Month: March 2016
Security firms are reporting that some of the United States ransomware attacks conducted over the past few months have demonstrated a level of sophistication that suggest they are the work of hacking groups previously backed by the Chinese government.
Ransomware attacks have previously been associated with low level cybercriminals who use spam email to send millions of messages out to random targets in the hope that some individuals will install the malicious file-locking software. In many cases, ransomware-as-a-service is being offered to cybercriminals via darknet marketplaces. Cybercriminals therefore do not need to have an extensive knowledge of hacking, and do not need to be highly skilled at conducting intrusions. However, due to the fact that ransomware can be incredibly lucrative, attacks are now being conducted by a wide range of individuals, including skilled hackers.
United States Ransomware Attacks Appear to Have Been Conducted by Former Chinese Government-Backed Hacking Groups
In some cases, the tactics used in the attacks bear the hallmarks of hacking groups known to have previously been involved in state-sponsored attacks on U.S. companies. The ransomware may not have been developed by foreign-government-backed hackers, but the methods and software used to gain entry to company networks and move around certainly appears to be.
Security firms Dell SecureWorks, InGuardians, G-C Partners, and Attack Research have all been called upon to investigate United States Ransomware attacks recently. The Dell team have investigated three highly sophisticated attacks, and the other companies have similarly been called upon to investigate security breaches involving ransomware.
All of the companies have come to the conclusion that these attacks were not the work of run-of-the-mill cybercriminals, and believe a well-known Chinese hacking group was behind the attacks. In one case, an attack on a U.S. company resulted in over 100 computers being locked with the file-encrypting software. Another attack involved 30 computers being locked. Similar large-scale ransomware attacks have also been investigated by the security firms. These attacks, like many conducted on large U.S. companies, have not previously been reported.
APT Tactics Used in Ransomware Attacks
Some of the attacks took advantage of security vulnerabilities in application servers, other used login credentials that were obtained in past Advanced Persistent Threat (APT) attacks on U.S companies. Rather than APT attacks taking place for espionage, the same methods appear to be used to gain access to networks in order to install ransomware.
None of the security firms are able to say with 100% certainty that the attacks were conducted by Chinese hacking groups, although it does appear to be the most logical answer. One theory put forward is that with China now pulling out of cyber-espionage after last year’s agreement with the U.S government, many Chinese hackers who were previously funded by the government are now out of work or are looking for additional income. Since the potential payoff from ransomware attacks is so high, they are now performing attacks on their own.
In some cases, where U.S companies have been compromised by government-sponsored attacks, it has been hypothesized that the hackers are cashing in as they pull out.
Even if Chinese hacking groups are not involved, it is clear is there is considerable money to be made by performing these attacks. Cybercriminal gangs who have previously targeted credit card numbers may now be switching to ransomware due to big potential payoffs.
Since most companies do not declare that they have suffered an attack and paid a ransom, it is difficult to tell exactly how bad the current situation is. But until ransomware ceases to be profitable, United States ransomware attacks are likely to continue.
Websites are being registered on Oman’s top level domain by typosqautters looking to capitalize on mistakes made by Mac users and push Genieo adware. The .om domain is intended to catch out Mac users who type quickly and miss out the c when typing .com website addresses.
Typosquatting is the registration of domain names with transposed or missed letters in an attempt to cash in on traffic intended for other websites. Goole.com being a good example. The site has been registered and uses an Ask Jeeves search bar to provide search engine functions to bad typists. The website has been reported to attract 1000 visitors a day, the vast majority of which have mistyped google.com.
However, in the case of the .om domain the typosquatters have sinister motives. The sites are being used to deliver malware and adware, with the typosquatters appearing to be targeting devices running OS X.
The sites detect the operating system on the device and redirect Windows users to websites where they are bombarded with popup adverts. Mac users are targeted with a fake Adobe Flash update. Downloading the update will install Genieo adware. Genieo adware installs itself as a browser extension on Firefox, Opera, and Chrome and is used to serve ads.
The spate of domain registrations was noticed by security researchers at Endgame, who discovered that over 330 domains had been registered with Oman’s Telecom Regulatory Authority in the past few weeks.
