Thought leadership. threat analysis, news and alerts.
Canada’s Anti-Spam Legislation (CASL) Goes After Malware Distributors
Canada’s Anti-Spam Legislation (CASL), the federal law which took effect in 2014, proves to be more than an anti-spam legislation with the recent application of the law of going after malicious actors spreading malicious software (malware).
The Canadian Radio-television and Telecommunications Commission (CRTC), in tandem with the Royal Canadian Mounted Police (RCMP), on March 27, 2019 executed a warrant at the home of a Toronto software developer behind the remote access trojan (RAT) called “Orcus”. Remote access trojan, in general, is a type of malware that facilitates covert and unauthorized remote access, enabling a malicious actor to access someone else's computer, no matter where this computer is geographically located, and make changes to this computer without the owner’s consent.
What Is Canada’s Anti-Spam Legislation (CASL)?
Canada’s Anti-Spam Legislation (CASL), which amended the Canadian Radio-television and Telecommunications Commission Act, covers more than just spam emails. Pertinent provisions of the law include:
Section 6: It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Section 7: It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or the person to whom the message is sent; or the alteration is made in accordance with a court order.
Section 8: A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system; or the person is acting in accordance with a court order.
Section 9: It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
The maximum penalty for violating CASL is $1,000,000 in the case of an individual, and $10,000,000 in case the violator is an organization.
What Is Orcus RAT?
While authorities refused to name the subject of the March 27, 2019 CRTC warrant, the person who calls himself “Armada” said in a statement that his organization called “Orcus Technologies” was the subject of the said warrant. Since early 2016, Orcus Technologies has marketed Orcus RAT as a legitimate remote administration tool – a software that gives a person full access to a computer as if the person had physical access to the device.
Armada said authorities seized numerous backup hard drives which contained a large portion of Orcus Technologies business, including user information inclusive of user names, real names and financial transactions. As a result of the seizure, Armada said Orcus RAT is no longer a “safe or secure solution to Remote Administrative needs”.
One stand out feature of the Orcus RAT is its capability to load custom plugins built by users, as well as plugins that are available from the Orcus repository. While Orcus Technologies claims that Orcus RAT is a legitimate remote administration tool, it listed on its website capabilities that are beyond the scope of a legitimate remote administration tool such as disabling the light indicator on webcams in order not to alert the target that it’s enabled; restarting the server component or triggering a Blue Screen of Death (BSOD) if someone tries to kill its process and a plugin that can be used to perform distributed denial-of-service (DDoS) attack.
Orcus RAT also features capabilities such as password retrieval and key logging that are normally not seen in legitimate remote administration tools but only seen in remote access trojans, which facilitate covert and unauthorized remote access.
One such remote access trojan, which facilitates the installation of the Orcus RAT, was unleashed in December 2017 via a phishing campaign – a type of cyber-attack that uses spam emails as a weapon. The said spam emails arrived at the email inboxes of targeted bitcoin investors offering Gunbot, a trading automation software for cryptocurrencies. These spam emails contained an attachment. Analysis by researchers at Fortinetshowed that when this attachment is clicked by the recipient, it downloads from a specific URL a file that contains the malware and embedded in this malware is the Orcus RAT.
The Orcus RAT malware in this case, Fortinet researchers said, resulted in the loss of cryptocurrency investments and more. “In our investigation of Orcus RAT, we have again proven again that its capabilities go beyond the scope of a harmless administration tool,” the researchers said. “Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
CRTC Director Neil Barratt told KrebsOnSecuritythat CASL gives authorities a leeway to get malicious actors off the networks in Canada and elsewhere as the burden of proof required in CASL is lower than a criminal conviction.
“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”
Malicious Email Campaigns Geo-Targets Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically" researchers at Proofpoint reported that between the period of January 1, 2019 to May 1, 2019, threat actors conducted nearly 100 malicious email campaigns specifically targeting Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
Malicious email campaign, also known as phishing scam, is a type of cyber-attack that uses emails as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading this malicious attachment or clicking this malicious link could lead to compromise. Victims are tricked into opening the malicious email and downloading this malicious attachment or clicking this malicious link as threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked the victims into opening the malicious email or downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT)issued an alert, warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing email without human interaction through the use of Outlook scraper, a tool that’s used to scrape names and email addresses from the victim’s Outlook accounts and uses this names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us todayand we will show you how to better protectyour staff and your sensitive information against targeted attacks.
Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection
Researchers at Trend Micro have discovered a new malicious software (malware) that uses the AutoHotkey – a Microsoft Windows tool initially aimed at providing easy keyboard shortcuts, enabling attackers to avoid detection, steal certain information and even gain remote control to a compromised computer.
This latest malware, according to Trend Microresearchers, initially infects a computer via a spear phishing attack, a form of a targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers contains a malicious attachment in the form of a disguised legitimate Excel file.
According to the researchers, at first glance, this disguised Excel file has only one filled sheet. Upon scrutiny, however, this file has another sheet with two blank columns. Upon closer look, the attackers had written malicious code on these two columns using white font, hiding the code in plain view.
Once the email receiver enables macro to open the disguised Excel file, AutoHotkey is then dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to the server that they control every 10 seconds to download, save and execute script files.
AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.
Other malicious acts activated via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.
“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”
History of AutoHotkey
AutoHotkey software is a free, open-source scripting language that was initially developed at providing easy keyboard shortcuts for Windows. This software, later on, evolved into something more than providing easy keyboard shortcuts as it allows Windows users to automate any desktop tasks, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with the stable release of the software done only in November 2018.
The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times in creating online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have made AutoHotkey as an addition to their attack arsenal.
An example of malware that abuses AutoHotkey is the malware called “Win32/Ahkarun.A”, an AutoHotKey compiled script that spreads itself without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported about the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.
Once executed on the victim’s computer, this malware then awaits connections of removable media such as USB thumb drives, and when this happens the malware copies itself and components to the removable drive, and as a result performing malicious actions such as identifying the IP address of the infected machine and sending the obtained IP address to a predefined email account.
In February 2018, the research team at Ixiareported two cases of AutoHotkey-based malware, one distributing an cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, in the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and awaits for any activity in the clipboard. When a user inputs into the clipboard a cryptocurrency wallet address, the malware replaces the user’s cryptocurrency wallet address to the address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.
In March 2018, researchers at Cybereasondiscovered an AutoHotkey-based malware they called “Fauxpersky” as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the data recorded through Google Forms and depositing it in the attacker’s inbox.
As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse legitimate Windows tool AutoHotkey. Being a legitimate Windows tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – part of the malware that performs malicious actions – without triggering any anti-malware alarms.
One of the reasons why we see lesser abuses of AutoHotkey by cyber attackers, to date, is due to the fact that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take an extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.
Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified in the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that utilized emails as a weapon.
Another approach in preventing AutoHotkey abuses is by disabling your organization’s active content (data connections or macros). When active content is disabled, the next time your organization’s staff receives an active content via email, this content can’t be opened and the Message Bar with the notice "Macros have been disabled” will then appear as an alert that the active content may contain malware and other security hazards that could harm your organization’s computer or network.
Why TajMahal Is the Most Alarming Malware to Date
The discovery of the malware called “TajMahal” is alarming, not because it attacked a certain diplomatic organization but because of the high number of malicious acts that it can do, totaling 80, and the malware’s stealth capability, evading discovery for nearly 5 years.
Researchers at Kaspersky Labrecently revealed that a diplomatic organization belonging to a Central Asian country, a type of organization that’s often subject to cyber-attack due to its line of work, was a victim of the malicious software (malware) TajMahal. This malware, the researchers said, remained undetected in the diplomatic organization’s network for nearly 5 years, with the first known legitimate sample timestamp from August 2013 and the last one from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is in August 2014. The researchers said they first discovered the malware on the victim’s machine in the autumn of 2018.
Old and New Hacking Tools
According to Kaspersky Lab researchers, TajMahal malware comes in two packages, one package is named “Tokyo” and the other “Yokohama”. Tokyo and Yokohama, the researchers said, share the same code base found on all infected computers of the said diplomatic organization. The Tokyo package facilitates the first stage of the malware infection, while the Yokohama package facilitates the deployment of the staggering 80 malicious cyber activities.
The Tokyo package uses PowerShell script, an old and tested strategy used by cyber attackers. McAfee Labsreport found that PowerShell attacks increased between 2016 and 2017, and IBM X-Forcealso noted the growth of PowerShell attacks from October 2017 to October 2018.
