Category Archives: Cyber Security News

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back


A South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected 153 of its servers, encrypting the 3,400 business websites and their data hosted on them. According to a blog post published by NAYANA, the web hosting company, the incident happened on 10 June, when the ransomware hit its hosting servers and the attackers demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get its files decrypted. At the time of writing, the hosting company had already paid two installments and would pay the last installment after recovering data from two-thirds of its infected servers. According to the security firm Trend Micro, the ransomware used in the attack was Erebus, which was first spotted in September last year and was seen again in February this year with Windows User Account Control bypass capabilities.


Since the hosting servers were running Linux kernel 2.6.24.2, researchers believe that the Erebus Linux ransomware might have used known vulnerabilities, such as Dirty COW, or a local Linux exploit to gain root access to the system. “The version of Apache NAYANA used is run as a user of nobody (uid=99), which indicates that a local exploit may have also been used in the attack,” the researchers note. “Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Erebus, ransomware primarily targeting users in South Korea, encrypts office documents, databases, archives and multimedia files using the RSA-2048 algorithm and then appends a .ecrypt extension before displaying the ransom note. “The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” the researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2048 algorithm that is also stored in the file.” The public key, which is generated locally, is shared, while the private key is encrypted using AES encryption and another randomly generated key. According to the analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within organizations, as well as to maintain backups that are rotated regularly. Most malware is introduced by opening infected attachments or clicking on links to malware, usually in spam emails. So, DO NOT CLICK on links or attachments in emails from unknown sources. Moreover, ensure that your systems are running the latest versions of installed applications …

14-Year-Old Japanese Boy Arrested for Creating Ransomware

Japanese authorities have arrested a 14-year-old boy in Osaka, a prefecture and large port city, for allegedly creating and distributing ransomware. This is the first arrest in Japan involving a ransomware-related crime. Ransomware is a piece of malware that encrypts files on a victim’s computer and makes them inaccessible until the victim pays a ransom, usually in Bitcoins, in order to get the decryption keys for the encrypted files. Ransomware has been around for a few years, but it has now become a major cyber threat for businesses and users across the world. Just last month, the WannaCry ransomware hit over 300,000 PCs within just 72 hours, wreaking havoc worldwide.

The arrest came after the teenager, a third-year junior high school student, created a ransomware program and uploaded its source code to the Internet, according to multiple Japanese media. The student, who admitted to the allegations, combined freely available encryption software to develop his own ransomware, uploaded it to a foreign website and even taught people to download and use it to spread it further for financial gain. The teen also advertised the website through social media, including Twitter, telling users “I made ransomware. Please feel free to use it,” the sources said. According to Japanese police, the teen’s ransomware allowed a downloader to infect victims’ computers, demanding payment in digital currency. His ransomware framework has been downloaded over 100 times.

The authorities have not revealed the identity of the teenager, but have said that the student took only about three days to create the ransomware program on his personal computer. The student also told the authorities that he had taught himself to code and created the ransomware out of curiosity and a desire to become famous. The Japanese police spotted the ransomware during “cyber patrolling” in January and confiscated the teen’s computer after searching his house in April.

Learn How to Code — Although developing malware and spreading it for fun, financial gain or any other purpose is never recommended, learning to code is not a crime. If you’re looking to learn how to code and are seeking a career as an expert-level programmer, you should know how to work with code and write your own. We have introduced an ultimate programming bundle that includes ten online training courses that could take your programming skills from beginner to advanced level. The Ultimate Learn to Code 2017 Bundle comes with lifetime access and offers professional training courses on Python, Ruby, Java, iOS, HTML, CSS, AngularJS and other programming languages that are in high demand.

Zomato hacked, data of 17 million users stolen: Report

India’s largest restaurant guide, Zomato, appears to have suffered a major security breach. According to a report in the security blog HackRead, “A vendor going by the online handle of ‘nclay’ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.”
The company has also admitted the security lapse in a blog post. “The reason you’re reading this blog post is because of a recent discovery by our security team — about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” said the company in the post. The company has 120 million users in total.
The company, however, claimed that the data is safe. “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services,” adds Zomato’s blog post.
It also assured users that the “payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”
Zomato further added that, on its part, it has reset the passwords of all affected users. “As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised.”
In its blog, HackRead claims that the whole data set is priced at $1,001.43 and that the vendor has also shared a trove of sample data to prove that the data is legitimate. HackRead added that it tested the sample data on Zomato.com’s login page and found that “each and every account mentioned in the list exists on Zomato.” HackRead’s team reportedly also sent password reset emails to some of the email addresses in the data to further check the veracity of ‘nclay’s’ claims. This too indicated that the data is ‘genuine’, as the email addresses turned out to be registered with Zomato.
Zomato was founded in 2008 by Deepinder Goyal and Pankaj Chaddah. It has operations in 23 countries, including India, Australia and the United States.

Massive ransomware infection hits computers in 99 countries

A massive cyber-attack using tools believed to have been stolen from the US National Security Agency (NSA) has struck organisations around the world. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as WannaCry and variants of that name – around the world. There are reports of infections in 99 countries, including Russia and China. Among the worst hit was the National Health Service (NHS) in England and Scotland. The BBC understands about 40 NHS organisations and some medical practices were hit, with operations and appointments cancelled.

How did the cyber-attack unfold?

The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”. NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in the virtual currency Bitcoin to unlock the files on each computer. Throughout the day other, mainly European, countries reported infections. Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit. Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.

In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers. People tweeted photos of affected computers, including a local railway ticket machine in Germany and a university computer lab in Italy. France’s car-maker Renault, Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected. China has not officially commented on any attacks it may have suffered, but comments on social media said a university computer lab had been compromised.

Coincidentally, finance ministers from the Group of Seven wealthiest countries have been meeting in Italy to discuss the threat of cyber-attacks on the global financial system. They are expected to release a statement later in which they pledge greater co-operation in the fight against cyber-crime, including spotting potential vulnerabilities and assessing security measures.

Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password

WordPress, the most popular CMS in the world, is vulnerable to a logic flaw that could allow a remote attacker to reset targeted users’ passwords under certain circumstances. The vulnerability (CVE-2017-8295) becomes even more dangerous given that it affects all versions of WordPress, including the latest version, 4.7.4. The flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July last year and reported to the WordPress security team, who decided to ignore the issue, leaving millions of websites vulnerable.

“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski wrote in an advisory published today. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”

Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer library that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application. The vulnerability lies in the way WordPress processes a password reset request for the user for whom it was initiated. In general, when a user requests a password reset through the forgot password option, WordPress immediately generates a unique secret code and sends it to the user’s email address already stored in the database.

Palo Alto Networks clinch 500 customers in India in past 2 years

Bangalore: US-based Palo Alto Networks, a network and enterprise security provider, is growing fast with an expanding customer base in the Indian market, according to the company’s top executive.
“We have around 500 customers in India in past 2 years, which are across all verticals and market segments,” said Anil Bhasin, Palo Alto Networks’ Managing Director – India & SAARC, during a recent media briefing here.
“Most of these customers are replacing products and solutions of legacy security vendors and migrating to our offerings,” added Bhasin, who was appointed head of the company’s India operations in 2013.

The steady rise in its customer base suggests that Palo Alto Networks’ business in India is flourishing, although the company does not provide specifics of its business in India.
However, citing an IDC study, Bhasin said that the company’s growth has been faster than that of the top four security vendors in India. According to IDC, global security vendor revenues in the first quarter of 2016 rose 5.5% year over year to $2.47 billion, while shipments grew 9.0% year over year to a total of 580,007 units.

As per IDC’s worldwide quarterly security appliance tracker Q1 2016 data released last month, Palo Alto Networks’ revenue crossed $300 million and was third on the list of top five vendors, just after Cisco ($429 million) and Check Point ($342 million). In terms of market share, Palo Alto Networks was up from 9.3 percent in Q1 2015 to 12.4 percent in Q1 2016, and it grew over 40 percent during that period as per IDC data. The company is moving fast enough to close the gap with its two closest competitors, Cisco and Check Point, which hold market shares of 17.4 percent and 13.8 percent respectively.

“Since entering the top 5 in the Q2, 2013, Palo Alto Networks has consistently grown its revenues faster than the overall market. In 1Q15, Palo Alto Networks grew its revenue 54.3% year over year with a net gain of 2.9 share points when compared to the same quarter a year ago,” IDC said in a note.
“We are trying to shift the market and are not seen as OEMs but as a security partner of customers. Our aim is to provide solutions with embedded security,” noted Bhasin.
One of the main reasons why customers are migrating to Palo Alto Networks, according to Bhasin, has been its open approach with technology alliance partners, which helps address customers’ business issues.
In terms of technology alliances to provide integrated security solutions to customers, Palo Alto Networks has a long list of partners including VMware, Citrix, Aruba, Arista, RSA, Amazon Web Services, Microsoft Azure and more.

It provides both on-premises and cloud-based security, which addresses the hybrid model that most organizations and enterprises have adopted in recent years.
Although Palo Alto Networks was a late entrant in the Indian market, which is largely dominated by established security vendors like Cisco, Juniper, Check Point, Fortinet and others, it has been significantly successful in penetrating this market.
The company started its operations in 2013 with fewer than five staff, but since then it has expanded its base considerably. Today, it has over 30 employees, including experienced sales and support teams, five offices across the SAARC region, RMA (Return Material Authorization) depots and a TAC (Technical Assistance Centre) in Chennai.
Besides, Palo Alto Networks’ growth is also driven by its 100-plus partners and over 200 certified engineers serving customers across the Indian market. Compared to its competitors, the company largely focuses on a prevention strategy, using automation and integration to strengthen its security offering. “Customers want prevention of threats but in an automated way. 95% of our APIs are open, which allows them to get embedded into customer environments,” said Bhasin.
It claims to be the only security vendor with a Layer 7 architecture, which enables the company to block threats right at the platform layer and neutralize them. It also leverages a self-learning mechanism to address unknown threats.
Overall, the NYSE listed firm provides security cover to customers — right from networks to end-points.
“We make security as a strategic imperative through integration of technology, people and processes,” concluded Bhasin.

Pro-Pakistan group hacks websites of Indian universities, including DU, IITs

New Delhi: A pro-Pakistan group hacked the official websites of four prominent Indian institutes—Indian Institute of Technology Delhi (IIT Delhi), IIT Varanasi, Aligarh Muslim University (AMU) and Delhi University (DU)—and some lesser-known institutions several times on Tuesday. While all four educational institutes initially restored their websites, the hackers brought them down again and posted pro-Pakistan, anti-India messages on them. As of 9.15pm, the IIT Varanasi and IIT Delhi websites were showing the hackers’ message. The AMU and DU websites had been restored.

The hacker group, calling itself “Pakistan Haxors Crew”, posted abuse directed at the Indian government and the Indian Armed Forces on the landing pages of the websites. The hacker group said: “Nothing deleted or stolen. Just here to deliver my message to Indians.” The Pakistan Haxors Crew also said the hack was in response to an Indian hacker hacking that country’s railways website.

Other websites which were hacked Tuesday are University of Kota; Army Institute of Management and Technology, Greater Noida; Defence Institute of Advanced Technology; Army Institute of Management, Kolkata; National Aerospace Laboratories and Board of Research in Nuclear Sciences (BRNS).

“Greetings Government of India, and the people of India. 🙂 Do you know what your so-called heroes (soldiers) are doing in Kashmir? Do you know they are killing many innocent people in Kashmir?” read the message displayed on the websites. Officials at Delhi University said they were looking into the issue and that the website would be restored soon.

IIT Delhi professor Sanjeev Sanghi said the institute had not lost any data due to the hacking. Sanghi said the “ERNET DNS (domain name service) server for the IIT Delhi website was targeted”, because of which IIT Delhi’s website was showing the pro-Pakistan messages. Sanghi said IIT Delhi is already in touch with the government over the development. “The website was inaccessible from outside the campus for some time due to some problems in the domain name. Servers were pointing incorrectly to another site,” said DU registrar Tarun Das. “The problem was detected and immediately rectified by contacting ERNET, which has provided the domain name for University of Delhi,” he added. The AMU spokesperson said that the matter had been brought to their notice and their IT department was looking into the issue. IIT-BHU could not be reached immediately.

Allied Telesis launches next-generation firewalls for enterprises

Allied Telesis has launched its Next-Generation Firewalls (NGFWs), a new range of security appliances for protecting enterprise and government organisations, remote offices, and embedded applications. “The new range of firewalls allows an enterprise to deploy next-generation security measures at the branch office, rather than relying on the firewall at the headquarters to protect everyone,” commented Graham Walker, Product Manager at Allied Telesis. “These new products allow up-to-the-minute protection company-wide, and at a fraction of the cost of traditional firewall solutions.” The new Allied Telesis NGFWs deliver a security platform with integrated application control, intrusion prevention, and actionable reporting. “Increased protection is available by subscribing to leading security services that provide web filtering, anti-malware, and protection against advanced persistent threats,” the company said.

The NGFWs offer simple management via a quick-start web-based GUI, and feature support for Allied Telesis Management Framework (AMF). “Packed with power from advanced multi-core CPUs, the new NGFWs offer blazing performance levels for sustained high traffic throughput.” “With the increased use of mobility, BYO technology, cloud-based services and the Internet of Things, the Allied Telesis NGFWs enable organisations to easily make the move to user-based authentication and application-based control. Features such as high-throughput threat prevention, easy-to-use management, integration with leading edge IP reputation, and anti-malware services make the Allied Telesis Next-Generation Firewalls a fiercely competitive solution.”

Fortinet upgrades for better cloud, SD-WAN protection


Fortinet has rolled out a new version of its FortiOS operating system that gives customers the ability to manage security capabilities across their cloud assets and software-defined wide area networking (SD-WAN) environments.

With FortiOS 5.6, the company’s Fortinet Security Fabric gives a view of customers’ public and private clouds – including Amazon Web Services and Azure – as well as assets on their software-defined WANs, says John Maddison, Fortinet’s senior vice president of products. The company is also announcing FortiCASB, a platform for securing applications purchased as part of SaaS offerings. FortiCASB is available at the end of the current quarter and can be managed as part of the Fortinet Security Fabric. The fabric is an ecosystem of Fortinet’s gear as well as that of 22 partners whose devices can become part of the fabric via APIs; depending on the individual APIs, the level of integration can vary. With the new management capabilities, customers can apply a single security policy, for example to block a particular botnet, and have it applied to all the security elements in their network that are part of the security fabric, he says … The SD-WAN capabilities support branch office protection by performing SSL inspection, VPN tunneling and traffic shaping. The upgraded version of FortiOS is available now as part of FortiGate purchases.

Check Point Discloses Vulnerability that Allowed Hackers to Take over Hundreds of Millions of WhatsApp & Telegram Accounts

One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to be proven, many end-users are concerned as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy. This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.

Nevertheless, this same mechanism has also been the source of a severe new vulnerability we have discovered in both messaging services’ online platforms – WhatsApp Web and Telegram Web. The online versions of these platforms mirror all messages sent and received by the user, and are fully synced with the user’s device.

This vulnerability, if exploited, would have allowed attackers to completely take over users’ accounts on any browser, and to access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more. This means that attackers could potentially download your photos or post them online, send messages on your behalf, demand ransom, and even take over your friends’ accounts.

View the demos on WhatsApp and Telegram

The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code.

The file can be modified to contain attractive content to raise the chances that a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user has to click again to open a new tab before the attacker can access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to all of the victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.
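One client-side check that addresses the gap described above, written here as an added example and not taken from WhatsApp, Telegram or Check Point: before a web client renders a received attachment, it verifies that the bytes carry the magic number of the image type the sender declared, and refuses to render anything that does not match. The signature table and the sample attachments are constructed for the example; the real clients' file handling is not shown on this page.

```javascript
// Added example (not WhatsApp's or Telegram's code): validate an attachment's
// content against its declared image type before rendering it. A file that
// claims to be an image but does not start with that image format's magic
// bytes is treated as untrusted and is not rendered inline.

// Magic-byte signatures for the image types the client is willing to render.
const IMAGE_SIGNATURES = {
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif': [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
};

// True when `bytes` begins with every byte of `signature`.
function startsWith(bytes, signature) {
  if (bytes.length < signature.length) return false;
  return signature.every((b, i) => bytes[i] === b);
}

// Returns the MIME type whose signature the bytes carry, or null if none match.
function sniffImageType(bytes) {
  for (const [mime, sigs] of Object.entries(IMAGE_SIGNATURES)) {
    if (sigs.some((sig) => startsWith(bytes, sig))) return mime;
  }
  return null;
}

// Decide whether an attachment may be rendered inline as an image.
// `declaredMime` is the label that travelled with the message (attacker
// controlled); `bytes` is the decrypted attachment content.
// Returns { render: boolean, reason: string }.
function checkAttachment(declaredMime, bytes) {
  if (!(declaredMime in IMAGE_SIGNATURES)) {
    return { render: false, reason: `unsupported type ${declaredMime}` };
  }
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { render: false, reason: 'bytes match no known image signature' };
  }
  if (actual !== declaredMime) {
    return { render: false, reason: `declared ${declaredMime} but bytes are ${actual}` };
  }
  return { render: true, reason: 'signature matches declared type' };
}

// Constructed sample attachments (not real captures).
const SAMPLE_PNG = new Uint8Array([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d,
]);
// An HTML document labelled as an image: the case the passage describes.
const SAMPLE_HTML_AS_IMAGE = new TextEncoder().encode(
  '<html><body>not an image</body></html>'
);

// Usage: only the genuine PNG is allowed through.
console.log(checkAttachment('image/png', SAMPLE_PNG));
console.log(checkAttachment('image/jpeg', SAMPLE_HTML_AS_IMAGE));
```

The same check belongs on the sending side as well, since the passage notes that the services encrypted attachments without validating them first.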

Check Point disclosed this information to WhatsApp’s and Telegram’s security teams on March 7th. Both companies have verified and acknowledged the security issue and developed a fix for web clients worldwide soon after. “Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.