STE WILLIAMS

RSA 2017: SophosLabs sees spike in Linux-IoT malware

Attackers are increasingly using Linux security holes to target and infect Internet of Things (IoT) devices that include everything from webcams to internet-connecting household appliances.

That’s among the findings in a SophosLabs malware forecast released today, the first day of RSA Conference 2017 in San Francisco.

A hot topic at RSA

IoT threats have been discussed at RSA Conference for years now, but in largely theoretical terms. This past year, the theoretical turned into reality when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the Domain Name System (DNS). That attack crippled such major sites as Twitter, PayPal, Netflix and Reddit.

For that reason, the new SophosLabs report starts with a look at IoT threats. Based on months of research, SophosLabs determined that malware is being used to infect IoT devices via vulnerabilities in Linux. Default passwords, out-of-date versions of Linux and a lack of encryption will continue to make these devices ripe for abuse.

Linux malware

The frequency and complexity of Linux malware rose throughout 2016. One malware sample was built to evade AV detection with consistent static updates, encrypted/obfuscated strings and even some rudimentary UPX packer hacking.

SophosLabs noticed one family that was far more active than any of the others – Linux/DDoS-BI, also known as Gayfgt – which spread by simply scanning large IP blocks and attempting to brute-force SSH. It targeted low-hanging fruit such as any device that still has a factory/default password.

In terms of frequency, cases of Linux/DDoS-BI have steadily increased since October, with brief drop-offs along the way. It is proving to be resilient. For example, more than a hundred cases were observed by late October, and the count was up to around 150 by mid-November. By mid-December it was over 200, and it reached around 466 in the week of January 20 before dropping slightly again.

The numbers represent samples processed by SophosLabs with a significant portion obtained by SophosLabs-run honeypots. They do not represent customer-reported detections.

Rising tide of Lua and Golang code

SophosLabs expects an increase in complexity and a lot more Lua- and Golang-based malware in the short term. It’s possible these will eventually drop off purely because of their compiled file size (Hello World in Go is ~500KB), as such binaries are more noticeable, especially on embedded devices with limited resources.

Whatever happens in the next 12 months, one thing is clear: Golang – a free, open source programming language created at Google – has seen a surge in popularity among tool writers.

The ultimate target: IoT devices

Though the Linux malware we deconstructed has been used for a variety of purposes, we continue to watch for cases connected to attacks against IoT devices.

SophosLabs continues to receive samples of Mirai, the malware used in last year’s IoT-based attack against Dyn. In the following image, honeypot logs show Mirai going for low-hanging fruit: the username/password combination it tries is root/root:

mirai-honeypot
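The Gayfgt SSH brute-forcing and the root/root honeypot entries above share one detectable shape: a single source spraying a short list of factory credentials across a block of hosts. The following Python script is an added example, not code from the SophosLabs report or its honeypot; it reads constructed log lines in an assumed key=value format (adapt LINE_RE to what your honeypot or sshd actually emits) and flags both the scanning source and any device that accepted a default pair.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, not a real capture. The line format is an assumption made
# for this example; real honeypots and sshd use their own formats.
SAMPLE_LOG = """\
2017-01-20T10:00:01Z src=203.0.113.5 dst=198.51.100.10 service=telnet user=root pass=root result=fail
2017-01-20T10:00:02Z src=203.0.113.5 dst=198.51.100.10 service=telnet user=admin pass=admin result=fail
2017-01-20T10:00:04Z src=203.0.113.5 dst=198.51.100.11 service=ssh user=root pass=root result=fail
2017-01-20T10:00:05Z src=203.0.113.5 dst=198.51.100.12 service=telnet user=root pass=root result=fail
2017-01-20T10:00:07Z src=203.0.113.5 dst=198.51.100.13 service=telnet user=root pass=root result=ok
this line is garbage and must be skipped
2017-01-20T10:05:00Z src=192.0.2.7 dst=198.51.100.10 service=ssh user=ops pass=Tr0ub4dor-x result=ok
2017-01-20T10:06:30Z src=203.0.113.9 dst=198.51.100.11 service=ssh user=root pass=toor result=fail
"""

# Illustrative factory/default pairs of the kind Mirai and Gayfgt try first.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("root", "admin"), ("admin", "admin"),
    ("admin", "1234"), ("root", "12345"), ("user", "user"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) service=(?P<service>\S+) "
    r"user=(?P<user>\S+) pass=(?P<password>\S*) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "scanner" (per source) or "default-login" (per victim)
    src: str     # address doing the logging in
    dst: str     # victim address, or "" for a per-source finding
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text: str, min_targets: int = 3,
            default_ratio: float = 0.8) -> List[Finding]:
    """Flag sources that spray default credentials at >= min_targets hosts,
    and every host that accepted a default credential pair."""
    per_src = defaultdict(lambda: {"targets": set(), "default": 0,
                                   "total": 0, "ok": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line, skip it
        s = per_src[rec["src"]]
        s["total"] += 1
        s["targets"].add(rec["dst"])
        is_default = (rec["user"], rec["password"]) in DEFAULT_CREDENTIALS
        if is_default:
            s["default"] += 1
        if is_default and rec["result"] == "ok":
            s["ok"].append((rec["dst"], rec["user"], rec["password"]))

    findings: List[Finding] = []
    for src, s in sorted(per_src.items()):
        # Many distinct targets plus a credential list that is mostly factory
        # defaults is the scanning signature, not a user mistyping a password.
        if len(s["targets"]) >= min_targets and s["default"] / s["total"] >= default_ratio:
            findings.append(Finding(
                "scanner", src, "",
                f"{s['default']}/{s['total']} default-credential attempts "
                f"against {len(s['targets'])} hosts"))
        for dst, user, password in s["ok"]:
            findings.append(Finding(
                "default-login", src, dst,
                f"{dst} accepted {user}/{password}; treat it as compromised"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.src} -> {f.dst or '*'}: {f.detail}")
```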

Next we see a script typical of the Mirai, Gayfgt and Tsunami families: it downloads samples built for a variety of platforms and tries to run each one to see if something works. Take note of the file name “dvrHelper” under which the files are downloaded and saved:

mirai-script

The next screenshot is of IDA disassembly. The left pane shows some individual characters that end up matching “dvrHelper” – just not in order, as it seems they want to check the path. The right pane shows deobfuscated strings including a YouTube link to Rick Astley – “Never Gonna Give You Up” (a bait-and-switch trick known as rickrolling).

mirai-dissassembly

It’s important to note that despite all the news coverage Mirai has received, we haven’t seen much of it affecting our customers. We see roughly two in 10,000 endpoints reporting Mirai detections.

But taken as a whole, the various malware samples reviewed by the lab point to an upward trajectory in IoT attacks.

Coming tomorrow: A look at the top 10 malware targeting Android.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Rw6S-DF3rPc/

Despite the spiel, we’re still some decades from true anti-malware AI

Opinion The cybersecurity industry is investing heavily in “machine learning” technologies in the hope of providing a more dynamic defence against malware. The practical upshot of this is that the delegates to the RSA Conference next week are likely to hear a lot about artificial intelligence in next-generation anti-virus (NGAV) even though neither term is particularly well defined.

The need for improved defences is clear enough, driven both by the volume of malware variants pushed out by the bad guys and the stratospheric rise in ransomware. File-encrypting ransomware, such as Locky, has become a lucrative money spinner for crooks, particularly in the last year or so.

Cybercriminals have used malware of various types (banking trojans, spyware etc ad nauseam) to run scams since the turn of the century if not earlier. The for-profit motive means that crooks have spent money testing their creations prior to their release in a bid to outpace defences. Malware slingers don’t even have to do this themselves, thanks to the availability of so-called crypting services that promise “fully undetectable” malware.

Releasing multiple variants of their nasties has also become standard practice among cybercrooks.

Pattern recognition

The security industry’s response to this was to use automation and cloud-based technologies. Anti-malware is long past reliance on signature detection alone. Whitelisting, heuristics (generic detection) and behaviour-based detection have all come into play as part of a multi-layered defence.

It’s a complicated, and not infrequently criticised, mix.

For the last few years, vendors have talked about their use of the cloud as a differentiator from competitors. More recently, in the last few months, there has been a sea change in marketing messages, and talking about “artificial intelligence” has become de rigueur.

Next week’s RSA Conference is set to become a battleground for contrasting marketing claims about artificial intelligence and anti-malware.

Self-described next-generation anti-virus firms, exemplified by Cylance, will argue that they are the first to apply artificial intelligence against the malware menace. In reality the technology is, in the opinion of this security writer, better described as pattern recognition and data analytics rather than what’s generally understood to be artificial intelligence.

This approach brings benefits such as a much smaller footprint on client machines, a lower attack surface and a reduction in the number of updates needed. The marketing material doesn’t talk about that, though – it talks about Cylance as the “first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity”.

SentinelOne, another next-gen contender, also talks about delivering realtime protection powered by “machine learning and dynamic behaviour analysis”, laying its own claim to applying AI to the security problem.

A load of spiel?

Established vendors are also claiming to use AI. Avast, Sophos (partly because of its recent acquisition of next-gen vendor Invincea) and more will also be talking artificial intelligence at San Francisco.

Long-standing experts argue that pattern recognition, theorem proving, neural networks, expert systems, machine vision – all “AI techniques” – have been applied in the anti-malware world for years.

There’s actually a third leg on this marketing chair. As well as NGAV firms such as Cylance, which claims to be among the first to use artificial intelligence, and traditional developers, who say they have been pioneers in the field (without talking much about it), there’s Carbon Black, which has begun talking about an alternative to AI. Its technology is based on event stream processing, the technique previously applied to algorithmic day-trading. Similar to those applications, “Streaming Prevention” continuously updates a risk profile based on a steady stream of computer activity.

The appearance of an alternative to AI for anti-malware would suggest that artificial intelligence is an established technique for combating malware.

Frankly, I’m skeptical.

What I can say for sure is that artificial intelligence has only recently begun reappearing in marketing pitches to tech reporters. The theme has come up before. CA talked about neugents, neural network agents “smarter than a million Albert Einsteins” for a couple of years around the turn of the millennium.

Nothing much came of that technology, which (being charitable) might have come before its time. Maybe, in a new century, AI can tame the malware menace that has surpassed the ability of mere meat sacks to contain. Alternatively, artificial intelligence for anti-virus might just be a rebrand of heuristics, more Gary Numan than Alicia Vikander, as some experts argue. ®

Bootnote

Whatever happens, we hope security software vendors avoid signing up singer and sometime tech pitchman Will.i.am to promote their wares. Look no further than Symantec’s ill-fated HackIsWack stunt, which roped in rapper Snoop Dogg, for an example of how such efforts can go hopelessly wrong.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/ai_agav_marketing_confusion_opinion/

Worldwide bank attack blitz linked to Sony Pictures hacking crew

Evidence has surfaced that hackers blamed for the infamous Sony Pictures hack and the notorious Bangladesh Central Bank account heist have launched a fresh wave of assaults.

The so-called Lazarus hackers are currently targeting scores of banks and other organisations across 31 countries, Symantec warns.

The attacks appear to have come to light after Polish banks – which had been hit by malware sent through their hacked financial regulator – “shared indicators of compromise (IOCs)” of those attacks with other institutions.

The attackers appear to be using compromised websites to redirect visitors to a customised exploit kit, which is pre-configured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organisations located in 31 different countries. The vast majority of these organisations are banks, with a small number of telecoms and internet firms also on the list.

Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.

Code strings seen in the latest malware used “shares commonalities with code from malware used by the threat group known as Lazarus, the group behind the Sony wiper attacks,” according to Symantec.

More details on the attacks can be found in a blog post by Symantec here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/sony_pictures_hackers_lazarus_returns/

Turkish Hacker Gets 8 Years In US Jail For ATM Theft Scheme

Ercan Findikoglu carried out three cyberattacks that enabled theft of $55 million through worldwide ATM withdrawals.

The mastermind behind three cyberattacks that allowed the theft of $55 million from ATMs worldwide has been sentenced to eight years in a US prison, Reuters reports. Ercan Findikoglu of Turkey allegedly carried out these crimes while out on bail facing Turkish charges over fake payment cards.

Prosecutors say Findikoglu and his accomplices hacked the database of debit card companies in “unlimited operations” and deleted the withdrawal limits of card accounts. This enabled “cashers” in worldwide locations to simultaneously withdraw cash from ATMs using data of victims stolen by Findikoglu. In one instance, $40 million was allegedly withdrawn using Oman’s Bank Muscat cards by cashers located in 24 countries and through 36,000 transactions.

Thirteen New York cashers allegedly involved in the theft of $2.8 million have pleaded guilty.

Findikoglu will be deported to Turkey to complete his sentence there once his US prison term is over, says defense lawyer Christopher Madiou.

Read full story here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/turkish-hacker-gets-8-years-in-us-jail-for-atm-theft-scheme/d/d-id/1328126?_mc=RSS_DR_EDT

Verizon Data Breach Digest Triangulates Humanity Inside Security

The 99-page report breaks out 16 different attack scenarios and specifies the target, sophistication level, attributes, and attack patterns, along with their times to discovery and containment.

If the whole security management services thing doesn’t work out, Verizon may want to consider getting into the techno-thriller mystery writing business. Its newly released Data Breach Digest is chockablock with stories of online shenanigans (with some identifying details altered) that would be right at home in an episode of Mr. Robot.

In one example, an online gaming company finds its production network hacked; worse, points of top players were being siphoned off and customers’ personal information might have been compromised as well. Network and application logs were quickly parsed and Verizon’s RISK team identified 15 systems that process game-point transactions, yet only 14 of them were known to be legitimate resources.

Sure enough, the anomalous system, while valid, had been abandoned for more than a year after an employee left the company. But it remained attached to the network, if dormant, and was an inviting target for hackers who brute-forced it, then loaded it with malware to do their dirty work.

Situations like these, in which hidden endpoints (anything from systems and user accounts to software or data) lurk unnoticed, are what Verizon labels “Unknown Unknowns,” and they are the hardest for organizations to plan for and react to, Verizon says in its latest DBD report. “We’re seeing lots of cases of Unknown Unknowns … detection systems are picking up old and new malware that may be sitting there,” says John Grim, senior manager and lead for Verizon’s investigative response team. “We then come in and see if it’s done any damage or if it’s just laying in wait. Sometimes they emerge when we do testing.”

The DBD has two objectives: Sketch out the complexity of the most common kinds of attacks, and provide a guidebook for all the individuals affected in the chain of command.

The 99-page report breaks out 16 different attack scenarios and specifies the target, sophistication level, attributes, and the attack’s pattern, along with its times to discovery and containment. Each scenario identifies a threat actor along with their motives, tactics, and techniques; the targeted victim also gets profiled in terms of industry sector(s), key stakeholders, and the necessary countermeasures.

In another DBD scenario dubbed “Mobile Assault – The Secret Squirrel,” Verizon outlines the problems faced by a business traveler who may be forced to use sketchy Wi-Fi networks, hand over their laptop or smartphone at security checkpoints or immigration areas, or are required to decrypt their devices completely. There’s also the potential for loss, theft, or device tampering in a hotel room; in some instances, specific companies and individual personnel are targeted for the high-value data they carry or are able to access.

The fix for Mobile Assault is ridiculously simple. Employees no longer travel with their assigned corporate devices, but instead are given “travel” smartphones and laptops, and after every trip, these devices are wiped clean and rebuilt. “From a forensic examination standpoint, having this known baseline image to compare against drastically reduces analysis time and helps [the organization] focus on potential problems rather than background noise,” Verizon says in the new DBD report.

This year’s report also deconstructs the complexity of breaches from a human standpoint and a stakeholder perspective, Grim tells Dark Reading.

And it’s no longer enough to tell companies and end-user organizations, “This is the malware, and this is how you fix it,” Grim adds. “HR and legal need to be involved too if it’s an inside threat or involves employee records.” Grim is quick to emphasize that the DBD report isn’t just for IT staff or infosec professionals. Human resources professionals can query the report for HR issues, or HR in a specific industry sector. Incident responders can also query by industry, Grim says.

The DBD uses data derived from Verizon’s more comprehensive Data Breach Investigations Report. This is the second year Verizon has released the digest.

Verizon also offers a five-point incident response plan for organizations that have discovered any kind of data breach:

  • Preserve evidence; consider consequences of every action taken once the breach has been discovered.
  • Be flexible; adapt to evolving situations.
  • Establish consistent methods for communication.
  • Know the limits of your own expertise; collaborate with other key stakeholders.
  • Document actions and findings; be prepared to explain them.

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, … View Full Bio

Article source: http://www.darkreading.com/threat-intelligence/verizon-data-breach-digest-triangulates-humanity-inside-security/d/d-id/1328123?_mc=RSS_DR_EDT

Russia Suspect In Italian Ministry Hack

Italy’s foreign ministry was victim of a cyberattack last year, but hackers did not gain access to classified information.

Italy’s foreign ministry was the target of a cyberattack early last year. Sources close to the ministry report the activity continued for more than four months, but hackers didn’t access classified data, says Reuters.

The report confirms a Guardian article stating Russia was suspected to be behind the incident. Reuters also learnt from an Italian government source this year that the Foreign Ministry had been hacked in the past, most likely by Russia.

“These were not attacks on the encrypted computer system which carries the most important and sensitive information, but the email system for staff at the foreign ministry and embassies,” the ministry source said.

The department was headed by current Prime Minister Paolo Gentiloni when the attack took place. He was not affected because he did not use email for official work purposes at the time, a government official reported to the Guardian.

Read Reuters for details. 

Article source: http://www.darkreading.com/russia-suspect-in-italian-ministry-hack/d/d-id/1328125?_mc=RSS_DR_EDT

‘Shock And Awe’ Ransomware Attacks Multiply

Ransomware attackers are getting more aggressive, destructive, and unpredictable.

RSA CONFERENCE 2017 – San Francisco – The data-hostage crisis isn’t going away anytime soon: in fact, it’s starting to get a lot scarier and more destructive, with a more unpredictable outcome.

Security experts have long warned that ponying up the ransom fee only plays into the hands of ransomware attackers; it doesn’t necessarily guarantee victims get their data back unscathed, even though most of these bad guys have thus far honored their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there’s a ransomware attack every 40 seconds.

James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.

He describes their brazen demands and attacks as a “shock-and-awe” approach that’s catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.

“We’re seeing more and more inclusion of a timer” and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely, he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn’t be retrievable at all.

“Not even the cybercriminals can recover the data” then, he says.

“It irrevocably shreds them. You’re not going to get the data back even if you go to a forensics specialist,” Lyne says. “They’re starting to move toward a more aggressive approach of ‘hand over the money more quickly.'”

“It’s a really interesting tactic because it invokes panic in the user” so they are afraid to talk to tech support for help, he says.

Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. “Traditional blackmailers know if someone pays once, they are probably going to pay again,” he says. 

Lyne plans to show such a case of a repeat attack during his RSAC session entitled Reversing the Year: Let’s Hack IoT, Ransomware and Evasive Payloads. “I’m going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again,” he says.

So the days when cleanup after a ransomware infection meant the event was over may soon be gone. Variants such as Ranscam actually erase the victim’s files while promising to release them once the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn’t even invest in encryption, so it’s a rather evil but ingenious way to wage a low-cost, high-return attack, according to Craig Williams of Cisco Talos.

Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.

“In truth, most of these we’ve heard of weren’t targeted … the samples I look at have no example that they targeted specific types of businesses,” he says.

Even so, he’s seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. “It encrypts your data, you pay money to get it back and it then nicks your data” as well, says Lyne, who will demonstrate one such attack here.

“It’s not widespread … but it’s something people need to be aware of now,” he says. “You can’t just pay money and consider the incident over.”

Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data. 

Headless But Deadly

Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. “We see this quite a lot,” Lyne says, and it tends to be lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channel are shut down. “Now there’s ransomware floating around that’s shredware: there isn’t a way to get your data back,”  he says.

Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: “When it was abandoned, it stopped working and there was no key exchange,” which made it benign, he says.

The Talos team was seeing 130,000 ransomware samples per day in December of last year.

With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, phishing emails and other ransomware-rigged content will still infect users. “This is a sign of things to come. So you should prepare,” Lyne says.

Meantime, ransomware variants such as Samsam include a self-propagation feature that lets them spread like a worm, rather than just via email or malicious web content. Worm-like ransomware spreading could infect more victims more quickly, Cisco’s Williams says.

Be Prepared Or Prepare To Lose Data

The best defense from ransomware is preparation: expect the worst, and run regular backups. “Have a backup that works, one that’s not constantly connected to your computer such that you end up with an encrypted backup that’s also infected with ransomware,” Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.

Cloud-based backups can be helpful as well, Cisco’s Williams says. “Don’t put your eggs in one basket … Have unique usernames and passwords” for those types of  services, he says. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/shock-and-awe-ransomware-attacks-multiply/d/d-id/1328124?_mc=RSS_DR_EDT

Ex-FBI man spills on why hackers are winning the security game

BSides SF Comfortable illusions about how security is working are crippling the ability of government and industry to fight the threat, a former member of the FBI’s netsec team has told the B-Sides San Francisco security conference.

Society is operating under the illusion that governments and corporations are making rational choices about computer security, but the fact of the matter is that we’re drowning under a sea of false positives, bad management, and a false belief in the power of technology to save us.

“The government is very reactive,” said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. “Over time we’ve learned it wasn’t working – just being reactive, not proactive.”

Truppi said we need to puncture the comfortable thought bubble that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas, and the result is a hopeless mishmash of confused loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business people being charged over unrelated matters. As a result, companies are increasingly unwilling to share data if it exposes them to wider risks.

The fact of the matter is that companies don’t get their own infosec problems and don’t care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

Threat lag

A single false alert can eat up days of time, he warned: upper management – who don’t understand the issues – can tie up days of team time dealing with an alert that isn’t a serious issue. Stock market fraud is a case in point, he said.

The traditional view is that hackers will try to fake stock trades, but Truppi argued that tactic is old hat. It’s much easier, and more profitable, to use insider trading to extract money than trying to fake stock trades that can be checked before the payout.

All it needs is one unsecured endpoint, he said. After that the keys to the palace are open. Compliance rules don’t help much, since they are dealing with yesterday’s threat.

But IT departments’ incident response (IR) teams are getting drowned out by false threat information. The result is incident report fatigue, whereby you get so many false positives that the IR team is overwhelmed, and that means they burn out and move to other roles.

Computer security teams move in groups, he opined, and once you lose a key team member you’ll likely lose the whole team. That means you lose all your intellectual reserves, since infosec people seldom share information outside teams.

The big picture

The biggest illusion in computer security is that firms, and government, know what they are doing, Truppi said.

Five years ago everyone assumed that big finance houses knew what they were doing to lock down bank accounts. Now they are playing catchup.

But at least banks are better than most, Truppi opined. Far too many companies think that if they have a disaster recovery plan in place then they’re sorted. But it doesn’t work that way.

We’re only at the start of the distributed denial of service attack stage, he said. We’re going to see major internet outages thanks to botnets of things taking down sections of the internet. How we deal with that will be a deciding factor.

A Mirai-style botnet is coming that could take down the internet for serious periods of time, he warned. And don’t expect those fancy AI systems we keep hearing about to have your back. Truppi said they are mostly bunk. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/12/b_sides_sfo_security_is_broken_says_taniums_jason_truppi/

That guy using a Surface you keep seeing around town could be a spook

Microsoft’s pointed out that the United States’ National Security Agency has added some Surface devices to the nation’s okay-for-accessing-secure-information list.

That list’s proper name is the Commercial Solutions for Classified Program and was created because the US government used to spend years building a secure suite of products before releasing them to government users.

That approach would leave workers wielding out-of-date technology, which didn’t exactly help US government workers to become efficient.

The list therefore offers products that, when used in concert with others on the list, can be assembled into acceptably secure “capability packages”.

The NSA’s added the Surface Pro 3, Surface Pro 4 and Surface Book to the list, all running Windows 10. The Surface Pro also makes it when running Windows 8.1.

Microsoft’s the only laptop and desktop OS vendor on the list, but is hardly alone on the list for mobile devices. Apple, LG and Samsung devices all make it, as do Blackberry OS 10.3 and the Boeing/Blackberry “Black” Android collaboration. The rest of the list covers all manner of enterprise hardware and software and offers a who’s-who of big-name tech vendors.

Microsoft’s singular inclusion for PCs is therefore good news for Surface and Windows 10, until President Trump worries about the price of either. And maybe it’s a warning, too, that it might not be a coincidence that you keep seeing a chap with a Surface in coffee shops, on the train, down at the supermarket … ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/surface_makes_nsa_secure_kit_list/

Lovely. Now someone’s ported IoT-menacing Mirai to Windows boxes

The Mirai malware that hijacked hundreds of thousands of IoT gadgets, routers and other devices is now capable of infecting Windows systems.

The software nasty, discovered in August 2016, broke into heaps of insecure Linux-powered gizmos worldwide before running distributed denial of service attacks, most notably against DNS provider Dyn. Many household names relied on Dyn’s servers to prop up their websites and online services; these big brands effectively became unreachable to consumers for hours at a time during the now infamous attack last October.

Many of the commandeered devices were personal digital video recorders, webcams, and the like. The malware spread by scanning the internet for machines with open ports and then using default or hardcoded passwords to log in and take over.

This week, researchers at Russian security software maker Dr Web documented a Windows version of the Mirai bot that scans the ‘net for vulnerable IoT devices after infecting a Microsoft-powered host. That means vulnerable gear on a corporate network, hopefully shielded from the open internet by a firewall, can be attacked by adjacent Windows clients and servers if they get infected.

The Windows build, Trojan.Mirai.1, written in C++, uses lists of IP addresses and passwords to scan networks and attempt to log into devices. If it gets into a Linux machine, via Telnet for example, it downloads and runs Linux.Mirai on the compromised node, which continues the malware’s spread. If Trojan.Mirai.1 finds a Windows box on a network, it attempts to use WMI and IPC to launch a new process on the computer to infect it and continue the spread.

The cyber-nasty, first spotted on Microsoft-powered systems at the end of January, also uses the MS SQL Server event service, if available, to execute commands as an administrator and install malicious software.

How the trojan gets its foothold on a corporate network is up to the malware’s masterminds: a booby-trapped email attachment, for instance, could be the starting point of a network infection. If your Windows PCs and servers are infected by unauthorized software, worrying about your IoT gadgets may be the last thing on your mind, of course. Having said that, only one or two Windows machines have to be successfully attacked for the malware to move on to an organization’s vulnerable Linux gizmos.

Richard Meeus, a technology veep at California-based DDoS mitigators Nsfocus IB, said the latest flavor of Mirai poses a greater risk to enterprises.

“The use of Windows to distribute Mirai means that it has now established a bridgehead into private networks,” Meeus said. “Previously, IoT devices that were not connected directly to the internet were not thought to be as heavily at risk as those that were. With Windows ever-present in many homes and businesses, Mirai now has a new vehicle to infect even more devices.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/10/windows_mirai_bot/