STE WILLIAMS

Stop the credential thieves before they stop your business

Promo Back in 2008, the City of San Francisco found itself locked out of the administration of its own network. Terry Childs, the engineer who ran it, had consolidated the credentials for the system’s privileged accounts in his own hands, and after a dispute with the city government he refused to hand them over.

Look at any major data breach and you will find that privileged credentials are the preferred route for cybercriminals and malicious insiders bent on traversing the network and wreaking havoc on an organisation’s most critical data, infrastructure and applications.

Every important IT initiative, from DevOps to cloud and business-critical apps, has an element of privilege in it. If access is left unmanaged and unsecured, this can become an ever-growing attack surface to worry about.

The first-ever Gartner Magic Quadrant for Privileged Access Management (i) named CyberArk a leader, positioned highest for ability to execute and furthest for completeness of vision. Separately, Gartner identified privileged account management as the number one project within its Top 10 Security Projects for 2018 (ii).

CyberArk agrees, insisting that Privileged Access Management is a sector that cannot be ignored. Perimeter defences are not enough: determined attackers will eventually find a way in, and organisations must be able to stop them before they reach their intended target.

Privileged access management is not just limited to one piece of software or infrastructure – it can span operating systems, network devices, hypervisors, databases, middleware, applications, cloud services and everything in between.

The CyberArk solution not only restricts access to an organisation’s critical assets to those who have the right credentials, but also focuses on heading off any cyber threats that have broken into the system and are making their way towards the heart of the enterprise with malicious intent.

You can read more and download the report here: download now.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


(i) Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018

(ii) Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/19/stop_the_credential_thieves_before_they_stop_your_business/

German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?

Germany’s top cybersecurity official has said he hasn’t seen any evidence for the espionage allegations against Huawei.

Arne Schönbohm, president of the German Federal Office for Information Security (BSI), the nation’s cyber-risk assessment agency in Bonn, told Der Spiegel that there is “currently no reliable evidence” of a risk from Huawei.

“For such serious decisions such as a ban, you need evidence,” Schönbohm said. Should that change, the BSI will “actively approach German industry” he assured the paper.

Huawei has opened a facility in Bonn, in west Germany, where it shares code and allows Schönbohm’s risk assessors to inspect Huawei kit. This is along the same lines as the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) in Banbury, informally known as “The Cell”, which addresses GCHQ’s concerns about backdoors in Huawei products.

HCSEC has been running for seven years, and its Oversight Board has now produced four annual reports. The most recent, in July, warned that “the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated”.


HCSEC attempts to reproduce Huawei’s shipped binaries from the source code the company provides, so that the code inspected can be shown to be the code actually running on the kit. The Oversight Board said this has not yet been fully achieved, and also expressed concerns about third-party software (PDF).

“There are no concerns about individual companies,” Peter Altmaier, German Federal Minister for Economic Affairs and Energy, confirmed to Reuters on Monday. “But each product, each device must be secure if it is going to be used in Germany.”

The Five Eyes states have led concerns against Huawei without citing specific evidence. Australia confirmed in 2013 that it had blocked Huawei from its NBN fibre programme, and in August excluded it from selling 5G gear. A report last month suggested New Zealand companies were being advised to avoid doing deals with Huawei.

Twelve days ago, Canada arrested the founder’s daughter, Meng Wanzhou, on a US warrant over an unrelated issue: circumventing sanctions against Iran.

Huawei privately bridles at comparisons with the state-owned telco ZTE and can point out that it has been the victim of hacking. In 2014, the New York Times and Der Spiegel reported on “Operation Shotgiant”, a multiyear operation by America’s National Security Agency (NSA) that infiltrated Huawei’s network at its Shenzhen HQ and yielded confidential source code.

“Many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products,” one NSA document explained.

“The Huawei revelations are devastating rebuttals to hypocritical US complaints about Chinese penetration of US networks,” wrote former DoD counsel Jack Goldsmith.

Deutsche Telekom has a close strategic relationship with Huawei but said it was reviewing matters this week. Orange pledged to continue its relationships with Huawei’s European 5G rivals, Nokia and Ericsson.

Which comes as a relief for the latter: the UK’s O2 is reportedly seeking up to £100m in damages from Ericsson over a bungle that deprived more than 30 million customers of data access for 24 hours. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/18/german_cybersecurity_chief_show_me_the_huawei_evidence/

American bloke hauls US govt into court after border cops ‘cuffed him, demanded he unlock his phone at airport’

A California man is suing the US government for civil rights violations after he was apparently detained and forced to unlock his phone at an American airport.

Haisam Elsharkawi, a US citizen, claims he was cuffed, hauled away, and grilled by border officers until he agreed to surrender his smartphone. The unlocked device was then inspected by officials, it is alleged, and is believed to have been imaged, aka a copy of its files taken, as he waited to fly out to the Middle East.

Attorneys for Elsharkawi on Monday issued a summons against Uncle Sam, and earlier this month sought to haul into court Homeland Security, and the Customs and Border Protection agency as well as the CBP officers who allegedly detained him at Los Angeles International Airport in 2017.

According to the civil complaint [PDF] filed in a federal district court in Cali at the end of October, Elsharkawi was on the first leg of his trip from the US to Saudi Arabia on a Muslim pilgrimage when, at the gate, he was pulled aside by the agents and quizzed. It was during this questioning that Elsharkawi, 35, claims his First, Fourth, and Fifth Amendment rights were violated.

The border cops – Officer Rivas and Officer Rodriguez – were particularly interested in the $2,500 he had on him, and what he intended to do with the cash, it is claimed. They also searched his belongings, took his cellphone, and asked him to unlock it. Elsharkawi refused.

During this probing, it is alleged, the US citizen, who is of Egyptian descent, asked if he was under arrest, and if he needed a lawyer. He was told no, and the agents apparently accused him of being racist and disrespectful to the uniform. He asked if he could have his phone back to make a call, and also if he could leave – and that’s when things went really south, according to the filed paperwork.

After Elsharkawi was handcuffed by the officers and dragged to an elevator, he yelled to passengers and airline staff nearby to “please call a lawyer for me,” and “they are taking me somewhere that I don’t know and will not let me have a lawyer,” it is claimed. While in detention, he was interrogated until he gave in and unlocked his device.

“During this search, CBP agents so aggressively questioned Mr Elsharkawi that he felt compelled to request an attorney,” the lawsuit stated.

“The CBP agents also searched Mr Elsharkawi’s checked and carry-on luggage, and asked him to unlock his cellphone. When Mr Elsharkawi exercised his right to refuse to unlock his phone, the CBP agents handcuffed him, took him to a holding cell, and detained him until he had no reasonable alternative but to unlock his cellphone.”


Elsharkawi would eventually be allowed to leave, having unlocked his smartphone for searching and imaging, but by that time he had missed his flight. He is suing for those costs as well as the emotional and physical harm from the alleged ordeal.

In filing the complaint, Elsharkawi’s attorneys noted a number of recent legal decisions and CBP directives [PDF] that limit when agents can force a person to unlock their phone and to what extent they can access and copy contents.

“The search of Mr Elsharkawi’s phone was not supported by any real suspicion of ongoing or imminent criminal activity, and as such, no basis for a search existed. Mr Elsharkawi accurately declared the amount of currency he had on his person,” the filing stated.

“In any event, CBP could have no reason to search his phone for physical currency. Further, Mr Elsharkawi has never experienced anything prior to this incident that would indicate he is on any Terrorist Watch List or is being investigated for terrorism, such as SSSS on his boarding pass, or being subjected to additional screening at an airport.”

Elsharkawi and his attorneys are now asking for a jury trial to decide damages.

Spokespeople for Uncle Sam’s border cops declined to comment on ongoing litigation, though we note that in the afore-linked PDF, the agency insists:

All persons, baggage, and merchandise arriving in, or departing from, the United States are subject to inspection, search and detention. This is because CBP officers must determine the identity and citizenship of all persons seeking entry into the United States, determine the admissibility of foreign nationals, and deter the entry of possible terrorists, terrorist weapons, controlled substances, and a wide variety of other prohibited and restricted items. Various laws that CBP is charged to enforce authorize such searches and detention (see, for example, 8 U.S.C. § 1357 and 19 U.S.C. §§ 1499, 1581, 1582).

Citizen or alien, agents can rifle through your stuff if you’re within 100 miles of the border, and without a warrant. The officers also insist such searches are rare. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/18/american_citizen_border_smartphone_search/

Houston, we’ve had a problem: NASA fears internal server hacked, staff personal info swiped by miscreants

A server containing personal information, including social security numbers, of current and former NASA workers may have been hacked, and its data stolen, it emerged today.

According to an internal memo circulated to staff on Tuesday, in mid-October the US space agency investigated whether or not two of its machines holding employee records had been compromised, and discovered one of them may have been infiltrated by miscreants.

It was further feared that this sensitive personal data had been siphoned from the hijacked server. The agency’s top brass stressed no space missions were affected, and identity theft protection will be offered to all affected workers, past and present. The boffinry nerve-center’s IT staff have since secured the servers, and are combing through other systems to ensure they are fully defended, we’re told.

Anyone who joined, left, or transferred within the agency from July 2006 to October 2018 may have had their personal records swiped, according to NASA bosses. Right now, the agency employs roughly 17,300 people.

“Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within,” the memo, issued by assistant administrator Bob Gibbs, stated.

“NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardized by the cyber incidents.”

In a statement to The Register today, a spokesperson for NASA told us:

On Oct. 23, 2018, NASA cybersecurity personnel began investigating the potential compromise of two NASA servers. One of the servers contained personally identifiable information (PII) on current and past NASA employees and these data may have been exfiltrated. The agency will provide identity protection services to all potentially affected individuals.

NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then – this process will take time. The ongoing investigation is a top NASA priority.

NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems. The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.

We’ve asked NASA why it took nearly two months to inform staff, despite the matter being a top priority, and what exactly may have been exfiltrated. “We cannot go into specifics about the data,” a spokesperson told us, adding: “However, 2 CFR 200.79 defines PII as “…information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” ®

Additional reporting by Richard Speed.

In other space news… President Donald Trump today instructed the Pentagon to form the US Space Command, which will pull in service personnel from all corners of Uncle Sam’s armed forces. Space Command will be expected to take over space-related national security responsibilities previously held by the United States Strategic Command.

This is all part of the President’s desire to set up a new branch of the military dubbed Space Force, which will counter any moves by Russia or China to jam or destroy American satellites or disrupt other US space operations.

Crucially, Trump may be unable to get the Democrat-controlled House of Reps to sign off on his Space Force dream, and so Space Command may be an attempt at establishing another route to setting up a standalone space-focused branch of the military. Space Command will be led by a four-star Senate-approved general or admiral, and more details on how exactly it will play out will be revealed within the next few weeks, according to Vice President Mike Pence.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/18/nasa_server_hack/

Cryptographic Erasure: Moving Beyond Hard Drive Destruction

In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge.

Over the last decade we meticulously taught ourselves how to collect, store, and process big data. Now, the next challenge is to get rid of this data.

The General Data Protection Regulation (GDPR), with its sweeping mandates for protecting personal data, was a wake-up call for businesses across the board that they needed to exercise greater control over many aspects of their data processing practices. The California Consumer Privacy Act followed suit, and other privacy laws around the world will very likely continue the trend.

Regulations around how data is used, data retention time frames, and data subjects’ right to be forgotten all necessitate particular attention to data destruction. In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge on our hands.

We now work with complex, massively distributed computing environments. The resources we directly control are often spread across the globe, and the rest live in some external organization’s opaque cloud. System components interact in complex (and sometimes unexpected) ways, forming both explicit and implicit data flows between them. The challenge is to track down where exactly data is before we can even start thinking about how to destroy it.

Cryptographic Erasure
Cryptographic erasure, roughly, means encrypting the data up front and, when the time comes to delete it, destroying the encryption key rather than the data itself. Assuming the underlying cryptographic primitives remain computationally unbroken for as long as the ciphertext may survive (and cryptography is rarely the weakest link in a secure system), data whose key is gone can never be decrypted again: it is as good as deleted. The assurance rests entirely on the key actually being gone, from every copy, escrow, backup and memory image, and not merely removed from the primary key store.

Many readers will be familiar with the term from recent NIST and ISO guidance (NIST SP 800-88 Rev. 1 and ISO/IEC 27040) that recognises it as a secure data destruction technique. Storage media vendors have also been promoting cryptographic erasure as a faster alternative to traditional destruction: self-encrypting drives on the market can regenerate the media encryption key held in their onboard controller, instantly rendering the existing contents unreadable.

In reality, however, the idea dates all the way back to 1996, when Dan Boneh and Richard Lipton first proposed it publicly. In their paper “A Revocable Backup System,” published at the USENIX Security Symposium, they describe a tape backup scheme in which backed-up data is encrypted with a periodically refreshed key. Each time the key changes, the old backups become unrecoverable without any modification to the tapes themselves, much as with modern self-encrypting drives.

So, how does this apply to our times and solve the problem of tracking data in and across complex computing environments? All of the previous examples focus on the use of cryptographic erasure as an efficient way to destroy all content on a given physical storage medium. However, let’s take a step back and get a better view of the general principle behind the idea.

Cryptographic Erasure: Two Useful Properties
First, unlike in the previous scenarios, we do not need to restrict ourselves to a single key that encrypts an entire drive or data set. Instead, we can have as many unique keys as we need, encrypting data at whatever granularity serves our purposes. For example, a cloud service provider may decide to assign a unique key to each of its customers, allowing it to selectively destroy a specific customer’s data when necessary. Alternatively, the provider may partition the data at a finer granularity: a unique key per user, per file, or even per database entry. The possibilities and business applications are immense.

Second, cryptographic erasure largely sidesteps the problem of tracking data flows. Whether a copy of the ciphertext sits in a remote data centre, in someone else’s cloud or in a long-forgotten tape archive is irrelevant: every copy is bound to the same key, so knowing where our keys are is enough to destroy every instance of the data, provided no copy was ever stored in plaintext.

Unfortunately, there is no silver bullet in security, and this is not the exception. A prerequisite for this scheme to work is that all sensitive data must be encrypted at all times. (Maybe that is a good thing!) This implies a computational overhead for cryptographic operations, but more importantly, the decision to incorporate cryptographic erasure into a system is probably best considered at early architectural design stages. Integration into legacy systems may be difficult and error prone.

Furthermore, as with every cryptographic system, storage and distribution of keys becomes a prime concern, especially with very fine-grained data partitioning schemes that could require large numbers of keys. This would necessitate building an appropriate key management infrastructure — a task with which security professionals often have a love-hate relationship.
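The two properties above, and the key-management concern just raised, fit in a few dozen lines. What follows is an added example written for this page, not code from the article or from Akamai: a key store holding one key per (tenant, record) pair, a data store that only ever holds ciphertext, and shredding at either granularity. It uses only the Python standard library, so an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for the AES-GCM a real deployment would take from a vetted library or a KMS; the tenants, the records and the `demo` function are constructed for the illustration.

```python
"""Crypto-shredding with one key per (tenant, record): data is only ever stored
encrypted, and erasing it means deleting its key, wherever the ciphertext lives.
Constructed example for this page, stdlib only. ASSUMPTION: production code would
use AES-GCM from a vetted library or a KMS/HSM; the HMAC-SHA256 counter-mode
stream cipher with an encrypt-then-MAC tag below exists only so this runs offline.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

KeyId = Tuple[str, str]  # (tenant, record_id): the granularity we can erase at
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Independent encryption and MAC keys derived from the one stored key.
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def _keystream(key, nonce, length):
    """PRF counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # tampered, or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyStore:
    """The one place key material lives, so erasure is a deletion here. A real
    KMS/HSM can also prove the key is gone from the key store's own replicas and
    backups; a dict cannot, and that proof is what the whole scheme rests on."""
    def __init__(self):
        self._keys: Dict[KeyId, bytes] = {}
    def create(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return self._keys[key_id]
    def get(self, key_id):
        return self._keys[key_id]  # KeyError means the key has been shredded
    def shred_record(self, tenant, record_id):
        # Erase one record's key; returns the number of keys destroyed.
        return int(self._keys.pop((tenant, record_id), None) is not None)
    def shred_tenant(self, tenant):
        """Erase every remaining key of a tenant (a right-to-be-forgotten request)."""
        doomed = [k for k in self._keys if k[0] == tenant]
        for k in doomed:
            del self._keys[k]
        return len(doomed)

class EncryptedStore:
    """Holds ciphertext only, so it can be replicated and backed up freely."""
    def __init__(self, keys):
        self.keys = keys
        self.records: Dict[KeyId, bytes] = {}
    def put(self, tenant, record_id, plaintext):
        self.records[(tenant, record_id)] = encrypt(self.keys.create((tenant, record_id)), plaintext)

def readable(keys, ciphertexts, key_id):
    """Can this copy of a ciphertext still be read? False once its key is gone."""
    try:
        decrypt(keys.get(key_id), ciphertexts[key_id])
        return True
    except KeyError:
        return False

def demo():
    keys = KeyStore()
    store = EncryptedStore(keys)
    store.put("acme", "invoice-1", b"ACME invoice: 42 widgets")  # constructed records
    store.put("acme", "invoice-2", b"ACME invoice: 7 gadgets")
    store.put("globex", "hr-1", b"Globex HR record")
    backup = dict(store.records)  # an off-site copy we no longer control
    before = decrypt(keys.get(("acme", "invoice-1")), store.records[("acme", "invoice-1")])
    shredded = keys.shred_record("acme", "invoice-2")  # fine-grained: one record
    shredded += keys.shred_tenant("acme")              # coarse: the whole tenant
    return {
        "before": before,
        "shredded": shredded,
        "acme_readable": readable(keys, store.records, ("acme", "invoice-1")),
        "backup_readable": readable(keys, backup, ("acme", "invoice-2")),
        "globex_readable": readable(keys, backup, ("globex", "hr-1")),
    }

if __name__ == "__main__":
    print(demo())
```

Run it and the off-site `backup` copy of ACME’s ciphertext becomes unreadable the moment the keys are dropped, without anyone having to locate that copy, while Globex’s record is untouched. What a dict cannot give you, and a KMS or HSM must, is evidence that the key is gone from every replica and backup of the key store itself; that evidence is the assurance the whole scheme rests on.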

Cryptographic erasure is a powerful technique that can address emerging data destruction challenges, especially in the face of stringent privacy laws, where traditional approaches remain impractical. Security professionals should take advantage of this tool in their arsenal, understand its trade-offs, and recognize that cryptographic erasure can have advanced applications beyond wiping hard drives.


Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact.

Article source: https://www.darkreading.com/endpoint/cryptographic-erasure-moving-beyond-hard-drive-destruction/a/d-id/1333492?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trend Micro Finds Major Flaws in HolaVPN

A popular free VPN is found to have a very high cost for users.

A VPN is often touted as a basic piece of any mobile device security plan. But when the chosen VPN turns out to be not just ineffective but actively working against your security, the user is left both vulnerable and betrayed.

Researchers at Trend Micro have singled out HolaVPN, a free “community VPN,” for using customer computers and devices as exit points for spam, phishing messages, and worse. The “worse” is especially important at businesses where employees have downloaded the HolaVPN software. In those cases, HolaVPN could provide a gateway into the enterprise network for malicious software of many varieties.

Community VPNs are those in which the users’ computers and devices provide exit points for other users in exchange for low- or no-cost services.

Malicious file access was only part of the problem. The software for HolaVPN failed to provide encryption for users depending on the service to protect their data from theft.

Even without malware or data theft, HolaVPN users were subject to a variety of annoying and possibly misleading messages. In their research, the Trend Micro team found that 85% of the HolaVPN traffic they analyzed was concerned with mobile ads and other mobile-related domains and software.

Read more details here.


Article source: https://www.darkreading.com/network-and-perimeter-security/trend-micro-finds-major-flaws-in-holavpn/d/d-id/1333515?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Twitter Hack May Have State-Sponsored Ties

A data leak was disclosed after attackers targeted a support form, which had “unusual activity.”

Twitter has disclosed a data leak related to a bug in one of its support forms and now suspects the activity could be the work of nation-state actors.

On Nov. 15, 2018, the social platform learned of a problem in a support form used by account holders to report issues to Twitter. The bug could be used to learn the country code of phone numbers associated with different accounts, as well as whether the account had been locked. Twitter locks accounts if they appear to be compromised or violate its rules or terms of service.

The issue was resolved by Nov. 16. Since then, Twitter has been investigating its origin and background. In a support page published on Dec. 17, it reports “unusual activity” involving the affected support form’s API, in particular a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” the support page explains.

Compared with breaches stemming from other social platforms – the September Facebook breach, for example, or the recent Google+ vulnerability – this incident puts less personal data at risk. However, the nature of activity surrounding this issue is concerning. Country codes can be used by nation-states to map the general location of people they might want to pursue.

Twitter reports no action is required by account holders and the problem has been resolved.

“We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” officials write. Affected users have been informed.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology.

Article source: https://www.darkreading.com/threat-intelligence/twitter-hack-may-have-state-sponsored-ties/d/d-id/1333516?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Memes on Twitter Used to Communicate With Malware

Steganography via tweet images gave attackers a way to pass on malicious instructions to Trojan, researchers say.

A new and otherwise ordinary malware tool is garnering some attention from security researchers for its ability to retrieve malicious commands via code hidden in a couple of Twitter memes.

The malware (TROJAN.MSIL.BERBOMTHUM.AA) targets Windows systems and, like more than 90% of all malicious code, is distributed via phishing attacks. Once installed on a system, the malware can perform several common functions like capturing local screen shots, enumerating applications on the system, checking for vulnerabilities in them, capturing clipboard content, and sending files back to the attacker.

What’s noteworthy about the new Trojan is its use of the Twitter memes to retrieve malicious instructions, according to Trend Micro, the first to report on the threat. The authors of the malware—currently unknown—posted two tweets featuring the malicious memes in late October using a Twitter account that appears to have been created last year.

Embedded in the memes is a /print command that basically instructs the infected computer to take screen shots and perform other malicious functions. The malware extracts the command after first downloading the malicious memes to the infected system. The malware supports a variety of other commands including /processos for retrieving a list of running processes, /clip for capturing clipboard contents, and /username for grabbing the username from the infected system.

The screenshots and other captured data are then sent to a control server whose address the malware obtains via a hard-coded URL on pastebin.com, Trend Micro said in a report on the attack.
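To make the mechanism concrete, here is an added example written for this page, not Trend Micro’s code and not the malware’s: least-significant-bit embedding of a command into an RGB sample stream, the bot-side extraction and allow-list parsing of the four command names the article mentions, and a defender-side hunt that flattens an image’s LSB plane and searches it for those strings. The report does not say how the memes actually encoded their commands, so the LSB scheme, the four-byte length header and the constructed `cover` bytes are assumptions, and the hunt goes slightly beyond what the article describes.

```python
"""Image steganography as a command channel, plus a crude hunt for it.
Constructed example for this page. ASSUMPTIONS: the Trend Micro report does not
say how the memes encoded their commands; plain least-significant-bit (LSB)
embedding into a stream of RGB samples is used here for illustration. The
"image" is a bytes object of RGB samples, not a real PNG/JPEG (JPEG recompression
would destroy naive LSB data; a real operator would need a lossless format).
"""
from typing import List, Optional, Sequence

HEADER_BYTES = 4  # big-endian payload length, embedded ahead of the payload
# Command names the article reports for this Trojan; the bot's allow-list.
KNOWN_COMMANDS = ("/print", "/processos", "/clip", "/username")

def _to_bits(data: bytes) -> List[int]:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def _from_bits(bits: Sequence[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Return a copy of `cover` whose LSBs carry len(payload) || payload.
    Every sample moves by at most 1, which is invisible in a meme."""
    bits = _to_bits(len(payload).to_bytes(HEADER_BYTES, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """What the bot does after downloading the meme: read the header, then the payload."""
    header_bits = HEADER_BYTES * 8
    length = int.from_bytes(_from_bits([b & 1 for b in stego[:header_bits]]), "big")
    end = header_bits + length * 8
    if end > len(stego):
        raise ValueError("declared payload length exceeds cover")
    return _from_bits([b & 1 for b in stego[header_bits:end]])

def parse_command(payload: bytes) -> Optional[str]:
    """Accept only a known command token; anything else is ignored."""
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return text if text in KNOWN_COMMANDS else None

def hunt_lsb_commands(image: bytes, tokens: Sequence[str] = KNOWN_COMMANDS) -> List[str]:
    """Defender side: flatten the LSB plane and look for known command strings.
    This only catches unencrypted, byte-aligned LSB payloads like the one above;
    it is a triage aid for downloaded images, not general steganalysis."""
    plane = _from_bits([b & 1 for b in image])
    return [t for t in tokens if t.encode("ascii") in plane]

def demo() -> dict:
    # Constructed 1000-pixel RGB cover (3000 samples) with a deterministic pattern.
    cover = bytes((i * 37 + 11) % 256 for i in range(3000))
    meme = embed_lsb(cover, b"/print")
    payload = extract_lsb(meme)
    return {
        "payload": payload,
        "command": parse_command(payload),
        "max_sample_change": max(abs(a - b) for a, b in zip(cover, meme)),
        "hunt_clean_cover": hunt_lsb_commands(cover),
        "hunt_meme": hunt_lsb_commands(meme),
    }

if __name__ == "__main__":
    print(demo())
```

The `max_sample_change` of 1 is the whole point of the technique: no sample moves more than one step, so the stego’d meme is visually identical to the original. The hunt works here only because the payload is unencrypted and byte-aligned at the start of the sample stream; an operator who XORs the payload with a key or scatters it across pseudo-random pixel positions defeats it, which is why detecting this in images you do not own is as hard as the researchers quoted below say it is.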

This is not the first time attackers have used steganography, the hiding of code or payloads inside images, to sneak malware and malicious activity past threat detection tools. Nor is the new Trojan the first malware to use a popular social media platform for command and control (C&C). In fact, Trend Micro itself warned last year about the growing abuse by cybercriminals of chat platform APIs for C&C purposes.

But by combining the two techniques, steganography and the use of Twitter, the attackers make it harder for defenders to discover and take down the malicious activity, says Mark Nunnikhoven, Trend Micro’s vice president of cloud research.

TROJAN.MSIL.BERBOMTHUM.AA is a relatively standard piece of malware. “There’s nothing particularly unique about it beyond how it is set up to retrieve commands,” Nunnikhoven says. “If the infected organization is analyzing network traffic, it’s unlikely that they would count traffic to and from Twitter.com as out of the ordinary.”  

Hiding in Plain Sight

Using the steganography technique, the attackers are hiding their C&C channel in a stream of legitimate activity associated with a commonly used social media tool, he notes. “The takeaway for enterprises is that attackers are growing more sophisticated with how they avoid traditional security techniques and controls,” he says.

Trend Micro has no specific intel on the attacker and its motivation, nor are there hints or indicators in the malware itself that make attribution possible, Nunnikhoven adds.

Travis Smith, principal security researcher at Tripwire, says the use of social media for command and control is not uncommon. However, sophisticated attackers tend to avoid it since it is a known technique and relatively easy to detect with social media scanning tools. At the same time, malicious code hidden in images posted to social media can be hard to detect, he says.

“When you do not own the original image that is being used to hide data within, it can become increasingly difficult to detect the usage of steganography,” especially when the payload is small, such as the text for C2, he says.

Currently there are no tools available that continuously scan social media images for malware. “The amount of images being posted to social media on a daily basis would make that type of analysis impractical,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/threat-intelligence/memes-on-twitter-used-to-communicate-with-malware/d/d-id/1333518?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When Cryptocurrency Falls, What Happens to Cryptominers?

The fall of cryptocurrency’s value doesn’t signify an end to cryptomining, but attackers may be more particular about when they use it.

Cryptocurrency has begun to lose its value, prompting financially motivated cybercriminals to rethink their attack strategies as the payoff for cryptojacking declines.

Cybercriminals go where the money is, and in 2018 the money was in digital currencies. Malicious cryptomining, in which attackers inject malware into target systems and hijack their power to illegally mine cryptocurrency, became the go-to attack vector. Businesses, with their plethora of vulnerable machines, became hot targets for cybercriminals looking for steady, easy money.

Ransomware attacks exchange victims’ data for a lump sum of cash and there’s no guarantee attackers will receive a payout. Cryptomining generates revenue, and lots of it, on a regular basis. While ransomware rose this year, cryptomining skyrocketed 629% in Q1 2018 alone, McAfee Labs reported. In Q2, cryptomining samples grew 86% to reach more than 2.5 million new ones.

“What adversaries realize is there’s a reliable, dependable way to get consistent money and they really flock toward it because of that,” says Cisco Talos threat researcher Nick Biasini.

The mass adoption of cryptomining comes with risks. Chief among them: cryptocurrency’s value. In a new report from Cisco Talos, he explains how an adversary could at one point make $0.25 per day on a basic home computer. Now, a little more than $0.04 per day can be made on the same device. Biasini notes that around 75% to 85% of cryptocurrency’s value has been lost throughout 2018.

“What we’ve really seen over the last year, and more recently over the last couple of months, is there has been a marked decrease in all cryptocurrencies,” he says. Monero, the preferred digital currency among cybercriminals, has taken the hardest hit. Cybercriminals aren’t abandoning cryptojacking any time soon, but they are changing their strategies, he adds.

Making Choices with Modular Malware

In their research report, Talos analysts say spam levels are a strong indicator of how an attack is affecting the threat landscape. Much of the spam they see is generated by botnets, and those botnets are intended to generate revenue. In early 2018, Talos saw “near constant campaigns” delivering malicious cryptominers or using a downloader.

As the year went on and cryptocurrency prices dropped, adversaries began exploring different tactics and sending different payloads. The trend, Biasini says, is moving toward modular malware that lets adversaries deliver varied threats depending on the target machine. Cryptojacking is far from the only way to monetize a compromised system, he points out.

“It’s a natural evolution,” says Biasini of the shift. “But also, adversaries have options, and in the past they didn’t really have that.”

Modular malware lets cybercriminals learn more about a device so they can decide how to proceed. When it lands on a machine, it collects data, like what type of hardware it is, where it’s located, whether it’s attached to a domain, and who owns the domain. This data could dictate the payload. A gaming machine with a lot of horsepower would be handy for cryptomining; an executive’s laptop would grant access more powerful than mining would provide.

Of course, it’s hard to predict the future of something as volatile as cryptocurrency. If the value of cryptocurrency goes back up, “everything goes out the window,” Biasini notes. For now, though, attackers are getting smarter about maximizing ROI for each of their targets.

“These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors,” Biasini explains in the report.

Cryptomining Attackers: Where to Next?

In a separate post, Talos researchers dive into the activity of three separate attack groups focused on cryptomining: Rocke, 8220 Mining Group, and Tor2Mine. Early investigations mistakenly interpreted the three as a single actor; further analysis showed three groups with similar TTPs that have amassed hundreds of thousands of US dollars combined.

Shared TTPs include malicious shell scripts disguised as JPEG files with the name “logo*.jpg” that download and execute miners. They also scan for, and attempt to exploit, recently published bugs in servers like Apache Struts 2, Oracle WebLogic, and Drupal. They use malicious scripts and malware hosted on Pastebin sites, Git repositories, and .tk top-level domains.
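
One defensive check the shared TTPs above suggest is to trust a file’s bytes rather than its name: a real JPEG starts with the SOI marker FF D8 FF, while a dropper hiding behind logo*.jpg starts with a shebang or reads like shell. The script below is an added example written for this article, not Talos tooling; the sample files it builds in a temporary directory are constructed, and the SHELL_HINTS tokens are a starting heuristic rather than a complete signature.

```python
"""Flag "JPEG" files whose bytes are really a shell script.

Added example (not Talos code): the groups above hide miner-dropping shell
scripts behind names like logo*.jpg.  A real JPEG begins with the SOI marker
FF D8 FF; a script begins with "#!" or is plain text full of shell syntax.
The sample files are constructed in a temporary directory."""
import os
import tempfile
from fnmatch import fnmatch

JPEG_MAGIC = b"\xff\xd8\xff"
# Tokens that rarely appear in real image data but are common in droppers.
SHELL_HINTS = (b"#!/bin/", b"chmod +x", b"crontab", b"/dev/null", b"| sh")


def classify(path):
    """Classify by content, never by name: 'jpeg', 'script' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(b"#!") or any(hint in head for hint in SHELL_HINTS):
        return "script"
    return "unknown"


def find_masquerading(root, pattern="logo*.jpg"):
    """Return (relative path, kind) for files matching pattern that are not JPEGs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not fnmatch(name.lower(), pattern):
                continue
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind != "jpeg":
                hits.append((os.path.relpath(full, root).replace("\\", "/"), kind))
    return sorted(hits)


def build_sample_tree():
    """Write constructed samples and return the directory that holds them."""
    root = tempfile.mkdtemp(prefix="logo-check-")
    samples = {
        "logo1.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 64,  # genuine header
        "logo4.jpg": b"#!/bin/sh\n# constructed: a dropper would fetch and run a miner here\n",
        "logo9.jpg": b"x=/tmp/.x\nchmod +x $x\n",            # no shebang, still shell
        "tmp/logo2.jpg": b"not an image, just random text",   # neither -> 'unknown', still flagged
        "banner.jpg": b"#!/bin/sh\n",                        # script, but name does not match
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def check_sample_tree():
    """Build the sample tree and return {path: kind} for the suspicious files."""
    return dict(find_masquerading(build_sample_tree()))


if __name__ == "__main__":
    for path, kind in check_sample_tree().items():
        print(f"{path}: name says JPEG, content says {kind}")
```

Anything that claims to be a JPEG and isn’t one gets reported, including the "unknown" case, because a mismatch between name and content is the signal here, not the specific kind of script. Point it at a web root or an upload directory and review the hits by hand.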

Researchers have been watching these groups and their cryptomining activity since early 2018, Biasini says, and they are all affected by the decline in cryptocurrency’s value. For example, Rocke started to develop destructive malware disguised as ransomware, an effort to diversify payloads in response to the drop in value.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/perimeter/when-cryptocurrency-falls-what-happens-to-cryptominers/d/d-id/1333519?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

After SamSam, Ryuk shows targeted ransomware is still evolving

Thanks to Hajnalka Kope of SophosLabs for the research behind this article.

Last month the world learned that the FBI thinks it has identified the two people behind the notorious SamSam ransomware attacks.

SamSam, you may recall, gained notoriety for plundering ransoms from vulnerable targets like hospitals, and for devastating attacks like the one that embattled the City of Atlanta in early 2018.

As with other targeted attacks, SamSam was deployed manually after its operators had broken into a vulnerable network via a poorly-protected RDP port. The SamSam gang’s methodical and patient attacks put them in a position to extort enormous ransoms, and helped them accrue almost $7 million since December 2015.

As you might expect, things have been a bit quiet from SamSam since the FBI’s indictment. The Iranian suspects are beyond the agency’s reach, but they have been identified, their operation has been compromised and, for the time being at least, activities have ceased.

The unmasking followed a period of apparently diminishing returns for SamSam attacks. After the publication of extensive research by Sophos in August, SamSam’s monthly earnings began to decline, even while the frequency of attacks seemed to increase.

Now SamSam seems to have left the stage, but the brand of destructive, stealthy attacks it exemplified didn’t start with SamSam and they didn’t end with it either. In fact, while SamSam may have gained infamy, other kinds of targeted ransomware, like Dharma and BitPaymer, have been deployed more widely, and demanded higher ransoms.

The threat of targeted ransomware is undimmed, and continues to evolve. In August 2018, just as SamSam’s influence began to diminish, a new strain of targeted ransomware appeared.

Ryuk

Ryuk, named after a character in the manga series Death Note, represents an evolution in ransomware that’s either learning from, building on, stealing from, or paying homage to the targeted malware that’s gone before.

Targeted ransomware of all stripes seems to have converged on a method that, sadly, just works and Ryuk follows it too.

The attackers:

  1. Enter the victim’s network via a weak RDP (Remote Desktop Protocol) password.
  2. Escalate their privileges until they’re an administrator.
  3. Use their privileged position to overcome security software.
  4. Spread their ransomware as widely as possible before encrypting the victim’s files.
  5. Leave notes demanding payment in return for decrypting the files.
  6. Wait for the victim to contact them via email.
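
Step 1 is the one defenders get the earliest look at, because a weak RDP password is usually found by guessing, and guessing leaves a trail in the Windows Security log. The detector below is an added example, not part of the Sophos research: it runs over constructed events in which ID 4625 is a failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive) marks RDP. The field names are simplified from the event XML and the threshold and window are assumptions to tune for your environment.

```python
"""Spot step 1 above in the logs: a run of failed RDP logons, then a success.

Added example, not part of the Sophos write-up.  It runs over constructed
Windows Security events: ID 4625 is a failed logon, 4624 a successful one,
and LogonType 10 (RemoteInteractive) is RDP.  Field names are simplified from
the event XML; the records themselves are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW -> alert (assumed)
WINDOW = timedelta(minutes=10)  # assumed sliding window
RDP_LOGON_TYPE = 10

# Constructed sample: 203.0.113.7 guesses six times and gets in as administrator;
# 198.51.100.2 is an ordinary RDP user with no failures; the LogonType 3 event
# is a network logon and must not count towards RDP guessing.
EVENTS = [
    {"time": "2018-08-13T02:01:10", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:01:25", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2018-08-13T02:01:41", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:01:50", "id": 4625, "logon_type": 3,  "ip": "192.0.2.9",   "user": "backup"},
    {"time": "2018-08-13T02:02:03", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:02:19", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:02:40", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:03:05", "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-08-13T02:04:00", "id": 4624, "logon_type": 10, "ip": "198.51.100.2", "user": "jsmith"},
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'bruteforce' fires once when a source reaches `threshold` RDP failures
    within `window`; 'bruteforce_success' fires when that same source then
    logs on via RDP while those failures are still inside the window."""
    failures = defaultdict(list)        # source ip -> recent failure times
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        now = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        recent = [t for t in failures[ip] if now - t <= window]
        if ev["id"] == 4625:
            recent.append(now)
            failures[ip] = recent
            if len(recent) == threshold:       # == so the alert fires once per run
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "failures": len(recent), "at": ev["time"]})
        elif ev["id"] == 4624 and len(recent) >= threshold:
            alerts.append({"kind": "bruteforce_success", "ip": ip, "user": ev["user"],
                           "failures": len(recent), "at": ev["time"]})
            failures[ip] = []                  # one compromise, one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

The second alert kind is the one that matters: a success after a burst of failures from the same source is the moment an attacker has moved past step 1, and it deserves an immediate response rather than a ticket. Feeding real events in means mapping the IpAddress, LogonType and TargetUserName fields from the event XML onto the keys used here.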

Hackers using targeted ransomware work hard to achieve administrator access because it allows their software to cause so much damage – enough that many victims have no option but to pay five- or six-figure ransoms.

Like its peers, the gang behind Ryuk appears to seek out targets who can pay that kind of eye-watering ransom, and it has been reported in market sectors such as commodities, manufacturing and, according to some reports, healthcare.

When it’s run, Ryuk drops and executes its payload before covering its tracks by deleting itself. The payload cloaks itself by injecting itself into processes run by NT AUTHORITY, taking care to avoid csrss.exe, explorer.exe, and lsass.exe.

To maximise the damage it can cause, the malware tries to shut down a long list of processes and services, such as those associated with security software, before it begins encrypting files.

Ryuk’s encryption seems to be based on code found in an older piece of ransomware, known as Hermes, which is thought by some to be a product of North Korea’s Lazarus hacking group.

According to SophosLabs, both ransomware families: use similar encryption logic; use the same file marker for encrypted files; use the same allowlist when deciding which directories should not be encrypted; and write a batch script file named window.bat.

And, like Hermes, when Ryuk has finished encrypting a computer’s files it attempts to delete any Shadow Copies, eliminating the victim’s ability to restore files to a point in time before the attack.

Another legacy of Hermes is that Ryuk writes the string HERMES into the encrypted files, so that it can identify which files it has already encrypted.

[Image: the HERMES marker inside a Ryuk-encrypted file]

By excluding directories with names like Chrome, Mozilla and Windows, and files with .dll, .lnk, .hrmlog, .ini or .exe extensions, from its encryption, the malware leaves web browsers and basic operating system components untouched. Victims are left with just enough elbow room to read a ransom note, buy some cryptocurrency and pay a ransom, but not much else.
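
The HERMES marker and the allowlist described in the last few paragraphs are useful to an incident responder: the marker says which files were touched, and the allowlist says which files should not have been. The script below is an added example written for this article, not SophosLabs tooling. It makes two assumptions the text does not settle: that the marker is the literal ASCII string HERMES near the end of the file (the article gives no offset), and that the skip list is only the directory names and extensions mentioned above, whereas the real list may be longer. The sample victim tree is constructed in a temporary directory.

```python
"""Triage a file tree for the HERMES marker and for the paths Ryuk skips.

Added example, not SophosLabs tooling.  Two assumptions the article does not
settle: the marker is the literal ASCII string HERMES near the end of the
file (the page gives no offset), and the skip list below is only the
directory names and extensions the text mentions; the real one may be longer.
The sample tree is constructed in a temporary directory."""
import os
import tempfile

MARKER = b"HERMES"
SKIP_DIRS = {"chrome", "mozilla", "windows"}
SKIP_EXTS = {".dll", ".lnk", ".hrmlog", ".ini", ".exe"}


def would_be_skipped(path, root):
    """True if the allowlist from the article says this path is left alone."""
    parts = os.path.relpath(path, root).replace("\\", "/").split("/")
    if any(p.lower() in SKIP_DIRS for p in parts[:-1]):
        return True
    return os.path.splitext(parts[-1])[1].lower() in SKIP_EXTS


def has_marker(path, tail=4096):
    """Look for the marker in the last `tail` bytes (assumed location)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        return MARKER in fh.read()


def triage(root):
    """Return marked files split by whether the allowlist predicted them."""
    encrypted, anomalies, clean = [], [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("\\", "/")
            if not has_marker(full):
                clean += 1
            elif would_be_skipped(full, root):
                anomalies.append(rel)   # marker where the allowlist says there should be none
            else:
                encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "anomalies": sorted(anomalies), "clean": clean}


def build_sample_tree():
    """Constructed victim tree; 'encrypted' files are random bytes plus the marker."""
    root = tempfile.mkdtemp(prefix="ryuk-triage-")
    samples = {
        "Users/alice/Documents/q3.xlsx": os.urandom(300) + MARKER + os.urandom(64),
        "Users/alice/Pictures/holiday.jpg": os.urandom(5000) + MARKER + os.urandom(64),
        "Users/alice/Desktop/note.txt": b"Your network has been penetrated.\n",  # plain-text note
        "Users/alice/app.ini": b"[settings]\n",                  # .ini: skipped by extension
        "Windows/System32/kernel32.dll": b"MZ" + b"\x00" * 64,   # Windows dir and .dll
        "Program Files/Google/Chrome/chrome.exe": b"MZ" + b"\x00" * 64,
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def triage_sample_tree():
    """Build the constructed tree and triage it."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    result = triage_sample_tree()
    print(f"{len(result['encrypted'])} encrypted, {result['clean']} clean, "
          f"{len(result['anomalies'])} marked despite the allowlist")
```

The "anomalies" bucket is there deliberately: a marked file inside a directory the allowlist should have spared tells you either that the list has changed since this write-up or that something other than Ryuk is at work, and both are worth knowing before you plan a restore.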

Ransom notes are left throughout the afflicted network in both a short and long form, the shorter of which bears a strong similarity to the ransom notes left by BitPaymer ransomware.

Ryuk ransom note (short)

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
No decryption software is available in the public. 

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
 
To get info (decrypt your files) contact us at
████████@protonmail.com 
or
████████@tutanota.com

BTC wallet:
████████████████████████████████

Ryuk 

BitPaymer ransom note

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted and readme files.
DO NOT MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.

To get info(pay-to-decrypt your files) contact us at:
████████@protonmail.com
or
████████@tutanota.com 

BTC wallet:
████████████████████████████████

To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything 
Files should have both .locked and .readme_txt extensions of each included.
2 files we unlock for free.

KEY:AQIAAAFoAAAApAAApiQdDD0QxLNwn]Vc26GOQ1RI/n8SwuHzWbXD]Ym3+TnvL69poNWPnnZVBNdo
ProXalFT4B0HvYRdf7T+UPqhISUdsqzsVMZhblWz57z7R5LkHAN]s3VY3wg63BIrl9UVCHOlAjcj
zIPm6B3uTFSNo2pe0OwYcir7yXz5qjMImVQw= 

Ryuk demands ransoms of between 15 and 50 bitcoins (between $50,000 and $170,000), with the price escalating by 0.5 bitcoins every day the victim doesn’t pay.

Unlike SamSam, which arranged ransom payments using a Dark Web site visible to anyone who knew the address, each Ryuk attack has a unique email address and Bitcoin ID. This makes negotiations and payments harder to track, but Ryuk is known to have made more than $600,000 USD within two weeks in August.

Bitcoin payments are public so, in an apparent attempt to make following the money harder, Ryuk ransoms are sub-divided into new Bitcoin addresses over and over. Each subdivision sees an address’s contents split into portions of 25% and 75%, with each portion deposited into a new address until the funds at any one address are negligible.

What to do?

The similarities in approach taken by different targeted ransomware groups are a matter of convergence. They do the same things because that’s what delivers them the best balance of risk and reward.

That homogeneity gives defenders one advantage: the diligence and precautions required to prevent an attack by one form of targeted ransomware are much the same as those required to stop any other. You can read more about those precautions in the article How to defend yourself against SamSam ransomware.

More information about how targeted ransomware attacks work, and how to defeat them, is available in the SophosLabs 2019 Threat Report.

Image of Ryuk cosplayer courtesy of Flickr user Roger Murmann under Creative Commons license.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0CmBJ_iIyhM/