Cybersecurity News Archives - Page 11 of 12

2018 Has Seen a Noticeable Surge in Email Impersonation Attacks

The September Email Danger Report circulated by cybersecurity firm FireEye has cast light on the latest methods being used by cybercriminals to dupe end-users into disclosing confidential information such as login identifications to online bank accounts and electronic mail facilities.

Phishing attacks continue to control the dangerous landscape and cybercriminals have been improving their methods to achieve a higher success rate. Standard phishing electronic mails, sent in massive batches to random receivers, require no earlier research on a person or business and can be effective if they reach an inbox. Nevertheless, spam sieving solutions are now much better at identifying these ‘spray and pray’ electronic mail attacks and end users can identify these electronic mails as malevolent with comparative ease if they do reach an inbox. A lot of phishers are now spending more time examining targets and are carrying out much more sophisticated attacks to enhance their success rate.

Among the most usual pieces of advice given to workers in safety awareness training sessions is never to click on a link or open an electronic mail attachment that has been received from a strange sender. If an electronic mail is received from a known individual, it is much more likely to be reliable. It is also much tougher for spam sieving solutions to identify these electronic mails as malevolent.

These imitation attacks involve the attacker imitating to be a known contact, such as the CEO or a coworker. In order to pull off a cheat such as this, the firm should be examined to identify a person within the firm and to find out their electronic mail address. That person’s electronic mail address is then spoofed to make it appear like the electronic mail has been sent from that person’s electronic mail account.

Better still, if an electronic mail account of a worker can be compromised, it can be used to send phishing electronic mails to coworkers from within the business. These Business Email Compromise (BEC) attacks are even tougher to recognize as malevolent, and if the CEO or CFO’s electronic mail account can be compromised, workers are much more likely to reply and open a malevolent attachment or click an embedded hyperlink.

Instead of having to create a message for one target, if access to an electronic mail account is gained, it becomes much easier to deceive large numbers of people with general phishing electronic mails. “By including a phishing link in the impersonation electronic mail, cybercriminals understood they could send out a vaguer electronic mail to a larger amount of people while still seeing a similar open rate,” wrote FireEye in the report.

This method works well if the electronic mail account has been compromised, however, it is also effective if the display name is deceived to demonstrate a person’s actual name instead of just the electronic mail address. Similarly, if the display name is modified to show a real electronic mail address used by the firm, many workers will trust the messages have come from that person and will not carry out additional checks to decide whether the electronic mail is genuine. An alternative method is to register a domain name that is extremely similar to the one used by a firm – with two letters transposed for example – which can be sufficient to fool numerous workers.

These kinds of impersonation attacks are known as friendly name deceiving and are often effective. FireEye notes that there has been a major increase in these kinds of phishing attacks in the first half of the year. Further, a lot of these electronic mails are being delivered – 32% as per the FireEye report.

The study demonstrates not only how important it is to apply an advanced spam sieving solution to block these electronic mails, but also how important it is for workers to receive safety consciousness training to assist them to recognize attacks such as these and to condition workers to carry out additional checks on the actual sender of an electronic mail before taking any action.

Cofense Looks Closely at Healthcare Phishing Attacks

Cofense, the prominent supplier of human-based phishing threat management solutions, has issued new research that demonstrates the healthcare industry lags behind other industrial sectors for phishing protections and is consistently attacked by cybercriminals who often succeed in gaining access to secret patient health data.

The Division of Health and Human Services’ Office for Civil Rights issued a synopsis of data breaches informed by healthcare companies that have involved over 500 records. Each week, many electronic mail breaches are registered on the portal.

The Cofense report examines deeper into these attacks and demonstrates that a third of all data breaches happen at healthcare companies.

There are several instances of how simple phishing attacks have led to attackers gaining access to secret data, some of which have led to the theft of enormous volumes of data. The phishing attack on Augusta University healthcare system, informed in August 2018, led to the health data of 417,000 patients being breached.

Cofense did a cross-industry comparison of 20 verticals including healthcare, the financial facilities, technology, manufacturing, and the energy sectors to decide how vulnerability and resiliency to phishing attacks differ by industrial sectors. The report compared electronic mail reporting against phishing vulnerability and demonstrated that healthcare has a resiliency rate of only 1.34, compared to 1.79 rate for all industries, 2.52 for the financial facilities, and 4.01 for the energy sector.

One of the main causes for the low healthcare score has been past underinvestment in cybersecurity, although the industry is greatly controlled and healthcare companies are required by law to provide safety consciousness training to workers and should implement a variety of controls to safeguard patient data.

The high cost of data breaches – $408 per record for healthcare companies compared to a cross-industry average of $148 per record – has implied that healthcare companies have had to invest more in cybersecurity. Although still worse than other industries, the enhanced investment has seen improvements made even though there is still plenty of room for improvement.

