Tag Archives: ESET

Cryptocurrency/cryptojacking updates

Steve Kaaru for Null TX: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals – “The report revealed that cryptojacking incidences have spiked by over 450 percent in 2018, attributing the increased incidences to an NSA tool that was leaked in late 2017 which has been used by North Korean and Russian hackers in the past to infiltrate strategic targets. ”

The article is based on a report from the Cyber Threat Alliance THEY’RE DRINKING YOUR MILKSHAKE: CTA’S JOINT ANALYSIS ON ILLICIT CRYPTOCURRENCY MINING

Alyza Sebenius for Bloomberg: Hackers Are Targeting Bitcoin With a Leaked NSA Software Tip, Report Says


Lukas Stefanko for ESET: Fake finance apps on Google Play target users from around the world – “Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange…the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services.”

David Harley

Advertisements

Who says there’s no IoT in Idiot?

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Tomáš Foltýn for ESET: Bluetooth bug could expose devices to snoopers – “The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the Israel Institute of Technology. It impacts two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.”

Dave Cartwright for The Register: Some Things just aren’t meant to be (on Internet of Things networks). But we can work around that “Plus: Did you know ‘shadow IoT’ was a thing? It is.” Indeed it is, by analogy with “shadow IT”, where users install unapproved computing devices to the company network. Shadow IoT extends that to devices such as network cameras.

Richard Chirgwin for The Register: If you’re serious about securing IoT gadgets, may as well start here – “Mohit Sethi’s ambitious proposal … sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.”

The 2018 SANS Industrial IoT Security Survey report considers security concerns about  the use of the IIoT. Commentary from Help Net Security here. The report gives rise to particular concerns about the security of connected devices within critical infrastructure.

Pierluigi Paganani: Korean Davolink routers are easy exploitable due to poor cyber hygene [sic] – “Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.”

ZDnet: Flaw let researchers snoop on Swann smart security cameras – “Anyone could watch and listen to the live stream from the internet-connected smart camera.”

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

David Harley

AVIEN resource updates 8th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to GDPR page

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

Stephen Cobb for ESET: VPNFilter update: More bad news for routers 
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

Updates to Tech support scams resource page

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to Chain Mail Check

Tomáš Foltýn for ESET: You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways

“With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for”

Updates to Mac Virus

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

And from the New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

David Harley

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary (routers, for instance, in the story that leads below). But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is always necessary, or even desirable, given how often that connectivity widens the attack surface.]

Stephen Cobb for ESET: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”

Catalin Cimpanu for Bleeping Computer: The VPNFilter Botnet Is Attempting a Comeback – “…APT28 appears to be unphased by the FBI’s takedown of its original VPNFilter botnet and is now looking for new devices to compromise, and maybe this time, get to carry out its planned attack.”

Talos: VPNFilter Update – VPNFilter exploits endpoints, targets new devices “In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

Zeljka Zorz for Help Net Security: How Mirai spawned the current IoT malware landscape (with particular reference to Satori, JenX, OMG and Wicked.

Gareth Corfield for The Register: UK.gov lobs £25m at self-driving, self-parking, self-selling auto autos – “Not just the vehicle tech but a data marketplace too” What could go wrong? Well, maybe stay away from Westworld and Jurassic Park…

John Leyden for The Register: Crappy IoT on the high seas: Holes punched in hull of maritime security – “Researchers able to nudge ships off course … Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse”

David Harley

Ransomware – should you pay up?

According to Help Net Security, the 2018 Risk:Value Report from NTT Security reveals some disquieting facts about how organizations deal with ransomware:

  • 33% would pay a ransom demand rather than invest in better security.
  • 16% are not sure whether they’d pay up or not.
  • Just over half would be prepared to invest actively in information security.

