Thought leadership. threat analysis, news and alerts.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
Why Your Organization Should Replace All TLS Certificates Issued by Symantec
October 2018 is a crucial month for anyone owning a website as two of the world’s biggest browsers, Chrome and Firefox, will “distrust” TLS certificates issued by Symantec.
What Is a TLS Certificate?
TLS stands for Transport Layer Security. This technology is meant to keep the internet connection secure by encrypting the information sent between the website and the browser, preventing cybercriminals from reading and modifying any information that’s being transferred.
The more popular TLS isn’t free. A website owner has to buy this technology – referred to as TLS certificate – from any of the companies trusted by browsers. Symantec was once a trusted issuer of TLS certificates by Google, the owner of Chrome, and Mozilla, the organization behind Firefox.
HTTPS, which stands for Hyper Text Transfer Protocol Secure, appears in the URL when a website uses a TLS certificate. Google has also been rewarding websites using TLS certificates with improved web rankings. As of July 2018, according to Mozilla, 3.5% of the top 1 million websites were still using Symantec TLS certificates.
When a visitor attempts to connect to a website, the browser used by the visitor requests the site to identify itself. The site then sends the browser a copy of its TLS certificate. The browser, in return, checks if this TLS certificate is a trusted one. If the browser finds that the TLS certificate can be trusted, the browser then sends back a digitally signed acknowledgment to start the TLS encrypted session.
Reasons Behind the Distrust of Symantec TLS Certificates
In March 2017, Ryan Sleevi, software engineer at Google Chrome, posted on an online forumGoogle’s findings, alleging that Symantec failed to properly validate TLS certificates. Sleevi said that Symantec mis-issued 30,000 TLS certificates over a period spanning several years.
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” Sleevi said.
Symantec, for its part, said that Google’s allegations are “exaggerated and misleading”. “Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” Symantec said. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program.”
Mozilla, for its part, conducted its own investigation surrounding Symantec’s issuance of TLS certificates. Mozilla said it found a set of issueswith Symantec TLS certificates. A consensus proposalwas reached among multiple browser makers, including Google and Mozilla, for a gradual distrust of Symantec TLS certificates.
On October 31, 2017, DigiCert, Inc. acquired Symantec’s website security business, and on December 1, 2017 DigiCert took over the validation and replacement of all Symantec TLS certificates, including TLS certificates issued by Symantec’s subsidiaries: Thawte, GeoTrust and RapidSSL.
“DigiCert will replace all affected certificates at no cost,” DigiCertsaid in a statement. “Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.”
Implications of the Distrust of Symantec TLS Certificates
Mozillasets October 23, 2018 as the distrust date of all TLS certificates issued by Symantec. Googlesets October 16, 2018 as the distrust date for all TLS certificates issued by Symantec to non-enterprise users, while January 1, 2019 is the distrust date set by Google for all TLS certificates issued by Symantec to enterprise users. Apple, the owner of the Safari browser, sets “Fall 2018” as the date of complete distrust of Symantec TLS certificates.
In the case of Chrome, if website owners fail to replace their Symantec TLS certificates beyond the prescribed period by Google, the message below will be shown instead:
Image by Google
In the case of Firefox, the message below will be shown instead:
Image by Mozilla
As can be gleaned from the distrust notices by Google and Mozilla, failure to replace Symantec TLS certificates runs the risk of attackers trying to steal information from your organization’s website, including passwords, messages and credit card details.
According to Mozilla, whenever it connects to a website, it verifies that the TLS certificate presented by the website is valid and that the site’s encryption is strong enough to adequately protect the privacy of the visitor. If Firefox determines that the TLS certificate can’t be validated or if the encryption isn’t strong enough, the connection to the website will be stopped and instead, the message, “Your connection is not secure” will be shown, Mozilla said.
“When this error occurs, it indicates that the owners of the website need to work with their certificate authority to correct the policy problem,” Mozilla added.
Contact us today if your organization needs assistance in replacing legacy Symantec TLS certificates.
Most Universities at Risk of DDoS Attacks
The recent distributed denial of service (DDoS) attack on the online services of the Scotland-based University of Edinburgh adds to the growing list of universities hit by DDoS attacks.
Last September 10th, University of Edinburgh’s online services, including wireless services, websites and many online student services were disrupted for several hours as a result of a DDoS attack. The attack was done during the busy “Welcome Week” period of the university.
“I apologise for the disruption to this service, particularly during the busy Welcome Week period,” Gavin Ian McLachlan Chief Information Officer at the University of Edinburgh, said in a statement. “I realise how frustrating this must have been.”
DDoS Attacks on Colleges and Universities: Who, When and Why
A recent study conducted by Jisc provides a picture of who may be launching these DDoS attacks, in particular, on UK’s colleges and universities based on the specific time these attacks were done.
