Thought leadership. threat analysis, news and alerts.
Search Engines Blacklist Fewer Sites, Study Shows
A study conducted by SiteLock showed that search engines are blacklisting fewer sites.
Blacklisting happens when a search engine removes a website from its results due to the presence of a malicious software (malware).
In the second quarter of 2018, SiteLockanalyzed over 6 million websites through the use of malware scanners. SiteLock’s analysis showed that search engines like Google and Bing only blacklisted 17.5% of infected websites with malware in the second quarter of 2018, a 6% decrease from the previous year.
Prevalence of Website Malware
Website visitors and website owners alike rely on search engine warnings. On the part of website visitors, they rely on search engines to flag malicious websites that may leave them unprotected as they surf the web.
According to SiteLock, when website owners rely mainly on search engine warnings and outwardly facing symptoms, they may be missing malware that’s attacking their website visitors.
Even as search engines are blacklisting fewer sites, malicious websites aren’t getting fewer. SiteLock’s study showed that 9% or as many as 1.7 million websites have a major security vulnerability that could allow attackers to embed malware on them. The 3 most common security vulnerabilities on websites identified by SiteLock are SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).
SQLi security vulnerability allows attackers to inject malicious database code into website text fields or forms. In an SQL injection attack, an attacker can gain full access to the website’s MySQL database, administrative back end or the entire website. MySQL refers to an open source management system that makes it convenient to add, access and manage content in a website's database.
XSS security vulnerability allows attackers to inject malicious code into a web form or web application. In a cross-site scripting attack, the web application is tricked into doing something that it isn’t supposed to do. CSRF, meanwhile, is often used with social engineering – tricking victims. In a cross-site request forgery attack, an attacker forces authenticated users to do unauthorized actions while logged into a vulnerable web application.
SiteLock’s sampled websites showed that 7.19% of sites have an SQLi vulnerability, 1.56% of sites have an XSS vulnerability and .19% of sites have a CSRF vulnerability.
SiteLock’s study also found that sampled websites experience an average of 58 attacks per day, with 1% of the sites infected with a malware. The study further found that website attacks are becoming increasingly sneaky and difficult to detect. An example of a symptomless attack on websites is the browser-based cryptojacking, which doubled (2%) in number compared to last year’s number (1%), according to SiteLock’s study. In browser-based cryptojacking, an attacker hijacks a browser to mine a cryptocurrency.
McAfee’s Blockchain Threat Reportshowed that nearly 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent. This number, according to McAfee Labs, only accounts for non-obfuscated sites, which means that the actual number is likely much higher.
As it stands, Coinhive resides in a gray area of legitimacy. In an ideal world, both the website owner and website visitor must consent to Coinhive’s browser-based cryptocurrency mining.
A website owner or, in the case of a cyberattack, an attacker may embed the Coinhive code into a website. When a user visits a website with an embedded Coinhive code, the cryptocurrency called “Monero” is then mined from the user's browser using the computing power or CPU of the website visitor. As of October 21, 2018, the price of one Monero coin is $103.
When the Coinhive code is embedded into the website by a website owner, the cryptomining income goes to the website owner. When the Coinhive code is embedded by a cyberattacker, the cryptomining income goes to the attacker.
Coinhive code made its way to YouTube. In January this year, Trend Microdiscovered that attackers abused Google's DoubleClick ad platform, enabling the attackers to display ads on YouTube that contain the Coinhive code. YouTube visitors in select countries, including Japan, France, Taiwan, Italy and Spain were affected, with 80% of the affected visitor's CPU resource was used to mine the cryptocurrency Monero.
"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google representative said in a statement. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Check Pointranked 3 browser-based cryptocurrency mining scripts Coinhive (ranked #1), Crypto-Loot (ranked #2) and JSEcoin (ranked #4) as “February 2018’s Top 10 ‘Most Wanted’ Malware”.
Here are some of the security measures that need to be put in place in order to prevent attackers from installing malware into your website:
Use a Website Malware Scanner
A website malware scanner allows website owners to check their sites for web-based malware.
Keep All Website Applications Up-to-Date
Ensure that your web applications are up-to-date. Using outdated web applications with known security vulnerabilities can leave your website vulnerable to exploitation by cyberattackers.
Use Web Application Firewall (WAF)
Filtering web traffic via WAF is one of the measures in protecting your website from a successful cyberattack. Your traditional perimeter firewalls don’t protect your website.
Contact ustoday if you need assistance in protecting your website against cyberattacks.
Latest Phishing Campaign Attempts to Install Remcos Remote Access Tool into Victims' Computers
Thousands of Icelanders have been targeted in the latest phishing campaign that attempts to install the Remcos remote access tool into the victims' computers, this according to the recent report by Cyren.
While the actual victims may seem low, Cyren said, this could be the largest cyberattack to hit Iceland, a country with just close to 350,000 population.
