IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

FBI Alert: $18 Million in Ransomware Losses


In the past year, U.S. businesses and consumers have experienced more than $18 million in losses stemming from a single strain of ransomware called CryptoWall, according to the Internet Crime Complaint Center.


In total, IC3 - a collaboration between the FBI and the National White Collar Crime Center - says it received 992 CryptoWall-related complaints from April 2014 to June 2015. And it says the reported losses relate not just to ransom payments potentially made by victims, but additional costs that can include "network mitigation, network countermeasures, loss of productivity, legal fees, IT services and/or the purchase of credit monitoring services for employees or customers."

The quantity of ransomware attacks continues to escalate, security experts say, because it offers criminals the potential for high rewards with little risk (see Crime: Why So Much Is Cyber-Enabled). Indeed, ransomware attacks can be launched en masse by remote attackers and are relatively cheap and easy to perpetrate. Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

"In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted," IC3 reports. "Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity."

Because ransomware can rely so heavily on social engineering - tricking victims into executing related malware or falling for ransom scams - many security experts have urged businesses to continually educate their employees and customers about ways to spot such attacks and defend themselves.

Click-Fraud Attack Spike


Earlier this month, security firm Symantec warned that it had seen a spike in attacks that began with the year-old Poweliks Trojan, which was designed to perpetrate click fraud, and which also downloaded CryptoWall onto an infected system. Click fraud refers to infecting systems with malware that is used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.

Using a single piece of malware - or "dropper" - to infect a system and then download and install many other types of malware onto the same system is not a new attack technique.

For example, authorities have accused the gang behind Gameover Zeus of first using that Trojan to harvest bank credentials, and then infecting systems with Cryptolocker ransomware. The U.S. Department of Justice believes that the Gameover Zeus gang is responsible for more than $100 million in losses via the banking Trojan, and netted $27 million in ransom payments in just the first two months they began using Cryptolocker.

Attacks Get Modular


But attackers have been retooling their malware to make it easier to rapidly infect PCs with multiple types of malware. Security firm Trend Micro warned in 2013 that the aging Asprox botnet, which was first discovered in 2007, had re-emerged "with a new and improved modular framework," and been rebranded as Kuluoz malware, which was a dropper designed to download additional malware onto infected PCs.

By December 2014, the Level 42 threat-intelligence research group at security vendor Palo Alto Networks reported seeing a spike in Asprox-related attack activity. "This malware sends copies of itself over email quickly and to users all around the world and then attempts to download additional malware," it said. The researchers noted that of the 4,000 organizations that it was monitoring, the malware had been tied to "approximately 80 percent of all attack sessions" seen in October and had attempted to infect nearly half of all those organizations.

Also in December, the Association of National Advertisers warned that U.S. businesses were losing about $6.3 billion annually to click fraud. The same month, a study conducted for the ANA by the security firm White Ops found that botnets were responsible for "viewing" 11 percent of all online advertisements, and 23 percent of all online video advertisements.

Asprox Botnet Serves CryptoWall


But click-fraud malware attacks are increasingly blended with other types of malware as attackers attempt to monetize infected PCs as much - and as rapidly - as possible.

In a recent series of attacks, Asprox malware - now typically distributed via phishing attacks - "phoned home" to the Asprox command-and-control server after it infected a PC, and received back the Zemot dropper malware, according to a new report released by the security firm Damballa. The dropper then downloaded the Rovnix rootkit, as well as Rerdom, which is a click-fraud installer.

Damballa says that it has also seen Zemot get installed via crimeware toolkit exploits, which can exploit systems using known vulnerabilities, for example if attackers compromise otherwise legitimate websites and use them to launch drive-by attacks.

Inside enterprises, "click fraud is generally viewed as a low-priority risk," Damballa says. "In reality, click fraud is often a precursor to something more sinister. A device infected with click-fraud [malware] may leave the enterprise susceptible to dangerous downstream infections."

Indeed, Damballa reports that tests of Asprox-infected machines found that over the course of two hours, a single PC was infected with three different types of click-fraud malware, as well as the CryptoWall ransomware. Even after CryptoWall encrypted much of the infected PC's hard drive, furthermore, the click-fraud malware continued to operate, so long as the machine remained Internet-connected.


New Rombertik malware destroys master boot record if analysis function detected


While malware that scans for analysis and detection tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make analysis even more difficult, in the Rombertik sample unpacked by Cisco more than 97 percent of the packed file is dedicated to useless content, including 75 images and more than 8,000 functions that are never called.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it's unlikely to evade them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



New Android Trojan fakes device shut down, spies on users


A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers.

They dubbed it PowerOffHijack, and AVG's security solutions detect it under that name.

PowerOffHijack has been discovered in China, where it has already infected over 10,000 devices. It is apparently being propagated via third-party online app stores, but the researchers haven't mentioned what apps it masquerades as.

The Trojan is capable of infecting Android versions below v5.0 (Lollipop).

How does it work?

"After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on," the researchers explained.

That's because the malware, having previously obtained root access, is capable of injecting into the system_server process, hooking the mWindowManagerFuncs object, and ultimately preventing the mWindowManagerFuncs.shutdown function from doing its job, which is to first shut down the radio service and then invoke the power manager service to turn the power off.

After keeping the power button pressed long enough to initiate the shutdown procedure, victims are presented with a fake pop-up that asks for confirmation of the process, and then see a fake shutdown animation. The malware and the phone will continue working, but the screen will be black.



The 5 Most Dangerous Software Bugs of 2014 | WIRED


Dealing with the discovery of new software flaws, even those that leave users open to serious security exploits, has long been a part of everyday life online. But few years have seen quite so many bugs, or ones quite so massive. Throughout 2014, one Mothra-sized megabug after another sent systems administrators and users scrambling to remediate security crises that affected millions of machines.

Several of the bugs that shook the Internet this year blindsided the security community in part because they weren’t found in new software, the usual place to find hackable flaws. Instead, they were often in code that’s years or even decades old. In several cases the phenomenon was a kind of perverse tragedy of the commons: major vulnerabilities in software used for so long by so many people that it was assumed someone had long ago audited it for vulnerabilities.

“The sentiment was that if something is so widely deployed by companies that have huge security budgets, it must have been checked a million times before,” says Karsten Nohl, a Berlin-based security researcher with SR Labs who has repeatedly found critical bugs in major software. “Everyone was relying on someone else to do the testing.”

Each of those major bug finds in commonly used tools, he says, inspired more hackers to start combing through legacy code for more long-dormant flaws. And in many cases, the results were chilling. Here’s a look at the biggest hacker exploits that spread through the research community and the world’s networks in 2014.

Heartbleed

When encryption software fails, the worst that usually happens is that some communications are left vulnerable. What makes the hacker exploit known as Heartbleed so dangerous is that it goes further. When Heartbleed was first exposed in April, it allowed a hacker to attack any of the two-thirds of Web servers that used the open source software OpenSSL and not merely strip its encryption, but force it to cough up random data from its memory. That could allow the direct theft of passwords, private cryptographic keys, and other sensitive user data. Even after systems administrators implemented the patch created by Google engineer Neal Mehta and the security firm Codenomicon—who together discovered the flaw—users couldn’t be sure that their passwords hadn’t been stolen. As a result, Heartbleed also required one of the biggest mass password resets of all time.

Even today, many vulnerable OpenSSL devices still haven’t been patched: An analysis by John Matherly, the creator of the scanning tool Shodan, found that 300,000 machines remain unpatched. Many of them are likely so-called “embedded devices” like webcams, printers, storage servers, routers and firewalls.

Shellshock

The flaw in OpenSSL that made Heartbleed possible existed for more than two years. But the bug in Unix’s “bash” feature may win the prize for the oldest megabug to plague the world’s computers: It went undiscovered, at least in public, for 25 years. Any Linux or Mac server that included that shell tool could be tricked into obeying commands sent after a certain series of characters in an HTTP request. The result, within hours of the bug being revealed by the US Computer Emergency Readiness Team in September, was that thousands of machines were infected with malware that made them part of botnets used for denial of service attacks. And if that weren’t enough of a security debacle, US CERT’s initial patch was quickly found to have a bug itself that allowed it to be circumvented. Security researcher Robert David Graham, who first scanned the Internet to find vulnerable Shellshock devices, called it “slightly worse than Heartbleed.”

POODLE

Six months after Heartbleed hit encrypted servers around the world, another encryption bug found by a team of Google researchers struck at the other side of those protected connections: the PCs and phones that connect to those servers. The bug in SSL version 3 allowed an attacker to hijack a user’s session, intercepting all the data that traveled between their computer and a supposedly encrypted online service. Unlike Heartbleed, a hacker exploiting POODLE would have to be on the same network as his or her victim; the vulnerability mostly threatened users of open Wifi networks—Starbucks customers, not systems administrators.

Gotofail

Heartbleed and Shellshock shook the security community so deeply that it may have almost forgotten the first mega-bug of 2014, one that affected exclusively Apple users. In February, Apple revealed that users were vulnerable to having their encrypted Internet traffic intercepted by anyone on their local network. The flaw, known as Gotofail, was caused by a single misplaced “goto” command in the code that governs how OSX and iOS implement SSL and TLS encryption. Compounding the problem, Apple released a patch for iOS without having one ready for OSX, in essence publicizing the bug while leaving its desktop users vulnerable. That dubious decision even prompted a profanity-laden blog post from one of Apple’s own former security engineers. “Did you seriously just use one of your platforms to drop an SSL [vulnerability] on your other platform? As I sit here on my Mac I’m vulnerable to this and there’s nothing I can do,” wrote Kristin Paget. “WHAT THE EVER LOVING F**K, APPLE??!?!!”

BadUSB

One of the most insidious hacks revealed in 2014 doesn’t exactly take advantage of any particular security flaw in a piece of software’s code—and that makes it practically impossible to patch. The attack, known as BadUSB, debuted by researcher Karsten Nohl at the Black Hat security conference in August, takes advantage of an inherent insecurity in USB devices. Because their firmware is rewritable, a hacker can create malware that invisibly infects the USB controller chip itself, rather than the Flash memory that’s typically scanned for viruses. A thumb drive, for instance, could contain undetectable malware that corrupts the files on it or causes it to impersonate a keyboard, secretly injecting commands on the user’s machine.

Only about half of USB chips are rewritable and thus vulnerable to BadUSB. But because USB device makers don’t reveal whose chips they use and often switch suppliers on a whim, it’s impossible for users to know which devices are susceptible to a BadUSB attack and which aren’t. The only real protection against the attack, according to Nohl, is to treat USB devices like “syringes,” never sharing them or plugging them into an untrusted machine.

Nohl considered his attack so serious that he declined to publish the proof-of-concept code that demonstrated it. But just a month later, another group of researchers released their own reverse-engineered version of the attack in order to pressure chip makers to fix the problem. Though it’s tough to say whether anyone has made use of that code, that means millions of USB devices in pockets around the world can no longer be trusted.




Sony Hack: Ties to Past 'Wiper' Attacks?


The "wiper" malware attack against Sony Pictures Entertainment has numerous commonalities with previous wiper attacks in Saudi Arabia and South Korea, anti-virus firm Kaspersky Lab reports.

While that's no smoking gun proving that the same group is behind all three attacks, "it is extraordinary that such unusual and focused acts of large-scale cyber destruction are being carried out with clearly recognizable similarities," says Kurt Baumgartner, a Kaspersky Lab principal researcher, in a blog post.


Previous high-profile wiper malware attacks - designed to erase data from PC and file-server hard drives and delete the master boot record, so the machines cannot boot - have included the use of "Shamoon" malware against Saudi Aramco, and "Dark Seoul" malware against South Korean banks and broadcasters. The attacks - launched in 2012 and 2013, respectively - each resulted in an estimated 30,000 hard drives being erased. The identity of the attackers has never been confirmed - although South Korea published evidence of North Korean ties to Dark Seoul. Security experts say insiders, hacktivists or a nation state could be responsible.

Baumgartner sees an extensive list of similarities between the Shamoon and Dark Seoul campaigns, and the Nov. 24 Destover - also known as Wipal - malware campaign against Sony. From a timing perspective, for example, Kaspersky Lab says attackers compiled both the Dark Seoul and Destover wiper executable files 48 hours or less before the wiper attacks commenced, while Shamoon was compiled five days before the payload was set to "detonate."

For Sony, that timeline offers new clues about just how badly the company had likely been breached. "It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack," Baumgartner says, because it would have been very difficult to steal so much data and infect numerous systems in less than 48 hours.

Technical Similarities

Technically speaking, Shamoon and Destover both used commercially available EldoS RawDisk drivers, which enable developers to create applications that can gain direct access to Windows disks, thus allowing them to evade security restrictions or file locking, Baumgartner says. "The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself," he says. But the overwritten data wasn't just random zeros and ones. "Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record," he says.

By overwriting the master-boot record, or MBR, attackers could make it impossible to boot an infected Windows machine. But the good news, Baumgartner says, is that based on previous attacks, the attackers didn't forcibly wipe all data being stored on the disk, which ultimately made recovering whatever was being stored on the drive easier. "In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data," he says. "Destover data recovery is likely to be the same."

Shamoon, Dark Seoul and Destover were all hit-and-run attacks committed by groups about which nothing is known. "All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically charged event that was suggested as having been at the heart of the matter," Baumgartner says.

The graphic and warning used by the "Whois" team that claimed credit for Dark Seoul, and the "Guardians of Peace" - or G.O.P. - group that's claimed credit for hacking Sony, are aesthetically quite similar, including similar fonts, colors, warning language and love of skull graphics.

Not New: Sabotage, Ransomware

But the technical, timing and aesthetic similarities don't prove that the same group was behind all three attacks, and security experts say that whoever launched Destover may have just carefully studied Shamoon or Dark Seoul.

And sabotage attacks launched against individuals and businesses are nothing new. On an individual level, for example, "what we are seeing a lot of is so-called ransomware, which is effectively a monetized version of this type of [wiper malware] attack," Roel Schouwenberg, a security researcher at Kaspersky Lab, tells Information Security Media Group.

While security experts say large-scale wiper attacks are rare, cybercriminals do sometimes employ these tactics. In June, for example, criminals used a distributed-denial-of-service attack against source code hosting firm Code Spaces to obscure their simultaneous 12-hour hack attack in which they deleted most of the business's data, machine configurations as well as onsite and offsite backups, and then demanded a ransom. Instead, Code Spaces shuttered.

Leaked: PII For Actors, Directors

For Sony, the breach is embarrassing for executives and puts employees and freelancers at risk. The list of leaked data includes Social Security numbers for numerous current and former employees and freelancers, including actor Sylvester Stallone, Australian actress Rebel Wilson and director Judd Apatow, The Wall Street Journal reports.

"More than 600 files that contained Social Security numbers - these included Acrobat PDFs, Excel spreadsheets, and Word docs - with more than 47,000 unique SSNs were publicly available," says Todd Feinman, president and CEO of data loss and leak-prevention firm Identity Finder, in a blog post, referencing data that had been leaked by Dec. 3.

The leaked information is reportedly now circulating on BitTorrent sites, meaning that anyone can download the files and potentially use the data to commit identity theft. The risk of ID theft - for example to fraudulently open credit card accounts or take out mortgages in someone else's name - for 15,000 current and former employees is high, Feinman warns, because their full names, birthdates, and home addresses are also included in the leaked Sony data.

Sony has not responded to repeated requests for comment on the hack attack.




New Survey Reveals Enterprises Are At Risk From The Internet Of Things

The Internet of Things (IoT) is challenging enterprises as IT teams struggle to secure the influx of newly connected devices.

Via Roger Smith, Paulo Félix
Roger Smith's curator insight, December 3, 2014 7:27 PM

When your fridge can SPAM the Internet, or an air conditioner can be used to bug a meeting room, IoT is going to cause many problems when it comes to security.

Level343's curator insight, December 5, 2014 3:35 PM

BUSINESS PRODUCTIVITY RULES OUT OVER SECURITY

Another key finding from Tripwire’s survey is that while 63 percent of C-level executives expect business efficiencies and productivity to force them to adopt IoT devices regardless of the security risks, only 27 percent of them are “very concerned” about the risks.


Lenovo Patches Critical PC Flaws


Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.


The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCenter and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.


The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.


One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.
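The verify-then-install race described above is a time-of-check/time-of-use (TOCTOU) problem. The following is an added illustration, not Lenovo's or IOActive's code: a toy updater that hashes a downloaded file and then re-opens it to "install" it, next to a version that verifies and uses the same bytes. The file names, the sample payloads, the hash standing in for a signature check, and the `between_check_and_use` hook that stands in for local malware rewriting the file are all constructed for the demonstration.

```python
"""Toy updater showing the verify-then-use race and a fix (added example)."""
import hashlib
import os
import tempfile


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def racy_install(path, expected_sha256, between_check_and_use=None):
    """Vulnerable pattern: hash the file, then re-open it to 'execute' it.
    Anything that rewrites the file between the two opens is what gets run."""
    with open(path, "rb") as f:
        if sha256_of(f.read()) != expected_sha256:
            raise ValueError("update failed verification")
    if between_check_and_use:
        between_check_and_use()  # simulated window for local malware
    with open(path, "rb") as f:
        return f.read()  # the bytes that would actually be executed


def safe_install(path, expected_sha256, between_check_and_use=None):
    """Hardened pattern: read once, verify those exact bytes, use those exact
    bytes. The same hook fires, but there is no second read to race."""
    with open(path, "rb") as f:
        payload = f.read()
    if sha256_of(payload) != expected_sha256:
        raise ValueError("update failed verification")
    if between_check_and_use:
        between_check_and_use()
    return payload


def demo():
    """Runs both installers against a file that is swapped mid-install.
    Returns (what the racy installer ran, what the safe installer ran)."""
    good = b"echo legitimate update"  # constructed sample payload
    evil = b"echo attacker payload"   # constructed sample payload
    expected = sha256_of(good)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.bin")  # constructed path

        def write(data):
            with open(path, "wb") as f:
                f.write(data)

        def swap():
            write(evil)  # simulated local malware altering the download

        write(good)
        racy_result = racy_install(path, expected, swap)
        write(good)
        safe_result = safe_install(path, expected, swap)
    return racy_result, safe_result


if __name__ == "__main__":
    racy, safe = demo()
    print("racy installer ran:", racy)
    print("safe installer ran:", safe)
```

In a real updater the bytes are verified with a signature rather than a bare hash, and the verified copy should live somewhere an unprivileged local process cannot write; the structural point is the same: whatever was verified must be exactly what is executed.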


To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.


Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."


While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.


Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.


To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.
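The token weakness IOActive describes comes down to an authentication value that any local user can compute. The added Python example below is written for this page, not Lenovo's or IOActive's code, and the article does not describe Lenovo's actual token algorithm. It contrasts a hypothetical predictable-token check (a hash over values every user can observe) with a keyed-HMAC token bound to one command and a single-use nonce; the class names, the command strings and the assumption that only the privileged service can read the HMAC secret are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PredictableTokenService:
    """Hypothetical weak design (constructed, not Lenovo's code): the token is a
    plain hash of the command and a counter that every local user can read, so
    any unprivileged process can mint a valid token for any command."""

    def __init__(self):
        self.counter = 0  # assumed observable by every local user

    @staticmethod
    def token_for(command: str, counter: int) -> str:
        # No secret enters the computation, which is the whole problem.
        return hashlib.sha256(f"{counter}:{command}".encode()).hexdigest()

    def execute(self, command: str, token: str) -> bool:
        if token != self.token_for(command, self.counter):
            return False
        self.counter += 1
        return True  # a real service would run the command here


class HmacTokenService:
    """Hardened design: tokens are HMAC tags keyed with a secret that only the
    privileged service can read (assumption: file ACLs or a privileged issuer).
    Each token is bound to one command and one nonce, and a nonce is accepted once."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.used_nonces = set()

    def _tag(self, nonce: str, command: str) -> str:
        return hmac.new(self.secret, f"{nonce}:{command}".encode(), "sha256").hexdigest()

    def issue(self, command: str):
        """Called by the privileged component that is allowed to request work."""
        nonce = secrets.token_hex(16)
        return nonce, self._tag(nonce, command)

    def execute(self, command: str, nonce: str, tag: str) -> bool:
        if nonce in self.used_nonces:
            return False  # replayed token
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(self._tag(nonce, command), tag):
            return False
        self.used_nonces.add(nonce)
        return True


def demo() -> dict:
    """Exercise both designs; every value should be True for the hardened one."""
    weak = PredictableTokenService()
    # An unprivileged caller recomputes the hash the service expects.
    forged = PredictableTokenService.token_for("install unsigned.exe", weak.counter)
    results = {"weak_accepts_forged": weak.execute("install unsigned.exe", forged)}

    strong = HmacTokenService()
    nonce, tag = strong.issue("install update.exe")
    results["legit_accepted"] = strong.execute("install update.exe", nonce, tag)
    results["replay_rejected"] = not strong.execute("install update.exe", nonce, tag)
    nonce2, tag2 = strong.issue("install update.exe")
    # A token for one command must not authorize a different command.
    results["other_command_rejected"] = not strong.execute("install unsigned.exe", nonce2, tag2)
    # Without the secret a forger can only guess the 256-bit tag.
    results["guess_rejected"] = not strong.execute("install unsigned.exe", secrets.token_hex(16), "0" * 64)
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed design only holds if the HMAC secret really is unreadable by unprivileged users; binding the tag to the exact command text and a nonce means a captured token cannot be replayed or repurposed, and `hmac.compare_digest` keeps the comparison constant-time.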

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.


"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.


For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.


But protection was provisional on the Lenovo software correctly handling digital certificates, which it was not. "Lenovo - like Fandango, Credit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."
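Bocek's point that other controls collapse when certificates are not validated is easiest to see in a TLS client configuration. The added Python example below is not from the article or from any vendor named in it; it shows a client context that skips chain and hostname verification (the failure mode described above, where a certificate from an attacker-controlled authority is accepted) beside one that requires a chain to a trusted root, with a small audit function that flags the weak settings. The function names are constructed for this page.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Constructed weak configuration: TLS is used, but the peer certificate is
    never checked against a trust store and the hostname is never compared, so a
    certificate minted by anyone's private CA is accepted (the "coffee shop" case)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain to a trusted authority not required
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default-safe configuration: chain must terminate in a trusted root from the
    platform store, the hostname must match, and legacy protocol versions are off."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses an updater or app should never ship with."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

An update client that talks only to its vendor's servers can go one step further and pin the vendor's own root with `ctx.load_verify_locations(cafile=...)` on a context that keeps `CERT_REQUIRED`, so even a mis-issued public certificate is rejected.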


Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.



Ransomware Attacks' New Focus: Businesses


Ransomware attacks are getting more agile, varied and widespread, and are increasingly taking aim at businesses of all sizes in all sectors, rather than consumers.

These attacks involve two-part schemes. First, a device is infected with malware that locks the user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.

In recent weeks, three reports from security firms and researchers have noted new ransomware scheme trends that are making these attacks more difficult to thwart and detect.

As a result, experts say businesses need to focus more attention on employee education about how to avoid falling victim to these attacks and other socially engineered schemes.

New Attacks

On March 2, security firm FireEye warned that hundreds of websites may have been exposed to "malvertisements" - ads containing ransomware - via criminals' abuse of ad networks that use real-time bidding.

"Real-time bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served," FireEye says. "A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the ad exchange awards the highest bidder who has an active bid on advertising matching the incoming user's demographic profile. As a result, the auction winner's ad is displayed."

In another recently released report, anti-virus provider Bitdefender noted that cybercriminals were using help files as a way of infecting devices with a variant of the ransomware known as CryptoWall. Attackers sent malicious emails with the subject "Incoming Fax Report" that contained help files with the compiled HTML extension, Bitdefender noted. When users opened the files, they were presented with a help window that automatically downloaded CryptoWall in the background.

In a third report, released March 6, a French malware researcher known as Kafeine said he discovered what at first appeared to be a new version of the ransomware known as TorrentLocker, but was later determined to be new malware. This is concerning, researchers say, because it proves how quickly hackers are adapting by developing entirely new malware strains that evade current detection mechanisms.

The Evolution of Ransomware

"Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared," says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. "The most troubling evolution is the migration to mobile ransomware."

In May 2014, security researchers warned of a new type of ransomware attack taking aim at employees and customers of banking institutions in Europe. The attack was being spread to mobile devices through the banking Trojan known as Svpeng (see New Ransomware Targets Mobile).

Today, attacks waged against Windows and Android operating systems have continued to spread.

"There is a lot of momentum behind ransomware and we do expect it to be a continuing issue throughout the rest of this year and beyond," says John Miller, manager of the Cyber Crime Threat Scape at cyber-intelligence firm iSIGHT Partners. "Law enforcement in different countries can help educate residents about the threats," which are designed for targeted global markets based on language and payments habits, he explains.

But it's up to individual companies to educate their own employees about how to identify a ransomware attack before becoming victimized, Miller adds.

Why Ransomware Is So Dangerous

Rather than targeting home-users' files, as was common in 2012 and 2013, attacks emerging in late 2014 started targeting business assets by encrypting enterprise database files and shared storage systems, says Jeff Horne, vice president of the security firm Accuvant.

"This is extremely dangerous to an enterprise network, as it could potentially destroy a business if offline backups haven't been stored," Horne says. "The real issue is the encryption that is being utilized, more often than not, cannot be broken with today's computers. Therefore, when these files are locked, if the ransom isn't paid, the files are gone until computers can break the encryption."

Another danger, he says, is that hackers sometimes collect the ransom but never decrypt the data, making it virtually useless to the business.

Randy Abrams, research director for cyberthreat intelligence firm NSS Labs, says malware strains used in ransomware attacks are getting stealthier. And like Horne, he says the encryption hackers are using to lock files is getting harder to break.

"Older ransomware used cryptographic techniques that could be cracked," Abrams says. "This currently is no longer the case."

Ransomware can be devastating to victims who have no back-ups or who don't back up to local or network-connected drives, he says. "Online backup services, such as Carbonite, are very useful. But users must be certain that file types are also backed up."

A Growing Threat

The use of ransomware is spreading because the attacks make good business sense for cybercriminals, who can reap big payouts, iSIGHT's Miller says. "Windows ransomware is all over the place," he says. "It's very effective and very popular."

Cryptolocker was the first type of ransomware that got attention, Miller points out, "and criminals' observations of the damage that Cryptolocker was doing made them realize how profitable ransomware could be."

Today's attackers, who range from organized cybercrime rings to nation-states, are selling ransomware using sophisticated business models, says Peter Tran, general manager and senior director of security firm RSA's global advanced cyber-defense practice.

"The hacker distribution techniques and ecosystem are run like a business," Tran says. "The development, buying, selling, trading and distribution creates micro-economies that scale very quickly for both cybercriminals and nation-state attackers. This is a global network much like the open-source software developer communities, where software can be developed very quickly and with greater capacity than closed, proprietary development."

Also, most of the malware strains used in these attacks are evading detection by anti-virus programs, he adds.

"In the past 12 months, over 300 million malware samples have been reported in circulation, many of which are modifications of existing variants, but many are unique," Tran says. "The sheer scale is overwhelming."



'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
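The server-side mitigation the Freak Attack site recommends, disabling export cipher suites, is illustrated by the added Python example below; it is not a tool from the Freak Attack site, Microsoft or Tenable. It filters a constructed cipher-suite preference list of the kind kept in the Windows "SSL Cipher Suite Order" policy mentioned above, using standard IANA suite names, and builds an OpenSSL server context that keeps only 128-bit-or-stronger suites. `SAMPLE_SUITE_ORDER`, the function names and the cipher string are assumptions chosen for illustration.

```python
import ssl

# Constructed sample of an administrator's cipher-suite preference list. The
# three *_EXPORT_* entries are the 40-bit RSA suites Freak downgrades to.
SAMPLE_SUITE_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]


def is_export_suite(name: str) -> bool:
    """True for export-grade suites in IANA (TLS_..._EXPORT_...) or OpenSSL (EXP-...) naming."""
    return "_EXPORT_" in name or name.startswith("EXP-")


def remove_export_suites(order):
    """Split a preference list into the suites to keep and the ones to disable."""
    kept = [s for s in order if not is_export_suite(s)]
    removed = [s for s in order if is_export_suite(s)]
    return kept, removed


def hardened_server_context() -> ssl.SSLContext:
    """Server context that cannot negotiate export-grade or other weak suites.
    HIGH already excludes 40/56-bit export ciphers; the explicit exclusions
    also drop anonymous, null, RC4, MD5 and 3DES suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES")
    return ctx


def weak_suites_enabled(ctx: ssl.SSLContext) -> list:
    """Audit what the context would actually offer: anything export-grade or
    under 128 bits of strength is reported."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if is_export_suite(c["name"]) or c["strength_bits"] < 128
    ]


if __name__ == "__main__":
    kept, removed = remove_export_suites(SAMPLE_SUITE_ORDER)
    print("keep:", kept)
    print("disable:", removed)
    print("weak suites offered by hardened context:", weak_suites_enabled(hardened_server_context()))
```

The audit function reads back what OpenSSL will really offer rather than trusting the cipher string, which is the check to run after any cipher-policy change, since a typo in a cipher string is silently ignored and can leave weak suites enabled.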

This is not the first time that Microsoft's Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, and which was later found in TLS. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Why Fraud Is Shifting to Mobile Devices


As a result of the explosive growth in worldwide use of smart phones, mobile malware will play a much bigger role in fraud this year, predicts Daniel Cohen, who heads up the anti-fraud services group at security firm RSA, which just released its 2014 Cybercrime Roundup report.


Mobile devices will be the new focus for phishing attacks, taking the place of spam attacks that for more than a decade have been waged against PCs, Cohen, an expert on phishing trends, says in an interview with Information Security Media Group.

"Smart phone technology is the fastest adopted technology in the history of mankind," Cohen says. In 2014, 1.3 billion new smart phones were purchased by consumers throughout the world, while in 2015, forecasts suggest that another 2 billion of these devices will be shipped to consumers, he points out.

"The bad guys are looking at this ... and they understand that they have to be on those platforms and those systems," he says.

Security Challenges for Mobile

This shift to mobile fraud is posing challenges for security teams, because the methods used to protect end-users from attacks waged against PCs don't translate well for mobile, Cohen notes.

The mobile threat involves the use of what Cohen describes as "permission-ware." The end-user knowingly downloads mobile applications and gives those apps permission to run on his device, Cohen says. So when the app is malicious, the user determines the number of permissions that app will have once it's installed.

Cohen points to Svpeng, mobile ransomware identified by security firm Kaspersky Labs in summer 2014, as an example of the kind of threat that will become more common this year.

"Svpeng started out as a phishing attack on the mobile phone," Cohen says. "The app would wait for a legitimate app to launch, and once that app launched, the malicious app, Svpeng, would launch and then ask for more information. ... In 2015, we will see the mobile channel leveraged more and more in attacks like this."

In the interview, Cohen also discusses:

  • How the underground economy is evolving and fueling the rapid spread of malware and phishing attacks;
  • Why the U.S. continues to rank No. 1 for phishing attacks waged against banking brands; and
  • Why remote-access attacks waged against point-of-sale vendors are expected to increase this year.

At RSA, Cohen serves as the head of the anti-fraud services group, where he focuses on phishing attacks, malware and threat intelligence.



TorrentLocker ransom rampage encrypts 285 million files and counting


Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted—a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.

On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.

Of the nearly 40,000 victims detected by analyzing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.

A couple of smaller points worth pulling out. Versions of TorrentLocker appear to have been around a bit longer than previously realized, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.

The easiest to overlook aspect of ESET’s research is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially-engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users—an alleged unpaid invoice, a speeding ticket, and package tracking—all localized to the country of the victim.




Devastating malware that hit Sony Pictures similar to other data wiping programs


A malware program with data wiping functionality that was recently used to attack Sony Pictures Entertainment bears technical similarities to destructive malware that affected organizations in South Korea and the Middle East in the past.

Security researchers from Kaspersky Lab, Symantec and Blue Coat Systems independently reported that Trojan Destover, the malicious program used in the Sony Pictures attack, relied on a legitimate commercial driver called EldoS RawDisk to overwrite data and master boot records.

That same driver was used by a piece of malware called Shamoon that is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.

A previously unknown hacktivist group called the Cutting Sword of Justice took credit for the attack on Saudi Aramco through a series of posts on Pastebin. The group said it targeted the company because it was the main financial source for Saudi Arabia’s Al Saud regime, which the group claimed supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon and Egypt.

The attack against Sony Pictures Entertainment was carried out by another previously unknown group called the Guardian of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”

The sharing of a third-party driver is not enough evidence to establish a direct link between the two malware programs, but it is possible that the Destover creators copied techniques from Shamoon, especially since the EldoS RawDisk driver is an unusual choice for implementing data wiping functionality.

Both Destover and Shamoon stored the EldoS RawDisk driver in their resource sections and both were compiled just days before being used in attacks, researchers from Kaspersky Lab said in a blog post.


Destover shares even more commonalities with another wiper malware program called DarkSeoul or Jokra that affected several banks and broadcasting organizations in South Korea in March 2013.

“The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired,” researchers from Symantec said in a blog post. “Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks.”

The Jokra attacks were accompanied by website defacements that displayed a message from an obscure group of hackers called the Whois Team. “This is the beginning of our movement,” the message said. “User accounts and all data are in our hands.”

The GOP also left a message for Sony Pictures informing the company that it had obtained its internal data and both GOP’s and Whois Team’s messages were accompanied by images of skeletons, though this might be a mere coincidence.

“Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack,” the Kaspersky researchers said. “It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.”

A more direct connection was established by Symantec between Destover and a backdoor program known as Volgmer that allows attackers to retrieve system information, execute commands, upload files, and download files for execution.

“Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets,” the Symantec researchers said. “The shared C&C indicates that the same group may be behind both attacks.”

The apparent links between Destover and malware that was used to target South Korean organizations will likely fuel ongoing speculation that North Korea might be behind the attack against Sony Pictures Entertainment, supposedly as retaliation for an upcoming comedy film called “The Interview” in which two reporters are asked by the CIA to assassinate North Korean leader Kim Jong Un. North Korea reportedly denied its involvement in the attack.

These commonalities “do not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover,” the Kaspersky researchers said. “But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.”





Defending Against 'Wiper' Malware

In the wake of the FBI issuing a warning that a U.S. business has been attacked using a dangerous form of "wiper" malware, security experts say businesses must protect themselves against attack code that aims to delete the content of every hard drive it touches.


Defensive measures organizations can take include segmenting important information to hardened networks, backing up data offsite in case systems get wiped, and investing in appropriate resources to detect breaches quickly (see: Speeding Up Breach Detection).

The FBI alert is reportedly tied to the Nov. 24 hack of Sony Pictures Entertainment, which locked employees out of their PCs, instead displaying a message that their system had been "Hacked By #GOP," referring to a group of attackers calling themselves Guardians of Peace (see Sony Hack: FBI Issues Malware Alert).

Malware Characteristics

The alert is notable because attackers rarely employ wiper malware that's designed to delete the content of drives. To date, wiper malware has only been seen in a handful of attacks, mostly in the Middle East or South Korea, Costin Raiu, who heads the information security research team at anti-virus vendor Kaspersky Lab, says in a blog post.

But many information security experts say they've never seen such an attack launched against a business in the United States. "This is somewhat of a watershed event," says Alex Cox, senior manager at information security research organization RSA FirstWatch. "Up until now, we have had very limited examples of large-scale data destruction."

That's because the majority of attack code is designed to steal data - and especially financial or intellectual property details - rather than destroy it. "Wiper-type malware is rare because the motive of modern virus writers is to infect machines silently and avoid detection for as long as possible to enable attackers to control the infected machine for longer and to steal [valuable] information," says Brian Honan, who heads Ireland's computer emergency response team. "Wiper malware, in contrast, is noisy [and] those infected will know straightaway."

Wiper malware attacks the master boot record and core file system operations, says David Kennedy, CEO of TrustedSec, an information security consulting service. "It makes it hard to recover from the malicious software, which could be disastrous for organizations," he says.

This form of malware also operates fairly swiftly, says Shirley Inscoe, an analyst at the consultancy Aite Group. "Once the malware gets into a system, it spreads and could be very difficult to detect and shut down in time to avoid major disruption."

As a result, many information security experts believe that the attack referenced by the FBI may not be the work of garden-variety cybercriminals. "Data deletion would typically be associated with hacktivism - deletion of backups - or strategic political or wartime goals, such as Stuxnet," Cox says. "Destroying access to a network doesn't really fit the cybercrime model - where criminals want to retain quiet access to continue their theft - or the APT model where nation-states want to retain access for espionage purposes. A dead network is a network that gives no data."

As the Sony Pictures attack demonstrates, wiper malware can also be used to disrupt an entire business. "When I think of such threats, it's Shamoon that comes to mind," says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, referring to malware that was used in August 2012 to wipe an estimated 30,000 PCs at Saudi Aramco, Saudi Arabia's state-owned petroleum and natural gas producer. Security experts never identified exactly who launched Shamoon.

Wiper malware has typically been the domain of someone who wants to air a grievance, says John Hultquist, who heads the cyber-espionage practice at threat-intelligence firm iSight Partners. "Even though it has practical effects - for instance, halting oil production or shutting down operations - its greatest impact is perception - the message being sent," he says.

Defensive Measures

Organizations can take several steps to protect themselves against wiper malware, starting with using segmented networks, F-Secure's Sullivan says. "Isolate important intellectual property to hardened networks," he advises. "Access those networks 'remotely' - [using] some kind of remote desktop software." That adds a security layer that makes it more difficult for attackers' malware to access - or wipe - PCs connected to that network.

Backing up data is also essential, in case systems get wiped and must be reinstalled, and such backups must be disconnected from the network, lest they get deleted by the same wiper malware. "Continual, offsite data backups are critical for any organization," says Michael Sutton, vice president of security research at cloud security firm Zscaler. "Backups can be a challenge with a mobile workforce when devices rarely return to the corporate office, but Internet-based backup solutions provide a means of remote backup so long as an Internet connection is available."
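Sutton's advice on offsite backups only pays off if the copy is known to be good before it is needed, and a wiper that overwrites files in place is exactly what a content manifest catches. The added Python example below is not from the article or from any firm quoted in it: it records a SHA-256 manifest of a directory tree, simulates a wiper overwriting one file with zeros and deleting another, shows the manifest flagging both, and then verifies a restore from the offline copy against the stored manifest before the copy is trusted. The directory layout and file contents are constructed for this page.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large database files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Digest of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a live tree (or a restored copy) against a stored manifest.
    Overwritten files show up as 'changed', deleted ones as 'missing'."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up, wipe, detect, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "db").mkdir(parents=True)
        (live / "db" / "records.sqlite").write_bytes(b"constructed sample database\n" * 100)
        (live / "notes.txt").write_text("constructed sample note\n")

        # Take the backup and store the manifest alongside it (offline media in practice).
        manifest = build_manifest(live)
        backup = Path(tmp, "offline_backup")
        shutil.copytree(live, backup)
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulate a wiper: one file overwritten with zeros, one deleted.
        target = live / "db" / "records.sqlite"
        target.write_bytes(b"\x00" * target.stat().st_size)
        (live / "notes.txt").unlink()
        after_wipe = verify_tree(live, manifest)

        # Restore from the offline copy and verify it before trusting it.
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        stored = json.loads(Path(tmp, "manifest.json").read_text())
        after_restore = verify_tree(restored, stored)
        return after_wipe, after_restore


if __name__ == "__main__":
    wiped, restored = demo()
    print("after wipe:", wiped)
    print("after restore:", restored)
```

Keep the manifest with the offline copy rather than on the network it describes, and run the restore-and-verify step on a schedule; a backup that has never been restored is an assumption, not a control.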

In addition, organizations that received the FBI alert can use the file structure for the malicious software, which was provided, to help detect a malware intrusion, Kennedy at TrustedSec says. "However, note that these [file structures] could change when deployed in other systems," he says. "The best approach is still having multiple layers of defense in order to prevent an attack from occurring in the first place."

The attack against Sony also illustrates the critical importance of having business continuity and disaster recovery plans, says Rick Holland, principal security analyst at Forrester Research. "InfoSec teams need to be highly engaged with the groups that put these plans together," he says. Servers are obviously included in such plans, but they also need to extend to workstations and desktops that are critical to business operations, Holland adds.

"Events like this could lead organizations to research virtual desktop deployments, which make recovering from these types of attacks much easier," he says.

Investing appropriate resources into quickly detecting breaches is also essential. "The unfortunate reality of today's threat landscape is that enterprises will be breached," Sutton says. "When that occurs, it is essential that the breach is quickly identified and isolated so as to limit the overall damage."