29 Apr 2015 03:00 PM |
Those are the five words that no one wants to see pop up on their screen. Websense® Security Labs™ researchers have identified an interesting tactic in the proliferation of Crypto ransomware. One published example exploits the very human vulnerability concerning the fear of receiving a parking fine. In more recent incarnations, attackers have chosen to use the sophisticated Angler exploit kit to leverage software vulnerabilities instead.

What if you were offered a chance to “turn $1 into $100 right away” or to “Invest $1 today to make $1,000 tomorrow,” or asked “Do you need money?” Does that catch your fancy? The attackers certainly hoped the Polish victims they specifically targeted would be tempted.

This variant was initially identified by monitoring email campaigns that encourage recipients to click on URLs hosted on compromised pages. Spammers use compromised site URLs to ensure a higher click-through rate in their messages: compromised sites are far less suspicious than newly registered websites, even to a perceptive victim. What's interesting is that attackers are having compromised sites deliver spam in most cases, but when a potentially targeted victim arrives at the compromised site, they get redirected to malware. In this case, the malware is TeslaCrypt delivered via the Angler exploit kit. As a side note, TeslaCrypt has also been delivered via various other exploit kits in the past.

By emulating the lure URL in the Websense File Sandbox, we were able to track the infection chain from the email lure, through the Angler exploit kit, to the eventual execution of TeslaCrypt on the system. The attacker went to great lengths to use as much stealth as possible to evade detection at various stages of the attack kill chain. There are three very significant benefits to the attacker in using the Angler exploit kit:

Angler provides "1 click" infection. Victims have significantly lower chances of realizing that what they are being asked to do is not legitimate.

Angler provides "fileless" delivery. The malicious application is never written to the victim’s hard drive, thereby greatly reducing the chance of detection by anti-virus (AV) software. Angler has been shown to scan for AV before deciding whether to write malware to the system or store it in memory.

Angler provides encrypted malware delivery. The downloaded malware does not look like an executable on the wire, which decreases the chance of detection at the network level.

The report below shows the Websense File Sandbox analysis for the file-based delivery of TeslaCrypt:

The command and control communication is shown below:

The raft of suspicious behaviors allows the file-based delivery to be more easily identified as a malicious executable. The fileless delivery method adds significantly more stealth to the infection process. Static detection was significantly less effective than sandbox analysis, with only 20% VirusTotal detection at the time of writing this blog. This low detection rate will only get worse with the fileless delivery mechanism, since anti-virus software may not even get a chance to analyze the file.

Mitigation

Websense customers are protected at the time of initial email delivery via TRITON AP-EMAIL. Should users reach malicious content, protection is offered via ACE, the Websense Advanced Classification Engine, at the different stages of the attack kill chain as detailed below:

Stage 2 (Lure) – ACE has protection against malicious email delivery and websites injected with malicious content leading to exploit kit content
Stage 3 (Redirect) – ACE has protection against redirections known to be associated with Angler
Stage 4 (Exploit Kit) – ACE has protection against the Angler exploit kit
Stage 5 (Dropper) – ACE file sandboxing identifies malicious binaries associated with Angler and TeslaCrypt
Stage 6 (Call Home) – ACE has detection for command and control traffic known to be associated with TeslaCrypt

Summary

In the case of the email lure, the attackers injected code onto compromised sites and sent links to this content via email. Websense researchers were able to create an analytic to track this injected code across the billions of pieces of web traffic analyzed by its products every day. From this, we were able to identify that attackers used the compromised site in an opportunistic way to deliver spam to the masses, but malware to targeted victims. In this case, the code is injected onto popular sites and used to infect passing trade. Telemetry shows that code has been successfully injected into a number of popular sites. Given the recent upsurge in TeslaCrypt infections and the fact that Angler has been known to be involved in several high-profile incidents, there is every reason to believe that the attackers made every attempt to infect as many users as they could opportunistically. This zero-click or drive-by mode of infection gives the victim only a remote chance to make the correct choices to prevent infection. Defense-in-depth is required at various stages of the attack kill chain to deal with complex threats such as these.

Contributor: Mark Haffenden with input from Nicholas Griffin, Ran Mosessco, Rajiv Motwani, and Jose Barajas.
Filed under: Malicious emails, Data loss, Ransomware, angler
14 Nov 2013 03:18 PM |
Elisabeth Olsen |
2013 was not an easy year in cybersecurity, and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014. To read the full report, please visit www.websense.com/2014predictions. In addition, below is an infographic for quick reference. Here are the highlights:

1. Advanced malware volume will decrease. According to the real-time telemetry feeds in Websense ThreatSeeker® Intelligence Cloud, the quantity of new malware is beginning to decline. Unfortunately, this is bad news for organizations. Cybercriminals will rely less on high-volume advanced malware because over time it runs a higher risk of detection. They will instead use lower-volume, more targeted attacks to secure a foothold, steal user credentials and move laterally throughout infiltrated networks. Although the volume of attacks will decrease, the risk is even greater.

