May cyber news round-up

It’s been a busy month in the world of cyber risk and security. Here’s our May recap of recent news in the world of cyber.

1. Colonial pipeline ransomware attack: The full story

The Colonial Pipeline Company, which operates the largest petroleum pipeline in the United States, reported on May 7th that it fell victim to a ransomware attack.

Vox reported that panic buying ensued shortly after; five days after the hack was announced, the national average price for a gallon of regular gas had pushed past $3 for the first time since 2014.

The FBI confirmed that the ransomware used is linked to the hacker group called DarkSide, believed to be based in Eastern Europe. DarkSide does not appear to be linked to any nation-states, saying in a statement that “our goal is to make money, [not to create] problems for society” and that it is apolitical.

Reports indicate the attack began on May 6th, when nearly 100 gigabytes of data stolen from Colonial’s computers were locked up. A ransom was demanded to stop the data from being leaked on the internet and to unlock the affected systems. Reports varied on whether Colonial paid the ransom or not until May 19th, when Colonial confirmed it had paid $4.4 million worth of bitcoin. CEO Joseph Blount said that it was a difficult decision, but one that he felt was “the right thing to do for our country.”

The attack highlights two of the Biden administration’s priorities: improving American infrastructure, and cybersecurity. To assist with these aims, Biden has unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the electrical grid. An executive order was also signed and meant to strengthen the federal government’s cybersecurity standards for software and technology services it uses.

2. NCSC records 15-fold increase in scam website takedowns

The UK authorities took down over 700,000 malicious and phishing sites last year, a huge increase from 2019, according to the National Cyber Security Centre (NCSC). As well as websites, the service removed 1.4 million malicious URLs, reports InfoSecurity Magazine.

Although COVID-19 scams surged in 2020, the NCSC said that the 15-fold increase in the volume of sites taken down was due to an expansion of the service.

The NCSC claimed to have detected and blocked 122 phishing campaigns spoofing the National Health Service (NHS) across 2020, which saw fake vaccine lures and malicious apps masquerading as the official NHS Test and Trace app. Also spoofed was the TV Licensing agency and Her Majesty’s Revenue and Customs (HMRC), the most phished brand last year. More than 11,000 government-themed phishing campaigns were taken down in 2020 – more than double the 2019 figure.

Meanwhile, the Suspicious Email Reporting Service, only launched in April 2020, received nearly four million reports by the end of the year, leading to the removal of over 26,000 scams not previously identified.

3. 1.3 Million RDP server logins collected from UAS market

The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.

UAS, or 'Ultimate Anonymity Services,' is a dark web marketplace that sells Windows Remote Desktop login credentials, stolen Social Security Numbers, and access to SOCKS proxy servers. It is the largest marketplace of its type and provides tips to maintain network persistence along with customer service support.

Since December 2018, a group of security researchers has had private access to the UAS marketplace database and amassed IP addresses, usernames and passwords for 1,379,609 RDP accounts that have been sold since the end of 2018.

Vitali Kremez from Advanced Intelligence shared a redacted copy with BleepingComputer for review. Analysis of the 1.3 million accounts in the database has revealed insights including:

• The top five login names found in the sold RDP servers are 'Administrator', 'Admin', 'User', 'test', and 'scanner'.
• The top five passwords used by the RDP servers are '123456', '123', 'P@ssw0rd', '1234', and 'Password1'.
• The top five represented countries in the database are United States, China, Brazil, Germany, India, and the United Kingdom.

Vitali Kremez has launched a new service called RDPwned which allows organizations to check if their servers are listed in the database. This lookup can be performed by reverse DNS, IP addresses, and domain names.

You can read complete statistics about the accounts in the database from the full article here.

4. Ransomware task force plans to take down the ransomware economy

The US Department of Justice has formed a task force to curb the surge of ransomware cyberattacks. As reported in the Wall Street Journal, in an internal memorandum last week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.”

By identifying ransomware as a priority, the task force will increase training, dedicate more resources to the issue, seek to improve intelligence sharing across the department, and work to identify “links between criminal actors and nation-states”.

The memo calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks.

The task force will consist of the Justice Department’s criminal, national security and civil divisions, the FBI and the Executive Office of U.S. Attorneys. It will also work to boost collaboration with the private sector, international partners and other federal agencies.

While estimates on annual damages of ransomware attacks vary widely, the average size of ransoms has ballooned in recent years and the overall toll on the economy is likely in the billions of dollars.

Want to learn more about CFC’s cyber policy? Visit our product page or check out our other great cyber-related resources.