Cyber Security Threats: “Don't you be the next easy target”

This article highlights key areas of security of state information resources and the reliable operation of critical infrastructures in the areas of defence, national security, finance, energy, telecommunications, as well as private company cybersecurity issues.

Stages of cyber security development

Governments, businesses and civil society around the world are rapidly seizing new opportunities associated with information and communications technologies (ICTs) in order to gain a competitive position and improve their socio-economic situation. ICTs are an integral part of modern society and numerous international studies have proven the importance of ICTs to all aspects of economic and social development.

But an increase in cyber dependency also means an increase in risk. As digital technology development progresses, those that cannot adapt their strategies to encompass cyber security are becoming increasingly vulnerable to a growing number of cyber threats. In order to meet those threats, stakeholders from educational systems, business service providers and government regulators all have vital roles to play in promoting understanding of cybercrime and improving knowledge and skills to identify, address and prevent cybercrime.

Cybercrime was defined by the 2001 Budapest Convention, the first international treaty on crimes committed via the Internet and other computer networks, as encompassing four categories:

1. offences against confidentiality, integrity and availability of computer data and systems;

2. computer-related offences;

3. content-related offences; and,

4. offences related to infringements of copyright and related rights (http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm).

In its global study on cybercrime the United Nations Office on Drugs and Crime (UNODC) in 2013 found that, overall, countries were equally concerned about three broad categories of threats:

1. attacks on the confidentiality, integrity, and availability of information (CIA model);

2. financially-driven threats, such as fraud, forgery and phishing; and,

3. content-related crimes (http://www.unodc.org/unodc/en/organised-crime/expert-group-to-conduct-study-cybercrime-feb-2013.html).

Although regional differences are small, there is one discernable trend: in more economically developed countries, law enforcement agencies encounter acts against the CIA model much more frequently than in countries that are less economically developed.

The need for an integrated response to address and combat cyber security threats to human, economic, industrial and social security has contributed to the development of common criteria for evaluating ICT security. Government agencies and non-governmental groups have established standards for ICT products and services.

To date, 26 countries, including Australia, have signed the multilateral agreement for Common Criteria Recognition Arrangement (CCRA), according to which high and consistent performance standards are ensured for the evaluation of Information Technology (IT) products and protection profiles. The CCRA has developed an efficient process for IT product certification and validation which has helped increase confidence in the security of products and profiles.

The cost of financial cybercrimes is nevertheless reaching new and startling proportions, in particular for countries and corporations that are heavily cyber dependent. In 2011 Sony informed 77 million online users of its Playstation network that their personal information and credit card data may have been compromised by cyber criminals. The personal data reportedly included names, addresses, email address, birthdates, usernames, passwords, logins and security questions. Online industry website, ZDNet, reported that the legal fees, support and lost revenue from this breach alone would amount to a minimum USD 171,000,000. In Australia regulators found that Telstra breached the privacy of 15,775 of its customers when their information was made publicly available on the Internet in 2012. Microsoft, Google, Yahoo, AOL, Ebay, LinkedIn and Facebook are just some of the hundreds of online networks that have reported serious privacy breaches.

Apart from financially motivated cybercrime, there is also a growing area of politically motivated cyber threats. These persons’ aim is generally to compromise the integrity and availability of information for political purposes, whether the attacker is a nation-state, a group, or a single individual.

Recently, we have seen the emergence of the so-called 5th Hacking Generation. The elements of this new generation include::

  1. formation of an active underground economy;
  2. development of methods of cybercrime at a much faster rate;
  3. sale of hacker tools;
  4. formation of cybercrime social networks with escrow services.

The malware that these cybercriminals utilize can be licensed and receive technical support, the botnets can be rented by the hour. The prospective criminal is able to purchase their own crime spree. Pay-for-play malware infection services have appeared, and they are able in quick time to create botnets. Thus a lively market for zero-day exploits has been established.

slide1.JPG

Cybercrime Networks are expanding. As their activity intensifies, they are increasingly adopting legitimate characteristics of an extensive business network.

