fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Sell Access to Your Network Via Remote Management Apps

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Hackers Sell Access to Your Network Via Remote Management Apps

Remote monitoring and management (RMM) software is starting to get attention from hackers as these types of tools provide access to multiple machines across the network.

At least one network access broker has been advertising access to networks of organizations in various regions of the world that use the ManageEngine Desktop Central from Zoho to manage their Windows, Linux, and Mac systems.

Some of the breached companies are attractive targets for ransomware operators, who may already have jumped at the opportunity.

RMM access for complete control

The seller is active on a major Russian-speaking forum where they’ve been announcing network access since at least July 2020. In September, the actor advertised 36 accesses, hoping for a cumulative profit close to $100,000.

In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.

KELA told BleepingComputer that the actor is not selling RMM access exclusively. In an early post on the forum, they offered domain access. More recently, they offered credentials to 1,000 remote desktop (RDP) servers in China.

Also Read: Does Personal Data Market About To Become The Next Big Thing

Apart from these, though, almost all posts from the access broker’s sales thread are for RMM access. According to KELA, there are at least 53 accesses advertised individually with a cumulative value of over $150,000.

It is difficult to determine the seller’s profit from these transactions because some offers did not disclose a price and they asked potential buyers to make an offer.

There is confirmation that the threat actor sold access to ten networks, though, which earned them around $33,800. The number is likely higher since some deals may have completed in private

Hacker forum

KELA was able to identify multiple victims, but for two of them the network access was the most expensive in the seller’s offer: one company in Turkey and one in Canada. The prices asked for these two were 1.5BTC and 1BTC.

Brief profiles for the two companies published by the broker show revenues of hundreds of millions of US dollars and hundreds of computers on their network, details that caused the sale to complete in a few hours.

Sale post Sale post 2

However, based on the actor’s statements, they have network access to companies all over the world, most of them in the U.S., including the U.K., Spain, Brazil, and Portugal.

As for the activity sector of the victims, this also varies (IT, education, construction, manufacturing, law, healthcare, government) suggesting that the compromises are opportunistic rather than targeted attacks.

Although there isn’t a strong indication, the buyers are likely connected with ransomware operators.

“We haven’t seen any direct communications between the actor and known ransomware affiliates, for example. However, based on the broker’s wording in posts it’s pretty evident the actor is aiming towards ransomware use cases” – Raveed Laeb, KELA Product Manager

Furthermore, the seller appears hints that the network access they’re selling is suitable for ransomware attacks. Laeb told us that the actor wrote in one of their posts:

“From there [the RMM platform] you can deploy your payloads (cobalt or any other) and take over network. Also if you want you can deploy your file stealer on File server and transfer to your own FTP server.”

Looking for ManageEngine Desktop Central instances exposed on the internet, KELA found close to 900 servers open on various ports.

Also Read: PDPA For Companies: Compliance Guide For Singapore Business

Graph

As for the hacking method, this remains unknown at the moment; but it could be anything from attacking a managed services provider, direct brute-force attacks, or exploiting the remote code execution vulnerability CVE-2020-10189 disclosed in March.

Laeb told us that the actor leveraging this flaw is also unlikely because the actor is selling login credentials to the management platform, and exploiting the vulnerability is typically for backdooring the server and dropping malware. However, this is just an assumption since there isn’t a clear and complete profile of the seller’s activity and abilities.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us