Hive ransomware makes a profit, phishing for the holidays, and Amazon RDS leaks personal data.
Latest Threat Intel News:
Hive Ransomware Attackers Extorted $100 Million from 1,300 Victims
If you’ve ever wondered why ransomware seems so persistent, several U.S. government agencies have clued everyone in as to why: it’s profitable. In just the last eighteen months, Hive ransomware has victimized at least 1,300 organizations worldwide and collected approximately $100 million in ransom payments. Unfortunately, Hive is just one of many ransomware groups, and all indications point to the fact that they aren’t even the most prolific. Recent reports by Trellix and Recorded Future indicate that Lockbit remains the most prominent ransomware gang with Hive falling toward the middle of the pack.
The government report also details how Hive has carried out attacks, which is instructive for knowing how to defend against them. Attackers working for Hive have gained access to networks through Remote Desktop Protocol (RDP), by compromising virtual private networks (VPNs), by exploiting vulnerabilities on devices that are publicly accessible over the internet, and by distributing phishing emails with malicious attachments.
Why This Matters
If it wasn’t already clear, ransomware isn’t going away. There’s clearly too much potential profit in it. If a ransomware group such as Hive can pull in $100 million over eighteen months (the total is likely higher due to underreporting), there’s strong incentive to keep going. Organizations should prepare for the ever-growing likelihood that they will be in a ransomware gang’s sights at some point. Focusing on the basics in cyber hygiene can go a long way toward frustrating attackers.
Researchers with Akamai have identified a new phish kit that has been targeting North American shoppers looking for holiday deals. Many of the phishing emails (often dubbed ‘lures’) offer a chance to win a coveted item from a reputable brand. If you’ve ever completed a Phishing 101 training, you’ll recognize that “nothing is free” is a core tenet for avoiding these scams.
In these emails, attackers conceal malicious URLs with link-shortening tools like Bit.ly. The user is then led to the final phishing site only after a long series of redirections. Concealing the actual link address can make it harder to detect a link as malicious. Attackers also borrow the good reputation of legitimate cloud hosting providers by hosting phishing pages on services like Google, AWS, and Azure, which also helps them bypass certain protection mechanisms. Finally, the phishing campaign gives each visitor a unique URL, which prevents unwanted visitors (such as security scanners) from successfully rendering the phishing pages.
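The redirect chain described above is easiest to reason about when you can see every hop before anything is rendered. The following is an added example, not code from Akamai's research or from the original post: it unwraps a shortened link by following Location headers one hop at a time, resolves relative redirects, stops on loops or a hop cap, and summarizes whether the chain starts at a shortener and ends on a cloud-hosting domain. The shortener and cloud-suffix lists are assumed partial lists, the sample chain and its domains are constructed, and the live `urllib` fetch is optional.

```python
"""Unwrap a link-shortener redirect chain without rendering the final page.

Added example (not from the original post or Akamai). The chain walker takes an
injectable `fetch` callable that returns the next hop's Location header, or None
when the URL is the final destination, so it runs offline on the constructed
chain below and can be pointed at a live fetcher from an analysis host.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Assumed, deliberately partial lists; extend them from your own intel.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
CLOUD_HOST_SUFFIXES = ("amazonaws.com", "storage.googleapis.com", "blob.core.windows.net")

Fetch = Callable[[str], Optional[str]]  # URL -> Location of next hop, or None if final


def follow_chain(url: str, fetch: Fetch, max_hops: int = 10) -> Tuple[List[str], str]:
    """Return every URL visited and a status: 'resolved', 'loop' or 'hop_limit'."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        location = fetch(current)
        if location is None:
            return chain, "resolved"
        nxt = urljoin(current, location)  # Location headers may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "hop_limit"


def _host_matches(host: str, suffixes: Tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def describe_chain(chain: List[str]) -> Dict[str, object]:
    """Summarize the traits the text calls out: shortener entry, hop count, cloud-hosted landing."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return {
        "hops": len(chain) - 1,
        "uses_shortener": hosts[0] in SHORTENER_HOSTS,
        "distinct_hosts": len(set(hosts)),
        "final_host": hosts[-1],
        "cloud_hosted": _host_matches(hosts[-1], CLOUD_HOST_SUFFIXES),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """HEAD one URL and return its Location header, or None if it is not a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
        return None
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        return None


# Constructed sample chain; the .example domains and bucket name are placeholders.
CONSTRUCTED_CHAIN: Dict[str, Optional[str]] = {
    "https://bit.ly/3xmpl": "https://track.redirector.example/r?id=7",
    "https://track.redirector.example/r?id=7": "/go/holiday",  # relative Location
    "https://track.redirector.example/go/holiday": "https://promo-giveaway.s3.amazonaws.com/index.html?v=abc",
    "https://promo-giveaway.s3.amazonaws.com/index.html?v=abc": None,
}


def constructed_fetch(url: str) -> Optional[str]:
    return CONSTRUCTED_CHAIN.get(url)


def demo() -> Tuple[List[str], str, Dict[str, object]]:
    chain, status = follow_chain("https://bit.ly/3xmpl", constructed_fetch)
    return chain, status, describe_chain(chain)


if __name__ == "__main__":
    chain, status, summary = demo()
    print(" -> ".join(chain))
    print(status, summary)
```

Because the campaign hands each visitor a unique URL, a chain captured from one message will not necessarily replay for another; record the full hop list alongside the message it came from, and treat a shortener entry point combined with a cloud-storage landing host as a signal worth weighting in mail filtering rather than as proof on its own.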
Why This Matters
We’re predicting an increase in phishing attempts around the holiday season. Organizations and individuals should stay vigilant. Using email security solutions, administering high-quality phishing training, and employing phish-resistant MFA can help against many types of phishing scams.
Hundreds of Amazon Cloud Instances Discovered Leaking Personal Data
Cybersecurity researchers discovered that hundreds of databases hosted on the Amazon Relational Database Service (RDS) have been exposing data, unbeknownst to their administrators. Amazon RDS is a popular platform-as-a-service (PaaS) providing database services to organizations. The flaw resulting in the data exposure stems from the way that snapshots (backups) are handled on the service. Snapshot permissions work differently from the permissions on the rest of an RDS instance, and they make it easy to share a snapshot far more widely than the instance itself. According to researchers, RDS snapshots can be made public, at which point they can be viewed by anyone with an Amazon Web Services (AWS) account. Once public, the data can be viewed or copied by others, resulting in longer-term exposure.
Why This Matters
Let’s face it, cloud services can be daunting. Entire career paths exist to architect and administer cloud infrastructure. Organizations utilizing cloud resources should ensure they are intimately familiar with the services they rely upon, including how to configure those services securely and how to audit them. Simple mistakes or misunderstandings can result in data falling into the wrong hands. To prevent snapshot exposure on RDS, organizations should avoid making snapshots public and consider encrypting those snapshots (which prevents them from being publicly shared). This article offers further insights on how to audit your RDS snapshots.
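Auditing for the exposure described in the two preceding sections comes down to reading each manual snapshot's sharing attribute. The following is an added example, not code from the original post or from AWS: it assumes the documented shape of the `DescribeDBSnapshots` and `DescribeDBSnapshotAttributes` responses (a `restore` attribute whose values are either account ids or the literal `all` for public), keeps the classification pure so it runs offline on constructed data, and isolates the live boto3 calls and the remediation call in their own functions. Snapshot identifiers and the account id in the sample are placeholders.

```python
"""Audit manual RDS snapshots for public or cross-account sharing.

Added example; not code from the original post or from AWS. A snapshot is
public when its "restore" attribute contains the value "all"; any other value
is an AWS account id the snapshot has been shared with. Only manual snapshots
can be shared, so the live variant queries those. The classification runs
offline on the constructed sample below; audit_account() needs boto3 and
credentials.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class SnapshotFinding:
    identifier: str
    public: bool
    shared_with: List[str] = field(default_factory=list)
    encrypted: bool = False


def classify_snapshot(snapshot: Dict[str, Any], attributes: Dict[str, Any]) -> SnapshotFinding:
    """Combine one DBSnapshots record with its DBSnapshotAttributesResult."""
    public = False
    shared: List[str] = []
    for attr in attributes.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        for value in attr.get("AttributeValues", []):
            if value == "all":
                public = True
            else:
                shared.append(value)
    return SnapshotFinding(
        identifier=snapshot["DBSnapshotIdentifier"],
        public=public,
        shared_with=shared,
        encrypted=bool(snapshot.get("Encrypted", False)),
    )


def audit(snapshots: List[Dict[str, Any]],
          attributes_by_id: Dict[str, Dict[str, Any]]) -> List[SnapshotFinding]:
    """Return only the snapshots reachable from outside this account."""
    findings = []
    for snap in snapshots:
        attrs = attributes_by_id.get(snap["DBSnapshotIdentifier"], {})
        result = classify_snapshot(snap, attrs)
        if result.public or result.shared_with:
            findings.append(result)
    return findings


def audit_account(region: str = "us-east-1") -> List[SnapshotFinding]:
    """Live variant: list manual snapshots and fetch each one's attributes via boto3."""
    import boto3  # imported here so the offline demo has no boto3 dependency
    rds = boto3.client("rds", region_name=region)
    snapshots: List[Dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        snapshots.extend(page["DBSnapshots"])
    attributes: Dict[str, Dict[str, Any]] = {}
    for snap in snapshots:
        ident = snap["DBSnapshotIdentifier"]
        resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)
        attributes[ident] = resp["DBSnapshotAttributesResult"]
    return audit(snapshots, attributes)


def make_private(rds_client, identifier: str) -> None:
    """Remediation: remove the public 'all' grant from a snapshot's restore attribute."""
    rds_client.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=identifier, AttributeName="restore", ValuesToRemove=["all"]
    )


# Constructed sample data; identifiers and the account id are placeholders.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "customers-prod-2022-11-20", "Encrypted": False},
    {"DBSnapshotIdentifier": "analytics-shared", "Encrypted": False},
    {"DBSnapshotIdentifier": "payroll-encrypted", "Encrypted": True},
]
SAMPLE_ATTRIBUTES = {
    "customers-prod-2022-11-20": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "analytics-shared": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    "payroll-encrypted": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": []}]},
}


def demo() -> List[SnapshotFinding]:
    return audit(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES)


if __name__ == "__main__":
    for f in demo():
        scope = "PUBLIC" if f.public else "shared with " + ", ".join(f.shared_with)
        print(f"{f.identifier}: {scope} (encrypted={f.encrypted})")
```

Run it on a schedule per region and alert on any finding; the encrypted snapshot in the sample produces none because AWS does not allow an encrypted snapshot to be made public, which is the property the post's encryption advice relies on. Cross-account shares are reported separately so that intentional ones can be allow-listed rather than silently ignored.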
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.