PowerShell is a legitimate tool used by system administrators in simplifying and automating the management of Microsoft Windows and Windows Server. Malicious actors, meanwhile, use PowerShell to hide their malicious code as the code is executed directly from the computer memory, making the attack fileless and thus stealthier than other types of attacks. PowerShell also allows remote access – the ability to access a computer from anywhere in the world so long as the computer is connected to the internet.
Yokohama, meanwhile, unleashes payloads – the portion of the malware which performs malicious actions, of which 80 of them were uncovered by Kaspersky Lab researchers. Old hacking techniques that form part of the Yokohama package include keylogging and audio, screen and webcam grabbing. In keylogging, every keystroke made by a computer user is recorded and sent to the malicious actors. In audio, screen and webcam grabbing, screenshots, audio or video, for instance, from VoIP audio or video calls, are covertly recorded and the sent to malicious actors.
Aside from the slew of time-tested hacking tools, Yokohama package, in particular, and TajMahal in general, packed the following new hacking capabilities:
Intercepting documents from print queue and stealing data from CD burnt and USB stick are particularly alarming as documents that are typically printed or copied to a CD or USB stick are sensitive and important. Any data stolen by the malware, whether text, audio, video or image, is then sent to the command and control server, a computer controlled by the attackers in the form of an XML file called "TajMahal" – the origin of the name of the malware.
According to the researchers at Kaspersky Lab, it’s not known how the TajMahal malware initially infected the diplomatic organization belonging to a Central Asian country. It isn’t also known is who is the individual or groups behind the TajMahal malware as this malware bears no resemblance with other known malware, which means that the attacker or attackers created this malware using new code base to evade detection. Anti-malware solutions typically block malware that bears small resemblance with other known malware.
To date, the only known victim of the TajMahal malware is the diplomatic organization. According to the researchers at Kaspersky Lab, it’s unlikely that the attackers went all that trouble of creating a new malware just for one victim, and that the likely theory is that there are other victims that have yet to be identified. The researchers said that this theory is supported by the fact that they “couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected”.
TajMahal malware is a type of malware that shows the characteristics of an advanced persistent threat (APT), a cyberattack in which the attacker or attackers gain unauthorized access to a network and remain undetected for a prolonged period. The usual suspects of APT attacks are nation-state actors – individuals who have the “license to hack” on behalf of a particular nation or state to gain access to valuable data or intelligence and can create cyber incidents that have international significance.
In recent years, however, common cyber criminals, those whose motive is simply for profit, have gotten hold of the APT tools used by nation-state actors, making these APT tools part of their arsenal in attacking, not just large organizations but also small and medium-sized organizations – attacks that rendered these organizations vulnerable.
For instance, the APT hacking tool called “EternalBlue” has joined a long line of reliable favorites of common cyber criminals. EternalBlue is one of the hacking tools leaked publicly in 2017 by the group known as “Shadow Brokers”. This hacking tool is believed to be created by the U.S. National Security Agency (NSA) for its surveillance activities. A month before the public release of EternalBlue, Microsoft issued a security update, fixing the vulnerability exploited by EternalBlue.
This particular security update, however, wasn’t timely installed on hundreds of thousands of computers worldwide, leading to the successful unleashing of WannaCry, a malware that uses the EternalBlue hacking tool in exploiting the vulnerabilities in the Windows SMBv1 server (patched by Microsoft a month earlier), remotely encrypting files and locking users out of their own files and spreading it to other computers within a network without user interaction. Since the EternalBlue leak, many malware integrated the EternalBlue feature.
Combating malware and ATP threats has become a daily reality for many organizations. It requires specialized skills and resources. When your organization needs help, our cybersecurity experts a phone call away. Contact ustoday.
POS Malware Continues to Target Small and Medium-Sized Businesses
Two organizations, Flashpoint and Cisco Talos, recently revealed that point-of-sale (POS) malware continues to be a threat to small and medium-sized businesses.
What Is a Point-of-Sale (POS) Malware?
A point-of-sale (POS) malware is a malicious software that particularly targets POS, a system used for credit card transaction for payment of goods or services. Attackers may install a POS malware physically by tampering the PIN entry device pads or swapping out devices, an attack known as payment card skimming.
Another way of installing the POS malware is through remote installation, that is, the installation of a malware on environments where card-present retail transactions are conducted using a different computer stationed in another location. This present blog post covers the remote POS intrusion.
