A sophisticated piece of spyware has recently been discovered by researchers at Symantec and Kaspersky Lab. The spyware, called Remsec, has been active since at least October 2011. Remsec uses stealth techniques and encryption to avoid detection, and it has clearly done so very well. Once deployed, Remsec opens a backdoor into the infected system, monitors network traffic, logs keystrokes, and can steal files. It also allows custom modules to be deployed onto the infected system.
Researchers have suggested that Remsec may be the work of a nation state, given its sophistication, and have found IP addresses within the U.S. that may be connected to it. The targets discovered so far are in countries including China, Russia and Iran. According to researchers at Symantec, none of the currently known infections appear to be typical targets for an APT of this kind, which raises many questions about who is behind it and what their goal is.
Boston, MA – At this year’s Boston Cyber Security Summit, one FBI agent offered some surprising advice on dealing with ransomware. “To be honest, we often advise people just to pay the ransom”, said Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the Boston office. “The ransomware is that good”, he said. Ransomware encrypts a victim’s files and withholds the key needed to decrypt them until a ransom is paid, typically between $200 and $10,000. Strains such as CryptoLocker and CryptoWall use encryption that is so difficult to break that paying the ransom is often cheaper than hiring a professional to come and attempt a recovery.
The FBI has stated that regularly backing up your systems would render this sort of criminal threat ineffective. Between April 2014 and June 2015, the FBI’s Internet Crime Complaint Center reported receiving almost 1,000 CryptoWall complaints, with the victims losing more than $18 million in total. According to the Cyber Threat Alliance, the criminals behind CryptoWall have earned about $325 million.
To deal with the sharp increase in ransomware, the FBI gives businesses three options: restore from backups, contact a security professional, or pay. Many businesses have turned to the FBI for advice and help in defeating the malware and getting their data back, but even the FBI admits that ransomware is “pretty good”, meaning it cannot always help because of the strength of the encryption. “Law enforcement traditionally has struggled to chase down cybercriminals who use ransomware”, says Marco Balduzzi, who researches the dark Web. He notes that the attackers are usually paid in bitcoin, which is difficult to trace, and that they then convert the bitcoin into other virtual currencies, making it nearly impossible to track the money back to the criminals.
That the FBI’s best advice for dealing with ransomware is simply to pay the ransom is surprising, and it shows that attackers have established a new and effective method of extracting the money they want, at a time when public awareness of these attacks has declined, precisely when people should be most alert to cyber threats.
According to a recent survey, healthcare is the latest favourite target of the hacking community. There is a shortage of security professionals in the healthcare business, and while many respondents working in technology roles are worried about patient records and other data, those outside technology roles, although worried, do not believe their organisations have been hit.
The tech respondents have a right to be worried. Recently, it’s come to light that Healthcare experiences 340% more security attacks and incidents than any other sector, and advanced malware is suspected in 1 of every 600 attacks, making Healthcare four times more likely to be hit by advanced malware than any other sector.
There are many ways for attackers to get in. With the digitisation of patient records, and the addition of wearable and mobile technology such as smart watches and smartphones, attackers are finding many new avenues into these systems. While security for wearable technology is a separate issue, Jonathan Collins, a principal analyst at ABI Research, says that such devices can pave the way for easier access to healthcare records.
Today Apple suffered what is quickly becoming known as its largest account theft caused by malware. Palo Alto Networks and WeipTech came across a server holding over 225,000 valid Apple account usernames and passwords that had been stolen by a new iOS malware family named KeyRaider.
The malware only affects jailbroken iOS devices and has struck users in 18 countries. According to Claud Xiao, “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”
KeyRaider also steals Apple push notification service certificates and private keys, and it steals and shares App Store purchasing information. The stolen credentials are then used by iOS jailbreak tweaks that let their users make App Store purchases for free, charged to the victims’ accounts.
KeyRaider has also been used to lock devices and hold them for ransom: it disables unlocking operations locally and displays a ransom demand without going through Apple’s push servers.
According to Jonathan Sander (VP at Lieberman Software) and Tim Erlin (Director of IT Security and Risk Strategy at Tripwire), jailbreaking your iPhone paints a target on your back, and in this case that target was taken advantage of.
Once again a popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally a phishing attack brings to mind a careless individual who clicked a link in an email and compromised the system, or handed important information to a fake account and cost the business millions of dollars. This time the blame is not so easily pinned on particular individuals.
For anyone who has not heard of careerbuilder.com, it is a popular job search website. Companies post job advertisements for open positions, and job seekers browse the postings by area or category and apply, usually directly on the site by uploading a résumé as a Word document. Whenever a job seeker uploads a résumé to a posting, CareerBuilder notifies the employer of the uploaded document. The attackers behind this campaign simply title their malicious documents things like “resume.doc” or “cv.doc”, and employers open them as if they were just another application.
On the surface the downloaded attachment looks like an ordinary résumé, but the file exploits a memory corruption vulnerability in Word’s RTF handling. The compromised machine then downloads a payload, which fetches a .zip file containing an image file that in turn drops the Sheldor backdoor. An image file is used because anti-virus programs tend to look past image files, treating them as nothing more than pictures. This is a dangerous piece of malware working its way into organisations that are seeking new employees. Although this method demands far more effort from the attackers, who have to find job postings and manually apply to each one with their documents, the payoff is that the majority of attempts are likely to succeed: a résumé arriving through a trusted job site is far more convincing than the typical phishing email sent from a throwaway account, which is much less likely to work.
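The practical lesson from this campaign is that an employer cannot trust an uploaded résumé just because a legitimate job site forwarded it. The script below is an added example, not code from CareerBuilder, Proofpoint or the attackers: it triages an upload before it reaches an inbox by checking that the file’s leading bytes match the extension it claims (the campaign’s files were named .doc), and, when the content is really RTF, by flagging the control words that embed or auto-update OLE objects (the usual vehicle for RTF exploits and droppers) along with oversized \objdata payloads. The sample documents are constructed inline, and the control-word list, the 1024-character threshold and the allow/review/block verdict names are this example’s own assumptions.

```python
"""Triage uploaded résumés: sniff the real format and look for RTF object embedding.

Added example (not the site's or Proofpoint's code). The sample documents below
are constructed; the control-word list and size threshold are assumptions.
"""
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # .docx is a ZIP container
EXPECTED_FORMAT = {"doc": "ole2", "docx": "zip", "rtf": "rtf"}

# RTF control words that embed or auto-update an OLE object, or trigger DDE.
# Word acts on them when the document opens, which is why RTF exploits carry one.
OBJECT_WORD_RE = re.compile(rb"\\(objdata|objupdate|objautlink|ddeauto)(?![A-Za-z])")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
MAX_OBJDATA_HEX = 1024   # assumption: a résumé has no business embedding more than this


def sniff_format(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever extension the upload claims."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip()[:5].lower() == b"{\\rtf":
        return "rtf"
    return "unknown"


def triage_upload(filename: str, data: bytes) -> dict:
    """Return the sniffed format, a list of findings and a verdict: allow / review / block."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    findings, high_risk = [], False

    # A file called resume.doc that is really RTF still opens in Word, so the
    # extension tells the employer nothing; record the mismatch for review.
    if ext in EXPECTED_FORMAT and fmt != EXPECTED_FORMAT[ext]:
        findings.append(f"extension .{ext} but content sniffed as {fmt}")

    if fmt == "rtf":
        words = {m.group(1).decode() for m in OBJECT_WORD_RE.finditer(data)}
        for word in sorted(words):
            findings.append(f"RTF control word \\{word} embeds/links an object")
            high_risk = True
        for m in OBJDATA_RE.finditer(data):
            blob = re.sub(rb"\s", b"", m.group(1))   # hex payload without whitespace
            if len(blob) > MAX_OBJDATA_HEX:
                findings.append(f"oversized \\objdata payload ({len(blob)} hex chars)")
                high_risk = True

    verdict = "block" if high_risk else ("review" if findings else "allow")
    return {"format": fmt, "findings": findings, "verdict": verdict}


# Constructed samples (not real campaign files).
BENIGN_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
              b"\\f0\\fs24 Jane Doe\\par Five years of experience\\par}")
MALICIOUS_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Package}"
                 b"{\\*\\objdata 01050000020000000b0000005061636b61676500"
                 + b"90" * 2000 + b"}}}")
OLE2_DOC = OLE2_MAGIC + b"\x00" * 56     # header only; enough for the magic check

if __name__ == "__main__":
    for name, blob in [("cv.doc", BENIGN_RTF), ("resume.doc", MALICIOUS_RTF),
                       ("resume.doc", OLE2_DOC)]:
        print(name, triage_upload(name, blob))
```

This is a gate for routing suspicious applications to a sandbox or an analyst, not a replacement for detonation: RTF can be obfuscated (control words split, cased or padded) to slip past plain pattern matching, and a genuine OLE2 .doc with an embedded object is not inspected here at all, so in practice the "review" and "ole2" paths should hand off to a proper parser such as oletools before the file reaches an employer.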
Researchers at Proofpoint uncovered the details behind these attacks, stating that the malicious documents were built with Microsoft Word Intruder (MWI), a document exploit kit that FireEye publicly described in April of this year. The kit is sold on underground forums, generates documents weaponised with known CVEs, and costs around $2,000 to $3,500. Proofpoint also says that CareerBuilder took swift action against the attacks, but did not state exactly what. The bigger issue is that attacks like this will always be a risk on job search sites and any similar website that accepts file attachments, because they hand attackers a trusted channel for delivering malware.