Category Archives: Malware

Cyber Ransom vs. Ransomware

By now, we have all heard about ransomware as it has taken over the cybersecurity scene over the last couple of years. However, we want to make sure that everyone is clear about the difference between cyber ransom and ransomware, as there is a very clear distinction. Cyber ransom and ransomware attacks have been the most popular forms of cyberattacks as of late.

Cyber Ransom

The most common form of cyber ransom is through a distributed denial of service (DDoS) attack. In a DDoS attack, hackers flood a business’ site with data requests, overwhelming the site’s legitimate functions. The flooding eventually forces that website to shut down. As far as the ransom is concerned, cybercriminals will threaten to launch an attack on an organization’s site unless the organization pays a ransom fee of a certain Bitcoin amount.

Another form of cyber ransom is corporate extortion, which is becoming more and more popular. This type of attack can be carried out in several ways. One approach, which Domino’s in Europe was hit with, is where a cybercriminal sends out a ransom letter threatening businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, or fraudulent delivery orders.

Another variation of corporate extortion is where cybercriminals perform a data breach, where they gain access to a company’s network and gather sensitive data. The data collected is usually information on their clients such as credit cards, social security numbers, email addresses, and login credentials. While this seems like data breaches that we have heard about recently (Yahoo, Adult Friend Finder, and several social media sites), cybercriminals who are involved in corporate extortion are in it for the money. Once cybercriminals have performed the data breach, they will threaten to publicly release the information unless the company pays a set ransom fee.

Ransomware

Ransomware is the most common form of cyberattack seen today. In a ransomware attack, the cybercriminal will infect a machine with malware that encrypts all or some files on a user’s computer. Once the encryption process has completed, a ransom note will appear on the victim’s screen demanding payment in order to receive the decryption key. Payment for the decryption key is usually made in Bitcoins, which are extremely hard to trace back to the hacker. Ransomware is most commonly distributed through phishing campaigns where cybercriminals will send emails embedded with malware. Once the user on the receiving end clicks on a link or opens up an attached file, the malware will begin to download, and the encryption process will begin.

Cyber Ransom and Ransomware Connected

  • Cyber Ransom – Cybercriminals threaten to launch a DDoS attack on an organization’s site unless the organization pays a ransom fee.
  • Ransomware – Cybercriminals infect machines with malware that encrypts all or some files, then demand a ransom fee to receive the decryption key.

When put in these terms, cyber ransom and ransomware seem like they wouldn’t be connected at all. However, cybercriminals are becoming more and more sophisticated with their attacks every single day. So, here’s the kicker. Cybercriminals are starting to use the threat of DDoS as ‘smokescreens’ for more wicked attacks, such as ransomware. The hackers will use DDoS attacks to distract the IT department, so they are able to slip under the radar without being detected. While the DDoS attack or the threat of one will only distract IT individuals for a short time, that’s all the time hackers need. While the IT staff scramble to handle the momentary network outages, hackers can use automated scanning or penetration techniques to map a network and install ransomware.
To stop these types of attacks, look at some of the new technologies that continuously monitor your network traffic.

Ransomware Infection Causes Loss of 8 Years Of Police Department Evidence

Oh, when will you learn to back up your data? Check your backups before you have an issue!

The Cockrell Hill, Texas, Police Department announced in a press release that it lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video and sections of in-car video, in-house surveillance video, photographs, and all of their Microsoft Office documents. OUCH.

Eight years’ worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup Procedure Kicked In After Locky Infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH.
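The failure mode described above, a backup job that faithfully copies already-encrypted files over the last good set, can be caught before the job runs. The following Python script is an added example written for this page, not code from the department or from any backup product; it assumes a pre-backup hook can run it against the source tree, scans for two cheap indicators (an extra suffix appended to a known document extension, and near-8-bits-per-byte entropy in files that should be plain text) and refuses the backup when anything is flagged. The sample files it creates are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from typing import List, Optional, Tuple

# Extensions whose contents are normally low-entropy text. Office (docx/xlsx),
# PDF and image files are compressed by design and sit near 8 bits/byte even
# when healthy, so the entropy test is deliberately NOT applied to them.
PLAINTEXT_EXTS = {"txt", "csv", "log", "xml", "html", "json", "ini"}
DOCUMENT_EXTS = PLAINTEXT_EXTS | {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "mp4", "avi"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_appended_extension(name: str) -> bool:
    """True for names like 'report.docx.8a1f2b3c': a known document extension
    followed by an extra suffix that is not itself a known extension."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in DOCUMENT_EXTS and parts[-1] not in DOCUMENT_EXTS


def inspect_file(path: str, sample_size: int = 4096, threshold: float = 7.5) -> Optional[str]:
    """Return a reason string if the file looks ransomware-encrypted, else None."""
    name = os.path.basename(path)
    if has_appended_extension(name):
        return "appended extension"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in PLAINTEXT_EXTS:
        with open(path, "rb") as fh:
            ent = shannon_entropy(fh.read(sample_size))
        if ent >= threshold:
            return f"high entropy ({ent:.2f} bits/byte) for .{ext}"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk the source tree and collect (relative path, reason) for suspect files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            p = os.path.join(dirpath, f)
            reason = inspect_file(p)
            if reason:
                findings.append((os.path.relpath(p, root), reason))
    return findings


def backup_is_safe(root: str, max_findings: int = 0) -> bool:
    """Gate for a backup job: refuse to overwrite the previous good copy when
    the source tree shows more encrypted-looking files than allowed."""
    return len(scan_tree(root)) <= max_findings


def build_demo_tree() -> str:
    """Constructed fixture: one healthy log, one encrypted-looking log, one
    document with an appended extension. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    healthy = b"2016-12-12 09:14 body camera clip archived, case 1234\n" * 60
    # Every byte value appears equally often, so entropy is exactly 8.0 bits/byte.
    encrypted_like = bytes((i * 7919 + 13) % 256 for i in range(2560))
    with open(os.path.join(root, "evidence.log"), "wb") as fh:
        fh.write(healthy)
    with open(os.path.join(root, "surveillance.log"), "wb") as fh:
        fh.write(encrypted_like)
    with open(os.path.join(root, "report.docx.8a1f2b3c"), "wb") as fh:
        fh.write(encrypted_like)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, reason in scan_tree(demo):
        print(f"{path}: {reason}")
    print("safe to back up:", backup_is_safe(demo))
```

The entropy test is limited to plain-text extensions on purpose: Office, PDF and media files are compressed by design and would read as "encrypted" even when healthy. Run the scan from the backup scheduler before the copy step, leave the previous backup set untouched when `backup_is_safe` returns False, and send the findings to an alert, since a sudden cluster of such files is itself an early ransomware signal.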

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a cloned (spoofed) email address imitating a department-issued email address. Security awareness training would likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand.

New Phishing Campaign Targeting Gmail Users

A new phishing campaign has been discovered this week that targets even the most tech-savvy Gmail users. By posing as someone you may know, cybercriminals are gathering personally identifiable information that could be leveraged against the individual or against your company. Learn how the newest phishing campaign works and how you can keep yourself and your company safe from becoming the next victim.

What is Phishing?

Phishing is nothing new to the cybersecurity world. However, it is often confused with general spam email, which is how many forms of ransomware are distributed. Take the newest form of ransomware, Spora, as an example. Spora is distributed through spam emails disguised as invoices for charges that victims didn’t make. These emails come from an individual or organization that is unknown to the potential victim.

What’s different about phishing is that the emails come from a known contact whose account has been compromised. Or, the emails come from someone you think you know, but the email address has been changed by a letter or two. For example, JohnSmith@gmail.com compared to JohnSmith@gmails.com. Notice the ‘s’ at the end of Gmail in the second example.

Phishing campaigns can certainly be used to distribute ransomware. However, it would take the cybercriminal much more time to distribute the emails as they are more sophisticated attacks. The targets of phishing campaigns using ransomware would be high-profile targets where a large ransom can be demanded.

Most phishing emails contain an attachment or link set up to trick the user into divulging personally identifiable information such as financial information, login credentials, or credit card details.

Gmail Phishing Campaign

As mentioned before, the new Gmail phishing attack can trick even the most tech-savvy users. The attack works like this:

  • Hackers breach someone’s Gmail account and look through emails for correspondence containing attachments.
  • They then send emails from the compromised account, with each email leveraging similarities to prior communications, so as to make the new messages seem legitimate and familiar. Hackers will even use subject lines that were used in the past.
  • Here’s where the hack takes place. The email is embedded with an image of an attachment that has been used in the past. Rather than opening the attachment, clicking on the image leads the user to a phishing page that looks like a Google login. Because the user believes they are opening a Gmail attachment, the appearance of a phony Gmail login page does not raise any alarms.
  • Once the new victim enters their credentials into the phony Google login page, the hackers now have access to the victim’s account.

It’s believed that this phishing campaign has been going on for about a year with increasing intensity. How are these hackers using this campaign against their victims? Take a moment to think about all the ways your email account is used for everyday purposes. The first thing that comes to my mind is my banking sites. We have all forgotten a username or password before, right? How do you recover or reset your credentials? Enter your email address, and they will send you a temporary password or a code to reset your credentials. All a hacker has to do is search through your emails, find what banks you use, and go to those sites to request a reset to these credentials. In as little as five minutes, these cybercriminals have access to all of your personally identifiable information.

How can you stay safe?

Below are some tips, or rather necessities, that you need to build into your everyday life to stay safe from phishing campaigns.

  • First, for the Gmail campaign, using two-factor authentication (2FA) can protect your Gmail account from being compromised. While it may be a pain to log in to your account this way every time, it could save you from becoming a victim. 2FA basically means that you will need your password as well as a temporary code sent via text message to log in to your Gmail account. If hackers have your password but not the temporary code, they won’t be able to log in to your account.
  • Always think twice before entering login credentials. For the Gmail campaign, why would you have to enter your login credentials again if you were already on the site? Second, do not log into sites via login pages generated by clicking links. Always go directly to the site through entering the URL into the Web browser.
  • Never enter passwords or other sensitive information into any website whose address begins with data:text. Furthermore, do not rely on warnings from web browsers: the red warning used on insecure websites, the certificate warnings used for invalid certificates, and the ‘unsafe site’ messages often do not appear for data:text URLs.
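Two of the checks above (a sender whose domain differs from a known contact’s by a letter or two, and a link that hides a data:text URL) are mechanical enough to automate at the mail gateway or in a help-desk triage tool. The Python below is an added example written for this page rather than code from the original post; it assumes a constructed allowlist of domains the recipient legitimately deals with (TRUSTED_DOMAINS), parses the HTML body with the standard library, and reports lookalike sender domains, lookalike link hosts and data: links. The sample message is constructed.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allowlist of domains the recipient legitimately deals with.
TRUSTED_DOMAINS = ("gmail.com", "google.com", "accounts.google.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (within 2 edits), or
    None when it is an exact match or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            # An image inside a link (the 'attachment preview' trick) has no
            # text of its own; record its alt so the report can name it.
            self._text.append("[image: %s]" % (dict(attrs).get("alt") or ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(t.strip() for t in self._text if t.strip())
            self.links.append((self._href, text))
            self._href = None


def check_sender(from_header: str) -> List[str]:
    """Flag a From: address whose domain is a near-miss of a trusted domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    target = lookalike_domain(domain)
    return [f"sender domain '{domain}' looks like '{target}'"] if target else []


def check_links(html: str) -> List[str]:
    """Flag data: links and links whose host is a near-miss of a trusted domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme.lower() == "data":
            findings.append(f"data: URL behind link '{text}' (browsers show no site or certificate warnings for it)")
            continue
        host = url.hostname or ""
        target = lookalike_domain(host)
        if target:
            findings.append(f"link '{text}' points at '{host}', which looks like '{target}'")
    return findings


def analyze_message(from_header: str, html: str) -> List[str]:
    return check_sender(from_header) + check_links(html)


# Constructed sample message modelled on the campaign described above.
SAMPLE_FROM = "John Smith <JohnSmith@gmails.com>"
SAMPLE_HTML = """
<p>Hi, here is the report from last quarter again.</p>
<a href="data:text/html,placeholder-login-page">
  <img src="cid:preview001" alt="Q3-report.pdf">
</a>
<p>Or sign in at <a href="https://accounts.google.com/">your Google account</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_FROM, SAMPLE_HTML):
        print("-", finding)
```

A distance threshold of two edits catches gmails.com and similar swaps but also flags short legitimate names that happen to sit near a trusted one, so in practice the allowlist should contain those too and the output should be treated as a triage hint, not a verdict.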

Be Prepared

Phishing campaigns can be used for ransomware attacks and for gathering personally identifiable information on victims. However, they can also be the ‘in’ for hackers to gain access to a company’s servers and databases. Did you know? The average cost of a data breach in 2016 was $4 million, up from $3.8 million in 2015. How would a $4 million data breach affect your company? Would you be able to survive? Employees are, and probably always will be, the weakest link in the cybersecurity chain. Make sure your employees are educated not only on the persistent threat of cyberattacks and how to stay safe, but also on the effect a cyberattack could have on your company. This could well be one of the biggest factors in your company’s continued success.

GoldenEye Ransomware – A New Variant of Petya Ransomware

The creators of Petya ransomware, going by the name of Janus, have come out with a new variant tabbed as GoldenEye ransomware. Continuing with the James Bond theme, the GoldenEye ransomware is almost identical to past versions of Petya and Mischa variants.

Petya Ransomware History

The Petya ransomware emerged on the cybersecurity scene back in March 2016. Typically, when a user becomes infected with ransomware, the malware targets and encrypts files on the victim’s hard drives. By doing this, the malware leaves the operating system working properly. However, Petya takes it to the next level. Instead of encrypting files on the hard drive, the ransomware encrypts portions of the hard drive itself, making the user unable to access anything on the drive, including Windows.

The ransomware is distributed via emails that target human resource departments. The emails contain a Dropbox link to a supposed application that downloads a file which, when executed, installs the Petya ransomware on the system.

In May, two months after the release of Petya, the ransomware bundled a second file-encrypting program for cases where it cannot replace a computer’s master boot record to encrypt its file table. Before encrypting the computer’s master file table (MFT), the ransomware replaces the computer’s master boot record (MBR), which contains code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves the computer unable to boot.

However, in order to overwrite the MBR of the computer it infects, the malware needs to obtain administrator privileges. In previous versions of Petya, if it failed to obtain administrator privileges, the infection routine stopped. The latest variant, dubbed Mischa, installs another ransomware program that begins to encrypt users’ files directly, which doesn’t require administrator privileges.

In summary, Petya starts off by distributing the ransomware through an email posing as a job application. Once executed, the fake file attempts to download Petya, and if that fails, it installs Mischa. This dynamic duo ensures that the cybercriminals will encrypt your hard drive, leaving you unable to use your system until you have paid the ransom.

GoldenEye Ransomware

Like the earlier version of Petya, the GoldenEye ransomware is distributed via emails. The emails pose as job applications, carry two attachments that are supposedly résumés, and have a subject line starting with the word Bewerbung (German for ‘application’). As you can see in the email below, GoldenEye is targeting German users.

One of the attachments is a fake résumé that is used to convince members of the human resource department that the email is legitimate. The second attachment is an Excel spreadsheet containing a malicious macro, which is the installer for the GoldenEye ransomware. In the spam emails that have been circulating over the past couple of days, the following Excel file names have been observed spreading GoldenEye.

  • Wiebold-Brewerbung.xls
  • Meinel-Brewerbung.xls
  • Seidel-Brewerbung.xls
  • Wust-Brewerbung.xls
  • Born-Brewerbung.xls
  • Schlosser-Brewerbung.xls

When a user clicks on the ‘Enable Content’ button, the macro will launch and save the embedded file into an executable file in the temp folder. Once the file has finished being created, the malware will automatically launch, beginning the encryption process on the computer.

Here is where GoldenEye differs from the earlier combination of the Petya/Mischa version. Instead of running Petya first and trying to gain administrative privileges to overwrite the MBR and then running Mischa to encrypt files, GoldenEye does the opposite.

Starting just like any other ransomware, GoldenEye encrypts the user’s files and appends a random 8-character extension. This is the Mischa part of the ransomware. Shortly after displaying the ransom note, GoldenEye enters the Petya part of the encryption process. The ransomware forcibly reboots the user’s computer and enters the stage where it starts encrypting the hard drive’s MFT, which makes it impossible to access any files on the drive. This process is masked by a fake ‘check disk (chkdsk)’ screen as seen below.

Once this process ends, you will see a new ransom screen using yellow-colored text, hence the name ‘GoldenEye.’ The GoldenEye ransom note is shown below.

The GoldenEye ransomware has seen incredible numbers compared to the Locky ransomware, which has been one of the most successful ransomware families to date. Last Wednesday (December 7, 2016) GoldenEye infected 160 users in Germany alone, while Locky’s best day over the last month infected 375 users across 30 countries. The ransom for the encryption key is currently set at 1.33 bitcoins, which equates to roughly $1,000.

Why Clickjacking Is More Intrusive Than You Think

Another great post from a guest writer, Vlad De Ramos

Regardless of the size of your business or data, clickjacking should be your concern. There’s no such thing as a minor issue when it comes to your security on the web.

The discovery of clickjacking dates back to 2008, when computer security experts Robert Hansen and Jeremiah Grossman first divulged it at the OWASP NYC AppSec Conference. At the time, the duo described it as another form of zero-day attack, referring to a software vulnerability that’s unknown to its vendor, and which hackers are quick to exploit.

Browser or network services are prone to clickjacking attacks, which target legitimate content on websites by layering it with malicious links or buttons without the knowledge of the website administrator and end users. Clicking on those links redirects users to phony websites, exposing the victims to the attacker’s malicious code.

How Serious a Threat is Clickjacking?

In 2010, the social media enterprise Facebook unknowingly became a platform where a number of clickjacking attacks were launched. The series of scams was made possible by enticing users to Like and Share posts that either tricked people into giving out their cell phone number for a survey or loaded a fan page onto their profile. Unknown to the unsuspecting victims, they were being charged on their phone bills and sharing con sites on their Facebook page.

Given the creativity of criminal hackers, here are some of the ways clickjacking can be used against businesses.

1. Data can be illegally obtained or manipulated.

Research from CyberKeel, a Danish maritime security specialist firm, revealed in 2015 that 18 out of 20 cargo vessels are prone to clickjacking.

Through clickjacking, a shipper logs into or registers on a fake website mirroring the legitimate carrier’s site. As the shipper provides personal information, the attacker is waiting to intercept that information and make fraudulent transactions on behalf of the shipper.

The possibilities for misusing the shipper’s information are endless. Hackers may use it to access shipment information, transport banned cargo, modify shipping documents, or steal cargo altogether.

2. Sneaky money making schemes.

Criminal hackers can replicate legitimate emails to lure people into clicking a link. Once done, the user will be redirected to a landing page which contains a button hiding the attacker’s code. If the victim interacts with the malicious code, it will execute a command that will transfer money to the attacker.

This requires social engineering and a susceptible victim, which makes clickjacking a medium risk, but the impact of the scheme is high because the technique can be chained with other attacks such as keylogging and theft.

3. Spamming your entire network.

This vulnerability requires interaction, as victims have to voluntarily interact with the malicious page. If a user falls for the technique, it can expose confidential information or hand over control of the user’s account or computer, which can lead to an unauthorized user spamming the victim’s network of friends or contacts with more malicious links or viruses from the victim’s account.

How Can Clickjacking Be Countered?

Back when clickjacking was first announced to the public, the first recourse was to encourage web users to use text-only browsers. This way, hackers can’t embed their malicious code in graphic elements.

Although web developers bear the main responsibility for designing websites and code that keep vulnerabilities out, users also have a significant role in preventing malicious attacks:

  • Turn off or disable scripts and plugin content, which are the most common and usual clickjacking targets during browsing sessions.
  • Always make sure that your browser is updated to the latest version as it also offers improved security measures.
  • Pay attention to the browser’s warning notifications, saying there might be some element hidden in the content you were trying to access.
  • Keep your antivirus software as up to date and secure as possible.
  • Be extra vigilant when web pages load too slowly, which may indicate suspicious activity within the site.
  • Coordinate with your IT specialists for tools and new developments.
  • Do not click any link in emails from unknown sources. Delete them immediately.
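The developer-side countermeasure the post alludes to is a response header that tells the browser not to render the page inside another site’s frame: X-Frame-Options for older browsers and the CSP frame-ancestors directive for current ones. The Python below is an added example for this page, not code from the guest author; it evaluates a response’s headers the way a browser would (CSP wins when both are present, ALLOW-FROM is ignored as obsolete) and compares a constructed weak header set with a hardened one.

```python
from typing import Dict, List, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, explanation) for a response's anti-framing headers.

    Browsers that support CSP apply frame-ancestors and ignore X-Frame-Options
    when both are present, so CSP is evaluated first."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        # '*' or a bare scheme ('https:') lets every origin on that scheme frame the page.
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return False, "CSP frame-ancestors permits framing from any origin"
        return True, "CSP frame-ancestors limits framing to: " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"X-Frame-Options value {xfo!r} is not valid and is ignored"
    return False, "no X-Frame-Options or CSP frame-ancestors: any site may frame this page"


# Constructed examples of a weak and a hardened response.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",                            # legacy browsers
    "Content-Security-Policy": "frame-ancestors 'none'",  # current browsers
}


def audit(named_responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate several captured responses at once, keyed by a label."""
    return {name: framing_policy(hdrs) for name, hdrs in named_responses.items()}


if __name__ == "__main__":
    results = audit({"weak": WEAK_HEADERS, "hardened": HARDENED_HEADERS})
    for name, (ok, why) in results.items():
        print(f"{name:9} {'PROTECTED' if ok else 'EXPOSED  '} {why}")
```

To audit a live site, fetch each page with any HTTP client and pass its header dictionary to framing_policy; every response that renders interactive UI should come back protected, and 'none' or 'self' is the right value unless a specific partner origin genuinely needs to embed the page.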

Clickjacking should not be overlooked. This vulnerability can be chained with other attacks, and then its impact will be even higher. There is no such thing as a minor issue when it comes to your security on the web. Regardless of the size of your business or data, you must always be prepared and ready to implement a disaster recovery plan.


About the Author: Vlad de Ramos has been in the IT industry for more than 22 years with focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager. Vlad has set his focus on IT security awareness in the Philippines and he is a certified information security professional, a certified ethical hacker and forensics investigator and a certified information systems auditor.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.

Tips on Training Employees on the Dangers of Cyberthreats

Unfortunately, no amount of training for your employees will prevent cyberthreats. If that were the case, those of us in the cybersecurity industry would be without employment. However, training to reduce the risk of cybercriminal activity is essential to a company’s bottom line. Without training and security measures, we may as well leave the front door open at night with a sign stating, “Welcome all criminals.”

The total global impact of cybercriminal activity is expected to cost businesses over $2 trillion by 2019. This is larger than the cocaine, heroin, and marijuana trade combined.

Cybercriminal gangs are increasing by the thousands monthly, and why not? In comparison with other criminal activity (drugs, robbery, guns, etc.), cybercrime is much easier, more profitable, and less likely to land one in prison. While cybercriminal activity may be on the mind of our government here in the States, the argument can be made that it is not treated as nearly as significant as it should be, and it certainly is not of concern to the governments in the Far East. If you think the Russian government is overly concerned with locating small groups of hackers in basements ripping off Americans, you are mistaken.

We can place prevention products like a firewall and anti-virus on our network, as well as protection software like CryptoStopper.io, HackTraps and Carbon Black, but the first line of defense is training our staff.

Here are a few tips for educating employees about cybersecurity that are essential to business:

1. Create an environment open to discussion on cybersecurity.

In several workplaces, for whatever reason, many employees don’t feel comfortable with the IT staff and vice versa. This cannot be an issue. The staff must feel comfortable taking suspicious e-mails to IT, and IT departments must feel comfortable discussing recent threats with the staff. Do not have an environment of, “Sign this policy every year and be on your way.” Issues must be discussed. Never make anyone feel bad for bringing something they think is an issue to IT. Thank them for bringing a false alarm to your attention, or they may not bring a real one next time. Also, provide food. This always makes people happy.

2. Create a regular meeting to discuss various concerns on cybersecurity and make it worth employees’ time.

This may be met with groans at first, but if you make the content relevant, you will be surprised by how many people are genuinely interested in how to keep themselves and their friends and family at home safe from cybercriminals. Keep it simple at first. Discuss how to keep their social media accounts safe, how to improve passwords, and interesting stories of individuals getting hacked (yes, in cybersecurity you actually do run into some pretty crazy stories).

3. Educate the staff to recognize an attack.

Training is essential prior to being attacked. Assume an attack will happen; what is the first thing that needs to be done? Teach employees what a suspicious e-mail looks like. Provide examples. What should be done if a suspicious e-mail is received? This all needs to be covered in orientation for new hires and reviewed more than just once a year.

4. Send internal phishing campaigns.

A well-done phishing campaign can be 45% effective. Again, do not harass anyone who fails. I can promise you will have failures. Use this as a time to teach how to spot a fraudulent e-mail: are there any spelling errors? Does this not appear to be the way this sender speaks? Is this from UPS/FedEx when you are not expecting a package? Is the salutation vague and not personalized? All of these are signs of a phishing campaign. Teach them to spot these signs, to contact the sender (if known) before clicking on anything, or to contact IT to analyze the message.

5. Lastly, and probably most simply, make sure employees are changing passwords frequently.

I bet if you surveyed the office you would find many employees store passwords on a spreadsheet directly on their wall, or even worse in a spreadsheet on their desktop. I once encountered a situation where an employee had a spreadsheet on the shared file on the server. You may laugh, but did anyone let them know this was a giant no-no? Of course not. The key is, don’t assume your head accountant, top salesperson, or even your CEO knows as much as you do.

Zero-Day Warning! Ransomware targets Microsoft Office 365 Users

If you think that relying solely on the built-in security tools of Microsoft Office 365 will protect you from cyberattacks, you are wrong.

Variants of Cerber Ransomware are now targeting MS Office 365 email users with a massive zero-day attack that has the ability to bypass Office 365’s built-in security tools.

According to a report published by cloud security provider Avanan, the massive zero-day Cerber ransomware attack targeted Microsoft Office 365 users with spam or phishing emails carrying malicious file attachments.

The Cerber ransomware is invoked via macros. Yes, it’s hard to believe, but even in 2016 a single MS Office document can compromise your system once the user enables ‘Macros’.

Locky and Dridex malware also made use of malicious macros to hijack systems. Over $22 million was pilfered from UK banks with the Dridex malware, which was triggered via a nasty macro virus.

You can see a screenshot of the malicious document in the latest malware campaign below, targeting Microsoft Office 365 users:

[Screenshot: microsoft-office-exploit]

While the security firm did not specify the exact number of users possibly hit by the ransomware, Microsoft reported in its first-quarter 2016 results that it has almost 18.2 million Office 365 subscribers.

“While difficult to precisely measure how many users got infected,” Avanan estimated that “roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

Although Cerber originally emerged in March, the malware campaign targeting Office 365 users began on June 22. However, Microsoft started blocking the malicious file attachment on June 23.

The Cerber Ransomware not only encrypts user files and displays a ransom note, but also takes over the user’s audio system to read out its ransom note informing them that their files were encrypted.

The ransomware encrypts files with AES-256 encryption, asking victims to pay 1.24 Bitcoin (nearly US$810) for the decryption key.

How to Protect Yourself from Cerber Ransomware

To protect yourself from Cerber or any other ransomware attack:

  • Always keep your system and antivirus up to date.
  • Regularly back up your files to an external hard drive.
  • Disable macros in your MS Office programs.
  • Always be wary of phishing emails and spam, and never click on a suspicious attachment.
  • You can also use an intrusion detection system (IDS) to help you quickly detect malware and other threats in your network.