The number of exploit attacks against known vulnerabilities continues to increase. The target is to install malware into the targeted system and to gain benefits for the criminals behind the attack.
According to F-Secure Threat Report H1/2013, the majority of Top 10 detections from the last six months involved exploits. Java is the most popular entry point and therefore, disallowing Java plug-ins might make sense. Java vulnerabilities have allowed attackers to use even classic forms of attack, known for about ten years already.
The table clearly shows that the users do not seem to understand the importance of security patches since exploits can target vulnerabilities that have had a patch for over 5 years!
On the other hand, exploit kits find their way to the market unbelievably fast – the F-Secure Threat report tells: “Java vulnerability CVE-2013-2423; a Metasploit module targeting this was first published on April 20th, and a day later we noticed in-the-wild attacks against it had already gotten underway by the CrimeBoss exploit kit”.
Why is it so hard to keep pace with the critical security updates then?
First, the number of patches releases is huge. For example, Microsoft alone recently published 13 patches against 47 bugs in its Patch Tuesday security update. Add to that the Java updates, Adobe updates, and all the rest of the products, and the number of necessary updates in a business environment can be devastating. Second – would the IT administrator always know which software is installed on which machine?
F-Secure Software Updater, an automated patch management tool integrated in the security clients, can help manage the huge task of keeping on top of the critical security updates. It follows the philosophy: find it, fix it, and forget it.
An employee opens an attachment from someone who claims to be a colleague in a different department. The attachment turns out to be malicious. The company network? Breached. If you follow the constant news about data breaches, you read this stuff all the time. But do you ever wonder how hackers get otherwise smart, professional people to fall for their tricks? How do they know who to email? What to say to get their victim to fall prey? Where do they get the information that gives them a foothold into an organization? The answer is so simple, and just makes too much sense: LinkedIn. Recon made easy The first phase of any targeted hacking scheme is the reconnaissance phase - where the hacker gathers information about the company, employees, their job titles, email addressses, etc. What better place to start than LinkedIn? "LinkedIn is a treasure trove of easily accessible personal information and company IT data," writes penetration tester Trevor Christiansen. "Unbeknownst to most of the employees who post their information on LinkedIn, any hacker looking to wreak havoc on a company’s highly sensitive, business-critical data could find his or her point of entry using this ubiquitous business networking forum." White hat hackers (the good guys) like Christiansen use LinkedIn to gather information too, albeit with a different end purpose in mind - to test and improve an organization's security. F-Secure CEO Christian Fredrikson described two such exercises performed by F-Secure's ethical hacking team in his recent keynote at CeBIT. In one exercise, the hackers targeted employees who mentioned mainframe-related info in their profiles. In the other, they targeted source code developers. So, exactly how do hackers, good and bad, use LinkedIn to gain a foothold into company they intend to hack? Our own white hat hacker, Knud in F-Secure's Cyber Security Services team, describes a common scenario. "You just search for employees working at a target company via the standard LinkedIn interface," he says. "Now, armed with a list of names, you can start Googling them until you find a company email address." Now, he says, you have the email format used in the company. For example, firstname.lastname@example.org. "Shoot off an email to a few random employees asking something stupid like 'Bob, is that you? Long time no see,'" he continues. "With a bit of luck, someone will reply and you'll have the corporate signature. With the corporate signature, plus names, positions and job descriptions people helpfully put on LinkedIn, you can start spoofing internal emails." Building rapport for social engineering Knud points out that the more information people share in their profiles, the easier it is to build rapport. "For example, someone lists their graphic design skills. So you send an email that reads, 'Due to your experience with icon design and great layout skills, I wonder if you have time to take a quick look at something we are working on in <other department>; see attached (malicious) document and get back to me." To gain even more information, a hacker can create a fake profile and then connect with the employee. This gives them greater access to contact details and the person's network. Combined with information gleaned from Facebook or other social networks, such as interests and hobbies, hackers can get a pretty full picture of the employee they intend to target, enabling them to sharpen their spear even more. The best defense So what's an employee to do, scrub your profile of all but the most basic info? Decline to list your employer? Such suggestions would seem to defeat the purpose of LinkedIn, where profile information can hopefully lead to networking opportunities. Companies in turn appreciate the promotion they get via their employees on LinkedIn. Luckily, F-Secure Security Advisor Sean Sullivan doesn't believe self-censorship the answer. "It's not really the problem of the employee to limit what they write on LinkedIn," he says. "A security-minded organization should have a policy that states that employees should be mindful." Indeed, the best weapon against these types of attacks is employee awareness. Your information may be available on LinkedIn, but if you're are aware of the ways hackers exploit that info, you'll be less likely to fall for tricks. Employer-sponsored education on social engineering tactics would help employees learn to be suspicious of any communication that seems even the slightest bit off. Hackers may love LinkedIn, but only as long as it gets them where they want to be. To head them off, awareness is key. Image courtesy of Mambembe Arts & Crafts, flickr.com
