Cyber Advisors Blog

In the Know - Cyber Security update - Week of July 16th 2017

Posted by Eric Brown on Jul 23, 2017 9:31:50 PM

More malware finds macOS, French domain registrar loses control of 751 domain names, attackers demonstrate taking full control of a Segway MiniPro (while it's being ridden), the Devil's Ivy exploit leaves millions of IoT devices vulnerable, and more cryptocurrency is stolen, $30M more.

1.  OSX/Dok targets Macs in bank account theft.

Due to the rise in popularity of Macs (3x market share growth in the last decade – Gartner) and the (false) stigma that Macs are invulnerable to malware, we are seeing a rise in the number of malware ports from Windows to macOS.

The repackaged Windows Retefe Trojan has become OSX/Dok on Macs.  This new Mac malware pushes Signal, a private messaging app, onto victims' mobile devices as part of a complex operation to steal banking credentials.  The initial attack starts with a phishing email that includes a malicious application signed with an Apple developer certificate, which helps it bypass macOS Gatekeeper (the macOS feature that verifies apps haven't been tampered with since they were signed).

After a successful install, OSX/Dok disables security updates and blocks communications with Apple and antivirus websites.  Next, a Tor browser and a proxy configuration file are installed, which set up a man-in-the-middle attack and redirect traffic destined for a list of banking sites (such as cbhbank and credit-suisse) to fake sites hosted by the attackers.  Once the attackers have captured the victim's account information, they can use it however they want.

When the victim visits one of these attacker-hosted sites, they are prompted to enter a mobile number to receive a download link for a mobile application (Signal, an encrypted messaging app).  While Signal isn't directly used in the attack, researchers believe the platform may be used to communicate with the impacted user at a later date.

More info and screenshots:
https://www.grahamcluley.com/dok-mac-malware/

2.  Gandi.net domain name registrar hacked – loses control of 751 domains

An unauthorized connection to a technical partner resulted in the modification of the name servers controlling 751 domain names, pointing their traffic to a malicious site.

The attacker was able to make the changes by accessing the web portal of a technical partner using covertly obtained login credentials.  It is believed that the credentials were obtained from an insecure connection to the technical partner's web portal (the platform allows access over plain HTTP).

Additionally, the attacker hijacked email, DNS MX, and SPF records.  The domain hijacking event also broke incoming HTTPS traffic to the affected domains.


In the Know - Cyber Security update - Week of July 9th 2017

Posted by Eric Brown on Jul 16, 2017 10:11:01 PM

Girl Scouts gear girls up for cybersecurity jobs, WWE exposes a massive amount of data on its customers, AT&T transfers a phone number to an attacker, bitcoin mines beneath datacenters, and a study shows that Thursday is the day that receives the highest number of malicious attachments.


In the Know - Cyber Security update - Week of July 2nd 2017

Posted by Eric Brown on Jul 10, 2017 8:23:27 AM

Last week brought two bitcoin-related attacks, largely the result of successful social engineering (voice phishing): one on the South Korean bitcoin exchange Bithumb and the second a website hijack of classicetherwallet.com.  AV-Test's comprehensive security report shows Mac and Android malware on the rise.  Servers of Intellect Services, authors of M.E.Doc, were raided by Ukrainian police.  And finally, a BIND flaw is patched.


In the Know - Cyber Security update - Week of June 26th 2017

Posted by Eric Brown on Jul 3, 2017 8:19:24 AM

1.  Blank Slate Ransomware Campaign

Empty email messages that have no body but carry an attachment are something to be mindful of.  If this type of email makes it through your spam and malware filters, it's best to delete it right away.  However, a new Blank Slate campaign has emerged which contains a Microsoft-themed email body.  The email suggests that your Microsoft account was just logged into and that, if you didn't do so, you should click on a link to report that you didn't log in.  Once you click on the link, it downloads a zip file containing JavaScript that leads to crypto-ransomware.


In The Know - Cyber Security Update - Week of June 19th 2017

Posted by Eric Brown on Jun 26, 2017 8:30:59 AM

1.  Google will stop scanning its 1.2+ billion Gmail account inboxes for ad personalization

Google aims to align its free consumer email service (Gmail) with its G Suite business-class offering.  This includes no longer using Gmail inbox contents as input for ad personalization.  Google claims that this change will bring Gmail ads in line with the way ads are personalized for other Google products.  While inboxes may no longer be directly scanned for ad personalization, Google likely has other ways to gather this information.


In The Know - Cyber Security Update - Week of June 12th 2017

Posted by Eric Brown on Jun 18, 2017 9:50:21 PM

1.  Mac ransomware-as-a-service and Mac spyware released


Fighting Back Against Ransomware

Posted by Eric Brown on May 15, 2017 11:24:46 AM

As you've probably seen in the news this weekend, criminal hackers have released a new strain of ransomware that spreads itself automatically across all workstations in a network, causing a global epidemic. If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation but immediately everyone else's computer too.

Be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, do not open it; delete the whole email instead. Remember: "When in doubt, throw it out!"


A new ransomware WCry and Microsoft Security Bulletin MS17-010

Posted by Igor Bogachev on May 12, 2017 9:32:46 PM

There is another ransomware attack that has so far hit 74 countries around the globe. This new ransomware is named WCry (also referenced under the names WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r). The vulnerability it exploits affects pretty much all Microsoft operating systems, from Vista to Windows 10 and from Windows Server 2008 to Windows Server 2016.


Microsoft’s Emergency Fix for Critical Antivirus Bug

Posted by Igor Bogachev on May 9, 2017 9:27:10 AM

Microsoft released an emergency fix yesterday, Monday May 8th, to address a critical security vulnerability in the Microsoft Malware Protection Engine which affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.


Researchers Sound Alarm for a Critical 0-Day Threat in Microsoft Word

Posted by Igor Bogachev on Apr 13, 2017 1:53:33 PM

Monday night, researchers sounded the alarm about a critical 0-day threat, known as CVE-2017-0199, in Microsoft Word that allowed booby-trapped Dridex phishing attacks to be sent to millions of employees, claiming to be a PDF sent to them by their company copier. This one is particularly bad because it bypasses the exploit mitigations built into Windows, doesn't require your employee to enable macros, works even against Windows 10, which is Redmond's most secure OS yet, and works on most or all Windows versions of Word.
