Tag Archives: malware

A Matter of Triangulation.

Hi all,

I’ve some big news about a cyber-incident we’ve uncovered…

Our experts have discovered an extremely complex, professional targeted cyberattack that uses Apple’s mobile devices. The purpose of the attack is the inconspicuous placing of spyware into the iPhones of employees of at least our company – both middle and top management.

The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware they quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.

Despite the attack being carried out as discreetly as possible, the infection was detected by the Kaspersky Unified Monitoring and Analysis Platform (KUMA) – a native SIEM solution for security information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation by our team showed that several dozen iPhones of senior employees were infected with new, extremely technologically sophisticated spyware we’ve dubbed “Triangulation”.

Read on…

For cyber-insurance – a watershed moment (involving a $1.4bn payout!)

Hi boys and girls!

It’s been a while since my last installment of iNews, aka – uh-oh cyber-news, aka – cyber-tales from the dark side, so here’s reviving the series to get back on track in giving you highlights of jaw-dropping cyber-astonishments you might not hear about from your usual sources of news…

In this installment – just one iNews item for you, but it’s plenty: an added item might have watered down the significance of this one (hardly appropriate when there’s ‘watershed’ in the title:)…

Briefly about the iNews: after lengthy legal proceedings in the U.S., a court has ruled in favor of big-pharma company Merck against its insurer for a payout of US$1.4 billion (!!) to cover the damages Merck suffered at the grubby hands of NotPetya (aka ExPetr or simply Petya) in 2017.

Quick rewind back to 2017…

In June of that year, all of a sudden a viciously nasty and technologically advanced encryptor worm – NotPetya – appeared and spread like wildfire. It initially targeted Ukraine, where it attacked victims via popular accounting software – affecting banks, government sites, Kharkov Airport, the monitoring systems of the Chernobyl Nuclear Power Plant (!!!), and so on and so on. Next, the epidemic spread to Russia, and after that – all around the world. Many authoritative sources reckon NotPetya was the most destructive cyberattack ever. Which looks about right when you count the number of attacked companies (dozens of which each lost hundreds of millions of dollars), while overall damage to the world economy was estimated at a minimum 10 billion dollars!

One of the most notable victims of the global cyberattack was the U.S. pharmaceuticals giant Merck. It was reported 15,000 of its computers were zapped within 90 seconds (!) of the start of the infection, while its backup data-center (which was connected to the main network), was lost almost instantly too. By the end of the attack Merck had lost some 30,000 workstations and 7,500 servers. Months went into clearing up after the attack – at a cost of ~1.4 billion dollars, as mentioned. Merck even had to borrow vaccines from outside sources for a sum of $250 million due to the interruptions caused to its manufacturing operations.

Ok, background out the way. Now for the juiciest bit…

Read on…

Flickr photostream

  • KLHQ
  • KLHQ
  • KLHQ
  • KLHQ

Instagram photostream

Ransomware: how we’re making our protection against it even better.

Being a developer of cybersecurity: it’s a tough job, but someone’s got to do it (well!).

Our products seek and destroy malware, block hacker attacks, do update management, shut down obtrusive ad banners, protect privacy, and a TONS more… and it all happens in the background (so as not to bother you) and at a furious pace. For example, KIS can check thousands of objects either on your computer or smartphone in just one second, while your device’s resource usage is near zero: we’ve even set the speedrunning world record playing the latest Doom with KIS working away in the background!

Keeping things running so effectively and at such a furious pace has, and still does require the work of hundreds of developers, and has seen thousands of human-years invested in R&D. Just a millisecond of delay here or there lowers the overall performance of a computer in the end. But at the same time we need to be as thorough as possible so as not to let a single cyber-germ get through ).

Recently I wrote a post showing how we beat demolished all competition (10 other popular cybersecurity products) in testing for protection against ransomware – today the most dangerous cyber-evil of all. So how do we get top marks on quality of protection and speed? Simple: by having the best technologies, plus the most no-compromise detection stance, multiplied by optimization ).

But, particularly against ransomware, we’ve gone one further: we’ve patented new technology for finding unknown ransomware with the use of smart machine-learning models. Oh yes.

