Today is World Backup Day – a day when awareness of the need to backup data is raised around the world. It is a day when companies that are not backing up their critical data are encouraged to do so, and companies that do are encouraged to take a close look at their data backup policies and procedures to make sure that they are up to scratch.
World Backup Day 2016 is More Important Than Ever
World Backup Day may be an opportunity for companies to sell you a host of products and services associated with disaster recovery – a number of software companies offering backup services sponsor the day – but this year the day is more important than ever. This week, a large not-for-profit health system in the United States discovered just how important it is to have a fully functional backup of all critical data.
MedStar Health, a network of 10 hospitals and more than 250 outpatient facilities in the Washington D.C. area, was hit with a ransomware infection that compromised 18 computers. It could have been far worse had rapid action not been taken to shut down its network to prevent the lateral spread of the ransomware infection.
Fortunately, systems are now being restored and it appears that the reported ransom demand of $18,500 will not need to be paid. Many companies would not be in a position to decide whether or not to pay the ransom. If a viable copy of data has not been stored securely on an isolated drive, the ransom would have to be paid. Losing critical data would simply not be an option.
MedStar Health is not the only healthcare organization to have suffered a ransomware attack in recent weeks. In the United States, Methodist Hospital in Kentucky, and Chino Valley Medical Center, Desert Valley Hospital, and Hollywood Presbyterian Medical Center in California have all been attacked, as was Canada’s Ottawa Hospital. All of those attacks have occurred in the past two months.
It is not just the healthcare industry that is under attack; however, many companies prefer not to announce that they have had their systems infiltrated and data encrypted by attackers. Ransoms are quietly paid in order to get the security keys to unlock the encryption.
30% of Users Have Never Backed Up Their Data
Even though the loss of data could prove catastrophic for companies, many organizations are not backing up data as frequently as they should. Some do not test the backups they perform to make sure that in the event of an emergency, data can actually be recovered.
Almost a year ago to the day, the Tewksbury Police Department in Massachusetts was given no alternative but to pay a ransom to have its files unlocked. A backup of data had been recently performed, but that file was corrupted. The only non-corrupted backup file the Police Department had was more than 18 months old.
The figures on the World Backup Day website indicate 30% of users have never backed up their data, even though the loss of files would cause considerable anguish. Figures from Backblaze suggest that since 2013 (from when the World Backup Day figures were taken) things have improved and the figure now stands at 25%.
Companies Need to Review Backup Policies
For companies, a single backup of data is not sufficient protection. Multiple backup files can reduce risk. If one backup file is corrupted, it will not spell disaster. Those backups must be stored off-site, but should not be connected to a computer network. Backup files can also be encrypted by ransomware if the drive on which they are stored remains connected to a network.
There are many other ways that data can be accidentally deleted or lost. There may not be an option to simply pay a ransom to recover valuable data. Without a viable backup data could be lost forever. WBD figures suggest that 29% of data incidents are the result of accidents.
Performing frequent backups is a complex task given the huge volumes of data now being stored by organizations. Today is a good day to reassess policies, procedures and software, to test backups, and to make sure that when (not if) disaster strikes, valuable data will not be lost.
AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.
Malware Exploits Apple DRM Vulnerability
Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet the act can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them. Most iPhone malware are only capable of attacking jailbroken phones. However, AceDeceiver is different.
The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.
Users that have installed a software tool called Aisi Helper to manage their IPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.
The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.
The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter in their AppleID and password and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, they have not been able to determine why the attackers are collecting the data.
Protecting against AceDeceiver iPhone malware would appear to be simple. Don’t install Aisi Helper. However, that is only one method of delivery of AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App store. The three wallpaper apps managed to get around Apple’s code reviews initially to allow them to be made available on the Apple App store. They also passed subsequent code reviews.
Once Apple was made aware of the malicious apps the company removed from the App store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once. They do not need to be available for download in order for them to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.
AceDeceiver iPhone Malware Attack Method Likely to be Copied
Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believe the attack technique is likely to be copied and used to spread new malware to iPhone users.
A new USB-based malware has recently been discovered that poses a serious security risk to enterprises. While USB-based malware is not new, the discovery of Win32/PSW.Stealer.NAI – also known as USB Thief – has caused particular concern.
