Terror Exploit Kit Now Conducting Targeted Attacks

The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing.

Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware.

Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits.

If an individual with out of date plugins or older browser version visits such a malicious site, and an exploit has been loaded to the kit for a vulnerability in the browser, a malicious payload can be silently downloaded onto the user’s device.

In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat.

The Terror exploit kit used to use a ‘carpet-bombing’ approach, sending a wide range of exploits at the end users system in the hope that one would be effective. Such an approach is not particularly sophisticated.

However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered. The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update.

Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which can be a challenge for businesses. Additional security solutions on endpoints can help to prevent malware downloads, although many are unable to detect or block fileless malware.

One of the best security solutions to deploy is a web filter capable of scanning the URL to prevent end users from landing on websites that are known to host exploit kits. Web filters can also be configured to block malicious adverts.

By preventing users from visiting known malicious sites, the threat from exploit kits can be significantly reduced.

New WannaCry Ransomware Variants Identified

The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.

U.S Escapes WannaCry Relatively Unscathed

The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).

While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.

The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.

The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.

WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.

WannaCry Victims Appear to Have Been Contacted by the Attackers

In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.

Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.

New WannaCry Ransomware Variants Detected

While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.

A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.

A third version of Wannacry ransomware was also identified by Kaspersky Lab without the kill switch, although in that case, the ransomware component had been corrupted and infected computers would not have data encrypted.

The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.

Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.

How to Block the ETERNALBLUE Exploit

Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 open should also ensure the port is closed, and if SMB must be used over the Internet, SMB should be used through an internal network via a VPN.

Researchers Discover Pre-Installed Keylogger on HP Laptops

Browsing the Internet can result in malware and spyware downloads, malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. But not always. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero.

Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish.

The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information in a local drive. In some situations, the keystrokes will be passed to an API on the laptop.

The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 1.0.0.46 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32\ folder.

Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to monitor for special keystrokes. The program was developed by, Conexant, the audio chip manufacturer. The program has been included on HP laptops since December 2015.

While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone.

The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device. Additionally, if the registry key with the filepath is missing or corrupted, the keystrokes will be passed to a local API called OutputDebugString API.

Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be possible for keystrokes to be obtained in real-time.

The inclusion of the keylogger on HP laptops was an error according to HP. It was used as a debugging tool and should have been removed in the final version of the product.

HP has responded to the discovery by releasing a patch to fix the issue, which is available from the HP website or via Microsoft Update. All owners of HP laptops purchased since December 2015 should download the patch to mitigate the issue.

Models found to contain the pre-installed spyware include the following 28 models of HP laptops:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Study Reveals Cybersecurity Awareness in America is Poor

Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online.

The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means and the level of protection offered by insecure WiFi networks using a VPN. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online.

While all 13 questions should have been answered correctly ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 answers correctly.

Three quarters of participants were able to identify the most secure password in a list and 73% of respondents were aware that the use of public WiFi networks carries a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network required the use of a password.

However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is.

Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.

Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites.

Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than just a method of differentiating between a human web visitor and a bot.

The survey showed cybersecurity awareness improved with the level of education in all areas tested by the study. Younger participants (18-29) were also more likely to answer questions correctly than the older age groups.

The share of incorrect answers was relatively low, with many opting to answer the questions with ‘not sure.’ While the survey does not show that cybersecurity awareness is woefully inadequate, it does clearly indicate that when it comes to cybersecurity awareness, there is considerable room for improvement.

While it is the responsibility of every individual to ensure they are aware of the risks when venturing online and should take steps to protect their identities and bank accounts, the survey confirms what many IT security professionals know all too well. Employee cybersecurity awareness is poor and the risk of employees making mistakes that compromise the security of their organization is high.

Cybersecurity training programs clearly need to be improved to raise awareness of the main threats and drill in best practices. However, it is essential that robust defenses are implemented to ensure that business networks are protected from poor security decisions made by employees.

If you would like to find out more about the best cybersecurity solutions that you can implement to keep your business protected from your own employees and how you can reduce reliance on your staff making the right security choices, contact the TitanHQ team today.