Category Archives: Malware

How to Ensure Your Social Profiles Will Never Get Hacked

Getting hacked can cause an unlimited number of problems for you and your reputation. The last thing you need is to see your profiles fall into the hands of someone else. The key is not to act when it happens but to act before it happens. This guide is going to show you everything you need to know about preventing your social profiles from getting hacked.

The Password Issue

To begin with, you need to make sure that you are using the right passwords. A weak or reused password is the front door into your social media accounts. Attackers rarely guess by hand: automated tools try the most common passwords first (brute force), and far more often they replay username/password pairs leaked from other sites' breaches (credential stuffing), because so many people reuse one password everywhere.

The defence is length and uniqueness rather than a particular mix of characters: a long passphrase that you use for this one account and keep in a password manager beats a short string of symbols that you reuse. Turn on two-factor authentication wherever the platform offers it; it is the one control that still holds when the password itself has leaked. Change a password when you have reason to believe it is compromised rather than on a fixed schedule, and pick one you can actually keep, or let the manager remember it for you.

When storing your passwords, use a reputable password manager rather than a spreadsheet, a note on the desk or a browser profile that other people can open.

Share account passwords with the smallest number of people possible, strictly on a need-to-know basis, and prefer platform features such as page roles or team accounts, which give each person their own login, over one shared password.

Sign-In Technology

You may not have heard the term "sign-in technology" before. It refers to team password managers and social media management tools that let staff use the company's accounts without ever seeing the password: the employee clicks the account in the tool, and the tool either fills in the stored credentials or uses a delegated access token that the platform issued to it.

Restrict the tool to managed company computers and accounts. This keeps the credentials centralized with one or two administrators who take full responsibility for the company's passwords and who can revoke an employee's access the day they leave, without resetting every shared password.

It doesn't cost a lot to use this technology; several products offer free tiers, and setup takes a few minutes. The caveat is that the tool's own login now guards every connected account, so protect it with two-factor authentication and keep its list of authorized users short.

The Most Common Path – The Email Hack

Despite the fact that spam filters have become more proficient than ever, attackers still use email to capture people's credentials. The message carries a link, usually framed as an alert about a compromised account or a post you must review. Clicking it lands you on a page that closely imitates the genuine login page; whatever you type there goes to the attacker, and the page may also try to install spyware on your computer.

So how do you know whether something is genuine?

There are two ways to do this. First, hover over the link without clicking: most browsers show the real destination in the status bar at the bottom of the window. Look at the domain just before the first single slash. A phishing link usually lives on a domain that merely resembles the real one, for example the brand name used as a subdomain of something else, but lookalikes can be subtle, so the most reliable check is to ignore the link entirely and reach the site the way you normally do, by typing the address or using a bookmark.

Another option is to manage your accounts through a platform like Sprout Social or HootSuite. Your staff log in to the platform, which holds a delegated access token rather than your password, so the password is typed in fewer places and a phishing page has fewer chances to capture it. It is not a shield in any absolute sense: the platform account becomes the high-value target, and any token it holds can be abused if that account is compromised, so protect it with two-factor authentication as well.

Your Computer’s Security Arrangements

You can have the strongest password in the world. None of that matters if your computer or network is compromised: malware that gives an attacker remote control of the machine can ride your existing logged-in sessions and click through any sign-in tool as if it were you, without ever needing the password.

Keep the operating system and browser patched, run reputable anti-malware and keep it updated, and do not give your everyday account administrator rights. Paying for a good product is fine, but updates and least privilege matter more than the price tag. This is not an area where you should compromise.

How will you protect your social media accounts from hackers today?

This article was written by Abdullahi Muhammed from Business2Community and was legally licensed through the NewsCred publisher network.

Ecuador Bank Hacked — $12 Million Stolen in 3rd Attack on SWIFT System

Bangladesh Bank is not the only bank to have fallen victim to a cyber heist. In fact, it appears to be just one part of a widespread campaign against the global banking and financial sector by attackers who target the backbone of the world financial system, SWIFT.

Yes, the global banking messaging system that thousands of banks and companies around the world use to move billions of dollars each day is under attack.

A third case involving SWIFT has emerged, in which cyber criminals stole about $12 million from an Ecuadorian bank in an attack that shows numerous similarities to the later attack on Bangladesh's central bank, which lost $81 million.

The attack on Banco del Austro (BDA) in Ecuador occurred in January 2015 and was revealed by a lawsuit that BDA filed on Jan. 28 against Wells Fargo, the San Francisco-based bank, Reuters reported.

Here’s how the criminals target banks:

  • They use malware to circumvent the bank’s local security controls.
  • They gain access to the bank’s SWIFT messaging interface.
  • They send fraudulent messages via SWIFT to initiate cash transfers from the bank’s accounts at larger correspondent banks.

Over ten days, the attackers used a bank employee’s SWIFT credentials to alter the details of at least 12 transfers amounting to over $12 million, which was routed to accounts in Hong Kong, Dubai, New York and Los Angeles.

In the lawsuit, BDA holds Wells Fargo responsible for not spotting the fraudulent transactions and has demanded Wells Fargo to return the full amount that was stolen from the bank.

The lawsuit, filed by BDA in a New York federal court, argues that some of these attacks could have been prevented if banks had shared more details about the attacks with the SWIFT organization.

Wells Fargo has also fired back and blamed BDA’s information security policies and procedures for the heist and noted that it “properly processed the wire instructions received via authenticated SWIFT messages,” according to court documents.

According to reports, the heist remained secret for a long time and was disclosed only when BDA decided to sue Wells Fargo, which had approved the fraudulent transfers.

SWIFT did not have any idea about the breach, as neither BDA nor Wells Fargo shared any detail about the attack.

“We were not aware,” SWIFT said in a statement. “We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”

It appears that SWIFT's own network was not breached in the attack; the criminals used malware to steal the credentials of the bank's employees and to cover their tracks on the bank's side of the connection.

In February, the $81 million cyber heist at the Bangladesh central bank was carried out by compromising the bank's SWIFT-connected systems with malware that manipulated the local logs, erased the fraudulent transactions from the transaction history and even prevented the printer from printing the confirmations, so the bank did not see the fraud until the money had moved.
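The defence that the Ecuador and Bangladesh cases both point to is independent reconciliation: compare what the correspondent bank says it paid against what your own SWIFT interface says you sent, using a copy of the statement obtained on a system the attacker never touched. The following Python is an added example, not code from the article, from SWIFT or from either bank; the record layout is a simplified stand-in for MT103 (outgoing payment) and MT950 (correspondent statement) data, and every record in it is constructed.

```python
"""Reconcile what the correspondent bank says it paid against what the
bank's own SWIFT interface still shows. Malware that edits or deletes
the local records leaves a gap that only an independent source reveals.

Added example; simplified MT103/MT950 stand-in records, all constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Transfer:
    ref: str           # transaction reference carried in the message
    amount: Decimal
    currency: str
    beneficiary: str   # beneficiary account as the message named it


# Local outbound journal: what the (possibly compromised) SWIFT host shows.
# Constructed so that one record was deleted and one beneficiary rewritten.
LOCAL_JOURNAL = [
    Transfer("BDA0112A", Decimal("450000.00"), "USD", "HK-ACCT-001"),
    Transfer("BDA0113B", Decimal("120000.00"), "USD", "SUPPLIER-NY-9981"),
    Transfer("BDA0114C", Decimal("80000.00"), "USD", "SUPPLIER-LA-22"),
]

# Correspondent statement, fetched on a separate system the malware never touched.
CORRESPONDENT_STATEMENT = [
    Transfer("BDA0112A", Decimal("450000.00"), "USD", "HK-ACCT-001"),
    Transfer("BDA0113B", Decimal("120000.00"), "USD", "DUBAI-ACCT-7733"),
    Transfer("BDA0114C", Decimal("80000.00"), "USD", "SUPPLIER-LA-22"),
    Transfer("BDA0115D", Decimal("995000.00"), "USD", "HK-ACCT-4410"),
]


def reconcile(local: Iterable[Transfer], statement: Iterable[Transfer]) -> Dict[str, List[str]]:
    """Compare the two views by reference and report three kinds of discrepancy:
    - missing_locally: the correspondent paid it, the local journal has no record
    - mismatched: same reference, but amount, currency or beneficiary differ
    - unconfirmed: the local journal claims it, the correspondent never executed it
    Anything in the first two buckets is an incident until proven otherwise."""
    local_by_ref = {t.ref: t for t in local}
    stmt_by_ref = {t.ref: t for t in statement}
    both = set(local_by_ref) & set(stmt_by_ref)
    return {
        "missing_locally": sorted(set(stmt_by_ref) - set(local_by_ref)),
        "mismatched": sorted(r for r in both if local_by_ref[r] != stmt_by_ref[r]),
        "unconfirmed": sorted(set(local_by_ref) - set(stmt_by_ref)),
    }


def total_exposure(statement: Iterable[Transfer], report: Dict[str, List[str]]) -> Decimal:
    """Sum of confirmed outflows that the local records do not account for."""
    flagged = set(report["missing_locally"]) | set(report["mismatched"])
    return sum((t.amount for t in statement if t.ref in flagged), Decimal("0"))


if __name__ == "__main__":
    report = reconcile(LOCAL_JOURNAL, CORRESPONDENT_STATEMENT)
    for bucket, refs in report.items():
        print(f"{bucket:16s} {refs}")
    print("exposure:", total_exposure(CORRESPONDENT_STATEMENT, report))
```

The check is only as good as the independence of its second input. If the statement is retrieved and printed by the same host that runs the messaging interface, malware of the kind described for Bangladesh can edit both sides, which is why the comparison belongs on a separate machine, or with a second party, and should run at least daily.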

Email Scams and Awareness

Email is the fastest means of communication: that is what we learned in school, and it is still true. Today, hardly anyone can get by without an email address; job applications and party invitations alike go through email.

This culture of email has opened up loopholes that online scammers exploit for money or other gain, and they keep adopting new tools and methods to ruin the ordinary netizen's experience of the web. In this article we list some common email scams, how to recognize them and how to stay protected.

1. Phishing Attacks
Phishing attacks send you an email containing a link to a webpage that looks strikingly similar to the authentic one. Whatever private information you enter there, such as login credentials or credit card numbers, is stored by the scammers and used later for their own ends.

To avoid such attacks, recheck the URL of the page you are on before typing anything. If you observe even a slight difference from the real address, close the tab. Think twice before entering personal information on any page. Do not open an attachment until you are sure of the sender's authenticity. Enable two-factor verification on every website that offers it; it limits what a stolen password is worth.
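"Recheck the URL" and "hover over the link" are easier to do mechanically than by eye. The following Python is an added example, not code from the article: it applies the checks the phishing sections of this page describe to a link, against a constructed allow-list of sites you actually use (KNOWN_DOMAINS is an assumption; the registrable-domain logic is a deliberate simplification). Only the standard library is used.

```python
"""Check a link the way the text recommends, but mechanically: does the
domain really belong to the site it claims to be?

Added example. KNOWN_DOMAINS is a constructed allow-list; the sample
links are made up.
"""
import difflib
from typing import List
from urllib.parse import urlparse

KNOWN_DOMAINS = {"facebook.com", "twitter.com", "paypal.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host ("www.facebook.com" -> "facebook.com").
    Simplification: a production check should use the public suffix list
    so that names like "example.co.uk" are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> List[str]:
    """Return the reasons a link looks suspicious; an empty list is a clean result."""
    findings: List[str] = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in URL"]

    # Tricks that hide the real destination from a casual reader.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host; possible homograph of a real name")
    if "@" in parsed.netloc:
        findings.append("'@' in the URL: the browser goes to the host after it, not before")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain name")

    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        # The real site; only complain if it is served without TLS.
        if parsed.scheme != "https":
            findings.append(f"{reg} over plain http")
        return findings

    # Brand name smuggled in as a subdomain: facebook.com.evil.example
    left_labels = host.split(".")[:-2]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in left_labels:
            findings.append(f"'{brand}' appears as a subdomain of {reg}")

    # Near-miss spelling of a site you use: faceb00k.com, paypa1.com
    close = difflib.get_close_matches(reg, KNOWN_DOMAINS, n=1, cutoff=0.8)
    if close:
        findings.append(f"{reg} resembles {close[0]}")
    return findings


if __name__ == "__main__":
    for link in ("https://www.facebook.com/", "http://faceb00k.com/login",
                 "https://facebook.com.security-alerts.info/login"):
        print(link, "->", check_link(link) or "ok")
```

A clean result is not proof of safety (a phishing page can sit on an unrelated domain the script has never heard of), so treat the function as a way to catch the common tricks, and keep the habit of reaching the site from a bookmark rather than from the email.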

2. Nigerian Prince Scam
You may have received an email saying you have inherited millions of dollars from a 'Nigerian prince' who died in a plane crash. Such emails are called "419" emails or Nigerian scams, after the section of the Nigerian criminal code they violate. Poor English is often the first giveaway, yet many newcomers to the internet, senior citizens among them, give in and fall for the trap. Through sweet talk the scammers coax you into depositing a few thousand as "transfer expenses", and you can guess what happens next.

Avoiding such scams is simple: do not respond to such emails at all. If you have already responded out of curiosity, do not send any personal information and do not deposit any amount they ask for.

3. Viruses in email
Scammers also write programs that capture your banking details as soon as you make a transaction online. Such programs arrive as email attachments disguised as a picture, a video or a document, or as an outright executable. Once you open the attachment, the malware installs itself on your system and sends the captured information to the attacker.

Keeping your operating system and antivirus updated is key to avoiding such attacks. Scan email attachments for malware, and if anything looks suspicious, do not open it. If you do, you stand a real chance of losing your hard-earned money.
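An attachment that looks like a picture is the case worth automating. The following Python is an added example, not code from the article: it triages an attachment by its real content rather than its claimed name, catching executable extensions, the double-extension trick ("photo.jpg.exe", which Windows displays as "photo.jpg" when known extensions are hidden) and content whose leading bytes do not match the type the name claims. The attachment bytes used in the test are constructed.

```python
"""Triage an email attachment by what it is, not by what its name claims.

Added example: extension checks plus magic-number checks on constructed bytes.
"""
import os
from typing import List

# Extensions Windows executes, or hands to a script host, on double-click.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar", ".msi"}
# Data formats and the bytes a genuine file of that type must start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}
PE_EXT = {".exe", ".dll", ".scr", ".sys", ".com", ".pif"}  # an MZ header is expected here


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should not be opened; empty means no finding."""
    findings: List[str] = []
    name = filename.strip().lower()
    base, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(base)        # "photo.jpg.exe" -> inner ".jpg"

    if ext in EXEC_EXT:
        findings.append(f"runs as a program: extension {ext}")
        if inner_ext in MAGIC:
            findings.append(f"double extension: displayed as a {inner_ext} file, executes as {ext}")

    # A Windows executable starts with 'MZ' whatever the file is called.
    if data.startswith(b"MZ") and ext not in PE_EXT:
        findings.append(f"content is a Windows executable (MZ header) despite {ext or 'no'} extension")

    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not start with the {ext} signature")
    return findings


if __name__ == "__main__":
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG header
        "invoice.pdf.exe": b"MZ\x90\x00\x03",             # executable with a hidden extension
        "statement.pdf": b"MZ\x90\x00\x03",               # executable renamed to .pdf
    }
    for fname, blob in samples.items():
        print(fname, "->", triage_attachment(fname, blob) or "ok")
```

Office files that pass the .docx signature check can still carry macros, and an archive can wrap any of the above, so this is a first filter, not a verdict; the point is that the name is the least trustworthy thing about an attachment.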

4. Lottery Scam!
Similar to the Nigerian Prince scam, lottery scams, too, are rampant. Needless to say but such emails are fraudulent and believe me, no one is going to give you even $5, forget about the $5 million you just “won.” This is another tactic of collecting your personal information and gaining monetary profit through the “processing fee”.

The solution is simple. Do not fall into the trap. Report such emails as spam and block the email address from sending you such emails again.

Endnote
Technology has advanced, and so have the scammers. The tactics above have worked for them for a long time, and it is easy to fall into the traps if you are not aware of them. Once you are, make sure not to fall for any of them: keep an eye out for suspicious emails and follow the suggestions above.

Ransomware: Lucrative, fast growing, hard to stop

The hackers behind recent high-profile ransomware attacks on U.S. hospitals are using business methods that might be familiar to some Silicon Valley start-ups.

Cybercriminal gangs are attacking large markets with rich customers. They offer a product with a clear value proposition (giving you back your seized data) that alleviates a specific pain point (the inability to run your business). They act with agility and stealth enabling them to outwit the competition. They are also scrappy, often bootstrapping their illicit businesses.

“It is an economic business system, it is just perpetrated at a criminal level,” said Matt Devost, CEO of FusionX, a unit of Accenture. “There are a lot of analogies between that and a start-up environment.”

What started as a basic scam — extorting, say, a $300 ransom from a grandmother wanting to get family photos back — has escalated. Last year there was a “reported loss of more than $24 million as a result of ransomware attacks,” according to the FBI, a figure that surely massively underrepresents the scale of the problem due to the unwillingness of many victims to report.

The start-up costs for an illicit ransomware business are minimal. The hackers write their own code or buy ransomware as a service on the black market, often as part of a suite of other products.

Many groups are already operating other cybercriminal businesses, so getting into the ransomware business is just another way of leveraging existing talent and infrastructure. It requires minimal investment, is relatively low risk and the returns are potentially massive.

Enterprise victims frequently have no choice but to pay up, since hackers are often able to seize backup data as well, said Denise Anderson, president of the National Health Information Sharing and Analysis Center. “So if they need to stay in business, they are paying it.”

With the recent attacks on U.S. hospitals, the assailants are expanding beyond consumer to enterprise “customers” — their victims — and adjusting pricing accordingly. For example, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in bitcoin in February. Other enterprises are likely paying a lot more than that already, said experts. (The FBI does not condone payment of ransom, an agency official told CNBC.)

“I imagine it will hit into the millions of dollars, if they are able to infect some of the right types of targets in an enterprise environment,” said Devost.

Like smart start-up CEOs, the hackers are testing the market and refining the business model. As the vast majority of attacks are likely settled without going public, more research is needed to figure out just how profitable the business really is, said experts. Unlike the criminal networks, which often share information freely, many of the victims do not.

“The cybercriminals collude when their business model merits it,” said Anderson. “Shame on us for not working together to protect against them.”

The most lucrative potential victims have a specific set of characteristics. They hold critical information and infrastructure, have immature and vulnerable security programs and the ability to pay the ransom. Small- to medium-sized U.S. hospitals have proven to be a sweet spot in ransomware because of their often poor security infrastructure as well as the willingness to pay to retrieve patient data, get back online quickly and prevent reputational damage.

“We will see much more successful attacks in other industries,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.

Law firms, which protect confidential and valuable information about their clients, and venture-backed start-ups that have invested in developing intellectual property are two targets criminals may increasingly go after, he said.

The black market for high-value trade secrets or intellectual property is a lot more lucrative than the market for personally identifiable information, which is fairly saturated after numerous data breaches, said Devost. It is also a lot riskier, potentially exposing hackers attempting to sell their ill-gotten goods to law enforcement.

Within businesses, it is almost always employees at the top and bottom of the pyramid who represent the best “leads” for attackers. Often, hackers will specifically target C-level executives with high-level access to an entire corporate network, or find success when low-level employees click on something they should not, said Vinny Troia, CEO of cybersecurity consulting firm Night Lion Security.

In a perhaps counterintuitive twist, some ransomware criminals actually want to make their attacks “user friendly” for their victims. Like legitimate businesses, they want to maintain a five-star rating, said experts. Some will offer the opportunity for victims to “try before they buy,” decrypting a small portion of the files held hostage to prove they can deliver the product, a decryption key that gets the files back.

They are creating user interfaces with sleeker designs and, in some cases, even providing customer support to make it easier for victims to pay, said Devost. That makes it easier for even low-level victims, i.e., the grandma who just wants her photos back and who has never heard of bitcoin, to make a payment.

“To the extent that you have a support apparatus to help your victims pay tells me there is a lot of money being made,” said Cabrera.

On the back end, the hackers continue to innovate to make ransomware more robust, and to stay one step ahead of cybersecurity companies and law enforcement. When the “good guys” discover a decryption key, they often release it to enable victims to decrypt their own data, undercutting the attackers’ business.

An example of how nimble these illicit enterprises are is shown by the rapid product evolution of CryptoWall, first released in 2014. CryptoWall is one of the most widely used forms of ransomware, and has been updated several times to make it stronger, said cybersecurity and threat intelligence firm Webroot in its 2016 Threat Brief.

CryptoWall 3.0 is smarter, more secure and stealthier than previous generations. The malware generates unique encryption keys instead of using one key for all infections, secures the master key itself to prevent unauthorized access, and conceals the location of the servers containing the decryption keys and payment mechanisms, among other things.

“In late 2015, CryptoWall 4.0 was released, with numerous enhancements to help sidestep security software,” said Webroot.

The next evolution of CryptoWall will likely more aggressively try to encrypt attached network storage devices, Devost said.

The software is largely operated by criminal gangs, many with ties to organized crime, often located in Eastern Europe and Russia.

“Whenever it comes to malware that is written with the focus of strictly making more of a profit, it has typically come out of that region of the world,” said Brian Calkin, vice president of operations at the Center for Internet Security.

For example, the architect believed to be behind CryptoLocker, Evgeniy Mikhaylovich Bogachev, remains at large, and is suspected to be in Russia. “Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States,” said the U.S. Department of Justice on March 4 in response to an inquiry by Sen. Tom Carper (D-Del.) about the challenges in bringing the suspected criminals behind these types of ransomware attacks to justice.

“If all individuals and businesses backed up their files, ransomware that relies on encrypting user files would not be as profitable a business for cybercriminal actors,” said the DOJ.

The business of backing up data is also booming thanks in part to the recent high-profile ransomware attacks, with cybersecurity companies crowding the market. For example, Code42 provides a backup and real-time recovery solution. The company counts 37,000 organizations — including Lockheed Martin, Mayo Clinic and Kohl’s — as customers.

“If you had our solution you certainly would not have to pay for ransomware,” said Rick Orloff, chief security officer at Code42. “The flip side of the coin is, here is a thousand types of vulnerabilities, do you want to pay to be protected from all of them?”

“Companies need to align around what types of attacks do they want protection from,” he said.

Data Breaches, Hacking and Cybercrime – Oh My!

Whenever I visit my relatives, I’m often not shocked to take a look at their smartphone or tablet or PC and find the little “update” notification number on their apps light up – and it isn’t just usually one update, it’s like 99! Because of my experience and career path, we spend part of our visit going through and updating phones, tablets and computers. Sound familiar to anyone else?

After working in this field for more than 20 years, people often ask me how I sleep at night. I tell them I sleep just like a baby, meaning I sleep for 4 hours and I’m up every half hour screaming (not my quote, but I love that one). Truthfully though, I love what I do and I’m excited to offer consumers some thoughts and advice on protecting themselves from a range of cyberthreats, from common hacking attacks to newer techniques like ransomware. One of the things consumers need to focus on is personal “computer hygiene”: patching, unique passwords, strong authentication and not running as an administrator. In my estimate, if consumers and businesses kept up that basic hygiene, it would stop the large majority, roughly 80-90 percent, of the attacks they face.

Here are a few key and simple things you can do to protect yourself from hackers and fraudsters alike:

1) Yes, you need anti-malware software on your PC or Mac. But equally if not more important is to keep all your software updated. Many computers are compromised because they run an outdated operating system or an outdated version of Adobe Reader, Flash, Java or office software, for which working exploits already circulate. Old software is vulnerable software. Keep it up to date, and turn on automatic updates wherever they are offered.

2) Don’t use the same password on different sites. Use a different password for financial sites, vs. other consumer/retail sites. Once a hacker has access to one password, they will usually try the same password on other major websites.

3) Use the strongest authentication options available to you. For example, when a site allows you to enroll via a mobile device, which triggers a code sent to you for verification, enroll for that. You’ll thank me later.

4) Remove “administrative rights” from the account you use every day. Many companies take away ordinary users’ ability to add accounts, install software and so on, which greatly limits what malware can do if a user accidentally runs it. At home, most people never think to do this. So create a “standard user” account for yourself, use it for daily work, and keep a separate administrator account only for installing software, adding users and applying updates. Windows will prompt for the administrator credentials when an action needs them; supply them only when you expected the prompt.

Sincerely hope this helps you.

Do Not Respond To This Kind Of Email. It’s A Scam!

Criminals are tricking corporate employees into giving them payroll information. Here is how the scam works – and how you can prevent yourself from falling prey to it.

Over the past couple of months there have been multiple well-publicized cases of criminals tricking corporate employees into giving them payroll information that the crooks then use to commit various crimes: commonly, employees’ identities are stolen and phony tax returns are filed in order to obtain illegal “refunds” of “overpayments,” but thieves continue to find other ways to monetize the data, including filing fraudulent unemployment claims.

Here is how the scam works – and how you can prevent yourself (and your business) from falling prey to it.

In the first stage of the attack criminals perform reconnaissance – often checking social media for information that employees have “overshared.” Criminals love it when employees post nonpublic information about some work-related endeavor, for example, because anyone who later claims to be an employee of the company and refers to this information when contacting a real employee will be far more likely to be believed than someone who simply claims to work for the firm but does not know any “insider” information. Criminals also search social media and the Internet in general to find the right “target” employees within the firm whose data they are trying to steal.

After performing reconnaissance, criminals contact their targets, often via a “spear phishing” email but sometimes through other media such as social media, texting or telephone. Spear phishing refers to a communication aimed at a specific intended victim which impersonates a party the recipient is expected to trust. Several recent attacks have involved messages in which the “CEO” or another senior executive asks an employee with access to payroll data to send him or her the W-2s for every employee of the firm. Other forms of the attack ask an employee who is authorized to make wire transfers to pay some particular party, or ask the employee to visit a website for some purpose when the site in fact installs malware.

Snapchat, Mercy Housing and Sprouts Farmers Market have all fallen prey to the W-2 scam within the last couple of months, exposing their employees to all sorts of risks. Other firms have been duped by similar attacks and sent out spreadsheets of personnel information, and the Federal Reserve Bank of New York is believed to have recently released about $100 million in fraudulent wire transfers after receiving instructions that fraudulently told it to do so.

Here are some ways to help prevent this problem from harming you and your business:

1.       Train employees not to overshare on social media and provide them with technology that warns them if they are doing so.

2.       Train employees not to respond to email requests for sensitive data without picking up the phone and speaking with the person requesting the data to be sent.

3.       Understand — and make sure your employees understand — how phishing works, and why it is a serious problem that is not getting better with time.

4.       Train employees to think about the risk level of requests. As Jonathan Sander, Vice President at Lieberman Software, noted, “If a payroll employee wants one W2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers to say this is a different sort of request that deserves more scrutiny.”

5.       Utilize encryption – if a sensitive document is sent encrypted, an unauthorized party receiving it will have difficulty opening it. As Brad Bussie, Director of Product Management at STEALTHbits Technologies, phrased it: “As a best practice, personally identifiable information should never be transmitted in an un-encrypted format.” I agree.

6.       Use secure email – If a firm has the resources to do so, email security technology can help – but, do not rely on such technology to prevent problems since social engineering can come in through other channels (texting, social media messages, phone calls, etc.), and, sometimes problematic emails can still make it through. Nonetheless, reducing the threat via email can be useful; as Craig Young, Computer Security Researcher at Tripwire, noted “The use of cryptographically signed emails and securely configured mail services with advanced spam filters, sender policy framework (SPF), and DomainKeys Identified Mail (DKIM) configurations can also greatly reduce the likelihood of a successful e-mail scam.” Keep in mind that by reducing the number of problematic emails that reach users, email security technology can cause people to become less vigilant – so make sure to reinforce the need for vigilance via training.

7.       Utilize Data Loss Prevention systems – these types of systems can block certain types of files and attachments from going out to external email addresses.
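Several of the items above (the executive impersonation in a spear-phishing message, the risk level of a bulk request, and the SPF/DKIM results a securely configured mail service produces) can be checked on each inbound message before a human ever replies. The following Python is an added example, not code from the article or from any vendor quoted in it: INTERNAL_DOMAIN, the executive roster and the three sample messages are constructed, and it uses only the standard library.

```python
"""Screen an inbound message for the payroll/W-2 scam pattern: an
executive's display name on an outside address, a Reply-To that diverts
the conversation, failed SPF/DKIM on a message claiming to be internal,
and a request for bulk personnel data.

Added example; domain, roster and messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"                      # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed roster, lower-case names
SENSITIVE = re.compile(r"\b(w-?2s?|payroll|ssn|social security|wire transfer|direct deposit)\b", re.I)


def auth_results(msg) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    added by your own inbound gateway (never from the sender, who can forge them)."""
    results: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def screen(raw: str) -> List[str]:
    """Return the reasons the message deserves a phone call before anyone replies."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1]

    # 1. Display-name impersonation: the name is an executive's, the mailbox is not.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        findings.append(f"display name '{display}' belongs to {known}, but the address is {addr}")

    # 2. Reply-To diversion: answers go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from the From address")

    # 3. A message claiming to be internal must pass our own SPF and DKIM checks.
    if from_domain == INTERNAL_DOMAIN:
        auth = auth_results(msg)
        if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
            findings.append(f"claims {INTERNAL_DOMAIN} but SPF/DKIM did not both pass: {auth}")

    # 4. The ask itself: bulk payroll data or a payment.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = sorted({h.lower() for h in SENSITIVE.findall(msg.get("Subject", "") + " " + text)})
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    return findings


# Constructed sample 1: lookalike domain the attacker registered, so SPF/DKIM pass.
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@example-co.com>
To: payroll@example.com
Subject: Urgent - W2s
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-co.com; dkim=pass header.d=example-co.com

Hi, I need the W-2s for all employees as a PDF right away, I'm in a meeting.
"""

# Constructed sample 2: outright spoof of the internal domain with a diverted Reply-To.
SAMPLE_SPOOFED = """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.ceo@outlook.com
To: payroll@example.com
Subject: payroll file
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Please send the full payroll export today.
"""

# Constructed sample 3: a genuine internal message, for comparison.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: lunch?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, "->", screen(raw) or "ok")
```

The first sample is the instructive one: SPF and DKIM both pass, because the attacker owns the lookalike domain, and only the display-name check and the nature of the request catch it. That is why item 2 above, picking up the phone, remains the control of last resort, and why a real deployment strips or quarantines Authentication-Results headers that arrive from outside before adding its own.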

These are just a few ideas to think about; there are several others.

Ransomware – Practical view, mitigation and prevention tips

Ransomware:
Ransomware is malware that encrypts the files on your system with a cryptographic algorithm and holds the encrypted data hostage: it demands payment in exchange for the decryption key. There are two types. Crypto-ransomware encrypts the data on the system, and without the key it is practically impossible to recover. Locker ransomware blocks access to the desktop or the device and demands payment to unlock it, but leaves the files themselves unencrypted, so recovery without paying is often possible.

One of the best-known families is CryptoLocker. It encrypts each file with a symmetric key and wraps those keys with an RSA public key; the matching private key, the only thing that can unwrap them, is stored on the attackers' command-and-control server. It typically arrives as a Trojan and relies mainly on social engineering to spread.

How ransomware works (as opposed to why) is quite interesting. For a proper understanding we can divide its operation into the following steps.

  1. Reaching the victim's system and installing itself silently, adding a registry entry so that it survives a reboot.
  2. Contacting its command-and-control server, which tells the ransomware what to do. It performs a handshake with the server and obtains the public key it will use.
  3. Doing the actual work: with that key it encrypts the data on the machine, selecting files by a list of common extensions.
  4. This is where it gets scary. After encrypting the data, it displays a message saying your files are locked and that you must pay within a deadline if you want to see them again.

How it propagates:

Ransomware mostly spreads by social engineering: email attachments carrying malicious executables or forged documents with embedded macros or scripts, plus links that point to compromised or malicious websites. Downloading software from unknown publishers while browsing is another likely route of infection. Ransomware also spreads through removable media such as USB sticks and portable hard drives.

Ransomware installation:

Its installation is covert. It abuses Windows' default behaviour of hiding known file extensions, so that a file named, for example, invoice.pdf.exe is displayed as invoice.pdf. Once it reaches its target by one of the propagation methods above and the user opens the file, the malware runs in memory, copies itself into the AppData, user Temp or LocalAppData folder, and adds a Run key in the Windows registry so that it starts every time Windows restarts.

Main working:

The main purpose of ransomware is to encrypt the data on the target computer. It generates a random symmetric key for each file, targeting files with common extensions such as .jpg, .doc, .docx, .xls, .png, .ppt, .pptx and .jpeg, plus whatever else is listed in the malware's code, and encrypts each file with AES. It then encrypts that file's random key with the RSA public key obtained from the server and appends the wrapped key to the encrypted file. Only the holder of the matching RSA private key can recover the random key, and hence the data.

The malware contacts its command-and-control server to obtain the public key. To find that server it uses a domain generation algorithm (DGA), built on the Mersenne Twister pseudo-random number generator, that produces a list of candidate domain names; the attackers register only a few of them, and the malware tries the list until one answers. After encrypting the data it shows the user a ransom note with a time limit, warning that the key will be deleted if payment is not made in time.

A compromised system can show symptoms such as a burst of DNS lookups for random-looking domain names, many of which do not resolve, increased network traffic to the command-and-control server or over peer-to-peer channels, and high CPU and disk use while files are being encrypted.
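The DGA leaves a footprint on the resolver long before the ransom note appears: one host asking for many random-looking names in a short time, most of them NXDOMAIN. The following Python is an added example, not code from the article, that scores query names and picks out such hosts. The scoring is a generic heuristic (length, vowel ratio, consonant runs, character entropy), not CryptoLocker's or CryptoWall's actual algorithm, and the log lines are constructed in a simplified "timestamp client qtype qname rcode" layout.

```python
"""Spot the DNS footprint of a DGA-driven infection: a host resolving many
random-looking names in a short time, most of them non-existent.

Added example; generic heuristic, constructed resolver log.
"""
import math
import re
from collections import defaultdict
from typing import Dict

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

QUERY_LOG = """\
2016-03-10T02:14:03Z 10.1.5.23 A kqwhxzplvmtra.com NXDOMAIN
2016-03-10T02:14:04Z 10.1.5.23 A tqpzmbwlsxvkrd.net NXDOMAIN
2016-03-10T02:14:05Z 10.1.5.23 A xjwqmrzbtnlvhp.org NXDOMAIN
2016-03-10T02:14:06Z 10.1.5.23 A rzqlbxhtmvwnkp.com NOERROR
2016-03-10T02:14:07Z 10.1.5.23 A update.windowsupdate.com NOERROR
2016-03-10T02:15:11Z 10.1.5.40 A www.facebook.com NOERROR
2016-03-10T02:15:12Z 10.1.5.40 A stackoverflow.com NOERROR
2016-03-10T02:15:13Z 10.1.5.40 A typo-ecample.com NXDOMAIN
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random strings score high, words score low."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """'update.windowsupdate.com' -> 'windowsupdate' (the part a DGA generates)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_dga_like(qname: str) -> bool:
    """True when the second-level label looks machine-generated."""
    label = second_level_label(qname)
    if len(label) < 10:                      # short names: too many real brands look odd
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return (longest_consonant_run(label) >= 5
            or vowel_ratio <= 0.2
            or shannon_entropy(label) >= 3.8)


def suspicious_clients(log: str, min_names: int = 3) -> Dict[str, Dict[str, int]]:
    """Clients that queried at least `min_names` distinct DGA-looking names,
    with how many of those lookups came back NXDOMAIN (the classic DGA tell)."""
    per_client = defaultdict(lambda: {"names": set(), "nxdomain": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname, rcode = m.groups()
        if is_dga_like(qname):
            per_client[client]["names"].add(qname.lower())
            if rcode.upper() == "NXDOMAIN":
                per_client[client]["nxdomain"] += 1
    return {client: {"dga_names": len(v["names"]), "nxdomain": v["nxdomain"]}
            for client, v in per_client.items() if len(v["names"]) >= min_names}


if __name__ == "__main__":
    for client, stats in suspicious_clients(QUERY_LOG).items():
        print(client, stats)
```

Tune the thresholds against your own resolver logs before alerting on them; CDN and tracking hostnames produce plenty of odd-looking labels, which is why the client-level aggregation and the NXDOMAIN count carry more weight than any single name. A host that trips this check is a candidate for isolation while files may still be unencrypted.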

Mitigation and Prevention:

So far, there is no way that can break the Cryptolocker encryption and provide you the key to decrypt data. Paying seems to be the only way to get data back unless you have a backup. Some of the incidents in past showed that paying did not pay back. As some people paid but did not get the key and in other cases the given key did not work. So the best way is to keep yourself save proactively. Now we are going to discuss some proactive approaches to keep yourself safe from these types of attacks, in case you are affected what steps to take.

  1. The first and foremost thing when we talk about security is user awareness. Training employees, users and all stakeholders is the most important step. We are in a war against malware, and users cannot win this fight unless they are aware of the threats. The SOC or security management team can organize seminars, awareness campaigns and similar activities to guide employees, and periodic briefings are also important. Explaining cases with examples to technical and non-technical employees alike helps them understand and remember the scenarios they are likely to face in everyday life.
  2. Alongside user awareness, implement security policies inside the domain via GPO and email transport rules to stop this type of email and prevent executables from running silently. Using Security Group Policies in your organization to guard against malware is highly recommended. Let us walk through the process of implementing them.

Software restriction policies control which applications and programs may execute, and they are applied through Group Policy. What we can do is block executables in the specific user-space folders from which the ransomware launches itself. In large organizations this is done via domain Group Policy; in small business environments, at home or in organizations without a domain, apply local security policies instead.

  • Open the Group Policy Management console on your primary DC to implement a software restriction policy.

  • Create a New GPO. Name it as “Software Restriction Policy”.

The folder structure for users in Windows XP and earlier is slightly different, so one option is to create two separate policies: one for XP systems in the domain and one for Vista and later. What I would do is add both sets of folders, XP and later, in one GPO.

  • Now edit the newly created GPO and add the user-space folders in which we don't want software to execute automatically. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules. Right-click Additional Rules and click ‘Add new Path rule’. Here we create a new rule and enforce the software restriction.

  • We will be adding file paths here. Add a path, set the security level to ‘Disallowed’ and add a description.

The paths for XP user space are as follows:

  • %AppData%\*.exe
  • %AppData%\*\*.exe
  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe

The paths for other higher version of OS are:

  • %LocalAppData%\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe

  • Now allow some time for Group Policy to sync to all systems, or go to each system, open cmd as Administrator and run ‘gpupdate /force’ to apply the policy immediately. You are done.

There is a disadvantage to applying the software restriction policy: every other legitimate executable in those locations will be blocked as well. However, legitimate software can be whitelisted in the Software Restriction Policies.

To whitelist apps in the Software Restriction Policy, set exceptions for them. We can manually instruct Windows to allow those apps while blocking all others: add the same kind of rule for the particular app as explained above, but set the security level to Unrestricted instead of Disallowed. The GPO will then whitelist those apps and let them execute from user space.
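For the no-domain case mentioned above (local security policy), here is an added example, not from the original post, that writes the same Disallowed path rules and one Unrestricted whitelist entry into the local Software Restriction Policy with PowerShell. It assumes the Safer\CodeIdentifiers registry layout that SRP reads (level 0 = Disallowed, 262144 = Unrestricted) and uses a hypothetical whitelisted path that you would replace with your own software.

```powershell
# Added example (not from the original post). Run elevated; test on one machine first.
# Assumption: SRP reads its rules from the Safer\CodeIdentifiers registry layout below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# The user-space paths listed in the post (XP entries are harmless on newer Windows).
$blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%UserProfile%\Local Settings\Temp\Rar*\*.exe',
    '%UserProfile%\Local Settings\Temp\wz*\*.exe',
    '%UserProfile%\Local Settings\Temp\*.zip\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe'
)

# Whitelist (constructed, hypothetical path): a legitimate updater that lives in %AppData%.
# A more specific path rule wins over a wildcard rule, which is what makes the exception work.
$allowed = @('%AppData%\ExampleVendor\updater.exe')

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet(0, 262144)][int]$Level,   # 0 = Disallowed, 262144 = Unrestricted
        [string]$Description = 'Ransomware mitigation (user-space executable)'
    )
    # Each rule is its own GUID-named key under <level>\Paths.
    $key = Join-Path $base ("$Level\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    # ItemData keeps the unexpanded %Var% path; SRP expands it for the launching user.
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

# Global SRP settings: default Unrestricted, enforce on all files, apply to all users.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null

foreach ($p in $blocked) { Add-SrpPathRule -Path $p -Level 0 }
foreach ($p in $allowed) { Add-SrpPathRule -Path $p -Level 262144 -Description 'Whitelisted application' }

# Show what was written (level, path, description) so the result can be reviewed.
Get-ChildItem "$base\0\Paths", "$base\262144\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_ | Get-ItemProperty |
            Select-Object @{n='Level'; e={ $_.PSParentPath.Split('\')[-2] }}, ItemData, Description
    } | Format-Table -AutoSize

# Same refresh step the post uses for the domain GPO.
gpupdate /force
```

In a domain, keep these rules in the GPO as described above rather than editing each machine; the registry form is only for stand-alone systems.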

If you have an on-premises email server or Exchange, transport rules are very useful. Use an Exchange transport rule to block or disallow attachments with executable content, or at least mark them as Possible Spam so the user is warned about the content of the email.
  • Open Exchange Management Console on your exchange server.
  • Go to Organization Configuration > Hub Transport.
  • Open Transport Rules.

  • Add new rule by right clicking the main screen. Enter the Name of the rule along with the description of rule.

  • Select the condition for the rule from next window. Select option “When any attachment file name matches text patterns”.

  • Select as many extensions as you want. Here we are adding exe, html, doc, docx, jpg, jpeg, zip, rar etc.
  • Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Now add “Possible Spam” as the text that will be added in the subject line.

  • If there are any exceptions, add them on the next screen; otherwise leave it as it is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with its priority set to 0.

Now when a user receives an email with one of the extensions we added in the rule, they will see Possible Spam in the subject of that email.
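The same transport rule built from the Exchange Management Shell instead of the console, as an added example that is not part of the original post. It assumes an on-premises Exchange 2010 or later server, that you are a member of Organization Management, and that the attachment-name patterns are regular expressions (as they are in the console); the stricter second rule uses a condition available on Exchange 2013 and later.

```powershell
# Added example (not from the original post): tag risky attachments in the subject line.
# Patterns are regular expressions, so anchor the extension at the end of the file name.
$patterns = @('\.exe$', '\.html?$', '\.docx?$', '\.jpe?g$', '\.zip$', '\.rar$')

New-TransportRule -Name 'Flag risky attachment types' `
    -Comments 'Ransomware mitigation: warn users about attachment types used by malicious email' `
    -AttachmentNameMatchesPatterns $patterns `
    -PrependSubject 'Possible Spam: ' `
    -Priority 0 `
    -Enabled $true

# Stricter variant for Exchange 2013 and later (assumption): reject mail whose attachment
# contains executable content regardless of the file name the sender chose.
New-TransportRule -Name 'Reject executable attachments' `
    -Comments 'Ransomware mitigation: executables are never expected by email' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted. Contact the helpdesk if this was expected.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Priority 1 `
    -Enabled $true

# Verify both rules as written and confirm their order.
Get-TransportRule | Where-Object { $_.Name -like '*attachment*' } |
    Format-List Name, Priority, State, AttachmentNameMatchesPatterns, PrependSubject, AttachmentHasExecutableContent
```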

3. User permissions: This is a minor point but very important when dealing with threats like ransomware. Review NTFS permissions carefully every time you assign them, for instance on folders shared from a server. If a shared folder gives ‘Everyone’ write permission and a user's system gets infected, you are in trouble. Give users the minimum permissions possible to limit the damage.

4. By now many antivirus products can detect and remove this malware, but decrypting the data is not possible without the key. Keep your antivirus updated so it can detect and remove the malware before it acts.

5. Keep your systems up-to-date and patched up with latest security patches that the manufacturer releases.

6. Do not allow peer-to-peer communication in your network. Ransomware and many other malware and bots communicate with their command and control center via P2P. Disallowing it will help keep you safe.

7. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.

8. Avoid installing unknown anti-virus products on your system, even if they claim to remove the malware from your network or system. Ransomware encryption cannot be broken easily and the data cannot be decrypted without the key, so if an unknown anti-virus claims it can break the encryption in no time, don't be fooled: it is some other kind of malware.

9. Last but not least, and the most useful measure I know of so far: BACK UP all your data regularly. I have seen clients hit by ransomware, and the only thing that saved them was a successful backup. Backing up all your critical data to an external drive, NAS or SAN that is isolated from your systems is very effective. If you are a large organization, develop a BCP (Business Continuity Plan) and a BDR (Backup and Disaster Recovery) plan. The BCP should cover all aspects of ransomware attacks and mitigation techniques, along with details of the backups you can or will take for your organization. Many backup solutions on the market can help you back up your data to external storage or a remote location such as cloud storage.

Thank you Tal for the great Post:
Operational Security Specialist | OSCP, CREST, ISO 27001, 22301 & 22035 Certified Lead Auditor and 27005 Risk Manager

First known hacker-caused power outage signals troubling escalation

Highly destructive malware creates “destructive events” at 3 Ukrainian substations

Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.

The outage left about half of the homes in the Ivano-Frankivsk region of Ukraine without electricity, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to “destructive events” that in turn caused the blackout. If confirmed it would be the first known instance of someone using malware to generate a power outage.

“It’s a milestone because we’ve definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout,” John Hultquist, head of iSIGHT’s cyber espionage intelligence practice, told Ars. “It’s the major scenario we’ve all been concerned about for so long.”

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by “BlackEnergy,” a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

“Perfectly capable”

Until now, BlackEnergy has mainly been used to conduct espionage on targets in news organizations, power companies, and other industrial groups. While ESET stopped short of saying the BlackEnergy infections hitting the power companies were responsible for last week’s outage, the company left little doubt that one or more of the BlackEnergy components had that capability. In a blog post published Monday, ESET researchers wrote

Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.

Over the past year, the group behind BlackEnergy has slowly ramped up its destructive abilities. Late last year, according to an advisory from Ukraine’s Computer Emergency Response Team, the KillDisk module of BlackEnergy infected media organizations in that country and led to the permanent loss of video and other content. The KillDisk that hit the Ukrainian power companies contained similar functions but was programmed to delete a much narrower set of data, ESET reported. KillDisk had also been updated to sabotage two computer processes, including a remote management platform associated with the ELTIMA Serial to Ethernet Connectors used in industrial control systems.

In 2014, the group behind BlackEnergy, which iSIGHT has dubbed the Sandworm gang, targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries. iSIGHT researchers say the Sandworm gang has ties to Russia, although readers are cautioned against attributing hacking attacks to specific groups or governments.

According to ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it’s distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It’s also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.

Ukrainian authorities are investigating a suspected hacking attack on the country's power grid, the Reuters news service reported last week. ESET has additional technical details about the latest BlackEnergy package here.

While Saudi Arabia’s largest gas producer was also infected by destructive malware in 2012, there’s no confirmation it affected production. iSIGHT’s report suggests a troubling escalation in malware-controlled conflict that has consequences for industrialized nations everywhere.

The 5 Biggest Cybersecurity Risks for Small and Medium Businesses

Cases of data breaches from major corporations around the world are becoming more and more frequent, much to the dismay of business owners all over the world. Every few weeks, there is a report about a big corporation’s data being leaked on some website, causing the company huge monetary losses as well as irreparable damage to reputation.

Although the alarming frequency of such high-profile data breaches would lead one to believe that the hackers must really have it in for large business owners, the fact still remains that small and medium business owners are just as susceptible to data breaches, if not more. Even if small and medium businesses realize that they are under threat as well, they might wrongly think that they would need to spend a large amount of money to keep the threat at bay.

The reality is anything but this. The major factor that decides whether you fall victim to such attacks is your level of negligence. Therefore, this article aims to make you aware about the 5 biggest threats your business might face.

The 5 biggest threats

1. Stolen laptops and mobiles
It is astonishing how much data is stolen or compromised when the devices used by employees are stolen. Whoever has the device can access the company data on it and use it as he or she wishes. Therefore, it is absolutely essential for businesses to encrypt all data stored on or transferred to an employee's portable device. This ensures that the data remains protected if the device is stolen.
2. Unsecured Internet Networks
Leaving networks unsecured is a blatant oversight of your business's security. Wireless networks are used by all businesses, and even small businesses today have off-shore and remote employees who access corporate data from elsewhere. Therefore, having a secure network is important to prevent unauthorized personnel from entering your network and causing problems.
3. Spear Phishing
This is another term for email scams. Email scams are one of the oldest tricks of the trade for gaining access to a user's system. Hackers quite often send such fraudulent emails to all employees of a company in the hope that one of them falls for it. These attacks spread like fire, so if one employee's system is affected, the entire network could soon be compromised. This is something employees should keep an eye out for as well, since such emails are usually simple to spot.
4. Malware
Malware is any code with malicious intent that is capable of causing serious problems on your system. Malware comes in many forms, but it can be warded off by keeping good anti-virus and anti-malware software on hand. It is also important to update your anti-virus regularly.
5. Insider Threats
This is something that is not always the case but is always a possibility. An employee holding a grudge against your company might take things further by mishandling your sensitive corporate data. To prevent such a thing from happening, make sure employees have differing access to corporate data according to their rank in your company. It is also wise to record the activity of all employees, big or small, to know if something is amiss.
Conclusion
We saw in this article how small and medium businesses can be targeted. The amount of money to be spent on security systems is by no means huge. All it takes is a little background knowledge to invest wisely rather than investing big.

“Locky” ransomware: What you need to know

Thanks to the Emerging Threats Team at SophosLabs for their behind-the-scenes work on this article.

“Locky” feels like quite a cheery-sounding name.

But it’s also the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.

Of course, it doesn’t just rename your files, it scrambles them first, and – as you probably know about ransomware – only the crooks have the decryption key.

You can buy the decryption key from the crooks via the so-called dark web.

The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”

  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.

In other words, if you have more BTCs in your wallet than the cost of the ransom, and no backup, you are very likely to pay up. (And you’ll already know how to buy new bitcoins, and how to pay with them.)

Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.

Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to log out or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.

Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:

If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.

Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.

Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.

It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.

If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.

Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.

Only log in (or use Run As...) with admin powers when you really need them, and relinquish those powers as soon as you don’t.

WHAT TO DO?

  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
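Enforcing the “don’t enable macros” advice above as an Office policy, as an added example that is not from the Sophos article: once these values are set, the “enable macros” prompt Locky’s document relies on is no longer offered for unsigned or internet-sourced files. It assumes the Office 2013 (15.0) and 2016-family (16.0) policy keys VBAWarnings and blockcontentexecutionfrominternet, writes them for the current user, and notes that in a domain the same values belong in a GPO.

```powershell
# Added example (not from the article). Assumptions: VBAWarnings 4 = "Disable all without
# notification", 3 = "Disable all except digitally signed"; blockcontentexecutionfrominternet
# is honoured by Office 2016 and later only. Deploy via GPO in a domain instead of per user.
$versions = @('15.0', '16.0')
$apps     = @('Word', 'Excel', 'PowerPoint')

function Set-MacroPolicy {
    param(
        # 3 keeps signed in-house macros working; use 4 if you have none.
        [ValidateSet(3, 4)][int]$VbaWarnings = 3
    )
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord `
                -Value $VbaWarnings -Force | Out-Null
            # Block macros in files carrying the mark-of-the-web (email attachments, downloads),
            # which is exactly how the Locky document arrives.
            New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord `
                -Value 1 -Force | Out-Null
        }
    }
}

function Get-MacroPolicy {
    # Report what is in effect so the change can be audited after deployment.
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (Test-Path $key) {
                Get-ItemProperty $key |
                    Select-Object @{n='Office'; e={ "$v $app" }}, VBAWarnings, blockcontentexecutionfrominternet
            }
        }
    }
}

Set-MacroPolicy -VbaWarnings 3
Get-MacroPolicy | Format-Table -AutoSize
```

Office reads these policy values at start-up, so close and reopen Word or Excel to see the effect.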