As is common with malicious typosquatters, they have chosen the names of well-known websites that receive large volumes of traffic. Endgame reports that .om sites have been registered for Gmail, Macys, Citibank, and Dell in the past few weeks, along with a host of other well-known brands. The sites appear to have been registered by a number of different typosquatting groups not just one individual. However, a large percentage were found to have been registered by individuals in New Jersey.
A number of different hosting companies have been used, although the site installations are all very similar. Endgame discovered that many of the sites contain vulnerabilities that could allow other parties to hijack the sites. At the present time, it would appear that the typosquatters are only intent on pushing Genieo adware and promote ad networks, although that may not remain the case. With the high number of security vulnerabilities that exist on the sites they could all too easily be hijacked by other individuals and used to deliver malware and ransomware to unsuspecting visitors.
Two new studies indicate the mobile malware threat is increasing at an unpresented rate. Any enterprise that allows smartphones to connect to its network, such as those operating a BYOD policy, faces an increased risk of a cyberattack via those devices.
G DATA Report Warns of Rapidly Increasing Mobile Malware Threat
According to the recent G DATA survey, the mobile malware threat has increased substantially over the course of the past 12 months and shows no sign of abating. The number of new malware variants discovered in 2015 is 50% higher than 2014. In 2015, 2.3 million malware samples targeting Android devices were collected, with a new variant being identified, on average, every 11 seconds. In the final quarter of the year, an alarming 758,133 new malware samples were collected, which represents an increase of 32% from the third quarter.
The main risk is older devices operating outdated versions of Android, although G DATA reports that hackers are developing exploits for security vulnerabilities far faster than in past years. Unless Android operating systems are kept totally up to date, vulnerabilities will exist that can be exploited. Unfortunately, phone manufacturers often delay rolling out operating system updates leaving all devices prone to attack.
Mobile Malware Infections Increasing According to Nokia Threat Intelligence Lab
Earlier this month, a report issued by the Nokia Threat Intelligence Lab suggested that 60% of malware operating in the mobile space targets Android smartphones. While iOS malware was a rarity, that has now changed. Nokia reports that for the first time ever, iOS malware has made the top 20 malware list, which now includes the iOS Xcodeghost and FlexiSpy malware. These two malware account for 6% of global smartphone infections.
Mobile ransomware is also increasing. In 2015, several new mobile ransomware variants were identified. Ransomware is used to lock devices with file-encrypting software. Users are only able to recover their files if a ransom is paid to the attackers. With an increasing number of individuals using their smartphones to store irreplaceable data, and many users not backing up those files, individuals are often given no choice but to pay attackers for a security key to unlock their data.
Nokia reports that the malware now being identified has increased in sophistication and has been written by hackers that know the Android system inside out. Malware is getting harder to detect, and once identified it can be extremely difficult to remove. Nokia reports that many malware variants are highly persistent and can even survive a factory reset.
How to Mitigate Mobile Malware Risk
With the mobile malware threat increasing, organizations must implement new security measures to keep devices secure and protect their networks. Anti-virus and anti-malware solutions should be installed on all devices allowed to connect to business networks to reduce the risk of a malware infection.
Many mobile devices are used for work purposes such as accessing business email accounts. Android malware infections could all too easily result in business data being compromised, while keyloggers could give attackers access to business networks.
Enterprises may not yet be majorly concerned about the rising mobile malware threat, but they should be. With the growing sophistication of today’s mobile malware, a business network compromise is a very real threat.
Enterprises that permit the use of mobile devices for work purposes should limit the actions that can be performed on Wi-Fi networks by implementing a web filtering solution. They should ensure that all BYOD policies stipulate a minimum Android version that can be used, and all devices should be kept up to date with app updates installed promptly. Enterprises should also monitor for jailbroken or rooted devices, and prevent them from being used for work purposes or from connecting to business Wi-Fi networks.
A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S critical infrastructure community.
Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads to a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers who will not release the decryption keys until the ransom is paid. Without those keys data will remain locked forever. Business are often given no alternative but to give in to the attackers’ demands.
Rampant Ransomware Prompts ICIT to Issue Warning
The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.
According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable. Far more than the ransom demand in many cases.
Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Often attacks are conducted across International borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.
Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.
Ransomware Mitigation Policies are Essential
Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.
