Are you taking steps to prevent drive-by malware downloads? Have you implemented controls to reduce your attack surface and prevent your employees from inadvertently downloading malware onto your network?
Malvertising – A Major Security Risk that Should be Managed
Malvertising is the term used for the practice of displaying malicious adverts to website visitors. The malicious adverts are displayed via third party advertising networks which are present on a wide range of legitimate websites. Malicious adverts have been displayed to visitors to many of the top 500 global websites.
The New York Times website was discovered to be displaying malvertising via a third-party ad network. Those adverts redirected visitors to websites where ransomware was downloaded. The UK's BBC website was similarly found to be displaying malicious adverts that resulted in ransomware downloads.
Other high-profile sites found to be displaying malvertising include AOL, the NFL website, Realtor.com, The Weather Network, Newsweek, Infolinks, Answers.com, and The Hill, amongst many others.
Proofpoint recently announced that it had succeeded in shutting down the AdGholas malvertising operation. This large-scale operation was reported to have displayed malicious adverts to between 1 million and 5 million individuals per day. Proofpoint's researchers estimated that between 10% and 20% of the computers that loaded the malicious adverts were redirected to websites hosting exploit kits. Exploit kits probe the visitor's browser and its plugins for unpatched vulnerabilities; if one is found, malware is downloaded and run without any action by the user. AdGholas was just one malvertising operation out of many.
Cost of Malware and Ransomware Infections
Many ransomware variants are capable of spreading to other devices and network shares once inside a network, so one download may see multiple computers infected. Each infected device is encrypted with a separate key and a separate ransom demand is issued for each infection.
Organizations experiencing multiple infections can be issued with ransom demands of tens of thousands of dollars. In February, Hollywood Presbyterian Medical Center paid $17,000 for the decryption keys to unlock its computers.
The threat from malware can be far more serious. Keyloggers can be used to obtain login credentials to corporate bank accounts, allowing criminals to make fraudulent transfers and empty company accounts. Malware can install backdoors that are then used to steal patient data from healthcare organizations. Failing to prevent drive-by malware downloads can prove very costly indeed: the Ponemon Institute's latest Cost of Data Breach study put the average total cost of a breach at $4 million and the average cost per compromised record at $158, with healthcare records costing considerably more than the cross-industry average.
Prevent Drive-by Malware Downloads
To prevent drive-by malware downloads you need to employ a range of tactics. Good patch management policies help to ensure that devices are not left vulnerable: operating systems, browsers, and browser plugins should be kept up to date and patches applied promptly. The software most commonly targeted by exploit kits includes Java, Adobe Flash, and PDF readers, as well as out-of-date web browsers. Where a plugin is not needed for business, removing it or disabling it in the browser shrinks the attack surface further.
Organizations can prevent employees from being directed to malicious websites by using a web filtering solution. A web filter can be configured to block websites known to contain malware or host exploit kits, and to block third-party advertising domains outright. Block the ad networks and malvertising cannot load, regardless of which legitimate website carries the advert. The trade-off is that some ad-supported sites will show empty advert slots or object to the blocking, so the list should be reviewed rather than applied blindly.
You should also implement Acceptable Usage Policies (AUPs) to limit the websites that employees can visit. Employees can be instructed not to visit categories of websites known to carry a higher than average risk, but a web filter enforces those policies rather than relying on staff to follow them. By blocking access to gambling and pornography websites, sites hosting illegal content, and other higher-risk categories such as P2P file-sharing sites, the risk of exposure to malvertising and drive-by downloads is greatly reduced.
A web filtering solution cannot prevent all data breaches and malware attacks, but it is a vital element of cybersecurity defenses that should not be ignored. It is one of the most important controls to employ to prevent drive-by malware downloads.
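The domain and category checks a web filter performs can be modelled in a few dozen lines. The following Python script is an added example written for this page, not code from any web filtering product; the blocklist, category map and request URLs in it are constructed for illustration. It shows two details that matter in practice: blocking a domain must also block its subdomains without catching look-alike names (label-by-label matching rather than a suffix check), and the host must be taken from a parsed URL, since a request to http://news.example@exploitkit.example/ is a request to exploitkit.example, not to news.example.

```python
"""Model of the domain and category checks a web filter performs.

Added example for this page, not code from any web filtering product.
All domains, categories and request URLs below are constructed.
"""
from urllib.parse import urlsplit

# Constructed: ad-network domains blocked outright. Blocking the network
# rather than the page carrying the advert is what stops malvertising.
BLOCKED_AD_NETWORKS = {"ads.example-network.net", "adserve.example.com"}

# Constructed: domain -> Acceptable Usage Policy category.
CATEGORY_OF_DOMAIN = {
    "casino.example": "gambling",
    "torrents.example": "p2p",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"gambling", "pornography", "p2p"}

# Constructed: hosts known to serve exploit kits or malware.
KNOWN_MALICIOUS = {"exploitkit.example"}


def hostname_of(url):
    """Return the lower-cased host of a URL (bare hosts accepted too).

    Parsing, rather than searching the string, is what makes
    'http://news.example@exploitkit.example/' resolve to the real host.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matches_domain(host, domains):
    """Return the entry of `domains` that covers `host`, or None.

    Matching is label by label: 'cdn.ads.example-network.net' matches
    'ads.example-network.net', but 'notads.example-network.net' does not,
    which a naive endswith() check would get wrong.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def decide(url):
    """Return ('block', reason) or ('allow', '') for one request."""
    host = hostname_of(url)
    if not host:
        return ("block", "unparseable host")
    # Malicious hosts and ad networks are checked before categories so a
    # permissive category policy can never re-allow them.
    hit = matches_domain(host, KNOWN_MALICIOUS)
    if hit:
        return ("block", "known malicious: " + hit)
    hit = matches_domain(host, BLOCKED_AD_NETWORKS)
    if hit:
        return ("block", "ad network: " + hit)
    hit = matches_domain(host, CATEGORY_OF_DOMAIN)
    if hit and CATEGORY_OF_DOMAIN[hit] in BLOCKED_CATEGORIES:
        return ("block", "category %s: %s" % (CATEGORY_OF_DOMAIN[hit], hit))
    return ("allow", "")


# Constructed requests covering the cases that matter.
SAMPLE_REQUESTS = [
    "https://news.example/article",
    "https://cdn.ads.example-network.net/tag.js",
    "https://notads.example-network.net/",
    "http://CASINO.EXAMPLE/play",
    "http://news.example@exploitkit.example/landing",
]


def run_policy(urls=SAMPLE_REQUESTS):
    """Apply decide() to each URL; returns a list of (url, verdict, reason)."""
    return [(u,) + decide(u) for u in urls]


if __name__ == "__main__":
    for url, verdict, reason in run_policy():
        print("%-5s %-48s %s" % (verdict, url, reason))
```

A real filter applies the same logic to every request the browser makes, including the script and iframe loads an advert triggers, which is why blocking the ad-network domain stops the redirect chain before the exploit kit landing page is ever requested.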
Pressure has been mounting recently on corporations in America to block pornography on WiFi networks open to the public. McDonalds and Starbucks have responded by announcing they will be blocking porn on public WiFi networks in their restaurants and coffee shops.
Early last week, McDonalds announced that it is now using WiFi network web filtering to block pornography, including child pornography, in its 14,000+ restaurants in the United States. The technology had been introduced earlier this year, although the move has only just been announced by the fast food chain. McDonalds is one of the first, and largest, organizations to block pornography on restaurant WiFi networks.
A couple of days later, Starbucks announced that it will also use WiFi network web filtering to block pornography in its coffee shops in the United States. Starbucks will first evaluate web filtering solutions to ensure that the filter does not prevent customers from accessing non-pornographic websites. Once that process is complete, the solution will be rolled out across its 12,200+ U.S. coffee shops, followed by its company-owned stores around the world.
While no figures have been released by either organization about the extent to which their WiFi networks are being used to view pornography, online safety organizations have been warning corporate America that the practice is becoming more prevalent and the risk to minors is considerable if efforts are not made to block pornography on restaurant WiFi networks.
Pressure by Anti-Pornography Organizations to Block Pornography on WiFi Networks Pays Off
Internet safety organization Enough is Enough launched its National Porn Free Wi-Fi campaign two years ago and has been placing pressure on corporate America to use WiFi network web filtering to block pornography and prevent access to illegal child pornography on restaurant WiFi networks.
Public WiFi networks offer a higher degree of anonymity than home and work Internet connections, and an increasing number of individuals are actively seeking unfiltered WiFi networks to view, download, and share inappropriate and illegal images.
Enough is Enough – whose mission is to make the Internet safer for children and families – gathered over 50,000 signatures from members of the public and has the backing of more than 75 partner organizations. Over the past few months, pressure has been placed on Starbucks – the largest coffee shop chain in the United States – to block pornography on WiFi networks and to prevent inappropriate material from being accidentally or deliberately viewed by minors.
Many smaller restaurant chains have already taken the decision to block pornography on WiFi networks that are provided for customers. Panera Bread and Chick-fil-A have been using WiFi network web filtering to block pornography and keep customers safe for a number of years, yet the larger chains have only just been convinced that it is important to block pornography on restaurant WiFi networks.
Donna Rice Hughes, President of Enough Is Enough, praised Starbucks and McDonalds for implementing a WiFi filtering solution to restrict access to pornography. She said “We will vigorously continue to encourage other businesses and venues such as hotels, airlines, shopping malls, and libraries to filter pornography and child abuse images on publicly available Wi-Fi in order to protect children and families.”
Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.
The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.
Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.
There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.
Ranscam Ransomware will not Allow Victims to Recover Their Files
Rather than encrypting files and holding the decryption key to ransom, Ranscam simply deletes the victim's files, while its note threatens deletion if payment is not made.
The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – Around $133 at today’s exchange rate.
While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.
Unfortunately for the victims, by the time the ransom note is displayed the files have already been deleted. Paying the ransom will not recover them, and no decryption key will be provided because there isn't one.
Researchers at Cisco Talos, who discovered Ranscam, noted that the authors have no way of verifying whether payment has been made; the ransomware only simulates a verification process. Nor is there any routine in the malware that could restore a victim's files.
Backup Your Files or Be Prepared to Lose Them
Many ransomware authors have a vested interest in ensuring that a victim's files can be recovered. If word spreads that there is no chance of recovering encrypted files, nobody whose computer is infected will pay the ransom. Locky, CryptoWall, and Samsa ransomware may be malicious, but their operators at least make good on their promise once paid. If they did not, discovering files with a .locky extension would be a guarantee that those files were permanently lost.
New ransomware variants are being released on an almost daily basis, and many of the newer ones are so crude that they cannot recover files even if the ransom is paid. The discovery of Ranscam shows why it is essential to back up critical files regularly and to test that the backups can be restored. Without a viable backup there is no guarantee that files can be recovered, and you, or your organization, are at the mercy of attackers, not all of whom are willing, or able, to recover encrypted files.
The developers of CryptXXX ransomware have made some updates to the malicious software recently. A new campaign has also been launched which is seeing an increasing number of Joomla and WordPress websites compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.
The latest CryptXXX variant no longer changes the extension of encrypted files; names are left exactly as they were. This makes it harder for system administrators to recover from an infection by restoring from backup, because it is no longer obvious which files have been encrypted and which are intact. A selective restore then needs another way to tell the two apart, such as comparing files against the backup copy or checking whether their contents still match what the file type should contain.
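When the extension is left alone, the remaining signals are the file's content and its statistics. The Python script below is an added example, not tooling from the page or from any vendor mentioned on it. It flags a file as probably encrypted when its leading bytes no longer match what the extension promises (or, for text types, when the content is no longer text) and its byte entropy is close to the 8 bits-per-byte maximum. The constructed sample files show the caveat: a genuine .docx is a zip archive and is high-entropy by design, so entropy alone would produce false positives; the magic-byte check separates the two cases. The magic table, the text-file heuristic and the threshold are assumptions for the example, not a complete signature set.

```python
"""Triage files for encryption when the ransomware leaves extensions alone.

Added example, not code from the page or from any vendor named on it.
Two signals are combined: the file header no longer matches its extension,
and byte entropy is near the 8-bit maximum. Either alone misfires
(zip/docx/jpg are high-entropy by design), so both are reported.
"""
import math
import os
import tempfile
import zipfile
from collections import Counter

# Constructed: expected leading bytes per extension (assumption, not complete).
MAGIC = {
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random data approaches 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(sample):
    """Crude text check: at least 90% printable ASCII or common whitespace."""
    if not sample:
        return True
    printable = sum(1 for b in sample if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(sample) > 0.9


def assess(path, sample_size=65536):
    """Return (verdict, entropy) for one file.

    'encrypted?'   header/text check fails AND entropy is high
    'high-entropy' only the entropy is high (compressed formats land here)
    'ok'           otherwise
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        sample = f.read(sample_size)
    entropy = shannon_entropy(sample)
    header_ok = True
    if ext in MAGIC:
        header_ok = any(sample.startswith(m) for m in MAGIC[ext])
    elif ext in TEXT_EXTENSIONS:
        header_ok = looks_like_text(sample)
    if not header_ok and entropy >= ENTROPY_THRESHOLD:
        return ("encrypted?", entropy)
    if entropy >= ENTROPY_THRESHOLD:
        return ("high-entropy", entropy)
    return ("ok", entropy)


def scan(root):
    """Walk a tree and return {relative_path: verdict}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = assess(full)[0]
    return results


def demo():
    """Build constructed sample files in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="cryptxxx-triage-")
    # A genuine (minimal) docx-style zip: high entropy is expected here.
    # Stored rather than deflated to keep the example dependency-free.
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w",
                         zipfile.ZIP_STORED) as z:
        z.writestr("word/document.xml", os.urandom(4096))
    # A plain text file.
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly numbers\n" * 200)
    # Two 'encrypted' files: random bytes, extensions untouched.
    for name in ("budget.xlsx", "minutes.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(8192))
    return scan(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print("%-13s %s" % (verdict, path))
```

In practice the 'high-entropy' bucket still needs a look, because some formats the table does not know (media files, archives with unusual extensions) land there legitimately, while a ransomware that prepends a fake header would escape the magic check; comparing hashes against the last good backup remains the authoritative test.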
The ransomware developers have also changed the ransom note that is presented to victims and the Tor address for payment has also been changed. The payment site has been changed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past. The authors have now changed the site to Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims that experience difficulties making the payment, there is no method of contacting the attackers to explain about payment issues.
CryptXXX crypto-ransomware was previously spread using the Angler exploit kit, although the ransomware is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in Adobe Flash and PDF readers in order to download CryptXXX.
CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign
WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.
It is not yet clear how the websites are being compromised. Outdated Joomla and WordPress core installations are the most likely route, although outdated plugins could equally be used to inject the malicious script, which is disguised as analytics code. The campaign is being referred to as "Realstatistics" after the URL that is placed into the PHP template of infected sites.
The latest campaign has also been used to push other ransomware variants on unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate CryptoBit variants being pushed as part of the Realstatistics campaign. The attackers now appear to be using CryptoBit less and have switched to CryptXXX in recent days.
Security researchers at ESET have discovered a dangerous new Mac backdoor program which allows attackers to gain full control of a Mac computer. Mac malware may be relatively rare compared to malware used to infect PCs, but the latest discovery clearly demonstrates that Mac users are not immune to cyberattacks. The new OS X malware has been dubbed OSX/Keydnap by ESET. This is the second Mac backdoor program to be discovered in the past few days.
OSX/Keydnap is distributed as a zip file containing an executable disguised as a text file or image. If the file is opened, it downloads the icloudsyncd backdoor, which communicates with the attackers' command and control server via the Tor network. The malware attempts to gain root access by prompting the user for their credentials in a pop-up window when an application is launched. If root access is gained, the malware installs itself to run each time the device boots.
The backdoor can download files and scripts, run shell commands, and send their output to the attackers. It can also update itself, and it exfiltrates the contents of the OS X keychain.
Second Mac Backdoor Discovery in Days
The news of OSX/Keydnap comes just a matter of hours after security researchers at Bitdefender announced the discovery of another Mac backdoor program called Eleanor. Hackers had managed to get the Backdoor.MAC.Eleanor malware onto MacUpdate. It is hidden in a free downloadable app called EasyDoc Converter.
EasyDoc Converter purported to let Mac users quickly convert files into Word document format; instead, the app installed a backdoor on the user's system. Infections with Eleanor should be limited because the app is not signed with a certificate issued to an Apple Developer ID, so Gatekeeper blocks it by default and users must deliberately override the warning to run it.
If a user does install the app, a shell script runs that checks whether the malware is already installed and whether the Little Snitch network monitor is present on the device. If Little Snitch is not installed, the malware installs three LaunchAgents together with a hidden folder of executables used by the malware. The files are named to make them look like Dropbox files.
The LaunchAgents start a Tor hidden service through which the attackers reach a web service component, also started by the LaunchAgents. A third agent uploads the Mac's Tor onion address to Pastebin, where the attackers can retrieve it. The backdoor can reportedly be used for remote code execution, to access the file system, and to capture images from the webcam.
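Both backdoors persist through launchd, and the details in the reports above (executables in hidden folders, filenames imitating Dropbox, a daemon called icloudsyncd, and jobs that run at load) are what a quick audit of LaunchAgents and LaunchDaemons should look for. The Python script below is an added example, not ESET's or Bitdefender's tooling and not tied to the exact Eleanor or Keydnap artefacts; the plists it audits are constructed in a temporary directory, and the look-alike name list and trusted path prefixes are assumptions for the example. On a real Mac, point audit_dirs() at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.

```python
"""Audit launchd plists for the persistence pattern described above.

Added example, not ESET's or Bitdefender's tooling. It flags LaunchAgents
or LaunchDaemons whose program lives in a hidden directory, whose name
imitates a well-known product outside that product's install path, or that
run at load from a user-writable location. Sample plists are constructed.
"""
import os
import plistlib
import tempfile

LOOKALIKE_NAMES = ("dropbox", "icloud")  # assumption: watch-list for the example
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")
DEFAULT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def program_of(plist):
    """Resolve the executable launchd will start from a parsed plist."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def in_hidden_dir(path):
    """True if any directory component of the path starts with a dot."""
    return any(p.startswith(".") for p in path.split("/")[:-1] if p)


def audit_plist(path):
    """Return a list of indicator strings for one plist (empty = nothing found)."""
    findings = []
    try:
        with open(path, "rb") as f:
            plist = plistlib.load(f)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return ["unparseable plist: %s" % exc]
    prog = program_of(plist)
    if not prog:
        return ["no Program/ProgramArguments"]
    trusted = prog.startswith(TRUSTED_PREFIXES)
    if in_hidden_dir(prog):
        findings.append("program in hidden directory: " + prog)
    base = os.path.basename(prog).lower()
    if any(n in base for n in LOOKALIKE_NAMES) and not trusted:
        findings.append("lookalike name outside trusted path: " + prog)
    if plist.get("RunAtLoad") and not trusted:
        findings.append("RunAtLoad from untrusted path: " + prog)
    return findings


def audit_dirs(dirs):
    """Audit every .plist in the given directories; return {filename: findings}."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                findings = audit_plist(os.path.join(d, name))
                if findings:
                    report[name] = findings
    return report


def demo():
    """Write constructed plists to a temp dir and audit them."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    samples = {
        # Benign: vendor updater under /Applications, runs at load.
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True,
        },
        # Eleanor-style: hidden folder in the home dir, Dropbox-like name.
        "com.dropbox.sync.plist": {
            "Label": "com.dropbox.sync",
            "ProgramArguments": ["/Users/alice/.dbfseventsd/dropbox-sync", "--tor"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Keydnap-style: plausible daemon name dropped in /tmp.
        "com.icloud.helper.plist": {
            "Label": "com.icloud.helper",
            "Program": "/tmp/icloudsyncd",
            "RunAtLoad": True,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(content, f)
    return audit_dirs([d])


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

A clean result is not proof of a clean machine: the check only reads plists, so a backdoor that persists another way (a login item, a cron job, a modified application bundle) is out of scope, and anything already running as root can remove or rewrite the very files the audit reads. It is a fast first look to run alongside, not instead of, a network monitor such as the Little Snitch check Eleanor itself performs.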