Tag Archives: malware

VPNFilter and other neat tricks

The Spectre and Meltdown attacks that came to light at the beginning of the year have been the main focus of this year’s security issues however there has been a lot more going on than that.

On that note though, additional Spectre variations have been found (we’re up to v4 now); as well, the BSD team has alluded to a notice for the end of June potentially regarding Hyper Threading in Intel CPUs which could have far-reaching effects for virtualisation systems.

But on to the main topic of this post: VPNFilter is a modular malware that infects consumer or SOHO routers and can perform a number of malware-related functions. It is thought to be the work of Russian state-sponsored attackers “Fancy Bear” who have been fingered for previous attacks like BlackEnergy.

The attack is split into 3 stages:

  1. exploit router and pull down image from Photobucket website
  2. the metadata in the image is used to determine the IP address for stage 2; open a listener and wait for a trigger packet for direct connection
  3. connect from Command and Control, and engage plugins for stage 3

Some new stage 3 plugins have recently come to light including:

  1. inject malicious content into web traffic as it passes through a network device
  2. remove traces of itself from the device and render the device unusable
  3. perform man in the middle attacks (mitm) to deliver malware and exploits to connected systems
  4. packet sniffer module that monitors data specific to industrial control systems (SCADA)

If this sounds scary, then you’re on the right track. But think bigger, much bigger. Because the attacker is on the device connecting users to the internet, it could potentially both monitor and alter any internet traffic.

From ARSTechnica:

“Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.”

What devices are affected? The full list is in the Cisco Talos blog post on the issue however briefly it includes upwards of 70 models from vendors like TP-Link, Dlink, Netgear, Linksys and Mikrotik, all of which are consumer units that can be expected to be used in SOHO environments.

On to Satori, a more recent botnet based on the formerly impressive Mirai code that caused havoc with denial-of-service attacks in 2016. Satori uses the Mirai code as a foundation for a series of evolving exploits that allows the botnet to control devices with even strong credentials.

The initial attack was targeted at Huawei and Realtek routers, however the botnet controllers have displayed impressive skills by moving on to bitcoin miners and now consumer routers like Dlink’s DSL2750B.

“Attack code exploiting the two-year-old remote code-execution vulnerability was published last month, although Satori’s customized payload delivers a worm. That means infections can spread from device to device with no end-user interaction required.”

Dlink currently has no firmware update for this issue. Which brings me back to a statement that I’ve echoed on this blog numerous times – no one should be using consumer routers, or at least routers that do not have a history of consistent security updates. The internet is littered with hundreds of models of router from many manufacturers that are full of holes that do not have a fix from the manufacturer.

Consumer manufacturers do not have the skill to design secure devices nor do they have the capacity to fix broken and exploitable devices. This leaves a sizeable portion of internet users at the mercy of attackers.

And that is scary.

Loki god of …?

In the field of IT Security, one learns very quickly that there’s always another security risk around the corner. An old favourite, the Loki Botnet, is back for another bite of the pie shortly after the fun with WannaCry a week ago.

( Loki a god in Norse mythology, was sometimes good and sometimes bad. Loki the virus is all bad. )

Loki is a malware bot that steals passwords from applications and e-wallets, and it’s been around since early 2015, so has a solid track record. There is a new variant doing the rounds and it’s upped the ante with the ability to steal credentials from over 100 applications. The virus initiates via email PDF attachment or web download so the standard advice of being wary of attachments applies.

It’s unclear at this time if the malware is stealing credentials from stored password databases or from the application itself while running. In all cases, it’s important to:

  1. not execute unknown email attachments
  2. use strong passwords
  3. make use of AV and anti-malware software

On a related note, browsers are often targets of password stealing malware – Firefox, IE, Opera and Safari are all on the list of browsers that Loki ‘supports’. Of note, Firefox ( and related browsers ) is the only one out of this bunch that supports a master password.

