Showing posts with label #Ransomware.

Sunday, July 28, 2019

scan router for malware


Thursday, April 5, 2018

The new strategies and tactics of cybercriminals

There has been an average of eight new threat samples per second, and an increasing use of fileless malware attacks leveraging Microsoft PowerShell, in the last quarter of 2017, according to the McAfee Labs Threats Report: March 2018. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.
“The fourth quarter was defined by rapid cybercriminal adoption of newer tools and schemes—fileless malware, cryptocurrency mining, and steganography. Even tried-and-true tactics, such as ransomware campaigns, were leveraged beyond their usual means to create smoke and mirrors to distract defenders from actual attacks,” said Raj Samani, McAfee Fellow and Chief Scientist. “Collaboration and liberalized information-sharing to improve attack defenses remain critically important as defenders work to combat escalating asymmetrical cyberwarfare.”
Each quarter, McAfee Labs assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.
Cybercriminals Take On New Strategies, Tactics
The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.
Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.
“By going digital along with so many other things in our world, crime has become easier to execute, less risky and more lucrative than ever before,” said Steve Grobman, Chief Technology Officer for McAfee. “It should be no surprise to see criminals focusing on stealthy fileless PowerShell attacks, low risk routes to cash through cryptocurrency mining, and attacks on soft targets such as hospitals.”
Health Care Targeted
Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.
McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and print three-dimensional models.
“Health care is a valuable target for cybercriminals who have set aside ethics in favor of profits,” said Christiaan Beek, McAfee Lead Scientist and Senior Principal Engineer. “Our research uncovered classic software failures and security issues such as hardcoded embedded passwords, remote code execution, unsigned firmware, and more. Both health care organizations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices.”
Q4 2017 Threats Activity
Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.
Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.
Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.
  • Health care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Education. Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Finance. Disclosed incidents rose 16% in 2017, falling 29% in Q4.
Regional Targets.
  • Americas. Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Asia. Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Europe. Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Oceania. Disclosed incidents rose 42% in 2017, falling 33% in Q4.
Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.
Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, while growth in new ransomware samples rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.
Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.
Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.
Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 243% in 2017.
Macro malware. New macro malware increased by 53% in Q4 and declined by 35% in 2017.
Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

Wednesday, April 4, 2018

Move over ransomware attacks as hackers take to cryptojacking


When it comes to increased cryptojacking activities, India is second in the Asia-Pacific and Japan (APJ) region and ninth globally as hackers create a highly-profitable, new revenue stream with crypto-mining, cyber security giant Symantec said on Wednesday.

According to Symantec's "Internet Security Threat Report", detection of coinminers on endpoint computers increased by a whopping 8,500% in 2017.

"Cryptojacking is a rising threat to cyber and personal security," Tarun Kaura, Director, Enterprise Security Product Management, APJ at Symantec, said in a statement.

"The massive profit incentive puts people, devices and organizations at risk of unauthorised coinminers siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers," Kaura added.

Cryptojacking is defined as the secret use of a computing device to mine cryptocurrency.

With a low barrier of entry, cyber criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency.

Coinminers can slow devices, overheat batteries and in some cases, render devices unusable. For enterprise organisations, coinminers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding to the cost.

"Now you could be fighting for resources on your phone, computer or Internet of Things (IoT) device as attackers use them for profit. People need to expand their defenses or they will pay the price for someone else using their device," Kaura added.

Symantec found a 600 per cent increase in overall IoT attacks in 2017. India today ranks among the top five countries as a source for IoT attacks.

The firm also identified a 200% increase in attackers injecting malware implants into the software supply chain in 2017.

Threats in the mobile space continue to grow year-over-year, including the number of new mobile malware variants which increased by 54%.


Mobile users also face privacy risks from grayware apps that are not completely malicious but can be troublesome. Symantec found that 63% of grayware apps leak the device's phone number.


In 2017, the average ransom cost lowered to $522.


"Several cyber criminals may have shifted their focus to coin mining as an alternative to cashing in while cryptocurrency values are high," the report noted.

via gadgetsnow

Wednesday, March 28, 2018

Thursday, November 2, 2017

Ten Percent of Mobile Subscribers at Serious Risk of ID Theft


Data aggregated from global operators indicates 60% of suspicious domains are linked to phishing
Thursday, November 2nd, 2017
EDISON, New Jersey, Nov. 2, 2017 /PRNewswire/ -- Korea IT Times
Flash Networks, the leading provider of mobile Internet optimization, security, and engagement solutions, today published new market data highlighting the vulnerability of mobile users to ID theft via phishing attacks. Alarmingly, data collected from global operators shows that more than 10% of users are exposed to phishing attempts. Mobile subscribers are being exposed to increasing risk as the volume and sophistication of attacks escalate.
Data from mobile operator deployments reveal that:
  • 3% of all domains visited are classified as suspicious
  • 60% of suspicious domains are linked to phishing
  • The percentage of mobile users exposed to phishing attempts is increasing, with 10% of subscribers visiting suspicious domains at least once a month
  • Threats are dynamic in terms of intensity, location, and time. While massive phishing attempts may occur at one location, a dramatic shift in the target demographics of phishing attempts may be seen elsewhere at a different time.
"A single click taking an unsuspecting mobile user to a fake website can quickly lead to identity theft," said Dror Shlomo, VP Product at Flash Networks. "Through deep inspection of network traffic, xtraArmor provides subscribers with the strongest possible protection against threats such as viruses, malware, spyware, and phishing before the traffic is delivered to the subscribers' devices."
Flash Networks xtraArmor is a clientless solution for detecting and preventing threats aimed at mobile devices. xtraArmor is powered by industry-leading security technology from Symantec. Integrating seamlessly with mobile operators' networks, the virtualized solution enables operators to protect subscribers and devices from advanced phishing, viruses, malware, spyware, ransomware, and other threats. Using multi-layered detection technologies, such as advanced heuristics, machine learning, and behavior analysis, xtraArmor detects malicious traffic, generates alerts, and prevents such traffic from reaching mobile devices.
About Flash Networks 
Flash Networks is a leading provider of virtual optimization, security and engagement solutions that enable operators to improve RAN spectral efficiency, boost network speed, optimize video and web traffic, generate over-the-top revenues and secure the mobile Internet for subscribers and devices.
With offices in North America, Europe, Latin America, and Asia, Flash Networks services hundreds of millions of subscribers daily at leading global carriers. For more information, visit http://www.flashnetworks.com.

Monday, October 16, 2017

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, the computer security academic who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.
That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.
In other words: this flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they're in, they can eavesdrop on your network traffic.
The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.
But because Vanhoef hasn't released any proof-of-concept exploit code, there's little risk of immediate or widespread attacks.
News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.
The cyber-emergency unit has since reserved ten common vulnerabilities and exposures (CVE) records for the various vulnerabilities.
Cisco, Intel, Juniper, Samsung, and Toshiba are among the companies affected.
At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated.
In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.
Windows and latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post.
However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above.


via zdnet

Here is every patch for KRACK Wi-Fi attack available right now



Monday morning was not a great time to be an IT admin, with the public release of a bug which allowed WPA2 security to be broken.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WPA, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake which permits devices with a pre-shared password to join a network.
According to security researcher Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks (MiTM) and eavesdrop on communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the exploit from being utilized in the wild; there are currently no reports of this bug being harnessed by cyberattackers.
The bug is present in WPA2's cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android version 6.0 Marshmallow and above.
The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.
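To make the nonce-reuse problem described above (and in the earlier KRACK post) concrete, here is an added Python model; it is not code from ZDNet or from Vanhoef's research. The keystream function is a constructed stand-in for CCMP's real AES-CTR keystream, the Supplicant class is a hypothetical simplification of the client side of the four-way handshake, and all names are my own. It shows why reinstalling an in-use key (which resets the packet number used as nonce) leaks the XOR of two plaintexts without any key material, and why the vendor mitigation of refusing to reinstall an already-installed key closes that path.

```python
import hashlib
import hmac

# Constructed stand-in for CCMP's per-frame AES-CTR keystream: a PRF keyed with
# the session key (PTK) and the packet number used as nonce. Same key + same
# nonce always yields the same keystream, which is the property KRACK abuses.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class Supplicant:
    """Hypothetical, simplified client side of the WPA2 four-way handshake.

    hardened=False: every message 3 installs the PTK and resets the packet
    number to zero, so a retransmitted message 3 reinstalls the key in use.
    hardened=True: a key that is already installed is left alone (the
    mitigation vendors shipped), so the packet number keeps incrementing.
    """

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.ptk = None
        self.pn = 0  # transmit packet number, used as the per-frame nonce

    def on_message3(self, ptk: bytes) -> bool:
        """Return True if the key was (re)installed and the nonce reset."""
        if self.hardened and self.ptk == ptk:
            return False
        self.ptk = ptk
        self.pn = 0
        return True

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, encrypt(self.ptk, self.pn, plaintext)

def simulate(hardened: bool, ptk: bytes, frames):
    """Handshake, send frames[0], receive a retransmitted message 3, send frames[1]."""
    sta = Supplicant(hardened)
    sta.on_message3(ptk)
    first = sta.send(frames[0])
    sta.on_message3(ptk)  # message 3 retransmitted, e.g. because message 4 was lost
    second = sta.send(frames[1])
    return first, second

def nonce_reused(result) -> bool:
    (n1, _), (n2, _) = result
    return n1 == n2

def keystream_leak(result, frames) -> bool:
    """With a repeated nonce, c1 XOR c2 equals p1 XOR p2: no key needed to learn it."""
    (_, c1), (_, c2) = result
    return xor(c1, c2) == xor(frames[0], frames[1])

# Constructed sample session key and two same-length frames.
PTK = hashlib.sha256(b"constructed PTK for the demo").digest()
FRAMES = (b"GET /inbox HTTP/1.1 ", b"Cookie: sid=deadbeef")

if __name__ == "__main__":
    for hardened in (False, True):
        res = simulate(hardened, PTK, FRAMES)
        print(hardened, nonce_reused(res), keystream_leak(res, FRAMES))
```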
In total, 10 CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
So who is on top of the game?
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available."
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
The WiFi Standard: A fix is available for vendors but not directly for end users.
Mikrotik: The vendor has already released patches which fix the vulnerabilities.
Google: Google told The Verge that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
AVM: This company may not be taking the issue seriously enough: despite being aware of the issue, it will not be issuing security fixes "unless necessary," citing the bug's "limited attack vector."
OpenBSD: Patches are now available.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Check back as we update this story.


via zdnet

Monday, October 2, 2017

Low-cost tools making #cybercrime more accessible



A report from the security vendor has said the increasing affordability of cybercrime tools is providing budding criminals with a low barrier of entry into the game.

Malware as a service, along with the affordability of spam botnets, is providing criminals with a low barrier of entry into the cybercrime space, a report from SecureWorks has said.
In 2017 State of Cybercrime: Exposing the threats, techniques and markets that fuel the economy of cybercriminals, the SecureWorks Counter Threat Unit explained that less experienced hackers are able to purchase information-stealing malware for reasonably low prices and that, as a result, the pool of people who can conduct malicious activity online has grown.
"The internet underground is thriving with ready-to-purchase malware. In underground forums, inexperienced or less-skilled cybercriminals are able to purchase information-stealing malware for reasonably low prices, typically in the form of pre-compiled binaries or premium builder kits that enable attackers to custom configure their own binaries," the report explains.
Similarly, spam botnets, labelled the most frequently used method for the distribution of all "wares" by SecureWorks, are readily available for a low cost to budding cybercriminals.
"Today, cybercriminals can tap into large botnets to increase the spread of their spam exponentially, a product that can be thought of as 'spam as a service'," the report says.
As one example, the report says one large spam botnet known as Kelihos was charged at as little as $200 per million emails sent for pharmaceutical and counterfeit goods-type messages.
Personal information remains a popular commodity, SecureWorks said, with tested and verified credit card data available in some cases for as little as $10, and highly detailed personal information records also offered for as low as $10.
In total, the report details 11 key findings based on the company's research. However, in addition to the malware and ransomware explosion that was WannaCry and Petya, as well as the business email compromise (BEC) threat that accounted for $5 billion in losses globally between October 2013 and December 2016, SecureWorks highlighted that online crime is a market economy of its own.
The global financial toll of cybercrime is difficult to quantify, but pointing to a report from the US Federal Bureau of Investigation (FBI), SecureWorks said internet crime led to losses in excess of $1.3 billion in 2016.
The report from SecureWorks labelled the online criminal landscape as one that is complex and composed of actors with a diverse range of capabilities.
As defined by SecureWorks, the underground internet is the collection of forums, digital shop fronts, and chat rooms that cybercriminals use to form alliances, trade tools, and techniques, and sell compromised data that can include banking details and personally identifiable information, as well as anything else.
However, SecureWorks concedes that the full extent of cybercrime is not visible solely through this window.
"Lucrative online criminality is run like a business, controlled by organised crime groups who are focused on minimising risk and maximising profit," the report says. "Such groups have considerable reach, will often be active in other areas of more traditional criminality, and, when necessary, will employ the services of other professional criminals who specialise in certain areas, such as moving money or goods around the world."
With money in tow, cybercrime organisations are often able to scoop up security talent before the good guys can employ them. This has created an underground job market that SecureWorks said mainly requires skills in malware writing, inject writing, data processing, network and sysadmin, and network exploitation, as well as vendors to perform exploit kit loading.
Money muling, where a "middleman" takes the data and passes it on -- knowingly or unknowingly -- to the cybercriminal, also continues to be a valuable component of the online criminal landscape, the report explained.
SecureWorks also said the perceived gap between criminality and nation states, in terms of both actors and capabilities, will continue to shrink, pointing to the $81 million Bangladesh heist -- and the criminals' links with North Korea -- as its example.

#cyberattack #CyberSecurity #Ransomware #Malware #tech #hacker
via zdnet

 