Network Security, October 2016


Network Security, ISSN 1353-4858, October 2016, www.networksecuritynewsletter.com

Featured in this issue:

The DNC server breach: who did it and what does it mean?
In June 2016, the computer networks of the US Democratic National Committee (DNC) were hacked. As a result, a number of documents were leaked online. Security companies analysed the breach and quickly came to the conclusion that the hackers were based in Russia. But what does it tell us about the role of cyber-attacks in modern politics? And what lessons can organisations learn for their own security? Michael Buratowski of Fidelis Cybersecurity examines the hack and draws some conclusions. Full story on page 5…

Ransomware: taking businesses hostage
Europol recently declared ransomware to be the biggest cyber-threat facing European businesses and citizens. Both the nature of the chief targets and the ways in which they are being attacked are changing quickly as criminals spot new opportunities for extorting money. A large proportion of organisations have been affected at some time, with cyber-criminals apparently turning their attentions to those that are most vulnerable – such as smaller firms with poor security and no backups or organisations that cannot tolerate interruptions to their operations, such as hospitals. The ransomware itself is evolving too, and while some of it is poorly executed, the most advanced strains show great sophistication. Steve Mansfield-Devine explores the nature of the threat and how businesses should respond. Full story on page 8…

Ransomware: threat and response
How and why is the ransomware scourge growing? And what can organisations do about it? In this interview, Tim Erridge of Context Information Security explains the kind of damage to businesses that can result from an infection, discusses the dilemma of whether to pay the ransom, explores how you can protect yourself and speculates on how the threat will evolve in the future. Full story on page 17…

Contents

NEWS
US officially accuses Russia of DNC hack while election systems come under attack 1

FEATURES
The DNC server breach: who did it and what does it mean? 5

RANSOMWARE SPECIAL
Taking businesses hostage 8
Threat and response 17

REGULARS
News in brief 3
Reviews 4
The Firewall 20
Events 20

NEWS

US officially accuses Russia of DNC hack while election systems come under attack

US intelligence agency officials have now openly blamed Russian hackers for the theft of emails from the Democratic National Committee (DNC).

“The US intelligence community is confident that the Russian Government directed the recent compromises,” said a joint statement by the Department of Homeland Security (DHS) and Office of the Director of National Intelligence.

The statement went on to say that the leaks were “consistent with the methods and motivations of Russian-directed efforts” and are intended to “interfere with the US election process. Such activity is not new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.” It added: “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorised these activities.”

The “similar tactics” include using sites such as DCLeaks.com and Wikileaks to publish the stolen data. A hacker (or team) using the name ‘Guccifer 2.0’ has also cropped up multiple times in investigations into a variety of breaches. The joint statement is available here: http://bit.ly/2erkJfP.

A number of organisations affiliated with the Democratic Party have come under attack in recent months – apparently the work of two separate Russian groups known in the security community as Cozy Bear (aka APT 29), believed to be linked to Russia’s military intelligence service the GRU, and Fancy Bear (aka APT 28). There have been attempts to breach voter registration systems in at least 20 US states. These were of sufficient severity to prompt the DHS to get involved,

… has been called into question after suggestions that data stolen from the World Anti-Doping Agency (WADA) had been altered before being leaked. The Fancy Bear group apparently leaked the documents from WADA’s Anti-Doping Administration and Management System (ADAMS) in retaliation for Russian athletes being banned from the Olympics. But WADA said that “not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data”. The attackers were able to gain access to the ADAMS database after they obtained login credentials via phishing.

Bellingcat, a ‘citizen journalist’ organisation that has been actively investigating the shooting down of Malaysian Airlines flight MH17 by a Russian missile over Ukraine, has come under repeated cyber-attack. “From February 2015 to July 2016 three researchers at Bellingcat – [Eliot] Higgins, Aric Toler and Veli-Pekka Kivimäki – who had contributed MH17

Come and visit us at www.networksecuritynewsletter.com

ISSN 1353-4858/16 © 2016 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Photocopying: Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 1865 843973. Fax: +44 (0)1865 843239. Web: www.networksecuritynewsletter.com
Publisher: Bethan Keall. Publishing Director: Greg Valero
Editor: Steve Mansfield-Devine. E-mail: [email protected]
Senior Editor: Sarah Gordon
Columnists: Karen Renaud, Colin Tankard
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas. E-mail: [email protected]