Latest Phishing Attack Modus Operandi
Magni Reynir Sigurðsson, senior threat analyst at Cyren, reported that the phishing campaign targeting Icelanders, which has been observed since October 6th, begins with an email impersonating the Lögreglan – Icelandic police. The email requests the recipient to come to the police station for questioning. The email also threatens the recipient that an arrest warrant may be issued in case of non-compliance.
The attackers registered the domain name www[dot]logregian[dot]is. This domain name, on the first glance, is very similar to the official domain name of the Icelandic police www[dot]logreglan[dot]is. The only difference is that the “l” in the official site is changed to “i”. Buying this similarly named domain enables the attackers to send emails with sender address ending in “logregian[dot]is”, which on the first glance, closely resembles the emails from the official Icelandic police ending in “logreglan[dot]is”.
The link provided in the phishing email that purportedly leads to additional information about the case leads to the phishing site www[dot]logregian[dot]is that strikingly resembles the official site of the Icelandic police www[dot]logreglan[dot]is.
In the phishing site, the victim is asked to provide an Icelandic social security number. Unlike other phishing sites which can be fooled by entering wrong data, this phishing site knows whether the victim is entering the wrong social security number or not. When a wrong number is entered, an error alert is shown, and when the number entered is correct, this leads to a new phishing webpage that displays the victim's actual name. Sigurðsson hypothesized that the phishers used a database, containing Icelanders’ social security numbers and actual names, that was leaked years ago.
Being able to match the social security number with actual name further give credence to this phishing campaign. To give further credence to this campaign, the attackers ask the victim to enter the authentication number contained in the email that was sent to him.
Entering the authentication number leads the victim to another phishing webpage that automatically downloads a .rar file that purportedly contains additional document about the case. When this .rar file is extracted, a .scr file (Windows Screensaver) disguised as a Word document with file name “Boðun í skýrslutöku LRH 30 Óktóber.scr”, roughly translated to English as “Called in for questioning by the police on October 30th” is shown.
When this disguised Word document is executed, a file called “Yfirvold.exe” and “Yfirvold.vbs” are dropped into the victim's computer. Sigurðsson said that the Yfirvold.vbs file is placed in the Windows Startup folder so that in case the victim reboots his computer the .vbs script will execute Yfirvold.exe – a malware that uses the code and components from a known remote access tool called “REMCOS”.
What Is REMCOS?
REMCOS stands for Remote Control & Surveillance Software. This software is sold online by the company called “Breaking Security”. Remcos’ price ranges from €58 to €389. Buyers of Remcos can also pay using a variety of cryptocurrencies.
Breaking Security markets Remcos as a legitimate software that allows users to remotely control and monitor Windows operating system, from Windows XP and all versions thereafter, including server editions. In addition to selling Remcos, Breaking Security also offers Octopus Protector, keylogger and mass mailer. Octopus Protector encrypts a file laden with malware on the disk, allowing it to bypass several antivirus protections. Keylogger records and sends the keystrokes made on a computer, while a mass mailer sends large volumes of emails.
In the case of the phishing attack targeted against thousands of Icelanders, according to Sigurðsson, the Remcos that’s installed into the victims’ computers comes with keylogging capability, collecting input from the victims’ keyboards and storing them in logs and then uploading them to the command and controller servers controlled by the attackers. These servers, Sigurðsson said, are located in Germany and Holland.
The Remcos that’s installed into the victims’ computers in the Iceland phishing attack also comes with a fact checker that checks if the victims are accessing the largest online banks in Iceland. According to security researcher MalwareHunterTeam, this fact-checking capability is a selective keylogger feature of Remcos.
According to researchers at Cisco Talos, Remcos was also used to attack international news agencies, diesel equipment manufacturers operating within the maritime and energy sector, and HVAC service providers operating within the energy sector.
"Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems,” researchers at Cisco Talos said.
Similar to the phishing attack targetting Icelanders, the cyberattacks mentioned by Cisco Talos started with a phishing email, purportedly coming from a government agency and comes with an attached document.
Embedded into the attached document is a small executable. “The extracted executable is simple and functions as the downloader for the Remcos malware,” Cisco Talos researchers said. “It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”
While the company behind Remcos claims that its software is meant for legitimate use, data in the wild, including the cyber incidents reported by Cyren and Cisco Talos demonstrate that Remcos is being used by malicious actors.
Remcos is a powerful remote access tool that’s being regularly modified to include new functionalities to remotely control and monitor any Windows operating system.
Make sure that your organization is implementing security measures to combat Remcos and another phishing modus operandi.
When you need help, we are a phone call away. Connect with ustoday and protect your business.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
Why Your Organization Should Replace All TLS Certificates Issued by Symantec
October 2018 is a crucial month for anyone owning a website as two of the world’s biggest browsers, Chrome and Firefox, will “distrust” TLS certificates issued by Symantec.
