Tag Archives: Malware

Keep your drivers up to date without taxing your PC

Drivers have access to your entire Windows PC, which makes them malware targets – as it was the case with keyloggers hiding within audio drivers on laptops. Such attacks are often based on software vulnerabilities which should be patched as soon as an update becomes available. However, with most vendors this does not happen automatically. […]

The post Keep your drivers up to date without taxing your PC appeared first on Avira Blog.

Read More

Cyber Sabotage at the Winter Olympics

On Monday, while spectators were being dazzled by the opening ceremony of the 2018 Winter Olympics, held in Pyeongchang, the Olympics organizing committee was busy dealing with a cyberattack.

The decline in new malware samples and the professionalization of attacks on networks are setting new standards in cybersecurity. In this case, we’re dealing with a targeted attack and an act of sabotage, in which hackers sought to cause chaos during the opening ceremony. It affected some television and internet services before the ceremony, but was not successful in stealing data from servers.

Researchers from Cisco’s Talos division also added that the malware’s purpose was not theft, but rather destruction.

GoldDragoN, the latest Russian hack?

With the focus usually centered on maximum profit, there’s been an increase in the number of advanced infiltrations using sharp new tactics, such as malwareless attacks and the abuse of non-malicious tools.

PandaLabs explains that by not using malware, which is easily detected by advanced cybersecurity tools, attackers assume the identity of the administrator after having obtained  their network credentials. They warn that the techniques used by cybercriminals to attack without using malware can be highly varied, taking advantage of all kinds of non-malicious tools that are part of the day to day of IT managers.

In this case, the attack did in fact use malware (named GoldDragon), but to carry out certain actions it used non-malicious tools such as PsExec or the CMD itself. In this way, it was able to execute processes on other computers connected to the network without raising suspicion and without using a version modified by the attackers, but rather the official version.

To carry out its destructive actions, it launched system commands from a command window (cmd). Instructions looked like this:

C:Windowssystem32cmd.exe /c c:Windowssystem32vssadmin.exe delete shadows /all /quiet

Here, the vssadmin.exe is used to silently erase the backup copies created by the operating system.

Everything seems to indicate that the attack came from Russia. Ukrainian intelligence and a CIA report linked NotPetya and BadRabbit to Russian intelligence, and in the case of GoldDragon (also called Olympic Destroyer), all signs point to a more refined version of BadRabbit.

System tools as a new attack vector

Monitoring the execution of all processes on company workstations and servers is essential to avoiding close calls like the one we witnessed in this year’s winter olympics.

Traditional antiviruses are not able to detect these types of attack, nor to remediate them. However, Panda Adaptive Defense proposes a new security model based on the monitoring, control, and classification of behavior and the nature application in execution to offer robust and complete protection.

PandaLabs recommends the use of advanced cybersecurity solutions such as Panda Adaptive Defense, which also allow the client’s existing infrastructure to coexist with traditional antivirus systems and integrate with existing SIEM solutions.

The post Cyber Sabotage at the Winter Olympics appeared first on Panda Security Mediacenter.

Read More

How to Avoid Ransomware in 5 Easy Steps

As you scroll through your social media feed, a window pops up: “Your hard drive has been encrypted. You have 48 hours to pay $200 or your data will be destroyed.” You see a link and instructions to “pay in Bitcoin.” An ominous looking timer counts down the seconds and minutes for the two-day window. Nine, eight, seven….  

Your thoughts immediately go to the contents of your hard drive — your daughter’s graduation video, your bank statements, a life insurance policy, pictures of your grandchildren — they all sit there, vulnerable, helpless bits of ones and zeros…and you don’t know what the heck bitcoin is.

Welcome to the world of ransomware — digital data hostage-taking only Hollywood could make up. Ransomware is a security threat for people and business, and cybersecurity experts predict it will only get worse in the future. One cause for its popularity is the profitability of the enterprise. Cyberthieves rake in millions every year with threats to destroy or encrypt valuable data if their ransoms aren’t paid.

