fbpx

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

old-style-computer

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

ALYSSA FOOTE/GETTY IMAGES

By 

THE FANCY BEAR hacking group has plenty of tools at its disposal, as evidenced by its attacks against the Democratic National Committee, the Pyeongchang Olympics, and plenty more. But cybersecurity firm ESET appears to have caught the elite Russian team using a technique so advanced, it hadn’t ever been seen in the wild until now.

ESET found what’s known as a UEFI rootkit, which is a way to gain persistent access to a computer that’s hard to detect and even harder to clean up, on an unidentified victim’s machine. The technique isn’t unheard of; researchers have explored proofs of concept in the past and leaked files have indicated that both the CIA and the independent exploit-focused company Hacking Team have had the capability. But evidence that it has happened, in the form of malware called LoJax, represents a significant escalation in the Fancy Bear—which ESET calls Sednit—toolkit.

In a Flash

If “LoJax” sounds vaguely familiar, it’s because you might recall LoJack—formerly known as Computrace—security software that lets you track your laptop in the event of theft. LoJack turns out to be potent stuff. It sits in a computer’s firmware, making regular calls back to a server to announce its location. Crucially, that also means you can’t get rid of it by reinstalling your operating system or swapping in a new hard drive.


“It allows the attacker to take over the machine and download whatever they want.”

RICHARD HUMMEL, ARBOR NETWORKS


That’s an intentional security feature: If someone steals your computer, you want to make it as hard as possible for them to evade detection. But it also presents a unique opportunity to bad actors, as outlined in a 2016 presentation at a security conference called Zero Nights, and again in more detail this May by researchers at security firm Arbor Networks. Essentially, Fancy Bear figured out how to manipulate code from a decade-old version of LoJack to get it to call back not to the intended server, but one manned instead by Russian spies. That’s LoJax. And it’s a devil to get rid of.

“Whenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it’s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,” says Alexis Dorais-Joncas, ESET’s security intelligence team lead.

It is possible to remove LoJax from your system entirely, but doing so requires serious technical skills. “You can’t just restart. You can’t just reinstall your hard drive. You can’t replace your hard drive. You actually have to flash your firmware,” says Richard Hummel, manager of threat intelligence for Arbor Networks. “Most people don’t know how to do that. The fact that it gets into that spot where it’s really difficult to use makes it really insidious.”

Most antivirus scanners and other security products also don’t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you’re in trouble.

“Decade-old software and hardware vulnerabilities are easily exploited by modern attackers, so companies must use good endpoint hygiene best practices including ensuring endpoints and firmware are up-to-date, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy,” says Dean Ćoza,  executive vice president of products at LoJack developer Absolute. “We take the security of our platform extremely seriously, and are working to confirm these issues do not impact our customers or partners.”

Takeover

The malware ESET observed does not itself actively steal data from an infected device. Think of it not as a robber, but as a door into your house that’s so hidden, you can’t see it even if you pore over every wall. LoJax gives Fancy Bear constant, remote access to a device, and the ability to install additional malware on it at any time.

“In effect, it allows the attacker to take over the machine and download whatever they want,” says Hummel. “They can also use the original intent of the malware, which is to track the location of the infected machines, possibly to specific owners that may be of interest to the attackers.”


“Probably more attacks will take place.”

ALEXIS DORAIS-JONCAS, ESET


Several details about the Fancy Bear UEFI attack remain either vague or unknown. ESET’s Dorais-Joncas confirmed that the device they spotted it on was “infected by several pieces of malware,” and that the hacking group targeted government entities in Europe. They don’t know exactly how Fancy Bear hackers gained access to the victim’s device in the first place, but Dorais-Joncas suggests that they likely followed their typical strategy of a spearphishing attack to gain an initial foothold, followed by movement through a network to locate more high-value targets.

The security firm has more specificity, though, in terms of how exactly Fancy Bear operated once it got that initial control. First, the hackers used a widely available tool to read the UEFI firmware memory, to better understand what specific device they were attacking. Once in possession of that image, they modified it to add the malicious code and then rewrote the infected image back to the firmware memory. The process was not automated, says Dorais-Joncas; a human behind a keyboard went through every step.

Those details offer some hope for future potential victims. Namely, the attackers were only able to write onto the target computer’s firmware in the first place because it was an older device; Intel and others have baked in better protections against that behavior, especially after the Hacking Team and CIA revelations. Using the Windows Secure Boot feature, too, would prevent this type of attack, since it checks to make sure that the firmware image on your computer matches up with the one the manufacturer put there.

“On the other hand,” says Dorais-Joncas, “probably more attacks will take place,” given that Fancy Bear has figured out how to do it successfully. And now that it’s widely known that Fancy Bear did it, copycats may not be far behind.

“Whenever we see these new tactics, it does not take long for other hackers to figure out how they did it and to mimic it,” says Hummel.

Russia’s hackers already have an elaborate hacking toolkit. But the introduction of a UEFI rootkit—stealthy, complex, pernicious—affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.

The Best Reason to use a Professional WordPress Developer

wordpress-locked

Thousands of WordPress sites backdoored with malicious code

Malicious code redirects users to tech support scams, some of which use new “evil cursor” Chrome bug.

