On August 10, Cisco confirmed that the “yanluowang” extortion software Gang broke through the company’s network at the end of May and tried to blackmail them by threatening to disclose stolen documents on the Internet. Earlier, the Gang also claimed to have invaded the system of Wal Mart, an American retailer, but Wal Mart denied that blackmail attacks had occurred.
In this incident, yanluowang extortion Gang hijacked an employee’s personal Google account, which contained the credentials synchronized from his Google browser, and then used the employee’s credentials to enter the Cisco network.
After gaining a foothold in Cisco’s enterprise network, the attack group began to move horizontally to Citrix servers and domain controllers. Cisco Talos said that the attacker entered the Citrix environment, captured a series of Citrix servers, and finally gained privileged access to the domain controller. XenServer/Citrix Hypervisor protection. After gaining domain management rights, the attacker uses enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information, and installs a series of payloads on the attacked system, including a backdoor. Finally, Cisco discovered the attackers and expelled them from its environment. However, in the next few weeks, the attackers continued to try to access again, but failed.
Analysis on characteristics of blackmail software attack
In recent years, extortion software attacks remain high. In such an attack, an attacker usually encrypts enterprise data and requires payment to recover access rights. In some cases, the attacker may also steal the information of the organization and ask for additional fees in exchange for not disclosing the information to the authorities, competitors or the public. In the Cisco incident, yanluowang Gang blackmailed by threatening to disclose information on the Internet.
In 2021, from the perspective of economic impact and infection, we can see that conti and Revil threat actors dominate the extortion software market. They even provide their own ransomware as a service (RAAS) platforms through which attackers can launch attacks. Given the rapid growth of RAAS type business models, it is difficult to attribute certain events to an attacker. The development of ransomware attacks mainly shows the following five trends:
RDP and fishing are still the most common attack vectors
In the past few years, the primary attack through RDP has been the main attack vector. However, since 2021, we have seen this attack vector declining. In contrast, attacks through fishing have increased. We regard these two attack vectors as the most common way to obtain the initial foothold, and these two attack vectors are also the cheapest and most profitable methods for attackers. In this attack against Cisco, yanluowang group pretended to be a trusted support organization and carried out a series of complex voice phishing attacks against Cisco employees, thus obtaining VPN access rights.
Profit maximization: from double extortion to multiple extortion
Double blackmail is a common topic in blackmail software attacks. Extortion attacks usually encrypt the files on the victim’s network and system first, and then the files and data will be oozed out, hosted and detained on the dump site owned by the extortion software organization. During negotiation, documents are usually locked. Some RAAS platforms also have a timer function to indicate how much time the victim has left to pay the ransom.
In recent years, we have seen a change in profit maximization, which is the emergence of multiple extortion schemes. Initially, the attacker steals and encrypts sensitive data from the organization and threatens the victim to pay, otherwise, the data will be publicly released. Now, attackers are also demanding ransom from customers and / or partners of the organization. In April 2021, Revil launched an attack against the notebook manufacturer quanta computer. When the company refused to pay any ransom, the attackers turned their attention to apple and threatened to publish the blueprint they stole in the initial attack. Later, the attacker gave up the blackmail against apple, and apple did not officially comment on the incident.
Extortion software as a service (RAAS) business model grows
It has become normal to use ransomware as a service (RAAS) platform in attacks. This type of service provides a platform for other threat actors, attack organizations and individuals, and implements an affiliate marketing model. The RAAS platform covers all the functions required for ransomware attacks, from file encryption and storage to payment.
The RAAS provider will take a percentage of the ransom received by the victim, while the link will control the reward and communication with the victim. The RAAS platform can easily deploy all the tools needed on the infected target, and these tools are still under development. Like a healthy enterprise, the RAAS platform constantly adapts to new environmental changes so as not to be detected by terminals and network security tools. RAAS allows any attacker to conduct ransomware attacks, even if they lack technical knowledge。
Wrap up
Ransomware incidents can seriously affect business processes and deprive organizations of the data needed to operate and deliver mission critical services. Facts have proved that extortion software will bring great economic losses and reputation damage. From the initial invasion to the final restoration of normal operation, there are great challenges for enterprises. Although the extortion software attack suffered by Cisco did not have a major impact on the enterprise, it also sounded the alarm for us again. In this regard, it is suggested that the organization adopt the following methods to avoid blackmail attacks.
- Regularly conduct vulnerability scanning to identify and solve vulnerabilities, especially those on Internet Oriented devices, so as to reduce the attack surface.
- After being invaded by extortion software, the enterprise shall report to the competent authority in a timely manner, and request technical assistance or share information to prevent other enterprises from being attacked similarly.
- Maintain encrypted offline data backup and conduct regular tests.
- Patch and update the software and operating system regularly.
Vinchin offers solutions such as VMware backup for the world’s most popular virtual environments, XenServer backup, XCP-ng backup, Hyper-V backup, RHV/oVirt backup, Oracle backup, etc.