Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime, Malware, Spyware | disc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.


Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.

“The value of ‘data’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.


Tags: keylogger, Malware, SMB


Feb 08 2024

As-a-Service tools empower criminals with limited tech skills

Category: Cybercrime, Ransomware, Security Tools | disc7 @ 9:45 am

As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.

Cybercriminals exploit as-a-Service tools

As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.

The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:

  • Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
  • Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
  • Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
  • Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
  • Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.

Phishing threats escalate in business communications

Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.

As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between the 1st September and the 31st December 2023.

But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.

In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.

Multi-function malware on the rise

Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.

For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.

“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an up-hill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”


Tags: As-a-Service, darktrace, Malware


Apr 24 2023

Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

Category: Cyber Attack, Malware | DISC @ 8:15 am

Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can damage our devices, steal personal data, and lead to monetary loss. Protecting your computer from these threats is therefore crucial. This article outlines some methods and resources for protecting your devices from malicious software, and explains why malware removal software should be running at all times.

Tip #1: Keep Your Operating System and Software Up to Date

One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.

To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.

Tip #2: Use Antivirus and Anti-Malware Software

Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.

When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.

Tip #3: Use a Firewall

A firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By using a firewall, you can protect your computer from potential cyber attacks and enhance its security.

Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.
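A read-only posture check covering Tips 1 to 3 on a Windows machine, added here as an example (not code from the original post); it assumes Microsoft Defender is the built-in antivirus and uses the Windows Update COM interface and the Defender and NetSecurity PowerShell modules that ship with Windows.

```powershell
# Added example (not from the original post): reports whether automatic updates,
# antivirus and the host firewall are in the state Tips 1-3 ask for.
# Assumes Microsoft Defender is the active antivirus. Nothing here changes settings.

function Test-UpdatePosture {
    # Tip 1: automatic updates switched on and nothing left uninstalled.
    # NotificationLevel 4 = "scheduled installation" (fully automatic).
    $au       = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates   # contacts Windows Update; may take a minute
    $lastFix  = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    [pscustomobject]@{
        Check  = 'Updates'
        Pass   = ($au.NotificationLevel -eq 4) -and ($pending.Count -eq 0)
        Detail = "AutoUpdate level=$($au.NotificationLevel); pending=$($pending.Count); last hotfix=$lastFix"
    }
}

function Test-AntivirusPosture {
    # Tip 2: real-time protection on and signatures no older than a week.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Check  = 'Antivirus'
        Pass   = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and ($s.AntivirusSignatureAge -le 7)
        Detail = "enabled=$($s.AntivirusEnabled); realtime=$($s.RealTimeProtectionEnabled); signature age (days)=$($s.AntivirusSignatureAge)"
    }
}

function Test-FirewallPosture {
    # Tip 3: the built-in firewall must be on for every profile (Domain, Private,
    # Public) with inbound connections blocked by default.
    $profiles = Get-NetFirewallProfile
    $bad = $profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    [pscustomobject]@{
        Check  = 'Firewall'
        Pass   = (@($bad).Count -eq 0)
        Detail = ($profiles | ForEach-Object { "$($_.Name): enabled=$($_.Enabled), inbound=$($_.DefaultInboundAction)" }) -join '; '
    }
}

$results = @(Test-UpdatePosture; Test-AntivirusPosture; Test-FirewallPosture)
$results | Format-Table -AutoSize
# Non-zero exit code so a scheduled task or RMM job can flag a failing machine.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```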

Tip #4: Use Strong and Unique Passwords

Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords; weak passwords are guessed quickly, giving attackers easy access to your computer. By using strong and unique passwords, you can significantly enhance your computer’s security.

To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.

Tip #5: Be Wary of Phishing Scams

Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.

To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.

If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.

Tip #6: Use Two-Factor Authentication

Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.

Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.

Tip #7: Back Up Your Data Regularly

The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.

In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines.


Tags: cyber attacks, data breaches, Malware


Apr 09 2023

Malware types and analysis

Category: Information Security, Malware | DISC @ 9:48 am

Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, (Windows Internals Supplements)

Malware analysis reports – Reports and IoCs from the NCSC malware analysis team


Tags: Malware, Malware Analysis, windows malware


Dec 29 2022

GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

Category: Antivirus, Malware, Threat detection | DISC @ 11:30 am

Cybersecurity researchers at CrowdStrike have recently exposed an advanced malware downloader named GuLoader. The downloader is able to evade detection by security software by adopting a variety of techniques.

While analyzing GuLoader’s shellcode, CrowdStrike discovered a brand-new anti-analysis technique through which the malware determines whether it is running in an analysis environment: it scans the whole process memory for VM-related strings.

Evolution of GuLoader Malware

On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans like Agent Tesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT using the VBS downloader.

GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems. 

It has also been distributed through other channels, such as exploit kits and hacked websites. As it has evolved, it has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.

GuLoader also deploys strong anti-analysis techniques in order to remain undetected.

GuLoader runs in three stages: the VBScript first injects the shellcode embedded within it into memory, and the next stage then executes anti-analysis checks that protect the code from being analyzed.

Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.

The malware detects breakpoints used for code analysis through anti-debugging and anti-disassembly checks.

There is also a redundant code injection mechanism, used to avoid the NTDLL.dll hooks commonly placed by antivirus programs and EDRs.

In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking. 

Anti-Analysis Techniques

The anti-analysis techniques used are:

  • Anti-Debugging
  • Anti-Virtual Machine
  • Process Hollowing

It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.


Tags: Antivirus Bypass Techniques, Evade Detection, Malware


Dec 12 2022

95.6% of New Malware in 2022 Targeted Windows

Category: Malware, Windows Security | DISC @ 11:06 am

Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

Research Findings

A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

This analysis was based on data from AV-TEST GmbH, an independent organization that evaluates and rates antivirus software and provides IT security and antivirus research services. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022.

Windows, Linux, and Android Malware

Overall, the data shows a downward trend: the number of malware samples this year has decreased by 34% compared to the same period last year. However, the numbers are still exceptionally high.

Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

Total Number of Malware

The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amounts to 62.29 million. This is about 228,164 malware threats daily.

In a quarter-by-quarter comparison, the first quarter of 2022 saw the most significant number of malware samples – 22.35 million. This number dropped by 4% to 21.49 million in the second quarter of the year, and in the third quarter it decreased by another 14% to 18.45 million.

The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

Protection Against Malware

Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers ((don’t use it on Hackread.com though :0)) for enhanced protection against malicious activities.


Tags: Malware, Malware Analysis


Nov 14 2022

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

Category: Information Security, Malware | DISC @ 11:36 pm

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.


https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper

Tags: Malware


Oct 31 2022

Active Raspberry Robin Worm Launch a ‘Hands-on-Keyboard’ Attacks To Hack Entire Networks

Category: Malware | DISC @ 12:47 pm

During recent research, Microsoft has discovered evidence of a complex interconnected malware ecosystem that is associated with the Raspberry Robin worm.

Several links between the Raspberry Robin worm and other malware families were identified, and security experts have also found that it uses alternate infection tactics.

Infections like these lead to a variety of complications, listed below:

  • Hands-on-keyboard attacks: When attackers are already inside your environment following a breach, a hands-on keyboard attack will occur. It is a two-sided operation; on one end it’s the cybercriminal who sits at a keyboard, while on the other side it’s your compromised network that is being accessed.
  • Human-operated ransomware activity: It occurs when cybercriminals are involved in an active attack on a victim. Using this approach, an organization’s on-premises infrastructure is penetrated, privileges are elevated, and ransomware is deployed by the threat actors.

Compromised 1,000 Organizations

In the past 30 days, the Raspberry Robin worm has triggered payload alerts on more than 3,000 devices across over 1,000 organizations. There have been instances where the Raspberry Robin worm was installed on victims’ systems by malware called FakeUpdates.

Raspberry Robin is also known as QNAP Worm, since it uses compromised QNAP storage servers for command-and-control. It spreads to other devices through infected USB drives containing malicious .LNK files.

The worm will spawn a msiexec process using cmd[.]exe as soon as a USB device is attached.

To reach its C2 servers, the malware communicates through compromised Windows devices.

Raspberry Robin’s Connection

Microsoft Security Threat Intelligence Center (MSTIC) observed Raspberry Robin in October 2022 being used by DEV-0950, another actor involved in post-compromise activity.

DEV-0950 activity leads to Cobalt Strike hands-on-keyboard compromises. The majority of DEV-0950’s victims have traditionally been acquired via phishing scams.

However, the operators of DEV-0950 have moved to use Raspberry Robin instead of the traditional method. The advantage of this approach is that the payloads can be delivered to existing infections and the campaigns can move to the stage of ransomware more quickly.

Mitigations

To mitigate the impact of this threat, defenders can apply the following measures:

  • When mounting the drive, prevent autorun from being used and code from being executed.
  • Make sure the tamper protection setting is enabled in order to protect Microsoft Defender Antivirus from being interrupted by attacks.
  • It is very important to turn on cloud-delivered protection for Microsoft Defender Antivirus or your antivirus software counterpart if it supports the feature.
  • The USB port should be blocked from running untrusted or unsigned processes.
  • Scripts that may be obfuscated should be blocked from being executed.
  • It is imperative to block executable files from running unless they fulfill all the trusted criteria.
  • The local security authority subsystem of Windows should be protected against credential theft.
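The mitigation list above maps onto Microsoft Defender Antivirus settings; the PowerShell below is an added example, not code from the original post or from Microsoft, and assumes Defender is the active antivirus and that the script runs elevated. The ASR rule GUIDs are Microsoft’s published rule identifiers and should be checked against the current Defender documentation before deployment.

```powershell
# Added example (not from the original post): applies the Raspberry Robin
# mitigations on a Windows endpoint running Microsoft Defender Antivirus.
# Assumes an elevated session; Get-/Set-/Add-MpPreference and
# Get-MpComputerStatus ship with Windows.
#Requires -RunAsAdministrator

# 1. Stop AutoRun/AutoPlay from executing code when a removable drive is mounted.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun'          -Value 1    -Type DWord  # disable AutoRun entirely
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord  # disable AutoPlay on every drive type

# 2. Tamper protection cannot be switched on from a script (that is the point of
#    it); it is set in the Windows Security app or through Intune. Report it instead.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF: enable it in Windows Security or via Intune.'
}

# 3. Cloud-delivered protection, with sample submission and block-at-first-seen.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableBlockAtFirstSeen $false
Set-MpPreference -CloudBlockLevel High

# 4. Attack Surface Reduction rules covering the remaining four bullets
#    (GUIDs from Microsoft's published ASR rule list; verify before rollout).
$asrRules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age or trusted-list criterion'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

# Roll out in audit mode on a pilot group first; switch to 'Enabled' once the audit
# events (Event ID 1122 in Microsoft-Windows-Windows Defender/Operational) show
# no business-critical process being flagged.
$mode = 'AuditMode'   # change to 'Enabled' to enforce
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ('{0}: {1} ({2})' -f $mode, $asrRules[$id], $id)
}

# 5. Verify what is actually applied (0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```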

Tags: Active Raspberry Robin Worm, Malware


May 26 2021

New Disk Wiping Malware Targets Israel

Category: Malware | DISC @ 10:51 am

Advanced malware analysis

Tags: data destruction, Malware, ransomware


Apr 19 2019

Malware Analysis

Category: Malware | DISC @ 12:17 pm

Introduction to Malware Analysis | SANS Lenny Zeltser

Five Awesome Tools to perform Behavioural Analysis of Malware





Tags: complex malware, Malware, malware 2.0


Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security, Information Security | DISC @ 1:18 pm


July 22nd, 2013 by Lewis Morgan 

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it….

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details but one of them said, “We don’t particularly focus on cyber security, it’s always large organisations which are in the news about getting hacked and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked, the same day as, let’s say DELL, were hacked – who’d make it into the news? DELL would, why? Because it’s likely to be more of an interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying ‘hit me’. That’s effectively what this director is doing, turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked – chances are he doesn’t even read the publications which cover those stories.

Ignorance

It’s a strong word, isn’t it? Personally I hate calling people ignorant, I’d rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5 year plan which sees 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you’re hitting your targets – but you’ve just discovered that there’s been a data breach and your customers’ credit card details have been sold online.

Your plans have now become redundant; and, depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35 – 65K (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager who has been raising spam issues at each monthly meeting, but all you chose to hear is “we’ve not been hacked” and “invest”, which is enough for you to move on.

What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it’s not happened yet but there’s a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

  • Inability to perceive cyber threats
  • Grey areas in appropriate knowledge
  • Naivety
  • Overhead cost restrictions
  • Refusal to listen to something you don’t understand
  • Absent mindedness
  • No interest in the customer’s best interests
  • Careless decisions
  • Eventual disaster


Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book





Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware


Jan 04 2013

Controls against industrial Malware

Category: Malware | DISC @ 11:43 pm

Malicious software is called a malware and malware may include viruses, worms and trojans. A virus is a piece of code which is capable of replicating itself and mainly it depends on a host file (a document) to reach its target. However worm does not rely on the host file to reach the target but it does replicate. Main property of Trojan is concealment of code and ultimately used to get control of target system.

Modern day malware such as Stuxnet can manipulate the Programmable Logic Controllers (PLCs) of critical infrastructure. Industrial Control System (ICS), SCADA and manufacturing industry infrastructure is controlled by PLCs. Other malware, named Duqu and Flame by their discoverers, is similar to Stuxnet in many respects. Like modern trojans, Duqu communicates with a command and control server in encrypted form, which gives you an idea of the sophistication needed to develop this malware. In the past year the discovery of the Stuxnet malware, and subsequently of the Flame, Duqu and most recently Gauss malware, has brought the issue of state-sponsored cyberwarfare into sharp focus in the security community, where such tools are simply known as modern day weapons of mass destruction (WMD).

The discovery of this modern day malware caused an uproar among the security community when it was found that it had been specifically designed as a highly targeted industrial espionage tool. Perhaps this creates a frenzy out there to develop these kinds of tools, but it brings out some questions which I’m unable to answer. Is it legal for a state to develop these tools? Is it legal for a state to use these tools in offense? Do we have any international charter on the legality of these tools? Otherwise Stuxnet, Duqu and Flame may set a wrong legal precedent of what’s good for the goose is good for the gander.

The main sources of malware infection are USB drives, CD-ROMs, the internet and unaware users, but malware can also install itself on your computer when you simply visit an infected or implanted website (pirated software, websites with illegal content).

An organization should perform a comprehensive risk assessment of its malware policy to determine whether it will accept the risk of Adobe attachments and other executable files passing through its perimeter gateway. The organization may need to consider all possible sources of malware threats in its risk assessment, which may include, but are not limited to, spyware.

Malware Controls:
• A high level formal malware policy and procedure. There should be a formal policy and procedure for USB drives if the risk assessment determines that the USB drive risk is not acceptable to the business. In that case a control (policy, procedure, technical or training), or several of these controls, must be implemented to mitigate the risk to an acceptable level.
• An anti-virus policy which makes installation mandatory, with signature file updates taking place at a regular interval (daily)
• A patch policy covering all the latest patches, fixes and service packs published by the vendors
• Regular audit or review of the anti-malware software and its data files on each system
• All email attachments and software downloads should be checked for malware at the perimeter, with Adobe attachments and executables treated according to the risk assessment (drop or pass)
• User awareness training on possibly infected email, spyware and infected websites
• A business continuity plan to recover from a possible malware attack
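The perimeter attachment control above, as an added example that is not code from the original post: attachments are classified by their content (magic bytes) rather than by the file name the sender chose, and a drop/pass/quarantine table stands in for the outcome of the organization's own risk assessment. The policy values, the sample attachments and the helper names are all assumptions constructed for illustration.

```python
"""Perimeter attachment policy check (added example, not from the original post).

Classifies e-mail attachments by content rather than by name, then applies
a drop/pass/quarantine table that stands in for the organisation's own risk
assessment (assumed values).
"""
from dataclasses import dataclass, field

# Assumed decision table produced by the risk assessment.
POLICY = {
    "executable": "drop",        # PE/ELF binaries never cross the perimeter
    "pdf_active": "quarantine",  # PDF carrying JavaScript / auto-open actions
    "pdf": "pass",               # plain PDF passes (after the AV scan)
    "office_macro": "quarantine",
    "other": "pass",
}

# Markers of active content inside a PDF body
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Decision:
    filename: str
    content_class: str
    action: str
    reasons: list = field(default_factory=list)


def classify(data: bytes) -> str:
    """Content class from magic bytes, ignoring the file name entirely."""
    if data.startswith(b"MZ") or data.startswith(b"\x7fELF"):
        return "executable"
    if data.startswith(b"%PDF"):
        return "pdf_active" if any(m in data for m in PDF_ACTIVE_MARKERS) else "pdf"
    if data.startswith(b"PK\x03\x04") and b"vbaProject.bin" in data:
        return "office_macro"  # OOXML zip whose local headers name a VBA project
    return "other"


def decide(att: Attachment, policy=POLICY) -> Decision:
    """Look the content class up in the policy and record why it was flagged."""
    cls = classify(att.data)
    d = Decision(att.filename, cls, policy[cls])
    name = att.filename.lower()
    # Double extensions such as "invoice.pdf.exe" are a classic disguise
    if name.count(".") >= 2 and name.rsplit(".", 1)[1] in ("exe", "scr", "com", "bat"):
        d.reasons.append("double-extension")
    # Declared type disagrees with the real content
    if name.endswith(".pdf") and cls not in ("pdf", "pdf_active"):
        d.reasons.append("extension-content-mismatch")
    if cls == "pdf_active":
        d.reasons.append("active-content")
    return d


def filter_message(attachments, policy=POLICY):
    """Apply the policy to every attachment of one message; returns Decisions."""
    return [decide(a, policy) for a in attachments]


# Constructed sample attachments (not real files)
SAMPLE = [
    Attachment("invoice.pdf.exe", b"MZ\x90\x00\x03\x00" + b"\x00" * 32),
    Attachment("report.pdf", b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"),
    Attachment("brochure.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >>"),
    Attachment("quote.pdf", b"\x7fELF\x02\x01\x01" + b"\x00" * 16),
    Attachment("notes.txt", b"meeting notes"),
]

if __name__ == "__main__":
    for d in filter_message(SAMPLE):
        print(f"{d.filename:18} {d.content_class:13} {d.action:10} {d.reasons}")
```

The point of deciding on content rather than name is that the renamed executable (`quote.pdf`) and the double-extension file are both dropped, while a plain PDF still passes and a PDF with an auto-run action is held for review instead of being rejected outright.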

Related Books

Malware Titles from DISC InfoSec Store
Anti-Malware Software from DISC Infosec store
Anti-Virus software from DISC InfoSec Store
Anti-Malware Titles from eBay

Free Online Virus Scan

Norton Virus Scan | McAfee Virus Scan | Analyze suspicious files




Tags: anti virus, Malicious Software, Malware, Security, Spyware and Adware, trojan, Trojan Horses, Viruses


Nov 01 2012

10 reasons to ponder before using your smartphone for banking

Category: Smart Phone | DISC @ 11:55 am


 

Mobile Payment Security

01) There is no clear legislation that sets out your rights to receive a refund if your bank account is fraudulently emptied due to mobile bank app insecurity. The burden of proof seems to be on the user to protect their handset, operating system, software, mobile operator infrastructure and everything else in the “chain” of the transaction.

02) Of course you want to be able to use WiFi hotspots, this means you are in most cases operating on an insecure wireless network. It’s so easy for “bad guys” to sniff the air with a free utility and read your details.

03) Most users have not even set up a basic passcode on their devices (smartphones). Therefore, if someone gets access to the device, they potentially have access to their bank account.

04) Most app stores do not test the security of apps. It is very easy for the “bad guys” to put malware in apps that can steal information from your device or from other apps on your phone (e.g. a banking app). It can also happen when the app updates.

05) Most smartphone users have not installed security software on their device. Therefore they have less security than a laptop or PC with security software installed.

06) The average smartphone user does not regularly perform OS (operating system) updates. Many of these updates are critical security patches.

07) Due to performance issues, many of the lower cost handset manufacturers are disabling security features in order to improve performance of the device.

08) Malware on the Android smartphone platform alone has gone up over 400% in the last year.

09) The technology that keeps apps separate on the device does not separate them into private sandboxes. This means that one app can read the details stored by another app without much difficulty.

10) If you check the T&Cs (terms and conditions) of your local banking app, you may find that it wants you to grant permission for the app to know your phone’s location (GeoIP).




Tags: Android, Geolocation, Malware, Operating system, Personal computer, Security, Smartphone, Wi-Fi


Oct 23 2012

The Rise of Malicious Traffic on Networks and How It Infects

Category: Malware | DISC @ 4:12 pm

 


Sophisticated malicious attacks can go largely undetected by most antivirus software. A defense in depth approach requires organizations to monitor for malicious activity, including malware (bot) traffic, at various levels of the network: the perimeter layer, the application level and, subsequently, the critical data level.

How might an end user become infected? The obvious scenario involves our less educated users, who could be clicking links in email messages from senders they do not know, or people visiting high-risk sites such as those offering free downloads. The second, less obvious scenario is where a user clicks a link on a known good site which itself links to a bad site. The most common situation here is where advertising space has been purchased and the site owner has not been able to perform the due diligence needed to make sure a reputable company bought it. Finally, there is a third and scarier scenario, where a trusted site has actually been compromised and infected with some kind of malware.

According to Symantec’s most recent Internet Security Threat Report, global networks faced more than 286 million cyberthreats in 2010, as attackers employed more sophisticated methods that make malware harder to detect and more difficult to remove. Furthermore, the number of Web-based attacks increased 93% in 2010, and malware writers have been turning their attention to social-networking sites such as Twitter and Facebook, where an estimated 17% of links are connected to malware.

So malicious activity is on the rise according to the Symantec report, which emphasizes the need to monitor and evaluate the harmful traffic entering your network. Malicious activity monitoring also requires effective incident handling procedures to analyze and evaluate malicious events and take appropriate action on them. An incident handling procedure also distinguishes an event from an incident, i.e. it defines when an event turns into an incident.

Real time malicious activity monitoring at the perimeter fits nicely with the ISO 27001 (ISMS) process. It not only satisfies the auditor’s need to see certain controls in the standard being monitored and maintained, but new threats to the organization also serve as a feed into the required risk assessment process, where they can be evaluated against the relevant vulnerabilities.
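The monitoring and event-to-incident handling described above, as an added example that is not code from the original post: bot traffic tends to call its command and control server at fixed intervals, so the check below measures how regular each (source, destination) connection pattern in a proxy log is, raises an event for regular patterns, and escalates to an incident when several internal hosts show the same pattern toward one destination. The log lines, thresholds and escalation rule are all constructed assumptions for illustration.

```python
"""Beacon detection over proxy logs with event-to-incident escalation.

Added example, not from the original post. The log, the thresholds and the
escalation rule are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real data): "<iso-time> <src> <dst> <http-status>"
SAMPLE_LOG = """\
2012-10-23T14:00:00 10.0.0.5 203.0.113.10 200
2012-10-23T14:05:00 10.0.0.5 203.0.113.10 200
2012-10-23T14:10:01 10.0.0.5 203.0.113.10 200
2012-10-23T14:15:00 10.0.0.5 203.0.113.10 200
2012-10-23T14:20:00 10.0.0.5 203.0.113.10 200
2012-10-23T14:25:01 10.0.0.5 203.0.113.10 200
2012-10-23T14:00:12 10.0.0.7 198.51.100.20 200
2012-10-23T14:01:40 10.0.0.7 198.51.100.20 200
2012-10-23T14:09:03 10.0.0.7 198.51.100.20 304
2012-10-23T14:31:55 10.0.0.7 198.51.100.20 200
2012-10-23T14:40:00 10.0.0.7 198.51.100.20 200
2012-10-23T14:41:10 10.0.0.7 198.51.100.20 200
2012-10-23T14:02:00 10.0.0.9 203.0.113.10 200
2012-10-23T14:07:00 10.0.0.9 203.0.113.10 200
2012-10-23T14:12:00 10.0.0.9 203.0.113.10 200
2012-10-23T14:17:01 10.0.0.9 203.0.113.10 200
2012-10-23T14:22:00 10.0.0.9 203.0.113.10 200
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def detect_beacons(records, min_conns=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection timing is too regular.

    An event is raised when a pair has at least `min_conns` connections and
    the coefficient of variation (stdev / mean) of the gaps is below `max_cv`.
    Human browsing (10.0.0.7 in the sample) is bursty and is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    events = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv < max_cv:
            events[pair] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return events


def triage(events, min_hosts=2):
    """Escalation rule (assumed): an event becomes an incident when the same
    destination is beaconed by `min_hosts` or more internal hosts."""
    hosts_per_dst = defaultdict(set)
    for (src, dst) in events:
        hosts_per_dst[dst].add(src)
    incidents = sorted(d for d, hosts in hosts_per_dst.items() if len(hosts) >= min_hosts)
    return {"events": sorted(events), "incidents": incidents}


def run(text=SAMPLE_LOG):
    """Parse, detect and triage in one step; returns events and incidents."""
    return triage(detect_beacons(parse_log(text)))


if __name__ == "__main__":
    print(run())
```

Two hosts polling the same address every five minutes produce two events and one incident, which is the hand-off point into the incident handling procedure; a single regular pattern stays an event for an analyst to confirm first.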

Below are some of the well-known malicious attacks that can be used to breach a network:

SQL injection: by analysing the URL syntax of targeted websites, hackers are able to embed instructions that upload malware giving them remote access to the target servers.

Exploiting system vulnerabilities is another method: in many cases laptops, desktops and servers do not have the latest security patches deployed, which creates a gap in the security posture. Gaps or system vulnerabilities can also be created by improper computer or security configurations. Cyber-criminals search for and exploit these weaknesses to gain access to the corporate network and confidential information.

Targeted malware: cybercriminals use spam, email and instant message communications, often disguised to come from known entities, to direct users to websites that are compromised with malware. This covers several different approaches that cybercriminals use to infect systems with malicious code.
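The SQL injection pattern in the list above, as an added example that is not code from the original post: the vulnerable form pastes a value taken from the request URL straight into the SQL text, so the sender controls the query's syntax rather than only its data, while the fixed form binds the value as a parameter. The in-memory SQLite table, its rows and the function names are constructed for illustration.

```python
"""SQL injection: the vulnerable pattern beside its parameterised fix.

Added example, not from the original post. Uses an in-memory SQLite table
with constructed rows; the function names are hypothetical.
"""
import sqlite3


def build_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The 'before': the URL parameter becomes part of the SQL text, so a
    quote character in it changes the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: a bound parameter is always treated as data by the engine,
    whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    """Run the same input through both forms for side-by-side comparison."""
    conn = build_db()
    return {
        "vulnerable": find_user_vulnerable(conn, username),
        "safe": find_user_safe(conn, username),
    }


if __name__ == "__main__":
    print(compare("bob"))
    # A value that closes the quote and adds an always-true condition
    print(compare("' OR '1'='1"))
```

For an ordinary name both forms return the same single row; for a value containing a quote the vulnerable form returns every user while the parameterised form returns nothing, which is also the behaviour to look for when reviewing the web tier that sits in front of the database.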




Tags: anti virus, facebook, Internet security, Malware, Security, Symantec


Apr 25 2011

Phishing emerges as major corporate security threat

Category: Email Security | DISC @ 9:11 pm

Source: Computer World

The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and RSA are stark reminders of the serious threat posed by what some experts have dismissed as a low-tech method of attack.

Oak Ridge, a U.S. Department of Energy-run research lab, this week disclosed it had shut down all Internet access and email services after discovering a sophisticated data stealing malware program on its networks.

According to the lab, the breach originated in a phishing email that was sent to about 570 employees. The emails were disguised to appear as notes about benefits changes written by the lab’s HR department. When a handful of employees clicked on the embedded link in the email, a malware program was downloaded onto their computers.

In terms of internal security, people are the weakest link, which makes phishing the emerging threat to any organization. Regular awareness training is one of the key controls to counter phishing.

Latest titles on Phishing and countermeasures




Tags: Internet access, Malware, Oak Ridge National Laboratory, phishing, RSA, U.S. Department of Energy, United States, United States Department of Energy


Jan 11 2011

Biggest mobile malware threat

Category: Malware, Smart Phone, Web 2.0 | DISC @ 2:39 pm

Facebook is biggest mobile malware threat, says security firm
Researcher claims bad links on Facebook are responsible for a much higher infection rate than targeted mobile malware

By Joan Goodchild -CSO

The biggest mobile infection threat isn’t malware that specifically targets mobile devices, according to new research from security firm BitDefender. Malware that targets Facebook is a far bigger problem for mobile security, the firm claims.

Spam links on social networks are infecting mobile devices via bad links on Facebook because the worms and other malware are often platform-independent and are widely spread as malware that targets PCs.

BitDefender officials point to Google statistics, which reveal almost one quarter of Facebook users who fell for a recent scam on the social network did so from their mobile device. The URL that was studied was one that claimed to show users a girl’s Facebook status which got her expelled from school. It generated 28,672 clicks — 24 percent of which originated from mobile platforms. Users who clicked on the link — whether on their PC or mobile device — downloaded a Facebook worm and fell victim to an adword-based money grabbing scheme.

“When data security researchers focus on finding malware specifically designed for mobile platforms, they lose sight of an important mobile platform threat source — the social network,” said George Petre, BitDefender Threat Intelligence Team Leader.

Mobile Malware Attacks and Defense

The Truth About Facebook – Privacy Settings Every Facebook User Should Know, and Much More – The Facts You Should Know




Tags: facebook, Google, Koobface, Malware, Mobile device, Mobile operating system, Social network, Uniform Resource Locator


Jan 06 2011

The Basics of Stuxnet Worm and How it infects PLCs

Category: Malware | DISC @ 1:01 pm

Considered to be the most intricately designed piece of malware ever, Stuxnet leverages attack vectors against industrial control systems, a territory rarely ventured into by traditional malware. Stuxnet targets industries, power plants and other facilities that use automation and control equipment from the leading German industrial vendor, Siemens. The term critical infrastructure refers to industrial systems that are essential for the functioning and safety of our societies. Considering the profound dependence of critical infrastructure on industrial control and automation equipment, it is essential to reassess the impact of this new generation of malware on the stability and security of our society.

Download WhitePaper

Has Israel Begun A Cyber War On Iran With The Stuxnet ‘Missile’?: An article from: APS Diplomat News Service

The New Face of War: How War Will Be Fought in the 21st Century




Tags: Business, Control system, Critical infrastructure, Industrial control systems, Iran, Malware, Siemens, Symantec


Jan 03 2011

New virus threatens phones using Android

Category: Malware | DISC @ 5:39 pm

Mobile Malware Attacks and Defense

WASHINGTON (AFP) – A virus infecting mobile phones using Google’s Android operating system has emerged in China that can allow a hacker to gain access to personal data, US security experts said.

A report this week from Lookout Mobile Security said the new Trojan affecting Android devices has been dubbed “Geinimi” and “can compromise a significant amount of personal data on a user’s phone and send it to remote servers.”

The firm called the virus “the most sophisticated Android malware we’ve seen to date.”

“Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone,” Lookout said.

“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities.”

The motive for the virus was not clear, according to Lookout, which added that this could be used for anything from “a malicious ad-network to an attempt to create an Android botnet.”

But the company said the only users likely to be affected are those downloading Android apps from China.

The infected apps included repackaged versions sold in China of Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

“It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected,” the security firm said.

Mobile Malware Attacks and Defense




Tags: Android, china, Google, Malware, mobile phone, Security, Servers, Trojan horse


Oct 01 2010

Stuxnet, world’s first “cyber superweapon,” attacks China

Category: Cybercrime | DISC @ 2:01 pm

Stuxnet, the most sophisticated malware ever designed, could make factory boilers explode, destroy gas pipelines, or even cause a nuclear plant to malfunction; experts suspect it was designed by Israeli intelligence programmers to disrupt the operations of Iran’s nuclear facilities — especially that country’s centrifuge farms and the nuclear reactor in Bushehr; it has now infected Chinese industrial control systems as well; one security expert says: “The Stuxnet worm is a wake-up call to governments around the world— It is the first known worm to target industrial control systems”

To read the remaining article …..




Tags: Bushehr, Business, Computer worm, Control system, Iran, Israel, Malware, Nuclear


Mar 24 2010

8 tips for safer online shopping

Category: Information Security | DISC @ 6:14 pm

By Microsoft.com
Online threats today come in the form of attacks on you and attacks on your computer. Here are eight (8) ways for you to have a safer online shopping experience:

1. Keep your computer software up to date.
Keep all software (including your web browser) current with automatic updates. If you are not already running Internet Explorer 8, the latest version of our web browser, click the button to the right to get it.

2. Defend your computer.
Use firewall, antivirus, antispam, and antispyware software. For an added layer of protection on your PC, you can download Microsoft Security Essentials for free or find other antivirus solutions.

3. Avoid phishing scams and malware.
By default Internet Explorer 8 runs SmartScreen Filter to help block and warn you of malicious software or phishing threats. SmartScreen Filter alerts you if a site you are trying to open has been reported as unsafe and allows you to report any unsafe sites you find.

4. Protect yourself from emerging threats
Cross-site scripting attacks are one of the increasingly sophisticated methods online criminals use to get your personal information. By default Internet Explorer 8 helps protect you against these attacks with a built-in Cross Site Scripting (XSS) Filter that is always on.

5. Identify fake Web addresses.
Internet Explorer 8 helps you avoid deceptive websites that can trick you with misleading addresses. The domain name in the address bar is highlighted in black to make it easier to identify a site’s true identity.

6. Browse more privately.
When you’re using a public computer to check e-mail or you’re shopping for a “surprise” gift on a family PC, it’s a good idea to use InPrivate Browsing—a feature that helps prevent your browsing history, cookies, and other information from being retained on your computer.

7. Make sure payment websites use encryption.
To confirm that a website uses encryption when processing credit card information, look for:

■ An “s” after http in the Web address—it should read https:

■ A tiny closed padlock in the address bar, or at the lower-right corner of the window.

■ A green address bar—Internet Explorer 8 uses this to indicate a trustworthy site.

8. Never respond to unsolicited requests to update your account information.
These e-mail messages might be scams for stealing your identity. Most legitimate companies never send unsolicited e-mail or instant message requests for your passwords or other personal information. And remember, if it sounds too good to be true, it probably is.
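Tips 5 and 7 above (identify the site's true domain; make sure payment pages use encryption) rely on the reader checking the address bar by eye. As an added example that is not code from the original article or from Microsoft, the check below does the same two things programmatically for a list of constructed URLs: it rejects anything that is not `https`, finds the registrable domain that actually owns the page, and flags lookalikes where a trusted brand appears as a subdomain or as user-info in front of the real host. `TRUSTED` is an assumed list of the sites the user actually deals with.

```python
"""Checks for the 'fake web address' and 'payment site uses encryption' tips.

Added example, not from the original article or from Microsoft. TRUSTED is an
assumed list of the sites the user actually deals with, and the sample URLs
are constructed.
"""
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com", "shop.example"}  # assumed


def registrable_domain(host):
    """Last two labels of the host name. Enough for the .com-style names used
    here; a real deployment would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_payment_url(url, trusted=TRUSTED):
    """Return the host, its owning domain and a list of findings (empty = ok)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    dom = registrable_domain(host)
    findings = []
    if parts.scheme != "https":            # tip 7: no "s" after http
        findings.append("no-https")
    if parts.username is not None:         # "https://bank@evil.example/" trick
        findings.append("userinfo-in-url")
    if dom not in trusted:                 # tip 5: the rightmost labels own the page
        findings.append("domain:" + dom)
        brands = {t.split(".")[0] for t in trusted}
        if any(b in host for b in brands):  # trusted name reused as a subdomain
            findings.append("lookalike")
    return {"host": host, "domain": dom, "ok": not findings, "findings": findings}


# Constructed sample URLs (not real sites)
SAMPLE_URLS = [
    "https://www.example-bank.com/login",
    "http://www.example-bank.com/login",
    "https://www.example-bank.com.secure-login.example/",
    "https://example-bank.com@evil.example/pay",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", check_payment_url(u))
```

The third URL is the case the article warns about: the familiar name is there, but the owning domain is `secure-login.example`, exactly what a browser's domain highlighting is meant to expose.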




Tags: cross site scripting, Internet Explorer, Internet Explorer 8, Malware, Microsoft Security Essentials, phishing, Web browser

