Endpoint Security , Network & Perimeter , Technology

Security Experts See Surge in Malware Using JavaScript to Evade Defenses Mathew J. Schwartz (euroinfosec) • June 20, 2016    

After channeling horror films and holding control of smart TVs for ransom, the latest ransomware innovation du jour involves attackers crypto-locking files using nothing more than JavaScript code (see Malware, Ransomware Thrive Despite Criminal Prosecutions).

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

The JavaScript ransomware, which its developers named RAA, was discovered by two security researchers. One is known as JAMESWT_MHT, who's a member of a group that calls itself the Malware Hunter Team, while the other is benkow. The researchers flagged the malicious code via Twitter, noting that it appears to be "100 percent" written in JavaScript.

Because JavaScript doesn't include any strong cryptographic capabilities, the malware uses the CryptoJS library to forcibly encrypt a number of types of files using AES-256 encryption, then deletes the originals, the researchers tells technology blog BleepingComputer. The malware also searches for all external and network-attached drives to which the PC has access and can encrypt those too, the researchers say.

RAA also includes a version of the Pony malware embedded inside of it, which RAA also installs on an infected PC, according to an analysis of the malware published by ReaQta, a cybersecurity firm that was formed in 2014 by former employees of the Milan, Italy-based nation-state spyware shop Hacking Team.

While Pony can be used to download additional pieces of malware, for the RAA infection, it's also configured to steal passwords. "This malware can collect browser passwords and other user information from an infected machine and is usually used by hackers to gather critical information on infected systems," researchers from security firm Trend Micro say in a blog post. While Pony often uses behavior associated with banking Trojans, such as stealing access credentials for online accounts, at least to date, RAA's version of Pony doesn't appear to have been doing this.

After the ransomware encrypts files and reboots, Pony then gets executed, while end users see a ransom note written in Russian, according to ReaQta (see Please Don't Pay Ransoms, FBI Urges). "The ransomware asks for 0.39 bitcoins [$300] and due to the language of the refund information file, it's clear that the targeted country is Russia," ReaQta says.

Ransom demand issued by RAA, which is 100% built from JavaScript. Ransom note translation (from Russian) source: BleepingComputer.

But as Trend Micro notes: "It's only a matter of time until it's distributed more widely and localized for other languages."

SANS Sounds Warning

The arrival of the JavaScript ransomware comes as the SANS Institute warns that it's seen an overall uptick in exploit kits using JavaScript to infect systems with malware.

"If the JavaScript arrives in an inbound email, and one of your Windows-based users clicks it, it doesn't execute in the browser; it executes inside of the Windows shell," says Rob VandenBrink, who's an Internet Storm Center handler for SANS, as well as a senior consulting engineer at drug and diagnostic discovery company Compugen. To entice users to click on these files, he says many attackers will name files attached to spam messages using double extensions - such as "corporate layoffs.doc.js" - to make the file appear to be an Office document or PDF file.

Spot the malicious JavaScript attachments. (Hint: All.) Source: SANS Institute.

Blocking JavaScript Malware

Security experts say enterprise administrators can apply some relatively easy defenses against malware - including ransomware - that's been written in JavaScript. VandenBrink suggests these three steps:

Block JavaScript attachments: "Out of the gate we should strip out attachments of type .JS in emails at the spam gateway - there's no good reason to be emailing JavaScript files in and out of the organization, in almost all cases," he says. Re-associate JavaScript files: In Windows, associate JavaScript files on all systems with an application that won't execute the file, such as Notepad. This protects against any business partners "who might be whitelisted in the spam filter" or insiders - because "internal mail doesn't typically go through the spam filter" - who might unwittingly receive or transmit malicious JavaScript files. Use Group Policy: IT administrators can also force-block JavaScript from executing in the Windows shell on every PC inside an organization using Windows Group Policy, VandenBrink adds.

While forcibly blocking some types of technology, such as scripts, can have unintended effects, VandenBrink says that in most cases, no user needs to be running JavaScript at the Windows shell level.