The modern-day cybercrime hierarchy is often depicted as a pyramid. The FBI has defined the Cyber Theft Ring (https://archives.fbi.gov/archives/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud-graphic). At the bottom of the pyramid we find the so-called “adventurers” that lack technical resources and users of the model of "criminal software as a service", who want to cash in, make a statement, or to achieve both goals. In the middle of the pyramid there are resellers and professionals in management of services infrastructure, so-called "intermediaries". Uptop in the pyramid we find creators of technological innovations, the big players, who are of greatest interest for law enforcement. But to find and catch the so-called big criminals, to convict them, is very difficult.

Financial cybercriminals tend to pursue a clear commercial objective. They pose a serious threat to the safety and reliability of financial operations. These cyber attackers know what kind of information they are looking for and what results are achievable. They “invest” in substantial resources researching their targets (often using publicly available information on social networks) and utilize sophisticated strategic planning to achieve their goals.

Most cybercrime schemes utilize a breach of trust in one form or another: malware often gets to the users via a seemingly legitimate link to a known and popular website. Electronic spam messages are received, at first glance, from legitimate, well-known or seemingly familiar companies. However they contain links to malicious sites. Third-party mobile applications containing malicious software are innocently but unwisely downloaded from popular Internet resources. Insiders use access privileges to steal valuable information and intellectual property from their employers.

Most iInternet users, in both public and private sectors, personal, business and government users want to be sure that they can trust the basic technologies they use every day at home or in their work. Unfortunately, this is not an easily achievable desire. All Internet users should be wary. You should assume the presumption that in the cyber world everyone and everything can’t be trusted.

On 1 October 2010 the FBI announced that it disrupted a large-scale, international, organized cybercrime operation, serving numerous search warrants and making scores of arrests (http://www.fraud-magazine.com/article.aspx?id=4294968850). “There are over 390 pending and closed victim cases attributed to this criminal network in field offices throughout the U.S.” said Gordon Snow, assistant director of the FBI’s Cyber Division.

“Operation Trident Beach” began in 2009 in Omaha, Nebraska, but continued in the United Kingdom, the Netherlands and Ukraine. According to the FBI, its agents in Omaha “were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts throughout the United States.” This prompted them to join forces with their international partners to investigate and dismantle the fraudulent operation.

According to the FBI, the cyber thieves targeted small- to medium-sized businesses, municipalities, churches and individuals infecting their computers with a version of the ZeuS Botnet via phishing e-mails, to ultimately steal US$70 million from victims’ bank accounts throughout the world.

ZeuS, GOZ, peer-to-peer ZeuS, P2P-ZeuS and ZeuS3 are analogous to each other and refer to a ZeuS based malware family (September 2011 to May 2014).

At that time “Gameover” (GOZ) malware was a relatively new, “private” version of ZeuS. There was support for the distributed command and control (C2) tools, integrated into the ZeuS botnet, implemented at the request of one of the “private” clients of the ZeuS author.

While ZeuS is a versatile malware kit that can be used for a variety of purposes, its key strength is in browser manipulation through the use of its dynamic configuration. This manipulation is achieved by a set of rules that tell the malware on which URL pattern to take which actions. This is known in the underground as webinjec. The result is that pages, which are loaded by the browser, regardless of the source being an HTTP or HTTPS resource, can be modified prior to rendering by the browser. The modifications can be relatively simple, such as displaying extra input fields during the login process, allowing the fraudsters to then use that information to execute attacks on the site itself with additional credentials or use the information to enrol victims for other services or abuse other services that could be easily monetized. The other end of the scale is injecting entire javascript frameworks that were utilised to socially engineer the victim for information, and then, on the banking side, automatically inserting and authorising transactions.

