Ransomware scum infect Comic Relief server: Internal systems taken down

Nothing funny about stealing from a charity. Comic Relief’s internal systems are down for the third day running after a ransomware attack on one of the charity’s servers on Wednesday.


Founded in 1985 by comedy scriptwriters, the charity behind the UK’s Red Nose Day telethon took down all of its internal systems in the wake of the attack. An email sent on Wednesday to the charity’s staff from Zennon Hannick, its CTO, confirmed that “there has been a ransomware attack on one of Comic Relief’s servers.”

Staffers were told there would be “no access to other external systems such as the internet, Citrix or webmail”.

Workers at the charity were told to work from home if they needed internet access, which is not expected to be available on the premises until lunchtime today.

“[T]he information held on this server has been encrypted and we cannot access it,” Hannick’s email continued.

“However the good news is the files held on this server are only copies of information we hold elsewhere on our network drives. The IT and Data teams along with external specialists are continuing their investigation to ensure we understand all the implications of this attack,” the CTO’s email added.

Comic Relief’s systems are completely unable to access the outside world at the moment, although the team is attempting to put in place security measures to restore such access.

Users’ passwords have all been expired, and users will be requested to provide a new “strong” password which is more than eight characters long, and includes a mix of upper and lowercase letters, special characters and a number.

Neither Citrix nor Comic Relief had responded to The Register‘s requests for comment at the time of publication. We’ll update when we hear more. ®

Updated at 15:43, September 16 to add: A Comic Relief spokesperson said: “Comic Relief is investigating a criminal ransomware attack on a discrete part of our IT network. We have been working with a specialist cyber security company to assess the situation in detail and are taking proactive steps to augment our security.

“The attack appears to have been isolated and at present we have found no evidence that any information or data has been stolen. However, we are continuing to carry out a thorough forensic investigation of all our IT systems to assess the full extent of the situation and are taking additional precautions to protect the security of all the information that we hold.

“Comic Relief has always taken information security extremely seriously and have worked with cyber security experts to ensure we have the most robust systems and security practices in place to protect our network and the information we hold. These systems are rigorously tested and under constant review to ensure that they continue to evolve to respond to ever-changing cyber threats.



Ramnit Trojan Resurgence Now Complete as v2 Targets UK Banks

Ramnit’s revival is now complete as security researchers are starting to see more coordinated attacks spreading the banking trojan’s latest version, with the vast majority of targets being banks from the UK.

Ramnit appeared in 2010, but in the beginning it was only a small trojan with wormable features.

It evolved into a dangerous threat in 2011 when security researchers saw Ramnit’s developers add capabilities usually seen in banking trojans when they slowly began adding features from the leaked Zeus banking trojan source code.

Ramnit v1’s botnet was taken down in February 2015

As time went by, Ramnit evolved, and by 2014, the trojan was the fourth most active banking trojan on the market, supported by a huge botnet of infected PCs that helped it send spam and perform other sorts of illegal activities thanks to Ramnit’s modular and versatile structure.

This success drew the attention of law enforcement, which in February 2015 sinkholed some of Ramnit’s C&C servers in an attempt to take down the botnet.

Things didn’t turn out as they hoped, because by November and December of 2015, the trojan was back in action, with its developers already working on an early v2.

Ramnit v2 surfaces online, currently focuses on the UK

As 2016 came along, attacks intensified and Ramnit attacks slowly picked up steam once more. Early attacks targeted banks in Canada, Australia, the US and Finland.

According to IBM, current attacks only focus on UK banks, but version 2.0 of Ramnit seems to be ready for widespread distribution.

The trojan has received a minor facelift rather than a major overhaul, but its developers have added more features to broaden its attack surface.

IBM reports that its module tasked with injecting malicious code in the infected victim’s browser has remained the same, as well as its data exfiltration VNC module, and its data scanner component that identifies information worth stealing.

“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real-time fraud attacks targeting online banking sessions,” Limor Kessem, IBM researcher explains. “Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time.”

As Ramnit v2 development reaches its final phases, expect Ramnit spam and exploit kit development to intensify once more, possibly at the levels seen in 2014, and expand the target list to include more countries.



Gozi Banking Trojan Campaigns Target Global Brands

Gozi, one of the oldest banking Trojans out there, is using highly elaborate webinjects along with behavioral biometrics to bypass fraud protection in new campaigns targeting global brands, buguroo researchers warn.

Discovered in 2007, Gozi has had its source code leaked twice, which has led to the creation of new variants, including the newly discovered GozNym, which borrows capabilities from the Nymaim Trojan too. GozNym has been already spotted in various campaigns, initially targeting users in the United States and Canada, and then migrating to Europe.

The new Gozi campaigns are focused mainly on banks and financial services in Spain, Poland, and Japan, but some target users in Canada, Italy, and Australia. According to researchers, Gozi’s operators are using new techniques that haven’t been perfected. As soon as that happens, however, the infection campaigns will spread to the United States and Western Europe.

In Spain, the malware was being distributed via malicious links leveraging URL shortening services, which led to compromised WordPress sites. The number of affected Spanish companies is relatively low, at least when compared to those in Poland and Japan, researchers say. The servers used for the distribution of configurations and webinjects for campaigns in Canada, Italy and Australia were inactive or disabled at the time of the research.

Some of the brands impacted in these campaigns include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more, buguroo reveals in a report. These attacks reveal that Gozi continues to evolve, as it is now using dynamic web injection. It uses a high degree of automation to optimize the selection of mules after profiling the victim: the most important targets might even see the live intervention of operators, researchers say.

Gozi uses web injection that is very elaborate and optimized to avoid detection, which allows it to go virtually undetected. Furthermore, its operators immediately refine the code after an attack has been discovered. The updated code ensures that the defensive measures by institutions under attack are rendered useless.

When the infected user attempts a transaction, the malware’s command and control (C&C) server is notified in real time and immediately serves the user the false information necessary to carry out fraudulent transfers. The user sees a deposit-pending alert requesting the security key to complete the transfer, but the real transfer page that is presented to the bank is hidden beneath it. Thus, the unsuspecting user inadvertently enters the requested key and sends money to a “mule.”

The security researchers observed that Gozi is delivering both automated and manual customized responses from the control panel. Some users are assigned to a specific mule in a particular country, and the operator decides how much money would be transferred. Other users are assigned to a random mule and a fixed amount is transferred. In the end, it all depends on the value of the target, as operators assign greater operations to more reliable mules, researchers say.

The new campaigns also revealed that, for certain versions of the webinjects, the Trojan would send a kind of biometric information to the control panel, including details on how long the user takes to move from an input field to the next or the time between keystrokes. Based on these values, the malware then attempts to bypass protection systems that leverage user behavior and fills the necessary fields to perform fraudulent transfers.

The webinjects used in these campaigns show similarities to a malware family called Gootkit, but this is not surprising, since Gozi has shared webinjects with other malware in the past. The similarities between the Gozi and GootKit webinjects, however, weren’t limited to code and techniques: they also extended to the dates and times of updates to the corresponding automatic transfer system (ATS) panels, made once the impacted companies changed their sites to hinder the Trojan’s operations.

“These facts—the complexity of these webinjects, their detailed elaboration and the fast updates once they stop functioning properly—once again point to the trend toward professionalization of malware services. These are probably sold by independent underground businesses that specialize in delivering malicious code for use by different organizations and made available, for a price, for multiple families of malware and campaigns,” the report reads.



Hacker wins $5,000 for Chrome, Firefox address bar spoofing flaw

The “omnibox” vulnerability makes it easier to phish or steal user’s data.


1.4 Billion Android Devices Affected by Linux TCP Flaw

The security bug discovered in the Linux kernel’s implementation of the TCP protocol also affects a large portion of the Android ecosystem, mobile security vendor Lookout reports.

According to researchers, CVE-2016-5696, the Linux TCP bug, affects around 80 percent of all Android devices in use today, which is around 1.4 billion devices. The reason for this is the fact that the Android OS is built on a modified version of the Linux kernel.

The Linux Foundation has already taken all the steps to mitigate this security flaw, having patched the Linux kernel on July 11, 2016.

All Android versions 4.4 or higher affected

The security bug, CVE-2016-5696, allows an attacker who is not in a man-in-the-middle position to probe servers or users for active connections and then guess the packets’ sequence numbers.

This enables the attacker to enter the packet flow between two parties, sniff unencrypted traffic, or shut down encrypted connections. All Linux kernel versions from v3.6 up to v4.7 are vulnerable.

The first vulnerable version that featured this TCP implementation flaw, version 3.6, was released in 2012 and was also used to create the Android OS 4.4 (KitKat).

Using a VPN will protect Android users

Since security researchers disclosed the flaw last week, Google has not yet released any security patches. Google usually releases security patches at the start of each month, but it is highly unlikely that Android would ship a security patch for a component as large as the TCP stack just a few weeks after disclosure.

Even if security vendors have not discovered any weaponized exploit utilizing this flaw, Lookout recommends that all users protect themselves by encrypting their traffic.

Users can do this by using encrypted apps, navigating sites via their HTTPS versions, or by employing a VPN. For more technical users, the Lookout team recommends the following steps:

“If you have a rooted Android device you can make this attack harder by using the sysctl tool and changing the value for net.ipv4.tcp_challenge_ack_limit to something very large, e.g. net.ipv4.tcp_challenge_ack_limit = 999999999”
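As an added example (not code from the original post, from Lookout or from the kernel project), the following Python helper turns the two concrete facts above into an audit check a defender can run on a fleet inventory: the vulnerable kernel range the article gives (v3.6 up to v4.7) and the net.ipv4.tcp_challenge_ack_limit mitigation. It takes the text of `uname -r` and of `sysctl net.ipv4.tcp_challenge_ack_limit` as strings, so it runs offline; the sample values at the bottom are constructed, and the threshold `MIN_SAFE_LIMIT` is an assumption of this example, since the article only says to set the limit “to something very large”.

```python
"""Audit helper for CVE-2016-5696 exposure indicators (added example, not from
the original article). Checks a kernel version string against the range the
article quotes and checks whether tcp_challenge_ack_limit has been raised."""
from __future__ import annotations

import re

# Range quoted in the article. Point releases that include the July 11, 2016
# fix may be patched even though they fall in this range, so treat a hit as
# "needs checking", not as proof of exposure.
VULNERABLE_FROM = (3, 6)
VULNERABLE_TO = (4, 7)

# Assumption for this example: the article only says "something very large".
# The small kernel default of the time was what made the side channel practical.
MIN_SAFE_LIMIT = 1_000_000

SYSCTL_KEY = "net.ipv4.tcp_challenge_ack_limit"


def kernel_in_vulnerable_range(uname_r: str) -> bool:
    """Parse a `uname -r` string such as '4.4.0-31-generic' and report whether
    its major.minor falls inside the range the article gives (inclusive)."""
    m = re.match(r"(\d+)\.(\d+)", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major_minor = (int(m.group(1)), int(m.group(2)))
    return VULNERABLE_FROM <= major_minor <= VULNERABLE_TO


def parse_sysctl_line(line: str) -> tuple[str, int]:
    """Parse 'key = value' as printed by sysctl (also accepts 'key: value')."""
    m = re.match(r"\s*([\w.]+)\s*[=:]\s*(-?\d+)\s*$", line)
    if not m:
        raise ValueError(f"unrecognised sysctl output: {line!r}")
    return m.group(1), int(m.group(2))


def challenge_ack_limit_hardened(sysctl_line: str, minimum: int = MIN_SAFE_LIMIT) -> bool:
    """True when the challenge ACK limit has been raised to at least `minimum`."""
    key, value = parse_sysctl_line(sysctl_line)
    if key != SYSCTL_KEY:
        raise ValueError(f"expected {SYSCTL_KEY}, got {key}")
    return value >= minimum


def assess(uname_r: str, sysctl_line: str) -> str:
    """Combine both checks into one of three verdicts for an inventory report."""
    if not kernel_in_vulnerable_range(uname_r):
        return "outside stated range"
    if challenge_ack_limit_hardened(sysctl_line):
        return "in range, mitigated by sysctl"
    return "in range, challenge ACK limit not raised"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    samples = [
        ("3.10.49-android", f"{SYSCTL_KEY} = 100"),
        ("4.4.0-31-generic", f"{SYSCTL_KEY} = 999999999"),
        ("4.8.0-rc1", f"{SYSCTL_KEY} = 100"),
    ]
    for uname_r, line in samples:
        print(f"{uname_r:20} {assess(uname_r, line)}")
```

The version check is deliberately a coarse major.minor comparison: distributions backport fixes into point releases, so a "in range" verdict is a prompt to verify the patch level, while the sysctl check is a direct read of the mitigation the article recommends.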


Shade Ransomware Adds RAT Features to Spy on High-Value Victims

Crooks use RAT to assess the financial status of infected victims and decide on how much money to ask for.

The crooks behind the most recent versions of Shade have added an interesting new tidbit to their malware, installing a modified version of TeamViewer on infected systems so they could spy on their targets and adjust the ransom note accordingly.

This new Shade version only targets Russian companies that are running accounting software on their computers.

New Shade version delivers a RAT, but only to Russian businesses

Kaspersky researchers say that this new Shade version, during its installation routine and before encrypting anything, actively scans the computer name for strings such as “BUH,” “BUGAL,” “БУХ,” “БУГАЛ.” These strings are likely to be found on computers used by the accounting departments of Russian-speaking companies.

If Shade finds any of these strings, it stops the ransomware installation process and delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent.

The trojan contains a modified version of TeamViewer 6 that the malware authors have altered to hide its GUI. The trojan also includes the legitimate 7Zip archiving tool and the NirCmd command-line utility.

Furthermore, the crooks are also installing the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and interact with the RDP protocol.

All of these utilities delivered inside Teamspy allow the crooks to modify OS settings on infected systems, open an RDP connection, and use TeamViewer to connect to the infected system.

Crooks using Teamspy to determine the proper ransom sum

Kaspersky suggests that the crooks are using Teamspy’s RAT (Remote Access Trojan) features to gather intelligence on the infected computer, to determine the appropriate ransom sum.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” suggests Kaspersky’s Fedor Sinitsyn.

Teamspy is quite a powerful RAT and allows a crook to record audio from infected systems, record the victim’s desktop, run terminal commands, and download and install other executables.

Crooks are delivering the Shade ransomware at a later point

This last feature is most likely used to deliver the Shade ransomware at a later point in time, after the crooks have deemed the target important and decided on the ransom amount.

Shade is one of today’s most popular ransomware families, but Kaspersky researchers cracked its encryption and have provided a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.

This is not the first time malware has specifically targeted Russian businesses. During late June, Dr.Web discovered a trojan coded in 1C, a programming language used mostly in Russia. This trojan was delivering ransomware to companies using 1C:Enterprise, a popular accounting software in Russia.

Shade ransomware website

Australia Online Census Shutdown After Cyber Attacks

Cyber Attack Hits Australia Online Census Service

Australia was forced to reassure its citizens that their personal data was secure Wednesday, after malicious attacks by overseas hackers prompted an embarrassing shutdown of the online census.

Australians are required to complete the census every five years or face fines, and this was the first time there had been a major push for people to fill in the survey online.

But as thousands of people headed to the official website Tuesday evening, a series of denial-of-service attacks — attempts to overwhelm an online system to prevent people accessing it — prompted authorities to take the site offline.

“It was an attack, and we believe from overseas,” said David Kalisch from the Australian Bureau of Statistics, which organises the census.

“The scale of the attack, it was quite clear it was malicious,” he told the Australian Broadcasting Corporation.

The census website was not back online Wednesday.

The attacks are an embarrassment for the government, which earlier this year confirmed that the weather bureau, which reportedly owns one of the nation’s largest supercomputers, suffered a “cyber intrusion” in 2015.

The Labor opposition jumped on the incident, labelling it “the worst-run census in Australian history” and “one of the worst IT debacles Australia has ever seen”.

But Prime Minister Malcolm Turnbull insisted that no data had been compromised.

The ABS had acted with “an abundance of caution” in shutting down the site after a large-scale denial of service attempt followed by a hardware failure when a router became overloaded, he said.

“The site has not been hacked, it has not been interfered with,” he told reporters in Sydney.

The statistics bureau reassured Australians that their data was secure, with Kalisch saying the shutdown “actually confirms the strong position that the ABS has taken in terms of security”.

Some 2.33 million online forms were submitted before the outage and safely stored.

“The data that comes to ABS is encrypted and it was secured and received safely at the ABS… we have it at the ABS, no-one else has it,” Kalisch said.

On its Twitter account, the ABS Census insisted that no fines would be imposed on the thousands of people unable to complete the survey, provoking even more anger.

“Fine yourselves for the completely incompetent way this was handled,” wrote one respondent to @ABSCensus.

Australians officially have until September 23 to complete the census, with some two thirds of respondents expected to use the internet rather than paper to complete the survey this year.