Source: Cofense

By studying replies to simulated phishing electronic mails transmitted through the Cofense PhishMe phishing simulation platform, the Leesburg, VA-based firm was able to recognize the phishing electronic mails that are most usually clicked by healthcare workers. The top clicked messages were bill requests, manager assessments, package delivery electronic mails, Halloween eCard alerts, and beneficiary changes, each of which had a click rate of over 18%. Having access to this data assists healthcare companies to address the biggest dangers. The report also details how, through training and phishing simulations, vulnerability to phishing attacks can be radically decreased.

The report contains a case study that demonstrates how by using the Cofense platform, one healthcare company was able to halt a phishing attack within just 19 minutes. It is not unusual for breaches to take more than 100 days to identify.

Pegasus Spyware Campaigns Gather Speed: Infections Identified in 45 Countries

Pegasus spyware is a genuine surveillance device that has been accredited to the Israeli cyber-intelligence company NSO Group. The spyware functions on both Android smartphones and iPhones to permit safety services to interrupt text messages, trail telephone calls, trail a telephone’s location and get passwords and data from apps connected to an infected appliance.

Since at least 2016, NSO Group has been offering Pegasus spyware to nation-state actors, as per the Citizen Lab, which has carried out an in-depth analysis into the use of the spyware.

The analysis into Pegasus spyware has been going on for two years, during which time the scientists have seen a major increase in the number of operators using the malware. In 2016, there were only 200 known servers linked with Pegasus spyware; nevertheless, by 2018 the number had risen to over 600 servers. There are currently 36 operators known to be using Pegasus Spyware. Infections have been identified in 45 countries and there are 10 operators with infections in another country.

Upsettingly, The Citizen Lab’s research shows that there are six operators in states that have a track record of using spyware on inhabitants targeting civil rights, namely the United Arab Emirates, Kazakhstan, Morocco, Saudi Arabia, Mexico, and Bahrain. The Citizen Lab declares that the spyware has been used by Gulf Cooperation Council states to trail dissidents, especially a UAE activist in 2016 and an Amnesty International staffer in Saudi Arabia this year. In a latest blog post, The Citizen Lab wrote: “Our conclusions paint a grim picture of the human-rights dangers of NSO’s worldwide propagation.”

The complete list of states where Pegasus spyware has been noticed is: Algeria, Bahrain, Uzbekistan, the United States, the United Kingdom, Uganda, the UAE, Turkey, Tunisia, Thailand, Togo, Switzerland, Tajikistan, Singapore, South Africa, Rwanda, Saudi Arabia, Poland, Qatar, Pakistan, Palestine, the Netherlands, Oman, Mexico, Morocco, Lebanon, Libya, Kyrgyzstan, Latvia, Kenya, Kuwait, Jordan, Kazakhstan, Iraq, Israel, Greece, India, Egypt, France, Canada, Cote d’Ivoire, Bangladesh, Brazil, Yemen and Zambia.

Although the spyware has been noticed in those states, NSO Group has criticized The Citizen Lab’s research claiming that it hasn’t supplied the spyware to several of the states in the list, and that it only provides its product in a limited number of states that have been permitted under its Business Ethics Framework. The Citizen Lab stands by its research and maintains that grave suspicions have been raised concerning “the usefulness of [NSO Group’s] internal mechanism if it exists at all.”

Latest Python Ransomware Threat Identified

Safety scientists at Trend Micro have found a new Python ransomware threat that takes credit on the achievement of Locky ransomware. The threat actors behind the ransomware have mimicked the ransom note utilized by the gang accountable for Locky. The ransomware note declares files have been encrypted by Locky Locker. Trend Micro have instead named this new ransomware threat PyLocky.

Python is a common script-writing language, even though it is not usually used for generating ransomware. There have been remarkable exclusions such as CryPy and Pyl33t which were issued in 2016 and 2017 respectively.

What makes the latest Python ransomware variation to be prominent is its anti-machine learning abilities. PyLocky unites the Inno Setup installer and PyInstaller which makes it tougher to recognize the threat utilizing static analysis techniques and machine learning-based cybersecurity solutions. Trend Micro notices that similar methods have been used in certain Cerber ransomware variations.

Pylocky ransomware was first seen in electronic mail spam campaigns carried out in July. The campaigns were targeted and comparatively small, although all through July and August, the scale of the campaigns has risen. At first, the spam electronic mail campaigns were mainly transmitted in France and Germany, even though by the end of August it was French companies that were mainly targeted with France accounting for 63.5% of attacks. A quarter of attacks were carried out in Germany, and 7.5% of attacks were carried out in New Caledonia. Variations of the ransom note have been written in English, Italian and Korean, showing the attacks may spread to other areas in the near future.

The spam electronic mails utilized to dispense PyLocky are different and use social engineering methods to get end users to visit a malevolent URL where a .zip file having the PyLocky executable file is downloaded.

