Malware Alerts

Being forewarned is being forearmed; and, if organizations keep up-to-date with the latest malware alerts, they have the opportunity to take measures to prevent their network systems becoming infected with the latest malware strains.

Many malware alerts originate not from reports of malware infections themselves, but from vulnerabilities being identified in everyday software that a hacker could use to install an exploit kit. Our malware alerts explain what the vulnerabilities are, how they can be used to deliver malware and what patches exist to eliminate the vulnerability.

Of course, the best way to block exploit kits from downloading malware onto your organization´s network systems is to ensure that Internet users never visit a website harboring an exploit kit. This can be achieved by a simple adjustment of your web filtering solution. If your organization does not yet have a web filtering solution, speak with WebTitan today.

WannaCry Ransomware Attacks Halted… Temporarily

The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe.  The massive ransomware campaign saw 61 NHS Trusts in the UK affected.

As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.

The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.

The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.

This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.

For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.

The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.

Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.

The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.

There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.

Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.

Mac Malware Warning Issued: Handbrake for Mac App Infected with RAT

A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.

A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.

A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 change of infection if they downloaded the app between the above dates.

Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.

Apple has now updated its OSX’s XProtect to detect and remove the infection although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.

Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.

The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.

Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.

The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk.  Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment.  The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.

NCCIC Issues Multi-Industry Alert on Sophisticated New Malware Threat

A sophisticated new malware threat has been discovered that is being used to target a wide range of industry sectors and infect systems with RAT/malware.

The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.

The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.

The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.

The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.

While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The attack methods used by the threat actors involve impersonating end users leveraging stolen credentials. Communications with the C2 are encrypted, typically occurring over port 443 with the domains frequently changing IP address. Domains are also spoofed to appear as legitimate traffic, including Windows update sites.

Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.

PLUGX allows the threat actors to perform a range of malicious activities such as setting connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. READLEAVES offers the threat actors a typical range of RAT functions including system enumeration.

NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected and further information will be published when it becomes available.

While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, therefore a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems and install malware and operate undetected.

NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.

Other mitigations are detailed in NCCIC’s recent report, which can be downloaded from US-CERT on this link.

New Locky Ransomware Attacks Use Techniques Similar to Dridex Malware Campaigns

Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.

It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.

That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.

The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.

New Infection Method Used in Latest Locky Ransomware Attacks

The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.

The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.

If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.

The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.

The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.

The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more that the ransom payments demanded when Locky first arrived on the scene just over a year ago.

One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.

Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.

Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.

Researchers Discover Increase in Exploit Kit Activity

Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.

Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.

However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.

Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.

The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.

Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.

Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.

Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.

Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.

To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.

Source Code for NukeBot Trojan Published Online

The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known –  appears to have been released by the author, rather than being leaked.

To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker by the name of Gosya. The modular malware has a dual purpose. In addition to it functioning like a classic virus, it also works like an anti-virus program and is capable of detecting and eradicating other installed malware. The modular design means additional components and functionality can easily be added. When attempting to sell the malware in December last year, the author said further modules would be developed.

The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.

While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.

Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.

While other hackers may have been extremely dubious, they incorrectly assumed that Gosya was attempting to sell a ripped malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware, the problem was the actions taken by Gosya while attempting to sell his Trojan.

While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant.  The malware even included an admin control panel that can be used to control infected computers.

Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.

Safari Scareware Used to Extort Money from Porn Viewers

A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.

A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.

One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.

This type of Safari scareware is nothing new, although the zero-day flaw that was exploited to display the messages was. The attackers loaded code onto a number of websites which exploited a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.

Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not owned, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.

Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.

MajikPOS Malware Used in Targeted Attacks on PoS Systems of U.S. Businesses

A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.

The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.

MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.

The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some causes leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.

MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.

POS Malware Infections Can be Devastating

A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.

While exploit kit activity has fallen in recent months, the threat has not disappeared and malvertising campaigns and malicious links sent via emails are still used in targeted attacks on U.S retailers.

Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.

POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.

This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.

PetrWrap Ransomware: An Old Threat Has Been Hijacked by a Rival Gang

There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly anything new. It is actually a form of ransomware that was first discovered in May last year. PetrWarp ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.

The criminal organization behind PetrWrap ransomware have taken Petya ransomware, for which there is no free decryptor, and have exploited a vulnerability that has allowed them to steal it and use it for their own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!

Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.

Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.

Kaspersky Lab research Anton Ivenov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”

Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no files are encrypted. While Locky, CryptXXX, and Samsa search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect however is the same. Users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.

Should Malware Protection at the ISP Level be Increased?

Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?

Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.

Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.

Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.

While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.

ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.

Malware Protection at the ISP Level

Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.

ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.

ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.

An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.

The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.

The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those which are being sent messages and Internet traffic. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.

The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.

If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.

ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections

Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.

ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.

WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.

If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.

Cyberattacks on Educational Institutions in 2017 Paints Bleak Outlook

The financial services sector and healthcare industry are obvious targets for cybercriminals, but cyberattacks on educational institutions in 2017 have risen sharply. There have been a multitude of cyberattacks on educational institutions in 2017, and February is far from over. The list paints a particularly bleak outlook for the rest of the year. At the current rate, cyberattacks on educational institutions in 2017 are likely to smash all previous records, eclipsing last year’s total by a considerable distance.

Why Have There Been So Many Cyberattacks on Educational Institutions in 2017?

Educational institutions are attractive targets for cybercriminals. They hold large quantities of personal information of staff and students. Universities conduct research which can fetch big bucks on the black market.

While some of the finest minds, including computer scientists, are employed by universities, IT departments are relatively small, especially compared to those at large corporations.

Educational institutions, especially universities, are often linked to government agencies. If hackers can break into a university network, they can use it to launch attacks on the government. It is far easier than direct attacks on government agencies.

Cybersecurity protections in universities are often relatively poor. After all, it is hard to secure sprawling systems and huge networks that are designed to share information and promote free access to information by staff, students and researchers. Typically, university networks have many vulnerabilities that can easily be exploited.

Schools are also often poorly protected due to a lack of skilled staff and funding. Further, many schools are now moving to one-to-one programs, which means each student is issued with either a Chrome tablet or a Windows 10 laptop. More devices mean more opportunities for attack, plus the longer each student is connected to the Internet, the more time cybercriminals have to conduct attacks.

Another problem affecting K12 schools is the age of individuals who are accessing the Internet and email. Being younger, they tend to lack awareness about the risks online and are therefore more susceptible to social engineering and phishing attacks. The data of minors is also much more valuable and can be used for far longer by cybercriminals before fraud is detected.

While college students are savvier about the risks online, they are targeted using sophisticated scams geared to their ages. Fake job offers and scams about student loans are rife.

The threat of cyberattacks doesn’t always come from outside an institution. School, college and university students are hacking their own institution to gain access to systems to change their grades or for sabotage. Students with huge debts may also seek data to sell on the black market to help make ends meet.

While all of these issues can be resolved, much needs to be done and many challenges need to be overcome. It is an uphill struggle, and without additional funding that task can seem impossible. However, protections can be greatly improved without breaking the bank.

Major Cyberattacks on Educational Institutions in 2017

There have been several major cyberattacks on educational institutions in 2017, resulting in huge losses – both financial losses and loss of data. Educational institutions have been hacked by outsiders, hacked by insiders and ransomware attacks are a growing problem. Then there are the email-based social engineering scams that seek the tax information of staff. Already this year there have been huge numbers of attacks that have resulted in the theft of W-2 forms. The data on the forms are used to file fraudulent tax returns in the names of staff.

Notable cyberattacks on educational institutions in 2017 include:

Los Angeles Valley College

One of the most expensive cyberattacks on educational institutions in 2017 was a ransomware infection at Los Angeles Valley College. The attack saw a wide range of sensitive data encrypted, taking its network, email accounts and voicemail system out of action. The systems could not be restored from backups leaving the college with little alternative but to pay the $28,000 ransom demand. Fortunately, valid decryption keys were sent and data could be restored after the ransom was paid.

South Carolina’s Horry County Schools

The Horry County School District serves almost 43,000 students. It too was the victim of a ransomware attack that saw its systems taken out of action for a week, even though the ransom demand was paid. While it would have been possible to restore data from backups, the amount of time it would take made it preferable to pay the $8,500 ransom demand.

South Washington County Schools

Hackers do not always come from outside an organization, as discovered by South Washington County Schools. A student hacked a server and copied the records of 15,000 students onto a portable storage device, although the incident was detected and the individual apprehended before data could be sold or misused.

Northside Independent School District

One of the largest cyberattacks on educational institutions in 2017 was reported by Northside Independent School District in San Antonio, Texas. Hackers gained access to its systems and the records of more than 23,000 staff and students.

Manatee County School District

Manatee County School District experienced one of the largest W-2 form phishing attacks of the year to date. A member of staff responded to a phishing email and sent the W-2 forms of 7,900 staff members to tax fraudsters.