Jisc is a UK not-for-profit company that offers internet service via the Janet Networkto UK research and education community, including the University of Edinburgh.
Jisc said, “there is evidence both circumstantial and from the justice system to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network.”
The Jisc study found that DDoS attacks on colleges and universities were usually done during school period and attacks dramatically decrease during holiday times, such as summer breaks, Christmas, Easter and May half term breaks.
“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle,” Jisc said. “Or perhaps the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organization if there’s no one there to suffer the consequences.”
Several students had been prosecuted in the past for attacking their colleges or universities. Adam Mudd, a student at West Herts College, pleaded guilty for launching DDoS attacks against his college; while Paras Jha, a student at Rutgers University, pleaded guilty for launching DDoS attacks against his university.
These college and university students don’t just target their own schools. In April 2017, Adam Mudd received a 2-year jail sentence for running “Titanium Stresser”, a DDoS-for-hire service that launched 1.7 million DDoS attacks against victims worldwide.
In December 2017, Jha with two college-age friends, pleaded guilty for creating the Mirai botnet – referring to the hundreds of thousands of IoT devices compromised by Jha’s group using 62 common default login details and using them as a botnet or zombie army to conduct a number of powerful DDoS attacks.
According to the U.S. Department of Justice, Jha’s involvement with the Mirai botnet ended when he posted the source code for Mirai on a criminal forum in the fall of 2016. In October 2016, internet infrastructure company Dyn became a target of DDoS attacks, which resulted in bringing down a big chunk of the internet on the U.S. east coast. The DDoS attacks against Dyn temporarily took offline major websites, such as Amazon, Twitter and Netflix. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dynsaid in a statement.
The Jisc study also showed a significant decrease of DDoS attacks on the Janet Network starting in April 2018. Jisc theorized that this reduction of DDoS attacks could be a result of the Operation Power Off, a coordinated operation conducted by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world.
Operation Power Off took down the DDoS marketplace webstresser.org and resulted in the arrests of the site’s administrators located in the UK, Croatia, Serbia and Canada.
According to the European Union Agency for Law Enforcement Cooperation (Europol), webstresser.org was the world’s biggest marketplace to hire DDoS services, with 4 million recorded attacks as of April 2018.
For as low as EUR 15 a month, individuals with little to no technical knowledge launched crippling DDoS attacks via webstresser.org, the Europol reported.
Jisc said that beyond disgruntled college and university students and staff, there are far more serious criminal players at work that these institutions ignore at their peril.
Jisc added that some of these more sophisticated DDoS attacks are designed, not just to bring down an online service offline but also to steal intellectual property, targeting valuable and sensitive and information held at these educational institutions.
Preparing for DDoS Attacks
Here are some security measures that can fortify your organization’s IT defenses in case a disgruntled student, a staff or other criminal elements decide to launch a DDoS attack against your organization:
Look for abnormal incoming traffic, including sudden traffic rise and visits from suspicious IP addresses and geolocations. These could all be indicators that criminal elements are testing your organization’s IT defenses prior to conducting a crippling DDoS attack or attacks.
Consider conducting your very own DDoS attack against your organization’s IT infrastructure. This simulated cyberattack, known in the cybersecurity community as pen testing, can prepare your organization when the real DDoS attacks happen.
Contact us today if you need assistance in protecting your organization against DDoS attacks.
U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack
The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus” over WannaCry cyberattack and two other high-profile attacks, the Sony Pictures cyberattack and the cyberheist at the Bangladesh Bank.
The Justice Department filed a criminal complaintlast June 8, 2018 against North Korean national Park Jin Hyok for WannaCry, Sony and Bangladesh Bank cyberattacks. This criminal complaint though wasn’t made public when it was filed. It was only made public during the recent announcement by the Justice Department.
The WannaCry, Sony and Bangladesh Bank cyberattacks are among the notorious cyberattacks in recent years. On May 12, 2017, WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payment from victims.
The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.
The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.
The criminal complaint, specifically filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there’s sufficient evidence that shows Park was a member of the conspiracies that resulted to the WannaCry, Sony, Bangladesh Bank successful intrusions as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.
Shields said that Park, a computer programmer, used to work at a China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.
Cybersecurity organizations like Symantec, BAE Systems and Kaspersky Lab have called this North Korean hacking organization as “Lazarus”.
"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.
Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.
According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.
Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of Macktruck malware found at Sony attack, the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and the Nestegg malware found at Bangladesh Bank cyberheist.
TLS, short for Transport Layer Security, refers to a cryptographic protocol that’s used to increase the security of communications between computers. The “FakeTLS”, meanwhile, refers to a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method. By utilizing “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.
Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:
Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.
Kaspersky Lab also agrees that Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.
