Cybersecurity researchers have unearthed a new threat group known as SnapMC, that aims to secure access to the company’s files, steal their sensitive data and demand ransom to keep it from being leaked.
According to NCC Group’s Threat Intelligence team, SnapMC has not been linked as of yet to any known threat actors. The name is derived from the actor’s lightning-fast hacks, typically completed in under 30 minutes, and the exfiltration tool mc.exe it uses.
To perform the attack, SnapMC scans for multiple vulnerabilities in both web servers and virtual private networking solutions. In particular, the threat group utilizes the so-called Blue Mockingbird vulnerability that affects older versions of the Telerik UI for ASP.NET applications.
Once inside, the group sends extortion emails to victims. Typically, a victim is given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment; a list of stolen data as evidence that the group has gained access to the victim’s infrastructure is included by the actors.
To intimidate victims to begin negotiations, the threat group releases small portions of the data, threatens to leak the files online, threatens to tell media outlets regarding the breach or notify a victim’s customers about the hack.
“There are multiple reasons for the success of these attacks: First, regulation and public awareness make victims more inclined to have the certainty of containing the incident by paying,” said Christo Butcher, global head for threat intelligence at the NCC Group Research and Intelligence Fusion Team. “Second, the threat actors behind various data breach extortion attacks are gaining more experience with every breach and subsequent extortion negotiation, which allows them to improve their skills in both negotiating as well as understanding the mindset of their victims.”
SnapMC does not deploy ransomware, despite having access to a victim’s internal network – the group focuses solely on data exfiltration and the subsequent extortion, the researchers observed while tracking the group.
Earlier this week, researchers published a technical report containing the tools and methodologies employed by SnapMC in their intrusions – in the hopes that organizations deploy proper defenses.
NCC Group recommends that organizations should keep all their web-facing assets up to date; doing so will help in mitigating the risks. Gaining visibility into susceptible software and putting in place effective detection and response systems can also help in combating the attacks.
