Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Threat Recap: Week of September 19th

 

It’s that time of week again. Our Threat Recap is bringing you the top news in cybersecurity from new OS releases to remote access of popular cars. Here are five of the major security stories happening this week.


New Ransomware Targets Disk Drives

With the current state of ransomware threatening computer systems around the world, the jump from encrypting specific file types to encyrpting the entire hard drive was inevitable. In the case of Mamba, the latest variant, it begins with replacing the Master Boot Record (MBR) and moves onto encrypting the hard drive itself. Once encryption is complete, the computer will then require a password to unlock, which just so happens to be the decryption key sitting behind the ransom’s paywall.

Remote Access: A Very Real Danger for Tesla

In a recent test, Chinese researchers were able to access several critical and non-critical components of a Tesla Model S. While it may seem benign to have your seat position changed or sunroof opened remotely, these tests have also proven the capability to control brake functionality. They’ve also shown that doors and trunks can be controlled from up to 12 miles away. Tesla has responded with updates to resolve this access, which only seems to occur when the in-dash web browser is in use.

Apple Releases New Mac OS Sierra

Apple announced the release of its latest iteration of the Mac OS, Sierra 10.12. With this update, Apple has been able to remove nearly 70 different security vulnerabilities that had been prevalent in its previous two operating systems. In addition to the OS release, Apple also pushed out Safari 10, the latest update for their web browser, which should also resolve over 20 security issues from previous versions.

Facebook Zero-Day Gives Full Access to Pages

With the continuing rise of businesses using social media to advertise their products and communicate with their customers, exploits are always being researched. Recently, a researcher was able to gain access to any Facebook page by using a bug in the way Facebook deals with its business accounts. By spoofing the Business Manager functionality, the researcher was able to view and edit all associated pages with a given business, without requiring login credentials.

MoDaCo Breach Leaks Data on 880,000 Users

In the past week, MoDaCo, a UK-based smartphone forum, announced they had fallen victim to a security breach. Users of the service have been receiving notifications to change their passwords, although officials are stating that user credentials were all hashed. Researchers have been able to identify around 70 percent of the leaked credentials were already released in previous data breaches, courtesy of Have I Been Pwnd?, a web service that will notify users if their email address has been identified in a data breach.

Protecting Against Emerging Ransomware

 

While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.

According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.

 

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2

 

Threat Recap: Week of September 12th

 

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Patch Tuesday Changing Update Format

In one of the largest changes that Microsoft has implemented, Patch Tuesday is being replaced with monthly batch updates. With the new method of releasing updates, Microsoft is removing the capability of users to choose which updates they install by just forcing the entire update, along with any updates from the previous month that may have been missed. For Windows 10 users, they will begin seeing this new update method first, with other OS support likely to follow.

Phishing Attack Strikes Augusta University

Early this week, employees and students of Augusta University were recommended to change their login credentials, as several of the faculty members fell victim to an email phishing scam. While state authorities are investigating the breach, the University is working to protect the staff members whose information was accessed through the payroll system.

ClixSense Breach Leaves Millions of Users Vulnerable

Recently, ClixSense (the popular paid-to-click site) was compromised along with a page redirecting anyone attempting to access the site to a gay porn site. The company has since forced a password reset for all of its registered users, which number nearly 7 million. After further review, it appears the attackers were able to use an older, unused server to access the main database which held user’s passwords in plaintext, rather than being properly encrypted.

DualToy USB Trojan Enhanced to Target iOS Users

When DualToy was first discovered in the early months of 2015, it was largely focused on Android devices located in China. DualToy is used to load malicious apps when an unsuspecting device is connected to an infected computer via USB. While users across the US and Europe are now seeing a wider spread of infected devices, even iOS users are affected as iTunes is being used to allow the trojan to steal user information.

Apple Switches to HTTPS for iOS Security Updates

In a big move by Apple, the company has finally made all iOS updates available over HTTPS, to ensure users are securely receiving them. This update comes along with the release of iOS 10, in addition to six other vulnerabilities that were patched. While some users experienced issues with the iOS 10 update putting their devices into a recovery mode, Apple was quick to resolve the issue and apologized for any inconveniences.

A Conversation with Hal Lonas about Threat Intelligence and Machine Learning

After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.

……………………………………………………………………………………


Tell me about your background. What led you to create BrightCloud?

I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.

A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.


BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?

We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.

You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.


How is your approach to threat intelligence different from most?

Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.

The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.


What approaches do you think cybercriminals will be using in the future?

Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.

Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.

Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.

As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.


We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?

There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.


Can machine learning help combat the threats that are keeping you up at night?

Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.

