
BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking

If you use a Bluetooth-enabled device, whether a smartphone, laptop, smart TV or any other IoT device, you are at risk of a malware attack that can be carried out remotely to take over the device without any interaction on your part.
Security researchers have disclosed eight zero-day vulnerabilities in Bluetooth implementations that affect more than 5.3 billion devices running Android, iOS, Windows and Linux, as well as IoT devices that use the short-range wireless technology.
Using these vulnerabilities, researchers at IoT security firm Armis devised an attack, dubbed BlueBorne, that could let attackers completely take over Bluetooth-enabled devices, spread malware, or establish a man-in-the-middle position to reach the device's data and the networks it is connected to, all without any victim interaction. All an attacker needs is for the victim's device to have Bluetooth turned on and to be within radio range of the attacker's device. Successful exploitation does not even require the vulnerable device to be paired with, or discoverable to, the attacker's device.

BlueBorne: Wormable Bluetooth Attack

What is more worrisome is that a BlueBorne exploit could spread like the wormable WannaCry ransomware that emerged earlier this year and wreaked havoc by disrupting large companies and organisations worldwide.
Ben Seri, head of the research team at Armis Labs, says that in a lab experiment his team was able to build a botnet and install ransomware using the BlueBorne attack. However, Seri believes it would be difficult even for a skilled attacker to create a universal wormable exploit that finds Bluetooth-enabled devices, targets every platform at once and spreads automatically from one infected device to the next.

“Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,” Armis said.
“The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure “air-gapped” networks which are disconnected from any other network, including the internet.”

Apply Security Patches to Prevent Bluetooth Hacking

The security firm responsibly disclosed the vulnerabilities to all the major affected vendors, including Google, Apple, Microsoft, Samsung and the Linux Foundation, a few months before going public so that patches could be prepared.

These vulnerabilities include:

  • Information Leak Vulnerability in Android (CVE-2017-0785)
  • Remote Code Execution Vulnerability (CVE-2017-0781) in Android’s Bluetooth Network Encapsulation Protocol (BNEP) service
  • Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP’s Personal Area Networking (PAN) profile
  • The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
  • Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
  • Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
  • The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
  • Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)

Google has already made security patches available to its partners, and Apple devices running the current iOS release (10.x) are not affected.

Millions of Devices Still Waiting for Security Patches

Worse still, all iOS devices on 9.3.5 or older and more than 1.1 billion active Android devices running versions older than Marshmallow (6.x) are vulnerable to the BlueBorne attack.
All Windows computers since Windows Vista are also affected.

“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.” – a Microsoft spokesperson said.

Moreover, millions of Bluetooth-enabled smart devices running Linux are also vulnerable. Commercial and consumer Linux platforms such as Samsung's Tizen OS, any device using the BlueZ stack (the information leak, CVE-2017-1000250) and any Linux kernel from 3.3-rc1 onward (the remote code execution flaw, CVE-2017-1000251) are affected by at least one of the BlueBorne bugs.
Android users must wait for their device manufacturer to ship the patch, since the fix reaches each model through the vendor's own update process.
In the meantime, they can install the “BlueBorne Vulnerability Scanner” app from Armis on Google Play to check whether their device is vulnerable. If it is, turn Bluetooth off whenever it is not in use.
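For a Linux host the two questions a practitioner wants answered are whether the kernel falls in the range Armis gave for CVE-2017-1000251 (3.3-rc1 onward) and whether a Bluetooth radio is actually enabled. The script below is an added example, not Armis's scanner: the `uname -r` and `rfkill list` texts are constructed, and the "patched" decision is left to the caller because a distribution kernel can carry the backported fix under an older version string, so a version match alone is a reason to investigate, not proof of exposure.

```python
"""Linux host check for BlueBorne CVE-2017-1000251 exposure (added example)."""
import re
import subprocess

VER = re.compile(r"(\d+(?:\.\d+)+)(?:-rc(\d+))?")
BLUEBORNE_SINCE = "3.3-rc1"   # affected-from version per the Armis advisory quoted above

def version_key(banner):
    """Sortable key for a kernel string such as '4.4.0-87-generic' or '3.3-rc1'.
    A release candidate sorts below the final release of the same number, so
    3.2.9 < 3.3-rc1 < 3.3; a '-87-generic' suffix is ignored (not an rc marker)."""
    m = VER.search(banner)
    if not m:
        raise ValueError("no version number in %r" % banner)
    nums = tuple(int(x) for x in m.group(1).split("."))
    rc = (0, int(m.group(2))) if m.group(2) else (1, 0)
    return nums + (0,) * (3 - len(nums)), rc

def bluetooth_enabled(rfkill_output):
    """Parse `rfkill list`: True if any Bluetooth radio is not soft-blocked,
    False if all are blocked, None if no Bluetooth radio is listed."""
    states, in_bt = [], False
    for line in rfkill_output.splitlines():
        if re.match(r"\d+: ", line):                 # device header, e.g. '1: hci0: Bluetooth'
            in_bt = line.rstrip().endswith("Bluetooth")
        elif in_bt and line.strip().startswith("Soft blocked:"):
            states.append(line.split(":", 1)[1].strip() != "yes")
    return any(states) if states else None

def assess(kernel, rfkill_output, kernel_patched=False):
    """Return (exposed, reason). kernel_patched is the caller's statement that
    the distribution has shipped the CVE-2017-1000251 fix for this kernel."""
    if version_key(kernel) < version_key(BLUEBORNE_SINCE):
        return False, "kernel %s predates the affected range" % kernel
    if kernel_patched:
        return False, "kernel reported patched by distribution"
    bt = bluetooth_enabled(rfkill_output)
    if bt is None:
        return False, "no Bluetooth radio present"
    if not bt:
        return False, "Bluetooth soft-blocked via rfkill; re-check after unblocking"
    return True, "kernel in range and Bluetooth enabled: patch, or run `rfkill block bluetooth`"

# Constructed samples in the shape of real `uname -r` / `rfkill list` output.
SAMPLE_KERNEL = "4.4.0-87-generic"
RFKILL_BT_ON = ("0: phy0: Wireless LAN\n\tSoft blocked: no\n\tHard blocked: no\n"
                "1: hci0: Bluetooth\n\tSoft blocked: no\n\tHard blocked: no\n")
RFKILL_BT_OFF = RFKILL_BT_ON.replace("hci0: Bluetooth\n\tSoft blocked: no",
                                     "hci0: Bluetooth\n\tSoft blocked: yes")

def assess_this_host():
    """Run the check against the live host (Linux with rfkill installed)."""
    kernel = subprocess.check_output(["uname", "-r"], text=True).strip()
    try:
        rfk = subprocess.check_output(["rfkill", "list"], text=True)
    except (OSError, subprocess.CalledProcessError):
        rfk = ""                                     # no rfkill: treated as no radio listed
    return assess(kernel, rfk)

if __name__ == "__main__":
    print(assess(SAMPLE_KERNEL, RFKILL_BT_ON))
    print(assess(SAMPLE_KERNEL, RFKILL_BT_OFF))
    print(assess("3.2.9", RFKILL_BT_ON))
```

`rfkill block bluetooth` is the quickest mitigation on a host that cannot be patched immediately; it survives a daemon restart but not a reboot, so mask the `bluetooth` service as well if the radio is never needed.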

European Companies Must Tell Employees If Their Work Emails Are Being Monitored

European companies must now inform employees in advance if their work email accounts are being monitored.
The European Court of Human Rights (ECHR) on Tuesday gave a landmark judgement on privacy in the workplace, overturning an earlier ruling that had given employers the right to monitor workplace communications.
The ruling came in the case of Romanian engineer Bogdan Barbulescu, who was fired ten years ago for sending messages to his fiancée and brother from his workplace Yahoo Messenger account. Romanian courts had rejected Barbulescu's complaint that his employer had violated his right to correspondence, and in January last year a Chamber of the European court agreed, finding it was not “unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours”.
Now the court's Grand Chamber has ruled by an 11-6 majority that the Romanian judges failed to protect Barbulescu's right to private life and correspondence, as set out in Article 8 of the European Convention on Human Rights.
The court found that the employer had infringed his right to privacy by not informing him in advance that the company was monitoring his account and communications; the employer had used surveillance software to monitor his computer activity.
“The right to respect for private life and for the privacy of correspondence continued to exist, even if these might be restricted in so far as necessary,” the court wrote in a press release about the decision.

The Court considered, following international and European standards, that to qualify as prior notice, the warning from an employer had to be given before the monitoring was initiated, especially where it entailed accessing the contents of employees’ communications.

The ruling is binding on Romania and sets the standard for the 47 countries that have ratified the European Convention on Human Rights.
In a Q&A on its website, the court says the judgement does not mean companies can no longer monitor employees' communications at work, nor that they can no longer dismiss employees for private use.
However, employers must inform staff in advance that their communications are being monitored, and the monitoring must be carried out for legitimate purposes and be limited in scope.

Android Trojan Now Targets Non-Banking Apps that Require Card Payments

The infamous mobile banking trojan that recently gained ransomware features, stealing sensitive data and locking user files at the same time, has been modified again, this time to steal payment card details entered into Uber and other booking apps.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking trojan Faketoken that can record calls made on an infected device and display overlays on top of taxi-booking and other apps to steal card data.
Dubbed Faketoken.q, the new variant is distributed through bulk SMS messages that prompt users to download a supposed image file; what they actually download is the malware installer.

Malware Spy On Telephonic Conversations

Once installed, the malware unpacks its modules and main payload, hides its launcher icon and begins monitoring everything that happens on the infected Android device, from every call to every launched app. When calls are made to or received from certain phone numbers, the malware records the conversation and sends the recording to the attacker's server.
Faketoken.q also watches which app the owner is using, and when it detects the launch of an app whose interface it can imitate, it immediately draws a fake user interface over the real one.

Malware Exploits Overlay Feature to Steal Credit Card Details

To do this, the trojan uses the same standard Android feature (the SYSTEM_ALERT_WINDOW permission, “draw over other apps”) that many legitimate apps, such as Facebook Messenger and window managers, use to show screen overlays on top of other apps.
The fake user interface prompts the victim to enter their payment card data, including the card's verification code, which the attackers can later use to initiate fraudulent transactions.
Faketoken.q can overlay a large number of mobile banking apps as well as other applications, such as:

  • Android Pay
  • Google Play Store
  • Apps for paying traffic tickets
  • Apps for booking flights and hotel rooms
  • Apps for booking taxis

Because the bank sends an SMS code to authorise a transaction, the malware also intercepts incoming SMS messages and forwards the codes to the attackers' command-and-control (C&C) server, so the one-time code never protects the victim. According to the researchers, Faketoken.q is designed for Russian-speaking users, as its user interface is in Russian.
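The combination described above, an app that can draw over other apps and also read incoming SMS, is what an analyst looks for when triaging a suspect Android device. The following script is an added example and not Kaspersky's code: it parses text in the shape of `adb shell dumpsys package` output (the excerpt here is constructed) and flags packages that hold SYSTEM_ALERT_WINDOW together with an SMS permission, ranking sideloaded ones (installer other than Google Play) highest.

```python
"""Flag Android packages that combine overlay and SMS permissions (added example)."""
import re

PLAY_INSTALLER = "com.android.vending"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

PKG_HDR = re.compile(r"^\s*Package \[([^\]]+)\]", re.M)
INSTALLER = re.compile(r"installerPackageName=(\S+)")
GRANTED = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=true", re.M)

# Constructed excerpt shaped like `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.chrome] (a1b2c3):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.fake.photo] (d4e5f6):
    installerPackageName=null
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_PHONE_STATE: granted=true
"""

def parse_dumpsys(text):
    """Return {package: {"installer": str, "granted": set}}.
    Each section runs from one 'Package [name]' header to the next."""
    pkgs = {}
    headers = list(PKG_HDR.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        inst = INSTALLER.search(body)
        pkgs[m.group(1)] = {
            "installer": inst.group(1) if inst else "null",
            "granted": set(GRANTED.findall(body)),
        }
    return pkgs

def flag_overlay_sms(pkgs):
    """Apps holding SYSTEM_ALERT_WINDOW plus an SMS permission can both draw a
    fake card form over another app and read the bank's one-time code.
    Returns [(package, [reasons])], sideloaded packages carrying an extra reason."""
    hits = []
    for name, info in pkgs.items():
        granted = info["granted"]
        sms = granted & SMS_PERMS
        if OVERLAY in granted and sms:
            reasons = ["overlay", "sms:" + ",".join(sorted(p.rsplit(".", 1)[1] for p in sms))]
            if info["installer"] != PLAY_INSTALLER:
                reasons.append("sideloaded(installer=%s)" % info["installer"])
            hits.append((name, reasons))
    return hits

if __name__ == "__main__":
    for name, why in flag_overlay_sms(parse_dumpsys(SAMPLE_DUMP)):
        print(name, "->", "; ".join(why))
```

On Android 6 and later the overlay permission is an app-op toggled by the user in Settings rather than a plain install-time grant, so confirm a hit with `adb shell appops get <package> SYSTEM_ALERT_WINDOW` before drawing conclusions from the dump alone.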

Ways to Protect Against Such Android Banking Trojans

The easiest way to avoid becoming a victim of such mobile banking trojans is not to install apps from links in messages or emails, or from third-party app stores.
You can also go to Settings → Security and make sure the “Unknown sources” option is turned off to block installation of apps from outside Google Play (on Android 8 and later this is a per-app “Install unknown apps” setting instead).
Most importantly, review an app's permissions before installing it, even from the official Google Play store. An app that asks for more than its function needs, such as a photo viewer wanting to receive SMS or draw over other apps, should not be installed.
It is also a good idea to install an antivirus app from a reputable vendor that can detect and block such malware before it infects the device, and to keep the system and apps up to date.

Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers

Yes, Macs get malware too, including malware that silently spies on their users. If you own a Mac and think you are immune, you are wrong.
An unusual piece of malware that can remotely take control of the webcam, screen, mouse and keyboard, and install additional malicious software, has been infecting hundreds of Mac computers for more than five years, and it was only detected a few months ago.
Dubbed FruitFly, the Mac malware was initially detected earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly updated macOS's built-in malware signatures to block it.
Now, months later, Patrick Wardle, an ex-NSA hacker and chief security researcher at security firm Synack, has found around 400 Mac computers infected with a newer strain of the malware (FruitFly 2) in the wild. Wardle believes the real number of infected Macs is likely much higher, as he only had access to some of the servers used to control FruitFly.
Although it is unknown who is behind FruitFly or how it gets onto Macs, researchers believe the malware may have been active for around ten years, since parts of its code date back as far as 1998.

“FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years,” Wardle wrote in the abstract of the talk he is due to present at Black Hat later this week. Since the initial infection vector for FruitFly is unclear, it could, like most malware, reach Macs through a compromised website, a phishing email or a booby-trapped application.
FruitFly is surveillance malware capable of executing shell commands, moving and clicking the mouse cursor, capturing the webcam, killing processes, reporting system uptime, taking screen captures, and even alerting the operator when the victim becomes active on the Mac again.

“The only reason I can think of that this malware has not been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” Reed wrote in the January blog post.

“Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

Wardle was able to uncover FruitFly victims by registering a backup command-and-control (C&C) domain that the malware was configured to fall back to; around 400 infected Macs then began connecting to his server.
From there he could see the IP addresses of the infected hosts, indicating that 90 percent of victims were located in the United States. Wardle could even see the names of the victims' Macs, making it “really easy to pretty accurately say who is getting infected,” he told Forbes.
Rather than taking over those computers or spying on the victims, Wardle contacted law enforcement and handed over his findings; agents are now investigating.
Wardle believes surveillance was FruitFly's primary purpose, though it is unclear whether a government or another group is behind it.

“This did not look like cyber crime type behaviour; there were no ads, no keyloggers, or ransomware,” Wardle said. “Its features had looked like they were actions that would support interactivity—it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”

Since FruitFly's code includes Linux shell commands, the malware could likely run on Linux with only minor changes, so a Linux variant in operation would not come as a surprise.

 

Companies fall in new global ransomware attack

Companies around the world have fallen victim to a new global ransomware attack. Infosec experts at McAfee said the ransomware, dubbed NotPetya, was a “nasty variant that encrypts files and the computer's master boot record, rendering the machine unusable”.

Since the WannaCry attack just a few weeks earlier had prompted many people to apply the latest Windows patches, NotPetya introduced “more spreading mechanisms to be more successful”, McAfee said; beyond the SMB exploit it also harvests credentials from memory and reuses them over PsExec and WMIC, which is why fully patched hosts on the same network were still infected. Security vendor Symantec said NotPetya, a variant of Petya, propagates like WannaCry by exploiting the SMB vulnerability patched in MS17-010 using the EternalBlue exploit. EternalBlue was developed by the United States National Security Agency and leaked by the Shadow Brokers group in April 2017.

“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the potential to be even more damaging than WannaCry,” said Kobi Ben Naim, senior director of cyber research at CyberArk Labs.

“NotPetya is spreading using the incredibly efficient infection method used by WannaCry – a worm that quickly spreads the ransomware using the SMB vulnerability in Microsoft systems. The combination is potent and has the potential to inflict massive damage on scales we have not witnessed before.”

CyberArk Labs found that NotPetya needs administrative rights to execute, which is why a single phished user who holds local admin rights is enough to let the ransomware spread across the network.

“In addition to patching, organisations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilised to execute this attack,” Naim added.

Update: IT security firm ESET has said that paying the ransom is no longer possible, because the email address used to send the Bitcoin wallet ID and “personal installation key” has been shut down by the provider. Even a victim who pays therefore has no route to a key; restoring from backups is the only recovery path.

Here, there, Ransomware

Organisations in the UK, Ukraine, the Netherlands, Spain, the United States and elsewhere have been hit by the attack, which demands that users send US$300 in Bitcoin to recover their files. Telemetry from Kaspersky Lab indicates more than 2,000 attacks worldwide.

Ukrainian firms, including the state power company and the country's central bank, Russia's biggest oil producer Rosneft, Danish shipping company Maersk, Netherlands-based delivery company TNT and US pharmaceutical maker Merck have all reported problems as a result of the attack. Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the computer systems of the Secretariat of the Cabinet of Ministers were down.

The Australian Government urged small businesses to take “urgent action to improve their cyber security” in the wake of the new attack.

“We are aware of the situation and monitoring it closely; we are in contact with our Five Eyes partners,” said Dan Tehan, Minister Assisting the Prime Minister for Cyber Security. “It appears to be the same vulnerability as WannaCry. This ransomware attack is a wake-up call to all Australian businesses to regularly backup their data and install the latest security patches.”

Businesses that believe they could be infected are urged to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300CYBER1) for more information.

CopyCat Android Rooting Malware Infected 14 Million Devices

A newly uncovered malware strain has already infected more than 14 million Android devices around the world, earning its operators approximately $1.5 million in fraudulent ad revenue in just two months.
Dubbed CopyCat, the malware can root infected devices, establish persistence, and inject malicious code into Zygote, the daemon from which every app process on Android is forked, giving the attackers full control of the device and of every app it launches.

Over 14 Million Devices Infected; 8 Million of them Rooted

According to the Check Point researchers who discovered the strain, CopyCat has infected 14 million devices, rooted nearly 8 million of them, made 3.8 million devices serve ads, and used 4.4 million of them to claim credit for installing apps from Google Play. While most victims are in South and Southeast Asia, with India the most affected country, more than 280,000 Android devices in the United States were also infected. There is no evidence that CopyCat was ever distributed through Google Play; the researchers believe the millions of victims were infected through third-party app downloads and phishing.
Like Gooligan, CopyCat uses “state-of-the-art technology” to carry out various forms of advertising fraud.
CopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot) and CVE-2014-3153 (Towelroot), to root devices running Android 5.0 and earlier. All three are old, publicly known exploits, the newest of which was disclosed two years ago.
The success of the campaign shows that millions of Android users still rely on old, unpatched, unsupported devices.

Here’s How CopyCat Infects Android Devices

CopyCat disguises itself as a popular Android app that users download from third-party stores. Once installed, it collects data about the device and downloads the rooting exploits it needs for that model.
After rooting the device, CopyCat disables security defences and injects code into the Zygote app-launching process so that it can fraudulently install apps, display ads and generate revenue from inside every app the user opens.

“CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop-up on their screens,” Check Point researchers say.

“CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware.”

In just two months, CopyCat earned its operators more than $1.5 million. The largest share of that (over $735,000) came from nearly 4.9 million fake app installations on infected devices, which displayed up to 100 million ads. Most victims are located in India, Pakistan, Bangladesh, Indonesia and Myanmar, though more than 381,000 devices in Canada and more than 280,000 in the US are also infected.

CopyCat Malware Spreads Using Chinese Advertising Network

While there is no direct evidence of who is behind the CopyCat campaign, Check Point researchers found the following connections suggesting that the operators may have used the Chinese advertising network ‘MobiSummer’ to distribute the malware:

  • CopyCat malware and MobiSummer operate on the same server
  • Several lines of CopyCat's code are signed by MobiSummer
  • CopyCat and MobiSummer use the same remote services
  • CopyCat did not target Chinese users despite over half of the victims residing in Asia

“It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer's code and infrastructure without the firm's knowledge,” Check Point researchers say.

Android users on older devices remain exposed to CopyCat, but only if they install apps from third-party app stores. In March 2017, Check Point informed Google about the campaign, and Google has since updated Play Protect to block the malware. Users on older devices are therefore protected through Play Protect, provided Google Play Services is present and up to date, as it is refreshed regularly while strains such as CopyCat continue to evolve.

Adwind RAT Returns! Cross-Platform Malware Targeting Aerospace Industries

Hackers and cyber criminals are becoming dramatically more adept, innovative, and stealthy with each passing day.
Cybercriminals have shifted from platform-specific tooling to cross-platform techniques that offer more attack vectors and lower detection rates. Security researchers have found that the infamous Adwind, a cross-platform Remote Access Trojan written in Java, has re-emerged and is currently being used to “target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries.”
Adwind, also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket and jRat, has been in development since 2013 and can infect all the major operating systems, including Windows, Mac, Linux and Android, because it runs anywhere a Java runtime is installed.

Adwind has several malicious capabilities, including stealing credentials, keylogging, taking pictures and screenshots, and gathering and exfiltrating data. The trojan can also turn infected machines into a botnet that disrupts online services by carrying out DDoS attacks.
Researchers from Trend Micro recently noticed a sudden rise in Adwind infections during June 2017: at least 117,649 instances in the wild, 107 percent more than the previous month. According to a blog post published today, the campaign was observed on two separate occasions.
The first, on June 7, used a link to send victims to .NET-written malware with spyware capabilities, while the second wave, seen on June 14, used different domains to host the malware and its command-and-control servers.
Both waves used the same social engineering tactic to trick victims into clicking malicious links in a spam email impersonating the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.
Once installed, the malware also collects a fingerprint of the system along with the list of installed antivirus and firewall applications. “It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions,” the researchers wrote.
My advice for users is to be suspicious of unsolicited documents sent by email and never to click links inside them without verifying the source.
Additionally, keep your systems and antivirus products up to date to protect against the latest threats. Because Adwind is a Java program, it cannot run on a machine without a Java runtime, so do not install one where it is not needed, and block or quarantine .jar attachments at the mail gateway.

 

Ukraine cyber attack: Chaos as national bank, state power provider and airport hit by hackers

Ukraine's national bank, state power company and largest airport are among the targets of a huge cyber attack on government infrastructure. Pavlo Rozenko, the deputy Prime Minister, said he and other members of the Ukrainian government were unable to access their computers. “We also have a network ‘down’,” he wrote. “This image is being displayed by all computers of the government.” The photo showed his PC displaying a message claiming a disk “contains errors and needs to be prepared”, urging the user not to turn it off. That fake disk-repair screen is the stage at which the malware, having already overwritten the master boot record, encrypts the file system; powering the machine off at that point interrupts it.

Images from other affected computers and disabled cash points showed what appeared to be ransomware, demanding a payment of $300 (£235) in Bitcoin to regain access to encrypted files. Analysts said the virus, named Petrwrap or Petya (and later NotPetya), appeared to work similarly to the WannaCry ransomware that infected more than 230,000 computers in 150 countries last month.

Ukrainian state-run aircraft manufacturer Antonov was among the companies hit, along with power distributor Ukrenergo, which said the attack did not affect power supplies. The National Bank of Ukraine said an “unknown virus” was to blame and that several unnamed Ukrainian banks were affected along with financial firms. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement said. “The National Bank is confident that the banking infrastructure's defence against cyber fraud is properly set up and attempted cyber attacks on banks' IT systems will be neutralised.” Oschadbank, one of Ukraine's largest state-owned lenders, said some of its services had been affected by a “hacking attack” but guaranteed that customer data was safe.

Computers and departure boards at Boryspil International Airport in Kiev, the largest in Ukraine, were also down. “The official site of the airport and the scoreboard with the schedule of flights aren't working!” the airport's acting director, Pavel Ryabikin, wrote on Facebook. Meanwhile, the attack forced authorities in the Chernobyl exclusion zone to switch to manual radiation monitoring at the site of the 1986 nuclear disaster. The Ukrposhta state postal service, television stations and transport were also affected, leaving Kiev metro passengers unable to pay with bank cards.

Many ATMs were disabled, displaying the message left by the attackers, as were tills in supermarkets. Maersk said its IT systems were down across “multiple sites and businesses due to a cyber attack”, although it was unclear whether this was related to the situation in Ukraine. The Danish conglomerate is the largest container shipping company in the world and also operates in the oil and gas sectors. Rosneft, a Russian government-owned oil firm, said it was also targeted by a “massive hacker attack” on its servers, as was steel maker Evraz. “The cyber attack could lead to serious consequences, however, due to the fact that the Company has switched to a reserve control system, neither oil production nor preparation processes were stopped,” a statement from Rosneft said. There were confirmed reports of the virus spreading to countries including Spain, France and India.

The cyber attack, a day before Ukraine marks its Constitution Day, struck hours after a high-ranking intelligence officer was assassinated in a car bombing in Kiev. Police said Colonel Maksim Shapoval, a member of the defence ministry's main intelligence directorate, was killed in the “terrorist act” on Tuesday. Ukraine has blamed Russia for repeated cyber attacks on crucial infrastructure over the past three years, including one on its power grid that left part of western Ukraine temporarily without electricity in December 2015. Relations between Kiev and the Kremlin collapsed in 2014 following Moscow's annexation of Crimea and support for pro-Russian separatists in eastern Ukraine, where fighting continues despite a ceasefire agreement. Russia denies carrying out cyber attacks on Ukraine and denies allegations that it has fuelled the eastern conflict by supplying rebels with troops and weapons.

The UK's Houses of Parliament were targeted in a separate attack on Friday that compromised up to 90 accounts as part of efforts to access the accounts of MPs, peers and their staff by searching for weak passwords. Less than 1% of the system's 9,000 users were directly affected by the “determined and sustained” attack, officials said, but some functions were temporarily shut down as a precaution.

An increasing number of global cyber attacks, including those targeting the election campaigns of Hillary Clinton and Emmanuel Macron, have sparked warnings of a “permanent war” online. Guillaume Poupard, director general of the National Cybersecurity Agency of France (ANSSI), said intensifying attacks were coming from unspecified states as well as criminal and extremist groups. “We must work collectively, not just with two or three Western countries, but on a global scale,” he added, saying attacks could aim at espionage, fraud, sabotage or destruction. “We are getting closer, clearly, to a state of war – a state of war that could be more complicated, probably, than those we've known until now.”

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back


A South Korean web hosting provider has agreed to pay $1 million in bitcoin to attackers after a Linux ransomware infected 153 of its servers, encrypting 3,400 business websites and their data.

According to a blog post by the hosting company, NAYANA, the incident began on 10 June when ransomware hit its hosting servers and the attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. The company later negotiated with the criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three instalments. At the time of writing it had paid two instalments and planned to pay the last after recovering data from two-thirds of the infected servers.

According to security firm Trend Micro, the ransomware used in the attack was Erebus, which was first spotted in September last year and seen again in February this year with a Windows User Account Control bypass.


Because the hosting servers were running Linux kernel 2.6.24.2, researchers believe the Erebus Linux ransomware may have used a known vulnerability such as Dirty COW (CVE-2016-5195), or another local Linux exploit, to obtain root on the systems. “The version of Apache NAYANA used is run as a user of nobody (uid=99), which indicates that a local exploit may also have been used in the attack,” the researchers note. “Additionally, NAYANA's website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.” In other words, the web server account alone could not have encrypted every site; a privilege escalation on a kernel that had gone unpatched for years is the likely bridge.

Erebus, which primarily targets users in South Korea, encrypts office documents, databases, archives and multimedia files with a layered scheme anchored on RSA-2048, then appends a .ecrypt extension to each file before displaying the ransom note. “The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” the researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.” The RSA key pair is generated locally; the public key is shared, while the private key is itself encrypted with AES under another randomly generated key. According to Trend Micro's analysis, the files cannot be decrypted without the RSA private key.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations, as well as to maintain back-ups that are rotated regularly.

Most viruses are introduced by opening infected attachments or clicking on links to malware, usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.

Moreover, ensure that your systems are running the latest version of installed applications ……………
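As an added example (not from the article or from Trend Micro's analysis), the following Python audit turns the "run the latest versions" advice into a check: it parses the versions reported for the NAYANA servers and flags each one that sits below a minimum baseline. The baselines and the inventory layout are assumptions made for the demo, not vendor support data.

```python
# Added example, not part of the original article. Compares software
# versions from a constructed inventory against minimum baselines and
# reports anything older. Baselines below are illustrative assumptions;
# substitute the ones from your own support matrix.
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.6.24.2' or 'Apache/1.3.36' into a comparable tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def version_below(found: str, minimum: str) -> bool:
    """True when found < minimum; shorter tuples are zero-padded so 2.6 == 2.6.0."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory: Dict[str, str], baselines: Dict[str, str]) -> List[str]:
    """Return one finding per component that is below its baseline or has none."""
    findings = []
    for component, found in inventory.items():
        minimum = baselines.get(component)
        if minimum is None:
            findings.append(f"{component}: no baseline defined, review manually")
        elif version_below(found, minimum):
            findings.append(f"{component}: {found} is below baseline {minimum}")
    return findings


# Constructed inventory using the versions the researchers reported for the
# NAYANA servers (kernel 2.6.24.2, Apache 1.3.36, PHP 5.1.4).
NAYANA_INVENTORY = {
    "linux-kernel": "2.6.24.2",
    "apache": "Apache/1.3.36",
    "php": "PHP/5.1.4",
}

# Illustrative baselines (an assumption for this demo, not support data).
EXAMPLE_BASELINES = {"linux-kernel": "4.4", "apache": "2.4", "php": "7.0"}

if __name__ == "__main__":
    for line in audit(NAYANA_INVENTORY, EXAMPLE_BASELINES):
        print(line)
```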

Dangerous Malware Discovered that Can Take Down Electric Power Grids

Last December, a cyber attack on the Ukrainian electric power grid caused a power outage in the northern part of Kiev, the country’s capital, and surrounding areas, leaving tens of thousands of citizens without power for an hour and fifteen minutes around midnight. Now, security researchers have discovered the culprit behind those cyber attacks on Ukrainian industrial control systems.

Slovakia-based security software maker ESET and US critical infrastructure security firm Dragos Inc. say they have discovered a new, dangerous piece of malware in the wild that targets critical industrial control systems and is capable of causing blackouts.

Dubbed “Industroyer” or “CrashOverRide,” the grid-sabotaging malware was likely used in the December 2016 cyber attack against the Ukrainian electric utility Ukrenergo, which the security firms say represents a dangerous advancement in critical infrastructure hacking.

According to the researchers, CrashOverRide is the biggest threat designed to disrupt industrial control systems since Stuxnet, the first malware, allegedly developed by the US and Israel, to sabotage the Iranian nuclear facilities in 2009.

This Malware Does Not Exploit Any Software Flaw

Unlike the Stuxnet worm, the CrashOverRide malware does not exploit any “zero-day” software vulnerabilities to carry out its malicious activities; instead, it relies on four industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems.

The CrashOverRide malware can control electricity substation switches and circuit breakers, designed decades ago, allowing an attacker to simply turn off power distribution, trigger cascading failures and cause more severe damage to equipment.

Industroyer malware is a backdoor that first installs four payload components to take control of switches and circuit breakers, and then connects to a remote command-and-control server to receive commands from the attackers.

“Industroyer payloads show the authors’ in-depth knowledge and understanding of industrial control systems,” ESET researchers explain. “The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware’s persistence, and to wipe all traces of itself after it has done its job.”

Of the four malware families discovered in the wild to date that target industrial control systems, namely Stuxnet, Havex, BlackEnergy, and CrashOverRide, Stuxnet and CrashOverRide were designed only for sabotage, while BlackEnergy and Havex were meant for conducting espionage.

“The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages,” reads Dragos analysis [PDF] of the malware.
