Remote Access Cyber Attacks: Vigilance When Screen Sharing – Technologist

A newly identified data extortion group known as Mad Liberator has emerged, targeting users of the AnyDesk remote access application. The group uses a deceptive strategy: a fake Microsoft Windows update screen that masks its data exfiltration activity. Urge employees to take care when screen sharing and to stay vigilant about remote access cyber attacks.

First observed in July, Mad Liberator’s operations have notably avoided data encryption. However, according to their data leak site, they claim to use AES/RSA algorithms to lock files, suggesting a potential for more destructive attacks in the future.

What is the attack methodology, and who are they targeting?

Sophos, a leading cybersecurity firm, reports that Mad Liberator initiates attacks by establishing unsolicited computer connections via AnyDesk, a widely used remote access tool in corporate IT environments. Vigilance when screen sharing has, therefore, never been more important. Once a connection is established, the attackers deploy a binary disguised as a Microsoft Windows Update, which presents a fake update splash screen to the user.

How do remote access cyber attacks work?

This fake update screen is designed solely to distract the victim while Mad Liberator uses AnyDesk’s File Transfer tool to steal data from OneDrive accounts, network shares, and local storage. The victim’s keyboard is disabled so that the exfiltration proceeds uninterrupted.
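The chain described above (an unsolicited inbound remote session, followed by outbound file transfers from shares and OneDrive paths, running for hours) lends itself to log correlation. The following is an added example, not code from the article or from Sophos: it parses a constructed, simplified session log (not AnyDesk’s real trace format, which you would substitute in `parse`) and flags inbound sessions from peers outside an assumed trusted-helpdesk list that push files to the remote side.

```python
"""Flag unsolicited inbound remote-access sessions that push files outward.

Added, illustrative detection logic. The log format below is constructed for
this example (timestamp, session id, event, details); it is NOT AnyDesk's real
trace format. TRUSTED_PEERS is an assumed allowlist of known helpdesk IDs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one event per line, session "s1" models the attack.
SAMPLE_LOG = """\
2024-07-15T09:00:12 s1 session_start incoming peer=555123456
2024-07-15T09:01:40 s1 process_start name=WindowsUpdate.exe
2024-07-15T09:05:03 s1 file_transfer direction=to_remote path=\\\\fs01\\finance\\q2.xlsx
2024-07-15T09:05:20 s1 file_transfer direction=to_remote path=C:\\Users\\ana\\OneDrive\\payroll.csv
2024-07-15T13:02:00 s1 session_end
2024-07-15T14:10:00 s2 session_start outgoing peer=444000111
2024-07-15T14:12:00 s2 file_transfer direction=from_remote path=C:\\tools\\patch.msi
2024-07-15T14:30:00 s2 session_end
"""
TRUSTED_PEERS = {"444000111"}  # assumption: helpdesk IDs the organisation recognises


def parse(log_text):
    """Group events by session id as (timestamp, event, detail-dict) tuples."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, sid, event, *rest = line.split(maxsplit=3)
        words = rest[0].split() if rest else []
        detail = dict(kv.split("=", 1) for kv in words if "=" in kv)
        if event == "session_start" and words:
            detail["direction"] = words[0]  # "incoming" or "outgoing"
        sessions[sid].append((datetime.fromisoformat(ts), event, detail))
    return sessions


def flag_sessions(sessions, trusted=TRUSTED_PEERS):
    """Return findings for inbound, untrusted sessions that sent files out."""
    findings = []
    for sid, events in sessions.items():
        start = next((e for e in events if e[1] == "session_start"), None)
        if start is None:
            continue
        t0, _, d = start
        unsolicited = d.get("direction") == "incoming" and d.get("peer") not in trusted
        pushed = [e[2]["path"] for e in events
                  if e[1] == "file_transfer" and e[2].get("direction") == "to_remote"]
        end = next((e[0] for e in events if e[1] == "session_end"), events[-1][0])
        if unsolicited and pushed:
            findings.append({"session": sid, "peer": d.get("peer"), "files": pushed,
                             "hours": round((end - t0).total_seconds() / 3600, 1)})
    return findings
```

Feed `flag_sessions(parse(...))` real session and file-transfer telemetry, and alert on any finding whose file list touches network shares or OneDrive directories.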

Observed duration and impact

In incidents documented by Sophos, the attacks have lasted approximately four hours. Although data encryption has not been observed in the aftermath of these attacks, ransom notes are left on shared network directories to maximise their visibility within the compromised organisation.

Interestingly, Sophos has not detected any prior interaction between Mad Liberator and their targets before the AnyDesk connection request. No associated phishing attempts have been recorded, suggesting a different initial access strategy.

How have they gone about the extortion process?

Mad Liberator’s extortion tactics involve contacting breached firms via their darknet site, offering to help fix security issues and recover encrypted files in exchange for a ransom. If the company fails to respond within 24 hours, its name is published on Mad Liberator’s extortion portal. From that point, the victim has seven days to initiate contact with the attackers. If the ransom is not paid within an additional five days, the stolen data is made public on the Mad Liberator website, which currently lists nine victims.
