New Ransomware Group SnapMC be Found to Have Completed Breach in Less Than 30 Minutes of Hacking

Security researchers have discovered a new threat group that performs lightning-fast hacks, usually within 30 minutes, to steal corporate files and extort victims by threatening to leak their data online and to the media if they don’t pay the ransom within a few days.

The group, discovered by Dutch security firm Fox-IT, is named “SnapMC” because of its short intrusion time and use of a tool called mc.exe to exfiltrate data.

Fox-IT researchers say that web-facing software vulnerabilities are being used to infiltrate corporate networks, with some intrusions exploiting CVE-2019-18935, a vulnerability in the UI component of the Telerik ASP.NET framework

https://nvd.nist.gov/vuln/ detail/CVE-2019-18935

After the intrusion, the group reportedly acted quickly to collect data from local systems, never spending more than 30 minutes on the hacked network.

After a successful intrusion, SnapMC sends an email to the hacked company with a list of the stolen files as evidence. The companies are usually given 24 hours to reply to the email and 72 hours to negotiate a ransom payment.

In order to force companies to start negotiating, SnapMC will release a small portion of their data, threaten to leak files online, threaten to tell the media about the hack, and notify customers of the affected companies about the intrusion.

Fox-IT said that while they were tracking the group, despite having access to the victim’s internal network, they did not see them deploying any ransomware, only focusing on the data breach and subsequent extortion.

In addition, Fox-IT says it has not been able to confirm any connection between the SnapMC group and the current “leak market” – a web portal for leaking data on ongoing or failed extortion attempts.

Currently, there are a number of leak markets and data auction sites, such as

  • Arvin Club
  • Bonaci Group
  • Dark Leak Market
  • File Leaks
  • Karakurt
  • LockData
  • Marketo
  • XING
  • LockData-auction

In an effort to help companies implement the right defenses, SnapMC has released a technical report outlining the tools and techniques most commonly used during an intrusion. https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/

The Fox-IT report recommends deploying a web firewall in front of Telerik-based applications as the simplest solution to block attacks.

First, the initial access is typically through known vulnerabilities for which patches exist. Applying patches in a timely manner and keeping devices (connected to the Internet) up-to-date is the most effective way to avoid becoming a victim of this type of attack.

Do regular vulnerability scans to see where vulnerable software is located on your network.

Vulnerabilities may also be out of your direct reach, as third parties providing software packages may use vulnerable software as components. Therefore, it is important to have a clear mutual understanding and a well-defined contract between the organization and the software supplier regarding patch management and retention policies.

The latter also applies to the potential obligation to have the supplier provide the system for forensic analysis and root cause analysis in the event of an incident.

Notably, when reference testing the exploitability of a particular version of Telerik, it became apparent that the exploit would not succeed if the software component was behind a properly configured Web Application Firewall (WAF).

Finally, we would like to thank the following people for their support.

Finally, by properly implementing detection and incident response mechanisms and processes, the likelihood of successfully mitigating a serious impact to the organization increases. Timely detection and efficient response can help mitigate damage before it becomes apparent.

Leave a Reply

Your email address will not be published.