New USB-Based Malware Leaves No Trace of Infection or Data Theft
The malware is only transmitted via USB drives and leaves no trace of an attack on a compromised computer. Consequently, it is incredibly difficult to detect. The malware is capable of stealing and transmitting data, yet users will be unaware that their data has been being stolen.
The new USB-based malware was recently discovered by security firm ESET. The discovery stands out because the USB-based malware is quite different to other malware commonly used by cybercriminals to steal data.
For a start, the malware has been designed not to be copied and can only be spread via USB devices. The malware derives its key from the USB drive’s device ID, and is bound to the specific portable drive on which it has been installed. If the malware is copied to another drive it will not run because it uses file-names that are specific to each copy of the malware. This means the malware cannot spread and infect systems other than those it is being to attack.
The malware also uses multi-staged encryption that is also bound to the USB drive, which ESET says makes it exceptionally difficult to detect and analyze.
Malware Capable of Attacking Air-Gapped Computers
Many organizations make sure sensitive data is not exposed by not connecting computers to the Internet. However, while air-gaps are an effective protection against most malware attacks, they do not protect against USB-based malware. USB Thief can be used to steal data from air-gapped computers and once the infected USB drive has been disconnected there will be no trace left that any data have been stolen.
It has been hypothesized that the malware has been created to be used in targeted attacks on specific companies in order to steal proprietary enterprise data. ESET has warned that while the USB-based malware is being used only as a data stealer, attackers could tweak the malware to deploy any other malicious payload. This means that the malware could be used to sabotage systems.
ESET reports that the USB-based malware has been used to target companies in Africa and Latin America and warned that detection rates are particularly low. No information has been released to indicate which industries are being targeted with the malware at this point in time.
USB-based malware has previously been used in state-sponsored attacks on organizations. Stuxnet was also used to attack air-gapped systems, predominantly in the Middle East. However, Stuxnet inflected collateral damage as it was capable of self-replicating. It was therefore rapidly picked up and analyzed and action was rapidly taken to block infections.
In this case, the USB-based malware cannot be copied so it is unlikely to spread outside of a targeted system. It is likely to remain incredibly difficult to detect. USB Thief appears to have been extensively tested. Since there is a possibility that it can be identified by G Data and Kaspersky Lab anti-virus solutions, USB Thief performs a quick check to see if those anti-virus solutions are installed. If they have the malware will not run.
Preventing USB-Based Malware Attacks
Disabling autorun for USB drives will have no effect on USB Thief. The USB-based malware does not rely on being automatically run when plugged into a computer. Instead it is inserted into the files of portable applications often stored on USB drives, such as Firefox, TrueCrypt, and NotePad++. When these applications are run, USB Thief will run in the background.
It is possible to take precautions to prevent an attack by disabling USB ports. Even though there is a high risk of infection from an unknown USB drive, many individuals that find USB drives plug them straight into their computers. Staff should therefore be instructed never to plug in a USB drive from an unknown source.
System administrators that do not block malicious Word macros in Office 2016 could be making it far too easy for hackers to compromise their networks. Malicious Word macros are nothing new, but in recent months they have been increasingly been used to deliver ransomware and other nasty malware.
Macros Used in 98% of Office-related Enterprise Malware Attacks
It is common knowledge that executable files are used to deliver malware. Many companies implement a web filter to prevent the downloading of executable files by end users, and spam filters are often configured to prevent attached .exe files from being delivered.
Screensaver files (.SCR) are also commonly used to deliver malware and these too are often blocked by security solutions. Blocking other file types commonly used by attackers, such as batch files (.bat) and compressed files (.zip) can also help to reduce the risk of a malware infection. For the majority of enterprise end users, these files can be blocked without affecting workflows.
However, it is not practical prevent Word documents and other Office files from being emailed or shared. These file types are used by most workers on a day to day basis. They are also being extensively used to deliver malware. According to figures released by Microsoft, office document macros are used in 98% of Office-related attacks on enterprises.
Fail to Block Malicious Word Macros in Office 2016 at your Peril!
There have been a number of recent cases of ransomware being installed after enabling Word macros. Hackers can add malicious scripts to Word macros and install malware without rousing too much suspicion. Word documents are often trusted not to be malicious by many end users.
After a rise in the use of macros to deliver computer viruses, Microsoft made a change to automatically disable macros in Word by default. Opening a Word document therefore required users to manually enable macros before they could be run.