Espionage was one of the more unusual uses of GOZ. One instance focused on Georgia and Turkey, the botnets contained a number of commands, issued specifically to these countries, with queries which were very detailed, including searches for documents with certain levels of government secret classifications, and for specific government intelligence agency employees, in respect of information about politically sensitive issues in that region. Additionally, some of the member activity referred to other private malware systems. There were a total of 27 different backends, of which some were unused and some were used for debugging purposes, however, the total amount of members was quite large.

After the recent political changes in Ukraine, which led to a more pro-western government in 2014, one botnet, which had been previously used for banking fraud, was then used for a large volume of infections in Ukraine to search for certain types of politically sensitive information.

Layers of Internet

Do you know what Internet are you using and how much of it?

Ordinary people only use the so called “Surface Web” which comprises just 4% of the whole Internet space. Let’s examine what we are using and the layers Internet has.

Surface Web. The magnitude of the web is growing. According to one estimate, there were 334.6 million Internet top-level domain names registered globally during the second quarter of 2016. This is a 12.9% increase from the number of domain names registered during the same period in 2015. As of February 2017, there were estimated to be more than 1.154 billion websites. As researchers have noted, these numbers “only hint at the size of the Web,” as the volume of users and web sites are constantly fluctuating.

slide2.JPG

Deep Web. The Deep Web, cannot be accessed by traditional search engines, because the content in this layer of the web is not indexed. Information in the Deep Web is not “static or linked to other pages” as is information on the Surface Web. As the US Congressional Research Service has noted, it is impossible to measure the size of the Deep Web. While some early estimates put the size of the Deep Web at 4,000 - 5,000 times larger than the surface web, the changing dynamic of how information is accessed and presented means that the Deep Web is growing exponentially and at a rate that defies quantification.”

Dark Web. The Dark Web comprises hidden Internet sites which cannot be navigated without the use of special software such as The Onion Router (TOR). Because individuals may access the Dark Web assuming anonymity and little risk of detection, they often use this arena for a variety of legal and illegal activities, trading in digital currencies such as Bitcoin. Illicit use of the Dark Web includes illegal drug and weapons trafficking, selling of child pornography. It is also used by the military, law enforcement and as a bastion of free speech by political dissidents who fear detection. It is unclear, how much of the Web is taken up by Dark Web content and which proportion of the Dark Web is used for legal or illegal activities.

The Cyber Warfare begins

Shadow Brokers VS. Equation Group

WikiLeaks, Shadow Brokers, and others are making the most of the tools leaked or stolen from the Equation Group - a name alternately applied to the set of tools, or to the operators of the namesake collection, allegedly tied to the US National Security Agency (NSA)(https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/)

In August 2016, the Shadow Brokers hacking group - which many consider to be affiliated with Russian state intelligence - announced that it had stolen the collection of tools from the Equation Group, and put them up for auction to the highest bidder.

In March 2017, WikiLeaks made public the “Vault7” information about a similar collection of hacking tools. This second wave did not contain executable software, but rather a large assemblage of information about vulnerabilities, exploit tool development, and details of operations and maintenance. Even so, it contained sufficient detail about undisclosed vulnerabilities, for example in the details of the “EXTRABACON” tool, that it was considered a zero-day event for certain network devices.

Not to be outdone, in April 2017, the Shadow Brokers released a large set of operable tools thought to be the collection they were unsuccessful at auctioning and a majority of what had been originally taken from Equation Group. It is unclear if this is actually the full collection they had in hand or a subset, but the security implications are sufficient to warrant priority response either way.

What attack tools and malware do the Equation Group use?

  • EQUATIONDRUG – A complex attack and espionage platform. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.
  • GRAYFISH – The most sophisticated attack platform from the Equation Group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.
  • DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If its true get upgraded to a more sophisticated platform, such as EQUATIONDRUG or GRAYFISH.
  • EQUESTRE – Same as EQUATIONDRUG.
  • TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.
  • FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DOUBLEFANTASY, and then to the EQUATIONDRUG system. FANNY used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.
  • EQUATIONLASER – An early implant from the Equation Group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG

In the upcoming 2nd part of this article, I am going explore especially dangerous cyber threats, including cyber attacks on critical infrastructure and their distribution, providing real examples of attacks..

