Today is Thursday January 9th, 2020 and here are today’s most pressing cyber stories in under 5 minutes.
SNAKE Ransomware Is the Next Threat
A new ransomware called SNAKE is targeting enterprise networks and aiming to encrypt every device connected to them. Enterprise-targeting, or big-game hunting, ransomware is used by threat actors who infiltrate a business network, gather administrator credentials, and then use post-exploitation tools to encrypt the files on all of the computers on the network. The list of enterprise-targeting ransomware is slowly growing and includes Ryuk, BitPaymer, DoppelPaymer, Sodinokibi, Maze, MegaCortex, LockerGoga, and now Snake. Snake was discovered by MalwareHunterTeam last week, who shared it with Vitali Kremez to reverse engineer and learn more about the infection.
When started, Snake removes the computer's Shadow Volume Copies and then kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more. It then proceeds to encrypt the files on the device, skipping any located in Windows system folders and various system files. When encrypting a file, it appends a random 5-character string to the file's extension.
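Of the behaviours described above, removing the Shadow Volume Copies is the one that shows up most cleanly in process-creation telemetry, because it has to be done through a handful of well-known Windows commands. The following is an added example, not code from the page, from MalwareHunterTeam, or from Vitali Kremez's analysis: a small Python detector run over constructed, Sysmon-style command lines. The log format, host names, parent paths and the specific commands it matches (vssadmin, wmic, the Win32_ShadowCopy WMI class) are assumptions, since the page does not say which technique Snake uses to remove the copies.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical; not from the page
# or from any real incident). Format: "<timestamp>|<host>|<parent image>|<command line>"
SAMPLE_LOG = [
    r'2020-01-08T04:31:02Z|WS-0113|C:\Windows\explorer.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" report.docx',
    r'2020-01-08T04:32:10Z|WS-0113|C:\Users\jdoe\AppData\Local\Temp\update.exe|vssadmin.exe delete shadows /all /quiet',
    r'2020-01-08T04:32:11Z|WS-0113|C:\Users\jdoe\AppData\Local\Temp\update.exe|wmic.exe shadowcopy delete',
    r'2020-01-08T04:35:44Z|SRV-HMI-02|C:\Windows\System32\cmd.exe|powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r'2020-01-08T09:00:00Z|SRV-BK-01|C:\Windows\System32\svchost.exe|vssadmin.exe list shadows',
    r'2020-01-08T09:15:00Z|SRV-BK-01|C:\Windows\System32\svchost.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB',
]

# Command-line patterns for the common ways shadow copies get removed or evicted.
# These are generic detections assumed for the example, not indicators taken
# from the page's description of Snake.
SHADOW_COPY_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wmi_shadowcopy_delete_method": re.compile(r"Win32_ShadowCopy\b.*?\.Delete\(\)", re.I),
    # Shrinking shadow storage forces older copies to be discarded; it is also
    # a legitimate admin command, so it is the noisiest rule of the four.
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I),
}

# A parent image running from a user-writable location is a crude but useful
# severity signal: backup agents and admin scripts normally do not live there.
USER_WRITABLE_PATH = re.compile(r"\\(?:Users|Temp|AppData|ProgramData|Public)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    # maxsplit=3 keeps any '|' inside the command line (e.g. a PowerShell pipe) intact
    timestamp, host, parent, cmdline = line.split("|", 3)
    return {"timestamp": timestamp, "host": host, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline: str) -> List[str]:
    return [name for name, rx in SHADOW_COPY_RULES.items() if rx.search(cmdline)]


def severity(parent_image: str) -> str:
    return "high" if USER_WRITABLE_PATH.search(parent_image) else "medium"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event["cmdline"]):
            hits.append({**event, "rule": rule, "severity": severity(event["parent"])})
    return hits


def hosts_with_shadow_copy_deletion(lines: List[str]) -> List[str]:
    """Hosts on which at least one rule fired, in first-seen order."""
    seen: List[str] = []
    for hit in scan_log(lines):
        if hit["host"] not in seen:
            seen.append(hit["host"])
    return seen


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["host"]:<10} {hit["severity"]:<6} {hit["rule"]:<30} {hit["cmdline"]}')
    print("hosts:", hosts_with_shadow_copy_deletion(SAMPLE_LOG))
```

On the constructed input, the `vssadmin list shadows` line is correctly ignored and the `resize shadowstorage` line from a backup server fires at medium severity; that rule needs tuning against known backup jobs in a real environment. Pairing these hits with the page's other described behaviour, unexpected termination of SCADA, virtual-machine or backup processes on the same host within the same few minutes, raises confidence well above what any single command line gives.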
City of Las Vegas said it successfully avoided devastating cyber-attack
Officials from the city of Las Vegas said they narrowly avoided a major security incident on Tuesday, January 7. According to a statement published by the city on Wednesday, the compromise took place at 4:30 am on Tuesday. The city said IT staff immediately detected the intrusion and took steps to protect impacted systems. The city responded by taking several services offline, including its public website, which was still down at the time of writing. City officials have not disclosed any details about the nature of the incident, but local press reported that it might have involved an email delivery vector. In a subsequent statement published on Twitter on Wednesday, the city confirmed it "resumed full operations with all data systems functioning as normal."
"Thanks to our software security systems and fast action by our IT staff, we were fortunate to avoid what had the potential to be a devastating situation," it said.
"We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications," the city also added.
Since this is believed to be an email-based compromise, the type of attack the city avoided could be anything from something as complex and dangerous as a ransomware infection triggered after an employee opened a booby-trapped email, to something as mundane as a phishing attempt that tried to capture an employee's credentials.
New Iranian data wiper malware hits
Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain's national oil company, ZDNet has learned from multiple sources.
The incident took place on December 29. The attack did not have the long-lasting effect the hackers might have wanted, as only a portion of Bapco's computer fleet was impacted, and the company continued to operate after the malware's detonation. ZDNet has learned from several sources that the Bapco incident is the cyber-attack described in a security alert published last week by Saudi Arabia's National Cybersecurity Authority. Saudi officials sent the alert to local companies active in the energy market, in an attempt to warn of impending attacks and urge companies to secure their networks. The Bapco security incident came to light amid rising political tensions between the US and Iran after the US military killed a top Iranian military general in a drone strike last week. Although the Bapco incident doesn't appear to be connected to the current US-Iranian political tensions, it does demonstrate Iran's advanced technical capabilities when it comes to launching destructive cyber-attacks.
Currency Exchange Travelex Held Hostage by Ransomware
A ransomware attack has held London-based foreign currency exchange firm Travelex hostage since at least New Year's Day, the company confirmed Tuesday after more than a week of vague updates. It appears that the Sodinokibi gang is behind the incident.
On Tuesday, the BBC first reported that the Sodinokibi gang, which also goes by the name REvil, claimed to have accessed Travelex's network six months ago and had downloaded and then encrypted about 5GB of sensitive customer data, including dates of birth as well as payment and credit card data.
In addition, cybercriminals are asking for approximately $6 million in ransom to release the data, the BBC reports. The ongoing attack has crippled Travelex's websites in the U.K., the U.S. and Asia. Since New Year's Day, customers have been greeted with vague messages that claim the sites are down due to "planned maintenance."
After nearly a week of vague customer updates, Travelex finally admitted Tuesday that it had been hacked by the ransomware gang. The BBC also reported on Tuesday that the criminal gang will double its demand in two days if it's not paid and has threatened to sell the data within a week if its demands are not met.
"Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated," according to a company update. "Travelex is in discussions with the National Crime Agency and the Metropolitan Police, who are conducting their own criminal investigations, as well as its regulators across the world."
The attack has meant that Travelex has been forced to resort to manual measures for carrying out its business. This has affected banks including Tesco, HSBC, Sainsbury's Bank and Virgin Money, which use Travelex's third-party currency exchange services.
Over the last seven days, Travelex's response to the ransomware attack has been criticized by security professionals due to the company's lack of clear messaging to customers whose data may have been affected.