Category Archives: Cybercrime

Hackers breach psychotherapy center, use stolen health data to blackmail patients

News of an unusual data breach at a psychotherapy center in Finland broke over the weekend, after affected patients began receiving emails telling them to pay up or risk their personal and health data being publicly released. Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors. What is known about the … More

The post Hackers breach psychotherapy center, use stolen health data to blackmail patients appeared first on Help Net Security.

Ransomware attack disabled Georgia County Election database

A ransomware attack recently hit Georgia county government and reportedly disabled a database used to verify voter signatures.

A ransomware attack hit a Georgia county government early this month and disabled a database used to verify voter signatures in the authentication of absentee ballots. It is a common process to validate absentee ballots sent by mail by analyzing signatures.

The media pointed out that this is the first reported case of a ransomware attack against a system used in the incoming 2020 Presidential election.

Ransomware attacks could have a dramatic impact on the elections, they could disrupt voting systems and raise doubts about the validity of the vote.

The attack took place on October 7, it hit Hall County, in the northern part of the state and it disabled the county’s voter signature database.

“One of the databases the county uses to verify voter signatures on absentee ballots is not working after some county network outages due to a ransomware attack on Oct. 7.” reported the Gainesville Times. “Registration Coordinator Kay Wimpye with the county elections office said employees can still verify voter signatures by manually pulling hard copies of voter registration cards, which is more time-consuming. Most voter signatures can be verified using a state database that has been unaffected by the outages, she said.”

The media reported that the Hall County attack was carried out by Doppelpaymer ransomware operators that also leaked stolen data on their dark web leak site to force the organization to pay the ransom.

The county website published an update to announce that the attack did not impact the voting process for citizens, a situation that is differed from the scenario reported by the Times.

Pierluigi Paganini

(SecurityAffairs – hacking, Georgia county)

The post Ransomware attack disabled Georgia County Election database appeared first on Security Affairs.

Cybercrime capitalizing on the convergence of COVID-19 and 2020 election

The cybersecurity challenges of the global pandemic are now colliding with the 2020 U.S. presidential election resulting in a surge of cybercrime, VMware research reveals. Attacks growing increasingly sophisticated and destructive As eCrime groups grow more powerful, these attacks have grown increasingly sophisticated and destructive – respondents reported that 82 percent of attacks now involve instances of counter incident response (IR), and 55 percent involve island hopping, where an attacker infiltrates an organization’s network to … More

The post Cybercrime capitalizing on the convergence of COVID-19 and 2020 election appeared first on Help Net Security.

Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks

Group-IB assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering web-bot and social engineering attacks

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has assisted Paxful, an international peer-to-peer cryptocurrency marketplace, in countering a wave of web-bot and social engineering attacks, and customer account takeovers. Powered with Group-IB’s solution for online fraud prevention Secure Portal, the platform has managed to fight off over 220,000 requests from web-bots in just two months, shielding its 4.5 million customers against possible attacks. The figure suggests that bitcoin platforms remain of great interest to threat actors. 

Cryptocurrencies, in general, are the apple of cybercriminals’ eye: Group-IB has alerted cryptocurrency holders to various scams on numerous occasions: fake giveawaysnon-existent cryptocurrency investment platforms, as well as personal data-exposing schemes, have found hundreds of thousands of people as their victims.

The scope of online threats that Paxful faced before acquiring Secure Portal ranged from social engineering attacks to customer account takeover, which is not surprising given the popularity of cryptocurrencies. But it was the detection and prevention of bad bot activity that pushed Paxful to adopt an additional layer of cybersecurity and resort to Group-IB. Bots, which are reported to generate about a quarter of global Web traffic, are de facto programs that emulate the actions of a real device for the purposes needed. They are a big headache for eCommerce businesses today, with cybercriminals using them to steal money, brute-force user credentials or carry out DDoS attacks. 

The brute-forcing of user credentials was the case with Paxful. To successfully thwart bad-bot activity, Group-IB Secure Portal creates a unique fingerprint of a device that is based on over a dozen of indicators and metrics, including info on the user-agent, platform, operation system, the time zone from which the user operates, device language, and others. Based on this fingerprinting and behavioral analysis, Group-IB Secure Portal identifies and issues an alert for any suspicious activity in real-time, after which this detection is used by Paxful to block bad bots. 

Trojans have also been spotted in the attacks on the marketplace: Group-IB Secure Portal has identified at least 1,200 user devices infected with Trojans. The detection of malware is considerably facilitated by the fact that Secure Portal is fueled by the information on threat actors, different malware strains’ behavior, malicious IPs and compromised data, such as login credentials or bank card data, from Group-IB attribution-based Threat Intelligence, a proprietary system that holds the most up-to-date data on advanced attackers and their TTPs. 

Group-IB Secure Portal also managed to identify over 100,000 accounts with three or more logins from the same device. Some of these accounts were simply compromised, others were used to boost rank on the platform for further fraud activity or were just resold. 

“For Paxful, Group-IB was the perfect solution; we were particularly impressed by the accuracy of Group-IB’s device fingerprint technology,” comments Dmitry Moiseev, the Chief Information Security Officer at Paxful. “The unique technology that easily detects suspicious devices is exactly what we were looking for. Interactive graph visualization tools and strong API create a truly comprehensive experience when it comes to fraud investigation. With reliable and helpful technical support, Group-IB is a well-rounded cybersecurity solution that works for us.” 

