Dealer Threat Advisory 15-21: Increase in Activity from Sophisticated Threat Actors

THREAT UPDATE

A large increase of activity has been seen from malicious threat actors. Many different vectors have been combined to facilitate targeted and widespread attacks. Considering the technical difficulty of these methods, these attackers are highly sophisticated and organizations should be especially vigilant about the attack surface of their company. rocketwise recommends having proper patching and password policies, as well as keeping users trained to be wary of malicious emails.

TECHNICAL DETAIL & ADDITIONAL INFORMATION

WHAT IS THE THREAT?

Sophisticated attack methods have seen a large increase of spear-phishing, ransomware, and exploitation of public facing applications. Groups have been seen impersonating financial institutions to compromise credentials and deploy RATs (remote access trojans) by email. Other groups have been seen exploiting public applications to gain access to internal networks, then deploying wipers disguised as ransomware. Essentially – they are encrypting and wiping victims’ data while asking for a ransom for data that is not recoverable.

WHY IS IT NOTEWORTHY?

This is especially noteworthy due to the various methods being combined to facilitate these attacks. Groups have purchased various domains to impersonate financial institutions and perform spear-phishing campaigns. Once a user downloads a malicious .exe from an email, threat actors can gain access to the internal network, compromising any confidential data, and performing attacks as they see fit. Other advanced actors have been seen utilizing VPNs, and then tunneling traffic through an organization’s RDP hosts to deploy ransomware.

WHAT IS THE EXPOSURE OR RISK?

Organizations must be extremely cautious when considering their attack surface. Threat actors will steal confidential data, credentials, and even perform wiper attacks disguised as ransomware. Extremely advanced threat actors may try to stay persistent on the internal network to gather as much information as they can, and then perform an attack if they deem it necessary. The SolarWinds attackers were within the SolarWinds systems for at least 9 months before initiating their attacks.

Many dealership software vendors require the use of VPN's in order to access their software. As previously announced this year, several of those VPN providers have found vulnerabilities within their VPN software. This puts your dealership at a much higher risk. 

WHAT ARE THE RECOMMENDATIONS?

Considering the different attacks being deployed, organizations should perform the following:

• Make sure you have an endpoint protection solution in place that can detect and block these attacks. 
• Train users vigilantly to be wary of emails that may ask for credentials, or ask the user to download a file to process information (such as a loan, invoice, ACH form or other type of sensitive data.)
• Block the IP addresses, domains, and hash values located in the following link so that attacks are intercepted by your email protection system, or so that infected systems cannot communicate with these IOCs: https://www.cyjax.com/2021/05/27/financial-spear-phishing-campaigns-pushing-rats/
• Ensure no vulnerable or important services or equipment is open to the public to ensure that attackers cannot exploit them.
• Deploy strong password policies and patching policies to increase the security level of your dealership.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

• https://www.cyjax.com/2021/05/27/financial-spear-phishing-campaigns-pushing-rats/
• https://assets.sentinelone.com/sentinellabs/evol-agrius
• https://threatpost.com/email-campaign-fake-ransomware-rat/166378/

If you have any questions, please contact us.