The best protection from cyberattacks is multi-level protection. And not simply using different protective tools from different developers, but also at different stages of malware’s activity: penetration, deployment, interaction with the command center, and launch of the malicious payload (and this is how we detect the tiniest of hardly-noticeable anomalies in the system, analysis of which leads to the discovery of fundamentally new cyberattacks).

Now, in the fight against ransomware, protective products traditionally underestimate final stage – the stage of the actual encryption of data. ‘But, isn’t it a bit late for a Band-Aid?’, you may logically enquire ). Well, as the testing has shown (see the above link) – it is a bit too late for those products that cannot roll back malware activity; not for products that can and do. But you only get such functionality on our and one other (yellow!) product. Detecting attempts at encryption is the last chance to grab malware red-handed, zap it, and return the system to its original state!

Ok, but how can you tell – quickly, since time is of course of the essence – when encryption is taking place?

Read on…

Enter your email address to subscribe to this blog

Ransomware: what protects against it best?

What’s the No. 1 most unpleasant pain in the xxx thorn in the side of the modern-day cyber-world in terms of damage, evil sophistication, and headline-grabbing the world over? Can you guess?…

Ah, the title of this post may have given it away, but yes, of course, it’s ransomware (aka cryptomalware, but I’ll stick with the simpler, less tongue-twisting, and professional term ‘ransomware’).

So: ransomware. Bad. How bad?…

Well, it’s actually so bad, and has been so consistently bad for years, so deeply embedded in all things digital, and has so overwhelmed so many large organizations (even indirectly being followed by human deaths), which (large organizations) have forked out so much money to pay ransoms for, that the world’s news media has become almost indifferent to it. It’s stopped being headline news, having been transformed into an every-day casual event. And that’s what’s most worrying of all: it means the cyber-scumbags (apologies for such a strong language, but it’s really the best way to describe these folks) are winning; cyber-extortion is becoming a seemingly inevitable reality of today’s digital world and it seems there’s nothing can be done about it.

And they’re winning for three reasons:

Third (I’ll start at the end): the ‘big boys’ are still playing their schoolyard geopolitical games, which blocks national cyber-polices exchanging operational information for coordinated searching, catching, arresting and charging of ransomware operators.

Second: users aren’t prepared – resilient – enough to respond to such attacks.

And first (most important): not all washing powders are the same anti-ransomware technologies are equally effective – by a long way.

Often, ‘on the tin’, anti-ransomware technologies featured in cybersecurity solutions are claimed to be effective. But in practice they don’t quite do exactly what it says on the tin, or – if they do, consistently. And what does this mean? That users are scandalously unprotected against very professional, technically sophisticated ransomware attacks.

But don’t just take my word for it. Check what the trusted German testing institute – AV-TEST – say. They’ve just published complex research on the ability of cybersecurity products to tackle ransomware. They paid no attention whatsover to marketing claims (à la ‘this deodorant is guaranteed to last for 48 hours’), and didn’t just use widely-know in-the-wild ransomware samples. They besieged several of the top cybersecurity solutions in real ‘battlefield’ conditions, firing at them all sorts of live-ammunition ransomware artillery that’s actually out there today. As mentioned, no in-the-wild samples, but those technically capable of weaponizing a ransomware attack. And what did they find? On the whole – something thoroughly shocking and scary:

Read on…

Ransoms: To pay nothing or not to pay? That is the question.

Sometimes, reading an article about what to do in case of a ransomware attack, I come across words like: ‘Think about paying up’. It’s then when I sigh, exhale with puffed-out cheeks… and close the browser tab. Why? Because you should never pay extortionists! And not only because if you did you’d be supporting criminal activity. There are other reasons. Let me go over them here.

First, you’re sponsoring malware development

Read on…

Ransomware: no more jokes.

First: brief backgrounder…

On September 10, the ransomware-malware DoppelPaymer encrypted 30 servers of a hospital in the German city of Dusseldorf, due to which throughput of sick patients fell dramatically. A week ago, due to this fall, the hospital wasn’t able to accept a patient who was in need of an urgent operation, and had to send her to a hospital in a neighboring city. She died on the way. It was the first known case of loss of human life as a result of a ransomware attack.