Three main conclusions on the current state of cyber threats (Cisco Annual Report 2016):

  1. Increased attack surface.
  2. Distribution and complexity of attack model.
  3. A complexity of threats and solutions.

The combination of these creates problems and increases the gaps in the security system. As a result, the attackers manage to make incursions into the IT system of the company faster than it can eliminate flaws in the security system.

The aim of the attacks on infrastructure is significant resources of the Internet.

 

Especially dangerous threats. Major findings

Attacks on critical infrastructure

Many consider the purported Russian DDoS attacks on Estonia in April 2007 as an example of the first cyber war, although it is probably more appropriately labelled as a web-war or cyber terrorism since offline consequences were limited and no physical damage occurred. The attacks were carried out using a botnet, which is a collection of computers controlled remotely that can overwhelm web servers, rendering them unavailable. To distinguish such attacks from more serious ones, cyber warfare often indicates a cyber-attack with offline consequences to critical infrastructures. In 2010, for example, Stuxnet, a malicious software, or malware as it is commonly known, reportedly succeeded in physically disrupting Iran's nuclear power reactors.

The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware which targeted and sabotaged Industrial Control Systems and Supervisory Control And Data Acquisition (SCADA) industrial devices in America during 2014.

The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan, and the KillDisk disk-wiping malware.

On 23d December 2015, around half of the homes in the Ivano-Frankivsk region in Ukraine (population around 1.4 million) were left without electricity for a few hours. According to the Ukrainian news media outlet TSN, the cause of the power outage was a “hacker attack” utilising a “virus”. Looking at ESET’s own telemetry, it was discovered that the reported case was not an isolated incident and that other energy companies in Ukraine were targeted by cybercriminals at the same time.

The attackers have been using a malware family: BlackEnergy. Specifically, the BlackEnergy backdoor has been used to plant a KillDisk component onto the targeted computers that would render them unbootable.

The BlackEnergy trojan has been used for various purposes in the past few years. At the Virus Bulletin conference in 2014, a series of cyber-espionage attacks against high-value, government-related targets in Ukraine was discussed. The malware operators have used numerous spreading mechanisms to infect their victims, including the infamous PowerPoint 0-day CVE-2014-4114. While the primary objectives of the 2014 attacks appeared to be espionage, the discovery of BlackEnergy trojan-droppers capable of infecting SCADA Industrial Control Systems hinted that the gang might be up to something more dramatic.

In the recent attacks against electricity distribution companies in Ukraine, a destructive KillDisk trojan was downloaded and executed on systems previously infected with the BlackEnergy trojan.

The new KillDisk strain uses very robust encryption, giving each file its own AES key, and then encrypting the AES key with a public RSA-1028 key. These guys know what they are doing.

The link between BlackEnergy and KillDisk was first reported by CERT-UA in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents have been destroyed as a result of the attack.

The attack scenario is simple: the target gets a spear-phishing email that contains an attachment with a malicious document. The Ukrainian security company CyS Centrum published two screenshots of emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian Parliament). The document itself contains text trying to convince the victim to run the macro in the document. This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite.

Given the sophistication needed, attacks with such consequences are rare but increasingly likely as countries invest in cyber-attack capabilities and consider disruption through cyber means as a potential alternative to diplomacy or traditional military action.

Cyber espionage

It is similar to offline espionage, in essence, to eavesdrop or steal information without being detected. In the private sector, it would be labelled corporate espionage and considered a cyber-crime, but when countries or individuals are targeted, the motivation is primarily political. Several high-profile incidents have been uncovered in recent years, although the perpetrators are rarely identified. In 2008, for example, Ronald Deibert of University of Toronto and Rafal Rohosinski of SecDev Group, a consultancy, uncovered a malware, which was remotely controlled to send information to a secret location without duplicating itself like traditional viruses.