Cybersecurity , Data Breach , Risk Management

12 Top Cloud Threats of 2016 Presented by Palerra     60 Minutes     The Cloud Security Alliance (CSA) Top Threats Working Group released a report titled, "The Treacherous 12: Cloud Computing Top Threats in 2016." In this report, the CSA concludes that although cloud services deliver business-supporting technology more efficiently than ever before, they also bring significant risk. Regardless of whether the IT department sanctions new cloud services or not, the door is wide open for the Treacherous 12. The CSA report points out that businesses need to take security policies, processes, and best practices into account. At the same time, Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer's fault. This does not mean that customers lack security expertise. It does mean, however, that it is no longer sufficient to know how to make decisions about risk mitigation in the cloud. Automation is the key. Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB helps automate visibility, compliance, data security, and threat protection for cloud services. In this webinar you will learn about: The CSA Working Group's definition of the top cloud computing threats in 2016; The role of CASBs in protecting you from the Treacherous 12. You might also be interested in … GAO: Sensitive Government Data at Risk of Disclosure

In this edition of the ISMG Security Report, DataBreachToday Executive Editor Mathew J. Schwartz analyzes the new ransomware threat posed by JavaScript.

You'll also hear (click on player beneath image to listen):

A report on what the founders of an investment fund based on the digital currency ethereum are doing after an apparent hack; A discussion by HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee on how enterprises can address the security and privacy threats posed by virtual reality technology; A report by Jeremy Kirk, ISMG managing editor for security and technology, on an FBI warning on a new type of business email compromise scam; and Insights on why a blood test could be a form of user authentication.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Please check out our June 14 and June 17 reports, which respectively analyze Symantec's purchase of Blue Coat and how the Watergate break-in of Democratic Party headquarters might have played out if today's information technology had been available in 1972. The next ISMG Security Report will be posted Friday, June 25.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.

As the PCI Security Standards Council celebrates its 10th anniversary, Troy Leach, the council's chief technology offer, offers his assessment of how its PCI Data Security Standard might evolve in the next 10 years.

The types of security controls the PCI-DSS will need to include 10 years from now will hinge on the amount of static payment data used to conduct transactions, he says in an interview with Information Security Media Group (see audio player below photo).

"If we reflect to 10 years ago, I couldn't have imagined that we would have so many payments being run through phones and watches ..." Leach says. "The ecosystem in which payments operates today is different than it was 10 years ago. What we need to be cognizant of is an ability to create dynamic data that changes how those transactions occur, how they work with security. And so as long as there are static data that we need to protect, the relevancy of DSS, or parts of the DSS, to control and protect that information will remain. The question is: What does a payment account number look like in 10 years?"

Evolution of the Standard

Leach says that if payments continue to evolve, relying more heavily on dynamic rather than static data, then the PCI-DSS will have to evolve as well.

"If it is dynamic information, then we have to focus our attention on how that dynamic information is created, how authentication to that transaction occurs, and other relevant aspects of a payment transaction, rather than the ... amount of controls that are required in the diverse types of technology environments we operate in today," he says.

PCI-DSS was created so organizations could re-evaluate how they were actually using and managing cardholder information, Leach says. "If we reflect back to that time, people were not aware of the risks associated with storing cardholder information or using it for loyalty programs or customer management programs. So much of the DSS effort in the beginning was actually to educate about the removal of unnecessary storage of information that was associated with many breaches at the time."

In a dynamic payments environment, however, concerns about stored payment data go away, Leach says.

During this interview, Leach also discusses:

The PCI Council's accomplishments over the past 10 years; How EMV and the PCI-DSS will complement each other; Hot topics to be addressed during this fall's round of PCI Council community meetings, which kick off Sept. 20 in Las Vegas.

In his role at the PCI Council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee.

In the weeks ahead, ISMG will offer a series of interviews and updates about the global outlook for the evolving role of PCI-DSS.