With the deployment of Group-IB Secure Portal, Paxful is now even better equipped to mitigate fraud and prevent digital crimes well before they are even close to affecting the company’s multimillion customer base. 

“Businesses are struggling more than ever today and to ensure that their customers are safe from fraud when using online services is the new normal,” comments Group-IB International Business Development Director Nicholas Palmer. “Online fraud is one of the biggest hurdles on the path toward achieving a positive client experience. For online platforms, it is extremely important to ensure the safety of its users and the integrity of its cybersecurity, whose perimeter should extend to end-point devices and the protection of its clients. Group-IB Secure Portal is implementing this philosophy through its patented clientless detection technology, which protects clients’ customers without need for the latter to install any additional apps.”

About Group-IB Secure Portal

Group-IB Secure Portal is a client-side fraud prevention solution working across sessions, platforms, and devices in real time.

Group-IB Secure Portal effectively detects and prevents dangerous activities through behavior analysis, anomaly detection, daily automatic filter rule and signature updates based on unique data from Group-IB’s Threat Intelligence.

The combination of advanced anti-fraud technologies and intelligence protects both banking and retail customers. Moreover, it helps comply with legal requirements designed to protect funds belonging to individuals and companies against scammers.   

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services.

Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks appeared first on Security Affairs.

Alexander Vinnik, the popular cyber criminal goes on trial in Paris

The Russian citizen Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135 million euros using ransomware.

The Russian man Alexander Vinnik goes on trial in Paris for having defrauded nearly 200 victims across the world of 135M euros using ransomware.

Alexander Vinnik allegedly headed the Bitcoin exchange BTC-e, he is charged with different hacking crimes in Russia, France, and the United States.

In 2017, Greek Police arrested the Russian national Alexander Vinnik and they accused the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

AlexanderVinnik

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering for more than $4 billion worth amount of Bitcoin (BTC) resulting from criminal activities, the US prosecutors requested his extradition in July 2017.

Vinnik is also accused to be responsible for the failure of the Japanese bitcoin exchange Mt. Gox.

Mt. Gox was the biggest Bitcoin exchange at the time of the shut down in 2014 that occurred after the platform was the victim of a series of cyber heists for a total of $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist, a Greek lower court agreed to extradite Vinnik to France to face with charges with hacking, money laundering, extortion and involvement in organized crime.

French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.

French prosecutors revealed that among the 188 victims of the Vinnik’s attacks, there were local authorities, businesses, and individuals across the world.

Vinnik continues to deny charges of extortion and money laundering and did not answer magistrates’ questions.

“Prosecutors identified 20 businesses in six cities across France among the victims and following the money trail through various bank accounts — as much as $8 million — identified one as belonging to Vinnik.” reported the AFP news.

In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post Alexander Vinnik, the popular cyber criminal goes on trial in Paris appeared first on Security Affairs.

QQAAZZ crime gang charged for laundering money stolen by malware gangs

Multiple members of QQAAZZ multinational cybercriminal gang were charged for providing money-laundering services to high-profile malware operations.

20 members of the multinational cybercriminal group QQAAZZ were charged this week in the US, Portugal, Spain, and the UK for providing money-laundering services.

The arrests are the result of an unprecedented international law enforcement operation, coordinated by the Europol and dubbed Operation 2BaGoldMule, involving agencies from 16 countries. The police executed more than 40 house searches in Latvia, Bulgaria, the United Kingdom, Spain, and Italy.

The police also seized an extensive bitcoin mining operation in Bulgaria associated with QQAAZZ.

According to law enforcement bodies, the gang provides services to multiple malware operations, including Dridex, GozNym, and Trickbot.

QQAAZZ attempted to launder tens of millions stolen from victims starting with 2016 by the world’s foremost cybercriminals.

“Comprised of several layers of members mainly from Latvia, Georgia, Bulgaria, Romania, and Belgium, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from accounts of victims.” reads the press release published by Europol. “The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.  After taking a fee of up to 50-percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”  

The QQAAZZ gang advertised its services as a ‘global, complicit bank drops service’ on multiple Russian-speaking online cybercriminal forums.

QQAAZZ gang

The member of the gang used instant messaging apps to instruct their client on how to transfer the stolen funds to bank accounts under their control. The bank accounts were opened by money mules using fake and legitimate Polish and Bulgarian ID documents.

QQAAZZ also leverages dozens of shell companies to open other bank accounts.

The money laundering operation involved hundreds of corporate and personal bank accounts at financial institutions throughout the world.

Some of the money was also “converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds.”

“The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using “tumbling” services designed to hide the original source of the funds.” states the DoJ. “After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.”

“Cybercriminals are constantly exploring new possibilities to abuse technology and financial frameworks to victimise millions of users in a moment from anywhere in the world,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre.

“Today’s operation shows how through a proper law enforcement international coordination we can turn the table on these criminals and bring them to justice.”

Pierluigi Paganini

(SecurityAffairs – hacking, QQAAZZ cybercrime gang)

The post QQAAZZ crime gang charged for laundering money stolen by malware gangs appeared first on Security Affairs.