According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity which appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful enough to wipe any traces of their illegal activities, one server that the group breached contained a serious mistake with an important evidence left behind.
The compromised server, Kaspersky Lab said, was used as a command and control center for a malware. While the group tested the compromised server using VPN/proxy servers to conceal their true IP address, the group committed one mistake as one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.
Symantec, for its part, said there’s a strong link between Lazarus and WannaCry, Sony and Bangladesh Bank attacks.
According to Symantec, evidence gathered from an early version of WannaCry malware found three other malware: Trojan.Volgmer and two variants of Backdoor.Destover – software programs that were used as disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares a code with Backdoor.Contopee – a malware used by the Lazarus group in intrusions at banks.
The attack methods of Lazarus group keep on evolving. One form of cyberdefense, therefore, isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and corresponding preventive measures:
1. Exercise Caution in Clicking Links
One of the intrusion methods used by Lazarus is via spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email but the hyperlinked text “Log In” that supposedly lead to the official Facebook page instead goes to a URL controlled by the group and directed victims to a malware.
2. Exercise Caution in Visiting Websites
One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is by hacking government websites through known security vulnerabilities. When a target visits said compromised government website, the target’s computer then becomes infected.
3. Keep All Software Up-to-Date
The simple reason that the Lazarus group was successful in its WannaCry attack is that many have failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows operating systems that fail to install Microsoft’s March 14, 2017 security update and older versions of Windows that were no longer supported, including Windows XP, Windows 8, and Windows Server 2003.
Study Reveals Canadian Companies View Cybersecurity as Top Priority
According to a recent study, effective cybersecurity is a top priorityfor most Canadian organizations.
This is no surprise, considering the rise of DDoS, ransomware and other online threats in 2018. In Canada and the United States, cybersecurity has continued to make headlines, leading to wider awareness of the risks among businesses.
For example, DraftKings has finally been granted the legal right to unmask the individuals behind a DDoS attackon the company. The fantasy / sports betting brand’s operations were disrupted by the assault on August 8, which caused the website to actually go offline for 26 minutes.
DraftKings managed to trace the DDoS attack and sought a subpoena to get the relevant ISPs to uncover the identities of those involved. Though DraftKings may not have suffered a huge amount of damage or loss of business, the company’s commitment to finding out exactly who initiated the attack could inspire more brands to essentially go on the offensive following an attack.
Businesses and organizations of all sizes must take steps to protect themselves and their clients from any cybersecurity risks, and it’s a pressing concern for most Canadian firms. The survey found more and more are extra vigilant, seeking effective safeguards against DDoS, ransomware and email threats.
Almost six out of 10 businesses questioned claimed email security was a key focus, while defenses against ransomware and intrusions came hot on its heels. Cloud-based storage and productivity / collaboration tools are now common fixtures for many businesses, and due caution when using these is critical.
The Repercussions of Security Breaches
Companies may find the prospect of protecting themselves from attacks daunting, especially as DDoS attackers have grown more bold. Attacks can have a serious impact on a business’s processes: i they can’t provide the services their clients expect, their income could be affected and their reputation may be damaged in the long term.
Why? Because existing and potential customers will wonder how seriously said business takes their security. They might also wonder if the company is taking due care of their own details too. If in doubt, there are sure to be other businesses offering the same services or products out there.
Basically, DDoS attacks involve launching a bombardment of traffic against a specific IP address and genuine users trying to access the targeted website will struggle to get through. This problematic traffic is created by multiple sources, which makes blocking DDoS assaults outright more difficult than malicious activities originating from a single source.
Earlier in the year, GitHub — a well-known code repository — was subject to a major DDoS attackthat made headlines. The site was taken offline due to a 1.3Tbps (terabits per second) assault, which was the most powerful to be recorded at the time.
GitHub became aware of an issue due to outages, and called for assistance from its DDoS mitigation specialists. All incoming traffic was channeled to scrubbing centers and malicious packets were blocked effectively. Fortunately for GitHub, the attackers ceased their malicious activities after eight minutes.
Before this, another company — Dyn — was targeted in a 1.2Tbps assault in 2016. This struck in multiple sessions. The first started first thing in the morning and lasted around two hours before being stopped, while the second came later on. A third assault was launched in the late afternoon.
During these waves of DDoS attacks, Dyn saw its internet directory servers disrupted by a powerful load of requests from millions of IP addresses. This was a serious incident that had been planned with great care for maximum impact.
Taking Steps to Maximize Safety
Cybercriminals are developing increasingly sophisticated ways to disrupt and attack targets, but having an effective cybersecurity plan in place can help you to stay protected.
Below, we look at just a few of the ways you can stop a DDoS attack and potentially minimize the damage it may cause.