2. A major data-destruction attack will happen. Historically, most attackers have used a network breach to steal information for profit. In 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy data.

3. Attackers will be more interested in cloud data than your network. Cybercriminals will focus their attacks more on data stored in the cloud vs. data stored on the network. This tactical shift follows the movement of critical business data to cloud-based solutions. Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the “castle walls” of an on-premises enterprise network.

4. Redkit, Neutrino, and other exploit kits will struggle for power in the wake of the Blackhole author arrest. We will see a fight for market leadership between a number of new entrants and existing exploit kits in 2014. We anticipate Redkit and the Neutrino exploit kit will secure a strong foothold in the coming year.

5. Java will remain highly exploitable and highly exploited, with expanded repercussions. Most end points will continue to run older versions of Java and therefore remain extremely exposed to exploitation. In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks.

6. Attackers will increasingly lure executives and compromise organizations via professional social networks. As social networking continues to appeal to the business community in 2014, attackers will increasingly use professional websites, such as LinkedIn, to research and lure executives. This highly targeted method will be used to gather intelligence and compromise networks.

7. Cybercriminals will target the weakest links in the “data-exchange chain.” Attackers will go after the weakest links in the information chain and target the consultants outside the network who have the most information. This includes consultants, contractors, vendors and others who typically share sensitive information with large corporate and government entities. And, it turns out, few of these partners have sufficient defenses.

8. Mistakes will be made in “offensive” security due to misattribution of an attack’s source. For several years, we’ve been hearing more about “offensive” security, where global governments and enterprises have been threatening retaliatory strikes against anyone caught attacking them or their interests. Failure to accurately identify a cyber-perpetrator could result in an innocent organization being caught in the crossfire.
Filed under: Exploits, Data loss, Java, Predictions, Hack, cyber-crime, LinkedIn, x
13 Feb 2013 08:30 AM |
Carl Leonard |
The 2013 Threat Report from the Websense® Security Labs™ is now available.
The report details mobile, social, email and web-based threats, and
while it is full of ominous data points, it is a very interesting read.
The report is designed to help security professionals keep current with
threat trends and improve the effectiveness of existing security
solutions. It can also be used to identify and prioritize security gaps
that may require new approaches and more innovative strategies.
Creating the report began with the ThreatSeeker® Network,
composed of big data clusters used by the WSL to collect and manage up
to 5 billion inputs each day from 900 million global endpoints. Malware
samples, mobile applications, email content, web links and other
information were then passed through deep analysis processes including
our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.
Filed under: Compromise, Facebook, Malware, Social Networks, Malicious emails, Research, Spam, Phishing, 0-day, Mass Injection, Data loss, Web Research, Spear Phishing, Threat Report, ThreatSeeker Intelligence Cloud
06 Jun 2012 03:44 PM |
Carl Leonard |
LinkedIn is investigating reports that approximately 6.4 million user
passwords have been posted on the Web. While the breach is still
unconfirmed by LinkedIn (as of the time that we wrote this blog), they
have acknowledged on their Twitter feed that their investigations have begun.
If you're a LinkedIn user, Websense® Security Labs recommends that
you change your password immediately to help prevent your password from
falling into the wrong hands.
After retrieving the password files that are being distributed on
forums in the .ru TLD space, it appears that the passwords are
hashed. However, based on samples seen by us, it is easy to translate
them into clear text. Our initial investigations reveal that a password
of "linkedin" features heavily.
It is uncertain how the hackers retrieved the stolen passwords;
however, the passwords that users are finding in the hashed files do
appear to be real.
Filed under: Web 2.0, Social Networks, Passwords, Data loss
05 Jan 2012 08:26 PM |
First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline. These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd. So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline. But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it.

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE (Advanced Classification Engine) protects our customers from such scams.
Filed under: Web 2.0, Facebook, Scam, Data loss
27 Dec 2011 03:23 AM |
Xue Yang |
Last week, China's largest software programmers' Web site, CSDN (China Software Developer Network), was hacked, and account information for more than 6 million users was leaked and quickly spread via the Internet. One day later, Tianya, the biggest Chinese online forum, was reportedly hacked for the account information of 40 million users. The cyber attack has continued, with several well-known sites being hacked and user data leaked, including the Duowan and 7k7k game sites, the e-commerce sites 360buy and Dangdang, and popular dating sites such as Zhenai. Some sites' databases have been published on the Internet and can be easily downloaded....
Filed under: News, Data loss, Predictions
04 Apr 2011 09:25 AM |
Carl Leonard |
On Friday 1 April 2011, Epsilon, a marketing services firm, notified their customers of "unauthorised entry into email system". Their press release can be seen here.
The press release advises that the information stolen during the attack included only customer email addresses and customer names.
In the wrong hands, however, even this limited amount of information can have consequences for those to whom the data pertains. We shall explore some typical scenarios....
Filed under: Malicious emails, Spam, Data loss