Thought leadership. threat analysis, news and alerts.
Can Your Organization Survive a Cyberattack that Permanently Destroys Data?
Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.
The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.
The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitteraccount issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”
By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails of all data in the US, both primary and backup systems.
The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweetedit could be "someone who had data they didn't want found or I really pissed off."
This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog postdated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) on his email service if he doesn’t pay 5 Bitcoins.
True enough, after refusing to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.
It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear though is that the company’s nearly two decades' worth of emails of all data in the US, both primary and backup systems, are lost forever.
Other Cases of Disruptive Cyberattacks
WannaCry and NotPetya
WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by WannaCry malicious software (malware). Six weeks after the WannaCry attack, NotPetya malware was launched although it didn’t have as much impact as WannaCry.
Both WannaCry and NotPetya exhibit the characteristics of a ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting these files. Similar to other ransomware, WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once ransom is paid, the decryption key that would unlock the encrypted files would be given.
While exhibiting the characteristics of a ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose was to destroy. Both WannaCry and NotPetya are considered as wipers, not ransomware, as despite paying ransom to the attackers, the attackers wouldn’t be able to give the correct decryption key as they themselves have no way of determining who paid the ransom and who didn’t.
Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipemreported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of Shamoon malware. As typical effects of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reutersthat the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.
According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.
Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”
Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:
Keep All Software Up-to-Date
Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.
Back-up Important Data
Similar to safeguarding your organization’s data from natural disasters, including fire and flood, having a back-up of important data will enable your organization to bounce back from a debilitating destructive cyberattack.
Practice Network Segmentation
It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that in case an attacker is able to infiltrate one of your organization’s network, the other networks won’t be affected.
Search Engines Blacklist Fewer Sites, Study Shows
A study conducted by SiteLock showed that search engines are blacklisting fewer sites.
Blacklisting happens when a search engine removes a website from its results due to the presence of a malicious software (malware).
In the second quarter of 2018, SiteLockanalyzed over 6 million websites through the use of malware scanners. SiteLock’s analysis showed that search engines like Google and Bing only blacklisted 17.5% of infected websites with malware in the second quarter of 2018, a 6% decrease from the previous year.
Prevalence of Website Malware
Website visitors and website owners alike rely on search engine warnings. On the part of website visitors, they rely on search engines to flag malicious websites that may leave them unprotected as they surf the web.
According to SiteLock, when website owners rely mainly on search engine warnings and outwardly facing symptoms, they may be missing malware that’s attacking their website visitors.
Even as search engines are blacklisting fewer sites, malicious websites aren’t getting fewer. SiteLock’s study showed that 9% or as many as 1.7 million websites have a major security vulnerability that could allow attackers to embed malware on them. The 3 most common security vulnerabilities on websites identified by SiteLock are SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).
SQLi security vulnerability allows attackers to inject malicious database code into website text fields or forms. In an SQL injection attack, an attacker can gain full access to the website’s MySQL database, administrative back end or the entire website. MySQL refers to an open source management system that makes it convenient to add, access and manage content in a website's database.
XSS security vulnerability allows attackers to inject malicious code into a web form or web application. In a cross-site scripting attack, the web application is tricked into doing something that it isn’t supposed to do. CSRF, meanwhile, is often used with social engineering – tricking victims. In a cross-site request forgery attack, an attacker forces authenticated users to do unauthorized actions while logged into a vulnerable web application.
SiteLock’s sampled websites showed that 7.19% of sites have an SQLi vulnerability, 1.56% of sites have an XSS vulnerability and .19% of sites have a CSRF vulnerability.
SiteLock’s study also found that sampled websites experience an average of 58 attacks per day, with 1% of the sites infected with a malware. The study further found that website attacks are becoming increasingly sneaky and difficult to detect. An example of a symptomless attack on websites is the browser-based cryptojacking, which doubled (2%) in number compared to last year’s number (1%), according to SiteLock’s study. In browser-based cryptojacking, an attacker hijacks a browser to mine a cryptocurrency.