Huge Numbers of W-2 Form Phishing Attacks Reported

This year has seen huge numbers of W-2 form phishing attacks on educational institutions. Databreaches.net has been tracking the breach reports, with the following schools, colleges and educational institutions all having fallen for phishing scams. Each has sent hundreds – or thousands of W-2 forms to tax fraudsters after responding to phishing emails.

  • Abernathy Independent School District
  • Argyle School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Ben Bolt Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independence School District
  • Lexington School District 2
  • Manatee County School District
  • Mercedes Independent School District
  • Mercer County Schools
  • Mohave Community College
  • Morton School District
  • Mount Health City Schools
  • Neosho County Community College
  • Northwestern College
  • Odessa School District
  • Powhatan County Public Schools
  • Redmond School District
  • San Diego Christian College
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginian Wesleyan College
  • Walton School District
  • Westminster College
  • Yukon Public Schools

*List updated June 2017

These cyberattacks on educational institutions in 2017 show how important it is to improve cybersecurity defenses.

If you would like advice on methods/solutions you can adopt to reduce the risk of cyberattacks and data breaches, contact TitanHQ today. TitanHQ offers cost-effective cybersecurity solutions for educational institutions to block email and web-based attacks and prevent data breaches.

Restaurant Malware Attack Results in Theft of More Than 355,000 Credit and Debit Cards

A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arbys.

While there have been numerous instances of credit card fraud reported in the past few days, the Arbys data breach was first identified in January. Industry partners contacted Arbys regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.

The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.

Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arbys has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.

PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.

This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendys suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.

Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.

Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.

Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.

Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.

Beware of Social Media Ransomware Attacks

This month, security researchers have discovered cybercriminals are conducting social media ransomware attacks using Facebook Messenger and LinkedIn. Social media posts have long been used by cybercriminals to direct people to malicious websites containing exploit kits that download malware; however, the latest social media ransomware attacks are different.

According to researchers at CheckPoint Security, the social media ransomware attacks take advantage of vulnerabilities in Facebook Messenger. Images are being sent through Facebook Messenger with double extensions. They appear as a jpeg or SVG file, yet they have the ability to download malicious files including ransomware. The files are understood to use a double extension. They appear to be images but are actually hta or js files.

CheckPoint says “The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.” The report goes on to say “This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” No technical details have been released as CheckPoint claim the vulnerability has yet to be fixed by Facebook.

Earlier this week, security researcher Bart Blaze claimed to have also identified a Facebook Messenger campaign that was allegedly being used to spread Locky ransomware. Blaze said an SVG image was being sent via Facebook Messenger that contained malicious JavaScript code that installed a malware downloader called Nemucod. Nemucod subsequently downloaded Locky. This is also the first time that the actors behind the infamous Locky ransomware are believed to have used Facebook Messenger to spread infections.

Facebook responded to Blaze’s claim saying the problem was not related to Messenger, but involved bad Chrome extensions. Facebook said the problem had been reported to the appropriate parties.

Ransomware Attacks on the Rise

According to the Kaspersky Security Network, ransomware attacks on SMBs have increased eightfold in the past 12 months. The problem is also getting worse. More than 200 ransomware families have now been discovered by security researchers, and new forms of the malicious file-encrypting software are being released on a daily basis.

Any business that is not prepared for a ransomware attack, and has not implemented security software to protect computers and networks, is at risk of being attacked. A recent survey conducted by Vanson Bourne on behalf of SentinelOne showed that 48% of organizations had been attacked with ransomware in the past 12 months. Those companies had been attacked an average of 6 times.

How to Prevent Social Media Ransomware Attacks

Social media ransomware attacks are a concern for businesses that do not block access to social media platforms in the workplace. It is possible to prevent employees from accessing social media websites using WebTitan, although many businesses prefer to allow employees some time to access the sites. Instead of blocking access to Facebook, businesses can manage risk by blocking Facebook Messenger. With WebTitan, it is possible to block Facebook Messenger without blocking the Facebook website.

If WebTitan is installed, webpages that are known to contain malware or ransomware downloaders will be blocked. When individuals link to these malicious websites in social media posts, employees will be prevented from visiting those sites. If a link is clicked, the filtering controls will prevent the webpage from being accessed.

To find out more about how WebTitan can protect your organization from web-borne threats such as ransomware and to register for a free trial of WebTitan, contact the Sales Team today.

Are You Prepared for a Ransomware Attack?

Are You Prepared for a Ransomware Attack?

It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.

While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.

200 Ransomware Families Now Discovered

As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.

The ransomware families have been catalogued by the ID Ransomware Service; part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.

Not only are new ransomware being developed at an unprecedented rate, the latest variants are even sneakier and have new capabilities to avoid detection. They are also more virulent and capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.

More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.

Massive Campaign Spreading New Locky Ransomware Variant

One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributers are also using a variant of techniques to evade detection.

Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.

There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative Europol and the Dutch National Police force, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.

Ransomware Problem Unlikely to Be Solved Soon

Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.

Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.

Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.

Are you Prepared for a Ransomware Attack?

With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation; which can be considerable.

Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.

An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.

Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: Accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption and there is no guarantee that even if the keys are available that they will be sent through.

Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.

With attacks increasing, there is no time to wait. Now is the time to get prepared.

Ranscam Ransomware Shows Why Paying the Ransom Is Never Wise

Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.

The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.

Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.

There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.

Ranscam Ransomware will not Allow Victims to Recover Their Files

Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.

The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – Around $133 at today’s exchange rate.

While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.

Unfortunately for the victims, but the time the ransom note is displayed, the victim’s files have already been deleted. Paying the ransom will not result in the encrypted files being recovered. A decryption key will not be provided because there isn’t one.

Researchers at Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying if payment has been made. The ransomware only simulates the verification process. There is also no process built into the ransomware that will allow a victim’s files to be recovered.

Backup Your Files or Be Prepared to Lose Them

Many ransomware authors have a vested interest in ensuring that a victim’s files can be recovered. If word spreads that there is no chance of recovering encrypted files, any individual who has had their computer infected will not pay the ransom demand. Locky, CryptoWall, and Samsa ransomware may be malicious, but at least the thieves are honorable and make good on their promise. If they didn’t, discovering that files had a locky extension would be a guarantee that those files would be permanently lost.

There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all will be willing – or able to – recover encrypted files.

CryptXXX Crypto-Ransomware Receives an Update

The developers of CryptXXX ransomware have made some updates to the malicious software recently. A new campaign has also been launched which is seeing an increasing number of Joomla and WordPress websites compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.

The latest CryptXXX crypto-ransomware variant no longer changes the extension of files that have been encrypted, instead they are left unchanged.  This makes it more difficult for system administrators to resolve an infection by restoring files from backups, as it is much harder to determine exactly which files have been encrypted.

The ransomware developers have also changed the ransom note that is presented to victims and the Tor address for payment has also been changed. The payment site has been changed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past. The authors have now changed the site to Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims that experience difficulties making the payment, there is no method of contacting the attackers to explain about payment issues.

CryptXXX crypto-ransomware has previously been spread using the Angler exploit kit, although the ransomware is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in PDF reader and Adobe Flash to download CryptXXX.

CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign

WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.

It is unclear how the websites are being infected, although it has been suggested that outdated Joomla and WordPress installations are the most likely way that the attackers are gaining access to the sites, although outdated plugins on the websites could also be used to inject malicious Analytics code. The campaign is being referred to as “Realstatistics” due to the URL that is placed into the PHP template of infected sites.

The latest campaign has also been used to push other ransomware variants on unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate Cryptobit variants that were being pushed as part of the latest Realstatistics campaign. The attackers now appear to be using Cryptobit less and have switched to CryptXXX crypto-ransomware in recent days.

Dangerous New Mac Backdoor Program Discovered

Security researchers at ESET have discovered a dangerous new Mac backdoor program which allows attackers to gain full control of a Mac computer. Mac malware may be relatively rare compared to malware used to infect PCs, but the latest discovery clearly demonstrates that Mac users are not immune to cyberattacks. The new OS X malware has been dubbed OSX/Keydnap by ESET. This is the second Mac backdoor program to be discovered in the past few days.

OSX/Keydnap is distributed as a zip file containing an executable disguised as a text file or image. If the file is opened, it will download the icloudsyncd backdoor which communicates with the attackers C&C via the Tor network. The malware will attempt to gain root access by asking for the users credentials in a pop up box when an application is run. If root access is gained, the malware will run each time the device is booted.

The malware is capable of downloading files and scripts, running shell commands, and sending output to the attackers. The malware is also able to update itself and also exfiltrates OS X keychain data.

Second Mac Backdoor Discovery in Days

The news of OSX/Keydnap comes just a matter of hours after security researchers at Bitdefender announced the discovery of another Mac backdoor program called Eleanor. Hackers had managed to get the Backdoor.MAC.Eleanor malware onto MacUpdate. It is hidden in a free downloadable app called EasyDoc Converter.