You don’t need to be a millionaire or multinational corporation to be at risk. Cyberthieves also target the data of average consumers. When they target consumers, hackers may only request a few hundred dollars ransom but when the threat includes a thousand people, it makes for quite the lucrative venture. Many ransomware victims feel the risk of losing their data is too great, so they pay up. However, this only encourages the criminals.

The best way to combat ransomware is by not becoming a victim in the first place. To that end, here are five immediate steps you can take to avoid ransomware attacks.   

Step 1: Set Your Operating System to Automatically Update

The first step to avoiding ransomware is to update your operating system (OS). Anything connected to the web works better when it’s OS is updated. Tech companies like Microsoft and Apple regularly research and release fixes for “bugs” and security patches for vulnerabilities in their systems. It’s a cybersecurity game of cat and mouse. Cyberthieves search for “holes,” and companies race to find them first and “patch” them.

Users are key players in the game because they are the ultimate gatekeepers of their operating systems. If your OS isn’t up to date, you can’t take advantage of the security updates. Plus, your computer runs better with an updated OS.

Set your OS to update automatically and you won’t need to remember to do it manually. While Windows 10 automatically updates (you have no choice), older versions don’t. But setting auto updates are easy, whether you’re on a Mac or PC.  

Step 2: Screenshot Your Bank Emails

Cybercriminals use trojans or worms to infect your computer with ransomware. So avoiding these will help you avoid ransomware. Worms and trojan malware are often spread through phishing email scams, which trick users into opening email attachments containing viruses or clicking links to fake websites posed as legitimate ones.

One of the best tips for keeping phishing emails at bay is learning to identify them. Hackers send phishing emails that look like they come from banks, credit card companies, or the IRS. Phishing emails kickstart your fears and anxieties by suggesting there are “problems with your account” or insisting that “Urgent action is required.” Who wouldn’t be scared if their bank sent them an email saying, “You are overdrawn in your account.”

Cybercriminals use this fear to distract people so they will overlook the telltale signs of the phishing email like misspellings or common fear-inducing subject lines.     

Take screenshots of all of the legitimate emails from your bank, credit card companies, and others business that manage your sensitive information. Use these screenshots to compare with future emails you receive so you can spot phishing phonies and avoid ransomware.

Step 3: Bookmark Your Most Visited Websites

The next step in your ransomware avoidance journey is to bookmark all of your most visited websites. Just as with phishing emails, cybercriminals build websites that look like bank or credit card sites. Then they trick users into clicking a link and visiting them. From there, hackers steal your sign-in credentials or infect your computer with malware.

Think twice before you visit a website by clicking a link in an email, comments section, or private messaging app. Instead, bookmark your most visited or high-value websites and visit them through your browser.  

Step 4: Backup Your Data to the Cloud and a Hard Drive

This step is a no-brainer. Ransomware works if you only have one copy of your data. If it’s irretrievable, then cyberthieves have the upperhand, but if you have multiple copies, you have taken away the power behind the threat.

Back up your data to both a cloud service and a hard drive. That way, you have a copy that’s available anywhere there’s internet access and one that’s physically accessible all the time. Both types of storage are relatively inexpensive and will certainly prove worth it if you’re ever a ransomware target.

After backing up your data, set up a schedule so you can keep your data current. If you haven’t backed up your data in six months, you’re probably just as vulnerable to ransomware attacks as having no backup at all.

The post How to Avoid Ransomware in 5 Easy Steps appeared first on Panda Security Mediacenter.

Read More

Your smartphone camera deserves better protection than a band-aid

Your smartphone camera deserves better protection than a band-aid - Protection d’appareil photo, Protezione fotocamera

Do you know who’s looking at you through your smartphone camera? The newly updated Avira Antivirus Security app answers that question and more by giving you direct control over your phone’s camera. Avira Antivirus Security does to smartphones what notable individuals such as Facebook’s Mark Zuckerberg and ex-FBI director James Comey are already doing with […]

The post Your smartphone camera deserves better protection than a band-aid appeared first on Avira Blog.