Threat Recap: Week of September 5th

 

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


No Site is Immune to  User Information Exposure

In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are being suggested to change their passwords for the site, as well as any sites they may have reused the password on.

Dridex Adds Crypto-Currency Wallets to Attack Vector List

While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that is met.

Russian Instant Messaging Service Breached

It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.

Google to Begin Marking HTTP Sites As Unsafe

In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.

Cybersecurity Lacking for High-Demand Devices

As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.

Threat Recap: Week of August 29th

 

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


European Company Loses Millions in Targeted Phishing Scam

In the last couple weeks, Leoni AG, one of the largest electrical wiring companies in Europe fell victim to a Business Email Compromise (BEC) scam involving the CFO transferring a significant sum of money to a non-verified bank account. This location was likely the main target due to it being the only one of four factories that has the authorization to transfer money, and did so by spoofing an email to the companies CFO with very specific details about their internal transfer protocol, and “sent” from one of the company’s higher ranking executives.

Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals

Recently, Kimpton Hotels has issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions taking place. While the incident is still under investigation as yet another victim in a long line of large-profile targets, Kimpton officials are still unclear on the source of the breach.

Blizzard and EA Face DDoS Attacks during Releases

With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.

NHS Hospitals Hit with Ransomware, Not Paying Up

In a recent study done of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.

Hacker Exposes Poor IT Security of Kuwait Auto Import Company

While many hackers are on the lookout for a quick payday, or simply to prove they have the capabilities, one hacker has made his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message on the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.

Fantom ransomware impersonates Windows update

 

Fantom_PropertiesWindows 10 has been notorious about automatically installing updates on users’ machines and now there is a ransomware that aims to capitalize on it. The new ransomware, Fantom, is based on the EDA2 open-source ransomware project on GitHub called hidden tear that’s recently been abandoned.

Fantom behind the scenes

In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.

Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp displaying the fake Windows Update screen as shown below. This screen locks you out of doing anything else on your computer, keeping in line with the scam that Windows 10 doing its normal interrupt of updates.

The percentage counter does work and will go up at about a percent per minute. However, it’s fake and doesn’t represent anything other than to communicate to you that this “Windows update” will take a while and that you shouldn’t be alarmed of CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” using task manager, but the encryption of your files is unaffected.

 

Fantom_DECRYPT_YOUR_FILES.HTMLDECRYPT_YOUR_FILES.HTML ransom note

Encryption is done using AES-128 encryption and when a file is encrypted it will append “.fantom” to the extension of the file. Also in every directory that a file is encrypted, a standard ransom note “DECRYPT_YOUR_FILES.HTML” is created.

The ransom note doesn’t have an onion link as your payment portal for your files – a standard for most encrypting ransomware. Instead, you’re asked to email the cyber criminals and await response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a tor browser to connect to the darknet for ransom payment. To increase odds of gaining trust, two “freebie” files for decryption are allowed.

 

However, it’s clear that these cyber criminals have a very loose grip on the English language so we don’t anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.

 

Fantom_Attention

 

Employ a backup solution

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed: 7D80230DF68CCBA871815D68F016C282

Additional MD5 seen: 4AC83757EBF7ACD787F732AA398E6D53
65E9E1566DEC1586358BEC5DE9905065
60DBBC069931FB82C7F8818E08C85164
86313D2C01DC48D617D52BC2C388957F

Threat Recap: Week of August 22nd

 

This week’s Threat Recap covers everything from, ‘Fantom’, the new ransomware that disguises itself as a Windows update, to hackers using Facebook photos to trick facial-recognition logins.


Decryption Keys Released for Wildfire Ransomware

Recently, researchers have announced the public availability of decryption keys for users affected by the Wildfire ransomware variant. This particular variant did focused on mainly Dutch email domains and infected over 5,300 systems in the last month alone. Infected users were demanded a ransom of 1.5 bitcoins after opening a fake delivery form via email attachment.

Android Botnet Receiving Commands from Twitter

A new Android app called Android/Twitoor has been used as a backdoor to spread malware onto smartphones. By having the malware check several Twitter accounts periodically, the app is able to receive updates without the malware authors having a need to maintain their own command and control servers. Windows-based Twitter botnets have been in use for several years now, but Android-based version is a much newer practice, as many users rely more and more on mobile devices for everyday banking, communication, etc.

