• Posted on June 10, 2017 11:11 am
    Joseph Forbes
    No comments

    Check Point Threat Intelligence and research teams recently discovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability to run any code on victim computers (downloading any file or malware), and hijacking and manipulating infected users’ web traffic to generate ad revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but it can just as easily turn into a prominent distributor for any additional malware.

    This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home pages into fake search engines, which redirect the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Because Fireball can spy on victims, perform efficient malware dropping and execute any malicious code on the infected machines, it creates a massive security flaw in targeted machines and networks.

    KEY FINDINGS

    Check Point analysts uncovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide and 20% of corporate networks.
    The malware, called Fireball, acts as a browser-hijacker but can be turned into a full-functioning malware downloader.
    Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
    Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
    The operation is run by a Chinese digital marketing agency.
Top infected countries are India (10.1%) and Brazil (9.6%).

Figure 1: Fireball Infection Flow

250 MILLION MACHINES AND 20% OF CORPORATE NETWORKS WORLDWIDE INFECTED

The scope of the malware distribution is alarming. According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%). Based on Check Point’s global sensors, 20% of all corporate networks are affected. Hit rates in the US (10.7%) and China (4.7%) are alarming, but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates.

Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Figure 2: Fireball Global Infection Rates (darker pink = more infections)

Ironically, although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide, coincidentally similar to our number of estimated infections.

Figure 3: Rafotech’s Advertisement on the Company’s Official Website

A BACKDOOR TO EVERY INFECTED NETWORK

Fireball and similar browser-hijackers are hybrid creatures: half seemingly legitimate software (see the GOING UNDER THE RADAR section), and half malware. Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines, and these actions can have serious consequences. How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.
These browser-hijackers are capable at the browser level. This means that they can drive victims to malicious sites, spy on them and conduct successful malware dropping. From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, a multi-layer structure and a flexible C&C; it is not inferior to a typical malware. Many threat actors would like to have a fraction of Rafotech’s power, as Fireball provides a critical backdoor which can be further exploited.

GOING UNDER THE RADAR

While the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates that give it a legitimate appearance. Confused? You should be. Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime in the way malware distribution is. How is that? Many companies provide software or services for free and make their profits by harvesting data or presenting advertisements. Once a client agrees to the installation of extra features or software on his/her computer, it is hard to claim malicious intent on behalf of the provider. This gray zone led to the birth of a new kind of monetizing method: bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.

Figure 4: Bundling in Action

According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature. So how do they carry digital certificates?
One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can take advantage of the lack of clarity about the legality of adware to approve software such as Rafotech’s browser-hijackers.

THE INFECTION MODEL

As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware with other Rafotech products (Deal Wifi and Mustang Browser) and bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others. It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that nothing is happening behind the scenes. Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.

As with everything on the internet, remember that there are no free lunches. When you download freeware or use cost-free services (streaming and downloads, for example), the service provider is making a profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.

Figure 5: Deal Wifi Installation Screen

HOW CAN I KNOW IF I AM INFECTED?

To check if you’re infected, first open your web browser. Was your home page set by you? Are you able to modify it? Are you familiar with your default search engine, and can you modify that as well? Do you remember installing all of your browser extensions? If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.
Figure 6: trotux.com, a Fake Search Engine Run by Rafotech

THE RED BUTTON IN THE WRONG HANDS

It doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines and sell this data to threat groups or business rivals. Banking and credit card credentials, medical files, patents and business plans can all be widely exposed and abused by threat actors for various purposes. Based on our estimated infection rate, in such a scenario one out of five corporations worldwide would be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years.

Rafotech holds the power to initiate a global catastrophe, and it is not alone. During our research we’ve tracked down additional browser-hijackers that, to our understanding, were developed by other companies. One such company is ELEX Technology, an Internet services company also based in Beijing, which produces products similar to those of Rafotech. Several findings lead us to suspect that the two companies are related and may be collaborating in the distribution of browser-hijackers or in trading customers’ traffic. For example, an adware developed by ELEX, named YAC (“Yet Another Cleaner”), is suspected to be connected to Rafotech’s operation, dropping its browser-hijackers.

CONCLUSION

In this research we’ve described Rafotech’s browser-hijacker operation, possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies.
The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter billion infected machines and a grip on one of every five corporate networks, Rafotech’s activities make it an immense threat.

HOW DO I REMOVE THE MALWARE, ONCE INFECTED?

To remove almost any adware, follow these simple steps:

1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.
   For Mac OS users: use the Finder to locate the Applications folder, drag the suspicious file to the Trash, then empty the Trash.
   Note: a usable program is not always installed on the machine and therefore may not be found in the program list.

2. Scan and clean your machine, using:
   Anti-malware software
   Adware cleaner software

3. Remove malicious add-ons, extensions or plug-ins from your browser:
   On Google Chrome:
   a. Click the Chrome menu icon and select Tools > Extensions.
   b. Locate and select any suspicious add-ons.
   c. Click the trash can icon to delete.
   On Internet Explorer:
   a. Click the Settings icon and select Manage Add-ons.
   b. Locate and remove any malicious add-ons.
   On Mozilla Firefox:
   a. Click the Firefox menu icon and go to the Tools tab.
   b. Select Add-ons > Extensions. A new window opens.
   c. Remove any suspicious add-ons.
   d. Go to the Add-ons manager > Plugins.
   e. Locate and disable any malicious plugins.
   On Safari:
   a. Make sure the browser is active.
   b. Click the Safari tab and select Preferences. A new window opens.
   c. Select the Extensions tab.
   d. Locate and uninstall any suspicious extensions.

4. Restore your internet browser to its default settings:
   On Google Chrome:
   a. Click the Chrome menu icon and select Settings.
   b. In the On startup section, click Set Pages.
   c. Delete the malicious pages from the Startup pages list.
   d. Find the Show Home button option and select Change.
   e. In the Open this page field, delete the malicious search engine page.
   f. In the Search section, select Manage search engines.
   g. Select the malicious search engine page and remove it from the list.
   On Internet Explorer:
   a. Select the Tools tab and then select Internet Options. A new window opens.
   b. In the Advanced tab, select Reset.
   c. Check the Delete personal settings box.
   d. Click the Reset button.
   On Mozilla Firefox:
   a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
   b. Click the Help tab and go to Troubleshooting Information. A new window opens.
   c. Select Reset Firefox.
   On Safari:
   a. Select the Safari tab and then select Preferences. A new window opens.
   b. In the Privacy tab, click the Manage Website Data… button. A new window opens.
   c. Click the Remove All button.

INDICATORS OF COMPROMISE

C&C addresses
attirerpage[.]com
s2s[.]rafotech[.]com
trotux[.]com
startpageing123[.]com
funcionapage[.]com
universalsearches[.]com
thewebanswers[.]com
nicesearches[.]com
youndoo[.]com
giqepofa[.]com
mustang-browser[.]com
forestbrowser[.]com
luckysearch123[.]com
ooxxsearch[.]com
search2000s[.]com
walasearch[.]com
hohosearch[.]com
yessearches[.]com
d3l4qa0kmel7is[.]cloudfront[.]net
d5ou3dytze6uf[.]cloudfront[.]net
d1vh0xkmncek4z[.]cloudfront[.]net
d26r15y2ken1t9[.]cloudfront[.]net
d11eq81k50lwgi[.]cloudfront[.]net
ddyv8sl7ewq1w[.]cloudfront[.]net
d3i1asoswufp5k[.]cloudfront[.]net
dc44qjwal3p07[.]cloudfront[.]net
dv2m1uumnsgtu[.]cloudfront[.]net
d1mxvenloqrqmu[.]cloudfront[.]net
dfrs12kz9qye2[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe

File Hashes
FAB40A7BDE5250A6BC8644F4D6B9C28F
69FFDF99149D19BE7DC1C52F33AAA651
B56D1D35D46630335E03AF9ADD84B488
8C61A6937963507DC87D8BF00385C0BC
7ADB7F56E81456F3B421C01AB19B1900
84DCB96BDD84389D4449F13EAC75098
2B307E28CE531157611825EB0854C15F
7B2868FAA915A7FC6E2D7CC5A965B1E
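The indicator list above is published in defanged form ("[.]" in place of "."), so it has to be refanged before it can be compared with DNS or proxy telemetry, and a naive substring match would also flag every other CloudFront distribution. The following is an added example written for this page (not code from Check Point or from this blog) that refangs the C&C list, matches host names on a label boundary so only the listed hosts and their subdomains hit, and checks observed MD5s against the published hashes. The log lines and the observed hash list are constructed samples; the two hashes that appear in the post with only 31 hex digits are left out rather than guessed at.

```python
"""Match the Fireball indicators of compromise against DNS/proxy logs and hashes.

Added example; not code from Check Point or from this blog. The indicator
strings are copied from the list above (still defanged with "[.]"). The log
lines and the observed hash list are constructed samples.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Defanged C&C domains from the list above, verbatim.
DEFANGED_C2 = """
attirerpage[.]com s2s[.]rafotech[.]com trotux[.]com startpageing123[.]com
funcionapage[.]com universalsearches[.]com thewebanswers[.]com
nicesearches[.]com youndoo[.]com giqepofa[.]com mustang-browser[.]com
forestbrowser[.]com luckysearch123[.]com ooxxsearch[.]com search2000s[.]com
walasearch[.]com hohosearch[.]com yessearches[.]com
d3l4qa0kmel7is[.]cloudfront[.]net d5ou3dytze6uf[.]cloudfront[.]net
d1vh0xkmncek4z[.]cloudfront[.]net d26r15y2ken1t9[.]cloudfront[.]net
d11eq81k50lwgi[.]cloudfront[.]net ddyv8sl7ewq1w[.]cloudfront[.]net
d3i1asoswufp5k[.]cloudfront[.]net dc44qjwal3p07[.]cloudfront[.]net
dv2m1uumnsgtu[.]cloudfront[.]net d1mxvenloqrqmu[.]cloudfront[.]net
dfrs12kz9qye2[.]cloudfront[.]net dgkytklfjrqkb[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe
"""

# MD5s from the list above. Two entries in the post are only 31 hex digits
# long (truncated as published), so they are left out rather than guessed.
FIREBALL_MD5 = {
    "FAB40A7BDE5250A6BC8644F4D6B9C28F",
    "69FFDF99149D19BE7DC1C52F33AAA651",
    "B56D1D35D46630335E03AF9ADD84B488",
    "8C61A6937963507DC87D8BF00385C0BC",
    "7ADB7F56E81456F3B421C01AB19B1900",
    "2B307E28CE531157611825EB0854C15F",
}


def refang(indicator: str) -> str:
    """Turn 'host[.]tld' back into 'host.tld' so it can be compared with logs."""
    return indicator.replace("[.]", ".")


def load_domains(defanged_text: str) -> Set[str]:
    """Collect the distinct host names, dropping any URL path such as /main/trmz.exe."""
    return {refang(token).split("/")[0].lower() for token in defanged_text.split()}


def matching_indicator(hostname: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None.

    Suffix matching is done on a label boundary, so 'nottrotux.com' does not
    match 'trotux.com', and the generic 'cloudfront.net' is never matched on
    its own (only the specific distribution hosts listed are indicators).
    """
    host = hostname.lower().rstrip(".")
    for dom in domains:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


# Constructed log format: "<timestamp> <source> client=<ip> query|host=<name> ...".
HOST_FIELD = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")


def scan_log(lines: Iterable[str], domains: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, observed host, matched indicator) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        field = HOST_FIELD.search(line)
        if field is None:
            continue
        dom = matching_indicator(field.group(1), domains)
        if dom is not None:
            hits.append((number, field.group(1), dom))
    return hits


def matching_hashes(observed: Iterable[str], known: Set[str]) -> List[str]:
    """Case-insensitive intersection of observed MD5s with the known set."""
    return sorted({h.strip().upper() for h in observed} & known)


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2017-06-10T08:01:12Z dns client=10.0.0.15 query=www.trotux.com type=A",
    "2017-06-10T08:01:13Z dns client=10.0.0.15 query=www.example.com type=A",
    "2017-06-10T08:02:40Z proxy client=10.0.0.22 host=dgkytklfjrqkb.cloudfront.net path=/main/trmz.exe",
    "2017-06-10T08:03:05Z proxy client=10.0.0.22 host=d111111abcdef8.cloudfront.net path=/static/app.js",
    "2017-06-10T08:04:00Z dns client=10.0.0.31 query=nottrotux.com type=A",
]
SAMPLE_HASHES = ["fab40a7bde5250a6bc8644f4d6b9c28f", "0" * 32]

if __name__ == "__main__":
    domains = load_domains(DEFANGED_C2)
    for number, host, dom in scan_log(SAMPLE_LOG, domains):
        print(f"line {number}: {host} matches indicator {dom}")
    print("hash matches:", matching_hashes(SAMPLE_HASHES, FIREBALL_MD5))
```

Only lines 1 and 3 of the sample hit: the look-alike `nottrotux.com` and the unrelated CloudFront distribution on line 4 are ignored because matching is anchored on a full label, which is the difference between a usable blocklist and a flood of false positives on shared CDN hosts.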

    Hacking, Internet, Internet Scam Notices
  • Posted on May 31, 2017 10:54 am
    Joseph Forbes
    No comments

    Ransomware cyber attacks are quickly becoming the preferred method of attack by cybercriminals. WannaCry, the latest global incident, is particularly damaging because it is also a worm, not just a ransomware program. As a result, it looks for other computers to spread to. When it infects a new computer, it encrypts the data and locks out the owner until a minimum of $300 in bitcoin is paid. To achieve its unprecedented rate of circulation across networks, WannaCry ransomware utilizes a Windows OS vulnerability that was recently exposed as part of the leaked NSA hacker tools. Microsoft has released a public bulletin along with patches for Windows XP, Windows 8, and certain server platforms that did not receive the original MS17-010 update. You may view their announcement in full here.

    Whether you call it WannaCry, WannaCrypt, WCrypt, Wanacrypt0r, WCry, or one of the other names currently vying for the “call me this” crown, the ubiquitous ransomware which brought portions of the UK’s NHS to its knees over the weekend, along with everything from train stations to ATM machines, is still with us and causing mayhem worldwide. As a result, our regular roundup has been replaced with what will hopefully serve as a useful place to collect links related to the attack.

    First things first: this was a big enough incident that Microsoft created a special patch for Windows XP users, some three years after it had the plug pulled on support. Regardless of Windows OS, go get your update.

    Now that we have that out of the way, here are some handy links for you to get a good overview of what’s been going on:

    A rundown by our good selves, detailing the spread and tactics used by this worm to deposit ransomware globally.
    A deep dive into the malware by one of our malware research specialists.
    Watching the infection bounce around doctors’ surgeries.
    How the purchase of a URL dealt a massive blow to the previously unstoppable spread.
    What happens when the URL-purchasing white hat is doxxed by the press.
    People are paying to retrieve files, but it seems they’re taking quite a gamble. The malware authors are processing decryption manually. If you pay, but they can’t be bothered / their PC explodes / they’re hauled off to jail, you’re definitely not getting files back anytime soon.
    More problems: fake decryption tools. Misery begets misery.
    It may be down, but it most certainly isn’t out, with fresh infections still taking place.
    Accusations of an amateur hour operation, despite the problems caused so far.
    Another “kill-switch” domain has been registered, hoping to slow the follow-up tides of ransomware-related doom.
    The hunt is now on for the people behind it all. They’ve managed to annoy at least 3 major spy agencies, so good luck I guess.
    And finally…

    This is a rapidly changing story, with a lot of valuable follow-up data being posted to haunts favored by security researchers such as Twitter, and we’ll likely add more links as the days pass. Update your security tools, patch your version of Windows and stay safe!

    Blog Entry, Data Recovery, Hacking
  • Posted on April 17, 2017 11:46 am
    Joseph Forbes
    No comments

    A hacker is a tech-savvy user who manipulates and bypasses computer systems to make them do the unintended. Sometimes this manipulation is noble, with the goal of creating something beneficial. Other times, hacking is harsh and done with the wicked goal of hurting people through identity theft or other harm.

    You are likely familiar with the stereotypical 1980's hacker: the evil criminal who is socially isolated. While this stereotype does indeed describe some modern 'black hat' hackers, there exists a subset of hackers who are not criminals. In fact, there are many hackers who use their knowledge for good. Today, 'hacker' is a descriptor that subdivides into three categories:

    'Black Hat' Hackers: criminals and wrongdoers.
    'White Hat' Hackers: ethical hackers who work to protect systems and people.
    'Grey Hat' Hackers: dabble in both black hat and white hat tinkering.

    Classic 'Black Hat' Hackers = Criminals/Lawbreakers

    'Black hat hacker' = criminal with evil intent.

    This is the classic definition of a hacker: a computer user who willfully vandalizes or commits theft on other people's networks. 'Black hat' is a stylish way to describe their malicious motivations. Black hats are gifted but unethical computer users who are motivated by feelings of power, money and petty revenge. They are electronic thugs in every sense of the word, and they share the same personality traits as emotionally stunted teens who smash bus stop windows for personal satisfaction. Black hat hackers are renowned for the following common cybercrimes:

    DDoS (Distributed Denial of Service) flood attacks that impair computer networks.
    Identity theft, phishing, scams and social engineering schemes.
    Vandalism of systems: defacing, disabling, removing access.
    The creation of destructive programs, like worms and CryptoLocker!

    'White Hat' Ethical Hackers = Network Security Specialists

    'White hat' hacker = security professional.

    Different from the classic black hat hackers, white hat hackers are either driven by honorable motivations, or they are mercenaries working on honorable agendas. Also known as 'ethical hackers', white hats are talented computer security users often employed to help protect computer networks. Some white hats are reformed black hats, like former convicts who take on work as store security guards. While they themselves may have been unethical in the past, their current vocation is considered a white hat. With experience in what the 'bad guy' can do, these reformed hats are among the most skilled at protecting their clients.

    Ethical hackers are motivated by a steady paycheck. It is not surprising to see ethical hackers spending those paychecks on very expensive personal computers in their personal lives, so they can play online games after work. As long as they have a good-paying job to support their personal habits, an ethical hacker is usually not motivated to destroy or steal from their employer.

    Special note: some white hat hackers are 'academic hackers'. These are computer artisans who are less interested in protecting systems and more interested in creating clever programs and beautiful interfaces. Their motivation is to improve a system through alterations and additions. Academic hackers can be casual hobbyists, or they can be serious computer engineers working on their graduate-level degrees. These are the people who create new viruses as proofs of concept, with no intention of making the world worse, but to help bring to light problems that need solving.

    'Grey Hat Hackers' = Conflicted, Uncertain Which Side of the Law They Stand On

    Grey hat hackers: a mix of good and evil.

    Grey hat hackers are often hobbyists with intermediate technical skills. These hobbyists enjoy disassembling and modifying their own computers for hobby pleasure, and they will sometimes dabble in minor white collar crimes like file sharing and cracking software. Indeed, if you are a P2P downloader, you are a type of grey hat hacker. These are undisciplined members of the profession, often users with access to tools and 'kits' that enable them to accomplish their goals. In most cases grey hats are people who never gained a formal understanding of what they are doing. Grey hat hackers rarely escalate into becoming serious black hat hackers. Often, grey hats end up getting caught or warned into stopping their activities.

    Subcategories of Hackers: Script Kiddies and Hacktivists

    Script Kiddies: this is a stylish name for novice hackers who are unskilled. Script kiddies can be white hat, black hat, or grey hat. These are people who feel empowered enough to cause damage to others and to themselves.

    Hacktivists: this is the hacker who is also a social activist fighting for a cause. Some people would argue that famous hackers like Lulzsec and Anonymous are hacktivists fighting government corruption and corporate misdeeds. Hacktivists can be white hat, black hat, or grey hat, siding only with whichever cause they support at the time.

    More About Computer Hackers

    Computer hacking is often exaggerated by the media, and very few public narratives give hackers the fair shake that they deserve. While most movies and TV shows about hackers are absurd, you might consider watching Mr. Robot if you want to see what hacktivists do. Every savvy web user should know about the unsavory people on the Web. Understanding common hacker attacks and scams will help you navigate online intelligently and confidently.

    Blog Entry, EDUCATION, Hacking
  • Posted on March 27, 2017 2:45 pm
    Joseph Forbes
    1

    The Cyber Division of the U.S. Federal Bureau of Investigation (FBI) has issued an alert to warn the healthcare industry that malicious actors are actively targeting File Transfer Protocol (FTP) servers that allow anonymous access. According to the law enforcement agency, attackers have targeted the FTP servers of medical and dental facilities in an effort to obtain access to protected health information (PHI) and personally identifiable information (PII), and use it to intimidate, blackmail and harass business owners.

    “The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server,” the FBI said.

    The agency cited research conducted in 2015 by the University of Michigan, which showed that more than one million FTP servers had been configured for anonymous access. These servers allow users to authenticate with only a username, such as “anonymous” or “ftp,” and either a generic password or no password at all. The FBI pointed out that vulnerable FTP servers can also be abused to store malicious tools or to launch cyberattacks.

    “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud,” the FBI warned.

    In 2015, IBM named healthcare as the most attacked industry, with more than 100 million records compromised, after the sector had not even made the top five in the previous year. 
An IBM report for 2016 showed that the volume of compromised records was smaller, but the number of data breaches increased, causing operational, reputational and financial damage to healthcare organizations. A report published recently by Fortinet showed the top threats targeting healthcare companies in the last quarter of 2016, including malware, ransomware, IPS events, exploit kits and botnets.
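The FBI's recommendation above is a concrete audit task: for every FTP server in your inventory, find out whether it accepts the "anonymous"/"ftp" login the alert describes. The following is an added example written for this page, not code from the FBI or this blog. The check itself is just the standard-library ftplib client, whose `login()` with no arguments sends USER anonymous / PASS anonymous@; the tiny FTP server in the same block is a constructed stand-in that speaks only USER, PASS and QUIT, so the check can be exercised offline against both policies. It is meant for servers you administer.

```python
"""Audit whether an FTP server accepts anonymous logins.

Added example, not part of the FBI alert or this post. The audit function
uses the standard-library ftplib client; the stub server below is a
constructed stand-in so the audit can be run offline against a server that
allows anonymous access and one that refuses it.
"""
import ftplib
import socketserver
import threading


def allows_anonymous_login(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if the server lets 'anonymous' in, False if it refuses.

    ftplib.FTP.login() without arguments sends USER anonymous / PASS anonymous@,
    exactly the access mode the alert warns about. A permanent (5xx) refusal
    to either command means anonymous mode is off. Connection errors are left
    to propagate, so "no FTP service" is not confused with "anonymous refused".
    """
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login()
        except ftplib.error_perm:
            return False
        return True


class _AnonymousPolicyHandler(socketserver.StreamRequestHandler):
    """Constructed stub: the minimal FTP dialogue needed by the audit above."""

    def handle(self):
        self.wfile.write(b"220 stub FTP service ready\r\n")
        user = None
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                self.wfile.write(b"331 Password required.\r\n")
            elif cmd == "PASS":
                # Anonymous mode accepts "anonymous" or "ftp" with any password.
                if user in ("anonymous", "ftp") and self.server.allow_anonymous:
                    self.wfile.write(b"230 Anonymous login ok.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented.\r\n")


class _StubServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, allow_anonymous: bool):
        super().__init__(("127.0.0.1", 0), _AnonymousPolicyHandler)  # port 0: pick a free one
        self.allow_anonymous = allow_anonymous


def audit_stub_server(allow_anonymous: bool) -> bool:
    """Start a stub with the given policy, audit it, shut it down, return the verdict."""
    server = _StubServer(allow_anonymous)
    thread = threading.Thread(
        target=server.serve_forever, kwargs={"poll_interval": 0.05}, daemon=True
    )
    thread.start()
    try:
        return allows_anonymous_login("127.0.0.1", server.server_address[1], timeout=3.0)
    finally:
        server.shutdown()
        server.server_close()
        thread.join()


if __name__ == "__main__":
    for policy in (True, False):
        verdict = "ALLOWS anonymous login" if audit_stub_server(policy) else "refuses anonymous login"
        print(f"stub with anonymous mode {'on' if policy else 'off'}: {verdict}")
```

Against real hosts, call `allows_anonymous_login(host)` for each server on your inventory; a True result is the condition the FBI asks administrators to find, and the follow-up is either to disable anonymous mode or to make sure no PHI or PII is reachable from that share.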

    Blog Entry, DATA, Hacking
  • Posted on March 14, 2017 11:45 am
    Joseph Forbes
    No comments

    Several small and midsize businesses are susceptible to Distributed Denial of Service (DDoS) attacks. What would be the best way for such businesses to handle this problem? Plan ahead: this is what security experts suggest based on their past experience! A majority of small businesses and start-ups have small teams with very few resources to defend against DDoS attacks. As indicated by the name of the attack, it stops users from accessing the services and the site by hurling a lot of data against the firm’s web and hosting services. If you are wondering whether DDoS attacks are really so common that businesses need to be concerned about them, statistics indicate that around 2,000 such attacks happen on a daily basis, costing a loss of revenue in the range of $5,000 - $40,000 per hour for businesses. Attackers can be vandals, competitors, hacktivists or extortionists. If your company isn’t equipped with professional network security experts, here are a few things you can do to stay safe from DDoS attacks.

    Stay Prepared

    Every business should have a disaster recovery plan ready for DDoS attacks. Best practices include identifying the key employees who are given the responsibility. Establish the roles of every team member, their tasks and requirements. Give the team the needed practice on a mock basis so that those involved are aware of how to handle things when a disaster inevitably happens. Work with your internal PR and IT teams, ISP and hosting providers to recognize the susceptible points of failure, routes of escape and technical gaps.

    Understand DDoS Attacks

    There are many well-tested DDoS prevention programs that run advanced algorithms to identify various kinds of traffic. They try to sniff out, identify and filter different kinds of benign and malevolent bots and allow only legitimate traffic. 
It’s not easy to judge from just one instance whether an attack is amateurish or professional, though it’s fairly safe to assume that any network attack that crosses 50 Gbps is likely to be professional. Often marketed under the inoffensive category of 'network security programs', a few of the most common attack tools are called stressers or booters. As implied by the name, these tools intensify and focus the payload of a DDoS.

Be Ready to Respond with Your Guns

As in all cases of disaster response, stay calm without panicking. Ensure that your services are up and running; give your customers a brief. Your team can respond readily only if you’ve prepared properly. Co-ordinate with your team members and optimize the tactics for the disaster response. Once the attack is mitigated by your tech team, ensure that the communication team is ready to reveal the details to the press and the legal team is prepared to handle the possible regulatory and compliance part. If you are asked to pay the attacker a ransom, don’t do it, as this will only mark your organization and they may return for more. Once you are identified this way, other attackers may also sense it and come your way.

Learn and Implement

Once the attack subsides, try to learn from it. Analyse thoroughly what went right and what went wrong. Ensure that your legal and IT teams collect the required forensic information. Create a communication protocol to deal with internal team queries, your clients and the press. Try to identify the network bottlenecks exposed by the attack and select infrastructure with inherent resiliency. Analysis and communication are the two aspects that will go a long way in preparing for the next attack and enhancing your team’s morale. And you should be wary of the latest threats emerging in the cyber world, such as the latest DDoS extortion attack.
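The post says DDoS prevention programs work by identifying kinds of traffic and filtering the malevolent bots. The simplest version of that classification is a per-source rate check over a sliding time window, shown here as an added example written for this page (not code from the original post): it parses constructed web-server log lines, keeps a bounded queue of recent request timestamps per source address, and reports any source that exceeds a request limit inside the window. The log format, the 10-second window and the 20-request limit are assumptions to be tuned for a real site. A check like this only helps at the application layer; a volumetric flood of the 50 Gbps size the post mentions has to be absorbed upstream by the ISP or hosting provider, which is why the post tells you to coordinate with them in advance.

```python
"""Flag sources whose request rate exceeds a limit within a sliding window.

Added example; not code from the original post. It is a small version of the
traffic classification the post says DDoS prevention programs perform,
applied to constructed web-server log lines. The window, the limit and the
log format are assumptions to be tuned for a real site.
"""
import re
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed format: <source ip> [<unix time>] "<request line>" <status>
LINE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')


def parse_line(line: str) -> Optional[Tuple[str, int, str, int]]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE.match(line)
    if m is None:
        return None
    return m.group("ip"), int(m.group("ts")), m.group("req"), int(m.group("status"))


def find_flooders(
    lines: Iterable[str], window_seconds: int = 10, max_requests: int = 20
) -> Dict[str, int]:
    """Return {source ip: peak request count} for sources over max_requests in any window.

    Each source keeps a queue of its recent timestamps; entries older than the
    window are dropped as it slides, so memory per source is bounded by the
    number of requests that fit in one window. Lines must be in time order
    per source, as a log written by one server is.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted as traffic
        ip, ts, _, _ = parsed
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] >= window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def build_sample_log() -> List[str]:
    """Constructed sample: normal browsing from three clients plus one flooding source."""
    lines = []
    for i in range(12):  # one request every few seconds, spread over three clients
        lines.append(f'198.51.100.{i % 3 + 1} [{1000 + i * 4}] "GET /index.html HTTP/1.1" 200')
    for t in range(1000, 1010):  # five requests per second for ten seconds from one source
        for _ in range(5):
            lines.append(f'203.0.113.9 [{t}] "POST /login HTTP/1.1" 200')
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in find_flooders(build_sample_log()).items():
        print(f"{ip}: peak of {peak} requests inside one 10 s window")
```

On the sample, only 203.0.113.9 is reported (50 requests inside one window); the three browsing clients never exceed one request per window. In production the output feeds a block or rate-limit rule rather than a print, and the limit should be set from your own traffic baseline so that a busy legitimate client such as a corporate proxy is not flagged.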

    Blog Entry, DATA, Hacking