 


Thousands of WordPress sites have been hacked and compromised with malicious code this month, according to security researchers at Sucuri and Malwarebytes.

All compromises seem to follow a similar pattern –to load malicious code from a known threat actor– although the entry vector for all these incidents appears to be different.

Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.

Also: Access to over 3,000 backdoored sites sold on Russian hacking forum

When they gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.

In most cases, they modify PHP or JavaScript files to load malicious code, although some users have reported seeing modifications made to database tables as well.

Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.

CNET: How to avoid tech support scams

He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic distribution system used by several malware distribution campaigns.

Segura also said that some of tech support scams that users are landing on are using the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.

TechRepublic: Why that email from your boss could be a scam waiting to happen

This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.

Googling just one of the pieces of the malicious JavaScript code added to the hacked WordPress sites reveals just a small portion of the total number of hacked sites. In this case, this string search yielded over 2,500 results, including a corporate site belonging to Expedia Group, the parent company behind the Expedia portal.

wp-spam-campaign.png

Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.

While Sucuri did not find confirmation that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.

Contact Spearhead Multimedia today and get your free WordPress Website security evaluation.

We offer special incentives for new clients who want to move to a new, secure host, update and harden their WordPress websites and create new WordPress websites.  Call 954-202-8004 or use the Contact Us form.

Mobile-First Indexing: Your Guide to Google’s Big Shift

Google-mobile-indexing

Mobile-First Indexing: Your Guide to Google’s Big Shift

 By 

As Google makes the big change to mobile-first indexing, it’s important that your site is ready for the shift. Are you fully prepared?

Let’s start at the beginning.

What Is Mobile-First Indexing?

The mobile-first initiative is an effort to address the growing percentage of mobile-users in today’s search landscape.

Back in March, on their Webmaster Central Blog, Google announced that they are rolling out their mobile-first indexing initiative more broadly which is a big change to how Google crawls and indexes your site. The push is on now and Mobile Indexing is being fully implemented.

What’s Changing about Google’s Rankings?

Per Google, “Mobile-first indexing means Google will predominantly use the mobile version of your websites content for indexing and ranking.”

But what does that mean?

Currently, Google crawls and indexes your site based on the desktop version of your site and the content that exists there.  With this change, Google will be looking at your mobile site first and the content on that version to determine how your site is ranked.

For example:

Desktop vs. mobile versions of your site; Google will now index the mobile version of your site.

Over the course of the last year, Google has been slowly experimenting with a small percentage of sites to make the switch to crawling, indexing, and ultimately ranking sites based on their mobile experience, not their desktop as they always have.

This doesn’t mean your desktop site isn’t important anymore, it just means that they will be looking at it as a secondary source, not the primary one for crawling, indexing, and ranking as it has been in the past.  But even if your site is doing well organically, if it’s not responsive (mobile friendly), your ranking will drop substantially.  Don’t lose those years of building your search engine position, contact us today.

How Mobile-First Indexing May Impact Your Site

Depending on how you handle mobile, this change may or may not directly affect your site.

  • If your site is built in responsive design, you will see no impact, as your site adapts to all devices.
  • If you have a separate m. site (or something similar) and your primary content does not exist on it, then you are at risk of seeing a negative impact as Google will no longer be looking at your desktop version.
  • If you do not have a mobile site/experience then this change will negatively impact you.  Also, it’s 2018: if you don’t have a mobile-friendly site then you have much larger issues that this change.

What Mobile-First Best Practices Can I Follow To Ensure I Maximize My Opportunity?

Google has published an entire list of best practices for mobile-first indexing on their developers’ blog.

While there are many things to consider and you should read through the entire list above, two major points are ensuring you have mobile-friendly content and that your site loads as fast as possible.  Site speed is becoming an increasingly important ranking factor, which coincides with users’ needs to get everything as quickly and seamlessly as possible.  With the rapid adoption of AMP (accelerated mobile pages) and the popularity of Progressive Web Apps (PWA’s) growing, it’s not surprising to see Google pushing site owners in this direction.

How Do I Know If Google is Using Mobile-First Indexing for My Site?

Google will be notifying site owners that their sites are migrating to mobile-first indexing through Search Console.  The message will look like this:

Example of Google's notification of mobile first indexation

So you need to make sure that if you have an m. version of your site, it is verified in Search Console.

You will also see a significant increase in the Smartphone Googlebot crawl rate and Google will show the mobile version of pages in search results and cached pages.

What Do We Think About This?

This is a major change in how Google interacts with our websites and makes sense as more and more traffic continues to move to mobile.  While your desktop site will certainly remain important and Google will not be ignoring it, users have been trending towards mobile usage for years and this is the natural progression of our industry.

Companies need to take notice of this change.  Thinking mobile-first should not be something that is kicked down the road and moved down on priority lists, from a search perspective this should be top of mind for all organizations large and small.

Should you be concerned?  If you haven’t been paying attention to how your site functions on a mobile device, this probably isn’t going to pan out for you.  The good news is that all websites are living documents and can be changed and updated.  If you are coming in a little late to the game on mobile, then now is the time to improve that experience and ensure your site is set up to provide value to mobile users.