What Is a TLS Certificate?
TLS stands for Transport Layer Security. This technology is meant to keep the internet connection secure by encrypting the information sent between the website and the browser, preventing cybercriminals from reading and modifying any information that’s being transferred.
The more popular TLS isn’t free. A website owner has to buy this technology – referred to as TLS certificate – from any of the companies trusted by browsers. Symantec was once a trusted issuer of TLS certificates by Google, the owner of Chrome, and Mozilla, the organization behind Firefox.
HTTPS, which stands for Hyper Text Transfer Protocol Secure, appears in the URL when a website uses a TLS certificate. Google has also been rewarding websites using TLS certificates with improved web rankings. As of July 2018, according to Mozilla, 3.5% of the top 1 million websites were still using Symantec TLS certificates.
When a visitor attempts to connect to a website, the browser used by the visitor requests the site to identify itself. The site then sends the browser a copy of its TLS certificate. The browser, in return, checks if this TLS certificate is a trusted one. If the browser finds that the TLS certificate can be trusted, the browser then sends back a digitally signed acknowledgment to start the TLS encrypted session.
Reasons Behind the Distrust of Symantec TLS Certificates
In March 2017, Ryan Sleevi, software engineer at Google Chrome, posted on an online forumGoogle’s findings, alleging that Symantec failed to properly validate TLS certificates. Sleevi said that Symantec mis-issued 30,000 TLS certificates over a period spanning several years.
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” Sleevi said.
Symantec, for its part, said that Google’s allegations are “exaggerated and misleading”. “Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” Symantec said. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program.”
Mozilla, for its part, conducted its own investigation surrounding Symantec’s issuance of TLS certificates. Mozilla said it found a set of issueswith Symantec TLS certificates. A consensus proposalwas reached among multiple browser makers, including Google and Mozilla, for a gradual distrust of Symantec TLS certificates.
On October 31, 2017, DigiCert, Inc. acquired Symantec’s website security business, and on December 1, 2017 DigiCert took over the validation and replacement of all Symantec TLS certificates, including TLS certificates issued by Symantec’s subsidiaries: Thawte, GeoTrust and RapidSSL.
“DigiCert will replace all affected certificates at no cost,” DigiCertsaid in a statement. “Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.”
Implications of the Distrust of Symantec TLS Certificates
Mozillasets October 23, 2018 as the distrust date of all TLS certificates issued by Symantec. Googlesets October 16, 2018 as the distrust date for all TLS certificates issued by Symantec to non-enterprise users, while January 1, 2019 is the distrust date set by Google for all TLS certificates issued by Symantec to enterprise users. Apple, the owner of the Safari browser, sets “Fall 2018” as the date of complete distrust of Symantec TLS certificates.
In the case of Chrome, if website owners fail to replace their Symantec TLS certificates beyond the prescribed period by Google, the message below will be shown instead:
Image by Google
In the case of Firefox, the message below will be shown instead:
Image by Mozilla
As can be gleaned from the distrust notices by Google and Mozilla, failure to replace Symantec TLS certificates runs the risk of attackers trying to steal information from your organization’s website, including passwords, messages and credit card details.
According to Mozilla, whenever it connects to a website, it verifies that the TLS certificate presented by the website is valid and that the site’s encryption is strong enough to adequately protect the privacy of the visitor. If Firefox determines that the TLS certificate can’t be validated or if the encryption isn’t strong enough, the connection to the website will be stopped and instead, the message, “Your connection is not secure” will be shown, Mozilla said.
“When this error occurs, it indicates that the owners of the website need to work with their certificate authority to correct the policy problem,” Mozilla added.
Contact us today if your organization needs assistance in replacing legacy Symantec TLS certificates.
Most Universities at Risk of DDoS Attacks
The recent distributed denial of service (DDoS) attack on the online services of the Scotland-based University of Edinburgh adds to the growing list of universities hit by DDoS attacks.
Last September 10th, University of Edinburgh’s online services, including wireless services, websites and many online student services were disrupted for several hours as a result of a DDoS attack. The attack was done during the busy “Welcome Week” period of the university.
“I apologise for the disruption to this service, particularly during the busy Welcome Week period,” Gavin Ian McLachlan Chief Information Officer at the University of Edinburgh, said in a statement. “I realise how frustrating this must have been.”
DDoS Attacks on Colleges and Universities: Who, When and Why
A recent study conducted by Jisc provides a picture of who may be launching these DDoS attacks, in particular, on UK’s colleges and universities based on the specific time these attacks were done.
Jisc is a UK not-for-profit company that offers internet service via the Janet Networkto UK research and education community, including the University of Edinburgh.
Jisc said, “there is evidence both circumstantial and from the justice system to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network.”
