Ransomware hits video game developers

Video game developers have recently come under attack, and not because release dates keep getting delayed. A few weeks ago, Egregor ransomware claimed Ubisoft and Crytek as victims of an attack. Now, another major video game developer has disclosed an incident.

On November 4, 2020, Capcom revealed that there was unauthorized access to its systems, including email and file servers. Capcom’s internal network operations were impacted by the incident on November 2, and they’re reportedly still trying to recover.

Capcom stated that there was no evidence any customer data was breached, but the burden of proof is now on companies.

An organization without proper monitoring for file or email access won’t see evidence of customer data being breached. However, with sufficient network and log monitoring, organizations should be able to confidently say if customer data was accessed.

Capcom’s lack of evidence is quite possibly a distraction. It’s highly likely an authorized party was able to access Capcom customer data, and Capcom just doesn’t know it.

I’ve read the tea leaves, and my bet is on ransomware. When the impact of an incident involves disruption to operations, ransomware is typically the case. I’m guessing Capcom had good backups and didn’t think the data accessed was sensitive enough to pay any extortion demands.

Because of that, Capcom’s disclosure seems like an attempt to get ahead of the ransomware operators leaking data.

I’m going to go further out on the ransomware limb here to theorize that this incident may be a continuation of Egregor’s campaign on top tier video game developers. But they’re not the only ones that need to worry about Egregor; we all do.

It’s not just them

We’ve had some experiencing fighting Egregor and here’s what I can tell you: we’ve seen Egregor start with a maldoc, leading to QakBot.

If you can catch the malicious document in an email, the commands run by a user opening the maldoc, the QakBot download, the QakBot beaconing, or any other IOCs before they get to running Egregor on all your hosts, you win.

On top of Egregor, other ransomware strains have been making news. On October 28, an alert from CISA warned of an imminent cybercrime threat to U.S. hospitals and healthcare providers.

The CISA warning followed Krebs on Security reporting on a tip from Alex Holden, founder of Hold Security.

Holden said he observed communications between Ryuk operators in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S. around the U.S. presidential election.

Perch investigated all Ryuk, TrickBot, BazarLoader, and Anchor_DNS IOCs included in the report. We found one large Healthcare organization beaconing consistently with Anchor DNS.

We were able to work with the customer to contain the incident before it evolved into Ryuk. beaconing consistently with Anchor DNS. We were able to work with the customer to contain the incident before it evolved into Ryuk.

This was one of the most timely and valuable CISA reports we’ve received. So, kudos to everyone for quickly getting the intel out there. Many of the CISA indicators appear to be sourced from the Net Scouts article on Anchor DNS.

The election has come and gone. We saved one. Did y’all get the other 399? There were a couple of Ryuk healthcare hits, but not the wave expected. Did blue team thwart this imminent threat, or was it overstated?

Ransomware doesn’t just happen

Ransomware is the impact of an incident, not the start of one. In all these ransomware incidents, they still had to get in first. Most of the time, it’s RDP or maldocs, but it can also be from critical software vulnerabilities in a VPN, RMM, Mobile Device Management software, or even your webserver.

Oracle issued a rare off-schedule patch for CVE-2020-14750, which has a critical CVSS score of 9.8 out of 10.

Following Oracle’s patch, CISA issued an alert on CVE-2020-14750, urging government and non-government users of WebLogic Servers to apply an available patch as soon as possible. Oh, and then apply another patch because the first one had a bypass.

CISA’s urgency is warranted. The Perch flock is seeing active scanning for vulnerable WebLogic Servers based on the CVE details. We have also deployed an IDS signature to detect these attacks. You can have it too.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[Perch Security] Oracle WebLogic Server Remote Code Execution CVE-2020-14882"; flow:established, to_server; content:"/console/images/%252E%252E%252Fconsole.portal"; nocase; http_raw_uri; content:"ShellSession("; content:"java.lang.Runtime.getRuntime().exec("; distance:0; tag:session,5,packets; reference:url, https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf; reference:cve,2020-14882; classtype:web-application-attack; sid:900162; rev:2;)

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Bad Neighbor vuln discovered living in ICMPv6