If you are a hacker, you might have enjoyed the NSA’s private zero-day exploits, malware and hacking tools that were leaked last month.
But the question is: How these hacking tools ended up into the hands of hackers?
It has been found that the NSA itself was not directly hacked, but a former NSA employee carelessly left those hacking tools on a remote server three years ago after an
Two weeks ago we saw a ransomware attack in a server belonging to a French company. It was a Crysis variant, a ransomware family that appeared earlier this year. We witness thousands of infection attempts by ransomware on a daily basis, but this one caught our attention as the file somehow showed up in the computer when no one was supposed to be using it and in fact, there were no email clients or Internet browsers running there.
Why did the security measures in place allow this file into the server? That’s what we wanted to find out, and so we began an investigation. It turns out that this server is running Remote Desktop Protocol (RDP) and these cybercriminals used a brute force attack until they could guess the credentials to obtain remote access.
Back to the story—as most users do not have 2FA enabled and the passwords are not that complex nor random, it is pretty easy to get into a server using this kind of brute-force attack, a good dictionary or with the most common combinations. This is not a new technique. More than a year ago, I remember one wave that hit Spanish companies with ransomware using the exact same technique. Cybercriminals usually perform these attacks at night or during weekends, when there are few people in the office, or none at all.
Cybercriminals get into a server using this kind of brute force attack, a good dictionary or with the most common combinations.
In this case, the attack to the server started on May 16th, where they performed 700 login attempts. These were performed automatically, usually for a period of two hours approximately. Most of these attacks have been happening from 1am to 3am, or from 3am to 5am. Each and every day. The number of login attempts changes, for example on May 18th there were 1,976 while on July 1st there were 1,342.
After almost four months and more than 100,000 login attempts, the attackers were finally able to get into the server and drop the Crysis ransomware.
This week our colleagues from Trend Micro published an article that warned us about similar attacks happening in Australia and New Zealand that deploy Crysis variants. Unfortunately, we can say that those are not the only countries—this is happening at a worldwide level (at least since May).
Assuming you need to have RDP running and connected to the Internet, apart from monitoring connection attempts so you can learn that you are under attack, you should also enforce complex passwords. The best approach would be to implement 2FA, such as SMS passcode, so guessing passwords becomes useless.
We’ll continue to keep you informed with our Tales from Ransomwhere series!
The post Worldwide “Crysis” Through Remote Desktop Protocol appeared first on Panda Security Mediacenter.
Document-based macro malware flies under the security radar by first detecting existing documents on PC.
ESET’s latest research analyzes a piece of malware active since 2012, but which has targeted one specific country – Libya.
The post Book of Eli: African targeted attacks appeared first on WeLiveSecurity.
Hey! Wait! Wait! Wait!
Don’t plug in that USB stick into your laptop. It could infect your computer with malware and viruses.
Australia’s Victoria Police Force has issued a warning regarding unmarked USB flash drives containing harmful malware being dropped inside random people’s letterboxes in the Melbourne suburb of Pakenham.
It seems to one of the latest tactics of cyber criminals to
Zscaler identified a keylogger on steroids that targets passwords, webcam and software licenses.
The news of the week is discussed, including Schneier’s DDoS article, a patched IE/Edge zero day, a new OS X malware detection method, and Google’s Project Zero prize.
Developers behind Neverquest have had a busy summer adding new features to the potent Trojan.
Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus?
If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device’s performance.
But do you have any idea about the pre-installed apps and services your manufacturer has
This week Cylance’s Chad Skipper published an article called “Security Testing Houses: Know the Truth!” that all people interested in security solutions testing should read. There are some serious accusations against some testing houses and vendors (without naming them) such as:
– “vendors who pay so that their test results will show 100% efficacy”
– “bribing the testing house to hide the negative results of their tests.”
Even though I have been involved in this industry for more than 17 years, I am not aware of any case like those described above. That being said, I do agree with most of the article. To name a few: outdated testing methodologies, not enough samples being used, having to pay to challenge the test results… that happens. And it has to be fixed, that’s why organizations like AMTSO exist, and the first thing that came to my mind after reading the blog was “we need to have Chad in the next AMTSO meeting”. Guess what, when I asked AMTSO about it they told me he had already registered for the next meeting we’ll have next month in Malaga. Awesome!
Chad ends the article saying “Test for Yourself”. I also agree with this, and in fact it is something that has been happening for a long time. The largest customers we have in different areas (Governments, Telecommunications, Financial, Health, Facilities industries) have selected our EDR solution (Adaptive Defense 360) after several months of intensive and deep testing of different solutions.
The truth is that this kind of “do-it-yourself” testing is only available for big corporations. Small and medium companies lack the resources to do it properly, and that’s why they trust professional testing companies’ results to make decisions. Security Week’s Kevin Townsend wrote an article a few months ago about this topic in this fantastic article: “Inside The Competitive Testing Battlefield of Endpoint Security”.
Out of all the regular tests performed by the biggest testing companies one of the tests I like the most is the Real-World Protection Test performed by AV-Comparatives. In the aggregated February-June 2016 test with 1,868 test cases (PDF), how many vendors obtained 100% accuracy with 0 false positives? None of them. It is clear that Chad cannot be referring to AV-Comparatives when he is talking about vendors that pay to obtain a 100% efficacy.
This is the same AV-Comparatives I talked to last year to test our EDR solution, Adaptive Defense 360, with a number of other similar solutions. Have you seen that test? No, that’s because even though Panda offered to pay for each product included in that test, the other vendors (Cylance was NOT one of them) didn’t want to.
In 3 weeks I will be in Denver to discuss these topics at the 26th Virus Bulletin conference with ESET’s Righard Zwienenberg in our talk “Anti-malware Testing Undercover”.
The post Anti-malware Testing Undercover appeared first on Panda Security Mediacenter.