Deepfake Voice Technology Iterates on Old Phishing Strategies

As the world of AI and deepfake technology grows more complex, the risk that deepfakes pose to firms and individuals grows increasingly potent. This growing sophistication of the latest software and algorithms has allowed malicious hackers, scammers and cyber criminals who work tirelessly behind the scenes to stay one step ahead of the authorities, making […]… Read More

The post Deepfake Voice Technology Iterates on Old Phishing Strategies appeared first on The State of Security.

Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

Most Dangerous Celebrity

Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyber threats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information. Owing to his international popularity and fan following that well resonates in India, Cristiano Ronaldo takes the top spot on the India edition of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

Ronaldo is popular not only for his football skills, but also for his lifestyle, brand endorsements, yearly earnings, and large social media following, with fans devotedly tracking his every movement. This year, Ronaldo’s transfer to Juventus from Real Madrid for a reported £105M created quite a buzz, grabbing attention from football enthusiasts worldwide. Within the Top 10 list, Ronaldo is closely followed by veteran actress Tabu (No. 2) and leading Bollywood actresses, Taapsee Pannu, (No. 3) Anushka Sharma at (No. 4) and Sonakshi Sinha (No. 5). Also making the top ten is Indian singer Armaan Malik (No. 6), and young and bubbly actor Sara Ali Khan (No. 7). Rounding out the rest of the top ten are Indian actress Kangana Ranaut (No. 8), followed by popular TV soap actress Divyanka Tripathi (No. 9) and lastly, the King of Bollywood, Shah Rukh Khan (No. 10).

 

Most Dangerous Celebrity

Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows, sports, and movies to watch. For example, Ronaldo is strongly associated with malicious search terms, as fans are constantly seeking news on his personal life, as well as searching for news on his latest deals with football clubs. In addition, users may be streaming live football matches through illegal streaming platforms to avoid subscription fees. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity related news, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

Use parental control software

Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

 Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List appeared first on McAfee Blogs.

How Searching For Your Favourite Celebrity May Not End Well

Most Dangerous Celebrity

How Searching For Your Favourite Celebrity May Not End Well

2020 has certainly been the year for online entertainment. With many Aussies staying home to stay well, the internet and all its offerings have provided the perfect way for us all to pass time. From free movies and TV shows to the latest celebrity news, many of us have devoured digital content to entertain ourselves. But our love affair with online entertainment certainly hasn’t gone unnoticed by cybercriminals who have ‘pivoted’ in response and cleverly adapted their scams to adjust to our insatiable desire for content.

Searching For Our Favourite Celebrities Can Be A Risky Business

Cybercriminals are fully aware that we love searching for online entertainment and celebrity news and so devise their plans accordingly. Many create fake websites that promise users free content from a celebrity of the moment to lure unsuspecting Aussies in. But these malicious websites are purpose-built to trick consumers into sharing their personal information in exchange for the promised free content – and this is where many come unstuck!

Who Are The Most Dangerous Celebrities of 2020?

McAfee, the world’s leading cybersecurity company, has researched which famous names generate the riskiest search results that could potentially trigger consumers to unknowingly install malware on their devices or unwillingly share their private information with cybercriminals.

And in 2020, English singer-songwriter Adele takes out the top honours as her name generates the most harmful links online. Adele is best known for smashing the music charts since 2008 with hit songs including ‘Rolling in the Deep’ and ‘Someone Like You’. In addition to her award-winning music, Adele is also loved for her funny and relatable personality, as seen on her talk show appearances (such as her viral ‘Carpool Karaoke’ segment) and concert footage. Most recently, her weight-loss and fitness journey have received mass media attention, with many trying to get to the bottom of her ‘weight-loss’ secrets.

Trailing Adele as the second most dangerous celebrity is actress and star of the 2020 hit show Stan ‘Love Life’ Anna Kendrick, followed by rapper Drake (no. 3), model and actress Cara Delevingne (no. 4), US TikTok star Charli D’Amelio (no. 5) and singer-songwriter Alicia Keys (no. 6). Rounding out the top ten are ‘Sk8r Boi’ singer Avril Lavigne (No. 7), New Zealand rising music star, Benee (no. 8), songstress Camila Cabello (no. 9), and global superstar, singer and actress Beyonce (no. 10).

Most Dangerous Celebrity

Aussies Love Celebrity Gossip

Whether it was boredom or the fact that we just love a stickybeak, our love of celebrity news reached new heights this year with our many of us ‘needing’ to stay up to date with the latest gossip from our favourite public figures. Adele’s weight-loss journey (no.1), Drake’s first photos of ‘secret son’ Adonis (no. 4), and Cara Delevingne’s breakup with US actress Ashley Benson (no. 5), all had us Aussie fans flocking to the internet to search for the latest developments on these celebrity stories.

We’ve Loved New Releases in 2020

With many of us burning through catalogues of available movies and TV shows amid advice to stay at home, new release titles have definitely been the hottest ticket in town to stay entertained.

Rising to fame following her roles in ‘Twilight’ and musical comedy ‘Pitch Perfect’, Anna Kendrick (no. 2) starred in HBO Max series ‘Love Life’ which was released during the peak of COVID-19 in Australia, as well as the 2020 children’s film ‘Trolls World Tour’. R&B and pop megastar Beyonce (no. 10) starred in the 2019 remake of Disney cult classic ‘The Lion King’ and released a visual album ‘Black Is King’ in 2020.