Subscription Information: An annual subscription to Network Security includes 12 issues and online access for up to 5 users. Prices: E1112 for all European countries & Iran; US$1244 for all countries except Europe and Japan; ¥147 525 for Japan (Prices valid until 31 October 2016). Subscriptions run for 12 months, from the date payment is received. To subscribe send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971. Email: [email protected], or via www.networksecuritynewsletter.com. More information: http://store.elsevier.com/product.jsp?isbn=13534858
Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware. May 2019. Author: Imani Barnes, Analyst, 646.572.3930, [email protected]

    With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, destroy or shut down networks in exchange for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity[1] across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves.

    [1] WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms”, March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/.

    A brief history of ransomware. The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”[2] and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
  • 2016.4 Vol.28: Is the Mac 100% safe from malware?
    2016.4 Vol.28: Is the Mac 100% safe from malware? (Security Press Ahn). Security solution for Mac: AhnLab V3 365 Clinic for Mac.

    Apple’s Mac is thought by many people to be safe from malware. In reality, however, even if not to the same extent as Windows, malware targeting the Mac has existed since the early days of malware history. That is still the case today: the Mac is not a safe zone either. In this issue of Press Ahn we analyse the characteristics of the latest Mac malware and explore ways to protect the Mac environment.

    Users’ trust in Apple’s Macintosh (hereafter “Mac”) runs deep, as the following cartoon shows: a character who gets an electric shock while using a computer is asked “Is something wrong with the computer?” and replies “It’s fine, this is a Mac.” [Figure 1] The Brads - Impossible

    That trust extends to security as well: the Mac is apparently assumed to be a safe environment. However, as noted above, Mac malware has existed for a long time, and in the ten years since the move to “OS X”, the Mac’s operating environment, threats have been discovered continuously. It is certainly true that there is less Mac malware than Windows malware, but the trend in recently discovered malware shows that the Mac is not a safe zone from malware either. Let us analyse the characteristics of recently emerging Mac malware and look at solutions for protecting the Mac.

    Major Mac malware. Today’s Mac has also evolved a great deal. Because of changes in processors and the OS, the malware discovered before and after the OS environment changed to OS X differs, as shown in [Figure 2]. [Figure 2] Timeline of Mac malware history (labels: early period; fake security programs; release). Details of the malware that appeared after the move to OS X are as follows (Malware (date discovered) / Characteristics / Notes):

    Renepo (2004). Characteristics: sets system security settings to low; disables the OS X firewall; disables the software update function; downloads and installs ohphoneX (voice and video sharing), dsniff (password sniffer) and John the Ripper (password cracker). Notes: the first OS X malware. On 2004/3/3 a user with the nickname DimBulb joined the “Macintosh Underground forum”; from 3/13 he posted about a script worm and began creating the malware with forum participants. The version posted on 9/10 became known outside the forum on 10/23, and after a major uproar from 10/24 development was abandoned. Apple denied that it was malware and did not respond.

    RSPlug (Dnschanger) (2007.10). Characteristics: changes the DNS address to direct users to phishing sites and demand money. Notes: the first OS X malware to cause real harm to users.

    MacSweeper (2008.1.17). Characteristics: constantly “diagnoses” something and demands a purchase. Notes: the first fake antivirus program for OS X. Created by KiVVi Software, which issued an official apology for using it in forced marketing. From 2011/5 fake programs such as Mac Defender, Mac Protector, Mac Security, Mac Guard and Mac Shield increased sharply. At the end of May that year Apple issued a security update, and the fake antivirus
  • Ransomware Is Here: What You Can Do About It?
    WHITEPAPER: Ransomware is Here: What you can do about it?

    Overview. Over the last few years, ransomware has emerged as one of the most devastating and costly attacks in the hacker arsenal. Cyber thieves are increasingly using this form of attack to target individuals, corporate entities and public sector organizations alike by holding your system or files for ransom. Unlike other forms of cyber theft that often involve stolen financial or healthcare information, ransomware cuts out the middleman. In cases where an attacker steals health or financial documents, they must sell them on to third parties to make money. As far as ransomware is concerned, the money comes directly from the victim.