This is yet another banner that Google is waving to signal the importance of your mobile experience.  If you have been neglecting it, now is the time to rectify that and putting people and resources behind it.

If you think your site is not mobile friendly or have tested it and know, contact us for advice to bring your website up to speed with the current technologies.


What is the dark web? The good and bad of the Internet’s most private corner

ProtonMail-What-is-the-dark-web-diagram-2

What is the dark web? The good and bad of the Internet’s most private corner

You may have heard the dark web is a place for drug dealers and hitmen. That’s correct, but there’s more to it than that. In this article, find out what is the dark web, how to access it, and what you might find there.

The dark web is a part of the Internet that requires special software to access and is not indexed by search engines. It offers much greater privacy than the widely accessible parts of the World Wide Web.

That privacy also makes the dark web a setting for illegal activity, scams, and offensive content. The high-profile rise and fall of the Silk Road marketplace for illicit drugs is the best-known example of this. But despite the sensational media coverage, few people really understand what the dark web is or how it works. For instance, it might surprise some people to learn that The New York Timesand Facebook both maintain websites on the dark web.

The dark web isn’t “dark” because it’s bad; it’s dark because it’s the only place on the Internet that offers a bit of privacy. In this article, we’ll explain how that works, what actually happens on the dark web, and how you can check it out for yourself.

What is the dark web?

Think of the Internet as divided into three parts: the clearweb, the deep web, and the dark web.

The clearweb is the Internet most of us are familiar with. Its pages are searchable in Google, but it makes up just a small percentage of all the content on the Internet. The deep web comprises the majority of the Internet, but it is not indexed by search engines, it is often password-protected, and therefore it’s not generally accessible. The deep web includes things like financial databases, web archives, and password-protected pages.

The dark web is a small portion of the deep web. It runs on top of existing Internet infrastructure, but it is a parallel web that cannot be accessed without special tools. For this reason the dark web is sometimes referred to as the hidden web.

Websites on the dark web have domains ending in “.onion” and are sometimes known as onion sites. They’re called onion sites because of the kind of encryption technology they use to hide the IP address of the servers that host them. Websites on the dark web mask their data behind multiple layers of encryption (like the layers of an onion), and can only be accessed through the Tor network, which is a network of computers around the world maintained by volunteers. Because the routing is random and the data is encrypted, it’s extremely difficult for anyone to trace any piece of traffic back to its source.

How to access the dark web

Tor is the most popular dark web interface, with millions of users. There are a number of ways to access the Tor network, including via the Tor browser , the operating system Tails, or by installing Tor on your computer. ProtonVPN also provides one-click Tor access through the Tor over VPN feature. From there, you can browse the web normally as well as gain access to highly private and secure onion sites.

Unlike the regular web, however, even after you have connected to the dark web, it isn’t so easy to find websites. Dark web sites use randomly generated domains that aren’t easy to remember. The dark web is also difficult to index, meaning search engines are ineffective. There are a number of link directories, such as The Hidden Wiki, that attempt to catalogue the dark web. But because dark web sites change their domain frequently, you’ll find a lot of dead links. A typical onion site url looks something like this:

http://3g2upl4pq6kufc4m.onion/

Some special onion sites, though, have easy to remember domain names and also SSL encryption (URLs that start with “https” instead of “http”). For example, ProtonMail’s Tor encrypted email site is at https://protonirockerxow.onion while Facebook’s onion site is at https://facebookcorewwwi.onion. You can learn more about these special onion sites here.

What’s on the dark web?

The illicit uses of the dark web are well documented: assassination services, ecommerce sites for buying guns and drugs, and so on. It’s best to stay clear of anything that seems suspect while browsing there. However, there are plenty of 100% legal things you can do on the dark web. You can read ProPublica or The New York Timescheck your email in ProtonMail, or browse your Facebook wall. All of these mainstream websites offer dark web access because of the benefits to privacy and freedom of information.

One of the biggest advantages of the dark web is the difficulty of blocking it. Common forms of censorship, which block traffic to websites at specific choke points along the Internet hierarchy, do not work with encrypted overlay networks. (As a result, some dictators have, for example, tried to block Tor itself.)

For similar reasons, the dark web is more resistant to surveillance by governments and corporations (such as Internet service providers). Whistleblowers, journalists, and other professionals at risk of targeted surveillance use the dark web to communicate sensitive information. And organizations including Human Rights Watch and the Electronic Frontier Foundation support the use of and access to the dark web.

One of the only drawbacks of the dark web is its speed. For instance, because Tor bounces your traffic through multiple servers around the world, it necessarily slows your connection. But when you need it, the dark web can be vitally important: When Turkey temporarily blocked ProtonMail for some users, our onion site was one of the only ways people could gain access to email.

So, there’s no reason to be afraid of the dark web. On the contrary, the dark web is an essential privacy tool. As governments work to weaken encryption with backdoors and corporations gain greater access to everything we do, privacy and security technologies like the dark web must be vigorously defended. And that starts with understanding them beyond sensational headlines.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!