In the first four months of 2016, we have discovered new families and variants of ransomware, seen their vicious new routines, and witnessed threat actors behind these operations upping the ransomware game to new heights. All these developments further establish crypto-ransomware as a lucrative cybercriminal enterprise. As we predicted, this year is indeed shaping up to be the year of online extortion, and while the security industry may be doing an admirable job of keeping up with the latest new tactic and providing solutions, the not-so informed public and organizations may very well be on the receiving end of a crippling malware that can destroy personal and corporate files, as well as lead to huge financial losses.Read More
In early April of this year a zero-day exploit (designated as CVE-2016-1019) was found in Adobe Flash Player. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch. This flaw was being used to lead to drive-by download attacks with Locky ransomware as the payload.
However, this did not end the threat for users. We recently saw a new variant of this attack that added an unusual twist. On top of the Flash exploit, an old escalation of privileges exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies.Read More
In 2014, we began seeing attacks that abused the Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several reasons for an attacker to use this scripting technique.
For one, users cannot easily spot any malicious behavior since PowerShell runs in the background. Another is that PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it an attractive tool for attackers for carrying out malicious activities while avoiding easy detection.Read More
The critical role of patch management comes into play when vulnerabilities are used by attackers as entry points to infiltrate their target systems and networks or when security flaws are abused to spread any threats. The case of the infamous SAMSAM crypto-ransomware supports this. The said threat deviated from other crypto-ransomware families. Instead of arriving via malicious URLs or spam emails, it leverages security flaws in unpatched servers. Last March 2016, SAMSAM hit the Maryland hospital by encrypting all its files, including those found in the network. From the healthcare industry, SAMSAM moves to target the education sector. In a recent attack, a significant number of servers and systems were exposed to SAMSAM and other malware via JBoss server vulnerabilities. JBoss is an open source application server that runs on Java. Systems or servers with ‘Destiny’ software were also affected. According to a report by CISCO, this software is typically used by K-12 schools worldwide. Follett has already released a patch to protect users of Destiny software.Read More
A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is registered in Dubai, United Arab Emirates (UAE). But from public postings on the Internet, it is apparent that the owner doesn’t really care about laws in UAE. In fact, Pawn Storm and another APT group, attacked the government of UAE using servers of the VPS provider through highly targeted credential phishing. Other threat actors like DustySky (also known as the Gaza hackers) are also regularly using the VPS provider to host their Command and Control (C&C) servers and to send spear phishing e-mails.Read More