McAfee’s Blockchain Threat Reportshowed that nearly 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent. This number, according to McAfee Labs, only accounts for non-obfuscated sites, which means that the actual number is likely much higher.
As it stands, Coinhive resides in a gray area of legitimacy. In an ideal world, both the website owner and website visitor must consent to Coinhive’s browser-based cryptocurrency mining.
A website owner or, in the case of a cyberattack, an attacker may embed the Coinhive code into a website. When a user visits a website with an embedded Coinhive code, the cryptocurrency called “Monero” is then mined from the user's browser using the computing power or CPU of the website visitor. As of October 21, 2018, the price of one Monero coin is $103.
When the Coinhive code is embedded into the website by a website owner, the cryptomining income goes to the website owner. When the Coinhive code is embedded by a cyberattacker, the cryptomining income goes to the attacker.
Coinhive code made its way to YouTube. In January this year, Trend Microdiscovered that attackers abused Google's DoubleClick ad platform, enabling the attackers to display ads on YouTube that contain the Coinhive code. YouTube visitors in select countries, including Japan, France, Taiwan, Italy and Spain were affected, with 80% of the affected visitor's CPU resource was used to mine the cryptocurrency Monero.
"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google representative said in a statement. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Check Pointranked 3 browser-based cryptocurrency mining scripts Coinhive (ranked #1), Crypto-Loot (ranked #2) and JSEcoin (ranked #4) as “February 2018’s Top 10 ‘Most Wanted’ Malware”.
Here are some of the security measures that need to be put in place in order to prevent attackers from installing malware into your website:
Use a Website Malware Scanner
A website malware scanner allows website owners to check their sites for web-based malware.
Keep All Website Applications Up-to-Date
Ensure that your web applications are up-to-date. Using outdated web applications with known security vulnerabilities can leave your website vulnerable to exploitation by cyberattackers.
Use Web Application Firewall (WAF)
Filtering web traffic via WAF is one of the measures in protecting your website from a successful cyberattack. Your traditional perimeter firewalls don’t protect your website.
Contact ustoday if you need assistance in protecting your website against cyberattacks.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
AI-Powered Cyberthreats Coming Our Way
Researchers at IBM recently developed a malicious software (malware) called “DeepLocker” as a proof-of-concept to raise awareness that AI-powered cyberthreats are coming our way.
What Is DeepLocker?
DeepLocker is a malware that uses as its secret weapon the infamous WannaCry – a malware that locked more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017 and demanded ransom payment from victims for unlocking the computers.
DeepLocker hides the notorious WannaCry in a seemingly innocent video conference app to evade anti-virus and malware scanners. The video conference app operates as a normal video conference software until such time that it detects its target. Once it detects its target it unleashes this hidden cyberweapon.
IBM researchers trained the embedded AI model in DeepLocker to recognize the face of a target individual to act as a triggering condition to unlock WannaCry. The face of the target is, therefore, used as the preprogrammed key to unlock WannaCry.
Once the target sits in front of the computer and uses the malicious video conference app, the camera then feeds the app with the target’s face, and WannaCry will then be secretly executed, locking the victim’s computer and asking the victim to pay ransom to unlock the compromised computer.
DeepLocker is also designed in such a way that other malware, not just WannaCry can be embedded in it. Different AI models, including voice recognition, geolocation and system-level features can also be embedded in this IBM proof-of-concept malware.
Marc Ph. Stoecklin, Principal Research Scientist and Manager of the Cognitive Cybersecurity Intelligence (CCSI) group at the IBM T.J. Watson Research Center, in a blog postsaid, DeepLocker is similar to a sniper attack – a marked contrast to the traditional malware the employs “spray and pray” approach.
Stoecklin added that DeepLocker is good at evasion as it allows 3 layers of attack concealment. “That is, given a DeepLocker AI model alone, it is extremely difficult for malware analysts to figure out what class of target it is looking for,” Stoecklin said. “Is it after people’s faces or some other visual clues? What specific instance of the target class is the valid trigger condition? And what is the ultimate goal of the attack payload?”