Fantom – New Ransomware Disguised as Windows Update

A new ransomware variant has been discovered in the wild called Fantom. The ransomware disguises itself as an important windows update while it begins encrypting the victim’s files. Once executed, the malware runs a file called WindowsUpdate.exe and displays a locked splash screen showing the update currently in progress. Once encryption is complete, the user is left with an ominous wallpaper and their files showing the added ‘.fantom’ extension.

iOS Vulnerabilities Used to Target Foreign Activist

It has been discovered that three previously unknown vulnerabilities in Apple’s iOS were used to spy on human rights activist, Ahmed Mansoor. It is believed Ahmed received an SMS message that contained a malicious link that was used to infect the smartphone with data-stealing software. Apple has since patched the vulnerabilities that were exploited, though it is still unknown how the attackers gained access to the vulnerabilities, as they would be highly valuable.

Hackers Use Facebook Photos to Fool Facial-Recognition Logins

Biometrics becoming a more implemented form of security, and it was only a matter of time before criminals found a workaround. Using some simple Internet searching and software that creates a 3D facial model, researchers were able to bypass 80% of facial-recognition authenticators they tested. Even more worrisome, by using the 3D rendering software, they were able to simulate movement of certain facial features, in order to pass some of the “liveness” checks that were made.

Threat Recap: Week of August 15th

 

This week’s Threat Recap is filled with everything from the latest retailer succumbing to malware infection to a possible hack on the NSA. Read up on five of the latest threat happenings to stay informed and up-to-date.

Eddie Bauer Stores Compromised

It is reported that point of sale systems at several Eddie Bauer stores across North America have been compromised. Eddie Bauer states nearly all of its 350 stores may be affected. In their official statement, the company ensured customers that only in-store purchases were at risk and that those shopping through their website weren’t impacted.


Hospitals Remain a Prime Target for Ransomware

The big score for cyber criminals is usually international corporations; however, hospitals are quickly becoming the most commonly targeted organizations for ransomware attacks. Reliance on outdated security measures makes health care facilities tempting to target. The latest in these attacks are coming from email phishing campaigns that employ macro-based malware that is launched by having macros enabled in Office 2007 applications.


Possible NSA Hack Reveals Zero-day Vulnerabilities

Claims of an  NSA hack surfaced this week and several of their exploit tools have been publicly released. That’s in addition to information on several zero-day bugs found in Cisco and Juniper Networks’ software. Both companies have begun patching these vulnerabilities that may have been active for years, yet unknown to all but the NSA. This is not the first time the NSA has held onto zero-day exploits to keep them from being resolved for their own purposes. However, it does leave a question of how many more do they still have?


SMS Scam Target Empathetic Users

Many cellular users in the UK have been victims of a new SMS scam. The scam SMS pretends to be an acquaintance involved in a serious accident and needs a text reply back. Some victims claim it showed a message from their child and sternly requests a text reply to an unknown number. Those falling for the scam have been charged £20 for replying, in hopes of helping their injured friend.


Student Loan Phishing Scheme Ready for New School Year

The Student Loans Company, based in the UK, issued warnings to its customers about fake emails being sent out requesting both personal and financial information. The fake emails seem to be easy to spot, as they tend to have spelling errors and address their victims vaguely, rather than using their names.

Nemucod Ransomware Analysis

Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is a ransomware which changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but one constant has remained the same – it is deployed via bogus shipping invoice spam email. The Javascript initially received in a spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easily to modify and re-deploy. This has, for a majority, bypassed antivirus protection and spam email protection. However, a flaw was found in the encryption routine,which allows victims to recover their files.

  • January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
  • March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
  • April 2016: 7-Zip used instead which created an archive to password protect files
  • April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable and performs the encryption of the first 1024 bytes of each targeted file
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example:

 

 

 

 

 

 

 

 

After opening the spam email attachment, you can see that the file located inside is a Javascript file cleverly disguised as a “.doc”. The file appears to be a .doc for users with the folder option setting “hide extensions for known file types” enabled.

Javascript Analysis:

Upon first opening the sample, it is heavily obfuscated; this is by design to thwart AV analysis and static detection

Nemucod Java

After de-obfuscating the script, I found that several compromised domains are used to store multiple files to be used later on in the execution routine. Of the downloaded files, we can see that two (a1.exe and a2.exe) are designed as a backdoor on the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter which allows the ransomware (a.php – 5th file downloaded) the ability to run.

Nemucod Java 2

Nemucod Java 3

Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. The obfuscation techniques below use chr() to encode each as a number specified in ASCII, while also using array() to store the php script in a list of array values.

Examples of Obfuscated ransomware variants:

chr()

Nemucod chr

To de-obfuscate, I converted all of the chr values to ascii characters and finally decoded base 64 stored to get the original script.

Array()

Nemucod Array

To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) using the following at the end of the script:

;echo implode($f,”); ?>

De-obfuscated:

Nemucod php

The PHP script first uses “set_time_limit(0);” to keep the interpreter running.