The Jisc study found that DDoS attacks on colleges and universities were usually done during school period and attacks dramatically decrease during holiday times, such as summer breaks, Christmas, Easter and May half term breaks.
“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle,” Jisc said. “Or perhaps the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organization if there’s no one there to suffer the consequences.”
Several students had been prosecuted in the past for attacking their colleges or universities. Adam Mudd, a student at West Herts College, pleaded guilty for launching DDoS attacks against his college; while Paras Jha, a student at Rutgers University, pleaded guilty for launching DDoS attacks against his university.
These college and university students don’t just target their own schools. In April 2017, Adam Mudd received a 2-year jail sentence for running “Titanium Stresser”, a DDoS-for-hire service that launched 1.7 million DDoS attacks against victims worldwide.
In December 2017, Jha with two college-age friends, pleaded guilty for creating the Mirai botnet – referring to the hundreds of thousands of IoT devices compromised by Jha’s group using 62 common default login details and using them as a botnet or zombie army to conduct a number of powerful DDoS attacks.
According to the U.S. Department of Justice, Jha’s involvement with the Mirai botnet ended when he posted the source code for Mirai on a criminal forum in the fall of 2016. In October 2016, internet infrastructure company Dyn became a target of DDoS attacks, which resulted in bringing down a big chunk of the internet on the U.S. east coast. The DDoS attacks against Dyn temporarily took offline major websites, such as Amazon, Twitter and Netflix. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dynsaid in a statement.
The Jisc study also showed a significant decrease of DDoS attacks on the Janet Network starting in April 2018. Jisc theorized that this reduction of DDoS attacks could be a result of the Operation Power Off, a coordinated operation conducted by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world.
Operation Power Off took down the DDoS marketplace webstresser.org and resulted in the arrests of the site’s administrators located in the UK, Croatia, Serbia and Canada.
According to the European Union Agency for Law Enforcement Cooperation (Europol), webstresser.org was the world’s biggest marketplace to hire DDoS services, with 4 million recorded attacks as of April 2018.
For as low as EUR 15 a month, individuals with little to no technical knowledge launched crippling DDoS attacks via webstresser.org, the Europol reported.
Jisc said that beyond disgruntled college and university students and staff, there are far more serious criminal players at work that these institutions ignore at their peril.
Jisc added that some of these more sophisticated DDoS attacks are designed, not just to bring down an online service offline but also to steal intellectual property, targeting valuable and sensitive and information held at these educational institutions.
Preparing for DDoS Attacks
Here are some security measures that can fortify your organization’s IT defenses in case a disgruntled student, a staff or other criminal elements decide to launch a DDoS attack against your organization:
Look for abnormal incoming traffic, including sudden traffic rise and visits from suspicious IP addresses and geolocations. These could all be indicators that criminal elements are testing your organization’s IT defenses prior to conducting a crippling DDoS attack or attacks.
Consider conducting your very own DDoS attack against your organization’s IT infrastructure. This simulated cyberattack, known in the cybersecurity community as pen testing, can prepare your organization when the real DDoS attacks happen.
Contact us today if you need assistance in protecting your organization against DDoS attacks.
U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack
The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus” over WannaCry cyberattack and two other high-profile attacks, the Sony Pictures cyberattack and the cyberheist at the Bangladesh Bank.
The Justice Department filed a criminal complaintlast June 8, 2018 against North Korean national Park Jin Hyok for WannaCry, Sony and Bangladesh Bank cyberattacks. This criminal complaint though wasn’t made public when it was filed. It was only made public during the recent announcement by the Justice Department.
The WannaCry, Sony and Bangladesh Bank cyberattacks are among the notorious cyberattacks in recent years. On May 12, 2017, WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payment from victims.
The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.
The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.
The criminal complaint, specifically filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there’s sufficient evidence that shows Park was a member of the conspiracies that resulted to the WannaCry, Sony, Bangladesh Bank successful intrusions as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.
Shields said that Park, a computer programmer, used to work at a China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.
Cybersecurity organizations like Symantec, BAE Systems and Kaspersky Lab have called this North Korean hacking organization as “Lazarus”.
"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.
Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.
According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.
Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of Macktruck malware found at Sony attack, the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and the Nestegg malware found at Bangladesh Bank cyberheist.
TLS, short for Transport Layer Security, refers to a cryptographic protocol that’s used to increase the security of communications between computers. The “FakeTLS”, meanwhile, refers to a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method. By utilizing “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.
Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:
Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.
Kaspersky Lab also agrees that Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.
According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity which appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful enough to wipe any traces of their illegal activities, one server that the group breached contained a serious mistake with an important evidence left behind.
The compromised server, Kaspersky Lab said, was used as a command and control center for a malware. While the group tested the compromised server using VPN/proxy servers to conceal their true IP address, the group committed one mistake as one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.
