
Monthly Archives: July 2017

Companies fall in new global ransomware attack

Companies around the world have fallen victim to a new global ransomware attack. Infosec experts at McAfee said the ransomware, dubbed NotPetya, was a “nasty variant that encrypts files and the computer’s master boot record, rendering the machine unusable”.

Because the WannaCry attack just a few weeks earlier had prompted many people to apply the latest Windows patches, NotPetya introduced “more spreading mechanisms to be more successful”, McAfee said. Those additional mechanisms, harvesting credentials from memory and then moving laterally with legitimate administration tools such as PsExec and WMIC, are why the attack also reached machines that were already patched. Security vendor Symantec said NotPetya, a variant of Petya, propagates like WannaCry by exploiting the SMBv1 vulnerability that Microsoft patched in MS17-010, using the EternalBlue exploit. EternalBlue was created by the United States National Security Agency and leaked by the Shadow Brokers group in April 2017.

“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the potential to be even more damaging than WannaCry,” said Kobi Ben Naim, senior director of cyber research at CyberArk Labs.

“NotPetya is spreading using the incredibly efficient infection method used by WannaCry – a worm that quickly spreads the ransomware using the SMB vulnerability in Microsoft systems. The combination is potent and has the potential to inflict massive damage on scales we have not witnessed before.”

CyberArk Labs research found that NotPetya requires administrative rights to execute: if a user without local administrator rights clicks on a phishing link, the ransomware will not run, whereas a user who does hold those rights will infect the machine and let it spread across the network. This is why CyberArk stresses least privilege on endpoints alongside patching.

“In addition to patching, organisations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilised to execute this attack,” Naim added.

Update: IT security firm ESET has said that paying the ransom is no longer possible: the email address to which victims were told to send their Bitcoin wallet ID and “personal installation key” has been shut down by the provider, so there is no longer any channel through which a decryption key could be obtained.
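The SMBv1 dependence described above is something a defender can verify directly rather than infer from a patch list. The script below is an added example, not code from McAfee, Symantec or CyberArk: it sends a single SMB_COM_NEGOTIATE request offering only the SMBv1 dialect “NT LM 0.12” to TCP port 445 and reports whether the server accepts it. A host that accepts is speaking the protocol EternalBlue needs; a host that refuses, resets or answers in another protocol cannot be reached by this worm’s SMB spreader whatever its patch level. It is a protocol-exposure check, not an MS17-010 patch check (for that, confirm the March 2017 update is installed or run a dedicated MS17-010 scanner). The byte layout follows the published SMB header (32 bytes after a 4-byte NetBIOS session header); the server reply used to exercise the parser is constructed here so the code runs offline. Scan only systems you are authorised to test.

```python
"""SMBv1 negotiate probe: does a host still accept the dialect EternalBlue requires? (added example)"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT_ACCEPTED = 0xFFFF   # DialectIndex a server returns when it accepts none of the offered dialects
SMB1_DIALECT = b"NT LM 0.12"   # the dialect every Windows SMBv1 implementation (and EternalBlue) speaks


def _smb1_header(status: int = 0) -> bytes:
    # 32-byte SMB header: magic, command, NT status, flags, flags2, PIDHigh,
    # SecurityFeatures (8 bytes), reserved, TID, PIDLow, UID, MID
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, status,
                                    0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def build_negotiate_request() -> bytes:
    """SMB_COM_NEGOTIATE offering only the SMBv1 dialect, wrapped in a NetBIOS session message."""
    dialects = b"\x02" + SMB1_DIALECT + b"\x00"          # BufferFormat 0x02 + NUL-terminated dialect string
    smb = _smb1_header() + struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount, data
    return struct.pack(">I", len(smb)) + smb              # NetBIOS: type 0x00 then 3-byte big-endian length


def parse_negotiate_response(data: bytes) -> dict:
    """Decide from a server's reply whether it accepted the SMBv1 dialect."""
    smb = data[4:]                                        # strip the NetBIOS session header
    if len(smb) < 33 or smb[:4] != SMB1_MAGIC:
        # SMBv1-disabled hosts typically reset the connection or answer in another protocol
        return {"smb1": False, "status": None, "dialect_index": None}
    status = struct.unpack_from("<I", smb, 5)[0]          # NT status follows the 1-byte command
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0] if word_count >= 1 and len(smb) >= 35 else None
    accepted = status == 0 and dialect_index not in (None, NO_DIALECT_ACCEPTED)
    return {"smb1": accepted, "status": status, "dialect_index": dialect_index}


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect, send the negotiate request and interpret the reply (only against hosts you may scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except OSError:
        data = b""                                        # refused, reset or silent: treat as not exposed
    return parse_negotiate_response(data)


def constructed_negotiate_response(dialect_index: int, status: int = 0) -> bytes:
    """A server reply constructed for this example so the parser can be exercised offline."""
    params = struct.pack("<H", dialect_index) + b"\x00" * 32   # DialectIndex + the other 16 parameter words
    smb = _smb1_header(status) + struct.pack("<B", 17) + params + struct.pack("<H", 0)  # WordCount=17, ByteCount=0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    for target in sys.argv[1:]:
        result = probe_smb1(target)
        print(f"{target}: {'SMBv1 ACCEPTED' if result['smb1'] else 'SMBv1 not accepted'} {result}")
```

Run it as `python smb1_probe.py 10.0.0.5 10.0.0.6`; any host reported as accepting SMBv1 should have the protocol disabled (or, at minimum, have MS17-010 confirmed installed and port 445 filtered from untrusted networks).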

Here, there, Ransomware

Organisations in the UK, Ukraine, the Netherlands, Spain, the United States and elsewhere have been affected by the ransomware attack, which demands that users send US$300 in Bitcoin to recover their files. Telemetry from Kaspersky Lab indicates more than 2,000 attacks worldwide. Ukrainian firms, including the state power company and the country’s central bank, Russia’s biggest oil producer Rosneft, Danish shipping company Maersk, Netherlands-based shipping company TNT and US pharmaceutical maker Merck have all reported issues as a result of the attack. Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the computer systems of the country’s Secretariat of the Cabinet of Ministers were down.

The Australian Government urged small businesses to take “urgent action to improve their cyber security” in the wake of the new attack. “We are aware of the situation and monitoring it closely, we are in contact with our Five Eyes partners,” said Dan Tehan, Minister Assisting the Prime Minister for Cyber Security. “It appears to be the same vulnerability as WannaCry. This ransomware attack is a wake-up call to all Australian businesses to regularly backup their data and install the latest security patches.” Businesses that believe they could be infected are urged to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300CYBER1) for more information.

CopyCat Android Rooting Malware Infected 14 Million Devices

A newly uncovered malware strain has already infected more than 14 million Android devices around the world, earning its operators approximately $1.5 million in fraudulent ad revenue in just two months.

Dubbed CopyCat, the malware can root infected devices, establish persistence, and inject malicious code into Zygote, the daemon from which every Android app process is forked, so that its code is inherited by every app the device launches and the attackers have full control of the device.

Over 14 Million Devices Infected; 8 Million of them Rooted

According to the Check Point researchers who discovered it, CopyCat has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and used 4.4 million of them to steal credit for installing apps on Google Play. The majority of victims are in South and Southeast Asia, with India the most affected country, but more than 280,000 Android devices in the United States were also infected. There is no evidence that CopyCat was distributed through Google Play; Check Point believes that millions of victims were infected through third-party app downloads and phishing attacks.

Like Gooligan, CopyCat uses “state-of-the-art technology” to carry out various forms of advertising fraud.

To root devices, CopyCat uses several old, widely circulated exploits, including CVE-2013-6282 (VROOT), CVE-2014-3153 (Towelroot) and CVE-2015-3636 (PingPongRoot). They affect Android 5.0 and earlier, and the most recent of them was disclosed two years before the campaign.

The success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices.

Here’s How CopyCat Infects Android Devices

CopyCat disguises itself as a popular Android app that users download from third-party stores. Once installed, it collects data about the infected device and downloads rooting exploits (which Check Point describes as rootkits) to root the victim’s smartphone.

After rooting the device, CopyCat removes its security defences and injects code into the Zygote app-launching process so that it can fraudulently install apps, display ads and generate revenue.

“CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop-up on their screens,” Check Point researchers say.

“CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware.”

In just two months, CopyCat made its operators more than $1.5 million. The majority of that (over $735,000) came from nearly 4.9 million fake app installations on infected devices, which displayed up to 100 million ads. Most victims are in India, Pakistan, Bangladesh, Indonesia and Myanmar, though over 381,000 devices in Canada and more than 280,000 in the US are also infected.

CopyCat Malware Spreads Using Chinese Advertising Network

While there is no direct evidence of who is behind the CopyCat campaign, Check Point researchers found the following connections, which suggest that the attackers may have used the Chinese advertising network ‘MobiSummer’ to distribute the malware.

  • CopyCat malware and MobiSummer operate on the same server
  • Several lines of CopyCat’s code are signed by MobiSummer
  • CopyCat and MobiSummer use the same remote services
  • CopyCat did not target Chinese users, despite over half of the victims residing in Asia

“It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge,” Check Point researchers say.

In March 2017, Check Point informed Google about the CopyCat campaign, and Google has since updated Play Protect to block the malware. Play Protect also scans apps installed from outside Google Play and is updated regularly as malware strains such as CopyCat evolve, so Android users, even on older devices, are protected against the known CopyCat samples. The underlying root exploits remain unpatched on those devices, however, so users who install apps from third-party stores are still exposed to anything new that abuses them.

Adwind RAT Returns! Cross-Platform Malware Targeting Aerospace Industries

Hackers and cyber criminals are becoming more adept, innovative and stealthy with each passing day. Rather than tooling built for a single operating system, cybercriminals are increasingly turning to techniques that offer many attack vectors, run across platforms and have low detection rates. Security researchers have discovered that the infamous Adwind, a popular cross-platform Remote Access Trojan written in Java, has re-emerged and is currently being used to “target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries.”

Adwind, also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket and jRat, has been in development since 2013 and can infect all the major operating systems, including Windows, Mac, Linux and Android, because it runs wherever a Java runtime is installed.

Adwind’s capabilities include credential theft, keylogging, capturing photos and screenshots, and gathering and exfiltrating data. The trojan can also enlist infected machines into botnets that are used to knock online services offline with DDoS attacks.

Researchers from Trend Micro recently noticed a sudden rise in Adwind infections during June 2017: at least 117,649 detections in the wild, 107 percent more than the previous month. According to a blog post published today, the malicious campaign was observed on two occasions. The first, on June 7, used a link that led victims to .NET-written malware with spyware capabilities, while the second wave, noticed on June 14, used different domains to host the malware and its command-and-control servers.

Both waves relied on the same social engineering tactic: spam emails impersonating the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee, which tricked victims into clicking the malicious links they contained.

Once a machine is infected, the malware also collects the system’s fingerprint, along with a list of installed antivirus and firewall applications. “It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions,” the researchers wrote.

My advice for staying protected from malware such as this is to treat unsolicited documents sent by email with suspicion and never to click links inside them without first verifying the source. Additionally, keep your systems and antivirus products up to date to protect against the latest threats.
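The reflection point in the Trend Micro quote is one an analyst can check statically, because a class that resolves classes and methods by name must still carry those names in its constant pool. The script below is an added example, not Trend Micro’s code and not part of Adwind: it walks the constant pool of every class file in a JAR as the JVM specification lays it out, lists the classes that reference the reflection API or runtime class loading, and reports the manifest’s Main-Class. The sample JAR and its two class-file stubs are constructed in memory so the script runs offline; a real JAR is passed on the command line. Reflection is common in legitimate Java frameworks, so this is triage that tells an analyst where to look first, not a verdict.

```python
"""Static triage of a JAR for reflection and runtime class loading (added example)."""
import io
import struct
import sys
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Constant-pool strings a class carries when it resolves classes or calls methods
# through the reflection API, or defines/loads classes at runtime.
REFLECTION_MARKERS = {
    "java/lang/reflect/Method", "java/lang/reflect/Constructor",
    "java/lang/ClassLoader", "java/net/URLClassLoader",
    "forName", "getDeclaredMethod", "getMethod", "invoke", "defineClass",
}

# Byte size of the fixed-width constant-pool entries by tag (JVM spec 4.4); tag 1 (Utf8) is variable.
_FIXED_CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                  15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_utf8(class_bytes: bytes) -> list:
    """Walk a class file's constant pool and return every CONSTANT_Utf8 string in order."""
    if class_bytes[:4] != CLASS_MAGIC:
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]  # constant_pool_count, after magic + minor/major version
    pos, idx, strings = 10, 1, []
    while idx < count:                                   # valid pool indices are 1 .. count-1
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                     # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack_from(">H", class_bytes, pos)[0]
            strings.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED_CP_SIZE:
            pos += _FIXED_CP_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1                 # Long and Double take two pool slots
    return strings


def triage_jar(jar_bytes: bytes) -> dict:
    """Return the manifest Main-Class, the class count and, per class, the reflection markers it references."""
    report = {"main_class": None, "classes": 0, "flagged": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Main-Class:"):
                    report["main_class"] = line.split(":", 1)[1].strip()
        for name in names:
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            if data[:4] != CLASS_MAGIC:
                continue                                 # named .class but not a class file; worth a look on its own
            report["classes"] += 1
            hits = sorted(REFLECTION_MARKERS.intersection(constant_pool_utf8(data)))
            if hits:
                report["flagged"][name] = hits
    return report


def _constructed_class(utf8_strings) -> bytes:
    """Magic, version and a constant pool of Utf8 entries only: enough for the parser, not a loadable class."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_strings)
    return CLASS_MAGIC + struct.pack(">HHH", 0, 52, len(utf8_strings) + 1) + pool


def constructed_sample_jar() -> bytes:
    """In-memory JAR constructed for this example: one plain class, one that resolves and invokes methods by name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: app.Loader\r\n\r\n")
        zf.writestr("app/Hello.class", _constructed_class(
            ["app/Hello", "java/lang/Object", "main", "([Ljava/lang/String;)V"]))
        zf.writestr("app/Loader.class", _constructed_class(
            ["app/Loader", "java/lang/Class", "forName", "getDeclaredMethod",
             "java/lang/reflect/Method", "invoke", "stage2.Payload"]))
    return buf.getvalue()


if __name__ == "__main__":
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample_jar()
    report = triage_jar(jar)
    print(f"Main-Class: {report['main_class']}  classes: {report['classes']}  flagged: {len(report['flagged'])}")
    for cls, markers in report["flagged"].items():
        print(f"  {cls}: {', '.join(markers)}")
```

Walking the constant pool rather than grepping the raw bytes matters for Java malware of this kind: a substring search is defeated by the string obfuscation these families use, whereas the class and method names the JVM must resolve at link time cannot be hidden from the pool. Classes whose only Utf8 entries are short, meaningless identifiers plus `forName` and `invoke` are the ones to open in a decompiler first.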