For the report, NTT “surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.”#

I haven’t downloaded the actual report, as to do so requires registration and I don’t particularly want to be regarded as a potential customer by NTT. And, in fact, while there are evidently lots of other interesting data in the report, I want to focus here on the willingness of so many organizations to accede to the demands of the criminals. Let me refer you to an article by Kevin Townsend from 2016, in which he quoted me at some length (and I discussed those issues at greater length here). Better still, here’s a longer section from the text I originally sent him in response to this question:

“…some figures suggest that 40% of corporate victims pay up. Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?”

[Perhaps it’s a positive that the later report suggests a lower figure of victims that pay up, but there are probably too many variables to rely on that being a definite trend. Anyway, since the question seems to have been put hypothetically, it’s quite possible that respondents would react quite differently if they actually found themselves in the position of ransomware victims, by gritting their teeth and ponying up.]

Anyway, this was my (very slightly edited) response:

 In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the well-being of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In fact, you’re sustaining a protection racket. On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time we can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – to prefer paying up to economic suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark alleyways. However, the attacks will remain economically viable as long as people aren’t prepared or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

I was taken to task by a commenter on one of my ESET blogs for implying that paying the ransom is sometimes acceptable, pointing out that (I’m paraphrasing) failing to ensure that all an organization’s data could be backed up and recovered as necessary is essentially a symptom of management failure. I’m inclined to agree, in general, as I think my quoted text above bears out. Do incompetence and clinging to false economy make it unacceptable to pay a ransom? Well, that’s a more complicated question. After all, the people who are penalized if an organization chooses not to pay ransom and therefore loses its data are by no means always the people whose incompetence and penny-pinching put their data in jeopardy. I’ll come back to that.

He also asserted that apart from the fact that payment perpetuates the problem, some of the money paid in ransom goes to fund organized crime and even terrorism. Well, that’s a very good point. And while I don’t think it’s necessarily up to me to decide what is or isn’t ‘acceptable’ behaviour on the part of a victim of ransomware, I would at least agree that a ransomware victim (individual or organization) should take into account that possibility. I don’t know how much money paid to ransomware gangs actually does go to organized crime or to fund terrorism, but I’m certainly not going to say it doesn’t happen.

But does that mean that paying ransom should in itself be a crime? Well, we don’t usually go after people who pay up in cases of kidnapping, protection rackets, and so forth, even though those payments may subsidize all sorts of undesirable activities, so I’m not convinced. The more so since I can think of several scenarios that might be seen as being in mitigation. To quote myself again (again, lightly edited):

  • An individual is faced with losing decades worth of family photos or other irreplaceable data.
  • A healthcare organization faces an ethical dilemma because the medical records of thousands of clients are at risk: if they pay, criminals benefit, but if they don’t, the health of many is put at risk. It’s easy to say it’s the victims’ own fault in these cases, but it isn’t necessarily the case: data might be backed up but unrecoverable for a variety of reasons – a failed or incompetent 3rd-party provider, or natural disaster, for instance.

There might be an argument for criminalizing ransom payment where a company could access backups but chooses not to because it’s cheaper to pay up, but that’s still penalizing the victim for the actions of the criminal.

David Harley

Tech support scams article for ESET

Update to Tech support scams resource page

Article by me for ESET: Tech support scams and the call of the void

“Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void … says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.”

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery…”

There may be persuasive reasons why providers are reluctant to engage directly with their customers, but the consequences may be grim for both provider and customer.

David Harley

Ransomware/Wiper-related updates

Updates to: Ransomware Resources

Help Net Security: Organisations across the UK are still struggling with ransomware

F-Secure: The Changing State of Ransomware

Updates to Specific Ransomware Families and Types

In response to this useful article by Kaspersky, this page now includes information on wipers, which often resemble or masquerade as ransomware but are essentially just destructive.

Kaspersky Threat Post: 

Secrets of the Wiper: Inside the World’s Most Destructive Malware. “Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer: All of these wiper malwares, and others like them, have a singular purpose of destroying systems and/or data, usually causing great financial and reputational damage to victim companies.”