Symantec, for its part, said there’s a strong link between Lazarus and WannaCry, Sony and Bangladesh Bank attacks.
According to Symantec, evidence gathered from an early version of WannaCry malware found three other malware: Trojan.Volgmer and two variants of Backdoor.Destover – software programs that were used as disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares a code with Backdoor.Contopee – a malware used by the Lazarus group in intrusions at banks.
The attack methods of Lazarus group keep on evolving. One form of cyberdefense, therefore, isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and corresponding preventive measures:
1. Exercise Caution in Clicking Links
One of the intrusion methods used by Lazarus is via spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email but the hyperlinked text “Log In” that supposedly lead to the official Facebook page instead goes to a URL controlled by the group and directed victims to a malware.
2. Exercise Caution in Visiting Websites
One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is by hacking government websites through known security vulnerabilities. When a target visits said compromised government website, the target’s computer then becomes infected.
3. Keep All Software Up-to-Date
The simple reason that the Lazarus group was successful in its WannaCry attack is that many have failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows operating systems that fail to install Microsoft’s March 14, 2017 security update and older versions of Windows that were no longer supported, including Windows XP, Windows 8, and Windows Server 2003.
Study Reveals Canadian Companies View Cybersecurity as Top Priority
According to a recent study, effective cybersecurity is a top priorityfor most Canadian organizations.
This is no surprise, considering the rise of DDoS, ransomware and other online threats in 2018. In Canada and the United States, cybersecurity has continued to make headlines, leading to wider awareness of the risks among businesses.
For example, DraftKings has finally been granted the legal right to unmask the individuals behind a DDoS attackon the company. The fantasy / sports betting brand’s operations were disrupted by the assault on August 8, which caused the website to actually go offline for 26 minutes.
DraftKings managed to trace the DDoS attack and sought a subpoena to get the relevant ISPs to uncover the identities of those involved. Though DraftKings may not have suffered a huge amount of damage or loss of business, the company’s commitment to finding out exactly who initiated the attack could inspire more brands to essentially go on the offensive following an attack.
Businesses and organizations of all sizes must take steps to protect themselves and their clients from any cybersecurity risks, and it’s a pressing concern for most Canadian firms. The survey found more and more are extra vigilant, seeking effective safeguards against DDoS, ransomware and email threats.
Almost six out of 10 businesses questioned claimed email security was a key focus, while defenses against ransomware and intrusions came hot on its heels. Cloud-based storage and productivity / collaboration tools are now common fixtures for many businesses, and due caution when using these is critical.
The Repercussions of Security Breaches
Companies may find the prospect of protecting themselves from attacks daunting, especially as DDoS attackers have grown more bold. Attacks can have a serious impact on a business’s processes: i they can’t provide the services their clients expect, their income could be affected and their reputation may be damaged in the long term.
Why? Because existing and potential customers will wonder how seriously said business takes their security. They might also wonder if the company is taking due care of their own details too. If in doubt, there are sure to be other businesses offering the same services or products out there.
Basically, DDoS attacks involve launching a bombardment of traffic against a specific IP address and genuine users trying to access the targeted website will struggle to get through. This problematic traffic is created by multiple sources, which makes blocking DDoS assaults outright more difficult than malicious activities originating from a single source.
Earlier in the year, GitHub — a well-known code repository — was subject to a major DDoS attackthat made headlines. The site was taken offline due to a 1.3Tbps (terabits per second) assault, which was the most powerful to be recorded at the time.
GitHub became aware of an issue due to outages, and called for assistance from its DDoS mitigation specialists. All incoming traffic was channeled to scrubbing centers and malicious packets were blocked effectively. Fortunately for GitHub, the attackers ceased their malicious activities after eight minutes.
Before this, another company — Dyn — was targeted in a 1.2Tbps assault in 2016. This struck in multiple sessions. The first started first thing in the morning and lasted around two hours before being stopped, while the second came later on. A third assault was launched in the late afternoon.
During these waves of DDoS attacks, Dyn saw its internet directory servers disrupted by a powerful load of requests from millions of IP addresses. This was a serious incident that had been planned with great care for maximum impact.
Taking Steps to Maximize Safety
Cybercriminals are developing increasingly sophisticated ways to disrupt and attack targets, but having an effective cybersecurity plan in place can help you to stay protected.
Below, we look at just a few of the ways you can stop a DDoS attack and potentially minimize the damage it may cause.
Spot the attack ASAP
Being able to identify when your website is under attack can help you prevent a DDoS disaster.
Problems affecting your site are an obvious indication of impending issues, and its worth getting to know what your inbound traffic patterns tend to be at different times. For example, if you can be sure your traffic tends to spike on a Saturday afternoon and a Sunday morning, any rush of traffic on a weekday could be a warning sign.
