Threat Intel Report Q3 2020

A comprehensive approach
Anticipate threats
Proactively harden your directory infrastructure
Uncover vulnerabilities and weak configurations to maintain strong security boundaries
AD admins, blue teams, and auditors
Detect attacks
Detect attacks in real time with our AD-specific threat intelligence
Make AD an integral part of your security practice with SIEM and SOAR integrations
Enable your threat hunters with AD-native investigation capabilities
SOC analysts and threat hunters
Respond to breaches
Replay attacks and hunt for patient zero
Remediate at machine-speed through our orchestration playbooks
Detect persistence mechanisms and kick them out for good
Incident responders
The features we are proud of
Cutting-edge security technology
Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory
True real-time
Live exposure visualization, immediate attack alerts
Step-by-step recommendations
A follow-the-guide approach for AD admins new to security
Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns
Seamless end-to-end user experience
No agents, no privileges
An instant-on application with hardly a footprint on operations
Dashboard-oriented UX
To simplify decision-making and prioritization
Simple, no-nonsense architecture
Using standard protocols and proven technologies
Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions
Top 5 attack trends
Q3 2020
Ransomware as a service (RaaS)
Attackers getting sloppy and caught
Maze ransomware cartel growing
Ransomware causing actual deaths
Ransomware negotiators
Ransomware as a service (RaaS)
- Subscription-based malicious model enables even the novice cybercriminal to launch ransomware attacks without much difficulty
- Commonly used by cybercriminals who don’t have much technical knowledge of how to create ransomware, this malicious model allows anyone to become an “affiliate” of an established RaaS package or service
- This vicious model is so enticing to some cybercriminals that you can even see the RaaS providers’ advertisements on the dark web
- You can find a number of RaaS operations in different forms and names on the dark web, including Cerber, Satan, Atom, Hostman, and Philadelphia
Attackers getting sloppy and caught
- Kathryn Nguyen, together with an associate, hacked a 56-year-old person’s cryptocurrency account, transferred the XRP into a Chinese crypto exchange, traded it into Bitcoin, then transferred these coins into multiple wallet addresses… sentenced to 2 years and 3 months in prison
- Tyler C. King was convicted of creating unauthorized admin accounts and giving them access to proprietary company info plus real-time access to executives’ email, personal files, and financial records… sentenced to 57 months in prison
- Andrew Miller pleaded guilty to one count of conspiracy and two counts of computer fraud for actions committed between 2008 and 2011 when he was part of the Underground Intelligence Agency hacking group… sentenced to 18 months in prison
- Joseph Sullivan, Uber’s former Chief Security Officer, was charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers… charged with obstruction of justice and misprision of a felony
Maze ransomware cartel growing
- June 2020: ransomware gangs teamed up to extort victims on a shared platform, as well as to share tactics and intel
- August 2020: SunCrypt also joined the Maze cartel to go after big companies together
- Today the Maze cartel includes at minimum: LockBit, Ragnar Locker, and SunCrypt
- Before joining the cartel, SunCrypt had little communication or interaction with Maze; now they have a two-way communication channel
- SunCrypt joined the cartel to help with the volume, stating, “They just can’t handle all the available field of operations. Our main specialization is ransomware attacks”
- Like any cartel, the goal is to make money and gain control; SunCrypt clearly stated that they “share revenue from the successful operation”
- The IP address range 91.218.114[.]31 has been tied to both Maze and SunCrypt
- Interestingly, Maze has on many occasions denied that they are in any way related to SunCrypt
Ransomware causing actual deaths
- Dusseldorf University Clinic was hit by attackers in mid-September
- Forensics found that the incident exploited a vulnerability in a “widely used commercial add-on software”, which was not mentioned specifically
- Immediately after the attack, the IT systems at the hospital gradually “crashed”, preventing access to hospital data
- This caused an immediate halt to all operations
- A woman needing emergency attention was transported to a neighboring hospital in Wuppertal for treatment
- The additional 60-minute delay was deadly: the woman died because of the extra time needed to transport her 20 minutes to the neighboring hospital
- Police used the contact details in the ransom message to inform the attackers of the death caused by the attack
- The attackers provided a digital decryption key, stopped extorting funds, and have not responded since
Ransomware negotiators
- Negotiators can help scale down financial demands, arrange tricky cryptocurrency payments, and assist with data restoration
- Often negotiators are technical specialists or former law enforcement officers trained in the art of hostage and terrorist negotiations
- One negotiator remembers a negotiation where the initial demand was $80 million, which was reduced to $45 million, and ultimately nothing was paid; the hacker was inexperienced and most likely used RaaS
- The city of Florence, Alabama, hired a ransomware negotiator and was able to reduce the ransom by 25%, as well as extend the payment deadline through the weekend
- Steve Holt, Mayor of Florence, Alabama – “We have a million-dollar system, we have IT professionals in it. But [the hackers] didn’t come at us with brute force, they just found an opening and got in,” he said. “Anybody can unknowingly, unwittingly, open an email that they shouldn’t have opened.”
Ransomware trends
Data of non-compliant victims is posted on the web
- University Hospital, Newark, New Jersey
  - SunCrypt ransomware leaked 1.7GB of the 240GB of data stolen
  - Authorization forms, driver’s licenses, SSNs, DOBs, and records about the Board of Directors were posted online
- LG and Xerox
  - Maze ransomware leaked 50.2GB of LG’s data and 25.8GB of Xerox’s data
  - Closed-source firmware for phones and laptops, and customer support operations data were leaked
Universities targeted as students return
“The U.K. National Cyber Security Centre (NCSC), has issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks.”
- Many suggestions were made to ensure security, but at the top of the list was, “Effective vulnerability management and patching procedures”
- Reasons for the increased attacks on education include the volume of personal data held (birthdates, SSNs, direct deposit details, etc.) and the fact that this data is kept for a long time
Hard stats
- Cybercrime will cost the world $6 trillion by 2021
- A ransomware attack will succeed every 11 seconds by 2021
- It takes 196 days (6.5+ months), on average, to identify a data breach
- 52% of breaches were due to hacking
- 33% of breaches were due to phishing attacks
- 5%: how many companies’ folders are properly protected
- 62%: how many cybersecurity pros say their team is understaffed
- 25%: chances of becoming a victim of a cyberattack
Attack examples
- U.S. Dept of Veterans Affairs – Breach: https://www.iheart.com/content/2020-09-15-personal-information-of-46000-veterans-compromised-after-va-data-breach/
- Razer – Data breach: https://www.thesouthafrican.com/technology/razer-data-breach-information-september-2020/
- Long Island hospital – Ransomware: https://www.itsecurityguru.org/2020/09/23/long-island-hospital-experiences-data-breach/
- 37 healthcare facilities – Data breach: https://www.hipaajournal.com/august-2020-healthcare-data-breach-report/
Our solutions
Provide field-tested products with a seamless end-to-end user experience
Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally
Technical expertise recognized and awarded worldwide