The goal of a POS malware is to obtain credit card details from customers. Stolen credit card details are typically sold by cyber criminals on the dark web. Buyers use these stolen credit card details to commit credit card fraud – unauthorized charges on someone else’s credit card.
Flashpoint researchers reported that the POS malware called DMSniff has been actively used by cyber criminals since at least 2016 against small and medium-sized businesses in the restaurant and entertainment industries. Similar to other POS malware, DMSniff harvests credit card details. Flashpoint researchers said the DMSniff malware was previously only sold privately.
One feature of DMSniff that’s rarely seen in POS malware, Flashpoint researchers noted is the use of domain generation algorithm (DGA), a feature that creates lists of command-and-control domains or webpages on the fly. Command-and-control domains are important to cyber criminals as malware typically receive commands and send stolen data via these domains.
To cripple the effectiveness of a malware, that is, preventing the malware to receive commands or share stolen data, law enforcement or hosting providers take down these malware command-and-control domains. With domain generation algorithm, attackers can create lists of command-and-control domains on the fly in case one domain is taken down. In addition, domain generation algorithm also bypasses weak blocking mechanisms.
Cisco Talos researchers, meanwhile, reported about the proliferation of the new POS malware called GlitchPOS. The sale of this malware opened a few weeks ago in one of the crimeware forums. This malware later turned up for sale in another crimeware forum. The author of the GlitchPOS malware even created a video, showing how this malware harvests credit card details.
Like other POS malware, the main purpose of GlitchPOS is to steal credit card details from the memory of the infected system. Unlike DMSniff, with its advanced domain generation algorithm feature, GlitchPOS contains few functions, such as connecting to the command-and-control server to do the following tasks: register the infected systems, exfiltrate credit card numbers from the memory of the infected system, update the "encryption" key and clean itself. Online services such as Dropbox and Google Drive are at times used by cyber criminals as command-and-control servers.
Verizon’s 2018 Data Breach Investigations Reportfound that the accommodation and food services industry was the hardest sector in terms of remote POS intrusion in 2018, with remote POS breaches 40 times more likely to occur on the accommodation and food services industry compared to other industries.
The 2018 Verizon report added that remote POS intrusions weren’t discovered for months in 96% of cases. They were only discovered via external sources such as detection as a Common Point of Purchase (CPP) or by law enforcement.
In February this year, North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale products, disclosed that nearly 140 of its customers, mostly bars, restaurants, and coffee shops all over the US, have had POS systems infected with malware.
Causes of Remote POS Intrusions
Here are some of the common causes of remote POS intrusions:
SSH Brute Forcing & Common Exploit Scanners
In the case of DMSniff malware, Flashpoint researchers suspected (with low confidence) that the initial infection could either be SSH brute forcing or common exploit scanners.
In SSH brute forcing, an attacker tries every possible password combination until it cracks the password of SSH, also known as Secure Shell or Secure Socket Shell, a network protocol that gives users, particularly system administrators, a means to access a computer over the internet. Common exploit scanners, meanwhile, are automated tools that are used to test applications and networks against known and new security vulnerabilities.
Supply Chain Attack
Supplier of point-of-sale products North Country Business Products revealed that POS systems of its nearly 140 business clients were infected with POS malware as cyber criminals compromised its IT system and later on planted POS malware on the network of some of its customers.
Lack of Trained Security Staff
Verizon’s 2018 Data Breach Investigations Report, meanwhile, said that businesses in the accommodation and food services industry rely almost exclusively on payment cards for their existence. Despite this reliance, this industry, in particular, restaurants are small organizations that typically don’t have trained security staff.
Good security controls and training will minimize the likelihood of a data breach for your business.
When you need help of experienced cybersecurity professionals, our team is a phone call away. Contact ustoday and protect your business.
Decade-Old Qbot Banking Malware Makes a Comeback
The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.
Researchers at Varonisrevealed that thousands of computers around the globe have been compromised and under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.
The researchers added that the number of victims is likely much larger as many organizations use port address translation that hides internal IP addresses. Majority of the Qbot malware victims, Varonis researchers said were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.
What Is Qbot?
Qbot, also known as Qakbot or Pinkslipbot, is a malware that was first observed in the wild in 2007. Through the years, this malware has morphed into various versions due in part to the fact that the source code of this malware is publicly available. The various versions of Qbot retain the primary purpose of this malware, that is, to steal online banking account information from compromised computers.