If that file is run, PyLocky will hunt for files on all logical drives and will encrypt over 150 different file kinds including images files, audio files, Office documents, databases, game files, archives, video files and system files. Files are encrypted utilizing the triple-DES cipher and the original files are overwritten. As an anti-sandbox safety, PyLocky will sleep for 999,999 seconds if the system has a total memory size of less than 4GB.

There is no free decryptor available that will open files encrypted by PyLocky. Recovery without paying the ransom is only possible by reestablishing files from backups.

New Brazilian Banking Trojan Hides in Plain Sight

An advanced new Brazilian banking Trojan has been found by safety scientists at IBM X-Force. The Trojan has been titled CamuBot because of its use of concealment to fool workers into running the installer for the malware. Like with other banking Trojans, its aim is to get bank account identifications, even though its method of doing so is different from most of the banking Trojans presently used by threat actors in Brazil.

Most banking Trojans are silent. They are silently connected out of sight, oftentimes through PowerShell scripts or Word macros in malevolent electronic mail attachments. In contrast, CamuBot is very visible.

The cheat begins with the attackers doing some reconnaissance to identify companies that use a particular bank. Workers are then identified who are likely to have access to the firm’s bank account particulars. Those people are got in touch with by telephone and the attacker pretends to be a worker at their bank carrying out a regular safety check.

The workers are directed to visit a specific URL and a scan is carried out to decide whether they have the latest security module installed on their computer. The fake scan returns a result that they have out-of-date safety software and they are told to download a new safety module to make sure all online banking dealings remain safe.

When the safety module is downloaded and executed, a standard installer is shown. The installer contains the bank’s logos and accurate imaging to make it seem genuine. The user is directed to shut down all running programs on their computer and run the installer, which directs them through the installation procedure. During that procedure, the installer generates two files in the %Program Data% folder, determines a proxy module, and adds itself to firewall regulations and antivirus software as a confidential application.

The SSH-based SOCKS proxy is then loaded and establishes port forwarding to generate a tunnel linking the appliance to the attacker’s server. As per IBM X-Force, “The tunnel permits attackers to direct their own traffic via the infected machine and use the victim’s IP address when accessing the compromised bank account.”

The installer then leaves and a popup screen is opened which guides the user to what seems to be the bank’s online portal where they are required to enter their banking identifications. Nevertheless, the site they are directed to is a phishing website that transmits the account details to the attacker.

As soon as the banking identifications have been obtained and their account can be accessed, the attacker verifies that the installation has been successful and ends the call. The victims will be unaware that they have given complete control of their bank account to the attacker.

Some users will have additional verification controls in place, such as an appliance linked to their computer that is required in order for account access to be allowed. In such instances, the attacker will advise the end user that an additional software installation is needed. The malware used in the attack can fetch and connect a driver for that appliance. The attacker tells the end user to run an additional program. When that procedure is finished, the attacker is able to intercept one-time codes sent to that appliance from the bank as part of the verification procedure.

A transaction is then tried, which is tunneled through the user’s IP address to make the transaction seem genuine to the bank. IBM X-Force notes that this attack method also permits the attackers to evade the biometric verification procedure.

Zero-Day Windows Task Scheduler Vulnerability Exploited by Threat Group

On August 27, a safety scientist with the online moniker SandboxEscaper found a zero-day weakness in Windows Task Scheduler (Windows 7-10) and issued a proof-of-concept exploit for the fault on GitHub. Microsoft was not alerted to the fault and was not given time to issue a solution to avoid the fault from being abused.

Obviously, the exploit is now being used by at least one hacking group to attack companies. Cybersecurity company ESET reports that a new threat group named PowerPool has been carrying out targeted attacks using the backdoor.

The fault is present in the Advanced Local Procedure Call (ALPC) of Windows Task Scheduler. If local access to an appliance is gained, it is possible to elevate rights to SYSTEM level by overwriting certain files which are not safeguarded by filesystem access control lists.

Microsoft has not yet rectified the fault – and will likely not do so until Patch Tuesday on September 11 – even though Acros Security has issued a micropatch that will block the fault from being abused. Even though the micropatch has been available for numerous days, many companies have decided to wait until Microsoft solves the problem and remain susceptible to attack.

ESET telemetry data indicates the PowePool group has already carried out attacks using a tad altered type of the proof-of-concept exploit, which was recompiled from the source code published on GitHub. Attacks have been noticed in the US, Russia, India, Ukraine, Chile, Poland, Germany, UK, and the Philippines.

In the assaults, the group uses the exploit to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe to give its malware important consents on systems. According to a latest ESET report, the first stage of the attack involves offering the malware through electronic mail in a spam campaign that utilizes Symbolic Link (.slk) file attachments. The spam electronic mails are part of a targeted spear-phishing campaign, with the electronic mail attachment disguised as an invoice.

