Who’s Behind the GandCrab Ransomware?

July 8, 2019
61 Comments

The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into who may be responsible for recruiting new members to help spread the contagion.

Image: Malwarebytes.

Like most ransomware strains, the GandCrab ransomware-as-a-service offering held files on infected systems hostage unless and until victims agreed to pay the demanded sum. But GandCrab far eclipsed the success of competing ransomware affiliate programs largely because its authors worked assiduously to update the malware so that it could evade antivirus and other security defenses.

In the 15-month span of the GandCrab affiliate enterprise beginning in January 2018, its curators shipped five major revisions to the code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

“In one year, people who worked with us have earned over US $2 billion,” read the farewell post by the eponymous GandCrab identity on the cybercrime forum Exploit[.]in, where the group recruited many of its distributors. “Our name became a generic term for ransomware in the underground. The average weekly income of the project was equal to US $2.5 million.”

The message continued:

“We ourselves have earned over US $150 million in one year. This money has been successfully cashed out and invested in various legal projects, both online and offline ones. It has been a pleasure to work with you. But, like we said, all things come to an end. We are getting a well-deserved retirement. We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

Evil indeed, when one considers the damage inflicted on so many individuals and businesses hit by GandCrab — easily the most rapacious and predatory malware of 2018 and well into 2019.

The GandCrab identity on Exploit[.]in periodically posted updates about victim counts and ransom payouts. For example, in late July 2018, GandCrab crowed that a single affiliate of the ransomware rental service had infected 27,031 victims in the previous month alone, receiving about $125,000 in commissions.

The following month, GandCrab bragged that the program in July 2018 netted almost 425,000 victims and extorted more than one million dollars worth of cryptocurrencies, much of which went to affiliates who helped to spread the infections.

Russian security firm Kaspersky Lab estimated that by the time the program ceased operations, GandCrab accounted for up to half of the global ransomware market.

ONEIILK2

It remains unclear how many individuals were active in the core GandCrab malware development team. But KrebsOnSecurity located a number of clues that point to the real-life identity of a Russian man who appears to have been put in charge of recruiting new affiliates for the program.

In November 2018, a GandCrab affiliate posted a screenshot on the Exploit[.]in cybercrime forum of a private message between himself and a forum member known variously as “oneiilk2” and “oneillk2” that showed the latter was in charge of recruiting new members to the ransomware earnings program.

Oneiilk2 also was a successful GandCrab affiliate in his own right. In May 2018, he could be seen in multiple Exploit[.]in threads asking for urgent help obtaining access to hacked businesses in South Korea. These solicitations go on for several weeks that month — with Oneiilk2 saying he’s willing to pay top dollar for the requested resources. At the same time, Oneiilk2 can be seen on Exploit asking for help figuring out how to craft a convincing malware lure using the Korean alphabet.

Later in the month, Oneiilk2 says he no longer needs assistance on that request. Just a few weeks later, security firms began warning that attackers were staging a spam campaign to target South Korean businesses with version 4.3 of GandCrab. Continue reading

Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

June 28, 2019
54 Comments

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup.

But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.

This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees’email and documents in Office365.

As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.

KrebsOnSecurity pinged Microsoft this week to inquire whether there was anything the company could be doing to better explain this risk to customers and CSP partners. In response, Microsoft said while its guidance has always been for partners to enable and require multi-factor authentication for all administrators or agent users in the partner tenants, it would soon be making it mandatory. Continue reading

Advertisement

Breach at Cloud Solution Provider PCM Inc.

June 27, 2019
35 Comments

A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned.

El Segundo, Calif. based PCM [NASDAQ:PCMI] is a provider of technology products, services and solutions to businesses as well as state and federal governments. PCM has nearly 4,000 employees, more than 2,000 customers, and generated approximately $2.2 billion in revenue in 2018.

Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.

One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.

In that respect, the motivations of the attackers seem similar to the goals of intruders who breached Indian IT outsourcing giant Wipro Ltd. earlier this year. In April, KrebsOnSecurity broke the news that the Wipro intruders appeared to be after anything they could quickly turn into cash, and used their access to harvest gift card information from a number of the company’s customers.

