The reason cybersecurity is a process, not a one-time solution, is that the Bad Guys – whether careless or malicious employees, hacktivists, cybercriminals, or rogue governments (not to be confused with the good governments, which only spy on us for our benefit) – are a problem that will never go away. Every new and improved security measure is only as good as the people who use it and only effective until somebody comes up with a way to beat it.
It Isn’t Ransomware, But It Will Take Over Your Server Anyway
In this week’s Tales From Ransomware, we take a look at a ransomware that isn’t really ransomware. Nor even malware. But it can hijack your server anyway.
A few days ago we saw what looked like a typical Remote Desktop Protocol (RDP) attack, which led us to believe it was similar to the one we told you about a few months ago, in which cybercriminals use brute-forced RDP access to infect devices with ransomware. We were very wrong.
First, because instead of encrypting data, it locks the desktop with a password the victim doesn’t know. Second, it demands no ransom (!) in exchange for the credential; instead it tries to keep the device locked for as long as possible so that it can be used for cryptocurrency mining all that time. And third, it doesn’t use malware as such.
Once they have gained access to the machine by brute force (this particular server was fielding 900 logon attempts a day), the attacker copies over a file called BySH01.zip, which contains:
- BySH01.exe (an AutoIt-compiled executable)
- 7za.exe (goodware: the well-known free tool 7-Zip)
- tcping.exe (goodware: a tool for performing TCP pings)
- MW_C.7z (a password-protected archive), which contains:
- a goodware application for cryptocurrency mining
- a goodware application for locking the Windows desktop
The attacker runs BySH01.exe, which brings up a Russian-language configuration interface (the screenshot and the translated word list from the original post are not reproduced here). With the help of our colleagues at Panda Russia, those of us who don’t read Russian could get an approximate idea of what it says.
Basically, the mining application uses this interface to configure how many cores to use, which processor instruction-set extensions to use, which “wallet” to send the coins to, and so on. Once the desired configuration is selected, the attacker clicks Установить (“Install”) to install and run the miner. The miner uses CryptoNight, a proof-of-work algorithm designed for mining on ordinary CPUs (it is the algorithm behind Monero and other CryptoNote currencies rather than Bitcoin itself, which has not been profitable to mine on CPUs for years).
Then they click Локер (“Locker”), which installs and runs the desktop-locking application. This is the commercial program Desktop Lock Express 2, modified only so that the information shown in the file’s properties is the same as that of the system file svchost.exe. Finally, the tool deletes all the files used in the attack except CryptoNight and Desktop Lock Express 2.
We detected and blocked several of these attacks in different countries. Cases like this show, once again, how cybercriminals take advantage of weak passwords that can be guessed by brute force given enough time. No malware is needed to gain access to the system, so it is up to you to use a robust password that keeps unwanted visitors out.
Tips for the System Admin
In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of pieces of advice for every administrator who has to keep RDP exposed:
- Configure it to use a non-standard port. Most cybercriminals simply scan the whole Internet for TCP port 3389 (newer Windows versions also listen on UDP 3389); they could scan other ports, but rarely bother, since most administrators never change the default. Those who do change it tend to be careful about security in general, which usually means their credentials are already strong enough not to fall to brute force in any reasonable time. Treat the port change as a speed bump rather than a control, though: scanners that fingerprint services will still find RDP on any port, so also restrict who can reach it (firewall rules or a VPN), require Network Level Authentication, and enable account lockout.
- Monitor failed RDP connection attempts. Brute-force attacks are easy to spot this way: they are automated, and show up as a new failed logon every few seconds from the same source address.
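A minimal way to implement that monitoring, as an added example that is not code from the original post: it reads a handful of constructed Security-log records (event 4625 = failed logon; logon type 10 = RemoteInteractive, i.e. RDP; type 3 = Network, which is how an NLA pre-authentication failure is recorded) and flags any source address that exceeds a threshold of failures inside a sliding time window. The export layout, the threshold and the addresses are assumptions made for illustration.

```python
"""Flag RDP brute-force activity from Windows Security-log failed logons.

Added example (not from the original post). Input layout, threshold and
addresses are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event id,logon type,target account,source IP.
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network (what an NLA
# pre-authentication failure is recorded as on current Windows builds).
SAMPLE_EVENTS = """\
2017-01-10T03:00:01Z,4625,10,administrator,203.0.113.7
2017-01-10T03:00:06Z,4625,10,admin,203.0.113.7
2017-01-10T03:00:11Z,4625,10,guest,203.0.113.7
2017-01-10T03:00:16Z,4625,10,administrator,203.0.113.7
2017-01-10T03:00:21Z,4625,10,user,203.0.113.7
2017-01-10T03:00:26Z,4625,10,administrator,203.0.113.7
2017-01-10T03:00:40Z,4625,10,jsmith,198.51.100.20
2017-01-10T03:01:02Z,4624,10,jsmith,198.51.100.20
2017-01-10T03:05:00Z,4625,3,backup,203.0.113.50
2017-01-10T03:07:00Z,4625,3,backup,203.0.113.50
2017-01-10T03:09:00Z,4625,3,backup,203.0.113.50
2017-01-10T03:11:00Z,4625,3,backup,203.0.113.50
"""

RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse the CSV-style export into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
        })
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {source_ip: {"peak": n, "accounts": [...]}} for every source
    that produced at least `threshold` failed RDP logons within any span of
    `window_seconds`. Uses a per-source sliding window (deque)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> timestamps still inside the window
    accounts = defaultdict(set)      # src -> every account name it tried
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != 4625 or e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        accounts[e["src"]].add(e["account"])
        while q and e["ts"] - q[0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(e["src"], {"peak": 0})
            info["peak"] = max(info["peak"], len(q))
    for src, info in flagged.items():
        info["accounts"] = sorted(accounts[src])
    return flagged


def report(text=SAMPLE_EVENTS):
    """One human-readable alert line per flagged source."""
    alerts = find_bruteforce(parse_events(text))
    return [f"ALERT {src}: {info['peak']} failed RDP logons within a minute, "
            f"accounts tried: {', '.join(info['accounts'])}"
            for src, info in alerts.items()]


if __name__ == "__main__":
    print("\n".join(report()) or "no brute-force activity in sample")
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` or from a SIEM export; the spread of account names tried from one address is as telling as the rate, since a person mistyping their own password never cycles through administrator, admin and guest. Loosening the window (say, three failures in five minutes) also catches the slow, patient pattern from the second address in the sample.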
The post It Isn’t Ransomware, But It Will Take Over Your Server Anyway appeared first on Panda Security Mediacenter.
What You Need To Know About The iMessage Security Flaw
With everything that has gone down in 2016, it’s easy to forget Tim Cook’s and Apple’s battle with the FBI over data encryption. Apple took a strong stance, and other tech giants followed suit, leading to a victory of sorts for (the little guy in) online privacy. In this era of web exposure, it was a step in the right direction for those who feel our online identities are increasingly vulnerable.
All of this counts for little, though, when a flaw in your operating system’s messaging protocol lets carefully encrypted messages be decrypted by a third party. That is what happened to Apple with iOS 9.2. Though the patches that followed largely fixed the problem, the whole issue has understandably left iOS users with questions. What really happened, and are we at immediate risk?
What Is The iMessage Security Flaw?
A paper released in March by researchers at Johns Hopkins University exposed weaknesses in Apple’s iMessage encryption protocol. It found that a determined attacker could intercept the encrypted messages between two iPhones and recover the 64-digit key used to decrypt them.
Because iMessage does not use a Message Authentication Code (MAC) or an authenticated encryption scheme, the raw ciphertext can be tampered with without the recipient noticing. iMessage instead relies on an ECDSA signature, which looks as if it serves the same purpose but does not: a signature proves who signed a ciphertext, not that the ciphertext is the one originally sent, and the paper shows that an attacker can strip it and re-sign the modified ciphertext with a key of their own. Exploiting the flaw is still no easy feat. The attacker has to know or guess parts of the plaintext in order to substitute those parts in the ciphertext.
Using this method, an attacker gradually works out the contents of a message by substitution. In a stream-cipher mode such as iMessage’s AES-CTR, XORing a stretch of ciphertext with (guess XOR replacement) turns that stretch into the replacement only if the guess was right. So if the attacker learns that their substitution of “house” by another word of the same length went through, they know the message contained “house”. Learning whether the substitution succeeded is a whole other process, since it needs the recipient to act as a decryption oracle, which the researchers found to be possible only with attachment messages.
It may sound simple, but it really isn’t. The full details of the flaw, and the complex way it can be exploited, are in the Johns Hopkins paper.
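To make the malleability concrete, here is an added example (written for this page, not the researchers’ or Apple’s code) that models the property the attack relies on: in counter mode the ciphertext is plaintext XOR keystream, so anyone who can guess a stretch of plaintext can rewrite it without the key. It uses an HMAC-SHA256 keystream in place of AES-CTR (an assumption made to keep the script standard-library only; the XOR structure, which is all the edit depends on, is identical), and then shows that an encrypt-then-MAC tag, the ingredient the researchers say is missing, makes the same edit fail before anything is decrypted.

```python
"""Why CTR-style encryption without a MAC is malleable, and how a MAC fixes it.

Added example, not code from the paper or from Apple. The keystream is
HMAC-SHA256 in counter mode standing in for AES-CTR (assumption: only the
plaintext-XOR-keystream structure matters for the edit shown here).
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, concatenated."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def ctr_crypt(key, nonce, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def substitute(ciphertext, offset, guess, replacement):
    """Attacker's edit, made without the key: if the plaintext at `offset`
    really is `guess`, the result now decrypts to `replacement` there.
    A wrong guess turns that stretch into garbage instead."""
    if len(guess) != len(replacement):
        raise ValueError("replacement must have the same length as the guess")
    ct = bytearray(ciphertext)
    for i, (g, r) in enumerate(zip(guess, replacement)):
        ct[offset + i] ^= g ^ r
    return bytes(ct)


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then tag nonce||ciphertext with a separate MAC key."""
    ct = ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(enc_key, mac_key, nonce, ct, tag):
    """Reject any modified ciphertext before touching the decryption key."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        raise ValueError("authentication failed: ciphertext was modified")
    return ctr_crypt(enc_key, nonce, ct)


def demo(message=b"meet me at the house at 9"):
    """Returns (plaintext after a correct-guess edit,
                plaintext after a wrong-guess edit,
                whether encrypt-then-MAC rejected the edit)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    offset = message.index(b"house")

    # 1. No MAC: the attacker guesses "house" and swaps in "villa" (same length).
    ct = ctr_crypt(enc_key, nonce, message)
    right = ctr_crypt(enc_key, nonce, substitute(ct, offset, b"house", b"villa"))
    wrong = ctr_crypt(enc_key, nonce, substitute(ct, offset, b"hotel", b"villa"))

    # 2. With a tag over nonce||ciphertext the same edit is rejected before
    #    decryption, whatever the guess was, so the recipient is no oracle.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, message)
    try:
        verify_then_decrypt(enc_key, mac_key, nonce,
                            substitute(ct2, offset, b"house", b"villa"), tag)
        rejected = False
    except ValueError:
        rejected = True
    return right, wrong, rejected


if __name__ == "__main__":
    right, wrong, rejected = demo()
    print("correct guess ->", right)
    print("wrong guess   ->", wrong)
    print("MAC rejected  ->", rejected)
```

The decisive difference is not the tag itself but that rejection happens before decryption and does not depend on whether the guess was right, so the recipient’s behaviour leaks nothing about the plaintext; an AEAD mode such as AES-GCM gives the same guarantee in a single primitive.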
The paper includes the recommendation that, in the long run, “Apple should replace the entirety of iMessage with a messaging system that has been properly designed and formally verified.”
Are iMessage Users At Immediate Risk?
Despite the recommendation, the answer is no; it is very unlikely. One thing that should be made clear is that these weaknesses were found only after months of work by an expert team of cryptographers. Anyone exploiting them would undeniably be a sophisticated attacker. That of course doesn’t mean Apple shouldn’t go to great lengths to eradicate the vulnerability.
Your messages, though, are not at immediate risk of being decrypted, much less if you have installed the patches that came with iOS 9.3 and OS X 10.11.4 (though they don’t completely fix the problem). Tellingly, the flaws can’t be used to attack many devices at the same time. As already mentioned, the process exposed by the Johns Hopkins paper is complex and relies on several steps that are by no means easy to complete successfully.
All of this means that it would take a very sophisticated attacker a complex and lengthy process (up to and beyond 70 hours) to decrypt one message. iMessage has a supported base of nearly one billion devices and handles more than 200,000 encrypted messages per second. We’ll let you do the math there but it seems highly unlikely that a hacker would try to exploit this weakness unless they’re trying to uncover very sensitive and important data.
A hacker would most likely carefully vet their target as someone who possesses valuable information that could then be contained within that person’s messages. If a hacker’s investing 70 hours of their time to uncover cat pics, the joke’s really on them.
Could this have any connection with the FBI encryption dispute?
Matthew D. Green, the well-known cryptographer who led the Johns Hopkins research team, spoke with the Washington Post about the implications of his team’s research: “Even Apple, with all their skills, and they have terrific cryptographers, wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
So you’d probably need the resources of, say, the FBI to pull off an attack exploiting the vulnerability exposed in the Johns Hopkins paper. It seems very unlikely that individuals would be targeted en masse. 2016 has been such a surreal year, though, who are we to say what is and isn’t possible?
The post What You Need To Know About The iMessage Security Flaw appeared first on Panda Security Mediacenter.
Pirate Party: the Future of Politics?
Could Iceland’s Hacker-founded Pirate Party be the Future of Politics?
So, Donald Trump is president of the leading world power. Yes, that really happened. While the jury is still out on the reasons behind the new president’s rise to power, many believe it’s down to a sense of apathy towards left wing politicians, in this case Hillary Clinton and the Democrats, who would otherwise be the traditional harbingers of progress and change.
One political movement however, is trying to do away with this apathy by embracing something that we’re all about here at Panda Security: online privacy and security on the web!
Introducing Iceland’s wing of the Pirate Party.
Okay, you’ve most likely heard of them already as 2016 is looking to have been a watershed year for them, having tripled their seats in Iceland’s parliament during October’s elections.
This party has really caught our attention, though, and that of many others worldwide, with the way it embraces technology and highlights how much larger a role it could play in the future of democracy.
The Pirate Party can be considered a worldwide movement, with branches cropping up all over, including in the UK, Australia and the US.
The first iteration of the party was founded in Sweden by Rick Falkvinge in 2006 after the Pirate Bay torrent website was raided by police. The fact that visitors to the website more than doubled thanks to the media exposure that followed the raid was signal enough that legislation was out of touch with public opinion on online distribution and surveillance laws. And so Sweden’s Pirate Party was born.
How did Iceland’s Pirate Party become so popular?
Iceland’s Pirate Party is based on the Swedish party’s model, however, it has its own ideas about issues like data protection as well as how Iceland should be run as a country. Their propositions seem to be appealing to an Iceland that is increasingly looking to break from the status quo.
Birgitta Jónsdóttir, a former Wikileaks volunteer, co-founded Iceland’s Pirate Party in 2012 along with other prominent activists and hackers. According to Jónsdóttir, Iceland’s Pirate Party can sense the winds of change and they see a future of technology-centered upheaval. In a recent interview she said, “we have to be innovative to fight against political apathy”.
But what does she mean by this? Well, the Pirate Party is very much working within the political system to advocate a peaceful political revolution based on greater political transparency and a grass-roots approach to politics. Think Mr. Robot gone mainstream.
The Pirate Party wants to increase public participation in collective decision-making by giving citizens direct access to the process via the Internet. Under their system, the public would be able to propose and veto legislation using the party’s online voting system.
Jónsdóttir has also gone on record saying the Pirates would implement propositions such as the United Nations’ proposed resolution, ‘The right to privacy in the digital age’. The resolution, aimed largely at addressing and curbing world governments’ illegal surveillance methods has, for all intents and purposes, been largely ignored by world governments.
The party’s success and recent popularity also comes after the backlash the traditional parties in Iceland have suffered following the 2008 financial crisis and, most recently, the stepping down of the country’s prime minister, Sigmundur Davíð Gunnlaugsson, following his implication in the Panama Papers scandal. Many Icelanders feel it’s time for change and that the Pirate Party are
But they’re hackers!
In a recent interview, Jónsdóttir said “we do not define ourselves as left or right but rather as a party that focuses on [reforming] the systems. In other words, we consider ourselves hackers.”
But what questions does this bring up? Hackers are bad right?
Well, yes and no. A hacker can be defined in various ways: someone who breaks through firewalls and retrieves information, often illegally, or someone who finds simple solutions (a hack) to everyday problems. The Pirate Party presents itself as the latter, a party that will introduce simple hacks for problems it feels the current system refuses to deal with.
Many questions still arise as to how their vision of Iceland’s future would function in the real world. Increasing democratic reach through the Internet seems a logical step in this technological age, but what are the dangers? In that future, could a DDoS attack bring government to a halt? Could a malicious hacker bypass encryption and twist legislation by altering online poll results in their favor? Would moving the democratic process onto the web empower hackers in new and inconceivable ways?
In a recent interview, Ben de Biel, a spokesperson for Berlin’s Pirate Party claimed, “the established parties browse the Internet but we work with it.” Whilst any Pirate Party coming to power would lead to unprecedented change, Iceland’s is the closest to getting there. Their plans, if put into action, could lead to very positive change in digital privacy laws, however, they would also bring to light an increasing necessity for cyber security in an age that is becoming more and more technology reliant.
The post Pirate Party: the Future of Politics? appeared first on Panda Security Mediacenter.
Why Your Business Needs a Security Strategy for Social Networks
In 2017, it’s not easy to find a company that doesn’t have any sort of presence on social networks. A Twitter account, a Facebook page, and a lot of Instagram photos come standard in any business’s digital communications pack.
Added to this are all of the employees who access their own accounts during work hours. Despite all this activity, there are still plenty of corporations that don’t regulate it, putting their own security at risk.
According to a recent study by the Pew Research Center, around 50% of the companies analyzed have no briefing for social media use within the company.
Businesses that don’t take this security issue seriously are exposing themselves to a diversity of threats. First, they may witness their own employees leaving negative posts about the company from their work stations. Worse still, they could publish confidential corporate data.
Aside from avoiding scenarios that could lead to a corporate crisis, the main goal of a social network strategy should be to clearly define what employees are permitted to do on these platforms during work hours. One rule that should be clearly established is not to follow links whose origin is unknown or untrusted.
In that way, and with the right protection, it is possible to avoid some of the risks hiding in the deepest corners of social networks. Phishing attacks, spam, or any type of malware could jeopardize corporate secrets. A clear policy for Twitter & Company is critical.
Good social network practice can also increase productivity. According to the same Pew Research study, 40% of employees at companies with no such policy use social platforms to take a break, compared with 30% where a clear policy is in place. Not only, then, are we avoiding risks, but also promoting a more professional work environment. Does your business have rules for the use of social networks in the workplace?
The post Why Your Business Needs a Security Strategy for Social Networks appeared first on Panda Security Mediacenter.
Shadow IT and "No" versus "Know"
In an information-based economy where bring-your-own device (BYOD) and, increasingly, bring-your-own application (BYOA) are the norm, IT groups are struggling to let their organizations be fast and flexible while protecting their digital assets. Shadow IT, also referred to as rogue or cockroach IT, encompasses the devices, software and services outside the ownership or control of IT groups. While Shadow IT poses a significant threat to the management and security of organizations, it can also be a source of speed, agility and freedom that enables business success.
The Cruelest Ransomware Propagates Like a Meme
A link shows up in your inbox from a colleague that you never really hit it off with, or a cousin you’re on the outs with. You open it, and the cat’s out of the bag: you’ve been infected with a ransomware that has abducted all of the files on your computer.
This new malicious software is called Popcorn Time and its purpose is to get the victim to collaborate with the cybercriminal to infect new users. It is particularly cruel because, aside from demanding a 1 bitcoin payment (about $900 as of this writing) to return access to the encrypted files, the victim is offered the chance to recover the files for free if they contribute to its propagation.
Infecting Others to Free Yourself
The victim will be able to share the Popcorn Time download link with other users. If two of the newly infected decide to pay the ransom or pass the chain along, the accomplice will receive a code to unblock their files.
Essentially, Popcorn Time works like any other ransomware: it infects computers and encrypts their files. The twist lies in the morbid way it spreads, which lets cybercriminals take advantage of the word-of-mouth phenomenon.
“The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” explains Kevin Butler, security expert at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”
How can you protect yourself from Popcorn Time?
Dissemination strategies like this one may not have such a significant impact as they seem to have at first glance. Is it easier to propagate a malware by asking for the collaboration of users, or by sending mass emails that get to many recipients quickly and at the same time?
One way or another, it’s crucial to be protected in the face of such dangerous threats as Popcorn Time, whether or not they propagate as a viral phenomenon. Keeping our operating systems updated, not clicking on suspicious links — even if an acquaintance has sent it — and keeping a good cybersecurity solution installed — this is some of the advice to be followed if you want to avoid having your files abducted by a cybercriminal.
The post The Cruelest Ransomware Propagates Like a Meme appeared first on Panda Security Mediacenter.
Adaptive Defense 360 Given Stamp of Approval by AV-Comparatives
Defending your devices in our hyperconnected world is no simple task. Your protection should include a wide range of defense mechanisms, a necessary deployment that, until now, has forced IT organizations to purchase and maintain a variety of products from different providers.
In December, AV-Comparatives gave their stamp of approval to the three principles of the Adaptive Defense 360 security model: continuous monitoring of all applications on company servers and workstations, automatic classification of endpoint processes using big data and machine learning techniques in a Cloud-based platform, and the possibility, should a process not be automatically classified, of a PandaLabs expert technician analyzing the behavior in depth.
“The evaluation by AV-Comparatives is a good reflection of the value of Adaptive Defense to our customers,” said Iratxe Vázquez, Product Manager at Panda Security. “We protect from and detect all types of known and unknown malware and zero-day security attacks (ransomware, bot networks, exploits, fileless malware, APTs, etc.), all thanks to the continuous monitoring of all processes running on our customers’ devices.”
The Adaptive Defense 360 solution has been endorsed as the first and only product that combines endpoint protection (EPP) and endpoint detection and response (EDR) in a single platform.
“As this solution classifies all executed processes, it cannot fail to record any malware.”
Efficacy Test
Panda Security’s advanced cybersecurity solution detects and blocks malware that other protection systems don’t even see. “We know that Adaptive Defense is easily one of the best solutions on the market, and we needed this to be certified by a prestigious laboratory in the world of security,” said Luis Corrons, Technical Director of PandaLabs.
Adaptive Defense 360 achieved 99.4% detection in the 220 analyzed samples and 0 false positives in the independent analysis performed by the esteemed AV-Comparatives Institute, which establishes this solution as the most advanced end-user cybersecurity software.
“For us it was essential that the tests were done with the utmost rigor, as we were looking for an environment that would perfectly simulate the real world and the threats to which companies are constantly exposed,” says Corrons.
The Intelligent Control Platform, a Synthesis of Machine Learning and Big Data
Artificial intelligence and machine learning are booming trends this 2017, allowing companies to use data science to optimize resources and improve their productivity. Imagine the effectiveness of a cybersecurity software that combines both of these trends.
“The protection that Adaptive Defense 360 offers is much more than a marketing strategy,” said Iratxe Vázquez. “This solution is a protection strategy, a new security model that our customers will need in order to deal with cyber threats. The attacker continually adapts his behavior, easily avoiding traditional antiviruses. He infiltrates and acts quietly, making all kinds of lateral movements that we monitor, analyze and block before he reaches his targets.”
Adaptive Defense 360 is part of an intelligent cyber security platform, capable of merging contextual intelligence with defense operations.
“We continuously monitor and evaluate the behavior of everything running on our clients’ machines, using Machine Learning’s adaptive techniques in Big Data environments, which gives way to exponentially increasing knowledge of malware, tactics, techniques, and malicious processes, along with reliable application information, “explains Iratxe Vázquez.
Adaptive Defense 360 also integrates with SIEM solutions (Security Information and Event Management), feeding them detailed information on the activity of applications running on workstations. For customers who do not have a SIEM, Adaptive Defense 360 includes its own security event management and storage system for real-time analysis of the information collected, the Advanced Reporting Tool.
AV-Comparatives has seen what we can do, and they liked what they saw. How about you? Have you witnessed intelligent cybersecurity in action yet?
The post Adaptive Defense 360 Given Stamp of Approval by AV-Comparatives appeared first on Panda Security Mediacenter.
How to protect your Android device from Ghost Push
Ghost Push is a malware family that exploits vulnerabilities to gain root access to Android devices and then downloads, installs and rates other apps in the background. Using social engineering, users are tricked into downloading Ghost Push from third-party app stores or via links sent in text messages. Once installed, Ghost Push tries to gain root access. As the name suggests, Ghost Push acts in a ghostly fashion once it has root: infected users don’t notice anything, because everything happens in the background. Recently, a new variant of Ghost Push, Gooligan, was detected spreading in the wild. The Gooligan variant steals the email addresses and authentication tokens stored on infected devices, gaining access to users’ Google account data, including Gmail and Google Play. More than one million users’ Google accounts were affected.
Health Care Legislation Raises Ransomware to Level of Cybersecurity Breach
Data theft and ransomware attacks with a direct financial impact on their victims are among the primary threats the health care industry faces. Healthcare was the sector most affected by cyberattacks in 2015, accumulating a total of 253 reported breaches and 112 million stolen records.
Despite its long history of lucrative attacks and the thousands of people affected by its intrusions, ransomware received the same treatment as any other incident under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the US legislation that sets the privacy and security requirements for safeguarding medical information. Until now, ransomware was simply lumped in with everything else the legislation covers.
The current scenario calls for greater protection of the multitude of devices that make up a hospital’s IT infrastructure. The US Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) have now declared that a ransomware infection is a security incident under the HIPAA Security Rule and, when it encrypts protected health information, is presumed to be a breach unless the covered entity can show a low probability that the data was compromised. Ransomware has, in effect, been raised to the level of a serious infraction and a cybersecurity breach.
With the encryption carried out by most ransomware recognized as a form of unauthorized acquisition of medical data, ransomware has become subject to the HIPAA Security Rule, which establishes the national standards for protecting patient information that is stored or transmitted electronically.
Let Us Protect You
If it seems like cybersecurity breaches are a major hassle in themselves, we must now think of the other fiscal penalties that come into play if security protocols are not met. Non-compliance with these protocols could come to light in the event of a cyberattack such as ransomware.
Adaptive Defense 360 is the only advanced cybersecurity system that combines latest generation protection, detection, and remediation technology with the ability to classify 100% of running processes.
This solution classifies all active processes in every endpoint, guaranteeing protection against known malware and against threats such as zero-day attacks, Advanced Persistent Threats, and targeted attacks.
Better to prevent infection now than to cure it later.
The post Health Care Legislation Raises Ransomware to Level of Cybersecurity Breach appeared first on Panda Security Mediacenter.