A recursive Tree function is used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check if the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, it stores that file name and path as the variable “$fp” and a new variable is made “$x” which uses the function fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base 64 string) to encrypt the files.

 

If you have found yourself a victim of this ransomware, please submit a support ticket.

Ransomware for Thermostats

 

We all know that Internet of Things (IoT) is the future and that everything from your refrigerator to your toaster may eventually connect to the internet. With that being the case, it’s important to remember that these connected devices need to be designed with security in mind. On Saturday at the Def Con hacking conference in Las Vegas, Andrew Tierney and Ken Munro showcased a ‘smart’ thermostat hack, in which they were able to install encrypting ransomware onto the device, fortunately just as a proof of concept. Check it out:

thermostat

The hacked thermostat (displayed in the screenshot above) runs a Linux operating system and has an SD card slot for owners to load custom settings and wallpapers. The researchers found that the thermostat didn’t check what files were being loaded or executed. Theoretically, this would allow hackers to hide malware into an application that looks just like a picture and fool users into transferring it onto their thermostat, which would then allow it to run automatically. At that point, hackers would have full control of the device and could lock the owner out. “It actually works, it locks the thermostat,” Munro said. This achieves the predictions of others in the security industry.

DLeBMBk

Despite the above tweet, Tierney and Munro declined to confirm the brand of this particular thermostat that they hacked. Because this test was so new, despite the vulnerability being showcased, the reserachers haven’t yet disclosed the vulnerability to the manufacturer, but the plan is to disclose the bug today. They also said that the fix should be easy to deploy. While this ransomware isn’t an immediate threat to anyone using smart devices in their homes today, the point has been proven that it’s very possible to create ransomware for these new and emerging IoT devices. “You’re not just buying [Internet of Things] gear,” Tierney warned, “You’re inviting people on your network and you have no idea what these things do.”

 

 

Threat Recap: Week of August 1st

There’s a lot that happens in the security world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Banner Health Warns Patients Over Cyber Attack

Recently, Banner Health has begun notifying nearly 4 million of its patients about a possible data breach that occurred around the start of July. Along with patient information, the credit card processing systems were affected at refreshment outlets located in three Tucson facilities. Officials claim that not all of their 29 locations were targeted, however. Patients of the affected sites are being notified by mail.

http://tucson.com/news/local/banner-health-notifying-million-people-of-cyber-attack/article_81861b1e-59b9-11e6-87fe-b3263dd6bd7d.html

Apple Uses Bug Patch To Cease Jailbreaking of iOS

With the most recent update of iOS (9.3.4), Apple resolved a vulnerability that could allow for unauthorized code execution. The bug was found by Team Pangu, a prominent figure in the jailbreaking community. The patch also means that current jailbreaking tools may no longer work in the new version of iOS, but this likely won’t slow down the developers that are updating their jailbreaking tools just as quickly.

http://arstechnica.com/apple/2016/08/apple-thwarts-jailbreakers-with-ios-9-3-4-update/

iPhone Phishing Emails Getting More Convincing

Attempts at email phishing are starting to look ever more convincing, and Apple users are the latest target. Recently, users have been seeing email order confirmations for new iPhones, but with incorrect shipping addresses and accompanied with a single clickable link for those wanting to ‘claim’ they didn’t authorize the purchase. By simply using a fake shipping address, many victims would likely look past the rest of the email in an effort to stop the transaction from occurring. Unfortunately for those who click the hyperlink, they are brought to a fake Apple Login page that requests payment information to “cancel” the order.

https://www.helpnetsecurity.com/2016/08/05/fake-iphone-order-dispatch/

Iris Scanning For Mobile Hits The Market

Samsung has recently announced its new Galaxy Note 7, which has a feature that is meant to replace passwords for mobile devices and PCs in the near future: iris scanning. With a simple infrared scanner located on the front of the device, users are able to scan their way into accessing their Galaxy phones. While Samsung is not the first company to offer iris scanning, it is projected to be soon available from other manufacturers, including Microsoft who will be looking to use it with their Windows 10 operating system.

http://www.csoonline.com/article/3103516/security/kill-a-smartphone-password-with-a-scan-of-your-eye.html

Brazilians Target of Latest Zeus Variant

With the Rio 2016 Olympic games a mere day away, more bad news is plaguing Brazilians and visitors alike. A recent variant of the Zeus Trojan, labeled Panda Banker, has its sights set on many of the largest Brazilian banks and other local services. Like many others trojans, this particular variant is spread through spam email and exploit kits, but operates using account takeover in real-time by holding the victim in a loop of pop-up windows while the account is compromised.

https://www.helpnetsecurity.com/2016/08/05/zeus-panda-steals-everything/