    Ransomware is a quickly growing threat vector. According to the FBI’s Internet Crime Complaint Center (IC3), infected users made complaints about ransomware 2,453 times in 2015—nearly double the figure for 2014. What’s more, these figures most likely represent only the tip of the iceberg, as many users pay their ransom without making a report to the authorities. A recent survey conducted by a Cyber Security Research Center at the University of Kent found that over 40% of those infected with CryptoLocker actually agreed to pay the ransom demanded, which is a big incentive for hackers to target more systems.

    Lastly, hackers are rapidly iterating both malware and distribution techniques. In early Q2 of 2016, a new variant of ransomware, known as CryptXXX, emerged on the scene. This program is packed in such a way that users and antivirus software may initially confuse it for a Windows DLL file.
  • Internet Security Threat Report, Volume 21, April 2016
    Internet Security Threat Report, Volume 21, April 2016. Table of Contents:

    4 Introduction
    5 Executive Summary
    8 Big Numbers
    10 Mobile Devices & the Internet of Things
    10 Smartphones and Mobile Devices
    10 One Phone Per Person
    11 Cross-Over Threats
    11 Android Attacks Become More Stealthy
    12 How Malicious Video Messages Could Lead to Stagefright and Stagefright 2.0
    13 Android Users under Fire with Phishing and Ransomware
    13 Apple iOS Users Now More at Risk than
    21 Tech Support Scams Go Nuclear, Spreading Ransomware
    22 Malvertising
    23 Cybersecurity Challenges for Website Owners
    23 Put Your Money Where Your Mouse Is
    23 Websites Are Still Vulnerable to Attacks Leading to Malware and Data Breaches
    23 Moving to Stronger Authentication
    24 Accelerating to Always-On Encryption
    24 Reinforced Reassurance
    25 Websites Need to Become Harder to Attack
    25 SSL/TLS and the Industry’s Response
    25 The Evolution of Encryption
    25 Strength in Numbers
    39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015
    40 Spear Phishing
    43 Active Attack Groups in 2015
    44 Infographic: Attackers Target Both Large and Small Businesses
    45 Profiting from High-Level Corporate Attacks and the Butterfly Effect
    45 Cybersecurity, Cybersabotage, and Coping with Black Swan Events
    46 Cybersabotage and the Threat of “Hybrid Warfare”
    46 Small Business and the Dirty Linen Attack
    47 Industrial Control Systems Vulnerable to Attacks
    47 Obscurity is No Defense
  • Best Practices to Protect Against Ransomware, Phishing & Email Fraud
    WHITE PAPER: Best Practices for Protecting Against Phishing, Ransomware and Email Fraud. An Osterman Research White Paper, published April 2018. Osterman Research, Inc., P.O. Box 1058, Black Diamond, Washington 98010-1058, USA. +1 206 683 5683, [email protected], www.ostermanresearch.com, @mosterman

    Executive Summary
    • Various types of security threats are increasing in number and severity at a rapid pace, most notably cryptojacking malware that is focused on mining coins for the roughly 1,400 cryptocurrencies currently in use.
    • Organizations have been victimized by a wide range of threats and exploits, most notably phishing attacks that have penetrated corporate defenses, targeted email attacks launched from compromised accounts, and sensitive or confidential information accidentally leaked through email.
    • Threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social engineering attacks. The result is that the perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations.
    • Decision makers are most concerned about endpoints getting infected with malware through email or web browsing, user credentials being stolen through email-based phishing, and senior executives’ credentials being stolen through email-based spearphishing.
    • Four of the five leading concerns expressed by decision makers focus on email as the primary threat vector for cybercriminal activity, and nearly one-half of attacks are focused on account takeovers.
    • Most decision makers have little confidence that their security infrastructure can adequately address infections on mobile devices, CEO Fraud/BEC, and preventing users’ personal devices from introducing malware into the corporate network.
  • ATTACK LANDSCAPE UPDATE Ransomware 2.0, Automated Recon, Supply Chain Attacks, and Other Trending Threats
    ATTACK LANDSCAPE UPDATE: Ransomware 2.0, automated recon, supply chain attacks, and other trending threats

    Contents: Foreword: 2020 proved that our health data really is a target 3; Introduction 5; Trending Threats 6; Ransomware 2.0 6; Infostealers and automated recon 9; Dodging detection 13; Email threats: Coming to an inbox near you 14; You’ve got mail malware 14; Phishing for sensitive data 17; COVID-themed spam continues to spread 20; Vulnerabilities: The legacy of unpatched software 21; Legacy systems, legacy vulns 22; The vulnerabilities of 2020 23; Honeypots: Tracking opportunistic attacks 24; Conclusion 28

    FOREWORD: 2020 PROVED THAT OUR HEALTH DATA REALLY IS A TARGET. By Mikko Hypponen.

