In what may be a first for watering hole attacks, we’ve now seen an attack that targeted watering holes, or at least water utilities. The way this was discovered is a bit bizarre — it was found by Dragos during an investigation into the February incident at Oldsmar, Florida. A Florida contractor that specializes in water treatment runs a WordPress site that hosted a data-gathering script. The very day that the Oldsmar facility was breached, someone from that location visited the compromised website.
You probably immediately think, as the investigators did, that the visit to the website must be related to the compromise of the Oldsmar treatment plant. The timing is too suspect for it to be a coincidence, right? That’s the thing: the compromised site was only gathering browser fingerprints, seemingly later used to disguise a botnet. The attack itself was likely carried out over Teamviewer. I will note that the primary sources on this story have named Teamviewer, but call it unconfirmed. Assuming that the breach did indeed occur over that platform, then it’s very unlikely that the website visit was a factor, which is what Dragos concluded. On the other hand, it’s easy enough to imagine a scenario where the IP address recorded from the visit led to a port scan and the discovery of a VNC or remote desktop port left open.
One Weird Ransomware Trick
This time it’s not clickbait, we promise. This really is a weird trick, and it really does prevent some ransomware infections. Blame [Brian Krebs] for the clickbait title, because he made this oddity well known.
A sizable chunk of ransomware campaigns are run out of Russia, including the Colonial Pipeline attack by DarkSide. Historically, Russian officials have been somewhat laissez-faire towards computer crime committed by Russian nationals, so long as the victims were not Russian, or from an allied state. (Though there is news about that, which we’ll cover in a moment.) How does a Russian criminal check where their potential victim lives? One way is to check for the languages installed on the machine, as part of the ransomware install. So the trick? Install the Russian language and Cyrillic virtual keyboard. It’s not a guaranteed solution, by any means, but it might just keep you out of trouble, and it won’t hurt.
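For readers who want to apply the trick without clicking through the Settings app, here is a small PowerShell script that checks whether a Russian (Cyrillic) input method is already present for the current Windows user and adds one if it is not. This is an added example, not code from the column or from [Brian Krebs]; it relies on the built-in `Get-WinUserLanguageList` / `Set-WinUserLanguageList` cmdlets from Windows' International module, and the function names are our own.

```powershell
# Added example (not from the original column): check for, and if needed add,
# a Russian/Cyrillic input method for the current Windows user.
# Get-WinUserLanguageList / Set-WinUserLanguageList are built-in cmdlets that
# operate on the current user's profile only.

function Test-RussianLayoutPresent {
    # Each language entry carries InputMethodTips such as "0419:00000419"
    # (language id : keyboard layout id); 0419 is the language id for Russian.
    $langs = Get-WinUserLanguageList
    foreach ($lang in $langs) {
        if ($lang.LanguageTag -like 'ru*') { return $true }
        foreach ($tip in $lang.InputMethodTips) {
            if ($tip -like '0419:*') { return $true }
        }
    }
    return $false
}

function Add-RussianLayout {
    if (Test-RussianLayoutPresent) {
        Write-Output 'Russian input method already present; nothing to do.'
        return
    }
    $langs = Get-WinUserLanguageList
    # Appending the ru-RU tag brings the standard Cyrillic keyboard with it;
    # the display language of Windows is left unchanged.
    $langs.Add('ru-RU')
    Set-WinUserLanguageList -LanguageList $langs -Force
    Write-Output 'Added ru-RU (Cyrillic keyboard) to the current user language list.'
}

Add-RussianLayout

# Show the resulting list so the change can be verified.
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

Because these cmdlets change only the current user's language list, run the script under each account that logs on to the machine, and sign out and back in before checking that the new layout shows up in the taskbar. As the column says, this is a cheap hedge rather than a guarantee: it only helps against malware that actually performs this particular check.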
We have even more bad news for QNAP and their users. First, a new pair of vulnerabilities was just announced, one in the MusicStation app, and the other, ironically, in the MalwareRemover app. The initial report was in September of last year, and the fixed versions were published on or before May 6.
And secondly, the Qlocker ransomware campaign has been taken down. That sounds like a good thing, but with the end of the campaign also comes the end of the opportunity to pay for decryption keys. So far, there hasn’t been a decryption program released, and this looks like the end of the line for decrypting the ransomed data, until someone can crack it.
News continues to come in regarding the Colonial Pipeline, some of which was rumored last week. First off, it’s been confirmed that it was the corporate network that was hit with the ransomware, and not the pipeline operations themselves. I know many have been quite frustrated by the news that the outage was actually caused by the billing systems going down. Before you get your pitchforks out, remember that a bankrupt company doesn’t pump gasoline down the pipeline, either.
In what is welcome news, DarkSide seems to be disbanded, some of their accounts seized, and at least some of their bitcoin drained, probably by law enforcement. In other words, the pipeline attack achieved political critical mass, and a chain reaction was kicked off, leading to law enforcement action, maybe even by Russian authorities. Regardless of the details, it sounds like decryption tools will be released, and this particular ransomware gang is done.
International Insurer and Ransomware
One of the big international insurers, AXA, was hit by a triple-threat ransomware campaign over the past weekend. It doesn’t appear to be the entire company, but a handful of offices in Asia were compromised. After the compromise, a coordinated DDoS attack was launched against their websites. The worst part of the attack is that data, some of it very personal, was exfiltrated in addition to being encrypted. This includes medical reports and legal identification documents. The ironic part is that AXA had announced a new policy just a week earlier, that their French policies would no longer reimburse for ransom payments.