CyberheistNews Vol 4, # 34 Cryptolocker Being Spread Via YouTube Ads




Editor's Corner


Cryptolocker Being Spread Via YouTube Ads

Virus Bulletin reported that cyber criminals are now spreading Cryptolocker / CryptoWall via YouTube. Malware researchers Vadim Kotov and Rahul Kashyap found that the criminals buy advertising space and use the ad slot to funnel viewers to exploit kits that infect unpatched workstations.

They ran into this while examining YouTube and website banner ads for cases where malware writers had actually bought ad space to push malware onto unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits."

YouTube ad space turns out to be a cheap and efficient way to spread browser malware, and the attacker gets YouTube's powerful geo-targeting features for free. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard, but preventing this is not easy.

Now, spreading malware via ad networks is in itself nothing new. We have seen this since around 2010, when scareware was promoted as "Free Security Scans", remember? The free scan found a host of "problems" and sold you a bogus, rip-off AV product. Some of those same gangs have moved on to ransomware.

What is new here is this: clicking on a thumbnail after the first video causes a redirect, an exploit kit hosted on a compromised website kicks in, probes the browser and its plug-ins for a known unpatched vulnerability, and once it finds one, executes ransomware code that encrypts the victim's files and extorts $500. An exploit kit runs through its whole battery of known holes in seconds, so the "ad-network" threat just escalated to a much higher level.

So there are a few best-practice points to consider here. Patching end-user workstations (browser plug-ins included) as soon as possible becomes more important than ever. I would look at either blocking YouTube at the edge and/or deploying ad blockers, in your Internet filter or as a browser plug-in. And of course, you guessed it, educate your users! Story at Virus Bulletin:
https://www.virusbtn.com/blog/2014/08_15.xml
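The redirect chain described above (ad slot, landing page on a compromised site, plug-in exploit, binary drop) is also what you can hunt for in your own proxy logs. The script below is an added example written for this newsletter, not code from Virus Bulletin or the Bromium researchers. It assumes a constructed log format with a referrer and response Content-Type per request, an ad-host list you would normally take from your web filter's "advertising" category, and invented hostnames under .test; the sample log lines are made up. It flags a client that is sent from an ad host to a landing page and then, within a minute, pulls a Flash/Java/Silverlight object and an executable from that chain, while a legitimate Flash banner on a shop site produces no alert.

```python
from datetime import datetime
from urllib.parse import urlparse

# Hosts treated as ad networks. CONSTRUCTED for this example; in practice feed
# this from your proxy's "advertising" category or an ad-block list.
AD_HOSTS = {"ads.example-adnet.test"}

# Response types typical of an exploit kit's plug-in exploit stage and of the
# final binary drop. Assumes the proxy logs the response Content-Type.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-silverlight-app"}
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}

WINDOW_SECONDS = 60  # the whole landing -> exploit -> drop chain fits in a minute

# Constructed log lines: "time client method url status referrer content-type".
SAMPLE_LOG = """\
2014-08-20T10:00:01 10.0.0.5 GET http://www.youtube.com/watch?v=abc 200 - text/html
2014-08-20T10:00:02 10.0.0.5 GET http://ads.example-adnet.test/banner?id=9 200 http://www.youtube.com/watch?v=abc text/html
2014-08-20T10:00:04 10.0.0.5 GET http://ek-landing.test/index.php?q=1 200 http://ads.example-adnet.test/banner?id=9 text/html
2014-08-20T10:00:05 10.0.0.5 GET http://ek-landing.test/load.swf 200 http://ek-landing.test/index.php?q=1 application/x-shockwave-flash
2014-08-20T10:00:09 10.0.0.5 GET http://ek-landing.test/getfile.php?k=2 200 - application/x-msdownload
2014-08-20T10:01:00 10.0.0.7 GET http://www.youtube.com/watch?v=xyz 200 - text/html
2014-08-20T10:01:01 10.0.0.7 GET http://ads.example-adnet.test/banner?id=3 200 http://www.youtube.com/watch?v=xyz text/html
2014-08-20T10:01:02 10.0.0.7 GET http://shop.example.test/ 200 http://ads.example-adnet.test/banner?id=3 text/html
2014-08-20T10:01:03 10.0.0.7 GET http://shop.example.test/promo.swf 200 http://shop.example.test/ application/x-shockwave-flash
"""


def host_of(url):
    """Hostname of a logged URL, or None for the proxy's '-' placeholder."""
    return None if url == "-" else urlparse(url).hostname


def parse_line(line):
    ts, _method_client, url, _status, referrer, ctype = (
        line.split()[0], line.split()[1:3], line.split()[3], line.split()[4],
        line.split()[5], line.split()[6])
    client = _method_client[0]
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": host_of(url), "ref_host": host_of(referrer), "ctype": ctype}


def find_chains(lines):
    """Return one alert per ad-referred landing page that is followed, from the
    same client within WINDOW_SECONDS, by a plug-in object and then a binary
    served from the landing host or a host the chain referred to."""
    by_client = {}
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_client.setdefault(ev["client"], []).append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(evs):
            # Landing candidate: referred by an ad host, but not an ad host itself.
            if landing["ref_host"] not in AD_HOSTS or landing["host"] in AD_HOSTS:
                continue
            chain_hosts = {landing["host"]}
            exploit_url = drop_url = None
            for ev in evs[i + 1:]:
                if (ev["ts"] - landing["ts"]).total_seconds() > WINDOW_SECONDS:
                    break
                if ev["host"] not in chain_hosts and ev["ref_host"] not in chain_hosts:
                    continue  # unrelated browsing by the same client
                chain_hosts.add(ev["host"])  # follow the redirect chain
                if ev["ctype"] in PLUGIN_TYPES and exploit_url is None:
                    exploit_url = ev["url"]
                elif ev["ctype"] in BINARY_TYPES and exploit_url is not None:
                    drop_url = ev["url"]
                    break
            if exploit_url and drop_url:
                alerts.append({"client": client, "landing_host": landing["host"],
                               "exploit_url": exploit_url, "drop_url": drop_url})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG.splitlines()):
        print("ALERT malvertising chain:", alert)
```

This is a heuristic, not a signature: it will miss chains the proxy cannot see (HTTPS without interception, a drop fetched by the exploited plug-in through a different path) and it only fires when the binary lands inside the window. Its value is that it keys on the sequence rather than on any one domain, which is exactly what the ad-network delivery model defeats.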

More Ransomware News

Last week, Nicole Perlroth at the New York Times wrote: "You are guilty of child porn, child abuse, zoophilia or sending out bulk spam. You are a criminal. The Federal Bureau of Investigation has locked you out of your phone and the only way to regain access to all your data is to pay a few hundred dollars.

"That message — or variations of it — has popped up on hundreds of thousands of people’s Android devices in just the last month. The message claims to be from the F.B.I., or cybersecurity firms, but is in fact the work of Eastern European hackers who are hijacking Android devices with a particularly pernicious form of malware, dubbed “ransomware” because it holds its victims’ devices hostage until they pay a ransom.

In just the last 30 days, roughly 900,000 people were infected with a form of ransomware called “ScarePackage,” according to Lookout, a San Francisco-based mobile security firm.

“This is, by far, the biggest U.S. targeted threat of ransomware we’ve seen,” said Jeremy Linden, a senior security product manager at Lookout. “In the past month, a single piece of malware has infected as many devices in the U.S., as a quarter of all families of malware in 2013.”

By reverse coding the ransomware, Lookout’s engineers found several clues indicating that the ransomware’s authors are of Eastern European origin. Russian and Slavic words and slang appeared in the code. Here is the full blog post:
http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/

Even MORE Ransomware News

The Avast Blog reports a new "password stealer" feature in the Reveton ransomware. Reveton is the "police" lock-screen type of ransomware that falsely alerts users they have broken some law and demands payment of a fine, usually in Bitcoin or via MoneyPak. The new password stealer is very powerful and dangerous.

The authors upgraded the despised malware from a lock-screen-only version to a powerful password and credential stealer by bolting on the latest version of "Pony Stealer". This addition harvests stored credentials from more than 110 applications and turns your computer into a botnet client. It's a good example of the criminal ecosystem that exists now: malware writers license other malware writers' code and integrate it for more profit. Much more about this at the KnowBe4 Blog (you can subscribe to the blog and get new-post alerts via email):
http://blog.knowbe4.com/bid/394854/Reveton-Ransomware-Adds-Powerful-Password-Stealer

All the above are great reasons for effective security awareness training. Find out how affordable this is for your organization now. Why Kevin Mitnick Security Awareness Training? Ransomware, that's why. Get a quote now:
http://info.knowbe4.com/ransomware-cryptolocker-guarantee_primary_14-08-26

Workers At U.S. Nuclear Regulator Fooled By Phishers

Antone Gonsalves at CSO reported something that worries me, and this SHOULD NOT BE happening in this day and age.

"Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three foreign-based phishing attacks that occurred over a three-year period. The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from Skydrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified. In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer. Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said. During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations. Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, said.

Security Awareness Training anyone? PLEASE?

There is more to this story, so continue to read here:
http://www.csoonline.com/article/2466725/physical-security/workers-at-u-s-nuclear-regulator-fooled-by-phishers.html

Quotes of the Week

"The best road to progress is freedom's road." - John F. Kennedy

"Freedom is never more than one generation away from extinction. We didn't pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same." - Ronald Reagan

Thanks for reading CyberheistNews! Please forward to your friends. Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

WHITEPAPER:
Which of the 5 types of user education works best?

This whitepaper from Osterman Research shows which of the 5 types of security awareness training has the best results. Well over 200 organizations were asked questions related to their awareness training, malware infiltration, and if their problems with phishing were worse, the same or getting better. Research showed that an organization's Security Awareness Confidence Score varies significantly depending on the training type.

Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem:
http://info.knowbe4.com/whitepaper-osterman-primary_14-08-26


Video: SQL Injection Explained In 5 Minutes

I was at Black Hat and left my email address at the Imperva booth. They sent me this and it's a very good little intro: "SQL injection attacks have been around for more than ten years … yet 97 percent of data breaches worldwide are still due to a SQL injection somewhere along the line," Neira Jones, Head of Payment Security for Barclaycard, 2012.

SQL injection remains one of the most dangerous attacks against web applications today. Do you know how a SQL injection attack works from start to finish, from reconnaissance to pulling passwords out of the database? Test your knowledge with this video demonstration of a SQL injection attack. This step-by-step video:

 

  • Shows how hackers use SQL injection to hack into databases
  • Demonstrates the steps for SQL injection reconnaissance
  • Explains how passwords and credit card numbers can be extracted with SQL injection

View Video (5:00):

https://www.youtube.com/watch?v=yZ8aDFs0Z38&feature=youtu.be
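For readers who want to see the same three steps (reconnaissance, bypassing the login, extracting card numbers) in working code rather than on video, here is an added example. It is not from the Imperva video or from KnowBe4; it builds a constructed SQLite database with two users and two card numbers (passwords stored in plaintext purely to keep the example short, which is its own sin) and shows the vulnerable login query next to the parameterized fix.

```python
import sqlite3


def make_db():
    """In-memory demo database. Schema and rows are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards(id INTEGER PRIMARY KEY, user_id INTEGER, number TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 'Wonderland1'), ('bob', 'hunter2');
        INSERT INTO cards(user_id, number) VALUES (1, '4111111111111111'), (2, '5500000000000004');
    """)
    return conn


def login_vulnerable(conn, username, password):
    # VULNERABLE: user input is pasted into the SQL text, so a quote, a
    # "--" comment or a UNION clause in the input becomes part of the query.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # FIXED: a parameterized query. The driver hands the values to the engine
    # separately from the SQL text, so a quote in the input is just a quote.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe(conn, payload):
    """Reconnaissance step: feed the login a lone quote and see whether the
    application leaks a database error. Returns the error text, or None if
    the query ran cleanly (no injection point, or errors are suppressed)."""
    try:
        login_vulnerable(conn, payload, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    conn = make_db()
    # Step 1, recon: a single quote breaks the query and the error tells the
    # attacker the input reaches the SQL engine unescaped.
    print("recon:  ", probe(conn, "'"))
    # Step 2, bypass: "' OR 1=1 --" makes the WHERE clause always true and
    # comments out the password check; every user comes back.
    print("bypass: ", login_vulnerable(conn, "' OR 1=1 --", "x"))
    # Step 3, extraction: a UNION pulls card numbers out through the same
    # single-column result the login page already displays.
    print("dump:   ", login_vulnerable(conn, "' UNION SELECT number FROM cards --", "x"))
    # The parameterized version treats the same payloads as a literal username.
    print("safe:   ", login_safe(conn, "' OR 1=1 --", "x"))
```

The fix is not "escape the quotes"; it is never building SQL text from untrusted input at all. Parameterized queries (or an ORM that uses them underneath) close every one of the three steps above, and the probe step is the cheap check you can run against your own login forms before someone else does.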


Hacking Into Traffic Lights With a Plain Old Laptop Is Scary Simple

Gizmodo reported yesterday on a new study from the University of Michigan on the vulnerabilities of traffic lights, which is shocking proof that we need to make some major changes, and we need to make them now.

A team led by computer scientist J. Alex Halderman recently studied the security of traffic lights in an unnamed Michigan town and found them ridiculously easy to hack. There are three major weaknesses:

 

  • unencrypted wireless connections,
  • use of default usernames and passwords, and
  • vulnerable debugging ports

 

These meant that the researchers were able to take control of the lights with a normal laptop. As long as the wireless card in the attacker's computer can communicate on the same frequency the traffic lights use, it can join the wireless network that links the entire system. It's pretty mind-boggling, actually. An attacker can look up the default usernames and passwords needed for unfettered access and take over a whole city's traffic system with one dinky exploit.

And it really is a systemic problem. The research team wrote: "The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness." We agree. Security awareness training is needed at all levels, from the end-user on up through development and the C-suite. Link:
http://gizmodo.com/hacking-into-traffic-lights-with-a-plain-old-laptop-is-1624102517


Is Microsoft Antivirus Legit Again?

This question was asked in the Security Forum at Spiceworks. My answer was as follows, and you might be surprised.

"Unfortunately, from where most of us are sitting (inside an organization), it is practically impossible to determine the quality of AV engines. The next issue is that the "testing" organizations also only have a partial look at the whole universe of malware out there. AV-Test and VirusTotal rely mostly on a collection (or zoo) of known and new strains out there, and these are normally gathered using all AV engines (around 40-ish) and seeing who catches a sample first. Then they do their testing and scoring, but sadly it is a matter of the blind leading the blind.

The actual problem is that there are many hundreds of unknown zero-day threats out there that NO antivirus engine can protect against. These 0-days are spread over dozens of popular apps. And as we recently saw, even AV engines themselves are riddled with 0-days. Government spy agencies buy these from specialized companies like the British/German FinFisher, the French company Vupen, and the Italian Hacking Team. Cyber mafias buy them from independent criminal researchers. The spear-phishing attacks that target your company are laced with these 0-days. No AV is going to be effective against that.

Let's use logic for a moment. Microsoft has by far the world's largest network of "sensors": hundreds of millions of Windows machines. They stand to gain the most from Windows being stable and not infected with malware. This massive detection network means they will be among the very first to get samples of unknown malware, and the first able to update their most recent Windows Defender code, which by now is a full-fledged AV engine.

Redmond is downplaying its quality to not upset their AV channel partners and not get into trouble with the Monopoly-cops. They do not care about certification from Virus Bulletin or AV test, because the tests are not very relevant. What is relevant are real-life threats out there in the wild. And they do know about them first.

I have uninstalled all AV protection and rely on two things: Windows Defender and training. I started KnowBe4 after having been inside the AV industry and created Kevin Mitnick Security Awareness Training, because that is, at this point, a missing element in defending against those 0-day spear-phishing attacks.

What I would consider is a whitelisting product that only allows known-good executables to run, and perhaps Malwarebytes as a second opinion when needed."


"Cybersecurity As Realpolitik" By Dan Geer - Black Hat 2014

Dan Geer's Black Hat 2014 Keynote Cybersecurity as Realpolitik is thoughtful, smart, vital, and cuts through -- then ties together -- strands of security, liability, governance, privacy, and fairness, and is a veritable manifesto for a better (digital) world.

Dan Geer is a computer security analyst and risk management specialist. He is recognized for raising awareness of critical computer and network security issues before the risks were widely understood, and for ground-breaking work on the economics of security.

Geer is currently the chief information security officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the Central Intelligence Agency. 54-minute video:
http://videosift.com/video/A-video-about-cybersecurity-that-you-should-really-watch

Available in text: http://geer.tinho.net/geer.blackhat.6viii14.txt


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Magicians Kevin James, Dan Sperry and Adam Trent perform during the live results show of America's Got Talent 2014 at Radio City Music Hall:
http://www.flixxy.com/the-illusionists-magic-trio-americas-got-talent-2014.htm?utm_source=4

A unique aerobatic display in the world's top aerobatic glider aided by wingtip smoke and pyrotechnics:
http://www.flixxy.com/glider-plane-shooting-fireworks-from-the-wings.htm?utm_source=4

No action movie features a stunt as wild as this real-life footage from a dash-cam in Mogilev, Belarus:
http://www.flixxy.com/luckiest-motorcyclist-ever.htm?utm_source=4

The story of a man who proposes a wager as an opportunity to challenge himself to create an original performance in order to win a money-can’t-buy experience. 6 minute short, starring Jude Law and Giancarlo Giannini:
http://www.flixxy.com/the-gentlemans-wager-short-film.htm?utm_source=4

French athlete Floria Guei comes back from 4th place to 1st to win the Women's 4x400m Relay Final at the European Athletics Championships in Zurich 2014:
http://www.flixxy.com/incredible-victory-4x400m-relay-european-championship.htm

Should you believe your ears and the things they hear? Sometimes not!
http://www.flixxy.com/can-you-trust-your-ears-audio-illusions.htm?utm_source=4

'Beautiful' is the only word that can possibly be used to describe this video filmed at the Okinawa Churaumi Aquarium in Japan. The glass is 2 feet thick:
http://www.flixxy.com/okinawa-churaumi-aquarium.htm?utm_source=4

Survival Bike: Black Ops combines a moped and end of the world arsenal:
http://www.slashgear.com/survival-bike-black-ops-combines-a-moped-and-end-of-the-world-arsenal-05339952/

Bulletproof Coffee, The New Power Drink Of Silicon Valley:
http://www.fastcompany.com/3032635/most-creative-people/bulletproof-coffee-the-new-power-drink-of-silicon-valley

Billionaire Elon Musk: How I Became The Real 'Iron Man' - Lunch & Learn:
https://www.youtube.com/watch?v=mh45igK4Esw&feature=youtu.be&app=desktop

An excellent video animation created by Zero One Animation for the account of the Melbourne museum showing the destruction of the historic city of Pompeii after the eruption of the volcano Vesuvius. 8 minutes of WOW:
https://www.youtube.com/watch?v=dY_3ggKg0Bc

 