Search Engines Blacklist Fewer Sites, Study Shows

A study conducted by SiteLock showed that search engines are blacklisting fewer sites.

Blacklisting happens when a search engine removes a website from its results due to the presence of a malicious software (malware).

In the second quarter of 2018, SiteLockanalyzed over 6 million websites through the use of malware scanners. SiteLock’s analysis showed that search engines like Google and Bing only blacklisted 17.5% of infected websites with malware in the second quarter of 2018, a 6% decrease from the previous year.

Prevalence of Website Malware

Website visitors and website owners alike rely on search engine warnings. On the part of website visitors, they rely on search engines to flag malicious websites that may leave them unprotected as they surf the web.

According to SiteLock, when website owners rely mainly on search engine warnings and outwardly facing symptoms, they may be missing malware that’s attacking their website visitors.

Even as search engines are blacklisting fewer sites, malicious websites aren’t getting fewer. SiteLock’s study showed that 9% or as many as 1.7 million websites have a major security vulnerability that could allow attackers to embed malware on them. The 3 most common security vulnerabilities on websites identified by SiteLock are SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).

SQLi security vulnerability allows attackers to inject malicious database code into website text fields or forms. In an SQL injection attack, an attacker can gain full access to the website’s MySQL database, administrative back end or the entire website. MySQL refers to an open source management system that makes it convenient to add, access and manage content in a website's database. 

XSS security vulnerability allows attackers to inject malicious code into a web form or web application. In a cross-site scripting attack, the web application is tricked into doing something that it isn’t supposed to do. CSRF, meanwhile, is often used with social engineering – tricking victims. In a cross-site request forgery attack, an attacker forces authenticated users to do unauthorized actions while logged into a vulnerable web application.

SiteLock’s sampled websites showed that 7.19% of sites have an SQLi vulnerability, 1.56% of sites have an XSS vulnerability and .19% of sites have a CSRF vulnerability.

Browser-Based Cryptojacking

SiteLock’s study also found that sampled websites experience an average of 58 attacks per day, with 1% of the sites infected with a malware. The study further found that website attacks are becoming increasingly sneaky and difficult to detect. An example of a symptomless attack on websites is the browser-based cryptojacking, which doubled (2%) in number compared to last year’s number (1%), according to SiteLock’s study. In browser-based cryptojacking, an attacker hijacks a browser to mine a cryptocurrency.

McAfee’s Blockchain Threat Reportshowed that nearly 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent. This number, according to McAfee Labs, only accounts for non-obfuscated sites, which means that the actual number is likely much higher.

As it stands, Coinhive resides in a gray area of legitimacy. In an ideal world, both the website owner and website visitor must consent to Coinhive’s browser-based cryptocurrency mining. 

A website owner or, in the case of a cyberattack, an attacker may embed the Coinhive code into a website. When a user visits a website with an embedded Coinhive code, the cryptocurrency called “Monero” is then mined from the user's browser using the computing power or CPU of the website visitor. As of October 21, 2018, the price of one Monero coin is $103.

When the Coinhive code is embedded into the website by a website owner, the cryptomining income goes to the website owner. When the Coinhive code is embedded by a cyberattacker, the cryptomining income goes to the attacker.

Coinhive code made its way to YouTube. In January this year, Trend Microdiscovered that attackers abused Google's DoubleClick ad platform, enabling the attackers to display ads on YouTube that contain the Coinhive code. YouTube visitors in select countries, including Japan, France, Taiwan, Italy and Spain were affected, with 80% of the affected visitor's CPU resource was used to mine the cryptocurrency Monero.

"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google representative said in a statement. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

Check Pointranked 3 browser-based cryptocurrency mining scripts Coinhive (ranked #1), Crypto-Loot (ranked #2) and JSEcoin (ranked #4) as “February 2018’s Top 10 ‘Most Wanted’ Malware”.

Prevention

Here are some of the security measures that need to be put in place in order to prevent attackers from installing malware into your website:

Use a Website Malware Scanner

A website malware scanner allows website owners to check their sites for web-based malware.

Keep All Website Applications Up-to-Date

Ensure that your web applications are up-to-date. Using outdated web applications with known security vulnerabilities can leave your website vulnerable to exploitation by cyberattackers.

Use Web Application Firewall (WAF) 

Filtering web traffic via WAF is one of the measures in protecting your website from a successful cyberattack. Your traditional perimeter firewalls don’t protect your website.