ESET has previously published quite a lot of material on Black Energy which can be found here. Of course, other articles are available, but I get to see most of the ESET articles before they’re published, so I’m more aware of them.

Added to the WannaCry (WannaCrypt, WannaCryptor etc.) resources page: 

Bleeping Computer: One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever

ESET:

David Harley

Resource updates May 1 2018

Updates to Anti-Social Media 

The Guardian: WhatsApp CEO Jan Koum quits over privacy disagreements with Facebook – “WhatsApp was built with a focus on privacy and a disdain for ads, but the Facebook-owned service is now under pressure to make money”

Selina Wang for Bloomberg: Twitter Sold Data Access to Cambridge Analytica–Linked Researcher. And commentary from Help Net.

ENISA: Strengthening network & information security & protecting against online disinformation (“fake news”) – “In this paper, ENISA presents some views on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective. A number of recommendations are presented which relate both to general NIS measures, as well as targeted measures to protect against online disinformation specifically.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Coin Telegraph: Scammers Hijack Verified Twitter Account To Steal Crypto By Posing As Telegram CEO

Updates to Chain Mail Check

ESET: This test will tell you how likely you are to fall for fraud

David Harley

April 15th resource updates

Updates to Anti-Social Media 

The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for the title, even if it doesn’t actually scan very well. 🙂

Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).

Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”

Updates to Cryptocurrency/Crypto-mining News and Resources

F5: WINDOWS IIS 6.0 CVE-2017-7269 IS TARGETED AGAIN TO MINE ELECTRONEUM – “Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.”

The Register: Tried checking under the sofa? Indian BTC exchange Coinsecure finds itself $3.5m lighter. “Indian Bitcoin exchange Coinsecure has mislaid 438.318 BTC belonging to its customers.”

Help Net Security: 2.5 billion crypto mining attempts detected in enterprise networks – “The volume of cryptomining transactions has been steadily growing since Coinhive came out with its browser-based cryptomining service in September 2017.” This is commentary on an earlier article from Zscaler: Cryptomining is here to stay in the enterprise.

Updates to Meltdown/Spectre – Related Resources

Help Net Security: AMD users running Windows 10 get their Spectre fix – microcode to mitigate Spectre variant 2, and a Microsoft update for Windows 10 users.

Updates to Specific Ransomware Families and Types

[14th April 2018] Bleeping Computer re PUBG (and RensenWare, a blast from the past): PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds, based on research from MalwareHunter. Described as a joke, but apart from the fact that such messing with a victim’s data might conceivably go horribly wrong in some circumstances – it doesn’t appear to be an impeccably well-coded program – and is likely in any case to cause the victim serious concern, it looks to me as though this is criminal activity, involving unauthorized access and modification in most jurisdictions.

Updates to Mac Virus

The Register: Exposed: Lazy Android mobe makers couldn’t care less about security  “Never. Is never a good time to get vulnerability fixes? Never is OK with you? Cool, never it is”

Graham Cluley for Bitdefender: China forces spyware onto Muslim’s Android phones, complete with security holes. Links to Adam Lynn’s report for the Open Technology Fund: App Targeting Uyghur Population Censors Content, Lacks Basic Security

Updates to Anti-Malware Testing

[14th April 2018]

Fairness and ethical testing: Pointer to a blog for ESET by Tony Anscombe: Anti-Malware testing needs standards, and testers need to adopt them “A closer look at Anti-Malware tests and the sometimes unreliable nature of the process.” A good summary, and a useful reminder of the work that AMTSO is doing, but it’s a shame that after all these years we still need to keep making these points.

David Harley

Resource updates: April 5th-7th 2018

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Meltdown/Spectre – Related Resources

Only distantly related, but…

Updates to Specific Ransomware Families and Types

[3rd April 2018] Peter Kálnai and Anton Cherepanov for ESET: Lazarus KillDisks Central American casino – “The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.”

Updates to Mac Virus

 

David Harley