There’s no evidence yet that a class of malware similar to DeepLocker is out in the wild. It won’t surprise the community though if this type of malware were already being deployed in the wild. The likelihood of AI-powered malware being deployed in the wild is high as the type of malware used as secret weapon by DeepLocker like WannaCry is publicly available. WannaCry, together with other spying tools, believed to be created by the US National Security Agency (NSA) was leaked to the public more than a year ago. AI models, including facial and voice recognition, are also publicly available.
Trustwaverecently released an open-sourced tool called “Social Mapper”, a tool that uses facial recognition to match social media profiles across a number of different sites on a large scale.
This tool automates the process of searching for names and pictures of individuals in popular social media sites, such as LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban. After scanning the internet, Social Mapper then spits out a report with links to targets’ profile pages as well as photos of the targets.
Trustwave’s Jacob Wilkins said that Social Mapper is meant for penetration testers and red teamers. "Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination …,” Wilkins said.
For target lists of 1000 individuals, Wilkins said that it can take more than 15 hours and can eat up large amount of bandwidth.
Getting Ready for AI-Powered Cyberthreats
Even as cybercriminals are learning the ways of AI to their advantage or weaponize it, cybersecurity professionals, on the other hand, are leveraging the power of artificial intelligence for cybersecurity.
Once such approach is IBM’s proof-of-concept malware, believing that similar to the medical field, examining the virus is necessary to create the vaccine.
AI-powered cyberthreats present a new challenge to cybersecurity professionals. According to IBM’s Stoecklin, AI-powered cyberthreats are characterized by increased evasiveness against rule-based security tools as AI can learn the rules and evade them. AI allows new scales and speeds of acting autonomously and adaptively, Stoecklin added.
To fight against AI-powered threats, Stoecklin said that cybersecurity professionals should focus on the following:
There are existing AI tools that cybersecurity professionals can depend upon. An example of an AI tool is Imperva’s Attack Analytics. This tool uses the power of artificial intelligence to automatically group, consolidate and analyze thousands of web application firewall (WAF) security alerts across different environments, including on-premises WAF, in the cloud or across hybrid environments.
Imperva’s Attack Analytics identifies the most critical security alerts, providing security teams a faster way to respond to critical threats.
A survey conducted by Imperva at the recent RSA security conference found that cybersecurity analysts receive more than 1 million security alerts a day. Artificial intelligence tools like Imperva’s Attack Analytics reduce the time-consuming tasks of identifying and prioritizing security alerts from days or weeks of work into mere minutes of work.
Fighting cyberthreats becomes more and more difficult. You don’t have to do it alone. Contact our expert team today and protect your data.
XMRig: Cryptomining Malware that Works Even Without Web Browser
The cryptocurrency market may have lost nearly 70% of its market cap from the all-time high of $835 billion in December 2017, but this hasn’t stopped malicious individuals from getting ready for the next cryptocurrency bullrun by spreading cryptocurrency mining malware into the wild.
In the past few months, Coinhive, a cryptocurrency malware that works on web browsers, has wrecked havoc on victims’ computers. But another cryptocurrency malware called “XMRig” is starting to make ripples, entering Check Point’s March 2018 top ten most wanted malwareindex in the 8thplace for the first time after a 70% increase in global impact.
Coinhive, ranked number one in Check Point’s March 2018 top ten most wanted malware, is a malware that utilizes scripts in taking over some of the processing power on the computers of website visitors without their permission to mine the cryptocurrency Monero.
Cryptocurrency mining is a process of verifying a transaction and a means by which a new coin is released. In order for the transactions to be verified and coins to be released, computational powers of computers are used.
In an ideal world, owners of computers used for cryptocurrency mining should give their consent and should be compensated. Malicious actors bypass this consent aspect and reap all the financial gains for themselves.
What is XMRig?
The original XMRig is an open source code used to mine the cryptocurrency Monero on computers using Windows operating system. The XMRig open source code is in itself not malicious. There are currently 3 software available to mine Monero but XMRig it seems is a choice among malicious actors.