The first phase of the malware is used for reconnaissance to identify systems of interest that are worthy of a more wide-ranging compromise. If the system is of interest, the malware downloads an added module that is capable of carrying out commands on a compromised system, can download more files, upload data to the attacker’s C2 server, and can halt processes running on an infected appliance.

ESET notes that the second phase of the malware downloads a range of genuine tools which support the attackers to move laterally on the network and compromise additional appliances.

The published exploit has now been included in the attackers’ arsenal and is being utilized to increase privileges on a compromised system. The exploit was utilized within 48 hours of it being circulated on GitHub. This is a typical example of what occurs when details of vulnerabilities are disclosed outside a coordinated disclosure procedure.

Huge URL Deception Campaign Discovered Targeting 76 Universities

A huge URL deceiving campaign targeting at 76 universities in 14 countries has been found by safety students at SecureWorks.

The threat group called Cobalt Dickens is supposed to be behind the attack. The group is supposed to work out of Iran and is well known for carrying out these sorts of attacks.

The latest campaign has seen the hacking group generate over 300 deceived websites on sixteen domains. Hosted on those websites are bogus login pages for 76 universities, mainly in the United States, but also in universities in Canada, Australia, China, Israel, Japan, Switzerland, Turkey, South Africa, Italy, Germany, the Netherlands, Malaysia, and the UK.

When people are deceived into visiting the bogus login pages and enter their identifications, they are redirected to the genuine university website where they are logged in to a lawful session automatically. They will be unaware that their login identifications have been stolen. The stolen identifications are then used to gain access to the online library systems of universities and intellectual property is stolen.

Universities are appealing targets for cybercriminals. Attacks on financial organizations provide more immediate profit and healthcare companies keep large quantities of valuable data that can easily be sold to identity thieves. Nevertheless, attacks on those companies are more difficult and time-consuming as they normally have more improved cybersecurity protections.

It is much harder to secure university networks and weaknesses often exist which can be easily abused. Universities are therefore seen as easy targets. Attacks can also be very lucrative. Universities often have prized intellectual property which has not yet been commercialized. The information can give companies a substantial competitive advantage.

SecureWorks has issued indicators for the threat and a list of domains that are known to be used by the attackers. Those domains and IP addresses must be obstructed through a router, firewall, or web filter to avoid users from accessing the fake login pages.

The use of 2-factor verification is also strongly suggested. While not infallible, 2-factor verification is an important safety control that can avoid illegal people from gaining access to online resources when login identifications are stolen. Without the second verification factor, access will be disallowed.

Micropatch Obstructs Zero-Day Vulnerability in Windows Task Scheduler

On August 29, 2018, a proof-of-concept use for a zero-day vulnerability in Windows Task Scheduler was published on GitHub by a safety researcher.

The vulnerability had not earlier been disclosed to Microsoft, and therefore, no repair has been released to tackle the fault. If misused, a malevolent actor might elevate consents of malevolent code running on a compromised appliance from guest or user level to administrator level with complete system access.

The fault is not likely to be tackled by Microsoft before September Patch, even though the cybersecurity company Acros Security has created a workaround – a micropatch – that avoids the abuse of the vulnerability. The repair will safeguard weak 64-bit Windows types until Microsoft issues a repair to rectify the fault.

The abuse for the zero-day vulnerability in Windows Task Scheduler was only verified to work on 64-bit types of Windows. Nevertheless, two safety scientists proposed the abuse might be tweaked to work on 32-bit Windows types. Those tweaks are comparatively minor. 32-bit Windows types are therefore also weak and will likely remain so until Microsoft tackles the problem.

The micropatch was made available for 64-bit Windows 10 v1803 types on August 30, 2018 with a micropatch for Windows Server 2016 released the next day together with detailed information regarding how the repair avoids the vulnerability from being abused. The source code has also been released.

Businesses need to connect the micropatch through the opatch Agent client. By providing the source code, businesses are able to apply the repair to their systems without using the opatch agent.

Even though the zero-day has been publicly available for many days, there are no reports of the vulnerability being used by threat actors in the wild. Nevertheless, that is not likely to remain the case for long. It is therefore strongly desirable to apply the micropatch to avoid abuse of the flaw. Microsoft must release an official repair in its September 11, 2018 round of updates.

Ransomware Attacks Slow down as Cryptocurrency Mining Proves More Lucrative

Throughout the previous two years, ransomware has been preferred by cybercriminals as it offered an easy method to make money. Campaigns might easily be carried out through spam electronic mail, and for many people, it wasn’t even necessary to create the malware from scratch. Ransomware-as-a-service permitted campaigns to be carried out for a 60% cut of the profits earned with no programming experience needed.

