EU to Declare Cyber-Attacks “Act of War” – USA Likely to Follow 

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with NATO policy in the past, establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.”

I’m expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.

The vast majority of Russia’s attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.

Full blog post with links to sources:
https://blog.knowbe4.com/eu-to-declare-cyber-attacks-act-of-war.-usa-likely-to-follow

2018 Is Likely to Be a Worse Year for Ransomware Than 2017

Sophos released their 2018 malware forecast this week. Their predictions would make any IT Pro concerned, link to a PDF of their report below. Read on for your executive summary.

Ransomware Mutations Running Amok

You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and both did not have workable decryption mechanisms for the few organizations desperate enough to try to pay the ransom.

Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren’t script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.

RaaS Is for Newbie Cyber Crims

There is an area where amateur cyber “crims” do come in, and that’s Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web including easy how-to videos.

Sophos says that RaaS is growing in popularity on the Dark Web, and this year’s Cerber ransomware is their example of a worrisome trend. Here’s some of what it says in the report that specifically pertains to RaaS:

“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.

One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”

New “Marketing” Techniques

Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:

  • Decrypt two files for nothing
  • Decrypt a selection of files for 30.00 dollars
  • Have the ransomware itself removed for 20.00 dollars
  • Buy what they call immunity for 50.00 dollars
  • Get everything on the computer restored for 120.00 dollars

Ransomware Is Now Targeting Non-Win OSen

September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.

But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.

Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.

One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.

Healthcare Continues to Be a Target.

Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they’re more likely to pay up as well.

Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%.) And of course neither Ukraine or Russia even show up in the Top 16, because that’s where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.

ZDNet also has predictions about the nasty future of ransomware with four ways the nightmare is about to get even worse:
http://www.zdnet.com/article/the-nasty-future-of-ransomware-four-ways-the-nightmare-is-about-to-get-even-worse/

From the Cyberheist News blog.

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak

eset-flash-update-bad-rabbit

It’s the third major outbreak of the year – here’s what we know so far.

 

A new ransomware campaign has hit a number of high profile targets in Russia and Eastern Europe.

Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organisations appear to have been hit simultaneously immediately drew comparisons to this year’s WannaCry and Petya epidemics.

Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now the initial panic has died down, however, it’s possible to dig down into what exactly is going on.

1. The cyber-attack has hit organisations across Russia and Eastern Europe

Organisations across Russian and Ukraine — as well as a small number in Germany, and Turkey — have fallen victim to the ransomware. Researchers at Avast say they’ve also detected the malware in Poland and South Korea.

Russian cybersecurity company Group-IB confirmed at least three media organisations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems have been affected by a “hacker attack” — and were seemingly knocked offline by the incident.

Other organisations in the region including Odessa International Airport and the Kiev Metro also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the “possible start of a new wave of cyberattacks to Ukraine’s information resources” had occurred, as reports of Bad Rabbit infections started to come in.

At the time of writing, it’s thought there are almost 200 infected targets and indicating that this isn’t an attack like WannaCry or Petya was — but it’s still causing problems for infected organisations.

“The total prevalence of known samples is quite low compared to the other “common” strains,” said Jakub Kroustek, malware analyst at Avast.

2. It’s definitely ransomware

Those unfortunate enough to fall victim to the attack quickly realised what had happened because the ransomware isn’t subtle — it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”.

bad-rabbit-ransom-note-eset.png
Bad Rabbit ransom note.Image: ESET

Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin — around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more.

badrabbit.png
Bad Rabbit payment page.Image: Kaspersky Lab

The encryption uses DiskCryptor, which is open source legitimate and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.

3. It’s based on Petya/Not Petya

If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either — Bad Rabbit shares behind-the-scenes elements with Petya too.

Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.

4. It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites — some of which have been compromised since June — are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

eset-flash-update-bad-rabbit.png
A compromised website asking a user to install a fake Flash update which distributes Bad Rabbit.Image: ESET

Infected websites — mostly based in Russia, Bulgaria, and Turkey — are compromised by having JavaScript injected in their HTML body or in one of their .js files.

5. It can spread laterally across networks…

Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos.

What aids Bad Rabbit’s ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks. The weak passwords list consists of a number of the usual suspects for weak passwords such as simple number combinations and ‘password’.

6. … but it doesn’t use EternalBlue

When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case.

“We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.

7. It may not be indiscriminate

At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn’t appear to indiscriminately infecting targets, rather researchers have suggested that it only infects selected targets.

“Our observations suggest that this been a targeted attack against corporate networks,” said Kaspersky Lab researchers.

Meanwhile, researchers at ESET say instructions in the script injected into infected websites “can determine if the visitor is of interest and then add content to the page” if the target is deemed suitable for infection.

However, at this stage, there’s no obvious reason why media organisations and infrastructure in Russia and Ukraine has been specifically targeted in this attack.

8. It isn’t clear who is behind it

At this time, it’s still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group — although that doesn’t help identify the attacker or the motive either, because the perpetrator of June’s epidemic has never been identified.

What marks this attack out is how it has primarily infected Russia – Eastern Europe cybercriminal organisations tend to avoid attacking the ‘motherland’, indicating this unlikely to be a Russian group.

9. It contains Game of Thrones references

Whoever it behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.

kasperky-bad-rabbit-got-references.png
References to Game of Thrones dragons in the code.Image: Kaspersky Lab


10. You can protect yourself against becoming infected by it

At this stage, it’s unknown if it’s possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom – although researchers say that those who fall victim shouldn’t pay the fee, as it will only encourage the growth of ransomware.

A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file ‘c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.’ in order to prevent infection.

PREVIOUS COVERAGE

Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers

Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware.

READ MORE ON RANSOMWARE

New Evil Locky Ransomware Strain Evades Machine Learning Security Software

ransomwareHere is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with new a ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e.

This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.

Basically, Locky is back with a vengeance and a whole new bag of evil tricks.

The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo.

“The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”

This is the third recent massive Locky attack

The third in an increasingly sophisticated series of ransomware attacks launched this summer is dubbed IKARUS by Comodo, some other security vendors are calling it Locky Diablo6.

As in previous attacks, the Eastern European Locky cyber mafia is using a botnet of zombie computers which makes it hard to simply block by IP.

“Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.

The most innovative hook of this new feature involves the way these criminal hackers manage to evade spam filters.

Here is how it evades machine learning

“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”

“That’s why even machine learning is not sufficient in making these kind of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”

In other words, it looks like that again the bad guys are ahead of your spam filters, whether that is a traditional or new machine-learning flavor.

Now, the Locky payload still ultimately uses an executable file written to disk, so your endpoint security may be able to block it. There are other types of attacks that take advantage of machine learning blind spots (fileless attacks, for example), but this isn’t one of them. What the bad guys behind Locky count on is cranking out so many new variants that antivirus (even some machine learning ones) won’t recognize and block it.

How vulnerable is your network against a ransomware attack?

Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s “RanSim” gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.

This will take you 5 minutes and may give you some insights you never expected! Get your complimentary download of RanSim here:
https://info.knowbe4.com/ransomware-simulator-tool-1chn

Positive SSL