SyncCrypt ransomware able to sneak past most antivirus defenses
From SC Magazine – August 17, 2017 – Doug Olenick
A new ransomware called SyncCrypt is using a unique method of downloading the malicious files that makes it very hard for an antivirus program to detect.
SyncCrypt was detected by Emsisoft researcher xXToffeeXx, reported Bleeping Computer, and is spread via spam emails carrying a .wsf (Windows Script File) attachment. What is unusual about this, other than the rare use of a .wsf file, said Bleeping Computer founder Lawrence Abrams, is that the .wsf downloads an image with embedded .zip files containing the ransomware.
“This method has also made the images undetectable by almost all antivirus vendors on VirusTotal,” Abrams said.
However, whether or not the image is opened, the .zip file is downloaded and its contents (sync.exe, readme.html and readme.png) are extracted, Abrams said. The good news is that while the image file tends to pass through most antivirus products, the files contained inside the .zip are more susceptible to detection, although Bleeping Computer found that VirusTotal still detected them less than 50 percent of the time.
If the ransomware runs successfully, the victim's files are encrypted and given a .kk extension, and a ransom note then appears giving the victim 48 hours to pay about 0.1 bitcoin.
At this time there is no way to decrypt the files and the best defense is to ensure all files are properly backed up.
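As an added example that is not part of the SC Magazine article, the check below locates where a PNG or JPEG legitimately ends and reports any ZIP archive appended after it, which is the structure the SyncCrypt dropper image is described as using; a scanner that only parses the picture sees a valid image, so a defender can inspect the trailer instead. The sample image and archive are constructed inline with placeholder contents.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def png_end(data: bytes) -> int:
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def jpeg_end(data: bytes) -> int:
    """Walk baseline JPEG segments to SOS, then return the offset just past EOI
    (FF D9). In scan data FF is followed only by 00 or D0-D7, so any other
    FF xx pair is a real marker."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data follows
            break
    else:
        raise ValueError("malformed JPEG header")
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            if nxt == 0xD9:
                return pos + 2
            raise ValueError("non-baseline JPEG not handled here")
        pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def appended_zip_members(data: bytes) -> list:
    """Names of ZIP members appended after the image data, or [] if none."""
    if data.startswith(PNG_SIG):
        end = png_end(data)
    elif data[:3] == b"\xff\xd8\xff":
        end = jpeg_end(data)
    else:
        raise ValueError("not a PNG or JPEG")
    hit = data.find(ZIP_LOCAL_HEADER, end)  # only look past the real image end
    if hit < 0:
        return []
    with zipfile.ZipFile(io.BytesIO(data[hit:])) as zf:
        return zf.namelist()

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample(with_zip: bool = True) -> bytes:
    """Constructed 1x1 grey PNG, optionally with a ZIP appended the way the
    SyncCrypt dropper image is described; the members are placeholders."""
    png = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    png += _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    if not with_zip:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sync.exe", b"placeholder bytes, not a real executable")
        zf.writestr("readme.html", b"<html>constructed ransom note</html>")
    return png + buf.getvalue()
```

Run `appended_zip_members(build_sample())` to see the two placeholder member names; a clean image returns an empty list.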
Two Dangerous Ransomware Are Back – Protect Your Computers
From the Hacker News – Swati Khandelwal
Ransomware has been around for a few years but has become an albatross around everyone’s neck—from big businesses and financial institutions to hospitals and individuals worldwide—with cyber criminals making millions of dollars.
In just the past few months, we saw a scary strain of ransomware attacks including WannaCry, Petya and LeakerLocker, which caused chaos worldwide by shutting down hospitals, vehicle manufacturing, telecommunications, banks and many businesses.
Before WannaCry and Petya, the infamous Mamba full-disk-encrypting ransomware and the Locky ransomware caused chaos across the world last year, and the bad news is that they are back with new variants more damaging than ever before.
Diablo6: New Variant of Locky Ransomware
Having first surfaced in early 2016, Locky has been one of the most widely distributed ransomware infections, infecting organisations across the globe.
By tricking victims into clicking on a malicious attachment, Locky ransomware encrypts nearly all file formats on a victim’s computer and network and does not unlock them until the ransom in Bitcoins is paid to the attackers.
The ransomware has made many comebacks with its variants being distributed through Necurs botnet and Dridex botnet.
Don’t be Held Hostage by Ransomware – CFO Magazine
As this article from CFO Magazine notes, it is unfortunate that an attack such as WannaCry/WanaCrypt0r has to occur to be the impetus for organizations and end users alike to take security to the next level, but the five steps it lists are crucial. You may not be immune, but you can reduce the chances of becoming a victim.
Kelly Bissell – June 6th, 2017
Five fundamental steps your company can follow to curb its chances of falling victim to a ransomware attack
If there’s a positive spin that can be placed on last month’s ransomware attacks, it’s that the topic of cybersecurity has finally emerged from the shadows and into the public eye. When 200,000 systems began to be infected across more than 150 countries on May 12, security became not just a matter for a few black-hat specialists and a wave of creative naming — from WannaCry to WanaCrypt0r and everything in between — it was suddenly everybody’s business.
Of course, businesses recognize they’re not immune from cyberattacks, and threat intelligence and law enforcement agencies have warned that such attacks can be expected to accelerate in frequency. In short, ransomware is rampant. Often delivered via e-mail, ransomware, also known as cryptoware, is used to attack a company’s data by encrypting it until a ransom is paid to an unknown source — in some respects, the criminals who use it are the “stand and deliver” highwaymen of the modern age.
Any approach to handling ransomware must take into account that it triggers fast-moving situations and that there’s no guarantee that an approach that works for one organization will also work for another. But here are five fundamental steps your company can take to curb its chances of falling victim to a ransomware attack:
1. Adopt prevention programs. Most ransomware attacks start as a phishing attack. Prevention training and awareness programs can help employees recognize the telltale signs of phishing scams and know how to handle them. Guide your employees on how to recognize and avoid fraudulent e-mails and what to do in the event of a social engineering attack. Keep testing internally to prove the training is working.
2. Strengthen e-mail controls. Ransomware attacks are frequently delivered via e-mail. Strengthening e-mail controls can often prevent malicious e-mails from reaching employees. Make sure you have strong spam filters and authentication. Scan incoming and outgoing e-mails to detect threats and filter executable files. Consider a cloud-based e-mail analytics solution, and review how e-mail is configured and how file extensions are displayed.
3. Improve the CMDB. Companies need to be very diligent about building a complete configuration management database (CMDB). It may be surprising, but most companies do not know all the IT systems in their environment across all subsidiaries and business lines. If you don’t know what you have, how can you protect it?
4. Insulate your infrastructure. Attackers are getting smarter, and it’s easier for unsuspecting employees to make mistakes by failing to recognize malicious e-mails. There’s a host of solutions here, from removing or limiting local workstation administration rights to seeking out the right configuration combinations (including virus scanners, firewalls, and so on). Regular patching of operating systems and applications can foil known vulnerabilities: the Microsoft patches related to this particular threat were one measure that Accenture applied back in March 2017 as part of our normal patching cycle.
5. Plan for continuity. Ransomware attacks are far from random — they are highly targeted and intentional, meaning that many can be averted via meticulous prevention. But even with the best defenses in place, successful attacks can occur. Having a strong business continuity plan for recovery — one that’s regularly reviewed, updated, and tested — makes it easier to avoid paying ransom. Recovery objectives must be aligned to the critical tasks within an acceptable timeframe. Workstations and file servers shouldn’t be constantly connected to backup devices. Further, the backup solution should store periodic snapshots rather than regularly overwriting previous backups, so that in the event of a successful attack, the backups will not be encrypted.
10 Cyber Security Threats to keep you awake at night
Businesses have cause to celebrate the benefits of technology – but fear it as well – as cyber-security journalist Tom Reeve explains.
From word processing, accounting packages and emails to process automation, just in time shipping and online sales and marketing, the hardware and software that drives modern businesses have enabled massive jumps in productivity while driving down costs.
However, the very internet service that enables your business – your entire IT infrastructure from the boardroom to the shop floor – may be hijacked by attackers to eat your organisation from within. This goes beyond losing control of your Twitter account or the front page of your website being defaced – it is a battle for your data and your money.
You may consider cyber-security as an IT issue or something that falls under the remit of the audit committee, but IT is everywhere and organisations ignore cyber-security at their peril – just ask TalkTalk, Tesco Bank and Camelot, to name just a few.
In a series of articles I will look at who these attackers are, what they are looking for and how you and your board of directors can fight back against the hackers.
But first, let’s take a quick tour through 10 of the biggest threats facing organisations, large and small.
1. Network infiltration is the basis for many high-profile attacks, and it involves exploiting weaknesses in software, systems, hardware or staff to gain privileged access to servers and workstations. There are many ways to hack your network and cyber-security experts will tell you that it’s not a matter of if you get hacked – but when.
Once the attacker has gained entry to a trusted device on your network, then he’s spoilt for choice: steal the data on the computer, spy on the user to glean further usernames and passwords to other devices, lock the user out (see ransomware) or exploit weaknesses in the corporate network to force his way into other machines. Or he could harness the machine as part of a botnet, using it to send spam or attack computers outside your network.
Last year, it was revealed that Australian government systems, including a branch of the Defence Department, had been infiltrated repeatedly in the past five years, leading to the loss of plans for a geostationary satellite system among other things.
2. Ransomware is pretty much what it says on the tin, a new wrinkle on an attack that’s about as old as humanity itself. Ransomware is notable for being the one cyber-attack that goes out of its way to advertise itself. While other malicious software conceals itself, ransomware only hides for as long as it takes to encrypt your files. Then it launches a big banner proclaiming your new status as its victim.
Ransomware creators are noted for their excellent “customer” service. Their business model relies on teaching the victim how to do something that they probably haven’t done before: purchase bitcoins. They often include tutorials and even videos detailing each step.
Angela Sasse, professor of human-centred security at UCL, has interviewed victims about their experience of being attacked, and she says they often rave about how helpful the ransomers have been. However, this is to miss the point: by paying them, you are supporting their criminal business model and the advice from law enforcement, at least officially, is not to pay.
3. Trojan horses are a class of attack in which the harmful payload is hidden inside another ‘beneficial’ program, the most insidious examples of this being programs that claim to rid your computer of viruses or fix common configuration problems. Once downloaded, they will often ask for administrator rights on your device, be it a desktop, tablet or mobile phone.
Having enslaved your machine, a Trojan will typically open a connection to the internet and attempt to connect to a command and control server. Sometimes it will lie dormant, making it harder to detect and investigate the source of the attack. But when he’s ready, the attacker can download his choice of malware including keyloggers for sniffing passwords, botnet controllers to turn your machine into a DDoS robot and network intrusion tools to gain access to other machines.
Some Trojans have even been known to eliminate the competition by installing antivirus software and cleaning out other malware they find on their host. Trojans are an effective and popular way to control computers, and even intelligence agencies have been known to employ them.
In the past year we have seen Trojans which bypass security on the Chrome browser, target customers of online Russian banks and even one designed to manipulate currency rates.
4. Phishing is an attack on your staff aimed at luring them into giving away passwords and other sensitive information. Dressed up as an email from a trustworthy source, it can appear to come from someone the person knows such as a friend or colleague or a bank or government agency.
Through training and vigilance, the incidence of successful phishing attacks can be reduced, but even so, the most savvy of users can fall for this attack if they aren’t paying attention.
Phishing attacks are usually sent to thousands of users at a time, but a more refined version of the attack, called spear-phishing, targets individuals. After carefully researching their victim, often using sources such as social media and publicly available corporate records, the attacker will write an email that sounds as if the sender knows the recipient personally.
Phishing and spear-phishing were used to gain access to the email accounts of Democratic Party officials in the US ahead of the presidential election, and they are also the most common type of malicious email that most people receive. Learning to spot them is one of the most effective skills you can learn for online survival.
5. Whaling is considered a variation of phishing even though it doesn’t contain any malware. Instead, it seeks to deceive the recipient into believing that it was written by a trusted figure – such as the company boss or a supplier – with instructions for wiring money.
In one well-known case, Ubiquiti, a manufacturer of network devices, was scammed out of $46.7 million (£37 million) by “an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” according to an SEC filing.
And slightly closer to home, last year, two European manufacturers – Leoni AG and FACC – lost €40 million each in separate whaling attacks. In the case of FACC, the CEO and CFO were both sacked.
6. Supply chain attacks come from trusted suppliers who have privileged access to your corporate network. Organisations often trust their suppliers with sensitive information and access to their internal affairs while forgetting that suppliers don’t always have perfect control over their own IT networks.
To mitigate the risks of supply chain data leaks, it could be beneficial to use technology such as supply chain software that can restrict access to sensitive information while also tracking who is retrieving the data from the system. A little bit of carefulness and tech upgrades could help to reduce supply chain attacks while also making inventory management an easier task for the employees.
In one well-known case in 2013, Target Stores in America was compromised by an HVAC service provider which had access to the retailer’s internal networks through a purchase order management system. Attackers gained access to Target through the HVAC supplier and then waited several months, until the Black Friday shopping weekend, to launch a massive attack against thousands of point-of-sale terminals, stealing details on 110 million people.
7. Zero-day vulnerabilities are a class unto themselves. All software packages are thought to have vulnerabilities, and responsible developers patch them as quickly as they can once they become aware of them. Responsible disclosure is a process whereby security researchers inform companies of the problem and give them the opportunity to patch the problem before it is announced to the wider computing community.
However, malicious researchers, sometimes called black hats, don’t disclose vulnerabilities when they discover them because hidden vulnerabilities are valuable. Zero-days – so-called because developers have zero days to respond to them – are traded by criminal groups and even nation states for up to half a million dollars in some cases.
However, most organisations don’t need to worry about zero-days for the simple reason that they only retain their value for as long as they remain unknown. The more a zero-day is used, the more likely it is to be discovered. Organisations need only ask themselves, are we worth a zero-day attack? If not, move on – there are enough other things to worry about.
8. Vulnerable equipment and software is less about deliberate attacks and more about manufacturers’ sloppy security practices. In the rush to get a product to market, or keep costs as low as possible, security often takes a backseat.
When acquiring new hardware or software, ask yourself if you can trust the supplier. A little research on the internet can reveal whether the manufacturer has been cited in many security research reports.
Even brand names are not immune. It was recently revealed that Honeywell SCADA controllers – network-connected devices for controlling industrial processes – contained insecure password data and were also vulnerable to “path traversal” attacks. And Cisco regularly publishes security alerts alongside software updates, detailing vulnerabilities that it has discovered and fixed.
9. BYOD (bring your own device) covers the personal devices that staff use to connect to your network. Whether it’s a mobile phone or a tablet, every time you allow a member of staff to connect their device to your network, you are shaking hands with a computer of unspecified pedigree and unknown hygiene.
Consider why you are allowing these mobile devices to access your network, and if it is just to allow them to use the Wi-Fi, consider setting up an isolated network for this purpose.
10. Denial of service is an attack that can bring your website or cloud services grinding to a halt. A common attack method, known as distributed denial of service (DDoS), typically employs a botnet of thousands of compromised computers to flood a victim’s server with packets of useless information.
The target becomes bogged down in the sheer number of requests it is forced to handle in attacks lasting minutes or days, slowing and sometimes crashing the device.
In a new wrinkle on this tried and tested attack, attackers are using the Mirai malware to take over internet-connected CCTV cameras and digital video recorders and launch the biggest DDoS attacks ever seen. Last year, Twitter, Spotify, Netflix, Amazon and Reddit were among the many websites taken offline for several hours by an attack on the Dyn DNS service which appears to have been enabled, at least in part, by a Mirai botnet.
So there you have it – ten cyber-threats facing your organisation.
Cerber Ransomware Now Evades Machine Learning
From Dark Reading
New variant has been broken into separate harmless-looking components to fool ML-based detection systems, Trend Micro says.
Cybercriminals have repeatedly shown an ability to innovate past whatever security controls organizations and industry have been able to throw in their way. So it is little surprise that some have begun taking a crack at machine learning tools.
Researchers at security vendor Trend Micro recently discovered a new Cerber ransomware sample that appears designed specifically to evade detection by machine learning algorithms.
“The Cerber changes are really interesting as they’re a direct response to changes in how some products are detecting malware,” says Mark Nunnikhoven, vice president of cloud research for Trend Micro.
The newest version separates the different stages of the malware into multiple files and dynamically injects them into a running process, he says. “This helps to conceal them from various detection methods.”
Like other ransomware threats, the new version of Cerber is also distributed via email. The email contains a link to a self-extracting archive stored in a Dropbox account controlled by the attackers. The archive contains three files—one containing a Visual Basic script, the second a DLL, and the third a binary file. The script is designed to load the DLL, which then reads the binary file and executes it. The binary file contains a new loader for Cerber and also the configuration settings for the malware.
The loader first checks to see if it is running in a sandbox or other protected environment. If it discerns that it’s not in a protected environment, it injects the entire Cerber binary into one of several running processes, Trend Micro said in an alert this week.
“In their current form, some static machine learning-tools can have a hard time seeing the various pieces of the new configuration of Cerber,” Nunnikhoven says. The malicious parts of it don’t get analyzed, so the malware doesn’t get flagged.
The reason is that static machine learning approaches look at the content of a file and evaluate the contents to see if they match malicious behaviors and attributes, he says.
But if the malicious content of the file is hidden for instance via encryption, or it is injected in real-time into a legitimate process, the content is not evaluated for suspicious behavior and attributes, he says.
“Say someone walks up to the door and they’ve got their hands behind their back. You look through the peephole and don’t see an immediate threat so you let them in,” he says. You don’t know until they are already in the house whether what they have in their hands is malicious or benign.
The latest innovations only make Cerber harder to detect via machine learning algorithms, he says. It can still be detected by other mechanisms. “The take-home message is that only using one technique to detect malware leaves you vulnerable if the criminals adapt to it.”
News of Cerber’s latest tricks comes even as a new report from Carbon Black shows that many organizations remain unconvinced about the benefits of applying artificial intelligence and machine learning techniques to detect and stop cyber threats.
Nearly 75% of 410 security researchers that Carbon Black surveyed for the report describe AI-driven cybersecurity tools as being flawed, while 70% are convinced cyberattackers are capable of bypassing machine learning-based systems.
Mike Viscuso, co-founder and CTO of Carbon Black, says many current machine learning-based anti-malware tools are designed to stop attacks based on an inspection of files rather than behavior. They therefore miss the growing number of attacks that involve no malware files at all, he says.
Static analysis-based approaches relying exclusively on files have been useful in the past. AI and ML-based tools can be useful in augmenting human decision-making and in spotting non-obvious relationships in massive volumes of security data. But they are of somewhat limited use in detecting non-malware attacks, he says.
Rather than using ML tools to look at individual files, organizations should be monitoring application and service activity, communications among processes, unauthorized requests to run applications, and changes to permission and credential levels, Viscuso says.
“If security tools are looking for just malware, they are missing an entire class of attacks that rely on native operating system tools to carry out nefarious actions. Attacks are evolving. So should [be] our defenses.”
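As an added example that is neither Trend Micro’s nor Carbon Black’s code, the rule below applies the behavioural approach Viscuso describes to the loading chain Nunnikhoven describes: it never looks at the content of the script, DLL or binary files, and instead correlates a script host loading a DLL from a user-writable directory with a later write into another process. The telemetry schema (`Event`) and the event records are constructed for this illustration, not taken from any real product.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an ordinary user can write to; a DLL loaded from here by a
# script host is the first visible step of the chain described above.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass
class Event:
    """Constructed endpoint telemetry record (hypothetical schema)."""
    ts: float        # seconds since start of capture
    pid: int
    image: str       # process image name, lower-case
    action: str      # "image_load", "remote_write" or "create_thread"
    target: str      # loaded path, or image name of the written-to process
    target_pid: int = 0

def detect_injection_chain(events: List[Event], window: float = 60.0) -> List[str]:
    """One alert per script-host process that loads a DLL from a user-writable
    path and, within `window` seconds, writes into or starts a thread in
    another process. Nothing here inspects the content of the staged files."""
    staged: Dict[int, Tuple[float, str]] = {}  # pid -> (ts, dll path)
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image not in SCRIPT_HOSTS:
            continue
        path = ev.target.lower()
        if ev.action == "image_load" and path.endswith(".dll") \
                and path.startswith(USER_WRITABLE):
            staged.setdefault(ev.pid, (ev.ts, ev.target))
        elif ev.action in ("remote_write", "create_thread") \
                and ev.pid in staged and ev.target_pid != ev.pid:
            t0, dll = staged.pop(ev.pid)
            if ev.ts - t0 <= window:
                alerts.append(f"pid {ev.pid} {ev.image} loaded {dll} then "
                              f"{ev.action} into {ev.target} (pid {ev.target_pid})")
    return alerts

# Constructed sample: a benign wscript.exe run and one matching the chain.
SAMPLE_EVENTS = [
    Event(1.0, 4120, "explorer.exe", "image_load", "c:\\windows\\system32\\shell32.dll"),
    Event(2.0, 5208, "wscript.exe", "image_load", "c:\\windows\\system32\\vbscript.dll"),
    Event(3.0, 5208, "wscript.exe", "image_load",
          "c:\\users\\alice\\appdata\\local\\temp\\stage2.dll"),
    Event(4.5, 5208, "wscript.exe", "remote_write", "svchost.exe", 812),
    Event(5.0, 5208, "wscript.exe", "create_thread", "svchost.exe", 812),
    Event(9.0, 6001, "wscript.exe", "image_load", "c:\\windows\\system32\\vbscript.dll"),
]
```

Running `detect_injection_chain(SAMPLE_EVENTS)` yields a single alert for pid 5208; the second wscript.exe process, which only loads a system DLL, stays silent.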