Although some threat actors are still using ransomware in spray and pray promotions or more targeted attacks, there has been a clear change toward the use of cryptocurrency mining malware. Cryptocurrency mining malware is used in lieu of ransomware because it is more lucrative. The quantity of new ransomware families found was 26% lower in the first half of 2018 compared to the second half of 2017.

The reputation of cryptocurrency mining malware – or cryptojacking attacks as they are also called – has been verified by Trend Micro in its Midyear Safety Roundup statement. Cryptocurrency mining activity findings nearly doubled in the first half of 2018 compared to the second half of 2017, increasing by 96%. Cryptocurrency mining findings in the first half of 2018 were 956% higher than in the first half of 2017. 47 new families of cryptocurrency mining malware were identified in the first half of 2018.

The statement records the altering methods used by cybercriminals to introduce the malware or drive traffic to sites that have cryptocurrency mining code set up. Those tricks include malvertising campaigns, Ad additions into websites by the Droidclub botnet, adware downloaders, the use of web miner writings in the AOL ad platform, misuse of vulnerabilities like CVE-2017-10271, and downloads through exploit kits.

A ransomware virus can prove very expensive for companies in terms of network downtime and interruption to companies’ procedures while systems are reconstructed and data are recuperated from backups. The expenses linked with cryptojacking are often lesser by comparison, however, the attacks are still expensive. Networks are decelerated which has an effect on production, energy charges rise, hardware can be worn down, or in some instances, permanent harm can be caused.

Cybercriminals are continuously changing methods and are exploring for the simplest method to make money. As the value of cryptocurrencies has risen, and safeguards against ransomware improved by firms, tricks have altered consequently. Trend Micro notes in the statement that business leaders should keep abreast of changing tricks and make sure they have adequate safeguards in place to protect against new attack techniques.

The cybersecurity company has also issued an alert to important infrastructure firms. The number of SCADA vulnerabilities identified by Trend Micro has doubled in the space of a year, with most of those vulnerabilities in human-machine interface (HMI) software. Further, cybercriminals have shifted from reconnaissance to actively abusing those vulnerabilities.

AdvisorsBot Malware Utilized in Targeted Attacks on Restaurants and Hotels

Security scientists at Proofpoint have found a new malware danger that is being used in targeted attacks on restaurants, hotels, and telecom companies. AdvisorsBot malware, so called since its C&C servers comprise the word advisors, was first noticed in May 2018 in a range of spam electronic mail promotions.

AdvisorsBot malware is under development even though the existing form of the malware has been used in several attacks all over the world, although the majority of those attacks have been carried out in the United States. The spam campaigns are thought to be carried out by a threat actor known to Proofpoint scientists as TA555.

AdvisorsBot isn’t linked to Marap malware, even though it operates in a similar way in that the malware is a first-stage payload which is utilized to fingerprint the sufferer and identify whether the aim is of interest and worthwhile of a more broad compromise. Proofpoint notices that these malware variations are two instances of a rising tendency of extremely versatile modular malware that can be utilized in a range of different strikes.

AdvisorsBot malware is written in C, even though another type of malware has been recognized that has been written using PowerShell with a .NET DLL in the PowerShell script. This type of the malware, which has been called PoshAdvisor, and runs in the memory without writing any data to the disk.

The scientists note that these malware variations have several anti-analysis characteristics and can identify a range of different malware analysis tools and can decide if they are running on a virtual machine. If on a VM or malware analysis tools are noticed, the malware exits.

The spam electronic mails used to provide the malware comprise a Word attachment with a macro that, if permitted to run, performs a PowerShell command that downloads a PowerShell script that performs inserted shellcode that runs AdvisorsBot.

Three different electronic mail lures have been found, each of which aims a particular industrial sector. Although the campaign seems to be targeted, electronic mails have been sent to targets unconnected to the content of the electronic mails which indicates a more haphazard distribution of the electronic mails.

Hotels are being targeted with a message that claims to have been sent by one who has earlier remained at the hotel and has been charged two times for the stay. The electronic mail attachment seems to be a bank statement displaying the double charge.

The electronic mails targeting restaurants claim that the sender of the electronic mail visited the restaurant and experienced complicated, dangerous food poisoning. The electronic mail attachment has details of disease and the opinion of a doctor, together with a warning of legal action.

The electronic mails targeting telecom companies claim to be a resume sent in a speculative application for work.

New Crucial Apache Struts Vulnerability Found

A new Apache Struts vulnerability has been found in the main functionality of Apache Struts. This is a serious vulnerability that lets distant code execution in certain configurations of the framework. The vulnerability might prove more serious than the one that was abused in the Experian hack in 2017.

Apache Struts is an open source framework utilized in several Java-based web applications. It has been approximated that at least 65% of Fortune 500 firms use Struts to some extent in their web applications.

The vulnerability was known by safety scientist Man Yue Mo of Semmle and is being followed as CVE-2018-11776. Semmle unveiled the vulnerability to the Apache Foundation and the timing of publication of the vulnerability matches with the release of a patch to repair the vulnerability.

