Posted August 31, 2020
Threat researchers report that low-skilled Iranian hackers carried out a series of successful attacks on business targets in June. The incident highlights the growing threat of malware to businesses and individuals.
In this short article we will explain what happened, give some background on the problem, and tell you what you can do to stay safe.
According to researchers at Group-IB in Singapore, novice hackers in Iran managed to infiltrate the networks of a number of companies around the world and infect their systems with Dharma ransomware. The cybercriminals demanded ransoms ranging from 1
Interestingly, the attackers in this case do not seem to have been particularly sophisticated, or even particularly skilled, far from the kind of threat actors we are used to hearing about in connection with Iran, such as military hacking groups and APTs. They left clear traces of their geographical location as well as the tools they used, and they do not appear to have attempted to exfiltrate valuable business data. Most telling of all, they used Dharma ransomware in the attack, a so-called "ransomware-as-a-service" (RaaS) tool sold to cybercriminals who want to make money quickly.
What is RaaS?
Ransomware-as-a-service seeks to monetize the growing popularity of ransomware among cybercriminals. The basic idea is that skilled hackers code some user-friendly ransomware and then sell it to unskilled hackers who use it for cybercrime. A version of Dharma's source code was discovered for sale on a Russian hacking forum for only $2,000. Some RaaS vendors even offer a commission pricing model, in which they "earn" a percentage of every successful ransomware attack.
Dharma ransomware has been observed in the wild since 2016, and according to the FBI, it has already been used to extort tens of millions of dollars from companies around the world.
What is off-the-shelf malware?
RaaS is part of a broader cyber security problem: the growing trend of off-the-shelf malware. These "user-friendly" malware offerings have significantly leveled the playing field for cybercriminals, and in the process have made the world a significantly more dangerous place.
Gone are the days when bad guys needed serious hacking skills to carry out a cyber attack. With the advent of off-the-shelf malware, amateur hackers, even those with relatively limited technical ability, can inflict real damage on businesses and governments. Off-the-shelf malware can be used by low-skilled threat actors who would never be able to code such malicious software themselves: a kind of democratization of cybercrime.
This has greatly lowered the barrier to entry for aspiring hackers, and has contributed to the sharp increase in ransomware and other types of malware attacks in recent years. While the most sophisticated malware tools are still in the hands of skilled threat actors, nation states, and APTs, this type of ready-to-use malware is dangerous enough to cause disruption and financial loss to organizations worldwide.
How to be safe
Dharma ransomware is easily accessible and requires little real technical ability to use. While that may sound disturbing, paradoxically it can also prove to be a source of comfort.
The silver lining of this story is that ransomware can only be deployed once a network has been breached, and rookie hackers are not very good at breaching networks. This means that it should be feasible to protect your home or small business network from off-the-shelf tools like Dharma ransomware, because the crooks who use them usually lack the skills needed to circumvent good security practices.
In the case of the ransomware attacks in June, Group-IB security analysts note that the Iranian hackers targeted networks with exposed Remote Desktop Protocol (RDP) ports, which they found using automated network scanning tools. They then compromised insecure networks by using a free password-cracking tool to guess valid network credentials by trial and error.
The analysts therefore recommend that companies using RDP change the default RDP port (3389) to another port, as many network scanning tools are configured to scan only the ports commonly associated with the targeted service, and will overlook hosts where the service in question is configured to run on a non-standard port.
In addition, they say companies should enable lockout policies that limit individual users to a specified number of failed login attempts, to prevent automated password-cracking tools from carrying out the kind of brute-force attacks used by these hackers.
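As an added example (not from the article or from Group-IB), the detection logic below applies the same idea as a lockout policy, a threshold of failed logons within a time window, to Windows failed-logon events (Event ID 4625, logon type 10 = RDP), but counts failures per source IP rather than per account. The log format and sample records are constructed for this example; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <event id> <logon type> <account> <source ip>".
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-06-14T02:10:01 4625 10 administrator 203.0.113.25
2020-06-14T02:10:03 4625 10 administrator 203.0.113.25
2020-06-14T02:10:05 4625 10 admin 203.0.113.25
2020-06-14T02:10:07 4625 10 backup 203.0.113.25
2020-06-14T02:10:09 4625 10 sysadmin 203.0.113.25
2020-06-14T02:10:11 4624 10 backup 203.0.113.25
2020-06-14T09:30:00 4625 10 jsmith 198.51.100.7
2020-06-14T09:30:45 4625 10 jsmith 198.51.100.7
2020-06-14T09:31:10 4624 10 jsmith 198.51.100.7
"""

def parse_events(log):
    """Parse one event per line into (timestamp, event_id, logon_type, account, src_ip), time-ordered."""
    events = []
    for line in log.splitlines():
        ts, eid, ltype, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return sorted(events)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= `threshold` failed RDP logons inside any `window` (assumed defaults).

    Counting per source IP rather than per account also catches password spraying
    across many usernames, where no single account reaches the lockout threshold.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:            # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append(ts)
    hits = {}
    for ip, fails in failures.items():
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if last - first <= window:   # `threshold` failures fit inside the window
                hits[ip] = {
                    "failures": len(fails),
                    "accounts": sorted({u for _, u in fails}),
                    # a successful logon after the burst suggests a password was guessed
                    "success_after": any(t > first for t in successes[ip]),
                }
                break
    return hits
```

A "success_after" hit is the one to act on first, since it means the guessing worked. Note that moving RDP to a non-standard port only hides it from naive scanners; the lockout policy and this kind of monitoring still apply on whatever port the service listens.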
Of course, it goes without saying that all employees should be educated about the importance of creating strong passwords, as weak or default passwords are obviously much easier to guess, for both humans and computers, than long, strong passwords.
In addition, it appears that during the June attacks the hackers attempted to exploit an older Windows vulnerability (patched by Microsoft in 2017) to gain elevated privileges after gaining access to a system as a standard user. The fact that they tried to exploit a three-year-old vulnerability suggests that they were hoping (and perhaps expecting) to find companies that had not yet applied the update, which underlines the fundamental importance of regular and timely software and operating system updates!
Businesses should have a system of managed updates as a matter of course, and if they allow team members to work from home on their personal computers, they should take steps to educate employees on how and why to keep their systems updated regularly. Home users should always enable automatic updates on all devices.
Finally, it would be wise for companies to take other basic security measures, such as using two-factor authentication wherever possible; using password managers to handle the task of creating and storing strong, unique passwords; and requiring the use of VPNs and malware detection tools for all remote workers. Home users can also benefit from these basic security routines. In addition, business organizations should seek to provide all employees with access to basic security training covering topics such as phishing, business email compromise (BEC) and secure downloads.