Firefox by default stores passwords in a file that is encrypted. Without a master password, this file could be copied to another Firefox instance and viewed there. The master password applies additional encryption and essentially 2FA which means that the password file is useless without the master password.

Chrome/IE uses the OS’ secure encrypted storage ( eg. WPA, Keychain or Wallet ) to store your information – if the OS is compromised then so are your details.

It’s useful to know that using sync solutions ( eg. Google SmartLock, Apple iCloud ) will mean that your details are stored on someone else’s systems and may be accessible by the provider.

Browser password managers know which site is related to which password entry – this means that they can protect you against phishing and other attacks( by checking SSL certs ) using lookalike sites and other tomfoolery. This is another reason to use SSL-encrypted sites.

I’ve written about password managers before, but to reiterate, if you want the best in password management and security, use a dedicated password manager. They provide strong encryption, master password and  encryption keys. And some provide neat tools to auto-input credentials into web sites and applications.

A little bit of ransomware with that Sauerkraut?

This past weekend’s shenanigans with WannaCry have been painful for many people. But the simple fact is that solutions for this specific issue ( and many others ) have been available for a long time.

The initial patch for the MS17-101 issue was released by Microsoft in March 2017. Didn’t update?

Many AV vendors have had virus definitions for WannaCry for some time already and at latest, on Friday evening. Don’t have ( updated ) AV?

Have an office  internet connection without a decent firewall?

Still running XP or Vista without extended support?

No 3-tier backups?

The only one to blame is yourself …

IT seems to be treated as an afterthought at many companies. Yet it is IT that helps facilitates your business and income.

Thom from OsNews says:

“Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions – they’re all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different – they’re not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low – an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.”

It’s time to put some effort into your IT – especially if you value your data and your business. It may be a difficult pill to swallow, but it’s a necessary one.

The NSA and Ransomware. Oh and a bit of HPE on the side.

If ever there was a perfect example of stupidity, the new highly virulent strain of WanaCrypt ransomware that is currently spreading like wildfire, is it. And that stupidity is care of the NSA; who in their infinite wisdom, wrote exploits based on 0-day vulnerabilities that should have been reported to the relevant vendors, but was instead appropriated.

Well the Shadow Brokers have now in turn appropriated this code from the NSA and and someone else has gotten hold of it to create a self-replicating variant of WannaCrypt or Wcry malware, that is currently causing havoc in hospitals, banks, telecom services, utilities and others, by encrypting drives and blocking access to systems.

Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.

The exploit spreads via vulnerabilities in network -accessible Windows subsystems although the exact details are still vague. Microsoft has released a patch in March for the issue however many companies have yet to install the update.

Numerous companies have been affected during the course of today including Telefonica, Vodafone, 16 NHS hospitals across the UK, and many others. The ransomware has been detected in over 74 countries already and the demands include Bitcoin payment of up to $600 per infection. The speed and violence of infection show a highly capable piece of malware with advanced network replication techniques bypassing standard methods of protection.

What can you do to protect yourself?

  • shutdown any non-critical network file access/shares
  • seeing as the malware is probably initiated via email, be especially vigilant for spam emails
  • update all Windows systems with the patch listed above
  • segment sections of your network where possible

And in other news, HP has been including a dodgy Windows audio driver from Conexant for the last 2 years on many HP Laptops which, wait for it … logs all your keystrokes! Yay!

Security News – WK4 May 2016

The great Linkedin hack

A hacker called “Peace” recently tried to sell a password database of ~ 117 million Linkedin login details that come as a the result of a 2012 breach on the professional relationship social media site.

In a blog post published on May 18, LinkedIn CISO Cory Scott wrote, “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.”

All affected passwords are being reset, Scott wrote, and all those impacted will be notified. “We have no indication that this is as a result of a new security breach,” he added.

There is a high possibility that users who have not changed their password since that time will have been compromised. Even worse, the common practice of password reuse on other sites could result in hackers having access to those sites as well.

MySpace, Tumblr and Fling are other sites that were caught up in the same hack and are vulnerable too. If anyone has a MySpace ( new ) or LinkedIn account, now is the time to both change your password and enable 2-factor authentication.

