News wrap on trending cyber-attacks

July 20, 2017

A new Android RAT (Remote Access Trojan), detected under the name GhostCtrl, can lock a mobile device by resetting its PIN and display a ransom note to the victim. These ransomware capabilities were observed in GhostCtrl's source code but not in real-world infections, where the RAT was mostly used for data exfiltration. Trend Micro researchers discovered GhostCtrl as part of a wave of attacks against Israeli healthcare organizations. That campaign primarily targeted Windows computers with RETADUP, a combination of worm, infostealer, and backdoor trojan.


New “operational” samples of the NukeBot banking trojan have emerged months after its original creator published its source code. The leak, in late March 2017, apparently attracted malware developers seeking to push out their own threats. Kaspersky Lab’s Sergey Yunakovsky spotted some of those new samples in the wild; a few are active, but most exist only in limited form.


Google is making it even harder to accidentally install a malicious plugin. Today, the company announced new changes to the way Google services handle plugins, adding new warnings for users and a more involved verification system for apps. The result is more scrutiny on apps plugging into Google services, and more active involvement from Google when an app seems suspicious. The changes come after a sophisticated phishing worm hit Google Drive users in May, masquerading as an invitation to collaborate on a document. The malicious plugin was not controlled by Google, but because it was named “Google Docs,” the app was able to fool many users into granting access. Once granted access, it sent a new request to everyone in the target’s contact list, allowing the app to spread virally. Ultimately, the app was blacklisted by Google, but not before it reached tens of thousands of users.


The sensitive personal and financial details of nearly 2.2 million Dow Jones & Co. customers were inadvertently exposed due to a configuration error on a cloud storage server, the publication confirmed on Monday. The exposed data, which included the names, addresses, account information, email addresses and last four digits of credit card numbers of customers including Wall Street Journal and Barron’s subscribers, was accessible online to anyone who had an Amazon Web Services account. Access for “anyone with an AWS account” is exactly what S3’s predefined “Authenticated Users” grantee group provides: despite the name, it covers every AWS account holder in the world, not just the bucket owner’s own accounts.
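The check a practitioner would want after reading the Dow Jones item is a scan of each bucket's ACL and bucket policy for grants to the global groups (AllUsers, AuthenticatedUsers) or to a wildcard principal. The following is an added example, not code from the article or from Dow Jones; the ACL and policy documents are constructed to match the shapes boto3's `get_bucket_acl()` and `get_bucket_policy()` return, and the bucket name, owner ID and role ARN in them are made up. The group URIs are the real ones S3 uses.

```python
import copy
import json

# Canonical URIs S3 uses for its two predefined "global" grantee groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "any AWS account in the world, not just yours",
}

# Constructed sample in the shape of boto3's s3.get_bucket_acl() response.
# Owner ID is made up for this example.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        # The dangerous grant: "Authenticated Users" sounds private but is not.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed bucket policy, as the JSON string s3.get_bucket_policy() returns
# in its "Policy" field. Bucket name and role ARN are made up.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ],
})


def _is_global_group_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS


def exposed_acl_grants(acl):
    """Return (who, permission) for every ACL grant to a global group."""
    return [(GLOBAL_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", []) if _is_global_group_grant(g)]


def strip_global_grants(acl):
    """Return a copy of the ACL with global-group grants removed.

    The result has the shape s3.put_bucket_acl(AccessControlPolicy=...) accepts.
    """
    cleaned = copy.deepcopy(acl)
    cleaned["Grants"] = [g for g in cleaned.get("Grants", [])
                         if not _is_global_group_grant(g)]
    return cleaned


def _is_wildcard_principal(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy_json):
    """Return the actions that Allow statements with a wildcard principal grant."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


if __name__ == "__main__":
    for who, perm in exposed_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {who}")
    for action in public_policy_actions(SAMPLE_POLICY_JSON):
        print(f"bucket policy allows {action} to any principal")
```

Run against live buckets by feeding `exposed_acl_grants()` the dict from `get_bucket_acl()` and `public_policy_actions()` the `Policy` string from `get_bucket_policy()`. One caveat: a wildcard-principal statement may carry a `Condition` (for example restricting the source VPC) that narrows who can actually use it; this check reports such statements as public on purpose, so that a human reviews the condition rather than the scanner silently trusting it.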


Remote Access Trojans (RATs)

Remote Access Trojans (RATs) give cybercriminals full interactive control of infected endpoints. Using the victim’s access privileges, they can access and steal sensitive business and personal data, including intellectual property, personally identifiable information (PII) and protected health information (PHI). While automated attacks (e.g. Man-in-the-Browser) let cybercriminals tamper with browser-based access to sensitive applications, RATs are used to steal information by manually operating the endpoint as the victim. Many Advanced Persistent Threat (APT) attacks use RAT tooling for reconnaissance, for bypassing strong authentication by riding the victim’s already-authenticated session, for spreading the infection, and for accessing sensitive applications to exfiltrate data. RATs are readily available off the shelf (e.g. Poison Ivy, DarkComet) and are typically installed on endpoints through drive-by downloads and spear-phishing.

Organizations should specifically address RATs in their enterprise defense strategy at the endpoint layer. The risk is especially high once an infection has occurred, because detecting a RAT at run time is hard: its process and network activity closely resembles that of legitimate remote-administration tools.

Detect and Block Malicious Remote Access Activities

RATs let attackers log keystrokes and record the user’s session in order to capture credentials and sensitive data and to learn how internal applications are structured and how their workflows operate. Preventing these run-time activities while sensitive applications such as VPN and VDI clients (or the browser) are in use sharply reduces the attacker’s ability to turn a RAT infection into a successful attack.

Block Malware Infection, Remove Existing Malware

Controls should be implemented to prevent RAT malware from infecting managed and unmanaged devices. If a device is infected, the controls need to quickly detect and remove the RAT from the end user’s machine. Future infections must be stopped by blocking malware installation and spear-phishing attacks. When weighing the strength of the protection and the risk reduction it brings against the impact on end users and IT security staff, resource consumption and management overhead deserve particular attention.

Enterprise Controlled Deployment and Management

Anti-malware solutions must cover the vast majority of managed and unmanaged device platforms, including PCs, Macs and mobile devices (iOS and Android). The solution must be readily available to end users so they can secure their devices immediately. An on-demand deployment option is required when enterprise resources are accessed from home computers or on the road. Organizations must be able to mandate that all VPN access is performed from secured endpoints, i.e. to verify that an endpoint security control is installed and functioning before access is granted.