According to Microsoft, over the years, cybercriminals behind Qbot have improved the Qbot code, enabling this malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”
Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.
In keylogging, every keystroke that the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once it discovers the presence of a malware. On the flip side, cyberattackers use hooking as well, for instance, altering the behavior of a computer program or a browser, which can lead to exfiltration of passwords and cookies (referring to the text file that a web browser stores on a user's computer).
Another common feature of Qbot variants is the worm-like capability or the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.
Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns, containing a malicious attachment and/or link.
What Is BITSAdmin?
BITS in the term “BITSAdmin” stands for Background Intelligent Transfer Service (BITS). BITS is a component of Microsoft Windows operating systems which facilitates updates and other applications to operate in the background without interrupting other networked applications.
Cybercriminals have learned to abuse BITS by using this legitimate administration tool for downloading, executing and even cleaning up after running malicious code. The interface to create and manage BITS jobs or tasks is accessible through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and BITSAdmin tool, a tool that can be used to create download or upload BITS jobs and monitor their progress.
In the past, cybercriminals behind Qbot have used PowerShell to download and run the Mimikatz, another malware that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.
Researchers at Varonis reported that the latest Qbot, uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader – a component that executes the core malware.
The abuse of legitimate administration tools such as PowerShell and the BITSAdmin are examples of “living off the land” cyberattack techniques that exploit tools that already exist on targeted computers. Exploiting these common administration tools makes detection difficult.
One probable explanation why the cyberattackers behind the latest variant of Qbot use the administration tool BITSAdmin, instead of PowerShell, is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBMshowed that more than half or 57% of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool that’s often exploited by cyberattackers is PowerShell.
Cyberattackers that abuse PowerShell and BITSAdmin have first to execute their malicious code on the targeted computer. The initial infection of PowerShell and BITSAdmin-based attacks is often phishing attacks, attacks that use malicious emails that contain malicious attachments and/or links.
In the case of the latest variant of Qbot, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks also apply for mitigating PowerShell and BITSAdmin-based attacks. These mitigating measures include deleting any suspicious emails, especially those containing suspicious links and/or attachments, and avoiding enabling macros in Microsoft Office.
Disabling all BITS functionality, meanwhile, as a preventive measure is a tricky business as this will likely have unintentional side effects, such as preventing legitimate software patching and updating. Some of the mitigating measures that are specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to only allow legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.
Can Your Organization Survive a Cyberattack that Permanently Destroys Data?
Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.
The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.
The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitteraccount issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”
By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails of all data in the US, both primary and backup systems.
The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweetedit could be "someone who had data they didn't want found or I really pissed off."
This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog postdated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) on his email service if he doesn’t pay 5 Bitcoins.
True enough, after refusing to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.
It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear though is that the company’s nearly two decades' worth of emails of all data in the US, both primary and backup systems, are lost forever.
Other Cases of Disruptive Cyberattacks
WannaCry and NotPetya
WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by WannaCry malicious software (malware). Six weeks after the WannaCry attack, NotPetya malware was launched although it didn’t have as much impact as WannaCry.
Both WannaCry and NotPetya exhibit the characteristics of a ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting these files. Similar to other ransomware, WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once ransom is paid, the decryption key that would unlock the encrypted files would be given.
While exhibiting the characteristics of a ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose was to destroy. Both WannaCry and NotPetya are considered as wipers, not ransomware, as despite paying ransom to the attackers, the attackers wouldn’t be able to give the correct decryption key as they themselves have no way of determining who paid the ransom and who didn’t.
Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipemreported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of Shamoon malware. As typical effects of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reutersthat the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.
According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.
Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”
Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:
Keep All Software Up-to-Date
Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.
Back-up Important Data
Similar to safeguarding your organization’s data from natural disasters, including fire and flood, having a back-up of important data will enable your organization to bounce back from a debilitating destructive cyberattack.
Practice Network Segmentation
It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that in case an attacker is able to infiltrate one of your organization’s network, the other networks won’t be affected.
Search Engines Blacklist Fewer Sites, Study Shows
A study conducted by SiteLock showed that search engines are blacklisting fewer sites.
Blacklisting happens when a search engine removes a website from its results due to the presence of a malicious software (malware).
