Being forewarned is being forearmed; and, if organizations keep up-to-date with the latest malware alerts, they have the opportunity to take measures to prevent their network systems becoming infected with the latest malware strains.
Many malware alerts originate not from reports of malware infections themselves, but from vulnerabilities being identified in everyday software that a hacker could use to install an exploit kit. Our malware alerts explain what the vulnerabilities are, how they can be used to deliver malware and what patches exist to eliminate the vulnerability.
Of course, the best way to block exploit kits from downloading malware onto your organization’s network systems is to ensure that Internet users never visit a website harboring an exploit kit. This can be achieved by a simple adjustment of your web filtering solution. If your organization does not yet have a web filtering solution, speak with WebTitan today.
A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arby’s.
While there have been numerous instances of credit card fraud reported in the past few days, the Arby’s data breach was first identified in January. Industry partners contacted Arby’s regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.
The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.
Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arby’s has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.
PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.
This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendy’s suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.
Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.
Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.
Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.
Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.
This month, security researchers have discovered cybercriminals are conducting social media ransomware attacks using Facebook Messenger and LinkedIn. Social media posts have long been used by cybercriminals to direct people to malicious websites containing exploit kits that download malware; however, the latest social media ransomware attacks are different.
According to researchers at CheckPoint Security, the social media ransomware attacks take advantage of vulnerabilities in Facebook Messenger. Files sent through Facebook Messenger carry a double extension: they appear to be jpeg or SVG images but are actually hta or js files, and they have the ability to download malicious files including ransomware.
CheckPoint says “The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.” The report goes on to say “This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” No technical details have been released, as CheckPoint claims the vulnerability has yet to be fixed by Facebook.
Facebook responded to Blaze’s claim saying the problem was not related to Messenger, but involved bad Chrome extensions. Facebook said the problem had been reported to the appropriate parties.
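The double-extension trick described above is easy to check for at a mail gateway, proxy or endpoint download monitor: split the filename on every dot and let the last component decide how Windows will actually open the file. The following checker is an added example written for this article, not code from CheckPoint or from the campaign; the extension lists and the sample filenames are constructed.

```python
import os

# Extensions that a chat client or mail gateway might present as harmless images.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "svg"}
# Extensions that Windows executes, or hands to a script host, on double-click.
EXEC_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "exe", "scr", "cmd", "bat", "ps1"}


def classify_filename(name: str) -> tuple:
    """Return (verdict, reason) for a filename; verdict is 'block', 'review' or 'ok'.

    The name is split on every dot, so 'photo.jpg.js' yields the extension
    chain ['jpg', 'js'] and the final element decides how Windows opens it.
    Each component is stripped so that padding such as 'photo.jpg      .js'
    does not hide the real extension.
    """
    base = os.path.basename(name.strip()).lower()
    parts = base.split(".")
    exts = [p.strip() for p in parts[1:] if p.strip()]
    if not exts:
        return ("ok", "no extension")
    final = exts[-1]
    if final in EXEC_EXTS:
        if any(e in IMAGE_EXTS for e in exts[:-1]):
            return ("block", "image extension masking executable ." + final)
        return ("review", "executable extension ." + final)
    if final == "svg":
        # SVG is XML and may carry <script>, so it is not a plain bitmap image.
        return ("review", "svg can embed script")
    if final in IMAGE_EXTS:
        return ("ok", "image")
    return ("review", "unrecognised extension ." + final)


def blocked_names(names) -> list:
    """Filter a batch of filenames (e.g. from a download log) to those to block outright."""
    return [n for n in names if classify_filename(n)[0] == "block"]


# Constructed sample of filenames as they might appear in a download log.
SAMPLE_DOWNLOADS = [
    "holiday.jpg",
    "photo_2016.jpg.js",
    "funny.svg.hta",
    "avatar.png",
    "invoice.js",
    "readme",
]

if __name__ == "__main__":
    for n in SAMPLE_DOWNLOADS:
        print(n, "->", classify_filename(n))
```

The "review" verdict exists so that a bare script file is not silently allowed but also not conflated with the masquerading case; a deployment would normally quarantine both and let the masquerade case alert at a higher priority.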
Ransomware Attacks on the Rise
According to the Kaspersky Security Network, ransomware attacks on SMBs have increased eightfold in the past 12 months. The problem is also getting worse. More than 200 ransomware families have now been discovered by security researchers, and new forms of the malicious file-encrypting software are being released on a daily basis.
Any business that is not prepared for a ransomware attack, and has not implemented security software to protect computers and networks, is at risk of being attacked. A recent survey conducted by Vanson Bourne on behalf of SentinelOne showed that 48% of organizations had been attacked with ransomware in the past 12 months. Those companies had been attacked an average of 6 times.
How to Prevent Social Media Ransomware Attacks
Social media ransomware attacks are a concern for businesses that do not block access to social media platforms in the workplace. It is possible to prevent employees from accessing social media websites using WebTitan, although many businesses prefer to allow employees some time to access the sites. Instead of blocking access to Facebook, businesses can manage risk by blocking Facebook Messenger. With WebTitan, it is possible to block Facebook Messenger without blocking the Facebook website.
If WebTitan is installed, webpages that are known to contain malware or ransomware downloaders will be blocked. When individuals link to these malicious websites in social media posts, employees will be prevented from visiting those sites. If a link is clicked, the filtering controls will prevent the webpage from being accessed.
To find out more about how WebTitan can protect your organization from web-borne threats such as ransomware and to register for a free trial of WebTitan, contact the Sales Team today.
It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.
While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.
200 Ransomware Families Now Discovered
As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.
The ransomware families have been catalogued by the ID Ransomware service, part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.
Not only are new ransomware variants being developed at an unprecedented rate, the latest variants are also sneakier and have new capabilities to avoid detection. They are more virulent, capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.
More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.
Massive Campaign Spreading New Locky Ransomware Variant
One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributors are also using a variety of techniques to evade detection.
Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.
There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative of Europol and the Dutch National Police, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.
Ransomware Problem Unlikely to Be Solved Soon
Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.
Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.
Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.
Are you Prepared for a Ransomware Attack?
With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation, which can be considerable.
Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.
An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.
Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption, and even if the keys are available there is no guarantee that they will be sent through.
Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.
With attacks increasing, there is no time to wait. Now is the time to get prepared.
Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.
The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.
Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.
There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.
Ranscam Ransomware will not Allow Victims to Recover Their Files
Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.
The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – around $133 at today’s exchange rate.
While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.
Unfortunately for the victims, by the time the ransom note is displayed their files have already been deleted. Paying the ransom will not result in the encrypted files being recovered. A decryption key will not be provided because there isn’t one.
Researchers at Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying if payment has been made. The ransomware only simulates the verification process. There is also no process built into the ransomware that will allow a victim’s files to be recovered.
Backup Your Files or Be Prepared to Lose Them
Many ransomware authors have a vested interest in ensuring that a victim’s files can be recovered. If word spreads that there is no chance of recovering encrypted files, any individual who has had their computer infected will not pay the ransom demand. Locky, CryptoWall, and Samsa ransomware may be malicious, but at least the thieves are honorable and make good on their promise. If they didn’t, discovering that files had a .locky extension would be a guarantee that those files would be permanently lost.
There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all will be willing – or able to – recover encrypted files.
The developers of CryptXXX ransomware have made some updates to the malicious software recently. A new campaign has also been launched which is seeing an increasing number of Joomla and WordPress websites compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.
The latest CryptXXX crypto-ransomware variant no longer changes the extension of encrypted files; the original extensions are left unchanged. This makes it more difficult for system administrators to resolve an infection by restoring files from backups, as it is much harder to determine exactly which files have been encrypted.
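When the extension is left alone, the file contents still give the game away: a document whose extension promises a known format no longer starts with that format’s header, and a file with no recognisable header has the near-random byte distribution of ciphertext. The script below is an added example written for this article, not CryptXXX code or a vendor tool; it checks the magic bytes first (compressed formats such as PNG and DOCX are high-entropy on their own, so entropy alone would produce false positives) and falls back to Shannon entropy of the file head for extensions it does not know. The format table, threshold and sample files are constructed.

```python
import math
import random
from collections import Counter

# Expected leading bytes ("magic") for common document and image formats.
MAGIC = {
    "pdf": (b"%PDF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}
SAMPLE_BYTES = 4096        # only the head of each file is examined
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> tuple:
    """Return (flagged, reason) for one file.

    Known extension: flag only if the header does not match, whatever the
    entropy.  Unknown extension: flag if the head is near-random.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    head = data[:SAMPLE_BYTES]
    ent = shannon_entropy(head)
    expected = MAGIC.get(ext)
    if expected is not None:
        if not any(head.startswith(m) for m in expected):
            return (True, f"header does not match .{ext} (entropy {ent:.2f})")
        return (False, f"header matches .{ext}")
    if ent >= ENTROPY_THRESHOLD:
        return (True, f"no known header, high entropy {ent:.2f}")
    return (False, f"entropy {ent:.2f}")


def triage(files: dict) -> list:
    """Names of files that should be restored from backup, in input order."""
    return [n for n, d in files.items() if looks_encrypted(n, d)[0]]


# Constructed sample: seeded pseudo-random bytes stand in for ciphertext,
# since an encrypted file is indistinguishable from noise.
_noise = random.Random(42)
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"obj " * 500,                       # genuine PDF-like head
    "invoice.pdf": bytes(_noise.getrandbits(8) for _ in range(4096)),   # encrypted, extension kept
    "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(_noise.getrandbits(8) for _ in range(2048)),
    "notes.txt": b"meeting notes\n" * 200,
    "budget.dat": bytes(_noise.getrandbits(8) for _ in range(4096)),    # unknown format, near-random
}

if __name__ == "__main__":
    for n, d in SAMPLE_FILES.items():
        print(n, looks_encrypted(n, d))
```

Run over a file share, the flagged list is the restore list; anything the script is unsure about (unknown extension, moderate entropy) should be compared against backup checksums rather than guessed.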
The ransomware developers have also changed the ransom note that is presented to victims and the Tor address for payment has also been changed. The payment site has been changed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past. The authors have now changed the site to Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims that experience difficulties making the payment, there is no method of contacting the attackers to explain about payment issues.
CryptXXX crypto-ransomware has previously been spread using the Angler exploit kit, although the ransomware is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in PDF readers and Adobe Flash to download CryptXXX.
CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign
WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.
It is unclear how the websites are being infected. Outdated Joomla and WordPress installations have been suggested as the most likely way the attackers are gaining access to the sites, although outdated plugins could also be used to inject the malicious analytics code. The campaign is being referred to as “Realstatistics” due to the URL that is placed into the PHP template of infected sites.
The latest campaign has also been used to push other ransomware variants on unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate Cryptobit variants that were being pushed as part of the latest Realstatistics campaign. The attackers now appear to be using Cryptobit less and have switched to CryptXXX crypto-ransomware in recent days.
Security researchers at ESET have discovered a dangerous new Mac backdoor program which allows attackers to gain full control of a Mac computer. Mac malware may be relatively rare compared to malware used to infect PCs, but the latest discovery clearly demonstrates that Mac users are not immune to cyberattacks. The new OS X malware has been dubbed OSX/Keydnap by ESET. This is the second Mac backdoor program to be discovered in the past few days.
OSX/Keydnap is distributed as a zip file containing an executable disguised as a text file or image. If the file is opened, it downloads the icloudsyncd backdoor, which communicates with the attackers’ C&C server via the Tor network. The malware attempts to gain root access by asking for the user’s credentials in a pop-up box when an application is run. If root access is gained, the malware runs each time the device is booted.
The malware is capable of downloading files and scripts, running shell commands, and sending output to the attackers. The malware is also able to update itself and also exfiltrates OS X keychain data.
Second Mac Backdoor Discovery in Days
The news of OSX/Keydnap comes just a matter of hours after security researchers at Bitdefender announced the discovery of another Mac backdoor program called Eleanor. Hackers had managed to get the Backdoor.MAC.Eleanor malware onto MacUpdate. It is hidden in a free downloadable app called EasyDoc Converter.
EasyDoc Converter allowed Mac users to quickly and easily convert files into Word document format; however, rather than doing this, the app installed a backdoor in users’ systems. Infections with Eleanor will be limited as the app does not come with a certificate issued to an Apple Developer ID. This will make it harder for many individuals to open the app.
However, if users do install the app, a shell script will be run that will check to see if the malware has already been installed and whether Little Snitch is present on the device. If the Little Snitch network monitor is not installed, the malware will install three LaunchAgents together with a hidden folder full of executable files used by the malware. The files are named to make them appear as if they are Dropbox files.
The LaunchAgents open a Tor hidden service through which attackers can communicate with a web service component, which is also initiated by the LaunchAgents. A Pastebin agent is also launched which is used to upload the Mac’s Tor address to Pastebin where it can be accessed by the attackers. The Mac backdoor program can reportedly be used for remote code execution, to access the file system, and also to gain access to the webcam.
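Both of the backdoors above persist through launchd, so a periodic review of LaunchAgent property lists is a cheap detection. The checker below is an added example written for this article, not ESET, Bitdefender or Eleanor code: it parses a plist with the standard library and reports programs that live in hidden directories, labels that borrow the Dropbox name while pointing somewhere other than the Dropbox application, programs outside a trusted set of locations, and agents that both start at login and are restarted if killed. The trusted prefixes and both sample plists are constructed.

```python
import os
import plistlib

# Locations a LaunchAgent program is expected to live in; tune per fleet.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def check_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist deserves a look; [] if none."""
    p = plistlib.loads(plist_bytes)
    label = str(p.get("Label", ""))
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    if not args:
        return ["no Program or ProgramArguments"]
    exe = str(args[0])
    findings = []
    # A path component beginning with '.' (other than . and ..) is hidden in Finder.
    if any(c.startswith(".") and c not in (".", "..") for c in exe.split("/")):
        findings.append("program lives in a hidden directory: " + exe)
    if "dropbox" in label.lower() and not exe.startswith("/Applications/Dropbox.app/"):
        findings.append("label imitates Dropbox but program is " + exe)
    if not exe.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted locations: " + exe)
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        findings.append("starts at login and is restarted if killed")
    return findings


def scan_directory(path: str = "~/Library/LaunchAgents") -> dict:
    """Map each .plist in the directory to its findings (empty dict if absent)."""
    path = os.path.expanduser(path)
    results = {}
    if not os.path.isdir(path):
        return results
    for fn in sorted(os.listdir(path)):
        if fn.endswith(".plist"):
            with open(os.path.join(path, fn), "rb") as f:
                results[fn] = check_launch_agent(f.read())
    return results


# Constructed sample: an agent masquerading as a Dropbox helper.
FAKE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.dropbox.sync.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/alice/Library/.dropbox/sync</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an unremarkable vendor updater.
GENUINE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("fake:", check_launch_agent(FAKE_AGENT))
    print("genuine:", check_launch_agent(GENUINE_AGENT))
    print("this user:", scan_directory())
```

The same checks apply to /Library/LaunchAgents and /Library/LaunchDaemons, which require root to write and are therefore the locations a backdoor that obtained credentials through a fake prompt would prefer.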
Cybercriminals are taking advantage of hospital legacy system security vulnerabilities and are installing malware on medical devices such as blood gas infusers. The malware is used to steal data or launch attacks on other parts of healthcare networks. Specialist devices operating on hospital legacy systems are being attacked with increasing frequency and, in many cases, the attacks are going undetected for long periods of time. Once malware has been installed on the devices, hackers are able to conduct attacks from within the network.
The malware allows attackers to download a range of tools that serve as backdoors. They are able to move freely around the network and search for data. Many hospitals are completely unaware that their networks have been compromised and that they are under attack. When the attack is finally identified, it is often too late and data has already been stolen.
The Risk of Hospital Legacy System Security Vulnerabilities Being Exploited is Considerable
In the past few days, researchers at TrapX Security have issued an update to a security report that was first released last year. In 2015, TrapX Security warned of the risk of medical devices being targeted by cybercriminals and of hospital legacy system security vulnerabilities being exploited.
The company’s researchers explained that many healthcare providers had been attacked via their medical devices and warned that additional protections needed to be put in place to prevent the devices from being used to gain access to otherwise secure networks. Security researchers call the attack vector MEDJACK – short for medical device hijack.
Medical devices often run on hospital legacy systems which cannot be changed or updated. Hospital legacy system security vulnerabilities are often allowed to go unpatched. Hospitals have addressed some of these vulnerabilities and have implemented a host of new security controls to block attacks and detect malware. However, TrapX Security has reported that cybercriminals are managing to bypass these new security controls using old malware.
Old Malware Being Used to Gain Access to Healthcare Data
Researchers have discovered that security software is failing to identify the threat from old malware. These old malware variants may not be effective against the latest operating systems which have had the vulnerabilities that they exploit plugged. However, they are still effective against hospital legacy systems.
The researchers discovered that some attackers had used the MS08-067 worm which exploits vulnerabilities in early versions of Windows. The vulnerabilities were addressed in Windows 7 and the worm is no longer considered a security risk. Even if security software detects the worm, since it is not believed to pose a risk it is either not flagged or the security alert is ignored. However, medical devices are vulnerable if they run on older operating systems. Attackers have also embedded highly sophisticated tools in the worm. Even if the threat is detected, security software does not recognize that the risk of attack is actually high.
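The failure described above is one of context: the AV product rates the detection by how dangerous the signature is on a modern workstation, not by what the alerting host actually runs. A SOC can correct for this by re-scoring alerts against the asset inventory. The triage logic below is an added example written for this article, not TrapX code or any product’s rule set; the signature name, the version mapping (the report says MS08-067 is addressed in Windows 7, whose kernel version is 6.1), the inventory and the alerts are all constructed.

```python
from dataclasses import dataclass

# Constructed signature names; real products use their own naming schemes.
# Each entry gives the Windows kernel version (major, minor) from which the
# flaw the worm exploits is fixed.
LEGACY_SIGNATURES = {
    "Worm.MS08-067.Generic": (6, 1),
}


@dataclass
class Asset:
    hostname: str
    os_version: tuple            # Windows kernel (major, minor): XP is (5, 1), 10 is (10, 0)
    is_medical_device: bool = False


@dataclass
class Alert:
    hostname: str
    signature: str
    vendor_severity: str         # severity as labelled by the AV product


def triage(alert: Alert, asset: Asset) -> str:
    """Severity recomputed from asset context.

    A detection the vendor rates 'low' because the exploit is patched on
    modern Windows is critical on a host that predates the fix, and is still
    worth a look elsewhere because the worm may carry newer tooling.
    """
    fixed_from = LEGACY_SIGNATURES.get(alert.signature)
    if fixed_from is None:
        return alert.vendor_severity
    if asset.os_version < fixed_from:
        return "critical"
    if asset.is_medical_device:
        return "high"
    return "medium"


def escalations(alerts, inventory) -> list:
    """(hostname, new severity) for each alert whose severity was raised;
    alerts on hosts missing from the inventory are reported as 'unknown-asset'
    because they cannot be rated at all."""
    order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    out = []
    for a in alerts:
        asset = inventory.get(a.hostname)
        if asset is None:
            out.append((a.hostname, "unknown-asset"))
            continue
        new = triage(a, asset)
        if order.get(new, 0) > order.get(a.vendor_severity, 0):
            out.append((a.hostname, new))
    return out


# Constructed inventory and alert feed.
INVENTORY = {
    "LAB-GAS-01": Asset("LAB-GAS-01", (5, 1), is_medical_device=True),   # XP-based analyser
    "WS-ACCT-07": Asset("WS-ACCT-07", (10, 0)),
}
ALERTS = [
    Alert("LAB-GAS-01", "Worm.MS08-067.Generic", "low"),
    Alert("WS-ACCT-07", "Worm.MS08-067.Generic", "low"),
    Alert("WS-ACCT-07", "Trojan.Generic.Sample", "medium"),
    Alert("PUMP-UNKNOWN", "Worm.MS08-067.Generic", "low"),
]

if __name__ == "__main__":
    for host, sev in escalations(ALERTS, INVENTORY):
        print(f"{host}: escalate to {sev}")
```

The inventory is the weak point of this approach: a medical device that was never enrolled shows up as "unknown-asset", which is itself the finding worth chasing.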
TrapX Security has warned that these infections are going undetected for long periods of time due to a lack of security on medical devices or the operating systems on which they run. Consequently, attackers can steal sensitive medical data over long periods of time. Unfortunately, once a backdoor has been installed, it can be difficult to detect. Many security systems do not scan medical devices for malware and lateral movement within the network is similarly difficult to detect.
To prevent attacks on medical devices, healthcare organizations should, as far as is possible, isolate the devices and only run them inside a secure network zone. That zone should be protected by an internal firewall, and the devices should not be accessible via the Internet. If patches and updates are available, they should be installed to address hospital legacy system security vulnerabilities. If medical devices cannot be updated and have reached end-of-life, they should be retired and replaced with devices that have the necessary protections to prevent device hijacking.
Researchers at FireEye have reported that the Angler Exploit Kit has been updated and that it is now capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protection – the first time this behavior has been observed in the wild.
Angler Exploit Kit Could be Used to Deliver any Malicious Payload
The Angler exploit kit is being used to exploit vulnerabilities in Silverlight and Adobe Flash plug-ins. If vulnerabilities are found, Angler downloads its malicious payload: TeslaCrypt ransomware. TeslaCrypt was closed down a few weeks ago and the authors released a universal decryption key that can unlock all infections. Anti-virus firms have since developed tools that can be used to remove TeslaCrypt infections. However, it is probable that the Angler exploit kit will be updated to deliver other malicious payloads for which there is no known fix. Many distributors of TeslaCrypt have already transitioned to CryptXXX.
Currently EMET protections are only being bypassed on devices running Windows 7, although it is probable that attackers will soon develop EMET bypasses that work on more recent versions of Windows. That said, updating to later versions of Windows will help organizations improve their security posture. If an upgrade is not possible or practical, sys admins should ensure that patches are applied promptly. If possible, ActiveX should also be disabled as should Flash and Silverlight plugins. Uninstalling unnecessary software and disabling plugins will reduce the attack surface.
EMET was developed to prevent malicious actors from exploiting memory corruption vulnerabilities, and while this has proved effective at preventing some attacks, the bypass shows that Microsoft’s protection is not 100% effective. While EMET can be used to reduce the risk of ransomware and other malware infections, system admins should not rely on EMET alone. Multi-layered security defenses should be employed to keep networks protected, as this bypass clearly shows. It is still essential to use anti-virus and anti-malware software and to keep definitions up to date.
While efforts can be made to prevent exploit kits from taking advantage of vulnerabilities in plugins, enterprises can reduce risk further by stopping end users from visiting websites known to host exploit kits. By implementing a web filtering solution and restricting access to certain categories of website, enterprises can greatly enhance their security posture.
Microsoft has recently given Windows users a new incentive to upgrade to Windows 10: a ransomware worm called ZCryptor. The new ransomware variant exhibits worm-like capabilities and is able to self-replicate and infect multiple devices. The malicious file-encrypting software infection will not be prevented by upgrading to the latest version of Windows, although additional protections are included in the Windows 10 release to make infection more difficult.
The new ransomware variant, called ZCryptor.A, is primarily distributed via spam email messages containing malicious macros, although the Microsoft security advisory indicates the ransomware worm is also installed via fake installers such as those claiming to update Adobe Flash to the latest version.
If ZCryptor is installed, the ransomware searches for removable drives and installs an autorun.inf file on the device. When the drive is disconnected and connected to another computer, the ransomware is able to spread, infecting a new machine.
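An autorun.inf is an INI file, so a removable-media scan at the gateway or on endpoints can read it with the standard library and report the keys that cause something to be launched. The parser below is an added example written for this article, not ZCryptor code or Microsoft’s advisory; the key lists and both sample files are constructed. Note that it is the open, shellexecute and shell\… keys that do the launching; icon and label only dress the drive up, but are reported when they point at an executable.

```python
import configparser

# Keys in an [autorun] section that launch a program or redefine what
# opening the drive does.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta")


def parse_autorun(text: str) -> list:
    """Return (key, value, reason) findings for the text of an autorun.inf.

    configparser is enough to read the INI layout; interpolation is disabled
    because '%' is common in paths, strict=False tolerates duplicate keys,
    and optionxform=str keeps key case and backslashes intact.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):   # [autorun], [autorun.amd64], ...
            continue
        for key, value in cp.items(section):
            k = key.lower()
            target = value.strip().lower().split(",")[0]  # icon=file.exe,0 -> file.exe
            if k in LAUNCH_KEYS:
                findings.append((key, value, "launches a program when the drive is opened"))
            elif k.startswith("shell"):
                findings.append((key, value, "redefines the drive's context-menu verb"))
            elif k in ("icon", "label", "action") and target.endswith(EXEC_SUFFIXES):
                findings.append((key, value, "cosmetic key points at an executable"))
    return findings


def is_suspicious(text: str) -> bool:
    return bool(parse_autorun(text))


# Constructed sample in the style of a worm's autorun.inf.
SUSPECT_AUTORUN = """[autorun]
open=system.exe
icon=system.exe,0
shellexecute=system.exe
shell\\open\\command=system.exe
label=My Documents
"""

# Constructed sample of a benign drive label file.
BENIGN_AUTORUN = """[autorun]
icon=drive.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "->", parse_autorun(text))
```

Modern Windows no longer honours open= on removable drives by default, but the file still spreads with the drive and still launches on older systems, which is why it is worth flagging wherever it is found.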
The ZCryptor ransomware worm is capable of encrypting 88 different file types according to the Microsoft advisory, although some samples have been detected that are capable of infecting as many as 121 different file types.
Once installed, the ransomware generates a fake Windows alert indicating a removable drive cannot be detected. The pop-up will continue to be displayed while the ransomware is running and is communicating with its command and control server. The purpose of the pop-up is unclear, although presumably this is generated to prompt the user to disconnect the drive. This could be a ploy to get the victim to connect the removable drive to a different computer thus spreading the infection.
The ransomware worm displays an HTML window explaining that all personal files on the computer have been encrypted. A ransom of 1.2 Bitcoin (around $500) is demanded for the decryption key. Victims are given 4 days to pay before the demand increases to 5 Bitcoin. The attackers claim that after 7 days the unique decryption key will be permanently destroyed, and all encrypted files will remain permanently locked.
While anti-virus software developers have been able to find vulnerabilities in a number of other ransomware variants and develop fixes, no known fix currently exists for a ZCryptor infection. Victims will either have to restore all of their files from a backup or will have to pay the ransom. Of course, there is no guarantee that the attackers will make good on their promise and will supply a valid decryption key.
Ransomware Worm Represents Next Stage of Malware Development
Many organizations now employ web filtering solutions such as WebTitan to block malicious URLs containing exploit kits. By blocking these attack vectors, it is becoming harder for cybercriminals to infect computers.
Spam filters have similarly been developed to be much more efficient and effective at blocking malicious spam email. SpamTitan now blocks 99.97% of spam, making it much harder for malicious attachments and links to reach end users.
Due to the improved cybersecurity protections in place in many organizations, ransomware developers have had to develop new methods to spread infections. The development of ransomware that exhibits worm-like behavior does not come as a surprise. Security researchers believe that these ransomware worms are likely to become much more common and that self-propagating ransomware and malware will soon become the norm.
After the recent news that TeslaCrypt has been decommissioned comes a new highly serious threat: DMA Locker ransomware.
Malwarebytes has recently reported that DMA Locker ransomware, now in its 4th incarnation, could pose a significant threat to businesses and individuals over the coming weeks. Version 4 of the ransomware has already been added to the Neutrino exploit kit and is currently being distributed. Malwarebytes expects DMA Locker ransomware attacks to become much more widespread.
Spate of DMA Locker Ransomware Attacks Expected
DMA Locker ransomware was first seen in the wild in January of this year, yet the malicious file-encrypting malware posed little threat in its early forms, containing numerous flaws that allowed security companies to develop decryption tools.
The early forms of DMA Locker ransomware encrypted files offline and did not use a command and control server. The key needed to unlock the encryption was stored on the infected device itself, so the malware could be reverse engineered and the key recovered without paying.
A new version of the ransomware was released a month later, but it used a weak random number generator, which made it a relatively easy task to guess the AES key. A couple of weeks later saw the release of version 3, in which the authors corrected the previous flaws.
However, version 3 of DMA Locker ransomware contained another flaw. While it was not possible to decrypt locked files without a decryption key, the attackers used the same key for the entire campaign. If a business had multiple infections, only one key would need to be purchased. That key could then be posted online and be used by other victims.
However, this month version 4 was released. The latest version corrects the issues with version 3 and uses a separate key for each infection. The ransomware also communicates with a command and control server and cannot work offline.
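The two early flaws described above, a locally stored key and a key derived from a weak random source, are what let researchers build decryptors. The following added example (not DMA Locker code, and not any vendor's decryptor) shows why a low-entropy key is recoverable: it assumes the key is derived from a 32-bit infection timestamp, and a defender who knows roughly when the files were encrypted brute-forces that window using the known magic bytes of common document formats as a check. A toy SHA-256 counter-mode stream cipher stands in for AES so the block runs with the standard library only; the same search against a key from the OS CSPRNG finds nothing.

```python
import hashlib
import os
import struct

# Added example, not DMA Locker code. The toy stream cipher below stands in for AES so the
# block runs with the standard library only; the key-derivation weakness is the point.
HEADER_BYTES = 8

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def weak_key(seed: int) -> bytes:
    """ASSUMED weak derivation: the 32-byte key depends only on a 32-bit Unix timestamp."""
    return hashlib.sha256(struct.pack("<I", seed)).digest()

def strong_key() -> bytes:
    """Per-victim key from the OS CSPRNG: nothing to brute-force."""
    return os.urandom(32)

# Magic numbers of common document formats: known plaintext that reveals a correct guess.
KNOWN_HEADERS = (b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")

def recover_key(ciphertext: bytes, earliest: int, latest: int):
    """Try every seed in the window; return (seed, key) when the decrypted header is plausible."""
    probe = ciphertext[:HEADER_BYTES]
    for seed in range(earliest, latest + 1):
        key = weak_key(seed)
        if xor_crypt(key, probe).startswith(KNOWN_HEADERS):
            return seed, key
    return None

def demo(window_seconds: int = 6 * 3600):
    """Encrypt a constructed file with the weak scheme, then recover it as a defender would."""
    infection_time = 1463000000            # constructed timestamp
    victim_file = b"%PDF-1.5 constructed sample document body"
    ciphertext = xor_crypt(weak_key(infection_time), victim_file)
    # A defender knows roughly when files were encrypted (mtimes, AV logs): search that window.
    lo, hi = infection_time - window_seconds, infection_time + window_seconds
    hit = recover_key(ciphertext, lo, hi)
    recovered = xor_crypt(hit[1], ciphertext) if hit else None
    # The same search against a CSPRNG-generated key finds nothing.
    strong_hit = recover_key(xor_crypt(strong_key(), victim_file), lo, hi)
    return {"seed": hit[0] if hit else None,
            "plaintext": recovered,
            "strong_recovered": strong_hit is not None}

if __name__ == "__main__":
    print(demo())
```

The search space here is a 12-hour window of one-second seeds, about 43,000 candidates, which a laptop exhausts in well under a second; a key seeded from the process ID, a millisecond tick or an uninitialised 32-bit counter is no better. Version 4's per-infection key delivered from a command and control server removes this avenue entirely, which is why the page's advice shifts to backups and blocking the C2 traffic.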
Infection with early versions of the ransomware occurred via compromised remote desktop logins – or logins that were easily guessed. Consequently, the number of recorded infections remained low. However, the latest version has been added to exploit kits which take advantage of vulnerabilities in browsers making silent drive-by downloads of the ransomware possible. This makes attacks much more likely to occur.
The ransomware is potentially highly serious, encrypting a wide range of file types. Many ransomware strains only encrypt specific file types. TeslaCrypt, for example, was developed to attack gamers, and encrypted saved game files and files associated with Steam accounts. DMA Locker does not search for specific files, and instead encrypts everything that is not in its whitelist of file extensions. It is also capable of encrypting files on network drives, not just the computer on which it has been downloaded.
To prevent attacks, businesses should use web filtering software to block users visiting sites containing exploit kits and stop command and control server communications. Regular backups should also be performed and files stored on air-gapped drives. In case of attack, files can then be recovered without paying the ransom.
The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting software have leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users’ devices.
Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye noticed a massive increase in infections in recent weeks. Initially, Cerber ransomware infections occurred as a result of visiting malicious websites hosting the Nuclear or Magnitude exploit kits. Nuclear and Magnitude probe visitors’ browsers for a number of vulnerabilities, although infections primarily occurred by exploiting a vulnerability in Adobe Flash (CVE-2016-1019). Now the ransomware is also being installed via malicious attachments sent in spam email.
Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.
Massive Increase in Cerber Ransomware Infections Discovered in April
The number of infections had remained relatively low since the discovery of the new ransomware earlier this year; however, there was a massive spike in infections around April 28 according to FireEye. The ransomware was being downloaded using Microsoft Word macro downloaders.
The attached files are usually disguised as invoices, receipts, or purchase orders, while the emails – written in English – urge the user to open the attachment. If macros are enabled on the computer, a VBScript is dropped into the victim’s %appdata% folder. If macros are not enabled, users are prompted to enable them in order to view the contents of the file. Doing so triggers the infection.
Once installed, the script checks whether the infected computer has an Internet connection by sending an HTTP request to a website. If a connection is present, the script performs an HTTP Range request that ultimately retrieves the final stage of the infection. FireEye reports the technique has previously been used to deliver the banking Trojans Dridex and Ursnif.
Cerber has been configured to encrypt Word documents, emails, and Steam gaming files, which are given a “.cerber” extension. To unlock the encryption, the victims are told to visit one of a number of websites with the domain “decrypttozxybarc”. Further instructions are then provided on how to unlock the encryption, although a Bitcoin ransom must first be paid. In addition to encrypting files, Cerber ransomware adds the victim’s computer to a spambot network.
The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, victims’ files will be encrypted. To prevent infection, it is important to have macros disabled, to be extremely cautious about opening email attachments, and never to open files delivered via email from an unknown sender. The decrypttozxybarc domain should also be added to web filter blacklists.
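The delivery chain above leaves a recognisable trace in proxy logs: a connectivity check from a script host, an HTTP Range request from the same non-browser client, and later a visit to the decrypttozxybarc payment domain. The following added example (not Cerber code and not any web filter's rule set) runs that detection logic over constructed proxy log lines; the log field layout and the script-host user-agent strings are assumptions, while the blocked domain token comes from the page.

```python
import re
from urllib.parse import urlparse

# Added example: detection logic over CONSTRUCTED proxy log lines. The field layout is assumed
# (time client method url status range-header "user-agent") and is not any product's format.
LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<range>\S+) "(?P<ua>[^"]*)"$'
)

BLOCKED_HOST_TOKENS = ("decrypttozxybarc",)       # payment-site domain named on the page
# Assumed: user-agent strings of script-driven HTTP clients on Windows, as opposed to browsers.
SCRIPT_UA_MARKERS = ("WinHttp.WinHttpRequest", "MSXML", "Microsoft URL Control")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = urlparse(entry["url"]).hostname or ""
    return entry

def is_script_client(ua):
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)

def evaluate(entry):
    """Return the list of rule names the entry trips (empty means benign)."""
    reasons = []
    if any(token in entry["host"] for token in BLOCKED_HOST_TOKENS):
        reasons.append("blocked-ransom-domain")
    # The downloader stages its payload with an HTTP Range request from a script host.
    # Browsers and media players legitimately send Range requests, so the client matters.
    if entry["range"] != "-" and entry["status"] == "206" and is_script_client(entry["ua"]):
        reasons.append("range-fetch-by-script-host")
    return reasons

def scan(lines):
    """Run every line through the rules and return the alerts in log order."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = evaluate(entry)
        if reasons:
            alerts.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return alerts

SAMPLE_LOG = [  # constructed lines, not captured traffic
    '2016-04-28T09:14:02Z 10.0.0.21 GET http://www.example.com/ 200 - "Mozilla/5.0 (Windows NT 6.1) ..."',
    '2016-04-28T09:14:40Z 10.0.0.21 GET http://www.example.net/ 200 - "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2016-04-28T09:14:41Z 10.0.0.21 GET http://203.0.113.10/img/banner.jpg 206 bytes=0-65535 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2016-04-28T09:20:03Z 10.0.0.21 GET http://decrypttozxybarc.example/ 200 - "Mozilla/5.0 (Windows NT 6.1) ..."',
    '2016-04-28T09:21:15Z 10.0.0.34 GET http://video.example.org/clip.mp4 206 bytes=1000000- "Mozilla/5.0 (Windows NT 10.0) ..."',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Note that the connectivity check on the second line is deliberately not flagged on its own (plenty of legitimate software does the same), and the browser's partial-content video fetch on the last line stays quiet too; it is the combination of a Range request with a script-host client that isolates the downloader, and the payment-domain hit a few minutes later from the same client confirms the infection.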
Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.
Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pay the attackers for the decryption key. Fortunately, in this case there is an easy fix for a CryptXXX infection. The ransomware-encrypted files can be decrypted for free according to Kaspersky Lab. However, there are many malicious strains of ransomware that are not so easy to remove.
While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.
CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.
How to Block Exploit Kits from Downloading Malware
To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage of security vulnerabilities in a wide range of plugins, although vulnerabilities in Flash and Java are the ones most commonly exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both platforms. Cybercriminals are quick to take advantage. As soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine that contains an out-of-date plugin is at risk of attack.
It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.
A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!
A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.
The risk of phishing attacks has increased considerably over the past 12 months, according to a new data breach report from Verizon. Ransomware attacks are also on the rise. The two are often used together to devastating effect as part of a three-pronged attack on organizations.
Firstly, cybercriminals target individual employees with a well-crafted phishing campaign. The target is encouraged to click a link contained in a phishing email which directs the soon-to-be victim to a malicious website. Malware is then silently downloaded to the victim’s device.
The malware logs keystrokes to capture login credentials, which allows an attacker to infiltrate email accounts and other systems. The infection is then spread laterally to compromise other networked devices. Stolen login credentials are then used to launch further attacks, which may involve making fraudulent bank transfers or installing ransomware on the network.
The Risk of Phishing Attacks is Growing
Verizon reports that due to the effectiveness of phishing and the speed at which attackers are able to gain access to networks, the popularity of the technique has grown substantially. In years gone by, phishing was a technique often used in nation-state sponsored attacks on organizations. Now there is a high risk of phishing attacks from any number of different players. Even low skilled hackers are now using phishing to gain access to networks, steal data, and install malware. Out of the nine different incident patterns identified by the researchers, phishing is now being used in seven.
Phishing campaigns are also surprisingly effective. Even though many companies now provide anti-phishing training, attempts to educate the workforce to minimize the risk of phishing attacks are not always effective. The 2016 Verizon data breach report suggests that when phishing emails are delivered to inboxes, 30% of end users open the emails. In 2015 the figure was just 23%. Rather than employees getting better at identifying phishing emails, they appear to be getting worse. Even worse news for employers is that 13% of individuals who open phishing emails also open the attached files or visit the links contained in the emails.
Ransomware Attacks Increased 16% in a Year
Ransomware has been around for the best part of a decade although criminals have favored other methods of attacking organizations. However, over the past couple of years that has changed and the last 12 months has seen a significant increase in ransomware attacks on businesses. According to the data breach report, attacks have increased by 16% in the past year. As long as companies pay attackers’ ransom demands attacks are likely to continue to increase.
How Can Web Filtering Software Prevent Ransomware Infections and Reduce the Risk of Phishing Attacks?
Defending a network from attack requires a wide range of cybersecurity defenses to be put in place. One of the most important defenses is the use of web filtering software. A web filter sits between end users and the Internet and controls the actions that can be taken by end users as well as the web content they are allowed to access.
A web filter can be used to block phishing websites and malicious sites where drive-by malware downloads take place. Web filtering software can also be configured to block the downloading of files typically associated with malware.
Training employees how to avoid phishing emails can be an effective measure to reduce the risk of phishing attacks, but it will not prevent 100% of attacks, 100% of the time. When training is provided and web filtering software is used, organizations can effectively manage phishing risk and prevent malware and ransomware infections. As phishing attacks and ransomware infections are on the increase, now is the ideal time to start using web filtering software.
The recent rise in ransomware infections has been attributed to the proliferation of ransomware-as-a-service, with many malicious actors now getting in on the act and sending out spam email campaigns to unsuspecting users.
Ransomware-as-a-Service Proliferation is a Major Cause for Concern
The problem with ransomware-as-a-service is how easy it is for attackers with relatively little technical skill to pull off successful ransomware attacks. All that is needed is the ability to send spam emails and a small investment of capital to rent the ransomware. The malicious software is now being openly sold as a service on underground forums and offered to spammers under a standard affiliate model.
The malware author charges a nominal fee to rent out the ransomware, but takes a large payment on the back end. Providers of ransomware-as-a-service typically take a cut of 5%-25% of each ransom. Spammers get to keep the rest. Renters of the malicious software cannot access the source code, but they can set their own parameters such as the payment amount and timescale for paying up.
SMBs Increasingly Targeted by Attackers
While individuals were targeted heavily in the past and sent ransom demands of around $400 to $500 to unlock their family photographs and other important files, attackers are now extensively targeting businesses. Often the same model is used, with a fee charged by the attackers per infected machine.
When an organization has multiple devices infected with ransomware the cost of remediation is considerable. One only needs to look to Hollywood Presbyterian Medical Center to see how expensive these attacks can be. The medical center was forced to pay a ransom of $17,000 to unlock computers infected with ransomware, in addition to many man-hours resolving the infection once the encryption keys had been supplied. Not to mention the cost of reputation damage and clearing the backlog caused by the shutdown of its computers for over a week.
Warning Issued About the Insider Ransomware Threat
As if the threat from ransomware was not enough, researchers believe the situation is about to get a whole lot worse. Ransomware-as-a-service could be used by a malicious insider to infect their own organization. With insider knowledge of the locations and types of data critical to the running of the business, an insider would be in the best position to infect computers.
Insiders may also be aware of the value of the data and the cost to the business of losing data access. Ransoms could then be set accordingly. With payments of tens of thousands of dollars possible, this may be enough to convince some employees to conduct insider attacks. Since finding hackers offering ransomware-as-a-service is not difficult, and network access has already been gained, insiders may be tempted to pull off attacks.
To counter the risk of insider ransomware attacks, businesses should develop policies that make it crystal clear to employees that insider attackers will be prosecuted to the full extent of the law. Software solutions should be put in place to continuously monitor for unauthorized programs installed on networked devices, and network privileges should be restricted as far as possible. Employees’ network activities should be monitored, and suspicious activity should be flagged and investigated. It is not possible to eliminate the risk of insider attacks, but it is possible to reduce the risk to a minimal level.
IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices. However, this has been clearly illustrated this week following the discovery of a new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.
Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions
Many users are frustrated by the speed of their PC and download tools that will help to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse. The software may perform various nefarious activities.
It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.
The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.
By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.
So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs”.
Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.
By allowing the malware to run, researchers discovered it installed System Healer – another Tuto4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.
The Shadow IT Risk Should Not Be Underestimated
The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that goes to such lengths to detect the environment in which it is run and avoid detection is a serious concern.
Organizations should take steps to reduce shadow IT risk and prevent installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solutions should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations, and action taken against individuals who break the rules.
K-12 schools in the United States have been put on alert after it was discovered that backdoors have been installed on a number of servers running Follett’s Destiny Library Management System. More than 60,000 schools in the United States use Destiny to track school library assets, a number of which now face a high risk of cyberattack.
A security vulnerability in the JBoss platform has recently been used to launch attacks on a number of organizations in the United States. The vulnerability has allowed malicious actors to gain access to servers and install ransomware. The main targets thus far have been hospitals, including Baltimore’s Union Memorial which was infected as a result of a ransomware attack on its parent organization MedStar. The attackers gained access to servers at MedStar and used SamSam ransomware to lock critical files with powerful encryption. The discovery of the ransomware resulted in the forced shutdown of MedStar’s EHR and email causing widespread disruption to healthcare operations.
Over 2000 Backdoors Discovered to Have Been Installed on Servers Running JBoss
Since the attack took place, Cisco’s Talos security team has been scanning the Internet to locate servers that are vulnerable via the JBoss security vulnerability. Earlier this week Talos researchers discovered 3.2 million servers around the world are vulnerable to attack. However, there is more bad news. Attackers have already exploited the security vulnerability and have installed backdoors in thousands of servers. In some cases, multiple backdoors have been installed by a number of different players by dropping webshells on unpatched servers running JBoss. 2,100 backdoors were discovered and 1,600 IP addresses have been affected.
Hospitals have been targeted as they hold a considerable volume of valuable data which are critical to day to day operations. If attackers are able to lock those files there is a high probability that the hospitals will be forced to pay a ransom to unlock the encryption. Hollywood Presbyterian Medical Center had to pay a ransom of $17,000 to unlock files that had been encrypted in a ransomware attack. Schools are also being targeted.
Poor patch management policies are to blame for many servers being compromised. The JBoss security vulnerability is not new. A patch was issued to correct the vulnerability several years ago. If the patch had been applied, many servers would not have been compromised. However, some organizations, including many schools, are not able to update JBoss as they use applications which require older versions of JBoss.
Destiny Library Management System Vulnerabilities Addressed With A New Patch
A number of schools running Destiny Library Management System were discovered to have been compromised by attackers using the JexBoss exploit to install backdoors, which could be used to install ransomware. Follett discovered the problem and has now issued a patch to address the security vulnerability and secure servers running its Destiny Library Management System. The patch plugs security vulnerabilities in versions 9.0 to 13.5, and scans servers to identify backdoors that have been installed. If non-Destiny files are discovered they are removed from the system.
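The page describes Follett's patch scanning for backdoors and removing files that do not belong to Destiny; the JBoss webshells Talos found are files dropped into the deploy directory, so the same idea applies to any JBoss host. The following added example (not Follett's patch and not the Talos scanner) implements that check on a constructed deploy tree: every web-deployable file is compared against the vendor's deployment manifest, JSP source is searched for command-execution patterns typical of webshells, and anything flagged is moved to a quarantine directory rather than deleted so that forensic evidence survives. The manifest entries, directory layout and sample file contents are all constructed.

```python
import os
import re
import shutil
import tempfile

# Added example, not Follett's patch: a filesystem check for webshells dropped into a JBoss
# deploy directory. Paths, manifest entries and sample file contents are constructed.
WEB_EXTENSIONS = (".jsp", ".jspx", ".war", ".jar")
# Code patterns typical of JSP command shells. Packed archives (.war/.jar) are only checked
# against the manifest here; a production tool would open them and scan their contents too.
SHELL_PATTERNS = (
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(rb"new\s+ProcessBuilder\s*\("),
    re.compile(rb"request\.getParameter\([^)]*\)[^;]*exec", re.S),
)

def scan_deploy_dir(root, manifest):
    """Return sorted [(relative_path, [reasons])] for web files missing from the manifest
    or containing shell code. The manifest is the set of files the vendor shipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if rel not in manifest:
                reasons.append("not in deployment manifest")
            with open(path, "rb") as fh:
                data = fh.read()
            for pattern in SHELL_PATTERNS:
                if pattern.search(data):
                    reasons.append("contains shell pattern " + pattern.pattern.decode())
                    break
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def quarantine(root, findings, quarantine_dir):
    """Move flagged files out of the deploy tree, preserving paths, instead of deleting them."""
    moved = 0
    for rel, _ in findings:
        dst = os.path.join(quarantine_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(os.path.join(root, *rel.split("/")), dst)
        moved += 1
    return moved

def build_sample_tree(root):
    """Constructed deploy directory: the application plus two files an attacker dropped.
    Returns the constructed vendor manifest for it."""
    samples = {
        "deploy/destiny.war": b"PK\x03\x04 constructed archive placeholder",
        "deploy/destiny/index.jsp": b'<%@ page contentType="text/html" %><h1>Destiny</h1>',
        "deploy/cmd.war/cmd.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
        "deploy/helper.jsp": b"<%= new java.util.Date() %>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return {"deploy/destiny.war", "deploy/destiny/index.jsp"}

def run_demo():
    """Build the sample tree, scan it, quarantine the findings, and rescan to confirm it is clean."""
    root = tempfile.mkdtemp(prefix="jboss_deploy_")
    qdir = tempfile.mkdtemp(prefix="jboss_quarantine_")   # outside root so rescans skip it
    try:
        manifest = build_sample_tree(root)
        findings = scan_deploy_dir(root, manifest)
        moved = quarantine(root, findings, qdir)
        remaining = scan_deploy_dir(root, manifest)
        return {"findings": findings, "quarantined": moved, "remaining": remaining}
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(qdir, ignore_errors=True)

if __name__ == "__main__":
    print(run_demo())
```

The manifest rule is what catches the second dropped file: an unexpected JSP with harmless content is still an unexplained deployment and deserves a look. Removing the files is not the end of the job; the JBoss instance remains exploitable until it is patched or the vulnerable deployer is taken off the network, and the same JexBoss foothold may have been used to stage ransomware elsewhere on the host.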
Any school using the Destiny Library Management System must install the patch as a matter of urgency. If the Destiny Library Management System remains unpatched, malicious actors may take advantage and use the backdoors to install ransomware or steal sensitive data.
Symantec’s 2016 Internet security threat report has revealed the lengths to which cybercriminals are now going to install malware and gain access to sensitive data. The past 12 months has seen a substantial increase in attacks, and organizations are now having to deal with more threats than ever before.
Internet Security Threat Report Shows Major Increases in Ransomware, Malware, Web-borne Threats and Email Scams
The new Internet Security Threat Report shows that new malware is being released at a staggering rate. In 2015, Symantec discovered over 430 million unique samples of malware, representing an increase of 36% year on year. As Symantec points out, “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”
A new zero-day vulnerability is now being discovered at a rate of one per week, twice the number seen in 2014 and 2013. In 2015, 54 new zero-day vulnerabilities were discovered. In 2014 there were just 24 zero-day exploits discovered, and 23 in 2013.
The 2016 Internet Security Threat Report puts the total number of lost or stolen computer records at half a billion, although Symantec reports that organizations are increasingly choosing to withhold details of the extent of data breaches. The breach may be reported, but there has been an 85% increase in organizations not disclosing the number of records exposed in breaches.
Ransomware Attacks Increased 35% in 2015
Ransomware is proving more popular than ever with cybercriminal gangs. In 2015, ransomware attacks increased by 35%. The upward trend in 2015 has continued into 2016. Spear phishing attacks have also increased. While these attacks are often conducted on large organizations, Symantec reports that spear phishing attacks on smaller companies – those with fewer than 250 employees – have been steadily increasing over the past five years. In 2015, spear phishing attacks increased by a staggering 55%.
Cybercriminals may now be favoring phishing attacks and zero-day exploits over spam email scams, but spam scams still pose a major risk to corporate data security. There has also been a rise in the number of software scams. Scammers are getting consumers to purchase unnecessary software by misreporting a security problem with their computer. Symantec blocked 100 million fake technical support scams last year.
75% of Websites Found to Contain Exploitable Security Vulnerabilities
One of the most worrying statistics from this year’s Internet Security Threat Report is over 75% of websites contain unpatched security vulnerabilities which could potentially be exploited by hackers. Even popular websites have been found to contain unpatched vulnerabilities. If attackers can compromise those websites and install exploit kits, they can be used to infect millions of website visitors. Simply being careful which sites are visited and only using well known sites is no guarantee that infections are avoided.
With the dramatic increase in threats, organizations need to step up their efforts and improve cybersecurity protections. Failure to do so is likely to see many more of these attacks succeed.
In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (AKA Samas/Samsam/Samsa), but a recent confidential advisory was obtained by Reuters, in which the FBI asked U.S. businesses and the software security community for help to deal with the growing enterprise ransomware threat from MSIL.
The new ransomware is particularly nasty as it is capable of infecting networks, not just individual computers. In February, the FBI alert provided details of the new ransomware and how it attacked systems by exploiting a vulnerability in the enterprise JBoss system. Any enterprise running an outdated version of the software platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.
Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.
Recent high profile attacks on healthcare organizations and law enforcement have resulted in ransoms being paid to attackers in order to unlock ransomware infections. Oftentimes there is no alternative but to pay the ransom demand in order to recover data. However, paying ransoms simply encourages more attacks.
The Enterprise Ransomware Threat is Now at A Critical Level
Ransomware is not new, but the methods being used by cybercriminals to infect systems are more complex, as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.
The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.
Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware and blocking spam email is no longer sufficient to deal with the problem. MSIL attacks are being conducted by exploiting vulnerabilities in enterprise software systems, end users are being fooled into installing ransomware with social engineering techniques, drive by downloads are taking place and the malicious file-encrypting software is also being sent via spam email.
How to Protect Against Enterprise Ransomware Attacks
The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.
Some of the best protections include:
- Ensuring all software is kept up to date and patches are installed promptly
- Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
- Backing up all systems frequently to ensure data can be restored in the event of an attack
- Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
- Disabling macros on all computers
- Using web filtering solutions to prevent drive-by downloads and block malicious websites
- Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered
AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.
Malware Exploits Apple DRM Vulnerability
Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet the act can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them. Most iPhone malware are only capable of attacking jailbroken phones. However, AceDeceiver is different.
The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.
Users that have installed a software tool called Aisi Helper to manage their iPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.
The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.
The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter their Apple ID and password, and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, they have not been able to determine why the attackers are collecting the data.
AceDeceiver Malware Attacks Non-Jailbroken iPhones
Protecting against AceDeceiver iPhone malware would appear to be simple: don’t install Aisi Helper. However, that is only one method of delivery of AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App Store. The three wallpaper apps initially managed to get around Apple’s code reviews, allowing them to be made available on the Apple App Store. They also passed subsequent code reviews.
Once Apple was made aware of the malicious apps, the company removed them from the App Store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App Store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once. They do not need to be available for download in order for them to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.
AceDeceiver iPhone Malware Attack Method Likely to be Copied
Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believe the attack technique is likely to be copied and used to spread new malware to iPhone users.
A new USB-based malware has recently been discovered that poses a serious security risk to enterprises. While USB-based malware is not new, the discovery of Win32/PSW.Stealer.NAI – also known as USB Thief – has caused particular concern.
New USB-Based Malware Leaves No Trace of Infection or Data Theft
The malware is only transmitted via USB drives and leaves no trace of an attack on a compromised computer. Consequently, it is incredibly difficult to detect. The malware is capable of stealing and transmitting data, yet users will be unaware that their data is being stolen.
The new USB-based malware was recently discovered by security firm ESET. The discovery stands out because the USB-based malware is quite different to other malware commonly used by cybercriminals to steal data.
For a start, the malware has been designed not to be copied and can only be spread via USB devices. The malware derives its key from the USB drive’s device ID, and is bound to the specific portable drive on which it has been installed. If the malware is copied to another drive it will not run, because it uses filenames that are specific to each copy of the malware. This means the malware cannot spread and infect systems other than those it is being used to attack.
The malware also uses multi-staged encryption that is also bound to the USB drive, which ESET says makes it exceptionally difficult to detect and analyze.
Malware Capable of Attacking Air-Gapped Computers
Many organizations make sure sensitive data is not exposed by not connecting computers to the Internet. However, while air-gaps are an effective protection against most malware attacks, they do not protect against USB-based malware. USB Thief can be used to steal data from air-gapped computers and once the infected USB drive has been disconnected there will be no trace left that any data have been stolen.
It has been hypothesized that the malware has been created to be used in targeted attacks on specific companies in order to steal proprietary enterprise data. ESET has warned that while the USB-based malware is being used only as a data stealer, attackers could tweak the malware to deploy any other malicious payload. This means that the malware could be used to sabotage systems.
ESET reports that the USB-based malware has been used to target companies in Africa and Latin America and warned that detection rates are particularly low. No information has been released to indicate which industries are being targeted with the malware at this point in time.
USB-based malware has previously been used in state-sponsored attacks on organizations. Stuxnet was also used to attack air-gapped systems, predominantly in the Middle East. However, Stuxnet inflicted collateral damage as it was capable of self-replicating. It was therefore rapidly picked up and analyzed, and action was rapidly taken to block infections.
In this case, the USB-based malware cannot be copied, so it is unlikely to spread outside of a targeted system. It is likely to remain incredibly difficult to detect. USB Thief appears to have been extensively tested. Since there is a possibility that it can be identified by G Data and Kaspersky Lab anti-virus solutions, USB Thief performs a quick check to see if those anti-virus solutions are installed. If they have been, the malware will not run.
Preventing USB-Based Malware Attacks
Disabling autorun for USB drives will have no effect on USB Thief. The USB-based malware does not rely on being automatically run when plugged into a computer. Instead it is inserted into the files of portable applications often stored on USB drives, such as Firefox, TrueCrypt, and Notepad++. When these applications are run, USB Thief will run in the background.
It is possible to take precautions to prevent an attack by disabling USB ports. Even though there is a high risk of infection from an unknown USB drive, many individuals that find USB drives plug them straight into their computers. Staff should therefore be instructed never to plug in a USB drive from an unknown source.
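One way to enforce the precaution described above on a Windows host, as an added example that is not part of the original alert or ESET's own guidance: disabling the USBSTOR driver so that USB mass-storage devices are no longer mounted at all, which closes the portable-application path that disabling autorun leaves open. It assumes an elevated PowerShell session; the USBSTOR registry key and its Start value are standard Windows locations (4 = disabled).

```powershell
# Added example (not from the original alert): block USB mass-storage devices on a
# Windows host by disabling the USBSTOR driver, then verify the setting.
# Assumes an elevated PowerShell session. Start = 3 means load on demand, 4 = disabled.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    switch ($start) {
        3       { 'Enabled (load on demand)' }
        4       { 'Disabled' }
        default { "Unknown start value $start" }
    }
}

function Disable-UsbStorage {
    # Disabling autorun is not enough against USB Thief: it runs when a user launches
    # a portable app from the drive. Refusing to load the mass-storage driver removes
    # that path entirely for drives plugged in from now on.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

    # Drives that are already attached keep their driver until they are replugged or the
    # host reboots, so list them for the administrator to review and remove.
    Get-CimInstance Win32_DiskDrive |
        Where-Object InterfaceType -eq 'USB' |
        Select-Object Model, SerialNumber, Size
}

Write-Host "Before: $(Get-UsbStorageState)"
Disable-UsbStorage
Write-Host "After:  $(Get-UsbStorageState)"
```

The same control can be applied fleet-wide through Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access, which is preferable to editing the registry on each machine.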