Music Has Soothed Our Souls This Year 

While live concerts and festivals came to a halt earlier this year, many of us are still seeking music – both old and new – to help us navigate these unprecedented times. In fact, musicians make up 50% of the top 10 most dangerous celebrities – hailing from all genres, backgrounds and generations.

Canadian rapper Drake (No. 2) sparked fan interest by dropping his ‘Dark Lanes Demo Tapes’ album including hit songs ‘Chicago Freestyle’ and ‘Tootsie Slide’ that went massively viral on TikTok. New Zealand singer Benee also came out of the woodwork with viral sensations Supalonely and Glitter topping charts and reaching global popularity on TikTok.

Known for her enormously successful R&B/Soul music in the early 2000s, Alicia Keys (no. 6) released a string of new singles in 2020. Camila Cabello’s ‘Senorita’ duet with Canadian singer and now boyfriend Shawn Mendes, was Spotify’s most streamed song of 2019. The couple continued to attract copious attention as fans followed stories reporting on the lovebirds self-isolating together in Miami earlier this year.

How to Avoid Getting Caught In An Online Celebrity Scam

Please don’t feel that getting caught by an ill-intentioned cybercrime is inevitable. If you follow these few simple tips, you can absolutely continue your love of online entertainment and all things celebrity:

  1. Be Careful What You Click

If you are looking for new release music, movies or TV shows or even an update on your favourite celebrity then ALWAYS be cautious and only click on links to reliable sources. Avoid ‘dodgy’ looking websites that promise free content – I guarantee these sites will gift you a big dose of malware. The safest thing is to wait for official releases, use only legitimate streaming sites and visit reputable news sites.

  1. Say NO to Illegal Streaming and Downloading Suspicious Files

Yes, illegal downloads are free but they are usually riddled with malware or adware disguised as mp3 files. Be safe and use only legitimate music streaming platforms – even if it costs a few bucks! Imagine how devastating it would be to lose access to everything on your computer thanks to a nasty piece of malware?

  1. Protect Your Online Safety With A CyberSecurity Solution

One of the best ways of safeguarding yourself (and your family) from cybercriminals is by investing in an  comprehensive cybersecurity solution like McAfee’s Total Protection. This Rolls Royce cybersecurity package will protect you from malware, spyware, ransomware and phishing attacks. An absolute no brainer!

  1. Get Parental Controls Working For You

Kids love celebrities too! Parental control software allows you to introduce limits to your kids’ viewing which will help minimise their exposure to potentially malicious or inappropriate websites when they are searching for the latest new on TikTok star Charlie D’Amelio or go to download the latest Benee track.

I don’t know how my family of 6 would have survived this year without online entertainment. We’ve devoured the content from three different streaming services, listened to a record number of hours on Spotify and filled our heads with news courtesy of online news sites. And while things are looking up, it will be a while before life returns to normal. So, please take a little time to educate your family on the importance of ‘thinking before you click’ and the perils of illegal downloading. Let’s not make 2020 any more complicated!!

Stay safe everyone!

 

Alex x

The post How Searching For Your Favourite Celebrity May Not End Well appeared first on McAfee Blogs.

Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

Most Dangerous Celebrity

Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

Thanks to her recent starring roles, American actress Anna Kendrick has found herself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

The Top Ten Most Dangerous Celebrities

You probably know Anna Kendrick from her popular roles in films like “Twilight,” Pitch Perfect,” and “A Simple Favor.” She also recently starred in the HBO Max series “Love Life,” as well as the 2020 children’s film “Trolls World Tour.” Kendrick is joined in the top ten list by fellow actresses Blake Lively (No. 3), Julia Roberts (No. 8), and Jason Derulo (No. 10). Also included in the top ten list are American singers Mariah Carey (No. 4), Justin Timberlake (No. 5), and Taylor Swift (No. 6). Rounding out the rest of the top ten are American rapper Sean (Diddy) Combs (No. 2), Kate McKinnon (No. 9), and late-night talk show host Jimmy Kimmel (No. 7).

Most Dangerous Celebrity

Lights, Camera, Security

Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows and movies to watch. However, people must understand that torrent or pirated downloads can lead to an abundance of cyberthreats. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

Secure Yourself From Malicious Search Results

Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

Be careful what you click

 Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

Refrain from using illegal streaming sites

When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

Protect your online safety with a cybersecurity solution

 Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

Use a website reputation tool

 Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

 Use parental control software

 Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

 

The post Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020 appeared first on McAfee Blogs.

ScamsWeek2020

Here’s How to Be Yourself and NOT let a Scammer Be You!

If you hadn’t truly embraced the incredible benefits of managing your life online, then I bet 2020 has changed things for you. With social distancing still a big consideration in day to day life, more Aussies than ever are managing their lives online so they can stay home and stay well. But, unfortunately, there is a downside – online scams. The expanded online playground of 2020 means cybercrims are upping the ante and investing even more energy doing what they do so well – scamming everyday Aussies out of their hard-earned cash.

This week is Scams Awareness Week in Australia – a good opportunity to be reminded of how our growing use of technology can give scammers more opportunities to trick us into giving away our valuable personal information. In 2019, a whopping $630 million dollars was lost by Australians in scams.

Scammers are Pivoting Too!

