5/31/16 Weekly News: Locky back in action, More iOS vulnerabilities, and Hacking as a business

This week we found several interesting topics, including a Ransomware campaign restarting, a new vulnerability discovered in iOS devices, and how hackers are increasingly treating their activities in a business-like fashion.


1. CSO Online, "New JavaScript spam wave distributes Locky Ransomware."

It appears that the "Locky" developers found a new way to distribute their ransomware variant. According to the article by CSO Online, ESET researchers have seen a recent influx of Locky being distributed through JavaScript attacks, opposed to previous methods using Office documents. This comes only a few weeks after the news that the Locky ransomware campaign was disrupted by white-hat hackers, which you can read about here.

The attacks are still primarily distributed through email. The article warns that the attackers are sending Zip folders containing .js and .jse files within, which do not require the users to execute them. This file type is rarely sent in email except for malicious uses, so it is best to avoid these opening these entirely. The biggest take away from this is to be careful of what emails you open, and especially of what attachments you open.

2. Security Week, "'SandJacking' Attack Allows Hackers to Install Evil iOS Apps."

Apple's patches to iOS unfortunately have only gone so far. According to this article by Security Week, security researcher Chilik Tamir discovered the iOS 8.3 update was a little less than adequate. The 8.3 update added some new features for users and patched some vulnerabilities, including one that Tamir discovered which allowed apps on iOS devices to be replaced with fake versions of the same app. This could have been exploited to spy on user activity and steal information off of devices running these malicious apps, and so it was patched in the 8.3 update to prevent replacement of legitimate apps.

Tamir however has found that Apple's patch ignored the restore process in their update, which allows the original attack to still be implemented. The process is slightly different, but can still be entirely automated. This form of attack is still a proof of concept and may not be known to attackers, but it is still a vulnerability that Apple has yet to patch. In any case, it is an interesting concept and yet further proof that sandbox environments like those found on iPhones are not impervious to malware incursion.

3. HPE Business Insights, "The (Big) Business of Hacking."

This article put forward by Hewlet-Packard Enterprises discusses a subject that has caught many people's interests recently: the strategic changes of hackers treating their illegal activities as a business. Increasingly, hackers and other cyber-criminal organizations have formed their own "companies," complete with accounting departments, payroll, and R&D. According to the article, these sorts of criminal companies are often offer several illicit products and services, including stolen information, rented hacking software, and even hacking as a service.

This can be a problem because these "companies" are regularly searching for new businesses to break into, as they often need new information to sell; and lots of it. The article discusses how personally identifiable information is often worth as little as $1 online, which means that criminal companies selling this information need to have masses of it to be successful. HPE goes on to mention that it is becoming increasingly important to have information security practices in place to defend against this sort of activity, as it will likely only increase as more hackers adopt a business model for their illegal activities.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

5/20/16 Weekly Security News: Extra Sneaky Malware, TeslaCrypt Ransomware is Over, and LinkedIn Breach Expanded

Welcome back for more weekly news updates on information security, brought here to you by Astria Business Solutions. This week saw many interesting developments, including a new and particularly stealthy form of malware, Ransomware encryption being beaten by an unlikely source, and new findings on the 2012 breach of LinkedIn user accounts. Read on for more information on this week's news.


1. Security Week: "Windows Malware Tries to Avoid 400 Security Products."

A particularly interesting new form of Malware was recently discovered, and it appears to target Windows systems without any antivirus. According to the article by Security Week, this malware known as "Furtim" initiates checks on systems where it may be installed, looking for over 400 different types of security products (such as antivirus or firewalls) on the system. If it finds any of these, the program immediately deletes itself, likely with the goal of never being caught on such systems.

If the malware does find a suitable system however, such as an undefended home computer, the malware will successfully install and proceed to steal any saved user account and password information on the infected system. It also blocks the user's access to 250 different security based websites, prevents downloads or updates of antivirus, blocks command line usage, and prevents the system from being shut down or put in hibernation, making it difficult to keep it from stealing other personal information from your system. The moral of the story is that if you do not have antivirus software of any sort, now would be an ideal time to install some.

2. CSO Online: "TeslaCrypt Victims Can Now Decrypt Their Files for Free."

Very good news for anyone hindered by the effects of the TeslaCrypt Ransomware, researchers now have a free tool to decrypt your files and once again obtain access to your computer. The especially strange part? The master decryption key used for the tool came directly from the developers of TeslaCrypt. CSO Online's article reported that the makers of TeslaCrypt decided to end their malicious activity of holding people's computers hostage through their Ransomware campaign. Researchers at ESET reached out to the group through official channels, asking for the master key to decrypt victims files, and the TeslaCrypt developers went ahead and made the key public.

Shortly after, ESET created a tool that is able to decrypt victims files and made it free to use for the public. If your system was previously infected with TeslaCrypt, you can find instructions on how to remove it from your system on ESET's website. This is certainly an unusual case, Ransomware decryption tools are not frequently developed, and rarely do their developers offer master keys such as in this instance. Remember: prevention is the best remedy for Ransomware.

3. Krebs on Security: "As Scope of 2012 Breach Expands, LinkedIn to Again Reset Passwords for Some Users."

Apparently, the breach of LinkedIn passwords back in 2012 was much larger than initially believed. Krebs on Security reported that while the initial scope of the breach appeared to be about 6.5 million users, in actuality it affected more than 117 million users, with the pool of user accounts being offered for sale on criminal websites. LinkedIn seems to be planning to force some of these users to reset their passwords, but not everyone will receive this prompt.

