This Week: Ransomware Goes Gold

MFW I hear "the squirrels are winning".
January 20, 2017

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

A new FBI leak appeared to ring in the new year, but many believe that the “leak” contains false information. Goldeneye ransomware set a gold standard for exploited HR departments, and the squirrels are up to no good.

Goldeneye for Ransomware

Recently, cyber criminals began targeting Human Resources departments with Goldeneye ransomware, a variant of a strain known as Petya. Created by cyber criminal group Janus, this Ransomware-as-a-Service was sold to any interested buyer, after which Janus took part of their profits from the exploit.

The Goldeneye ransomware is sent as an attachment to a fake job application. The email includes a clean PDF cover letter attachment that aims to lull the opener into a false sense of security, and the second attachment is an infected Excel file. Upon opening, a note asks the victim to initiate the encryption process. A golden screen, hence the name, pops up demanding 1.3 BTC ($1167.61 USD) and provides instructions on how to acquire bitcoin and how to contact the admin if they have issues decrypting files or with the payment process.

Cybercriminals are becoming increasingly creative with their exploits and attacks; they know how to create a false sense of security. Exploits are hidden in ordinary content. Nearly everyone knows the prince-who-lost-his-money scam, so cyber criminals create content that hits closer to home. These attacks are not readily apparent, but sometimes your instincts tell you when an email looks phishy.

Disputed Leaks

As most were welcoming New Year’s Day with celebration and good company, the hacker known as CyberZeist leaked credentials from the US intelligence community. It wasn’t immediately clear if the dump was new or not, and many remain skeptical.

The self-described “political and offensive black-hat” dumped a list of 155 FBI email addresses, SHA1 password hashes and their salts on Pastebin, in a move that CyberZeist said was “totally devoted to the Anonymous Movement.” CyberZeist claimed to have accessed the information through a zero-day exploit in the Plone Content Management System (CMS), which supports the FBI’s site (as well as other notable organizations, including the CIA and Google).

Although some were new, many of the credentials in the New Year’s dump also appeared in CyberZeist’s 2011 leak of FBI email addresses and plaintext passwords, which they obtained through spear-phishing. But unlike other high-profile hacks of government agencies, there was no comment from the FBI (or other official agencies) on the New Year’s leak. Plone CMS, however, did speak up, calling the leak an outright “hoax.” Their statement specifically pointed to the hashes and salts in the leak, which are not consistent with values generated by Plone.

Why would a hacker leak fake information to boost their reputation if they’re anonymous? Because a reputation can make money - CyberZeist is now selling the Plone CMS “zero-day” on the dark web for $9,000.

One more thing: It’s been a nutty week…

The presentation “35 Years of Cyberwar: The Squirrels are Winning” at the Shmoocon security conference revealed that squirrels (and not cyberattacks) were one of the biggest threats to critical infrastructure. CyberSquirrel 1, the project that collects data on “animal-induced infrastructure outages,” has tracked “over 1,700 outages, affecting nearly 5 million people”.