We’ve all heard it. 2020 is about pivoting – being flexible and seeking out new opportunities. Well, clearly, we aren’t the only ones heeding the advice with scammers changing things up to capitalise on the chaotic nature of 2020. In fact Scamwatch has seen a 55 per cent increase in reports involving loss of personal information this year compared with the same period in 2019, totalling more than 24, 000 reports and over $22 million in losses.

Many experts are warning that scammers are renowned for ‘following the money’ so are currently expending a lot of energy targeting Aussies’ superannuation and government relief payments. Using email, text or phone, a scammer will often pretend to be from a Government agency eg MyGov or the Health Department and will insist that they require personal information in order to help the ‘victim’ access government payments, or access their super fund.

They are after driver’s license details, Medicare numbers – whatever they can get their hands on that will give them 100 points of identification which is enough for them to assume the identity of the victim and effectively do anything in their name. They could apply for a credit card, access superannuation accounts, or even tap into a victim’s government payments!

What Can We Do to Protect Ourselves?

There are steps we can all take to minimise the risk of getting caught up in a scam and, to be honest, most of them are remarkably simple. Here are my top tips:

  1. Think Critically

If there was ever a time to tap into your inner Sherlock Holmes, it’s now! If you receive a call, text, or email from someone out of the blue who claims to be from a government agency then tread VERY carefully! Do not feel pressured to share any information with anyone who has contacted you – regardless of what they say. Take a moment and ask yourself why they would be contacting you. If they are calling you – and you still aren’t sure – ask for their number so you can call them back later.

Remember – reputable organisations will rarely – if ever – call you and ask for personal information. And if you still aren’t sure – ask a family member of trusted friend for their advice. But remain sceptical at all times!

  1. Passwords, Passwords, Passwords

Yes, I know I sound like a broken record – but having an easily guessable password that you use on all your devices and accounts is no different to playing Russian Roulette – you won’t come out on top! Unfortunately, data breaches are a reality of our digital life. If a scammer gets their hands on your email and password combo through a data breach – and you have used that same combo on all your accounts – then you are effectively giving them access to your online life.

So, you need a separate complex password for each of your online accounts. It needs to be at least 8 characters and a combination of numbers, letter (lower and uppercase) and symbols. I love using a nonsensical sentence but a password manager that does all the thinking – and remembering – is the absolute best way of managing your passwords. Check out McAfee Total Protection, which includes a Password Manager.

  1. Keep Your Personal Information Tight

The best way to keep your personal information safe is by keeping it to yourself! Limit the amount of personal information you share – particularly on social media. Oversharing online makes it even easier for a scammer to steal your identity. And please avoid linking up your credit or debit cards to your online accounts unless absolutely necessary. Yes, it’s so convenient and a great way of making spontaneous purchases but it is a very risky business.

2020 has certainly been a tough year for us all. Many of us are struggling – financially and psychologically as we come to grips with our changing world. So, please – take a little time to tighten up your online life and remember if something seems too good to be true then it probably is!

Stay safe everyone!

Alex x

 

The post ScamsWeek2020 appeared first on McAfee Blogs.

How to ‘Online Date’ Safely in 2020

If you are a young person looking for your ‘special someone’ then 2020 would have seriously cramped your style. Whether you’ve been in lockdown, working from home or simply staying home to stay well, your social life would have taken a hit. So, it comes as no surprise that dating sites have become the playground for young people – in fact all aged people – who are ‘looking for love’.

The New Normal

Our ‘in-person’ social lives look a whole lot different to 2019. Over the last six months, we’ve all been living with a barrage of new restrictions which has meant a lot of time at home. Earlier in 2020, many cities effectively closed-up while others – such as Melbourne – recently imposed a strict lockdown to curb the spread of the virus. In NSW, cafes, pubs, and restaurants reopened but with tight restrictions on the number of people allowed inside. My older boys spent a few Saturday nights lining up to get into the local pub but ended up returning home to the couch.

And of course, it goes without saying that protecting our people should be the biggest priority, but it has taken a toll on our ability to socialise and connect with others.

Most Aussies Now Meet Their Partners Online

One of my oldest friends found the love of her life online. 15 years later and all is going swimmingly! She was an Aussie and he was an Englishman – but it didn’t matter – love prevailed! There is no humanly possible way, these two would have connected if it wasn’t for the wonders of technology.

A recent survey of over 54,000 Australians by the ABC – the Australia Talks National Survey showed that more people meet their partner online than anywhere else and in fact – it has been that way since 2010! And of the Aussies who met their partners in 2019 – 1/3 made the connection online. So, even before 2020 – people were looking online to find a match.

But add in a global pandemic and you don’t have to be a rocket scientist to predict that these statistics will only increase!

Proceed with Caution

With so many people, understandably, feeling isolated and lonely, online dating is a wonderful way to make connections – both romantic and platonic. But you do need to have your wits about you to stay safe.

Scammers will often prey on our need to feel connected to each other and expend a lot of energy developing relationships for all the wrong reasons. So, if you have a teen or young adult in your house who is directing their energies into online dating sites, then please check in with them to ensure they are being safe.