Of course, you have to be able to eliminate any potential reasons for this before panicking. A sale, large discounts or an improved marketing strategy could all lead to unexpected increases in your traffic. It sounds obvious, but is well worth bearing in mind to avoid false alarms.
Invest in more bandwidth
Another effective step to protect your business from DDoS attacks is to increase your bandwidth. Having access to more than you think you’re likely to need for everyday operations can help you accommodate larger traffic surges and shifting traffic patterns.
While this may not be viable for smaller companies on a tight budget, it could be a worthwhile option even if the bandwidth is only adjusted a little.
Making changes to your working processes and set-up gradually can help to protect you with minimal disruption, but the increase in DDoS attacks in the past couple of years demonstrates just how vital proper defenses are. Companies have to to take effective steps to ensure they remain safeguarded as attackers continue to advance their methods.
Working with professional cybersecurity specialists with years of experience helping companies across various sectors can help you stay safe. Our Automated DDoS Mitigation service provides guaranteed DDoS attack protection, with no hardware or software to buy. This service is powered by our partner’s innovative technology and includes a high-powered CDN to increase your domain’s performance by as much as 50 percent.
Want to discuss how we can help protect your business from DDoS attacks? Please don’t hesitate to get in touch. Our team is here to answer any questions you may have.
Microsoft Windows Privilege Escalation Vulnerability Leaked via Twitter
A security researcher who goes by the name “SandboxEscaper” leaked via Twitter an exploit code for a Microsoft Windows privilege escalation vulnerability.
In the now-deleted Twitter post, SandboxEscaper provided a link to a Github repository that contains the code necessary to exploit a Microsoft Windows privilege escalation vulnerability. Other security researchers have since verified the authenticity of the vulnerability exploit disclosed by SandboxEscaper.
The bug uncovered by SandboxEscaper lies in Microsoft Windows task scheduler service. Task scheduler allows users to schedule any program to run at a convenient time or when a specific event occurs.
SandboxEscaper found that task scheduler uses unsecured API that allows an attacker, having access to a computer as a local user to gain system-level privileges, enabling the attacker to overwrite system files with malicious code to hijack Windows.
“The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs,” CERT Coordination Center (CERT/CC)described the uncovered flaw. “This can be leveraged to gain SYSTEM privileges.”
“The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions,” security researcher Kevin Beaumont, for his part, noted. “So anybody – even a guest – can call it and set file permissions on anything locally.”
As a proof-of-concept, SandboxEscaper overwrites a file used by Windows' printing subsystem with a malicious code when an attempt is made to print.
According to CERT/CC, the exploit code leaked by SandboxEscaper works on 64-bit Windows 10, Windows Server 2016 systems, 32-bit Windows 10 with minor modifications and with other Windows versions with further modifications. CERT/CC said it’s currently unaware of a practical solution to this problem.
A Microsoft spokesperson told the Registerthat the company will “proactively update impacted devices as soon as possible.”
In another Twitter post, SandboxEscaper blamed depression for leaking the vulnerability exploit before Microsoft has time to issue a security update or a patch.
Exploits for privilege escalation vulnerabilities are rarely leaked to the public prior to a patch as many software vendors like Microsoft now offer financial rewards to security researchers who uncover and discreetly inform the concerned software vendors. This gives security vendors time to create a security fix to the reported problem.
Dangers of Privilege Escalation Attacks
In a privilege escalation attack, the attacker has to have local access to the computer or computer network that he or she wants to compromise. A local user needs the system administrator's password to complete certain tasks, such as overwriting system files. As such, this is given less priority by software vendors when it comes to patching.
Remote code execution attacks, on the other hand, are given high priority in terms of patching as these attacks don’t require that the attacker have local access to the target computer.
In a remote code execution attack, an attacker can install malicious code on a computer even when he or she has no local access, provided though that the computer is connected to the internet. An example of the remote code execution attack was the WannaCry attack. Hours after the WannaCry attack on May 12, 2017, Microsoft issued a security update for Windows platforms originally not covered by an earlier security patch, showing the importance of patching remote code execution attacks.
Privilege escalation attacks, however, aren’t given similar immediate attention. Privilege escalation vulnerabilities are typically patched during scheduled updates, like Microsoft’s regular security updates every second Tuesday of each month.
Client-side exploits, however, make privilege escalation attacks dangerous as attackers then effectively become local users and escalate their privileges to system administrators.
"If an attacker can gain access to a system through a client side exploit, they may then effectively become the local user, and escalate to local system,” SANS Technology Instituteinstructor Adrien de Beaupre wrote in a post "Privilege escalation, why should I care?" “Local system priv on a Windows computer is just a hop, skip, and jump away from being Domain administrator.”
Client-side exploits come in numerous and varied formats. Compared to remote execution attack like the WannaCry that has worm capability – meaning, it replicates itself without user interaction, client-side exploits need user interaction, such as clicking a malicious link or downloading a malicious email attachment.