Spot the attack ASAP
Being able to identify when your website is under attack can help you prevent a DDoS disaster.
Problems affecting your site are an obvious indication of impending issues, and its worth getting to know what your inbound traffic patterns tend to be at different times. For example, if you can be sure your traffic tends to spike on a Saturday afternoon and a Sunday morning, any rush of traffic on a weekday could be a warning sign.
Of course, you have to be able to eliminate any potential reasons for this before panicking. A sale, large discounts or an improved marketing strategy could all lead to unexpected increases in your traffic. It sounds obvious, but is well worth bearing in mind to avoid false alarms.
Invest in more bandwidth
Another effective step to protect your business from DDoS attacks is to increase your bandwidth. Having access to more than you think you’re likely to need for everyday operations can help you accommodate larger traffic surges and shifting traffic patterns.
While this may not be viable for smaller companies on a tight budget, it could be a worthwhile option even if the bandwidth is only adjusted a little.
Making changes to your working processes and set-up gradually can help to protect you with minimal disruption, but the increase in DDoS attacks in the past couple of years demonstrates just how vital proper defenses are. Companies have to to take effective steps to ensure they remain safeguarded as attackers continue to advance their methods.
Working with professional cybersecurity specialists with years of experience helping companies across various sectors can help you stay safe. Our Automated DDoS Mitigation service provides guaranteed DDoS attack protection, with no hardware or software to buy. This service is powered by our partner’s innovative technology and includes a high-powered CDN to increase your domain’s performance by as much as 50 percent.
Want to discuss how we can help protect your business from DDoS attacks? Please don’t hesitate to get in touch. Our team is here to answer any questions you may have.
Microsoft Windows Privilege Escalation Vulnerability Leaked via Twitter
A security researcher who goes by the name “SandboxEscaper” leaked via Twitter an exploit code for a Microsoft Windows privilege escalation vulnerability.
In the now-deleted Twitter post, SandboxEscaper provided a link to a Github repository that contains the code necessary to exploit a Microsoft Windows privilege escalation vulnerability. Other security researchers have since verified the authenticity of the vulnerability exploit disclosed by SandboxEscaper.
The bug uncovered by SandboxEscaper lies in Microsoft Windows task scheduler service. Task scheduler allows users to schedule any program to run at a convenient time or when a specific event occurs.
SandboxEscaper found that task scheduler uses unsecured API that allows an attacker, having access to a computer as a local user to gain system-level privileges, enabling the attacker to overwrite system files with malicious code to hijack Windows.
“The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs,” CERT Coordination Center (CERT/CC)described the uncovered flaw. “This can be leveraged to gain SYSTEM privileges.”
“The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions,” security researcher Kevin Beaumont, for his part, noted. “So anybody – even a guest – can call it and set file permissions on anything locally.”
As a proof-of-concept, SandboxEscaper overwrites a file used by Windows' printing subsystem with a malicious code when an attempt is made to print.
According to CERT/CC, the exploit code leaked by SandboxEscaper works on 64-bit Windows 10, Windows Server 2016 systems, 32-bit Windows 10 with minor modifications and with other Windows versions with further modifications. CERT/CC said it’s currently unaware of a practical solution to this problem.
A Microsoft spokesperson told the Registerthat the company will “proactively update impacted devices as soon as possible.”
In another Twitter post, SandboxEscaper blamed depression for leaking the vulnerability exploit before Microsoft has time to issue a security update or a patch.
Exploits for privilege escalation vulnerabilities are rarely leaked to the public prior to a patch as many software vendors like Microsoft now offer financial rewards to security researchers who uncover and discreetly inform the concerned software vendors. This gives security vendors time to create a security fix to the reported problem.
Dangers of Privilege Escalation Attacks
In a privilege escalation attack, the attacker has to have local access to the computer or computer network that he or she wants to compromise. A local user needs the system administrator's password to complete certain tasks, such as overwriting system files. As such, this is given less priority by software vendors when it comes to patching.
Remote code execution attacks, on the other hand, are given high priority in terms of patching as these attacks don’t require that the attacker have local access to the target computer.
In a remote code execution attack, an attacker can install malicious code on a computer even when he or she has no local access, provided though that the computer is connected to the internet. An example of the remote code execution attack was the WannaCry attack. Hours after the WannaCry attack on May 12, 2017, Microsoft issued a security update for Windows platforms originally not covered by an earlier security patch, showing the importance of patching remote code execution attacks.
Privilege escalation attacks, however, aren’t given similar immediate attention. Privilege escalation vulnerabilities are typically patched during scheduled updates, like Microsoft’s regular security updates every second Tuesday of each month.
Client-side exploits, however, make privilege escalation attacks dangerous as attackers then effectively become local users and escalate their privileges to system administrators.