Contact ustoday if you need assistance in protecting your website against cyberattacks.

Difference Between Malware Outbreak and Ransomware Attack

Are malware outbreak and ransomware attack the same or are they totally different?

The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.

Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.

To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.

CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.

The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".

When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.

What Is Ryuk?

Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.

Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.

According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.

The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".

What Is a Malware Outbreak?

Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.

Preventive Measures

Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:

Keep All Software Up-to-Date

Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.

Practice Network Segmentation

Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.

Contain the Outbreak

It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.

One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.

Full Malware Eradication Process

Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.

Backup Critical Files 

Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.

When you need help, contactour cybersecurity experts and protect your data.

AI-Powered Cyberthreats Coming Our Way

Researchers at IBM recently developed a malicious software (malware) called “DeepLocker” as a proof-of-concept to raise awareness that AI-powered cyberthreats are coming our way.

What Is DeepLocker?

DeepLocker is a malware that uses as its secret weapon the infamous WannaCry – a malware that locked more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017 and demanded ransom payment from victims for unlocking the computers.

DeepLocker hides the notorious WannaCry in a seemingly innocent video conference app to evade anti-virus and malware scanners. The video conference app operates as a normal video conference software until such time that it detects its target. Once it detects its target it unleashes this hidden cyberweapon.

IBM researchers trained the embedded AI model in DeepLocker to recognize the face of a target individual to act as a triggering condition to unlock WannaCry. The face of the target is, therefore, used as the preprogrammed key to unlock WannaCry.

Once the target sits in front of the computer and uses the malicious video conference app, the camera then feeds the app with the target’s face, and WannaCry will then be secretly executed, locking the victim’s computer and asking the victim to pay ransom to unlock the compromised computer.

DeepLocker is also designed in such a way that other malware, not just WannaCry can be embedded in it. Different AI models, including voice recognition, geolocation and system-level features can also be embedded in this IBM proof-of-concept malware.

Marc Ph. Stoecklin, Principal Research Scientist and Manager of the Cognitive Cybersecurity Intelligence (CCSI) group at the IBM T.J. Watson Research Center, in a blog postsaid, DeepLocker is similar to a sniper attack – a marked contrast to the traditional malware the employs “spray and pray” approach.

Stoecklin added that DeepLocker is good at evasion as it allows 3 layers of attack concealment. “That is, given a DeepLocker AI model alone, it is extremely difficult for malware analysts to figure out what class of target it is looking for,” Stoecklin said. “Is it after people’s faces or some other visual clues? What specific instance of the target class is the valid trigger condition? And what is the ultimate goal of the attack payload?”

There’s no evidence yet that a class of malware similar to DeepLocker is out in the wild. It won’t surprise the community though if this type of malware were already being deployed in the wild. The likelihood of AI-powered malware being deployed in the wild is high as the type of malware used as secret weapon by DeepLocker like WannaCry is publicly available. WannaCry, together with other spying tools, believed to be created by the US National Security Agency (NSA) was leaked to the public more than a year ago. AI models, including facial and voice recognition, are also publicly available.

Trustwaverecently released an open-sourced tool called “Social Mapper”, a tool that uses facial recognition to match social media profiles across a number of different sites on a large scale.

This tool automates the process of searching for names and pictures of individuals in popular social media sites, such as LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban. After scanning the internet, Social Mapper then spits out a report with links to targets’ profile pages as well as photos of the targets.

Trustwave’s Jacob Wilkins said that Social Mapper is meant for penetration testers and red teamers. "Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination …,” Wilkins said.

For target lists of 1000 individuals, Wilkins said that it can take more than 15 hours and can eat up large amount of bandwidth.

Getting Ready for AI-Powered Cyberthreats

Even as cybercriminals are learning the ways of AI to their advantage or weaponize it, cybersecurity professionals, on the other hand, are leveraging the power of artificial intelligence for cybersecurity.

Once such approach is IBM’s proof-of-concept malware, believing that similar to the medical field, examining the virus is necessary to create the vaccine.

AI-powered cyberthreats present a new challenge to cybersecurity professionals. According to IBM’s Stoecklin, AI-powered cyberthreats are characterized by increased evasiveness against rule-based security tools as AI can learn the rules and evade them. AI allows new scales and speeds of acting autonomously and adaptively, Stoecklin added.

