Archive | March, 2016

Badlock – Daily Security Byte EP. 242

Last week, a researcher mysteriously warned the world about an upcoming critical SMB flaw, without sharing any technical details. The warning says the flaw is bad enough that network administrators will want to prepare for it, so they know what to patch immediately. Watch below to learn what little we know about this flaw, and how the security community has reacted to the early warning.

(Episode Runtime: 3:37)

Direct YouTube Link: https://www.youtube.com/watch?v=HnpMNsprYlU

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

VNCRoulette – Daily Security Byte EP. 241

Over the last decade, we’ve seen multiple researchers scan the Internet and find open servers available to anyone. You’d think people would’ve learned by now, and closed these open holes. However, a gray hat hacker’s latest experiment proves otherwise. Watch today’s Byte to hear about VNC Roulette, and what you should do to keep your servers private.

(Episode Runtime: 3:38)

Direct YouTube Link: https://www.youtube.com/watch?v=se8FBmdDSB4

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Petya Ransomware – Daily Security Byte EP. 240

As if ransomware wasn’t already bad enough, a new sample is trying to up the extortion pressure by encrypting your whole hard drive. Watch today’s video to learn more about this new threat, and why I think its novel tactics might backfire.

(Episode Runtime: 4:36)

Direct YouTube Link: https://www.youtube.com/watch?v=E3lAlzjDvUE

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Ethical Hackers Spread Ransomware – Daily Security Byte EP. 239

If you visit a site to get your ethical hacking certification, you’re probably not expecting to get a dose of ransomware along with it. However, that’s exactly what might have happened if you visited the CEH website recently. In today’s video I share a warning from Fox IT about an ironic website hijack.

(Episode Runtime: 2:36)

Direct YouTube Link: https://www.youtube.com/watch?v=9WT1NNhlCmE

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Macro Tip – Daily Security Byte EP. 238

Malware spread via malicious Office documents with evil macros is on the rise again. While Microsoft does have settings that allow you to disable or warn about macros, most businesses share documents with legitimate macros. How do you protect your users from evil macros while letting the legitimate documents use them? Watch today’s video to learn about Microsoft’s new macro safety feature.

(Episode Runtime: 2:20)

Direct YouTube Link: https://www.youtube.com/watch?v=Jhqq7npI8l8

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Locky Vigilante

Recently, while working with LastLine (our APT Blocker provider) on what I thought was a low score for a ransomware file, I uncovered something unusual. A lot of ransomware is currently being sent as a JavaScript (.js) attachment in emails. JavaScript on its own is relatively harmless, but it can be used to download and run more harmful files. In this instance, the JavaScript indeed downloaded an executable file from a compromised WordPress site (hxxp://www.xxxxxxxx.it/wp-content/plugins/hello123/89h766b.exe), which obviously seemed suspicious, and led me to believe that it was a malicious file. However, our advanced threat prevention system only gave the file a score of 0/100, suggesting it was benign. What was going on?

Initially, I thought our system missed a threat. Turns out that, despite being called “89h766b.exe”, it was in fact a harmless text file containing the text “STUPID LOCKY”.

Stupid Locky

So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the command and control infrastructure attackers use to deliver their malicious executables. It looks like this vigilante replaced the harmful ransomware file with an innocuous text file, thus preventing the evil email campaign from working. While we thank the vigilante for their efforts, we recommend customers do not allow emails with .js attachments and use APT Blocker.

— Rob Collins
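Two checks that follow from this write-up, as an added example (not WatchGuard’s, LastLine’s, or the author’s code): a mail-gateway filter for .js attachments, and an extension-versus-content check that flags a file named .exe whose bytes are not a PE image, which is exactly the condition behind the 0/100 score above. The attachment names and payload bytes are constructed for illustration.

```python
"""Defensive checks suggested by the Locky Vigilante write-up.

Added example, not WatchGuard's or LastLine's code. Sample attachment
names and payload bytes are constructed for illustration.
"""

# The post's recommendation: do not accept .js attachments by email.
# A production list would be broader (assumption), but .js is what the post names.
BLOCKED_ATTACHMENT_EXTENSIONS = {".js"}


def blocked_attachments(filenames):
    """Return the attachment names a .js-blocking mail policy would reject.

    The comparison is case-insensitive so 'INVOICE.JS' is not let through.
    """
    return [
        name for name in filenames
        if any(name.lower().endswith(ext) for ext in BLOCKED_ATTACHMENT_EXTENSIONS)
    ]


def classify_payload(declared_name, content):
    """Compare a downloaded file's declared extension with its actual bytes.

    Windows PE images start with the two-byte 'MZ' signature. A file named
    '.exe' without it (like the 'STUPID LOCKY' text file) is a mismatch worth
    flagging on its own, rather than trusting either the filename or a low
    sandbox score in isolation.
    Returns a (verdict, reason) tuple.
    """
    name = declared_name.lower()
    looks_like_pe = content[:2] == b"MZ"
    if name.endswith(".exe") and not looks_like_pe:
        # Decode loosely so the analyst sees what the "executable" really contains.
        preview = content[:64].decode("ascii", errors="replace")
        return ("mismatch", f"declared .exe but no MZ header; starts with {preview!r}")
    if looks_like_pe:
        return ("pe", "MZ header present; submit for full dynamic analysis")
    return ("other", "extension and content agree")


if __name__ == "__main__":
    # Constructed inputs mirroring the case in the post.
    print(blocked_attachments(["invoice.JS", "report.pdf", "scan.js"]))
    print(classify_payload("89h766b.exe", b"STUPID LOCKY"))
    print(classify_payload("89h766b.exe", b"MZ\x90\x00" + b"\x00" * 60))
```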

FBI Delays Apple Case – Daily Security Byte EP. 237

The FBI vs Apple court hearing was supposed to start Tuesday, but the FBI delayed it. What happened? Watch my daily video to find out and to learn what I think this means to the case.

(Episode Runtime: 4:52)

Direct YouTube Link: https://www.youtube.com/watch?v=L0hVttpqeB0

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Apple Patches iMessage and More – Daily Security Byte EP. 236

Today, Apple released security updates for all their operating systems, Safari, and Xcode. The updates fix many vulnerabilities, including a number of remote code execution flaws, and some cryptography issues with iMessage. Watch today’s video to learn more, and be sure to download the updates if you use Apple software.

(Episode Runtime: 2:29)

Direct YouTube Link: https://www.youtube.com/watch?v=ZdrxbfygTrk

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Steam Stealers – Daily Security Byte EP. 235

If you’re a Steam gamer, your credentials and library are a hot commodity on the Internet underground. Watch Friday’s video to learn about Steam Stealers, and how to avoid them.

(Episode Runtime: 3:06)

Direct YouTube Link: https://www.youtube.com/watch?v=4YqXzqao1pQ

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Short-Lived Crypto-Ransomware

Last week, researchers found a new crypto-ransomware variant that gave its encrypted files a .locked extension, which seems similar to the Locky ransomware. For a short time, this caused some to assume that this was a new Locky variant, and for reasons I’ll get to later, it gave them hope that we might be able to decrypt Locky files. Since I recently shared my own experiences with Locky, and how well WatchGuard appliances stop it, I was interested in this new variant and wanted to dispel any false impressions.

Unfortunately, those hopeful people’s first impressions proved wrong. This new sample is not connected to Locky. Nevertheless, it’s a great illustration that not every piece of ransomware succeeds. This sample didn’t survive long enough to get a widely known name, although it infected around 700 victims in one day.

Like other crypto-ransomware, this sample encrypts files using AES encryption and, as I mentioned before, adds the .locked extension, which is likely why people confused it with Locky. However, remember that Locky uses the .locky extension, not .locked.

Ransomware Letter

An example of this sample’s ransom note.

So why were people hopeful that we might decrypt Locky files? A few hours after the first infections, a person named Utku Sen published the decryption keys for the affected victims. How was this possible?

It turns out Sen is a researcher who developed a proof-of-concept (PoC) file-encryption project called EDA2. This new ransomware’s authors used code from the EDA2 project to encrypt their victims’ files. Fortunately for the victims, Sen built a backdoor into EDA2 to prevent malicious actors from abusing his encryption project for nefarious purposes. He simply used his backdoor to provide the decryption keys to all the victims. A few hours later, the Command & Control (C&C) servers for this crypto-ransomware disappeared, probably because the attackers accepted their defeat.

Ransomware isn’t always devastating. In this case, quick help was made available to recover the victims’ files. However, not all cases are this easy. Other variants like Locky, Cryptowall, and newer TeslaCrypt variants use well-crafted encryption mechanisms, which are near impossible to crack on today’s computers in a reasonable amount of time. This is why you should keep your shields up, and use a combination of security services that offer layered protection against today’s ever-evolving threats.

Additionally, I highly recommend you create regular backups of your data, and keep them in a safe and unconnected place. That way you can still restore your important data in the worst case. One note: you may also want to keep copies of any files that have already been encrypted by ransomware. There’s no guarantee, but we have seen decryption tools for other crypto-malware variants published months after the first infections (e.g. TeslaCrypt 2).

— Jonas Spieckermann
