SnapMC Rapidly Steals Data, Demands Payment Without Ransomware
SnapMC can breach systems and issue threats within the time it takes to install a software update.
Channel Futures: Are these attacks more dangerous than ransomware? Is the likelihood for success increased with SnapMC?
Srinivas Mukkamala: It’s difficult to say whether SnapMC’s attacks are more dangerous than ransomware, as it depends on the type of data and what the threat actor does with the data. It’s also difficult to generalize the danger. SnapMC’s recent attacks are more along the lines of extortion, as they are not yet denying access to the data. This can have a socioeconomic impact if the threat actors either sell the data or use the stolen data for a competitive advantage.
Additionally, most of these fast-hitting ransomware groups don’t focus on deleting backups. It doesn’t prevent you from paying when the data is exfiltrated, but it will help you recover your business and get back to operations.
CF: How are SnapMC attacks able to move so much faster than other attacks?
SM: These attacks primarily gain entry through vulnerabilities. The speed is due to more and more automation. We’re seeing threat actors start working on scripts to help automate the path from initial compromise to privilege escalation, to internal reconnaissance to lateral movement. This automation helps compress the time required to deploy ransomware.
CF: What should organizations do if they’re hit with a SnapMC attack? Should they react differently than in a ransomware attack?
SM: Organizations should focus on adopting risk-based patching and ensure proper cyber hygiene. It’s important to be resilient and have response and recovery strategies in place for cyber incidents. With SnapMC attacks, it becomes more difficult. Organizations need to know the value of data and the implications of unauthorized data use, as there can be regulatory and privacy concerns.
CF: What can organizations do to protect themselves from SnapMC? Can MSSPs and other cybersecurity providers help?
SM: Organizations need to ensure they’re patching and taking a layered approach to security. Unpatched vulnerabilities are one of the most common methods of entry and putting off patches is a huge security risk. Patching helps organizations reduce their attack surface risk.
MSSPs and other cybersecurity providers should have a proactive strategy in place. They should also have response and recovery capabilities to assess for vulnerabilities exploited by threat actors and guide patches on vulnerable systems and applications.
Raghu Nandakumara: The name of the game is speed, so organizations should preempt attacks with technologies that are focused on resiliency. This means adopting the principles of least privilege through zero trust solutions, so that mitigations are in place before a fast-moving threat actor breaches your environment.
Additionally, organizations with strong visibility into their networks can better understand how their applications communicate, and gain additional insight into which ports need to be secured immediately in the event of a breach. This visibility pays off in the event of any attack, be it ransomware or data breach extortion.
Lastly, SnapMC scans internet-facing hosts on a victim’s network, looking for unpatched vulnerabilities to exploit. This is why understanding exposure is so important when putting together a patching strategy. It’s not just about patching high-value assets (HVAs) first, or fixing the most critical vulnerabilities. It’s about understanding what your organization’s most exposed assets are and starting there, which will result in the greatest risk reduction.
Medical technology giant Olympus has confirmed it was hit by a cyberattack last weekend that forced it to shut down its IT systems in the United States, Canada and Latin America. This incident follows a ransomware attack that hit Olympus’ EMEA IT systems in early September.
When Olympus was contacted, it sent us the following statement:
“We are currently investigating the extent of the incident and will provide updates as new information becomes available. Olympus is committed to taking all appropriate actions to ensure the security of our customers and business partners’ data. Olympus acted quickly and prudently as a responsible company, and has engaged various forensic experts to ensure that the impact of the incident is as minimal as possible. We are committed to making the appropriate or legally required notifications when there is sufficient information to do so. There is currently no evidence that the two events are related, but our investigation is ongoing.”
Erich Kron is security awareness advocate at KnowBe4.
“First reports state this attack was carried out by the BlackMatter ransomware gang, a fairly new group that is claiming to combine the best features of several other ransomware strains, including REvil and DarkSide, and that is said to be targeting only large enterprises,” he said. “They appear to operate as a profit-sharing ransomware-as-a-service (RaaS) provider, which utilizes affiliates to carry out the attacks while the main developers maintain the required infrastructure to support the ransomware and work to evolve their product.”
While it has not been reported yet, BlackMatter typically exfiltrates data prior to encryption and uses the threat of releasing the data to improve the chance they will see a payout from the victim, Kron said.
Saryu Nayyar is CEO of Gurucul.
“Organizations are kept up at night by the prospect of being hit by ransomware, and now Olympus, an international tech company, is the latest victim,” she said. “In the case of Olympus, it was the BlackMatter ransomware, which is essentially the same as the attack on the Colonial Pipeline back in April. Unless BlackMatter relents, it has the potential to cost Olympus millions of dollars to get its network unencrypted.”
Until enterprises can completely protect their systems from attack, the only early warning available is to monitor network activity in detail to detect anomalous activity, and rapidly track it down to close any security holes, Nayyar said. IT teams and security professionals have to be constantly vigilant, but they also need the right tools for early detection and remediation.
The governor of Missouri has vowed to prosecute a journalist for reporting a security flaw in a state agency website that exposed more than 100,000 teachers’ Social Security numbers.
Missouri Gov. Mike Parson is vowing to prosecute the staff of the St. Louis Post-Dispatch after the newspaper says it uncovered security vulnerabilities on a state agency website, according to NPR.
The governor is characterizing the incident as a hacking and said the state will investigate it at what could be a $50 million cost to taxpayers.
The Post-Dispatch said in its story that an unnamed reporter discovered flaws on the state’s Department of Elementary and Secondary Education (DESE) website that made the Social Security numbers of teachers and other school staff “vulnerable to public exposure.” It notified the agency before publication.
Tim Wade is technical director of Vectra’s CTO team.
“This situation underscores how much ground we need to cover to protect security researchers that operate in the public good, and redirect outrage away from the discovery of vulnerabilities and data loss towards the root causes of why these security failures continue to occur to the detriment of individual safety,” he said. “Courts recognize limits to protections from unlawful search when activities occur clearly in a public context – it’s hard to imagine that the low-technical sophistication of the behaviors described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context.”
Jake Williams is co-founder and CTO of BreachQuest. He said threatening a reporter with legal action is almost always a bad idea and usually creates an unintended Streisand Effect, which is the act of trying to suppress information but simply making it more widespread as a result. But more generally, organizations should be careful not to shoot the messenger when security vulnerabilities are disclosed.
“This is certainly not hacking in any sense of the word,” he said. “It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the Social Security numbers. While Governor Parson said the reporter ‘decoded the HTML source code,’ in reality they simply used the feature built into every web browser since the dawn of the internet. Because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request. It seems likely that these hidden form fields included the Social Security number of the teacher.”
The question of whether this was a crime might be more black and white if the reporter had enumerated all records before reporting the issue, Wade said. That Parson said only three records were taken seems to contradict any malicious intent.
“Instead of focusing on this so-called hacking, Gov. Parson should be worried about the security of the state’s applications, particularly those that are available for public use,” he said.
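As an added illustration (not part of the article or of any quoted expert’s material), here is a constructed example of the pattern Williams describes: a server-rendered search result that carries per-record state in hidden form fields, beside a hardened version that keeps the record server-side and exposes only an opaque token, plus a check a defender can run over rendered HTML to flag hidden inputs holding SSN-shaped values. The record, the in-memory session store and the field names are assumptions for the demo.

```python
import html
import re
import secrets

# Constructed sample record; the SSN is fake and for illustration only.
RECORD = {"name": "A. Teacher", "cert_id": "CERT-0001", "ssn": "123-45-6789"}

def render_vulnerable(record):
    """Leaks: every field, SSN included, is echoed into hidden inputs so the
    browser can post it back on the next request (a stateless-HTTP shortcut).
    Anyone who views the page source sees the values."""
    hidden = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
        for k, v in record.items()
    )
    return f"<form method='post'><p>{html.escape(record['name'])}</p>{hidden}</form>"

SERVER_STATE = {}  # stand-in for a server-side session store (assumption)

def render_hardened(record):
    """Keeps the record server-side under a random opaque token; only the
    display field and the token reach the browser, so view-source reveals
    nothing sensitive."""
    token = secrets.token_urlsafe(16)
    SERVER_STATE[token] = record
    return (
        f"<form method='post'><p>{html.escape(record['name'])}</p>"
        f'<input type="hidden" name="state" value="{token}"></form>'
    )

HIDDEN_RE = re.compile(r'<input[^>]*type="hidden"[^>]*value="([^"]*)"', re.I)
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def find_hidden_ssns(page_html):
    """Defender's check: return the values of hidden inputs that look like
    U.S. Social Security numbers, so a template review or CI test can fail
    before such a page ever reaches the public."""
    return [v for v in HIDDEN_RE.findall(page_html) if SSN_RE.match(v)]
```

Running the check over every rendered template in a test suite catches this class of exposure before publication, whatever the surrounding application framework.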
SnapMC, a new cyber threat group, has emerged that skips ransomware and goes from breach to ransom in 30 minutes.
In less time than it takes to grab lunch, SnapMC can breach an organization’s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new report from NCC Group’s threat intelligence team. No ransomware is required.
NCC Group hasn’t yet been able to link SnapMC to any known threat actors. The name SnapMC is derived from the actor’s rapid attacks and the exfiltration tool it uses, mc.exe.
The extortion emails from SnapMC give victims 24 hours to get in contact and 72 hours to negotiate, according to NCC Group. Furthermore, this actor starts increasing the pressure well before the countdown hits zero.
SnapMC includes a list of the stolen data as evidence of what it has had access to in the victim’s infrastructure. If the organization doesn’t respond or negotiate within the given time frame, the actor threatens to publish the data. Or worse, it immediately publishes the stolen data and informs the victim’s customers and various media outlets.
Different Focus and Tactics
Ivanti’s Srinivas Mukkamala
To learn more about SnapMC, we spoke with Srinivas Mukkamala, Ivanti’s senior vice president of security products, and Raghu Nandakumara, field CTO at Illumio.
Channel Futures: How is SnapMC different from typical ransomware attacks?
Srinivas Mukkamala: The primary difference between SnapMC and typical ransomware attacks is the tactics they are adopting and their focus on the vulnerabilities they travel that provide remote access with elevated privileges for them to access data and exfiltrate.
Illumio’s Raghu Nandakumara
Raghu Nandakumara: SnapMC is squarely a theft-only attack, where attackers steal something valuable and require payment to return it. And they differentiate themselves from advanced persistent threats (APTs) because they strike with speed, rather than a low-and-slow approach. Unlike typical ransomware threat groups, SnapMC skips the ransom and goes straight to extortion, meaning that threat actors can breach systems and issue threats during the time it takes for most people to install a software update, or go on a walk.