A very sad case indeed – especially when you look closer: there was the fatal ‘accident’ itself (presuming the attackers didn’t foresee a fatality caused by their ghastly actions); there was also a clear neglect of the following of basic rules of cybersecurity hygiene; and there was also an inability on the part of the law enforcement authorities to successfully counter the organized criminals involved.

The hackers attacked the hospital’s network via a vulnerability (aka Shitrix) on the Citrix Netscaler servers, which was patched as far back as January. It appears that the system administrators waited way too long before finally getting round to installing the patch, and in the meantime the bad guys were able to penetrate the network and install a backdoor.

Up to here – that’s all fact. From here on in: conjecture that can’t be confirmed – but which does look somewhat likely…

It can’t be ruled out that after some time access to the backdoor was sold to other hackers on underground forums as ‘access to a backdoor at a university’. The attack indeed was initially aimed at the nearby Heinrich Heine University. It was this university that was specified in the extortionists’ email demanding a ransom for the return of the data they’d encrypted. When the hackers found out that it was a hospital – not a university – they were quick to hand it all the encryption keys (and then they disappeared). It looks like Trojan’ed hospitals aren’t all that attractive to cybercriminals – they’re deemed assets that are too ‘toxic’ (as has been demonstrated in the worst – mortal – way).

It’s likely that the Russian-speaking Evil Corp hacker group is behind DoppelPaymer, a group with dozens of other high-profile hacks and shakedowns (including on Garmin‘s network) to its name. In 2019 the US government issued a indictment for individuals involved in Evil Corp, and offered a reward of five million dollars for help in catching them. What’s curious is that the identities of the criminals are known, and up until recently they’d been swaggering about and showing off their blingy gangster-style lifestyles – including on social media.

Source

What’s the world come to? There’s so much wrong here. First, there’s the fact that hospitals are suffering at the hands of ransomware hackers in the first place – even though, at least in this deadly case in Dusseldorf, it looks like it was a case of mistaken identity (hospital – not a university). Second, there’s the fact that universities are being targeted (often to steal research data – including COVID-19 related). But here’s my ‘third’ – from the cybersecurity angle…

How can a hospital be so careless? Not patching a vulnerability on time – leaving the door wide open for cyber-scum to walk right through it and backdoor everything? How many times have we repeated that FreeBSD (which is what Netscaler works on) is in no way a guarantee of security, and in fact is just the opposite: a cybersecurity expert’s faux ami? This operating system is far from being immune and has weaknesses that can be used in sophisticated cyberattacks. And then of course there’s the fact that such a critical institution as a hospital (also infrastructural organizations), need to have multi-level protection, where each level backs up the others: if the hospital had had reliable protection installed on its network the hackers would probably never have managed to pull off what they did.

The German police are now investigating the chain of events that led up to the death of the patient. And I hope that the German authorities will turn to those of Russia with a formal request for cooperation in detaining the criminals involved.

See, for police to open a criminal case, a formal statement/request or subject matter of a crime committed needs to be presented at the very least. This or that article in the press or some other kind of non-formal comments or announcement aren’t recognized by the legal system. No formal request – no case. Otherwise attorneys would easily cause the case to collapse in the blink of an eye. However, if there is what looks like credible evidence of a crime committed, there’s an inter-governmental interaction procedure in place that needs to be followed. OTT-formal: yes; but that’s ‘just the way it is’. Governments need to get past their political prejudices and act together. Folks are dying already – and while international cooperation is largely frozen by geopolitics, cybercriminals will keep on reaching new heights lows of depraved actions against humanity.

UPD: The first step toward reinstating cooperation in cybersecurity has been taken. Fingers crossed…

Btw: Have you noticed how there’s hardly ever any news of successful attacks by ransomware hackers against Russian organizations? Have you ever wondered why? I personally won’t entertain for a moment the silly conspiracy theories about these hackers working for Russian secret services – as there are many ransomware groups around the world. Here’s why, IMHO: Because most Russian companies are protected by good quality cyber-protection, and soon they will be protected by a cyber-immune operating system – yep, that very protection that’s been banned for use in U.S. state institutions. Go figure.

