New Trojan Malware Spreads via Word Document

There’s a new trojan spreading through malicious Word documents, and cybercriminals are using it to steal personal information and sensitive banking details. The malware, the Ursnif trojan, attacks Windows operating systems and has been popular with hackers since its source code was leaked, making it a widely available option for cybercriminals to take advantage of. This trojan has existed in different forms over the years, starting in 2007 when the code first surfaced in the Gozi banking trojan.

Since the code was leaked, hackers have customized it to their liking to steal bank account information and other valuable account details. Cybersecurity firm Fortinet has identified a new version of the trojan that spreads through Word documents named in the format “info_[date].doc.” The attacker attaches a malicious macro script that launches once the document’s macros (a series of operations executed through a single command) have been enabled.

The macros are enabled by clicking “Enable Content,” which runs VBA code that drops a version of the Ursnif malware onto the victim’s computer. The malware then runs “iexplorer.exe” processes to connect to a command and control server on the hacker’s end. In an effort to deflect user suspicion, the server’s host list refers to security companies as well as Microsoft.

Researchers have stated that the campaign is still operating. Even though these techniques might seem basic, a simple phishing email could give these cybercriminals a foothold to invade networks and initiate an extensive cyberattack.

As always, be mindful of the emails you receive, especially those with unsolicited document attachments, and check the sender email address to verify if the email is spam. When in doubt, directly contact the company referenced in the email using a phone number provided on the actual website.

Ransomware Attack Hits UK Police Federation

Just announced yesterday: the U.K. Police Federation of England and Wales (PFEW) Surrey headquarters was hit with a cyberattack in which ransomware encrypted computer email systems and databases and deleted backup data.

The attack occurred on March 9 and affected only this headquarters; a statement from the Federation, which represents approximately 119,000 police officers, revealed that its 43 branches spread throughout the U.K. and Wales were not affected.

In a tweet yesterday morning, the Police Federation explains how “[t]here is no evidence at this stage that any data was extracted from our systems but this cannot be discounted.”

Officers of the National Cyber Crime Unit have begun their investigation and are in contact with PFEW to determine the nature of the attack and the extent of damage. According to the PFEW, the attack was likely done as part of a much larger campaign set to cause further havoc.

The incident was reported to the U.K. data protection regulator within three days, as required by European data protection rules, although the PFEW only announced the attack publicly 12 days after it first occurred.

Norwegian Aluminum Producer Norsk Hydro Hit by Cyber Attack

Norsk Hydro, one of the largest Norwegian aluminum producers, partly shut down its operations due to a large-scale ransomware attack. The company has spent this week trying to neutralize the attack, initially unaware of how significant the damage to its operations was. The main cause of the attack has now been identified as the LockerGoga ransomware, and the company is currently working with external partners to restore full system operations.

When the attack hit, Norsk Hydro announced a switch to manual operations. Its shares went down about two percent while aluminum prices went up 1.5%. There have been many breaches that caused both data loss and other infrastructure problems; in the past, cybercriminals have managed to hack into companies such as Anthem, Yahoo!, and Marriott International, to name a few.

Norsk claimed to Business Insider, “We are working to [further] contain the situation and reduce impact, aiming to resume normal operation.”

On Thursday, March 21, Hydro’s specialists identified the source of the problem and have been working to return their systems to their pre-infected state. No safety issues have been announced since the ransomware attack first struck on Tuesday, March 19. Manual operations are still in use, but the company has announced that “most operations are [now] running.” It is still unclear how long full restoration of normal IT operations will take.

UPDATE 3/27/19: Norsk Hydro reported financial losses of up to $40 million based on the ransomware’s impact from last week. While the company is now running almost all its operations normally, the Extruded Solutions business division is still in recovery mode. The Building Systems unit is still “at a standstill,” as said in a press release. Delays are expected, but Norsk Hydro announced that this unit will “gradually ramp up production and shipments during the week.”

1-800-FLOWERS Affected by Undetected Credit Card Breach Over Four-Year Period

In a recent filing with California’s Attorney General’s Office, 1-800-FLOWERS was revealed to be the victim of a silent malware attack that affected the business over a four-year period. As the filing explains, customer credit card information was stolen from the Canadian branch’s website, while the main 1800Flowers.com website was unaffected.

What is interesting to note is that the malware affected the site for four years without any detection. Between August 15, 2014 and September 15, 2018, consumers’ first and last names, card numbers, expiry dates, and security codes were all accessed by the unknown hacker(s).

The report did not disclose the number of consumers affected by the breach, but under California law the company is required to inform its customers of the incident when a breach affects more than 500 people.

Interestingly enough, 1-800-FLOWERS is the second company to report a four-year-long breach, as Marriott was also affected over a four-year period when hackers stole 500 million guest records.

For now, the company recommends that all its customers keep a close watch on their payment records and report any suspicious charges to their bank or card issuer.

Surviving a Ransomware Attack

The rate of ransomware attacks may have gone down, but does that mean there were fewer attacks? The numbers show a slight decrease from the previous year, with 1,783 attacks in 2017 compared to a whopping 2,673 reported in 2016. Yet, while such numbers may suggest this catastrophic cybercrime is on the decline, the reality is that most attacks go under-reported, leaving many to wonder how frequently attacks actually occur and what they will cost businesses.

According to Ms. Smith of CSO, Verizon analytics have found that ransomware incidents have actually doubled. Researchers have found that attackers usually demand a cryptocurrency payment to release an affected user’s files, but there is no assurance that they will do so after payment is received. Through such ransomware attacks, cybercriminals are always looking for ways to maximize their profit.

As Theresa Payton, the former White House CIO who is now president and CEO of Fortalice Solutions, explains, “We used to hear very often that it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal.” Attackers now target businesses of every size that rely on the internet, raising corporate concern about impending cyberattacks.

In 2017, the WannaCry, NotPetya, and BadRabbit strains didn’t simply disrupt business processes; the attacks knocked global brands like FedEx out of normal operation. This took the ransomware threat vector to a “totally new level,” using worms to propagate through systems and affecting 300,000 to 400,000 devices around the world, says Steven Wilson, head of Europol’s EC3 cybercrime centre. The threat continues with cheap off-the-shelf kits sold online, allowing an attacker to obtain the ransomware tools necessary to carry out another business-damaging strike.

“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”

Raising Awareness

While ransomware such as WannaCry is still very much prevalent, attacks like these have helped raise awareness of further possible strikes. Current trends indicate that ransomware is here to stay. Fortunately, there are cyber-hygiene steps you can take to prevent attacks in the future.

Keeping computer operating systems up to date is the first step to preparedness, and the latest versions of anti-malware software can assist in the case of an attack. In the event of a major ransomware strike, it is always best to have kept regularly updated backups of all files for recovery.

As Payton explains, “Organizations should also consider network segmentation and introduce kill switches to prevent malware from moving laterally, as WannaCry did. [It’s always best to] practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” with Payton further suggesting that organizations also perform test runs of full restores.

How can the technology community help?

Through public and private bodies working together and familiarizing themselves with software vulnerabilities, ransomware disasters can be prevented. NoMoreRansom, for instance, which provides decryptors for dangerous ransomware families, pools resources across organizations and can help the technology community stay one step ahead of the next crippling attack.

For more on ransomware preparedness strategies, see our guide to preventing ransomware.

Blue Screen of Death? Beware- It Might Be a Scam


If you’re purchasing security software, you’d think what you’re buying is safe, right? Well, think again. Reports are showing that scammers are tricking innocent people into buying fake security software for $25. Isn’t that crazy?

They use two different ways to scam the victims: the first is by sending fake Blue Screens of Death (BSOD), and the other is sending a phony “Troubleshooter for Windows” pop-up. The supposed security application they try to sell is called “Windows Defender Essentials.” From the name, we would assume that it’s a legitimate product since it sounds like “Windows Defender,” an actual Microsoft product. Right off the bat, this keeps unsuspecting victims from realizing it’s fake software.

A Malwarebytes researcher discovered that the app is distributed bundled with a cracked software installer, which shows an unexpected error instead of the normal “troubleshooting” pop-up. The error message states, “Missing .Dll registry files resulting in computer failure.” When the victims click “Next,” they fall right into the scammers’ trap: they believe they are going to see what the issue is, but instead they are led to a list of fake problems and told the troubleshooter couldn’t fix them. This is where the scammers get smart. The message says the problem will be resolved by clicking a “Recommended” link to “Buy Windows Defender Essentials,” which ultimately leads the victims to send $25 to the scammer’s PayPal account in order to “solve the issue.” Once they’ve paid, the screen unlocks and returns to their normal desktop.

A Microsoft representative has confirmed that this is a scam, and they recommend that users follow their advice on how to protect themselves against similar tech support scams. If it seems too good to be true, it is. You can read about the scams in Microsoft’s April 3rd and November 20th blog posts.

This warning also goes for the “Click to Call” functionality on a fake website, which leads you to call a bogus support hotline – don’t fall into the trap!

According to the tech support site Bleeping Computer, there is a way to shut down the program without paying. Hit Ctrl+O to open a dialogue box and then enter a code, which you can find here. This makes the program think that you have paid the $25, and it stops automatically.

Here are some more instructions on how to remove the false troubleshooting messaging. 

Hopefully this will help you stay safe from the scammers in 2018!

Adobe Hacked

In a blog post today, Adobe Chief Security Officer Brad Arkin announced a major security breach affecting 2.9 million customers. The attackers accessed customer IDs, encrypted passwords, encrypted debit and credit card numbers, and other customer-related order information.


Adobe has ensured that they have reset relevant customer passwords and are in the process of contacting all customers affected by the attack.

DDoS Attacks Slow Entire Internet

This week, users worldwide are wondering why their Internet connections are slow, or why access to certain sites is temporarily unavailable. The cause is that the anti-spam organization Spamhaus and the Dutch hosting company Cyberbunker are involved in a cyber-attack of such large scale that Internet users are feeling the effects.


Cyberbunker, known for its unique facility, a former NATO command bunker, was recently put on Spamhaus’ blacklist, which email providers use to filter out spam messages. Cyberbunker has admitted to providing its services to any organization short of terrorists and child pornographers, and has retaliated against Spamhaus. Spamhaus has continued to distribute its blacklists, but has been experiencing a Distributed Denial of Service (DDoS) attack since March 19.

For some perspective: While prior attacks against major banks reached a magnitude of about 50 billion bits per second, the current attacks use a data stream of 300 billion bits per second.


Most DDoS attacks only affect a few networks, but in this case the use of a Domain Name System (DNS) flood has affected millions of Internet users. The attackers used botnets to send DNS requests forged to appear to come from Spamhaus to millions of DNS servers; those servers then replied to Spamhaus with much larger responses, amplifying the traffic until Spamhaus’ servers were overwhelmed and became unreachable. Because the attack abuses the DNS itself, it cannot be stopped without halting the Internet worldwide.
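The reflection mechanism described above leaves a measurable trace on both sides: an open resolver answers a flood of small queries from one claimed source with large responses, and the victim receives answers from many resolvers at once. The following is an added example, not code from the original article, that scores constructed UDP/53 flow records for exactly that pattern; all addresses, sizes and thresholds are constructed sample values.

```python
from collections import defaultdict

# Constructed flow records of UDP/53 traffic: (src_ip, dst_ip, kind, size_bytes).
# 198.51.100.10 plays the victim (Spamhaus's role in the article), 192.0.2.x are
# open resolvers abused as reflectors, and 203.0.113.5 is an ordinary client.
FLOWS = [
    ("203.0.113.5", "192.0.2.1", "query", 64),
    ("192.0.2.1", "203.0.113.5", "response", 140),
    # Spoofed queries carrying the victim's source address: each resolver answers
    # the victim instead of the bot, and each answer is ~50x larger than the query.
    *[("198.51.100.10", "192.0.2.1", "query", 64) for _ in range(20)],
    *[("192.0.2.1", "198.51.100.10", "response", 3200) for _ in range(20)],
    *[("198.51.100.10", "192.0.2.2", "query", 64) for _ in range(20)],
    *[("192.0.2.2", "198.51.100.10", "response", 3200) for _ in range(20)],
]


def amplification_per_source(flows, min_queries=10):
    """Resolver-side view: bytes answered per byte asked, keyed by claimed source IP.
    A high ratio from a source sending many near-identical queries is the signature
    of this resolver being used as a reflector against that source address."""
    asked, answered, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, dst, kind, size in flows:
        if kind == "query":
            asked[src] += size
            count[src] += 1
        else:
            answered[dst] += size
    return {ip: answered[ip] / asked[ip] for ip in asked if count[ip] >= min_queries}


def suspected_reflection_victims(flows, min_ratio=10.0, min_reflectors=2):
    """Victim-side view: destinations receiving amplified answers from several
    resolvers at once. Returns {victim_ip: sorted list of reflector IPs}."""
    ratios = amplification_per_source(flows, min_queries=1)
    reflectors = defaultdict(set)
    for src, dst, kind, size in flows:
        if kind == "response" and ratios.get(dst, 0.0) >= min_ratio:
            reflectors[dst].add(src)
    return {ip: sorted(r) for ip, r in reflectors.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    print(amplification_per_source(FLOWS))      # victim address shows ~50x
    print(suspected_reflection_victims(FLOWS))  # victim with both reflectors listed
```

A resolver operator would act on the first view by rate-limiting responses to the flagged source; the victim's upstream would act on the second by filtering the listed reflectors.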

Several cyber-police forces are currently investigating the attacks.

CISPA Bill to be Revived

CISPA, short for the Cyber Intelligence Sharing and Protection Act, will likely be brought back for a vote in Washington after recent reports of cyber espionage attempts against U.S. targets. Chairman of the House Intelligence Committee Mike Rogers claims that “American businesses are under siege,” making the controversial bill a necessity. Today hackers are considered the new terrorists, and the head of Homeland Security, Janet Napolitano, believes a “cyber 9-11” is probable if no cyber security legislation is enacted.

While we doubt that the threat of a nationwide infrastructure-crippling cyber attack is near, businesses large and small should be taking the necessary precautions to prevent security breaches by hackers more interested in gaining valuable information. Recent targets have included several U.S. banks, the Federal Reserve’s website, the Wall Street Journal, the New York Times and The Washington Post. Most of these attacks have been traced overseas to China.

Image courtesy of PCWorld.com

If passed, CISPA would grant immunity from privacy laws to companies and federal parties that share customer information relating to “cyber security.” The issue, of course, is how easy it is for companies to cross the fine line between “sharing” this information for security purposes and misusing this immunity for spying. CISPA was passed by the House of Representatives last spring, but never made it to the Senate floor after a veto threat was issued by the White House. President Obama is reportedly preparing to issue an executive order on cyber security after the State of the Union Address scheduled for February 12.

So how could this affect us? Overall, if the bill passes with restrictions on the use of “shared” information and companies act within those boundaries, the bill would serve its intended purpose of preventing cyber attacks from overseas. This seems unlikely, though, and the bill would also increase the government’s surveillance abilities, making most people uncomfortable. However, it is unlikely that the bill will pass through the House its second time around without major changes, and we hope the President’s plans to address cyber security will create more options for better security without compromising privacy.