As unwieldy as it sounds, using distinct and unique passwords for each site is the way to go. This is a huge burden to users with accounts on many sites, but a password manager ( like KeePass ) can assist greatly in improving security and automating the  chore of logging into sites.

Teamviewer becomes a remote pawn

The last month has seen a marked increase in Teamviewer attacks, either due to a breach in TV’s own systems or due to the above password reuse issue. The exact cause is not known yet but the problem is accelerating with more victims coming to the fore each day. Malware actors are logging into Teamviewer-accessible systems, dumping browser credential databases ( another reason to use a password manager instead of the browser’s password system ) and using these credentials ( yes people are saving their banking login details using their browser password manager ) to access financial systems, transfer money and cause all sorts of chaos.

One option is to not leave TV running on systems but rather to activate it as required. Not efficient or easy to use, but certainly much safer.

Squatting

Can you spell? Well that may be the difference between getting to the correct site or not. And being safe.

A class of threat called typosquatting, is making use of sites with addresses that are similar ( but not the same ) to well-known sites, to host malware. Eg. let’ s say you wanted to go to www.ibm.com but actually typed in www.bmi.com. You don’t notice the mistake and get sent on to a site that looks like www.ibm.com but is not. In addition, this mistaken site now hosts malware that infects your machine.

This issue is more common than one would like to think and malware authors are starting to put up a lot of sites with domain names that are similar to mainstream and popular sites. It’s not just important to monitor the SSL certificates of websites but also the address itself – this is especially true for transaction sites like online banking, eCommerce and the like. Be wary …

WordPress plugins, again …

WordPress is the most-used blogging platform in the world and has become very popular with website designers as well. WordPress has been a favourite target for hackers, but the developers are fairly proactive and for the most part, WP itself is kept secure. The same can not be said for WP’s impressive 3rd party plugin library where anyone can store and offer plugins.

These are regular recipients of hacks, including popular and well-maintained plugins. Recently, the WP Mobile Detector plugin has been compromised by a vulnerability that is being actively exploited to distribute porn-related spamming scripts. The plugin has been removed from the official WP plugin directory  but there are probably many site owners out there that are still vulnerable. There is no update for this issue yet so the only option is to disable the plugin.

Healthcare and your ( digital ) health

The breaching of healthcare systems is becoming an almost daily occurrence. This makes it even more concerning when healthcare companies ( eg. Discovery ) want to automatically provide your health status to 3rd parties via systems like Discovery HealthID. Like financial information, health details are some of the most private data that a private individual possesses. One cannot discount the benefits of 3rd parties having accessing to life-saving critical data about you especially in emergencies, but how is this data handled and secured outside of those emergencies?

I’m only using Discovery as an example here – they state in their T&C’s:

I understand that once Discovery Health has shared my information with authorised medical practitioners, Discovery Health has no further control over this information and they will not be accountable for its safeguarding. I also understand that the authorised medical practitioners have confirmed to Discovery Health that they will treat my information as confidential and in line with applicable laws.

and

I agree that by making this information available, Discovery Health will not be responsible for any loss or damage (whether direct or indirect) that may arise from the use of this information, other than where it is due to or attributable to grossly negligent or fraudulent conduct by Discovery Health.

What chance would one have to prove negligent conduct by one of these large companies? Food for thought.

The scourge of Ransomware

From Wikipedia:

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files.

To say that Ransomware has become a serious problem in recent times is putting it mildly. In the last year, numerous SA businesses and users have become victims of this nasty type of malware. According to BlueCoat, a security vendor, Ransomware is now the leading mobile threat and ranks very high on the list of desktop/server threats.

Briefly, Ransomware infection is primarily by email link or email attachment. Once the user clicks a link in the infected email or runs the attachment, the infection silently takes place. From there, files accessed by the user are encrypted with a key, known only by the malware author. A message ( in the form of a file typically called HELP_DECRYPT.TXT ) is left in the folder where the file was first encrypted – the message provides details of how to send payment, often in bitcoins, to the malware author, so that they will send the key to unencrypt your files.