In the second quarter of 2018, SiteLockanalyzed over 6 million websites through the use of malware scanners. SiteLock’s analysis showed that search engines like Google and Bing only blacklisted 17.5% of infected websites with malware in the second quarter of 2018, a 6% decrease from the previous year.
Prevalence of Website Malware
Website visitors and website owners alike rely on search engine warnings. On the part of website visitors, they rely on search engines to flag malicious websites that may leave them unprotected as they surf the web.
According to SiteLock, when website owners rely mainly on search engine warnings and outwardly facing symptoms, they may be missing malware that’s attacking their website visitors.
Even as search engines are blacklisting fewer sites, malicious websites aren’t getting fewer. SiteLock’s study showed that 9% or as many as 1.7 million websites have a major security vulnerability that could allow attackers to embed malware on them. The 3 most common security vulnerabilities on websites identified by SiteLock are SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).
SQLi security vulnerability allows attackers to inject malicious database code into website text fields or forms. In an SQL injection attack, an attacker can gain full access to the website’s MySQL database, administrative back end or the entire website. MySQL refers to an open source management system that makes it convenient to add, access and manage content in a website's database.
XSS security vulnerability allows attackers to inject malicious code into a web form or web application. In a cross-site scripting attack, the web application is tricked into doing something that it isn’t supposed to do. CSRF, meanwhile, is often used with social engineering – tricking victims. In a cross-site request forgery attack, an attacker forces authenticated users to do unauthorized actions while logged into a vulnerable web application.
SiteLock’s sampled websites showed that 7.19% of sites have an SQLi vulnerability, 1.56% of sites have an XSS vulnerability and .19% of sites have a CSRF vulnerability.
SiteLock’s study also found that sampled websites experience an average of 58 attacks per day, with 1% of the sites infected with a malware. The study further found that website attacks are becoming increasingly sneaky and difficult to detect. An example of a symptomless attack on websites is the browser-based cryptojacking, which doubled (2%) in number compared to last year’s number (1%), according to SiteLock’s study. In browser-based cryptojacking, an attacker hijacks a browser to mine a cryptocurrency.
McAfee’s Blockchain Threat Reportshowed that nearly 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent. This number, according to McAfee Labs, only accounts for non-obfuscated sites, which means that the actual number is likely much higher.
As it stands, Coinhive resides in a gray area of legitimacy. In an ideal world, both the website owner and website visitor must consent to Coinhive’s browser-based cryptocurrency mining.
A website owner or, in the case of a cyberattack, an attacker may embed the Coinhive code into a website. When a user visits a website with an embedded Coinhive code, the cryptocurrency called “Monero” is then mined from the user's browser using the computing power or CPU of the website visitor. As of October 21, 2018, the price of one Monero coin is $103.
When the Coinhive code is embedded into the website by a website owner, the cryptomining income goes to the website owner. When the Coinhive code is embedded by a cyberattacker, the cryptomining income goes to the attacker.
Coinhive code made its way to YouTube. In January this year, Trend Microdiscovered that attackers abused Google's DoubleClick ad platform, enabling the attackers to display ads on YouTube that contain the Coinhive code. YouTube visitors in select countries, including Japan, France, Taiwan, Italy and Spain were affected, with 80% of the affected visitor's CPU resource was used to mine the cryptocurrency Monero.
"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google representative said in a statement. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Check Pointranked 3 browser-based cryptocurrency mining scripts Coinhive (ranked #1), Crypto-Loot (ranked #2) and JSEcoin (ranked #4) as “February 2018’s Top 10 ‘Most Wanted’ Malware”.
Here are some of the security measures that need to be put in place in order to prevent attackers from installing malware into your website:
Use a Website Malware Scanner
A website malware scanner allows website owners to check their sites for web-based malware.
Keep All Website Applications Up-to-Date
Ensure that your web applications are up-to-date. Using outdated web applications with known security vulnerabilities can leave your website vulnerable to exploitation by cyberattackers.
Use Web Application Firewall (WAF)
Filtering web traffic via WAF is one of the measures in protecting your website from a successful cyberattack. Your traditional perimeter firewalls don’t protect your website.
Contact ustoday if you need assistance in protecting your website against cyberattacks.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
AI-Powered Cyberthreats Coming Our Way
Researchers at IBM recently developed a malicious software (malware) called “DeepLocker” as a proof-of-concept to raise awareness that AI-powered cyberthreats are coming our way.
What Is DeepLocker?