The fact that the exploit code is out and there’s no official patch from the software vendor should warrant some caution. However, unofficial patch has been posted by 0Patch.com
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”
That means that the next Windows update is still days away – this coming September 11th. This gives attackers a window to exploit the flaw exposed by SandboxEscaper in the wild.
According to Kevin Beaumont, if you use Microsoft Sysmon, a sure way to find out whether a Microsoft Windows task scheduler exploit is being used is by looking for spoolsv.exe spawning abnormal processes.
Here are some general measures in preventing privilege escalation attacks like the one exposed by SandboxEscaper:
Mirai Is Evolving as a DDoS Attack Tool
Mirai, the malware that nearly brought down the internet, is evolving and being refined by cybercriminals as a distributed denial of service (DDoS) attack tool.
Symantec's Principal Threat Analysis Engineer Dinesh Venkatesan recently disclosed that he uncovered multiple Mirai variants. Venkatesan said that these multiple Mirai variants are hosted in a live remote server.
Each of these Mirai variants is described to be aimed for a particular platform, making the Mirai portable across different platforms.
According to Venkatesan, one of the major obstacles encountered by script-kiddies, also known as copy/paste malware authors, is portability – the ability of a malware to run on different platforms “in a self-contained capsule without any runtime surprises or misconfiguration”.
The newly uncovered Mirai variants found an answer to the problem of portability by leveraging on the open source tool called “Aboriginal Linux”. According to the author of Aboriginal Linux, this open source tool "automatically create cross compilers and bootable system images for various targets, such as arm, mips, powerpc, and x86".
Using the Aboriginal Linux, the author or authors of the newly uncovered Mirai variants were able to develop versions of the malware tailored for a targeted platform, ranging from routers, IP cameras and even Android devices.
Symantec's Venkatesan said that the newly uncovered Mirai variants spread by scanning devices with default factory login details or known security vulnerabilities.
Original Mirai Botnet
In December last year, 21-year old Paras Jha, along with his two college-age friends Josiah White and Dalton Norman, pleaded guilty for creating the Mirai botnet.
According to the U.S. Department of Justice, in the summer and fall of 2016, Jha, White and Norman created and launched the Mirai botnet – referring to computers infected by the Mirai malware and controlled by Jha’s group without the knowledge or permission of the owners of the computers.
The U.S. Department of Justice said the trio used the Mirai botnet, which at its peak consisted of hundreds of thousands of compromised IoT devices, to launch DDoS attacks.
DDoS attacks refer to cyberattacks which use multiple computers (like the Mirai botnet), controlling these computers without the computers’ owners knowledge for the purpose of making an online service unavailable by overwhelming it with traffic.
"The defendants [Jha, White and Norman] used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” the U.S. Department of Justice said.
While the latest Mirai variants infect not just IoT devices but also Android devices, the computers infected by the original Mirai malware were limited to IoT devices, including routers, wireless cameras, digital video and recorders.
According to the U.S. Department of Justice, the trio’s involvement with the original Mirai ended when Jha posted the source code of Mirai on an online forum in September 2016. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
Jha’s group was able to infect hundreds of thousands of IoT devices with the Mirai malware and turned it into a botnet or zombie army for DDoS attacks by using a short list of 62 common default usernames and passwords.
In October 2016, the DDoS attack against the internet infrastructure company Dynbrought down a big part of the internet on the U.S. east coast. The DDoS attack against Dyn made the world’s top websites, such as Amazon, Twitter and Netflix, temporarily inaccessible. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement.
Other Mirai Variants
Early variants of Mirai include Satori, a Mirai variant that morphed into several versions as well. One version of Satori targets Huawei home router HG532. Satori was first observed in the wild by Check Pointresearchers in November 2017. Similar to the original Mirai, Satori has DDoS capabilities and has been reported to launch several DDoS attacks.
According to Check Point, Huawei was informed prior to the public disclosure of Satori. Before the public disclosure of Satori as well Huawei patched the vulnerability.
In May 2018, researchers at FortiGuard Labsuncovered another variant of Mirai called “Wicked”. This Mirai variant particularly infects Netgear routers and CCTV-DVR devices.
According to FortiGuard Labs, Wicked infects Netgear routers and CCTV-DVR devices by using known and available cyberexploits, many of them are old exploits. Similar to the original Mirai and other Mirai variants, Wicked can also be used for DDoS attacks.
Here are some measures in preventing attackers from turning your organization’s IoT devices into a zombie soldier for DDoS attacks:
-Change default login details into something strong and unique
-Install firmware updates in a timely manner
-When setting up Wi-Fi network access, use a strong encryption method
-Use wired connections instead of wireless connections
-Disable the following:
If your organization has an online presence, it's imperative that your organization is equipped in stopping DDoS attacks.