"If an attacker can gain access to a system through a client side exploit, they may then effectively become the local user, and escalate to local system,” SANS Technology Instituteinstructor Adrien de Beaupre wrote in a post "Privilege escalation, why should I care?" “Local system priv on a Windows computer is just a hop, skip, and jump away from being Domain administrator.”
Client-side exploits come in numerous and varied formats. Compared to remote execution attack like the WannaCry that has worm capability – meaning, it replicates itself without user interaction, client-side exploits need user interaction, such as clicking a malicious link or downloading a malicious email attachment.
The fact that the exploit code is out and there’s no official patch from the software vendor should warrant some caution. However, unofficial patch has been posted by 0Patch.com
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”
That means that the next Windows update is still days away – this coming September 11th. This gives attackers a window to exploit the flaw exposed by SandboxEscaper in the wild.
According to Kevin Beaumont, if you use Microsoft Sysmon, a sure way to find out whether a Microsoft Windows task scheduler exploit is being used is by looking for spoolsv.exe spawning abnormal processes.
Here are some general measures in preventing privilege escalation attacks like the one exposed by SandboxEscaper:
Mirai Is Evolving as a DDoS Attack Tool
Mirai, the malware that nearly brought down the internet, is evolving and being refined by cybercriminals as a distributed denial of service (DDoS) attack tool.
Symantec's Principal Threat Analysis Engineer Dinesh Venkatesan recently disclosed that he uncovered multiple Mirai variants. Venkatesan said that these multiple Mirai variants are hosted in a live remote server.
Each of these Mirai variants is described to be aimed for a particular platform, making the Mirai portable across different platforms.
According to Venkatesan, one of the major obstacles encountered by script-kiddies, also known as copy/paste malware authors, is portability – the ability of a malware to run on different platforms “in a self-contained capsule without any runtime surprises or misconfiguration”.
The newly uncovered Mirai variants found an answer to the problem of portability by leveraging on the open source tool called “Aboriginal Linux”. According to the author of Aboriginal Linux, this open source tool "automatically create cross compilers and bootable system images for various targets, such as arm, mips, powerpc, and x86".
Using the Aboriginal Linux, the author or authors of the newly uncovered Mirai variants were able to develop versions of the malware tailored for a targeted platform, ranging from routers, IP cameras and even Android devices.
Symantec's Venkatesan said that the newly uncovered Mirai variants spread by scanning devices with default factory login details or known security vulnerabilities.
Original Mirai Botnet
In December last year, 21-year old Paras Jha, along with his two college-age friends Josiah White and Dalton Norman, pleaded guilty for creating the Mirai botnet.
According to the U.S. Department of Justice, in the summer and fall of 2016, Jha, White and Norman created and launched the Mirai botnet – referring to computers infected by the Mirai malware and controlled by Jha’s group without the knowledge or permission of the owners of the computers.
The U.S. Department of Justice said the trio used the Mirai botnet, which at its peak consisted of hundreds of thousands of compromised IoT devices, to launch DDoS attacks.
DDoS attacks refer to cyberattacks which use multiple computers (like the Mirai botnet), controlling these computers without the computers’ owners knowledge for the purpose of making an online service unavailable by overwhelming it with traffic.
"The defendants [Jha, White and Norman] used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” the U.S. Department of Justice said.
While the latest Mirai variants infect not just IoT devices but also Android devices, the computers infected by the original Mirai malware were limited to IoT devices, including routers, wireless cameras, digital video and recorders.
According to the U.S. Department of Justice, the trio’s involvement with the original Mirai ended when Jha posted the source code of Mirai on an online forum in September 2016. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
Jha’s group was able to infect hundreds of thousands of IoT devices with the Mirai malware and turned it into a botnet or zombie army for DDoS attacks by using a short list of 62 common default usernames and passwords.
In October 2016, the DDoS attack against the internet infrastructure company Dynbrought down a big part of the internet on the U.S. east coast. The DDoS attack against Dyn made the world’s top websites, such as Amazon, Twitter and Netflix, temporarily inaccessible. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement.
Other Mirai Variants
Early variants of Mirai include Satori, a Mirai variant that morphed into several versions as well. One version of Satori targets Huawei home router HG532. Satori was first observed in the wild by Check Pointresearchers in November 2017. Similar to the original Mirai, Satori has DDoS capabilities and has been reported to launch several DDoS attacks.
According to Check Point, Huawei was informed prior to the public disclosure of Satori. Before the public disclosure of Satori as well Huawei patched the vulnerability.
In May 2018, researchers at FortiGuard Labsuncovered another variant of Mirai called “Wicked”. This Mirai variant particularly infects Netgear routers and CCTV-DVR devices.
