[TheRecord] New SnapMC group extorts companies after short 30-minute hacks

Security researchers have discovered a new threat actor that carries out lightning-fast hacks, typically under 30 minutes, steals a company’s files, and then extorts the victim with threats to leak the data online or to media outlets unless a ransom payment is made within a few days.

The group was discovered by Dutch security firm Fox-IT, which named it SnapMC after the speed of its intrusions and its use of a tool called mc.exe (the MinIO client) for data exfiltration.

Fox-IT researchers said the group typically breaches company networks through vulnerabilities in internet-facing web applications, with several intrusions linked to the exploitation of CVE-2019-18935, a .NET deserialization flaw in Telerik UI for ASP.NET AJAX that allows remote code execution on the web server.

Once inside, the group moves fast to collect data from local systems and typically doesn’t spend more than 30 minutes on a hacked network.

Following a successful exfiltration, SnapMC operators send emails to the hacked company with a list of the stolen files as evidence.

Companies are usually given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment.

To coerce companies into starting negotiations, SnapMC publishes small portions of the stolen data, threatens to leak the remaining files online, threatens to tell media outlets about the hack, or threatens to notify the victim’s customers about the breach.

Fox-IT said that during the time it tracked the group, it never observed SnapMC deploying ransomware, despite the group having access to victims’ internal networks; the group focused solely on data exfiltration and the subsequent extortion.

Furthermore, Fox-IT said it has not been able to link SnapMC to any of the current “leak markets,” the web portals used to publish data from ongoing or failed extortion attempts.

Currently active leak and data auction sites include the likes of:

- Arvin Club
- Bonaci Group
- Dark Leak Market
- File Leaks
- Karakurt
- LockData
- Marketo
- XING


Earlier today, Fox-IT released a technical report containing the tools and techniques commonly used by SnapMC in their intrusions — in the hopes that companies deploy proper defenses.

One of the simplest defenses recommended in the Fox-IT report is to deploy a web application firewall (WAF) in front of Telerik-based applications: in the cases Fox-IT examined, a WAF blocked SnapMC’s initial compromise attempts. A WAF is a compensating control, though; patching Telerik UI for ASP.NET AJAX to a version that fixes CVE-2019-18935 remains the actual remediation.
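CVE-2019-18935 is reached through the RadAsyncUpload handler of Telerik UI for ASP.NET AJAX, which is served from Telerik.Web.UI.WebResource.axd with the query type=rau. One quick hunt over web server logs for the initial-access step described above is to flag POSTs to that handler and group them by source. The script below is an added example for readers, not code from the Fox-IT report or from The Record; it assumes IIS W3C-format logs with the fields shown in its constructed sample lines, and the thresholds it uses are assumptions to tune per site.

```python
"""Hunt IIS W3C logs for POSTs to the Telerik RadAsyncUpload handler.

CVE-2019-18935 is triggered through the RadAsyncUpload handler of Telerik UI
for ASP.NET AJAX, reached at Telerik.Web.UI.WebResource.axd?type=rau.
Legitimate uploads use the same endpoint, so hits are leads for triage,
not verdicts. Example code, not part of the original article.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample of IIS W3C log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-10-06 09:12:01 10.0.0.5 GET /Default.aspx - 198.51.100.7 200
2021-10-06 09:12:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2021-10-06 09:12:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2021-10-06 09:12:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2021-10-06 09:13:10 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2021-10-06 09:14:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
"""

# Handler path compared case-insensitively; IIS paths are not case-sensitive.
HANDLER = "/telerik.web.ui.webresource.axd"


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def is_rau_post(rec):
    """True for a POST to the RadAsyncUpload handler (type=rau)."""
    if rec.get("cs-method") != "POST":
        return False
    if rec.get("cs-uri-stem", "").lower() != HANDLER:
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' for an empty query string
        return False
    return "rau" in parse_qs(query.lower()).get("type", [])


def rau_posts_by_source(text):
    """Map client IP -> (post count, set of HTTP status codes) for handler POSTs."""
    hits = defaultdict(lambda: [0, set()])
    for rec in parse_w3c(text):
        if is_rau_post(rec):
            entry = hits[rec["c-ip"]]
            entry[0] += 1
            entry[1].add(rec["sc-status"])
    return {ip: (n, statuses) for ip, (n, statuses) in hits.items()}


def suspicious_sources(text, min_posts=2):
    """Sources with repeated handler POSTs, or any 5xx from the handler.

    A burst of POSTs from one client, or server errors while it probes the
    handler, is the pattern worth a closer look; min_posts is an assumed
    threshold to tune against the site's normal upload traffic.
    """
    flagged = []
    for ip, (n, statuses) in rau_posts_by_source(text).items():
        if n >= min_posts or any(s.startswith("5") for s in statuses):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = rau_posts_by_source(SAMPLE_LOG)
    for ip in suspicious_sources(SAMPLE_LOG):
        print(ip, summary[ip])
```

Legitimate uploads also POST to this handler, so confirm a hit by checking whether w3wp.exe on that server spawned unexpected child processes around the same time. Given SnapMC’s sub-30-minute dwell time, a hunt run against archived logs will usually find the intrusion after the data is already gone; the logic is only useful as a preventive control if the logs are shipped to a SIEM and alerted on in near real time.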

The post New SnapMC group extorts companies after short 30-minute hacks appeared first on The Record by Recorded Future.
