Security News

Researchers at Check Point have worked out the encryption method used by RansomWarrior. The ransomware was developed in India.

The ransomware targets Windows users. The payload is delivered as an executable named “A Big Present.exe”; if it is executed, it encrypts the victim’s files and appends a .THBEC extension. Victims are given a link to a dark web site that takes payment in Bitcoin.

The ransomware offers to decrypt two files for free; if the victims do not pay the ransom, they will not get the rest of their files back. The ransomware cheekily includes a sentence saying that the police can’t help you.

How Did The Researchers Break the Encryption?

Researchers at Check Point found that the malware was written by inexperienced authors, and the company was able to retrieve the decryption keys from the malware itself. Check Point succeeded because of the weak encryption scheme used by the ransomware: RansomWarrior uses only 1000 hard-coded keys embedded in its binary.

The index of the key that was used is saved on the victim’s machine, which provides the means to unlock the files. The researchers were able to build a decryption tool that recovers the files of any user affected by RansomWarrior. Most ransomware authors have been deploying mass spam campaigns in order to infect entire networks.
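To make the weakness concrete, here is an added toy model (not RansomWarrior’s code and not Check Point’s decryptor) of a locker that picks one of 1000 hard-coded keys and leaves the chosen index on the victim machine. The key table, the HMAC-based stream cipher and the `THBEC` marker are all constructed assumptions; the point they illustrate is that such a keyspace gives the author no real secrecy, since a defender can decrypt directly from the stored index or, failing that, simply try all 1000 keys against a known file header.

```python
"""Toy model of ransomware that draws its key from a small hard-coded table,
and the file recovery this weakness allows. Everything here (the key table,
the stream cipher, the file marker) is constructed for illustration and is
NOT RansomWarrior's real implementation or Check Point's decryption tool."""
import hashlib
import hmac

NUM_KEYS = 1000    # the article: only 1000 hard-coded keys inside the binary
MARKER = b"THBEC"  # constructed header written at the start of every locked file

# Constructed key table: a fixed seed expands into 1000 keys, standing in for
# keys that a careless author compiles into the binary as constants.
KEY_TABLE = [hashlib.sha256(b"toy-hardcoded-key-%d" % i).digest()
             for i in range(NUM_KEYS)]


def keystream(key, length):
    """Toy stream cipher: HMAC-SHA256 of a counter (not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def lock_file(plaintext, key_index):
    """Simulates the locker: encrypt with KEY_TABLE[key_index] and return the
    ciphertext together with the index, which the malware leaves behind on the
    victim machine so that the operators can decrypt after payment."""
    stream = keystream(KEY_TABLE[key_index], len(plaintext))
    return MARKER + xor_bytes(plaintext, stream), key_index


def unlock_with_index(ciphertext, key_index):
    """Recovery path 1: the stored index selects the key directly."""
    body = ciphertext[len(MARKER):]
    return xor_bytes(body, keystream(KEY_TABLE[key_index], len(body)))


def recover_without_index(ciphertext, known_prefix):
    """Recovery path 2: even if the index were lost, 1000 candidate keys is a
    trivial search whenever some plaintext is known, e.g. a file-format header.
    Returns (key_index, plaintext) or None if no key fits."""
    body = ciphertext[len(MARKER):]
    for index, key in enumerate(KEY_TABLE):
        trial = xor_bytes(body[:len(known_prefix)], keystream(key, len(known_prefix)))
        if trial == known_prefix:
            return index, xor_bytes(body, keystream(key, len(body)))
    return None


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n"
    original = png_header + b"constructed pixel data " * 8
    locked, index = lock_file(original, 417)
    assert unlock_with_index(locked, index) == original
    found_index, recovered = recover_without_index(locked, png_header)
    print("key index found by search:", found_index, "file intact:", recovered == original)
```

Both recovery paths depend only on the key table being recoverable from the binary, which is exactly what hard-coding keys guarantees; the search in `recover_without_index` costs at most 1000 HMAC evaluations per file.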

Why Did Ransomware Become So Popular?

Some ransomware products have made over $6 million from a single targeted campaign. However, many have observed a move away from ransomware towards a new focus on cryptocurrency mining.

Hackers siphoned off over Rs 94 crore (around 12,000,000 euro) through a malware attack on the server of Pune-based Cosmos Bank, cloning thousands of the bank’s debit cards over a period of two days.

The fraudulent transactions were carried out on August 11 and August 13 and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale said.

“In two days, hackers withdrew a total of Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore was taken out within India,” he said.

On August 13, hackers again transferred Rs 13.92 crore in a Hong Kong-based bank by using fraudulent transactions.

Kale, however, said the cooperative bank’s core banking system was not affected and it has already appointed a professional forensic agency to investigate the fraud.

“On Saturday afternoon, the bank came to know about a malware attack on its debit card payment system and it was observed that unusual repeated transactions were taking place through Visa and Rupay cards used at various ATMs for nearly two hours,” he said.

While cloning the cards and using a “parallel” or proxy switch system, the hackers self-approved the transactions and withdrew over Rs 80.5 crore in about 15,000 transactions, he added.

Explaining further, Kale said the bank’s core banking system receives debit card payment requests via a ‘switching system’, but during this malware attack a proxy switch was created and all the fraudulent payment approvals were passed by this proxy switching system.

He said that as per the payment settlement system, Visa and Rupay raised the payment demand for all these transactions and, as per the agreement, the bank had to pay this Rs 80.5 crore amount to them.
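The symptom the chairman describes, repeated approvals flowing through the switch for two hours with the same cards cashing out across many countries, is what a velocity and impossible-travel check at the switch or in the bank’s SOC is meant to catch early. The following is an added example (not Cosmos Bank’s or any vendor’s code) that runs such a check over constructed authorization records; the card tokens, timestamps, countries and amounts are invented sample data, and the 10-minute window and three-withdrawal threshold are assumed tuning values.

```python
"""Velocity and impossible-travel check over ATM authorization records, the
kind of control a payment switch or bank SOC can run to catch a cashout wave
of cloned cards. The records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (card_token, UTC timestamp, ATM country, amount).
SAMPLE_AUTHS = [
    ("tok-0001", "2018-08-11T13:00:00", "IN", 10000),
    ("tok-0001", "2018-08-11T13:02:00", "CA", 400),
    ("tok-0001", "2018-08-11T13:03:00", "HK", 2000),
    ("tok-0001", "2018-08-11T13:05:00", "CA", 400),
    ("tok-0002", "2018-08-11T09:00:00", "IN", 5000),   # ordinary customer
    ("tok-0002", "2018-08-11T18:30:00", "IN", 2000),
    ("tok-0003", "2018-08-11T13:01:00", "HK", 2000),   # one country, but rapid-fire
    ("tok-0003", "2018-08-11T13:04:00", "HK", 2000),
    ("tok-0003", "2018-08-11T13:06:00", "HK", 2000),
]


def _parse(record):
    card, stamp, country, amount = record
    return card, datetime.fromisoformat(stamp), country, amount


def find_velocity_anomalies(auths, window=timedelta(minutes=10), min_count=3):
    """Return {card: details} for every card with at least `min_count`
    withdrawals inside any `window`; details record whether the burst spans
    more than one country, which a genuine cardholder cannot manage."""
    by_card = defaultdict(list)
    for record in auths:
        card, when, country, amount = _parse(record)
        by_card[card].append((when, country, amount))

    alerts = {}
    for card, events in by_card.items():
        events.sort()
        for start in range(len(events)):
            end = start
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            burst = events[start:end]
            if len(burst) < min_count:
                continue
            countries = sorted({c for _, c, _ in burst})
            candidate = {
                "count": len(burst),
                "total": sum(a for _, _, a in burst),
                "countries": countries,
                "multi_country": len(countries) > 1,
            }
            # keep the largest burst seen for this card
            if card not in alerts or candidate["count"] > alerts[card]["count"]:
                alerts[card] = candidate
    return alerts


def switch_approval_rate(auths, bucket_minutes=5):
    """Approvals per time bucket across all cards: a sudden plateau of repeated
    approvals is the switch-level symptom described in the article."""
    counts = defaultdict(int)
    for record in auths:
        _, when, _, _ = _parse(record)
        floored = when.replace(minute=when.minute - when.minute % bucket_minutes,
                               second=0, microsecond=0)
        counts[floored.isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    for card, details in find_velocity_anomalies(SAMPLE_AUTHS).items():
        print(card, details)
    print(switch_approval_rate(SAMPLE_AUTHS))
```

On the sample, `tok-0001` is flagged with withdrawals in three countries inside five minutes, `tok-0003` is flagged on rate alone, and the ordinary customer `tok-0002` is not flagged. The per-bucket rate is the cheaper, card-agnostic signal: it needs no per-card state and is the one a switch operator can watch in real time.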

Talking about the Rs 13.92 crore fraudulent transaction in a Hong Kong-based bank, he claimed that though the money has been transferred to that account, it is still in the banking channel.

As a precautionary measure, the bank has closed ATMs operations and suspended net and mobile banking facilities, according to the official.

“We appeal to customers to remain calm and not to panic, as savings, term deposits and recurring accounts of all the stakeholders are fully safe,” Kale said.

The bank has also registered an FIR at the Chatushringi police station in the city. A case was registered under sections 43, 65, 66(C) and 66 (D) of the Information Technology Act and relevant sections of the Indian Penal Code.

When asked about the recovery of the amount, Kale said the malware attack was not against any bank but against the banking system and was done at international level in a very “coordinated way”.

“Since a lot of countries are involved, getting the money back will completely depend on coordinated efforts of all the agencies,” he said.

He said that the actual loss to the bank will be known only after reconciliation with Visa and Rupay.

The information contained in this website is for general information purposes only. The information is gathered from Economic Times while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

One in 13 UK cybersecurity professionals has admitted to also participating in black hat activities, according to new research from Malwarebytes.

The security vendor commissioned Osterman Research to poll 900 professionals in the US, UK, Germany, Australia and Singapore to compile its latest study, White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime.

The UK stood out for three reasons: its companies had the lowest average security budget of any country; 97% of UK firms had fallen victim to a significant security threat over the past year, the highest of any country; and nearly 8% of respondents admitted to grey hat activity, versus a global average of 4.5%.

The study also revealed that 40% of UK security pros have known someone who has participated in black hat activity, 32% have been approached to take part and 21% have considered doing it.

The most popular reasons given for doing so were to earn more money (54%), the challenge that it offers (53%), retaliation against an employer (39%), philosophical reasons or some sort of cause (31%) and that it is not perceived as wrong (30%).

The financial challenge is likely to continue as the average security budget in the UK for a 2500-employee organization is set to grow by just 10% to £220,000 in 2018, according to the report. The largest chunk of this (17%) is apparently spent on remediation, with respondents claiming they’d spend on average more than £188,000 to remediate an incident.

“Companies need to assign more resources to their security budget, and that includes salaries for security researchers and other technicians. If an employee begins grumbling about pay, and if human resources are unresponsive to his or her requests, then organizations may be setting themselves up for a much larger financial loss down the line,” senior malware intelligence analyst, Jérôme Segura, told Infosecurity.

“Companies need to look for signs of individuals becoming unhappy or unfulfilled in their position and address them early on. Having regular dialogues between HR, managers and employees can help avoid more complicated situations at a later date.”

Segura added that tightening access controls can also help to mitigate the inside threat.


The information is gathered from InfoSecurity.

NETSCOUT’s Arbor Active Threat Level Analysis System (ATLAS®) has actively monitored the global internet threat landscape since 2007. Today, it provides visibility into approximately one-third of the global internet.

As threats grow across the landscape, NETSCOUT’s unique position protecting enterprise networks and the internet through its service provider customers gives it wide visibility into this dynamic and ever-changing environment. By drawing on that comprehensive view with analysis driven by NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), they created a representative view of the threat landscape as observed in the first six months of 2018, based on their data and driven by extensive research and analysis.

What did they find? The threat landscape is changing more rapidly, expanding its footprint and shifting tactics. Methods that are commonplace in the DDoS tool kit have spread to crimeware and espionage. This accelerating internet-scale threat paradigm changes the frontiers of where and how attacks can be launched, observed and interdicted.

1. DDoS attacks enter the terabit era.

Last winter’s Memcached-based attacks ushered in the terabit era of DDoS attacks. In fact, NETSCOUT Arbor mitigated the largest DDoS attack yet seen, a 1.7 Tbps DDoS attack in February of 2018.

2. Attack volume up, frequency down.

They saw about 2.8 billion attacks in the first half of 2018. While that’s a huge number of attacks, the big news lies in size rather than frequency.

From 2017 to 2018, they saw a slight drop in attack frequency accompanied by a dramatic increase in attack size and scale. However, that drop in frequency doesn’t mean that DDoS attacks are abating. The maximum size of DDoS attacks increased 174% in H1 2018 compared with the same timeframe in 2017. NETSCOUT’s assessment is that as attack tools grow more sophisticated, attackers have found it easier and cheaper to launch larger, more effective attacks.

3. APT groups expand beyond traditional arena.

More nations are operating offensive cyber programs and we in the research community are observing a broader set of threat actors. Indeed, nation-state-sponsored activity has developed beyond the actors commonly associated with China and Russia, as their findings include campaigns attributed to Iran, North Korea and Vietnam.

4. Crimeware actors diversify attack methods.

While email campaigns remain the primary attack venue, they observed notable changes in methods designed to accelerate malware proliferation. Inspired by 2017 worm events such as WannaCry, major crimeware groups added worm modules to other malware with distinct objectives such as credential-theft or traditional loaders. They also saw an increased focus on cryptocurrency mining in malware. It seems that attackers see this method as a less risky and more profitable alternative to ransomware, since the latter has the unfortunate side effect of drawing attention from law enforcement agencies.

5. Countries can be highly targeted by DDoS campaigns.

While the trend of a large increase in attack size over growth in frequency played out fairly consistently across regions, they saw some countries and regions disproportionately targeted. The Asia Pacific region experienced a disproportionately large number of high-volume attacks in comparison with other regions. China emerged as a highly targeted country, with 17 attacks greater than 500 Gbps in the first half of 2018 versus none during the same timeframe the year before.

6. Vertical industry targets expand.

Analysis of targeted verticals reveals some insights year over year. Telecommunications providers and hosting services continued to observe the overwhelming majority of attacks, but they also saw big shifts year over year in a number of vertical sectors. Attacks on system integrators and consultancies were up, and government agencies such as consulates, embassies, the International Monetary Fund, the State Department, and the United Nations experienced a sharp uptick in attacks. This aligns with the use of DDoS against targets by government as well as those ideologically opposed to the interests represented by these institutions.

7. New DDoS attack vectors are rapidly leveraged…

The Memcached attack campaign used vulnerabilities in misconfigured Memcached servers to launch enormous DDoS attacks, a process that took very little time from initial reporting to the first attack tool being made available and utilized to cause global impact. While there was considerable mobilization worldwide to fix vulnerable servers, the vector remains exploitable and will continue to be used. The reality is, once a DDoS type is invented, it never really goes away.

8. …While old ones get new life.

Simple Service Discovery Protocol (SSDP) has been used for reflection/amplification attacks for many years, and ASERT debunked reports this year that claimed this existing tool represented a new type of DDoS campaign with potentially millions of vulnerable devices. However, ASERT did uncover a new class of SSDP abuse where naive devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult—an SSDP diffraction attack.
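The operational point in the SSDP diffraction description is that a mitigation keyed on the well-known reflector port (UDP/1900, or 11211 for Memcached) no longer matches, because both ports are ephemeral and only the payload still identifies the traffic as an SSDP response. The following added example (not ASERT’s code) classifies constructed UDP flow records two ways, by source port and by payload, and shows which flows the port-based approach misses. The TEST-NET addresses, the `SSDP_REPLY` bytes and the three-source threshold are assumptions for the sample.

```python
"""Classify UDP flow records into reflection/amplification vectors, showing why
a source-port filter catches classic SSDP/Memcached reflection but misses the
SSDP 'diffraction' variant, where both ports are ephemeral and only the payload
gives the traffic away. Flow records are constructed, using TEST-NET addresses."""
from collections import defaultdict

REFLECTOR_PORTS = {1900: "ssdp", 11211: "memcached", 123: "ntp", 53: "dns"}
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:0000-constructed\r\n")

VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    # classic SSDP reflection: replies arrive from UDP/1900 on each reflector
    [{"src": f"198.51.100.{i}", "sport": 1900, "dst": VICTIM, "dport": 80,
      "payload": SSDP_REPLY} for i in range(1, 5)]
    # diffraction: the same SSDP replies, but source and destination ports are ephemeral
    + [{"src": f"198.51.100.{i}", "sport": 40000 + i, "dst": VICTIM, "dport": 50000 + i,
        "payload": SSDP_REPLY} for i in range(10, 14)]
    # ordinary traffic: one DNS reply to a client, one ephemeral-port UDP stream
    + [{"src": "198.51.100.53", "sport": 53, "dst": "203.0.113.20", "dport": 51234,
        "payload": b"\x12\x34\x81\x80"},
       {"src": "198.51.100.77", "sport": 45000, "dst": "203.0.113.20", "dport": 45001,
        "payload": b"\x80\x60\x00\x01"}]
)


def is_ssdp_response(payload):
    """SSDP replies are HTTP-style text with ST and USN headers."""
    head = payload[:256].upper()
    return head.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in head and b"\r\nUSN:" in head


def port_filter_matches(flow):
    """What a source-port ACL sees: only the well-known reflector ports."""
    return flow["sport"] in REFLECTOR_PORTS


def classify_vector(flow):
    """Payload-aware classification: returns a vector name or None."""
    if flow["sport"] in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[flow["sport"]] + "-reflection"
    if flow["sport"] >= 1024 and flow["dport"] >= 1024 and is_ssdp_response(flow["payload"]):
        return "ssdp-diffraction"
    return None


def summarize(flows, min_sources=3):
    """Group suspected reflection traffic per destination and vector. A single
    DNS reply to a client is normal; many distinct sources of one vector
    converging on one host is not."""
    sources = defaultdict(set)
    for flow in flows:
        vector = classify_vector(flow)
        if vector:
            sources[(flow["dst"], vector)].add(flow["src"])
    return {key: len(s) for key, s in sources.items() if len(s) >= min_sources}


def missed_by_port_filter(flows):
    """Flows the payload classifier flags but a port filter would let through."""
    return [f for f in flows if classify_vector(f) and not port_filter_matches(f)]


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(len(missed_by_port_filter(SAMPLE_FLOWS)), "diffraction flows pass a port-only filter")
```

The per-destination grouping is what keeps the legitimate DNS reply out of the result: it is a single source, not a convergence. In practice the same payload test would be expressed as a DPI or flow-exporter rule rather than Python, but the logic is the same.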

9. Targeted APT campaigns can involve internet-scale footprints.

As nation-state APT groups continue to develop globally, they were particularly interested in the observations of internet-scale activity in the strategic sphere, where campaigns such as NotPetya, CCleaner and VPNFilter involved broad proliferation across the internet, even though the ultimate targets in some instances were highly selective. These are distinct from the targeted attacks enterprises have become accustomed to dealing with over time, which often involve direct spear-phishing and limited scope to avoid detection and maintain presence. In this respect, targeted campaigns can now be backed by internet-scale intrusions.

10. New crimeware platforms and targets emerge.

Not satisfied with adding new malware modules, crimeware actors also busily developed new platforms, such as the Kardon Loader beta observed by ASERT. At the same time, well-known malware platforms such as Panda Banker are being directed at new targets.


The information is gathered from ArborNetworks.

The ICS (Industrial Control System) environments that handle the generation, transmission and metering of energy have long been on the radar of attackers. In recent years attackers have hacked into the control system of a dam in New York, shut down the Ukraine’s power grid and installed malware on the OSes of U.S. companies in the energy, nuclear and water sectors. The U.S. government, realizing that a cyberattack on energy utilities would have major repercussions for businesses and citizens alike, this November will test the ability of the nation’s power grid to bounce back from a simultaneous cyberattack on electric, oil and natural gas infrastructure.

The specter of cyberattacks against utility providers and the interest in protecting them come as the profile of adversaries who target ICS environments is broadening. While ICS attackers linked to APT (Advanced Persistent Threat) groups and nation-state actors are still targeting these systems, a greater variety of threat actors with a range of skills is also going after ICS environments. That assessment is based on data collected from a honeypot Cybereason set up to emulate the power transmission substation of a major electricity provider.

Accompanying this variety of threat actors is a new approach to sourcing ICS assets. Instead of strategically selecting targets, performing thorough reconnaissance and targeting individuals with potential network access — the typical infiltration path used by attackers who usually target ICS environments — the actors who compromised Cybereason’s honeypot bought the asset off a dark Web forum. The playbook the attackers used after they compromised the network also differed from the traditional ICS threat actor profile and showed that while they had some advanced methods, a few of their techniques were sloppy.

Still, judging by how quickly these attackers operated, they’re very familiar with ICS environments, the security measures that utility providers implement and know how to move from an IT environment to an OT (operational technology) environment. Accessing the OT environment is the attackers’ ultimate goal since these systems operate the equipment that delivers power to homes and offices. Whoever controls the OT environment determines who gets utilities like electricity, natural gas and water.

Unlike other attackers who buy and sell access to compromised networks, the adversaries who purchased access to the honeypot showed no interest in partaking in more generic and less targeted activity like running botnets for cryptomining, spamming and launching DDoS attacks, said Cybereason CISO Israel Barak. In this case, the attackers had one intention: getting to the OT network.

“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” Barak said.

Despite displaying a level of sophistication, the attackers made some amateur moves that indicate their approach needs some refinement, said Ross Rustici, Cybereason’s Senior Director of Intelligence. He noted that the attackers disabled the security tools on one of the honeypot’s servers, a move that “made a lot of noise” and, in an enterprise, would draw the security team’s attention.

“The approach of going after ICS environments and ignoring everything else and living off the network to conduct activity is a level of sophistication you don’t normally see in honeypots. But they made some mistakes, raising red flags that don’t allow us to put them in that upper echelon of attackers. You don’t see that level of amateurism from APT actors who go after ICS environments,” he said.

For sale: Access to a power transmission substation’s IT and OT environments

The honeypot environment went live late in the second quarter and had a network architecture that’s representative of a typical power substation including an IT environment, an OT environment and HMI (human machine interface) management systems. The environment employed customary security controls including segmentation between the different environments.

The honeypot contained bait to entice attackers, including three Internet-facing servers (SharePoint, SQL and a domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider.

Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it, based on a toolset that had been installed in the environment. The tool — xDedic RDP Patch — is commonly found in assets that are being sold on the xDedic black market. It allows a victim and an attacker to use the same credentials to log in to a machine simultaneously using RDP (Remote Desktop Protocol).

The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that could have otherwise prevented the adversaries from accessing the servers.

Under new ownership

For the next few days, the honeypot was hit with cryptomining bots, phishing bots, DDoS bots, activity that Internet-connected assets typically experience. Then 10 days after the honeypot went live, the actor who is assumed to be the asset’s new owner connected to it using one of the backdoors created by the seller. The transaction most likely took place in a nonpublic channel, preventing Cybereason from obtaining information on how the payment was made.

Ain’t no security measure strong enough to keep me from you

After being stymied by the firewall, the adversaries began using a multipoint network reconnaissance process to identify potential paths from the IT environment into the OT environment. This approach assumes that different assets in an environment have different segmentation and network accessibility policies. For instance, in a typical IT/OT environment, certain assets (monitoring systems, data repositories and file servers, for example) that are hosted in the IT environment are also accessible from the OT environment. Using multipoint network reconnaissance, the attackers move laterally to multiple assets and run parallel network discovery processes to locate an asset that is accessible to the OT network or any of its HMI components.

The attackers moved from the remote server to a Sharepoint server, to the domain controller to the SQL server, running network discovery to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT controllers.
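The pattern just described has a clear detection signature on the IT/OT boundary: several IT servers, inside a short window, each touching many OT addresses on ICS ports, while a legitimately bridging host (a historian polling one PLC, say) touches only one. The following added example (not Cybereason’s code or honeypot data) runs that correlation over constructed firewall log lines; the address ranges, host roles, timestamps, the 10-minute window and the four-target threshold are assumptions chosen for the sample.

```python
"""Detect 'multipoint' network discovery aimed at an OT segment: several IT
hosts, within one window, each probing many OT addresses. Runs over
constructed firewall log lines; address ranges, host roles and timestamps
are assumptions for this example, not real honeypot data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")   # assumed IT address space
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address space

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def _line(ts, src, dst, dport, action="deny"):
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


# Constructed log: three IT servers sweep the OT range on ICS ports
# (Modbus/TCP 502, S7comm 102, EtherNet/IP 44818) in parallel, while a
# historian's periodic Modbus polling of a single PLC is the only legitimate
# IT-to-OT traffic, plus one unrelated IT-internal SMB connection.
SAMPLE_LOG = []
for n, (host, ports) in enumerate([("10.10.1.15", [502, 102]),
                                    ("10.10.2.30", [502, 44818]),
                                    ("10.10.3.5", [102, 44818])]):
    for i in range(1, 7):
        SAMPLE_LOG.append(_line(f"2018-07-02T10:0{n}:{i:02d}", host, f"10.20.1.{i}", ports[i % 2]))
for i in range(0, 10, 2):
    SAMPLE_LOG.append(_line(f"2018-07-02T10:0{i}:30", "10.10.5.20", "10.20.2.10", 502, "allow"))
SAMPLE_LOG.append(_line("2018-07-02T10:01:45", "10.10.4.8", "10.10.9.9", 445, "allow"))


def parse_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def find_multipoint_discovery(lines, window=timedelta(minutes=10),
                              min_targets=4, min_hosts=2):
    """Within any window, find IT hosts touching >= min_targets distinct OT
    addresses; if >= min_hosts do so in the same window, report a multipoint
    sweep. Denied and allowed attempts both count: discovery is about reach."""
    events = sorted(parse_log(lines))
    it_to_ot = [(t, s, d, p) for t, s, d, p, _ in events
                if ipaddress.ip_address(s) in IT_SEGMENT
                and ipaddress.ip_address(d) in OT_SEGMENT]
    best = {"multipoint": False, "hosts": [], "targets": {}}
    for idx, (start, _, _, _) in enumerate(it_to_ot):
        targets = defaultdict(set)
        for t, s, d, p in it_to_ot[idx:]:
            if t - start > window:
                break
            targets[s].add(d)
        scanning = {s: sorted(ds) for s, ds in targets.items() if len(ds) >= min_targets}
        if len(scanning) > len(best["hosts"]):
            best = {"multipoint": len(scanning) >= min_hosts,
                    "hosts": sorted(scanning), "targets": scanning}
    return best


if __name__ == "__main__":
    result = find_multipoint_discovery(SAMPLE_LOG)
    print("multipoint sweep:", result["multipoint"], "from", result["hosts"])
```

The historian never trips the detector because its reach is one PLC, however often it polls; the three compromised servers do, because the signal is breadth of OT addresses per source combined with several sources at once, which is exactly what parallel discovery from multiple pivot points looks like on the boundary firewall.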

“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said.

What this means for security professionals

Barak suggested that organizations and companies with ICS environments operate a unified SOC that provides visibility into the IT and OT environments. As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments.

“Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” Barak said.

Threat hunting is critical, he added. This activity looks for indicators that attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network.

The activity observed in the honeypot also suggests an increased risk for operators. The possibility that this is a trophy taker rather than an APT actor with training on these types of environments dramatically increases the risk of a mistake having real-world consequences.

“The biggest lesson learned from the honeypot is that multiple tiers of attackers find ICS environments interesting. That’s increasing risk for people who operate those types of systems. The security basics are really what’s going to prevent a bad day from becoming a catastrophic day,” Rustici said.

Many of these systems are old and fragile and even trained hacking units make mistakes that cause failures in these controls. Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect, he said.


The information is gathered from CYBEREASON.