Category Archives: Cyber Attack

New Malware Takes Commands From Memes Posted On Twitter

Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services. Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. Most malware relies on communication with their

Chinese hackers reportedly stole secret US Navy data

By Waqas

Hackers of Chinese origin have stolen data from US Navy contractors whose content includes highly confidential information on advanced military technologies. In June this year, it was reported that Chinese hackers stole 614 gigabytes of US Navy’s anti-ship missile data. Now, authorities in the United States have once again accused Chinese hackers of stealing secret data belonging […]

This is a post from HackRead.com Read the original post: Chinese hackers reportedly stole secret US Navy data

Hackers bypassed Gmail & Yahoo’s 2FA to target US officials

By Waqas

The attack was carried out by Iran-backed Charming Kitten hackers and victims include dozens of US government officials. Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers. As per the data obtained by Certfa, a cybersecurity firm based in London, the hacking group Charming Kitten is responsible for the […]

This is a post from HackRead.com Read the original post: Hackers bypassed Gmail & Yahoo’s 2FA to target US officials

New Shamoon Malware Variant Targets Italian Oil and Gas Company

Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East,

British Teenager gets 3 year sentence for DDoS and False Bomb Threats

Recently, the Luton Crown Court sentenced a British teenager for sending out false bomb threats and carrying out DDoS attacks.

British Teenager gets 3 year sentence for DDoS and False Bomb Threats on Latest Hacking News.

A New Year’s Resolution: Security is Broken…Let’s Fix It

As we near the end of 2018, another wave of massive cyber-attacks has exposed personally identifiable information belonging to hundreds of millions of people and will cost the impacted businesses

The post A New Year’s Resolution: Security is Broken…Let’s Fix It appeared first on The Cyber Security Place.

PrivilegeEsc-Linux – Open Source Script for Enumeration on Linux

PrivilegeEsc-Linux is a simple script which checks the security on a Linux machine. It can run many different options, such

PrivilegeEsc-Linux – Open Source Script for Enumeration on Linux on Latest Hacking News.

Hackers Defaced Linux.org As Protest Against Linux Code of Conduct

Just recently, Linux.org owners had to bear with a seriously embarrassing situation when they noticed someone meddling with their website.

Hackers Defaced Linux.org As Protest Against Linux Code of Conduct on Latest Hacking News.

massExploitConsole – An Open Source Tool For Exploiting Known Vulnerabilities

MassExploitConsole is a python based easy-to-use cli tool for executing exploits. It has a collection of exploits to execute, built-in

massExploitConsole – An Open Source Tool For Exploiting Known Vulnerabilities on Latest Hacking News.

Brutex – Open Source Tool for Brute Force Automation

Brutex is a shell based open source tool to make your work faster. It combines the power of Nmap, Hydra

Brutex – Open Source Tool for Brute Force Automation on Latest Hacking News.

Kalitorify – Open Source Tool to Run Kali Linux Traffic Through Tor

Kalitorify is a shell based script for Kali Linux. It uses iptables and TOR to create a transparent proxy. In

Kalitorify – Open Source Tool to Run Kali Linux Traffic Through Tor on Latest Hacking News.

Healthcare Cybersecurity

The healthcare industry is one of the biggest targets for hackers and other bad actors, given the massive amount of personal data these organizations have in their possession and the

The post Healthcare Cybersecurity appeared first on The Cyber Security Place.

Quora hacked: Personal data of 100 million users stolen

By Waqas

Quora hacked – Change your password now. Another day, another data breach – This time Quora, a question-and-answer website, has suffered a massive data breach in which personal data of 100 million registered users has been stolen, the company said on Tuesday, December 4th. In a blog post, Quora’s Chief Executive Adam D’Angelo explained that the […]

This is a post from HackRead.com Read the original post: Quora hacked: Personal data of 100 million users stolen

Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

By Waqas

Sotheby’s, an American multinational corporation and auction house, has become another victim of a Magecart attack after hackers gained access to the Sotheby’s Home website and inserted card-skimming code aimed at customers’ credit card and banking data. Although Sotheby’s detected the intrusion on 10th October 2018, the malware was present on its website and stealing personal and financial data of […]

This is a post from HackRead.com Read the original post: Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

PewDiePie Fan Hacks 50,000 Printers to Keep the Channel No.1

In a recent effort to earn more subscribers for Felix Kjellberg’s channel ‘Pewdiepie’, a self-proclaimed Pewdiepie fan hacked over 50,000

PewDiePie Fan Hacks 50,000 Printers to Keep the Channel No.1 on Latest Hacking News.

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences

The customers of Zoom conferencing app need to update their apps at the earliest to protect themselves from hackers. As

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences on Latest Hacking News.

Moscow’s cable car service shuts down in 2 days after ransomware attack

By Waqas

The first cable-car service was launched in Moscow this Tuesday, and free rides to and from Luzhniki Stadium were promised to the visitors throughout the first month. Naturally, people were eager to ride the cable-car and thronged the location. However, much to their dismay, only after a few days the service got attacked with ransomware. […]

This is a post from HackRead.com Read the original post: Moscow’s cable car service shuts down in 2 days after ransomware attack

Marriott Data Breach Exposed 500 Million Records From Starwood Database

Another massive hotel data breach has surfaced online that affected millions of customers. This time, the victim is a renowned

Marriott Data Breach Exposed 500 Million Records From Starwood Database on Latest Hacking News.

Manipulating Digital Mammograms Via Artificial Intelligence May Cause Misdiagnosis

Mammography has been a critical procedure for diagnosing breast cancer. Yet, at the same time, the exposure to radiations has

Manipulating Digital Mammograms Via Artificial Intelligence May Cause Misdiagnosis on Latest Hacking News.

Potential Dell Data Breach Might Have Exposed Customer Information

In a time when cyber attacks and data breaches have become a routine, what makes them interesting is when an

Potential Dell Data Breach Might Have Exposed Customer Information on Latest Hacking News.

Dunkin Donuts Resets Passwords After Enduring Credential Stuffing Attack

For all donut lovers out there, it’s time to reset your account passwords if you have been a customer of

Dunkin Donuts Resets Passwords After Enduring Credential Stuffing Attack on Latest Hacking News.

Marriott hotel data breach: Sensitive data of 500 million guests stolen

By Waqas

Marriott has announced that it has suffered a massive data breach after attackers hacked its guest reservation system at Starwood hotels, a group of hotels the company took over in 2016 – These hotels include Sheraton, St. Regis, Westin and W Hotels. The breach was discovered last week after Marriott’s internal security tool alerted the company regarding an attempt to access the […]

This is a post from HackRead.com Read the original post: Marriott hotel data breach: Sensitive data of 500 million guests stolen

Knock – Open Source Subdomain Scanner Tool

Knock is a python based tool for enumerating subdomains on a targeted domain. You can use a custom wordlist and

Knock – Open Source Subdomain Scanner Tool on Latest Hacking News.

Things To Understand To Prevent Data Loss

By Julia Sowells, Senior Information Security Specialist at Hacker Combat. Customer data is the lifeblood of any business entity; they are driven towards the increasing obligation of securing it as they

The post Things To Understand To Prevent Data Loss appeared first on The Cyber Security Place.

AI in cyber security: a help or a hindrance?

AI has the possibility of being deployed by both sides: those looking to attack and those looking to defend. With a disappearing IT perimeter, a widening skills gap and the increasing sophistication

The post AI in cyber security: a help or a hindrance? appeared first on The Cyber Security Place.

Empire – Open Source Post-Exploitation Agent Tool

Empire is regarded as one of the most useful frameworks by many penetration testers. It has many different powershell and

Empire – Open Source Post-Exploitation Agent Tool on Latest Hacking News.

BitPay XSS Hack Used to Steal Private Keys From Unsuspecting Customer Wallets

The CoPay Bitcoin Wallet was recently hit with a malicious Cross-site scripting exploit that enabled private keys of its users

BitPay XSS Hack Used to Steal Private Keys From Unsuspecting Customer Wallets on Latest Hacking News.

Blazy – Open Source Modern Login Brute-forcer

I know what you are thinking, bruteforce doesn’t work anymore in many cases. However, Blazy is not just another brute-force

Blazy – Open Source Modern Login Brute-forcer on Latest Hacking News.

Dell.com announces potential cyber security breach

Dell.com resets all customer passwords after a network breach

Dell Inc., the U.S. based hardware giant, announced yesterday that the company had suffered a security breach earlier this month, on November 9, 2018. However, the company said that it managed to stop hackers who were looking to access data such as customer names, email addresses and hashed passwords.

“Dell is announcing that on November 9, 2018, it detected and disrupted unauthorized activity on its network attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords,” the company said in its press release.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

According to reports, Dell did not inform its customers about the breach when it forced the password resets for all customer accounts on November 14, 2018. Also, the company did not mention how the hackers were able to breach its network.

“Our investigations found no conclusive evidence that any information was extracted,” Dell said in its press release. “Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.”

Dell said that it is still investigating the incident, but said the breach wasn’t an extensive one, as the company’s engineers were able to detect the intrusion on the same day it took place.

While a Dell spokesperson refused to provide the number of affected accounts, he said that “it would be imprudent to publish potential numbers when there may be none.”

Following the security breach, the company has encouraged its customers to change the password for their Dell.com account, and also for other online services if they use the same or similar passwords there.

The post Dell.com announces potential cyber security breach appeared first on TechWorm.

Dell Resets All Customers’ Passwords After Potential Security Breach

Multinational computer technology company Dell disclosed Wednesday that its online electronics marketplace experienced a "cybersecurity incident" earlier this month when an unknown group of hackers infiltrated its internal network. On November 9, Dell detected and disrupted unauthorized activity on its network attempting to steal customer information, including their names, email addresses and

U.S. Charges Two Iranian Hackers for SamSam Ransomware Attacks

The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used

Veil-Framework – Open Source Tool to Bypass Common Anti-Virus Solutions

Based on python, the Veil-Framework is one of the most popular tools for Anti-Virus evasion. You can generate many different

Veil-Framework – Open Source Tool to Bypass Common Anti-Virus Solutions on Latest Hacking News.

mitmAP – An Open Source Tool to Create a Fake Access Point and Sniff Data

The Evil Access Point (AP) attack has been around for a long time. There are several ways to create this

mitmAP – An Open Source Tool to Create a Fake Access Point and Sniff Data on Latest Hacking News.

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributors went rogue and infected it with malicious code programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of

Trivial Spotify Phishing Campaign Targets Users To Steal Login Credentials

Spotify users have to become cautious due to another round of Spotify phishing campaigns that target users’ credentials. The

Trivial Spotify Phishing Campaign Targets Users To Steal Login Credentials on Latest Hacking News.

VMWare Patched Critical Vulnerability In Workstation And Fusion

Recently, VMware patched a critical vulnerability affecting its Workstation and Fusion software. The bug could allegedly allow an attacker to execute

VMWare Patched Critical Vulnerability In Workstation And Fusion on Latest Hacking News.

Xerosploit – Open Source Toolkit For Man In The Middle Attacks

Xerosploit is a python-based toolkit for creating efficient Man In The Middle attacks which combines the power of bettercap and

Xerosploit – Open Source Toolkit For Man In The Middle Attacks on Latest Hacking News.

Phishers Up Their Game to Combat User Awareness

In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler. In a recent blog

The post Phishers Up Their Game to Combat User Awareness appeared first on The Cyber Security Place.

Mirai Used as Payload in Hadoop YARN Vulnerability

A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.

The post Mirai Used as Payload in Hadoop YARN Vulnerability appeared first on The Cyber Security Place.

Vision Direct Deals With Customer Data Leak

Vision Direct, the UK’s biggest online retailer supplying contact lenses, has recently hit the headlines for

Vision Direct Deals With Customer Data Leak on Latest Hacking News.

Center for Connected Medicine Polls Top Health Systems About 2019 Priorities

Cybersecurity is still the big one. But interoperability and telehealth are not far behind for leading organizations’ technology goals. The Center for Connected Medicine polled IT executives across 38 health

The post Center for Connected Medicine Polls Top Health Systems About 2019 Priorities appeared first on The Cyber Security Place.

Real Identity of Hacker Who Sold LinkedIn, Dropbox Databases Revealed

The real identity of Tessa88—the notorious hacker tied to several high-profile cyber attacks including the LinkedIn, DropBox and MySpace mega breaches—has been revealed as Maksim Vladimirovich Donakov (Максим Владимирович Донаков), a resident of Penza, Russian Federation. In early 2016, a hacker with pseudonym Tessa88 emerged online offering stolen databases from some of the biggest social media

DDoS Attack Volumes Increase By 110% In Q3 2018, According To Link11’s New Report

Link11, a cyber security firm, has released its Q3 DDoS Report, revealing that the scale and volume of DDoS attacks continued to grow in Europe during Q3 2018. The Link11

The post DDoS Attack Volumes Increase By 110% In Q3 2018, According To Link11’s New Report appeared first on The Cyber Security Place.

Two TalkTalk hackers jailed for 2015 data breach that cost it £77 million

Two hackers have been sent to prison for their roles in hacking TalkTalk, one of the biggest UK-based telecommunications companies, in 2015 and stealing personal information, banking, and credit card details belonging to more than 156,000 customers. Matthew Hanley, 23, and Connor Allsopp, 21, both from Tamworth in Staffordshire, were sentenced Monday to 12 months and 8 months in prison,

Instagram Bug, Now Fixed, Exposed User Passwords

A security flaw in Instagram’s Download Your Data, a tool released in April this year, reportedly could have exposed user passwords, but the bug has now been fixed, according to

The post Instagram Bug, Now Fixed, Exposed User Passwords appeared first on The Cyber Security Place.

Major SMS Leak Exposed Millions Of Messages

Two-factor authentication codes were also exposed in Voxox leak. A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at

The post Major SMS Leak Exposed Millions Of Messages appeared first on The Cyber Security Place.

Hackers May Exploit Microsoft PowerPoint For Malware Attacks

Microsoft Office tools, particularly Word, Excel, and PowerPoint, have always enticed criminal hackers due to their popularity among the

Hackers May Exploit Microsoft PowerPoint For Malware Attacks on Latest Hacking News.

Secret Charges Against Julian Assange Revealed Due to “Cut-Paste” Error

Has Wikileaks founder Julian Assange officially been charged with any unspecified criminal offense in the United States? — YES United States prosecutors have accidentally revealed the existence of criminal charges against Wikileaks founder Julian Assange in a recently unsealed court filing in an unrelated ongoing sex crime case in the Eastern District of Virginia. Assistant US Attorney Kellen

7 New Meltdown and Spectre-type CPU Flaws Affect Intel, AMD, ARM CPUs

Disclosed earlier this year, the potentially dangerous Meltdown and Spectre vulnerabilities that affected a large family of modern processors proved that speculative execution attacks can be exploited in a trivial way to access highly sensitive information. Since then, several more variants of speculative execution attacks have been discovered, including Spectre-NG, SpectreRSB, Spectre 1.1,

HITRUST Common Security Framework – Improving Cyber Resilience?

A few weeks ago, Anthem agreed to a record $16 million HIPPA settlement with federal regulators to close the chapter on a data breach that exposed data on nearly 79 million individuals

The post HITRUST Common Security Framework – Improving Cyber Resilience? appeared first on The Cyber Security Place.

Access to Thousands of Breached Sites Found on Underground Market

By Vitali Kremez, Director of Research at Flashpoint. Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of

The post Access to Thousands of Breached Sites Found on Underground Market appeared first on The Cyber Security Place.

Chinese APT Group Exploit Fixed Critical Adobe ColdFusion Vulnerability On Unpatched Servers

In September, Adobe patched numerous critical vulnerabilities in ColdFusion. However, a couple of weeks after Adobe released the patches, researchers

Chinese APT Group Exploit Fixed Critical Adobe ColdFusion Vulnerability On Unpatched Servers on Latest Hacking News.

Critical Flaw in GDPR Plug-In For WordPress

Hackers have been found exploiting a critical security vulnerability that affects a GDPR plug-in for WordPress to take control over vulnerable websites according to security researchers at Wordfence. “These attacks show that

The post Critical Flaw in GDPR Plug-In For WordPress appeared first on The Cyber Security Place.

Hacker Who DDoSed Sony, EA and Steam Gaming Servers Pleads Guilty

A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014. According to a Justice Department (DoJ) press release, Austin Thompson, a.k.a. "DerpTroll," took down servers of several major gaming platforms including Electronic Arts' Origin service,

StatCounter Analytics Code Hijacked to Steal Bitcoins from Cryptocurrency Users

Late last week an unknown hacker or a group of hackers successfully targeted a cryptocurrency exchange with an aim to steal Bitcoins by compromising the web analytics service it was using. ESET malware researcher Matthieu Faou this weekend spotted malicious JavaScript code on up to 700,000 websites that were bundled with the traffic tracking code from the leading web analytics platform

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup, run and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware checks where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly from the contents of the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder, then, after eliminating any blacklisted filenames from an internal list, it creates a renamed copy of itself under “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. The malware executes the copy from the new location and then cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplishes this by launching the following processes with the respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
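Detection logic for the launch chain and recovery-tampering commands just described, as an added example (not FireEye's code): it runs over constructed process-creation events shaped like EDR or Sysmon records; the host names, file paths, the profilest.exe drop location and the encoded-command blob are assumptions.

```python
"""Flag (a) an Office process spawning PowerShell with execution-policy bypass,
a hidden window or an encoded command (steps 2-3 of the attack cycle) and
(b) the vssadmin/wmic/bcdedit commands that destroy recovery options (step 7),
then correlate both per host. Added example, not FireEye code."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent image path
    image: str    # image path of the new process
    cmdline: str  # command line of the new process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Launch flags seen in the macro's PowerShell invocation (aliases included).
PS_FLAGS = {
    "bypass": re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I),
    "hidden": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Backup and boot-recovery tampering, matching the four commands quoted above.
RECOVERY_TAMPER = {
    "vssadmin.exe": re.compile(r"delete\s+shadows", re.I),
    "wmic.exe": re.compile(r"shadowcopy\s+delete", re.I),
    "bcdedit.exe": re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I),
}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Return the detection labels that fire for a single event (empty if none)."""
    labels = []
    image, parent = basename(ev.image), basename(ev.parent)
    if image in ("powershell.exe", "pwsh.exe"):
        flags = [name for name, rx in PS_FLAGS.items() if rx.search(ev.cmdline)]
        if parent in OFFICE_APPS:
            labels.append("office-spawned-powershell" + ("-evasive" if flags else ""))
        elif len(flags) >= 2:  # no Office parent, but clearly trying to stay unseen
            labels.append("evasive-powershell")
    rx = RECOVERY_TAMPER.get(image)
    if rx and rx.search(ev.cmdline):
        labels.append("recovery-tampering:" + image)
    return labels


def hosts_with_chain(events):
    """Hosts showing both the Office->PowerShell launch and recovery tampering."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(classify(ev))
    return sorted(h for h, s in per_host.items()
                  if "office-spawned-powershell-evasive" in s
                  and any(l.startswith("recovery-tampering:") for l in s))


# Constructed sample telemetry; B64 is a placeholder blob (UTF-16LE "AAAAAAAAAAAA").
B64 = "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
DROP = r"C:\Users\victim\AppData\Roaming\profilest.exe"  # assumed drop path
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", WORD, r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\invoice.doc"'),
    ProcEvent("ws01", WORD, PS, f"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand {B64}"),
    ProcEvent("ws01", PS, DROP, "profilest.exe"),
    ProcEvent("ws01", DROP, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("ws01", DROP, r"C:\Windows\System32\wbem\WMIC.exe", "WMIC.exe shadowcopy delete"),
    ProcEvent("ws01", DROP, r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    # Benign lookalikes on another host: an admin listing shadows, interactive PowerShell.
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe", PS, "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, ev.host, basename(ev.image), classify(ev))
    print("chain on hosts:", hosts_with_chain(SAMPLE_EVENTS))
```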

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.


Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay ransom supports 12 languages

Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers' geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “Command Processor” AutoRun key value is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as the run and runonce keys are also used.

A Solid Defense
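An audit for the four persistence mechanisms just listed, as an added example (not FireEye's code): it parses a constructed "reg export" excerpt and a constructed list of Startup-folder shortcut targets, and groups findings by executable because Cerber installs several mechanisms for one binary; the GUID, user name and paths are made up.

```python
"""Find screensaver hijack, Command Processor AutoRun, Run/RunOnce entries and
Startup .lnk targets that point at a %APPDATA%\\<GUID> drop folder.
Added example, not FireEye code; all input data below is constructed."""
import re
from collections import defaultdict

# Constructed HKCU export from a hypothetical infected host (not real data).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\Users\\victim\\AppData\\Roaming\\{11111111-2222-3333-4444-555555555555}\\dwm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="\"C:\\Users\\victim\\AppData\\Roaming\\{11111111-2222-3333-4444-555555555555}\\dwm.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dwm"="\"C:\\Users\\victim\\AppData\\Roaming\\{11111111-2222-3333-4444-555555555555}\\dwm.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dwm"="C:\\Users\\victim\\AppData\\Roaming\\{11111111-2222-3333-4444-555555555555}\\dwm.exe"
'''

# Constructed targets of the .lnk files found in the user's Startup folder.
STARTUP_LNK_TARGETS = [
    r"C:\Users\victim\AppData\Roaming\{11111111-2222-3333-4444-555555555555}\dwm.exe",
    r"C:\Program Files\ExampleVendor\tray.exe",
]

CMD_PROCESSOR_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Cerber's drop location is %APPDATA%\<GUID>: a GUID-named folder directly under Roaming.
GUID_DROP_DIR = re.compile(r"\\appdata\\roaming\\\{[0-9a-f-]{36}\}\\", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped quotes) in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def exe_path(command):
    """Extract the executable path from a quoted or bare command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def audit(keys, startup_targets):
    """Return (mechanism, executable) pairs for each suspicious persistence entry."""
    findings = []
    autorun = keys.get(CMD_PROCESSOR_KEY, {}).get("AutoRun")
    if autorun:  # any AutoRun is unusual on a workstation and hijacks every cmd.exe start
        findings.append(("cmd-autorun", exe_path(autorun)))
    scr = keys.get(DESKTOP_KEY, {}).get("SCRNSAVE.EXE")
    if scr and not exe_path(scr).lower().startswith(SYSTEM_DIRS):
        findings.append(("screensaver-hijack", exe_path(scr)))
    for key, values in keys.items():
        if key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            tail = key.lower().rsplit("\\", 1)[-1]
            for cmd in values.values():
                if GUID_DROP_DIR.search(exe_path(cmd)):
                    findings.append((tail + "-key", exe_path(cmd)))
    for target in startup_targets:
        if GUID_DROP_DIR.search(target):
            findings.append(("startup-lnk", target))
    return findings


def correlate(findings):
    """Group mechanisms by executable; several for one binary is the Cerber pattern."""
    by_exe = defaultdict(set)
    for mechanism, exe in findings:
        by_exe[exe.lower()].add(mechanism)
    return {exe: sorted(m) for exe, m in by_exe.items()}


if __name__ == "__main__":
    for exe, mechanisms in correlate(audit(parse_reg(REG_EXPORT), STARTUP_LNK_TARGETS)).items():
        print(f"{exe}: {', '.join(mechanisms)}")
```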

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.