Here are my top tips on staying safe while you look for love online:

  1. Don’t Get Too Personal – While it might feel harmless sharing your name, location and occupation to your new online friends, it doesn’t take much for a scammer to piece together your details to access your personal info, bank accounts or even steal your identity. Never use your full name on dating sites and only share what is absolutely necessary!
  2. Do Your Homework – Before you meet someone in person after meeting them online, always do your homework. A Google search is a great place to start and even using Google Images will help you get a better understanding of a person. Don’t forget to check out their LinkedIn account too. And why not investigate whether you might have mutual friends? If so, ask them for their ‘2 cents worth’ too.
  3. Think Before You Send – Sharing sexy pics or videos with the person you are dating online might seem like a good idea in the moment but please consider how this could affect you in the future. Once those pictures and videos are online, they are online forever. Even social media apps that say pictures go away after a few seconds can be easily circumvented with a screenshot.  It’s not just celebrities who have intimate pictures spread around the Internet!
  4. Make passwords a priority – Ensure all your online dating and social media accounts, and all your devices, have separate and unique passwords. Ideally, each password should have a combination of lower- and upper-case letters, numbers, and special characters. I love using a nonsensical, crazy sentence!

 

One of the greatest lessons of 2020 for me is our need for human connection.

My biggest takeout from 2020? Humans need other humans to not only survive but thrive. So, if you’re looking for your life partner – or even companionship – the online world may be the perfect way for the moment. But, please – exercise caution and be safe – because as I say to my boys all the time – trust your gut, because it’s usually right!

Stay safe

Alex x

 

The post How to ‘Online Date’ Safely in 2020 appeared first on McAfee Blogs.

Ransomware attack on Garmin thought to be the work of ‘Evil Corp’

Russian cybercrime gang is believed to be responsible for taking Garmin services offline

A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.

Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.

Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

Related: Garmin down: how to still get your activities on to Strava

Continue reading...

Smartwatch maker Garmin hit by outages after ransomware attack

US company forced to shut down call centres, website and some other online services

Garmin has been forced to shut down its call centres, website and some other online services after a ransomware attack encrypted the smartwatch maker’s internal network and some production systems.

The US company shut down services including the official Garmin website and all customer services, including phone lines, online chat and email.

Related: The five: ransomware attacks

Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

Continue reading...

Cyber Threats Trends 6 Months Of Findings

After six months from Cyber Threats Trends launch it’s time to check its main findings. When I decided to develop my own Cyber Threats Observatory I was not sure about its effectiveness and I was even more skeptical about the real usage from international cybersecurity communities. Fortunately many students, researchers and professionals used such a data to write thesis, papers and researches. Many of them cited my work (by adding a link in footnotes or in the reference section), other just dropped a “thank you email”. This was enough for me to decide to mantain Cyber Threats Trends for additional six months. Performing data collection, data analysis and data classification requires a quite expensive back-end, so it needs to be useful for somebody otherwise it would make no sense to maintain such a dedicated infrastructure.

But now let’s take a looks to what it was able to find during the past six months.

Malware Families

The most seen Malware families from January 2020 to June 2020 (6 months of activity) are the following ones:
GrandCrab ~3%
Upatre ~1,9% (!!)
Emotet ~1,8%
TrickBot ~1,25%
It looks like be inline with many available statistics and reports from the 2020 with the only exception on Upatre, which looks like super out of topic in 2020, but I have mostly discussed it here, so today I am quite confident it’s not a wrong classification. Many other families have been seen according to the following graph, but they will not be discussed in the current post.

Malware Families

Looking at the distribution of the top malware families we might focus on figure-out if some temporal pattern would emerge. The following image shows the GrandCarb family distribution over time. It is interesting to see that GrandCrab was mostly active during the last two weeks of March reaching its top detection rate on 2020-03-31 within a delicious frequency rate about 138 unique “findings” in that single day. Contrary it looks like to be less used during the months of May and June 2020.

GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

From Malpedia

Looking at pattern-wise we might agree there is a kind of frequency inside of it. If you group the date by weeks you might find that GrandCrab is mostly used twice per month. If you consider a “top” (the biggest local maximum detection rate) as the campaign launching day and the following local maximum tops in detection rate (in other words the shorter “tops” or the local maximums) as physiological campaign adjustments, it looks like attackers would take two weeks to harvest profit from previous launched campaign and to prepare new artifacts for the following one.

GrandCrab Ditribution over time

The following graph shows the Upatre family distribution over the past six months.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From Paloalto Unit42

This is a very interesting graph because Upatre was not longer used since years (I bet since 2016). However it looks like attackers recovered it and re-started to use it from April 2020. Grouping by date you would appreciate a 3 days rhythm meaning that from one “attack wave” to another one it would take an average of 3 days. I will perform additional check on that, but static rules are perfectly matching what we are seeing int the upatre graph.

Upatre Distribution over time

Moving one TrickBot, the following image shows its distribution over time. TrickBot was mostly active during the first months of 2020 in a constant and linear way, while from March to April 2020 it experienced a quite significant speedup. Due to covid thematic campaigns Cyber Threats Trends recorded more TrickBot as never before in such time frame.

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

From Malpedia
TrickBot Distribution over time

The following image shows the Emotet Distribution over time. As plausible the Emotet’s distribution follows the TrickBot one. Even if it is not clear the relationship between TrickBot folks and Emotet folks, we are quite accustomed to see these frameworks closely delivered in common campaigns, like for example few months ago when we experienced a lot of Ryuk (ransomware) distribution using Emotet + TrickBot.