We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of. "Back to the Future" banner image courtesy of Garry Knight, flickr.com
This is the sixth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Chris, a very ordinary businessman, was on a very ordinary business trip when he received an urgent call from one of his business partners asking him to make a money transfer. Chris was waiting for a train at a station, but he was happy to have the opportunity to help out his colleague, so he quickly pulled his laptop out of his bag to make the transfer. The account for his company-owned mobile phone was maxed out, so he wanted to take advantage of the train station’s Wi-Fi while he had a chance. He booted up his laptop and started looking for a free connection. Fortunately, “Railway_Station_Name” was open to the public – no username, password, or registration required. “Phew! Caught a lucky break there,” thought Chris. Fueled by motivation to get the job done, Chris went ahead and connected to the seemingly trustworthy network. He noticed it was a little bit slow, and not wanting to risk missing his train, he closed all the background apps and processes, including his anti-virus software. He really wanted to use the opportunity to show his initiative to his team, and he didn’t want to risk missing his meeting or not finishing the transfer because his computer was slow. He figured that as long as he avoids opening emails or browsing the web, he wouldn’t have any problems. And just like he thought, it was all over in a couple of minutes. He completed the money transfer without any issues. He shut down his laptop and hurried off to catch his train, confident that he had done the right thing by taking a few minutes to help his business partner. “A job well done,” Chris thought to himself. Chris arrived back at his hotel later that evening and booted up his laptop again to send some emails and wrap up his day. But his computer wasn’t working properly. It was slow. Error messages were spreading over his desktop like flies on spoiled fruit. He tried running an anti-virus check, but even that wouldn’t work. He decided to take it into a computer store he had passed earlier to see if they could take a look at it for him. He only had to wait at the shop for a few minutes while the store’s staff checked his laptop. “The problem is your computer’s infected by a virus – several in fact,” said the clerk. “One of the viruses disabled your AV software, and you’ve also got a ton of spyware. We’ve cleaned it up for you so you should be good to go now, but try to be more careful in the future.” The satisfaction Chris had felt earlier was suddenly gone. Now he was plagued with doubt about whether or not his information was secure, and even worse, he was concerned that perhaps the bank account he had used earlier had been compromised. He’d heard of such things happening to other people working for other companies. He thought that maybe these other people had just been suckers, scammed by some spam emails or clicking random links they found online. But now he wasn’t so sure, so he decided to change all of the passwords for his online accounts. Chris retired to his hotel, feeling stressed, and with a lighter wallet from paying the guys at the computer shop for helping him out. He told himself that he would think twice before disabling his AV software in the future. But Chris’ doubts about what he’d done, and what kind of threats he had been exposed to, continued to linger. Chris didn’t realize that he’d fallen into a trap, and connected to a rogue Wi-Fi hotspot that a hacker had prepared at the train station. These kinds of opportunistic attacks are quite common because they capitalize on people taking Wi-Fi security for granted, and are quite easy and cheap for hackers to put together. As this video shows, it’s a small feat to trick people into connecting to public Wi-Fi hotspots that hackers can use to steal account credentials and intercept communications. [youtube https://www.youtube.com/watch?v=qk2RPOBpZvc&w=560&h=315] F-Secure Security Advisor Su Gim Goh recently conducted an experiment in Hong Kong to see how many people connect to Wi-Fi hotspots without verifying that the connections are safe. He put together a Wi-Fi hotspot for less than 200 U.S. dollars, and took it to different cafes and restaurants in Hong Kong. Goh was able to determine that 55% of people automatically connected to his hotspot, which was set up to spoof legitimate connections that people want to use. “Spoofing” legitimate Wi-Fi hotspots means that the bad Wi-Fi hotspots are able to trick devices into thinking they’re legitimate hotspots that have been used before, so anyone that’s used the legitimate (“spoofed”) Wi-Fi hotspot in the past, and has their device recognize it as a preferred or safe network, will be automatically connected to the “spoofing” hotspot. Goh and many other security researchers warn people against taking Wi-Fi security for granted. “Auto-connecting is typically bad for security, so you should disable that option on your phone, or even just keep your Wi-Fi off when you’re not using it. It’s really not that hard to toggle it on/off, and it’s better than learning the hard way.”