This Week: Ransomware Goes Gold

MFW I hear "the squirrels are winning".
January 20, 2017

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

A new FBI leak appeared to ring in the new year, but many believe that the “leak” contains false information. Goldeneye ransomware set a gold standard for exploited HR departments, and the squirrels are up to no good.

Goldeneye for Ransomware

Recently, cyber criminals began targeting Human Resources departments with Goldeneye ransomware, a variant of a strain known as Petya. Created by cyber criminal group Janus, this Ransomware-as-a-Service was sold to any interested buyer, after which Janus took part of their profits from the exploit.

The Goldeneye ransomware is sent as an attachment to a fake job application. The email includes a clean PDF cover letter attachment that aims to lull the opener into a false sense of security, and the second attachment is an infected Excel file. Upon opening, a note asks the victim to initiate the encryption process. A golden screen, hence the name, pops up demanding 1.3 BTC ($1167.61 USD) and provides instructions on how to acquire bitcoin and how to contact the admin if they have issues decrypting files or with the payment process.
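The two-attachment lure above (a harmless PDF paired with a macro-carrying workbook) is something a mail gateway can flag before anyone opens it. The following is an added example, not code from the original post or from Terbium; it assumes a constructed sample message and detects macros by looking for the `vbaProject.bin` member that OOXML files store their VBA project in.

```python
import io
import zipfile
from email.message import EmailMessage

# OOXML files are zip containers; a VBA project, if present, lives in one of these members.
MACRO_MEMBERS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_macros(data: bytes) -> bool:
    """Return True if a zip-based Office file embeds a VBA project."""
    if not data.startswith(b"PK"):
        return False  # not a zip container (legacy .xls/.doc are OLE2 and need a different check)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def triage_message(msg) -> dict:
    """Classify attachments and flag the 'clean PDF + macro workbook' combination."""
    report = {"pdf": [], "macro_office": [], "other": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"%PDF-"):
            report["pdf"].append(name)
        elif has_vba_macros(payload):
            report["macro_office"].append(name)
        else:
            report["other"].append(name)
    report["suspicious"] = bool(report["pdf"]) and bool(report["macro_office"])
    return report


def build_sample_message():
    """Constructed sample: a job-application mail with a PDF cover letter and a macro-enabled workbook."""
    msg = EmailMessage()
    msg["Subject"] = "Job application"
    msg.set_content("Please find my cover letter and CV attached.")
    msg.add_attachment(b"%PDF-1.4\n% stub cover letter\n", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes standing in for a VBA project
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="cv.xlsm")
    return msg
```

Running `triage_message(build_sample_message())` marks the message suspicious because both a PDF and a macro-bearing workbook are attached.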

Cyber criminals are becoming increasingly creative with their exploits and attacks; they know how to create a false sense of security. Exploits are hidden in ordinary content. Nearly everyone knows the prince-who-lost-his-money scam, so cyber criminals create content that hits closer to home. These attacks are not readily apparent, but sometimes your instincts tell you when an email looks phishy.

Disputed Leaks

As most were welcoming New Year’s Day with celebration and good company, the hacker known as CyberZeist leaked credentials from the US intelligence community. It wasn’t immediately clear if the dump was new or not, and many remain skeptical.

The self-described “political and offensive black-hat” dumped a list of 155 FBI email addresses, SHA1 password hashes and their salts on Pastebin, in a move that CyberZeist said was “totally devoted to the Anonymous Movement.” CyberZeist claimed to have accessed the information through a zero-day exploit in the Plone Content Management System (CMS), which supports the FBI’s site (as well as other notable organizations, including the CIA and Google).

Although some were new, many of the credentials in the New Year’s dump also appeared in CyberZeist’s 2011 leak of FBI email addresses and plaintext passwords, which they obtained through spear-phishing. But unlike other high-profile hacks of government agencies, there was no comment from the FBI (or other official agencies) on the New Year’s leak. Plone CMS, however, did speak up, calling the leak an outright “hoax.” Their statement specifically pointed to the hashes and salts in the leak, which are not consistent with values generated by Plone.

Why would a hacker leak fake information to boost their reputation if they’re anonymous? Because a reputation can make money - CyberZeist is now selling the Plone CMS “zero-day” on the dark web for $9,000.

One more thing: It’s been a nutty week…

The presentation “35 Years of Cyberwar: The Squirrels are Winning” at the Shmoocon security conference revealed that squirrels (and not cyberattacks) were one of the biggest threats to critical infrastructure. CyberSquirrel1, the project that collects data on “animal-induced infrastructure outages,” has tracked “over 1,700 outages, affecting nearly 5 million people”.