The report suggests four key areas that can help with ransomware mitigation.
- Forming a dedicated information security team
- Conducting staff training
- Implementing layered defenses
- Developing policies and procedures to mitigate risk
An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.
Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain. It is easiest to get an employee to install ransomware than to attempt a hack in many cases. According to the report, this is one of the most important ransomware mitigation steps to take.
Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.
With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must be aware who they can report suspicious emails and network activity to, and those individuals must be aware how they should act and deal with threats.
It was only a matter of time before a fully functional Mac ransomware was developed. Researchers at Palo Alto Networks have discovered that time has now come, after its Unit 42 team found KeRanger: The first fully functional Mac ransomware to be discovered in the wild. The ransomware was spread via the Transmission file-sharing app.
Fortunately, action has been taken to contain the malicious software before it could be fully exploited; however, this signals a turning point for Apple users. Their devices are no longer safe from ransomware attacks.
Mac Ransomware is No Longer Theoretical
While a Mac ransomware called FileCoder was discovered by Kaspersky Lab in 2014, the malicious software was incomplete and could not be used to infect Apple devices. The discovery of KeRanger shows that Apple users are no longer immune to attack.
Apple has added the signature for the malicious software to its XProtect OS X anti-malware definitions However, any Apple customer that downloaded BitTorrent client Transmission (v 2.9) over the weekend (Between 11:00 PST on March 4, and 19:00 PST on March 5, 2016) could well have downloaded KeRanger, along with any customer who downloaded the file sharing app prior to March 4.
The Mac ransomware bypassed Gatekeeper controls by using a genuine security certificate. The certificate was issued to Polisan Boya Sanayi ve Ticaret A.Ş., of Istanbul and is believed to have been stolen.
The ransomware was included in the Transmission installation files as “General.rtf.” The rich text file looks innocuous enough, but General.rtf is not a document file as the extension suggests, instead it is a Mach-O executable file. The file is copied to ~/Library/kernel_service and is run before the user sees an interface.
Once the ransomware has been activated, it searches the system on which it is installed and will encrypt around 300 different file types, including images, documents, multimedia files, emails, databases, certificates, archives, and source code. The Mac ransomware uses AES encryption to lock any files it finds and is capable of encrypting files saved on connected networks and external drives.
In many cases, ransomware infections cannot be removed and the user is forced to pay a ransom to obtain a security key. However, locked files can potentially be restored from backups. Unfortunately for users infected with KeRanger, the Time Machine system files are also encrypted preventing backup files from being restored.
The Threat Has Been Neutralized Although Action Must Be Taken by Transmission Users
The new Mac ransomware has been neutralized by the revoking of the digital certificate that enables the software to install on OS X, while the developers of Transmission App have removed the infected version from the transmissionbt.com website.
According to Claud Xiao of Palo Alto Networks, if KeRanger has been installed, users will still be at risk of having their files encrypted. The latest version of Transmission will remove the ransomware if it has been installed on users’ Macs.
Any customer who has installed version 2.9 should download the updated version of the file sharing software as soon as possible to prevent their device from being locked by the file-encrypting malware.
Users only have a limited timeframe for doing this. The Mac ransomware will stay hidden and quiet for 3 days following infection. After that it will connect to its C&C and will start encrypting files on the infected device and connected drives. A ransom of 1 Bitcoin (around $400) will then be demanded by the attackers. Only if the ransom is paid will the security key be sent to unlock the encryption. Failure to pay will see files locked forever. Transmission users must ensure they have installed version 2.92 and need to reboot their device after installation.
Protecting Devices from Attack Using WebTitan Web Filtering Solutions
WebTitan Cloud can help enterprises keep their devices free from malware and ransomware by blocking the downloading of file types known to be used by hackers to install malicious software. It is also possible to prevent KeRanger installations by blocking access to file sharing websites. By limiting the actions that can be taken by users and the sites that can be visited, the risk of networks being compromised or infected with malware can be greatly reduced.
WebTitan Cloud and WebTitan Gateway web filtering solutions can reduce reliance on staff training to teach end users how to identify malware, phishing emails, and malicious websites. Blocking risky online behavior can significantly reduce the risk of malware and ransomware infections.