There’s a demand for Monero as this cryptocurrency boasts of easier mining and untraceable transactions. As of April 20, 2018 (10:30 am GMT+7) one Monero coin is worth $245.
Malicious actors, however, use the XMRig code to conduct illicit mining of Monero cryptocurrency by hijacking the computational power of the infected computers.
XMRig, used as a cryptocurrency malware, was first seen in the wild in May 2017. As of January 2018, Palo Alto Networksestimated that XMRig victimized nearly 15 million people worldwide. The actual number of victims, Palo Alto Networks said, could be much higher.
In September 2017,security researchers Peter Kálnai and Michal Poslušnýreported that crooks made over $63,000 worth of Monero by modifying legitimate open source Monero mining software XMRig.
According to Kálnai and Poslušný, the malicious actors didn’t apply any changes to the XMRig codebase apart from adding a new wallet address, new mining pool URL and commands to “kill all previously running instances of itself so as not to compete with its new instance” – a process that takes more than just a couple of minutes.
It’s not unusual for malicious actors to reuse codes. Attackers often don’t reinvent the wheel if they don’t have to.
Means of Propagation
Unlike CoinHive, the XMRig cryptocurrency malware doesn’t need a web browser in order to hijack the computational power of the infected computers to mine the cryptocurrency Monero.
Here are 2 methods used by malicious actors to hijack computational power of the infected computers to conduct illicit mining of Monero:
1. Exploiting Known Vulnerability in Microsoft IIS 6.0
According to Kálnai and Poslušný, one of the means by which malicious actors propagate XMRig malware is by exploiting CVE-2017-7269, a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003. By exploiting the vulnerability in Microsoft IIS 6.0, an unauthenticated, remote attacker can execute arbitrary code.
The code to exploit this vulnerability is publicly available. Microsoft hasn’t confirmed this particular security vulnerability and neither has it issued a software update for this vulnerability. Technically though, Windows Server 2003 has reached the end of life (EOL) and as such Microsoft no longer issues software updates.
2. Malvertising Campaign
Adf.ly is an advertising service that pays users when their URLs are clicked. According to Palo Alto Networks, victims were presented with these Adfly advertising URLs, clicked on the provided link, were redirected and found themselves downloading the XMRig cryptocurrency malware onto their computers.
Server Operating System (OS) Attacks
Servers are particularly attractive to attackers as these machines have more computing power, run 24/7 and connect to reliable power source. The reality is that many organizations still use outdated server OS like Windows Server 2003. These outdated server OS are susceptible to repeated exploitation and infection like the XMRig cryptocurrency malware. Cryptocurrency malware like XMRig can result in the slow performance of the servers, shorten the lifespan of these machines and more electricity consumption.
“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a statement. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”
How to Prevent XMRig Cryptocurrency Malware Attacks
Here are some of the ways to prevent XMRig cryptocurrency malware attacks:
1. Use Up-to-Date Software, Server OS
In the case of Windows Server 2003, as the vendor, Microsoft in this case, has stopped issuing security updates, attackers then have a free pass on attacking this system, for instance, attacking a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003.
It’s therefore important to keep your organization’s OS server and all other software up-to-date.
2. Use Ad Blocker
Another way to prevent XMRig cryptocurrency malware is to use an ad blocker. With an ad blocker, you and your staff won’t anymore be susceptible to malvertising link that once clicked, redirects and downloads the XMRig cryptocurrency malware onto computers. An ad block blocks pop-ups, banners, video ads and other intrusive advertising, as well as malware.
Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware
Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.
As of December 4, 2017, Bitcoin is worth near $11,000. Other cryptocurrencies have also increased their value. For example, Monero cryptocurrency is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.
Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.
Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.
In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just anybody with just the use ordinary desktops, laptops and even smartphones.
Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency increases "tenfold". "There's been a huge spike," said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin's value.
Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.
Adylkuzz Cryptocurrency Malware
Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.
The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.