About one-third of the infected computers are said to be high-value targets and the perpetrators were never discovered. In August 2011, McAfee, a security company, uncovered an espionage program, termed Operation Shady RAT, which was designed to steal information from corporations and governments alike.

A recent Trend Micro study found 20 percent of IT leaders believe cyber espionage will be the top threat of 2017 (https://www.scmagazine.com/cyberespionage-may-be-next-top-threat-to-businesses-this-year/article/644720/)

The study queried 2,402 enterprises IT decision makers in the U.S. and Europe and found that 17 percent said targeted attacks, followed by 16 percent that reported phishing attacks as being the year's top threat.

Last year, phishing attacks were reported as the biggest threat according to 31 percent of respondents, followed by business email compromise at 17 percent, and cyber espionage at 15 percent.

Cyber espionage is a possibility anywhere there is data of interest and organisations that hold a lot of intellectual property such as pharmaceuticals, biotech, engineering, military contractors are prime targets, Trend Micro Vice President of Cloud Research Mark Nunnikhoven told SC Media.

He added that there is a long history of corporate and nation-state espionage and now that everything is digital, the scale and ease in which these attacks can happen is unprecedented.

“I believe that raised awareness around cyber-espionage is the recognition that cyberattacks aren't just about criminals getting user data and selling it on the underground,” Nunnikhoven said. “There's any entire another level where illicit means are used for specific, targeted attacks that lead to political/business advantage.”

Nunnikhoven added that there will always be a constant level of activity between nation-state actors and that on the corporate level, anytime there's enough money at stake the temptation is there and it may be in the industries where you least expect it such as when the former St. Louis Cardinals official hacked into the Houston Astros' computer systems in order to gather intelligence and obtain an unfair advantage.

“When it comes to defending, every organisation should be prioritising their critical data and ensuring that every reasonable precaution is taken to keep it safe,” he said. “If your organisation is a likely target for espionage-like activities, you're going to want to ensure you're taking additional precautions around processes (to defend against social engineering) and security monitoring.”

 

Ransomware

Ransomware is dominating the malware market. Ransomware Trojans are a type of cyberware that is designed to extort money from a victim. Although it is not a new threat, it has evolved to become the most profitable malware type in history - and businesses are now becoming a target of choice for some ransomware operators. In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent. On the horizon: faster and more effective propagation methods that maximise the impact of ransomware campaigns and increase the probability that adversaries will generate significant revenue. 2016-2017 years saw a number of ransomware families, including Cryptolocker, Cryptowall, CoinVault, BitCryptor, TorrentLocker, TeslaCrypt, WannaCry and others, wreaking havoc by encrypting files of private and corporate users alike. Once encrypted, the malware author typically demands ransom in exchange for decryption keys required to restore the files. In coordinated takedowns between law enforcement and security researchers, some ransomware operations were stopped or at least slowed. This often includes taking over the command and control infrastructure, which contains the decryption keys. One excellent example is the CoinVault takedown by the Netherland National High Tech Crime, which exposed over 14,000 decryption keys.

  • CryptoLocker

Gameover ZeuS (GOZ-see above) is a peer-to-peer (a network in which interconnected nodes ("peers") share resources amongst each other without the use of a centralised administrative system) botnet based on components from the earlier ZeuS trojan.

Unlike its predecessor the ZeuS trojan, Gameover ZeuS uses an encrypted peer-to-peer communication system to communicate with its nodes and its command and control servers, greatly reducing its vulnerability to law enforcement operations.

According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware.

CryptoLocker is a Trojan horse-extortionist, encrypts files on the compromised system and holds "hostage" to ransom. For payments, virtual money is commonly used, such as Bitcoin virtual money.

