Recently discovered SnapMC cybercriminal group takes advantage of unpatched VPNs and web server apps to break into systems and uses a rapid extortion technique to launch attacks in less than half an hour.
This Extortion Technique Takes Less Than Half An Hour And Needs No Ransomware
According to a new report from NCC Group’s threat intelligence team, a new group called SnapMC needs less than 30 minutes to breach an organization’s systems, steal confidential data, and solicit a ransom to avoid having their sensitive data published online. This extortion technique doesn’t require ransomware whatsoever.
The new cybercriminal group skips locking down a target's data and systems and goes straight to extortion. However, this inexpensive, low-tech, ransomware-free extortion strategy relies on known vulnerabilities for which patches are already available.
“The extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,” the report stated. “These deadlines are rarely abided by, since we have seen the attacker start increasing the pressure well before the countdown hits zero.”
Researchers could not link the newly discovered group to any known threat actors and gave it a name inspired by its speed (‘snap’) and its mc.exe exfiltration weapon of choice.
In order to prove that they are indeed in possession of the data, the hackers give victims a list of the stolen information. If the compromised organization refuses to negotiate within a given timeframe, the group threatens to make the data public and report the breach to the media and customers.
Researchers noted that they had observed SnapMC successfully breaching unpatched, vulnerable VPNs and web server apps, exploiting the CVE-2019-18935 remote code execution bug in Telerik UI for ASP.NET and SQL injection flaws.
VPN Vulnerabilities Leave Companies Exposed
A rise in VPN vulnerabilities has left organizations exposed, according to Hank Schless, a senior manager at cloud security firm Lookout.
“While VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,” Schless explained. “Ensuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.”
In June, the Colonial Pipeline attack made headlines; it all started with an old VPN password. The following month, Cisco Systems released several patches for 8,800 Gigabit VPN routers at high risk of compromise through CVE-2021-1609.
Late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to the Department of Defense, National Security Systems, and the Defense Industrial Base to strengthen their VPNs against threats from multiple advanced persistent threat (APT) actors.
Basic patching would help protect organizations from smash-and-grab extortion techniques such as the one used by SnapMC.
Oliver Tavakoli, CTO at Vectra, said that skipping ransomware in such attacks is a “natural evolution” of the ransomware business model. The NCC team likewise predicts that simple attacks on shorter timelines are very likely to gain traction.
“NCC Group’s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,” the team said. “Therefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.”
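The detection advice above, as an added example that is not from the article or the NCC report: a small Python check over constructed, simplified Sysmon-style process-creation lines that flags execution of the mc.exe exfiltration tool named in the report and, as an assumption, an IIS worker (w3wp.exe) spawning a command shell, since Telerik UI for ASP.NET apps run under IIS. The log field names and the sample hosts are constructed.

```python
import re
from typing import Dict, List

# key=value pairs; quoted values may contain spaces (constructed format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry; not real victim data.
SAMPLE_EVENTS = [
    'ts=2021-10-08T02:11:03Z host=web01 parent=services.exe '
    'image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"',
    'ts=2021-10-08T02:14:47Z host=web01 parent=w3wp.exe '
    'image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami"',
    'ts=2021-10-08T02:19:30Z host=web01 parent=cmd.exe '
    'image=C:\\Windows\\Temp\\mc.exe cmd="mc.exe cp --recursive D:\\shares\\finance remote/bucket"',
    'ts=2021-10-08T09:00:00Z host=ws17 parent=explorer.exe '
    'image="C:\\Program Files\\Git\\bin\\git.exe" cmd="git pull"',
]

EXFIL_TOOLS = {"mc.exe"}                    # exfiltration tool named in the report
WEB_WORKERS = {"w3wp.exe"}                  # assumption: IIS hosts the ASP.NET app
SHELLS = {"cmd.exe", "powershell.exe"}      # shells a web shell would typically spawn


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per event matching either SnapMC-style indicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        reason = None
        if image in EXFIL_TOOLS:
            reason = f"exfiltration tool {image} executed"
        elif parent in WEB_WORKERS and image in SHELLS:
            reason = f"{parent} spawned {image}"
        if reason:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both indicators fire on the same host within minutes here, which is the short window the report describes and the reason an incident response plan has to be ready to execute at once.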