New Ransomware “BadRabbit” Starting To See Infections In The US

You may not have heard of the new strain of ransomware known as BadRabbit. If you haven’t, it’s probably because the overwhelming majority of BadRabbit infections have been in Russia, which accounts for 71 percent of all known infections at present. Unfortunately, a few infections have now been reported in the United States, which may be a harbinger of things to come.

The new threat is functionally similar to NotPetya: it not only encrypts the files on a target system, but also encrypts the disk and replaces the bootloader, so the victim is greeted with a ransom lock screen before the operating system can even boot.

Fortunately, there are simple things you can do to help protect yourself from this latest threat.

Event Log Monitoring

Windows Defender is capable of recognizing the threat, provided you’re running definition update 1.255.29.0 or higher. If you haven’t updated to that version, do so immediately.

Once that is done, be aware that BadRabbit registers scheduled tasks named “viserion,” “rhaegal” and “drogon” (match them case-insensitively, and allow for a trailing underscore). If you see any of these, it’s a clear sign of an infection in progress on your network. The rhaegal and drogon tasks exist to force a reboot so that the malware’s bootloader takes over, which is why a useful first response is a “shutdown -a” command to abort the pending shutdown. Administrators can automate that response with an event-triggered scheduled task: if task creation is audited, Security event 4698 (“A scheduled task was created”) is logged for each new task, and a task triggered on that event can check the new task’s name and run “shutdown -a” when it matches one of the names above.
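The hunt-and-respond procedure described above, as an added PowerShell example (not code from the original article). It assumes Windows 10 or Server 2016 or later, an elevated session, and that “Audit Other Object Access Events” is enabled so Security event 4698 is written; the responder script path and log path are assumptions.

```powershell
# Added example: hunt for BadRabbit's scheduled-task names and register an event-driven
# responder that runs "shutdown /a" (same as "shutdown -a") when a matching task appears,
# cancelling the forced reboot before the modified bootloader can run.
# Assumptions: Windows 10 / Server 2016+, elevated PowerShell, Security event 4698 audited.
$BadTaskNames  = @('viserion*', 'rhaegal', 'drogon')   # wildcard allows the trailing underscore
$ResponderPath = 'C:\ProgramData\BadRabbit-Responder.ps1'  # assumed location

function Find-BadRabbitTask {
    # Case-insensitive match of every registered task name against the list above.
    Get-ScheduledTask | Where-Object {
        $name = $_.TaskName
        [bool]($BadTaskNames | Where-Object { $name -like $_ })
    }
}

# 1. Hunt: show any matches together with the command each task would run.
Find-BadRabbitTask | ForEach-Object {
    [pscustomobject]@{
        Task   = $_.TaskName
        Path   = $_.TaskPath
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

# 2. Responder script: abort the pending reboot, disable the offending task(s), log it.
@'
$bad  = @('viserion*', 'rhaegal', 'drogon')
$hits = Get-ScheduledTask | Where-Object { $n = $_.TaskName; [bool]($bad | Where-Object { $n -like $_ }) }
if ($hits) {
    shutdown.exe /a                                   # cancel the forced restart
    $hits | Disable-ScheduledTask | Out-Null
    $hits | ForEach-Object { "$(Get-Date -Format o) disabled $($_.TaskPath)$($_.TaskName)" } |
        Add-Content -Path "$env:ProgramData\BadRabbit-Responder.log"
}
'@ | Set-Content -Path $ResponderPath -Encoding ASCII

# 3. Trigger on every 4698 and let the script check the name: the XPath subset the event
#    log accepts has no substring functions, so filtering on the task name here is brittle.
$Subscription = '<QueryList><Query Id="0" Path="Security">' +
                '<Select Path="Security">*[System[(EventID=4698)]]</Select></Query></QueryList>'
$TriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$Trigger      = New-CimInstance -CimClass $TriggerClass -ClientOnly
$Trigger.Subscription = $Subscription
$Trigger.Enabled      = $true
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ResponderPath`""
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Respond-BadRabbitTask' -Trigger $Trigger -Action $Action `
    -Principal $Principal -Force | Out-Null
```

Treat this as a tripwire rather than a cure: the responder races the malware’s own reboot, and a hit means the host is already compromised and should be isolated, not just kept running.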

Obviously, this stuff can be quite complicated. We would highly recommend you reach out to us to not only scan your network, but to also evaluate your entire network for potential threats or vulnerabilities. Ransomware is a real threat that is literally shutting down businesses, and this is on a global scale. If you aren’t being proactive against hackers, you can easily find yourself locked out of your own network.

BadRabbit is just the latest in hackers’ arsenal of ransomware and threats on your network. If you are as concerned as we are, give us a quick call.

Large Number Of HP Models May Have Keyloggers

HP is in the news again. If you missed the initial story earlier in the year, it was reported that an audio driver that came pre-installed on a number of HP laptops contained keylogging code that wrote every keystroke made by the person using the machine to a human-readable file. Once the problem was discovered, HP issued a patch that removed the keylogging function and deleted the data file.

Now, an independent security researcher going by the name “ZwClose” has discovered more built-in keyloggers in 460 HP Notebook models and counting.

At issue is the SynTP.sys file, which is an integral part of the Synaptics Touchpad driver that ships with a great many HP Notebooks. The keylogger is a debugging trace left in the shipped driver and is disabled by default, but anyone with administrative rights on the machine can turn it on simply by changing a registry value, after which the captured keystrokes can be read with freely available tools.

After HP was notified, the company released a security advisory, which included the following:

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

Since the release of the security advisory, HP has issued a driver update that removes the code for all affected models, so from a business and security standpoint the only action item is to confirm that the updated Synaptics driver has actually been installed on your HP notebooks. Note, too, that Synaptics says the issue affects all of its OEM partners, so laptops from other vendors that use Synaptics touchpads deserve the same check.

In an era where privacy on the internet is under increasingly intense assault, however, it’s worth noting that this is the second time an issue like this has been tied to HP equipment, and that’s concerning.  Privacy matters, and if you’re concerned about it, then two such issues might be enough to make you start looking at some other vendor when it comes time to start replacing or upgrading your equipment.

Popular Android Keyboard App Collected Private Information, Has Been Breached

How many apps do you have on your smartphone? Do you know how much data they’re collecting about you?

Most people have scores of apps installed (and often hundreds), even if they only use a few on a regular basis, and shockingly, most users have no idea just how much information those apps are collecting about them.

However much you imagine, the answer is probably “more.”

This point was driven home painfully by a recent discovery by a team of researchers at the Kromtech Security Center. They found a completely unsecured database exposed online, a staggering 577GB in size, belonging to an Israel-based startup called AI.type, maker of a virtual keyboard app of the same name.

The information it contained is simply mind boggling.

Not only does it contain personal information on 31 million of the app’s 40 million users, but the database contents reveal just how intrusive AI.type actually is. The data includes:

  • Each user’s full name, email address and phone number
  • What OS version the user is using (AI.type is only available to Android users)
  • Each user’s nation of residence, mobile network name and what languages each user has enabled
  • IP and GPS location data
  • All information included with each user’s social media profiles, including birthdays, photos, posts, etc.
  • Each user’s device name, the make and model of their smartphone and screen resolution

As if that wasn’t enough, the research team also discovered that each user’s contact list had been scraped (including names, email addresses and phone numbers), and that the company was tracking a whole range of internet behaviors, including Google search queries, number of messages sent per day, the average length of those messages and more.

Obviously, there’s no reason a keyboard app needs this level of information about its users; the most plausible explanation is that it’s being collected for resale. If you use the app, be aware that the company knows almost everything about you and everyone you’ve been in contact with on your phone, and now, because the database was left open, so does anyone else who found it.

USB Drives Could Be Huge Factor In Data Loss, Theft

Most people agree that the use of USB drives increases efficiency and boosts productivity, which goes a long way toward explaining their popularity, but these handy little drives can also be problematic.

According to a recently published survey by Apricorn, 87 percent of employees surveyed report that they have lost or had a USB drive stolen and failed to notify their employer. Worse, 80 percent of employees surveyed reported using non-encrypted USB drives that they’ve often acquired for free at trade shows or conferences.

The fact that these drives are unencrypted is bad enough, but there’s another, even more frightening dimension to the problem: a giveaway drive can arrive pre-loaded with malware, which can make it onto your company’s network the moment it’s plugged into any office machine.

Apricorn had this to say about the results of the survey:

“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations, and what is leaving.

Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission. Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”

Although the company notes that there is an awareness of the damage that lost or compromised data can cause, not much is being done about preventing that loss, at least where the use of USB drives is concerned. According to the survey, fully half of the respondents indicated that they didn’t need to seek permission to use a USB drive to copy or transport potentially sensitive information.

Does your company have a robust set of policies in place to control the use of USB drives? Are all the USBs used by your employees encrypted and secure? Do you have a policy in place regarding proper reporting procedures should a USB drive go missing? Important questions, all.
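A starting point for answering the encryption and control questions above on Windows endpoints, as an added PowerShell example (not from the article or from Apricorn): it audits whether currently attached removable drives are BitLocker-protected, lists the USB storage devices the machine has seen, and turns on the policy that makes unencrypted removable drives read-only. It assumes Windows 10 or Server 2016 or later with the BitLocker feature, run from an elevated session.

```powershell
# Added example: audit removable-drive encryption, enumerate USB storage history, and
# enforce "Deny write access to removable drives not protected by BitLocker".
# Assumptions: Windows 10 / Server 2016+, BitLocker feature installed, elevated session.

function Get-RemovableDriveEncryptionStatus {
    # Every mounted removable volume with a drive letter, with its BitLocker protection state.
    $haveBitLocker = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$' } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = if ($haveBitLocker) { Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Drive      = $mp
                Label      = $_.FileSystemLabel
                SizeGB     = [math]::Round($_.Size / 1GB, 1)
                Protection = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }  # "On" is the goal
            }
        }
}

function Get-UsbStorageHistory {
    # USBSTOR keeps one key per vendor/product ever connected, with an instance (serial) key beneath.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{ Device = $device; Serial = $_.PSChildName; FriendlyName = $p.FriendlyName }
        }
    }
}

function Enable-DenyUnencryptedRemovableWrite {
    # Same effect as the Group Policy setting under BitLocker Drive Encryption > Removable Data Drives:
    # RDVDenyWriteAccess = 1 leaves unencrypted removable drives readable but blocks writes to them.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name RDVDenyWriteAccess -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
Get-UsbStorageHistory              | Format-Table -AutoSize
Enable-DenyUnencryptedRemovableWrite
```

The USBSTOR list is a forensic artifact rather than a control: it tells you which drives have been connected (useful when one goes missing and nobody reported it), while the write-deny policy and a BitLocker To Go requirement are what actually stop sensitive files from leaving on an unencrypted stick.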

Android Gets Fix For KRACK WiFi Vulnerability

Last month, a new WiFi security vulnerability known as “Krack” was disclosed by a security researcher named Mathy Vanhoef. It was about as serious as a security flaw could be. The attack tricks a client into reinstalling an already-used encryption key during the WPA2 handshake, which resets the key’s packet counter and lets an attacker within radio range decrypt traffic, replay packets and, depending on the cipher in use, inject or tamper with them. To pull this off, the attacker typically clones the access point on another channel and relays traffic through the clone, which gives them a man-in-the-middle position against anyone on the network.

The major tech companies were all given advance notice of Vanhoef’s research, and many responded with patches almost immediately after it was published. Apple, for example, released a Krack patch at the end of October.

Microsoft was even quicker, having quietly shipped a fix in its October Patch Tuesday update before Vanhoef’s research was made public.

In that regard, Google has been a bit behind the curve, but as of the release of this month’s Android Security Bulletin, the company has at last provided a fix for the issue.

This month’s bulletin is split across three security patch levels:

  • 2017-11-01
  • 2017-11-05
  • 2017-11-06

The Krack fixes are contained in the last of these, 2017-11-06.

If your Android device is set to receive security updates automatically, the patch will be installed when your device maker or carrier ships it, which can lag Google’s bulletin by weeks or longer. Check Settings > About phone > Android security patch level; you want to see 2017-11-06 or later.

If you tend to take a skeptical view of automatic updates, then at the very least make sure your devices reach the 2017-11-06 patch level. If they don’t, you’re probably putting your organization at unnecessary risk. If you want to check whether you’re vulnerable before applying the update, you can do that too: Vanhoef released his detection scripts on his GitHub account, and a third party has since built a tool aptly named “Krack Detector” that you can use to see if you need the fix.

Either way, it’s worth looking into, and something your team should make a priority.

Issue With Android Could Let Someone Record Screen And Audio

Do you have an Android phone? Is it running Lollipop, Marshmallow or Nougat? Those three releases account for slightly more than 75 percent of the Android phones in service today, so odds are excellent that you do. If so, you should be aware of a nasty vulnerability that could allow a hacker to perform at-will screen captures and audio recording without your knowledge.

The issue resides within Android’s MediaProjection service. Screen capture has been part of the OS for a long time, but it only recently became an issue because, prior to Android Lollipop (version 5.0), third-party apps couldn’t use it: an app needed system-level access and had to be signed with the device’s release keys, which meant only system apps shipped by Android OEMs could capture the screen.

That changed with the release of Lollipop, which opened the service up to any app. Unfortunately, when Google relaxed access to the service, it didn’t put it behind a permission that apps would have to request and users could review. All a third-party developer needs to do is fire an intent that shows a SystemUI popup warning the user that the app wants to capture the screen and/or system audio, and wait for the user to tap through it.

Here’s the problem, though. Security researchers discovered that an attacker can detect when that system popup is about to appear and draw their own content over the top of it (a classic tapjacking overlay), so the user taps what looks like a harmless button and unwittingly approves the capture. The phone’s owner is left with no idea that screen captures and audio recordings are in progress.

Since the discovery of the security flaw, Google has released a patch that addresses it. Unfortunately, the patch only applies to Android Oreo (8.0). Older phones are still vulnerable.

If there’s one saving grace, it is the fact that the attack is not completely stealthy, and observant users will note the screencast icon in the phone’s notification bar. It’s far from perfect protection, but it’s something, so be aware if you’ve got an older Android phone.

Microsoft Word Gets Update To Disable DDE After Malware Concerns

In recent months, Microsoft Word has been getting a fair amount of bad press, thanks to an old-but-still-supported feature called DDE (Dynamic Data Exchange). It lets a Word document pull data from another application through a field embedded in the document; for instance, a field that points at an Excel spreadsheet will ask Excel for fresh data each time the document is opened, so the figures update dynamically.

It’s a useful feature, but it’s open to abuse: a DDE field can name any program on the system, so an attacker can craft a document (or an email or calendar invite rendered by Word) whose field launches something like PowerShell with a malicious command line when the file is opened, with no macros required.

For a long time, Microsoft’s position was that DDE isn’t a flaw, since it works as designed, and the company declined to change it. The reasoning was that Office already prompts the user before a DDE field executes: once to ask whether to update links to other files, and again to ask whether to start the named application, so the user always has a choice.

Unfortunately, attackers found ways to game that system as well, using syntax tricks that change what the second prompt says so that it looks harmless, and ultimately that’s what changed the company’s mind.

Back in October, Microsoft published Security Advisory 4053440, which warned of the potential dangers of DDE and documented the registry settings that disable the feature in Word, Outlook and Excel. The company has now taken things a step further: the Office Defense in Depth Update described in ADV170021 disables DDE in Word by default and adds a registry value (AllowDDE) that administrators can use to control it.
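For machines where the update lags or where you want the setting enforced regardless, the per-user Word values from the two advisories can be audited and applied with PowerShell. This is an added example, not code from the article or from Microsoft: it assumes the values documented in Security Advisory 4053440 (DontUpdateLinks under Word\Options and Word\Options\WordMail, the latter covering the Outlook mail editor) and ADV170021 (AllowDDE under Word\Security, honored only once that update is installed), and that it runs in the affected user’s own session, since the keys live under HKCU.

```powershell
# Added example: audit and apply the Word DDE hardening values from Security Advisory
# 4053440 (DontUpdateLinks) and ADV170021 (AllowDDE). Runs per user (HKCU).
# Office registry version keys: 11.0 = 2003, 12.0 = 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016/365.
$OfficeVersions = @('11.0', '12.0', '14.0', '15.0', '16.0')

function Get-WordDdeSetting {
    # Report the current state for every Office version present under HKCU.
    foreach ($v in $OfficeVersions) {
        $base = "HKCU:\Software\Microsoft\Office\$v\Word"
        if (-not (Test-Path $base)) { continue }
        $opt  = Get-ItemProperty -Path "$base\Options"          -ErrorAction SilentlyContinue
        $mail = Get-ItemProperty -Path "$base\Options\WordMail" -ErrorAction SilentlyContinue
        $sec  = Get-ItemProperty -Path "$base\Security"         -ErrorAction SilentlyContinue
        [pscustomobject]@{
            OfficeVersion           = $v
            DontUpdateLinks         = $opt.DontUpdateLinks    # want 1
            WordMailDontUpdateLinks = $mail.DontUpdateLinks   # want 1 (Outlook's Word-based editor)
            AllowDDE                = $sec.AllowDDE           # 0 = off, 1 = running programs only, 2 = fully on
        }
    }
}

function Set-WordDdeDisabled {
    foreach ($v in $OfficeVersions) {
        $base = "HKCU:\Software\Microsoft\Office\$v\Word"
        if (-not (Test-Path $base)) { continue }   # that Office version isn't installed for this user
        foreach ($sub in 'Options', 'Options\WordMail') {
            $key = "$base\$sub"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name DontUpdateLinks -PropertyType DWord -Value 1 -Force | Out-Null
        }
        $sec = "$base\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        # 0 disables DDE entirely; 1 would allow DDE to already-running programs but never launch one.
        New-ItemProperty -Path $sec -Name AllowDDE -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Set-WordDdeDisabled
Get-WordDdeSetting | Format-Table -AutoSize
```

Because these are HKCU values, push them through a logon script or Group Policy Preferences rather than running them once as an administrator, or they will only protect the account that ran them.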

In fact, the company now sees the problem as so severe and pervasive that it took the unusual step of issuing updates for Word 2003 and 2007, two versions that Microsoft has officially stopped supporting.

If your employees use MS Office, this most recent patch is of critical importance, so if you’re not getting updates automatically, make sure your team knows to grab and apply this one.

Researchers Find Malware Targeting Industrial Systems

In the malware ecosystem, few strains are more alarming than those that target industrial control systems. Think Stuxnet, Industroyer and IronGate. Recently, security researchers from FireEye identified a new threat in this class. Alternately called “Triton” or “TRISIS,” the code targets Triconex Safety Instrumented System (SIS) controllers, which are manufactured by Schneider Electric. An SIS is the independent safety layer in an industrial plant: its job is to detect when a process is leaving its safe operating envelope and bring it to a safe state, usually by shutting it down. It is the last line of defense between a malfunction and a fire, explosion or toxic release.

So far, there’s suggestive evidence that at least one state-sponsored attack has been carried out using the new strain of malware, although neither the identity of the target of the attack, nor the organization responsible for it have been disclosed. All we know for sure is that the attack was launched against an industrial concern in the Middle East.

The malware speaks the TriStation protocol, the proprietary protocol Triconex uses between its engineering software and the controllers. There is no public documentation for it, which suggests the malware’s developers reverse engineered it.

A spokesman for FireEye had this to say about the code in general and the recent attack:

“The attacker gained remote access to an SIS engineering workstation and deployed the Triton attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

The attacker deployed Triton shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available.”

The real danger of software like this is that it can reprogram the safety controllers to ignore conditions they exist to catch, so equipment keeps running after it has left its safe operating limits, which can lead to physical damage to critical infrastructure and to the people around it.

If deployed against a power station, for instance, it could result in widespread blackouts. If deployed against a nuclear installation, it could send the reactor into a meltdown.

Threats like these are becoming more common, and with safety controllers like these deployed in plants around the world, it’s just a matter of time before an attack like this hits closer to home.

A Million Imgur Users Affected By Breach

Do you use the image hosting service Imgur? If you do, there’s a slight chance you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:
  • Not much information was stolen during the hack, because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you reuse your Imgur password on other systems, you are at additional risk and should change it there too.
  • At the time of the breach, Imgur was storing passwords as SHA-256 hashes. SHA-256 is a hash, not encryption, and it is designed to be fast; that makes it a poor choice for passwords on its own, since an attacker can test enormous numbers of guesses per second against the stolen hashes, and weak or common passwords from this dump should be assumed recovered.
  • In 2015, the company switched to bcrypt, a purpose-built password hash with a per-user salt and a tunable work factor that makes each guess expensive, so if the company is breached again in the future, it will be far harder for the hackers to glean anything useful from stolen data.
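Why a fast hash like SHA-256 offers so little protection once the hashes are stolen, as an added PowerShell example (not from the article or from Imgur). The “leaked” hashes and the wordlist are constructed for the demo. bcrypt isn’t built into .NET, so PBKDF2 via Rfc2898DeriveBytes stands in here as the deliberately slow, salted, iterated alternative; the timings are dominated by PowerShell overhead and real cracking hardware is many orders of magnitude faster on SHA-256, which is exactly the point.

```powershell
# Added example: dictionary attack against unsalted SHA-256 password hashes, then a
# per-guess cost comparison with a salted, iterated hash (PBKDF2 standing in for bcrypt).
# All "breach" data and the wordlist below are constructed for the demonstration.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Text) {
    ($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) |
        ForEach-Object { $_.ToString('x2') }) -join ''
}

# Constructed breach dump: username -> unsalted SHA-256(password)
$Leaked = @{
    'alice' = Get-Sha256Hex 'letmein'
    'bob'   = Get-Sha256Hex 'Summer2017'
    'carol' = Get-Sha256Hex 'xK9$vq!2Lm#pR7'     # strong, not in the wordlist
}
$Wordlist = @('password', '123456', 'letmein', 'qwerty', 'Summer2017', 'welcome1')

function Invoke-DictionaryAttack($LeakedHashes, $Candidates) {
    # Without a per-user salt, each candidate is hashed once and compared against every user.
    $table = @{}
    foreach ($w in $Candidates) { $table[(Get-Sha256Hex $w)] = $w }
    foreach ($user in $LeakedHashes.Keys) {
        $h = $LeakedHashes[$user]
        [pscustomobject]@{ User = $user; Cracked = $table.ContainsKey($h); Password = $table[$h] }
    }
}

Invoke-DictionaryAttack $Leaked $Wordlist | Sort-Object User | Format-Table -AutoSize
# alice and bob are recovered; carol survives only because her password is not guessable.

# Cost per guess: plain SHA-256 versus PBKDF2-HMAC-SHA1 with 100,000 iterations and a 16-byte salt.
$n = 2000
$fast = Measure-Command { 1..$n | ForEach-Object { Get-Sha256Hex "guess$_" } }
'SHA-256 : {0:N1} microseconds per guess (mostly PowerShell overhead)' -f ($fast.TotalMilliseconds * 1000 / $n)

$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$m = 20
$slow = Measure-Command {
    1..$m | ForEach-Object {
        $kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new("guess$_", $salt, 100000)
        $null = $kdf.GetBytes(32)
    }
}
'PBKDF2  : {0:N1} milliseconds per guess' -f ($slow.TotalMilliseconds / $m)
```

The two numbers make the design point: a salt forces the attacker to redo the work for every user, and the work factor makes each guess cost tens of milliseconds instead of microseconds, which turns a dump that cracks in minutes into one that takes years.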
All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.

Corporate Attacks On The Rise Through Vulnerable Printers

Few things are more ubiquitous in an office environment than printers. Of course, these days, most printers are much more than simply that. They can also scan, copy and even send emails. As such, they’ve become an increasingly attractive option to hack, according to the latest data released by Barracuda Networks.

The reason is simple. Most printers aren’t as well protected as PCs and other devices on your network. They’re the weak point in your company’s defensive armor.

The upsurge in this type of attack seems to be focused on Canon, HP and Epson printers, and works like this:

A printer is compromised (or simply impersonated) and used to send spoofed “scanned document” emails, usually bearing an innocuous subject line such as “Scanned From HP,” “Scanned from Epson” or “Scanned from Canon,” with the malicious payload attached.

Most employees don’t think twice about opening such attachments because they appear to be from a legitimate source inside the company, which is, of course, exactly what the hackers are counting on.

While any sort of payload can be delivered in this manner, the most common strain found installs a back door on the target PC, allowing the hackers to:

  • Monitor behavior and log keystrokes
  • Change computer settings
  • Copy files
  • Access other connected systems
  • And more.

In a clear indication that the malware could be used to launch a ransomware style attack, it also gives the hackers the ability to replace the PC’s wallpaper with any file they choose.

Employees should be more mindful of this type of attack and always double check that the sender is genuine: a scan-to-email message from your own printer comes from the address configured on the printer, on your own domain, and a “scan” that arrives as a .zip, .js or macro-enabled Office file rather than a PDF or image is a red flag. It’s also important to hover over any links embedded in such emails to check where they really point before clicking on them.

If you haven’t been on the receiving end of an attack like this yet, count yourself lucky and stay vigilant.