Internet Security News

Our Internet security news features the latest press releases from the world’s largest online security companies with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advance warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.

Consequently, it is recommended to be protected against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.

Terror Exploit Kit Now Conducting Targeted Attacks

The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing.

Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware.

Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits.

If an individual with out-of-date plugins or an older browser version visits such a malicious site, and an exploit for a vulnerability in that browser has been loaded into the kit, a malicious payload can be silently downloaded onto the user’s device.

In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat.

The Terror exploit kit used to use a ‘carpet-bombing’ approach, sending a wide range of exploits at the end user’s system in the hope that one would be effective. Such an approach is not particularly sophisticated.

However, Terror has now been updated and attacks can be tailored to the user’s browser environment. Only exploits with a high probability of success are then delivered. According to the researchers who discovered the update, the Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, and the patch level.

Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which can be a challenge for businesses. Additional security solutions on endpoints can help to prevent malware downloads, although many are unable to detect or block fileless malware.

One of the best security solutions to deploy is a web filter capable of scanning the URL to prevent end users from landing on websites that are known to host exploit kits. Web filters can also be configured to block malicious adverts.

By preventing users from visiting known malicious sites, the threat from exploit kits can be significantly reduced.

New WannaCry Ransomware Variants Identified

The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.

U.S. Escapes WannaCry Relatively Unscathed

The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).

While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.

The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.

The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.

WannaCry ransomware encryptions were stopped when a security researcher (MalwareTech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, the worm performed a check on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If the connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, MalwareTech stopped further encryptions.

WannaCry Victims Appear to Have Been Contacted by the Attackers

In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.

Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.

New WannaCry Ransomware Variants Detected

While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.

A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.

A third version of WannaCry ransomware was also identified by Kaspersky Lab without the kill switch, although in that case, the ransomware component had been corrupted and infected computers would not have data encrypted.

The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.

Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.

How to Block the ETERNALBLUE Exploit

Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 exposed to the Internet should also ensure the port is closed, and if SMB must be reachable from outside, it should be accessed over a VPN into the internal network rather than exposed directly to the Internet.
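The three controls above (MS17-010 applied, SMBv1 disabled, inbound TCP 445 blocked) can be audited from an elevated PowerShell session on each Windows host. This is an added example, not Microsoft's or TitanHQ's code; it assumes Windows 8/Server 2012 or later for the Smb* and NetFirewall* cmdlets, and the KB list is the March 2017 MS17-010 set, which later cumulative updates supersede.

```powershell
# Added example, not from Microsoft or the article: audit the local Windows host
# for MS17-010, SMBv1 and inbound TCP 445, and with -Remediate disable SMBv1 and
# block inbound 445 on the Public (untrusted network) profile. Run elevated.

# KB numbers Microsoft shipped for MS17-010 in March 2017, one per OS line.
# Assumption: on Windows 10 these were soon superseded by cumulative updates, so
# a missing KB here means "check further", not proof that the host is unpatched.
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Get-Ms17010PatchState {
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010KbInstalled = [bool]$found
        MatchingKbs        = @($found | ForEach-Object { $_.HotFixID })
    }
}

function Get-Smb1State {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Older hosts: the LanmanServer SMB1 value (0 = disabled); absent means enabled.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $true }
    return ($p.SMB1 -ne 0)
}

function Get-Inbound445Rules {
    # Enabled inbound rules whose port filter names TCP 445 exactly (ranges are not parsed).
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains '445') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Action, Profile
}

function Invoke-EternalBlueAudit {
    param([switch] $Remediate)

    $patch   = Get-Ms17010PatchState
    $smb1    = Get-Smb1State
    $rules   = @(Get-Inbound445Rules)
    $blocked = @($rules | Where-Object { $_.Action -eq 'Block' }).Count -gt 0

    if ($Remediate) {
        if ($smb1) {
            # Turn SMBv1 off in the server service; removing the optional feature
            # is what fully uninstalls the SMB1 driver on client SKUs.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
            $smb1 = Get-Smb1State
        }
        if (-not $blocked) {
            # Block inbound SMB on untrusted networks; SMB reached over a VPN into
            # the internal (Domain/Private profile) network is unaffected.
            New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Public' `
                -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
                -Profile Public | Out-Null
            $blocked = $true
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Ms17010KbInstalled = $patch.Ms17010KbInstalled
        MatchingKbs        = ($patch.MatchingKbs -join ',')
        Smb1Enabled        = $smb1
        Inbound445Rules    = ($rules | ForEach-Object { "$($_.DisplayName)=$($_.Action)" }) -join '; '
        Inbound445Blocked  = $blocked
    }
}

# Report only; add -Remediate to apply the two hardening changes.
Invoke-EternalBlueAudit | Format-List
```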

Researchers Discover Pre-Installed Keylogger on HP Laptops

Browsing the Internet can result in malware and spyware downloads, and malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. That is not always the case. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero.

Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish.

The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information on a local drive. In some situations, the keystrokes will be passed to an API on the laptop.

The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 1.0.0.46 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32\ folder.

Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to detect special keystrokes. The program was developed by Conexant, the audio chip manufacturer, and has been included on HP laptops since December 2015.

While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone.

The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device. Additionally, if the registry key holding the log file path is missing or corrupted, the keystrokes are passed to a local API, OutputDebugString.

Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be possible for keystrokes to be obtained in real-time.

The inclusion of the keylogger on HP laptops was an error according to HP. It was used as a debugging tool and should have been removed in the final version of the product.

HP has responded to the discovery by releasing a patch to fix the issue, which is available from the HP website or via Microsoft Update. All owners of HP laptops purchased since December 2015 should download the patch to mitigate the issue.
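Before and after applying the patch, an administrator can confirm whether the component and its log are present on a host and whether the log is readable by every local user, which is the exposure described above. This is an added example, not HP's or Modzero's code; the two paths come from the text, while the Run-key and scheduled-task search for anything referencing MicTray is an assumption about how the program is launched at logon.

```powershell
# Added example, not HP's or Modzero's code: audit a Windows host for the Conexant
# MicTray component and report whether its keystroke log is world-readable.
# Paths are those given in the advisory summary; the launch-point search is an
# assumption (any Run-key value or task action whose command mentions MicTray).

$MicTrayExe = 'C:\Windows\System32\MicTray64.exe'
$MicTrayLog = 'C:\Users\Public\MicTray.log'

function Get-MicTrayBinaryInfo {
    if (-not (Test-Path $MicTrayExe)) { return $null }
    $item = Get-Item $MicTrayExe
    [pscustomobject]@{
        Path        = $item.FullName
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        LastWrite   = $item.LastWriteTime
    }
}

function Get-MicTrayLogExposure {
    # The advisory's point: the log sits in a public folder. Report its size and
    # any Allow ACE that grants read access to a broad built-in group.
    if (-not (Test-Path $MicTrayLog)) { return $null }
    $acl   = Get-Acl $MicTrayLog
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    [pscustomobject]@{
        Path          = $MicTrayLog
        SizeBytes     = (Get-Item $MicTrayLog).Length
        BroadReadAces = @($broad | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
        WorldReadable = [bool]$broad
    }
}

function Get-MicTrayLaunchPoints {
    # Logon-time launch points: HKLM/HKCU Run keys and scheduled tasks.
    $hits = @()
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'MicTray') {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Command = $p.Value }
            }
        }
    }
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'MicTray') {
                $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = $cmd }
            }
        }
    }
    return $hits
}

function Invoke-MicTrayAudit {
    $bin = Get-MicTrayBinaryInfo
    $log = Get-MicTrayLogExposure
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BinaryPresent = ($null -ne $bin)
        FileVersion   = $(if ($bin) { $bin.FileVersion } else { '' })
        LogPresent    = ($null -ne $log)
        LogSizeBytes  = $(if ($log) { $log.SizeBytes } else { 0 })
        LogWorldRead  = $(if ($log) { $log.WorldReadable } else { $false })
        LaunchPoints  = (Get-MicTrayLaunchPoints | ForEach-Object { "$($_.Type):$($_.Name)" }) -join '; '
    }
}

Invoke-MicTrayAudit | Format-List
```

A non-empty, world-readable log on a host that still has the binary means the HP patch has not yet taken effect there.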

Models found to contain the pre-installed spyware include the following 28 models of HP laptops:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Study Reveals Cybersecurity Awareness in America is Poor

Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online.

The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means, and the level of protection a VPN offers on an insecure WiFi network. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online.

While all 13 questions should have been answered correctly by ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 questions correctly.

Three quarters of participants were able to identify the most secure password in a list, and 73% of respondents were aware that public WiFi networks carry a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network requires a password.

However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is.

Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.

Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites.

Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than just a method of differentiating between a human web visitor and a bot.

The survey showed cybersecurity awareness improved with the level of education in all areas tested by the study. Younger participants (18-29) were also more likely to answer questions correctly than the older age groups.

The share of incorrect answers was relatively low, with many opting to answer the questions with ‘not sure.’ While the survey does not show that cybersecurity awareness is woefully inadequate, it does clearly indicate that when it comes to cybersecurity awareness, there is considerable room for improvement.

While every individual is responsible for being aware of the risks when venturing online and should take steps to protect their identities and bank accounts, the survey confirms what many IT security professionals know all too well. Employee cybersecurity awareness is poor and the risk of employees making mistakes that compromise the security of their organization is high.

Cybersecurity training programs clearly need to be improved to raise awareness of the main threats and drill in best practices. However, it is essential that robust defenses are implemented to ensure that business networks are protected from poor security decisions made by employees.

If you would like to find out more about the best cybersecurity solutions that you can implement to keep your business protected from your own employees and how you can reduce reliance on your staff making the right security choices, contact the TitanHQ team today.

McAfee Releases Threat Report Detailing 2016 Malware Trends

McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs.

2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive rise in new malware numbers in the first three months of 2017.

Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year.

McAfee reports that ransomware has increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky.

There have been relatively few new Mac OS malware samples detected over the past two years, although Q3, 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016.

By the end of 2016, the total number of Mac OS malware rose to more than 450,000, from around 50,000 at the end of Q4, 2015. The increase mostly involved bundled adware.

The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections; by Q3 that figure had risen to more than 200,000.

The public sector was most affected by security breaches in 2016, followed by healthcare, online services, finance, and software development. The biggest causes of security incidents, for which the causes are known, were account hijacking, followed by DDoS attacks, targeted attacks, SQL injection and malware. The main methods used for conducting network attacks last year were SSL (33%), DoS (15%), Worms (13%), brute force attacks (13%), and browser-based attacks (15%).

There has been a downward trend in new suspect URLs detected from Q1 2015 to Q2, 2016, although that trend reversed in the last two quarters of 2016 with new malicious URL detections starting to rise steadily. New phishing URLs ebb and flow, although there was a general upward trend in 2016. McAfee’s figures show spam email volume has remained fairly constant for the past two years, with the bulk of spam messages delivered using the Necurs botnet in Q3 and Q4, 2016.

95% of Companies Have Employees Bypassing Security Controls

A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.

Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the Tor Browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.

Why Are Employees Bypassing Security Controls?

Employees bypassing security controls is a major problem, but why is it happening?

The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.

In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.

The report indicates 59% of organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain on productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain on productivity.

While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”

Lack of Control and Visibility

Many companies are unaware that they have employees bypassing security controls because they lack visibility into what is happening on endpoints. Shadow IT can be installed without the organization’s knowledge, including VPNs and hacking tools, but what can be done to stop employees bypassing security controls?

Security software can be installed to allow organizations to closely monitor the types of activities that are taking place on work computers. This can allow action to be taken to reduce insider threats. Organizations should also block the use of VPNs and anonymizers to ensure they have more visibility into employees’ online activities.

One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.

A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under the organization’s acceptable use policies.

Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.

One solution, possible with WebTitan, is to ease restrictions on Internet access by using time controls. To prevent falls in productivity, web filters can be applied during working hours, yet relaxed at other times such as lunch breaks. By allowing some personal Internet use, there is less incentive for employees to attempt to bypass security controls.

WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.

Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.

Cybersecurity Warning for Healthcare Providers Issued by FBI

The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.

The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.

The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.

Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.

The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although checks should be performed by all healthcare organizations.

The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.

If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers only contain data that is publicly available.
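The check the FBI advises, whether a server you operate accepts an anonymous login, can be done with a short control-channel exchange that distinguishes the two cases described above (no password needed, or a generic password accepted). This is an added example, not from the FBI notice or any FTP vendor; the host name is a placeholder, and it is meant only for servers you administer.

```powershell
# Added example, not from the FBI notice: test whether an FTP server you
# administer accepts an anonymous login. Reports whether a password was even
# requested, and whether a generic one was accepted. Host name is a placeholder.

function Read-FtpReply {
    param([System.IO.StreamReader] $Reader)
    # An FTP reply is "NNN text", or a multi-line block "NNN-..." ending in "NNN text".
    $line = $Reader.ReadLine()
    if ($null -eq $line -or $line.Length -lt 3) { return $null }
    $code = $line.Substring(0, 3)
    if ($line.Length -ge 4 -and $line[3] -eq '-') {
        do { $line = $Reader.ReadLine() } while ($null -ne $line -and -not $line.StartsWith("$code "))
    }
    return [pscustomobject]@{ Code = [int]$code; Text = $line }
}

function Test-AnonymousFtp {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 21,
        [int] $TimeoutMs = 5000
    )
    $result = [pscustomobject]@{
        Host = $ComputerName; Reachable = $false; AnonymousAllowed = $false
        PasswordRequired = $null; Detail = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = 'connect timeout'; return $result
        }
        $client.EndConnect($handle)
        $result.Reachable = $true
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-FtpReply $reader
        if ($null -eq $banner -or $banner.Code -ne 220) {
            $result.Detail = "unexpected banner: $($banner.Text)"; return $result
        }
        $writer.WriteLine('USER anonymous')
        $reply = Read-FtpReply $reader
        switch ($reply.Code) {
            230 {
                # Logged in with no password at all: the worst case in the notice.
                $result.AnonymousAllowed = $true; $result.PasswordRequired = $false
            }
            331 {
                $result.PasswordRequired = $true
                # Anonymous-enabled servers conventionally accept an e-mail address here.
                $writer.WriteLine('PASS audit@example.com')
                $reply = Read-FtpReply $reader
                $result.AnonymousAllowed = ($reply.Code -eq 230)
            }
            default { $result.AnonymousAllowed = $false }
        }
        $result.Detail = $reply.Text
        $writer.WriteLine('QUIT')
    } catch {
        $result.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# Placeholder host: replace with an FTP server you are responsible for.
Test-AnonymousFtp -ComputerName 'ftp.example.internal' | Format-List
```

AnonymousAllowed true on a server holding anything but public data is the condition the notice says to fix; a 530 reply to USER or PASS means anonymous access is already refused.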

Educational Institutions Warned About Moodle Security Flaws

Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code.

Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities.

On Monday this week, security researcher Netanel Rubin disclosed a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but with a number of smaller vulnerabilities which can be exploited when combined.

An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem.

The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data.

According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.”

Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just Moodle.

Rubin was able to take advantage of the Moodle security flaws and gain administrative privileges on the server, after which it was child’s play to execute code. Rubin said it was as simple as uploading a new plugin to the server.

Last week Moodle released a patch to address a number of vulnerabilities in the system, although no information was released about what the patch addressed. All users of the system are advised to update to the latest version of the platform and apply the latest security patch as soon as possible.

Failure to update systems and apply patches promptly will leave systems vulnerable to attack, whether it is Moodle or any other platform or software. If patches are not applied it will only be a matter of time before security flaws are exploited to gain access to servers or computers and steal sensitive data.

Cyberattacks on Educational Institutions Have Soared in 2017

2017 has already seen numerous cyberattacks on educational institutions. 2017 has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers?

It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: medical fraud, identity theft, tax fraud, and insurance fraud, for example.

However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017.

The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted.

There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector.

In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.

What Data are Cybercriminals Attempting to Steal?

K12 school systems have been targeted by criminals in order to gain access to student data. Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud, and in the case of minors, fraud is less likely to be identified quickly, so minors’ details can be used for longer.

Universities and school systems also hold considerable amounts of intellectual property and research. That information can be sold for considerable sums on the black market.

As we have seen on many occasions this year, the personal information of school employees has been targeted by scammers. Emails have been sent requesting W-2 Form data, which are used to file fraudulent tax returns in school employees’ names.

This tax season, the following colleges, universities, schools and school districts have reported that employees have fallen for a W-2 Form phishing scam and have emailed the data of their employees to cybercriminals.

  • Abernathy Independent School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Crotched Mountain Foundation
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independent School District
  • Lexington School District Two
  • Manatee County School District
  • Mohave Community College
  • Morton School District
  • Mount Healthy City Schools
  • Northwestern College
  • Odessa School District
  • Redmond School District
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginian Wesleyan College
  • Yukon Public Schools

As with the healthcare industry, the reliance on data makes schools, colleges, and universities targets for ransomware attacks. Ransomware is used to encrypt data and a ransom demand is issued to unlock the files. In many cases ransoms are paid because no backups of the encrypted data exist.

Some notable cyberattacks on educational institutions that have been reported this year are listed below.

2017 Cyberattacks on Educational Institutions

January 2017

Northside Independent School District in San Antonio, TX, discovered its email system had been hacked. Names, addresses, and dates of birth were potentially stolen. In total, 23,000 individuals were impacted by the incident.

South Washington County Schools in Minnesota discovered that one of its students had hacked into its system and stolen more than 15,000 employee records.

Los Angeles County College was attacked with ransomware in January and was forced to pay a ransom demand of $28,000 to regain access to its files. The attack resulted in most of the college’s infrastructure, including email and voicemail, being encrypted by the ransomware.

February 2017

Horry County Schools in South Carolina was forced to pay a ransom demand of $8,500 to recover data that were encrypted with ransomware. Even though the ransom was paid, systems were taken out of action for over a week as a result of the infection.

These are just a handful of the cyberattacks on educational institutions reported this year. Given the increase in cyberattacks on educational institutions, it is essential that schools, colleges, and universities take action and implement appropriate defenses to mitigate risk.

If you are in charge of cybersecurity at your educational organization and you would like to receive tailored advice on some of the best protection measures you can implement to reduce the risk of a cyberattack, contact the TitanHQ team today.

FBI Chief Issues Ransomware Advice for Healthcare Providers

At a recent cybersecurity conference, FBI Director James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.

Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.

However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.

Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.

In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.

One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, but business continuity plans must also be tested before a disaster occurs. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.

At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.

Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.

Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.

Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.

New Fileless Malware Hides Communications in DNS Queries

A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.

The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.

Opening the Word document displays a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so calls a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect.

Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via DNS, which is usually used to look up the Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses.

DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message, namely Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), both of which are published as TXT records.

The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS to unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure, because its queries are relayed by the organization’s own recursive resolver like any other lookup.

While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the file as malicious.

Cybercriminals are constantly looking for new methods of bypassing security controls and infecting end users. However, since this threat is delivered via email, that is the point at which it is easiest to block. Infection also requires macros to be enabled. If macros are blocked, the malware will not be executed. Otherwise, since the DNS communications between the malware and the attackers differ from standard DNS traffic, inspecting DNS content should enable security professionals to identify an infection.
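As an added example of the DNS inspection the article recommends (not code from the original post or from Cisco Talos), the following Python scorer flags TXT queries whose leftmost label is long and high-entropy and which come from a client asking about many distinct subdomains of one parent domain. The resolver log format and the sample lines are constructed for the example; adapt parse_line() to your own resolver's query log.

```python
"""Score DNS resolver-log queries for DNSMessenger-style TXT command traffic.

Added example (not code from the original post or from Cisco Talos). A query
earns one point each for: being a TXT query; a leftmost label of LONG_LABEL
characters or more; a label entropy of HIGH_ENTROPY bits/char or more; and
the same client asking about MANY_SUBDOMAINS or more distinct TXT subdomains
of one parent domain. The log format is constructed for this example.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one "<client-ip> <qname> <qtype>" per line. The
# c2-example.test lines imitate encoded command-channel queries; the rest
# are ordinary lookups, including legitimate SPF, DMARC and DKIM TXT queries.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 example.com TXT
10.0.0.5 _dmarc.example.com TXT
10.0.0.5 selector1._domainkey.example.com TXT
10.0.0.7 3f9a0c7e1b5d2846e4b80d1a9f3c7526.c2-example.test TXT
10.0.0.7 a7d3f1c9e5b2048637b9e1d5f0a2c486.c2-example.test TXT
10.0.0.7 5e0b9a4d8c2f7316c1f68a3e5d0b2947.c2-example.test TXT
10.0.0.7 b4c8e2a6f0d1937551b3d9f7a0c2e684.c2-example.test TXT
10.0.0.9 mail.example.com MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+?)\.?\s+([A-Z]+)$")
LONG_LABEL = 20       # encoded payload labels are far longer than hostnames
HIGH_ENTROPY = 3.0    # bits per character; ordinary hostnames sit below this
MANY_SUBDOMAINS = 3   # distinct TXT subdomains of one parent from one client


def parse_line(line):
    """Return (client, qname, qtype), qname lower-cased without trailing dot."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qname, qtype = m.groups()
    return client, qname.lower(), qtype


def shannon_entropy(text):
    """Bits per character; a 32-char label using each hex digit twice gives 4.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Last two labels, e.g. 'c2-example.test' (no public-suffix handling)."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text, min_score=3):
    """Return the queries scoring at least min_score, with their reasons."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # Aggregate feature: distinct TXT subdomain prefixes per (client, parent).
    prefixes = defaultdict(set)
    for client, qname, qtype in records:
        labels = qname.split(".")
        if qtype == "TXT" and len(labels) > 2:
            prefixes[(client, parent_domain(qname))].add(labels[0])

    findings = []
    for client, qname, qtype in records:
        score, reasons = 0, []
        if qtype == "TXT":
            score += 1
            reasons.append("TXT query")
        label = qname.split(".")[0]
        if len(label) >= LONG_LABEL:
            score += 1
            reasons.append(f"long label ({len(label)} chars)")
        ent = shannon_entropy(label)
        if ent >= HIGH_ENTROPY:
            score += 1
            reasons.append(f"high-entropy label ({ent:.2f} bits/char)")
        fanout = len(prefixes.get((client, parent_domain(qname)), ()))
        if fanout >= MANY_SUBDOMAINS:
            score += 1
            reasons.append(f"{fanout} distinct TXT subdomains of one parent")
        if score >= min_score:
            findings.append({"client": client, "qname": qname,
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']} {f['qname']} score={f['score']}: "
              + "; ".join(f["reasons"]))
```

The thresholds are starting points: tune LONG_LABEL and HIGH_ENTROPY against a baseline of your own resolver's TXT traffic, since DKIM selectors and cloud verification records are legitimate long TXT names.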

Opposition to Pornography Filtering in Libraries Places ALA on NCOSE Naughty List

Opposition to pornography filtering in libraries has seen the American Library Association placed on the National Center for Sexual Exploitation (NCOSE) naughty list.

Each year, NCOSE publishes a list of the top twelve companies and organizations that it believes are either profiting from pornography or facilitating access. The aim of the list, referred to as the Dirty Dozen, is to name and shame the companies and organizations that are failing to do enough to tackle the growing problem of online pornography.

Pornography is only the tip of the iceberg. Hidden underneath is a world of sexual exploitation, prostitution, and sex trafficking. NCOSE sees companies and organizations that fail to take action as being part of the problem, inadvertently – or in some cases deliberately – contributing to the considerable harm that is caused by pornography.

This year’s list includes technology and telecoms companies (Amazon, Comcast, Roku), the American Library Association (ALA), and EBSCO (a provider of library resources to schools, colleges, higher education establishments and libraries). Four websites make the list (YouTube, Twitter, Snapchat, and Backpage.com), along with Cosmopolitan Magazine, HBO, and Amnesty International.

The ALA is almost a permanent fixture on the NCOSE Dirty Dozen list, having been present for the past five years. It is the ALA’s opposition to the use of pornography filtering in libraries that sees it included year after year. NCOSE says “the ALA zealously encourages public libraries not to install internet filters on public access computers.” By taking such a stance, the ALA is providing patrons – including children – with the means to access sexually explicit and obscene material. The ALA told CBN News that “Librarians encourage parents and children to talk with one another. Families have a right to set their own boundaries and values. They do not have the right to impose them on others.”

NCOSE doesn’t hold back, saying the ALA stance on pornography filtering in libraries “has turned the once safe community setting of the public library into a XXX space that fosters child sexual abuse, sexual assault, exhibitionism, stalking, and lewd behavior in libraries across the country.”

Only this month, NCOSE responded to the ALA’s continued opposition to pornography filtering in libraries on the grounds of free speech, saying there is no constitutional requirement for libraries to provide access to hardcore pornography to patrons.

EBSCO made the list because, according to NCOSE, its databases “provide easy access to hardcore pornography sites and extremely graphic sexual content,” and its system allows schoolchildren to easily circumvent web filters in schools. In response to its inclusion on the list, EBSCO says it is working on enhancing its web filtering systems and will implement better algorithms to filter pornographic content.

Amazon made the list, even though it has a policy prohibiting the sale of pornography, because of pornography-related items on its site, including hardcore pornographic films and sex dolls with childlike features.

Amnesty International made the list for its stance on the decriminalization of prostitution and for creating “a de facto right for men to buy people.” Cosmopolitan was included for its hypersexualized imagery and glamorization of violent, public, and group sex. Roku, Comcast, Snapchat, Twitter, YouTube and HBO were included for peddling pornography, pushing the boundaries of what is acceptable, and making it too easy for pornographic content to be accessed.

Beware of the Latest Google Chrome Scam!

A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, the new Google Chrome scam is highly convincing and is certain to result in many malware infections.

Hackers have installed malicious JavaScript on a number of compromised WordPress websites. The JavaScript modifies the text on a compromised webpage when it is visited using the Google Chrome browser. The text on the website appears as if Google Chrome cannot read the font, with the characters on the site replaced with random fonts and symbols.

A popup appears on screen informing the visitor that “The ‘HoeflerText’ font wasn’t found” by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.”

The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced.

Furthermore, HoeflerText is a real font. If the user opens a new tab in their browser and Googles the font, they will discover that it exists, making the Google Chrome scam seem entirely plausible.

Clicking the update button will trigger a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious.

The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi. He reports that while the Google Chrome scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome used, the popup says the user has Chrome version 53. Second, the popup says the update file is called Chrome_Font.exe, yet the file that is downloaded has a different name. These two slipups by the criminals behind the campaign are only slight and are unlikely to be noticed by many users.

WebTitan Protects Users from the Latest Google Chrome Scam

The malware is identified as malicious by ClamAV and Kaspersky Lab, the dual anti-virus engines used by WebTitan to protect users from malware infections while browsing the Internet. If WebTitan is installed, this and other malware threats are blocked, preventing end users from inadvertently infecting their computer with malware.

If you have yet to implement a web filtering solution, your computers and networks are likely to be at risk of being infected. Malware and ransomware infections are costly to resolve, cause considerable disruption to business processes, and can result in the theft of intellectual property, customer data, and login credentials. The latter can be used to gain access to corporate bank accounts, allowing funds to be transferred to criminals’ accounts.

Since visiting malicious websites can result in malware being silently downloaded without any user interaction, employees may be unaware that their computers have been infected. Malware infections may go undetected for long periods of time, during which large volumes of sensitive data can be stolen.

A web filtering solution will prevent employees from visiting malicious websites that phish for sensitive information or download malware. Furthermore, a web filtering solution is inexpensive to implement and maintain.

To discover the benefits of web filtering and to find out more about WebTitan, contact the TitanHQ team today.  WebTitan is also available on a 14-day, no obligation free trial allowing you to discover the benefits of the full product before deciding to proceed with a purchase.

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.

However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but little else. All book borrowing stopped, since it was not possible for library staff to log loans on the checkout system. Patrons were also prevented from gaining access to the Internet. Even the email system was locked and taken out of action.

What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.

Ransomware is malicious software that has been developed with one sole purpose: to encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption, preventing them from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt the files in exchange for payment.

Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system’s computers – across 16 locations – were attacked and encrypted.

Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.

The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infection: wiping its entire system and restoring files from backups. That is not a quick process. It will certainly take days and could take weeks.

The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”

It is not clear how the infection occurred, although there are two main ways that ransomware is installed: malicious spam email messages and visits to malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.

Web Filters in Libraries are an Important Ransomware Defense

A spam filter can be used to filter out malicious messages. Those messages contain attachments which, if opened, infect computers or download ransomware. User interaction is required, so if the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.

In the case of malicious links contained in emails – an alternative to attachments – a click will direct the user to a malicious website where ransomware is downloaded. Even if a link is clicked, access to the website can be blocked with a web filter. Web filters in libraries can also be configured to stop patrons and staff from visiting malicious sites while browsing the Internet. If a website that is known to be malicious is accessed – deliberately or accidentally – the site will not be displayed and infection will be blocked. Web filters in libraries can also block the downloading of files that are commonly used to infect computers – executable or JavaScript files for example.

The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.

Facebook Messenger Locky Ransomware Attacks Reported

In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit kit activity has increased, and malicious spam email volume has risen. Organizations now need to defend against a wide range of attack vectors.

2016 – The Year of Ransomware

2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky.

Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections has been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data.

Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received –  ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data.

It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular.

Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls.

Some headway has been made by security researchers and decryptors have been developed for some ransomware variants. Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it.

The authors of the crypto-ransomware are also constantly updating Locky and new variants are regularly being released. At present, there is no decryptor available for Locky infections and victims are faced with three choices if they experience an infection:

  • Accept data loss
  • Pay the ransom demand to obtain a key to unlock data
  • Recover encrypted files from backups

Unfortunately for the victims, recovering encrypted files from backups can be complicated. Locky not only locks files with powerful encryption; the file names and file extensions are also changed. This makes it hard for victims to identify specific files. Locky also deletes Windows Shadow Copies to make it harder for victims to recover their data.

Facebook Messenger Locky Ransomware Attacks Reported

The authors behind Locky have experimented with exploit kits to spread infections, although since the demise of the Angler and Neutrino exploit kits, Locky has primarily been distributed via spam email. Massive spam email campaigns are used to spread the malicious software. Those campaigns involve many millions of emails.

However, earlier this month, security researchers noticed that the cybercriminal gang behind Locky has started to use exploit kits again. The Bizarro Sundown exploit kit has been discovered to be spreading Locky. More worrying, Facebook Messenger Locky ransomware attacks have now been reported.

The Facebook Messenger Locky ransomware attacks were noticed by security researcher Bart Blaze earlier this month. Malicious messages are being sent to Facebook Messenger users which contain an .SVG image file. That image file is not what it seems. It contains the Nemucod downloader – malicious JavaScript code embedded in the image. The code is run when the image file is opened and Nemucod then downloads Locky.

The social media giant has confirmed that Facebook Messenger Locky ransomware attacks have occurred, although Facebook was quick to point out that infections are occurring via “a poorly implemented extension for Google’s Chrome browser.”

Security controls are generally very good at Facebook, but they are not infallible. Facebook Messenger Locky ransomware attacks are a major risk and users must exercise caution.

As with spam email, users should not open any attachments from individuals they do not know. Even when image files and other file types are received via messenger apps and spam email from individuals that are known to the recipient, they should be treated with suspicion.
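One way to implement the file-type controls described in the library article above (blocking executable and script downloads) that also catches the case in this article, an image file that is really a JavaScript downloader, as an added example that is not WebTitan's or Facebook's code: the check uses the final extension, the leading bytes and, for SVG, the XML content, so a renamed executable or a scripted "image" is still refused. The sample files are constructed for the example.

```python
"""Decide whether a file offered for download should be blocked.

Added example (not code from the original posts, from Facebook or from
WebTitan). It applies the controls the library article describes, blocking
executable and script downloads, and also catches the case in the Facebook
Messenger article: an image file that is really JavaScript. The decision uses
the final extension, the leading bytes and, for SVG, the XML content, so a
renamed executable or a scripted "image" is still refused. Samples constructed.
"""
import xml.etree.ElementTree as ET  # consider defusedxml for untrusted input

BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "jar"}
# Leading bytes that identify an executable whatever its file name says.
EXECUTABLE_MAGIC = [(b"MZ", "Windows executable"), (b"\x7fELF", "ELF executable")]

# Constructed sample downloads: name -> first bytes of content.
SAMPLES = {
    "holiday_photo.svg": (b'<svg xmlns="http://www.w3.org/2000/svg">'
                          b'<script>/* stand-in for a downloader */</script></svg>'),
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "vacation.jpg": b"MZ\x90\x00" + b"\x00" * 28,   # executable renamed to .jpg
    "invoice.pdf.js": b"var a = 1;",                 # double extension, script
    "report.pdf": b"%PDF-1.4\n",
}


def extensions(name):
    """All extensions of a file name, so 'photo.jpg.exe' -> ['jpg', 'exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return base.split(".")[1:]


def svg_has_script(data):
    """True if SVG XML carries <script>, an on* event handler or a javascript: href."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False  # not well-formed XML; the other checks decide
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            return True
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()  # strip e.g. the xlink namespace
            if local.startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def check_download(name, data):
    """Return (blocked, reason). Checks run in order: name, then bytes, then content."""
    exts = extensions(name)
    ext = exts[-1] if exts else ""
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked file type .{ext}"
    for magic, what in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return True, f"{what} content behind a .{ext or '(none)'} name"
    if ext == "svg" or b"<svg" in data[:1024].lower():
        if svg_has_script(data):
            return True, "SVG image contains script"
    return False, "allowed"


def scan(samples):
    """Run check_download over a name -> bytes mapping."""
    return {name: check_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (blocked, reason) in scan(SAMPLES).items():
        print(f"{'BLOCK' if blocked else 'ALLOW':5} {name:20} {reason}")
```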

How to Reduce the Risk of a Ransomware Infection

Businesses need to implement defenses to reduce the risk of a ransomware infection. The consequences for taking no action can be severe.

Ransomware infections can spread laterally through a network and ransomware gangs require payment for each infected machine and can even set the price per infected organization. The Locky ransomware attack on Hollywood Presbyterian Medical Center in February resulted in a ransom payment of $17,000 being made, in addition to the considerable cost associated with removing the infection and recovering from more than a week without access to key information systems.

One of the best defenses against ransomware is WebTitan. WebTitan is an innovative web filtering solution that can be configured to limit access to websites known to host exploit kits. Malicious third-party adverts (malvertising) can be blocked, along with websites that carry a high risk of being exploited by hackers to spread infections.

The best way for businesses to ensure that Facebook Messenger Locky ransomware attacks do not occur is to block Facebook Messenger entirely. With WebTitan, blocking Facebook Messenger – without blocking the Facebook website – is a quick and easy task.

By limiting the websites that can be visited by employees and blocking Facebook Messenger and other chat platforms, organizations can greatly improve their security posture and prevent ransomware from being installed.

For further information on the full range of features of WebTitan, details of pricing, and how to register for a free no-obligation trial, contact the TitanHQ sales team today.

Watch Out for Fake Firefox Updates

If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users trying to keep their computers secure may be fooled into installing fake Firefox updates.

Fake Firefox Updates Used to Install the Kovter Trojan

Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update.

The cybercriminal gang behind Kovter frequently tweaks the malware and comes up with new ways of infecting end users. Kovter is a particular worry as it can be particularly difficult to detect. Because it is fileless, there are no files on disk to detect. The malware resides only in memory, and it uses a Windows registry component to ensure it is reloaded into memory each time the computer is rebooted.

Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by Check Point also has ransomware capabilities.

When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign is using a legitimate certificate to fool antivirus engines. The certificate was issued to Comodo, although it has since been revoked. Anti-virus engines are also now being updated to detect the malware and block its download.

Preventing Drive-by Malware Downloads

There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle. Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically.

Browsers should never be updated outside the normal update process. To check if the latest version is installed, simply click on the help function, followed by the About option, and the browser will check to determine whether an update is available.

A web filtering solution is also an important security control to employ to prevent drive-by downloads. A web filter can be configured to block access to webpages known to contain malware and restrict access to non-work related websites which carry a high risk of malware infections. Some web filtering solutions – WebTitan Gateway for example – can also scan websites in real-time to check for known indicators of drive-by downloads and exploit kits. WebTitan then prevents the sites from being visited.

Mobile Ransomware Attacks Skyrocket, Says Kaspersky

Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab.

Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the number of attacks doubled, signifying a worrying new trend.

Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place.

Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor.

Mobile ransomware tends not to use encryption to lock files; instead, malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever.

Many mobile users automatically back up their data to the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from accessing their files from the device. With mobile devices, victims cannot simply take out a hard drive, plug it into another machine and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower than the cost of a replacement, many users will end up paying.

Without the need for encryption, the development of mobile ransomware is considerably cheaper. The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals.

Criminal gangs are also using an affiliate model to spread infections. There is usually no shortage of actors willing to invest the time distributing the malicious software in exchange for a cut of the ransom. In many cases, signing up for these affiliate ransomware campaigns is easy. The developers of the malware release kits to make it as easy as possible. Programming skill is not even needed.

Mobile Ransomware Attacks Will Continue

The use of mobile ransomware is increasing significantly because it is effective. An increasing amount of data is now stored on mobile devices, and end users – and business users in particular – are unwilling to lose their data. As long as ransoms are paid, attacks will continue and are likely to increase. Cybercriminals will only stop developing new mobile ransomware strains when the campaigns prove to be ineffective and unprofitable.

Beware of Bart Ransomware: The Latest Ransomware Variant Doing the Rounds

A new threat has recently been discovered by security researchers at PhishMe: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening the spam emails, file recovery will only be possible from backups unless the ransom demand is paid.

Bart Ransomware Locks Files in Password-Protected ZIP Files

Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.

Bart ransomware also uses a payment interface that looks very similar to Locky's. However, there are notable differences from Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – approximately $1988 per device.

There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid.

Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.

New Ransomware Variant Delivered via Spam Emails

The campaign uses spam emails to deliver malicious JavaScript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images. However, if the attachments are opened, the JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware.

The ransomware has been developed to attack users in the west, and will not lock files if the operating system is in Russian, Ukrainian, or Belorussian.

To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.

If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.

JavaScript Based Ransomware Used to Deliver Pony

Security researchers have uncovered an entirely JavaScript based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses.

JavaScript based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.

RAA Ransomware Delivered via Spam Email

The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file results in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically, leading the victim to believe that the attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – contains no cryptographic functions of its own; instead it uses the CryptoJS library to lock files with AES encryption.

First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.

Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made.

JavaScript Based Ransomware Delivers the Pony Info Stealer

This JavaScript based ransomware also includes the Pony info stealer. In contrast to other malware which downloads additional malicious files from the Internet, RAA ransomware has the Pony info-stealer embedded as a base64 encoded string. The string is decoded, saved to the My Documents folder, and then run automatically.

The RAA ransomware is set to run automatically each time the computer is booted, and it will install Pony each time. Since the ransomware runs on boot it will encrypt any of the above file extensions that have been created or downloaded since the last time the ransomware was executed. At present, there is no way of decrypting the files without paying the ransom.

To protect against attacks, end users must be vigilant and not open any file attachments sent by unknown individuals. Sys admins must also ensure that all files are regularly backed up and that backup devices are air-gapped.
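Both the Bart campaign (JavaScript attachments disguised as images, and the advice to block zip attachments at the gateway) and the RAA campaign (a JavaScript file posing as a document) come down to the same gateway question: what would this attachment do if the user double-clicked it? The following is an added example, not code from the article, PhishMe or SpamTitan: it triages attachments statically, flagging a script extension hidden behind a decoy image or document extension, and, for zip archives, encrypted entries or script members, without extracting anything. All attachment names and contents are constructed placeholders, and the extension lists are an assumption about what a gateway policy would include.

```python
"""Static triage of e-mail attachments without opening them.

Added example (not from the original article or from SpamTitan): flags a
script file hiding behind an image or document extension, and a zip archive
that is password protected or that carries a script inside. All attachments
below are constructed samples.
"""
import io
import struct
import zipfile

# Extensions Windows hands to a script host or loader when double-clicked (assumed list)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat", ".scr", ".exe"}
# Harmless-looking extensions used as the decoy half of a double extension (assumed list)
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def filename_indicators(filename):
    """Reasons a file name alone is risky; the final extension decides what runs."""
    chain = ["." + part for part in filename.lower().split(".")[1:]]
    if not chain or chain[-1] not in SCRIPT_EXTENSIONS:
        return []
    reasons = [f"runs as a script or program: {chain[-1]}"]
    if any(ext in DECOY_EXTENSIONS for ext in chain[:-1]):
        reasons.append("decoy double extension")
    return reasons


def zip_indicators(data):
    """Inspect only the archive directory; nothing is extracted or decompressed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    reasons = []
    for info in archive.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0: the entry is encrypted
            reasons.append(f"encrypted entry: {info.filename}")
        reasons.extend(f"{r} (archive member {info.filename})" for r in filename_indicators(info.filename))
    return reasons


def triage_attachment(filename, data):
    """All indicators for one attachment; an empty list means nothing was found."""
    reasons = filename_indicators(filename)
    if data[:4] in ZIP_MAGICS:  # sniff the content rather than trusting the declared extension
        reasons.extend(zip_indicators(data))
    return reasons


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, content in members:
            archive.writestr(name, content)
    return buf.getvalue()


def _mark_entries_encrypted(zip_bytes):
    """Sample-construction helper: set the encrypted bit in every local file header
    (flags at offset 6) and central directory header (flags at offset 8)."""
    buf = bytearray(zip_bytes)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + offset)[0]
            struct.pack_into("<H", buf, pos + offset, flags | 0x1)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


# Constructed attachments: names and contents are placeholders, not real samples
SAMPLE_ATTACHMENTS = {
    "holiday_photo.jpg.js": b"// constructed placeholder script body",
    "report.pdf": b"%PDF-1.4 constructed placeholder",
    "documents.zip": _build_zip([("invoice.doc.js", b"// constructed placeholder")]),
    "archive.zip": _mark_entries_encrypted(_build_zip([("readme.txt", b"constructed placeholder")])),
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its list of indicators."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'quarantine' if reasons else 'allow'} {reasons}")
```

The encrypted-entry check reads only the archive's directory, so a password-protected zip is flagged without any attempt to open its contents; that is also why a gateway can make this decision on every message without paying the cost of extraction.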

WordPress Plugin Vulnerability Currently Being Exploited

A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme.

The plugin was one of the first to be able to distinguish whether a device was a standard mobile phone or a smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.

WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways

The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site.

Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, the researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability.

The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code.

Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27.

Since the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability. Any site owner that has the plugin installed should immediately update to version 3.6.

However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed, attackers could still have an active backdoor to the site allowing them to continue to upload malicious files or inject malicious code into webpages.

One of the easiest ways to check to see if a site has been compromised is to look for a directory called gopni3g in the site root. The directory will contain a story.php file, and “.htaccess and subdirectories with spammy files and templates,” according to Sucuri researcher Douglas Santos.
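The two observable signs this article gives, the HEAD probe for resize.php and the gopni3g directory in the site root, can both be checked by a site owner. The following is an added example, not code from the article, Sucuri or Plugin Vulnerabilities: it scans access log lines for requests to resize.php (marking HEAD requests as plugin probes and flagging a remote URL in the src parameter) and for traffic into gopni3g, and it checks a site root for the directory and the files Sucuri described inside it. The log lines, IP addresses and temporary site root are constructed for the demonstration.

```python
"""Hunt for signs of the WP Mobile Detector abuse described above.

Added example (not from the article, Sucuri or Plugin Vulnerabilities): scans
web server access log lines for the resize.php probe and for traffic to the
gopni3g doorway directory, and checks a site root for that directory. The log
lines and the temporary site root are constructed for this demonstration.
"""
import re
import tempfile
from pathlib import Path

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTOCOL", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SRC_URL_RE = re.compile(r"(?:^|&)src=https?(?::|%3a)", re.IGNORECASE)

# Constructed log lines; the client and remote addresses are documentation-range placeholders
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [27/May/2016:10:12:01 +0000] "HEAD /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2016:10:12:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.7/placeholder HTTP/1.1" 200 123 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/May/2016:11:00:00 +0000] "GET /gopni3g/story.php?id=1 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/May/2016:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
]


def classify_request(method, target):
    """Reasons one request line is of interest; an empty list means none."""
    path, _, query = target.partition("?")
    path = path.lower()
    reasons = []
    if path.endswith("/wp-mobile-detector/resize.php"):
        reasons.append("request for WP Mobile Detector resize.php"
                       + (" (HEAD probe for the plugin)" if method == "HEAD" else ""))
        if SRC_URL_RE.search(query):
            reasons.append("remote URL passed in the src parameter")
    if "/gopni3g/" in path or path.endswith("/gopni3g"):
        reasons.append("traffic to the gopni3g spam doorway directory")
    return reasons


def scan_access_log(lines):
    """Parse combined-format lines and keep those with at least one reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["method"], m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def check_site_root(root):
    """Look for the gopni3g directory and the files Sucuri reported inside it."""
    doorway = Path(root) / "gopni3g"
    if not doorway.is_dir():
        return []
    findings = ["gopni3g directory present in site root"]
    for name in ("story.php", ".htaccess"):
        if (doorway / name).is_file():
            findings.append(f"gopni3g/{name} present")
    subdirs = sorted(p.name for p in doorway.iterdir() if p.is_dir())
    if subdirs:
        findings.append(f"gopni3g subdirectories: {', '.join(subdirs)}")
    return findings


def demo_site_root():
    """Build a throwaway site root that mimics a compromised install (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "index.php").write_text("<?php // constructed placeholder\n")
    doorway = root / "gopni3g"
    (doorway / "templates").mkdir(parents=True)
    (doorway / "story.php").write_text("<?php // constructed placeholder\n")
    (doorway / ".htaccess").write_text("# constructed placeholder\n")
    return str(root)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["method"], hit["target"], hit["reasons"])
    for finding in check_site_root(demo_site_root()):
        print(finding)
```

A 404 on the HEAD probe, as in the first constructed line, is the case Plugin Vulnerabilities saw on a site without the plugin; the same request answered with 200 tells the site owner the plugin is present and that the update to version 3.6 and the gopni3g check are both overdue.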