    For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of evil hackers? Isn’t it true that they’re after my medical history?” they have asked. For years my answer has been: “No, it’s not.” Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images. But now I’m changing my mind. The reason? The rise in attacks against hospitals, medical research units, and even patients that has occurred during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised.
  • Fraud; Recognition & Prevention
    Fraud; Recognition & Prevention. Issue 10, July 2021.

    Foreword: Well, at long last there is light at the end of the very long COVID tunnel, as numerous industries start to return to normal, or are even doing better than anticipated, due to the economic defibrillator that the lifting of restrictions represents to so many. I am personally seeing a shortage of trained and licenced security officers in several sectors. Just maybe, this will force a rise in contract charge rates, and drive salaries up! I can but hope.

    One sector of society that has enjoyed lockdown and made a fortune from an unexpectedly housebound population is the fraudsters and con artists… There has never been such a deluge of online cons, telephone scams and fake NHS sites selling tests, vaccines and all manner of bogus stuff, all capitalising on the understandable fears and concerns of the nation, and the desire we all have to protect and do the best for our families and loved ones. What can you do to protect yourself and those you hold dear from this non-stop deluge of lies, cons, misinformation and very clever schemes designed to part you from as much money as possible?

    As luck would have it, amongst other things, this issue is taking a look at the many devious faces of fraud, and some of the top experts in their fields have contributed some great advice and guidance designed to help you avoid the many traps that the criminal fraternity have set for the unwary.
  • History of Ransomware
    THREAT INTEL REPORT: History of Ransomware

    What is ransomware? Ransomware is a type of malicious software, or malware, that denies a victim access to a computer system or data until a ransom is paid.[1] The first case of ransomware occurred in 1989 and has since evolved into one of the most profitable cybercrimes. This evolution is charted in Figure 1 at the end of the report, for easy visual reference of the timeline discussed below.

    1989: The AIDS Trojan. The first ransomware virus was created by Harvard-trained evolutionary biologist Joseph L. Popp in 1989.[2] Popp conducted the attack by distributing 20,000 floppy discs to AIDS researchers from 90 countries that attended the World Health Organization’s (WHO) International AIDS Conference in Stockholm.[3] Popp claimed that the discs contained a program that analyzed an individual’s risk of acquiring AIDS through a risk questionnaire.[4] However, the disc contained a malware program that hid file directories, locked file names, and demanded victims send $189 to a P.O. box in Panama if the victims wanted their data back.[5] Referred to as the “AIDS Trojan” and the “PC Cyborg,” the malware utilized simple symmetric cryptography and tools were soon available to decrypt the file names.[6] The healthcare industry remains a popular target of ransomware attacks over thirty years after the AIDS Trojan.

    2005: GPCoder and Archiveus. The next evolution of ransomware emerged after computing was transformed by the internet in the early 2000s. One of the first examples of ransomware distributed online was the GPCoder

    [1] “Ransomware,” Cybersecurity and Infrastructure Security Agency, 2020, https://www.us-cert.gov/Ransomware.
  • And You Thought It Could Not Get Worse
    And You Thought It Could Not Get Worse. Joe Vigorito, Director, Mobility & Security, Annese & Associates, Inc.

    Sad State of Security

    “Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions–such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company’s network is easier than it sounds.” Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab

    “I could teach a third-grader to do it.” Darren Martyn aka “PwnSauce”, LulzSec, after hacking senate.gov in 2011

    The Current State of Cybersecurity is Not Nearly Good Enough, and is getting worse all the time!