According to FortiGuard Labs, Wicked infects Netgear routers and CCTV-DVR devices by using known and available cyberexploits, many of them are old exploits. Similar to the original Mirai and other Mirai variants, Wicked can also be used for DDoS attacks.
Here are some measures in preventing attackers from turning your organization’s IoT devices into a zombie soldier for DDoS attacks:
-Change default login details into something strong and unique
-Install firmware updates in a timely manner
-When setting up Wi-Fi network access, use a strong encryption method
-Use wired connections instead of wireless connections
-Disable the following:
If your organization has an online presence, it's imperative that your organization is equipped in stopping DDoS attacks.
A successful DDoS attack against your organization’s online service negatively impacts your organization’s reputation, can cause loss of customer trust and financial losses. Prolong and unmitigated DDoS attacks can also result in permanent business closure.
Contact us today if you need assistance in securing your organization’s online services from DDoS attacks and if your organization needs assistance in securing IoT devices from being turned into zombie devices for DDoS attacks.
Nearly Half of the World’s Top Websites Are Risky to Visit, Study Finds
A new study from Menlo Security showed that almost half of the world’s top websites are risky to visit.
According to Menlo Security'sState of the Web (First Half 2018), 42% or nearly half of the Alexa top 100,000 websites are “risky”. The Menlo Security study considers a website as risky when it falls in one of these three criteria:
According to Menlo researchers, the practice of classifying the world’s websites into logical categories is no longer defendable as more than a third of all sites in categories including News and Media, Entertainment and Arts, Shopping and Travel are risky.
Even websites categorized as safe aren’t safe by deﬁnition, with 49% of “News and Media” sites falling within Menlo’s criteria as risky, as 45% of Entertainment and Arts, 41% Travel, 40% Personal Sites and Blogs, 39% Society, 39% Business and Economy and 38% Shopping.
3 Variables that Can Put A Website at Risk
Here are 3 variables that can make a website risky:
1. Risks Linked with Background Websites
Menlo researchers found that every time a visitor visits a website, the site calls on average 25 other sites – also as known as background sites – to fetch a content, for instance, a viral video from a content delivery network (CDN) or an advertisement display from an advertisement delivery network.
Every time you visit a website, therefore, you’re not just visiting one website, but 25 sites on average. Any of these background sites could be used by cyberattackers to compromise the main site and eventually website visitors.
An example of a background site which cybercriminals could compromise the main site is through malvertisement, short for malware advertisement. In malvertisement, the advertisement being displayed on the main site could be infected by a malware. If a visitor clicks on a malvertisement, the visitor's computer then becomes infected with a malware.
2. Risks Linked with Use of Active Content
Active content refers to a software that web developers use to produce personalized and dynamic websites. By using software like Flash, active content allows stock tickers to continuously update, and animated images, maps or drop-down boxes to function.
The trade-off with these active contents is that while these contents make websites personalized and dynamic, web developers lose the control in securing the sites as similar to malvertisements, these contents have to be fetched from background sites. These background sites could be compromised and used to deliver a malware.
Adobe Flash, one of the software used for active content, is known to be packed with security loopholes, making this software the favorite tool by cyberattackers. While Adobe tries to make Flash more secure, the product is simply unfortunate enough to rank as one of the most frequently exploited software by cybercriminals.
3. Risk Linked with Use of Vulnerable Web Software
According to Menlo Security, many of today’s top websites and their accompanying background sites run on vulnerable web software.
"Many of the world’s most popular websites run on back-end web servers that are outdated, including some that have not been updated for years or even decades,” Menlo Security said. “This leaves those websites extremely vulnerable to web-borne malware, exposing site visitors to possible infections, incursions, or breaches. Use of outdated server software also threatens any site to which it serves as a ‘background website.’ Simply put, the older the software, the higher the risk.”
Vulnerable web software refers to a software that has been repeatedly attacked over the years. It also refers to a software that has reached its end of mainstream support, including the end of security updates or patches from the software vendor.
Menlo researchers found that many Business and Economy websites still use Microsoft’s IIS version 5 web server, a software that Microsoft stopped providing updates or patches more than 12 years ago.
Microsoft’s IIS version 5 web server has been exploited by cybercriminals in the past. An example of a malware that exploited the security vulnerability in Microsoft’s IIS version 5 web server is the infamous Code Red, a malware that appeared in three versions from July 2001 to August 2001. The first version of this malware defaced webpages and launched a denial of service attack against www.whitehouse.gov.
Code Red, also known as ISS Buffer Overflow vulnerability, allows an attacker to gain full system level access to any server that’s using the Microsoft Internet Information Services (IIS) Web server software. An attacker that exploits the Code Red or ISS Buffer Overflow vulnerability can perform any system level action, including installing malware, adding, changing or deleting files, and manipulating web server content.