To fight against AI-powered threats, Stoecklin said that cybersecurity professionals should focus on the following:

• Use of AI that goes beyond rule-based security against AI-powered cyberthreats
• Use cyber deception to misdirect and deactivate AI-powered attacks
• Monitor and analyze how apps function across different devices, and flagging events when a new app makes unanticipated actions

There are existing AI tools that cybersecurity professionals can depend upon. An example of an AI tool is Imperva’s Attack Analytics. This tool uses the power of artificial intelligence to automatically group, consolidate and analyze thousands of web application firewall (WAF) security alerts across different environments, including on-premises WAF, in the cloud or across hybrid environments.

Imperva’s Attack Analytics identifies the most critical security alerts, providing security teams a faster way to respond to critical threats.

A survey conducted by Imperva at the recent RSA security conference found that cybersecurity analysts receive more than 1 million security alerts a day. Artificial intelligence tools like Imperva’s Attack Analytics reduce the time-consuming tasks of identifying and prioritizing security alerts from days or weeks of work into mere minutes of work.

Fighting cyberthreats becomes more and more difficult. You don’t have to do it alone. Contact our expert team today and protect your data.

XMRig: Cryptomining Malware that Works Even Without Web Browser 

The cryptocurrency market may have lost nearly 70% of its market cap from the all-time high of $835 billion in December 2017, but this hasn’t stopped malicious individuals from getting ready for the next cryptocurrency bullrun by spreading cryptocurrency mining malware into the wild.

In the past few months, Coinhive, a cryptocurrency malware that works on web browsers, has wrecked havoc on victims’ computers. But another cryptocurrency malware called “XMRig” is starting to make ripples, entering Check Point’s March 2018 top ten most wanted malwareindex in the 8^thplace for the first time after a 70% increase in global impact.

Coinhive, ranked number one in Check Point’s March 2018 top ten most wanted malware, is a malware that utilizes scripts in taking over some of the processing power on the computers of website visitors without their permission to mine the cryptocurrency Monero.

Cryptocurrency mining is a process of verifying a transaction and a means by which a new coin is released. In order for the transactions to be verified and coins to be released, computational powers of computers are used.

In an ideal world, owners of computers used for cryptocurrency mining should give their consent and should be compensated. Malicious actors bypass this consent aspect and reap all the financial gains for themselves.

What is XMRig?

The original XMRig is an open source code used to mine the cryptocurrency Monero on computers using Windows operating system. The XMRig open source code is in itself not malicious. There are currently 3 software available to mine Monero but XMRig it seems is a choice among malicious actors. 

There’s a demand for Monero as this cryptocurrency boasts of easier mining and untraceable transactions. As of April 20, 2018 (10:30 am GMT+7) one Monero coin is worth $245.

Malicious actors, however, use the XMRig code to conduct illicit mining of Monero cryptocurrency by hijacking the computational power of the infected computers. 

XMRig, used as a cryptocurrency malware, was first seen in the wild in May 2017. As of January 2018, Palo Alto Networksestimated that XMRig victimized nearly 15 million people worldwide. The actual number of victims, Palo Alto Networks said, could be much higher.

In September 2017,security researchers Peter Kálnai and Michal Poslušnýreported that crooks made over $63,000 worth of Monero by modifying legitimate open source Monero mining software XMRig.

According to Kálnai and Poslušný, the malicious actors didn’t apply any changes to the XMRig codebase apart from adding a new wallet address, new mining pool URL and commands to “kill all previously running instances of itself so as not to compete with its new instance” – a process that takes more than just a couple of minutes.

It’s not unusual for malicious actors to reuse codes. Attackers often don’t reinvent the wheel if they don’t have to.

Means of Propagation

Unlike CoinHive, the XMRig cryptocurrency malware doesn’t need a web browser in order to hijack the computational power of the infected computers to mine the cryptocurrency Monero.

Here are 2 methods used by malicious actors to hijack computational power of the infected computers to conduct illicit mining of Monero:

1. Exploiting Known Vulnerability in Microsoft IIS 6.0

According to Kálnai and Poslušný, one of the means by which malicious actors propagate XMRig malware is by exploiting CVE-2017-7269, a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003. By exploiting the vulnerability in Microsoft IIS 6.0, an unauthenticated, remote attacker can execute arbitrary code.

The code to exploit this vulnerability is publicly available. Microsoft hasn’t confirmed this particular security vulnerability and neither has it issued a software update for this vulnerability. Technically though, Windows Server 2003 has reached the end of life (EOL) and as such Microsoft no longer issues software updates.