EasyDoc Converter allowed Mac users to quickly and easily convert files into Word document format; however, rather than doing this, the app installed a backdoor in users’ systems. Infections with Eleanor will be limited as the app does not come with certificate issued to an Apple Developer ID. This will make it harder for many individuals to open the app.

However, if users do install the app, a shell script will be run that will check to see if the malware has already been installed and whether Little Snitch is present on the device. If the Little Snitch network monitor is not installed, the malware will install three LaunchAgents together with a hidden folder full of executable files used by the malware. The files are named to make them appear as if they are dropbox files.

The LaunchAgents open a Tor hidden service through which attackers can communicate with a web service component, which is also initiated by the LaunchAgents. A Pastebin agent is also launched which is used to upload the Mac’s Tor address to Pastebin where it can be accessed by the attackers. The Mac backdoor program can reportedly be used for remote code execution, to access the file system, and also to gain access to the webcam.

Hospital Legacy System Security Vulnerabilities Being Exploited to Gain Access to Health Data

Cybercriminals are taking advantage of hospital legacy system security vulnerabilities and are installing malware on medical devices such as blood gas infusers. The malware is used to steal data or launch attacks on other parts of healthcare networks. Specialist devices operating on hospital legacy systems are being attacked with increasing frequency and, in many cases, the attacks are going undetected for long periods of time. Once malware has been installed on the devices, hackers are able to conduct attacks from within the network.

The malware allows attackers to download a range of tools that serve as backdoors. They are able to move freely around the network and search for data. Many hospitals are completely unaware that their networks have been compromised and that they are under attack. When the attack is finally identified, it is often too late and data has already been stolen.

The Risk of Hospital Legacy System Security Vulnerabilities Being Exploited is Considerable

In the past few days, researchers at TrapX Security have issued an update to a security report that was first released last year. In 2015, TrapX Security warned of the risk of medical devices being targeted by cybercriminals and of hospital legacy system security vulnerabilities being exploited.

The company’s researchers explained that many healthcare providers had been attacked via their medical devices and warned that additional protections needed to be put in place to prevent the devices from being used to gain access to otherwise secure networks. Security researchers call the attack vector MEDJACK – short for medical device hijack.

Medical devices often run on hospital legacy systems which cannot be changed or updated. Hospital legacy systems security vulnerabilities are often allowed to go unpatched. Hospitals have addressed some of these vulnerabilities and have implemented a host of new security controls to block attacks and detect malware. However, TrapX Security has reported that cybercriminals are managing to bypass these new security controls using old malware.

Old Malware Being Used to Gain Access to Healthcare Data

Researchers have discovered that security software is failing to identify the threat from old malware. These old malware variants may not be effective against the latest operating systems which have had the vulnerabilities that they exploit plugged. However, they are still effective against hospital legacy systems.

The researchers discovered that some attackers had used the MS08-067 worm which exploits vulnerabilities in early versions of Windows. The vulnerabilities were addressed in Windows 7 and the worm is no longer considered a security risk. Even if security software detects the worm, since it is not believed to pose a risk it is either not flagged or the security alert is ignored. However, medical devices are vulnerable if they run on older operating systems. Attackers have also embedded highly sophisticated tools in the worm. Even if the threat is detected, security software does not recognize that the risk of attack is actually high.

TrapX Security has warned that these infections are going undetected for long periods of time due to a lack of security on medical devices or the operating systems on which they run. Consequently, attackers can steal sensitive medical data over long periods of time. Unfortunately, once a backdoor has been installed, it can difficult to detect. Many security systems do not scan medical devices for malware and lateral movement within the network is similarly difficult to detect.

To prevent attacks on medical devices, healthcare organizations should, as far as is possible, isolate the devices and only run them inside a secure network zone. That zone should be protected by an internal firewall, and the devices should not be accessible via the Internet. If patches and updates are available, they should be installed to address hospital legacy system security vulnerabilities. If medical devices cannot be updated and have reached end-of-life, they should be retired and replaced with devices that have the necessary protections to prevent device hijacking.

New Angler Exploit Kit Update Confirms Need for Web Filtering Software

Researchers at FireEye have reported that the Angler Exploit Kit has been updated and that it is now capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protection – the first time this behavior has been observed in the wild.

Angler Exploit Kit Could be Used to Deliver any Malicious Payload

The Angler exploit kit is being used to exploit vulnerabilities in Silverlight and Adobe Flash plug-ins. If vulnerabilities are found, Angler downloads its malicious payload: TeslaCrypt ransomware. Teslacrypt was closed down a few weeks ago and the authors released a universal decryption key that can unlock all infections. Anti-virus firms have since developed tools that can be used to remove TeslaCrypt infections. However, it is probable that the Angler exploit kit will be updated to deliver other malicious payloads for which there is no known fix. Many distributors of TeslaCrypt have already transitioned to CryptXXX.

Currently EMET protections are only being bypassed on devices running Windows 7, although it is probable that attackers will soon develop EMET bypasses that work on more recent versions of Windows. That said, updating to later versions of Windows will help organizations improve their security posture. If an upgrade is not possible or practical, sys admins should ensure that patches are applied promptly. If possible, ActiveX should also be disabled as should Flash and Silverlight plugins. Uninstalling unnecessary software and disabling plugins will reduce the attack surface.

EMET was developed to prevent malicious actors from exploiting memory corruption vulnerabilities, and while this has proved effective at some preventing attacks, the bypass shows that Microsoft’s protection is not 100% effective. While EMET can be used to reduce the risk of ransomware and other malware infections, system admins should not rely on EMET alone. Multi-layered security defenses should be employed to keep networks protected, as this bypass clearly shows. It is still essential to use anti-virus and anti-malware software and to keep definitions up to date.

While efforts can be made to prevent exploit kits from taking advantage of vulnerabilities in plugins, enterprises can reduce risk further by stopping end users from visiting websites known to host exploit kits. By implementing a web filtering solution and restricting access to certain categories of website, enterprises can greatly enhance their security posture.

Upgrade to Windows 10 to Avoid Ransomware Worm, Says Microsoft

Microsoft has recently given Windows users a new incentive to upgrade to Windows 10: A ransomware worm called ZCryptor. The new ransomware variant exhibits worm-like capabilities and is able to self-replicate and infecting multiple devices. The malicious file-encrypting software infection will not be prevented by upgrading to the latest version of Windows, although additional protections are included in the Windows 10 release to make infection more difficult.

The new ransomware variant, called ZCryptor.A, is primarily distributed via spam email messages containing malicious macros, although the Microsoft security advisory indicates the ransomware worm is also installed via fake installers such as those claiming to update Adobe Flash to the latest version.

If ZCryptor is installed, the ransomware searches for removable drives and installs an autorun.inf file on the device. When the drive is disconnected and connected to another computer, the ransomware is able to spread, infecting a new machine.

The ZCryptor ransomware worm is capable of encrypting 88 different file types according to the Microsoft advisory, although some samples have been detected that are capable of infecting as many as 121 different files types.

Once installed, the ransomware generates a fake Windows alert indicating a removable drive cannot be detected. The pop-up will continue to be displayed while the ransomware is running and is communicating with its command and control server. The purpose of the pop-up is unclear, although presumably this is generated to prompt the user to disconnect the drive. This could be a ploy to get the victim to connect the removable drive to a different computer thus spreading the infection.

The ransomware worm displays an HTML window explaining that all personal files on the computer have been encrypted. A ransom demand of 1.2 Bitcoin is demanded ($500) for the decryption key to unlock the infection. Victims are given 4 days to pay the ransom or the ransom demand increases to 5 Bitcoin. The attackers claim that after 7 days the unique decryption key will be permanently destroyed, and all encrypted files will remain permanently locked.

While anti-virus software developers have been able to find vulnerabilities in a number of other ransomware variants and develop fixes, no known fix currently exists for a ZCryptor infection. Victims will either have to restore all of their files from a backup or will have to pay the ransom. Of course, there is no guarantee that the attackers will make good on their promise and will supply a valid decryption key.

Ransomware Worm Represents Next Stage of Malware Development

Many organizations now employ web filtering solutions such as WebTitan to block malicious URLs containing exploit kits. By blocking these attack vectors, it is becoming harder for cybercriminals to infect computers.

Spam filters have similarly been developed to be much more efficient and effective at blocking malicious spam email. SpamTitan now blocks 99.97% of spam, making it much harder for malicious attachments and links to reach end users.

Due to the improved cybersecurity protections in place in many organizations, ransomware developers have had to develop new methods to spread infections. The development of ransomware that exhibits worm-like behavior does not come as a surprise. Security researchers believe that these ransomware worms are likely to become much more common and that self-propagating ransomware and malware will soon become the norm.

