The Cat’s in the Cradle, the RAT’s in the Server
Observations from the banks of the technology river
TOM EVANS; ASHTON ENGINEER EMERITUS
Some mail arrived just the other day
Landed in my inbox with a lot to say
But there were others to read and not much time
I clicked on the link and lost my mind
My poor machine was no longer mine, and then I knew
My machine was pwned, and acting wild
Spittin’ out spam like an evil child
The rat’s in the server and it’s not alone
Lots of bad warez and they’re phoning home
Can’t get it out, it’s really bad
Looking for help, none to be had
The rat’s in the server and my server’s dead
(To the tune of “The Cat’s in the Cradle”, sort of.) Okay, so songwriting as a second career is out.
Is there a remote access trojan (RAT) in your server? A recent study found 481 control servers running 14 different families of RATs, and the really bad news is that the researchers could only find a fraction of the servers out there. This does not bode well for networks or users with poor security practices. Ransomware does one thing, encrypt your data, and then stops; a RAT hands an attacker ongoing, interactive control of the machine, so it can do almost anything, including hiding from detection.
Now combine a RAT with a new and particularly nasty phishing email: it claims the CIA knows you have child pornography on your computer and that you need to pay $5,000 to make that information ‘disappear’. Here is where this gets scary.
“With the capabilities of recent destructive malware and ransomware, the following scenario becomes highly probable: If you don’t pay the ransom—but click on the link, worried to death—they will put actual child pornography on the user’s machine, and/or they stuff your users’ search history with fake searches. Then they will anonymously notify the FBI or other Law Enforcement. It’s a setup and the intent is to actually cause the person to get arrested and massively disrupt your organization at the same time.”
Apparently it is not that complex to plant the images and stuff a search history. The legal reaction to child pornography is swift and merciless, and proving you were the victim of an extortion plot may be next to impossible.
Even if you or your company ultimately get clear with the authorities, the bad press could be disastrous, personally and professionally.
Do your users know what to do when faced with an email threat like this? How could it get worse? Well, it can.
RATs give someone else control of machines on your network, and with that control almost anything can be done. One sequence of events looks like this:
Phishing email > malicious Word document > Emotet (spreads across the network) > Emotet downloads Trickbot (disables AV, harvests email addresses, steals credentials, hijacks accounts to send more phishing emails) > Trickbot drops Ryuk (ransomware).
Obviously nothing good comes of this sequence of events, and it all starts with the weakest link in your security: a user. Someone clicks on a link they shouldn’t and your network is compromised. If you are in the SMB space, there is a big target on your network and your users are front and center in the battle.
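The “malicious Word document > Emotet” step is the point in that chain where defenders usually get their first chance to notice something. The following is an added example, not code from the original post: a small scoring rule over process-creation telemetry that flags an Office application spawning a script interpreter with downloader-style arguments. That this is how macro droppers typically launch their payload is an assumption about the technique, not something the post states; the sample events are constructed and their field layout (host, user, parent image, image, command line) loosely follows Sysmon process-creation records, also an assumption.

```python
"""Detection heuristic for the macro-dropper stage of a phishing chain.

Added example, not code from the original post. The events below are
constructed; the field layout loosely follows Sysmon process-creation
records (an assumption).
"""
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Command-line fragments typical of a downloader stub. "-enc" also covers
# "-encodedcommand" because it is a prefix of it.
SUSPICIOUS_ARGS = (
    "-nop", "-w hidden", "-enc", "downloadstring", "downloadfile",
    "frombase64string", "invoke-expression", "iex ",
)


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Score one process-creation event; higher means more suspicious."""
    score, reasons = 0, []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    # The parent/child pair alone is worth two points: Word has no business
    # launching PowerShell, whatever the arguments look like.
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        score += 2
        reasons.append(f"office process {parent} spawned {child}")
    cmd = ev.command_line.lower()
    for token in SUSPICIOUS_ARGS:
        if token in cmd:
            score += 1
            reasons.append(f"suspicious argument {token.strip()!r}")
    return score, reasons


def detect(events: List[ProcessEvent], threshold: int = 2) -> List[Tuple[ProcessEvent, int, List[str]]]:
    """Return the events whose score reaches the threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry: three ordinary events and one macro dropper.
SAMPLE_EVENTS = [
    ProcessEvent("WS-017", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\Invoice_4471.doc"'),
    ProcessEvent("WS-017", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
    ProcessEvent("WS-017", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("SRV-02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{ev.host}] {ev.user} score={score}: {'; '.join(reasons)}")
```

Only the third event trips the rule; the print-spooler helper that Word launches legitimately and the scheduled backup script both score zero. In a real deployment the same logic belongs in the EDR or SIEM as a correlation rule, and the parent/child pair is the part worth alerting on even when the arguments are not obviously hostile.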
THERE ARE 3 REASONS SOMEONE CLICKS ON A LINK:
#1 - They don’t know how to recognize a bad link
#2 - They don’t take the time to check the link
#3 - They don’t care what happens if they click the link.
You can fix #1 with security awareness training that happens on a regular basis. You can fix #2 by letting employees know that security IS important and that they need to take the time. Fixing #3 is harder, depending on why they don’t care. If they have so little regard for their job that they don’t care whether the company goes under, you have a real problem employee. If they don’t care because they don’t think it is important, education can help, but it needs to come with a visible demonstration that management thinks it is important. If you want to stay in business, security needs to be worth the time and effort.
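The “how to recognize a bad link” lesson in awareness training comes down to a handful of checks a user makes when hovering over a link: does the text match where the link really goes, is the brand name in the real domain or just decorating a subdomain, is it a bare IP address, is there an @ sign hiding the true host. The following is an added example, not from the original post, that mechanises those checks so they can be applied to links pulled from a mail gateway or a training quiz. The anchor text / href pairs are constructed, the two-brand list is an assumption, and the “last two labels” notion of a registrable domain is a simplification (a real tool would use the Public Suffix List).

```python
"""Heuristics for telling a bad link from a good one.

Added example, not from the original post. The links below are constructed,
the brand list is an assumption, and `registrable` is a deliberate
simplification (no Public Suffix List).
"""
import re
from typing import List
from urllib.parse import urlparse

# Brands an attacker is likely to impersonate against this organisation (assumed).
TRUSTED_BRANDS = ("paypal.com", "microsoft.com")

# A domain-looking token in the visible text. Can also match file names such
# as "invoice.pdf", so treat this as a hint, not proof.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _parse(url: str):
    """urlparse, tolerating a missing scheme so the host is still recognised."""
    return urlparse(url if "://" in url else "http://" + url)


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(display_text: str, href: str) -> List[str]:
    """Return the reasons a link is suspicious; an empty list means nothing found."""
    findings: List[str] = []
    parsed = _parse(href)
    target = (parsed.hostname or "").lower().rstrip(".")
    if not target:
        return ["link has no host"]

    # 1. The visible text names a site, but the link really goes elsewhere.
    m = _DOMAIN_IN_TEXT.search(display_text.lower())
    if m and registrable(m.group(1)) != registrable(target):
        findings.append(f"text shows {m.group(1)} but link goes to {target}")

    # 2. Punycode labels can hide look-alike (homoglyph) characters.
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append(f"host {target} uses punycode")

    # 3. A trusted brand appears in the host but is not the domain actually owned.
    for brand in TRUSTED_BRANDS:
        brand_label = brand.split(".")[0]
        if brand_label in target and registrable(target) != brand:
            findings.append(f"'{brand_label}' appears in {target} but the domain is {registrable(target)}")

    # 4. Legitimate services rarely send users to a bare IP address.
    if _IPV4.fullmatch(target):
        findings.append("link goes to a bare IP address")

    # 5. Everything before '@' is user info the browser ignores; it is only there to mislead.
    if parsed.username:
        findings.append(f"'{parsed.username}@' in the URL is not the host, {target} is")

    return findings


# Constructed examples: the first is a genuine link, the rest are classic tricks.
SAMPLE_LINKS = [
    ("https://www.paypal.com/account", "https://www.paypal.com/account"),
    ("www.paypal.com", "http://paypal.com.secure-login.example/verify"),
    ("Click here", "http://xn--pypal-4ve.com/"),
    ("Your invoice", "http://203.0.113.7/inv.doc"),
    ("microsoft.com", "https://microsoft.com@evil.example/login"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'looks consistent'}")
```

The first pair passes cleanly; each of the others is caught by at least one check, and the “paypal.com.secure-login.example” case is caught twice, once because the text disagrees with the destination and once because the brand is riding in a subdomain. These are the same observations a user is taught to make by eye, which is the point: the training is teachable because the checks are mechanical.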
In the song “The Cat’s in the Cradle” the father didn’t take time for his son, who wanted to be ‘just like Dad’. In the end he was, with no time for family. Call Ashton, and we’ll help you make time for security!