Our analysis shows that the family-based pattern that identified the TorrentLocker malware that hit Australia also identified the outbreaks in Turkey, Italy, and France.
We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA and shows similar payment pages for these countries. If users are not located in a targeted country, a generic English-language web page appears, and the ransom demand is made in US dollars. Below is a series of screenshots displayed by the TorrentLocker malware that incorrectly tells victims that it is the “CryptoLocker virus.”
Figure 1. Payment demands for various victims depending on their geo-locations.
In Australia, the base price is A$598, and the page warns that the price will double four days after the user is given the Bitcoin address.
Some examples of the IPs hosting fake TorrentLocker domains for various countries include 184.108.40.206, which hosts phishing pages for both Australia Post and Turkey’s TTNET, and 220.127.116.11, which hosted SDA Express TorrentLocker domains.
Microsoft Rates 7 Bulletins as ‘Important’, 1 as ‘Critical’
The security update rated “critical” is Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393), or MS15-002, which affects various Microsoft Windows versions and could allow remote code execution on affected systems. According to the bulletin, only customers who enable the Telnet service are vulnerable. The bulletin also reports that Telnet is not installed by default on Windows Vista and later operating systems.
MS15-005 and MS15-006 are both bulletins rated as ‘Important’ that describe a security feature bypass, which result in a system restart. Four of the ‘Important’ bulletins describe an elevation of privilege.
End of Mainstream Support for Windows 7
The first Patch Tuesday for the year also signals the end of mainstream support for Windows 7. This means that non-security updates will no longer be provided, but security updates will still be sent out. Windows 7 will end all support in January 2020.
It is highly recommended that users and system administrators immediately patch these vulnerabilities. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:
1006439 – Microsoft Windows Telnet Service Buffer Overflow Vulnerability (CVE-2015-0014)
1006441 – Microsoft Windows Components Directory Traversal Elevation Of Privilege Vulnerability (CVE-2015-0016)
1006372 – Microsoft Network Policy Server RADIUS Implementation Denial Of Service Vulnerability (CVE-2015-0015)
For many users today, how they use technology is defined by mobile devices. Their primary device is not a desktop computer, or even a laptop. Instead, it’s a tablet or a smartphone. Instead of data stored on a hard drive or a USB stick, corporate data is now stored in the cloud and accessed as needed by users. If we look at the number of PCs versus smartphones sold, the trend is clear. In the 3rd quarter of 2014, analysts estimate that 79.4 million PCs were sold – compared to 301 million smartphones in the same period.
This changes the relationship that IT people have with end users. In the past, they would have given their users PCs that they could centrally control. However, for many organizations, that policy has not been acceptable: mobile devices are thought of as “personal” in a way that PCs are not.
The result has been the rise of BYOD, short for Bring Your Own Device. Users buy their own devices and are responsible for them, but the company pays at least some of the costs. In theory, everyone is happy: the user gets to use a device they chose, the company sees reduced costs and increased usage of newer, more efficient IT systems. What could possibly go wrong?
Unfortunately, BYOD can turn out not to be a dream, but a nightmare. Company data ends up being mixed with personal data and is thus put at a higher risk of leakage. The devices can also be compromised and used to target the rest of an organization. BYOD can turn out to be Bring Your Own Disaster.
There have been attempts to fix this, but they don’t work all that well: they try to separate personal and work-related data on the device, but they are difficult for both the user and the company to use.
So, what is a good solution to this seemingly intractable problem? We can look to the world of PCs for a possible solution. In a Virtual Desktop Infrastructure (VDI), users access virtual machines running on a server. Why can’t we do something similar for mobile devices?
Let’s call it a Virtual Mobile Infrastructure, or VMI. The client on the phone will do nothing but access a virtual mobile operating system running on company servers. Because it’s essentially the same OS as they’re used to on their devices, user acceptance should be high.
More importantly, though, a properly implemented VMI solution would not leave data at risk on the user’s device. There are many industries where this would be useful: for example, in medicine, there would be no risk that sensitive medical data would actually leave hospital servers. In industries where there are severe regulatory restrictions on how and where data can be accessed, this can allow employees to work in a more flexible manner.
VMI is an option that enterprises looking into implementing BYOD policies should seriously consider. BYOD brings many benefits to a company, but also attendant risks. VMI helps manage those risks so that companies can fully enjoy BYOD while reducing any potential problems.
We recently reported that the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware.
The Infection Chain
Figure 1. Infection diagram for ANZ attacks
The malware arrives through emails that pretend to be penal notices from the New South Wales government (referred to in this entry as “NSW”) or shipping information from Australia Post. Once users click the link, they are redirected to a spoofed page bearing a newly-registered domain similar to the official, legitimate one.
The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site.
If the user opens the zipped file and executes the malware, it connects to secure command-and-control (C&C) servers. After successfully sending and receiving information, the malware encrypts files on the user’s machine using elliptic curve cryptography and appends the string .encrypted to their names. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copies of the infected system by executing the command line vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from backup.
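The host-level behaviour described above (shadow copy deletion, files renamed with .encrypted, an HTML ransom note dropped alongside them) can be turned into simple endpoint detection logic. The following is an added example, not code from the original post or from Trend Micro; the event format, paths and the alert threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original post), one event per line in a
# "type|process|detail" form: for process events detail is the command line, for
# file events it is the path written. Paths and names are invented for the example.
SAMPLE_EVENTS = """\
process|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
process|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|vssadmin.exe Delete Shadows /All /Quiet
file|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Users\\alice\\Documents\\report.docx.encrypted
file|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Users\\alice\\Documents\\budget.xlsx.encrypted
file|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Users\\alice\\Documents\\DECRYPT_INSTRUCTIONS.html
process|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows
file|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\notes.txt
"""

# Shadow-copy deletion as the post describes it; the pattern also matches the
# variant without /All /Quiet, which still deserves an alert on an end-user host.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
ENCRYPTED_EXT = ".encrypted"
ENCRYPTED_THRESHOLD = 2  # assumed tuning value for the example

def parse_events(text):
    """Yield (event_type, process, detail) tuples from the pipe-separated lines."""
    for line in text.splitlines():
        if line.strip():
            kind, process, detail = line.split("|", 2)
            yield kind, process, detail

def analyze(text):
    """Return {process: [alert, ...]} for processes showing TorrentLocker-like behaviour."""
    encrypted = defaultdict(int)
    html_drops = defaultdict(list)
    alerts = defaultdict(list)
    for kind, process, detail in parse_events(text):
        if kind == "process" and SHADOW_DELETE.search(detail):
            alerts[process].append("shadow copy deletion: " + detail)
        elif kind == "file":
            if detail.lower().endswith(ENCRYPTED_EXT):
                encrypted[process] += 1
            elif detail.lower().endswith(".html"):
                html_drops[process].append(detail)
    for process, count in encrypted.items():
        if count >= ENCRYPTED_THRESHOLD:
            alerts[process].append(f"{count} files renamed with {ENCRYPTED_EXT}")
            for path in html_drops.get(process, []):
                alerts[process].append("ransom note dropped next to encrypted files: " + path)
    return dict(alerts)

if __name__ == "__main__":
    for process, found in analyze(SAMPLE_EVENTS).items():
        print(process)
        for item in found:
            print("  -", item)
```

The legitimate `vssadmin list shadows` and the unrelated explorer.exe write produce no alert, so only the dropper process is reported.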
Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia.
I do not exaggerate when I say that it is only a matter of time before your company has to deal with a targeted attack, if it has not yet. In 2014, we saw many victims grapple with an invisible enemy. A very big and recent example of this is the Sony attack, which caused a lot of problems for the company, as well as the leakage of a lot of data. As threat defense experts, we strive to make the invisible visible: what are the most important things you should have learned from the cyber-attacks in 2014? What lessons can we bring into 2015?
Secure your data in the cloud
Accountability for cloud computing security became very clear in 2014. Cloud computing is a powerful capacity extender that is increasingly adopted by small, medium, and very large enterprises alike. And while users can expect a certain level of security under the “shared responsibility” model — such as in the way cloud service providers run cloud services and infrastructure including physical hardware and facilities — users must not forget that access to data in the cloud can be wholly compromised at their end.
In what turned out to be a prevalent “developer bad habit” discovered in March, for instance, thousands of secret keys to private accounts were found to be accessible on GitHub, a code-sharing site. This is the equivalent of having consumer user names and passwords leaked in public forums. In some ways this is even more critical, since the exposure of the keys means that thousands of secret company documents, applications, and software can be accessed by threat actors. And since the intruder will essentially log in as the developer, he/she can wipe out entire environments or hold them hostage.
In a far more serious example, Code Spaces had to close down in 2014 after an attacker gained access to its control panel account and started deleting customer databases indiscriminately. For a business whose nature relies so strongly on software services, “paranoid security” should be a foregone conclusion. Cloud services offer two- or multi-factor authentication, completely private modes, and identity- or role-based access management, all of which can make intrusions like this far more difficult for attackers.
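The committed-key habit described above is cheap to catch before a push with a pre-commit style secret scan. The following is an added example, not code from the original post or from any real scanner; the sample file is constructed (the access key is the placeholder value AWS uses in its own documentation, the other values are invented) and the patterns and entropy cut-off are assumptions, not a complete ruleset.

```python
import math
import re

# Constructed sample of a file about to be committed (not from the original post).
SAMPLE_FILE = """\
# deploy settings
REGION = "us-west-2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
-----BEGIN RSA PRIVATE KEY-----
LOG_LEVEL = "debug"
"""

ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS-style access key id
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assignment of a quoted value to a name that looks like a credential.
SECRET_ASSIGN = re.compile(r"(?i)(secret|password|passwd|token|api_?key)\w*\s*[=:]\s*['\"]([^'\"]+)['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed tuning value for the example

def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan(text):
    """Return [(line_number, reason)] for lines that look like leaked credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID.search(line):
            findings.append((lineno, "access key id"))
        elif PRIVATE_KEY_HEADER.search(line):
            findings.append((lineno, "private key material"))
        else:
            m = SECRET_ASSIGN.search(line)
            # The entropy filter suppresses noise such as placeholder passwords, which
            # is why the weak "changeme" value above is deliberately not reported here.
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy secret value"))
    return findings

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE_FILE):
        print(f"line {lineno}: {reason}")
```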