Here are some of the best practices to the lower the odds of being victimized from risky websites:
If you’re a website owner, make sure that your server runs up-to-date software. Running your company website on Microsoft’s IIS 5 web server, a software that Microsoft no longer supports, is a big security risk for your company. Attackers have been known to exploit computer programs that no longer receive security updates or patches from vendors. To keep your website safe, it’s also important to use technologies that prevent the introduction of malicious code via background sites.
As a website visitor, you can lower your odds of being victimized by a risky website by making sure that your computer programs are up-to-date. It’s also important to avoid vulnerable software like Adobe Flash.
Reddit Data Breach Highlights Weaknesses of SMS-Based 2-Factor Authentication
Reddit recently announced that it succumbed to a cyberattack, an attack that was born out of the weaknesses inherent to SMS-based 2-factor authentication (2FA).
Reddit, in a statement, said that an attacker managed to access the company’s complete copy of a database backup containing user data starting from the site’s launch in 2005 up to May 2007. The data accessed during this period include passwords of users and public and private messages.
The company added that email address of current users, source code, internal logs, configuration files and other employee workspace files have also been accessed by the attacker.
While acknowledging that the recent cyberattack was a serious attack, according to Reddit, the attacker didn’t do much damage to the site itself as the attacker only gained read-only access, not write access to Reddit systems.
Reddit said that the attacker entered the company’s systems as a result of the weaknesses inherent to SMS-based 2FA. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said.
What Is Two-Factor Authentication (2FA)?
Two-Factor Authentication, also known as 2FA, is an added layer of protection that’s meant to ensure that security of online accounts goes further than a username and a password.
Here are the 3 most common types of 2FA or security keys for securing your online accounts:
1. SMS-Based 2FA
In SMS-based 2FA, whenever you log-in to your online account, after entering your username and password, a verification code will be sent in a form of an SMS message to your mobile phone. Once the correct verification code is entered after entering the correct username and password, you’ll then gain access to your online account.
In the case of the Reddit cyberattack, it wasn’t disclosed how the attacker carried out the "SMS intercept".
The publicly known scenario for SMS intercept is via SIM swapping, also known as SIM hijacking. In SIM swapping, an attacker calls a cell phone carrier’s tech support pretending to be the target victim and claims that the target’s SIM card is lost. The attacker then requests that the phone number of the target be transferred (also known as ported) to a new SIM card that the attacker already owns.
The attacker in this scam convinces the phone carrier’s tech support to make the necessary transfer of phone number to a new SIM card by providing the target’s personally identifiable information, including Social Security Number or home address, details that are available online after many data breaches from other companies in the past.
Once an attacker convinces the phone carrier’s tech support for the SIM-swap, it’s game over for the target. The immediate effect is that the target loses phone service and any 2FA verification code delivered via SMS is sent to the new SIM card that the attacker controls.
2. App-Based 2FA
In app-based 2FA, you need to download an app, such as Google Authenticatoror Authy, to your mobile phone or PC. Once installed and configured, you can get the verification code, after entering your correct username and password, through your device.
Unlike the SMS-based 2FA, you can still get the verification code when your phone service gets shut off. The downside of app-based 2FA is that the verification code needs to be entered into the same login page on a website along with the username and password. This allows cyberattackers to subvert the username, password and verification code by cyberattacks such as phishing and man-in-the-middle.
In a phishing attack, a user is duped into revealing sensitive data, including username and password. In man-in-the-middle attack, the attacker positions himself in a conversation between a user and an application, making it appear as if a normal exchange of information is conducted.
3. Hardware-Based 2FA
Hardware-based 2FA, also known as physical security key, comes in the form of a USB device. Login process can be completed by inserting the USB device to the USB port and by pressing a button in the USB device, eliminating the need for retyping verification codes. This is also meant to verify that you’re not a remote malicious hacker.
Unlike the SMS-based 2FA and app-based 2FA, in hardware-based 2FA, you don’t need your mobile phone to access your online accounts.
Yubico, the most popular maker of hardware-based security keys, sells its basic model for only $20. Last month, Googleannounced that its own hardware-based security keys called “Titan Security Keys” are available to Google Cloud customers and will soon be available for anyone to purchase on the Google Store.
Last month also, Google told cybersecurity journalist Brian Krebsthat since early 2017, more than 85,000 of its employees have been using physical security keys. Since then, the tech giant said that 85,000+ of its employees haven’t fallen prey to phishing attacks on their work-related accounts.
Google said that Titan Security Keys enhanced protection against phishing as the “2-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well”.
The downside of having physical security keys is that it’s a security risk to carry these devices around as once attackers get hold of them, it’s also game over for the targets. Physical security keys, therefore, have to be kept in a safe and secure place.
