Saturday 17 June 2017

SOREBRECT Ransomware: Fileless Malware Detected In The Wild

Attackers are constantly looking for new ways to evade detection. While new forms of cybercrime are on the rise, established criminal operations are also shifting towards techniques that offer a wide choice of attack vectors and low detection rates. Newer malware techniques take advantage of operating system features to inject malicious code into memory or the operating system registry without leaving a file on disk.

Security researchers first encountered SOREBRECT early this year while monitoring the systems and networks of organizations in the Middle East. Extracting and analysing the SOREBRECT samples revealed the unusual techniques it employs to encrypt its victims’ data. Unlike traditional ransomware, SOREBRECT has been designed to target enterprise servers and endpoints. Attacks of this kind are known as fileless or non-malware ransomware; they leverage Microsoft’s PowerShell scripting language and reach organizations through documents and applications that run macros.

The experts noticed that the SOREBRECT fileless ransomware first compromises administrator credentials (e.g. through brute-force attacks), then leverages the Microsoft Sysinternals PsExec command-line utility to encrypt files. PsExec lets attackers run commands on a remote machine without establishing a full interactive login session or manually transferring the malware to that machine, as they would have to over RDP.

SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging.

SOREBRECT can also scramble the files of other computers connected to the infected machine through the local network. It does so by scanning the network for asset discovery and enumerating open shares—folders, content or peripherals (e.g. printers) that others can readily access through the network.
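
A defender-side hunt for this deployment chain, as an added example that is not from the original post or from the researchers: it runs over constructed Windows System and Sysmon records (host names, paths, the payload name and the encrypted-file extension are placeholders) and flags hosts where a PsExec service install and a PsExec-launched process are followed by svchost.exe rewriting user documents in bulk.

```python
"""Hunt for the PsExec-then-svchost deployment chain in exported Windows events.

Added example, not part of the original post.  The event IDs are real Windows ones
(System 7045 = a service was installed; Sysmon 1 = process create; Sysmon 11 = file
create), but every record below is constructed: host names, paths, the payload name
and the encrypted-file extension are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"   # service name and binary that PsExec installs on the target
SVCHOST = r"c:\windows\system32\svchost.exe"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def _ts(s):
    return datetime.strptime(s, TIME_FMT)


def build_sample_events():
    """Constructed stream: PsExec install on FS01, a payload launched by the PsExec
    service, then svchost.exe rewriting user files in bulk.  WS07 is a quiet host."""
    events = [
        {"ts": "2017-06-01T09:00:01", "host": "FS01", "channel": "System", "id": 7045,
         "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
        {"ts": "2017-06-01T09:00:02", "host": "FS01", "channel": "Sysmon", "id": 1,
         "Image": r"C:\Windows\PSEXESVC.exe",
         "ParentImage": r"C:\Windows\System32\services.exe"},
        {"ts": "2017-06-01T09:00:03", "host": "FS01", "channel": "Sysmon", "id": 1,
         "Image": r"C:\Windows\Temp\deploy.exe",      # placeholder payload name
         "ParentImage": r"C:\Windows\PSEXESVC.exe"},
        {"ts": "2017-06-01T09:05:00", "host": "WS07", "channel": "System", "id": 7045,
         "ServiceName": "PrinterSvc", "ImagePath": r"C:\Program Files\Vendor\psvc.exe"},
        {"ts": "2017-06-01T09:05:10", "host": "WS07", "channel": "Sysmon", "id": 11,
         "Image": SVCHOST, "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\x.tmp"},
    ]
    base = _ts("2017-06-01T09:00:10")
    for i in range(40):   # 40 document rewrites in 40 seconds, one per second
        events.append({"ts": (base + timedelta(seconds=i)).strftime(TIME_FMT),
                       "host": "FS01", "channel": "Sysmon", "id": 11, "Image": SVCHOST,
                       "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.locked"})
    return events


def find_psexec_installs(events):
    """System 7045 whose service name or image path names the PsExec service."""
    return [e for e in events if e["channel"] == "System" and e["id"] == 7045
            and PSEXEC_SERVICE in (e.get("ServiceName", "") + e.get("ImagePath", "")).upper()]


def find_psexec_children(events):
    """Sysmon 1: whatever the PsExec service spawns is the remotely executed command."""
    suffix = "\\" + PSEXEC_SERVICE.lower() + ".exe"
    return [e for e in events if e["channel"] == "Sysmon" and e["id"] == 1
            and e.get("ParentImage", "").lower().endswith(suffix)]


def find_svchost_file_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Per host, the largest number of files svchost.exe created under C:\\Users inside
    one sliding window, reported only when it reaches the threshold.  A service host
    has no business rewriting user documents in bulk; that is the encryption phase."""
    per_host = defaultdict(list)
    for e in events:
        if (e["channel"] == "Sysmon" and e["id"] == 11
                and e.get("Image", "").lower() == SVCHOST
                and e.get("TargetFilename", "").lower().startswith("c:\\users\\")):
            per_host[e["host"]].append(_ts(e["ts"]))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), end - start + 1)
    return hits


def hunt(events):
    """Correlate the three signals per host: all three together is the chain the post
    describes (PsExec deployment, payload run, svchost finishing the encryption)."""
    installs = {e["host"] for e in find_psexec_installs(events)}
    children = {e["host"] for e in find_psexec_children(events)}
    bursts = find_svchost_file_bursts(events)
    verdicts = {}
    for host in installs | children | set(bursts):
        score = (host in installs) + (host in children) + (host in bursts)
        verdicts[host] = "critical" if score == 3 else "suspicious"
    return verdicts
```

Tune the threshold and window to the baseline of your own servers; a single hit on any one signal is worth a look, but only the full chain on one host is scored critical.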



How does Fileless Ransomware Work with PowerShell?
Non-malware, aka fileless, ransomware (unlike traditional ransomware) does not drop an executable file on disk to encrypt your data; instead it runs scripts or macros, typically through PowerShell, that carry out the encryption.

What are the two ways fileless ransomware can penetrate your systems?
Via Phishing Attacks: An email attachment is opened on a device (tablet, laptop, cellphone or desktop) and its macros run directly from the device’s memory, encrypting your data and presenting payment demands.

Via Compromised Websites: An employee browses or visits a compromised or malicious website whose scripts run in the computer’s RAM, harvest pertinent information and then either demand cryptocurrency or immediately encrypt your files.

Why is fileless ransomware unique?
Fileless malware is unique and difficult to detect because the malicious code is embedded into a native scripting language or written straight into the computer’s RAM, where it hides in isolated spots within the computer’s memory. It’s not written to disk nor does the malicious code rely on the hard drive to run these commands.

What are the problems associated with Fileless Ransomware?
  • Fileless ransomware leaves little trace behind, and antivirus software that only scans files on disk has nothing to detect.
  • This ransomware strain allows cyber criminals to have access to your systems, meaning that they can infiltrate your computers, steal your information and encrypt your files without your IT staff even knowing. 
  • It can lead to more attacks. As the cyber criminals are writing scripts they’re also gathering as much data from the victim’s computer as possible.
What can end users do to protect themselves?

Since the ransomware does not target individuals but organizations, sysadmins and information security professionals can protect themselves by:
  1. BACKUP YOUR DATA
  2. BLOCK ALL INFECTED EMAILS, PAGES & COMMUNICATION WITH BROWSERS AND SERVERS.
  3. UPDATE YOUR SYSTEM
  4. RESTRICT USER WRITE PERMISSIONS
  5. BE VIGILANT
  6. FOSTER CYBER SECURITY AWARENESS SESSIONS

Humans are often the weakest defensive link, and this type of attack relies heavily on that vulnerability.

Wednesday 14 June 2017

Millions Are Lost Because Of Poor Endpoint Security

With more than 200 different products from 125 vendors to solve the top 20 security controls (deep breath), there’s no shortage of information security tools in the market. Organizations are building defensive arsenals with these tools, but the intruders are still slipping through the digital “doors and windows” left open and unlocked by the organization.

Why predict the next threat when you can confidently address the root cause of the problem? First, identify what needs to be managed and secured within an environment, then work to proactively secure every asset with the appropriate patches and security configuration controls. It’s the first thing we say to our customers: you can’t secure what you can’t manage, and you can’t manage what you don’t know about.

A new study reveals organizations are wasting an average of $6 million on the time to detect and contain insecure endpoints, among other staggering findings that show endpoint threats are a growing concern, companies are not efficiently protecting their proprietary data, and the cost and complexity of reducing endpoint risks are at an all-time high.


The research did not take into account the liability associated with increased risks of data breaches that are becoming all too commonplace as workers place data at risk on laptops, mobile phones and tablets.


Key findings from the study include the following:
  • 56% of companies lack a cohesive compliance strategy.
  • 70% report a “below average” ability to minimize endpoint failure damages.
  • 28% of respondents say their organizations rely upon automated analysis and inspection to determine compliance.
  • 63% could not monitor endpoint devices when they left the corporate network.
  • 53% of companies reveal that malware-infected endpoints have increased in the last 12 months.
  • Respondents believe automation increases efficiency and offers better visibility of dark endpoints: it costs organizations an average of $1.37 million annually in wasted time responding to erroneous malware alerts, and enterprises could save nearly $2.1 million annually with automated endpoint security solutions.
This study along with recent ransomware attacks and high-profile data breaches show the danger of today’s endpoint blind spots, and underscore that automation and newer approaches to endpoint security are key to safeguarding endpoints and the sensitive data on them for optimal business performance.

All in all, we found:

Adobe: 2,771 critical vulnerabilities (CVSS 5 or higher), with 98.9% of endpoints running a vulnerable version of Shockwave and 91% running vulnerable versions of Flash.

Java: 106 distinct versions of Java detected with 97.8% of endpoints impacted by vulnerabilities.

Windows Patches: 77% of machines were missing six or more critical updates, with 1.6 million missing patches in all; the oldest reported missing critical patch dated from 2007, making it nearly 10 years old.

SCCM: 20% of machines with unhealthy SCCM clients.

After an Assessment, the end of the story isn’t just fixing your patches and closing your vulnerabilities. An assessment report is simply a snapshot of today. If it’s the end of your actions, you’ll find yourself in the exact same position soon enough if your tools and workflows aren’t corrected. Therefore, it is necessary to establish a process and measure the effectiveness for continual improvement.

Don’t waste time guessing where the next attack might occur, when you can fix the underlying problems.

Sunday 11 June 2017

National Critical Information Infrastructure Protection Centre (NCIIPC)

In recent times there has been increasing emphasis on cyber security at the international level, because cyber-attacks are occurring worldwide and every country faces the threat. Countries are trying to coordinate cyber security initiatives at national and international levels. However, cyber security in India is still not up to the mark, and India increasingly faces cyber-attacks and cyber threats from foreign nationals.

For instance, cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber-attacks against India have increased a lot. Previously, we did not have a strong cyber law to deter cyber-attacks and cyber-crimes. Further, we had no cyber security laws in India as well.

On the verge of finding a strong solution to this, a National Critical Information Infrastructure Protection Centre (NCIIPC) of India was proposed and brought into existence. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

Similarly, the home ministry of India has also launched national intelligence grid (Natgrid) project of India, crime and criminal tracking networks and systems (CCTNS) project of India, national counter terrorism centre (NCTC) of India, etc. These projects intend to strengthen the intelligence gathering and counter terrorism capabilities of India.

The cyber law of India must be suitably amended, perhaps repealed, to make a more robust and stringent cyber law of India. We need dedicated cyber security legal framework in India and cyber forensics laws in India.

What is NCIIPC?
The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India, created through a gazette notification and based in New Delhi, India. It is designated as the National Nodal Agency in respect of Critical Information Infrastructure Protection.

NCIIPC has broadly identified many critical sectors, some of which are as follows:
  • Power & Energy
  • Banking, Financial Institutions & Insurance
  • Information and Communication Technology
  • Transportation
  • Government (except those under the Ministry of Defence)
  • Strategic Public Enterprises
  • States and Union Territories

What does NCIIPC do?
It takes all necessary measures to facilitate protection of Critical Information Infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders.

Operations of NCIIPC:
  • It protects, and delivers advice that aims to reduce the vulnerabilities of, critical information infrastructure against cyber terrorism, cyber warfare and other threats.
  • It identifies all critical information infrastructure elements for approval by the appropriate Government for notifying the same.
  • It coordinates, shares, monitors, collects, analyses and forecasts national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts.
  • It evolves protection strategies, policies, vulnerability assessment and auditing methodologies, and plans for their dissemination and implementation for protection of Critical Information Infrastructure.
  • It develops and organises training and awareness programs, and nurtures and develops audit and certification agencies for protection of Critical Information Infrastructure.
  • It issues guidelines, advisories and vulnerability or audit notes relating to the protection of critical information infrastructure and to practices, procedures, prevention and response, in consultation with the stakeholders and in close coordination with the Indian Computer Emergency Response Team and other organisations working in the field or related fields.
  • In the event of any threat to critical information infrastructure, NCIIPC may call for information and give directions to the critical sectors or to persons serving or having a critical impact on Critical Information Infrastructure.
  • It undertakes research and development and allied activities, and provides funding (including grants-in-aid) for creating, collaborating on and developing innovative future technology, developing and enabling the growth of skills, and working closely with the wider public sector, industry, academia and international partners for protection of Critical Information Infrastructure.
NCIIPC has also been instrumental in declaring two major entities as protected – systems of the Aadhaar unique identification project and the Long Range Identification and Tracking (LRIT) system of the Ministry of Shipping. The agency has also started approaching various sectors to create guidelines that can set standards for private and public sector entities across the board.

It is worth adding that with the establishment of the National Critical Information Infrastructure Protection Centre (NCIIPC) in 2014, India has taken an important step towards strengthening its cybersecurity. The centre maintains a 24x7 Help Desk to facilitate reporting of incidents, and it plays a crucial role in coordinating the response of the various CII stakeholders in close cooperation with CERT-India.

Your PowerPoint files are delivering malware. Check how!!!

Cyber criminals have been leveraging a new technique, which involves PowerPoint files and mouse over events, to get users to execute arbitrary code on their systems and download malware.


It’s not uncommon for malicious actors to deliver malware using specially crafted Office files, particularly Word documents. These attacks typically rely on social engineering to trick the targeted user into enabling VBA macros embedded in the document. Security researchers recently discovered several malicious PowerPoint files that exploit the mouse over events to execute PowerShell code. Threat actors are sending out spam messages with subject lines such as “Purchase Order #130527” and “Confirmation,” and attachments named “order.ppsx” or “invoice.ppsx.”

An analysis conducted by Ruben Daniel Dodge shows that when the PowerPoint presentation is opened, it displays the text “Loading...Please wait” as a hyperlink. If the user hovers the mouse over the link – even without clicking it – the execution of PowerShell code is triggered. The Protected View security feature, which is enabled by default in most supported versions of Office, informs the user of the risks and prompts them to enable or disable the content.


If the victim enables the content, the PowerShell code is executed and a domain named “cccn.nl” is contacted. A file is downloaded from this domain and executed, ultimately resulting in the deployment of a malware downloader. The researchers highlighted that the attack doesn’t work if the user opens the PowerPoint document with PowerPoint Viewer.
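
A defender-side triage script for the technique described above, as an added example that is not from the original article or from the researchers: it unpacks a PowerPoint deck (constructed in memory here, with an inert placeholder in place of any real command) and reports every click or hover action whose ppaction://program target would launch an external program, so such files can be quarantined at the mail gateway before a user ever hovers over the link.

```python
"""Static triage of a PowerPoint deck for hyperlink actions that run a program.

Added example, not from the original article.  A .ppsx/.pptx is a ZIP of XML parts:
a slide (ppt/slides/slideN.xml) may carry <a:hlinkClick> / <a:hlinkMouseOver> elements,
and action="ppaction://program" means "run a program" rather than "open a URL".  The
program string is the external Target with the matching Id in the slide's
ppt/slides/_rels/slideN.xml.rels part.  The deck below is constructed in memory with an
inert placeholder target.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
R_ID = "{%s}id" % NS_R
# Actions that execute rather than navigate; the article's lure uses ppaction://program.
EXEC_ACTIONS = ("ppaction://program", "ppaction://macro")

SLIDE_TMPL = (
    f'<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>'
    '<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">{link}</a:rPr>'
    '<a:t>{text}</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
)
RELS_TMPL = (
    f'<Relationships xmlns="{NS_REL}">'
    f'<Relationship Id="rId1" Type="{NS_R}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    f'<Relationship Id="rId2" Type="{NS_R}/hyperlink" Target="{{target}}" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_deck():
    """Two constructed slides: slide1 carries the hover-to-run lure, slide2 a plain link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_TMPL.format(
            link='<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>',
            text="Loading...Please wait"))
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   RELS_TMPL.format(target="powershell CONSTRUCTED_PLACEHOLDER_COMMAND"))
        z.writestr("ppt/slides/slide2.xml", SLIDE_TMPL.format(
            link='<a:hlinkClick r:id="rId2"/>', text="Company site"))
        z.writestr("ppt/slides/_rels/slide2.xml.rels",
                   RELS_TMPL.format(target="https://example.com/"))
    return buf.getvalue()


def scan_deck(data):
    """Return one finding per click/hover action that launches a program or macro."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            # Resolve r:id -> (Target, TargetMode) from the slide's own .rels part.
            targets = {}
            rels = f"ppt/slides/_rels/{m.group(1)}.xml.rels"
            if rels in names:
                for rel in ET.fromstring(z.read(rels)):
                    targets[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode"))
            for el in ET.fromstring(z.read(name)).iter():
                tag = el.tag.rsplit("}", 1)[-1]
                if tag not in ("hlinkClick", "hlinkMouseOver"):
                    continue
                action = el.get("action", "")
                if not action.startswith(EXEC_ACTIONS):
                    continue
                target, mode = targets.get(el.get(R_ID), (None, None))
                findings.append({"slide": m.group(1), "element": tag, "action": action,
                                 "target": target, "external": mode == "External"})
    return findings


def verdict(data):
    """'block' when any click or hover action runs a program, otherwise 'clean'."""
    return "block" if scan_deck(data) else "clean"


if __name__ == "__main__":
    for f in scan_deck(build_sample_deck()):
        print(f"{f['slide']}: {f['element']} {f['action']} -> {f['target']!r}")
```

Point scan_deck at the bytes of a real attachment to triage it; the hlinkMouseOver finding is the one the article describes, since it fires on hover without a click.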

The security firm pointed out that while the attack does not work if the malicious presentation is opened using PowerPoint Viewer, and most versions of Office warn the user before the code is executed, the method could still be efficient in some cases.

“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros,” continues SentinelOne Labs.

Friday 9 June 2017

Using OneLogin Password Manager? You Are Definitely At A Greater Risk !!!

Are you using OneLogin password manager? If yes, then immediately change all your account passwords right away.

Customer data residing in password management service OneLogin was compromised when a “malicious actor” accessed information on keys used for encryption, the firm reports. ZDNet reported that the company told users, "all customers served by our data center are affected and customer data was potentially compromised." Although the company did not provide many details about the nature of the cyberattack, the statement released by the firm suggests that the data breach is extensive.

Well, this isn't the first time a password manager has faced a hack. Popular tool LastPass was hacked in 2015. And OneLogin faced a different hack of one aspect of its service last year.

How did the attack take place?

OneLogin, which aims at offering a service that "secures connections across all users, all devices, and every application," has not yet revealed potential weaknesses in its service that may have exposed its users’ data in the first place.

The attack occurred on May 31 around 2am PST (09:00 GMT), according to OneLogin. Staff were not aware of the breach until seven hours later, at 9am PST, and within minutes shut down the affected instance as well as the AWS keys that were used to create it. Later in the day, the company said in an update: "Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US."

What type of information was stolen?

Although it is not clear exactly what data has been stolen in the hack, a detailed post on a support page accessible to customers only apparently says that all customers served by the company's US data centre are affected and their data has been compromised, though no exact count is given.

OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It's thought that the company has 12 million users serving more than 2,000 companies in dozens of countries. The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web Services, Microsoft's Office 365, LinkedIn, Slack, Salesforce, SharePoint, Zendesk, Twitter and Google services.

The threat actor is said to have been able to access database tables that contain information about users, apps, and various types of keys. Although OneLogin encrypts certain sensitive data at rest, it could not rule out the possibility that the hacker also obtained the ability to decrypt data.

What is OneLogin doing in this scenario?

OneLogin has blocked the unauthorized access to its data centre and is actively working with law enforcement and a security firm to investigate the incident and verify the extent of the impact.


"We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident," the company's chief security officer Alvaro Hoyos said.
"We are actively working to determine how best to prevent such an incident from occurring in the future."

What should you do now?

First of all, change passwords for all your accounts that you have linked with OneLogin.

The company has given customers an extensive list of actions to take to protect themselves and minimise the risk to their data, which includes:
  • Forcing a password reset for all of its customers.
  • Creating new security credentials, OAuth tokens and certificates for apps and websites.
  • Rotating secrets stored in OneLogin's Secure Notes.
For any other queries, OneLogin customers can contact the company at security-support@onelogin.com

It's the second such breach in as many years. Last August, the company warned users that an "unauthorized user" had accessed one of its standalone systems, used for log storage and analytics, exposing data from its Secure Notes service.

Pacemakers: Pay for your life or die


Have you ever thought about how safe your pacemaker is from the hands of hackers? Yes, you heard it right: today we are talking about the thousands of security flaws identified in pacemakers that hackers could easily exploit, potentially at the cost of a life.

A pacemaker is a small electrical battery-operated device that's surgically placed in the chest or abdomen to help control abnormal heart rhythms. This device uses electrical pulses to prompt the heart to beat at a normal rate. Millions of people that rely on pacemakers to keep their hearts beating are at risk of software malfunctions and hackers, which could eventually take their lives. 

In a recent study, researchers from security firm White Scope analysed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers.

The White Scope analysis covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and cloud-based systems to send patient's vital data over the Internet to doctors for examining. All of the programmers examined by the security firm had outdated software with known vulnerabilities, many of which run Windows XP.

What's more frightening?

Researchers discovered that the pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external programmer could potentially harm or kill a patient with an implanted pacemaker.

So, any working tool sold on eBay has the potential to harm patients with the implant.



"All manufacturers have devices that are available on auction websites," the researchers said. "Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000."

Is that all? NO, there is more to know:

The list of security vulnerabilities the researchers discovered in devices made by four vendors includes hardcoded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates, and using universal authentication tokens for pairing with the implanted device.
  1. In a few instances, researchers discovered unencrypted patient data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving them wide open for hackers to steal.
  2. Another major issue identified was the lack of the most basic authentication step, the login and password. The pairing process is so weak that physicians can authenticate a programmer to a cardiac implant device without even entering a password. In short, anyone within range of the devices can change a patient's pacemaker settings using a programmer from the same manufacturer.
It seems that while cyber security firms are continually improving software and security systems to protect systems from hackers, medical devices such as insulin pumps or pacemakers remain very vulnerable to life-threatening hacks.

Saturday 3 June 2017

Fireball Malware: Infects More than 250 Million Computers

China has long been known as a country that harbours hackers and virus makers. Traditionally these were individual users and bot farms creating malware that hacked systems worldwide. It now turns out that a Chinese digital advertising agency has joined the fray by creating a virus called “Fireball”. This malware is an adware package that takes complete control of victims' web browsers and turns them into zombies, potentially allowing attackers to spy on victims' web traffic, steal their data and execute arbitrary malicious code on the infected machines, creating a massive security hole in targeted machines and networks.

A Beijing-based digital advertising company called Rafotech recently created this malware to generate profits for their own company. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information.

Fig 1. Rafotech's Advertisement on the Company's Official Website

Therefore, to maximize their ad revenues, Rafotech created this Fireball virus which is estimated to have infected over 250 million computers worldwide already. As the company uses digital certificates for this Fireball virus, it has managed to evade blocking and detection techniques employed by websites and security programs. 

The threat from the Fireball malware is even greater because it can access your personal information, passwords, and even credit card data. While it seems that Rafotech has used it only for fake ad clicks until now, there is no guarantee that the company will not try to harvest your personal information and use it for profit.

Key Findings:

  • A high volume Chinese threat operation which has infected over 250 million computers worldwide and 20% of corporate networks.
  • Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  • Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
  • Chinese digital marketing agency runs this operation.
  • Top infected countries are India (10.1%) and Brazil (9.6%).
According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Fig 2. Fireball Global Infection Rates (darker pink = more infections)


Execution Flow:

Fireball acts as a browser hijacker, but it can be turned into a fully working malware downloader. It controls users’ browsers and diverts them to fake web search engines. These fake search engines carry tracking pixels which gather users’ sensitive information.

Fig 3. Fireball Infection Flow

Am I Infected?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. Also cross-check the number of browser add-ons you have installed; if nothing has changed, you are not infected with the adware. You can also use a recommended adware scanner, just to be extra cautious.

If I am infected, how do I remove it?

The primary way to prevent such infections is to be very careful when you agree to install. You should always pay attention when installing software, as software installers usually include optional installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

To remove almost any adware, follow these simple steps:

  • Uninstall the adware:
      On Windows: remove the application from the Programs and Features list in the Control Panel.
      On Mac OS:
        1. Use the Finder to open the Applications folder.
        2. Drag the suspicious application to the Trash.
        3. Empty the Trash.
  • Scan and clean your machine, using:
        1. Anti-malware software
        2. Adware cleaner software
  • Remove malicious add-ons, extensions or plug-ins from your browser:
      On Google Chrome:
        1. Click the Chrome menu icon and select Tools > Extensions.
        2. Locate and select any suspicious add-ons.
        3. Click the trash can icon to delete them.
      On Internet Explorer:
        1. Click the Settings icon and select Manage Add-ons.
        2. Locate and remove any malicious add-ons.
      On Mozilla Firefox:
        1. Click the Firefox menu icon and go to the Tools tab.
        2. Select Add-ons > Extensions. A new window opens.
        3. Remove any suspicious add-ons.
        4. Go to the Add-ons manager > Plugins.
        5. Locate and disable any malicious plugins.
      On Safari:
        1. Make sure the browser is active.
        2. Click the Safari tab and select Preferences. A new window opens.
        3. Select the Extensions tab.
        4. Locate and uninstall any suspicious extensions.
  • Restore your internet browser to its default settings:
      On Google Chrome:
        1. Click the Chrome menu icon, and select Settings.
        2. In the On start-up section, click Set Pages.
        3. Delete the malicious pages from the Start-up pages list.
        4. Find the Show Home button option and select Change.
        5. In the Open this page field, delete the malicious search engine page.
        6. In the Search section, select Manage search engines.
        7. Select the malicious search engine page and remove it from the list.
      On Internet Explorer:
        1. Select the Tools tab and then select Internet Options. A new window opens.
        2. In the Advanced tab, select Reset.
        3. Check the Delete personal settings box.
        4. Click the Reset button.
      On Mozilla Firefox:
        1. Enable the browser Menu Bar by clicking the blank space near the page tabs.
        2. Click the Help tab, and go to Troubleshooting Information. A new window opens.
        3. Select Reset Firefox.
      On Safari:
        1. Select the Safari tab and then select Preferences. A new window opens.
        2. In the Privacy tab, click the Manage Website Data… button. A new window opens.
        3. Click the Remove All button.
We would also advise users to refrain from clicking on unknown links, websites, and advertisements in order to prevent their systems from getting affected by Fireball and other similar malware.

As hackers get increasingly creative, the only way to defend against them is by greater cyber-security and knowledge. With regards to users, it is important that you stay vigilant and ensure that you never click on unknown websites that don’t look genuine or install apps that seem to be made by smaller or unknown Chinese developers.