From The Dark Overlord 9/11 Files… A Glimpse into What Your Life is Worth (Jan 1, 2019)

The threat group "The Dark Overlord" (TDO) is attempting to extort money from several organizations that handled litigation and insurance claims following the 9/11 attacks. Companies such as Hiscox Syndicates Ltd, Lloyd's of London, and Silverstein Properties have purportedly all been compromised by The Dark Overlord, which claims to have stolen a large amount of documentation. The group is exploiting the emotion still tied to 9/11 and its aftermath both to attract global attention and to pressure the organizations into paying its ransom. The extortion note sent to the companies contains a link to a 10 gigabyte (GB) archive of encrypted files and states that, if the ransom is not paid, the group will release decryption keys for specific subsets of the cache, one set at a time. The Dark Overlord is notorious for exploiting anyone and everyone, with complete disregard, simply to obtain a large illicit profit.

Recommendation: Threat actors like The Dark Overlord rely on fear mongering to extract an illicit profit. While breach details have not been reported in open sources, the group is known to exploit companies' misconfigured Remote Desktop Protocol (RDP) servers to gain access to a target's network. TDO has also claimed to use exploits to access SRSSQL remotely. Ensure that your servers are always running the most current software versions. Additionally, maintaining strong passwords for RDP and other remote access systems is paramount. Intrusion detection systems and intrusion prevention systems can also help identify and block attacks against your company's network. Furthermore, always practice Defense-in-Depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.
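As an added illustration of the RDP recommendation above (not part of the original briefing), the script below flags password guessing against an RDP service from Windows Security log events: failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) are counted per source address, and a subsequent successful logon (Event ID 4624, type 10) from a source that already crossed the failure threshold is reported as a likely account compromise. The pipe-separated export format and the log lines themselves are constructed for the example; the event IDs and logon type are standard Windows values.

```python
"""Flag RDP password guessing in exported Windows Security log lines.

Added example for this briefing. Input format is a constructed, simplified
export: "EventID|LogonType|Account|SourceIP", one event per line, in time order.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<event>\d{4})\|(?P<logon_type>\d+)\|(?P<account>[^|]+)\|(?P<src>[\d.]+)$"
)

# Constructed sample: one source hammers several accounts over RDP and then
# gets in; a second source mistypes once; a network logon (type 3) is noise here.
SAMPLE_LOG = """\
4625|10|administrator|203.0.113.7
4625|10|admin|203.0.113.7
4625|10|backup|203.0.113.7
4625|10|administrator|203.0.113.7
4625|10|jsmith|203.0.113.7
4625|10|jsmith|198.51.100.4
4624|10|jsmith|198.51.100.4
4625|3|svc_web|192.0.2.10
4624|10|administrator|203.0.113.7
"""

def parse_events(text):
    """Parse the export format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"event": int(m["event"]), "logon_type": int(m["logon_type"]),
                           "account": m["account"].lower(), "src": m["src"]})
    return events

def rdp_guessing_report(text, threshold=4):
    """Return sources with >= threshold RDP failures and successes that follow such bursts."""
    failures = defaultdict(list)   # source IP -> accounts that failed over RDP
    success_after_burst = []       # (source IP, account) logged in after a burst
    for ev in parse_events(text):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        if ev["event"] == 4625:
            failures[ev["src"]].append(ev["account"])
        elif ev["event"] == 4624 and len(failures.get(ev["src"], [])) >= threshold:
            success_after_burst.append((ev["src"], ev["account"]))
    suspicious = {src: {"attempts": len(accts), "accounts": sorted(set(accts))}
                  for src, accts in failures.items() if len(accts) >= threshold}
    return {"suspicious_sources": suspicious, "success_after_burst": success_after_burst}

if __name__ == "__main__":
    print(rdp_guessing_report(SAMPLE_LOG))
```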

ThreatStream users can view the Indicators of Compromise (IOCs) associated with this story to identify potentially malicious activity.