Ransoc, A New Type of Ransomware
A new ransomware variant was discovered been in the past few weeks. This variant doesn’t encrypt your hard drive or anything like the traditional ransomware instead it displays a full screen web application that prevents a user from accessing other applications nor the operating system. Called Ransoc because of it’s connections to social media, the malware searches for illegal files on the system and scrapes social media information from the user profiles. Social media accounts include Facebook, Linkedin and Skype. Ransoc also prevents the user from killing the malware through regedit, msconfig or task manager as it resets and checks every 100s. Depending on what is found that is illegal (it searches the system for child pornography, media files downloaded through torrent, etc) the ransomware displays a fake legal notice in full screen view (similar to a browser locker) threatening to expose the user if they don’t pay. Normally the payment is made using bitcoins but in this case the credits cards are even accepted. The gutsy approach is confidence that the user will not contact authorities to minimize the risk of getting exposed.
http://www.sectechno.com/ransoc-malware-that-uses-social-networks-for-a-customized-attack/
https://www.proofpoint.com/uk/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles
Facebook is Buying Up Stolen Passwords
Facebook is buying passwords from the online black market and comparing them to the passwords of the users. The list of passwords, captured in plaintext, goes through a hash function and compares the hash results to their user’s hashed password. Allegedly Facebook doesn’t store passwords in plaintext, when a user logs on the password entered it compared to the hash stored in the system for that user. Facebook does the same for the passwords it mines from the online black market. If a match is found, Facebook locks the account and hides the account from the public until the user changes his or her password. I’ve seen this before somewhere else, in fact I was alerted to it through CSID, an identity protection company. CSID alerted me that the password for one of my monitored email accounts was found online in black market. I changed that password so fast..
https://nakedsecurity.sophos.com/2016/11/11/facebook-is-buying-up-stolen-passwords-on-the-black-market/
Nessus Scan Report
Trump’s Email Servers!?!?!
A security researcher recently discovered that the some of the email servers linked to Mr. Trump’s organization (including hotels and other businesses) has some serious security flaw. One of the biggest issue is that the email servers are running Windows Server 2003, an operating system that Microsoft hasn’t supported since July of 2015. Even worse, the email servers are not patched. Also an issue is the use of out-dated software, in this case Microsoft IIS 6.0. IIS version 6 is a web server that comes with MS Windows Server 2003, so it is also unsupported by Microsoft. And to add to all that, the servers use one factor authentication. What’s interesting is the researcher got all this from doing what we’ve done in class in regards to reconnaissance. He searched through public info and he didn’t run any advanced scans. Isn’t ironic how Mr. Trump talks about the lack of security in Mrs. Clinton’s email servers but has the same issues with his own servers.
Links:
iOS 10 Security Flaw makes cracking encrypted backups easier
While updating its Phone Breaker software for iOS 10, Elcomsoft, a Russian cybersecurity firm, discovered a security flaw where encrypted backups can be hacked fairly easily. Apple’s chosen password verification method contains a flaw that makes it possible to bypass some security checks. In the past, iOS 9 limited the amount of password attempts that could be made even when with GPU acceleration at 150k times a second. With iOS10, the flaw allows 6 million times a second. By allowing more attempts in a second, the risk of hackers successfully entering the phone has increased tremendously. Elcomsoft says at that speed “hackers would only need to leave their software running for 2 days until the odds of success approached 90 percent”. But, the real risk is the local encrypted backup done through iTunes. With a full backup, a user’s keychain, Apple’s storage system for passwords,cc numbers and other personal info, is encrypted and stored on the local PC/machine. With the possibility of being able to retrieve the password fairly easy, hackers can gain access to the PC/machine containing the backup and decrypt it as well the keychain to gain access to personal information.
http://www.techrepublic.com/article/beware-ios-10-security-flaw-makes-cracking-encrypted-backups-2500-times-easier/
Dietz & Watson: Reconnaissance Assignment- Brent Easley and Jimmy Jouthe
CryptoMining Malware Detected on NAS Servers
Security firm, Sophos, discovered a malware named Mal/Miner-C, a software written in a scripting language (NSIS- NullSoft Scripting Install System) used to create Windows installers, on computers and NAS servers. The malware used these systems as leverage to mine Monero. Monero is an open source secure, private untraceable currency and it doesn’t require a huge amount of processing power, hence easier to mine. So this malware was using the infected system resources to do the mining and with so many systems, the Monero can add up pretty quick. But in order for it to work the user/client has to run the malware, which comes to them as a file that needs to be downloaded and with a little social engineering things can get a little hairy. What’s interesting is Mal/Miner-C abused FTP servers using software components that randomly generates ip addresses and attempts to connect to them using stored usernames and passwords. Once the malware was in the server, like a worm it copied itself into underlying folders and so on until every folder in the server contains the malware. Mal/Miner-C has also been affecting NAS storage devices, specifically Seagate Central. Although Seagate is not the target, it did expose a risk. Seagate allows remote access to private and public folders and if enabled, allows users to access their private folders remotely but also allows anybody to access and write to the public folder. Even further, the public folder cannot be deleted, so to be safe users has to forgo accessing their files remotely altogether.
http://www.securityweek.com/nas-devices-used-spread-cryptocurrency-mining-malware
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en
https://getmonero.org/home
“Air Gapped” Computers can also be Vulnerable
Logicaly removed and physically separated from unsecured public networks, “Air Gapping” a system is way to ensure security on a system. The idea being if the system is not connected to the public network it is considered less risky and thus less vulnerable to get a threat. But as technology advances that is becoming more of a pain and work to achieve. Researchers at the Cyber Security Research Center in Israel have found a way to transmit data from an “air-gapped” computer using software installed on an USB drive and a nearby receiver with a radio frequency (RF) antenna. The software on the USB drive (USBee, created by the CSRC) can generate controlled RF emissions from a data bus of a USB connector and send data to a nearby receiver at 80 bytes per second. This is interesting to me because they were able to use the internal resources of the computer to pretty much create a transmitter out of a simple portable storage device using code, that’s impressive! Protecting “air-gapped” systems not only requires separating it from unsecured networks but also shielding the containing room in a location away from antennas and quite possibly removing USB ports or creating systems with the minimum amount of hidden USB ports that would be available to only those that need access.
http://www.darkreading.com/vulnerabilities—threats/air-gapped-systems-foiled-again-via-usb-drive-/d/d-id/1326803
http://in.bgu.ac.il/en/Pages/news/datastolen_usb.aspx