DeepLocker is a malware that uses as its secret weapon the infamous WannaCry – a malware that locked more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017 and demanded ransom payment from victims for unlocking the computers.
DeepLocker hides the notorious WannaCry in a seemingly innocent video conference app to evade anti-virus and malware scanners. The video conference app operates as a normal video conference software until such time that it detects its target. Once it detects its target it unleashes this hidden cyberweapon.
IBM researchers trained the embedded AI model in DeepLocker to recognize the face of a target individual to act as a triggering condition to unlock WannaCry. The face of the target is, therefore, used as the preprogrammed key to unlock WannaCry.
Once the target sits in front of the computer and uses the malicious video conference app, the camera then feeds the app with the target’s face, and WannaCry will then be secretly executed, locking the victim’s computer and asking the victim to pay ransom to unlock the compromised computer.
DeepLocker is also designed in such a way that other malware, not just WannaCry can be embedded in it. Different AI models, including voice recognition, geolocation and system-level features can also be embedded in this IBM proof-of-concept malware.
Marc Ph. Stoecklin, Principal Research Scientist and Manager of the Cognitive Cybersecurity Intelligence (CCSI) group at the IBM T.J. Watson Research Center, in a blog postsaid, DeepLocker is similar to a sniper attack – a marked contrast to the traditional malware the employs “spray and pray” approach.
Stoecklin added that DeepLocker is good at evasion as it allows 3 layers of attack concealment. “That is, given a DeepLocker AI model alone, it is extremely difficult for malware analysts to figure out what class of target it is looking for,” Stoecklin said. “Is it after people’s faces or some other visual clues? What specific instance of the target class is the valid trigger condition? And what is the ultimate goal of the attack payload?”
There’s no evidence yet that a class of malware similar to DeepLocker is out in the wild. It won’t surprise the community though if this type of malware were already being deployed in the wild. The likelihood of AI-powered malware being deployed in the wild is high as the type of malware used as secret weapon by DeepLocker like WannaCry is publicly available. WannaCry, together with other spying tools, believed to be created by the US National Security Agency (NSA) was leaked to the public more than a year ago. AI models, including facial and voice recognition, are also publicly available.
Trustwaverecently released an open-sourced tool called “Social Mapper”, a tool that uses facial recognition to match social media profiles across a number of different sites on a large scale.
This tool automates the process of searching for names and pictures of individuals in popular social media sites, such as LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban. After scanning the internet, Social Mapper then spits out a report with links to targets’ profile pages as well as photos of the targets.
Trustwave’s Jacob Wilkins said that Social Mapper is meant for penetration testers and red teamers. "Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination …,” Wilkins said.
For target lists of 1000 individuals, Wilkins said that it can take more than 15 hours and can eat up large amount of bandwidth.
Getting Ready for AI-Powered Cyberthreats
Even as cybercriminals are learning the ways of AI to their advantage or weaponize it, cybersecurity professionals, on the other hand, are leveraging the power of artificial intelligence for cybersecurity.
Once such approach is IBM’s proof-of-concept malware, believing that similar to the medical field, examining the virus is necessary to create the vaccine.
AI-powered cyberthreats present a new challenge to cybersecurity professionals. According to IBM’s Stoecklin, AI-powered cyberthreats are characterized by increased evasiveness against rule-based security tools as AI can learn the rules and evade them. AI allows new scales and speeds of acting autonomously and adaptively, Stoecklin added.
To fight against AI-powered threats, Stoecklin said that cybersecurity professionals should focus on the following:
There are existing AI tools that cybersecurity professionals can depend upon. An example of an AI tool is Imperva’s Attack Analytics. This tool uses the power of artificial intelligence to automatically group, consolidate and analyze thousands of web application firewall (WAF) security alerts across different environments, including on-premises WAF, in the cloud or across hybrid environments.
Imperva’s Attack Analytics identifies the most critical security alerts, providing security teams a faster way to respond to critical threats.
A survey conducted by Imperva at the recent RSA security conference found that cybersecurity analysts receive more than 1 million security alerts a day. Artificial intelligence tools like Imperva’s Attack Analytics reduce the time-consuming tasks of identifying and prioritizing security alerts from days or weeks of work into mere minutes of work.
Fighting cyberthreats becomes more and more difficult. You don’t have to do it alone. Contact our expert team today and protect your data.
Steve E. Driz