DMA Locker Ransomware: Flaws Fixed and Widespread Attacks Expected

After the recent news that TeslaCrypt has been decommissioned comes a new highly serious threat: DMA Locker ransomware.

Malwarebytes has recently reported that DMA Locker ransomware, which is now in its 4th incarnation – could pose a significant threat to businesses and individuals over the coming weeks. Version 4 of the ransomware has already been added to the Neutrino exploit kit and is currently being distributed. Malwarebytes expects DMA Locker ransomware attacks to become much more widespread.

Spate of DMA Locker Ransomware Attacks Expected

DMA Locker ransomware was first seen in the wild in January of this year, yet the malicious file-encrypting malware posed little threat in its early forms, containing numerous flaws that allowed security companies to develop decryption tools.

The early forms of DMA Locker ransomware were capable of encrypting files offline and did not used a command and control server. When files were encrypted, the key to unlock the encryption was stored on the device. This allowed the malware to be reverse engineered to crack the encryption.

A new version of the ransomware was released a month later, yet it used a weak random generator and it was a relatively easy task to guess the AES key. A couple of weeks later saw the release of version 3, which saw previous flaws corrected by the authors.

However, version 3 of DMA Locker ransomware contained another flaw. While it was not possible to decrypt locked files without a decryption key, the attackers used the same key for the entire campaign. If a business had multiple infections, only one key would need to be purchased. That key could then be posted online and be used by other victims.

However, this month version 4 was released. The latest version corrects the issues with version 3 and uses a separate key for each infection. The ransomware also communicates with a command and control server and cannot work offline.

Infection with early versions of the ransomware occurred via compromised remote desktop logins – or logins that were easily guessed. Consequently, the number of recorded infections remained low. However, the latest version has been added to exploit kits which take advantage of vulnerabilities in browsers making silent drive-by downloads of the ransomware possible. This makes attacks much more likely to occur.

The ransomware is potentially highly serious, encrypting a wide range of file types. Many ransomware strains only encrypt specific file types. TeslaCrypt for example was developed to attack gamers, and encrypted saved game files and files associates with Steam accounts. DMA Locker does not search for specific files, and instead encrypts everything that is not in its whitelist of file extensions. It is also capable of encrypting files on network drives, not just the computer on which it has been downloaded.

To prevent attacks, businesses should use web filtering software to block users visiting sites containing exploit kits and stop command and control server communications. Regular backups should also be performed and files stored on air-gapped drives. In case of attack, files can then be recovered without paying the ransom.

Dridex Botnets Being Leveraged to Deliver Cerber Ransomware

The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting software have leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users’ devices.

Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye noticed a massive increase in infections in recent weeks. Initially, Cerber ransomware infections occurred as a result of visiting malicious websites hosting the Nuclear or Magnitude exploit kits. Nuclear and Magnitude probe visitors’ browsers for a number of zero day vulnerabilities, although infections primarily occurred by exploiting a vulnerability in Adobe Flash (CVE-2016-1019). Now the ransomware is being installed via infected files sent via spam email.

Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.

Massive Increase in Cerber Ransomware Infections Discovered in April

The number of infections remained relatively low since the discovery of the new ransomware earlier this year; however, there was a massive spike in infections around April 28 according to FireEye. The ransomware was being downloaded using Microsoft Word macro downloaders.

The attached files are usually disguised as invoices, receipts, or purchase orders, while the emails – written in English – urge the user to open the attachment. If macros are enabled on the computer a VBScript will be installed in the victim’s %appdata% folder. If macros are not enabled users will be prompted to enable them in order to view the contents of the file. Doing so will guarantee infection.

Once installed, the script performs a check to determine whether the infected computer has an Internet connection by sending an HTTP request to a website. If an Internet connection is present, the script will perform a HTTP Range Request, that will ultimately result in the final stage of the infection. FireEye reports the technique has previously been used to deliver the financial Trojans Dridex and Ursnif.

Cerber has been configured to encrypt Word documents, emails, and Steam gaming files, which are given a “.cerber” extension. To unlock the encryption, the victims are told to visit one of a number of websites with the domain “decrypttozxybarc”. Further instructions are then provided on how to unlock the encryption, although a Bitcoin ransom must first be paid. In addition to encrypting files, Cerber ransomware adds the victim’s computer to a spambot network.

The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, victims’ files will be encrypted. To prevent infection, it is important to have macros disabled and to be extremely cautious about opening email attachments, and never to open files deliver via email from an unknown sender. The decrypttozxybarc domain should also be added to web filter blacklists.

How to Block Exploit Kits and Keep your Network Protected

Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.

The website was attacked using JavaScript, which loaded the site with the angler exploit kit. The exploit kit searches for a wide range of browser plugin vulnerabilities that can be exploited. A malware dropper called Bedep is then used to install the ransomware.

Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pat the attackers for an encryption. Fortunately, in this case there is an easy fix for a CryptXXX infection. The ransomware-encrypted files can be decrypted for free according to Kaspersky Lab. However, there are many malicious strains of ransomware that are not so easy to remove.

While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.

CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.

How to Block Exploit Kits from Downloading Malware

To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage in security vulnerabilities in a wide range of plugins, although commonly vulnerabilities in Flash and Java are exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both platforms. Cybercriminals are quick to take advantage. As soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine that contains an out-of-date plug in is at risk of attack.

It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.

A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!

A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.

Risk of Phishing Attacks and Ransomware Infections Highlights Need for Web Filtering Software

The risk of phishing attacks has increased considerably over the past 12 months, according to a new data breach report from Verizon. Ransomware attacks are also on the rise. The two are often used together to devastating effect as part of a three-pronged attack on organizations.

Firstly, cybercriminals target individual employees with a well-crafted phishing campaign. The target is encouraged to click a link contained in a phishing email which directs the soon-to-be victim to a malicious website. Malware is then silently downloaded to the victim’s device.

The malware logs keystrokes to gain access to login credentials which allows an attacker to infiltrate email accounts and other systems. Infections are moved laterally to compromise other networked devices. Stolen login credentials are then used to launch further attacks, which may involve making fraudulent bank transfers or installing ransomware on the network.

The Risk of Phishing Attacks is Growing

Verizon reports that due to the effectiveness of phishing and the speed at which attackers are able to gain access to networks, the popularity of the technique has grown substantially. In years gone by, phishing was a technique often used in nation-state sponsored attacks on organizations. Now there is a high risk of phishing attacks from any number of different players. Even low skilled hackers are now using phishing to gain access to networks, steal data, and install malware. Out of the nine different incident patterns identified by the researchers, phishing is now being used in seven.

Phishing campaigns are also surprisingly effective. Even though many companies now provide anti-phishing training, attempts to educate the workforce to minimize the risk of phishing attacks is not always effective. The 2016 Verizon data breach report suggests that when phishing emails are delivered to inboxes, 30% of end users open the emails. In 2015 the figure was just 23%. Rather than employees getting better at identifying phishing emails they appear to be getting worse. Even worse news for employers is 13% of individuals who open phishing emails also double click on attached files or visit the links contained in the emails.

Ransomware Attacks Increased 16% in a Year

Ransomware has been around for the best part of a decade although criminals have favored other methods of attacking organizations. However, over the past couple of years that has changed and the last 12 months has seen a significant increase in ransomware attacks on businesses. According to the data breach report, attacks have increased by 16% in the past year. As long as companies pay attackers’ ransom demands attacks are likely to continue to increase.

How Can Web Filtering Software Prevent Ransomware Infections and Reduce the Risk of Phishing Attacks

Defending a network from attack requires a wide range of cybersecurity defenses to be put in place. One of the most important defenses is the use of web filtering software. A web filter sits between end users and the Internet and controls the actions that can be taken by end users as well as the web content they are allowed to access.

A web filter can be used to block phishing websites and malicious sites where drive-by malware downloads take place. Web filtering software can also be configured to block the downloading of files typically associated with malware.

Training employees how to avoid phishing emails can be an effective measure to reduce the risk of phishing attacks, but it will not prevent 100% of attacks, 100% of the time. When training is provided and web filtering software is used, organizations can effectively manage phishing risk and prevent malware and ransomware infections. As phishing attacks and ransomware infections are on the increase, now is the ideal time to start using web filtering software.

Popularity of Ransomware-As-A-Service Increasing

The recent rise in ransomware infections has been attributed to the proliferation of ransomware-as-a-service, with many malicious actors now getting in on the act and sending out spam email campaigns to unsuspecting users.

Ransomware-as-a-Service Proliferation is a Major Cause for Concern

The problem with ransomware-as-a-service is how easy it is for attackers with relatively little technical skill to pull off successful ransomware attacks. All that is needed is the ability to send spam emails and a small investment of capital to rent the ransomware. The malicious software is now being openly sold as a service on underground forums and offered to spammers under a standard affiliate model.

