TA17-163A: CrashOverRIDE Malware

I am subscribed to the Homeland Security National Cyber Awareness System and will begin posting these cyber-security bulletins here for all of you, my dedicated readers. 

The United States Computer Emergency Readiness Team (US-CERT) strives for a safer, stronger internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cyber-security information with trusted partners around the world.

TA17-163A: CrashOverride Malware

06/12/2017 05:44 PM EDT

Original release date: June 12, 2017

Systems Affected

Industrial Controls Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to the U.S. critical infrastructure.

Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.

For a downloadable copy of IOCs, see:

To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Risk Evaluation
NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)
Yellow (Medium)
A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
Details

There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

Description
Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publically reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses a targeted ICS system’s legitimate control systems functionality to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is more important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power so all critical infrastructure organizations should be evaluating their systems to susceptibilities in the TTPs outlined. The malware has several reported capabilities:

  1. Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
  2. Denies service to local serial COM ports on windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.
  3. Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
  4. Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
  5. Includes a wiper module in the platform that renders windows systems inert, requiring a rebuild or backup restoration.
Detection

As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify pre-courser activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.

NCCIC is providing a compilation of indicators of compromise (IOCs) from a variety of sources to aid in the detection of this malware in the appendices. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.

 

 

Share This:

US-CERT Alert – Lenovo Superfish Adware

Last week the National Cyber Awareness System issued an alert regarding Superfish which I also touched on. Today the US-CERT issued an update regarding the Superfish security flaw:

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

02/20/2015 07:07 AM EST

Original release date: February 20, 2015 | Last revised: February 24, 2015

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed.

Overview

Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.

Description

Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements.  In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack.  Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with.  Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed.  This means websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

To detect a system with Superfish installed, look for a HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

Where [ACTION] is at least 1, 2, or 3.  1 and then 2 are sent when a computer is turned on. 3 is sent when a computer is turned off.

Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly affected. Please refer to CERT Vulnerability Note VU#529496 for more details and updates.

Impact

A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.

Solution

Uninstall Superfish VisualDiscovery and associated root CA certificate

Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool to uninstall Superfish and remove all associated certificates.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”

Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.

References

Share This:

US-CERT Alert – Apple iOS “Masque Attack” Technique

Today the United States Computer Emergency Readiness Team (US-CERT) has issued a warning regarding a newly identified cyber threat.

uscert14

Systems Affected

Apple (iOS) devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
  2. Don’t click “Install” from a third-party pop-up when viewing a web page.
  3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.

References

Share This:

U.S. Government Releases Ransomware Alert

uscert14

Today the United Stated Computer Emergency Readiness Team (US-CERT) released an informational ALERT regarding Ransomware. There is some very good information here describing what Ransomware how it is related the Malware, it’s impact andwhat you can do to avoid it. 

TA14-295A: Crypto Ransomware

10/22/2014 05:28 PM EDT

Original release date: October 22, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC

Share This:

US-CERT Alert – (TA14-150A)

Today the United States Computer Emergency Readiness Team (US-CERT) has issued a warning regarding a newly identified cyber threat.

uscert14

Threat Name: GameOver Zeus PSP Malware

 

Systems Affected

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011[1], uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

Description

GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer[2]. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community[1]. GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data[3]. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult[1].

Impact

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

Solution

Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

Share This:

US CERT Issues Warning & KB 2963983

Department of Homeland Security recommends avoiding Microsoft browser until vulnerability in IE6 to IE11 is fixed.

 

uscert14

The Department of Homeland Security’s US-CERT team has issued an official advisory, warning Windows customers that they should not use any modern version of Internet Explorer, from IE6 to IE11. It’s important to note that Microsoft’s Security Advisory 2963983 lists the exploit as a problem even with IE11 running on Windows 8.1 and Windows RT 8.1. It isn’t clear from Microsoft’s list if the problem also affects Windows 8, Windows RT, and/or Windows 8.1 Update, although Server 2003, Server 2008, 2008 R2, 2012, and Server 2012 R2 running with their default settings aren’t vulnerable.

As Microsoft notes, this is a drive-by class security hole: Your machine can be compromised if you simply visit an infected site.

FireEye first caught and dissected the vulnerability, publishing an extensive examination on Saturday:

The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP… Threat actors are actively using this exploit in an ongoing campaign which we have named “Operation Clandestine Fox”… for many reasons, we will not provide campaign details. But we believe this is a significant zero day as the vulnerable versions (IE 9 thru 11) represent about a quarter of the total browser market.

