  • Telecommuting employees are now ransomware targets of “Evil Corp.”

    Posted by OscarCP on the AskWoody Lounge


      • #2275573
        OscarCP
        AskWoody Plus

        A Russian group known as “Evil Corp” is targeting telecommuting employees with ransomware:

        https://www.bbc.com/news/world-us-canada-53195749

        Symantec technical director Eric Chien told the New York Times the hackers take advantage of employees now using virtual private networks (VPNs) to access work systems. [Emphasis mine]

        They use VPNs to identify which company a user works for, and then infect the user’s computer when they visit a public or commercial site. When the user next connects to their employer’s system, the hackers can attack.

        Further:

        Symantec Corporation, a firm that monitors corporate and government networks, released a notice warning of the threat it identified on Thursday night.

        The attacks used what Symantec described as a relatively new type of ransomware called WastedLocker, which has been attributed to Evil Corp. Ransomware are computer viruses that threaten to delete files unless the ransom is paid. The WastedLocker ransomware virus demands ransoms of $500,000 to $1m to unlock computer files it seizes.

        Symantec said the “vast majority of targets are major corporations, including many household names”, and eight targets were Fortune 500 companies. All are US-owned but one, which is a US-based subsidiary.

        Most targeted companies were in the manufacturing, information technology and media sectors.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        3 users thanked author for this post.
      • #2275582
        Elly
        AskWoody MVP

        These are finely tuned, extensive, targeted attacks, releasing layers of penetration… but they rely on someone associated with the organization accepting a zip file (for updating browser?) that contains the initial payload, on their at-home computer… then connecting and infecting the corporation.

        Evil Corp ‘sees’ potential folks to target through their VPN connection to the corporate network.

        We have enough problems right now, and don’t need additional stress on businesses, so this was a great catch by Symantec… and a great use of their AI:

        The attacks were proactively detected on a number of customer networks by Symantec’s Targeted Attack Cloud Analytics, which leverages advanced machine learning to spot patterns of activity associated with targeted attacks.

        Just one question- are these targeted victims identifiable because their VPN traffic is somehow visible, or are they using a compromised VPN? Interested, because VPN are supposed to increase privacy, not make one vulnerable as a target.

        Non-techy Win 10 Pro and Linux Mint experimenter

      • #2275586
        OscarCP
        AskWoody Plus

        Elly asked: “Just one question- are these targeted victims identifiable because their VPN traffic is somehow visible, or are they using a compromised VPN? Interested, because VPN are supposed to increase privacy, not make one vulnerable as a target.”

        Good question. I believe, after reading the BBC article, that the black hats first will penetrate the servers of the company whose employees they want to target (among all the bad things they might want to do to that company) and, once they are in, will start listening in to the VPN traffic. Does anyone here have a different understanding of this?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        1 user thanked author for this post.
      • #2275662
        Paul T
        AskWoody MVP

        rely on someone associated with the organization accepting a zip file… on their at-home computer

        Another failure of corporate security procedures. Who lets home computers access the network except via remote control? Since when were people with admin credentials allowed to update servers from “stuff I found on the internet”?

        cheers, Paul

        p.s. I did work for one organisation that allowed admins to run their Windows computer with their admin credentials – “it’s inconvenient to have to open an admin session”. Crazy!

        1 user thanked author for this post.
        • #2275713
          anonymous
          Guest

          Most enterprises have large numbers of staff using at-home laptops to connect to corporate networks via VPN.

          This attack uses a UAC bypass to elevate privilege; no admins updating servers required.

          • #2275927
            Paul T
            AskWoody MVP

            As I said, remote control only.

            cheers, Paul

            • #2276010
              anonymous
              Guest

              Hmm. So what was the “failure of corporate security procedures” at these 30+ major US corporations?

      • #2275970
        Fred
        AskWoody Plus

        I believe, after reading the BBC article, that the black hats first will penetrate the servers of the company whose employees they want to target (among all the bad things they might want to do to that company) and, once they are in, will start listening in to the VPN traffic. Does anyone here have a different understanding of this?

        Oscar, you are correct.
        It depends on how the network architecture is built; and that should always remain a trade secret.
        The BBC article is correct, and if the crooks have a way in, eventually literally everything can end up on the street.
        Often, ZeroDay vulnerabilities are used for this by ALL national governments and (counter) espionage.
        What else can you do to check? Check the data flows to and from the network bit by bit and per program … Who has the effort and money for that?

        so: https://yourmagicalhome.blogspot.com/2018/08/summoning-muses-spell-for-inspiration.html

        Black Lives Matter
        1 user thanked author for this post.