News

30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware

  • Becky Bracken--Threatpost
  • published date: 2021-10-13 11:22:00 UTC

The previously unknown SnapMC group exploits unpatched VPNs and webserver apps to breach systems and carry out quick-hit extortion in less time than it takes to order a pizza.

<div class="c-article__content js-reading-content"> <p>In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization’s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new <a href="https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/" target="_blank" rel="noopener">report from NCC Group’s threat intelligence team</a> — no ransomware required.</p> <p>Rather than disrupting business operations by locking down a target’s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available.</p> <p><a href="https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=InfosecInsiders_Newsletter_Promo/" target="_blank" rel="noopener"><img loading="lazy" class="aligncenter wp-image-168544 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png" alt="Infosec Insiders Newsletter" width="700" height="50"></a></p> <p>“In the extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,” the report said. “These deadlines are rarely abided by, since we have seen the attacker to start increasing the pressure well before countdown hits zero.”</p> <p>The researchers weren’t able to link the group to any known threat actors and gave it the name for it’s speed (“Snap”) and its mc.exe exfiltration tool of choice.</p> <p>As evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media.</p> <p>Analysts said they’ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-18935" target="_blank" rel="noopener">CVE-2019-18935</a> remote code execution bug in Telerik UI for ASPX.NET, and webserver apps using SQL injections.</p> <h2><strong>VPN Vulnerabilities </strong></h2> <p>A recent rise in VPN vulnerabilities has left companies exposed, according to Hank Schless, a senior manager with Lookout cloud security.</p> <p>“While VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,” Schless explained to Threatpost. “Ensuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.”</p> <p>Last June the Colonial Pipeline was breached with an <a href="https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/" target="_blank" rel="noopener">old VPN password</a>. And last July <a href="https://threatpost.com/sonicwall-vpn-bugs-attack/167824/" target="_blank" rel="noopener">SonicWall issued a patch</a> for a bug in its old VPN models no longer supported by the company after attacks came to light — which were part of an ongoing wider campaign to exploit (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481" target="_blank" rel="noopener">CVE-2019-7418</a>).</p> <p>The following month, <a href="https://threatpost.com/critical-cisco-bug-vpn-routers/168449/" target="_blank" rel="noopener">Cisco Systems issued a handful of patches</a> for the 8,800 Gigabit VPN routers vulnerable to compromise through <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609" target="_blank" rel="noopener">CVE-2021-1609</a>.</p> <p>And by late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CSIA) issued guidance to the Department of Defense, National Security Systems and the Defense Industrial Base to <a href="https://threatpost.com/vpns-nsa-cisa-guidance/175150/" target="_blank" rel="noopener">harden their VPNs</a> against threats from multiple nation-state advanced persistent threat (APT) actors.</p> <p>Nation-state actors aside, basic patching would protect against this latest smash-and-grab attempt at data extortion from the likes of SnapMC.</p> <h2><strong>Ransomware’s Evolution </strong></h2> <p>Oliver Tavakoli, CTO with Vectra, said that getting rid of the encryption piece of the attack altogether is a “natural evolution” of the ransomware <a href="https://threatpost.com/ransomware-volumes-record-highs-2021/168327/" target="_blank" rel="noopener">business model</a>. The NCC team likewise predicts the trend toward simple attacks on shorter timelines is likely to continue.</p> <p>“NCC Group’s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,” the team said. “Therefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.”</p> <p><em><strong>Check out our free </strong></em><a href="https://threatpost.com/category/webinars/" target="_blank" rel="noopener"><em><strong>upcoming live and on-demand online </strong></em></a><em><strong><u>town halls</u></strong></em><em><strong> – unique, dynamic discussions with cybersecurity experts and the Threatpost community.</strong></em></p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware" data-url="https://threatpost.com/rapid-attacks-extort-ransomware/175445/" data-counters="no" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/breach/">Breach</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>