The use of macro viruses went into rapid decline after this security measure was introduced because macros ceased to be a particularly effective method of malware delivery. That was about a decade ago.
However, recently there has been a surge in the use of embedded VBA scripts to deliver malware. Even when system administrators block malicious Word macros in Office 2016 it does not prevent infection. End users are enabling macros in order to open Word documents after being convinced to do so by attackers.
Enterprise end users are sent spam emails containing infected Word documents and are fooled into enabling macros in order to view the documents. When end users open the infected files they are presented with a warning message saying the content of the document cannot be viewed without first enabling macros. The end user does just that, and the malicious VBA script is run. That script then opens a connection to the hackers C&C server and malware is downloaded to the user’s device.
IT departments can conduct training and tell end users to never enable macros, but sooner or, later, one individual will ignore that advice and will inadvertently install malware. Many businesses use macros in their office files, so blocking them from running is simply not an option. So how can businesses block malicious Word macros in Office 2016 without having to stop using macros in documents altogether? Fortunately, Microsoft has come up with a cunning solution.
Microsoft Makes It Easier to Block Malicious Word Macros
Microsoft has responded to the wave of malicious macro attacks by developing a better solution than the one introduced more than a decade ago. A new setting has been added to make it possible to block malicious Word macros in Office 2016 while still being able to use genuine macros. The good news for system administrators is the settings cannot be bypassed by end users who think they know better than their IT department.
System administrators can now apply a group setting that will block macros in Office files that have been obtained from the Internet zone. Microsoft’s definition of the Internet zone includes documents attached to emails that have been sent from outside an organization, as well as documents obtained from cloud storage providers such as Google Drive and Dropbox and from file sharing websites.
Opening and attempting to run macros from these sources will result in a warning being presented to the user saying their system administrator has blocked macros for security reasons. They will not be given the option of bypassing those settings and running the macros. The new setting can be found in the Microsoft Trust Center in the security settings of Word.
Palo Alto Networks has discovered a new spam email campaign that is being used to spread fileless malware via malicious Microsoft Word macros sent as email attachments.
What is Fileless Malware?
Fileless malware, or memory-resident malware, is most commonly associated with drive-by malware attacks via malicious websites. The malware resides in the RAM and is never installed on the hard drive of an infected machine, which means it is difficult to detect because anti-virus software does not check the memory.
Memory-resident malware has not been favored by attackers until recently, as infections do not survive a reboot. However, some fileless malware such as Poweliks uses the registry to ensure persistence. Memory-resident malware is often used to spy on computer activity and record keystrokes.
PowerSniff Fileless Malware Rated as High Threat
The spam email campaign discovered by Palo Alto uses Microsoft Word macros to install the malware. When infected Word documents are opened, malicious macros execute PowerShell scripts and fileless malware is injected into the memory. In the latest case, the malware bears some resemblance to Ursnif malware. Palo Alto call the latest variant PowerSniff.
To date, over 1500 spam emails have been observed by Palo Alto. The emails are not sent out using mass spam email campaigns, but appear to be targeted and include data highly specific to the target. The emails contain the users first name for instance, along with an address or telephone number to make the target believe the email is genuine.
The subject lines and file names used in the emails differ from individual to individual. All of the emails contain an infected Word file along with some pressing reason for the individual to open the document. This can include invoices that urgently need to be paid, details of payments that have not gone through, gift vouchers that needs to be claimed, or reservations that must be confirmed.
The attacks are primarily being conducted on targets in the United States and Europe. The targets are mostly in the professional, hospitality, manufacturing, wholesale, energy, and high tech industry sectors.
The malware is capable of checking if is in a sandbox or virtualized environment, and performs reconnaissance on the victim host. According to Palo Alto researchers, the malware is sniffing out machines that are used for financial transactions, searching for strings such as POS, SALE, SHOP, and STORE. The malware actively avoids machines that are used in the healthcare and education sectors, searching for strings such as nurse, health, hospital, school, student, teacher, and schoolboard and marking these as being of no interest.
Palo Alto has rated the malware a high threat, with activity widespread in the past week. To protect against this type of attack, and others using malicious Word macros, it is essential that macros are automatically disabled in Microsoft Word. Users should deny any request to run macros if they accidentally open an email attachment.