The problem here is that LinkedIn is only forcing some users to change their passwords, and not all. Since the breach was initially believed to only have been 6.5 million users, only those users were initially required to reset their passwords. Now it has been shown that the same breach actually affected over 117 million users. Even if LinkedIn forces all of these users to change their passwords, what happens if next year they discover the breach was even larger? When incidents such as these occur, companies need to be open with their users, and at least suggest password changes to them all.

One important take-away, it is advised you change your LinkedIn passwords, whether you receive official notification or not. With breaches such as these it is often difficult to assess the full scope, and it's much better to take a brief precaution than to have your account stolen for reputation hijacking purposes.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Internet of Things (IoT) Risks Can Include... Printers?

This week we'll go back to the subject of the Internet of Things (IoT), but not to cover security systems or smart fridges this time. An IoT device that is often unfortunately overlooked in security audits is the ever common printer. While most offices have printers, and many have networked printers, wired or wireless, the majority of users simply would not expect hackers to try and attack a printer. But unfortunately, they often do.

According to CSO Online's article on this very subject, 35% of all security breaches in offices were traced back to printers or other similar multi-function devices. That's a significant percentage! So what is it that makes printers such a common target for cyber-criminals?

Essentially the base cause is that few people even consider printers to be a security risk. Most people see printers as relatively simple devices that take what is on the screen and put it onto paper. After all, if a hacker did manage to break in to it, all they could do is print their own documents, right?

The truth however is that printers are indeed computers, albeit specialized computers. While their main function is to print, they also store data of what they have printed, and have to communicate with other computers on the network, such as any computer that wants to print to it. This means hackers that break in to a printer can also communicate with those computers, and could even steal any documents that was previously printed on that device.

Further problems arise as printers are often not kept updated, or even no longer supported by their manufacturers. Updates on printers and other devices are designed not only to improve the product with new features, but more commonly to patch vulnerabilities in the software. But oftentimes, such as with printers, users are unaware of updates to their devices and do not install them. Other times, the printer is just very old, and no longer supported by the manufacturer with updates.

These factors add up to make printers a very convenient target for hackers. Since they provide a suitable platform to attack further into the network, are often easier to hack because of infrequent updates, and are regularly overlooked as a potential entryway, printers make an easy access point for many cyber-criminals.

The article does offer thoughts on printer defense, but mostly recommends upgrading. Newer printers often include more security features than older ones, some models even include encryption as an option. This however can be expensive and impractical in some cases.

To start securing your printers, look and see if they are still supported by their manufacturers with updates. Updating will often patch the most severe vulnerabilities, and could make a difference in securing the printer.


If you need further assistance, you can always contact Astria. We work with businesses to provide comprehensive security, and can also assess your network for vulnerabilities from things like printers and IoT devices. For more information on our services, visit our website at AstriaBiz.com

5/12/16 Weekly News: Locky Disrupted, Equifax Breached, and New Threats to Androids

This week we have several interesting articles to highlight, covering Ransomware, data breaches, and smartphone vulnerabilities.


1. Security Week: "Hackers Disrupt Locky Ransomware Campaign"

No one is quite sure how, or even why, but someone has managed to disrupt the dangerous "Locky" ransomware campaign. The article above by Security Week discusses how now, when the Locky payload is meant to be downloaded from the attackers' server, a 12kb executable file is downloaded instead. The file doesn't contain a valid structure or any threats to the systems that download it, and apparently will only display an error message stating: "Stupid Locky." It is likely that white-hat hackers were responsible for this disruption, and replaced the real executable for Locky with the fake one.

The article warns that this is likely only temporary good news, however. The developers of Locky have been continually improving their ransomware variant, and likely will be able to recreate it. But at least for now, there is a reprieve from this particular attack.

2. Krebs on Security: "Crooks Grab W-2's from Credit Bureau Equifax."

Photo Credit: Mike Stewart, AP

One of the big-three credit bureaus, Equifax, seems to have had another breech of W-2 data. Their website, W-2Express, provides the employees of many businesses the opportunity to view their W-2's online, but apparently comes with vulnerabilities built in for some users. Krebs on Security reported that Kroger employees were the unfortunate victims this time, and any employees that did not log in to change their passwords from the default may have been exposed in the data breach. According to Kroger, the breach does not appear to have come from their systems.

Equifax also does not believe the breach was in their systems, but that the passwords were obtained through other methods. W-2Express' default password value is unfortunately simply the last 4 digits of an employee's SSN and the 4 digits of their birth year. Unfortunately, this information is often fairly simply for many criminals to obtain, and allowed the breach of even more personal data via their W-2's. Neither party is certain how many individuals were effected by this breach, but it likely was fairly sizable for Kroger to send a letter to all current employees about the incident.

3. CSO Online: "Qualcomm flaw puts millions of Android devices at risk."

As if Android phones did not have enough security risks, a new, major issue in Qualcomm chips has caused further security concerns. CSO Online reported that this vulnerability puts these devices at risk for theft of text messages and call history. This flaw was patched in March, but older Android phones have no access to this patch. With the number of phones present with this flaw, and the number that cannot be updated, millions of Android devices are unfortunately left vulnerable to this exploit.

According to the article, devices running Android KitKat 4.4 and above are less effected by these risks, but still may have some risks. But any phones running Jelly Bean, KitKat, Lolipop are exposed to this threat. It is strongly advised if you are using a phone with one of these operating systems that you check with your phone's manufacturer for a patch for the vulnerability, tracked as CVE-2016-2060.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com