The malware author charges a nominal fee to rent out the ransomware, but takes a large payment on the back end. Providers of ransomware-as-a-service typically take a cut of 5%-25% of each ransom. Spammers get to keep the rest. Renters of the malicious software cannot access the source code, but they can set their own parameters such as the payment amount and timescale for paying up.

SMBs Increasingly Targeted by Attackers

While individuals were targeted heavily in the past and sent ransom demands of around $400 to $500 to unlock their family photographs and other important files, attackers and now extensively targeting businesses. Often the same model is used with a fee charged by the attackers per install.

When an organization has multiple devices infected with ransomware the cost of remediation is considerable. One only needs to look to Hollywood Presbyterian Medical Center to see how expensive these attacks can be. The medical center was forced to pay a ransom of $17,000 to unlock computers infected with ransomware, in addition to many man-hours resoling the infection once the encryption keys had been supplied. Not to mention the cost of reputation damage and clearing the backlog due to the shutting down of its computers for over a week.

Warning Issued About the Insider Ransomware Threat

As if the threat from ransomware was not enough, researchers believe the situation is about to get a whole lot worse. Ransomware-as-a-service could be used by a malicious insider to infect their own organization. With insider knowledge of the locations and types of data critical to the running of the business, an insider would be in the best position to infect computers.

Insiders may also be aware of the value of the data and the cost to the business of losing data access. Ransoms could then be set accordingly. With payments of tens of thousands of dollars possible, this may be enough to convince some employees to conduct insider attacks. Since finding hackers offering ransomware-as-a-service is not difficult, and network access has already been gained, insiders may be tempted to pull off attacks.

To counter the risk of insider ransomware attacks businesses should develop policies to make it crystal clear to employees that attackers will be punished to the full extent of the law. Software solutions should be put in place to continuously monitor for foreign programs installed on networks and network privileges should be restricted as far as is possible. Employees should have their network activities monitored and suspicious activity should be flagged and investigated. It is not possible to eliminate the risk of insider attacks, but it is possible to reduce risk to a minimal level.

Shadow IT Risk Highlighted By New Malware Discovery: 12 Million Machines Infected

IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices. However, this has been clearly illustrated this week following the discovery of a new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.

Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions

Many users are frustrated by the speed of their PC and download tools that will help to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse. The software may perform various nefarious activities.

It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.

The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.

By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.

So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs.

Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.

By allowing the malware to run, researchers discovered it installed System Healer – another Tito4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince the users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.

The Shadow IT Risk Should Not Be Underestimated

The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that does to such lengths to detect the environment in which it is run and avoid detection is a serious concern.

Organizations should take steps to reduce Shadow IT risk and prevent installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solution should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations and actions taken against individuals who break the rules.

Servers Running Destiny Library Management System Installed with Backdoors

K-12 schools in the United States have been put on alert after it was discovered that backdoors have been installed on a number of servers running Follet’s Destiny Library Management System. More than 60,000 schools in the United States use Destiny to track school library assets, a number of which now face a high risk of cyberattack.

A security vulnerability in the JBoss platform has recently been used to launch attacks on a number of organizations in the United States. The vulnerability has allowed malicious actors to gain access to servers and install ransomware. The main targets thus far have been hospitals, including Baltimore’s Union Memorial which was infected as a result of a ransomware attack on its parent organization MedStar. The attackers gained access to servers at MedStar and used SamSam ransomware to lock critical files with powerful encryption. The discovery of the ransomware resulted in the forced shutdown of MedStar’s EHR and email causing widespread disruption to healthcare operations.

Over 2000 Backdoors Discovered to Have Been Installed on Servers Running JBoss

Since the attack took place, Cisco’s Talos security team has been scanning the Internet to locate servers that are vulnerable via the JBoss security vulnerability. Earlier this week Talos researchers discovered 3.2 million servers around the world are vulnerable to attack. However, there is more bad news. Attackers have already exploited the security vulnerability and have installed backdoors in thousands of servers. In some cases, multiple backdoors have been installed by a number of different players by dropping webshells on unpatched servers running JBoss. 2,100 backdoors were discovered and 1,600 IP addresses have been affected.

Hospitals have been targeted as they hold a considerable volume of valuable data which are critical to day to day operations. If attackers are able to lock those files there is a high probability that the hospitals will be forced to pay a ransom to unlock the encryption. Hollywood Presbyterian Medical Center had to pay a ransom of $17,000 to unlock files that had been encrypted in a ransomware attack. Schools are also being targeted.

Poor patch management policies are to blame for many servers being compromised. The JBoss security vulnerability is not new. A patch was issued to correct the vulnerability several years ago.  If the patch had been applied, many servers would not have been compromised. However, some organizations, including many schools, are not able to update JBoss as they use applications which require older versions of JBoss.

Destiny Library Management System Vulnerabilities Addressed With A New Patch

A number of schools running Destiny Library Management System were discovered to have been compromised by attackers using the JexBoss exploit to install backdoors, which could be used to install ransomware. Follett discovered the problem and has now issued a patch to address the security vulnerability and secure servers running its Destiny Library Management System. The patch plugs security vulnerabilities in versions 9.0 to 13.5, and scans servers to identify backdoors that have been installed. If non-Destiny files are discovered they are removed from the system.

Any school using the Destiny Library Management System must install the patch as a matter of urgency. If the Destiny Library Management System remains unpatched, malicious actors may take advantage and use the backdoors to install ransomware or steal sensitive data.

Symantec’s Internet Security Threat Report Shows Major Increase in Online Threats

Symantec’s 2016 Internet security threat report has revealed the lengths to which cybercriminals are now going to install malware and gain access to sensitive data. The past 12 months has seen a substantial increase in attacks, and organizations are now having to deal with more threats than ever before.

Internet Security Threat Report Shows Major Increases in Ransomware, Malware, Web-borne Threats and Email Scams

The new Internet Security Threat Report shows that new malware is being released at a staggering rate. In 2015, Symantec discovered over 430 million unique samples of malware, representing an increase of 36% year on year. As Symantec points out, “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”

A new zero-day vulnerability is now being discovered at a rate of one per week, twice the number seen in 2014 and 2013. In 2015, 54 new zero-day vulnerabilities were discovered. In 2014 there were just 24 zero-day exploits discovered, and 23 in 2013.

The 2016 Internet Security Threat Report puts the total number of lost or stolen computer records at half a billion, although Symantec reports that organizations are increasing choosing to withhold details of the extent of data breaches. The breach may be reported, but there has been an 85% increase in organizations not disclosing the number of records exposed in breaches.

Ransomware Attacks Increased 35% in 2015

Ransomware is proving more popular than ever with cybercriminal gangs. In 2015, ransomware attacks increased by 35%. The upward trend in 2015 has continued into 2016. Spear phishing attacks have also increased. While these attacks are often conducted on large organizations, Symantec reports that spear phishing attacks on smaller companies – those with fewer than 250 employees – have been steadily increasing over the past five years. In 2015, spear phishing attacks increased by a staggering 55%.

Cybercriminals may now be favoring phishing attacks and zero-day exploits over spam email scams, but they still pose a major risk to corporate data security. There has also been a rise in the number of software scams. Scammers are getting consumers to purchase unnecessary software by misreporting a security problem with their computer. Symantec blocked 100 million fake technical support scams last year.

75% of Websites Found to Contain Exploitable Security Vulnerabilities

One of the most worrying statistics from this year’s Internet Security Threat Report is over 75% of websites contain unpatched security vulnerabilities which could potentially be exploited by hackers. Even popular websites have been found to contain unpatched vulnerabilities. If attackers can compromise those websites and install exploit kits, they can be used to infect millions of website visitors. Simply being careful which sites are visited and only using well known sites is no guarantee that infections are avoided.

With the dramatic increase in threats, organizations need to step up their efforts and improve cybersecurity protections. Failure to do so is likely to see many more of these attacks succeed.

FBI Seeks Help To Deal With Enterprise Ransomware Threat

In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (AKA Samas/Samsam/Samsa), but a recent confidential advisory was obtained by Reuters, in which the FBI asked U.S. businesses and the software security community for help to deal with the growing enterprise ransomware threat from MSIL.

The new ransomware is particularly nasty as it is capable of infecting networks, not just individual computers. In February, the FBI alert provided details of the new ransomware and how it attacked systems by exploiting a vulnerability in the enterprise JBoss system. Any enterprise running an outdated version of the software platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.

Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.

Recent high profile attacks on healthcare organizations and law enforcement have resulted in ransoms being paid to attackers in order to unlock ransomware infections. Oftentimes there is no alternative but to pay the ransom demand in order to recover data. However, paying ransoms simply encourages more attacks.

The Enterprise Ransomware Threat is Now at A Critical Level

Ransomware is not new, but the methods being used by cybercriminals to infect systems is more complex as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.

The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.

Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware and blocking spam email is no longer sufficient to deal with the problem. MSIL attacks are being conducted by exploiting vulnerabilities in enterprise software systems, end users are being fooled into installing ransomware with social engineering techniques, drive by downloads are taking place and the malicious file-encrypting software is also being sent via spam email.

How to Protect Against Enterprise Ransomware Attacks

The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.

Some of the best protections include:

  • Ensuring all software is kept up to date and patches are installed promptly
  • Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
  • Backing up all systems frequently to ensure data can be restored in the event of an attack
  • Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
  • Disabling macros on all computers
  • Using web filtering solutions to prevent drive-by downloads and block malicious websites
  • Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered

AceDeceiver iPhone Malware Attacks Non-Jailbroken Phones

AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.

Malware Exploits Apple DRM Vulnerability

Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet the act can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them. Most iPhone malware are only capable of attacking jailbroken phones. However, AceDeceiver is different.

The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.

Users that have installed a software tool called Aisi Helper to manage their IPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.

The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.

The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter in their AppleID and password and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, they have not been able to determine why the attackers are collecting the data.

AceDeceiver Malware Attacks Non-Jailbroken iPhones

Protecting against AceDeceiver iPhone malware would appear to be simple. Don’t install Aisi Helper. However, that is only one method of delivery of AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App store. The three wallpaper apps managed to get around Apple’s code reviews initially to allow them to be made available on the Apple App store. They also passed subsequent code reviews.

Once Apple was made aware of the malicious apps the company removed from the App store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once. They do not need to be available for download in order for them to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.

AceDeceiver iPhone Malware Attack Method Likely to be Copied

Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believe the attack technique is likely to be copied and used to spread new malware to iPhone users.

New Data-Stealing USB-Based Malware Discovered

A new USB-based malware has recently been discovered that poses a serious security risk to enterprises. While USB-based malware is not new, the discovery of Win32/PSW.Stealer.NAI – also known as USB Thief – has caused particular concern.

New USB-Based Malware Leaves No Trace of Infection or Data Theft

The malware is only transmitted via USB drives and leaves no trace of an attack on a compromised computer. Consequently, it is incredibly difficult to detect. The malware is capable of stealing and transmitting data, yet users will be unaware that their data has been being stolen.

The new USB-based malware was recently discovered by security firm ESET. The discovery stands out because the USB-based malware is quite different to other malware commonly used by cybercriminals to steal data.

For a start, the malware has been designed not to be copied and can only be spread via USB devices. The malware derives its key from the USB drive’s device ID, and is bound to the specific portable drive on which it has been installed. If the malware is copied to another drive it will not run because it uses file-names that are specific to each copy of the malware. This means the malware cannot spread and infect systems other than those it is being to attack.

The malware also uses multi-staged encryption that is also bound to the USB drive, which ESET says makes it exceptionally difficult to detect and analyze.

Malware Capable of Attacking Air-Gapped Computers

Many organizations make sure sensitive data is not exposed by not connecting computers to the Internet. However, while air-gaps are an effective protection against most malware attacks, they do not protect against USB-based malware. USB Thief can be used to steal data from air-gapped computers and once the infected USB drive has been disconnected there will be no trace left that any data have been stolen.

It has been hypothesized that the malware has been created to be used in targeted attacks on specific companies in order to steal proprietary enterprise data. ESET has warned that while the USB-based malware is being used only as a data stealer, attackers could tweak the malware to deploy any other malicious payload. This means that the malware could be used to sabotage systems.

ESET reports that the USB-based malware has been used to target companies in Africa and Latin America and warned that detection rates are particularly low. No information has been released to indicate which industries are being targeted with the malware at this point in time.

USB-based malware has previously been used in state-sponsored attacks on organizations. Stuxnet was also used to attack air-gapped systems, predominantly in the Middle East. However, Stuxnet inflected collateral damage as it was capable of self-replicating. It was therefore rapidly picked up and analyzed and action was rapidly taken to block infections.

In this case, the USB-based malware cannot be copied so it is unlikely to spread outside of a targeted system. It is likely to remain incredibly difficult to detect. USB Thief appears to have been extensively tested. Since there is a possibility that it can be identified by G Data and Kaspersky Lab anti-virus solutions, USB Thief performs a quick check to see if those anti-virus solutions are installed. If they have the malware will not run.

Preventing USB-Based Malware Attacks

Disabling autorun for USB drives will have no effect on USB Thief. The USB-based malware does not rely on being automatically run when plugged into a computer. Instead it is inserted into the files of portable applications often stored on USB drives, such as Firefox, TrueCrypt, and NotePad++. When these applications are run, USB Thief will run in the background.

It is possible to take precautions to prevent an attack by disabling USB ports. Even though there is a high risk of infection from an unknown USB drive, many individuals that find USB drives plug them straight into their computers. Staff should therefore be instructed never to plug in a USB drive from an unknown source.

Microsoft Makes it Easier to Block Malicious Word Macros in Office 2016

System administrators that do not block malicious Word macros in Office 2016 could be making it far too easy for hackers to compromise their networks. Malicious Word macros are nothing new, but in recent months they have been increasingly been used to deliver ransomware and other nasty malware.

Macros Used in 98% of Office-related Enterprise Malware Attacks

It is common knowledge that executable files are used to deliver malware. Many companies implement a web filter to prevent the downloading of executable files by end users, and spam filters are often configured to prevent attached .exe files from being delivered.

Screensaver files (.SCR) are also commonly used to deliver malware and these too are often blocked by security solutions. Blocking other file types commonly used by attackers, such as batch files (.bat) and compressed files (.zip) can also help to reduce the risk of a malware infection. For the majority of enterprise end users, these files can be blocked without affecting workflows.

However, it is not practical prevent Word documents and other Office files from being emailed or shared. These file types are used by most workers on a day to day basis. They are also being extensively used to deliver malware. According to figures released by Microsoft, office document macros are used in 98% of Office-related attacks on enterprises.

Fail to Block Malicious Word Macros in Office 2016 at your Peril!

There have been a number of recent cases of ransomware being installed after enabling Word macros. Hackers can add malicious scripts to Word macros and install malware without rousing too much suspicion. Word documents are often trusted not to be malicious by many end users.

After a rise in the use of macros to deliver computer viruses, Microsoft made a change to automatically disable macros in Word by default. Opening a Word document therefore required users to manually enable macros before they could be run.

The use of macro viruses went into rapid decline after this security measure was introduced because macros ceased to be a particularly effective method of malware delivery. That was about a decade ago.

However, recently there has been a surge in the use of embedded VBA scripts to deliver malware. Even when system administrators block malicious Word macros in Office 2016 it does not prevent infection. End users are enabling macros in order to open Word documents after being convinced to do so by attackers.

Enterprise end users are sent spam emails containing infected Word documents and are fooled into enabling macros in order to view the documents. When end users open the infected files they are presented with a warning message saying the content of the document cannot be viewed without first enabling macros. The end user does just that, and the malicious VBA script is run. That script then opens a connection to the hackers C&C server and malware is downloaded to the user’s device.

IT departments can conduct training and tell end users to never enable macros, but sooner or, later, one individual will ignore that advice and will inadvertently install malware. Many businesses use macros in their office files, so blocking them from running is simply not an option. So how can businesses block malicious Word macros in Office 2016 without having to stop using macros in documents altogether? Fortunately, Microsoft has come up with a cunning solution.

Microsoft Makes It Easier to Block Malicious Word Macros

Microsoft has responded to the wave of malicious macro attacks by developing a better solution than the one introduced more than a decade ago. A new setting has been added to make it possible to block malicious Word macros in Office 2016 while still being able to use genuine macros. The good news for system administrators is the settings cannot be bypassed by end users who think they know better than their IT department.

System administrators can now apply a group setting that will block macros in Office files that have been obtained from the Internet zone. Microsoft’s definition of the Internet zone includes documents attached to emails that have been sent from outside an organization, as well as documents obtained from cloud storage providers such as Google Drive and Dropbox and from file sharing websites.

Opening and attempting to run macros from these sources will result in a warning being presented to the user saying their system administrator has blocked macros for security reasons. They will not be given the option of bypassing those settings and running the macros. The new setting can be found in the Microsoft Trust Center in the security settings of Word.

Fileless Malware is Being Installed Using Microsoft Word Macros

Palo Alto Networks has discovered a new spam email campaign that is being used to spread fileless malware via malicious Microsoft Word macros sent as email attachments.

What is Fileless Malware?

Fileless malware, or memory-resident malware, is most commonly associated with drive-by malware attacks via malicious websites. The malware resides in the RAM and is never installed on the hard drive of an infected machine, which means it is difficult to detect because anti-virus software does not check the memory.

Memory-resident malware has not been favored by attackers until recently, as infections do not survive a reboot. However, some fileless malware such as Poweliks uses the registry to ensure persistence. Memory-resident malware is often used to spy on computer activity and record keystrokes.