The possibility for abuse is limited by the fact that only certain configurations of Apache Struts are susceptible to attack. While these configurations are not likely to be set by the bulk of companies, they are far from unusual.

The Apache Foundation has released particulars of the configurations that are susceptible:

When the alwaysSelectFullNamespace flag is set to true, which is the default configuration using the Struts Convention plug-in.
When the Struts configuration file of an application has “a <action …> tag that does not identify the optional namespace attribute or specifies a wildcard namespace (e.g. “/*”)”.

Now that the vulnerability has been unveiled it is necessary for all companies to update vulnerable versions of Struts as a priority. The vulnerability is present in all supported versions of Apache Struts 2. Users of Struts 2.3 have been advised to upgrade to 2.3.35 and users of 2.5 must upgrade to 2.5.17.

As Semmle noted in an August 22 blog post, earlier vulnerabilities in Apache Struts have led to exploits being developed within a day of the announcement being made of a vulnerability.

It is possible that targets can be easily identified and attacks are unavoidable. As the Experian hack indicated, the failure to tackle Struts weaknesses can prove extremely damaging.

Necurs Botnet Now Dispersing Marap Malware

The Necurs botnet is being utilized to transmit huge quantities of spam electronic mails having Marap malware. Marap malware is presently being utilized for reconnaissance and learning about sufferers. The aim seems to be the creation of a system of infected users that can be targeted in future attacks.

The malware generates an exclusive impression for each infected appliance, contacts its C2 server, and transmits information concerning the sufferer’s system to the attackers including username, operating system, language, country, IP address, domain name, hostname, installed anti-virus software, and details of Microsoft Outlook OST files.

The malware has some basic anti-analysis characteristics and can find when it has been installed on a virtual machine and contains measures to obstruct debugging and sandboxing.

Marap malware is modular and can easily be updated with additional modules post-infection to provide increased functionality. It helps as a malware dropper that can be used to provide many different payloads, even though it is presently unclear what those payloads will be.

The malspam campaign was discovered by safety scientists at Proofpoint who say it involves millions of emails. Marap malware is delivered using a range of different electronic mail attachments, with Microsoft Excel Web Query files (IQY) preferred. The messages have iqy files as attachments, or they are incorporated in PDF files and password-protected ZIP files. Standard Microsoft Word documents with malevolent macros are also being transmitted.

The spam campaign includes a range of different electronic mail subjects and messages including sales requests, important banking documents, invoices, and simple electronic mails just containing malevolent PDF files and ZIP file attachments.

Proofpoint notes that there has been a surge in these flexible malware variations in recent months as threat actors move away from ransomware and ‘noisy’ malware that are easy to notice. In its place, downloaders, for example, Marap malware gives attackers the flexibility to introduce a variety of different attacks and carry out a recce to identify systems that deserve a more significant compromise.

Free Decryptor for Fileslocker Ransomware Created After Master Key Leaked

A free decryptor for Fileslocker ransomware has been created after the leaking of the master key for the ransomware on Pastebin.

The master key is the key utilized by threat actors to decrypt files that have been encoded by the ransomware. The post was generated on December 29, 2018, and states that the master key, which decrypts the secret key, is “relevant to V1, V2 version” and that the poster is “waiting for safety personnel to create decryption tools.”

A free decryptor for Fileslocker ransomware was created by Michael Gillespie, the inventor of MalwareHunterTeams’ ID Ransomware – A tool that can be utilized to decide what ransomware variation has been utilized to encrypt files.

Interestingly, a new Christmas-themed type of Fileslocker ransomware was released in late December which encrypted files and modified the Desktop wallpaper to a Christmassy background. Moreover, the browser on an infected appliance was opened and the Pastebin decryption key was shown.

In order for the free decryptor for Fileslocker ransomware to operate, a victim should upload the ransomware note from the Desktop. The ransom note has the encrypted decryption key, which is unlocked using the newly developed master key-based decryptor.

Filerlocker ransomware is a ransomware-as-a-service offering that is typically distributed by partners who get a cut of the profits from any ransom payments they make from distributing the ransomware. What is not understood is why the master key was released.

The Pastebin posting provides a hint. It finishes with the expression “The end is just the beginning,” which indicates that Fileslocker ransomware is no more and the group at the rear of the ransomware is moving on to other tasks. This is not unusual. When ransomware variations are retired, the master keys are often issued online. What the threat group moves onto subsequent is anyone’s guess, but for now, at least, any persons who are infected with Fileslocker ransomware will be able to decrypt their files for free of charge.

