Steam Patches Crypto Code to Prevent Padding Oracle Attacks Tue, 03 May 2016 07:00:41 -0500 Steam recently patched vulnerabilities in its client-server protocol that allowed an attacker who could observe the traffic between a local client and the Steam network to recover plain-text passwords or take over accounts.

Although Steam encrypts sessions and user data, it did not apply a Message Authentication Code (MAC) to the ciphertext, so nothing guaranteed its authenticity, and the connection between the client and Steam was susceptible to a padding oracle attack, a researcher found. He was therefore able to modify network traffic between the client and Steam, compromise the user session and take over the account.

Nathaniel Theis, who goes by XMPPwocky, explains that in older versions of Steam an attacker who merely observed a client connecting to Steam could decrypt the captured traffic using these techniques. The attack let an adversary view plain-text passwords, bypass SteamGuard and take over the account, the researcher says.

Steam encrypts its network connection with AES-256-CBC. The AES session key is generated securely on the client, encrypted with RSA-1024 under a hardcoded public key and sent to Steam, but no MAC was applied to the encrypted traffic. An attacker who modified the ciphertext could therefore not be detected: the Steam encryption was completely unauthenticated, and CBC without a MAC is malleable by construction.

The researcher notes that the lack of authentication is a vulnerability on its own, but that exploiting it for meaningful gain would be hard, especially since HTTPS is used for much of the data transmission.

The researcher then found that CMsgClientLogon, the message the client sends to Steam to identify the user, contains enough data to gain access to the account. Next, Theis established that Steam was vulnerable to a padding oracle attack: the server's handling of a message with invalid CBC padding was observably different from its handling of a well-padded one, and that difference is all a padding oracle needs. Together with another researcher he produced a proof-of-concept exploit.
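The attack described above, as an added worked example (this is not Theis's proof of concept or Valve's code): a CBC padding oracle attack that recovers a plaintext from nothing but the oracle's accept/reject answers, beside the encrypt-then-MAC construction that removes the leak. Assumptions: a toy Feistel permutation built on SHA-256 stands in for AES so the block runs without a crypto library (the attack does not depend on which block cipher is underneath); the keys, IV and CMsgClientLogon-style plaintext are constructed; and `padding_oracle` models the server's observable accept/reject behaviour.

```python
import hashlib
import hmac

BLOCK = 16    # block size in bytes, as for AES
TAG_LEN = 32  # HMAC-SHA256 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Round function of the stand-in cipher: keyed SHA-256 cut to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    # Assumption: an 8-round Feistel permutation stands in for AES-256.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    padded, out, prev = pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(prev, block_decrypt(key, cur))
        prev = cur
    return out

def padding_oracle(key, iv, ciphertext):
    # What an unauthenticated CBC endpoint leaks: did the message unpad cleanly?
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False

def recover_block(oracle, prev, target):
    # Learn D(target) one byte at a time from the right using only accept/reject,
    # then XOR with the preceding ciphertext block (or IV) to get the plaintext.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv  # make the already-known tail decrypt to padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Rule out a false positive such as ..02 02: real one-byte padding
                # must survive a change to the byte on its left.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted at byte %d: no padding leak" % pos)
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))

def seal(enc_key, mac_key, iv, plaintext):
    # Hardened form: encrypt-then-MAC over IV and ciphertext with a separate key.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, message):
    iv, ct, tag = message[:BLOCK], message[BLOCK:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")  # rejected before the padding is ever examined
    return unpad(cbc_decrypt(enc_key, iv, ct))

def authenticated_oracle(enc_key, mac_key, iv, ciphertext):
    # The attacker has no MAC key, so every forged probe fails the tag check; one
    # error path covers both failures and the padding no longer leaks.
    try:
        open_sealed(enc_key, mac_key, iv + ciphertext + bytes(TAG_LEN))
        return True
    except ValueError:
        return False
```

Against `padding_oracle`, `padding_oracle_attack` walks every block of the captured ciphertext and returns the plaintext without ever seeing the key; against `authenticated_oracle` the very first probe is rejected by the MAC check and the attack aborts with `RuntimeError`. Two details a practitioner should check in a real fix: the tag comparison is constant-time (`hmac.compare_digest`), and the MAC failure and padding failure are indistinguishable to the client, in both error message and timing.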

While analyzing a Steam session, Theis observed that after the initial handshake the client asks Steam to encrypt the channel by sending the RSA-encrypted session key in a ChannelEncryptResponse message. The server answers with a ChannelEncryptResult, and from then on the communication between client and server is encrypted with the session key.

An attacker who captures a victim's ChannelEncryptResponse can therefore open their own connection to Steam and replay the victim's encrypted session key in it. The attacker still cannot decrypt that key, but the server can, and it installs the victim's key on the attacker's connection. That connection then serves as a padding oracle keyed with the victim's session key, which is exactly what is needed to decrypt the captured session.

“Because of this replay attack, I could take a simple .PCAP of somebody connecting to Steam, and decrypt that entire session. No need for MITM- just the ability to eavesdrop. No issues with time- as long as I see the start of the connection, I’ve got what I need. And if the connection was closed, I could just restart it. I could even run the attack in parallel, between all Steam servers, massively speeding it up,” the researcher says.

He reported the issue to Valve, which deployed mitigations against attacks on logon credentials within 12 hours of receiving the report. Valve then rolled out new crypto code that applies a MAC and, Theis notes, “includes a nonce in the ChannelEncryptRequest message that the client must include in the ChannelEncryptResponse to prevent replay attacks.”
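The replay and its fix, as an added example (not Steam's protocol code): a server that accepts any ChannelEncryptResponse beside one that issues a nonce in ChannelEncryptRequest and requires it back inside the client's encrypted response. Assumptions: `seal_for_server` and `open_at_server` are a keyed XOR stand-in for RSA-1024 under the hardcoded public key so the block runs offline; the nonce is carried inside the sealed blob, which is the reading under which the fix actually stops a replay (a nonce echoed in the clear next to a replayed blob would not); the class and method names are invented.

```python
import hashlib
import hmac
import os

# Assumption: a keyed XOR stream stands in for "RSA-1024 with the hardcoded public
# key". Only the server is modelled as able to open a blob; the eavesdropper can copy
# blobs but neither read nor re-create them, which is the capability that matters.
SERVER_SECRET = b"stand-in for the Steam RSA private key"

def _keystream(length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(SERVER_SECRET + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def seal_for_server(data):
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))

open_at_server = seal_for_server  # XOR with the same stream inverts it

class OldSteamServer:
    """Pre-fix behaviour: any ChannelEncryptResponse is accepted as-is."""
    def __init__(self):
        self.sessions = {}
    def channel_encrypt_request(self, conn):
        return b""                                  # no nonce issued
    def channel_encrypt_response(self, conn, blob):
        self.sessions[conn] = open_at_server(blob)  # a replayed blob yields the victim's key
        return True

class NewSteamServer:
    """Post-fix behaviour: a per-connection nonce must come back inside the sealed blob."""
    def __init__(self):
        self.pending, self.sessions = {}, {}
    def channel_encrypt_request(self, conn):
        nonce = os.urandom(16)
        self.pending[conn] = nonce
        return nonce
    def channel_encrypt_response(self, conn, blob):
        expected = self.pending.pop(conn, None)     # single use: consumed on first answer
        if expected is None:
            return False
        plain = open_at_server(blob)
        key, nonce = plain[:32], plain[32:]
        if not hmac.compare_digest(nonce, expected):
            return False                            # stale nonce: this blob was replayed
        self.sessions[conn] = key
        return True

def client_handshake(server, conn, session_key):
    # Client side of ChannelEncryptRequest/Response: seal key || nonce to the server.
    nonce = server.channel_encrypt_request(conn)
    blob = seal_for_server(session_key + nonce)
    return server.channel_encrypt_response(conn, blob), blob

def replay_attack(server, captured_blob):
    # Eavesdropper opens its own connection and replays the victim's captured blob.
    server.channel_encrypt_request("attacker")
    return server.channel_encrypt_response("attacker", captured_blob)
```

Against `OldSteamServer` the replayed blob is accepted and the attacker's connection ends up keyed with the victim's session key; against `NewSteamServer` the blob still opens, but the nonce inside it belongs to the victim's connection, not the attacker's, so the response is refused and no session is created.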

Related: Details of 34,000 Steam Users Exposed During DDoS Attack

Related: Vulnerability Allowed Hackers to Hijack Steam Accounts

Copyright 2010 Respective Author at Infosec Island
The Role of CASBs in Protection Against the 2016 “Treacherous 12” Tue, 03 May 2016 06:59:00 -0500 In early 2015, health insurance giant Anthem disclosed that attackers had broken into its servers and stolen more than 80 million customer records, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information. A third-party cloud service had been used to transfer the huge data store from the company's network to the public cloud.

This headline-making attack, and many others in the last few years, have raised new questions about cloud security. Most questions used to revolve around compliance and insider threats; lately attention has turned to a more troubling worry: whether cloud services are falling victim to the same level of external attack as the data center.

As Software as a Service (SaaS) reshapes the way nearly every organization approaches IT, and with Infrastructure as a Service (IaaS) on the rise, cloud services now hold an array of mission-critical enterprise data, intellectual property, and other valuable assets. Which makes them a prime target for bad actors – from both inside and outside the organization.

A vivid illustration of the cloud threat landscape came Feb. 29 when the Cloud Security Alliance, an organization dedicated to defining and raising awareness of best practices for cloud security, issued a report titled “The Treacherous 12: Cloud Computing Top Threats in 2016.” Though cloud services deliver business-supporting technology more efficiently than ever before, the CSA concluded, they also bring significant risk.

Why do these risks occur? The CSA said a major factor is that enterprise business units often acquire cloud services independently of the IT department, and often without regard for security. And regardless of whether the IT department sanctions a new cloud service, the door is wide open for the Treacherous 12.

Because all cloud services (sanctioned or not) present risks, the CSA asserts that businesses need to take security policies, processes, and best practices into account.

That makes sense, but is it enough?

Consider this finding by Gartner: the analyst firm predicts that through 2020, 95 percent of cloud security failures will be the customer's fault (1). This does not necessarily mean that customers lack security expertise, but it shows that knowing how to make risk decisions about the cloud is no longer sufficient. Reliably addressing cloud security needs something more: automation.

Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB can help automate visibility, compliance, data security and threat protection for cloud services.

We looked at how well CASBs would fare in helping enterprises survive the Treacherous 12 and found that they clearly address nine of them (along with many other risks not mentioned in the report):

#1   Data breach

#2   Weak ID, credential, and access management

#3   Insecure APIs

#4   System and application vulnerabilities

#5   Account hijacking

#6   Malicious insiders

#7   Advanced persistent threats

#10 Abuse and nefarious use of cloud services

#12 Shared technology issues

There are countless examples of why being protected against the Treacherous 12 is important. Some of the more high profile ones:

  • Data breach: In the 2015 Anthem breach, attackers used a third-party cloud service to exfiltrate over 80 million customer records.
  • Insecure APIs: A mid-2015 breach at the IRS exposed more than 300,000 records. The big number is less interesting than the small one: a single vulnerable API was enough for the breach to happen.
  • Malicious insiders: Uber reported that its main database was improperly accessed and that the unauthorized individual downloaded 50,000 names and numbers to a cloud service. Was it a former employee, now the Lyft CTO? That was Uber's opinion; the DOJ disagreed and a lawsuit ensued.

In each of these cases, a CASB could have helped. A CASB can:

  • Help detect data breaches by monitoring privileged users, encryption policies, and movement of sensitive data.
  • Detect unusual activity within cloud services that originate from API calls, and support risk scoring of external APIs and applications based on the activity.
  • Spot malicious insiders by monitoring for overly-privileged user accounts as well as user profiles, roles and privileges that drift from compliant baselines.
  • Spot malicious user activity through user behavior analytics.

You are probably wondering about the three of the 12 threats that a CASB does not cover: data loss (#8), insufficient due diligence (#9) and denial of service (#11).

The cost of data loss is huge. Code Spaces, now defunct, had to close when its corporate assets were destroyed because it had not followed best practices for business continuity and disaster recovery. Backup and recovery is a primary corporate responsibility, and a CASB cannot detect whether it is in place.

Insufficient due diligence is the responsibility of the organization leveraging the cloud service, not the service provider. Executives need a good roadmap and checklist for due diligence. A CASB can provide advice, but they don’t automate the process.

Finally, denial of service attacks aim to take the provider down, and mitigating them is the provider's responsibility.

As cloud security becomes one of the most pressing issues in IT, the power of the CASB cannot be ignored.

1. Gartner press release, “Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond,” October 6, 2015.

Nemucod Malware Downloader Evolves into Ransomware Tue, 26 Apr 2016 21:16:55 -0500 Nemucod, a known JavaScript malware family designed to download additional malicious software onto compromised computers, has evolved into ransomware and now uses 7-Zip to encrypt its victims' files.

The malware was observed downloading TeslaCrypt and also trying to drop ransomware from its own body, Fortinet's Roland Dela Paz explains. The Nemucod variant was delivered as encrypted JavaScript attachments in spam emails and tried to download an executable from compromised websites into the user's temporary directory.

If the download succeeds, the malware fetches the ransom note, then drops and runs a batch file that encrypts the user's data and appends the .crypted extension to every affected file. Once that completes, it displays the ransom text and returns to its usual routine of downloading and executing additional malware on the system.

What researchers discovered last month was that the ransomware did not actually use RSA-1024 to encrypt files; it only XORed the first 2048 bytes of each file with a fixed 255-byte key embedded in the downloaded executable component. A decryptor was released for it toward the end of March.
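The XOR scheme, and why a decryptor was feasible, as an added example (not the Fortinet decryptor): an implementation of the described encryption, first 2048 bytes XORed with a repeating 255-byte key, and a known-plaintext recovery that pins each key byte from a file whose leading bytes are known. The key, file contents and file names are constructed; a real recovery would take the key from the sample itself or from enough known headers to cover all 255 positions.

```python
KEY_LEN = 255   # fixed key embedded in the downloaded executable (from the article)
ENC_LEN = 2048  # only this many leading bytes of each file are touched (from the article)

def nemucod_xor(data, key):
    # XOR the first ENC_LEN bytes with the repeating key and leave the rest alone.
    # XOR is its own inverse, so the same call encrypts and decrypts.
    head = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data[:ENC_LEN]))
    return head + data[ENC_LEN:]

def recover_key(samples):
    """Known-plaintext recovery of the repeating key.

    samples: list of (encrypted_file_bytes, known_plaintext_prefix). Every known byte
    at offset i pins key[i % KEY_LEN]. Returns (key_or_None, positions_pinned); the key
    is only returned once all 255 positions are pinned without contradiction.
    """
    key = [None] * KEY_LEN
    for enc, known in samples:
        for i in range(min(len(known), len(enc), ENC_LEN)):
            k, j = enc[i] ^ known[i], i % KEY_LEN
            if key[j] is None:
                key[j] = k
            elif key[j] != k:
                raise ValueError("sample contradicts key byte %d: wrong known plaintext?" % j)
    pinned = sum(b is not None for b in key)
    if pinned < KEY_LEN:
        return None, pinned
    return bytes(key), pinned

def demo():
    # Constructed key and victim files; real magic numbers, made-up bodies.
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    png = b"\x89PNG\r\n\x1a\n" + bytes(3000)
    pdf = b"%PDF-1.4\n" + b"%" * 1500
    readme = b"# Constructed README, content known from a backup or repo\n" * 10
    victims = [nemucod_xor(f, key) for f in (png, pdf, readme)]
    # Eight-byte magic numbers only pin eight key positions; a file with 255 or more
    # known leading bytes pins the whole key, after which every file decrypts.
    partial = recover_key([(victims[0], png[:8]), (victims[1], pdf[:8])])
    full = recover_key([(victims[2], readme)])
    return partial[1], full[1], nemucod_xor(victims[0], full[0]) == png
```

The reason the scheme falls to this is structural: a 255-byte key repeated across 2048 bytes leaves eight full periods per file, so any single file with a known 255-byte prefix (or a handful of files with known headers at different offsets) yields the complete key, and no per-victim secret is involved at all.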

In addition, users could roll back their PCs with System Restore and recover files from Volume Shadow Copies. Fortinet researchers also found that the ransomware's code resembles that of KeyBTC, though with a simpler implementation; they could not establish a direct relationship between the KeyBTC and Nemucod actors.

Most recently, Nemucod ransomware received another update and now appears to use the 7-Zip application to do the actual encryption. The authors have also lowered the ransom from the original 0.60358 BTC (around $267) to 0.49731 BTC (around $220).

A recent post on Bart Blaze's blog explains that after the malware executes, users can see the following processes in Task Manager: a0.exe (a renamed copy of 7-Zip), a1.exe, a2.exe, cmd.exe and wscript.exe. To stop the encryption while it is running, users should end all of these processes.

The malware can be removed with anti-virus software, but users are advised to keep a copy of the ransom note so that the ransomware can be identified. As mentioned above, a Nemucod decryptor exists, but it was written for the previous variant and may not work with the newer one, at least not yet.

Related: Kovter Ad Fraud Trojan Evolves Into Ransomware

Related: Links Found Between Different Ransomware Families

Bangladesh Bank: Why Aren't We Talking About Privileged Account Management? Tue, 26 Apr 2016 12:05:00 -0500 Remember back in February when those hackers stole more than $80 million from Bangladesh Bank?

According to a report from Jim Finkle at Reuters, not only did they get away with a large amount of money, they may also have tampered with software from the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the organization whose network lets financial institutions exchange details of financial transactions.

Investigators of the Bangladesh Bank heist had previously said that the still-unidentified attackers broke into the bank's computers and took control of credentials used to log into the SWIFT system. It now appears that the SWIFT software on the bank's computers was itself compromised, so that records of the fraudulent transfers could be erased.

So why is this such a big deal?

According to reports, the SWIFT messaging platform is used by 11,000 banks and other institutions worldwide, though only some use the Alliance Access software. Exploiting privileged accounts is a critical stage of an attack lifecycle, and that appears to be what happened when the SWIFT software was compromised, resulting in an $81 million loss to the bank.

Today's advanced attacks are typically designed to evade traditional threat prevention technologies, which focus on protecting the perimeter from outside breach. Once inside a network, many modern attacks follow a common lifecycle: attackers advance from the initial breach by escalating their privileges and moving laterally through the environment to identify and reach valuable target systems and confidential information.

Once attackers have hijacked the privileged credentials of an authorized user, their activity blends in with legitimate traffic and is much harder to detect, so they can operate undetected inside an organization for long periods.

More than likely, this is how this particular breach happened:

Perimeter compromise. Attackers gain entry into a corporate network through multiple attack vectors including email, web and endpoints. Attackers have become highly sophisticated and are increasingly finding ways to evade traditional network perimeter threat detection technologies. In most cases, immediately after the initial compromise, attackers download malware tools and establish a connection to a command-and-control server to enable ongoing control.

Escalate privileges. External attackers, after the initial compromise, target privileged accounts to facilitate the future stages of the attack. Through a variety of tactics, attackers attempt to gain possession of the credentials used to access privileged accounts. Privilege escalation appears to have been the critical stage of the attack, because if privileged credentials are compromised, the attacker is able to move closer to sensitive data while remaining undetected.

Reconnaissance and lateral movement. Once armed with privileged credentials, attackers may conduct stealthy reconnaissance across the network to locate other vulnerable systems, then spread laterally in search of target data and systems. As they identify further interesting targets, they may again need to escalate privileges to gain access to the newly identified system, and then continue their reconnaissance.

Data exfiltration. The final stage of an attack lifecycle is typically to exfiltrate the desired information from the target’s corporate network to a location that the attacker controls. Once the target information has been gathered in a staging area and is ready for exfiltration, the attacker can use its privileged access to bypass controls and monitoring technologies designed to prevent or detect exfiltration.

Enter Privileged Account Management

Clearly, a solution needs to be in place to protect organizations from a similar incident in the future. A privileged account security solution provides the following capabilities, which could be a critical part of that solution:

Comprehensive platform for proactive protection of privileged credentials and target assets. A privileged account security solution enables organizations to protect proactively against in-progress attacks and to detect and respond to them automatically before they reach vital systems and compromise sensitive data.

Automatic identification and understanding of the scope of privileged account risk. A PAM solution automatically detects privileged accounts across the enterprise and helps customers visualize the resulting compliance gaps and security vulnerabilities. This automated process replaces the time-consuming and error-prone task of manually tracking and updating privileged credentials, thereby decreasing IT operational costs. The added visibility significantly improves an organization's security posture and eases adherence to rigorous audit and compliance standards.

Continuous monitoring, recording and secure storage of privileged account activity. A PAM solution monitors, collects and records individual privileged session activity down to every mouse click and keystroke. It also provides highly secure storage of privileged session recordings and robust search capabilities allowing organizations to meet their audit and compliance requirements. Session recordings also provide a full forensics record of privileged activity to facilitate a more rapid and precise response to malicious activity.

Organizations have invested heavily in security products to protect their IT infrastructure and valuable information. According to IDC, worldwide spending on IT security products is expected to grow from $32.0 billion in 2013 to $42.0 billion by 2017. Historically, the majority of this spending has been focused on perimeter threat protection products such as firewalls, network and web security.

While prevention of the initial breach is an important layer of an enterprise security strategy, at Thycotic, we do not believe that perimeter-based threat protection alone is sufficient to protect against today’s increasingly sophisticated and targeted external security threats.

Despite significant investments in perimeter-based threat protection solutions, most enterprises are still being breached. Therefore, we believe that in the future, a greater portion of the overall spend must be dedicated to security solutions focused on the inside of the enterprise.

About the author: Jim Legg is the President and CEO of Thycotic and has more than 25 years of managerial and sales experience in guiding technology companies to accelerated, sustained growth.

End-to-end Encryption, Today -- Loophole Closed or Moved? Fri, 22 Apr 2016 15:31:42 -0500 Instant messaging is a big part of today's digitally connected era, and there is a plethora of instant-messaging apps offering various features. Security, especially since the recent Apple “back door” debate, has become critical for these apps. The top apps with vaunted security features include iMessage and Snapchat. Despite the attention app developers give to security, these apps have had vulnerabilities that were fairly easy to exploit.

Security researchers at Johns Hopkins University recently showed that attackers could intercept encrypted messages sent through iMessage and retrieve texts, photos and videos by exploiting a specific weakness in iMessage. Snapchat messages, or snaps, delete themselves after a short time, but researchers at Gibson Security showed that Snapchat also suffered from weak security that let attackers harvest users' usernames and phone numbers.

Thanks to increased security awareness, companies are making strides toward better security. Following Apple's lead, WhatsApp (owned by Facebook) and Viber recently enabled end-to-end encryption for their millions of users, with the objective of keeping their customers' conversations private.

What is End-to-End Encryption?

End-to-end encryption has become the go-to security solution for instant-messaging apps. It aims to ensure that nobody other than the sender and receiver of a message can read it, not even the company offering the service. This is achieved by encrypting messages with keys that exist only on the users' devices, whether generated there or derived from a user's password, and never on the provider's servers.

Is the Loophole closed or just moved?

Current end-to-end encryption implementations raise a number of questions. If a user loses her device, or needs to reset the password from which her keys are derived, the chat history is no longer available to anyone. The history was encrypted under the old keys, and it cannot be decrypted with any other keys, including those derived from a new password. This holds even if the app server has backed up the encrypted chat history.

Currently this issue is addressed by letting users back up chat histories to third-party storage such as Google Drive or iCloud, or to the device's internal memory. Access to previous chats is a crucial feature of most instant-messaging apps, and third-party storage providers have become the usual way of handling this loss-of-history situation.

Because third-party services are now in the picture, overall security is only as strong as those external services. This is concerning, especially for companies that staunchly support security and privacy, since the responsibility for securing customer data now rests on external shoulders. If WhatsApp data is stored on a cloud server owned by a third party and an attacker steals a user's chat history, who is accountable: Facebook (WhatsApp) or Apple (iCloud)? Legal teams will have to define this clearly. Furthermore, Apple has direct access to WhatsApp customers' data on iCloud, because the keys to data encrypted on iCloud are held by Apple rather than by the users, as is the case with most other cloud storage providers. WhatsApp can therefore no longer take an independent stand on protecting customer privacy against government access. Yet some form of backup storage is inherent in offering chat history alongside end-to-end encryption.

Can technology help solve the issue?

If the instant-messaging company stores the encrypted chat histories itself, then securing the backup is its own responsibility, and it faces the same legal question: who owns the encryption keys? If the company owns the keys, it cannot claim to have no access to content. If customers own the keys (passwords), the original problem of forgetting the keys and being locked out of the data remains. For this reason, I believe this solution is not viable. Traditional keys (passwords), which are easily forgotten, do not work either. The problem calls for key derivation that does not depend on memory.

Let’s use our fingers

Biometric cryptography is an active area of research, and many recent advances provide tools for deriving keys securely from biometric readings. Keys need not be backed up after every message; doing so each time the device is unlocked is a reasonable frequency. With biometric sensors already built into devices such as the iPhone, the technology overhead might be minimal. With a key derivation method that does not require memory and the hardware already in place, I believe biometric cryptography offers a potential solution to the problem. One caveat: a biometric cannot be changed or revoked if it leaks, so the template and any key derived from it have to stay on the device.

An alternative approach to password management is a password manager: software with which a user deals with only a single master secret, from which the manager derives or protects the passwords for all of the user's accounts. The master key is stored either on the user's device or in the service provider's cloud. If it is stored on the device, the problem of losing the password along with the device persists; storing it in the provider's cloud gives the provider access, defeating the original objective of protecting the user's privacy.

It is, however, important that instant-messaging service providers invest in research and development of a viable solution that patches the loophole and gives full control of data to its customers.

One thing is clear: end-to-end encryption does not solve the problem, despite the common perception that it is the holy grail of instant-messaging security. Service providers need to shift their attention toward non-traditional key-derivation mechanisms to close the loophole. Biometric cryptography is a candidate because it rests on information that does not depend on memory, and biometrics are already mainstream and being embedded in our devices now and for the future.

Access Management Increases Security, Cuts Costs Fri, 22 Apr 2016 07:27:14 -0500 While organizations are constantly trying to reduce spending, there are areas where they are not cutting back but actually increasing budgets. Several recent surveys and studies show that organizations in both the US and UK continue to invest heavily in identity and access management (IAM) solutions.

The main reason respondents gave for continuing to invest is somewhat obvious: security. As technology advances in an attempt to become more secure, attackers and their ways of breaching an organization's network also become more sophisticated. IAM solutions must protect against advanced attacks as well as secure new technology such as mobile devices and cloud applications.

The second reason for continued investment in IAM is to save money in the long run. Though IAM solutions require an initial investment, they save money across many areas of the company over time.

Continued Security Threats

No matter how secure you think your organization's network is, there are always attackers, both outside and inside the company, who will find ways around your security measures. IAM solutions continually evolve to stay a step ahead of them and keep the network safe. Organizations not only need to secure their in-house computers but also the many mobile devices employees use outside the network to access cloud applications. Any hack, large or small, can cost the organization a great deal, which is why they consider this investment important. So how can an IAM solution help with security?

Most importantly, the organization needs to ensure correct access rights across its entire network and the applications used inside and outside the organization. IAM solutions automate account management, which makes correct access easy to achieve. For example, when an employee joins the organization they need to receive the correct access rights. Automation sets up the account both easily and accurately, so the employee does not accidentally receive too many, or too few, rights: a manager or a member of the HR department simply adds the employee to the HR system, and accounts in any connected system or application are created automatically.

The organization also needs to ensure that access is revoked once an employee leaves; this is one of the most common access issues. An IAM solution lets a manager disable an account easily so that this critical step is not overlooked. When an employee leaves, the manager disables the employee's account in the source system, PeopleSoft for example, and all of their accounts and access rights are revoked with one click.

Just as IAM solutions automate account management for in-house applications, they can also be set up to work seamlessly with cloud applications such as Office 365, Google Apps and TOPdesk. A manager can then create, change or disable accounts there too, including disabling those of an employee who has left the organization, which protects the network and its data.

This is just one basic part of an IAM solution; other modules help with security as well. Access rights can also be monitored with an attestation module: the network and applications are scanned regularly for the current access rights, which are compared against a predefined matrix of the standard, accepted rights. If any differences are found, the attestation module alerts a manager and the system owner for review. If the difference is acceptable, the reviewer signs off electronically; if the rights are unauthorized, a workflow removes them automatically and notifies the parties involved by email.
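The attestation and offboarding checks described above, as an added example (not any vendor's product code): current account rights compared against an approved-rights matrix, orphaned accounts of leavers flagged, a remediation step that revokes unauthorized rights unless a manager has signed off on an exception, and a count of licenses actually in use. The roles, rights and accounts are constructed.

```python
from dataclasses import dataclass

# Constructed approved-rights matrix: role -> rights that role may hold.
APPROVED = {
    "finance":  {"erp:post_journal", "o365:mail", "sharepoint:finance"},
    "helpdesk": {"ad:reset_password", "o365:mail", "topdesk:agent"},
    "student":  {"lms:read", "o365:mail"},
}

@dataclass
class Account:
    user: str
    role: str
    active_in_hr: bool   # the HR (source) system is authoritative for who still works here
    rights: set
    enabled: bool = True

def attest(accounts):
    """Attestation scan: compare each account's rights with the matrix.
    Returns (user, finding, detail) tuples for a manager or system owner to review."""
    findings = []
    for a in accounts:
        if not a.active_in_hr:
            if a.enabled:
                findings.append((a.user, "orphaned", "account still enabled after leaving"))
            continue
        allowed = APPROVED.get(a.role, set())
        extra, missing = a.rights - allowed, allowed - a.rights
        if extra:
            findings.append((a.user, "unauthorized", sorted(extra)))
        if missing:
            findings.append((a.user, "missing", sorted(missing)))
    return findings

def remediate(accounts, signed_exceptions):
    """Workflow step: disable leavers and strip unauthorized rights, except where a
    manager has electronically signed off on the (user, right) pair."""
    actions = []
    for a in accounts:
        if not a.active_in_hr and a.enabled:
            a.enabled = False
            a.rights.clear()
            actions.append((a.user, "disabled"))
            continue
        for right in sorted(a.rights - APPROVED.get(a.role, set())):
            if (a.user, right) in signed_exceptions:
                actions.append((a.user, "kept (signed exception)", right))
            else:
                a.rights.discard(right)
                actions.append((a.user, "revoked", right))
    return actions

def licenses_in_use(accounts, app_prefix):
    """Enabled accounts holding any right in an application: the licenses really consumed."""
    return sum(1 for a in accounts
               if a.enabled and any(r.startswith(app_prefix) for r in a.rights))

def sample_accounts():
    # Constructed access dump, as an IAM connector would collect it from each system.
    return [
        Account("alice", "finance", True, {"erp:post_journal", "o365:mail", "sharepoint:finance"}),
        Account("bob", "helpdesk", True, {"ad:reset_password", "o365:mail", "topdesk:agent",
                                          "erp:post_journal"}),
        Account("carol", "student", True, {"o365:mail"}),
        Account("dave", "finance", False, {"erp:post_journal", "o365:mail"}),  # left, never disabled
    ]
```

Run `attest(sample_accounts())` and three findings come back: bob holds a finance right his helpdesk role does not allow, carol lacks a right her role should have, and dave is a leaver whose account was never disabled. `remediate` disables dave and revokes bob's extra right unless `("bob", "erp:post_journal")` is in the signed exceptions, after which the Office 365 license count drops by one.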

Long-term Investment

Though IAM solutions are an investment at first, over time they save the organization a substantial amount of money, mainly because one or more full-time employees no longer need to handle account management and can be used elsewhere. IAM solutions automate the complete end-user lifecycle, requiring few if any manual tasks. In education, for example, at the beginning of each semester several employees have to spend days just adding new students and employees and moving graduates to alumni status.

Another way IAM solutions can save money is through licensing costs. Organizations tend to not review how many licenses they are paying for and how many are actually being used. This has also been a major issue with employees who leave the organization. Often, an ex-employee will still have access to an application that the company is unknowingly paying for. Many IAM solutions provide an overview of access rights, allowing managers to see exactly who has access to what systems and applications to ensure they are paying for the correct number of licenses. If there are any errors in access rights, an automated account management solution allows them to easily be corrected.

Over the years, IAM solutions have become very flexible, which makes them more cost-efficient to implement. An organization can pick and choose the modules it needs and customize them. A smaller company need not buy a large enterprise IAM suite; it can choose just the modules that address its immediate issues.

So, while IT spending may be cut back, investments in IAM solutions continue to grow because of security issues, flexibility and an overall cost savings.

Nuclear Exploit Kit Targets Non-English Users in Over 150 Countries Thu, 21 Apr 2016 10:08:55 -0500 Exploit kits (EKs) are a constantly evolving component of the malware landscape, mainly because their operators are updating them often and are also employing new techniques to achieve high infection rates, and the Nuclear EK is no exception.

Researchers at Cisco Talos have recently had a closer look at Nuclear and noticed that its operators have switched focus toward non-English users, and that it is targeting people in more than 10,000 different cities in over 150 countries worldwide. Although not the top EK out there, as Angler still holds the crown, Nuclear is certainly a major threat.

According to Talos researchers, Nuclear shows a distinct behavior compared to Angler, as the masterminds behind it would use a single server instance, immediately replaced with a new one if taken down, and would use a well-known free email service to create their accounts. Moreover, they make use of coupon codes to avoid traditional payment and are also using different email addresses and hosts consistently.

While looking at a single server hosting the malicious activity, researchers found that around 60,000 unique IPs were connecting to this particular server, revealing that the EK was more widespread than initially expected. Almost half of the IPs were being redirected from a malicious webcam ad hosted on adult content websites, with over 25,000 IPs redirected in a single day, the researchers say.

Traffic analysis revealed that users in Spain (20 percent of hosts) and Germany (around 15 percent) were most targeted, with Argentina on the third position, the United States only on the fourth, and Mexico on the fifth, all three with around 8 percent. France, Italy, and Poland were also among the most targeted countries.

Cisco Talos researchers noticed that the HTTP headers captured in the logs included the ‘Accept-Language’ information, and they managed to build a table of the language breakdowns. The table also reveals that Spanish and German were the most targeted languages, with English only on the third position, followed by French and Italian.
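The language table described above can be rebuilt from any HTTP log that records the Accept-Language header. The following is an added example, not Cisco Talos' code; the log format (one line per request, client address followed by the header value) and the sample entries are constructed for illustration. It honours q-values, ignores the wildcard, and counts requests with no usable header separately so they do not skew the percentages.

```python
"""Accept-Language breakdown from captured HTTP request headers (added example)."""
from collections import Counter
import re

# Constructed sample log: "<client_ip> <Accept-Language value>" per line.
# Addresses are from the documentation range and carry no meaning.
SAMPLE_LOG = """\
203.0.113.10 es-ES,es;q=0.8,en;q=0.5
203.0.113.11 de-DE,de;q=0.9,en-US;q=0.7,en;q=0.6
203.0.113.12 en-US,en;q=0.5
203.0.113.13 es-AR,es;q=0.9
203.0.113.14 de
203.0.113.15 fr-FR,fr;q=0.8
203.0.113.16 it-IT;q=0.4,en;q=0.9
203.0.113.17 *
203.0.113.18
203.0.113.19 es-MX
"""

# One language range: primary subtag, optional "-subtag"s, optional ";q=weight".
_LANG_RE = re.compile(
    r"^\s*([A-Za-z]{1,8})(?:-[A-Za-z0-9]{1,8})*\s*(?:;\s*q\s*=\s*([0-9.]+))?\s*$"
)


def parse_accept_language(value):
    """Return (primary_language, q) pairs ordered by client preference.

    Quality values are honoured (highest first; ties keep the listed order),
    the wildcard '*' is dropped because it carries no locale signal, and
    malformed entries or q=0 entries are skipped rather than raising.
    """
    prefs = []
    for idx, part in enumerate(value.split(",")):
        part = part.strip()
        if not part or part.split(";")[0].strip() == "*":
            continue
        m = _LANG_RE.match(part)
        if not m:
            continue
        q = 1.0
        if m.group(2) is not None:
            try:
                q = float(m.group(2))
            except ValueError:
                q = 0.0
        if q > 0:
            prefs.append((m.group(1).lower(), q, idx))
    prefs.sort(key=lambda t: (-t[1], t[2]))
    return [(lang, q) for lang, q, _ in prefs]


def preferred_language(value):
    """The client's top-ranked primary language, or None if there is none."""
    prefs = parse_accept_language(value)
    return prefs[0][0] if prefs else None


def language_breakdown(log_text):
    """Count one preferred language per request; returns (Counter, unknown)."""
    counts = Counter()
    unknown = 0
    for line in log_text.splitlines():
        fields = line.split(None, 1)
        lang = preferred_language(fields[1]) if len(fields) == 2 else None
        if lang is None:
            unknown += 1
        else:
            counts[lang] += 1
    return counts, unknown


def breakdown_table(log_text):
    """Rows of (language, requests, percent) sorted by request count."""
    counts, unknown = language_breakdown(log_text)
    total = sum(counts.values()) + unknown
    rows = [(lang, n, 100.0 * n / total) for lang, n in counts.most_common()]
    if unknown:
        rows.append(("(none)", unknown, 100.0 * unknown / total))
    return rows


if __name__ == "__main__":
    for lang, n, pct in breakdown_table(SAMPLE_LOG):
        print(f"{lang:8s} {n:5d} {pct:6.1f}%")
```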

The exploit kit operators have focused on Flash Player vulnerabilities to compromise systems, and didn’t add exploits for Silverlight to their malicious code, although Angler, Rig, and Magnitude did. However, the same as other EKs out there, Nuclear is mainly dropping ransomware variants, which allow cybercriminals to effectively monetize their activity.

Researchers also noticed that the EK was using different HTTP versions for the back-end communication, with requests to the proxy server using HTTP/1.1, while traffic from the proxy server to the exploit server was using HTTP/1.0. Recently, Nuclear started dropping Tor and leveraging it to gather the final payload anonymously, and this change could soon be employed by other EKs as well, researchers say.

Nuclear’s operators are using a proxy server to interact with the users directly and are also focused on reducing the number of landing pages being delivered to products that cannot be compromised, researchers say. The Nuclear user agent revealed a list of keywords that would result in the EK returning 404, some related to security products, while others to gaming consoles and other technologies.

With a focus on non-English countries, Nuclear clearly attempts to increase elusiveness, while also avoiding the competition and visibility associated with its attacks. However, it is clear that users in English-speaking countries are not safe from it either, as victims in these geographies cannot be avoided.

“This research marks an interesting change in exploit kit behavior in a move towards more targeted compromise. As researchers have continued to pick apart the exploit kits as they operate inside the US/UK, the adversaries are evolving. This is similar to the same way they evolve the kit itself as we build protections against the kits themselves,” Cisco Talos’ Nick Biasini says.

Related: Nuclear EK Gate Uses Decoy CloudFlare DDoS Check Page

Copyright 2010 Respective Author at Infosec Island]]>
A Security Lesson from Down Under: Australia’s Banking App Malware Theft Wed, 20 Apr 2016 07:00:00 -0500 With the Australian banking system reeling from its recent malware attacks, it seems news stories about the theft of personal data are popping up with depressing regularity.

In case you missed the latest story, it bears investigation due to the warning shot it fired across the U.S. commercial banking sector, and the implications for how safe your financial data is right now. And when I say financial data, let’s be clear, I mean your actual money.

The sophisticated Android attack on the banking apps of Australia’s biggest banks has targeted millions of customers. That’s ANZ Bank, Commonwealth Bank, National Australia Bank, Westpac and a host of others. Hiding in infected phones and using fake login screens for the banking apps themselves, but also for Whatsapp, Skype, PayPal, eBay and Google services, the malware leaps into action when a legitimate banking app is used, replacing it with a fake cover in order to intercept login details. In fact, it also serves to steal SMS two-factor authentication codes, meaning the bank’s security measures are bypassed, and the thieves can then transfer funds at will.

Terrifying, yes, and unfortunately not an isolated event. Just a few short months ago, German users were targeted by criminals using mobile banking malware disguised as a fake PayPal app. The cyber-criminal’s dictionary is ever expanding, with phishing (malicious emails) now joined by smshing (malicious SMS) and vishing (voice over telephone scamming).

But it’s not just the lexicon that’s growing, it’s access. Right now any one of us can go online and make a free spoof call from our phone, using simple, consumer focused websites. Sure it’s being marketed as a way of playing “hilarious” jokes on friends and family, or of protecting your own caller ID and privacy, but let’s not be overly naïve. Privacy is a right, protected by law; anonymity, however, particularly online, rarely brings out the best in people. 

Perhaps your response is that while Germany and Australia are having their problems, it’s all a long way from our shores. Unfortunately, it’s not a view shared by the Washington Legislature, who are so concerned with malicious online activity that a new cybercrime bill has just sailed through the House and Senate. Focusing on prison sentences and fines for spoofing, electronic data tampering, theft and service interference, the bill is an explicit indication that the lawmakers identify these threats as a clear and present danger.

Obviously then the time has come for the financial sector to take decisive action and demonstrate a leadership role in this area. The technology exists and is widely available for banks to provide spoof-proof communications internally and to their customers, with solutions such as two factor tokens.

As a parallel, every bank has fraud and crime units in place, the entire function of which is to protect the organisation and its customers from malevolent activities by reacting quickly and proactively to perceived irregularities and suspected threats. To not have such a function would be unthinkable, and the costs, both hard and in terms of reputational damage, would be swift and seismic.

The same approach must be taken with secure communication – failure to take responsibility will be to invite exactly the type of hacking discussed earlier. The financial services sector must not wait for governments to act, conflicted as they are while they work out their balance between protecting their electorate from crime, and attempting to control the use of strong encryption technologies. The duty of care and the protection of customers falls instead to the banks themselves, and it is an obligation they must meet now and with gusto, or prepare to count the cost of their negligence.

About the Author: Harvey Boulter is Chairman of Communication Security Group (CSG).

Copyright 2010 Respective Author at Infosec Island]]>
3 Requirements for Effective Security Investigations Fri, 15 Apr 2016 07:00:00 -0500 Most organizations lack the manpower and visibility needed to properly investigate every lead. Security teams are often faced with the choice of ignoring potential incidents, or devoting excessive resources in order to gain more understanding into what has happened. Automated detection followed by correlation to reduce false positives are indeed important steps in mitigating this burden, but the majority of the work still relies on the actual investigation phase. Even the best-equipped analysts find themselves sorting through unrecognized sessions and mountains of packet captures, unable to provide quick answers to critical questions. So, how does an enterprise change this?

In order to provide security teams with the ability to react quickly and accurately to cyber-attacks and overcome technical and resource-related limitations, here are three fundamental requirements to consider:

1. Automate Data Analysis to overcome skill-set barriers

The ongoing skills shortage creates a major bottleneck in facilitating forensics investigations. Organizations must support users who lack deep expertise, so that security professionals at all levels can handle more complex investigations, escalate fewer tickets and resolve incidents faster. Forensics solutions may collect valuable data for investigating a threat, but if further manual analysis is required just to find the relevant data and understand what it means, it is likely to be lost in the shuffle. Security teams should not waste precious time drilling in sessions with Wireshark-like tools when trying to understand what is happening in the network. Teams must have the ability to enable a solution that analyzes data automatically, translating network packets and sessions into intuitive and searchable intelligence. This method not only saves time, but also money.

2. Complete Visibility Into User Behavior and Application Content

The traditional approach of correlating events from different sources using SIEM has proven insufficient. Enterprise visibility should extend beyond logs and flow data in order to validate security alerts and determine the extent of successful incidents. Security teams need immediate access to information assets traversing the network in order to answer questions like, “When was the data accessed?” “By whom?” “Where has it traveled to?” “What was in it?” This includes the actual payloads of network conversations, rather than just the metadata – the content of emails, chats, file transfers, business transactions, DNS lookups, search queries, authentications, as well as remote desktop sessions.

3. Greater retention periods of forensics data

The ability to look back in time to investigate historical security events is critical, but by the time you discover a breach, it’s usually too late. According to the Mandiant 2015 Threat Report, an attacker has free rein in breached environments for approximately 205 days before being discovered. Organizations are doing their best to collect data for forensics investigations; however, they are facing significant storage limitations. As high-level metadata is insufficient, the current approach is to capture and store full packet data for later analysis. A quick calculation shows that a 10GbE link will require about 110TB of storage for recording a single day of traffic.

Since most security breaches take months to discover, the value of traditional solutions that entail full packet capture is clearly diminished. Security teams are often restricted to retention periods of merely several days, considering the capacity of a typical enterprise infrastructure. To overcome this challenge and get access to the historical content required for proper investigations, organizations need to take a different approach and work with solutions that can increase forensics data retention periods from days to many months in order to reveal the full story before, during and after an attack.
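The 110TB-per-day figure and the resulting retention gap can be checked with a short capture-sizing calculation. This is an added example, not the article's own material: it converts link rate (bits per second) into bytes of storage per day and into the number of days a storage budget retains; the 500TB array and 30% average utilization used in the usage section are constructed values.

```python
"""Full-packet capture sizing: storage per day and retention days (added example)."""

SECONDS_PER_DAY = 24 * 60 * 60
TB = 10 ** 12  # decimal terabyte, the unit storage vendors quote


def daily_capture_bytes(link_gbps, utilization=1.0, directions=1):
    """Bytes written per day when capturing a link at the given rate.

    link_gbps:   nominal link rate in gigabits per second (10 for 10GbE).
    utilization: average fraction of line rate actually carried, 0.0 to 1.0.
    directions:  1 for a single capture stream, 2 when both directions of a
                 full-duplex link are recorded separately.
    Link rates are bits; storage is bytes, hence the divide by 8.
    """
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    if directions not in (1, 2):
        raise ValueError("directions must be 1 or 2")
    bits_per_day = link_gbps * 1e9 * utilization * directions * SECONDS_PER_DAY
    return bits_per_day / 8


def daily_capture_tb(link_gbps, utilization=1.0, directions=1):
    """Same figure in decimal terabytes."""
    return daily_capture_bytes(link_gbps, utilization, directions) / TB


def retention_days(storage_tb, link_gbps, utilization=1.0, directions=1):
    """Whole days a storage budget holds before the oldest capture is overwritten."""
    per_day = daily_capture_tb(link_gbps, utilization, directions)
    return int(storage_tb // per_day)


def storage_for_retention_tb(days, link_gbps, utilization=1.0, directions=1):
    """Storage (TB) needed to keep `days` of full-packet capture."""
    return days * daily_capture_tb(link_gbps, utilization, directions)


if __name__ == "__main__":
    # A saturated 10GbE link comes to 108 TB/day, the article's "about 110TB".
    print(f"10GbE at line rate: {daily_capture_tb(10):.0f} TB/day")
    # Constructed planning case: a 500 TB array, 30% average utilization.
    print(f"500 TB array retains {retention_days(500, 10, 0.3)} days")
    # Covering the 205-day dwell time cited above at the same load.
    print(f"205 days need {storage_for_retention_tb(205, 10, 0.3):.0f} TB")
```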

The above considerations must be examined in order to mediate security incidents as quickly as possible. As we know, it is (nearly) impossible to prevent a breach altogether in this day and age. It’s how efficiently you understand and handle the event that matters. Don’t let your organization fall behind.


Tomer Saban is the co-founder and CEO of WireX. Tomer brings with him 15 years of experience in telecommunications and network security. Prior to founding WireX Systems, Tomer served as a team manager in the intelligence division at Nice Systems. Tomer is an alumnus of the 8200 Entrepreneurship Program and the Merage Institute for U.S. - Israel Innovation Leadership Program. Tomer holds a B.Sc. in Computer Science from the College of Management Institute in Israel.

Copyright 2010 Respective Author at Infosec Island]]>
RockLoader Dropper Downloads Locky, Kegotip, and Pony Thu, 14 Apr 2016 15:32:00 -0500 A new malware downloader has been spotted recently, used to drop various malicious programs to compromised computers, including the Locky ransomware and the Kegotip and Pony info stealers.

Dubbed RockLoader, the new dropper has been spotted pushed by resources associated with the Dridex botnet via a .js file packaged inside a .zip archive and via malicious Office documents with macros. Distributed through spam emails, the new dropper is experimenting with a method for facilitating a Windows User Account Control (UAC) bypass, researchers at PhishMe reveal.

RockLoader was observed in campaigns primarily targeting UK and French organizations, and researchers at Proofpoint said last week that it was also used to load Dridex 220. Overall, the dropper was observed downloading four different pieces of malware, but it was mainly associated with the Dridex botnet and the distribution of the Locky ransomware.

While droppers are nothing new, and Upatre, previously used in Dyre and Gameover ZeuS campaigns, is one of the most popular of them, what sets RockLoader apart is its attempt to bypass UAC. According to PhishMe, the original malware executable was compiled for 32-bit operating systems, but researchers also noticed that the dropper comes with a shellcode compiled as a 64-bit binary.

After successfully bypassing UAC, RockLoader makes HTTP POST requests to the /api/ directory on its command and control host to request encoded commands for its next step. The malware can look for multiple arguments in the data it receives, and researchers suggest that it includes support for several commands.

The dropper can receive instructions such as “command” and “update,” as well as a “notask” instruction, which results in it creating and running a “1.bat” file in the temp directory to try and delete itself. Researchers also discovered that the downloader’s operators can pass multiple arguments and commands to the malware in one request.

“This vastly increases the economy and extensibility of this malware’s operation. Stacking commands in this way is where this new malware downloader really shines. With this capability, the attackers are able to drop several malware payloads to the system at once, or pass multiple commands to a single victim,” the researchers said.

PhishMe also notes that, in a campaign targeted against a UK company earlier this month, RockLoader downloaded multiple executables onto the infected machines, including the Locky Loader and the Pony info stealer. The latter was supposedly included in the package to help cybercriminals expand their C2 infrastructure, given that Pony can harvest FTP credentials from the compromised computers.

The introduction of RockLoader to the infection chain shows that attackers are continuously looking for new ways to increase their infection rates. Additionally, researchers suggest that the new dropper is expected to fill the gap left by Upatre’s absence, especially since it includes many of the strengths that made Upatre successful, as well as additional extensibility and functionality. 

Copyright 2010 Respective Author at Infosec Island]]>
SAP Security Notes April 2016 - DoS Vulnerabilities on the Rise Thu, 14 Apr 2016 09:32:00 -0500 SAP has released the monthly critical patch update for April 2016. This patch update closes 26 vulnerabilities in SAP products including 19 SAP Security Patch Day Notes and 7 Support Package Notes. 8 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

10 of all closed SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 7.5.

SAP Security Notes April 2016 by priority

Most of the discovered vulnerabilities belong to the SAP ABAP applications security.

SAP Security Notes April 2016 by platforms

The most common vulnerability type is Missing authorization check.

SAP Security Notes April 2016 by type

This month, 5 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Dmitry Yudin, and Vahagn Vardanyan were closed.

How 2 DoS vulnerabilities can allow full system compromise

Two of the off-schedule patches addressing Denial of Service vulnerabilities discovered by Dmitry Yudin ([1] and [2]) were released on March 14. On March 16, at the Troopers security conference, ERPScan director of SAP cyber security services Dimitry Chastuhin showed how to execute code remotely using these 2 DoS vulnerabilities, one configuration mistake, and a race condition vulnerability.

His presentation, titled “Exploiting the unexploitable”, proved that even low-impact vulnerabilities can be chained together to gain full administrative access to the system. Since the patching process on a real SAP landscape is time-consuming and costly, the idea of fixing only the most dangerous security issues seems rather tempting but, as we can see, is completely insecure.

According to responsible disclosure rules, we can’t give any details of this attack vector before 90 days after disclosure.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • A Denial of service vulnerability in SAP Enqueue Server (CVSS Base Score: 7.5). Update is available in SAP Security Note 2258784. An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and damages business reputation.
  • A Denial of service vulnerability in SAP Internet Communication Manager (CVSS Base Score: 7.5). Update is available in SAP Security Note 2256185.
  • A Denial of service vulnerability in SAP jstart (CVSS Base Score: 7.5). Update is available in SAP Security Note 2259547.
  • An XML external entity vulnerability in SAP UDDI (CVSS Base Score: 7.1). Update is available in SAP Security Note 2254389. An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser, and thereby gain unauthorized access to the OS filesystem.
  • A Cross-site scripting vulnerability in SAP UR Control (CVSS Base Score: 6.1). Update is available in SAP Security Note 2201295. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s research.

Other critical issues closed by SAP Security Notes April 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2262710: SAP HANA DP Agent has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and damages business reputation. Install this SAP Security Note to prevent the risks.
  • 2262742: SAP HANA DP Agent has a Missing authorization check vulnerability (CVSS Base Score: 7.3). An attacker can use a Missing authorization check vulnerability to access a service without authorization and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2252191: SAP HANA XS Advanced Java Runtime has a Remote command execution vulnerability (CVSS Base Score: 7.3). An attacker can use a Remote command execution vulnerability to execute commands remotely without authorisation. Executed commands will run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.

It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Copyright 2010 Respective Author at Infosec Island]]>
Cloud Email Applications Could Put Your Corporate Data at Risk Tue, 12 Apr 2016 10:00:00 -0500 Do you know the risks associated with third party cloud apps?

We examined Boxer, Microsoft Outlook (previously Acompli), Spark, CloudMagic, MyMail, Zero, and InboxCube to understand their:

  • Terms and Conditions
  • Privacy Policy
  • Access rights
  • File sharing capabilities
  • Deletion process
  • Actual connections to the cloud email provider and their origins

What we found may surprise (or scare) you. In the following post you will find a summary of our research. Most of us don’t think twice before accepting the terms of use when connecting to 3rd party applications. But at least when it comes to cloud based Email services, we should all be more wary.

Our security researchers have examined the leading email apps on the market and found evidence that they pose a serious security threat to enterprises. Research suggests that the number of cloud-based email users is on the rise, from 12% in 2013 to an anticipated 50% of enterprises by 2022. While this shift to the IT Cloud brings many benefits, it also leaves the organization with a new set of security challenges.

Many of these challenges relate to the lack of organizational understanding pertaining to the “Shared Responsibility” model prevalent in the IT Cloud. The model states that the vendor is responsible for creating a secured service, and the client is accountable for using the service in a secure manner. One specific case, where the responsibility to secure falls entirely on the organization’s shoulders is the use of third party applications connecting to IT Cloud email. This scenario did not exist with on premise systems and falls between the cracks with the shift to IT Cloud.

In this new era, employees have the ability to grant applications access to their corporate information. However, organizations do not have the capability to monitor, let alone prevent it. IT Cloud email platforms have created comprehensive sets of APIs to allow third party integrations, offering organizations almost limitless ways to interact with their data. However, these APIs conceal a substantial risk that most organizations do not take into account. Examining a few of the most common email Apps on the market today helps to paint a clearer picture of what it means to allow access to third party apps.

We examined Boxer, Microsoft Outlook (previously Acompli), Spark, CloudMagic, MyMail, Zero, and InboxCube. Our test consisted of reviewing the Terms and Conditions, Privacy Policy, access rights, file sharing capabilities, deletion process, and lastly the actual connections to the Cloud email provider and their origins. The results were not encouraging: after examining the leading email apps on the market, it is evident they pose a serious security threat.

As long as Cloud email providers lack the needed control and governance functionality, organizations are left to independently implement CASB solutions (Cloud Access Security Brokers) to safeguard their information. CASB solutions supply a complex feature set designed to detect and block malicious apps. This detection is based on a proprietary app library maintained through continuous security research. While the security challenges addressed here pertain mostly to email Apps, many of these problems are true for all third party applications that can access the IT Cloud.


Although this trend is only in its infancy, the continual growth of the IT Cloud will only displace more on premise services. With that in mind, organizations must begin reassessing the way they think in terms of security risks and begin adapting to a new generation of solutions to mitigate these security challenges.

To receive your complimentary copy of this research please write to

Copyright 2010 Respective Author at Infosec Island]]>
Adobe Flash Player Issues Offer Endpoint Lessons Tue, 12 Apr 2016 07:00:00 -0500 The recent vulnerabilities found in Adobe’s Flash Player have forced the company to issue security patches yet again. This comes as no surprise to most, since the Flash Player is notorious for having bugs. Flash has been extremely vulnerable and exploited in many high profile attacks via zero-days, as well as commodity attacks leveraging popular exploit kits. Just last year, users had to uninstall Flash when a critical vulnerability was discovered.

Companies have taken it upon themselves to avoid running into Flash Player as much as possible. The Firefox browser blocks Flash by default, and Google Chrome introduced a setting that blocks Flash content from automatically playing, offering users a warning message before proceeding. Six years ago, Apple explained that Flash was too outdated to implement on iOS devices. Last December, even Adobe itself started encouraging content creators to build content using new Web standards such as HTML5. However, Adobe still has not mentioned anything about discontinuing Flash Player.

Another conservative approach some organizations take is to block Flash Players from automatically playing any content. Through this approach, users will need to approve each video before it plays. This method prevents unknown videos from exploiting unresolved vulnerabilities. Sometimes the best way to avoid security issues is by not using an insecure program at all. However, this is an almost unrealistic approach, since most people have Flash Player installed. The majority of users will have to update their Flash Player to avoid becoming victims of these newly discovered vulnerabilities.

Adobe has warned that all users are vulnerable, no matter what OS they’re using: Windows, OS X, Android, Chrome OS, Mac, iOS, and Linux. Five of the vulnerabilities that this Adobe update fixed were critical, but only one vulnerability (CVE-2016-1010) was identified by Adobe as a zero-day flaw that hackers were already exploiting in targeted attacks. These vulnerabilities leave organizations open to major threats, since they allow hackers to execute their own code on affected systems.

Whether the decision is to uninstall Flash entirely or ensure that all updates have been completed across the enterprise, the challenge most IT practitioners often face is related to compliance. Getting entire enterprises to update or uninstall Flash in a timely fashion will be a challenging undertaking.

  • Better Monitoring: Companies need to identify unauthorized applications and validate that endpoints are not running any applications that could permit remote control access, key logging, file sharing or hacking tools. Note that Microsoft Windows updates validate that each endpoint is up to date with the latest Microsoft updates and if not, what updates are missing.
  • Leverage Cloud-based Endpoint Protection: Cloud technologies can prove beneficial in identifying risks towards targeted attacks simply because the cloud allows rapid sharing and roll out of detections and protections at scale. Cloud solutions are continuously updated to cover emerging threats, and designed to grow with your business. This automates compliance with your cybersecurity policies by monitoring all the endpoints in your enterprise.
  • Vulnerability Detection: Companies need a process in place to determine on an ongoing basis any and all vulnerabilities for common user applications such as Chrome, Firefox, Java in addition to Adobe. Endpoints are the most sensitive areas of your company’s network environment, which makes them a prime target for hackers.

As security threats continue to become more complex, companies need to embrace endpoint security as a critical part of their total security portfolio to protect against future gaps and vulnerabilities.


About the Author: Amir Geri handles research and development at Promisec, a pioneer in endpoint detection and remediation. 

Copyright 2010 Respective Author at Infosec Island]]>
Encrypted Messaging App Signal Desktop Launches in Public Beta Mon, 11 Apr 2016 08:34:50 -0500 The Signal secure communication application is now available for all desktop users, after being available via an invitation program only for the past few months.

Developed by Open Whisper Systems, the encrypted messaging application is available in a beta version as a Chrome app. Designed to stay connected with a phone at all times, the software allows Signal Android users to view their messages on the desktop.

Signal Desktop makes all incoming and outgoing messages available on all devices at all times, while also offering end-to-end encryption, along with support for free private group, text, picture, and video messages. It allows users to seamlessly switch between devices and continue conversations on any of them, as the synchronization is performed instantly.

According to Open Whisper Systems, the Signal Desktop beta app has seen a series of improvements since it launched in private beta, now featuring a refined UI and a better look and feel. The application is available for download through the Chrome Web Store.

“As always, everything is end-to-end encrypted and painstakingly engineered in order to keep your communication safe -- allowing you to send high-quality private group, text, picture, and video messages for free,” Open Whisper Systems says. Signal leverages users’ existing phone numbers and address books to keep them connected and does not require separate logins, usernames, or PINs.

When first announcing Signal Desktop in December 2015, Open Whisper Systems also said that only the Android application offers support for the Signal Desktop app for the time being. Unfortunately, the company didn’t offer an update on when the Signal for iOS app would support Signal Desktop in the new announcement.

Signal leverages the ZRTP protocol to encrypt communication. The security protocol was invented by Pretty Good Privacy creator Phil Zimmermann, who is also the co-founder of Silent Circle, a company focused on paid encrypted communication services.

Starting last week, the cryptographic protocol for end-to-end encryption is powering all WhatsApp communication too, as part of a deal announced in November 2014. The encrypted communication is available for both mobile and desktop users, since WhatsApp Web allows people to connect via any browser with a simple QR code scan, and isn’t tied to a specific browser.

WhatsApp’s parent company Facebook and other tech giants have been focused on toughening their encryption as a reaction to the FBI’s attempt to force Apple to decrypt the iPhone of the San Bernardino Islamic terrorist shooter. Although the FBI eventually managed to hack the phone without Apple’s help, they are keeping the encryption battle alive by asking the company to help in another case.

Copyright 2010 Respective Author at Infosec Island
"Cyber AIR" Act Would Direct FAA to Establish Cybersecurity Standards for Aircraft Fri, 08 Apr 2016 07:23:00 -0500

(SecurityWeek) - Senator Edward Markey (D-Mass.), Thursday, introduced a proposed new Cyber AIR Act as amendments to the FAA Reauthorization Bill currently being debated by the Senate. His bill follows his own investigation into the security practices of airlines and aircraft manufacturers.

The bill focuses on three areas. First, it instructs the aviation industry to disclose cyber incidents to the FAA, and the FAA to report annually to Congress. There is no specified time limit for the industry's disclosures; however, if this were done rapidly, the system could allow the FAA to operate as a threat intelligence distribution hub for the whole aviation industry.

Read More at SecurityWeek

U.S. and Canada Issue Joint Alert on Ransomware Wed, 06 Apr 2016 09:56:06 -0500

Ransomware has recently become one of the biggest cyber threats to both end users and enterprises, and the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) have now released a joint alert on ransomware threats.

Ransomware is designed to restrict a user’s access to an infected computer until a ransom is paid. While ransomware programs are not new, their usage has increased dramatically since the beginning of 2016, with cybercriminals targeting individuals and businesses alike, including healthcare facilities and hospitals worldwide.

Over the past few months, numerous new ransomware families have emerged, including Locky, Magic, Petya, PowerWare, and KeRanger, the first fully-functional OS X ransomware, which is based on Linux.Encoder. Ransomware that targets Android exists as well, but, regardless of name or platform, the threat works the same way: it holds the user’s data for ransom and aims at extorting money from victims.

After infecting a machine and taking control of the user’s data by encrypting personal files, the ransomware displays an on-screen alert informing the victim of what happened to their files. The note also tells the victim that they will have to pay a ransom to regain access to the files, usually in a virtual currency such as Bitcoin, and usually amounting to $200–$400.

As DHS and CCIRC note in their joint alert, ransomware is spread via phishing emails that contain malicious attachments, or via drive-by downloads when the user visits an infected website. Exploit kits such as Angler, Nuclear, and Magnitude have all been observed switching to ransomware as their malicious payload over the past several months.

Moreover, malware operators have been focusing on exploiting vulnerable web servers to gain access to enterprise networks, and also use social media for distribution. The joint alert also notes that ransomware sees increased use because it is a very efficient method of generating revenue.

Last year, researchers took a closer look at the CryptoWall 3.0 ransomware and discovered over 4,000 malware samples, 839 command and control (C&C) URLs, five second-tier C&C IP addresses, and over 400,000 infection attempts across 49 campaigns. They estimated that the group behind these attacks infected hundreds of thousands of computers worldwide, causing $325 million in damages.

This year, Locky appears to be the fastest growing ransomware family, infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. The threat is distributed via spam emails with malicious Office documents or compressed attachments that contain macros or JavaScript files.

Another destructive ransomware is Samas, recently discovered to have been used to compromise the networks of healthcare facilities as well. Samas, however, uses penetration testing tools to find vulnerable Web servers and leverages these to infect the organization’s networks.

The joint U.S. and Canada alert also reveals that computers infected with ransomware might also be infected with other malicious applications, which are usually dropped in previous stages of compromise. Effects of ransomware infection include temporary or permanent loss of data, disruption of regular operations, financial losses, and potential harm to an organization’s reputation.

The two agencies also suggest that paying a ransom might not be the solution, as it does not guarantee that encrypted files will be released or that the malware infection has been removed.

To avoid the risks associated with such an infection, users and system admins should back up their data and maintain a recovery plan, use application whitelisting to prevent unapproved software from running, and keep the operating system, applications, and anti-malware software updated at all times.

Users are also advised to avoid clicking on links in emails or enabling macros in email attachments, as this is how the embedded code is executed and the malware enters the computer. Enterprises should consider blocking email messages with attachments from suspicious sources, and limiting users’ permissions to install apps.
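The two attachment types the alert and the Locky description single out, compressed attachments that carry JavaScript files and Office documents that carry macros, can be screened at the mail gateway before a user ever sees the "enable macros" prompt. The following is an added example written for this article, not code from DHS, CCIRC, or Infosec Island: it classifies a set of constructed sample attachments, looking inside ZIP archives for script files, inside zip-based Office documents (.docx/.docm and friends) for a `vbaProject.bin` part, and flagging legacy OLE containers (old .doc/.xls) as macro-capable files that need deeper inspection. All attachment contents, names, and the nesting limit are assumptions made for the example.

```python
"""Gateway-style attachment screening for the carriers named in the DHS/CCIRC alert.

Added example; every sample below is constructed in memory and contains no real
script or macro code.
"""
import io
import zipfile

SCRIPT_EXTENSIONS = {".js"}  # JavaScript files, as named in the article
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container
MAX_NESTING = 2          # assumption: refuse to unpack archives nested deeper than this
MAX_MEMBER_BYTES = 5_000_000  # assumption: skip oversized archive members (zip-bomb guard)


def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def ooxml_has_macros(data):
    """True if a zip-based Office document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data, depth=0):
    """Return a list of human-readable findings for one attachment ([] = nothing flagged)."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script file: {filename}")
    elif ext == ".zip":
        if depth >= MAX_NESTING:
            findings.append(f"archive nested too deeply, not unpacked: {filename}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{filename} -> oversized member skipped: {info.filename}")
                        continue
                    inner = zf.read(info)
                    for f in classify_attachment(info.filename, inner, depth + 1):
                        findings.append(f"{filename} -> {f}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt or non-zip archive: {filename}")
    elif data.startswith(OLE_MAGIC):
        findings.append(f"legacy OLE Office document (macro capable, inspect further): {filename}")
    elif ext in OOXML_EXTENSIONS and ooxml_has_macros(data):
        findings.append(f"Office document with VBA macros: {filename}")
    return findings


def _zip_bytes(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample mailbox: minimal stand-ins for each attachment type.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\x00"}),
    "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"}),
    "scan.zip": _zip_bytes({"scan_0001.js": b"// constructed placeholder, no real script"}),
    "old_memo.doc": OLE_MAGIC + b"\x00" * 16,
    "notes.txt": b"plain text body",
}


def scan_attachments(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its findings; empty lists pass, non-empty ones get held."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in scan_attachments().items():
        verdict = "HOLD" if findings else "pass"
        print(f"{verdict:4} {name}: {'; '.join(findings) or 'no findings'}")
```

The check is deliberately conservative: a macro-free .docx passes, a .docm with a VBA part is held, a script inside an archive is reported with its full path, and legacy OLE files are held for deeper inspection rather than guessed at, since reliably parsing their macro streams is out of scope for a gateway filter this small.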
