CyberheistNews Vol 4, # 31 Second Generation Ransomware In The Wild




Editor's Corner

Heads-Up: Second Generation Ransomware In The Wild

Last week, Fedor Sinitsyn, a security researcher at Kaspersky Lab, posted something worrisome. He reported that the Angler Exploit Kit was delivering a new, second-generation type of ransomware called CTB-Locker (for "Curve-Tor-Bitcoin"). Kaspersky detects it as "Onion" because it uses the Tor (The Onion Router) anonymity network; Microsoft identifies the malware as Critroni.A.

The Next CryptoLocker

Sinitsyn described CTB-Locker as the potential successor to CryptoLocker, and noted that while other malware had used the anonymous Tor network before, that had been limited to banking malware families such as the 64-bit ZeuS.

Why Second Generation? 5 reasons:

   1) CTB-Locker is the first Windows crypto-ransomware to hide its command
         & control (C&C) servers inside the Tor network, which makes them much
         harder to locate and shut down.
   2) Because the traffic between the malware on the infected machine and its
         C&C servers is wrapped in Tor, it is much harder to intercept, and the
         real C&C address never shows up in your network logs.
   3) CTB-Locker encrypts files using Elliptic Curve Diffie-Hellman
         cryptography, still rare in malware: the private key needed to decrypt
         is held only by the attackers and never touches the victim's machine,
         so decrypting the files yourself is not feasible.
   4) It compresses files before encrypting them.
   5) It was built as commercial crimeware, so it can be sold globally to
         other cybercriminals. The buyer can set the Bitcoin ransom amount and
         the extensions of the files that will be encrypted.
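
To make point 3 concrete, here is the key-management pattern behind "you cannot decrypt it yourself", written as an added example for this newsletter in Go. It is generic ECDH envelope encryption (the same construction as ECIES), not CTB-Locker's code, and it touches no files and no network. The curve (X25519), the AES-GCM data cipher and the SHA-256 key derivation are assumptions chosen for the demonstration; the article does not give the malware's exact parameters. The operator's static key pair is generated once, off the victim's machine; the encrypting side only ever holds the operator's public key plus a throwaway ephemeral key pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is all that lands next to an encrypted file: the ephemeral public
// key, the AES-GCM nonce and the ciphertext. No private key is ever stored.
type Envelope struct {
	EphemeralPub, Nonce, Ciphertext []byte
}

// aeadFor derives a 256-bit AES key from the raw X25519 shared secret (plain
// SHA-256 stands in for a proper KDF such as HKDF) and returns AES-GCM over it.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to operatorPub: a throwaway key pair is generated,
// ECDH against the operator's public key yields the shared secret, and that
// secret (never the operator's private key) is what encrypts the data.
func Seal(operatorPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// eph's private half dies with this stack frame; only its public half is
	// kept, and a public key alone cannot recompute the shared secret.
	return &Envelope{
		EphemeralPub: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		Ciphertext:   aead.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open is the operator-side step: static private key plus the envelope's
// ephemeral public key reproduce the shared secret and thus the AES key.
func Open(operatorPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo plays both sides, then models a victim who holds only the on-disk
// envelope: lacking the operator's private key, the best they can do is ECDH
// with some other key, which yields a different AES key and a GCM auth failure.
func Demo() (recovered []byte, victimErr error, err error) {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader) // generated and kept off-box
	if err != nil {
		return nil, nil, err
	}
	env, err := Seal(operator.PublicKey(), []byte("quarterly-figures.xlsx contents")) // constructed sample
	if err != nil {
		return nil, nil, err
	}
	if recovered, err = Open(operator, env); err != nil {
		return nil, nil, err
	}
	guess, err := ecdh.X25519().GenerateKey(rand.Reader) // all a victim can do
	if err != nil {
		return nil, nil, err
	}
	_, victimErr = Open(guess, env)
	return recovered, victimErr, nil
}

func main() {
	recovered, victimErr, _ := Demo()
	fmt.Printf("operator recovered %q; victim-side attempt: %v\n", recovered, victimErr)
}
```

Run it and the operator side recovers the plaintext while the victim-side attempt fails GCM authentication. For an incident responder the practical consequence is what the envelope contains: an ephemeral public key, a nonce and ciphertext, none of which is the secret you need. Recovery comes from backups, not from anything left on the disk.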

This new generation most likely originates from an Eastern European country such as Ukraine or Romania, but not Russia. The developers of the early versions of CTB-Locker had English-speaking users in view as their primary targets, and English was the only language supported in the GUI.

In more recent versions, however, Russian has been added to the Trojan's GUI alongside English. The fact that the first infections are mainly in Russia points to an origin outside Russia: Russian cybercrime groups as a rule do not attack victims inside Russia, because doing so gets them arrested and shut down by the Russian security services.

Once a PC is infected with CTB-Locker, the ransomware shows the victim a lock screen with detailed instructions on how to pay the Bitcoin ransom.

Because other cybercriminals are going to buy and use this code, it is certain that the U.S. will be heavily targeted. Symantec's recent Internet Security Threat Report notes on page 6:
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf

   - Ransomware attacks grew by 500 percent in 2013 and turned vicious
   - Scammers continued to leverage profitable ransomware scams where the
     attacker pretends to be local law enforcement demanding a fake fine of
     between $100 and $500.
   - First appearing in 2012, these threats escalated in 2013, and grew by
     500 percent over the course of the year.

More than ever, you need to step your users through effective security awareness training before their files (or everyone else's on the file server) are taken hostage. And, very obviously, you need excellent backup/restore software, and you need to test restores frequently. KnowBe4 guarantees that once all your users are trained and receive a simulated phishing attack once a month, we will pay your crypto-ransom if you get hit by any strain of ransomware.

Get a quote now:
http://info.knowbe4.com/ransomware-cryptolocker-guarantee-14-08-05

I'll Be At Black Hat This Week

Next issue you will get the highlights of the Black Hat conference in Vegas, with a focus on social engineering and security awareness training. I'm going to Hacker Summer Camp, woo hoo. :-) To be kept up to date close to real time, follow me on Twitter: @stuallard. By the way, you should really subscribe to our blog, where I report on these same topics on a very regular basis:
http://blog.knowbe4.com/

Scam Of The Week: The Diet Pill

One scam that's been making the rounds recently on Pinterest and Tumblr (and on Twitter, if the profile is linked to Pinterest) pushes magic-bullet-style diet pills. Part of what made this particular campaign so effective was its hijacking of high-profile social media accounts to spread itself.

While scammers often use fake profiles they've generated themselves, says Narang, those usually end up getting shut down by the social network, at which point the scammers turn to compromising legitimate profiles.

"These people were well known users with thousands of followers, and they got compromised and they were posting messages about, 'I can't believe I lost weight with these pills' and a link," says Narang. "One of the profiles they did compromise was a well-known fitness trainer. Considering she's in fitness and talking about weight loss, that probably got people to click through and buy the pills."

From CSO Online, "10 new social media scams to watch out for":
http://www.csoonline.com/article/2457669/data-protection/10-new-social-media-scams-to-watch-out-for.html?source=CSONLE_nlt_salted_hash_2014-07-28#tk.rss_socialengineering

And while we are on the scam topic, the federal court system warns of yet another scam targeting potential jurors. This time around, the Administrative Office of the U.S. Courts says citizens are getting e-mails claiming they have been selected for jury service and demanding that they return a form with information such as Social Security and driver's license numbers, date of birth, cell phone number, and mother's maiden name. According to the court office, the e-mail scam has been reported in at least 14 federal court districts.

Quotes of the Week

"Our lives begin to end the day we become silent about things that matter." - Martin Luther King, Jr.

"No legacy is so rich as honesty." - William Shakespeare

"First they ignore you, then they threaten to sue you, then they deny the vulnerability, then you p0wn them" - with apologies to Mahatma Gandhi

Thanks for reading CyberheistNews! Please forward to your friends.

Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

NEW TRAINING MODULE: Financial Institution Physical Security

Banks and Credit Unions are KnowBe4's main customers. We have received many requests for a training module regarding physical security for these types of facilities, and we are excited to announce that it's now available!

Let’s start by defining what Physical Security is.

It is the protection of your employees, your customers and their funds, the premises, any security devices, computers, and networks, from physical circumstances and events that could cause serious losses or damage. This includes protection from robbery, kidnap/extortion, bomb threat, fire, natural disasters, burglary, and nuclear emergencies.

Being security aware means that employees understand there is the potential for harm to personnel, customers, and your premises and that they stay alert for any unusual situation and act appropriately in case of an emergency. Find out more about this module here: http://info.knowbe4.com/fips_quote-14-08-05

Is Antivirus As Vulnerable As Any Other Product?

Joxean Koret, a security researcher at Singapore-based Coseinc, used a fuzzer he built himself to find numerous vulnerabilities, many of them remotely exploitable, in multiple antivirus products.

He published a slide deck demonstrating that AV can be hacked just like any other third-party application. The fact that AV engines run with the highest privileges only makes the danger worse: most antivirus products are installed with top privileges on the box, often with their own kernel drivers, so a bug in the engine hands an attacker those same privileges on the victim system.

At the SyScan360 security conference in Beijing, Koret gave a relatively simple example, explaining that "most antivirus engines update via HTTP only protocols" (i.e. not HTTPS). With a man-in-the-middle (MitM) position on that plain-HTTP channel, "one can install new files and/or replace existing installation files," which "often translates in completely owning the machine with the AV engine installed as updates are not commonly signed". The fix is not exotic: sign the update manifest, and have the client verify that signature and every file hash against a pinned key before anything is written to disk; HTTPS then becomes an extra layer rather than the only one.
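
What Koret describes, unsigned files fetched over plain HTTP, can be fixed without touching the transport. The Go program below is an added example for this newsletter, not code from Koret's slides or from any AV vendor: the publisher signs a manifest of file hashes offline with an Ed25519 release key, and the client, which has that public key pinned, verifies the signature and every hash before installing. The manifest format, file names and payloads are constructed for the demonstration. It then replays two MitM attempts against the same verifier: swapping one file body, and swapping the file together with a rebuilt, re-signed manifest.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest lists every update file with its SHA-256, one "name hash" per
// line, sorted so the bytes are deterministic and signable. Format is made up.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return b.Bytes()
}

// SignManifest is the publisher-side step, done offline with the release key.
func SignManifest(releasePriv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(releasePriv, manifest)
}

// VerifyUpdate is the client-side check after a fetch over an untrusted channel:
// signature against the pinned key first, then every file. Anything odd fails closed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	listed := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := files[f[0]]
		if !ok {
			return fmt.Errorf("%s listed in manifest but not delivered", f[0])
		}
		got := sha256.Sum256(data)
		if hex.EncodeToString(got[:]) != f[1] {
			return fmt.Errorf("%s: hash mismatch, altered in transit", f[0])
		}
		listed[f[0]] = true
	}
	if len(listed) != len(files) {
		return errors.New("delivered files not covered by the signed manifest")
	}
	return nil
}

// Scenario replays three fetches: the genuine update, one where a MitM swapped
// a file body, and one where the MitM also rebuilt and re-signed the manifest
// with a key of their own. Payloads are constructed samples.
func Scenario() (genuine, swappedFile, forgedManifest error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	files := map[string][]byte{
		"engine.dll": []byte("scanner engine build 2014.07"),
		"sigs.dat":   []byte("signature database 20140801"),
	}
	manifest := BuildManifest(files)
	sig := SignManifest(releasePriv, manifest)
	genuine = VerifyUpdate(releasePub, manifest, sig, files)

	tampered := map[string][]byte{
		"engine.dll": []byte("attacker-supplied engine.dll"),
		"sigs.dat":   files["sigs.dat"],
	}
	swappedFile = VerifyUpdate(releasePub, manifest, sig, tampered)

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return genuine, swappedFile, err
	}
	forged := BuildManifest(tampered)
	forgedManifest = VerifyUpdate(releasePub, forged, SignManifest(attackerPriv, forged), tampered)
	return genuine, swappedFile, forgedManifest
}

func main() {
	g, s, f := Scenario()
	fmt.Printf("genuine: %v\nswapped file: %v\nforged manifest: %v\n", g, s, f)
}
```

Both tampered fetches fail closed and the genuine one passes. Note what this does not give you: an attacker on the channel can still replay an old, correctly signed manifest, so a real updater also checks a monotonically increasing version or timestamp carried inside the signed data, and HTTPS remains worth having for confidentiality and as a second layer.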

Attack Surface

Here are two of his intro slides put into text. He's unfortunately right.

"Fact: installing an application in your computer makes you a bit more vulnerable. You just increased your attack surface. If the application is local: your local attack surface increased. If the application is remote: your remote attack surface increased. If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... Your attack surface dramatically increased."

Myths and Reality

According to Joxean, antivirus propaganda states: "We make your computer safer with no performance penalty!" and "We protect against unknown zero day attacks!" Joxean states the reality as: "AV engines make your computer more vulnerable with a varying degree of performance penalty" and "The AV engine is as vulnerable to zero day attacks as the applications it tries to protect."

Joxean provides a list of some of the vulnerabilities he found: heap overflows, remote vulnerabilities, integer overflows, local privilege escalation, and command injection. Ouch.

The list of products with one or more of these glitches includes Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda, and eScan.

His conclusions are a bit shocking; you would have expected better from the AV crowd. Developers need to get their act together and increase the security of their products. Remember Microsoft's Trustworthy Computing push and its Security Development Lifecycle (SDL) from about 10 years ago? That's a good example to follow.

Throw Away Antivirus Completely?

No, AV is still part of your defense-in-depth. Koret has some points, but plenty of other applications expose local privilege escalation too. Yes, it's a danger, but other apps carry similar risks; even a whitelisting product can have the same problem. Secure coding is a must these days!

The Best Bang For Your Security Budget.

Today, an essential part of your defense-in-depth has to be stepping your users through effective security awareness training. This prevents spear phishing and ransomware attacks from getting through. For a very low cost per user per year you get unlimited training and year-round automated simulated phishing attacks you can send to all users. That is a guaranteed way to get a massive drop in malware infections, and it's fun to do. You get reports of repeat offenders you can show to management. Find out how affordable this is for your own organization. (Hat tip to Ionut Ilascu at Softpedia.)

GET A QUOTE NOW: http://info.knowbe4.com/ransomware-cryptolocker-guarantee-0

Koler Ransom Trojan Attacked 200,000 Android Users In Weeks

I found something interesting at the CSO site:

"The crude Koler.a 'police ransom' Trojan that started attacking Android smartphone users in April has finally been knocked out of action by researchers but only after revealing the disturbing if brief scale of its global success.

"According to Kaspersky Lab, which recently gained access to the malware's command and control stats, Koler did most of its damage weeks before noted security blogger Kafeine reported its discovery in early May.

"These numbers showed that around 196,000 Android users searching for porn on their mobile devices encountered the landing page used to install the malicious Trojan .apk file, about 150,000 of whom were US-based IP addresses. Of the rest, nearly 14,000 were from the UK, 6,000 in Australia, and almost that number in Canada."

The point of the article is that nearly 200K people were confronted with the Koler ransomware on Android before it was even discovered. More:
http://www.csoonline.com/article/2458911/data-protection/defunct-koler-ransom-trojan-attacked-200-000-android-users-in-matter-of-weeks.html

Cyber Warfare Lexicon:

Every profession has its own language. And when there's a language, there must be a dictionary. So with the U.S. military aggressively embracing cyberwarfare, why shouldn't the Pentagon also create its own cyberwarfare dictionary? The website Public Intelligence, which likes to unveil hidden documents, has posted U.S. Strategic Command's Cyber Warfare Lexicon.

Cyberwarfare is the word used for the most aggressive form of attack by a foe or rival over the Internet. It largely applies to actions by states and involves denying Internet services to communities or countries or, at worst, destroying critical infrastructure or industrial facilities. This is how cyber warfare "talks"; you can click on words and look them up:
http://publicintelligence.net/cyber-warfare-lexicon/

Cryptolocker Ransomware Variant Hits Synology Users: Synolocker

When your products get targeted with custom-made ransomware, you know you've got it made. We're talking about NAS (network-attached storage) devices built by Synology in Taiwan. The malware started wreaking havoc over the weekend, judging by a couple of posts on different online help forums.

"My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked," a user shared on Synology's forum. "It will cost 0.6 BitCoins. It encrypts file by file. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files were copied I turned off my disk."

The ransom message identifies the attack as the result of a "SynoLocker" infection, explains how the files are encrypted (and threatens that "without the decryption key, all encrypted files will be lost forever"), and urges affected users to visit an .onion domain for further instructions on how to get the key.

Synology is working on fixing the problem, but it's still unknown how the malware manages to compromise the devices. One guess is the exploitation of a vulnerability, as was the case with the recent instances of Synology DiskStations infected with Bitcoin miners. More at net-security.org: http://www.net-security.org/malware_news.php?id=2827

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

When engineers have nothing to do ... they create beautiful and awesome machines that are fascinating to watch:
http://www.flixxy.com/when-engineers-have-nothing-to-do.htm?utm_source=4

Amazing cosplayers at San Diego Comic Con - the mecca for anything comic book or Science Fiction related:
http://www.flixxy.com/san-diego-comic-con-2014-cosplay.htm?utm_source=4

Thought Pole Dancing was new? Nope, been a sport in India for a thousand years, and some of these guys are pretty awesome:
http://www.flixxy.com/amazing-indian-pole-gymnastics.htm?utm_source=4

Amazing barefoot skiing behind an airplane at the World Barefoot Center in Winter Haven, Florida. Filmed in 4K resolution, turn it full screen:
http://www.flixxy.com/barefoot-skiing-behind-airplane-in-4k.htm?utm_source=4

Phantom v1610 Capturing Stuff Blowing up at 60,000 FPS Slomo with Sig Sauer Firearms. Only try this at the firing range...
http://vimeo.com/96726779

This bobcat Ninja excavator operator places a bottle on top of another and then a golf ball on top of it all!
http://www.flixxy.com/master-of-his-craft-beer-bottle-excavator-trick.htm?utm_source=4

BMW takes five M235i Coupes drifting in Cape Town, South Africa (DriftMob), also a short bonus "The Making Of" on the same page:
http://www.slashgear.com/bmw-takes-m235i-coupe-drifting-in-five-car-city-stunt-30339263/

The ATM Video: "automated thanking machine". Hot dang, THIS is how you create a viral video. People are sharing this like crazy:
http://www.theblaze.com/stories/2014/07/30/about-halfway-through-this-video-it-becomes-obvious-why-banks-new-video-has-received-almost-3-million-views-in-just-days/

1200 HP Bugatti Veyron Super Sport Pur Blanc hits 246.4 MPH!! - YouTube:
https://m.youtube.com/watch?v=ytXI5Clz100

19-year-old singer Luciana Zogbi with a powerful performance of 'All of Me' by John Legend. What an amazing voice, and easy on the eyes too:
http://www.flixxy.com/john-legend-all-of-me-luciana-zogbi.htm?utm_source=4

Here is a nice example of art and technology intersecting into a great performance! At the start of each tune, Bryson Andres plays and records a variety of sounds, then uses the pedal to repeat/layer on top. Crafty!
http://www.flixxy.com/street-violinist-bryson-andres.htm?utm_source=4

 