UPD2: Just yesterday a ransomware attack was reported on one of America’s largest hospital chains, UHS: its computers – which serve ~250 facilities across the whole country – were shut down, which led to cancelled surguries, diverted ambulances, and patient registrations having to be completed oin paper. There are no further details as yet…

Playing hide and seek catch – with fileless malware.

Malicious code… – it gets everywhere…

It’s a bit like a gas, which will always fill the space it finds itself in – only different: it will always get through ‘holes’ (vulnerabilities) in a computer system. So our job (rather – one of them) is to find such holes and bung them up. Our goal is to do this proactively; that is, before malware has discovered them yet. And if it does find holes – we’re waiting, ready to zap it.

In fact it’s proactive protection and the ability to foresee the actions of attackers and create a barrier in advance that distinguishes genuinely excellent, hi-tech cybersecurity from marketing BS.

Here today I want to tell you about another way our proactive protection secures against yet another, particularly crafty kind of malware. Yes, I want to tell you about something called fileless (aka – bodiless) malicious code – a dangerous breed of ghost-malware that’s learned to use architectural drawbacks in Windows to infect computers. And also about our patented technology that fights this particular cyber-disease. And I’ll do so just as you like it: complex things explained simply, in the light, gripping manner of a cyber-thriller with elements of suspense ).

First off, what does fileless mean?

Well, fileless code, once it’s gotten inside a computer system, doesn’t create copies of itself in the form of files on disk – thereby avoiding detection by traditional methods, for example with an antivirus monitor.

So, how does such ‘ghost malware’ exist inside a system? Actually, it resides in the memory of trusted processes! Oh yes. Oh eek.

In Windows (actually, not only Windows), there has always existed the ability to execute dynamic code, which, in particular, is used for just-in-time compilation; that is, turning program code into machine code not straight away, but as and when it may be needed. This approach increases the execution speed for some applications. And to support this functionality Windows allows applications to place code into the process memory (or even into other trusted process memory) and execute it.

Hardly a great idea from the security standpoint, but what can you do? It’s how millions of applications written in Java, .NET, PHP, Python and other languages and for other platforms have been working for decades.

Predictably, the cyberbaddies took advantage of the ability to use dynamic code, inventing various methods to abuse it. And one of the most convenient and therefore widespread methods they use is something called reflective PE injection. A what?! Let me explain (it is, actually, rather interesting, so do please bear with me:)…

Launching an application by clicking on its icon – fairly simple and straightforward, right? It does look simple, but actually, under the hood, there’s all sorts goes on: a system loader is called up, which takes the respective file from disk, loads it into memory and executes it. And this standard process is controlled by antivirus monitors, which check the application’s security on the fly.

Now, when there’s a ‘reflection’, code is loaded bypassing the system loader (and thus also bypassing the antivirus monitor). The code is placed directly into the memory of a trusted process, creating a ‘reflection’ of the original executable module. Such reflection can be executed as a real module loaded by a standard method, but it isn’t registered in the list of modules and, as mentioned above, it doesn’t have a file on disk.

What’s more, unlike other techniques for injecting code (for example, via shellcode), a reflection injection allows to create functionally advanced code in high-level programming languages and standard development frameworks with hardly any limitations. So what you get is: (i) no files, (ii) concealment behind trusted process, (iii) invisibility to traditional protective technologies, and (iv) a free hand to cause some havoc.

So naturally, reflected injections were a mega-hit with developers of malicious code: At first they appeared in exploit packs, then cyber-spies got in on the game (for example, Lazarus and Turla), then advanced cybercriminals (as it’s a useful and legitimate way of executing complex code!), then petty cybercriminals.

Now, on the other side of the barricades, finding such a fileless infection is no walk in the cyber-park. So it’s no wonder really that most cybersecurity brands aren’t too hot at it. Some can hardly do it at all.

Read on…

Cyber-tales update from the quarantined side: March 92, 2020.

Most folks around the world have been in lockdown now for around three months! And you’ll have heard mention of a certain movie over those last three months, I’m sure, plenty; but here’s a new take on it: Groundhog Day is no longer a fun film! Then there’s the ‘damned if you’re good, damned if you’re bad’ thing with the weather: it stays bad and wet and wintry: that’s an extra downer for everyone (in addition to lockdown); it gets good and dry and summery: that’s a downer for everyone also, as no one can go out for long to enjoy it!