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

From Malpedia
Emotet Distribution

Some indicators, such as the detection rate in January and the detection rate in June show to us that Emotet is used on these specific months even without TrickBot and it might suggest a different attack delivery procedure highlighting a different threat actor. In other words, comparing TrickBot and Emomet we observe that there are mainly two groups: a group which delivers TrickBot and Emotet together (such as the Ryuk ransom group) and a group which uses Emotet without TrickBot.

Carrier Distribution

Excluding the file type exe, which is the most analyzed file extension in the dropper panorama, we continue to observe many office files as the main Malware carrier. For example Microsoft Word Document within MACRO files are the most observed Malware carrier followed by PDF documents and CDF contents. While PowerShell files are still one of the most emerging threats we have not observed vast amount of Malware delivery on such carrier so far, but we see a revamping in the ancient Microsoft Excel Macro 4.0 as obfuscation technique.

Frequency no EXE

Still quite interesting how that statistics change over time. Indeed PDF and OLE objects are still the most used during the analyzed period of time. Even CDF document are quite common while simple scripts such as “VBscript” of Javascript are slowly decelerate their presence in international statistics.

Conclusion

Developing Cyber Threats Trends has been a great journey ! I had many sleepless nights and additional costs due to a quite big backend network (especially “database speaking”) but I had the opportunity to collect super interesting data and to increase knowledge on malware statistics and on developing distributed systems. Moreover it turned out being a quite useful data collection and trend analysis tool for quite few people out there ! I would definitely keep it on collecting more data !

How Entertaining Ourselves at Home Has Become a Risky Business

Online entertainment is certainly having a moment. While we all stayed home and socially distanced, many of us filled our time binge-watching movies and TV series  – and wasn’t it fabulous!! But did you know that researching your next binge-watching project could actually be putting you at risk?

Aussies Love TV

There is no doubt that us Aussies love our TV and the statistics confirm this. With over three-quarters of Aussies watching TV and over two-thirds browsing the internet to pass the time during lockdown, we are clearly a country of screen-time professionals. And with just under a million new Aussies gaining access to a streaming service in their household, it seems everyone is doing their bit to support the entertainment industry!

But streaming isn’t cheap and can add up fast (particularly when you have multiple accounts) prompting many of us to look for free alternatives. And our desire to save a buck or two when trying to find our next binge-watching project hasn’t escaped the attention of cybercriminals who have a knack for crafting convincing scam strategies that are in sync with consumer trends.

What’s the Most Targeted Show to Search For?

McAfee analysed over 100 of the top ‘talked about’ entertainment titles available across the leading streaming providers here in Australia and identified the 10 most targeted shows (both TV and film) to search for.

The series Unorthadox and movie Ace Ventura took the top place in their respective categories as having the highest ‘web search risk’ which means cybercriminals have put a lot of effort into developing scams around these titles. Scams could include websites offering free downloads of these titles – which require you to enter your personal information – or, pirated videos that contain malware which could access the private data on your device.

Here are the top 10 riskiest shows in both categories:

Series – Australian Top 10 Most Targeted

  1. Unorthadox
  2. You
  3. Family Guy
  4. Big Mouth
  5. Homeland
  6. The Vampire Diaries
  7. Dynasty
  8. Lost
  9. Brooklyn Nine-Nine
  10. Stranger Things

Movies – Australian Top 10 Most Targeted

  1. Ace Ventura
  2. Green Book
  3. John Wick
  4. Machinist
  5. Annihilation
  6. Ex Machina
  7. A Star Is Born
  8. Fyre
  9. Lady Macbeth
  10. Bird Box

Horror and Thriller Films seem to be the trend!

It appears as though our love for horror and thriller films may be putting us in danger, with five of the top ten films most targeted by cybercriminals falling into these genres. With social distancing restrictions in place, Aussies are clearly seeking to add some thrill back into their lives which has opened up new opportunities for cybercriminals. Consumers need to be careful when it comes to searching for stimulating content to escape reality to ensure it doesn’t translate to real-life malware horror.

How You Can Stay Safe While Binge-Watching At Home

Now, I want to make it very clear – this news doesn’t mean you need to give up nights on the couch. Not at all! Instead, just follow a few simple steps and you can continue binge-watching till your heart is content!

Here are my top tips for staying safe:

  1. Be Careful What You Click –if you are looking to catch up on the latest season of You or A Star is Born, please only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from sources like iTunes or Amazon, instead of downloading a “free” version from a website that could contain malware.
  2. Do NOT use Illegal Streaming Sites – this is not negotiable! Many illegal streaming sites are riddled with malware disguised as pirated video files. Malware could cause you a world of pain. Not only could it cause your device to freeze or crash, it could steal sensitive information and give cybercrims unauthorized access to system resources. So, do your device a favor and stream your favourite show from a reputable source.
  3. Protect your Online Life with a Cybersecurity Solution –why not send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

So, when you are looking for your next binge-watching project, please take a moment before you download. Ensure the site you are accessing content from is legit (have you heard of it before? is it offering something for free when every other streaming service has a fee?) and if you are even a little unsure that it doesn’t look professional then DON’T click! The last thing you want is a bonus virus to interrupt your night in on the couch!

Happy Watching!!