Tribune Publishing Cyberattack Cripples Many U.S. Newspapers

A fresh malware attack on Tribune Publishing has caused interruption to many newspaper print runs including those of the Los Angeles Times, San Diego Tribune, and the west coast editions of the New York Times and Wall Street Journal, among others. The Tribune Publishing cyberattack happened on Thursday, December 28, 2018, and spread all over the Tribune Publishing system on Friday, disturbing the Saturday publications of a number of newspapers that shared the same production platform.

At the outset, the interruption was attributed to a computer failure, even though the LA Times later verified it had suffered a malware attack carried out by threat actors outside the United States. The Tribune Publishing cyberattack didn’t lead to any subscriber or promoter data being accessed and is supposed to have been carried out either to intentionally cause interruption or in an attempt to extract money from Tribune Publishing.

Although the malware variant used in the attack has not been formally verified, numerous sources at the affected newspaper informed the LA Times that the attack included Ryuk ransomware, which was recognized by the extension added to encrypted files: .ryk.

Scientists at Check Point had earlier examined Ryuk ransomware and found it shares some of its source code with Hermes ransomware. The latter had been attributed to an APT danger actor called the Lazarus group: A hacking group with strong relations to North Korea.

Although it is possible that the Lazarus group has carried out the attack specially to cause interruption to News outlets, the attack might similarly have been executed by an actor who has acquired the source code to Ryuk ransomware, or the closely linked Hermes ransomware.

Ryuk ransomware first surfaced in the summer of 2018 and has been used in numerous campaigns targeting companies in the United States. Those attacks seem to have been financially inspired.

Not all agree that Lazarus is behind Ryuk ransomware. Symantec proposes that Ryuk ransomware has been dispersed by the group behind the Emotet banking Trojan and CrowdStrike has attributed Ryuk ransomware to a crime group in Eastern Europe known as Grim Spider.

It’s also presently unclear how the ransomware was connected. Ryuk ransomware campaigns earlier this year have included malspam (phishing) electronic mails. The use of RDP-based methods to connect the malware, such as the use of stolen identifications or brute force RDP attacks is also a probability. IT teams have been working round-the-clock to remediate the Tribune Publishing cyberattack. Production resumed to usual in time for the Sunday publications of the affected papers. It is unclear if the ransom was paid.

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Orange Livebox Modems Revealing WiFi Information

Hackers are abusing a fault (CVE-2018-20377) in Orange Livebox ASDL modems that let them get the SSID and the Wi-Fi password of the appliances in plaintext. As soon as access is gained to a weak modem, attackers could update the firmware and alter device settings. Abusing the vulnerability is as easy as sending a GET request.

The vulnerability was identified by Troy Mursch at Bad Packets, who noted the company’s honeypots were being scanned with GET requests in the run-up to Christmas. The images were part of targeted attacks on Orange LiveBox ASDL modems, which are utilized by Orange Espana to provide a consumer Internet facility.

Identifying the appliances is a swift and easy procedure. A search can be carried out on the search engine Shodan. A rapid search by Mursch demonstrated there are presently 19,490 of the vulnerable modems in use. Additional 2,018 modems were not leaking data but were exposed to the Internet.

As soon as identified, an attacker only requires to send a GET request to “/get_getnetworkconf.cgi to get plaintext SSIDs and WiFi passwords. An attacker can also see the phone number of the client and the MAC addresses and names of all related clients. Mursch also found that password reuse was widespread, and many appliances had not set a custom password, instead, they used the default admin/admin identifications.

The attack identified by Mursch seems to come from within Spain from a Telefonica Spain customer. It is presently unclear why attempts are being made to access the modems’ Wi-Fi identifications.

Mursch has reported the fault to CCN-CERT, Orange Espana, and Orange-CERT and the vulnerability is presently being probed. The vulnerability is present in Orange Livebox Arcadyan ARV7519 modems running firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217.

Over 50 Accounts Compromised in San Diego School District Data Breach

A major data breach has been informed by the San Diego School District that has possibly led to the theft of the personal information of over half a million present and former staff and students. The data disclosed as a consequence of the breach date back to the 2008/2009 school year.

The breach was noticed after reports from district staff of a flood of phishing electronic mails. The electronic mails were highly credible and deceived users into visiting a web page where they were required to enter their login identifications. Doing so passed the identifications to the attacker.

The attacker succeeded in compromising over 50 accounts, which permitted access login to the school district’s network which comprised the district database having staff and student information.

A wide variety of confidential information was saved in the database including names, birth dates, deduction information, salary information, savings and flexible spending account details, dependent identity information, tax information, payroll information, legal notices, enrollment information, emergency contact details, Social Security numbers, health data, attendance records, the names of banks, routing numbers, and account numbers for direct deposits.

The break was noticed in October 2018 but was determined to date back January 2018. When a data breach is noticed, the first step that is commonly taken is to shut down access to all undermined accounts. Doing so would obviously forewarn the attacker that the breach has been noticed.