    Not getting worse? Let’s look…
    • Yahoo! – Perpetrator unknown. 500 million accounts in Sept. ‘16, 1 billion in December. User names, email addresses, date of birth, passwords, phone #’s and security questions leaked
    • Mark Zuckerberg Hack – OurMine Group. His Pinterest and Twitter accounts were hacked multiple times because he used the password ‘dadada’
    • Oracle Micros Hack – Russian hacking group known for hacking banks compromised Oracle’s POS system code on one of the top 3 payment card systems globally
  • The Advent of New Ransomware Targeting the Mac OS X (KeRanger)
    The Advent of New Ransomware Targeting the Mac OS X. Fourteenforty Research Institute, Inc. (FFRI, Inc.), http://www.ffri.jp

    Table of Contents: Background; KeRanger (Overview; Technical Information; Route of Infection; Correspondence situation of XProtect; Common point with Linux.Encoder); Measures for Ransomware; Conclusion/Wrap-up

    Background
    • In Japan, much damage caused by ransomware such as TeslaCrypt 3.0 and Locky has been reported since the end of 2015.
    • This malware primarily targets Windows PCs, because it does not run on devices using *nix-based operating systems.
    • However, ransomware targeting Linux servers was discovered in October 2015. Furthermore, new ransomware that runs entirely on Mac OS X was discovered in March 2016.
    • These slides focus on KeRanger, a ransomware for Mac OS X.

    KeRanger: Overview
    • The first ransomware that runs entirely on Mac OS X, as reported by Palo Alto Networks.
    • Characteristics: disguised as Transmission (a BitTorrent client app); evades Gatekeeper by carrying a valid code signature; after infection, encrypts specific areas once a three-day dormant period has passed.
    • Current status: Apple revoked the certificate and added a signature to XProtect; the client app has been replaced with the legitimate app. Source: https://www.transmissionbt.com/

    KeRanger: Technical Information (Trojan)
    • Contamination of malware: the executable (Mach-O) file, disguised as an RTF file, is included in the disguised DMG file.
  • Ransomware v.1 © Copyright PROFiT
    Ransomware v.1 © Copyright PROFiT. PROFiT, Prevention of Fraud in Travel, www.profit.uk.com. INDUSTRY BRIEFING NOTE no. 6. RANSOMWARE, Part 1 of 2.

    DISCLAIMER: PROFiT has put together this information in good faith using information from partners and internet sources in order to help organisations suffering a ransomware attack. We have not checked any links or websites that are mentioned and cannot verify the credentials of any organisation or website mentioned nor guarantee that any of the decrypt tools will work. Accordingly you should always proceed with caution. Any materials, opinions and advice given in this publication are for information only based on data available to the authors and are correct at the time of publication. The authors do not accept liability for any mistakes, errors, or omissions that subsequently come to light. The contents of this publication may not reflect the views of some of the organisations listed.

    BACKGROUND: The concept of ransomware is very simple. Once a computer is infected by ransomware malware it launches a ‘packet’ containing an algorithm which then silently encrypts (the process of converting information or data into a code) the user's data. Once the encryption is complete the ransomware displays a message demanding a payment – usually in Bitcoins – in order to obtain the key to decrypt the data. Often the ransom demand comes with a deadline, and if payment is not received by that deadline, the ransom demanded may increase, the files may be locked permanently, or the files may be destroyed.
  • Master Thesis Detecting Malicious Behaviour Using System Calls
    Master thesis: Detecting malicious behaviour using system calls, by Vincent Van Mieghem, Delft University of Technology. Submitted to obtain the degree of Master of Science at the Delft University of Technology, to be defended publicly on 14th of July 2016 at 15:00. Student number: 4113640. Project duration: November 2, 2015 – June 30, 2016. Thesis committee: Prof. dr. ir. J. van den Berg, TU Delft; Dr. ir. C. Doerr, TU Delft, supervisor; Dr. ir. S. Verwer, TU Delft, supervisor; Dr. J. Pouwelse, TU Delft; M. Boone, Fox-IT, supervisor. This thesis is confidential and cannot be made public until 14th July 2016. An electronic version of this thesis is available at http://repository.tudelft.nl/.

    Acknowledgements: I would first like to thank my thesis supervisors Christian Doerr and Sicco Verwer for their supervision and valuable feedback during this work. I would also like to thank Maarten Boone from Fox-IT. Without his extraordinary amount of expertise and ideas, this Master thesis would not have been possible. I would like to thank several people in the information security industry. Pedro Vilaça for his work on bypassing XNU kernel protections. Patrick Wardle and Xiao Claud for their generosity in sharing OS X malware samples. VirusTotal for providing an educational account on their terrific service. Finally, I must express my very profound gratitude to my parents, brother and my girlfriend for providing me with support and encouragement throughout my years of study and through the process of researching and writing this thesis.