Category Archives: Cyber Security News

Source Code For SLocker Android Ransomware That Mimics WannaCry Leaked Online

Bad news for Android users — source code for one of the oldest and most popular Android ransomware families has been leaked online, making it available to cybercriminals who can use it to develop more customised and advanced variants of Android ransomware.
Source code for the SLocker ransomware, which saw a six-fold increase in the number of new versions over the past six months, has just been leaked on GitHub and is now available to anyone who wants it.
The SLocker source code was leaked by a user who goes by the online moniker ‘fs0c1ety’ and is urging all GitHub users to contribute to the code and submit bug reports.

SLocker, or Simple Locker, is mobile lock-screen and file-encrypting ransomware that encrypts files on the phone and uses Tor for command and control (C&C) communication. The malware has also posed as law enforcement agencies to convince victims to pay the ransom.
SLocker became notorious for infecting thousands of Android devices in 2016. Security researchers discovered more than 400 new variants of the ransomware in the wild in May, and just a month later it was spotted copying the GUI of WannaCry.
Once infected, SLocker runs silently in the background of a victim’s device without their knowledge or consent and encrypts images, documents and videos on mobile devices.
Once it has encrypted files on the device, the Android ransomware hijacks the phone, blocking the user’s access completely, and attempts to threaten the victim into paying a ransom to unlock it.

Why Should You Worry?

Active since 2015, SLocker stands out as one of the first ransomware samples to encrypt Android files. The malware has evolved beyond merely locking screens and demanding payment to taking over administrative rights and controlling the device’s microphone, speakers and camera.

Now that the source code of this nasty Android ransomware has been published on GitHub, Android devices are likely to face an increasing number of ransomware attacks in the coming days.

The leaked source code is a golden opportunity for those who are always looking for one: malware of this kind is normally only offered for sale on underground forums, but SLocker is now accessible to cybercriminals and fraudsters for FREE.

Earlier this year, researchers discovered a variant of the BankBot banking trojan in the wild that was developed using the malware’s source code, which had been leaked on an underground hacking forum.
Last year, the source code for the MazarBot (improved version of GM Bot) was also leaked online by its author in order to gain reputation on an underground forum.

How to Protect Yourself?

As I previously mentioned, users are always advised to follow some basic precautions in order to protect themselves against such threats:

  • Never open email attachments from unknown sources.
  • Never click on links in SMS or MMS messages.
  • Even if the email looks legit from some company, go directly to the source website and verify any possible updates.
  • Go to Settings → Security, and Turn OFF “Allow installation of apps from sources other than the Play Store.”
  • Always keep your Android devices, apps and Antivirus app up-to-date.
  • Avoid unknown and unsecured Wi-Fi hotspots and keep Wi-Fi switched off when not in use.

What is the hype around Firewall as a Service?

Admit it. Who would not want their firewall maintenance grunt work to go away?
For more than 20 years, companies either managed their edge firewall appliances or had service providers rack-and-stack appliances in their data centers and did it for them.
This was called a managed firewall — an appliance wrapped with a managed service, often from a carrier or managed security service provider (MSSP).
The provider took over management of the firewall box, its software, and even its policy and administration from the over-burdened IT team. But customers still ended up paying for the inefficiency of dealing with appliances (i.e. the “grunt work”), because the problem had simply shifted to the provider. A new architecture was needed: a transformation from an appliance form factor to a true cloud service.

In its 2016 Hype Cycle for Infrastructure Protection report, Gartner analyst Jeremy D’Hoinne introduced the emerging category of Firewall as a Service (FWaaS).

He defined FWaaS as “…a firewall delivered as a cloud-based service or hybrid solution (that is, cloud plus on-premises appliances). The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure.”

Recently, in the 2017 Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), the analysts reference a Gartner client survey indicating 14% of respondents were likely (8%) or very likely (6%) to consider moving all the firewall security functions to FWaaS.
FWaaS isn’t merely packaging of legacy appliances into a managed service. It is challenging the decades-old concept of the appliance as the primary form factor to deliver network security capabilities.

What is an FWaaS?

FWaaS offers a single logical firewall that is available anywhere, seamlessly scales to address any traffic workload, enforces a unified policy, and is maintained by the cloud provider.
Let’s look at these elements in more detail.

• Single, global firewall instance — One firewall instance for the entire global organization is radically different from the current architecture, which places a network security stack at each location, regional hub or datacenter.
With FWaaS every organizational resource (data center, branch, cloud infrastructure or a mobile user) plugs into the FWaaS global service and leverages all of its security capabilities (application control, URL filtering, IPS, etc).

• Seamlessly scales to address inspection workload — FWaaS provides the necessary compute resources to perform all security processing on all traffic regardless of source or destination.
IT teams no longer need complex sizing processes to determine the appliance capacity required for today’s business requirements and future growth. For example, the growth in SSL traffic volume puts pressure on appliance processing capacity and can force unplanned upgrades. FWaaS can scale to accommodate these needs without disrupting the customer’s business operations.

• Enforcing a unified policy — A single firewall, by design, has a single security policy. While legacy appliance vendors created centralized management consoles to ease the management of distributed appliances, IT must still consider the individual firewall instances at each location and often customize policies to a location’s unique attributes.
In heterogeneous firewall environments (often created through M&A), security policy is hard to configure and enforce, increasing exposure to hackers and web-borne threats. Contrast that with a single cloud-based firewall that uniformly applies the security policy to all traffic, for all locations and users.

• Self-maintained — One of the most painful aspects of firewall management is maintaining the software through patches and upgrades. It is a risky process that could impact business connectivity and security.
Many IT teams tend to postpone or skip software upgrades altogether, leaving the enterprise exposed. Because the cloud-based firewall software is maintained by the FWaaS provider and shared by all customers, the firewall is kept up to date: vulnerabilities and bugs are fixed quickly, and new features and capabilities are rolled out rapidly and are immediately available to customers.
FWaaS is bringing genuine relief to overburdened IT teams within enterprises and service providers. Instead of wasting cycles on sizing, deploying, patching, upgrading and configuring numerous edge devices, work can now shift to delivering true security value to the business through early detection and fast mitigation of true risk.

FWaaS Providers

FWaaS is not a mere concept. It is already running in production and is offered by several vendors.
Cato Networks is a provider of the Cato Cloud, built from the ground up to deliver Firewall as a Service.
Cato provides an optimized, global SD-WAN, ensuring resilient connectivity to its FWaaS from all regions of the world. Cato can completely eliminate edge firewalls by inspecting both WAN and Internet-bound traffic. The Cato Cloud FWaaS further extends to mobile users and cloud datacenters.
Zscaler provides FWaaS for Internet-bound traffic from remote branches and mobile users. To secure WAN traffic, customers must rely on other means.

Palo Alto Networks recently announced a similar service. It uses its next generation firewall within a cloud service to protect users, whether in remote locations or mobile, accessing the Internet.
FWaaS is a viable alternative for IT teams that waste time and money to sustain their distributed edge firewall environments — the so-called appliance sprawl.
With FWaaS, they can now reduce the operational and capital expense of upgrading and refreshing appliances as well as the attack surface resulting from delayed patches and unmitigated vulnerabilities.
By simplifying the network security architecture, FWaaS makes IT more productive and the business secure.

Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response

A critical vulnerability has been discovered in Systemd, the popular init system and service manager for Linux operating systems, that could allow remote attackers to trigger a buffer overflow and execute malicious code on targeted machines via a DNS response.

The vulnerability, designated CVE-2017-9445, resides in the ‘dns_packet_new’ function of ‘systemd-resolved,’ the DNS response handler component that provides network name resolution to local applications.

According to an advisory published Tuesday, a specially crafted malicious DNS response can crash the ‘systemd-resolved’ program remotely when the system tries to look up a hostname on an attacker-controlled DNS service.
An oversized DNS response then overflows the buffer, allowing an attacker to overwrite memory, which leads to remote code execution.
This means attackers can remotely run any malware on the targeted system or server via their evil DNS service.

“In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that’s too small,” explains Chris Coulson, Ubuntu developer at Canonical. “A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that’s too small, and subsequently write arbitrary data beyond the end of it.”

This vulnerability has been present since Systemd version 223, introduced in June 2015, all the way up to and including Systemd version 233, released in March this year.
Of course, systemd-resolved must be running on your system for it to be vulnerable.
The bug is present in Ubuntu versions 17.04 and version 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.
Security patches have been rolled out to address the issue, so users and system administrators are strongly recommended to install them and update their Linux distros as soon as possible.
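A defender’s triage check for the two conditions the article names (a systemd version from 223 through 233, and a running systemd-resolved service), written here as an added example rather than anything taken from the advisory; it assumes the version range stated above and that `systemctl --version` prints a first line of the form “systemd NNN”:

```shell
#!/bin/sh
# Added example: triage check for CVE-2017-9445 (systemd-resolved, dns_packet_new).
# Assumes the affected range stated in the article: systemd 223 through 233.

# Extract the upstream version number from `systemctl --version` output.
# Its first line is "systemd 233" (newer builds: "systemd 245 (245.4-4ubuntu3)").
parse_systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Exit 0 only when the version lies in the affected range 223..233.
# Exit 2 for an empty or non-numeric argument ("unknown"), 1 otherwise.
version_in_affected_range() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge 223 ] && [ "$1" -le 233 ]
}

# Combine both conditions: exposure needs an affected version AND an active
# systemd-resolved ($2 is the output of `systemctl is-active systemd-resolved`).
assess() {
    if version_in_affected_range "$1"; then
        if [ "$2" = "active" ]; then
            echo "EXPOSED"
        else
            echo "NOT-EXPOSED-SERVICE-INACTIVE"
        fi
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN-VERSION"
    else
        echo "NOT-AFFECTED-VERSION"
    fi
}

# Run the check on the local host; harmless on hosts without systemd.
main() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found: not a systemd host"
        return 0
    fi
    ver=$(parse_systemd_version "$(systemctl --version 2>/dev/null || true)")
    state=$(systemctl is-active systemd-resolved 2>/dev/null || true)
    echo "systemd version: ${ver:-unknown}; systemd-resolved: ${state:-unknown}"
    echo "assessment: $(assess "$ver" "$state")"
}

main
```

A hit only means the upstream version number is in range; distributions backport fixes without bumping it, so confirm the package’s patch status from the distro changelog (e.g. `apt changelog systemd` or `rpm -q --changelog systemd`).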


Another Massive Ransomware Outbreak Has Battered Ukraine And Is Spreading Fast

Ukraine’s government, National Bank and biggest power companies all warned of cyberattacks on Tuesday. Airports and metro services in the country were also reportedly affected, and it appears they are victims of another massive ransomware outbreak that is spreading across the world fast and hitting a significant number of critical infrastructure providers.

Whispers of WannaCry abound, though security experts said a different breed, named Petya, is to blame. “[We’re seeing] several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” said Kaspersky Lab’s Costin Raiu. “We are seeing infections from many different countries.”

This morning saw major Danish transport and energy company Maersk report a cyber attack, noting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” And Russian oil industry giant Rosneft said it was facing a “powerful hacker attack.” Neither said what kind of attack they were under.

The impact currently appears to be most severe in Ukraine, including major energy companies such as the state-owned Ukrenergo and Kiev’s main supplier Kyivenergo. Government officials have reportedly shared images of their infected computers, including one from deputy prime minister Pavlo Rozenko.

A Ukrenergo spokesperson told Forbes that power systems were unaffected, adding: “On June 27, a part of Ukrenergo’s computer network was cyberattacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked. Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website].” The site remains down at the time of publication.

The National Bank blamed an “unknown virus” as the culprit, hitting several Ukrainian banks and some commercial enterprises. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement on the organization’s website read.

The deputy general director of Kiev’s Borispol Airport, Eugene Dykhne, said in a Facebook post: “Our IT services are working together to resolve the situation. There may be delays in flights due to the situation… The official Site of the airport and the flight schedules are not working.”

Kiev Metro, meanwhile, said today in a Twitter alert that it was not able to accept bank card payments as a result of a ransomware infection.

It is currently unclear whether the attacks are purely ransomware, or whether myriad attacks are hitting various parts of Ukraine. Attacks on Ukraine’s power grid in 2015 and 2016 were believed to have been perpetrated by Russia, though the country denies all cyberattacks on foreign soil.

Though ransomware is typically used by cybercriminals, with WannaCry it was alleged that a nation state, North Korea, was likely responsible for spreading the malware. Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K. and infected hundreds of thousands of other machines.

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back


A South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after Linux ransomware infected 153 of its servers, encrypting 3,400 business websites and their data hosted on them.

According to a blog post published by NAYANA, the web hosting company, the incident happened on 10th June, when ransomware hit its hosting servers and the attackers demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. However, the company later negotiated with the cybercriminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get its files decrypted. The hosting company had already paid two installments at the time of writing and would pay the last installment after recovering data from two-thirds of its infected servers.

According to security firm Trend Micro, the ransomware used in the attack was Erebus, which was first spotted in September last year and was seen again in February this year with Windows User Account Control bypass capabilities.


Since the hosting servers were running Linux kernel 2.6.24.2, researchers believe that the Erebus Linux ransomware might have used known vulnerabilities, like DIRTY COW, or local Linux exploits to gain root access to the system. “The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note. “Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Erebus, which primarily targets users in South Korea, encrypts office documents, databases, archives and multimedia files using the RSA-2048 algorithm and then appends a .ecrypt extension before displaying the ransom note.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.” The public key, which is generated locally, is shared, while the private key is encrypted using AES encryption and another randomly generated key. According to the analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations and to maintain back-ups that are rotated regularly.

Most such infections are introduced by opening infected attachments or clicking on links to malware, usually in spam emails. So, DO NOT CLICK on links provided in emails or attachments from unknown sources.

Moreover, ensure that your systems are running the latest versions of installed applications …

14-Year-Old Japanese Boy Arrested for Creating Ransomware

Japanese authorities have arrested a 14-year-old boy in Osaka, a prefecture and large port city, for allegedly creating and distributing ransomware. This is the first arrest in Japan involving a ransomware-related crime.

Ransomware is malware that encrypts files on a victim’s computer and makes them inaccessible until the victim pays a ransom, usually in Bitcoin, to obtain the decryption keys for the encrypted files. Ransomware has been around for a few years, but it has now become a major cyber threat for businesses and users across the world. Just last month, the WannaCry ransomware hit over 300,000 PCs within just 72 hours, wreaking havoc worldwide.

The arrest came after the teenager, a third-year junior high school student, created ransomware and uploaded its source code to the Internet, according to multiple Japanese media reports. The student, who admitted to the allegations, combined free encryption software to develop his own ransomware, uploaded it to a foreign website and even taught people to download and use it to spread it further for financial gain. The teen also advertised the website through social media, including Twitter, telling users “I made ransomware. Please feel free to use it,” the sources said.

According to Japanese police, the teen’s ransomware allowed a downloader to infect victims’ computers, demanding payment in digital currency. His ransomware framework has been downloaded over 100 times.

The authorities have not revealed the identity of the teenager, but have said that the student took only about 3 days to create the ransomware program on his personal computer.
The student also told the authorities that he learned to code on his own and created the ransomware out of curiosity and a desire to become famous. The Japanese police spotted the ransomware during “cyber patrolling” in January and confiscated the teen’s computer after searching his house in April.

Learn How to Code — Though it is never recommended to develop malware and spread it for fun, financial gain or any other purpose, learning to code is not a crime.

If you’re looking to ‘learn how to code’ and are seeking a career as an expert-level programmer, you should know how to work with code and write your own. We have introduced an ultimate programming bundle that includes ten online training courses that could take your programming skills from beginner to advanced level. The Ultimate Learn to Code 2017 Bundle comes with lifetime access and offers professional training courses on Python, Ruby, Java, iOS, HTML, CSS, AngularJS and other programming languages that are in high demand.

Zomato hacked, data of 17 million users stolen: Report

India’s largest restaurant guide, Zomato, appears to have suffered a major security breach. According to a report in the security blog HackRead, “A vendor going by the online handle of ‘nclay’ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.”
The company, too, has admitted the major security lapse in a blog post. “The reason you’re reading this blog post is because of a recent discovery by our security team — about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” said the company in the post. The company has a total of 120 million users.
The company, however, claimed that the data is safe. “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services,” adds Zomato’s blog post.
It also assured users that the “payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”
Zomato further added that on its part, it has reset the passwords of all affected users. “As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised.”
In its blog, HackRead reports that the asking price for the whole package is $1,001.43 and that the vendor has also shared a trove of sample data to prove that the data is legit. HackRead added that it tested the sample data on Zomato.com’s login page and found that “each and every account mentioned in the list exists on Zomato.” HackRead’s team reportedly also sent password reset emails to some of the email addresses in the data to further check the veracity of ‘nclay’s’ claims. This too indicated that the data is genuine, as the email IDs turned out to be registered with Zomato.
Zomato was founded in 2008 by Deepinder Goyal and Pankaj Chaddah. It has operations in 23 countries, including India, Australia and the United States.

Massive ransomware infection hits computers in 99 countries

A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organisations around the world. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world. There are reports of infections in 99 countries, including Russia and China. Among the worst hit was the National Health Service (NHS) in England and Scotland. The BBC understands about 40 NHS organisations and some medical practices were hit, with operations and appointments cancelled.

How did the cyber-attack unfold?

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”. NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in the virtual currency Bitcoin to unlock the files on each computer.

Throughout the day other, mainly European, countries reported infections. Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit. Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.

In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers. People tweeted photos of affected computers, including a local railway ticket machine in Germany and a university computer lab in Italy. France’s car-maker Renault, Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected. China has not officially commented on any attacks it may have suffered, but comments on social media said a university computer lab had been compromised.

Coincidentally, finance ministers from the Group of Seven wealthiest countries have been meeting in Italy to discuss the threat of cyber-attacks on the global financial system. They are expected to release a statement later in which they pledge greater co-operation in the fight against cyber-crime, including spotting potential vulnerabilities and assessing security measures.

Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password

WordPress, the most popular CMS in the world, is affected by a logic flaw that could allow a remote attacker to reset targeted users’ passwords under certain circumstances.

The vulnerability (CVE-2017-8295) becomes even more dangerous in light of the fact that it affects all versions of WordPress, including the latest, 4.7.4.

The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July last year and reported to the WordPress security team, who decided to ignore the issue, leaving millions of websites vulnerable.

“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski wrote in an advisory published today. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”

Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer library that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.

The vulnerability lies in the way WordPress processes a password reset request for the user it was initiated for. In general, when a user requests a password reset through the forgot-password option, WordPress immediately generates a unique secret code and sends it to the user’s email address already stored in the database.

Palo Alto Networks clinch 500 customers in India in past 2 years

Bangalore: US-based Palo Alto Networks, a network and enterprise security provider, is growing fast with an expanding customer base in the Indian market, according to the company’s top executive.
“We have around 500 customers in India in past 2 years, which are across all verticals and market segments,” said Anil Bhasin, Palo Alto Networks’ Managing Director – India & SAARC, during a recent media briefing here.
“Most of these customers are replacing products and solutions of legacy security vendors and migrating to our offerings,” added Bhasin, who was appointed head of the company’s India operations in 2013.

The steady rise in its customer base suggests that Palo Alto Networks’ business in India is flourishing, although the company does not disclose specifics of its Indian business.
However, citing an IDC study, Bhasin said that the company’s growth has been faster than that of the top four security vendors in India. According to IDC, global security vendor revenues in the first quarter of 2016 rose 5.5% year over year to $2.47 billion, while shipments grew 9.0% year over year to a total of 580,007 units.

As per IDC’s worldwide quarterly security appliance tracker Q1 2016 data released last month, Palo Alto Networks’ revenue crossed $300 million and the company was third on the list of top five vendors, just after Cisco ($429 million) and Check Point ($342 million). In terms of market share, Palo Alto Networks was up from 9.3 percent in Q1 2015 to 12.4 percent in Q1 2016 and grew over 40 percent during that period, as per IDC data.

The company is moving fast enough to close the gap with its two closest competitors, Cisco and Check Point, which hold market shares of 17.4 percent and 13.8 percent respectively.

“Since entering the top 5 in the Q2, 2013, Palo Alto Networks has consistently grown its revenues faster than the overall market. In 1Q15, Palo Alto Networks grew its revenue 54.3% year over year with a net gain of 2.9 share points when compared to the same quarter a year ago,” IDC said in a note.
“We are trying to shift the market and are not seen as OEMs but security partner of customers. Our aim is to provide solutions with embedded security,” noted Bhasin.
One of the main reasons why customers are migrating to Palo Alto Networks, according to Bhasin, is its open approach with technology alliance partners, which complements its offering and helps address customers’ business issues.
In terms of technology alliance to provide integrated security solutions to customers, Palo Alto Networks has a long list of partners including VMware, Citrix, Aruba, Arista, RSA, Amazon Web Services, Microsoft Azure and more.

It provides both on-premise and cloud based security, which addresses the hybrid model needs largely followed by most organizations and enterprises in recent times.
Although Palo Alto Networks was a late entrant to the Indian market, which is largely dominated by established security vendors like Cisco, Juniper, Check Point, Fortinet and others, it has been significantly successful in penetrating this market.
The company began its operations in 2013 with fewer than five staff but has since expanded its base considerably. Today, it has over 30 employees, including experienced sales and support teams, five offices across the SAARC region, RMA (Return Material Authorization) depots and a TAC (Technical Assistance Centre) in Chennai.
Besides, Palo Alto Networks’ growth is also driven by its 100-plus partners and over 200 certified engineers serving customers across the Indian market. Compared to competitors, the company focuses largely on a prevention strategy, using automation and integration to strengthen its security offering. “Customers want prevention of threats but in an automated way. Our 95% APIs are open, which allows them to get embedded into customer environments,” said Bhasin.
It claims to be the only security vendor with a Layer 7 architecture, which enables it to block threats right at the platform layer and neutralise them. It also leverages a self-learning mechanism to address unknown threats.
Overall, the NYSE listed firm provides security cover to customers — right from networks to end-points.
“We make security as a strategic imperative through integration of technology, people and processes,” concluded Bhasin.