Month: December 2018

Ransomware Losses Top $1.5M Each Minute


A new report has found that 1.5 organizations fall victim to ransomware attacks every minute — and more than $1 million is lost each minute due to cybercrime.

RiskIQ’s 2018 “The Evil Internet Minute” investigated the cyber threats that organizations and internet users face every minute.

“With businesses expanding their online presence to create more touchpoints with customers, employees and partners, the boundaries between what’s inside the firewall and what’s outside become less and less discernible, opening a whole new front in the battle between attackers and security teams,” the company wrote in a blog post. “These attackers target brands and consumers on the open web with tactics like phishing, spinning up malicious mobile apps, hacking third-party suppliers and directly compromising websites.”

The report found that cybercrime costs businesses $600 billion each year, with ransomware specifically costing corporations $8 billion per year, or more than $15,000 per minute.

In addition, there are 1,274 new malware variants released each minute, 22.9 phishing email attacks per minute and 2.9 billion record leaks from publicly disclosed incidents each day (that’s more than 5,000 each minute). The data also showed .17 blacklisted mobile apps, .21 new phishing domains, .07 incidents of the Magecart credit card skimmer, .1 new sites running the CoinHive cryptocurrency mining script and four potentially vulnerable web components discovered during the evaluation process.

“This data shows that as organizations continue to roll out new digital strategies and initiatives, the new digital assets they create are subject to scores of malware, malvertising, phishing and crypto mining efforts on a massive scale, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss,” according to RiskIQ.

The company noted that the instances of these cybercrimes have gotten worse since last year, showing that companies need to do more to protect themselves and their clients.

“When brands understand what they look like from the outside-in, they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyberattacks. However, bringing the massive scope of an organization’s attack surface into focus is no easy task,” the company added.

Were You Attacked Today With Yesterday’s Hacking Technique?

Originally seen: Forbes.com by Itzik Kotler on August 22, 2018

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time — today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

This large-scale recycling program means there is an abundance of bad actors spreading an abundance of viruses, trojan horses, ransomware and other junk intended to wreak havoc and steal money and intellectual property. One recent example of recycled software getting heavy use by the hacker community is Mimikatz, a tool used to capture passwords, user credentials and other sensitive information from Windows-based operating systems.

Mimikatz was first created in 2007 and since then has been instrumental in a number of large-scale malware attacks, including the NotPetya campaign that disrupted networks and commerce during the summer of 2017, costing affected companies hundreds of millions of dollars according to the tech journal eWeek. Mimikatz was also used in the PinkKite attack that infected retail point-of-sale (POS) systems, primarily throughout Europe and North America, stealing credit card data used in consumer transactions.

There are other common tools, many of which were developed for legitimate purposes, that have been co-opted by the hacker community in many malicious hacking campaigns. Microsoft originally created PowerShell to automate administrative tasks in Windows. Now PowerShell is available as open source code, supporting Linux and macOS, and available to the developer community — including hackers. PowerShell has been a key component in attacks using stolen passwords and digital credentials to give hackers access to and control of networks. PowerShell was used in the REDLeaves attack, discovered in 2016, targeting the health care and energy industries. PowerShell was also part of a state-sponsored attack targeting teams participating in the 2018 Winter Olympics.

Likewise, macros are small, code-based shortcuts developed for the Microsoft Office suite of products and are used to execute larger, more complex functions. Macros make life easier for Office users, but they have been adapted for spam attacks where they are embedded in attachments that look like legitimate files. Once clicked, the macro downloads malware to the victim’s computer, infecting it with whatever code the adversary wants. Macros were behind the Locky ransomware attack that bedeviled hospitals in the U.S. and elsewhere in 2016 by encoding important files that the hackers would only release upon receipt of payment in bitcoin.

While this illicit activity has contributed to the relentless assault on personal and corporate networks, it has one major flaw that chief information security officers (CISOs) can exploit to protect their networks and endpoints. Because so many hackers conduct campaigns using recycled code, mass-marketed malware and reused techniques, the number of attacks has increased. But that also makes it possible, with the right security strategy, to identify the key signatures in those campaigns and thwart such attacks before they are successful.

The NotPetya and PinkKite campaigns targeted two different kinds of systems. Both used Mimikatz because it worked well for the job it was designed to perform. There was no reason to invent, test and try a new tool for stealing the credentials essential for their hacks because Mimikatz was already available. Because both NotPetya and PinkKite used Mimikatz, defenses configured to detect their telltale signatures would have been able to detect its presence. Security teams which used such defenses were alerted to an attack and with this knowledge could have quickly intervened to thwart the campaign and prevent infection.

This is not revelatory. I previously wrote about an entire information/cybersecurity industry sector built on the collection, analysis and use of this information, known as threat intelligence, as a key part of a cyber-defense strategy. Knowing this, why aren’t more organizations taking advantage of this major flaw in the hackers’ use of recycled and open-source code? The information security industry may be more focused on generating fear, uncertainty and doubt than on helping companies establish the security priorities needed to bring to bear all the capabilities available to them.

Because of the adversary’s reuse of hacking tools, CISOs should make sure their systems are calibrated to not only detect the newest zero-day threats but also thwart the malware and methods that continue to wreak havoc on their networks. The information security industry is turning the corner in its fight against the global hacker community, and keeping pace with the threat means building on what we already know. After all, the key to stopping tomorrow’s hack can often be found in the lessons learned from yesterday’s attack.

PGA possibly infected with BitPaymer


Originally seen on BleepingComputer by: Lawrence Abrams on August 8, 2018 

If corporate America, government entities, and hospitals weren’t enough, now ransomware developers are attacking Golf!

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.

“Your network has been penetrated,” the ransom note read according to Golfweek’s article. “All files on each host in the network have been encrypted with a strong algorythm [sic].”

Based on these strings and the misspelling of “algorithm”, PGA of America was most likely infected with the BitPaymer ransomware. This is the same type of ransomware that recently hit the Alaskan town of Matanuska-Susitna and forced them to use typewriters for a week.

BitPaymer becoming more active?

As already stated, based on the reported ransom note, PGA of America was most likely targeted by the BitPaymer ransomware. BitPaymer has been around for a while, but typically keeps a low profile. There has been some moderate activity with BitPaymer over the last few weeks, though, as shown by the ID Ransomware chart below.

Like SamSam, BitPaymer tends to target organizations by hacking into Remote Desktop Services connected to the Internet.  Once inside a network, they traverse through it and encrypt every computer they can get access to.

Recent variants have been appending the .locked extension to encrypted files and dropping ransom notes of the same name as the encrypted files but with “.readme_txt” appended to it. For example, an encrypted file called test.jpg would also have a ransom note named test.jpg.readme_txt.

You can see an example ransom note for the BitPaymer Ransomware below. Notice the strings in the example below match those mentioned in the GolfWeek article.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.

We exclusively have decryption software for your situation.

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.


To get info(pay-to-decrypt your files) contact us at:

[first_contact_email]
or
[second_contact_email]

BTC wallet:
[bitcoin_address]

To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything.
Files should have .LOCK extension of each included.
2 files we unlock for free.
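The file naming and note text described above can be turned into a triage check for a file share. This Python example is added here and is not code from the article; it assumes, following the test.jpg example, that an encrypted file is the original name plus .locked and its note is the original name plus .readme_txt, and the directory tree it scans is constructed.

```python
import os
import tempfile

LOCKED_EXT = ".locked"      # extension the article reports on encrypted files
NOTE_EXT = ".readme_txt"    # suffix the article reports on ransom notes
# Phrases quoted from the ransom note shown above (misspelling included).
NOTE_MARKERS = ("Your network has been penetrated", "strong algorythm")


def note_matches(path, max_bytes=4096):
    """True if the start of the file contains every marker phrase."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return False
    return all(marker in head for marker in NOTE_MARKERS)


def triage(root):
    """Walk root and classify artifacts by the original (pre-encryption) name."""
    findings = {"paired": [], "locked_only": [], "note_only": [], "note_text_hits": 0}
    for dirpath, _dirs, files in os.walk(root):
        locked, notes = {}, {}
        for name in files:
            lower = name.lower()  # match extensions case-insensitively
            if lower.endswith(LOCKED_EXT):
                locked[lower[: -len(LOCKED_EXT)]] = name
            elif lower.endswith(NOTE_EXT):
                notes[lower[: -len(NOTE_EXT)]] = name
        for base in sorted(locked.keys() | notes.keys()):
            rel = os.path.relpath(os.path.join(dirpath, base), root)
            if base in locked and base in notes:
                findings["paired"].append(rel)       # strongest signal
            elif base in locked:
                findings["locked_only"].append(rel)  # generic extension, weak alone
            else:
                findings["note_only"].append(rel)
            if base in notes and note_matches(os.path.join(dirpath, notes[base])):
                findings["note_text_hits"] += 1
    return findings


def build_sample(root):
    """Create a constructed directory tree for the demonstration."""
    sample = {
        "docs/test.jpg.locked": "ciphertext placeholder",
        "docs/test.jpg.readme_txt": "Your network has been penetrated.\n"
        "All files on each host in the network have been encrypted "
        "with a strong algorythm.\n",
        "docs/report.docx.locked": "ciphertext placeholder",
        "share/budget.xlsx.readme_txt": "See budget.xlsx for details.\n",
        "share/notes.txt": "nothing unusual\n",
    }
    for rel, text in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A .locked file with no note beside it is reported separately because that extension alone is not specific to this family.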

BitPaymer is also known to charge very large ransom amounts to decrypt computers. For example, one BitPaymer infection in the past asked for 53 bitcoins to decrypt an entire network.

Unfortunately, BitPaymer is a secure ransomware, which means either PGA of America is going to have to restore from backup or pay a hefty ransom payment.

Update 8/9/18: Article updated to clarify that the PGA of America’s computers were infected and not PGA Tour.

Cryptocurrency stealing malware


Originally seen on securitynews on August 24, 2018

Over a billion worth of cryptocurrencies have been reportedly stolen this year so far and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported, cryptocurrency prices slump, but they remain attractive to cybercriminals looking to capitalize on their growth potential.

This week, the SonicWall Capture Labs Threat Research Team came across crypto-stealing malware that monitors the victim’s clipboard for cryptocurrency wallet addresses. Once it detects one, it replaces the clipboard data with an address of its own. Unless the user is vigilant and carefully examines the address after pasting it, the transaction that follows will go to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveals that it pretends to be a text-to-speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with the Microsoft .NET Framework, and its assembly description shows it pretending to be a legitimate Firefox file, but with the name misspelled “Mozzilla.”

To mislead the victim even more, upon execution it throws off a fake error.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses.” This listed 10,000 different digital currency wallet addresses.

This malware steals cryptocurrency by monitoring the clipboard and matching its contents against a regex to identify whether a cryptocurrency wallet address has been copied. It then swaps that data with one of the 10,000 hardcoded addresses.
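The swap described above can be caught from the defender's side by watching for one valid address being replaced by a different one moments after it was copied. This Python example is added here and is not SonicWall's code or the sample's; it covers legacy Base58 Bitcoin addresses only, the two-second window is an assumed heuristic, and the clipboard snapshots and addresses are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy Base58 Bitcoin address; other coins need their own patterns.
ADDR_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def _checksum(payload):
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version, body):
    """Build an address string; used here only to construct sample data."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def is_btc_address(text):
    """True if text has the address shape and a valid Base58Check checksum."""
    text = text.strip()
    if not ADDR_RE.match(text):
        return False
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])


def find_swaps(events, window=2.0):
    """Flag a valid address replaced by a different valid one within window seconds."""
    alerts, prev = [], None
    for ts, text in events:
        if (prev and ts - prev[0] <= window and text.strip() != prev[1].strip()
                and is_btc_address(prev[1]) and is_btc_address(text)):
            alerts.append({"at": ts, "copied": prev[1].strip(), "now": text.strip()})
        prev = (ts, text)
    return alerts


def _sample_address(label):
    """Constructed address derived from a label; not a real wallet."""
    return b58check_encode(0, hashlib.sha256(label).digest()[:20])


PAYEE = _sample_address(b"constructed payee")
REPLACEMENT = _sample_address(b"constructed replacement")
SECOND_PAYEE = _sample_address(b"constructed second payee")

# Constructed clipboard snapshots: (seconds since start, clipboard text).
EVENTS = [
    (0.0, "meeting notes"),
    (10.0, PAYEE),            # user copies the payee's address
    (10.3, REPLACEMENT),      # different address 0.3 s later: flagged
    (60.0, SECOND_PAYEE),     # a later, deliberate copy: not flagged
    (60.5, "invoice #12"),    # non-address text: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(EVENTS):
        print(alert)
```

The checksum test keeps address-shaped strings that are not real addresses from raising alerts.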

 

 

Victims Lose Access to Thousands of Photos as Instagram Hack Spreads


Originally seen: August 14th, on threatpost by Tara Seals

In a probable quest to build a botnet, someone is hacking Instagram accounts, deleting handles, avatars and personal details, and linking them to a new email address.

An Instagram hack is spreading across the internet, with increasing numbers of victims finding their accounts hijacked and personal details altered — and account recovery so far impossible.

Starting in the beginning of the month, people started experiencing random log-outs on their accounts; from there, their handles, avatars and personal details like their bios have been deleted. On top of that, the accounts are linked to a new email address, thus subverting the account recovery process.

Oddly, prior, legitimate posts haven’t been deleted, nor have new posts appeared on the hijacked accounts’ timelines. This has led at least one security researcher to speculate that the malefactor is on a quest to build a botnet.

“Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spambots,” said Paul Bischoff, privacy advocate at Comparitech.com, via email. “Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spambot army.”

The threat actor remains unknown; while the newly linked email address is a .ru Russian domain, that could be a red herring meant to point attribution away from the true perpetrator.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com, in an email.

The situation, first reported by Mashable, seems to be worsening, with hundreds of complaints flooding the photo-sharing site’s Twitter feed, and many comments filtering into Reddit.

Many complain that they are getting no response from Instagram when they ask for help in gaining control of their accounts.

“@instagram this is the 6th time I’ve reached out and no response… my account has been hacked and I need it recovered!!,” said one disgruntled user, @brycehendrixx.

Others complained of deeper issues: “@instagram someone hacked my account and changed my username and pword but is keeping all of my pictures up as if it is them,” tweeted Alyssa Rogalski. “You rejected my report and said they did not violate any of your guidelines, so youre saying it’s ok if someone hacking and impersonating me?”

For its part, Instagram – which is owned by Facebook – issued a boilerplate media statement: “We work hard to provide the Instagram community with a safe and secure experience. When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”

However, as mentioned, account recovery doesn’t seem to be on the table for most victims.

“My account has been hacked for 3 days now and no one has reached out,” tweeted one affected user, Liz Teal. “Email, phone number, username and profile picture changed- so you cannot go through the steps they have in place on their FAQ page. Unbelievable!”

Threatpost has reached out to Instagram directly and will update this post with any further details or responses.

“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred,” said Bischoff. “While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.”

Perhaps most perplexing, one victim told Mashable that he had two-factor authentication (2FA) enabled – and was still hacked. There could be straightforward explanations for this, according to researchers.

“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”

Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”

Recent App Issues Reveal Facebook’s Struggles to Temper Data Privacy Woes


Originally Seen: August 23rd on Threatpost by Lindsey O’Donnell

Facebook has been struggling to keep its data privacy woes at bay this week, between banning apps on its social media platform – and pulling its own app from Apple’s store.

Facebook was hit with a double privacy punch regarding data privacy on Wednesday. First, Facebook acknowledged in a public post that one of the apps on its platform, myPersonality, inappropriately shared 4 million users’ data with researchers. Also on Wednesday, The Wall Street Journal reported that Facebook pulled its data security service, Onavo Protect, from Apple’s official App Store after Apple said that the app violated its data collection policies.

Facebook responded: “We will continue to investigate apps and make the changes needed to our platform to ensure that we are doing all we can to protect people’s information.”

The news comes as privacy experts are pushing the social media giant to double-down on its efforts around social media data privacy – especially on the heels of its backlash around the Cambridge Analytica scandal in March.

The recent incidents also reveal a behind-the-curtains look at how the giant is still struggling to navigate data privacy.

Facebook VP of Product Partnerships Ime Archibong said on Wednesday that the company will ban an app called myPersonality and notify the roughly 4 million impacted users after discovering that the app had misused information collected from them.

“Today we banned myPersonality — an app that was mainly active prior to 2012 — from Facebook for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place,” Archibong said in a post.

MyPersonality is a Facebook app, created in 2007, that enabled users to participate in psychological research by filling in a personality questionnaire and then offered them feedback on their scores. David Stillwell, the creator of the app, did not respond to a request for comment on the situation from Threatpost.

“As well as the data from the tests, around 40% of the respondents also opted in to share data from their Facebook profile, resulting in one of the largest social science research databases in history,” according to the app project’s website. “The application was active until 2012 and collected data from over 6 million volunteers during this time. This data was anonymised and samples of it were shared with registered academic collaborators around the world through the myPersonality project, resulting in over 45 scientific publications in peer-reviewed journals.”

Facebook did not specify what specific data was passed to researchers, and where the specific violations occurred. There is no current evidence that myPersonality had accessed the Facebook “friends” of those impacted – though that may change, Facebook said.

But apps passing data to outside third parties is a sore spot for Facebook. In March, the company’s firestorm around data privacy and misuse started with an app developer violating the company’s platform policies by collecting data via an app under the pretense of using it for psychological research – and instead passing users’ personal information to Cambridge Analytica and its parent company SCL.

myPersonality is only one of many apps that the company has looked at – Facebook said that since March, it has investigated thousands of apps, and suspended 400 of those due to concerns around data misuse and user data privacy.

Interestingly, last week one of those initially suspended apps, Crimson Hexagon, announced that it has been un-suspended from Facebook’s platform.

Facebook, in July, said it had suspended Crimson Hexagon due to concerns about the collection and sharing of data. The company launched an investigation into whether the Boston-based company’s collection of public user data was a violation of its policies concerning using data for government surveillance.

Fast forward to last week, Crimson Hexagon announced that it has been re-instated on Facebook and its customer base will now be able to once again access those data sources.

“Several of Facebook’s questions focused on a small number of our government customers, which represent less than 5 percent of our business,” said Dan Shore, senior vice president with Crimson Hexagon in a post. “Historically, we have vetted potential government customers similar to our other customers — with a goal of understanding their proposed use of our platform in order to make them successful. To our knowledge, no government customer has used the Crimson Hexagon platform for surveillance of any individual or group.”

In another turn of events around data privacy, Facebook’s data security app Onavo Protect was pulled from Apple’s app store after the phone company said it violated its data policies, according to The Wall Street Journal report.

Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that use lots of data.

Onavo Protect, which was acquired by Facebook in 2013 and alerts customers when they visit a potentially malicious website, was collecting and analyzing users’ behavior to understand customer activity outside of Facebook’s app, the report alleged.

Facebook confirmed to Threatpost that they pulled the app from Apple’s App Store, however: “We’ve always been clear when people download Onavo about the information that is collected and how it is used,” a spokesperson told us. “As a developer on Apple’s platform we follow the rules they’ve put in place.”

According to the report, Onavo Protect violates Apple’s developer agreement preventing apps from utilizing data that is not relevant to their purpose. The app also did not follow new rules that Apple unveiled earlier this summer to limit developer data harvesting. Onavo Protect’s website shows that the app is still available on Android.

Between the Onavo Protect incident and its investigation of apps on its own platform, it’s clear that Facebook is struggling to navigate the data privacy policy landscape in an environment filled with data, experts say.

“The [March] Facebook breach made it clear: social media platforms need to be completely transparent and ask for double opt-in,” Andrew Avanessian, chief operations officer at Avecto told Threatpost. “We need these platforms to have different incentives than they have in the past and dedicate their companies to protecting user data. There needs to be a fundamental overhaul for social platforms. Data privacy is everyone’s issue and I think it will make developers stop and think about how they are using other people’s data.”

Morten Brøgger, CEO of Wire, agreed: “Every company and customer has the right to know where their data is going and how it is being used,” he said. “Businesses need to choose which applications they use wisely, and should only allow those which are fully open sourced and independently audited to be used in the business setting.”