Read More

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

hacking-chinese-iron-tiger-apt

Security researchers have discovered a custom-built piece of malware that’s wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.

Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.

Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.

However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency.

The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.

Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment that delivers via highly-targeted phishing emails.

cyber-espionage-malware

If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting “down.pzchao.com,” which resolved to an IP address (125.7.152.55) in South Korea at the time of the investigation.

The threat actors behind the attack campaign have control over at least five malicious subdomains of the “pzchao.com” domain, and each one is used to serve specific tasks, like download, upload, RAT related actions, malware DLL delivery.

The payloads deployed by the threat actors are “diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system,” researchers noted.

The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a ‘java.exe’ file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.

For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.

PZChao’s final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.

The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:

  • Real-time and offline remote keystroke logging
  • Listing of all active processes and opened windows
  • Listening in on conversations via microphone
  • Eavesdropping on webcams’ live video feed
  • Allowing for remote shutdown and reboot of the system
  • Downloading binaries from the Internet to remote host
  • Modifying and stealing files and more.
All of the above capabilities allows a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data easily.

While the tools used in the PZChao campaign are a few years old, “they are battle-tested and more than suitable for future attacks,” researchers say.

Active since 2010, Iron Tiger, also known as “Emissary Panda” or “Threat Group-3390,” is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.

For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.

WannaMine – new cryptocurrency malware exposes failings of traditional anti-virus tools

Cryptocurrencies have hit the headlines again this week, but this time it is not for good reasons. Nicknamed “WannaMine”, a new malware variant has been taking over computers around the world, hijacking them to mine a cryptocurrency called Monero.

WannaMine was first discovered by Panda Security in October last year, but the malware is only just coming to the attention of the general public, thanks to a number of high profile infections. But unlike other malware variants, WannaMine is proving particularly hard to detect and block.

What does WannaMine do?

At the most basic level, WannaMine has been designed to mine a cryptocurrency called Monero. The malware silently infects a victim’s computer, and then uses it to run complex decryption routines that create new Monero. The currency is then added to a digital wallet belonging to the hackers, ready to be spent whenever they choose.

This may sound relatively harmless, but the mining process takes priority over legitimate activities. An infected computer begins to slow down – a particularly frustrating experience for users.

What is the problem?

There are several serious problems with WannaMine. First, the way in which it tries to make maximum use of the processor and RAM places the computer under great strain. Eventually the computer will begin to fail, requiring costly repairs – or even complete replacement.

The second major problem is to do with the way in which WannaMine spreads itself. Initially there is nothing unusual about the malware – users are tricked into downloading the malware via email attachments or infected websites. Once installed however, WannaMine uses some very clever tricks to spread across the network.

By using two (important) built-in Windows tools – PowerShell and Windows Management Instrumentation – WannaMine tries to capture login details that allow it to connect to other computers remotely. If that technique fails, WannaMine then falls back on the same security exploit (EternalBlue) used by the WannaCry ransomware to spread itself.

Because it uses built-in Windows tools WannaMine is being described as “fileless”, making it incredibly hard to detect and block. In fact, some reports suggest that many traditional anti-virus applications cannot detect WannaMine, or protect users against it.

Protecting against WannaMine

The only way to spot a WannaMine infection is by carefully monitoring the applications and services running on a computer, using a technique that Panda Security call “Adaptive Defense”. Panda Security scans all incoming files and prevents infection before WannaMine can compromise a computer.

As well as having a robust, modern anti-virus application installed on all your computers, it is vital that they are all routinely updated and patched to close the loopholes used by malware. The EternalBlue exploit used by WannaMine and WannaCry was patched by Microsoft in March 2017 – but many Windows users have not applied the update, leaving themselves vulnerable.

Keeping your computer up-to-date and installing security tools like Panda Antivirus will help to block cryptocurrency malware before it can take over your computer. And as WannaMine shows – if your computer is infected, it may soon spread to other computers and devices on your network.

Download your Antivirus

The post WannaMine – new cryptocurrency malware exposes failings of traditional anti-virus tools appeared first on Panda Security Mediacenter.

Read More