Alex xx

 

 

 

 

The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen
Q&A: are you affected and what should you do?

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.

Continue reading...

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviors in order to figure out where things are going on, so that every Year my colleagues from Yoroi and I spend several weeks to study and to write what we observed during the past months writing the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year in the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or in the malware code spread all over the Internet to compromise Companies assets and data but in the evolution and the consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by States Sponsored actors, Cyber-Criminals and Hack-tivists, each one having some kind of attributes, both in motivations, objectives, methods and sophistications.

During the 2019 we observed a rapid evolution of Cyber Crime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. But actors are also involved in cyber-espionage, CEO frauds, credential stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but traditionally much more active in the so called “opportunistic” cyber attacks. Attacks opportunistically directed to all the internet population, such as botnets and crypto-miners infection waves, but also involved in regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagations waves.
In 2019 like what happened in 2018, Ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase in o the Ransomware phenomenon, both in term of newborn ransomware families and also in the ransom payment options, driven by the consolidation of the digital cryptocurrencies market that made the traditional tracking techniques – operated by law enforcement agencies – l less effective due to new untrackable crypto currencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim to open up an attachment, most of the times an Office Document, carefully obfuscated to avoid detection and weaponized to launch some ransomware malware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators, moved into this emerging sector leveraging their infection capabilities, their long term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow up ransomware within infected hosts. A typical example is the Gandcrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” units, lest call them “DarkTeams”. These units are able to manually engage high value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they are also using industry specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
Actually, this kind of behaviour is not new to us. Such methods of operations have been used for a long time, but not by such a large number of actors and not with such kind of objectives. Network penetration was in fact a peculiarity of state sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referenced as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
During 2019, we observed a strong game change in the ransomware attacks panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high impact business attacks modeled to be very effective for the victim context. We are facing the evolution of ransomware by introducing Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operation of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they only were the tip of the iceberg. Many other criminal groups have consolidated this kind of operations such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shame of their victims. Maze was one of the first actors pionering this practice in 2019: the group started to disclose the name of the private companies they hacked into along with pieces of internal data stolen during the network intrusions.

The problem rises when the stolen data includes Intellectual Property and Personal Identifiable Information. In such a case the attacker leaves the victim organization with an additional, infaust position during the cyber-crisis: handling of the data breach and the fines disposed by the Data Protection Authorities. During 2020 we expect these kinds of practices will be more and more common into the criminal criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy leveraging services like Yoroi’s Cyber Security Defence Center could be crucial to equip the Company with proper technology to acquire visibility on targeted ransomware attacks, knowledge, skills and processes to spot and handle these kind of new class of threats.

Zero-Day Malware

Well Known threats are always easier to be recognized and managed since components and intents are very often clear. For example a Ransomware, as known today, performs some standard operations such as (but not limited to): reading file, encrypting file and writing back that file. An early discovery of known threat families would help analysts to perform quick and precise analyses, while unknown threats are always difficult to manage since analysts would need to discover firstly the intentions and then bring back behaviour to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports if the malicious files are potentially detected by Anti-Virus technologies during the detection time. This specific analogy is mainly done to figure-out if the incoming threat would be able to bypass perimetral and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words we are able to see if a Malware belonging to a

threat actor or related to specific operation (or incident) is detected by AV, Firewall, Next Generation X and used endpoints.
In this context, we shall define what we mean for Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of arbitrary malware families. The following image (Fig:1) shows how most of the analyzed Malware is unknown from the InfoSec community and from common Antivirus vendors. This finding supports the even evolving Malware panorama in where attackers start from a shared code base but modify it depending on their needed to be stealth.

Immagine che contiene dispositivo, disegnando

Descrizione generata automaticamente

The reported data are collected during the first propagation of the malicious files across organizations. It means Companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases where the attack becomes stealth for hours or even for days.
Along with the Zero-Day malware observation, most of the known malware at time of delivery have not so high chances of being blocked by security controls. The 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even the so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed only less than 20% of analyzed samples belonging to “not Zero-Day” are detected by more than 15 AV engines.

Drilling down and observing the behavioural classification of the intercepted samples known by less than 5 AntiVirus engines at detection time, we might appreciate that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or component) lead the way with 54% of cases, slightly decreasing since the 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% of 2018 to the current 2%, and the bullish raise of “Trojan” behaviours up to 35% of times, more than doubled respect to the 15% of 2018.
This trend endorses the evidence that ransomware attacks in 2019 begun to follow a targeted approach as described in the “The Rise of Targeted Ransomware” section.

Immagine che contiene dispositivo

Descrizione generata automaticamente

A reasonable interpretation of the darkling changes on these data, could actually conform with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, many of the delivered malware are actually a single part of a more complex infection chain. A chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.   

This trend gets another validation even in the Zero-Day malware data set: the samples likely unknown to Info.Sec. community – at the time of delivery –  substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan raised from 28% to 52% of cases, showing similar macro variations.

Immagine che contiene dispositivo

Descrizione generata automaticamente

If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which  expand the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.


Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

  • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
  • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
  • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.


Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.

Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting production.

Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

As recently as February 2020, the Cybersecurity Infrastructure and Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shut down of operations that lasted two days.

Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

  • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
  • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
  • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
  • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
  • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
  • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
  • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
  • Note, that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructures. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.