PowerSniff Fileless Malware Rated as High Threat

The spam email campaign discovered by Palo Alto uses Microsoft Word macros to install the malware. When infected Word documents are opened, malicious macros execute PowerShell scripts and fileless malware is injected into the memory. In the latest case, the malware bears some resemblance to Ursnif malware. Palo Alto call the latest variant PowerSniff.

To date, over 1500 spam emails have been observed by Palo Alto. The emails are not sent out using mass spam email campaigns, but appear to be targeted and include data highly specific to the target. The emails contain the users first name for instance, along with an address or telephone number to make the target believe the email is genuine.

The subject lines and file names used in the emails differ from individual to individual. All of the emails contain an infected Word file along with some pressing reason for the individual to open the document. This can include invoices that urgently need to be paid, details of payments that have not gone through, gift vouchers that needs to be claimed, or reservations that must be confirmed.

The attacks are primarily being conducted on targets in the United States and Europe. The targets are mostly in the professional, hospitality, manufacturing, wholesale, energy, and high tech industry sectors.

The malware is capable of checking if is in a sandbox or virtualized environment, and performs reconnaissance on the victim host. According to Palo Alto researchers, the malware is sniffing out machines that are used for financial transactions, searching for strings such as POS, SALE, SHOP, and STORE. The malware actively avoids machines that are used in the healthcare and education sectors, searching for strings such as nurse, health, hospital, school, student, teacher, and schoolboard and marking these as being of no interest.

Palo Alto has rated the malware a high threat, with activity widespread in the past week. To protect against this type of attack, and others using malicious Word macros, it is essential that macros are automatically disabled in Microsoft Word. Users should deny any request to run macros if they accidentally open an email attachment.

Oman TLD Being Exploited By Typosquatters Pushing Genieo Adware

Websites are being registered on Oman’s top level domain by typosqautters looking to capitalize on mistakes made by Mac users and push Genieo adware. The .om domain is intended to catch out Mac users who type quickly and miss out the c when typing .com website addresses.

Typosquatting is the registration of domain names with transposed or missed letters in an attempt to cash in on traffic intended for other websites. Goole.com being a good example. The site has been registered and uses an Ask Jeeves search bar to provide search engine functions to bad typists. The website has been reported to attract 1000 visitors a day, the vast majority of which have mistyped google.com.

However, in the case of the .om domain the typosquatters have sinister motives. The sites are being used to deliver malware and adware, with the typosquatters appearing to be targeting devices running OS X.

The sites detect the operating system on the device and redirect Windows users to websites where they are bombarded with popup adverts. Mac users are targeted with a fake Adobe Flash update. Downloading the update will install Genieo adware. Genieo adware installs itself as a browser extension on Firefox, Opera, and Chrome and is used to serve ads.

The spate of domain registrations was noticed by security researchers at Endgame, who discovered that over 330 domains had been registered with Oman’s Telecom Regulatory Authority in the past few weeks.

As is common with malicious typosquatters, they have chosen the names of well-known websites that receive large volumes of traffic. Endgame reports that .om sites have been registered for Gmail, Macys, Citibank, and Dell in the past few weeks, along with a host of other well-known brands. The sites appear to have been registered by a number of different typosquatting groups not just one individual. However, a large percentage were found to have been registered by individuals in New Jersey.

A number of different hosting companies have been used, although the site installations are all very similar. Endgame discovered that many of the sites contain vulnerabilities that could allow other parties to hijack the sites. At the present time, it would appear that the typosquatters are only intent on pushing Genieo adware and promote ad networks, although that may not remain the case. With the high number of security vulnerabilities that exist on the sites they could all too easily be hijacked by other individuals and used to deliver malware and ransomware to unsuspecting visitors.

Mobile Malware Threat Increasing According to Recent Studies

Two new studies indicate the mobile malware threat is increasing at an unpresented rate. Any enterprise that allows smartphones to connect to its network, such as those operating a BYOD policy, faces an increased risk of a cyberattack via those devices.

G DATA Report Warns of Rapidly Increasing Mobile Malware Threat

According to the recent G DATA survey, the mobile malware threat has increased substantially over the course of the past 12 months and shows no sign of abating. The number of new malware variants discovered in 2015 is 50% higher than 2014. In 2015, 2.3 million malware samples targeting Android devices were collected, with a new variant being identified, on average, every 11 seconds. In the final quarter of the year, an alarming 758,133 new malware samples were collected, which represents an increase of 32% from the third quarter.

The main risk is older devices operating outdated versions of Android, although G DATA reports that hackers are developing exploits for security vulnerabilities far faster than in past years. Unless Android operating systems are kept totally up to date, vulnerabilities will exist that can be exploited. Unfortunately, phone manufacturers often delay rolling out operating system updates leaving all devices prone to attack.

Mobile Malware Infections Increasing According to Nokia Threat Intelligence Lab

Earlier this month, a report issued by the Nokia Threat Intelligence Lab suggested that 60% of malware operating in the mobile space targets Android smartphones. While iOS malware was a rarity, that has now changed. Nokia reports that for the first time ever, iOS malware has made the top 20 malware list, which now includes the iOS Xcodeghost and FlexiSpy malware. These two malware account for 6% of global smartphone infections.

Mobile ransomware is also increasing. In 2015, several new mobile ransomware variants were identified. Ransomware is used to lock devices with file-encrypting software. Users are only able to recover their files if a ransom is paid to the attackers. With an increasing number of individuals using their smartphones to store irreplaceable data, and many users not backing up those files, individuals are often given no choice but to pay attackers for a security key to unlock their data.

Nokia reports that the malware now being identified has increased in sophistication and has been written by hackers that know the Android system inside out. Malware is getting harder to detect, and once identified it can be extremely difficult to remove. Nokia reports that many malware variants are highly persistent and can even survive a factory reset.

How to Mitigate Mobile Malware Risk

With the mobile malware threat increasing, organizations must implement new security measures to keep devices secure and protect their networks. Anti-virus and anti-malware solutions should be installed on all devices allowed to connect to business networks to reduce the risk of a malware infection.

Many mobile devices are used for work purposes such as accessing business email accounts. Android malware infections could all too easily result in business data being compromised, while keyloggers could give attackers access to business networks.

Enterprises may not yet be majorly concerned about the rising mobile malware threat, but they should be. With the growing sophistication of today’s mobile malware, a business network compromise is a very real threat.

Enterprises that permit the use of mobile devices for work purposes should limit the actions that can be performed on Wi-Fi networks by implementing a web filtering solution. They should ensure that all BYOD policies stipulate a minimum Android version that can be used, and all devices should be kept up to date with app updates installed promptly. Enterprises should also monitor for jailbroken or rooted devices, and prevent them from being used for work purposes or from connecting to business Wi-Fi networks.

Ransomware Mitigation Policies Essential to Protect Against Rampant Ransomware

A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S critical infrastructure community.

Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads to a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers who will not release the decryption keys until the ransom is paid. Without those keys data will remain locked forever. Business are often given no alternative but to give in to the attackers’ demands.

Rampant Ransomware Prompts ICIT to Issue Warning

The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.

According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable. Far more than the ransom demand in many cases.

Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Often attacks are conducted across International borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.

Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.

Ransomware Mitigation Policies are Essential

Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.

The report suggests four key areas that can help with ransomware mitigation.

  • Forming a dedicated information security team
  • Conducting staff training
  • Implementing layered defenses
  • Developing policies and procedures to mitigate risk

An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.

Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain. It is easiest to get an employee to install ransomware than to attempt a hack in many cases. According to the report, this is one of the most important ransomware mitigation steps to take.

Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall.  Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.

With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must be aware who they can report suspicious emails and network activity to, and those individuals must be aware how they should act and deal with threats.

Mac Ransomware Being Delivered Via BitTorrent

It was only a matter of time before a fully functional Mac ransomware was developed. Researchers at Palo Alto Networks have discovered that time has now come, after its Unit 42 team found KeRanger: The first fully functional Mac ransomware to be discovered in the wild. The ransomware was spread via the Transmission file-sharing app.

Fortunately, action has been taken to contain the malicious software before it could be fully exploited; however, this signals a turning point for Apple users. Their devices are no longer safe from ransomware attacks.

Mac Ransomware is No Longer Theoretical

While a Mac ransomware called FileCoder was discovered by Kaspersky Lab in 2014, the malicious software was incomplete and could not be used to infect Apple devices. The discovery of KeRanger shows that Apple users are no longer immune to attack.

Apple has added the signature for the malicious software to its XProtect OS X anti-malware definitions However, any Apple customer that downloaded BitTorrent client Transmission (v 2.9) over the weekend (Between 11:00 PST on March 4, and 19:00 PST on March 5, 2016) could well have downloaded KeRanger, along with any customer who downloaded the file sharing app prior to March 4.