CryptoWall 3 and earlier versions, as well as some competing malware, targeted specific files that you accessed. Newer variants like CrytoWall 4 will now encrypt an entire folder and not just the files you access. They also have the ability to infect/encrypt files on the network shares of servers. Chimera is a new type of Ransomware that threatens to post copies of your documents and images on the Internet unless a ransom is paid. PowerWorm has recently come to light as another variant that encrypts files – but it has a bug in that the key is destroyed ( mistakenly ) after encryption.  Which means that paying a ransom will not get you your files back – ever.

Another method of infection is through websites that are compromised by the Angler exploit kit. Just visiting the site results in a drive-by attack called Pony which scours the infected computer for any login credentials for websites, banking, network resources and applications. Once done, the infected computer is then redirected to alternate sites where Angler will install CryptoWall 4 which in turn will result in encrypted files. CryptoWall 4 also renames files with randomly generated characters meaning that you don’t even know which files have been encrypted.

This is real scary stuff …

Paying, what amounts to around R 5,000 – 30,000 ( 1 – 6 bitcoins ) per infection, is beyond the ability of most.  Another issue is that there is no guarantee that the perpetrator will actually send you the encryption key. Paying a ransom is not a good idea …

 

What can I do to protect myself?

  • always keep your Operating System and installed applications up to date
  • do not use Adobe Flash and plugins for browsers, and try to limit your usage of Java
  • make sure you have  a good Anti-Virus package installed and make sure it is updated continuously
  • do NOT click on links in emails ( even if they look genuine ) and do not save or run attachments from emails that appear to be from friends, family or known business connections
  • use common sense and logic when accessing email and visiting websites; look for things that are out of the ordinary and double check items that look ordinary
  • attend Security Awareness Training which gives you the tools to navigate email, websites and other internet applications safely
  • backup your data regularly

What can I do if I’m infected?

The answer to this is: nothing – if you’ve not followed the last recommendation above. The only option is to clear out the infection and restore data from backups. Clearing out the infection often means rebuilding the infected device from scratch, reinstalling all applications and restoring your data.

If you don’t have a backup, then there are no further options. Unless you want to take a chance and have the funds available to pay the ransom ….

Home routers: security fail

It’s no secret that I absolutely hate non-business/home-based ( ADSL/3G/other ) routers. From  a security point of view, they have a history of never-ending security issues that result in a variety of malicious attacks including DNS reflection, remote control, spam, malware infections and  other attacks.

There are other serious issues including ( but not limited to ):

  • vendors of these devices are slow to react to vulnerabilities and often don’t even patch these
  • users either don’t know that updates are available, don’t know how to apply patches/updates or just can’t be bothered to apply updates
  • the firewall/protection features of these devices are limited
  • there are common back-doors included in many of these devices which opens up access to attackers

Because non-business grade routers/firewalls don’t carry any sort of guarantee or warranty in terms of performance, vendors do not put ( as much ) effort into these in terms of keeping them secure. The following link describes just how bad the situation is:

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

If you have any concern over your internet security or use your internet link for any secure services ( like online shopping or internet banking ), consider purchasing/using a business-grade firewall that will:

  • provide you with a decent level of protection
  • be updated regularly by the manufacturer

Keeping your desktop computers, laptops and mobile devices safe is only one part of home security. You also need to look at the security of your network devices  including routers, printers and WiFi access points as these are an important point of access to your home network and can compromise your systems as easily as a virus on your computer.

The end of Windows XP

Windows XP support will officially end on April the 8th next week.

This is a very important change that appears to have escaped many people. Why important? Because you will no longer be receiving any updates ( security or other ) from Microsoft for XP. That effectively means that if there is a security hole discovered in Windows XP from the 8th of April, it will be open for anyone to exploit and no fixes will be forthcoming from Microsoft.

