Tag Archives: ransomware

10Fold- Security Never Sleeps- 170

‘Crash Override’ malware heightens fears for US electric grid

“Ukrainian cyberattack concerns U.S. security experts”

Tech security firms ESET and Dragos revealed the malware behind last year's Ukrainian attack, “Crash Override,” earlier this week. They claim that this particular software is only the second to be tailored to industrial control facilities and intended for massive disruption. The only precedent for an attack of this magnitude is the Stuxnet virus, which threw Iran’s nuclear program into disarray several years ago.

Malware Incidents at US SMBs Spiked 165% in Q1

“Various SMBs suffer massive attack volume”

The first quarter of this year saw a huge increase in malware attack attempts, according to a new Malwarebytes report. In the U.S. alone, attacks on SMBs surged by 165% over the previous year's count.

Hospital Email Security in Critical Condition as DMARC Adoption Lags

“Patient data at risk”

A new report from Global Cyber Alliance has provided some chilling details about security issues with healthcare providers. Many of these institutions have been sluggish in adopting the DMARC protocol, leaving email accounts dangerously vulnerable.

Fileless malware: An undetectable threat

“New threats emerging”

While much of the security field tends to focus on ransomware and potential solutions, IT pros are missing some of the newer, stealthier threats. Fileless malware is one of these, and its prevalence and frequency are increasing.

10Fold- Security Never Sleeps- 162

BitKangoroo Ransomware Deletes User Files

“Currently poses limited threat” 

BitKangoroo, a new ransomware program making the rounds on the web, deletes files if payment is not made within a certain time period. While the prospect of the new software is dangerous, its creator does not seem to be particularly skilled. It is currently capable of affecting only files saved in the Desktop folder, but given time it could be developed into a much more competent threat.

The Long Tail of the Intel AMT Flaw

“Exploitable firms may need time to apply patches”

The recently disclosed critical privilege escalation vulnerability in the AMT firmware of many Intel chips may leave many enterprises using the product exposed to remote attacks. Analysts recommend that those with the product in use take time to apply firmware patches, as the vulnerabilities can leave users devastated for a reasonably long time.

SLocker Ransomware Variants Surge

“Over 600 unique versions now circulating”

The SLocker Android malware family has grown more than sixfold over the last six months, with over 600 variants in use by cybercriminals on the web.

10Fold- Security Never Sleeps- 125

Malware Hidden In Banner Ads Served Up To Millions

“Popular sites unknowingly peddling malware in pixel banners”

ESET researchers have been monitoring a strain of malware dubbed Stegano, which has recently been making the rounds through the web via image files served as advertisements to unsuspecting users. The attackers manipulate the alpha channel of the ‘ad’ images, replacing transparency information with JavaScript code and variables that leave users susceptible to attack.

OpenVPN will be audited for security flaws

“Renowned cryptography expert hired as consultant”

Among the most widely used private networking technology leaders, OpenVPN has announced a full audit funded by PIA. Contracted for the audit is Matthew Green, a Johns Hopkins University professor and cryptography engineering expert.

After attack, Indiana county will spend $220,000 on Ransomware recovery

“Madison County will pay the ransom and invest in greater IT protections”

In the wake of a ransomware attack on the 4th of last month, Madison County, Indiana has announced a budget plan that involves paying the demanded ransom as well as a rigorous outline of how to prevent future attacks.

 

10Fold- Security Never Sleeps- 111

Data Breach Affects 43 Million Web Host Consumers

“Compromised records include passwords, email addresses and more”

On Thursday, San Francisco web hosting firm Weebly will send notifications to its users that over 40 million of their accounts were compromised in the last eight months. Responsibility for the breach is still unknown, and the firm itself did not become aware of the hack until an anonymous source released the information to LeakedSource. Sensitive customer information is among the data stolen, including passwords and email addresses.

Vulnerability Leaves Millions of Adult FriendFinder Users Exposed

“Adult website compromised by hacker”

Poorly secured backend servers of Adult FriendFinder have apparently been compromised, and the one responsible has reportedly posted confidential data on Twitter. The breach has not been officially recognized or confirmed by FriendFinder Networks.

Ransomware among Three Most Destructive Cyber Threats

“Amid rising malware usage in 2016”

The total cost of damages related to malicious software attacks is set to exceed $1 billion this year as cybercriminals begin to shift focus onto business networks instead of individuals.

Critical Flaw Patched in Lexmark Printer Management

“Software update fixes vulnerabilities”

An update to Lexmark's MarkVision printer management software has addressed serious vulnerabilities that could allow an attacker to remotely access a host server attached to the product, allowing confidential files to be stolen or causing a DoS condition. This comes as a relief to users, as 20,000 printers are networked to MarkVision Enterprise web tools.

 

10Fold- Security Never Sleeps- 101

Nearly Half of State Voter Registrations Attacked by Russian Hackers

“Four were cracked, leaving speculation on security of upcoming election”

As we covered in our last installment, cyber security threats from the Russians have been on the rise in this year’s voting season. We can see now that these fears may have some legitimacy, as Russian hackers were successfully able to enter several voter registration systems in the U.S.

James Comey, Director of the FBI, said in his statement that “There’s no doubt that some bad actors have been poking around.” Among the targets were what many political analysts consider to be this year’s electoral ‘swing states’, including Arizona and Illinois.

GAO Claims Issue at FDA Cybersecurity Systems

“Confidential health data potentially at risk”

Weaknesses in security firewalls, along with 80 other flaws, were found in the Food and Drug Administration’s computer systems. This lack of proper security would allow hackers to breach confidential health information. The information was made public after the GAO, the Government Accountability Office, made 15 recommendations to beef up security measures following an extensive audit undertaken to protect government agencies from potential cyber attacks.

Ransomware Spread Increases

“Weak desktop credentials the most common point of entry”

Stolen credentials for the widely used remote administration application TeamViewer have largely been used to install the ‘Surprise’ ransomware, according to a research team in March. The number of attacks has increased significantly of late, as more highly effective cybercriminals adopt the technique after noting its success among their lesser-known counterparts.

The cyberattacks began long before the TeamViewer insertion via RDP servers, starting out as crude password-guessing attacks. This recent development allows criminals to be far more effective in their theft and hacking techniques.

Tofsee Malware Now Distributed Via Spam

“Experts believe the new method is more profitable for hackers”

While the malware program Tofsee has been around since 2013, its current spam distribution method is fairly new. The RIG exploit kit that recently oversaw the spread of the malware has stopped circulating, leaving spammers to employ their bots to pick up the slack. Cybercriminals often use Tofsee to engage in a range of activities, including click fraud, cryptocurrency mining, DDoS attacks and sending spam.

 

10Fold – Security Never Sleeps – 98

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Researchers have encountered a denial-of-service botnet that’s made up of more than 25,000 Internet-connected closed circuit TV devices. Scammers are spreading JavaScript malware disguised as a Facebook comment tag notification. The Threat Group 4127 that hit the Democratic National Committee also went after 1,800 other targets with info interesting to Russian government, says SecureWorks. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more.

Large botnet of CCTV devices knocks the snot out of jewelry website – Publication: Ars Technica – Reporter name: Dan Goodin

The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second. The DDoS attack continued for days, causing the Sucuri researchers to become curious about the origins of the attack. They soon discovered the individual devices carrying out the attack were CCTV boxes that were connected to more than 25,500 different IP addresses. The IP addresses were located in no fewer than 105 countries around the world.


Facebook comment tag malware scam targets Chrome users – Publication: SC Magazine – Reporter name: Robert Abel

A user will receive a notification in their app and/or in their email about a friend tagging them in a comment and, upon clicking the link, malware is downloaded to their device, according to Hackread. Currently the malware is only targeting Chrome and one analyst on the network question and answer site Stack Exchange said the file is a typical obfuscated JavaScript malware, which targets the Windows Script Host to download the rest of the payload.


Google Accounts Of US Military, Journalists Targeted By Russian Attack Group – Publication: Dark Reading – Reporter name: Sara Peters

A Russian attack group used the Bitly URL-shortener to disguise malicious links in order to carry out spearphishing campaigns not only against the Democratic National Committee, but also against some 1,800 Google accounts of US military and government personnel and others.


New and improved CryptXXX ransomware rakes in $45,000 in 3 weeks – Publication: Ars Technica – Reporter name: Dan Goodin

Earlier this month, the developers released a new CryptXXX variant that to date still has no decryptor available. Between June 4 and June 21, according to a blog post published Monday by security firm SentinelOne, the Bitcoin address associated with the new version had received 70 bitcoins, which at current prices is valued at around $45,228. The figure doesn’t include revenue generated from previous campaigns.

10Fold – Security Never Sleeps – 97


Big items to consider: A remote desktop access service called GoToMyPC was hacked this weekend and is urging all users to immediately change their passwords; The number of network infections generated by some of the most prolific forms of malware — such as Locky, Dridex, and Angler — has suddenly declined; on Friday night a hacker made off with $50 million of virtual currency after hacking the DAO (Decentralized Autonomous Organization); and a new variety of ransomware called RAA has been discovered.

GoToMyPC hit with hack attack; users need to reset passwords – Publication: PCWorld – Reporter name: Nick Mediati

According to a post published to GoToMyPC’s system status page, the remote desktop access service experienced a hack attack this weekend, and it’s now requiring all users to reset their passwords before logging in to the service.


Malware infections by Locky, Dridex, and Angler drop — but why? – Publication: ZDNet – Reporter name: Danny Palmer

The number of network infections generated by some of the most prolific forms of malware — such as Locky, Dridex, and Angler — has suddenly declined. Instances of malware and ransomware infection have risen massively this year, but cybersecurity researchers at Symantec have noticed a huge decline in activity during June, with new infections of some forms of malicious software almost at the point where they’ve completely ceased to exist.


A $50 Million Hack Just Showed That the DAO Was All Too Human – Publication: WIRED – Reporter name: Klint Finley

Sometime in the wee hours Friday, a thief made off with $50 million of virtual currency. The victims are investors in a strange fund called the DAO, or Decentralized Autonomous Organization, who poured more than $150 million of a bitcoin-style currency called Ether into the project.


New RAA ransomware written in JavaScript discovered – Publication: SC Magazine UK – Reporter name: Doug Olenick

A new variety of ransomware called RAA has been discovered that has the somewhat unusual attribute of being coded in JavaScript instead of one of the more standard programming languages, making it more effective in certain situations.

10Fold – Security Never Sleeps – 94


Big items to consider: On Wednesday afternoon, LinkedIn users received an email titled “Important information about your LinkedIn account,” describing the massive 2012 hack and what the company is doing about it. A recently patched Adobe Flash Player vulnerability is being abused in a new malvertising campaign that redirects users to the Angler exploit kit (EK), Malwarebytes researchers warn. The TeslaCrypt creators called it quits recently, but unfortunately for users, there’s a new ransomware program that’s ready to take its place. Google intends to kill off passwords, as well as allow Android apps to run instantly without installing the apps first.

Finally! LinkedIn Comes Clean About Mass Data Breach – Publication: Fortune – Reporter name: Jeff John Roberts

In its email, LinkedIn claimed that it “became aware” last week that the data stolen in 2012 was being made available online. This seems a bit of a stretch—the whole point of stealing data is typically to sell it online—but we’ll take them at their word. And, unlike so many other LinkedIn emails, this one is definitely useful. Oddly, the email did not include any acknowledgement or apology for the dreadful security practices used by LinkedIn in the first place. These included poor cryptography, such as failing to “salt” the data, which made it easier for hackers to unscramble users’ passwords.
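The reason an unsalted hash store is so much easier to “unscramble” is that identical passwords produce identical digests, so one precomputed table cracks every account at once. The following Python is an added illustration, not code from the Fortune article or from LinkedIn; the user names, passwords and wordlist are constructed, and PBKDF2-HMAC-SHA256 is used here as the salted, iterated scheme a defender would substitute for a bare SHA-1 (the iteration count is kept low so the demo runs quickly).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (hypothetical): two users chose the same password,
# and an attacker holds a tiny wordlist worth precomputing.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
WORDLIST = ["password", "letmein", "hunter2"]
ITERATIONS = 50_000  # deliberately low for the demo; use far more in production


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password with no salt.
    Identical passwords always produce identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'iterations$salt$digest'.
    A fresh random salt per user makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    return f"{ITERATIONS}${salt.hex()}${pbkdf2_hex(password, salt)}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = pbkdf2_hex(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, digest_hex)  # constant-time compare


def build_table(wordlist, hash_fn) -> dict:
    """Precompute digest -> password once. Without salts this table is reusable
    against every account in every breach."""
    return {hash_fn(w): w for w in wordlist}


def table_attack(digests: dict, table: dict) -> dict:
    """One dictionary lookup per account; the cost does not grow with the wordlist."""
    return {user: table[d] for user, d in digests.items() if d in table}


def per_user_guessing(records: dict, wordlist):
    """With per-user salts nothing can be precomputed: every candidate must be
    re-derived under each user's own salt. Returns (cracked, hash evaluations)."""
    cracked, evaluations = {}, 0
    for user, record in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked, evaluations


def demo():
    # Weak scheme: alice and bob share a digest, and one table recovers both.
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    weak_hits = table_attack(unsalted, build_table(WORDLIST, unsalted_sha1))

    # Salted scheme: a precomputed table must commit to one salt, so it matches
    # nothing against records that each carry their own random salt.
    salted = {u: hash_password(p) for u, p in USERS.items()}
    guessed_salt_table = build_table(WORDLIST, lambda w: pbkdf2_hex(w, b"\x00" * 16))
    salted_digests = {u: rec.split("$")[2] for u, rec in salted.items()}
    salted_hits = table_attack(salted_digests, guessed_salt_table)

    # The only remaining option is per-user guessing, whose cost is
    # users x wordlist x iterations instead of one lookup per user.
    cracked, work = per_user_guessing(salted, WORDLIST)
    return weak_hits, salted_hits, cracked, work


if __name__ == "__main__":
    weak_hits, salted_hits, cracked, work = demo()
    print("unsalted table hits:", weak_hits)
    print("salted table hits:", salted_hits)
    print("salted per-user guessing:", cracked, "after", work, "evaluations")
```

On the constructed data the unsalted table recovers alice and bob with three hash computations in total, the same table finds nothing against the salted records, and per-user guessing needs nine PBKDF2 evaluations to recover the same two accounts (carol's passphrase is not in the wordlist). The salt is what removes the shared work; the iteration count is what makes each remaining guess expensive.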


Angler EK Malvertising Campaign Abuses Recent Flash Zero-Day – Publication: SecurityWeek – Reporter name: STAFF

The campaign relies on domain shadowing and professional-looking fake ads that are sent to ad networks and displayed on legitimate websites. Furthermore, the attack is highly targeted, serving the malicious code conditionally and redirecting users to the Angler EK only after performing a series of checks otherwise known as fingerprinting. While the technique is not new, there are some interesting aspects about this malvertising campaign, including the fact that Angler is abusing the CVE-2016-4117 zero-day flaw in Adobe Flash Player that was patched on May 12. Attackers abused the vulnerability via specially crafted Office documents and an exploit for this vulnerability was added to the Magnitude and Neutrino EKs as well last week.


New DMA Locker ransomware is ramping up for widespread attacks – Publication: CSO – Reporter name: Lucian Constantin

Previous DMA Locker versions did not use a command-and-control server so the RSA private key was either stored locally on the computer and could be recovered by reverse-engineering, or the same public-private key pair was used for an entire campaign. This meant that if someone paid for the private RSA key, that same key would work on multiple computers and could be shared with other victims.


Google’s Trust API: Bye-bye passwords, hello biometrics? – Publication: NetworkWorld – Reporter name: Ms. Smith

Trust API will run in the background, always keeping track of your biometrics, so it will know you are really “you” when you unlock your device. It will utilize some of the common biometric indicators you might expect, such as your face print, as well as others such as how you swipe the screen, the speed of your typing, voice patterns, your current location and even how you walk. Combined, these give a cumulative “trust score.”

10Fold – Security Never Sleeps – 92


Big items to consider: Kansas Heart Hospital was hit with a ransomware attack. It paid the ransom, but then attackers tried to extort a second payment. A Critical Elevation of Privilege (EoP) vulnerability in the Qualcomm Secure Execution Environment (QSEE) affects around 60 percent of all Android devices around the world, despite being already fixed, researchers warn. Financial transaction network SWIFT called on its customers Friday to help it end a string of high-profile banking frauds perpetrated using its network. A manhunt is underway for criminals who looted millions from Japan’s cash machines nationwide in an hours-long heist, officials and reports said Monday.

Kansas Heart Hospital hit with ransomware; attackers demand two ransoms – Publication: NetworkWorld – Reporter name: Ms. Smith

Kansas Heart Hospital in Wichita was hit with ransomware last week. The ransomware attack occurred on Wednesday, and the KWCH 12 news video from Friday night said some files were still inaccessible by the hospital. Hospital President Dr. Greg Duick refused to disclose the ransom amount and the ransomware variant. He said, “I’m not at liberty because it’s an ongoing investigation, to say the actual exact amount. A small amount was made.” Yes, the hospital paid the ransom. No, the hackers didn’t decrypt the files—at least it was described as not returning “full access to the files.” Instead, the attackers asked for another ransom. This time the hospital refused to pay because it was no longer “a wise maneuver or strategy.”


Critical Vulnerability Plagues 60% of Android Devices – Publication: SecurityWeek – Reporter name: STAFF

The issue, discovered last year by Gal Beniamini, affects 75 percent of all Android devices powered by a Qualcomm processor, security firm Duo Security claims. According to Duo, around 80 percent of all Android devices have a Qualcomm processor inside, but just 25 percent of users have applied the patch, meaning that 60 percent of devices continue to be vulnerable.


SWIFT asks its customers to help it end a string of high-profile banking frauds – Publication: PCWorld – Reporter name: Peter Sayer

The SWIFT network itself is still secure, it insisted in a letter to banks and financial institutions. However, some of its customers have suffered security breaches in their own infrastructure, allowing attackers to fraudulently authorize transactions and send them over the SWIFT network, it said. SWIFT wants its customers to come forward with information about other fraudulent transfers made using their SWIFT credentials, to help it build a picture of how the attackers are working.


Manhunt After Millions Stolen in Hours-long Japan ATM Heist – Publication: Security Week – Reporter name: STAFF

Armed with fake credit card details from South Africa’s Standard Bank, the thieves hit 1,400 convenience store ATMs in a coordinated attack earlier this month. The international gang members, reportedly numbering around 100 people, each made a series of withdrawals in less than three hours, Japanese media said. Their haul totaled 1.4 billion yen ($13 million), according to the reports, with machines in Tokyo and Osaka among those targeted. It was not clear how the gang made off with the equivalent of millions of dollars so quickly as the cash machines usually limit withdrawals to 100,000 yen ($910) a day.

10Fold – Security Never Sleeps – 91


Big items to consider: DNI head James Clapper told a Washington audience Wednesday that the intelligence community is grappling with the “internet of things” — devices and appliances that can be wirelessly connected to the web and can provide access for hackers or foreign spies. Updates released by Cisco for the AsyncOS operating system powering the company’s Web Security Appliance (WSA) address several high severity denial-of-service (DoS) vulnerabilities. Researchers at MIT and Oxford University have shown that the location stamps on just a handful of Twitter posts can be enough to let even a low-tech snooper find out where you live and work. A senior lawmaker Wednesday hinted that nations not doing enough to stop ransomware groups from operating within their countries should be treated in the same way that the US treats countries that sponsor terror groups.

Clapper: My hearing aids needed security clearance – Publication: CNN – Reporter name: Nicole Gaouette

The intelligence community is trying to figure out how it should operate on a wireless basis, Clapper said, in ways that are secure. It’s a particular challenge “in terms of dealing with millennials who are quite used to that,” he added. “We’re trying to come up with a policy on this, some governance that is consistent across the enterprise, that at the same time will allow for latitude for technology to change — because it will,” he said. The country’s top intelligence official said that as the internet of things grows more common, the 10.3 billion end points now in existence are expected to mushroom to 29.5 billion by 2020 in an industry that will be worth $1.7 trillion.


Cisco Patches Serious Flaws in Web Security Appliance – Publication: SecurityWeek – Reporter name: Eduard Kovacs

One of the vulnerabilities (CVE-2016-1380) is caused by the lack of proper input validation for packets in an HTTP POST request. A remote, unauthenticated attacker can cause the appliance to reload by sending it a specially crafted HTTP POST request. The second security hole (CVE-2016-1383) is related to how the operating system handles certain HTTP response codes. An unauthenticated attacker can remotely cause a DoS condition by sending a specially crafted HTTP request to the targeted device, causing it to run out of memory.


Got privacy? If you use Twitter or a smartphone, maybe not so much – Publication: CIO – Reporter name: Katherine Noyes

The researchers set out to fill what they consider knowledge gaps within the National Security Agency’s current phone metadata program. Currently, U.S. law gives more privacy protections to call content and makes it easier for government agencies to obtain metadata, in part because policymakers assume that it shouldn’t be possible to infer specific sensitive details about people based on metadata alone. This study, reported in the Proceedings of the National Academy of Sciences, suggests otherwise. Preliminary versions of the work have already played a role in federal surveillance policy debates and have been cited in litigation filings and letters to legislators in both the U.S. and abroad.


Time To Treat Sponsors Of Ransomware Campaigns As Terrorists, Lawmaker Says – Publication: Dark Reading – Reporter name: Jai Vijayan

Richard Downing, deputy attorney general at the US Department of Justice and one of the witnesses at the hearing, characterized the scope of the ransomware problem as “staggering.” One of his recommendations is for Congress to enact legislation that will close loopholes in existing laws and make it easier for FBI and law enforcement in general to pursue and prosecute those involved in ransomware schemes. Current statutes such as the Computer Fraud and Abuse Act (CFAA) already make it a crime for people to create botnets by breaking into computers or using a botnet to carry out ransomware attacks. But the law is less clear on the implications for people who might be renting or selling a botnet but are not actually using it, he said.