Monero mining – courtesy by Adylkuzz malware – operates in the background and users of compromised computers are unlikely to notice this unauthorized activity.
Cryptojacking refers to the malicious installation of crypto mining software in a website without the knowledge and consent of the owner as well as lack of knowledge and consent of website visitors.
Once CoinHive is installed in a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoins by selling it to a number of trading exchanges that also allow anonymity.
There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.
Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores were done maliciously as these store owners are less likely to earn few extra money through crypto mining.
The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.
In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.
Malwarebytes' security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.
Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:
Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar's clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.
“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”
Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”
How to Prevent Cryptocurrency Mining Attacks
Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.
Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.
Here are some tips on how to prevent cryptocurrency mining attacks:
Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.
To ensure that your browser stays close even after clicking the “x” button, run Task Manager and terminate running browser.
Hackers Use Google Search Results to Spread Malware
Cybercriminals are continually finding new ways to distribute their malicious software. This time, they took advantage of Google search results in spreading their malware.
Researchers at Cisco discovered that Google search results are being used by cybercriminals for spreading their malware. Cybercriminals took advantage of the links provided by Google search results in spreading the new version of the banking malware dubbed as “Zeus Panda”, also known as “Panda Banker”.
Google search is the digital world’s go-to place whenever we want to know something. Google answers our questions by providing links that it believes (based on its algorithm or criteria) are the best responses to our queries.
Billions of people around the world are using Google search. According to StatCounter, a Dublin-based web tracking service, as of October 2017, Google received the bulk of the search engine market share worldwide (91.47%), followed by Bing (2.75%), Yahoo (2.25%) and Baidu (1.8%).
Zeus Panda, the malware distributed by the threat actors via malicious links on Google search, is a malware that borrows some of the code of another malware called “Zeus” – a malware that first appeared in 2007. Cybercriminals have since earned hundreds of millions of dollars using the Zeus malware by stealing banking credentials and generating fraudulent banking transactions.
How Zeus Panda Spreads via Google Search ResultsIn order that these malicious links show up on the first page of Google search results, threat actors used the process called “SEO”, short for search engine optimization. Google, for its part, allows legitimate SEO – referred to as "whitehat" SEO. One of the legitimate SEO techniques used by the threat actors is the use of targeted banking related keywords to zero in their target victims.
“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.,” Cisco researchers said.
Threat actors, for instance, used the banking related keywords "al rajhi bank working hours during ramadan". The screencap below from Cisco researchers shows one of the top links in the Google search results for the above-mentioned keywords.
Below are the other keywords used by the threat actors:
"nordea sweden bank account number"
"how many digits in karur vysya bank account number"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
As can be gleaned from the above-mentioned keywords, certain geographic regions appear to be directly targeted, with many of these keywords targeting users trying to search about financial institutions in India as well as the Middle East. The treat actors compromised business websites that have received high number of reviews and high ratings to appear legitimate to victims. Once a victim clicks on this compromised link, a multi-stage malware infection process is then initiated.
As shown below, the victim is redirected to a compromised site that shows a fake alert from Windows Defender that the Zeus virus is detected.
Once the victim clicks the “OK” button, the victim is once again redirected to another compromised site which hosts a malicious Word document as shown below.
Clicking on the "Enable Editing" and click "Enable Content" will initiate the downloading of the new version of Zeus Panda malware into the victim's computer.
This new version of Zeus Panda shares many characteristics of its predecessor Zeus Panda. Both borrowed the code of Zeus malware – the creator of which released the source code to the public in 2011. Both are designed to steal banking and other sensitive credentials and conduct fraudulent banking transactions.
Zeus Panda malware was first discovered by the researcher only known as “Fox IT” in February 2016. As reported by Proofpoint, this early version of Zeus Panda stole banking credentials of customers from European and Australian banks, UK online casinos and international online payment systems.
Unlike the new version of the malware which uses Google search results to spread the malware, the older version of Zeus Panda was spread using malicious email attachments, malicious email links and web injects.