While Windows XP has never been what you might term a secure operating system, Microsoft have to this point, continued to fix vulnerabilities, bugs and other issues in XP.  And it’s these fixes that have improved the security level of XP significantly. That will no longer be the case from next week on.

What is really worrying is that many companies are still running a fairly large percentage of Windows XP systems – it’s estimated that up to 25% of Enterprise/Corporate systems are still Windows XP. And many smaller businesses have a higher percentage as they can’t afford the Windows software and hardware upgrade cycle.

The risk of security breaches on systems running Windows XP beyond April 2014 is high. This is not an overstatement – it’s a certainty! Even the European Cybercrime Centre has warned of impending XP security risks.

What can you do?

1. make an asset list of both hardware and software

It’s important to understand what hardware and software you have as this will dictate whether you can upgrade to a newer version of Windows or not. As well, certain older applications will not be able to run on Windows 7 and later, even in compatibility mode.

2. Test your hardware

Use one of your PCs/Laptops as a test-bed for checking if Windows 7/8 will run on them without issue. Use the Windows 7 Upgrade Advisor and Microsoft Upgrade Advisor to see if your machines meet the minimum requirements. Minimum requirements also don’t mean a good experience; Windows has, and always will, require more memory and faster disk to perform adequately.

Note that certain MS Windows version upgrades won’t keep any of your existing data or applications so you need to a. create backups and b. do a clean install. Check with your hardware vendor to see if there are any driver updates for your hardware that is required for Windows upgrades.

Here is more info on upgrading Windows XP to Windows 7. Note also that Windows 7 support ends in 2020 which is not that far away so keep that in mind when upgrading.

2. Test your applications

Take a Windows 7 or later system and run all your applications on that system to make sure they will execute without issues. If you find any issues, try the application compatibility modes in Windows 7 and later – if this does not solve the issue, then approach the manufacturer for a fix or look for equivalent applications that are compatible.

3. Update or install a good Anti-Virus package

It cannot be underestimated how valuable a good AV package is. This is generally the first line of defense when accessing network resources or using portable data devices ( USB, CD, DVD etc. ). The package should include malware protection, email scanning and URL/Link scanning. Many AV packages now also come with cloud-based sandbox technologies which enhance the ability to detect 0-day vulnerabilities. Note that AV packages will NOT be able to provide full protection for Windows XP systems after the end-of-support date.

4. Do not use Internet Explorer 6 or earlier

In fact, don’t use Internet Explorer at all – use an alternate browser such as Firefox or Chrome.

5. Do not use a Windows XP system to do banking or other financial transactions

You are literally inviting crackers into your bank account if you continue to use Windows XP from next week on for banking and/or other financial transactions. Use an alternate locked-down system running a memory stick-based system like Linux for any secure internet browsing requirements. You are welcome to contact me for pre-configured memory sticks or pen drives.

6. Contact your technical IT support  company for assistance

Your IT service company is in the best position to determine possible solutions for you in this regard. Don’t underestimate the value they can provide in assisting you in either mitigating the security risks for XP or upgrading to Windows 7 or something else.

9 years ago, I took the decision to ditch Windows altogether. I’ve never looked back – not only does my current system ( Linux ) provide good performance on lower spec hardware but it’s also relatively immune to the bulk of exploits out there. This means I’m secure in the knowledge that when I’m doing Internet Banking, my money is not going to disappear.

This path is not for everyone. However, you need to look at the  alternatives – whether it’s upgrading Windows to a newer version or migrating to a completely new platform like Mac OS or Linux, you need to make the decision now.

Any delay beyond next week is likely to be a costly move.

Large security breach involving fast food outlets and banks in SA

A variant of the Dexter malware has apparently been running on POS systems unchecked for quite a while. All of SA’s banks have been hard hit by the losses incurred as a result of arguably one of the largest security breaches in SA history. More info here:

http://www.techcentral.co.za/sa-banks-in-massive-data-breach/44338/