It’s unclear whether PCM was a follow-on victim from the Wipro breach, or if it was attacked separately. As noted in that April story, PCM was one of the companies targeted by the same hacking group that compromised Wipro. Continue reading

Tracing the Supply Chain Attack on Android

June 25, 2019
46 Comments

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” () is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]comwere seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device. Continue reading

Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy

June 19, 2019
62 Comments

A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing “enormous expenses” from notifying affected consumers and the loss of its four largest customers.

The filing, first reported by Bloomberg, comes from the Retrieval-Masters Creditors Bureau, the parent company of the American Medical Collection Agency (AMCA). Earlier this month, medical testing firm Quest Diagnostics said a breach at the AMCA between Aug. 1, 2018 and March 30, 2019 led to the theft of personal and medical information on 11.9 million patients.

On June 4, KrebsOnSecurity broke the news that another major AMCA client — LabCorp — was blaming the company for a breach affecting 7.7 million of its patients.

According to a bankruptcy filing, LabCorp and Quest Diagnostics both stopped sending the AMCA business after the breach disclosure, as did the AMCA’s two other biggest customers — Conduent Inc. and CareCentrix Inc.

Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”

“Those expenses included more than $3.8 million spent on mailing more than 7 million individual notices to people whose information had been potentially hacked,” wrote Jeremy Hill. Retrieval Masters CEO Russell H. Fuchs “personally lent the company $2.5 million to help pay for those mailings, he said in the declaration. In addition, IT professionals and consultants hired in connection with the breach had cost Retrieval-Masters about $400,000 by the time of the filing.”

Retrieval Masters said it learned of the breach after a significant number of credit cards people used to pay their outstanding medical bills via the company’s site ended up with fraud charges on them soon after. The company also reportedly slashed its staff from 113 to 25 at the end of 2018.

The bankruptcy filing may also be something of a preemptive strike: Retrieval-Masters is already facing at least three class-action lawsuits from plaintiffs in New York and California.

A copy of the bankruptcy filing is available here (PDF).

Microsoft Patch Tuesday, June 2019 Edition

June 12, 2019
65 Comments

Microsoft on Tuesday released updates to fix 88 security vulnerabilities in its Windows operating systems and related software. The most dangerous of these include four flaws for which there is already exploit code available. There’s also a scary bug affecting all versions of Microsoft Office that can be triggered by a malicious link or attachment. And of course Adobe has its customary monthly security update for Flash Player.

Microsoft says it has so far seen no exploitation against any of the four flaws that were disclosed publicly prior to their patching this week — nor against any of the 88 bugs quashed in this month’s release. All four are privilege escalation flaws: CVE-2019-1064 and CVE-2019-1069 affect Windows 10 and later; CVE-2019-1053 and CVE-2019-0973 both affect all currently supported versions of Windows.

Most of the critical vulnerabilities — those that can be exploited by malware or miscreants to infect systems without any action on the part of the user — are present in Microsoft’s browsers Internet Explorer and Edge.

According to Allan Liska, senior solutions architect at Recorded Future, serious vulnerabilities in this month’s patch batch reside in Microsoft Word (CVE-2019-1034 and CVE-2019-1035).

“This is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document,” Liska wrote. “This vulnerability affects all versions of Microsoft Word on Windows and Mac as well as Office 365. Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited.” Continue reading

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

June 4, 2019
47 Comments

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payment’s page impacted anyone who entered payment data into the company’s site during the breach. But through an outside PR firm, it issued the following statement:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.” Continue reading

Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware

June 3, 2019
53 Comments

For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.

On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.

That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.

But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”

Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.

“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security] systems, or the target might already be patched for it.”

It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.

In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).

Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.

Over the past few days, however, the tweets from @Robinhkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.

Stewart said the @Robinhkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand. Continue reading

NY Investigates Exposure of 885 Million Mortgage Documents

May 31, 2019
18 Comments

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

May 30, 2019
33 Comments

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.” Continue reading