A successful DDoS attack against your organization’s online service negatively impacts your organization’s reputation, can cause loss of customer trust and financial losses. Prolong and unmitigated DDoS attacks can also result in permanent business closure.
Contact us today if you need assistance in securing your organization’s online services from DDoS attacks and if your organization needs assistance in securing IoT devices from being turned into zombie devices for DDoS attacks.
Nearly Half of the World’s Top Websites Are Risky to Visit, Study Finds
A new study from Menlo Security showed that almost half of the world’s top websites are risky to visit.
According to Menlo Security'sState of the Web (First Half 2018), 42% or nearly half of the Alexa top 100,000 websites are “risky”. The Menlo Security study considers a website as risky when it falls in one of these three criteria:
According to Menlo researchers, the practice of classifying the world’s websites into logical categories is no longer defendable as more than a third of all sites in categories including News and Media, Entertainment and Arts, Shopping and Travel are risky.
Even websites categorized as safe aren’t safe by deﬁnition, with 49% of “News and Media” sites falling within Menlo’s criteria as risky, as 45% of Entertainment and Arts, 41% Travel, 40% Personal Sites and Blogs, 39% Society, 39% Business and Economy and 38% Shopping.
3 Variables that Can Put A Website at Risk
Here are 3 variables that can make a website risky:
1. Risks Linked with Background Websites
Menlo researchers found that every time a visitor visits a website, the site calls on average 25 other sites – also as known as background sites – to fetch a content, for instance, a viral video from a content delivery network (CDN) or an advertisement display from an advertisement delivery network.
Every time you visit a website, therefore, you’re not just visiting one website, but 25 sites on average. Any of these background sites could be used by cyberattackers to compromise the main site and eventually website visitors.
An example of a background site which cybercriminals could compromise the main site is through malvertisement, short for malware advertisement. In malvertisement, the advertisement being displayed on the main site could be infected by a malware. If a visitor clicks on a malvertisement, the visitor's computer then becomes infected with a malware.
2. Risks Linked with Use of Active Content
Active content refers to a software that web developers use to produce personalized and dynamic websites. By using software like Flash, active content allows stock tickers to continuously update, and animated images, maps or drop-down boxes to function.
The trade-off with these active contents is that while these contents make websites personalized and dynamic, web developers lose the control in securing the sites as similar to malvertisements, these contents have to be fetched from background sites. These background sites could be compromised and used to deliver a malware.
Adobe Flash, one of the software used for active content, is known to be packed with security loopholes, making this software the favorite tool by cyberattackers. While Adobe tries to make Flash more secure, the product is simply unfortunate enough to rank as one of the most frequently exploited software by cybercriminals.
3. Risk Linked with Use of Vulnerable Web Software
According to Menlo Security, many of today’s top websites and their accompanying background sites run on vulnerable web software.
"Many of the world’s most popular websites run on back-end web servers that are outdated, including some that have not been updated for years or even decades,” Menlo Security said. “This leaves those websites extremely vulnerable to web-borne malware, exposing site visitors to possible infections, incursions, or breaches. Use of outdated server software also threatens any site to which it serves as a ‘background website.’ Simply put, the older the software, the higher the risk.”
Vulnerable web software refers to a software that has been repeatedly attacked over the years. It also refers to a software that has reached its end of mainstream support, including the end of security updates or patches from the software vendor.
Menlo researchers found that many Business and Economy websites still use Microsoft’s IIS version 5 web server, a software that Microsoft stopped providing updates or patches more than 12 years ago.
Microsoft’s IIS version 5 web server has been exploited by cybercriminals in the past. An example of a malware that exploited the security vulnerability in Microsoft’s IIS version 5 web server is the infamous Code Red, a malware that appeared in three versions from July 2001 to August 2001. The first version of this malware defaced webpages and launched a denial of service attack against www.whitehouse.gov.
Code Red, also known as ISS Buffer Overflow vulnerability, allows an attacker to gain full system level access to any server that’s using the Microsoft Internet Information Services (IIS) Web server software. An attacker that exploits the Code Red or ISS Buffer Overflow vulnerability can perform any system level action, including installing malware, adding, changing or deleting files, and manipulating web server content.
Here are some of the best practices to the lower the odds of being victimized from risky websites:
If you’re a website owner, make sure that your server runs up-to-date software. Running your company website on Microsoft’s IIS 5 web server, a software that Microsoft no longer supports, is a big security risk for your company. Attackers have been known to exploit computer programs that no longer receive security updates or patches from vendors. To keep your website safe, it’s also important to use technologies that prevent the introduction of malicious code via background sites.
As a website visitor, you can lower your odds of being victimized by a risky website by making sure that your computer programs are up-to-date. It’s also important to avoid vulnerable software like Adobe Flash.
Steve E. Driz