In August 2016, Proofpoint found that millions of emails were sent to organizations involved in manufacturing, retail, insurance and related sector. The email messages masquerading as coming from legitimate banks contained malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download Zeus Panda malware.
In October of this year, IBM reported that customers in North America were targeted by the Zeus Panda malware. For this October 2017 campaign, IBM said, the threat actors distributed the malware via malicious emails purporting to come from courier services like UPS. These fake emails, according to IBM, contain embedded links that lead the recipient to a site infected by Zeus Panda malware.
According to Proofpoint, the early version of Zeus Panda was also spread using web injects – a process by which cybercriminals intercept online banking traffic and modify banking sites on infected computers in order to carry out man-in-the-browser (MITB) attacks. In carrying out MITB attacks, threat actors infect a web browser to modify web pages of banks, online casinos and international online payment systems and modify the transaction content.
How to Prevent Zeus Panda Attacks
In order to prevent being a victim of the Zeus Panda malware, it’s important to think twice before clicking anything online and opening an email attachment. As shown by the new version of Zeus Panda, it’s important to remain discerning and vigilant in the results of a Google search.
Cisco researchers who discovered the new version of Zeus Panda said, “Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape.”
Ramnit Malware Makes a Comeback via Google Play
Ramnit, the once notorious malware that infected 3.2 million computers around the world, has resurfaced via infected apps on Google Play.
Symantec researchers found 92 distinct apps on Google Play with a total of 250,000 downloads laden with Ramnit malware. Some of the Ramnit-infected apps that turned up on Google Play were educational and tutorial apps.
Symantec informed Google of the presence of these infected apps and the company has removed them from the app store. This isn’t the first time that Ramnit-infected apps have turned up on Google Play. In March of this year, more than 100 Ramnit-infected apps were similarly removed from Google Play.
Ramnit first appeared in the wild in 2010. In February 2015, a law enforcement operation led by the European Union Agency for Law Enforcement Cooperation (Europol) crippled the operation of the cybercrime group behind Ramnit by shutting down the command and control servers, as well as shutting down and 300 internet domain addresses used by the group. At the time, the group already infected 3.2 million computers in total and defrauding undetermined large number of victims.
The law enforcement operation against the group behind Ramnit was participated by investigators from Germany, Italy, the Netherlands and the UK. Representatives from the private industry like Symantec and Microsoft were also involved in the law enforcement operation.
Ramnit is a multi-feature cybercrime tool. It compromised a victim in the following manner:
This malware monitors web browsing activities and detects when certain websites like online banking sites are visited. Ramnit can inject itself into the web browser and alter the website of the bank to make it appear that the bank is asking the user additional information like credit card details.
This malware can hijack online banking sessions. Ramnit attackers achieve this by stealing session cookies from web browsers and by using the stolen cookies to impersonate victims to authenticate themselves on websites.
This malware scans computer’s hard drive. It’s configured in such a way to search for specific folders that are considered likely to contain sensitive information like passwords.
This malware can gain remote access – upload, download, or delete files and execute commands – on the victim’s computer in two ways: by connecting to an anonymous FTP server and by Virtual network computing (VNC) module.
Ramnit is a persistent cyber threat. The malware’s creators made sure that once a computer is infected it’ll be difficult to remove the malware from the compromised computer.
Once the malware is installed on the compromised computer, it copies itself to the computer’s memory, hard drive and removable drive. The malware’s version that’s copied to the computer’s memory checks the hard disk-based copy of the malware. If the memory-based copy of the malware detects that the hard disk-based copy has been quarantined or removed, it’ll create another malware copy for the hard disk to sustain the infection.
Microsoft describes Ramnit malware this way: "This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running."
How Ramnit Spreads
While the latest method of propagation of Ramnit is via Android apps, this doesn’t, however, mean that this malware works with Android devices. Since its appearance in 2010, this malware has always been a threat to computers using Windows as an operating system.