When you have questions concerning your options of better protecting mission critical data, our experts are a phone call away.
AI-Powered Cyberthreats Coming Our Way
Researchers at IBM recently developed a malicious software (malware) called “DeepLocker” as a proof-of-concept to raise awareness that AI-powered cyberthreats are coming our way.
What Is DeepLocker?
DeepLocker is a malware that uses as its secret weapon the infamous WannaCry – a malware that locked more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017 and demanded ransom payment from victims for unlocking the computers.
DeepLocker hides the notorious WannaCry in a seemingly innocent video conference app to evade anti-virus and malware scanners. The video conference app operates as a normal video conference software until such time that it detects its target. Once it detects its target it unleashes this hidden cyberweapon.
IBM researchers trained the embedded AI model in DeepLocker to recognize the face of a target individual to act as a triggering condition to unlock WannaCry. The face of the target is, therefore, used as the preprogrammed key to unlock WannaCry.
Once the target sits in front of the computer and uses the malicious video conference app, the camera then feeds the app with the target’s face, and WannaCry will then be secretly executed, locking the victim’s computer and asking the victim to pay ransom to unlock the compromised computer.
DeepLocker is also designed in such a way that other malware, not just WannaCry can be embedded in it. Different AI models, including voice recognition, geolocation and system-level features can also be embedded in this IBM proof-of-concept malware.
Marc Ph. Stoecklin, Principal Research Scientist and Manager of the Cognitive Cybersecurity Intelligence (CCSI) group at the IBM T.J. Watson Research Center, in a blog postsaid, DeepLocker is similar to a sniper attack – a marked contrast to the traditional malware the employs “spray and pray” approach.
Stoecklin added that DeepLocker is good at evasion as it allows 3 layers of attack concealment. “That is, given a DeepLocker AI model alone, it is extremely difficult for malware analysts to figure out what class of target it is looking for,” Stoecklin said. “Is it after people’s faces or some other visual clues? What specific instance of the target class is the valid trigger condition? And what is the ultimate goal of the attack payload?”
There’s no evidence yet that a class of malware similar to DeepLocker is out in the wild. It won’t surprise the community though if this type of malware were already being deployed in the wild. The likelihood of AI-powered malware being deployed in the wild is high as the type of malware used as secret weapon by DeepLocker like WannaCry is publicly available. WannaCry, together with other spying tools, believed to be created by the US National Security Agency (NSA) was leaked to the public more than a year ago. AI models, including facial and voice recognition, are also publicly available.
Trustwaverecently released an open-sourced tool called “Social Mapper”, a tool that uses facial recognition to match social media profiles across a number of different sites on a large scale.
This tool automates the process of searching for names and pictures of individuals in popular social media sites, such as LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo and Douban. After scanning the internet, Social Mapper then spits out a report with links to targets’ profile pages as well as photos of the targets.
Trustwave’s Jacob Wilkins said that Social Mapper is meant for penetration testers and red teamers. "Once social mapper has finished running and you've collected the reports, what you do then is only limited by your imagination …,” Wilkins said.
For target lists of 1000 individuals, Wilkins said that it can take more than 15 hours and can eat up large amount of bandwidth.
Getting Ready for AI-Powered Cyberthreats
Even as cybercriminals are learning the ways of AI to their advantage or weaponize it, cybersecurity professionals, on the other hand, are leveraging the power of artificial intelligence for cybersecurity.
Once such approach is IBM’s proof-of-concept malware, believing that similar to the medical field, examining the virus is necessary to create the vaccine.
AI-powered cyberthreats present a new challenge to cybersecurity professionals. According to IBM’s Stoecklin, AI-powered cyberthreats are characterized by increased evasiveness against rule-based security tools as AI can learn the rules and evade them. AI allows new scales and speeds of acting autonomously and adaptively, Stoecklin added.
To fight against AI-powered threats, Stoecklin said that cybersecurity professionals should focus on the following:
There are existing AI tools that cybersecurity professionals can depend upon. An example of an AI tool is Imperva’s Attack Analytics. This tool uses the power of artificial intelligence to automatically group, consolidate and analyze thousands of web application firewall (WAF) security alerts across different environments, including on-premises WAF, in the cloud or across hybrid environments.
Imperva’s Attack Analytics identifies the most critical security alerts, providing security teams a faster way to respond to critical threats.
A survey conducted by Imperva at the recent RSA security conference found that cybersecurity analysts receive more than 1 million security alerts a day. Artificial intelligence tools like Imperva’s Attack Analytics reduce the time-consuming tasks of identifying and prioritizing security alerts from days or weeks of work into mere minutes of work.
Fighting cyberthreats becomes more and more difficult. You don’t have to do it alone. Contact our expert team today and protect your data.
Steve E. Driz