Jun 30, 2016 | Cybersecurity News, Internet Security News
Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab.
Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the numbers of attacks doubled, signifying a worrying new trend.
Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place.
Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor.
Mobile ransomware tends not to use encryption to lock files, instead malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever.
Many mobile users automatically backup their data in the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from being able to access their files from the device. With mobile devices victims cannot simply take out a hard drive and plug it into another machine and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower, many users will end up paying.
Without the need for encryption, the development of mobile ransomware is considerably cheaper. The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals.
Criminal gangs are also using an affiliate model to spread infections. There is usually no shortage of actors willing to invest the time distributing the malicious software in exchange for a cut of the ransom. In many cases, signing up for these affiliate ransomware campaigns is easy. The developers of the malware release kits to make it as easy as possible. Programming skill is not even needed.
Mobile Ransomware Attacks Will Continue
The use of mobile ransomware is increasing significantly because it is effective. An increasing amount of data are now stored on mobile devices, and end users – and business users in particular – are unwilling to lose their data. As long as ransoms are paid, attacks will continue and are likely to increase. Cybercriminals will only stop developing new mobile ransomware strains when the campaigns prove to be ineffective and unprofitable.
Jun 29, 2016 | Cybersecurity News, Internet Security News, Network Security
A new threat has recently been discovered by security researchers at Phishme: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.
Bart Ransomware Locks Files in Password-Protected ZIP Files
Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.
Bart ransomware also uses a payment interface that looks very similar to Locky. However, there are notable differences to Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – Approximately $1988 per device.
There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid.
Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.
New Ransomware Variant Delivered via Spam Emails
The campaign uses spam emails to deliver malicious Javascript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images. However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware.
The ransomware has been developed to attack users in the west, and will not lock files if the operating system is in Russian, Ukrainian, or Belorussian.
To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.
If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.
Jun 22, 2016 | Cybersecurity News, Network Security
There have been a number of high-profile data breaches reported in recent weeks, now Citrix has announced its users have been impacted after receiving multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but that the attacks had been made possible due to poor security practices of some of its users.
Passwords Reset After Spate of GoToMyPC Password Reuse Attacks
After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of account compromises. When users next login to the remote desktop access service they will be required to set up a new password before being allowed to access the service.
While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to login to all online accounts that have the same password set and to create new, unique passwords for each.
Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained.
Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred.
TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach. Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their computers.
Since many individuals share passwords on personal accounts and business accounts, the latter may also be compromised and that can have highly serious implications.
The Danger of Password Sharing
All organizations face a threat of cyberattacks and sooner or later it is likely that one of those attacks will be successful. If users’ login credentials are obtained, they can be used to access accounts on other web and software platforms.
The spate of recent attacks shows how dangerous it can be to use the same passwords for multiple accounts. While it is certainly convenient to use the same password on multiple platforms, users stand to have their entire online identity hijacked as a result of a single cyberattack on one company.
To limit the damage caused, it is essential to use a unique, complex password for each online account, never to recycle passwords, and to update passwords frequently. Sys admins should ensure that password policies are set that require complex passwords to be created. Password expiration policies should also be developed and implemented. Password managers can be used to help end users keep track of all of their passwords.
Jun 21, 2016 | Cybersecurity News, Internet Security News, Network Security
Security researchers have uncovered an entirely JavaScript based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses.
JavaScript based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.
RAA Ransomware Delivered via Spam Email
The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions, instead it uses the CryptoJS library to lock files with AES encryption.
First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.
Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made.
JavaScript Based Ransomware Delivers the Pony Info Stealer
This JavaScript based ransomware also includes the pony info stealer. In contrast to other malware which can download additional malicious files from the Internet, RAA ransomware has the Pony info-stealer embedded as a base64 encoded string. The string is decoded and also saved to the My Documents folder and is then run automatically.
The RAA ransomware is set to run automatically each time the computer is booted, and it will install Pony each time. Since the ransomware runs on boot it will encrypt any of the above file extensions that have been created or downloaded since the last time the ransomware was executed. At present, there is no way of decrypting the files without paying the ransom.
