[TheRecord] New SnapMC group extorts companies after short 30-minute hacks

Security researchers have discovered a new threat actor that carries out lightning-fast hacks, typically under 30 minutes, steals a company’s files, and then extorts the victim with threats to leak the data online or to media outlets unless a ransom payment is made within a few days.

Discovered by Dutch security firm Fox-IT, the company named the group SnapMC because of its short-lived intrusions and the use of a tool called mc.exe for data exfiltration.

Fox-IT researchers said the group typically breaches company networks via vulnerabilities in web-facing software, with several intrusions linked to the exploitation of CVE-2019-18935, a vulnerability in a UI component for the Telerik ASP.NET framework.

Once inside, the group moves fast to collect data from local systems and typically doesn’t spend more than 30 minutes on a hacked network.

Following a successful exfiltration, SnapMC operators send emails to the hacked company with a list of the stolen files as evidence.

Companies are usually given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment.

To coerce companies to begin negotiations, SnapMC publishes small portions of the data, threatens to leak the files online, threatens to tell media outlets about the hack, or notify a victim’s customers about the breach.

Fox-IT said that during the time they tracked the group, they had not observed it deploying ransomware, despite having access to a victim’s internal network, with the group focusing solely on data exfiltration and the subsequent extortion.

Furthermore, Fox-IT said they also haven’t been able to link the SnapMC group to any of the current “leak markets,” which are web portals used to leak data from ongoing or failed extortion attempts.

Currently active leak and data auction sites include the likes of:

Arvin ClubBonaci GroupDark Leak MarketFile LeaksKarakurtLockDataMarketoXING

Image: The Record

Earlier today, Fox-IT released a technical report containing the tools and techniques commonly used by SnapMC in their intrusions — in the hopes that companies deploy proper defenses.

One of the simplest solutions to block attacks, recommended in the Fox-IT report, was to deploy a web firewall in front of Telerik-based applications since this has been proven to block SnapMC’s initial compromise attempts.

The post New SnapMC group extorts companies after short 30-minute hacks appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] MyRepublic customers compromised in third-party data breach

All posts, ZDNet

Singapore internet services provider says the security breach had occurred on a third-party data storage platform, affecting 79,388 local mobile subscribers whose identity verification documents have been compromised. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ESET] Microsoft takes down large‑scale BEC operation

All posts, ESET feed

The fraudsters ran their campaigns from the cloud and used phishing and email forwarding rules to steal their targets’ financial information. The post Microsoft takes down large‑scale BEC operation appeared first on WeLiveSecurity Source: Read More (WeLiveSecurity)

Read More

[TheRecord] Microsoft fixes OMIGOD bugs in secret Azure app

As part of its monthly Patch Tuesday security updates, Microsoft has patched a collection of four vulnerabilities in OMI, a mostly unknown application that the company has been silently installing on most Linux-based Azure virtual machines and related systems. Called Open Management Infrastructure (OMI), the app is the Linux equivalent of Microsoft’s Windows Management Infrastructure […]

Read More