2. Malvertising Campaign

Adf.ly is an advertising service that pays users when their URLs are clicked. According to Palo Alto Networks, victims were presented with these Adfly advertising URLs, clicked on the provided link, were redirected and found themselves downloading the XMRig cryptocurrency malware onto their computers.

Server Operating System (OS) Attacks

Servers are particularly attractive to attackers as these machines have more computing power, run 24/7 and connect to reliable power source. The reality is that many organizations still use outdated server OS like Windows Server 2003. These outdated server OS are susceptible to repeated exploitation and infection like the XMRig cryptocurrency malware. Cryptocurrency malware like XMRig can result in the slow performance of the servers, shorten the lifespan of these machines and more electricity consumption.

“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a statement. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

How to Prevent XMRig Cryptocurrency Malware Attacks

Here are some of the ways to prevent XMRig cryptocurrency malware attacks:

1. Use Up-to-Date Software, Server OS 

In the case of Windows Server 2003, as the vendor, Microsoft in this case, has stopped issuing security updates, attackers then have a free pass on attacking this system, for instance, attacking a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003.

It’s therefore important to keep your organization’s OS server and all other software up-to-date.

2. Use Ad Blocker

Another way to prevent XMRig cryptocurrency malware is to use an ad blocker. With an ad blocker, you and your staff won’t anymore be susceptible to malvertising link that once clicked, redirects and downloads the XMRig cryptocurrency malware onto computers. An ad block blocks pop-ups, banners, video ads and other intrusive advertising, as well as malware.

Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware

Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.

As of December 4, 2017, Bitcoin is worth near $11,000. Other cryptocurrencies have also increased their value. For example, Monero cryptocurrency is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.

Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.

Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.

In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just anybody with just the use ordinary desktops, laptops and even smartphones.

Cryptocurrency-Themed Malware

Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency increases "tenfold". "There's been a huge spike," said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin's value.

Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.

Adylkuzz Cryptocurrency Malware

Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.

The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.

Monero mining – courtesy by Adylkuzz malware – operates in the background and users of compromised computers are unlikely to notice this unauthorized activity.

Cryptojacking

Cryptojacking refers to the malicious installation of crypto mining software in a website without the knowledge and consent of the owner as well as lack of knowledge and consent of website visitors.

Coinhive is a software that enables cryptocurrency miners to install Monero cryptocurrency mining code on a website using JavaScript. Coinhive operates on the premise that cryptocurrency mining can be a means for website owners to earn revenue, in lieu of advertising.

Once CoinHive is installed in a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoins by selling it to a number of trading exchanges that also allow anonymity.

There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.

Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores were done maliciously as these store owners are less likely to earn few extra money through crypto mining.

The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.

In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.

Malwarebytes' security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.

Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:

1. Once a user visits a compromised website, the crypto mining code is then silently loaded.
2. CPU power of the site visitor is used for cryptocurrency mining activity.
3. Even when the user leaves the site and closes the Chrome browser, the CPU activity of the user still remains higher than normal as crypto mining continues.

Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar's clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.

“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”

Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”

How to Prevent Cryptocurrency Mining Attacks

Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.

Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.

Here are some tips on how to prevent cryptocurrency mining attacks:

Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.

To ensure that your browser stays close even after clicking the “x” button, run Task Manager and terminate running browser.

Hackers Use Google Search Results to Spread Malware

Ramnit Malware Makes a Comeback via Google Play

Ramnit, the once notorious malware that infected 3.2 million computers around the world, has resurfaced via infected apps on Google Play.

Symantec researchers found 92 distinct apps on Google Play with a total of 250,000 downloads laden with Ramnit malware. Some of the Ramnit-infected apps that turned up on Google Play were educational and tutorial apps.

Symantec informed Google of the presence of these infected apps and the company has removed them from the app store. This isn’t the first time that Ramnit-infected apps have turned up on Google Play. In March of this year, more than 100 Ramnit-infected apps were similarly removed from Google Play.

Ramnit first appeared in the wild in 2010. In February 2015, a law enforcement operation led by the European Union Agency for Law Enforcement Cooperation (Europol) crippled the operation of the cybercrime group behind Ramnit by shutting down the command and control servers, as well as shutting down and 300 internet domain addresses used by the group. At the time, the group already infected 3.2 million computers in total and defrauding undetermined large number of victims.

The law enforcement operation against the group behind Ramnit was participated by investigators from Germany, Italy, the Netherlands and the UK. Representatives from the private industry like Symantec and Microsoft were also involved in the law enforcement operation.