The Mac ransomware bypassed Gatekeeper controls by using a genuine security certificate. The certificate was issued to Polisan Boya Sanayi ve Ticaret A.Ş., of Istanbul and is believed to have been stolen.

The ransomware was included in the Transmission installation files as “General.rtf.” The rich text file looks innocuous enough, but General.rtf is not a document file as the extension suggests, instead it is a Mach-O executable file. The file is copied to ~/Library/kernel_service and is run before the user sees an interface.

Once the ransomware has been activated, it searches the system on which it is installed and will encrypt around 300 different file types, including images, documents, multimedia files, emails, databases, certificates, archives, and source code. The Mac ransomware uses AES encryption to lock any files it finds and is capable of encrypting files saved on connected networks and external drives.

In many cases, ransomware infections cannot be removed and the user is forced to pay a ransom to obtain a security key. However, locked files can potentially be restored from backups. Unfortunately for users infected with KeRanger, the Time Machine system files are also encrypted preventing backup files from being restored.

The Threat Has Been Neutralized Although Action Must Be Taken by Transmission Users

The new Mac ransomware has been neutralized by the revoking of the digital certificate that enables the software to install on OS X, while the developers of Transmission App have removed the infected version from the transmissionbt.com website.

According to Claud Xiao of Palo Alto Networks, if KeRanger has been installed, users will still be at risk of having their files encrypted.  The latest version of Transmission will remove the ransomware if it has been installed on users’ Macs.

Any customer who has installed version 2.9 should download the updated version of the file sharing software as soon as possible to prevent their device from being locked by the file-encrypting malware.

Users only have a limited timeframe for doing this. The Mac ransomware will stay hidden and quiet for 3 days following infection. After that it will connect to its C&C and will start encrypting files on the infected device and connected drives. A ransom of 1 Bitcoin (around $400) will then be demanded by the attackers. Only if the ransom is paid will the security key be sent to unlock the encryption. Failure to pay will see files locked forever. Transmission users must ensure they have installed version 2.92 and need to reboot their device after installation.

Protecting Devices from Attack Using WebTitan Web Filtering Solutions

WebTitan Cloud can help enterprises keep their devices free from malware and ransomware by blocking the downloading of file types known to be used by hackers to install malicious software. It is also possible to prevent KeRanger installations by blocking access to file sharing websites. By limiting the actions that can be taken by users and the sites that can be visited, the risk of networks being compromised or infected with malware can be greatly reduced.

WebTitan Cloud and WebTitan Gateway web filtering solutions can reduce reliance on staff training to teach end users how to identify malware, phishing emails, and malicious websites. Blocking risky online behavior can significantly reduce the risk of malware and ransomware infections.

Marcher Trojan: Yet Another Reason to Use a Web Filter

The Marcher Trojan was first discovered in the wild around three years ago; however, malware does not remain the same for very long, so it is no surprise to see yet another Marcher Trojan variant appear. This time the method of attack differs substantially from previous incarnations of this money-stealing malware.

Marcher Trojan Delivered Using Fake Adobe Flash Update

This time, attackers are targeting users of online pornography and are attempting to trick them into installing the Marcher Trojan on their Android phones by disguising the malware as an Adobe Flash installer package. Adobe Flash may be on its last legs, but a considerable number of porn websites host Flash videos. Users of pornographic websites therefore need Adobe Flash in order to view adult videos.

The attackers are targeting users of pornographic websites by sending links to new porn sites via SMS messages and spam email. Clicking the links contained in those messages will direct the user to a malicious website where they are asked to download an update to Adobe Flash.

Adobe Flash updates are frequently released due to the high number of zero-day vulnerabilities discovered in the software. Users are therefore likely to think there is nothing untoward about the update. The attackers have named it AdobeFlashPlayer.apk to make the download appear genuine.

After downloading the update, the user is required to change settings on the phone to allow apps from unknown sources to be installed. They are then asked to give the fake Adobe Flash update administrator privileges. Once installed, the owner of the device will be unaware that they have just compromised their Android phone.

The malware will then start communicating with the attackers C&C server and will send a list of the apps installed on the device to the attackers. That information is then used to display the appropriate fake login screens for apps installed on the device. Those login screens record bank and credit card details and send them to the attackers.

Another method of attack used by the malware is to send a MMS message to the user asking them to download the X-Video porn app from the Google Play store. The X-Video app is not malicious and can be installed for free; however, after installing the app the user receives a fake prompt asking them to update their Google Play credit card information.

The Marcher Trojan can also prevent users from visiting the real Google Play store without first entering their payment card details into the fake Google Play payment screen.

Fortunately, the malware is easy to remove. The app can be deactivated and then uninstalled. But the user would need to know they have been infected in order to do that.

Blocking Adult Content to Protect WiFi Network Users

Any business that allows employees to access WiFi network can improve network security by blocking access to adult websites. Preventing WiFi network users from accessing adult sites and other websites commonly used to deliver malware can greatly improve security posture.

The Marcher Trojan is being used to steal money from Android users, although the malware has been used to deliver at least 50 different payloads. Other Trojan downloaders deliver ransomware and other nasty malware. Once on a network the malicious software can cause a considerable amount of damage.

WebTitan can be used to prevent the downloading of files commonly used by hackers to hide malware such as SCR, EXE, and ZIP files. It can also be used to block access to risky websites and those known to contain malware.

For business WiFi networks, a web filter is now becoming less of an option and more of a necessity to prevent malware and ransomware downloads and keep users’ devices and networks malware free.

Enterprise Malware Attacks Increasing: Malware Infections Increased 73 pc in 2015

Last year saw a massive increase in the number of recorded enterprise malware attacks, with hackers also targeting public sector organizations and government agencies with increased frequency. According to the new Dell Security Annual Threat Report, malware attacks virtually doubled in 2015, and reached a staggering 8.19 billion worldwide infections.

The new report makes for worrying reading. The current threat level is greater than ever before and the volume of enterprise malware attacks now taking place has reached unprecedented levels. Organizations that fail to implement robust controls to protect their systems from malware downloads are likely to be attacked.

Dell Reports a 73% Increase in Malware Infections in 2015

To compile the report, Dell gathered data from its Dell SonicWALL Global Response Intelligence Defense network. In 2014, Dell SonicWALL received approximately 37 million unique malware samples. In 2015, that figure increased to 64 million: An increase of 73%. Dell noted increases in malware, ransomware, viruses, Trojans, worms, and botnets in 2015.

Not only is the volume of malware increasing, the vectors used to infect devices and networks are now much broader. Cybercriminals are also getting much better at concealing infections and covering their tracks. When malware is eventually discovered on systems, it has usually been present and active for some time.

Hackers are now using anti-forensic techniques to evade detection, steganography, URL pattern changes, and are modifying their landing page entrapment techniques. Command and Control center communications are also being encrypted making it harder to identify communications from infected devices and systems. Oftentimes, it is communications between malware and C&C servers that allow anti-malware and intrusion prevention systems to identify malware infections.

Spam email is still being used to deliver malicious software although drive-by attacks have increased. IoT devices are also being used to install malware due to the relatively poor security of the devices.

Enterprises now have a much broader attack surface to defend, yet security budgets are often stretched making it difficult for IT security teams to install adequate defenses to repel attacks using such a diverse range of attack vectors. It may not be possible to implement robust defenses to repel all attacks, although by concentrating on the most commonly exploited weaknesses the majority of enterprise malware attacks can easily be prevented.

How to Defend Against Enterprise Malware Attacks

The majority of successful enterprise malware attacks could have been prevented had basic security measures been implemented and had industry security best practices been adopted. Hackers may be using ever more sophisticated methods to infiltrate systems and steal data, but in the majority of cases they do not use zero-day vulnerabilities to attack: Well-known security weaknesses are exploited.

All too often enterprise malware attacks are discovered to have occurred as a result of unpatched or outdated software. Oftentimes, patches and software updates have been available for months prior to attacks taking place. One of the best defenses against cyberattacks is to adopt good patch management practices and ensure that software updates are applied within days of release.

Email spam is still used to deliver a wide range of malware and malicious software, yet spam email is easy to block with a robust spam filtering solution such as SpamTitan. Along with staff training on phishing email identification and basic security best practices, malware infections via email can be easily prevented.

It is also strongly advisable to implement an enterprise web filtering solution. Allowing employees full access to the Internet can leave a business susceptible to drive-by malware downloads. A web filtering solution such as WebTitan Gateway – or WebTitan Cloud for Wi-Fi networks – can prevent malicious file downloads, malvertising, and limit the risk of drive-by enterprise malware attacks.

Using a firewall capable of inspecting every packet and validating all entitlements for access is also advisable. Since hackers are also using SSL/TLS encryption to mask C&C communications, it is a wise precaution to use a firewall that incorporates SSL-DPI inspection functionality.