The attack vector is quite ingenious in loading a Flash SWF file, using it to selectively spray memory, and looping back to a JavaScript program in IE. The program takes advantage of the IE bug to run a complex series of programs that ultimately lead to the breach. Flash itself doesn’t contain the bug, but it’s a handy foil for the IE exploit.

FireEye notes that disabling the Flash plug-in in IE will prevent this particular exploit from functioning. Since Flash is baked into IE10 and IE11, it appears that disabling Flash will only work in IE6 though IE9. But note that the security hole still exists in IE, even without Flash. It’s entirely possible that someone will come up with a nearly identical exploit that uses some other handy fixed-size heap allocation.

As for where this leaves Windows XP users, while the general exploit approach apparently works on XP systems — as suggested by the inclusion of Server 2003 SP 2 on Microsoft’s “affected programs” list — FireEye hasn’t uncovered in-the-wild exploits with IE6 thru IE8. (Also, XP won’t run IE9, IE10, or IE11.)

Clearly, XP users would be foolish to be running IE right now.

Will Microsoft patch IE on XP systems? It’s an interesting question, because the flaw is in IE, not XP. A related question: If Microsoft fixes IE6, IE7, and IE8 running on Server 2003 SP 2, will the same fix work on XP?

As for where this leaves Windows XP users, while the general exploit approach apparently works on XP systems — as suggested by the inclusion of Server 2003 SP 2 on Microsoft’s “affected programs” list — FireEye hasn’t uncovered in-the-wild exploits with IE6 thru IE8. (Also, XP won’t run IE9, IE10, or IE11.) Clearly, XP users would be foolish to be running IE right now, but that’s been true for many years.

Will Microsoft patch IE on XP systems? It’s an interesting question, because the flaw is in IE, not XP. A related question: If Microsoft fixes IE6, IE7, and IE8 running on Server 2003 SP 2, will the same fix work on XP?

This latest security flaw will certainly tests Microsoft’s mettle relating to their seriousness regarding ending XP support.

Share This:

US-CERT: Windows XP End of Life

uscert14

The United States Computer Emergency Readiness Team (US-CERT) was created in 2003 to help protect the internet infrastructure of the United States by coordinating defense against and responding to cyber-alerts.

From time to time I post their relevant alerts here. Although I have written about the end of Windows XP many times I wanted to post this US-CERT Alert.

TA14-069A: Microsoft Ending Support for Windows XP and Office 2003

Original release date: March 10, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products

Overview

Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration manager, or Windows Intune will not receive the notification. [4]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

Share This:

TA13-317A: Microsoft Updates for Multiple Vulnerabilities

 
Original release date: November 13, 2013 | Last revised: November 16, 2013

Systems Affected

  • Windows Operating System and Components

  • Microsoft Office

  • Internet Explorer

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for November 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities. The November Security Bulletin includes a patch for the new “watering hole” campaign which utilizes a US-based website that specializes in domestic and international security policy.

Impact

These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for November 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History

  • November 13, 2013: Initial Release

Share This:

TA13-309A: CryptoLocker Ransomware Infections

This is the 3rd Cyrpto-Locker Alert issued by the US Government.
Please take it seriously bloggers.



Original release date: November 05, 2013 | Last revised: November 15, 2013



Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems


Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links

  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments

  • Maintain up-to-date anti-virus software

  • Perform regular offline backups of all systems to limit the impact of data and/or system loss

  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity

  • Secure open-share drives by only allowing writable access to necessary user groups or authenticated users

  • Keep your operating system and software up-to-date with the latest patches

  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams

  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network

  • Users who are infected should change all passwords AFTER removing the malware from their system

  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:

    • Restore from backup,

    • Restore from a shadow copy or

    • Perform a system restore.

References

Revision History

  • November 5, 2013: Initial Release

  • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

  • November 15, 2013: Updates to Impact and Prevention sections.

Share This:

TA13-309A: CryptoLocker Ransomware Infections

As I have reported previously the CryptoLocker virus is a very serious computer threat to everyone.

The United States Emergency Computer Response Team (US-CERT) has today issued an alert regarding the threat. I have been posting relevant US-CERT warnings on this blog so here is this one.

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention
US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation
US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
  • Users who are infected should change all passwords AFTER removing the malware from their system
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup,
    • Restore from a shadow copy or
    • Perform a system restore.

References

Share This:

1 2