Ramnit Features

Ramnit is a multi-feature cybercrime tool. It compromised a victim in the following manner:

Spy Tool

This malware monitors web browsing activities and detects when certain websites like online banking sites are visited. Ramnit can inject itself into the web browser and alter the website of the bank to make it appear that the bank is asking the user additional information like credit card details.

Cookie Grabber

This malware can hijack online banking sessions. Ramnit attackers achieve this by stealing session cookies from web browsers and by using the stolen cookies to impersonate victims to authenticate themselves on websites.

Drive Scanner

This malware scans computer’s hard drive. It’s configured in such a way to search for specific folders that are considered likely to contain sensitive information like passwords.

Remote Access

This malware can gain remote access – upload, download, or delete files and execute commands – on the victim’s computer in two ways: by connecting to an anonymous FTP server and by Virtual network computing (VNC) module.

Persistent Threat

Ramnit is a persistent cyber threat. The malware’s creators made sure that once a computer is infected it’ll be difficult to remove the malware from the compromised computer.

Once the malware is installed on the compromised computer, it copies itself to the computer’s memory, hard drive and removable drive. The malware’s version that’s copied to the computer’s memory checks the hard disk-based copy of the malware. If the memory-based copy of the malware detects that the hard disk-based copy has been quarantined or removed, it’ll create another malware copy for the hard disk to sustain the infection.

Microsoft describes Ramnit malware this way: "This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running."

How Ramnit Spreads

While the latest method of propagation of Ramnit is via Android apps, this doesn’t, however, mean that this malware works with Android devices. Since its appearance in 2010, this malware has always been a threat to computers using Windows as an operating system.

Ramnit won’t run on your Android device even if you’ve the misfortune of downloading a Ramnit-infected app on Google Play. In order for the Windows infection to happen, an Android device loaded with a Ramnit-infected app has to be connected to a Windows computer. Once the malware compromised a Windows computer, it searches for all exe, .dll, .htm, and .html files on any removable drives like USB drive and the local hard disk and infects them by making copies of itself.

“The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser,” Symantec said.

Ramnit malware is one of the reasons why it’s unsafe to use or borrow removable drive or USB flash drive of another. You never know, this USB drive may be laden with the Ramnit malware.

In addition to propagating the malware through infected apps and through infected removable drives, Ramnit attackers also spread the malware through malicious emails and exploit kits served through malicious advertisements on social media pages and websites. Public FTP servers are also used by Ramnit attackers to distribute the malware. The Europol considers Ramnit as a botnet.

“This botnet – a term used to describe a network of infected computers - was used by the criminals running it to gain remote access and control of the infected computers, enabling them to steal personal and banking information, namely passwords, and disable antivirus protection,” Europol said. “This malware, infecting users running Windows operating systems, explored different infection vectors such as links contained in spam emails or by visiting infected websites.”

"Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide,” Symantec said. “We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.”

How to Prevent Ramnit Attacks

According to Microsoft, Windows Defender Antivirus detects and removes Ramnit malware.

Here are additional tips for preventing Ramnit attacks:

1. Keep your operating system and all software up-to-date.
2. Only install apps from trusted sources.
3. Carefully scrutinize the permissions requested by an app.
4. Exercise caution with emails and websites. Think before you click anything.
5. Backup your data.

Bad Rabbit Ransomware, New variant of NotPetya, Is Spreading

Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.

According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%) Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).

NotPetya versus Bad Rabbit

NotPetya is a malicious software (malware) that was released into the wild in June of this year. It wreaked havoc to thousands of computers worldwide, including Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications, FedEx are some of the victims of NotPetya.

Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files are encrypted. Both malware have the same style of ransom note, suggesting to victims to pay certain amount to get access to files. Both are worms, which mean that they’ve the ability to self-propagate – self-reproduce by infecting other computers in the network.

One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.

EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) in exploiting the vulnerabilities in Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.

The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than a ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper as the encrypted files can be recovered if the key is known.

How Bad Rabbit Works

Bad Rabbit infects victims’ computers in the following manner:

• Use of Watering Holes

The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.

According to researchers at ESET – the first who observed Bad Rabbit’s campaign last October 24th, some compromised sites have JavaScript injected in their HTML body or in one of their .js file.

• Social Engineering

Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.

Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.

• Use of Open-Source Tools

Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-sourced tools described below into the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible though that victims may have been redirected there from another compromised sites, Symantec said.

