New Ransomware Threat Spreads Globally

Here is yet another security threat that only infects those who do not keep their computers up to date.

A new ransomware called Petya, which is very similar to WannaCry, is using the EternalBlue exploit developed by the U.S. National Security Agency (NSA) to spread across the world. Ukraine’s national banks, power companies, airport, metro services and several other organizations are now under attack by Petya. The attack is spreading fast, and security companies are seeing thousands of infection attempts at the moment. More than 80 companies in Russia and Ukraine are reportedly infected already. Even the Chernobyl nuclear power plant is now under attack and has switched to manual monitoring of radiation. As you can see in the image above, this ransomware demands $300 in Bitcoin, similar to WannaCry, to get the decryption code.

This Petya ransomware affects only older Windows PCs that are running without the latest updates. If you are running a fully updated Windows 7 SP1 or the latest Microsoft OS with recent updates, you don’t have to worry about this cyberattack.

Dedicated readers – I urge you to keep your computers up to date with patches & fixes provided by Microsoft.


Qakbot Attacks

Another week, another cyber-threat threatens the security of individuals and businesses alike. This latest one, Qakbot, has a special emphasis on taking down business networks. It is just the latest cyber-threat, and you can be sure that there will be many more – even more destructive ones – to come. These threats will continue until our behavior changes with respect to how seriously we treat internet services. Security solutions are incredibly important, but even the best security solution cannot be 100% effective in this ever-changing tech world. Cyber-criminals are continually changing their modes of attack, and security solutions are often playing catch-up. The way we interact with internet services is the key to protecting not only ourselves – but each other. I touch on some of my recommendations for protecting yourself at the end of this article.


Introducing Qakbot

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor that targets the Microsoft Windows operating system and 64-bit browsers, with a particular focus on business/enterprise users, is on the loose.

Qakbot is a self-propagating kind of malware that has been circulating for several years now. The Trojan not only spreads through networks, external drives and devices, but also focuses on stealing valuable credentials and taking control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which has been made even more evasive and persistent with new, polymorphic features that enable the malicious code to squat in business networks for longer and “easily thwart legacy endpoint security solutions” through code obfuscation and a constantly evolving file makeup and signatures.

The Evil Tricks of Qakbot

Once a system has been infected with Qakbot through an exploit kit, a phishing campaign or a malicious download, the malware does not lock the system in order to hold a business to ransom.

Instead, Qakbot is able to lock users out of Active Directory: once credentials have been stolen, it uses them to spam neighboring hosts with authentication attempts and disrupt corporate activities. In turn, this may result in the compromise of additional hosts and further spread, or in the user accounts behind those authentication attempts being locked out.

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.
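The lockout behaviour described above leaves a recognisable trace in Windows Security logs: one workstation failing logons for several different accounts against several different hosts in a short window, followed by lockout events for those accounts. The script below is an added example (not from the original post, Cylance or ZDNet) of how a defender might flag that pattern. It assumes the events have already been exported to a simple comma-separated form with the fields shown; the sample lines, host names and account names are constructed for the example. Event IDs 4625 (an account failed to log on) and 4740 (a user account was locked out) are the real Windows Security event IDs.

```python
"""Flag hosts whose failed-logon bursts look like stolen credentials being
replayed against neighboring machines (the Qakbot behaviour in the post).

Added example, not code from the original post. Input is assumed to be
Windows Security events exported as: timestamp,event_id,source_host,account,target_host
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hosts and accounts are invented for this example).
SAMPLE_EVENTS = """\
2017-06-06T09:00:01,4625,WS-017,jsmith,FILESRV01
2017-06-06T09:00:02,4625,WS-017,jsmith,FILESRV02
2017-06-06T09:00:03,4625,WS-017,mlee,FILESRV01
2017-06-06T09:00:04,4625,WS-017,mlee,FILESRV02
2017-06-06T09:00:05,4625,WS-017,akhan,PRINTSRV
2017-06-06T09:00:06,4740,WS-017,jsmith,DC01
2017-06-06T09:00:07,4740,WS-017,mlee,DC01
2017-06-06T09:15:00,4625,WS-042,bjones,FILESRV01
2017-06-06T09:30:00,4625,WS-042,bjones,FILESRV01
"""


def parse_events(text):
    """Turn the exported lines into dicts with a real datetime for sorting."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, acct, tgt = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "src": src, "acct": acct, "tgt": tgt})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=3, min_targets=2):
    """Return {source_host: summary} for every source host that, within
    `window`, fails logons for at least `min_accounts` distinct accounts
    against at least `min_targets` distinct hosts. The summary also lists
    any accounts that same host got locked out (event 4740), which is the
    disruption the post describes.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        lockouts = {e["acct"] for e in evs if e["id"] == 4740}
        # Slide a time window over the failures from this source.
        for i, start in enumerate(failures):
            in_win = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            accts = {e["acct"] for e in in_win}
            tgts = {e["tgt"] for e in in_win}
            if len(accts) >= min_accounts and len(tgts) >= min_targets:
                findings[src] = {
                    "accounts": sorted(accts),
                    "targets": sorted(tgts),
                    "locked_out": sorted(lockouts),
                    "first_seen": start["ts"].isoformat(),
                }
                break  # one finding per source host is enough for an alert
    return findings


if __name__ == "__main__":
    for host, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(host, info)
```

A single user mistyping their own password (WS-042 in the sample) never crosses the account or target thresholds, so it is not reported; tune `window`, `min_accounts` and `min_targets` to the size of your environment before relying on it.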

Protecting Yourself

I do not mean to sound like a broken record each time I report on the latest security attack, but I have no choice. Protecting yourself against most security intrusions is actually quite easy, and you will find these tips throughout this fine blog. In fact, what you see below is copied from my earlier post regarding the WannaCry ransomware threat on May 15, 2017.


It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up-to-date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain they are legitimate and that you requested them. If you are not sure about a hyperlink or attachment, contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you run a backup of your system files regularly. If your PC gets infected and your important files are encrypted, you can restore them later from the backup.


Thanks to ZDNet for staying on top of the Qakbot story, from which much of this information was obtained.


Important Security Patches Arrive for Apple Products

This past week Apple released multiple security updates for its iOS, watchOS, tvOS, and macOS systems, addressing dozens of security bugs across its devices. The iOS update alone fixes 41 security flaws, including some that could potentially allow a remote attacker to execute malicious code on an Apple mobile device.

The update is well-timed, as much of the world is still reeling from the WannaCry ransomware attack that has been racing across the globe since late last week. While that ransomware targets Windows systems, Mac users are likely to feel a little safer knowing they have the most recent security patches installed.

Mostly Security Fixes

Apple attributed almost half of the bug discoveries to Project Zero, Google’s internal security and bug-hunting initiative. The most significant patch Apple released last week was for macOS. The update includes several fixes to the operating system’s kernel, some of which address security vulnerabilities that would allow an application to gain kernel privileges and execute arbitrary code with them.

The iBooks application received several fixes for bugs that would have, among other things, allowed a maliciously crafted book to open Web sites on its own without user permission. Meanwhile SQLite, a relational database management system, received four separate patches for issues that could have given an attacker remote access to a user’s device.

Apple’s mobile operating system, iOS, also received a major security upgrade. Several of the fixes relate to similar problems as those addressed in the macOS patch, such as the SQLite vulnerabilities, and kernel and iBooks bugs. Another major component of the OS that was patched was WebKit, a component that helps power the Safari browser.

No New Functionality, But Some Glitches Fixed

The watchOS update includes improvements and bug fixes while the tvOS update provides bug fixes and other enhancements to the fourth-generation Apple TV.

WebKit received a whopping eight patches, including several that would have permitted hackers to attack a user’s device through malicious Web content. The upgrade also changes the way Wi-Fi network credentials are handled to prevent having a person’s username and password stolen when accessing a malicious hotspot.

The security fixes will likely be the foremost in users’ minds as they rush to update their devices, but they are not the only changes Apple rolled out yesterday. While the upgrades do not appear to include any major new functionality, they do address several performance issues that should make the user experience a bit more pleasant.

On the Macintosh platform this includes a fix for a problem where audio may stutter when played through USB headphones. The update also fixes an issue affecting some enterprise and education customers that could cause the system date to be set to 2040, and prevents a potential kernel panic when starting up from a NetInstall image. All of the updates can be downloaded over the air.

If you have any Apple products, you should take the time to update their operating systems.


Mastering Password Managers

With this past week’s WannaCry ransomware scare, I thought I would take a little time, again, to write about how incredibly important password management is to the security of your data. Passwords are, of course, inconvenient, time-consuming and hard to remember, which is why many people do not take them seriously. However, without good password management you are seriously taking a chance with your security.

I also wrote earlier this week that Microsoft is looking to kill passwords altogether for its services; however, we are not exactly sure when that is going to happen, and Microsoft notwithstanding, passwords are going to be around for quite a while yet… so you might as well master them.

Here are my favorite password management applications, each with a free option. My favorite is LastPass, but each will do the trick if you want to lock cyber-criminals out of your data.



There are two versions of LastPass – free and premium. Both can store an unlimited number of account logins in a secure vault protected by a master password, will complete online forms for you automatically, and can employ multi-factor authentication.

The premium edition also syncs across multiple devices, stores passwords for desktop programs, and lets you share secured folders with other people, with customizable permissions.

One of LastPass’s best features is its ability to generate strong, unguessable passwords for all your accounts, which it then stores for you. There’s no need to remember long, awkward streams of characters, or re-use the same password for multiple accounts. It’s a class act.



Dashlane is LastPass’s most serious rival, and like LastPass it’s absolutely superb, with strong password security, exceptional ease of use and the ability to store notes for future reference.

In addition to the Windows desktop password manager, there are browser plugins and mobile versions, and as with LastPass there’s a premium edition of Dashlane that adds unlimited syncing and sharing.

The premium edition of Dashlane costs US$39.99 per year, but the free version provides all the essentials: you get the core password manager, autofill and digital wallet features, all of which work flawlessly.



RoboForm claims to be the world’s best password manager, though its free version only lets you store up to 10 logins and lacks the breadth of features offered by some of its rivals. If you need to store more passwords, a premium account costs US$9.95 for the first year, though the mobile apps are free.

It’s available for Windows, Mac, iOS and Android, and is a good option for anybody who wants a simple and secure way to sync passwords between desktop, laptop and mobile devices.

RoboForm doesn’t have quite the same feature list as Dashlane or LastPass, but it’s a very good tool nonetheless, and the free mobile apps are excellent.



It isn’t the prettiest password manager around, but KeePass Password Safe is both free and open source with strong security, multiple user support and a whole bunch of plugins to expand the app further.

The password manager is small enough to run from a USB drive without installing it on a PC, it can import from and export to a wide range of file formats, and there are stacks of customization options to play with.

The fact that KeePass Password Safe is open source means anybody can inspect the code for potential weaknesses, so security issues can be identified and fixed quickly. It’s a great little app, if a bit intimidating for absolute beginners.



Sticky Password comes from the team behind AVG Antivirus, so you can be confident that security is its top priority.

There are two versions of Sticky Password: free and premium. The latter adds cloud syncing and backup, and costs US$29.99, £19.99 (about AU$40) a year. There’s also a lifetime license available for $149.99, £96.99 (about AU$200) – an option not offered by any other premium password manager.

The app works on PC, Mac, Android and iOS, supports fingerprint authentication on mobile, is available as a portable USB version and offers lots of synchronisation options including Wi-Fi syncing with local devices. It doesn’t support the Edge browser just yet but it will once the Anniversary Update introduces extension support.


There you go. Give these a try. Any one of them will help you lock down your accounts, secure your data and perhaps prevent a security disaster from impacting you. The time you spend doing this will be well spent… believe me.


Protecting Yourself Against WannaCry

The WannaCry 2.0 ransomware is turning out to be one of the biggest security threats of recent times. It has spread to over 150 countries and affected more than 200,000 computers. This situation could’ve been avoided if users had installed the Windows security patch released in March. Well, you can still download the update and follow some basic safety measures to keep yourself away from such attacks.


Ransomware has seen an abrupt rise in recent years, and the present-day developments are only making this threat more infamous. If you like to keep yourself updated with the latest developments in the tech world, you might have heard about the notorious WannaCry ransomware, which is locking down people’s computers. It also goes by other names like WannaDecrypt0r, WCry, and Wanna Decryptor.

What is WannaCry Ransomware?

More than 150 countries have been affected by the WannaCry ransomware, which exploits the EternalBlue vulnerability and uses phishing emails. The NSA was the first to discover this flaw, and it was made public by ShadowBrokers in April. After taking over a computer, WannaCry locks down the machine and asks for about $300 as a ransom. If the user fails to pay the ransom, the price increases with time.

Microsoft did release a patch for this leaked vulnerability in April, but many computer users and network administrators didn’t update their systems. As a result, they are at risk.


How to Prevent Getting WannaCry and Other Ransomware

This malware is primarily impacting businesses and spreading through their network to control an entire company. But, it doesn’t mean that everyone else is safe.

So, if you’re using a computer running the Windows operating system, you must take a few precautionary steps.


It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up-to-date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain they are legitimate and that you requested them. If you are not sure about a hyperlink or attachment, contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you run a backup of your system files regularly. If your PC gets infected and your important files are encrypted, you can restore them later from the backup.


Microsoft’s Response

While Microsoft quickly issued fixes for the latest versions of Windows last month, this left Windows XP unprotected. Many of the machines attacked today have been breached simply because the latest Windows updates have not been applied quickly enough, but there are still organizations that continue to run Windows XP despite the risks. Microsoft is now taking what it describes as a “highly unusual” step to provide public patches for Windows operating systems that are in custom support only. This includes specific fixes for Windows XP, Windows 8, and Windows Server 2003. You can read my report about this here.

If you want to learn more you can read many of my ransomware related articles here.


Windows XP Gets an Emergency Patch

If you are still using Windows XP (which you shouldn’t be) Microsoft is actually releasing an emergency patch for the retired operating system.

Why is Microsoft doing this?

Microsoft has taken the unprecedented step of issuing patches for unsupported operating systems, including Windows XP, as a result of the massive WannaCrypt ransomware attacks against organisations across the globe.


Businesses, governments and individuals in 74 countries across the globe have been victims of more than 45,000 attacks by this one strain of ransomware in the space of just a few hours.

What is Wannacrypt?

Wannacrypt ransomware demands $300 in Bitcoin for unlocking encrypted files – a price which doubles after three days. Users are also threatened with having all their files permanently deleted if the ransom isn’t paid in a week.

Hospitals across the UK have had systems knocked offline by the ransomware attack, with patient appointments cancelled, doctors and nurses resorting to pen and paper, and NHS England declaring the cyberattack a ‘major incident’ – a total of 45 NHS organisations are now known to be affected.

The Dangers of Ransomware

Cybersecurity researchers have suggested the ransomware attacks are so potent because they exploit a known software flaw dubbed EternalBlue. This Windows flaw is one of many zero-days that were apparently known to the NSA before being leaked by the Shadow Brokers hacking collective. Microsoft released a patch for the vulnerability earlier this year, but only for the most recent operating systems.

I applaud Microsoft for taking the action of patching their retired operating systems which is an effort to protect all of us.


Ransomware Rises

Ransomware attacks have increased by 50% since 2016, reports Verizon. This is bad news for all of us.


Other recent reports also found that cyber-criminals have increasingly shifted from going after individuals to attacking entire organizations. Government organizations were the most frequent target of these ransomware attacks, followed by health care businesses and financial services.

Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency in which cyber-criminals most commonly demand ransoms.

An Old & Tried Threat Expands

While most malware is delivered through infected websites, criminals have increasingly been turning to phishing – the tactic of using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware – to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

These “phishing” emails are often targeted at specific job functions, such as HR and accounting – whose employees are most likely to open attachments or click on links.

Same Threat – Bigger Target

While in the past most ransomware simply encrypted the data on the device where it was first opened, criminal gangs have increasingly been using more sophisticated hacking techniques, seeking out business-critical systems and encrypting entire data servers.

Caution Rules

As you can see from what’s going on here, the best defense is not clicking on links or attachments in email – unless you are 100% certain that the email is legitimate.


The Wrath of Locky Part 2

One of the most common types of ransomware, “Locky”, all but disappeared late last year. Sadly, however, this very dangerous cyber threat has reemerged and is worse than ever. Everyone should make themselves aware of this particular cyber threat – because once your data is infected, you may never see it again.

The New Locky Brings a New Infection Mechanism

This current wave of SPAM comes in the form of emails that pretend to be payment receipts with various subjects. According to an article by My Online Security, the email subjects include Receipt 435, Payment Receipt 2724, Payment-2677, Payment Receipt_739, and Payment#229, where the numbers change.

Locky SPAM Email

These emails include a PDF attachment with a name like P72732.pdf. When these PDFs are opened, the target will be prompted to open an embedded Word document as shown below.

Malicious PDF SPAM

If the user opens the file, the Word document will open and the target will be greeted with the typical malicious-document prompt: a request to enable macros by clicking Enable Content in order to view the document properly.

Enable Macros in Malicious Word Document

When the macros are enabled, the macros are currently downloading an encrypted Locky binary from http://uwdesign.com.br/9yg65, decrypting the file, saving it to %Temp%\redchip2.exe, and then executing the file to begin the encryption process. Redchip2.exe currently has a 7/55 detection on VirusTotal.

Just like previous variants, Locky deletes Volume Shadow Copies using a Scheduled Task and appends the .OSIRIS extension to encrypted files. You can see the task used below; the XML tags of the task definition were lost in extraction, so only the setting values, the command and its arguments remain, in their original order.

    IgnoreNew
    false
    false
    true
    true
    false
      PT10M
      PT1H
      true
      false
    true
    true
    false
    false
    false
    PT72H
    7
    C:\Windows\system32\vssadmin.exe
      Delete Shadows /Quiet /All

While encrypting files it will routinely send status updates to the Command & Control servers located at 188.120.239.230/checkupdate and 80.85.158.212/checkupdate. When done it will display the ransom note to let the victim know that they have been infected.
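Two of the artifacts described above are easy to hunt for on your own systems: a scheduled task whose action runs vssadmin to delete shadow copies, and web traffic to the two check-in hosts named in the post. The script below is an added example (not code from the original post or from the researchers it cites). The task XML it parses is constructed for the example to mirror the setting values and command shown in the post, using the real Task Scheduler XML namespace; the proxy log lines, client addresses and the benign site in them are invented. On a real machine you would feed it the files exported from Task Scheduler and your proxy’s access log.

```python
"""Hunt for two Locky artifacts described in the post: a Scheduled Task that
deletes Volume Shadow Copies, and proxy requests to the named C2 hosts.

Added example, not code from the original post.
"""
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler XML definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed task definition mirroring the values shown in the post.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\vssadmin.exe</Command>
      <Arguments>Delete Shadows /Quiet /All</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Check-in hosts named in the post.
LOCKY_C2_HOSTS = {"188.120.239.230", "80.85.158.212"}

# Constructed proxy log lines: timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2017-03-09T10:12:01 10.0.5.23 GET http://www.example.com/index.html 200
2017-03-09T10:12:04 10.0.5.23 POST http://188.120.239.230/checkupdate 200
2017-03-09T10:13:10 10.0.5.77 GET http://80.85.158.212/checkupdate 200
2017-03-09T10:14:00 10.0.5.23 GET http://www.example.com/news 200
"""

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def shadow_deleting_actions(task_xml):
    """Return (command, arguments) for every Exec action in a task definition
    that runs vssadmin to delete shadow copies. Matching on the joined
    command line catches both a bare 'vssadmin' and a full path."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip()
        args = (exec_el.findtext(TASK_NS + "Arguments") or "").strip()
        if SHADOW_DELETE.search(f"{cmd} {args}"):
            hits.append((cmd, args))
    return hits


def locky_checkins(log_text):
    """Return (client_ip, url) for each proxy request to a known C2 host.
    Matching is on the host part of the URL, so a changed path still hits."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, client, _method, url, _status = line.split()
        m = re.match(r"https?://([^/:]+)", url)
        if m and m.group(1) in LOCKY_C2_HOSTS:
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for cmd, args in shadow_deleting_actions(SAMPLE_TASK_XML):
        print("shadow-copy deletion task:", cmd, args)
    for client, url in locky_checkins(SAMPLE_PROXY_LOG):
        print("C2 check-in:", client, "->", url)
```

Either hit on its own is worth an alert: a legitimate backup product rarely schedules `vssadmin Delete Shadows /All`, and a workstation checking in to either of those addresses is a strong sign that encryption is already under way on it.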

Locky Ransom Note

Unfortunately, at this time there is still no way to decrypt files encrypted by Locky.

Protecting Yourself Against Ransomware

As I continually recommend, you should never open an attachment from a sender that you did not request. This goes for hyperlinks in email messages that you did not request as well. If you receive email messages from “lenders” or “creditors” regarding payments etc. that include documents, call the lender and speak to someone. Do not open the attachment or click on the hyperlink unless you are 100% certain of its legitimacy.


Technology Training Day @ West Chester

Today much of our staff got together for our quarterly technology training. Although you may not have been there – you can check out much of what we talked about right here.

We covered Microsoft Excel, Outlook, Word, OneNote, Skype for Business and the very scary situation that is Ransomware.


Skype Hit with Ransomware Threat

If you use Skype*, do not respond to any pop-up messages similar to this one:

Several people have reported receiving “fake Flash” ads in Skype which, if triggered, can lead to a ransomware attack.

It has been reported that, in an effort to infect a user’s PC with ransomware, an advertisement appears followed by the above pop-up message. The triggered ad has obviously been designed to look like the real thing. Do not be fooled. The app, when opened, would download a malicious payload, which locks the user’s computer and encrypts its files for ransom.

Many other users in the past few days have also complained of similar issues with Skype’s in-app ads, with at least two other people reporting the same “fake Flash” ad as recently as Thursday. I hope this problem has Microsoft reconsidering in-app advertisements in Skype.

All signs point to this “fake Flash” ad being a spin-off of a recent Locky ransomware campaign that also delivers a Kovter trojan, which remains on the system to carry out click-fraud and malvertising campaigns. Locky, which became one of the most notorious ransomware threats last year, uses a similar malicious JavaScript-based attack to lock computers, which executes directly on Windows without the help of any other app. I wrote about Locky back in May 2016. Check it out here.

* This threat does not involve Microsoft’s Skype for Business service.