Ramnit won’t run on your Android device even if you’ve the misfortune of downloading a Ramnit-infected app on Google Play. In order for the Windows infection to happen, an Android device loaded with a Ramnit-infected app has to be connected to a Windows computer. Once the malware compromised a Windows computer, it searches for all exe, .dll, .htm, and .html files on any removable drives like USB drive and the local hard disk and infects them by making copies of itself.
“The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser,” Symantec said.
Ramnit malware is one of the reasons why it’s unsafe to use or borrow removable drive or USB flash drive of another. You never know, this USB drive may be laden with the Ramnit malware.
In addition to propagating the malware through infected apps and through infected removable drives, Ramnit attackers also spread the malware through malicious emails and exploit kits served through malicious advertisements on social media pages and websites. Public FTP servers are also used by Ramnit attackers to distribute the malware. The Europol considers Ramnit as a botnet.
“This botnet – a term used to describe a network of infected computers - was used by the criminals running it to gain remote access and control of the infected computers, enabling them to steal personal and banking information, namely passwords, and disable antivirus protection,” Europol said. “This malware, infecting users running Windows operating systems, explored different infection vectors such as links contained in spam emails or by visiting infected websites.”
"Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide,” Symantec said. “We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.”
How to Prevent Ramnit Attacks
According to Microsoft, Windows Defender Antivirus detects and removes Ramnit malware.
Here are additional tips for preventing Ramnit attacks:
Bad Rabbit Ransomware, New variant of NotPetya, Is Spreading
Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.
According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%) Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).
NotPetya versus Bad Rabbit
NotPetya is a malicious software (malware) that was released into the wild in June of this year. It wreaked havoc to thousands of computers worldwide, including Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications, FedEx are some of the victims of NotPetya.
Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files are encrypted. Both malware have the same style of ransom note, suggesting to victims to pay certain amount to get access to files. Both are worms, which mean that they’ve the ability to self-propagate – self-reproduce by infecting other computers in the network.
One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.
EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) in exploiting the vulnerabilities in Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.
The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than a ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper as the encrypted files can be recovered if the key is known.
How Bad Rabbit Works
Bad Rabbit infects victims’ computers in the following manner:
The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.
Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.
Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.
Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-sourced tools described below into the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible though that victims may have been redirected there from another compromised sites, Symantec said.
Mimikatz is an open-sourced tool used for changing privileges and recovering Windows passwords in plaintext.
In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.
ReactOS is an open-sourced tool that’s used as an alternative to Windows operating system. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.
DiskCryptor is an open-sourced tool that’s used to perform encryption. After individual files in the victim’s computer are encrypted, Bad Rabbit will then conduct a full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom amounting to 0.05 Bitcoin (US$280).
Bad Rabbit spreads to other vulnerable computers in the network by using EternalRomance, an exploit that bypasses security over Server Message Block (SMB) – referred to as the transport protocol used by computers using Windows operating system for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.
According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers have already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”
"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.
How to Prevent Bad Rabbit Attacks
As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.
Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has already been made available by Microsoft since March 17, 2017.
"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"
In an effort to keep your all software up-to-date, be careful though of falling into traps of fake updates.
Fake Adobe Flash Player update has long been the favorite of many cyber criminals as they always find security vulnerabilities of this software. If an update pops up in your monitor, don’t click the button, and visit the official Adobe website for updates.
4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks
WannaCry and NotPetya, also known as Petya, have been the most talked about cyber attacks in the past three months. WannaCry was released into the wild in May this year; NotPetya in June this year.
Their popularity is understandable given that the combined victims of these two cyber attacks reached hundreds of thousands worldwide, with WannaCry affecting over 300,000 computers in 150 countries; NotPetya affecting over 12,500 computers in 65 countries.
Most importantly, these two cyber attacks, labeled as ransomware – malicious software that encrypts computer data and asks for ransom money to unlock it – victimized big corporations and big government institutions worldwide.
WannaCry disrupted the operations of UK’s National Health Service, U.S. express delivery company FedEx and Renault's assembly plant in Slovenia. NotPetya, on the other hand, disrupted the operations of the Chernobyl nuclear plant, U.S.-based pharmaceutical company Merck and Danish shipping firm Maersk.
