public sector, and consumer services.
- 9. Copyright © 2020 Ivanti. All rights reserved. In Q4 2019, the FBI updated its guidance on how to handle ransomware attacks. Even though paying encourages criminals and does not ensure you’ll get your data back the FBI said, updated language also stated companies might be better off in some circumstances paying ransom demands. FBI Softens Ransom Stance
- 10. Copyright © 2020 Ivanti. All rights reserved.
- 11. Copyright © 2020 Ivanti. All rights reserved. Copycat Hackers Extortion via DDOS Extortion campaigns by criminals impersonating real threat actors are using DDOS to target financial groups. These criminal groups are trying to scare potential victims by pretending to be better known ransomware gangs. More than a dozen of these attacks have occurred in the U.K. and U.S. in the past month.
- 12. Copyright © 2020 Ivanti. All rights reserved. Server Attacks & Credential Stuffing
- 13. Copyright © 2020 Ivanti. All rights reserved. FritzFrog: Bogging down servers FritzFrog has attacked over 500 servers in Europe and the US via SSH since January 2020. Target: government, medical, education, financial institutions Acts as both a P2P botnet and a worm Guardicore labs monitoring FritzFrog via: “frogger” Copyright © 2020 Ivanti. All rights reserved.
- 14. Copyright © 2020 Ivanti. All rights reserved. Canadian Government Services Attack: Credential Stuffing Two Canadian government agencies were attacked affecting thousands of accounts. Attackers took advantage of passwords and usernames being reused across systems. Takeaway: Do not reuse passwords across systems. Source: Spycloud 2020 Annual Credential Exposure Report
- 15. Copyright © 2020 Ivanti. All rights reserved. Q&A
- 16. Copyright © 2020 Ivanti. All rights reserved. Get the latest updates at: ivanti.com/ThreatThursday Thank You!
Editor's Notes
- Evolution of cybercrime – ransomware+breach (more common). Provides a convenient modality. Gives everyone a role to fill – good/bad, robber/victim. Earlier cybercrimes were more confusing – breached? Not breached? Cavalier attitude previously, become more developed. FBI – not terrorists, cyber gangs –softened language on paying. Ransomware convenient transaction for how this takes place. Even DDoS is monetizing as well. Way that makes sense to everyone involved/clear on how to move forward – efficient criminal market system. Like paying the mafia protection money. Won’t spam us if you pay us. Sell your data, discount market. Where does it end or does it – directions on where it will go.
- https://www.techspot.com/news/86472-university-utah-footed-457000-ransomware-bill.html https://siliconangle.com/2020/08/23/university-utah-paid-457000-behind-ransomware-attack/ https://www.theregister.com/2020/08/21/utah_pays_ransomware/ Ransomware+Databreach is the new norm. We need some data protection solutions now so we can take advantage of this new wave. Story: Following a spate of attacks in the UK and US, higher learning continues to get hit. University of Utah was affected most recently and paid a ransom of $457K. Mention Blackbaud background and others paying Group of additional attacks recently as well
- May 28 article – Michigan State (Michigan State won’t pay) https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/ Columbia College of Chicago https://www.bleepingcomputer.com/news/security/netwalker-ransomware-continues-assault-on-us-colleges-hits-ucsf/ June 29 article - University of California, San Francisco ($1.14 Million) https://www.bbc.com/news/technology-53214783 Aug 22 - University of Utah – Paid $457K https://news.coingenius.ai/netwalker-hackers-hit-university-of-utah-with-ransomware-attack/ NetWalker has made $25M since March https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/
- Allegedly data is for sale on the dark web though from Jack Daniels https://threatpost.com/jack-daniels-ritz-london-cyberattacks/158409/ https://cointelegraph.com/news/did-jack-daniels-thwart-a-ransomware-attack-or-not https://nakedsecurity.sophos.com/2020/08/18/us-liquor-giant-hit-by-ransomware-what-the-rest-of-us-can-do-to-help/ The maker behind Jack Daniels and other alcoholic beverages, Brown-Forman Corp., has suffered a recent cyberattack by the REvil ransomware gang. The company said that while it was able to thwart the actual encryption of files, some employee data may have been exposed.In an email to Bloomberg, the purported cybercriminals behind the attack on Brown-Forman Corp., identifying as the REvil gang, claimed to have lifted 1 terabyte of information from the distiller after it hacked into the company’s internal networks, and provided a link to its online data-leak site. The Louisville, Ky.-based company, which also owns other brands like Finlandia vodka, said in a media statement that it is “working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible. There are no active negotiations.” The REvil contact confirmed, “An attempt at dialogue with the company did not bring any results.” REvil, also known as Sodinokibi, first appeared in April 2019 and has since appeared in several high-profile cyberattacks, such as one in January that targeted Travelex and another in May that targeted a popular law firm that works with several A-list celebrities. REvil is thought to operate as a ransomware-as-a-service (RaaS), where one group maintains the code and rents it out to other groups, known as affiliates, who carry out attacks and spread the ransomware. Any profits made are then split between the affiliates and the original gang, said researchers. The malware is also at the forefront of the one-two punch trend of locking up files, but also stealing and threatening to release sensitive data if victims don’t pay up. In the case of the celebrity law firm (Grubman Shire Meiselas & Sacks), the attackers threatened to leak 756 gigabytes of stolen data, including personal info on Lady Gaga, Drake and Madonna. “Cybercriminal groups like REvil target and exploit any organization that clicks their phishing emails or leaves unpatched or misconfigured systems exposed for them to attack,” James McQuiggan, security awareness advocate at KnowBe4, said via email. “They do it to prove to them that they got in and then hold their data for ransom.” He added, “For one terabyte of data to be stolen, it can be noteworthy to consider that the cybercriminals were inside the victim’s infrastructure for some time, especially for how long it would take to send out that much data unnoticed. It wouldn’t have been executed all at one time, but rather in chunks to avoid arousing suspicion by the security teams.”
- Do you want your car back?
- https://www.coveware.com/blog/q1-2020-ransomware-marketplace-report
- https://www.ic3.gov/media/2019/191002.aspx https://www.theregister.com/2019/10/03/fbi_softens_stance_on_ransomware/ FBI: “Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
- The Godfather
- https://www.bankinfosecurity.com/copycat-hacking-groups-launch-ddos-attacks-a-14846
- https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero/ https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/ "The unique, advanced worming P2P botnet drops backdoors and cryptominers, and is spreading globally. A peer-to-peer (P2) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January. SSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.According to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S. FritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk,” Harpaz explained, in a posting on Wednesday. Once the server is compromised, “the malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.”It also can drop additional payloads, such as cryptominers.
- Other credentials – talk about - what makes a good password, good string of passwords. What You Need to Know About NIST 800-63 Password Guidelines https://jumpcloud.com/blog/nist-800-63-password-guidelines https://portswigger.net/daily-swig/canadian-government-services-forced-offline-after-credential-stuffing-attacks https://www.darkreading.com/attacks-breaches/canadian-government-issues-statement-on-credential-stuffing-attacks/d/d-id/1338697 This was a survey Spycloud did - Source link: https://spycloud.com/2020-annual-credential-exposure-report/