Pirated Software Leads to Ransomware Attack

By Dave McKay | May 8, 2021

Student Downloads Pirated Software and Infects COVID-19 Research Institute

A research student working at a European biomolecular research institute wanted to obtain a copy of the software he used at the Institute for his personal use. The cost of a license proved too much for the student's budget, so he asked on an online forum if there was a way he could get a cracked copy of the software, that is, one that has been modified by cybercriminals so that licensing is bypassed.

Someone helpfully guided him to a location where he could access a pirated copy of the software he was after.

The student downloaded the pirated software, but Microsoft Defender—an anti-virus and anti-malware application—prevented it from being installed on his personal laptop. Undeterred, the student threw caution to the wind and disabled Windows Defender.

Sadly, but not surprisingly, the software package also contained malware. He unwittingly installed the keystroke logger it contained, an information-harvesting program that immediately began logging all of his keystrokes. It harvested authentication credentials such as passwords, network connection details, browser cookies, anything he put in the clipboard, and more.

The crunch came when he used his personal laptop to make a Remote Desktop Protocol (RDP) connection to the research institute. As soon as he did so, his RDP credentials were transmitted to the cybercriminals, who tested them a few days later by making a test connection to the Institute's network.

A few days after that, another connection was made and the network was infected with the Ryuk ransomware. It is probable that the cybercriminals who harvested the connection details sold them on the Dark Web to the ransomware gang who committed the actual attack.

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” Peter Mackenzie, manager of rapid response at Sophos said. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”

This attack raises questions about allowing personal devices to be connected to an organization's network, and about the lack of basic security measures such as two-factor authentication. The basics of cyber hygiene should always be followed:

  • Enable two-factor or multi-factor authentication (MFA) wherever possible.
  • Review Bring Your Own Device and Connect Your Own Device policies. Are they worth the risk, and if so, how do you contain and mitigate the risks?
  • Implement a password policy that defines the strength of passwords, and make sure it applies to everyone, including part-time workers, student placements, and contractors.
  • Retire or upgrade any old and unsupported operating systems and applications.
  • Review proxy server settings and monitor security policies to deny access to malicious websites and suspect downloads.
  • Disable the ability for unauthorized staff to install software applications.
  • Lock down RDP access with group policies or access control lists.
  • Segregate your network so that it is impossible for malware to race through your infrastructure unimpeded.
  • Review firewall rules and ensure that they only whitelist traffic intended for known destinations.
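As an added illustration of the RDP lock-down and monitoring points above (example code written for this page, not from the article or from Sophos): a minimal detector that flags RDP logons for an account from a source address that account has never used, the kind of check that would have surfaced the access brokers' test connection and its return visit. Event ID 4624 and LogonType 10 are the real Windows Security log values; the event records themselves are constructed sample data.

```python
"""Flag first-seen RDP logon sources per account from Windows Security events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the article or any real institute).
# 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
EVENTS = [
    {"ts": "2021-03-01T09:02:11", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "student01", "IpAddress": "10.20.5.44"},
    {"ts": "2021-03-02T08:55:40", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "student01", "IpAddress": "10.20.5.44"},
    {"ts": "2021-03-03T10:12:03", "EventID": 4624, "LogonType": 2,   # console logon, ignored
     "TargetUserName": "student01", "IpAddress": "-"},
    {"ts": "2021-03-07T02:41:19", "EventID": 4624, "LogonType": 10,  # brokers' test connection
     "TargetUserName": "student01", "IpAddress": "203.0.113.77"},
    {"ts": "2021-03-10T03:05:52", "EventID": 4624, "LogonType": 10,  # return visit
     "TargetUserName": "student01", "IpAddress": "203.0.113.77"},
]

def rdp_logons(events):
    """Return only successful RDP (RemoteInteractive) logons, in time order."""
    return sorted((e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10),
                  key=lambda e: e["ts"])

def first_seen_sources(events, learn_days=3):
    """Alert on RDP logons from a source the account has not used before.

    Pairs seen in the first `learn_days` of data form the baseline. A later
    (account, source) pair outside the baseline is reported as 'new-source'
    the first time and 'new-source-returned' when the same source comes back.
    """
    logons = rdp_logons(events)
    if not logons:
        return []
    start = datetime.fromisoformat(logons[0]["ts"])
    known = defaultdict(set)    # account -> baseline source addresses
    flagged = defaultdict(set)  # account -> sources already alerted on
    alerts = []
    for e in logons:
        acct, src = e["TargetUserName"], e["IpAddress"]
        age_days = (datetime.fromisoformat(e["ts"]) - start).days
        if age_days < learn_days:
            known[acct].add(src)
            continue
        if src in known[acct]:
            continue
        kind = "new-source-returned" if src in flagged[acct] else "new-source"
        flagged[acct].add(src)
        alerts.append((e["ts"], acct, src, kind))
    return alerts
```

Running `first_seen_sources(EVENTS)` yields two alerts for `student01` from `203.0.113.77`: the test connection and the later return. In practice the baseline would be built from weeks of history and the alert joined with MFA status and device identity.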

Human error is one thing. A blatant disregard for the organization’s security is completely another. This incident borders on wilful neglect.

Source: InfoSecurity Magazine