After encryption of the system, CryptoLocker generates a pop-up window with the message that in order to restore the files the user needs to pay the ransom. To encrypt files on the compromised system, it uses cryptographic public key algorithms. Infecting the attacked system, CryptoLocker generates a key and sends the private key to the attacker's server. For the payment of ransom malware usually gives the user 72 hours, warning that after this time CryptoLocker server will destroy the private key, and with it the ability to restore files.

US officials believe CryptoLocker earned nearly USD15 million a month.

  • WannaCry

It was being called the most successful ransomware attack of all time. The WannaCry ransomware struck across the globe in May 2017.

The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware crypto worm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

The attack started on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies.

Symantec (https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware) has uncovered further links to more closely tie the WannaCry attacks with the Lazarus group (https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group):

  • Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as a method of propagating WannaCry, but this is unconfirmed.
  • Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 cyphers which to date have only been seen across Lazarus tools (including Contone and Brambul) and WannaCry versions.

While these findings do not indicate a definitive link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

 

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday 12, May 2017. WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organisation’s network by exploiting critical vulnerabilities in Windows computers, which were patched by Microsoft in March 2017 (MS17-010). The exploit, known as “Eternal Blue,” was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them and then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the Internet.

Additionally, Talos (http://blog.talosintelligence.com/2017/05/wannacry.html#more) has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release, it has been widely analysed and studied by the security industry as well as on various underground hacking forums.

WannaCry appears to primarily utilise the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilise it to install the malware. If the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the Internet.

The unique trifecta of a broadly available vulnerability with a working exploit and the ability for execution without human intervention created the perfect environment for a “wormable” ransomware attack. Since the WannaCry attack, another attack called Adylkuzz has surfaced that takes advantage of the same Windows vulnerability, emphasising the need for action.

Organisations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organisations should have SMB ports (139, 445) blocked from all externally accessible hosts.

How do hackers obfuscate file extensions?

File Extensions are the last three parts of a ­file name after the period. A fi­le may be called note.txt where the “.txt” section determines the type of a ­file and what program opens it. The reason this is important in ransomware is that often your computer will be set to hide ­file extensions. Let’s say someone sends you a ­file called “Payroll Accounts.xls”. Often your email will show the ­file extension, but when you download the ­file, you may not see the extension anymore. The “Payroll Accounts.xls” ­file is actually “Payroll Accounts.xls.exe”. This is a simple example since there are other ways to get around this. A hacker may include a Zip fi­le called “Family photos” that contains multiple ­files inside with altered extensions. Your email program only sees a Zip ­file, but in reality, the Zip ­file contains a single ­file called “photo_album.jpg.exe”. The last thing to realise is that .exe ­files are not the only dangerous type of ­file out there. The following is a short list of potentially dangerous ­file types: .exe, .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .jar: - http://security.fsu.edu/sites/g/files/upcbnu581/files/Ransomware%20Rescue.pdf

The best protection against ransomware is a sound backup policy for all important files on the system. By default, Windows keeps shadow copies of the files in the user’s home folder. Sometimes the system can be recovered from a ransomware attack by restoring shadow copies, but ransomware authors will try to disable shadow copy restores by deleting them.

As security products improve at inspecting and identifying packed or unusual code, malware authors appear to be moving towards blended scripts to prevent detection. Over the past year, there has been a general shift from wholesale packing of malware executables towards better utilizing the inherent strengths of high-level language compiled binaries (i.e., HLL/C, MFC, .NET, Visual Basic, etc.) and off-the-shelf scripting engines (i.e., AutoIt, script, vb script, PowerShell, etc.). Regardless of the type of malware, this combination provides a new level of difficulty in detection and eradication.

Binaries compiled in .NET, Visual Basic, and MFC are less trivial to emulate and traverse. This allows for malicious functionality to be more easily hidden, from both inexperienced malware analysts and automated scanning tools.

