Archive for January, 2020

Securing the MSP: their own worst enemy

We’ve previously discussed threats to managed service providers (MSPs), covering their status as a valuable secondary target to both an assortment of APT groups as well as financially motivated threat groups. The problem with covering new and novel attack vectors, however, is that behind each new vector is typically a system left unpatched, asset management undone, a security officer not hired (typically justified with factually dubious claims of a “skills shortage”) or a board who sees investment in infrastructure—and yes, security is infrastructure—as a cost center rather than a long-term investment in sustainable profits.

In short, malware can be significantly less dangerous to a business than that business’ own operational workflow.

Points of entry

Data on breach root causes is hard to come by, typically because security vendors tend to benefit by not providing industry vertical specific risk analysis. But the data that is available occasionally hints at corporate data breaches starting with some common unforced errors.

The 2019 Verizon DBIR claims that only 28 percent of observed data breaches involve the use of malware for the initial intrusion. While malware plays a significant role in the subsequent exploitation, the numbers suggest the majority of public breaches are not driven by zero-day exploits or outlandishly complex intrusion paths. So if you’re trying to secure an MSP, what are the most common entry points for attackers?

Under the broad heading of “hacking,” the most prominent observed tactics for point-of-entry include phishing, use of stolen credentials, and other social engineering techniques. Subsequent actions to further access include common use of backdoors or compromised web applications. Let’s break these down a little further.

Phishing is a reliable way of gaining a foothold to compromise a system. How would an employee clicking on a phish constitute an unforced error? Frequently, enterprises of all sorts incentivize their workers to click on absolutely everything, while simultaneously limiting their actual reading of messages. The consequences for poorly-designed corporate communications can be huge, as was seen when an MSP lost control of admin credentials via phishing attack that was subsequently used to launch ransomware.

Stolen credentials are a tremendously common attack vector that has been seen in several high profile MSP data breaches. “Stolen” is a bit of a misnomer though, and they would be better considered as “mishandled.”

Setting aside credentials gained via social engineering or phishing, companies can frequently lose track of credentials by keeping old or unnecessary accounts active, failing to monitor public exposure of accounts, failing to force resets after secondary breaches that may impact employees, failing to enforce modern password policies—basically failing to pay attention.

Should any single account with exposed credentials be over-privileged, a significant breach is almost guaranteed. And the consequences for MSPs with sloppy credential handling can be quite severe (1, 2).

Last in the lineup for unnecessary security failures is patch management. Like any other company trying to manage fixed infrastructure costs, MSPs rely heavily on third-party software and services. So when a business-critical support app is discovered to have multiple severe vulnerabilities, it introduces a wide-open channel for further exploitation. On occasion, the vulnerabilities used are brand new. Typically, they are not, and companies that fail to patch or mitigate vulnerable software get predictably exploited.

Mishandled mitigation

These attack entry points have a couple of factors in common. First, they are not tremendously technically sophisticated. Even in the limited APT examples, the actors relied on compromised credentials and phishing first before deploying the big guns for lateral propagation. Second, the steps that mitigate these common entry points are ones the impacted MSPs should have been taking anyway.

Credential management that includes limited external monitoring, timely access control, and periodic privilege review doesn’t simply protect against catastrophic breaches—it protects against a host of attacks at all points of the technical sophistication spectrum.

Anti-phishing system design cues not only defend against employees leaking critical data, they also make for more efficient corporate communications, keep employees safe, and ideally reduce their overall email load.

Appropriate logging with timely human review cuts down time to breach discovery, but also assists in detailed risk analysis that can make for lean and effective security budgets into the future. The relationship between all of these security behaviors and observed MSP data breaches suggests that more attention to industry best practices could have gone a long way toward eliminating or sharply diminishing breach risk.

Finally, a patch management schedule that tracks third-party software and services and fixes vulnerabilities in a timely manner is a great way to close some of the largest entry points into an MSP. Subordinating patches to non-critical business needs, not having a test network to deploy patches to, or simply not patching at all is a large signpost to attackers signifying an easy target.

MSP security: not a luxury

An MSP might be tempted to consider security as an expensive indulgence—something to be considered as a nice-to-have after uptime and availability of resources. Done well, it is neither expensive, nor a luxury.

Adherence to security norms that have been well defined for years can go a long way toward preventing big breaches, and can do so without expensive vendor contracts, pricy consultants, or best-in-class equipment. A managed service provider who chooses to ignore or delay those norms does so at its peril.

The post Securing the MSP: their own worst enemy appeared first on Malwarebytes Labs.

Posted in: NEWS

Spear phishing 101: what you need to know

Phishing, a cyberattack method as old as viruses and Nigerian Princes, continues to be one of the most popular means of initiating a breach against individuals and organizations, even in 2020. The tactic is so effective, it has spawned a multitude of sub-methods, including smishing (phishing via SMS), pharming, and the technique du jour for this blog: spear phishing.

But first, a quick parable.

A friend of mine received a blitz of emails over the course of a few days, all geared toward their Netflix account.

The clues indicating something wasn’t quite right were numerous:

  • There were half a dozen emails instead of just one.
  • All of them required payment information, but each mail gave a different reason as to why.
  • There were spelling mistakes galore.
  • The emails were not personalised in any way.

Even without spotting the utterly bogus, non-HTTPS URL linked from the email body, this friend would never have fallen for it. Granted, they have a decent knowledge of security basics. However, consider if the attacker had done this:

  • Grabbed some personal details from a data dump
  • Hunted online for accounts belonging to this person, perhaps on social media
  • Checked to see if they had an account with Netflix
  • Crafted an imitation Netflix email address
  • Addressed the potential victim directly by name
  • Included some or all of their home address
  • Made use of spell check
  • Set up a free HTTPS website
  • Used the most current version of Netflix’s logo

See the difference? While the first set of emails wouldn’t pass muster with a marginally knowledgeable user, the second would be much more difficult to screen as fake.

And that is what’s known in the business as spear phishing.
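The tells in the parable above (a burst of messages claiming the same brand, a non-HTTPS link, a sender or link domain the brand does not own, a generic greeting, a request for payment details) can be turned into mailbox triage checks. This is an added example, not code from the original post; the messages are constructed, and the brand-to-domain table is an assumption.

```python
"""Triage checks for the phishing tells described in the parable.
Added illustration; sample messages are constructed and the brand domain
table is an assumption, not from the article."""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate sending domains per brand (not from the article).
BRAND_DOMAINS = {"netflix": {"netflix.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PAYMENT_RE = re.compile(r"payment (details|information)|billing|credit card", re.I)
# A greeting with no name is the "not personalised in any way" tell.
GENERIC_GREETING_RE = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|valued)", re.I | re.M)

def registrable(host):
    """Crude registrable domain (last two labels); enough for this example."""
    return ".".join(host.lower().split(".")[-2:])

def check_message(raw, brand):
    """Return the list of red flags for one message that claims to be from brand."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    if registrable(sender.split("@")[-1]) not in BRAND_DOMAINS[brand]:
        flags.append("sender domain not owned by brand")
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0]
        if url.lower().startswith("http://"):
            flags.append(f"non-HTTPS link: {host}")
        if registrable(host) not in BRAND_DOMAINS[brand]:
            flags.append(f"link host not owned by brand: {host}")
    if GENERIC_GREETING_RE.search(body):
        flags.append("generic greeting, not personalised")
    if PAYMENT_RE.search(body):
        flags.append("asks for payment details")
    return flags

def triage(raw_messages, brand, burst_threshold=3):
    """Flag each message, plus a campaign-level 'burst' when several messages
    claim the same brand but each gives a different reason (subject)."""
    per_message = [check_message(r, brand) for r in raw_messages]
    subjects = Counter(message_from_string(r).get("Subject", "") for r in raw_messages)
    burst = len(raw_messages) >= burst_threshold and len(subjects) > 1
    return {"per_message": per_message, "burst": burst}

# Constructed sample: three messages in the style of the parable, each with a
# different excuse for wanting payment details. Domains are placeholders.
SAMPLE = [
    "From: Netflix <billing@netfl1x-support.example>\nSubject: Your payment failed\n\n"
    "Dear Customer,\nYour payment information could not be verified. "
    "Update it at http://netflix-billing.example/update\n",
    "From: Netflix <account@netfl1x-support.example>\nSubject: Account on hold\n\n"
    "Dear Customer,\nWe need your billing details to keep your account active: "
    "http://netflix-billing.example/hold\n",
    "From: Netflix <info@netfl1x-support.example>\nSubject: New device detected\n\n"
    "Dear Customer,\nConfirm your credit card to continue: "
    "http://netflix-billing.example/confirm\n",
]

if __name__ == "__main__":
    result = triage(SAMPLE, "netflix")
    print("burst:", result["burst"])
    for i, flags in enumerate(result["per_message"], 1):
        print(f"message {i}:", "; ".join(flags))
```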

What is spear phishing?

Spear phishing’s sole purpose is to get inside the recipient’s head and make them think the messages they’re responding to are 100 percent legitimate—achieved due to personal touches designed to make them think what they’re dealing with is the real deal.

While you could argue alarm bells should ring when being asked for credit card details, in all honesty, once the scammer has thrown a few personal details into the mix like name and address, it may well be too late.

Imagine if the scammer monitored social media feeds to see which shows their target liked, then said something like, “Please ensure your details are correct to continue enjoying The Witcher.” Now add a picture of Henry Cavill looking cool.

Game. Over.

As you might expect, this kind of attack is rather difficult to combat. It doesn’t help that utterly random nonsense such as the poorly-made Netflix phishing attempt regularly inflicts huge losses on organisations across the globe, despite being pretty terrible.

How many times have we seen healthcare facilities and even local municipal governments fall foul to ransomware via pretend spreadsheet attachments in fake HR tax emails? Make no mistake, this is a very real and immediate problem for those caught out.

With generic phishing already causing huge headaches for businesses and consumers alike, cybercriminals using data dumps expertly combined with professional social engineering techniques have an ever higher likelihood of success. And that’s before you consider other forms of spear phishing, such as conversation hijacking (more on this later), or attacks that use the spear phish as a launching pad for infecting networks with malware and other digital nasties.

Shall we take a look at some numbers?

Watch those verticals

A few years ago, the average cost of spear phish prevention over 12 months was $319,327 versus the significantly higher cost of any successful attack, which weighed in at $1.6 million. In 2019, the stats leaning heavily towards spear phishing speak for themselves, and huge payouts for scammers are the order of the day.

Payouts of $40 million, $50 million, and even $70 million and beyond are common, and that’s before you get to the cost of the cleanup and class action lawsuits. Throw in a little reputation damage and a PR firestorm, and you have all the ingredients for a successful breach. For the victims, not so much.

With spear phishing, the slightest piece of information can bring about an organisation’s downfall as it slices through all its otherwise fully functional security defences.

Evolution of the spear phish

Spear phishing isn’t only left to the realm of emails. Highly-targeted attacks also branch out into other areas, especially ones full of self volunteered information. Hijacking customer support conversations on Twitter is a great example of this: scammers set up imitation support accounts then barge into the conversation, leading the victim to phishing central. It’s a slick move.

It’s debatable how many of these scams are targeted, considering the scammers are making their attack up on the fly instead of wading in with pre-gained knowledge. The difference here is that the recon is aimed at the person helping the potential victim, as opposed to the victim themselves. Making note of when the customer support account is active, looking at initial Tweets so they can pretend to be the same person who helped before, and adopting some of their speech mannerisms/corporate speak all help to create a convincing illusion.

At that point, all we’re really dealing with is a perfectly-crafted imitation email but in human form, and with the ability to interact with the victim. Has spear phishing ever seen such a potent way to go on the offensive? When people are happy to weaponise customer support to use them against you, it’s really something to sit down and consider.

Fighting the rising tide of spear phishing

Anybody can be a target, but executives, especially at the CEO level, are where it’s at in terms of big scores for criminals (a form of targeting sometimes called whaling). By necessity, most organisations’ executives are set up to be publicly visible, and scammers take advantage of this. As has been mentioned, this is one of the toughest forms of attack to defend against.

If the social engineering component is designed to open the network to malware abuse, then we also need to consider the overall security infrastructure. Security software, updates, firewalls, and more all become important tools in the war against spear phishing—especially given what can come after the initial foot in the door attack.

Tools such as spam filtering and detection are great for random, casual attacks, but given the direct nature of spear phishing, it may well be a bridge too far for automation to flag as suspicious. Dedicated, ongoing training is important at all levels of the business, alongside not getting into the habit of blaming employees and third parties when things go wrong (and they will, eventually). You don’t want people less likely to report incidents out of fear of getting into trouble—it’s not productive and won’t help anybody.

Tools to aid in reporting spear phishing attacks, either dedicated apps or something web-based inside the network, are always useful. It’s also good to ensure departments have at least some idea how important business processes work in other departments. Securing the organization is a little easier when unrelated department A is an additional layer of defence for unrelated department B. Pay attention to HR, accounting, and top line exec interaction.

If your organisation hasn’t considered what to lock down yet, there’s never been a better time. Europol’s EC3 report on spear phishing was released late last year and contains a wealth of information on the subject for those wanting to dive deeper.

Ponder all forms of phishing, see which one(s) may be the biggest danger to your organisation and your employees, and start figuring out how best to approach the issue. You won’t regret it—but the scammers certainly will.

The post Spear phishing 101: what you need to know appeared first on Malwarebytes Labs.

Explained: the strengths and weaknesses of the Zero Trust model

In a US court of law, the accused are deemed to be innocent until proven guilty. In a Zero Trust security model, the opposite is true. Everything and everyone must be considered suspect—questioned, investigated, and cross-checked—until we can be absolutely sure it is safe to be allowed.

Zero Trust is a concept created by John Kindervag in 2010 during his time as Vice President and Principal Analyst for Forrester Research. When looking at failures inside organizations to stop cyberattacks, especially lateral movements of threats inside their networks, Kindervag realized that the traditional security model operated on the outdated assumption that everything inside an organization’s network could be trusted. Instead, Zero Trust inverts that model, directing IT teams according to the guiding principle of “never trust, always verify” and redefining the perimeter to include users and data inside the network.

Over the last 10 years, more and more businesses have moved toward the Zero Trust model, demolishing the old castle-and-moat mentality and accepting the reality of insider threats. We take an inside look at Zero Trust, including its strengths and weaknesses, to help organizations evaluate whether they should embrace the philosophy within their own walls or consider different methods.

Definition of Zero Trust

Zero Trust is an information security framework that states organizations should not trust any entity inside or outside of their network perimeter at any time. It provides the visibility and IT controls needed to secure, manage, and monitor every device, user, app, and network belonging to or being used by the organization and its employees and contractors to access business data.

The goal of a Zero Trust configuration should be clear: restrict access to sensitive data, applications, and devices on a need-to-know basis. Employees in finance need accounting software—all others should be barred. Remote workers should use VPNs—access from the open Internet should be prohibited. Data sharing should be limited and controlled. The free flow of information that was once one of the cornerstones of the Internet needs to be confined in order to protect networks from penetration, customers from privacy violations, and organizations from attacks on infrastructure and operations.

The strategy around Zero Trust boils down to scrutinizing any incoming or outgoing traffic. But the difference between this and other security models is that even internal traffic, meaning traffic that doesn’t cross the perimeter of the organization, must be treated as a potential danger as well.

While this might seem severe, consider the changes in the threat landscape over the last 10 years: the hundreds of public data leaks and breaches; ransomware attacks that halted operations on thousands of endpoints in cities, schools, and healthcare organizations; or millions of users’ personally identifiable information stolen from business databases. As cybercriminals continue to turn their focus to business targets in 2020, Zero Trust seems like a smart approach to thwart increasing numbers of attacks.

Implementing Zero Trust

Implementing a Zero Trust security model in an organization is not simply a change in mindset. It will require a clear view of functions within the company’s departments, currently-deployed software, access levels, and devices, and what each of those requirements will look like in the future.

Often, building a Zero Trust network from the ground up is easier than reorganizing an existing network into Zero Trust because the existing network will need to remain functional throughout the transition period. In both scenarios, IT and security teams should come up with an agreed-upon strategy that includes the ideal final infrastructure and a step-by-step strategy on how to get there.

For example, when setting up resource and data centers, organizations may have to start almost from scratch, especially if legacy systems are incompatible with the Zero Trust framework—and they often are. But even if companies don’t have to start from scratch, they may still need to reorganize specific functions within their security policy, such as how they deploy software or onboard employees, or which storage methods they use.

Strengths of Zero Trust

Building Zero Trust into the foundation of an organization’s infrastructure can strengthen many of the pillars upon which IT and security are built. Whether it’s in bolstering identification and access policies or segmenting data, by adding some simple barriers to entry and allowing access on an as-needed basis, Zero Trust can help organizations strengthen their security posture and limit their attack surface.

Here are four pillars of Zero Trust that we believe organizations should embrace:

  • Strong user identification and access policies
  • Segmentation of data and resources
  • Strong data security in storage and transfer
  • Security orchestration

User identification and access

Using a secure combination of factors in multi-factor authentication (MFA) should provide teams with sufficient insight into who is making a request, and a well thought-out policy structure should confirm which resources they can access based on that identification.

Many organizations gate access to data and applications by opting for identity-as-a-service (IDaaS) cloud platforms using single sign-on services. In a Zero Trust model, that access is further protected by verifying who is requesting access, the context of the request, and the risk of the access environment before granting entry. In some cases, that means limiting functionality of resources. In others, it might be adding another layer of authentication or session timeouts.

Segmentation

Robust access policies will not make sense without proper segmentation of data and resources, though. Creating one big pool of data where everyone that passes the entrance test can jump in and grab whatever they want does not protect sensitive data from being shared, nor does it stop insiders from misusing security tools or other resources.

By splitting segments of an organization’s network into compartments, Zero Trust protects critical intellectual property from unauthorized users, reduces the attack surface by keeping vulnerable systems well guarded, and prevents lateral movement of threats through the network. Segmentation can also help limit the consequences of insider threats, including those that might result in physical danger to employees.
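How the identification, context and segmentation checks described in the two sections above might combine into a single access decision, as an added example (not code from the article or from any Zero Trust product); the groups, segments, network classes and timeout values are assumptions chosen to illustrate the policy:

```python
"""Toy Zero Trust access decision: identity, request context and environment
risk are all checked on every request to a segmented resource. Added
illustration; the policy values below are assumptions, not from the article."""
from dataclasses import dataclass, field
from typing import Optional

# Resource segments and the groups entitled to each one. Everyone else is
# barred, mirroring "finance needs accounting software, all others barred".
SEGMENT_ACCESS = {
    "accounting": {"finance"},
    "hr-records": {"hr"},
    "source-code": {"engineering"},
    "intranet-wiki": {"finance", "hr", "engineering"},
}
# Segments holding sensitive data: MFA required, unmanaged devices limited.
SENSITIVE_SEGMENTS = {"accounting", "hr-records", "source-code"}
# Session lifetime by network class; remote sessions are re-verified sooner.
SESSION_TIMEOUT_MIN = {"office": 60, "vpn": 15}

@dataclass
class Request:
    user: str
    groups: set
    segment: str
    mfa_verified: bool
    managed_device: bool
    network: str           # "office", "vpn" or "public"
    session_age_min: int   # minutes since the session last authenticated

@dataclass
class Decision:
    verdict: str                       # "allow", "step-up" or "deny"
    reasons: list = field(default_factory=list)
    session_timeout_min: Optional[int] = None
    read_only: bool = False            # limited functionality, not a denial

def evaluate(req: Request) -> Decision:
    """Apply 'never trust, always verify': being inside the network buys
    nothing; every factor is checked for every request."""
    # 1. Segmentation: the identity must belong to a group mapped to the segment.
    allowed_groups = SEGMENT_ACCESS.get(req.segment)
    if allowed_groups is None:
        return Decision("deny", ["unknown segment"])
    if not req.groups & allowed_groups:
        return Decision("deny", [f"{req.user} not entitled to {req.segment}"])
    # 2. Context: access from the open Internet is prohibited; VPN or office only.
    if req.network not in SESSION_TIMEOUT_MIN:
        return Decision("deny", ["access from open Internet prohibited"])
    # 3. Identity strength: sensitive segments require MFA. A valid identity
    #    without it gets a step-up challenge rather than an outright denial.
    if req.segment in SENSITIVE_SEGMENTS and not req.mfa_verified:
        return Decision("step-up", ["MFA required for sensitive segment"])
    # 4. Session age: long-lived sessions are re-verified, not trusted forever.
    timeout = SESSION_TIMEOUT_MIN[req.network]
    if req.session_age_min > timeout:
        return Decision("step-up", ["session expired; re-authenticate"])
    # 5. Environment risk: an unmanaged device gets limited functionality.
    decision = Decision("allow", session_timeout_min=timeout)
    if req.segment in SENSITIVE_SEGMENTS and not req.managed_device:
        decision.read_only = True
        decision.reasons.append("unmanaged device: read-only access")
    return decision

if __name__ == "__main__":
    print(evaluate(Request("alice", {"finance"}, "accounting", True, False, "vpn", 5)))
    print(evaluate(Request("bob", {"engineering"}, "accounting", True, True, "office", 5)))
```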

Data security

Even with restricting access to data and reducing the attack surface through segmentation, organizations are open to breaches, data leaks, and interception of data if they do not secure their data in storage and in transit. End-to-end encryption, hashed data, automated backups, and securing leaky buckets are ways organizations can adopt Zero Trust into their data security plan.

Security orchestration

Finally, drawing a thread through all of these pillars is the importance of security orchestration. Even without a security management system, organizations using Zero Trust would need to ensure that security solutions work well together and cover all the possible attack vectors. Overlap is not a problem by itself, but it can be tricky to find the right settings to maximize efficiency and minimize conflicts.

Challenges of the Zero Trust strategy

Zero Trust is billed as a comprehensive approach to securing access across networks, applications, and environments from users, end-user devices, APIs, IoT, micro-services, containers, and more. While aiming to protect the workforce, workloads, and workplace, Zero Trust does encounter some challenges. These include:

  • More and different kinds of users (in office and remote)
  • More and different kinds of devices (mobile, IoT, biotech)
  • More and different kinds of applications (CMSes, intranet, design platforms)
  • More ways to access and store data (drive, cloud, edge)

Users

In the not-too-distant past, it was commonplace for the vast majority of the workforce to spend the entirety of their working hours at their place of employment. Not true today, where, according to Forbes, at least 50 percent of the US population engage in some form of remote work. That means accessing data from home IPs, routers, or public Wi-Fi, unless using a VPN service.

But users are not necessarily limited to a workforce. Customers sometimes need to access an organization’s resources, depending on the industry. Consider customers that want to select orders for their next delivery, check on inventory, participate in demos or trials, and of course access a company’s website. Suppliers and third-party service companies may need access to other parts of an organization’s infrastructure to check on operations, safety, and progress.

All of these instances point to a wide variation in user base and a larger number of access points to cover. Coming up with specific policies for each of these groups and individuals can be time-consuming, and maintaining the constant influx of new employees and customers will add considerable workload for whomever manages this task moving forward.

Devices

In this era of BYOD policies and IoT equipment, plus the “always on” mentality that sometimes strikes remote employees, organizations must allow for a great variation in devices used for work, as well as the operating systems that come with them. Each of these devices has its own properties, requirements, and communication protocols, which will need to be tracked and secured under the Zero Trust model. Once again, this requires a bit more work upfront but likely yields positive results.

Applications

Another challenging factor to take into account when adopting a Zero Trust strategy is the number of applications in use across the organization for people and teams to collaborate and communicate. The most versatile of these apps are cloud-based and can be used across multiple platforms. This versatility can, however, be a complicating factor when deciding what you want to allow and what not.

Are the apps shared with third-party services, agencies, or vendors? Are the communication platforms outward-facing, and not just for employees? Is this application necessary only for a particular department, such as finance, design, or programming? All of these questions must be asked and answered before blindly adopting a stack of 60 applications for the entire workforce.

Data

One reason why the old security policies are growing out of favor is that there’s no one, fixed location that needs to be protected any longer. Organizations can’t just protect endpoints or corporate networks. More and more resources, data, and even applications are stored in cloud-based environments, meaning they can be accessed from anywhere and may rely on server farms in various global locations.

This is further complicated by the potential shift to edge computing, which will require IT teams to switch from a centralized, top-down infrastructure to a decentralized trust model. As we have seen in our series about leaky cloud resources (AWS buckets and elastic servers), the configuration of data infrastructure in cloud services and beyond will need to be flawless if businesses don’t want it to end up as the weakest link in their Zero Trust strategy.

To trust or not to trust

Overhauling to a Zero Trust security framework isn’t easily accomplished, but it’s a change we feel strengthens an organization’s overall security posture and awareness. IT teams looking to convince executives of the old guard might look for prime opportunities, then, to make their argument. For example, if there’s already a planned move to cloud-based resources, that’s a good time to suggest also adopting Zero Trust.

Changes in the threat landscape, including recent vulnerabilities in VPNs and Citrix, plus ransomware being delivered through Remote Desktop Protocol (RDP), might encourage more organizations to investigate a Zero Trust solution, if only for identity and access management. These organizations will have to allow for a transition period and be prepared for some major changes.

A proper Zero Trust framework that doesn’t automatically allow traffic inside the perimeter will certainly hinder the lateral threat movement that hackers use to tighten their grip on a breached network. Top business-focused threats such as Emotet and TrickBot would be hindered from spreading, as they’d be unable to work their way from server to server in a segmented network. Since the point of infiltration is usually not the target location of an attacker, setting up internal perimeters can also limit the severity of a successful attack.

Add to these layers strong data security hygiene and intelligent orchestration that provides wide coverage across threat types, operating systems, and platforms, and businesses have a security framework that’d be pretty tough to beat today. In our eyes, that makes Zero Trust a hero.

The post Explained: the strengths and weaknesses of the Zero Trust model appeared first on Malwarebytes Labs.

A week in security (January 20 – 26)

Last week on Malwarebytes Labs, we reported on a Ryuk ransomware attack on The Tampa Bay Times, a newspaper in Florida; unmasked an elaborate browser locking scheme behind the more advanced tech support operations that are currently active; and looked at the latest laws on regulating deepfakes.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (January 20 – 26) appeared first on Malwarebytes Labs.

Tampa Bay Times hit with Ryuk ransomware attack

Florida newspaper The Tampa Bay Times suffered a Ryuk ransomware attack Thursday, making it the latest major victim of the notorious ransomware family that continues to rise in popularity.

Curiously, the paper is at least the third Florida-based Ryuk victim in the past year.

The attack, which The Tampa Bay Times reported on itself, did not result in any breached data. Sensitive customer information, such as subscriber addresses and credit card details, was not disclosed in the breach, the newspaper said.

The Tampa Bay Times chief digital officer Conan Gallaty said the paper had “a lot of plans for systems that go down,” and that its priority was in restoring and securing operations.

“The focus for us is to fully recover and then work on further preventative measures,” Gallaty said.

The newspaper did not respond to the threat actors, and Gallaty said the paper would have refused any ransom payment demanded. This stalwart opposition is becoming less common today, as increasingly companies are forced to choose between the loss of several hundred thousand dollars in ransom payments, or several hundred thousand dollars in database and operations recovery.

Further, when some companies hire the help of outside malware recovery firms, they may be signing up, quietly, for ransomware negotiations. A ProPublica investigation last year found that at least two cybersecurity firms that touted allegedly advanced technology solutions would, in fact, pay off the ransoms demanded by the threat actors who breached their clients.

The investigation of two firms found that:

“The [cybersecurity] firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.”

Though The Tampa Bay Times did not disclose the Ryuk ransomware attack vector, Gallaty said he believed the paper was unlikely to be a specific target for the threat actors. That’s hard to reconcile with Ryuk’s history—already it has been responsible for crippling the delivery operations for at least four major US newspapers, including The Chicago Tribune and The Los Angeles Times.

In speaking with The Tampa Bay Times, Malwarebytes senior security researcher JP Taggart explained the calculus behind potential Ryuk ransomware targets:

“They’re looking at the people that have the most to lose.”

That bears true when looking at recent Ryuk victims.

In June 2019, the government of Lake City, Florida, crawled to a halt, with phones and computer systems stalled after threat actors successfully implanted a Ryuk variant into the city’s network. Unable to work themselves out of the problem, even with the help of the FBI, the city had to make a choice. It chose to pay $460,000. A similar situation happened months later, in October, when the Alabama-based DCH Health System was forced to partially shut down three of its hospitals after a Ryuk attack. Again, unable to solve the problem, and unable to continue to turn away all but the most critical patients, the hospital operator decided to prioritize patient care, paying an undisclosed amount to the threat actors.

Those payments add up. According to CrowdStrike, Ryuk’s deployment teams have amassed more than $3.7 million in paid ransoms.

When Ryuk’s threat actors haven’t successfully scored a big pay day, though, they’ve still managed to do enormous damage. In April 2019, Imperial County, California, refused to pay an enormous $1.3 million ransom from a Ryuk attack, but, according to The Wall Street Journal, the city has spent $1.6 million in recovery efforts. In late December, the US Coast Guard publicly announced that it suffered a Ryuk attack that shut down a maritime facility for 30 hours.

The ransomware campaigns became so common that the FBI warned the public that threat actors had used Ryuk to target more than 100 US and international businesses since its emergence in August 2018.

According to new Malwarebytes data, those attacks have continued. From January 1–23, 2020, Malwarebytes recorded a cumulative 724 Ryuk detections. The daily detections fluctuated, with the lowest detection count at 18 on January 6, and the highest detection count at 47 on January 14.

Ryuk detections reported by Malwarebytes from January 1–23, 2020

The ransomware frequently works in conjunction with Emotet and TrickBot in multi-stage attacks. Those separate malware families have also been active in the new year, with small spikes into the thousands of detections. Emotet, particularly, kicked itself into high gear again starting on January 13.

Recent daily detection activity for Emotet, Trickbot, and Ryuk, reported by Malwarebytes

As we explained before in our threat spotlight on Ryuk:

“The first stage of the attack starts with a weaponized Microsoft Office document file—meaning, it contains malicious macro code—attached to a phishing email. Once the user opens it, the malicious macro will run cmd and execute a PowerShell command. This command attempts to download Emotet.

Once Emotet executes, it retrieves and executes another malicious payload—usually TrickBot—and collects information on affected systems. It initiates the download and execution of TrickBot by reaching out to and downloading from a pre-configured remote malicious host.

Once infected with TrickBot, the threat actors then check if the system is part of a sector they are targeting. If so, they download an additional payload and use the admin credentials stolen using TrickBot to perform lateral movement to reach the assets they wish to infect.

The threat actors then check for and establish a connection with the target’s live servers via a remote desktop protocol (RDP). From there, they drop Ryuk.”
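The first stage quoted above (Office document, macro runs cmd, cmd runs PowerShell) leaves a distinctive process ancestry that endpoint telemetry can catch before Emotet is ever fetched. The following detection logic is an added example, not code from the article or from Malwarebytes; the process events are constructed in the shape of Sysmon event 1 fields, and the encoded-command argument is a placeholder.

```python
"""Detect the Office -> cmd -> PowerShell launch chain that starts the
Emotet/TrickBot/Ryuk sequence, from process-creation events.
Added illustration; the events are constructed, not real telemetry."""
import re

# Constructed process-creation events shaped like Sysmon event 1 fields:
# (pid, parent pid, image name, command line). The -enc value is a
# placeholder, not a real encoded command.
EVENTS = [
    (4100, 900,  "explorer.exe",   "explorer.exe"),
    (4312, 4100, "winword.exe",    'winword.exe "C:\\Users\\u\\Downloads\\invoice.doc"'),
    (4380, 4312, "cmd.exe",        "cmd /c powershell -nop -w hidden -enc QUFBQQ=="),
    (4391, 4380, "powershell.exe", "powershell -nop -w hidden -enc QUFBQQ=="),
    (5000, 4100, "outlook.exe",    "outlook.exe"),
    (5010, 4100, "cmd.exe",        "cmd /c dir"),
    (5020, 5010, "powershell.exe", "powershell Get-Date"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line cues typical of hidden, encoded download cradles. They raise
# severity; the finding itself rests on the process ancestry.
SUSPICIOUS_CLI = re.compile(
    r"-enc\b|-encodedcommand|downloadstring|-w hidden|-nop\b", re.I)

def ancestry(pid, by_pid, max_depth=8):
    """Walk parent links upward from pid; returns image names, child first.
    max_depth guards against malformed data with parent cycles."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[pid][2].lower())
        pid = by_pid[pid][1]
    return chain

def find_office_shell_chains(events):
    """One finding per shell process whose ancestry contains an Office
    application. Shells launched from Explorer alone are not reported."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _ppid, image, cmdline in events:
        if image.lower() not in SHELLS:
            continue
        chain = ancestry(pid, by_pid)
        if not any(p in OFFICE_APPS for p in chain):
            continue
        severity = "high" if SUSPICIOUS_CLI.search(cmdline) else "medium"
        findings.append({"pid": pid, "severity": severity,
                         "chain": " -> ".join(reversed(chain))})
    return findings

if __name__ == "__main__":
    for f in find_office_shell_chains(EVENTS):
        print(f["severity"], f["pid"], f["chain"])
```

The two benign shells under explorer.exe produce no finding, while both processes under winword.exe are reported, so a lone Office-spawned cmd.exe is caught even before PowerShell starts.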

The Tampa Bay Times did not specify which systems, or how many computers, were disrupted in Thursday’s attack. Instead, the only hint of inconvenience in the newspaper’s routine was the acknowledgement that Friday’s newspaper would be published with an earlier deadline.

The show must go on.

The post Tampa Bay Times hit with Ryuk ransomware attack appeared first on Malwarebytes Labs.
