CyberWire Daily - Getting in and getting out with SnapMC. [Research Saturday]
Episode Date: December 4, 2021

Guest Christo Butcher of NCC Group's Research and Intelligence Fusion Team discusses their research into a cybercriminal group they dubbed SnapMC. Forget ransomware, too expensive and too much hassle. Randomly enter through a known vulnerability, take a look around, lock away data and leave again. And all that within half an hour: hit and run. An email is then sent to the affected organization: pay, or else the stolen data will be published and/or sold. This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. NCC Group has given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data. They have only seen SnapMC's attacks in the Netherlands for the time being. They do not target specific sectors and we have not (yet) been able to associate them with known attackers.

The research can be found here:
- SnapMC: extortion without ransomware
- SnapMC skips ransomware, steals data
Transcript
You're listening to the CyberWire Network, powered by N2K.

of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So it started around the summer of this year, where we started seeing clearly related incident response cases and SOC sightings. And compared to a lot of what we were seeing, these were very rapid in-and-out style attacks, often done within half an hour, less time than it takes to have a pizza delivered.

That's Christo Butcher from the NCC Group Research and Intelligence Fusion Team. The research we're discussing today is titled SnapMC, extortion without ransomware.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with zero trust and AI. Learn more at zscaler.com slash security.
Well, I want to dig into that element of it, but before we do, let's just go over some of the basics here. Can you give us a little overview of who this group that you all are calling SnapMC may be and how they go about doing the things they do?

Sure. Great question. So we have not been able to link this cluster of activity with any other known actors. That's why we came up with a new name, you know, and want to share this with the community to hear about others' experiences and, you know, help the rest protect themselves. The sort of MO, the way of working, as far as we've seen, is different than we usually see, where, and that's also, you know, where the name comes from, that focus on speed instead of focus on impact. The approach we saw here was that the actor was actually choosing to simplify the attacks, you know, get in and get out again with the stolen data much more quickly, thereby, you know, not taking some of the opportunities to explore further or move laterally, etc. That was different from most of the attacks we see, where the attacker tries to do as much damage, get as far into the network as possible.
Well, let's walk through it together here. How does someone find themselves falling victim to SnapMC?

So the incidents we've seen so far were based on known vulnerabilities, so not very advanced initial access techniques, but basically abusing a known vulnerability in software, Telerik UI, or SQL injection, so basically fairly standard stuff. And again, that focus on speed: the attacker would get into one of these systems through one of those vulnerabilities or misconfigurations, look around what he could get at quickly, what kind of data was available, exfiltrate that, and then, you know, leave it at that. So, very little attempt at lateral movement or privilege escalation or even persistence. Very much focused on here's a vulnerable system, getting in, seeing what's easy to get, and then leaving again.
Do you have any sense for what that makes available to them? I mean, using the methods that they use, what sort of data is there for the picking?

You know, a lot of their focus was on web-based systems, web apps, and the databases behind there. So, you know, it depends totally on the victim, of course, what's in there. But often it does include lots of sensitive customer data or personal data of people using the service there. And that does give the attacker access to that kind of sensitive information. Not the strongest lever for extortion, but it is the kind of information which would force the victim to go into the notification process of a data breach.

Now, you mentioned that it didn't seem to be a focus of theirs, privilege escalation, but according to your research here, there were some instances of that.

Some, and each incident was slightly different. So, you know, there were very clear signs that this was a manual looking around. There was actually somebody seeing what there could be had, what kind of data was available. But again, compared to the traditional ransomware-type breaches, which would use more advanced tools, this would remain fairly limited.
Well, let's talk about the actual collection and exfiltration, then. What sort of processes are they using to actually gather up the data and get it out of the system?

So in the different incidents we saw, they'd look for fairly easy data to get access to. So in the SQL injection case, I believe they actually never left sort of the SQL protocol. So they actually, through the SQL injection, just tried to pull all of the data out of the database. There might have been chances there for further penetration, getting persistence on the machine, etc., moving from there. It looked like they didn't even try to do that. They really kept it at what was easy to access. Same with the other vulnerabilities. Once on that first system, they'd have a look around, collect some data, and the most telling sign was their use of MinIO, a cloud object storage, which let them fairly quickly exfiltrate large amounts of data. That was one of the main telltale signs we saw in all the incidents where they actually used the Telerik UI vulnerability and gained access to that first machine.
Yeah, it really does seem like kind of the, I don't know, an online version of kind of a smash-and-grab burglary, you know, where it's just breaking a window and grabbing everything in the display there as quickly as possible.

