CryptoWall 4 Is Being Distributed Via a New Campaign

Online ransomware has exploded over the last year or two, and a huge number of consumers have unfortunately fallen victim to this ever-present and growing technique. Now a new campaign is being served to consumers via the PopAds network: pop-under ads that deliver the Magnitude exploit kit.

For those who are unfamiliar with pop-under ads, this is a type of online advertisement that appears behind the main browser window and remains open until the user manually closes it. Consumers who failed to update their version of Flash Player (which we are constantly being told to do) were immediately infected with the CryptoWall ransomware.

The infection campaign began around 1 January 2016, with ads being placed on both NSFW and video streaming sites. Looking at the geographic location of the infections caused by this new technique, Spain is in the lead with 14.3%, followed by the Netherlands, France and Poland, which are level with 11.4% each. The spread of countries according to this data is mostly within Europe, with South Korea as an exception.


Once a user has been infected, they will typically see a CryptoWall ransom page. It is a bit of an insult that the page says “Congratulations, you have become a part of large community Cryptowall”. Users will need to pay a ransom, as is commonly associated with this type of ransomware infection.

These cases highlight the need for a strong and reliable backup system, which will help to mitigate the damage in the event that your hard drive is encrypted. It is also essential to keep your browser, plugins and OS updates current. If you wish to add further defenses, it may be worthwhile to either disable or uninstall Flash Player, as well as to run an up-to-date anti-virus and malware scanner.

These types of infections will become more advanced and more common in 2016, and users need to stay vigilant in order to avoid such attacks.

Image courtesy of ssri

WiFi Devices Used to Treat Infections

Researchers from the School of Engineering at Tufts University have developed an Implantable Medical Device (IMD) – made from silk and magnesium – that can be triggered by WiFi to treat bodily infections. The implant is designed to dissolve once it has fulfilled its purpose.

Fiorenzo Omenetto, Professor of Biomedical Engineering at Tufts University, said, “This is an important step forward for the development of on-demand medical devices that can be turned on remotely to perform a therapeutic function in a patient and then safely disappear after their use, requiring no retrieval.” He added, “These wireless strategies could help manage post-surgical infection, for example, or pave the way for eventual ‘wi-fi’ drug delivery.”

The device was tested on living tissue from mice, treating a Staphylococcus aureus infection. A wireless transmitter administered two 10-minute heat treatments that, upon investigation 24 hours later, were revealed to have killed the bacteria.

Source: Medical Daily

Security Experts Say That USB Security is Fundamentally Broken

The USB stick has become the most common way of sharing and storing files on the go. With this in mind, a variety of malware and viruses were created in an attempt to take control of computers that do not have any security measures installed, such as antivirus software. Another means of ‘cleaning’ a USB drive is to format it, which deletes every file along with any malware or virus that might be present on the drive.

However, two security researchers state that security problems with USB drives run deeper than expected. They state that the “risk isn’t just in what they carry, it’s built into the core of how they work.” This is why security researchers Karsten Nohl and Jakob Lell plan to present proof-of-concept malicious software named BadUSB, which is meant to highlight that USB devices have long been fundamentally broken.

BadUSB can be installed on a USB device to completely take over a PC silently, alter files and even redirect the user’s internet traffic. The malware is said to be installed in the flash drive’s firmware and not in its flash memory, which means that the code can remain hidden long after the flash memory has been erased. The researchers also state that there is no easy fix for the vulnerability. They say that the USB stick needs to be blocked from sharing its content with the system or, plainly said, the USB drive needs to be physically removed to stop the infection.

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

It is said that the vulnerability is not limited to USB drives. All sorts of USB devices, from keyboards to smartphones and even cameras, can have their firmware reprogrammed with the malware in question. The researchers have stated that they used the BadUSB program on an Android device, with a “grab bag of evil tricks” happening as a result. Nohl and Lell say that it replaced software being installed with a corrupted or backdoored version and even impersonated a USB keyboard that suddenly started typing commands.

The researchers say that the infection can travel both from a computer to the USB device and the other way around. Matt Blaze, a computer science professor from the University of Pennsylvania, is also aware of the shallow security veil that USB drives present. He also speculates that the NSA could have made a common practice out of infecting USB devices using this approach.

Matt points to a spying device by the name of ‘Cottonmouth’, which has been revealed in one of Edward Snowden’s leaks. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. However, the exact mechanism for that USB attack wasn’t described.

Thank you Wired for providing us with this information
Image courtesy of Wired

GoZeuS Returns a Month after Authorities Take Measures Against the Malware

Though authorities had taken action against the GoZeuS and CryptoLocker malware, which stole hundreds of thousands of banking logins from users and blackmailed them for millions of pounds, it seems that the malware is back. A month after the campaign, online criminals seem to have tried to rebuild the sophisticated software named GameOver ZeuS, with researchers warning that new threats using much of the same code are aimed at UK users.

Reports say that the ‘original strain’ of the malware targeted by authorities around the world, including the NSA and the FBI, has been in a decline since the campaign started. However, it appears that criminals are now re-establishing the GameOver botnets by taking the original code and reworking it to avoid detection, much like a biological virus modifies its genetic code in order to survive medicine administered against it.

A security company by the name of Malcovery has stated that the new trojan based on the GameOver Zeus binary is spreading through spam emails that claim to be from the NatWest bank and come with an attached ‘statement’. Anyone who opens the ‘statement’ is said to risk infection, since traditional anti-virus software cannot detect the malicious software. Also, the CEO of Heimdal Security, Morten Kjærsgaard, states that the heads of the original GoZeuS will try to use lesser-known strains in order to avoid detection by law enforcement agencies.

“Until we start to see a more clear movement pattern of these new Zeus variants, which are starting to surface, we can’t say anything definitive about their extent,” said Kjærsgaard. “There is no doubt though, that many small malware variants could pose the same financial problem for end users as one big nasty piece of malware,” he added.

While the GameOver Zeus botnet earned more than $100 million for its creators, more infections are likely to take place given the new strains. In June however, US authorities are said to have named Evgeniy Bogachev, a Russian national, as the main suspect behind the original malware.

Thank you The Guardian for providing us with this information
Image courtesy of The Guardian

More Than One Thousand Power Plants Found Compromised by Unknown Cyberattack

With secret service cyber conspiracies and cyberattacks being the major topics nowadays, the latest news points to another cyberattack, this one aimed at more than one thousand power plants worldwide.

Symantec, a company specialising in software security, has apparently uncovered a malware campaign started by a group called Dragonfly, allowing remote access to computer systems from various power plants. Symantec stated that the group has used the malware only to spy on its victims, though serious damage could have been done as well.

A total of 1,018 organisations across 84 countries are stated to have been infected, spanning from grid operations to gas pipelines. It was later discovered that Dragonfly’s base servers were located in Eastern Europe, leading to the conclusion that the group is of Russian origin. They reportedly used techniques spanning from garden pushing attacks to campaigns targeting component manufacturers, allowing infections to take hold in any downstream system.

The comparison made against the infected systems led to the conclusion that the sophisticated Stuxnet virus has been used, something which the US previously used to damage nuclear power plants in Iran back in 2010. Up to this point, the real purpose of this major cyberattack is unclear.

Thank you The Verge for providing us with this information
Image courtesy of Picture-Newsletter

Hackers Use ‘The Cloud’ to Control Malware and Botnets

Security firm Trend Micro has apparently revealed new evidence of botnets and malware not only being hosted in the cloud, but also being remotely controlled from cloud servers. The main goal for hackers has been revealed to be disguising their malicious software as regular traffic between corporate end points and cloud services.

Trend Micro has revealed in a blog post a case where hackers were using DropBox in order to host the command and control instructions for malware and botnets, which eventually made it past corporate firewalls. While the news is not new, the cloud has apparently increased in popularity as well as security risk. In the past, small files needed to be controlled by a command and control (C&C) system, which was usually hosted by hackers or placed on servers easily identified as suspicious.

With cloud-based systems, however, hackers can now place the C&C on cloud servers and communicate with the botnets and malware like ‘normal traffic’, making it harder to identify. The company has emphasized that any cloud-based solution can eventually be used as a host for C&C software. Companies that do not use any type of cloud-based solution but see traffic spikes from one have a warning sign and are encouraged to investigate the activity.

However, this does not mean that every company using cloud-based solutions is now infected. Trend Micro has just shed some light on how hackers are able to, and could try to, infect corporate systems using the technique described above. A good counter-technique for security specialists who want to prevent such hacking practices is to closely monitor all traffic between end-point users and cloud-based solutions, marking anomalies and suspicious activities as threats until otherwise proven to be ‘safe’.
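The monitoring advice above can be sketched as detection logic over proxy logs. This is an added example, not code from Trend Micro or the article: the log format, the sanctioned-service list, every `.example` hostname and the jitter threshold are assumptions, and the periodic-polling check goes one step beyond the text as one concrete kind of "anomaly".

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: cloud services the organisation has approved (empty set = none in use).
SANCTIONED = {"team.cloud-storage.example"}
# Cloud services to watch; DropBox is the one named in the article, the other is illustrative.
CLOUD_SUFFIXES = ("dropbox.com", "cloud-storage.example")

# Constructed proxy log, one request per line: epoch_seconds client_ip destination_host
SAMPLE_LOG = """\
1000 10.0.0.5 www.dropbox.com
1200 10.0.0.9 www.dropbox.com
1300 10.0.0.5 www.dropbox.com
1450 10.0.0.7 team.cloud-storage.example
1601 10.0.0.5 www.dropbox.com
1899 10.0.0.5 www.dropbox.com
2200 10.0.0.5 www.dropbox.com
5000 10.0.0.9 www.dropbox.com
5100 10.0.0.7 intranet.example
"""

def is_cloud(host):
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)

def analyse(log_text, sanctioned=SANCTIONED, min_hits=4, max_jitter=0.1):
    """Map (client, host) to a finding for every unsanctioned cloud destination."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, host = parts
        if is_cloud(host) and host not in sanctioned:
            stamps[(client, host)].append(int(ts))
    findings = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Near-constant gaps between requests suggest automated polling, not a person.
        periodic = (len(times) >= min_hits and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings[key] = "periodic-polling" if periodic else "unsanctioned-cloud"
    return findings

if __name__ == "__main__":
    for (client, host), verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(client, host, verdict)
```

With an empty `sanctioned` set, the same function models the company that uses no cloud service at all, where any hit is worth investigating.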

Thank you Network World for providing us with this information
Image courtesy of LifeHacker

Hide Your Windows, Mac And Linux Devices, ‘Cause Java-based Malware Is Coming!

We have seen similar incidents in the past, be it ad-related, such as the Yahoo! incident, or directly involving the Java platform. It has been reported that a Java-based malware bot is currently ‘roaming’ around, infecting all three major operating systems: Windows, Mac OS X and Linux.

Researchers have revealed a piece of botnet malware that is capable of infecting all of the aforementioned OSes. The cross-platform malware, detected as HEUR:Backdoor.Java.Agent.a, was reported in a blog post published by Kaspersky Lab. It reportedly takes control of computers by exploiting CVE-2013-2465, a critical Java vulnerability which Oracle patched last June.

The Java vulnerability is said to be present on Java 7 Update 21 and earlier versions. Once the malware has infected the computer, it copies itself to the autostart directory of its respective platform to ensure it runs at every startup. Compromised computers then report to an Internet relay chat channel that acts as a command and control server.

It is reportedly designed to generate Distributed Denial-of-Service (DDoS) attacks against whatever the attacker designates as a ‘target’, and it comes packed with ‘features’ such as setting the IP address, port number, intensity, and duration of attacks. The malware is said to be written entirely in Java, allowing it to run on Windows, OS X and Linux machines. To make matters even worse, the bot incorporates PircBot, an IRC programming interface based on Java.

In addition to all that, the malware is also said to use the Zelix Klassmaster obfuscator to prevent it from being reverse engineered by whitehat and competing blackhat hackers. Apart from obfuscating bytecode, Zelix encrypts some of the inner workings of the malware. It is strongly recommended to update to the latest Java 7 Update 51, available from Oracle’s official website.
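To act on the version guidance above, an inventory of `java -version` banners can be triaged against the two releases the article names. This is an added example, not from Kaspersky Lab or Oracle: the hostnames and banners are constructed, and treating every release older than Java 7 Update 21 as affected is this example's reading of "and earlier versions".

```python
import re

VULNERABLE_MAX = (7, 21)   # article: flaw present in "Java 7 Update 21 and earlier versions"
RECOMMENDED_MIN = (7, 51)  # article: update to Java 7 Update 51

_BANNER = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.\d+)*(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = _BANNER.search(banner)
    if not m:
        return None
    first, second, update = m.groups()
    if first == "1":
        # Legacy scheme: "1.7.0_21" means Java 7 Update 21; "1.7.0" means Update 0.
        return (int(second or 0), int(update or 0))
    # Newer scheme (e.g. "11.0.2"): the first number is the major release.
    return (int(first), 0)

def classify(banner):
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    if version <= VULNERABLE_MAX:
        return "vulnerable"          # at or below Java 7 Update 21
    if version < RECOMMENDED_MIN:
        return "below-recommended"   # past 7u21 but older than the advised 7u51
    return "ok"

# Constructed inventory: hostname -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_21"',
    "ws-02": 'java version "1.6.0_45"',
    "ws-03": 'java version "1.7.0_45"',
    "ws-04": 'java version "1.7.0_51"',
    "ws-05": 'java version "1.7.0"',
    "srv-01": 'openjdk version "11.0.2" 2019-01-15',
    "srv-02": "java: command not found",
}

def triage(inventory):
    return {host: classify(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, verdict)
```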

Thank you arstechnica for providing us with this information
Image courtesy of arstechnica