Attackers Scanning for PoS Software in New Sodinokibi Ransomware Campaign

Published: 23/11/2024   Category: security




Making extra money from victims appears to be the goal, Symantec says.



Operators of Sodinokibi — one of the biggest ransomware threats currently targeting enterprise organizations — appear to have hit on a new tactic to try and generate extra money from victims.
Security researchers at Symantec recently spotted a Sodinokibi ransomware campaign in which the attackers are scanning the networks of their targets for credit-card or point-of-sale (POS) data. It is unclear whether the attackers are targeting the data for encryption or whether they view it as another way to make money from their victims.
Symantec reported observing the attackers in the latest campaign using the Cobalt Strike penetration-testing tool to deliver Sodinokibi on victim networks. At least eight organizations — most of them large, multisite entities — were found to have the Cobalt Strike tool on their systems. Three of those organizations — one each from the healthcare, food, and services sectors — were later infected with Sodinokibi, the security vendor said in a report Tuesday.
The attackers have demanded as much as $50,000 in Monero cryptocurrency from the victims if paid within the first three hours, or $100,000 if paid later. Symantec says it has not been able to determine how the attackers gained initial access to the victim networks in the latest campaign; typical tactics have included the use of phishing emails and exploiting vulnerabilities in an organization's Internet-facing infrastructure. In some cases, the attackers have opened accounts on infected systems to maintain persistence.
"Adversaries are always looking for creative ways to increase profit from their attack campaigns," says Symantec cyber intelligence analyst Jon DiMaggio.
"In the current campaign, the Sodinokibi attacker is leveraging all resources across the victim's infrastructure to maximize profits. This indicates they are not solely interested in obtaining a ransom," DiMaggio says. "They are looking for other ways to potentially make a profit."
It is likely the attacker would deploy POS-scanning malware to extract credit-card details if they found POS systems on a victim network, he says.
Sodinokibi has emerged as one of the most prolific ransomware strains since it first surfaced in April 2019, at least partly because it is being distributed under a ransomware-as-a-service model. Several security vendors have described the malware (aka REvil) as being used mostly in attacks against large organizations with the resources to pay big ransoms to get their data back.
The malware's more notable victims include foreign exchange service Travelex, which reportedly paid some $2.3 million earlier this year to recover data following a New Year's Eve attack on its systems. Sodinokibi has also been associated with an attack on A-list celebrity law firm Grubman Shire Meiselas & Sacks earlier this year.
Data Exposure Threat
In recent months, Sodinokibi has been used in campaigns where threat actors have stolen sensitive, business-critical data from victim organizations before encrypting the data. The attackers have then threatened to publicly release the data if the victim organization refused to pay the demanded ransom. Earlier this month, the group behind Sodinokibi launched a website through which it plans on auctioning stolen data to interested buyers.
"This is a relatively new tactic seen only by a few groups of organized ransomware attackers," DiMaggio says. The intent is to embarrass the victim by releasing sensitive business data or even data associated with the victims' customers, thereby making them potentially liable for damage, he says.
Sodinokibi emerged right around the time the operators of the equally destructive GandCrab ransomware family announced their retirement after collecting a reported $2 billion in ransom money from victims worldwide. Many believe the GandCrab group is now behind Sodinokibi as well.
In its report this week, Symantec described the threat actors behind the latest Sodinokibi campaign as using a combination of custom malware and legitimate tools and infrastructure to carry out attacks. Examples include the use of a remote admin tool from NetSupport to distribute malware components, the use of code-hosting service Pastebin to host Cobalt Strike and Sodinokibi, and the Amazon CloudFront service for command-and-control purposes.
"The goal in using these services to host malicious payloads and communicate with infected systems is to ensure the malicious activity is hidden within an organization's legitimate traffic. Defenders may overlook network connections to legitimate infrastructure and therefore allow malicious activity to continue on their networks," DiMaggio says.
Targeted ransomware attacks are on the rise, so it is vital for organizations to bolster their endpoint security and have data backup and recovery plans in place in the event they are attacked. Also important is for organizations to deploy controls for detecting the misuse of legitimate tools and services on their networks.
"In almost every targeted enterprise ransomware attack, the adversary is present on the network for a period of time prior to deploying the ransomware," DiMaggio says. "During this time they are using legitimate tools in the environment as well as additional publicly available tools and malware, such as the credential-stealing Mimikatz, to expand their presence."
"Identifying the misuse of these legitimate tools or the use of publicly available hack tools within the targeted environment presents an opportunity to stop the attack before it begins," he says.
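Correlation is what turns the tool and service misuse described above into something a defender can act on: any one of these signals (a CloudFront connection, a Pastebin fetch, a remote-admin client) is ordinary on most networks, but several of them clustering on one host in a short window is not. The following is an added example, not Symantec's or the report's code; the log format, the window length and the process names it matches are assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Signals drawn from the campaign write-up: Pastebin payload hosting, CloudFront
# C2, a legitimate remote-admin tool, public hack tools. Process names are assumed.
SIGNALS = {
    "paste_fetch":  ("http", lambda v: v.endswith("pastebin.com")),
    "cdn_beacon":   ("http", lambda v: v.endswith("cloudfront.net")),
    "remote_admin": ("proc", lambda v: v.lower() in {"client32.exe", "netsupport.exe"}),
    "hack_tool":    ("proc", lambda v: v.lower() in {"mimikatz.exe", "beacon.exe"}),
}
WINDOW = timedelta(minutes=30)   # how close the signals must be to correlate

def parse(line):
    """Assumed log shape: '<ISO time> <host> <proc|http> <value>'."""
    ts, host, kind, value = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, kind, value

def classify(kind, value):
    return [n for n, (k, pred) in SIGNALS.items() if k == kind and pred(value)]

def correlate(lines, min_signals=2):
    """Return {host: sorted signals} for hosts showing >= min_signals distinct
    signal types within WINDOW; a lone CloudFront or Pastebin hit never alerts."""
    hits = defaultdict(list)          # host -> [(time, signal)]
    for line in lines:
        ts, host, kind, value = parse(line)
        for sig in classify(kind, value):
            hits[host].append((ts, sig))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {s for t, s in events[i:] if t - t0 <= WINDOW}
            if len(names) >= min_signals:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed sample: ws-17 shows the whole chain; fs-02 only talks to a CDN.
SAMPLE_LOGS = [
    "2020-06-23T09:00:00 ws-17 proc client32.exe",
    "2020-06-23T09:04:10 ws-17 http pastebin.com",
    "2020-06-23T09:05:30 ws-17 http d1abc.cloudfront.net",
    "2020-06-23T09:20:00 ws-17 proc mimikatz.exe",
    "2020-06-23T09:02:00 fs-02 http d2xyz.cloudfront.net",
    "2020-06-23T11:45:00 fs-02 http d2xyz.cloudfront.net",
]

if __name__ == "__main__":
    for host, sigs in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(sigs)}")
```

Raising `min_signals` or shortening `WINDOW` trades recall for fewer false positives; the point is that the single-signal hit on fs-02 is deliberately ignored.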