100%. That is very much how we interpret these attacks, which, on the one hand, makes them fairly simple and straightforward. There's not much use of advanced tooling or techniques here. But at the same time, that speed actually is one of the big challenges here, to be able to respond quickly enough to stop sensitive data from being exfiltrated. That's the big challenge here, where in most traditional ransomware, traditional attacks, there would be more time from the attacker coming in to when they would actually start exfiltrating data or encrypting files or doing actual damage, which gives the defenders a window of opportunity to detect and to respond, stop the attack. Here, you know, under half an hour, that really forces the defenders to act fast.
One of the interesting things that your research points out is that there is no shortage of extortion emails being sent out there. But a lot of times, it's an empty threat. And in this case, the SnapMC group, they are actually going out there and grabbing stuff. But what sort of follow-up do they have to the victims to demonstrate that they've actually grabbed some data?

Right, right. So that extortion process is interesting because, just like in the attack itself, it's aimed at speed, where the emails would ask the victim to get in touch within 24 hours, and then give them three days, 72 hours after that, to respond. And, you know, that's a relatively short time frame compared to some of the other extortion negotiations we've seen. And even within that time frame, we'd see the actor actively increasing the pressure, threatening to release the data early. And during that whole process, the actor would have evidence, file listings, etc., showing that they actually had been present, had been able to get their hands on that data. In some cases, we've also seen the actor on fora, dark web fora. So we do believe that this actor is actually able to go through and intends to go through with either selling the data or publishing it.
Do you have any insights on what the ask is? Dollar amounts? What are they looking for here?

We've seen amounts in the order of $50,000 to a little over $100,000.

That's interesting. I mean, in itself, you know, that's certainly not a small amount of money, but we see ransomware asks, you know, in the multi-millions. So again, it's the speed of the operation, maybe not trying to inflict too much pain, but get their payment and be on with it.

Exactly. It seems to be in that range of not huge amounts, which might be more difficult for their victim to pay. At the same time, we also don't think this actor, like traditional ransomware actors, takes the time to get to know their victims very well. So our impression is that the actor doesn't have as much information. What is the exact financial situation of their victim? So the damage they do is lower. The information they have is slightly less. So we think that's why they aim for these amounts.
Well, let's talk about potential mitigations here. What are your recommendations?

Yes, great question. Because, you know, in the end, I think the main lesson is that from a purely TTP point of view, this actor is not very special. The types of attacks, the tools, the techniques are fairly standard. But the speed actually makes it quite a challenge. So, you know, at NCC Group, when we talk to clients, we find that a holistic approach works well, thinking about the prevention, the detection, the response. And of those three, prevention is probably the most straightforward and normal one. This actor used known vulnerabilities. So basic security hygiene is very important here. Keeping software up to date, good patch management, hardening the attack surface, regular pen testing, etc. They're the basics. This actor is just showing if you don't have that up to scratch, then within no time you might be paying the price.

of itself, because these are known vulnerabilities, they're not that difficult to detect, but the speed required to respond means that you actually have to take good care of that detection pipeline so that the people and processes aren't flooded by, say, a big backlog of false positives slowing down their response time. Here, it's very important to be able to bubble up these incidents as relevant, very urgent, so that on the response side, you're in time to do something about it. And given response, automation, of course, can help, but the people and the processes are really the bedrock. And practicing these kinds of incidents, we feel, is a very important part. You know, it's okay to have the best tools, but if you're not able to, you know, jump right on the incident, fix it really quickly, be able to make the right decisions quickly, that'll slow you down. And half an hour really is not much time. So practicing these processes, looking at what your IT landscape looks like, figuring out what possible attack vectors would be, and then going through the movements to make sure that everybody's lined up to act quickly.

And to be able to do all of that, to be able to do those practice rounds, prepare your prevention, detection, response, of course, it's very important to know these threats, understand the urgency. And in this case, the Telerik UI or the SQL injection was used, but we expect that this actor will basically choose whatever gives him good victims. So next time might be something totally, totally different. Having that good threat intelligence so that you can prepare yourself is very important here.
Yeah, it really strikes me that this is an actor who has been very deliberate in making their living by going after that low-hanging fruit.

Exactly. Low-hanging fruit, I think, is the right expression here. Yes.

Our thanks to Christo Butcher from the NCC Group Research and Intelligence Fusion Team. The research is titled SnapMC, Extortion Without Ransomware. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.