To protect against attacks, end users must be vigilant and not open any files attachments sent from unknown individuals. Sys admins must also ensure that all files are regularly backed up and back up devices are air-gapped.
Jun 17, 2016 | Cybersecurity News, Network Security
Each year, the Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises.
Last year, the Cost of a Data Breach study placed the average cost at 3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.
Average Cost of a Data Breach in the United States is $7.01 Million
However, those figures are taken from the global data collected for the study. The costs incurred by U.S businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million.
Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare industry, financial, and life science sector can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident also increased.
In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach
One of the findings of the research is the higher the churn rate is following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1%, had to pay average breach costs of $5.4 million. The cost rose to $6.0 million with an abnormal churn rate of between 1% and 2%, while a churn rate of above 4% resulted in average costs of $12.1 million.
The industries most likely to see customers leave and find alternative companies to do business with were healthcare organizations, financial companies, service organizations, and companies operating in the technology and life sciences industries. Public sector companies, research organizations, and the media experienced the lowest churn rates.
Ponemon suggests that one of the best ways to reduce the financial impact of a data breach is to put greater effort into retaining customers and adopting strategies to preserve brand value and reputation. Consumers now understand that data breaches are a fact of life, but they expect action to be taken by organizations that have suffered a breach that exposed their personal information. Issuing breach notifications quickly, offering credit monitoring services to affected individuals, and taking steps to greatly improve security can all help to reduce fallout after a data breach occurs.
Malicious Attacks Cost the Most to Resolve
All data breaches will result in organizations incurring costs, but the cause of a data breach will dictate how high those costs will be. Malicious attacks on organizations were discovered to cost the most to resolve. In the United States, the average cost per record for a malicious or criminal attack was $236. For system glitches the cost was £213 per record, and for human error the cost was $197 per record.
The costs incurred can be reduced significantly if organizations take steps to prepare for data breaches. The Ponemon Institute determined that having an effective breach response plan can greatly reduce the cost of a data breach. When an organization can respond quickly to a breach the costs tend to be much lower.
The average time to contain a data breach was determined to be 58 days. Organizations that were able to contain a data breach in less than 30 days paid an average cost of $5.24 million per breach, compared to $8.85 million when the time to contain the breach exceeded 30 days.
It also pays to invest in technologies that allow organizations to identify breaches quickly when they do occur. The mean time to identify a breach was determined to be 191 days – more than 6 months. When the mean time to identify a breach was less than 100 days, the breach cost was $5.83 million. When the mean time to identify a data breach exceeded 100 days, the mean cost rose to $8.01 million.
The costs of breach resolution are continuing to rise. Organizations should therefore consider investing more heavily in technologies to prevent data breaches and to increase the speed at which they are detected. The results of the study clearly demonstrate that having a tested breach response plan in place is essential if costs are to be reduced.
Jun 9, 2016 | Cybersecurity Advice, Cybersecurity News
The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability, affecting the Superfish Adware program that came pre-installed on Lenovo laptops.
Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computer and laptops. The software programs can slow down computers and take up a lot of memory, yet offer the user little in the way of benefits. They are primarily used to update application features rather than to enhance security.
Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates.
Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater which has been found to contain a vulnerability that could potentially be exploited allowing man-in-the-middle attacks to be conducted.
New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended
The Lenovo Accelerator Application has been pre-installed on a wide range of desktop computers and notebooks shipped pre-installed with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist.
The UpdateAgent pings Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers. DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks.
DuoLabs reported that the updater had “no native security,” and that “executables and manifests are transmitted in the clear and no code-signing checks are enforced.” The security flaws could allow an attacker to intercept these communications and manipulate responses, even allowing malicious software updates to be performed.
Lenovo has responded by issuing an advisory recommending all owners of the affected devices uninstall the software application. This is a straightforward task that can be performed by accessing the Apps and Features application on a Windows 10 computer, selecting the Lenovo Accelerator Application and manually uninstalling the program.
