Archives for November 2016
Cerber Ransomware Delivered via Google, Tor2web
by Eduard Kovacs – SecurityWeek
A new version of the Cerber ransomware has been delivered by cybercriminals using spam emails, Google links, the Tor2web proxy service and malicious macro-enabled Word documents.
Cerber is a relatively new piece of ransomware, but it has evolved a great deal over the past months. The malware is believed to generate an annual revenue of $2.3 million by infecting hundreds of thousands of devices worldwide.
Check Point researchers reported last week that Cerber developers had released versions 5.0 and 5.0.1. The security firm detailed some changes in the ransomware, including new IP ranges and modifications in the way files are encrypted. However, it appears there are also some changes in the way the malware is distributed.
Cisco Talos has been monitoring a Cerber 5.0.1 campaign and noticed the use of some interesting techniques. The attack starts with a short and basic spam email referencing pictures, transaction logs, order details or loan acceptance letters. All spam messages include the name of the recipient in the subject line.
The links in the emails appear to point to google.com, but they are Google redirect URLs: clicking one takes the user to a Google redirect page that reveals the true destination, a Tor hidden service exposed through the onion.to Tor2web gateway.
If the victim follows the onion.to link, the Tor2web proxy service fetches the document from the Tor network on their behalf. Tor2web gateways let an ordinary browser reach Tor hidden services without installing the Tor client, which is what makes them useful to an attacker whose victims have no Tor software.
“Additionally, as the actual malicious file is hosted on a server within the Tor network, it is significantly less likely that the malicious file will be removed or taken down like it would be if hosted traditionally on the internet via malicious or compromised web servers. It also allows the attackers to modify the redirection chain quickly and easily to attempt to evade reputation based blacklisting technologies,” explained Talos researchers.
The file downloaded from Tor is a Word document that claims to contain protected content and asks the user to enable macros to view it. If the user does, the macro has the Windows Command Processor (cmd.exe) invoke PowerShell, which downloads and executes the Cerber binary, again from the Tor network via the Tor2web gateway.
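The redirect chain just described can be checked mechanically before a user ever clicks. The following is an added example, not code from SecurityWeek, Talos or Check Point: it unwraps a google.com redirect URL and flags a destination that is served through a Tor2web gateway. The `q` parameter name of Google's redirector and the gateway suffixes other than onion.to are assumptions, and the sample message is constructed.

```python
"""Flag email links that hide a Tor2web destination behind a google.com
redirect.  Added example, not code from the article or from Talos.
Assumptions: Google's redirector has the form https://www.google.com/url?q=<target>
(the 'q' parameter is an assumption about that redirector); onion.to is the
gateway named in the article, the other suffixes are assumed; the sample
message is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlparse

GOOGLE_HOSTS = {"google.com", "www.google.com"}
TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab", ".onion.ws")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_google_redirect(url: str) -> str:
    """Return the target of a google.com/url?q=... redirect, else the URL unchanged."""
    parts = urlparse(url)
    if parts.hostname in GOOGLE_HOSTS and parts.path == "/url":
        q = parse_qs(parts.query).get("q")
        if q:
            return unquote(q[0])
    return url


def is_tor2web(url: str) -> bool:
    """True when the URL's host is a Tor hidden service proxied by a Tor2web gateway."""
    host = urlparse(url).hostname or ""
    return host.endswith(TOR2WEB_SUFFIXES)


def classify(url: str) -> str:
    """'tor2web' if the (unwrapped) destination is a Tor2web gateway,
    'redirect' for any other google.com redirect, 'plain' otherwise."""
    target = unwrap_google_redirect(url)
    if is_tor2web(target):
        return "tor2web"
    if target != url:
        return "redirect"
    return "plain"


def suspicious_links(message: str) -> list:
    """Unwrapped Tor2web destinations found in a message body."""
    return [unwrap_google_redirect(u) for u in URL_RE.findall(message)
            if classify(u) == "tor2web"]


# Constructed sample in the style of the spam described above (recipient
# name in the subject, a bare google.com link in the body).
SAMPLE_EMAIL = (
    "Subject: pictures - John\n\n"
    "Hi John, here are the pictures:\n"
    "https://www.google.com/url?q=http://abcdefghijklmnop.onion.to/pictures.doc&sa=D\n"
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("Tor2web destination:", link)
```

The unwrapping step matters because reputation filters that only score the visible hostname see google.com and pass the message; scoring the unwrapped destination instead is what defeats the "modify the redirection chain" trick Talos describes.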
Once their files are encrypted, victims are instructed to pay roughly $1,000 in bitcoins to obtain the “Cerber Decryptor.” If the ransom is not paid within five days, the amount doubles.
In mid-August, researchers discovered a flaw that allowed them to decrypt files held for ransom by Cerber versions 1 and 2, but the weakness was quickly fixed by cybercriminals. Decryption tools for newer versions have yet to be developed.
Windows Malware Infections spiked 106% from Black Friday to Cyber Monday
by Kelly Sheridan – Dark Reading
The number of infected PCs jumped some 106% over the holiday season's first shopping weekend and ran 118% above normal on Cyber Monday.
‘Tis the season for gift-giving, snowfall – and cybercrime. The 2016 holiday shopping season has already proven risky, with malware infections in the US jumping 106% between Black Friday and Cyber Monday.
The data comes from Enigma Software Group (ESG), which compiled data on infections recorded in its SpyHunter program. ESG analyzed malware data in the month leading up to Thanksgiving and compared it with infections recorded between Nov. 25 and Nov. 28, 2016.
It’s worth noting this data only applies to malware infections recorded on PCs, and does not include activity from smartphones or Apple products.
The size of the holiday spike has also grown: this year's 106% jump is well above the same weekend in 2015, when infections ran 84% above normal. Activity peaked on Cyber Monday, when infections were 118% higher than normal.
ESG believes there are multiple drivers behind the malware surge, says spokesperson Ryan Gerding.
“The biggest thing is that there are more people who are shopping online every year,” he explains. “What’s more, the bad guys are getting smarter in tricking people into accidentally clicking on links that install malware on their computers.”
Consumers are most likely to fall for emails that appear to come from legitimate companies. These messages may promise a free gift card or claim there is a problem with an order, but instead include a malicious link that downloads malware onto the victim's computer.
During the holidays, more people are shopping and anticipating these types of emails. They’re more likely to click on a money-saving coupon or wonder if there really is a problem with their order. As a result, malware infections continue to climb.
Emails aside, hackers also abuse social media accounts and post status updates containing malicious links. Others bundle malware with software downloaded from the Internet; for example, programs that promise to bypass location-specific restrictions on services like Netflix.
The vast majority of these infections are “nuisanceware,” says Gerding. They may slow down victims’ PCs or cause a spike in pop-up ads; things that are annoying but not necessarily dangerous.
However, dangerous attacks do occasionally take place. Ransomware makes up a tiny percentage of infections, but it can be devastating when it hits: ESG found that about 0.5% of all infections involve ransomware.
It is a minuscule share, but Gerding notes that the proportion of infections that are ransomware has doubled since 2015, when it stood at about 0.25%. The trend suggests ransomware will continue to grow as a consumer-facing threat in 2017.
“As long as the crooks are successful in getting people to pay a ransom, they’ll keep trying to get infections out there on as many computers as possible,” he says.
Mirai strikes again, leaving 1 million users offline
By Luana Pascu – Hot for Security BitDefender
When security experts warned us that Mirai-infected connected devices would strike again, and 10-fold, they weren't kidding. Almost 1 million Deutsche Telekom customers in Germany could not get online this weekend after an attack that targeted some 900,000 home routers with Mirai-derived malware, the provider confirmed.
Deutsche Telekom said that about 5 percent of its 20 million customers were directly affected by the attack; once it began fixing the problem, the figure dropped to 2 percent. The attackers' identity is unknown for now, but the SANS Internet Storm Center (ISC) reports that most of the attack traffic it observed came from Brazil.
“The massive disruption of Deutsche Telekom connections, according to findings by the Federal Office for Information Security (BSI), follows a worldwide attack,” reports abendblatt.de. “According to the BSI, the attacks were also noticeable in the specially protected government network, but were repelled by effective protection measures.”
The routers involved were Speedport models (Deutsche Telekom's branded DSL routers, several of which are manufactured by Zyxel) with TCP port 7547, the TR-069 remote-management port, reachable from the internet, according to the SANS Internet Storm Center. The same routers carry customers' TV and landline telephone services. Scans against this port have surged, and they “appear to exploit a vulnerability in popular DSL routers.”
“The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP,” SANS Internet Storm Center found.
Deutsche Telekom has released a firmware update for the affected routers. With some 41 million devices reported to have this port reachable from the internet, users of vulnerable routers are advised to install the update and, where possible, block inbound access to port 7547 from the WAN.
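A practitioner reading the SANS figures above will want to run the same check against their own logs: inbound connections to TCP 7547 from anything other than the ISP's auto-configuration server (ACS), which in normal TR-069 operation is the only party that should ever connect to that port. The following is an added example, not code from SANS ISC, Deutsche Telekom or Bitdefender. The log format and all addresses are constructed, 192.0.2.0/24 stands in for the ISP's ACS range, and the urn:dslforum-org SOAP namespace used to tag requests as TR-064 is a detail of that protocol stated here, not something the article gives.

```python
"""Spot port-7547 probing of the kind SANS ISC describes.  Added example,
not code from SANS ISC, Deutsche Telekom or Bitdefender.  Assumptions: the
log lines below are constructed; 192.0.2.0/24 is a placeholder for the
ISP's TR-069 auto-configuration server (ACS) range, the only legitimate
source of inbound connections to 7547; urn:dslforum-org is the TR-064 SOAP
namespace, a protocol detail not taken from the article."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

CWMP_PORT = 7547                          # TR-069 connection-request port
ACS_NETS = [ip_network("192.0.2.0/24")]   # placeholder ISP management range
TR064_NS = "urn:dslforum-org:"

# Constructed honeypot log: time, source IP, destination IP:port, method,
# path, and the SOAPAction header ('-' when absent).
LOG = """\
2016-11-27T14:00:05Z 203.0.113.10 198.51.100.77:7547 POST /UD/act?1 SOAPAction=urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T14:03:30Z 192.0.2.2 198.51.100.77:7547 GET / -
2016-11-27T14:07:41Z 203.0.113.10 198.51.100.77:7547 POST /UD/act?1 SOAPAction=urn:dslforum-org:service:Time:1#SetNTPServers
2016-11-27T14:09:12Z 203.0.113.200 198.51.100.77:80 GET /index.html -
2016-11-27T14:15:02Z 203.0.113.10 198.51.100.77:7547 POST /UD/act?1 SOAPAction=urn:dslforum-org:service:Time:1#SetNTPServers
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, dst, method, path, soap = line.split(" ", 5)
    dst_ip, dst_port = dst.rsplit(":", 1)
    action = soap[len("SOAPAction="):] if soap.startswith("SOAPAction=") else ""
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "dst": dst_ip, "port": int(dst_port), "method": method,
            "path": path, "action": action}


def from_acs(ip: str) -> bool:
    """True when the source lies inside the allowlisted ACS range."""
    addr = ip_address(ip)
    return any(addr in net for net in ACS_NETS)


def flag_cwmp_probes(log_text: str) -> dict:
    """Map each non-ACS source that touched port 7547 to its requests,
    marking those that carry a TR-064 SOAP action."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["port"] != CWMP_PORT or from_acs(ev["src"]):
            continue
        ev["tr064"] = ev["action"].startswith(TR064_NS)
        hits[ev["src"]].append(ev)
    return dict(hits)


def mean_interval_seconds(events: list):
    """Average gap between one source's probes, comparable to the
    'one request every 5-10 minutes' rate SANS reported; None for a single probe."""
    stamps = sorted(e["ts"] for e in events)
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)


if __name__ == "__main__":
    for src, events in flag_cwmp_probes(LOG).items():
        kind = "TR-064" if all(e["tr064"] for e in events) else "other"
        print(src, len(events), "probes,", kind, "mean gap",
              mean_interval_seconds(events), "s")
```

The same allowlist that drives `from_acs` is the firewall rule the article's advice amounts to: drop inbound 7547 at the WAN edge for every source except the ISP's ACS range, and nothing in the flagged rows ever reaches the SOAP handler.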
Carleton University Latest Victim of Ransomware
Carleton University computers infected with ransomware
‘Our research is halted right now because all our computers are either shut down or infected’
By Matthew Braga, CBC News
Students at Carleton University are being warned that some of its computers have been infected by ransomware, malware that encrypts files and effectively holds them hostage in exchange for payment.
“Any system accessible from the main network, that is Windows based, may have been compromised,” the school’s computing and communications services department wrote in an update to its website Tuesday morning.
A graduate student at the university emailed CBC to say the attackers have asked for payment in bitcoin, a digital currency that is difficult to trace. According to a message he saw on a school computer, the attackers are asking for either two bitcoin per machine, or 39 bitcoin total to release the encrypted files — the latter equalling nearly $38,941 at today’s rate on the popular Bitcoin exchange Coinbase.
The school has warned students to ignore the messages and report them.
“Our research is halted right now because all our computers are either shut down or infected,” the graduate student said.
More information to come
“We’re trying to sort out the details still,” said Steven Reid, a media relations officer at Carleton, who could not confirm the amount of payment the attackers had requested. “It’s affecting multiple systems, but we don’t know the extent.”
Students have been warned to shut down their computers, and stay off the school’s wireless network.
Staff and faculty at the university received notification of “network issues” from the IT department on Twitter just before 9 a.m. on Tuesday morning.
Those issues were said to be impacting email and Carleton Central, an information hub for course registration, admissions, payroll, and other administrative services.
David Kenyi, a volunteer at the school’s International Student Services Office, told CBC News that he and his colleagues have been unable to access their email and that students have been unable to register for events at his office.
“Now they do it manually, using pen and paper, and later I will need to put that into the system,” Kenyi said.
In June of this year, the University of Calgary was hit by a similar attack. In that case, the university paid $20,000 to regain access to its systems.
At the time, university vice-president of finances and services Linda Dalgetty said the school decided to pay the ransom to ensure that no one would lose access to their research.
And just this past weekend, San Francisco’s Municipal Transportation Agency (SFMTA) was infected with ransomware that took its ticketing systems offline. During the downtime, passengers were allowed to ride for free.
In that case, the attackers demanded payment of 100 bitcoin, which is worth about $95,000 Cdn. In a statement to the CBC, SFMTA chief spokesperson Paul Rose said that the agency did not pay the ransom and never considered doing so.
Public Safety Canada recommends that victims not pay the ransom requested by their attackers, as there is no guarantee that the locked files will be released, and payment may only encourage more criminals to adopt the tactic.
Gartner acknowledges Sophos’s continued data protection leadership
After being recognized by Gartner as a leader in seven consecutive Magic Quadrants for Mobile Data Protection, we continue our success by being one of the vendors with the most comprehensive solution in the new Gartner report, Market Guide for Information-Centric Endpoint and Mobile Protection.*
This new report by John Girard of Gartner is the replacement for the now retired Gartner Magic Quadrant for Mobile Data Protection. It defines nine different methods for information-centric endpoint protection, ranging from basic device protection to comprehensive file-based protection methods.
Of the 18 representative companies discussed in the report, Sophos is one of only two companies that can provide a solution for every single method with Sophos SafeGuard and Sophos Mobile Control.
Sophos SafeGuard, with its always-on file-based Synchronized Encryption, will protect your files wherever they go, for example when shared across platforms, emailed, or uploaded to cloud-based storage. The secure container technology and personal information management (PIM) capabilities in Sophos Mobile Control provide secure collaboration everywhere, working across mobile devices without compromising security and preventing accidental data leakage.
We agree with Gartner that, considering that information is highly mobile in today’s world, data protection solutions can no longer be centered around full disk encryption but should instead account for the many ways that business information needs protection as it moves.
To find out what Gartner says about the Information-Centric Endpoint and Mobile Protection marketplace, download the complete Market Guide here.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
*Gartner Market Guide for Information-Centric Endpoint and Mobile Protection, John Girard, 26 October 2016