Analyzing the impact of a breach of computers at the U.S. Securities and Exchange Commission leads the latest edition of the ISMG Security Report.
Also in the report, we explore alternative plans to implement cybersecurity regulations on credit reporting bureaus in the wake of the Equifax breach.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our Sept. 15 and Sept. 19 editions, which respectively analyze the struggles Equifax will face in the wake of the hack and whether chief information security officers should have academic degrees in IT or IT security.
The next ISMG Security Report will be posted on Tuesday, Sept. 26.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Google this week released an updated version of Chrome 61 to address two High severity vulnerabilities.
Available for download as version 61.0.3163.100, the new Chrome iteration was pushed to all Windows, Mac, and Linux users, and should reach all in the next several days/weeks.
The updated browser includes fixes for three security issues, two of which were discovered by external researchers. Two of the three security flaws were assessed with a High risk severity rating.
The first is an out-of-bounds access in V8. Tracked as CVE-2017-5121, the flaw was discovered by Jordan Rabet of Microsoft Offensive Security Research and the Microsoft ChakraCore team on 2017-09-14, and was awarded a $7,500 bounty reward, Krishna Govind of Google Chrome notes in a blog post.
Tracked as CVE-2017-5122, the second High risk flaw Google has addressed with the latest Chrome release is also an out-of-bounds access in V8. Reported by Choongwoo Han of Naver Corporation on 2017-08-04, the vulnerability was awarded a $3,000 bounty.
To date, Google has addressed 25 vulnerabilities with various Chrome 61 releases, including 12 issues reported by external researchers. Eight of these security bugs were assessed High severity.
These include vulnerabilities such as use after free in PDFium, heap buffer overflow bugs in WebGL and Skia, a memory lifecycle issue in PDFium, and type confusion flaws in V8, in addition to the aforementioned out-of-bounds access issues in V8.
Issues of lower severity included a couple of use-of-uninitialized-value bugs in Skia, a bypass of Content Security Policy in Blink, and a potential HTTPS downgrade during redirect navigation.
Google paid over $30,000 in bug bounty rewards to the external security researchers who reported these issues. The highest reward was $7,500, but three researchers received $5,000 each for their submissions.
A database that allowed hackers to monitor systems infected through a maliciously modified CCleaner installer was erased on September 12, Avast has discovered.
The MariaDB (a fork of MySQL) database had been created on August 11, in preparation for the release of the backdoored CCleaner installer, but it ran out of space. Coupled with the corruption of the database, the lack of space on the server led the attackers to erase it entirely, the security researchers have discovered.
The attack on the popular Windows maintenance tool started in early July, before Avast purchased Piriform, the maker of CCleaner. Hackers managed to infiltrate the company’s systems and modify the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases to add backdoor code to them.
The code was designed to collect user information and send it to an attacker-controlled server, which was taken down on Sept. 15. The incident resulted in 2.27 million users downloading the infected CCleaner variants between Aug. 15 and Sept. 12, when the compromise was discovered.
The attack proved to be sophisticated and highly targeted rather than just a supply chain incident. The attackers had the ability to control which machines would be served a heavily obfuscated Stage 2 payload that packs various anti-debugging and anti-emulation capabilities.
The security researchers investigating the incident have discovered on the command and control (C&C) server a database containing information on the number of infected machines. It revealed that 700,000 machines reported to the C&C server between Sept. 12 and Sept. 16, and that the secondary payload had been delivered to at least 20 of them, affecting 8 organizations worldwide.
Avast now says that a database containing information on the machines that reported to the C&C before Sept. 12 was erased because it was stored on a low-end server that ran out of space. The attackers apparently attempted to fix the issue on Sept. 10, but decided to completely erase the database two days later, after discovering it was corrupted.
“It is unfortunate that the server was a low-end machine with limited disk capacity, because if it weren’t for this (just 5 days before we took the server down), we would likely have a much clearer picture of exactly who was affected by the attack as the entire database would have been intact from the initial launch date,” Avast notes.
The security researchers also discovered that a Stage 3 payload might have been involved in the incident as well. The second-stage payload was designed to contact another C&C server, send some information on the infected machine, and retrieve and execute additional code from the server.
The Stage 2 payload uses the GeeSetup_x86.dll installer, which can fetch different malware depending on the infected system’s architecture. The embedded malware is saved into the registry, and elaborate tactics are used to extract the registry loader routine and run it, the researchers say.
On x64 systems, the attackers modified the C runtime (CRT) by adding a few instructions to the function __security_init_cookie, responsible for securing the code from buffer overflows. They added instructions to have the _pRawDllMain function pointer link to the special function that extracts a hidden registry payload loader.
The researchers also discovered that a kill switch was included in the second-stage payload, but that it is only evaluated after infection. Specifically, when executed, the payload checks for the presence of a file %TEMP%spf and terminates execution if the file exists.
The payload was also designed to retrieve the C&C IP address through one of three approaches: a GitHub page, a WordPress-hosted page, or by reading DNS records for an unnamed domain. During its investigation, Avast discovered that the GitHub and WordPress pages no longer exist, and that the unnamed domain doesn’t have an IP address registered to it. Thus, communication with the second C&C wasn’t possible and a Stage 3 payload couldn’t be delivered.
Ransomware has become prevalent because it is an easy way for criminals to make a quick buck, and because in many ways defenders have forgotten the basics of cybersecurity. The efficiency of ransomware as an illicit means of making money is supported by the emergence of ransomware-as-a-service (RaaS) and of Bitcoin as a secure method of ransom collection. These are conclusions drawn from an analysis of more than 1,000 ransomware samples categorized into 150 families.
"Attackers are looking to make quick, easy money with unsophisticated malware combined with sophisticated delivery methods," say Carbon Black's researchers Brian Baskin and Param Singh in a blog post on Thursday. "The majority of today's ransomware aims to target the largest vulnerable population possible." As a result, ransomware campaigns are often delivered by large scale phishing/spam campaigns. "These 'spray and pray' attacks often rely on spamming and phishing campaigns to guarantee a small percentage of infections to extort money. Similar to many spam campaigns, ransomware has been sent en masse to thousands of email addresses at a single organization, requiring just one person to execute the payload for a successful attack."
Separately, Datto's State of the Channel Ransomware Report (PDF), also published Thursday, claims that an estimated $301 million was paid in ransoms from 2016-2017. Datto analyzed data from 1,700+ Managed Service Providers (MSPs) serving 100,000+ small-to-mid-sized businesses (SMBs) around the globe. Despite the success of ransomware, Datto notes, "With a reliable backup and recovery solution (BDR) in place, 96% of MSPs report clients fully recover from ransomware attacks."
Webroot's September Threat Trends Report suggests that "some 93% of all phishing emails now lead to ransomware". Merging these two statistics suggests that a combination of effective spam/phishing prevention and good BDR would go a long way to combating the ransomware epidemic. Clearly, this is not yet happening.
Carbon Black's research suggests that businesses have taken the decision to concentrate on recovery rather than prevention. "These businesses implemented policies to quickly re-image the machine with its most recent backup and move on." However, it adds, "WannaCry and NotPetya have changed that equation by including worm functionality to spread across networks... Businesses that had accepted the risk of handling few ransomware incidents now risked losing complete networks."
While improved phishing/spam detection could prevent a high proportion of current ransomware from getting through to the target, it is unlikely ever to be 100% effective. The next line of defense would be anti-virus software. However, malware in general, ransomware included, is moving towards fileless delivery, employing scripts embedded in attachments to effect the infection. In such circumstances, there is no file for traditional anti-virus to detect.
An example of a large scale fileless ransomware campaign was described by Trustwave's SpiderLabs at the end of August 2017. Dr. Fahim Abbasi and Nicholas Ramos describe a campaign that involved millions of spam messages with obfuscated JavaScript in the attachment. If the JavaScript ran, it caused either Cerber or FakeGlobe ransomware to be downloaded and executed.
"File-based solutions that focus on static indicators of files such as file names, unique strings, and hashes, are missing ransomware attacks as they don't have visibility into the 'DNA' of an attack," warns Carbon Black. "Without tracking malicious behavior and intent, such defensive methods could be unable to accurately predict future attacks involving volatile code leveraging such tools as JavaScript, PowerShell, Visual Basic, and Active Server Pages (ASP)."
Although ransomware uses the latest fileless techniques to beat defenses, the malware itself is often very simple. The Carbon Black researchers do not expect this to continue.
While most ransomware attacks Windows, they suggest that Linux will increasingly be targeted so that larger organizations can be extorted. "For example," they say, "attackers will increasingly look to conduct SQL injections to infect servers and charge a higher ransom price. We have already observed attacks hitting MongoDB earlier this year which provide an excellent foreshadowing." This will be in tandem with more focused targeting, both in sectors attacked and content encrypted. "A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders."
Currently, most ransomware simply encrypts files. In the future, Baskin and Singh expect more of the malware to exfiltrate data prior to encrypting and ransoming files. They also believe that ransomware will increasingly be used as a smokescreen, just as DDoS attacks are already used to complicate response to financial fraud. In such circumstances, following large scale data exfiltration, "adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated."
More worryingly, the researchers also expect ransomware to become a false flag disguising a nation-state cyber weapon, "as seen with NotPetya. Solely from dynamic analysis it was perceived to be Petya, when more detailed analysis showed it wasn't. Such quick analysis also insinuated it to be obvious ransomware, but a greater depth of disassembly showed that data was not held at ransom; it was simply destroyed." Ransomware without decryption is nothing short of a wiper.
The simple message from Carbon Black is that despite the current success of ransomware, it is largely in the hands of relatively unskilled criminals. This won't continue. Ransomware will increasingly be adopted by sophisticated groups who will use it in a targeted manner, often to augment or disguise other purposes – or simply as an obfuscated nation-state cyber weapon. While the problem of ransomware is severe today, it will likely get much worse over the next few years.
Locky ransomware, the infamous threat that dominated malware charts in 2016, is being aggressively distributed in a series of spam runs that have been ongoing for several weeks, security researchers warn.
First observed in early 2016 and mainly associated with spam campaigns fueled by the Necurs botnet, Locky was relatively silent in early 2017, but reemerged in new campaigns in April and June, and began ramping up activity in early August.
In late August, Locky started appearing in numerous campaigns, and is currently featured in attacks that ramp up to tens of millions of spam messages per day, targeting users all around the world. According to Trend Micro, the runs affect users in over 70 countries.
In most of the newly observed attacks, Locky has been distributed alongside another ransomware family called FakeGlobe, also known as Globe Imposter, Trend Micro says. The spam messages, which feature either malicious links or macro-enabled documents, direct users to Locky for one hour, and then switch to FakeGlobe the next.
“This is not the first time we’ve seen download URLs serving different malware in rotation. However, typically the malware were different types, pairing information stealers and banking Trojans with ransomware. Now we see that cybercriminals are simply doubling up on ransomware, which is quite dangerous for users,” Trend Micro points out.
While Trend Micro says it was able to block nearly 600,000 emails carrying Locky, Barracuda researchers this week saw over 27 million such emails during a single 24-hour period.
Most of the emails were sent from Vietnam, but India, Colombia, Turkey and Greece also accounted for large numbers of messages (overall, spam originated from a total of 185 different countries). Most of the affected users were located in the US, Japan, Germany, and China.
Panda Security has also observed the massive distribution campaigns and confirms that the runs started to grow in volume on Tuesday. At the moment, the researchers say, the attackers send around 1 million phishing messages every hour.
Most of the messages are disguised as fake Amazon Marketplace and Herbalife invoices, but phony printer orders have also been observed. The emails contain an archive as an attachment. While in some cases .zip files are used, other emails feature .7z (7-zip) attachments.
While some of the ransomware samples observed recently used the .lukitus variant of Locky, more recent samples append the .ykcol extension to the encrypted files. The malware also drops ransom notes named ykcol.htm and ykcol.bmp, demanding a 0.25 Bitcoin (around $1,000) ransom.
As Fortinet points out, the recently used .ykcol extension is actually the original .locky extension spelled backwards. The researchers also noticed that the second wave of spam carried email subject “Message from km_c224e,” which was previously used in campaigns delivering Dridex and Jaff ransomware.
“Despite a few minor alterations, Locky is still the same dangerous ransom malware from a year ago. It has the capabilities and distribution network necessary to cause significant damage to any system unfortunate enough to be hit by it. Over the past few months, we have seen it distributing massive spam campaigns and we don’t see it slowing down any time soon,” Fortinet notes.
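As an added example (not from the article or from any of the vendors it quotes), the script below turns the indicators named above into a simple triage check: it scans a file-share listing for the .ykcol/.lukitus extensions and the ykcol.htm/ykcol.bmp ransom notes, and flags mail-log lines that carry the "Message from km_c224e" subject or an archive attached to an invoice-style lure. The listing and the mail-log format are constructed assumptions, not data from the campaigns.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the article above (not a complete Locky signature):
# extensions appended to encrypted files, ransom-note file names, the subject
# line Fortinet tied to earlier Dridex/Jaff runs, and the attachment types and
# invoice-style lures described by Panda Security.
LOCKY_EXTENSIONS = {".lukitus", ".ykcol"}
RANSOM_NOTES = {"ykcol.htm", "ykcol.bmp"}
KNOWN_SUBJECT = "Message from km_c224e"
ARCHIVE_EXTENSIONS = {".zip", ".7z"}
INVOICE_LURES = ("invoice", "amazon marketplace", "herbalife", "printer")

# Constructed sample data for the demo (assumed file-share listing and mail-log
# format; neither comes from the article).
SAMPLE_LISTING = [
    r"\\fileserver\finance\2017\budget.xlsx.ykcol",
    r"\\fileserver\finance\2017\ykcol.htm",
    r"\\fileserver\finance\2017\ykcol.bmp",
    r"\\fileserver\hr\policy.docx",
    r"\\fileserver\hr\photo.jpg.lukitus",
]
SAMPLE_MAIL_LOG = [
    'ts=2017-09-19T10:01:02Z subject="Message from km_c224e" attachment="S_20170919.7z"',
    'ts=2017-09-19T10:02:44Z subject="Your Amazon Marketplace invoice" attachment="invoice_881.zip"',
    'ts=2017-09-19T10:05:10Z subject="Q3 planning" attachment="agenda.pdf"',
    'ts=2017-09-19T10:06:31Z subject="Lunch?" attachment=""',
]

def scan_listing(paths):
    """Split a listing into files carrying a Locky extension and dropped ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower() in RANSOM_NOTES:
            notes.append(p)
        elif PureWindowsPath(name).suffix.lower() in LOCKY_EXTENSIONS:
            encrypted.append(p)
    return encrypted, notes

_MAIL_RE = re.compile(r'subject="(?P<subject>[^"]*)"\s+attachment="(?P<attachment>[^"]*)"')

def flag_mail(log_lines):
    """Return (subject, attachment, reasons) for lines matching the campaign pattern.

    The known subject is flagged on its own; an archive attachment is only
    flagged together with an invoice-style lure, since archives alone are
    too common to act on."""
    hits = []
    for line in log_lines:
        m = _MAIL_RE.search(line)
        if not m:
            continue
        subject, attachment = m.group("subject"), m.group("attachment")
        reasons = []
        if subject.strip() == KNOWN_SUBJECT:
            reasons.append("subject previously used in Dridex/Jaff/Locky runs")
        is_archive = PureWindowsPath(attachment).suffix.lower() in ARCHIVE_EXTENSIONS
        if is_archive and any(k in subject.lower() for k in INVOICE_LURES):
            reasons.append("archive attached to invoice-style lure")
        if reasons:
            hits.append((subject, attachment, reasons))
    return hits

if __name__ == "__main__":
    enc, notes = scan_listing(SAMPLE_LISTING)
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
    for subject, attachment, reasons in flag_mail(SAMPLE_MAIL_LOG):
        print(f"FLAG {attachment!r} ({subject!r}): {', '.join(reasons)}")
```

A hit on the ransom-note names is the stronger signal for an already-running infection; the mail check is only a coarse pre-filter for the spam runs described above.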
Access control company SecureAuth announced this week that it will merge with Core Security, a firm focused on vulnerability discovery, identity governance, and threat management.
Through the merger, the two are aiming to bring together security operations and identity and access management (IAM).
SecureAuth and Core Security aim to become an independent security vendor that will bring together network, endpoint, vulnerability, and identity security.
Jeff Kukowski, currently the Chief Executive Officer at SecureAuth, will serve as CEO of the combined company. The merger is pending regulatory approval from the U.S. federal government.
“The security industry must deliver an integrated and relevant approach to our customers. Despite the incredible amount of money spent on security technology, front-line security professionals in the most sophisticated Security Operations Centers (SOC) are challenged in managing and visualizing the full attack surface. Including identity information into the threat landscape alongside traditional network, endpoint, and vulnerability information substantially reduces threat discovery and response time,” Kukowski said.
“We can now deliver an entirely new approach to integrating security operations and deploying advanced machine learning to achieve real automation in the SOC,” Kukowski added.
Backed by K1 Investment Management and Toba Capital, the merged company also announced raising over $200 million.
Responding to a SecurityWeek inquiry for additional details on the funding, Jeff Nolan, CMO of SecureAuth, revealed in an emailed statement that SecureAuth was in fact acquired by K1.
“K1 Investment Management acquired SecureAuth for $225 million, existing investor Toba Capital rolled a portion of their proceeds forward and K1 allocating additional capital for the company. The merger with Core Security, pending regulatory approval, occurred after the acquisition of SecureAuth,” Nolan revealed.
The newly merged company says it will serve 1,500 customers across all industry verticals and monitor over 750 million devices daily. It has 360 employees, over 75 patents issued and pending, and a network of global locations.
In July 2016, Atlanta-based Damballa was bought for what amounts to a pittance by neighboring Roswell-based Core Security.
NVIDIA has started releasing patches for several denial-of-service (DoS) and privilege escalation vulnerabilities affecting its GeForce, NVS, Quadro and Tesla graphics card drivers.
A security advisory published by the company on Thursday reveals the existence of four high severity flaws in the kernel mode layer handler (nvlddmkm.sys) for the DxgkDdiEscape function.
This interface was analyzed earlier this year by Google Project Zero researchers as part of their attempts to attack the NVIDIA kernel mode drivers on Windows. The experts, who found a total of 16 security holes, described DxgkDdiEscape as a “well known entry point for potential vulnerabilities.”
The vulnerabilities disclosed on Thursday by NVIDIA exist because a value passed from a user to the driver is not validated properly. A local attacker can exploit this weakness to cause a DoS condition or to escalate privileges.
The other four flaws, classified as medium severity, are related to improper access controls, incorrect initialization of internal objects, and unvalidated user input. They can be exploited by a local attacker to cause a DoS condition.
All of the vulnerabilities affect the Windows drivers, but some also impact Linux, FreeBSD and Solaris. The flaws have been addressed in the Windows drivers for GeForce, NVS and Quadro with the release of version 385.69. An update for Tesla is expected to become available next week. For Linux, FreeBSD and Solaris, versions 384.90 and 375.88 patch the vulnerabilities.
Nine DoS and privilege escalation flaws were patched by NVIDIA in its GPU display drivers in late July. A majority of those security holes were classified as high severity.
Lenovo also published an advisory this week to alert its customers about the NVIDIA display driver vulnerabilities patched in July.