 

Distribution of ransomware worldwide

ON THE RISE: Ransomware

The Infoblox DNS Threat Index set a new record in the first quarter of 2016, driven in large part by a 35-fold increase in ransomware

Q1 2016: $209 MILLION IN COSTS ASSOCIATED WITH RANSOMWARE

Security Recommendations

As the next generation of ransomware evolves, organisations need to employ a “first line of defence” that will impede the opportunity for lateral movement and propagation and reduce adversaries’ time to operate. That first line (in addition to basic best practices such as patching vulnerable Internet infrastructure and systems and improving password management) includes network segmentation.

Organisations can use network segmentation to stop or slow the lateral movement of self-propagating threats as well as contain them. There are multiple components for segmented networks that organisations should consider implementing such as:

  • VLANs and subnets for logically separating access to data, including at the workstation level;
  • Dedicated firewall and gateway segmentation;
  • Host-based firewalls with configured ingress and egress filtering;
  • Application blacklisting and whitelisting;
  • Role-based network share permissions (least privilege);
  • Proper credential management.

Upgrading ageing infrastructure and systems and patching known vulnerabilities will undermine the ability of cybercriminals to use those assets to carry out their campaigns. The adversaries responsible for the SamSam ransomware attacks have already alerted the shadow economy to a new frontier ripe with old vulnerabilities that can be exploited to compromise users and reach new heights of profitability.

THE LAST LINE OF DEFENSE: BACKUP RECOVERY

Backup recovery is the last line of defence for organisations that want to avoid – today, and in the future – paying a “king’s ransom” to attackers who have encrypted their data with ransomware. However, the ability to recover from a ransomware attack with minimal data loss and service interruption will depend on whether system backups were made correctly. In a ransomware scenario in which local backups are deleted, removed, or otherwise made inaccessible by attackers, off-site backups are often an organisation’s only hope of restoring service without paying the ransom. How often backups are sent off-site determines how much data, if any, would be inaccessible or lost.

DO NOT DISMISS THE THREAT OF BROWSER INFECTIONS

When ad injectors deliver malicious advertising through HTTPS encrypted traffic, defenders cannot readily identify the threat. And as adversaries increase their use of HTTPS to conceal their activity, it is becoming even more imperative for security teams to stop viewing browser infections as a low-severity threat to their organisation and its users.

A seemingly benign browser infection can quickly become a much bigger problem, and there is evidence that malicious ad injectors have become an important tool for adversaries laying the groundwork for higher-risk attacks.

By making monitoring of browser infections a higher priority, organisations will be better positioned to quickly identify and remediate these threats. Behavioural analytics tools and collaborative threat intelligence are critical resources for defenders in remediating these types of threats. Educating users to alert security teams to an increase in pop-up ads and other unwanted advertising is also vital for defence.

Android ransomware

Ransomware is a very successful model of attack and its mobile version is not much different from its desktop counterpart. Usually, the user is tricked into installing a useful app: for example, an app that pretends to be Adobe Flash player. Once installed and executed, the malicious application attempts to encrypt all accessible documents, images, and multimedia files on the device. When this process is finished, the ransomware application displays a text, a warning that often seems to come from law enforcement agencies such as the FBI and instructs the user how to pay to restore files and access the device.

Some of the most successful Android ransomware families are Simplocker and Koler. The recently discovered Locker family actually sets a PIN for the device and makes the restore almost impossible if the user is not willing to pay the attackers for recovery instructions.

In the upcoming 3d part of this article, I am going to explore information-stealing malware and “Cryptocurrency” Cyberattacks.

 

Зберегти

Зберегти

SOROCHAN HOLDINGS LIMITED a company incorporated in Cyprus, under registration No. HE 244352 having its registered office at Thessalonikis NICOLAOU PENTADROMOS CENTER, 10th floor, Flat/Office 1002, P.C. 3025, Limassol, Cyprus

info@intecracy.com

Зберегти

Зберегти

Зберегти

Зберегти

Зберегти

Зберегти

Intecracy Group

Intecracy Group is an international consortium of companies working in the Information & Communication Technology (ICT) industry.