Still, I guess that maybe it’s some consolation that most all of us are going through the same thing sat at home. Maybe. But that’s us – good/normal folks. What about cyber-evil? How have they been ‘coping’, cooped up at home? Well, the other week I gave you some stats and trends about that. Today I want to follow that up with an update – for, yes, the cyber-baddies move fast. // Oh, and btw – if you’re interested in more cyber-tales from the dark side, aka I-news, check out this archives tag.

First off, a few more statistics – updated ones; reassuring ones at that…

March, and then even more so – April – saw large jumps in overall cybercriminal activity; however, May has since seen a sharp drop back down – to around the pre-corona levels of January-February:

At the same time we’ve been seeing a steady decline in all coronavirus-connected malware numbers:

// By ‘coronavirus-connected malware’ is meant cyberattacks that have used the coronavirus topic in some way to advance its criminal aims.

So, it would appear the news is promising. The cyber-miscreants are up to their mischief less than before. However, what the stats don’t show is – why; or – what are they doing instead? Surely they didn’t take the whole month of May off given its rather high number of days-off in many parts of the world, including those for celebrating the end of WWII? No, can’t be that. What then?…

Read on…

The world’s cyber-pulse during the pandemic.

Among the most common questions I get asked during these tough times is how the cyber-epidemiological situation has changed. How has cybersecurity been affected in general by the mass move over to remote working (or not working, for the unlucky ones, but also sat at home all the time). And, more specifically, what new cunning tricks have the cyber-swine been coming up with, and what should folks do to stay protected from them?

Accordingly, let me summarize it all in this here blogpost…

As always, criminals – including cybercriminals – closely monitor and then adapt to changing conditions so as to maximize their criminal income. So when most of the world suddenly switches to practically a full-on stay-at-home regime (home working, home entertainment, home shopping, home social interaction, home everything, etc.!), the cybercriminal switches his/her tactics in response.

Now, for cybercriminals, the main thing they’ve been taking notice of is that most everyone while in lockdown has greatly increased the time they spend on the internet. This means a larger general ‘attack surface’ for their criminal deeds.

In particular, many of the folks now working from home, alas, aren’t provided with quality, reliable cyber-protection by their employers. This means there are now more opportunities for cybercriminals hacking into the corporate networks the employees are hooked up to, leading to potentially very rich criminal pickings for the bad guys.

So, of course, the bad guys are going after these rich pickings. We see this evidenced by the sharp increase in brute-force attacks on database servers and RDP (technology that allows, say, an employee, to get full access to their work computer – its files, desktop, everything – remotely, e.g., from home) ->

Read on…

ILOVEYOU – 20 years ago – to the day!

Ancient cybersecurity folks with more than 20 years’ experience in the industry will of course remember the infamous ILOVEYOU Love Letter email worm from the early 2000s. What they may not recall is that it was exactly 20 years ago when it first reared its ugly head.

20 years? What?! Yep: Two decades ago to the day this cyber-maggot paralyzed practically the whole world. Wanna know what the guy responsible for this global cyber-tragedy is doing now, and where? I’ll get to that a bit later…

But I’ll start with a summary of the events of 20 years ago, in case you missed them. First up: why ‘Love Letter’?

This cyber-vermin crawled into millions of folks’ email inboxes. The receiver got a ‘love letter’ from what looked to be a friend or acquaintance.

source

Curiosity killed the… email recipient: after the attached VBS was clicked, the malware basically took control and sent itself on behalf of the recipient to everyone in his/her address book. And in some kinda totally mental mega-exponential way managed to infect – in a matter of hours!! – practically the whole email-using planet!

This caused colossal damages (yes, the worm also damaged certain files) (damages: to the tune of several BILLION dollars!)). Curious fact: the code for e-mail distribution was swiped from another worm – Melissa – which a year earlier ran amok around the whole world too (Microsoft had to switch off its corporate email (in current terminology – self-isolated) in order to stop the spread of the worm).

There’s another interesting element of Love Letter: the worm would download from the internet a Trojan that stole the infected computers’ internet-access logins and passwords (this is back when access was mostly dial-up, costing a lot – using per-hour tariffs), and sent them to a given address.

Read on…