In this situation, the San Diego Unified Police was notified about the breach and the decision was taken to probe the breach before ending access. By taking this measure, the police division was able to identify a person who is supposed to be behind the attack.

All compromised identifications have now been reset and illegal access is no more possible. Additional safety controls have now been applied to avoid similar attacks in the future.

Notices have now been issued to all affected people. Those notices were delayed to allow the police to probe the breach without tipping off the attacker.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

Actively Exploited Internet Explorer Vulnerability Patched by Microsoft

Microsoft has issued an out of band update for Internet Explorer to rectify a vulnerability that is being actively exploited. The Internet Explorer vulnerability was found by Clement Lecigne at Google’s Threat Analysis Group, who informed Microsoft of the vulnerability.

The remote code execution vulnerability, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, which manages memory objects. If the vulnerability is abused, an attacker might corrupt the memory in a way that lets the implementation of arbitrary code with the same level of rights as the existing user.

If the attack happens while a user is logged in that has administrative privileges, an attacker would be able to take complete control of the user’s appliance and connect programs, modify or erase data, or create new accounts with complete admin privileges.

For the vulnerability to be exploited, a user would need to visit a specifically created web page having the exploit code. This might be achieved through malvertising – malevolent advertisements that redirect users to the malevolent webpages – or by sending electronic mails having a hyperlink to the malevolent web page.

Updates have been issued for:

Internet Explorer 11 on Windows 10
Windows 8.1
Windows 7 SP1
Internet Explorer 10 on Windows Server 2012
Internet Explorer 9 on Windows Server 2008

Obviously, the updates must be applied as soon as possible, even though temporary measures can be taken until the update is applied to defend against attack. Microsoft proposes rights to the jscript.dll file for the Everyone group must be removed. This will not have any unfavorable effects for users of Internet Explorer 9, 10, or 11, which use the jscript9.dll file by default.

To modify rights on 32-bit systems, enter the following command at an admin command prompt:

cacls %windir%\system32\jscript.dll /E /P everyone:N

On 64-bit systems, enter the following command:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

No details have been issued to date on present attacks that are abusing this vulnerability. Google has yet to provide that information to Microsoft.

90% of Malware Delivered Through Spam Email

Cybercriminals use a range of methods to gain access to business networks to install malware, even though by far the most usual method of dispersing malware is spam electronic mail. As per the latest study by F-Secure, in 2018, 90% of malware was distributed through spam electronic mail.
The most usual kinds of malware distributed via spam electronic mail are bots, downloaders, and backdoors, which jointly comprise 52% of all infections. Banking Trojans comprise 42% and Emotet, Trickbot, and Panda banking Trojans are most usual. Although 2018 has seen several ransomware attacks on companies, ransomware comprises just 6% of spam-delivered malware. F-Secure notices that all through 2018, email-based ransomware attacks have decreased.
Analysis of spam electronic mails has indicated that among the most effective and most used appeals is a failed delivery notice, particularly during the holiday period. At this time of the year, users are likely to be anticipating package deliveries.
During the holiday period, a lot of users let their guard down and reply to messages that they would identify as doubtful at other times of the year. This was shown by F-Secure through replicated Black Friday and Cyber Monday themed phishing attacks. The campaign observed a 39% surge in people replying to the phishing messages than at other times of the year.
F-Secure’s study showed 69% of spam electronic mails try to get users to visit a malevolent URL. The hyperlinks in the messages lead users to phishing websites where they are requested to enter confidential information such as credit card numbers, Office 365 logins, or other identifications. Hyperlinks also guide users to sites hosting exploit kits that probe computers for vulnerabilities and quietly download malware or trick users into downloading apparently benign files that have malevolent scripts. 31% of spam messages have malevolent attachments – often macros and other scripts that download malevolent software.
In years gone, spam electronic mails were comparatively easy to identify; nevertheless, lots of the spam and phishing electronic mails now being sent are much more sophisticated. Cybercriminals are using well-tried social engineering ways to receivers to disclose confidential information or install malware. Many spam electronic mails are almost the same as those sent by real companies, complete with proper branding and logos.
With more users opening malevolent electronic mail attachments and clicking hyperlinks in electronic mails at this time of year, companies confront a higher danger of malware infections, electronic mail account breaches, and theft of confidential information.
Obviously, an advanced spam filtering solution should be applied to avoid malevolent messages from being delivered to inboxes. Web sieving technology can be applied to avoid workers from visiting malevolent websites. Though, as good as technological solutions are at obstructing spam, phishing, and malware downloads, it’s important not to disregard the last line of protection: Workers.
Safety consciousness training must be provided to all workers to teach them cybersecurity best ways and how to identify malevolent electronic mails. Through continuous training, the vulnerability of workers to phishing attacks can be substantially decreased. As per Cofense, training and phishing simulation exercises can decrease worker vulnerability to phishing attacks by over 90%.