While big corporations affected by NotPetya such as Nuance, TNT Express, Saint-Gobain, Reckitt Benckiser Group and Mondelēz International publicly acknowledged that their operations have been disrupted, and they have suffered economic losses because of the attack, these big corporations have proven their resilience.
“If a public breach damages a brand and causes customers to switch to a competitor, a larger business can weather the impact better than a smaller business,” Cisco said in its 2017 midyear cyber security report. “When attackers breach networks and steal information, small and medium-sized businesses (SMBs) are less resilient in dealing with the impacts than larger organizations.”
Here are 4 lessons small businesses can learn from WannaCry and NotPetya cyber attacks:
1. Use the Latest Operating System
Users of old operating systems are vulnerable to cyber attacks.
Majority of NotPetya ransomware infections, according to Microsoft in a bulletin dated June 29, this year, were observed in computers using Windows 7. Windows 10, on the other hand, according to Microsoft is resilient against the NotPetya ransomware attack.
For WannaCry, users of old Microsoft operating systems – in particular, Windows XP, Windows 8 and Windows Server 2003 – fell victim to this malicious software. Microsoft ended its support for Windows XP on April 8, 2014; Windows Server 2003 on July 14, 2015; and Windows 8 on January 13, 2016.
For Windows XP, Microsoft issued this statement:
"After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system – such as Windows 10 – so you can receive regular security updates to protect their computer from malicious attacks."
In the paper “The hackers holding hospitals to ransom” published in the British Medical Journal (BMJ) two days before the WannaCry attack, Krishna Chinthapalli, a doctor at the National Hospital for Neurology and Neurosurgery in London, found that a number of British hospitals were using Windows XP, an operating system introduced by Microsoft in 2001.
2. Install Security Update of the Latest Operating System
Even if you’re using the latest operating system and you fail to install the latest security update or patch, your computers are still vulnerable to cyber attacks.
Users of Windows 10 – the latest operating system from Microsoft – who failed to install the security update released by Microsoft on March 14, 2017 fell victim to WannaCry.
Microsoft said that its March 14, 2017 update resolves vulnerabilities in Microsoft Windows that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” WannaCry exactly exploited this specific security vulnerability mentioned in the March 14th update by Microsoft.
3. Paying Ransom Isn’t a Guarantee that You’ll Get Your Data Back
In a typical ransomware, computer data is encrypted, a ransom note is shown on the computer screen of the victim, the victim pays and the victim recovers data as the data is decrypted.
WannaCry victims paid close to $100,000 – paid in bitcoins; NotPetya victims paid close to $10,000. These earnings are stark contrast to the number one top grossing ransomware Locky which earned $7.8 million, and the second top grossing ransomware Cerber which earned $6.9 million based on the data provided in a Google-led study (PDF).
The reason why these two didn’t earn that much bitcoins is that many victims early on knew that these malicious programs couldn’t restore their data despite paying ransom. According to the Google-led study, WannaCry and NotPetya are "impostors” as they are in reality “wipeware” pretending to be ransomware.
Matt Suiche from Comae Technologies concluded that NotPetya is a wiper as it “does permanent and irreversible damages to the disk”. Suiche differentiates a wiper and a ransomware, this way: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims of NotPetya also can’t pay ransom as the payment email address isn’t accessible anymore. The email address specified in the NotPetya ransomware notice was immediately blocked by the email provider Posteo. The perpetrator or perpetrators of NotPetya also didn’t replace the blocked address with another one.
In the case of WannaCry, McAfee researchers found that while WannaCry can decrypt files, “WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.”
4. Backup Your Data
Make your organization resilient to cyber attacks by backing up your critical data. You can always get back your operating system or other software applications by reinstalling them. It may, however, be impossible to recreate your data lost to cyber criminals. It’s important then to always backup your critical data.
Backing up data on a regular basis isn’t just helpful in case cyber attackers corrupt your data, it’s also valuable in case your computers are stolen or destroyed as result of fire or other disasters.
Steve E. Driz