Category Archives: Cyber Attack

An Old WinRAR Vulnerability Left Users At Risk For Two Decades

Have you ever thought that an apparently harmless yet useful tool like WinRAR could pose security threats? Certainly seems so

An Old WinRAR Vulnerability Left Users At Risk For Two Decades on Latest Hacking News.

Android banking malware distributed with fake Google reCAPTCHA

By Waqas

Sucuri’s cybersecurity researchers have identified a highly sophisticated phishing campaign that is specifically targeting online banking users. The attack, for now, has been directed against a Polish bank in which attackers are exploiting Google reCAPTCHA systems as well as panic-eliciting tactics to lure victims into clicking on infected, malicious links that are already embedded in […]

This is a post from HackRead.com. Read the original post: Android banking malware distributed with fake Google reCAPTCHA

Cryptojacking Apps Removed From Microsoft App Store

After Apple and Google, the malefactors are turning their attention to the Microsoft app store as well. We have already

Cryptojacking Apps Removed From Microsoft App Store on Latest Hacking News.

What is Watering hole attack and how to stay protected from such attacks?

The attacker first stalks the websites often visited by a victim or a particular group, and then infects the frequently visited websites with malware. The attacker then identifies the vulnerabilities

The post What is Watering hole attack and how to stay protected from such attacks? appeared first on The Cyber Security Place.

Dark Web hacker selling 92M new accounts on Dream market

By Waqas

The dark web hacker “Gnosticplayers” has quickly made a reputation for his high-profile data breaches and selling user data on the infamous Dream marketplace. A couple of days ago the hacker was selling 126 million accounts stolen from new data breaches and now, the same hacker is back with another list of compromised websites which is another […]

This is a post from HackRead.com. Read the original post: Dark Web hacker selling 92M new accounts on Dream market

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Electric scooters have proved to be a convenient form of travel for some over short distances. Security researchers have highlighted

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine on Latest Hacking News.

Another Commercial WordPress Plugin Gets Exploited

In the past few months, commercial WordPress plugin WP Cost Estimation has been under attack from hackers. These hackers are

Another Commercial WordPress Plugin Gets Exploited on Latest Hacking News.

Microsoft February Patch Tuesday Addressed A Zero Day And Numerous Critical Bugs

In January, Microsoft’s scheduled updates fixed numerous security flaws that included a few critical ones. However, with Microsoft February Patch

Microsoft February Patch Tuesday Addressed A Zero Day And Numerous Critical Bugs on Latest Hacking News.

A Further 127 Million User Records Found For Sale on The Dark Web

Earlier this week, this site reported an individual who was selling 620 million user records he claimed to have stolen from

A Further 127 Million User Records Found For Sale on The Dark Web on Latest Hacking News.

Could a shutdown ignite insider threats?

The 35-day government shutdown may be on a brief hiatus, but with the temporary deal to fund federal departments slotted to end on Feb. 15, many government workers are worried

The post Could a shutdown ignite insider threats? appeared first on The Cyber Security Place.

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday

In February’s monthly scheduled updates, Adobe has once again fixed a number of security flaws. The Adobe February Patch

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday on Latest Hacking News.

Dark Web hacker selling 126M accounts stolen from new data breaches

By Waqas

A dark web hacker going by the online handle of “Gnosticplayers” is selling a massive trove of user data stolen after compromising websites of several popular companies. The data which amounts to over 126 million accounts includes emails and passwords, etc. and is currently available on the dark web’s infamous Dream marketplace. Who’s involved? The […]

This is a post from HackRead.com. Read the original post: Dark Web hacker selling 126M accounts stolen from new data breaches

Email service provider loses 2 decades worth of data due to hack attack

By Waqas

Famed secure email service provider VFEmail has become a victim of a hack attack by an unknown cybercriminal. The company claims that it has suffered a “catastrophic destruction” of its US servers and almost two decades of data and backups in only a few hours. The entire digital infrastructure of the company got destroyed by […]

This is a post from HackRead.com. Read the original post: Email service provider loses 2 decades worth of data due to hack attack

Hackers Destroyed VFEmail Service – Deleted Its Entire Data and Backups

What could be more frightening than a service informing you that all your data is gone—every file and every backup server entirely wiped out? The worst nightmare of its kind. Right? But that's precisely what just happened this week with VFEmail.net, a US-based secure email provider that lost all data and backup files for its users after unknown hackers destroyed its entire U.S.

The inside track on protecting intellectual property (IP)

Dr Darren Williams, CEO and Founder of BlackFog, discusses the need for firms to protect their IP from cyber attack and provides advice on how to stop hackers from removing

The post The inside track on protecting intellectual property (IP) appeared first on The Cyber Security Place.

Phishing, Humans Root of Most Healthcare Attacks

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information

The post Phishing, Humans Root of Most Healthcare Attacks appeared first on The Cyber Security Place.

Cyber Security Risk in Retail and How to Handle It

Hackers and their tactics are continually evolving but one thing remains the same: retailers are prime targets for a cyber-attack. This is such a widespread issue that in nearly every

The post Cyber Security Risk in Retail and How to Handle It appeared first on The Cyber Security Place.

Hacked User Finds $500 Worth of Food Ordered From Their McDonald’s App

Ordering food through an app on a mobile phone has become an increasingly popular way to satisfy the appetite. However,

Hacked User Finds $500 Worth of Food Ordered From Their McDonald’s App on Latest Hacking News.

Advanced Customer Verification – Are You Ready For That?

Fraud is on the rise and attacks made by cybercriminals are becoming more sophisticated. Basic identity proofing is no longer effective, so it’s time to turn the clunky process into

The post Advanced Customer Verification – Are You Ready For That? appeared first on The Cyber Security Place.

Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users’ Personal Data

Another day, another breach. This time, the incident has troubled thousands of parents as it affected parenting forum Mumsnet. Reportedly,

Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users’ Personal Data on Latest Hacking News.

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros

Researchers have discovered a new Trojan campaign that creates a Linux backdoor. Referred to as SpeakUp, the backdoor malware exploits

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros on Latest Hacking News.

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File

Sharing landscape pictures, cute animal photos or memes is quite common among smartphone users. That’s why images serve as one

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File on Latest Hacking News.

Cybercriminals leverage Google Translate to hide their phishing sites

Attackers are using a new technique that uses Google Translate to hide the real domain of their phishing sites. This phishing technique works more effectively on mobile devices when compared

The post Cybercriminals leverage Google Translate to hide their phishing sites appeared first on The Cyber Security Place.

Historical OSINT – A Peek Inside The Georgia Government’s Web Site Compromise Malware Serving Campaign – 2010

Remember the massive Russia vs Georgia cyber attack circa 2009? It seems that the time has come for me to dig a little bit deeper and provide actionable intelligence on one of the actors that seem to have participated in the campaign including a sample Pro-Georgian type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging Cyberwar to third-parties including

Denial-of-Service and Man-in-the-middle vulnerabilities found in Smart scale IoT device

An IoT device analyzed by researchers was found to have four security flaws that could allow attackers to perform denial of service (DoS) and man-in-the-middle (MITM) attacks. The device’s associated mobile

The post Denial-of-Service and Man-in-the-middle vulnerabilities found in Smart scale IoT device appeared first on The Cyber Security Place.

Numerous Beauty Camera Apps Were Found to be Loaded With Malware

Most smartphone users, particularly those selfie-freaks, love to download various photo-filtering and beauty camera apps. From adding special effects and

Numerous Beauty Camera Apps Were Found to be Loaded With Malware on Latest Hacking News.

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages

Researchers have discovered a new malware used to steal saved passwords and credit card details from browsers. In addition, it

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages on Latest Hacking News.

Hackers Now Exploit Google Sheets To Spread CSV Malware

After previously exploiting Microsoft Excel for formula injection attacks, hackers have now turned their attention to Google Sheets for the

Hackers Now Exploit Google Sheets To Spread CSV Malware on Latest Hacking News.

A Hacker’s Take On Blockchain Security

One of the leading factors of the blockchain—aside from the obvious decentralization—is the high level of security behind it. It’s not uncommon to hear people claim that it is “unhackable.”

The post A Hacker’s Take On Blockchain Security appeared first on The Cyber Security Place.

Nest Cam Accessed Using Leaked Passwords Left Family Horrified

The dangers of low security on the Internet of Things (IoT) devices once again surfaced last week. A family have

Nest Cam Accessed Using Leaked Passwords Left Family Horrified on Latest Hacking News.

Firefox 66 Will Feature MiTM Attack Warnings By Default

Mozilla has recently released its browser version Firefox 65 that brings enhanced content blocking. With the upcoming Firefox 66, it

Firefox 66 Will Feature MiTM Attack Warnings By Default on Latest Hacking News.

First Hacker Convicted of ‘SIM Swapping’ Attack Gets 10 Years in Prison

A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims' phone numbers has pleaded guilty and accepted a sentence of 10 years in prison. Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as "SIM swapping," which typically involves fraudulently porting of

Home Remodelling Website Houzz Suffers a Data Breach

The popular home remodelling website Houzz has informed its customers that it suffered a data breach. This breach is thought to

Home Remodelling Website Houzz Suffers a Data Breach on Latest Hacking News.

Basecamp Endured a Brute Force Attack

Once again, another popular online portal fell victim to a cyber attack. However, this time, the targeted firm Basecamp effectively

Basecamp Endured a Brute Force Attack on Latest Hacking News.

HIV Records of 14k People in Singapore Leaked

Singapore has suffered its second attack on private medical records in seven months. This time, the records of around 14

HIV Records of 14k People in Singapore Leaked on Latest Hacking News.

New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on

Radware Blog: Attackers Are Leveraging Automation

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware. At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized […]

The post Attackers Are Leveraging Automation appeared first on Radware Blog.

How deception changes the rules of engagement in cyber security

Carolyn Crandall, Chief Deception Officer at Attivo Networks, explores how deception techniques can provide not only early detection of malicious activity but also an invaluable insight into an attacker’s methods. Deception

The post How deception changes the rules of engagement in cyber security appeared first on The Cyber Security Place.

Airbus Suffers Data Breach, Some Employees’ Data Exposed

European airplane maker Airbus admitted yesterday a data breach of its "Commercial Aircraft business" information systems that allowed intruders to gain access to some of its employees' personal information. Though the company did not elaborate on the nature of the hack, it claimed that the security breach did not affect its commercial operations. So, there's no impact on aircraft production.

FBI Mapping ‘Joanap Malware’ Victims to Disrupt the North Korean Botnet

The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap, the botnet is believed to be part of "Hidden Cobra"—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of

Scammers Steal Social Media Videos For Fake Fundraising Accounts

Earlier this month, a 4-year-old girl called Maya Tisdale was videoed by her parents taking her first independent steps. Maya was

Scammers Steal Social Media Videos For Fake Fundraising Accounts on Latest Hacking News.

2019 predictions – the year ahead for cybersecurity

2018 was a roller-coaster year for the tech industry – lots of big court cases and high-profile data privacy disagreements.

The post 2019 predictions – the year ahead for cybersecurity appeared first on The Cyber Security Place.

Twitter Scammers Pose As Large Companies to Scam Unsuspecting Users

Social media has made it easier for customers to complain to large companies. Many companies now have dedicated social media accounts

Twitter Scammers Pose As Large Companies to Scam Unsuspecting Users on Latest Hacking News.

Europol Now Going After People Who Bought DDoS-for-Hire Services

If you were a buyer of any online DDoS-for-hire service, you might be in trouble. After taking down and arresting the operators of the world's biggest DDoS-for-hire service last year, the authorities are now on the hunt for customers who bought the service that helped cyber criminals launch millions of attacks against several banks, government institutions, and the gaming industry. Europol has

DailyMotion Victim of Credential Stuffing Attack

Popular video sharing platform DailyMotion announced it has become the victim of a credential stuffing attack. According to an email

DailyMotion Victim of Credential Stuffing Attack on Latest Hacking News.

1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic

I have frequently stated that one of the leading causes of business failures is poor cash flow management. According to a study by US Bank, 82% of all businesses that

The post 1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic appeared first on The Cyber Security Place.

More Money, More Worries About Cyber Risk

Executives at financial services companies are increasingly concerned about risks, but as technology becomes more integrated in managing financials, more executives say that cybersecurity is increasingly becoming the most important

The post More Money, More Worries About Cyber Risk appeared first on The Cyber Security Place.

Video Sharing Platform DailyMotion Falls Victim To Credential Stuffing Attack

After meddling with a number of social networks, it seems the hackers have moved their focus to video-sharing platforms as

Video Sharing Platform DailyMotion Falls Victim To Credential Stuffing Attack on Latest Hacking News.

Impending Ukraine Election Targeted by Hackers

Ukraine is reporting an increase in cyber attacks aimed at disrupting the upcoming presidential elections. The Ukrainian government believes that

Impending Ukraine Election Targeted by Hackers on Latest Hacking News.

Google Chrome to Get Drive-by Download Protection

Engineers at Google are working on drive-by download protection for Chromium. Google’s Chrome browser is based on the open-source engine

Google Chrome to Get Drive-by Download Protection on Latest Hacking News.

Emergency Directive Issued by US Government After Domain Attacks

A recent wave of domain hijacking attacks has hit government websites. The US government decided to take action with a new

Emergency Directive Issued by US Government After Domain Attacks on Latest Hacking News.

GandCrab ransomware and Ursnif virus spreading via MS Word macros

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be the work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from

Hacker Broadcasts Fake Missile Warning Over Compromised Nest Camera

Smart technology has now become hugely popular. There are now many products on the market that can make your home

Hacker Broadcasts Fake Missile Warning Over Compromised Nest Camera on Latest Hacking News.

The Threat Intelligence Market Segment – A Complete Mockery and IP Theft Compromise – An Open Letter to the U.S Intelligence Community

I recently came across the most recently published DoD Cyberspace Strategy 2018 which greatly reminded me of a variety of resources that I recently took a look at in terms of catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital

How to Bulletproof Your Business Data Against Breaches in 2019

Over the past year, and even before then, many services have either fallen prey to hackers or suffered from accidental data breaches and leaks. Legislators are now cracking down, passing

The post How to Bulletproof Your Business Data Against Breaches in 2019 appeared first on The Cyber Security Place.

Someone Hacked PHP PEAR Site and Replaced the Official Package Manager

Beware! If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, we are sorry to say that your server might have been compromised. Last week, the maintainers at PEAR took down the official website of the PEAR (pear-php.net) after they found that someone had replaced the original PHP PEAR package manager (go-pear.phar) with a modified version in the core PEAR file

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with "

Using Offender Profiling Techniques in Security Operations

Let’s start this article off with a question. What do Agent Smith from the Matrix, the Joker from Batman and Darth Vader from Star Wars all have in common? It’s

The post Using Offender Profiling Techniques in Security Operations appeared first on The Cyber Security Place.

Hacker Alexander Zhukov Extradited to US After Infecting Over 1.7 Million Computers

News disclosed on the Russian version of Facebook, VK, states that Bulgaria has extradited Russian hacker Alexander Zhukov to the US

Hacker Alexander Zhukov Extradited to US After Infecting Over 1.7 Million Computers on Latest Hacking News.

New malware found using Google Drive as its command-and-control server

Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (

Active Exploits Of ThinkPHP Vulnerability Found Even After Patch

In December 2018, we witnessed active exploits of a ThinkPHP vulnerability. After the discoverers of this flaw posted its PoC,

Active Exploits Of ThinkPHP Vulnerability Found Even After Patch on Latest Hacking News.

Security in an IoT World: Your Big Data Problem is Getting Bigger

It’s that time of year for prediction articles and the number has become almost overwhelming. This year, one of the trending topics I’ve noticed is the growth in Internet of

The post Security in an IoT World: Your Big Data Problem is Getting Bigger appeared first on The Cyber Security Place.

Hackers Exploit Chile’s ATM Network Under The Guise of a Skype Job Interview

Lazarus, a network of hackers who target financial organizations, has recently been identified as the prime suspect with regards to

Hackers Exploit Chile’s ATM Network Under The Guise of a Skype Job Interview on Latest Hacking News.

Encryption is key to protecting information as it travels outside the network

A new Vera report reveals stark numbers behind the mounting toll of data breaches triggered by cybercrime and accidents. One of the most recognized and mandated security controls, installed encryption tools protect

The post Encryption is key to protecting information as it travels outside the network appeared first on The Cyber Security Place.

Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively. According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian

Unprotected Government Server Exposes Years of FBI Investigations

A massive government data set belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files. The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the

Hackers infect e-commerce sites by compromising their advertising partner

Magecart, one of the most notorious hacking groups, which specializes in stealing credit card details from poorly-secured e-commerce websites, strikes again. According to security researchers from RiskIQ and Trend Micro, cybercriminals of a new subgroup of Magecart, labeled as "Magecart Group 12," recently successfully compromised nearly 277 e-commerce websites by using supply-chain attacks. Magecart

How to Secure Your Mid-Size Organization From the Next Cyber Attack

If you are responsible for the cybersecurity of a medium-sized company, you may assume your organization is too small to be targeted. Well, think again. While the major headlines tend to focus on large enterprises getting breached – such as Sony, Equifax, or Target – the reality is that small and mid-sized companies are experiencing similar threats. According to Verizon’s 2018 Data

A city in Texas is using paper after suffering ransomware attack

By Waqas

Another day, another devastating ransomware attack; this time, computers at The City Hall of Del Rio, Texas have suffered a massive ransomware attack forcing authorities to completely shut down the targeted network. The attack took place on Thursday, January 10th after which the City’s Management Information Services (MIS) Department went on to isolate the malware by turning off the […]

This is a post from HackRead.com. Read the original post: A city in Texas is using paper after suffering ransomware attack

DDoSing Hospital Networks Landed This Hacktivist in Jail for Over 10 Years

A simple DDoS attack could land you in jail for 10 years or even more. A Massachusetts man has been sentenced to over 10 years in prison for launching DDoS attacks against the computer network of two healthcare organizations in 2014 to protest the treatment of a teenager at the centers. Beyond serving 121 months in prison, Martin Gottesfeld, 34, was also ordered by U.S. District Judge

Dancho Danchev’s Threat Data – How to Request Free Access Including a Christmas Discount

Dear blog readers, I wanted to let everyone know that I'm currently offering unlimited and exclusive access to Threat Data - The World's Most Comprehensive Threats Database in the true spirit of the Christmas season to a selected set of individuals and organizations that approach me at dancho.danchev@hush.com Key Summary Points: - the platform basically represents the majority of proprietary

Dancho Danchev – Cyber Threat Analyst – Join Me on Patreon Community!

Dear blog readers, In the true spirit of the Christmas season I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber bypasses UAC prompts, deletes all volume shadow copies and disables Windows' automatic startup repair, so that the victim can neither restore previous file versions nor boot into a recovery environment. It does this by launching the following processes with the arguments shown:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The first two commands remove the shadow copies through two different interfaces; the two bcdedit commands turn off the recovery sequence for the default boot entry and tell the boot loader to ignore failed boots rather than offer repair options.
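Those four commands are the most reliable pre-encryption signal a ransomware family gives an endpoint analyst, because legitimate software almost never issues them in quick succession from one parent. The detection below is an added example for this page, not FireEye's or any product's logic. It normalises process-creation command lines (Sysmon event 1 / Security event 4688 style fields) so that quoting and case cannot dodge the rules, then correlates hits per parent process within a 60-second window and raises the verdict when the parent runs from a user-writable location, as the dropped copy in %APPDATA% does. The events, the GUID folder and the dropped filename wuapp.exe are constructed sample data.

```python
"""Detect the backup- and recovery-tampering commands Cerber runs before it
encrypts.  Event fields follow Sysmon event 1 / Security event 4688; the
sample events are constructed for this example, not captured telemetry."""
import re
from datetime import datetime, timedelta

# (technique, pattern over the normalised command line)
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]
WINDOW = timedelta(seconds=60)  # how close together the commands must be


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so that argument quoting
    or mixed case (VSSADMIN.EXE "Delete Shadows /All") cannot dodge the rules."""
    return " ".join(cmdline.lower().replace('"', " ").replace("'", " ").split())


def match_rules(cmdline: str) -> list:
    norm = normalise(cmdline)
    return [name for name, pat in RULES if pat.search(norm)]


def from_user_profile(image: str) -> bool:
    """The dropped copy lives in a GUID folder under %APPDATA%; a parent launched
    from a user-writable location makes the finding much stronger."""
    p = image.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def correlate(events):
    """Return (findings, verdict per parent).  Two or more distinct techniques
    from one parent inside WINDOW, or any of them from a parent in the user
    profile, is the pre-encryption pattern described above."""
    findings, by_parent = [], {}
    for ev in events:
        techs = match_rules(ev["command_line"])
        if not techs:
            continue
        t = datetime.strptime(ev["utc_time"], "%Y-%m-%d %H:%M:%S")
        for tech in techs:
            findings.append({"technique": tech, "image": ev["image"],
                             "parent": ev["parent_image"], "time": t})
            by_parent.setdefault(ev["parent_image"], []).append((t, tech))
    verdicts = {}
    for parent, hits in by_parent.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):  # sliding window over the hits
            best = max(best, len({tech for t, tech in hits[i:] if t - t0 <= WINDOW}))
        verdicts[parent] = ("ransomware_precursor"
                            if best >= 2 or from_user_profile(parent) else "suspicious")
    return findings, verdicts


# Constructed sample: the dropped copy (random system32 name, GUID folder) as parent.
DROPPED = "C:\\Users\\alice\\AppData\\Roaming\\{1a2b3c4d-0000-4000-8000-000000000001}\\wuapp.exe"
SAMPLE_EVENTS = [
    {"utc_time": "2016-06-01 10:15:02", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "parent_image": DROPPED, "command_line": 'vssadmin.exe "delete shadows /all /quiet"'},
    {"utc_time": "2016-06-01 10:15:03", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": DROPPED, "command_line": 'WMIC.exe "shadowcopy delete"'},
    {"utc_time": "2016-06-01 10:15:03", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "parent_image": DROPPED, "command_line": 'bcdedit.exe "/set {default} recoveryenabled no"'},
    {"utc_time": "2016-06-01 10:15:04", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "parent_image": DROPPED,
     "command_line": 'bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"'},
    # Benign: an administrator listing the boot store from an elevated prompt.
    {"utc_time": "2016-06-01 11:00:00", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "bcdedit /enum"},
]

if __name__ == "__main__":
    found, verdict = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f["technique"], "<-", f["parent"])
    print(verdict)
```

Backup agents and imaging tools do call vssadmin, so a single vssadmin hit from a signed vendor binary under Program Files should stay at "suspicious"; it is the combination, the speed and the parent's location that make the verdict.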

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors also try to push the victim into paying quickly: the ransom is discounted by 50 percent if it is paid within five days, as seen in Figure 3.

Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay the ransom; it supports 12 languages

Encryption

Cerber targets 294 file extensions for encryption, including .doc (Microsoft Word documents), .ppt (Microsoft PowerPoint presentations), .jpg and other image formats. It also targets financial file formats such as .ibank (used by certain personal finance management software) and .wallet (used for Bitcoin wallets).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked the installed keyboard layouts, so that a machine with a layout from the attackers' home region is skipped even if its public IP resolves elsewhere. The layout language IDs checked were: 1049 (Russian), 1058 (Ukrainian), 1059 (Belarusian), 1064 (Tajik), 1067 (Armenian), 1068 (Azeri, Latin), 1079 (Georgian), 1087 (Kazakh), 1088 (Kyrgyz, Cyrillic), 1090 (Turkmen), 1091 (Uzbek, Latin), 2072 (Romanian, Moldova), 2073 (Russian, Moldova), 2092 (Azeri, Cyrillic), 2115 (Uzbek, Cyrillic).
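A reconstruction of the two locale checks just described, written as an added example for this page (it is not Cerber's code, which was not published here). The country and language-ID lists are the page's; the code around them is an assumption about how such a check is implemented. One detail matters for anyone emulating or sandboxing this: the layout list comes back from the Windows API as HKL handles whose low 16 bits are the LANGID, and the blacklist must be compared against the full LANGID rather than the primary language, because only some sub-languages are listed (Romanian for Moldova, 2072, is blacklisted; Romanian for Romania, 1048, is not). The ipinfo.io response shape (a JSON "country" field) and the sample response are assumed and constructed; the page does not say what the malware does if the lookup fails, so this version treats an unknown country as not blacklisted.

```python
"""Reconstruction of the locale checks described above: country of the public
IP and installed keyboard layouts.  The blacklists are the page's; the code and
the ipinfo-style sample response are added for this example."""
import json
import sys

BLACKLISTED_COUNTRIES = {"AM", "AZ", "BY", "GE", "KG", "KZ", "MD", "RU", "TM", "TJ", "UA", "UZ"}
# Windows LANGIDs from the page.  Full IDs, not primary languages: only some
# sub-languages (e.g. Romanian for Moldova, 2072) are in the list.
BLACKLISTED_LANGIDS = {1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088,
                       1090, 1091, 2072, 2073, 2092, 2115}


def langid_from_hkl(hkl: int) -> int:
    """GetKeyboardLayoutList returns HKL handles; the low word is the LANGID and
    the high word a device or IME handle that must be masked off."""
    return hkl & 0xFFFF


def primary_language(langid: int) -> int:
    """Low 10 bits of a LANGID (0x18 for any Romanian, 0x19 for any Russian)."""
    return langid & 0x3FF


def country_from_ipinfo(body: str) -> str:
    """Assumed response shape: ipinfo.io-style JSON with an ISO 3166 'country'."""
    return json.loads(body).get("country", "").upper()


def should_abort(country: str, hkls) -> bool:
    """True when the host matches either blacklist, i.e. the payload would exit
    without encrypting anything.  An unknown country ('') is not blacklisted."""
    if country in BLACKLISTED_COUNTRIES:
        return True
    return any(langid_from_hkl(h) in BLACKLISTED_LANGIDS for h in hkls)


def installed_layouts() -> list:
    """Live HKL list on Windows via the same user32 API; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    n = user32.GetKeyboardLayoutList(0, None)      # first call: count only
    buf = (ctypes.c_void_p * n)()
    user32.GetKeyboardLayoutList(n, buf)            # second call: fill buffer
    return [(h or 0) & 0xFFFFFFFF for h in buf]


# Constructed ipinfo.io-style response (documentation IP and ASN), not a real lookup.
SAMPLE_IPINFO = '{"ip": "203.0.113.7", "country": "US", "org": "AS64496 Example"}'

if __name__ == "__main__":
    # Offline fallback: a US layout plus a Russian one, which trips the check.
    hkls = installed_layouts() or [0x04090409, 0x04190419]
    print("abort:", should_abort(country_from_ipinfo(SAMPLE_IPINFO), hkls))
```

Run on a Windows analysis host, installed_layouts() tells you whether the host would be skipped before the sample ever reaches its encryption routine, which is worth knowing when a detonation produces no files at all.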

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry value is set so that the malware, rather than the screensaver, is launched when the system goes idle.
  • The Command Processor "AutoRun" value is pointed at the Cerber payload, so the malware runs every time the Windows command interpreter, cmd.exe, is started.
  • A shortcut (.lnk) file referencing the ransomware is placed in the Startup folder, so Windows runs it as soon as the infected user logs in.
  • The usual Run and RunOnce registry keys are used as well.

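The four mechanisms above map onto well-known Windows locations, and an audit that reads them is a cheap way to scope an infection across endpoints. The following script is an added example for this page, not FireEye's or Cerber's code. The mapping of techniques to registry values is mine: the screensaver executable is HKCU\Control Panel\Desktop\SCRNSAVE.EXE, cmd.exe runs whatever is in the Command Processor AutoRun value, and the Run/RunOnce keys are the standard ones. It flags any entry whose executable lives in a user-writable location such as %APPDATA%, which is where Cerber drops its copy; an AutoRun value is flagged whenever it is non-empty, since legitimate use is rare. On Windows it reads the live registry with winreg; elsewhere it runs against the constructed snapshot below. Startup-folder shortcut targets are passed in already resolved (parsing .lnk files is out of scope here).

```python
"""Audit the persistence locations listed above.  On Windows the snapshot is
read with winreg; elsewhere the constructed sample below is used."""
import sys

# (hive, key path, value name or None for every value, technique label)
LOCATIONS = [
    ("HKCU", r"Control Panel\Desktop", "SCRNSAVE.EXE", "screensaver_hijack"),
    ("HKCU", r"Software\Microsoft\Command Processor", "AutoRun", "cmd_autorun"),
    ("HKLM", r"Software\Microsoft\Command Processor", "AutoRun", "cmd_autorun"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None, "run_key"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None, "runonce_key"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", None, "run_key"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None, "runonce_key"),
]


def executable_of(command: str) -> str:
    """First token of a command string, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def user_writable(path: str) -> bool:
    """Cerber drops into a GUID folder under %APPDATA%; anything launched from a
    per-user, user-writable location deserves a look."""
    p = path.lower().replace("/", "\\")
    return ("\\appdata\\" in p or p.startswith("%appdata%") or p.startswith("%localappdata%")
            or "\\temp\\" in p or p.startswith("%temp%"))


def audit(snapshot: dict, startup_links) -> list:
    """snapshot: {(hive, key): {value_name: data}}; startup_links: [(lnk, target)].
    Returns (technique, location, data) tuples."""
    findings = []
    for hive, key, value, technique in LOCATIONS:
        values = snapshot.get((hive, key), {})
        chosen = {value: values.get(value, "")} if value else values
        for name, data in chosen.items():
            if not data:
                continue
            # AutoRun is flagged whenever set; the others only for user-writable paths.
            if technique == "cmd_autorun" or user_writable(executable_of(data)):
                findings.append((technique, f"{hive}\\{key}\\{name}", data))
    for name, target in startup_links:
        if user_writable(target):
            findings.append(("startup_shortcut", name, target))
    return findings


def read_live_snapshot() -> dict:
    """Windows only: read every LOCATIONS key through winreg."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for hive, key, _, _ in LOCATIONS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                vals, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:      # no more values
                        break
                    vals[name] = str(data)
                    i += 1
        except OSError:                  # key absent or access denied
            continue
        snap[(hive, key)] = vals
    return snap


# Constructed sample: the dropped copy wired into all four locations, plus one
# benign Run entry under Program Files that must not be flagged.
DROPPED = r"C:\Users\alice\AppData\Roaming\{1a2b3c4d-0000-4000-8000-000000000001}\wuapp.exe"
SAMPLE_SNAPSHOT = {
    ("HKCU", r"Control Panel\Desktop"): {"SCRNSAVE.EXE": DROPPED, "ScreenSaveTimeOut": "600"},
    ("HKCU", r"Software\Microsoft\Command Processor"): {"AutoRun": f'"{DROPPED}"'},
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "wuapp": f'"{DROPPED}"',
        "ExampleAgent": r'"C:\Program Files\Example\agent.exe" /tray'},
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"): {},
}
SAMPLE_STARTUP = [("wuapp.lnk", DROPPED)]

if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    links = [] if sys.platform == "win32" else SAMPLE_STARTUP
    for finding in audit(snapshot, links):
        print(*finding)
```

Expect some noise from the path heuristic: per-user installers such as OneDrive or Teams legitimately register Run entries under %LOCALAPPDATA%, so treat a hit there as a lead to verify (signature, hash, creation time) rather than a verdict.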
A Solid Defense

Mitigating ransomware has become a high priority for affected organizations because passive security technologies such as signature-based detection have proven ineffective against it.

Malware authors have shown they can outpace most endpoint controls by compiling many variations of their malware with minor binary differences. By switching packers and compilers they raise the level of effort for researchers and reverse-engineers, and that manual effort does not scale to the rate at which new variants appear.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don't have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that can quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and visibility into all endpoint activity to find every aspect of a threat and deal with it, all in real time. FireEye also goes one step further and contacts the relevant authorities to bring down these types of campaigns.