1. Mimikatz

Mimikatz is an open-sourced tool used for changing privileges and recovering Windows passwords in plaintext.

2. Default Passwords

In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.

3. ReactOS

ReactOS is an open-sourced tool that’s used as an alternative to Windows operating system. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.

4. DiskCryptor

DiskCryptor is an open-sourced tool that’s used to perform encryption. After individual files in the victim’s computer are encrypted, Bad Rabbit will then conduct a full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom amounting to 0.05 Bitcoin (US$280).

5. EternalRomance

Bad Rabbit spreads to other vulnerable computers in the network by using EternalRomance, an exploit that bypasses security over Server Message Block (SMB) – referred to as the transport protocol used by computers using Windows operating system for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.

According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers have already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”

"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.

How to Prevent Bad Rabbit Attacks

1. Use strong password

As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.

2. Keep Your Operating System and Software Up-to-date

Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has already been made available by Microsoft since March 17, 2017.

"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"

US Computer Emergency Readiness Team (US-CERT) said.

3. Don’t Be Fooled by Fake Software Updates

In an effort to keep your all software up-to-date, be careful though of falling into traps of fake updates.

Fake Adobe Flash Player update has long been the favorite of many cyber criminals as they always find security vulnerabilities of this software. If an update pops up in your monitor, don’t click the button, and visit the official Adobe website for updates.

4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks

How Ransomware Works and What You Should Do

Understanding how ransomware works is the first step to protecting your interests. Here's what happens and how you can be proactive.

Ransomware is on the rise. 

You may have heard of this term, but aren't sure exactly what it means. 

As a computer user, you should take careful precautions to protect yourself against malware, or know what to do in case of a ransomware attack.

Keep reading to find out how ransomware works and how you can prevent it!

What is Ransomware?

Before diving into how ransomware works, let's take a look at what ransomware actually is.

A type of malware, ransomware is delivered to your computer system through various means.

Ransomware can make its way to you through the following:

• Infected email attachments
• Drive-by-downloads
• Socially engineered malware
• Malvertising
• Hacked websites

There are different types of ransomware. However, each and every type will prevent you from using your computer normally. 

How Ransomware Works

Ransomware works by first infecting a computer. Then, using modern cryptography methods, it encrypts files.

Once encrypted, the files cannot be decrypted without the "key." The key is what hackers will provide once you have paid them ransom. 

Unfortuantely, hackers can target any computer users. Whether it's a home computer you're working on, endpoints in an enterprise network, or even servers used by a government agency or healthcare provider, ransomware can affect you.

This means ransomware can get onto your computer from nearly any source that any other malware (including viruses) can come from. 

Ransomware can prevent you from accessing programs such as Windows, encrypt files so that you cannot use them, and/or stop certain web applications from running, such as your web browser.

What to do After a Ransomware Attack

1. Is your computer part of a network? If so, remove the infected system from the network.
2. If you feel it's necessary, create a copy of your disk or the impacted files for analysis later on (this may be needed for decryption of files).
3. Do you have a healthy system restore point? If so, see if you can go back and try if that works for you.
4. If you have recent backups of your data, that's great news! Format and clean and reinstall Windows. Then, restore your backed up data--this will give you a fresh start. 
5. Boot into Safe Mode. Then, run your antivirus software deep-scan--hopefully, that will be able to disinfect your computer, although it's not always the answer.
6. Identify the ransomware that infected your computer. To do this, you can use a free online service, such as ID Ransomware.
7. If you successfully identify the ransomware, check to see if a ransomware decrypt tool is available for your type of ransomware. Then, make use of what you can find.
8. If the ransomware totally blocked access to your computer, give Kaspersky WindowsUnlocker a try, as it can clean up a ransomware infected Registry and give you access back. 
9. Finally, remember to report your ransomware case to your local cyber crime cell, police, or the FBI. 

How to Prevent a Ransomware Attack

The best solution to ransomware is to be safe on the internet. This includes with emails and online chat. 

Check out the list below for how to make sure you stay safe on the internet:

• Don't click on a link on a webpage, in an email, or in a chat message unless you are positive that the page or sender is trustworthy.
• If you're ever unsure if you can trust the page or sender--don't click the link!
• You can catch on to fake emails or webpages if you spot bad spelling or if they look unusual. Keep an eye out for strange spellings of company names or unusual spaces, symbols or punctuation.

What do you know about how ransomware works and how to protect yourself from it? Tell us about your experiences with ransomware in the comments!