Threat Report

Happy new year! We’re going to close out 2018 with Ryuk ransomware hitting the press and ring in 2019 with some new year hacktivity by two threat actors.

Tribune Publishing held hostage by Ryuk

On December 29, 2018, it was widely reported that Tribune Publishing was unable to publish Saturday editions of major U.S. newspapers, including the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, and the Baltimore Sun. The disruption also affected the distribution of the Wall Street Journal and the New York Times on the West Coast. Tribune’s disruption was caused by ransomware infection. The disruption affected every Tribune market across the United States. Tribune Publishing has recently been divesting from newspapers in favor of online content generated by robots. Which likely means, they weren’t paying attention to printing facilities the way they should. Obviously, we need more legislation and compliance standards for securing news media. Or, we’ll end up with a resurgence of incidents similar to the Max Headroom incident.

The LA Times recently confirmed that the printing house was targeted by threat actors in North Korea. Ryuk ransomware is a targeted strain that is attributed to Lazarus Group. The implication of North Korea does not confirm that the incident was intended to disrupt the activity of the U.S. press, but indicates that some aspect of Tribune Publishing, or their connected publications, were targeted for financial gain by the ransomware strain.

Ryuk ransomware has appeared in campaigns targeting large organizations both in the United States and around the globe. Ryuk typically targets enterprises that are capable of paying a lot of money in order to restore operations, suggesting that operations using this ransomware are primarily financially motivated. It first emerged in August 2018 and in the space of just days infected several organizations across the U.S., encrypting PCs, storage and data centers of victims, as well as demanding 15-50 BitCoin in ransom. However, the attacks are highly targeted with perpetrators conducting tailored campaigns involving extensive network mapping, network compromise, and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.

Even though Ryuk has been used by the financially motivated, I can’t help but wonder about ulterior motives. Maybe this is a twofer. It seems to me, America is already questioning where it can get factual news from and shutting down trustworthy lines of information which is dangerous. Digital and print news was disrupted for millions of people. There are groups that don’t want information to be open, accessible, or intelligible. Journalists have been targeted this past year and now the threats are moving upstream to the publishers and printers.

TDO threatens release of 9/11 insurance docs

In what very well could have been the new year somewhere on earth, “Thedarkoverlord” (TDO) claimed to have stolen approximately 18K documents from Hiscox Syndicates, National Life Group, Advantage Life Investment Bank, Lloyds of London, and Silverstein Properties and threatened to share documents related to 9/11 attacks publicly.

TDO is known to have targeted the production studio for Netflix, medical centers, and private businesses across the United States. TDO provided a link for a 10GB archive of allegedly stolen files in their extortion note and threatened to release relevant decryption keys to unlock different sets of files in exchange for an undisclosed ransom fee in Bitcoin from the victims. It is unclear at present exactly which files the actor stole, but researchers believe it is certainly an attempt to capitalize on conspiracy theories surrounding the 9/11 attacks. My tinfoil hat is buzzing with excitement.

Motherboard reports that Hiscox Group confirmed hackers had breached and likely stolen files related to litigation around the 9/11 attacks from a U.S. law firm that advised the company, “The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach,” the Hiscox spokesperson wrote in an email.

Don’t sue me for saying so, but lawyers have the worst security. If I was going to take down the largest insurer in the world, I would definitely work my way through a low security backdoor, like their lawyer. We should be treating law firms as vendors with remote access in terms of vendor risk management

New World Hackers aim at Gulf Coast govs

New World Hackers have been going on a new year spree dumping data from FLgov.com, Texas.gov, and a number of smaller government organization around the region. They don’t exclusively target government organizations, but the lowest bidding government contractor isn’t always good at application security. Plus, opportunity makes a great motive.

The group also disclosed a breach of Lenovo through their Twitter accounts, but the data dumps were taken down from ghostbin before I could confirm them. Roughly 127K customer records and 1M user records were reportedly exposed in the breach.

Previously, the group took credit for database breaches at Atlanta International Airport and Colorado Government organizations.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday December 27th 2018