September 2016 was an eventful month for cyber security, with a handful of threats, breaches and interesting developments in the security of Internet of Things devices. A Denial of Service attack on the website of investigative journalist Brian Krebs was found to be launched largely from compromised Internet of Things devices. Ransomware continued to cause trouble for computer users at all levels, with a number of new variants and delivery methods being mixed into the threat landscape.
- Ransomware continues to be a major threat to organisations worldwide, with cybercriminals finding new ways to infect users. This month a new variant of ransomware called Mamba was identified which encrypts the whole disk instead of individual files. It does this using a pirated version of the open source disk encryption tool DiskCryptor to encrypt the victim’s hard drive(s). Like most other ransomware variants, Mamba uses malicious attachments to deliver its payload and compromise the user’s system. Please ensure that you have adequate backup and restore policies in place, and routinely test them, to reduce the threat posed by ransomware.
- A new ransomware campaign appears to be targeting educational institutions and government agencies. This ransomware is called MarsJoke and is distributed via emails containing a link that downloads a file called ‘file_6.exe’. These emails bear the branding of popular shipping and postal companies.
- Victorian Police have released an advisory that unmarked USB drives have been placed in the letterboxes of Melbourne residents. The USB drives contain malicious software which appears to render victim computers useless. If you receive an unexpected USB drive in the mail, do not plug it into your computer or other devices. Beyond malware stored on the drive itself, such devices can contain hardware that emulates your computer’s keyboard and mouse to deliver malware, or, in the case of the “USB Killer”, permanently disables your USB port or even your computer.
- The APT group known as APT28, Fancy Bear, Sednit and Pawn Storm is running a phishing campaign targeted at Mac OS X users. The campaign involves emails sent with attachments designed to look like a PDF document; however, the attachment is not a PDF document but an executable that opens a PDF document once run, in order not to arouse suspicion. User interaction is still required to deliver the malware, but Mac users may be less cautious because of the common fallacy that Mac OS X does not have viruses.
- Malvertising is a term used for an online ad or pop-up that is used as a means to compromise an end user through malicious scripting. These malicious ads are encountered during general internet use and are often able to seamlessly compromise a user without generating any visual prompt. Although not a new method for actors to compromise a host, it has recently seen a resurgence in certain cases to spread ransomware. One recent example was the popular website answers.com, which was observed distributing malware through embedded advertising: users were exposed to the RIG Exploit Kit serving up ransomware, potentially without answers.com even realising it was happening. Ensuring that your operating system and applications are adequately patched is still the most effective way to mitigate this sort of drive-by download attack.
- Point of Sale merchant H&L Australia has reportedly been breached by an unknown threat actor. The threat actor allegedly sold access to a database server, and it is believed that at the very least a 14.1Gb database dump has been stolen. Customers of H&L Australia include Australian Leisure and Hospitality Group, who operate around 330 pubs and clubs in Australia.
- UK-based smartphone news and reviews forum MoDaCo has confirmed a breach of 880 000 member usernames, passwords, email and IP addresses. The breach itself is believed to have occurred in January 2016 through the use of a compromised administrator account. Although a lot of information has been leaked, MoDaCo says passwords were stored using the Blowfish cipher. “Security researcher Troy Hunt, who runs ‘Have I Been Pwned?’, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.” (Zeljka Zorz, helpnetsecurity.com, 2016)
- Investigative journalist Brian Krebs has been the target of one of the largest Distributed Denial of Service (DDoS) attacks ever recorded, peaking at a whopping 620Gbps. Brian Krebs’s website krebsonsecurity.com had DDoS protection provided by Akamai, who were able to absorb the attack but have since dropped Brian Krebs as a client. The website is now protected by the Google Project Shield initiative, a free service that protects select journalists from online censorship.
- Threat actor ‘The Shadow Brokers’ have acquired stolen NSA hacking tools and are attempting to sell them on the black market. The tools have been confirmed as NSA tools via an unnamed source within the FBI group currently investigating the incident. It is believed the tools were stolen after being left on a remote staging server 3 years ago, which has since been compromised. So far there has reportedly been little interest in buying the tools, likely because the NSA is currently looking for evidence that they are being used, and because using them could garner too much attention from the NSA.
- There has been an increase in the development of sandbox-aware malware. Cases have been observed where a document-based macro searches the system for Word documents in order to detect whether it is running in a sandbox environment or on a real user’s system. If the script did not find more than two Word documents on the host, it would terminate; where more than two Word documents were found, the macro would call back to download its desired malware for execution. These advancements show a growing requirement to tailor sandbox environments into a more realistic snapshot of the kinds of machines that malware targets.
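As an added example (not from the newsletter or any of the reports it summarises), the script below audits a sandbox user profile against the “more than two Word documents” test described above, so a sandbox owner can check whether their image would be dismissed by such a macro before seeding it with decoy files. The file extensions treated as Word documents, the profile layout and the constructed sample profiles are assumptions.

```python
"""Added example: check whether a sandbox user profile would pass the
"more than two Word documents" realism test used by the macro described
above. Suffixes, profile layout and sample profiles are assumptions."""
import tempfile
from pathlib import Path

# Assumption: the macro only treats .doc/.docx/.docm files as Word documents.
WORD_SUFFIXES = {".doc", ".docx", ".docm"}
# From the text: the macro terminates unless it finds more than 2 Word documents.
MACRO_DOCUMENT_THRESHOLD = 2

def is_word_document(path):
    """True if the file extension (case-insensitive) marks a Word document."""
    return Path(path).suffix.lower() in WORD_SUFFIXES

def find_word_documents(root):
    """Recursively list every Word document under a user profile directory."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and is_word_document(p))

def passes_document_count_check(root, threshold=MACRO_DOCUMENT_THRESHOLD):
    """Would the macro's sandbox test treat this profile as a real user's machine?"""
    return len(find_word_documents(root)) > threshold

def build_constructed_profile(root, name, docs):
    """Create a constructed (fake) user profile, spreading the given files over common folders."""
    profile = Path(root) / "Users" / name
    for sub in ("Documents", "Desktop", "Downloads"):
        (profile / sub).mkdir(parents=True, exist_ok=True)
    for i, doc in enumerate(docs):
        sub = ("Documents", "Desktop", "Downloads")[i % 3]
        (profile / sub / doc).write_text(f"constructed sample {doc}")
    return profile

def audit_constructed_profiles():
    """Compare a bare sandbox image with a seeded one; returns name -> (doc count, passes)."""
    with tempfile.TemporaryDirectory() as tmp:
        bare = build_constructed_profile(tmp, "sandbox", ["readme.txt", "notes.docx"])
        seeded = build_constructed_profile(
            tmp, "alice", ["budget.xlsx", "q3-report.docx", "minutes.doc", "cv.DOCX", "memo.docm"])
        return {
            "sandbox": (len(find_word_documents(bare)), passes_document_count_check(bare)),
            "alice": (len(find_word_documents(seeded)), passes_document_count_check(seeded)),
        }

if __name__ == "__main__":
    for name, (count, ok) in audit_constructed_profiles().items():
        print(f"{name}: {count} Word documents, passes realism check: {ok}")
```

Pointing `passes_document_count_check` at a real sandbox image’s user profile tells you whether that image needs decoy documents added before it will see this family of macros detonate.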