Researchers Discover Increase in Exploit Kit Activity

Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.

Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.

However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.

Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.

The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.

Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.

Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.

Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.

Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.

To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.

Source Code for NukeBot Trojan Published Online

The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known –  appears to have been released by the author, rather than being leaked.

To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker by the name of Gosya. The modular malware has a dual purpose. In addition to it functioning like a classic virus, it also works like an anti-virus program and is capable of detecting and eradicating other installed malware. The modular design means additional components and functionality can easily be added. When attempting to sell the malware in December last year, the author said further modules would be developed.

The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.

While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.

Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.

While other hackers may have been extremely dubious, they incorrectly assumed that Gosya was attempting to sell a ripped malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware, the problem was the actions taken by Gosya while attempting to sell his Trojan.

While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant.  The malware even included an admin control panel that can be used to control infected computers.

Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.

RIAA Wants Internet Service Providers to Filter Pirated Content

The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather relying on the current system of DCMA takedowns, which the RIAA believes to be ‘antiquated.’ The RIAA claims the current DCMA notice and takedown system is ‘extremely burdensome’ and ‘ineffective’ and that the system invites abuse.

The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of current DCMA Safe Harbors and suggesting a number of potential solutions to the problem.

Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits.  The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.

One of the main problems is while the current system protects innocent Internet service providers who have passively, or unwittingly, allowed their services to be used for copyright infringing activities, some entertainment services are protected, even though their businesses are based entirely on copyright infringement, such as the streaming of sports, entertainment and movies.

A number of suggestions have been made such as amending Digital Millennium Copyright Act to include a timeframe for processing DCMA takedowns as well as requiring Internet Service Providers to filter pirated content and use automated systems that identify pirated content and prevent it from being uploaded once the content has been flagged.

The RIAA suggests that when a DCMA request is received requiring specific content to be removed, that content should then be flagged. A system should be put in place that blocks that content from being uploaded in the future on a different webpage or website. Currently, a takedown of content just means the individual or organization can simply upload the content again on another webpage or domain and the process must start over again. The RIAA says the current system is like an endless game of Whac-A-Mole.

The proposals have been criticized as any automated process is likely to result in the removal of web content that is protected under fair use laws and that automated systems could result in the overblocking of website content.

This argument has been countered by the RIAA saying the risk has been exaggerated and that argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.

Safari Scareware Used to Extort Money from Porn Viewers

A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.

A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.

One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.

This type of Safari scareware is nothing new, although the zero-day flaw that was exploited to display the messages was. The attackers loaded code onto a number of websites which exploited a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.

Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not owned, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.

Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.

Another Major Restaurant POS Breach Has Been Detected

Another major restaurant POS breach has been detected. This time, Cleveland-based Select Restaurants Inc., has had its POS system breached. Select Restaurants owns many well-known restaurants throughout the United States.

According to Brian Krebs, restaurants known to be affected by the POS malware infection include:

  • The Rusty Scupper (Baltimore, MD)
  • Parkers Blue Ash Tavern (Cincinnati, OH)
  • Parkers’ Restaurant & Bar (Downers Grove, IL)
  • Winberie’s Restaurant & Bar (Oak Park, IL., Princeton, NJ., Summit, NJ.)
  • Black Powder Tavern (Valley Forge, PA)

The restaurant POS breach does not appear to have occurred at Select Restaurants, instead it was the chain’s POS vendor that was attacked – Geneva. IL-based 24×7 Hospitality Technology. The attack occurred via a remote access application that the company uses to remotely access, update, and maintain the POS system used by its customers.

After gaining access to the POS system, the attackers installed a form of malware known as PoSeidon. The malware records and exfiltrates credit card data when cards are swiped by restaurant staff when customers pay for their meals. The malware was installed and active for around 3 months from October 2016 to January 2017.

While fraudulent use of customers’ credit card details is often quickly detected by banks and credit card companies, it can be difficult to track those fraudulent card uses back to a specific retailer or restaurant. When major restaurant chains experience POS malware infections it is far easier to detect the source of the fraud. Malware infections at smaller restaurant chains can take much longer to detect.  During that time, the credit card details of all of the restaurant’s customers can be stolen.

The remote access system could have been attacked using a variety of methods. If a weak password was used, it may have been guessed or a brute force attack could have occurred. Alternatively, an employee may have revealed a password by responding to a phishing or spear phishing email.

In this case, the malware was installed via the POS system provider, although a restaurant POS breach could just as easily occur. Restaurant chains can do little to prevent attacks on their POS system provider, but they can implement cybersecurity defenses to protect them against direct attacks.

Restaurants are major targets for cybercriminals. Malware can remain undetected for many months during which time many thousands of credit cards can be stolen. The consequences for restaurant chains can be severe. While customers may not experience any losses – their credit card company will usually refund any fraudulent purchases – the effect on a restaurant chain’s reputation can be permanent.

To protect systems from attack, restaurant chains should ensure software solutions are installed to block the most common attack vectors. Software must be kept up to date and patched promptly to prevent vulnerabilities from being exploited and antivirus solutions should be kept up to date and regular scans should be scheduled on all parts of the network.

For further information on how to prevent a restaurant POS breach and malware infections, contact the TitanHQ team today.