NCSC - Statement: 'Bad Rabbit' malware incident

An official statement from the National Cyber Security Centre on the recent 'Bad Rabbit' malware cyber incident.

A spokesperson for the National Cyber Security Centre said:

“We are aware of a cyber incident affecting a number of countries around the world.

“The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”

Further information

  • The NCSC recommends that organisations and the public follow the guidance on the NCSC website: install the latest security software patches, back up data and use proper antivirus software services.
  • The NCSC also recommends that passwords are never re-used across important accounts, and that Two-Factor Authentication (also called Two-Step Verification) is set up in the security settings.
  • The National Crime Agency (NCA) encourages anyone who thinks they may have been subject to online fraud or cyber crime to contact Action Fraud at It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay. 

Where Have All The Exploit Kits Gone?

The bloom is off exploit kits.

Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone; usurped by new threats and a resurgence in old ones.

“When we compare exploit kit activity from January to December of 2016 there’s a drop of 300 percent in activity. That’s primarily due to these EKs dropping off the face of the Earth,” said Karl Sigler, threat intelligence manager at Trustwave.

Exploit kits are a type of malicious toolkit chock-full of pre-written exploits targeting browser plugins such as Java and Adobe Flash. Kits are planted on booby-trapped sites or used in malvertising campaigns, and they spring into action if they detect a vulnerable component in a visitor's browser or web application.

In their heyday, the Angler, Magnitude, Neutrino and Nuclear exploit kits accounted for 96 percent of exploit kit activity at the end of 2015, according to data from security firm Infoblox. Today, exploit kits are mostly dormant and development has gone stagnant.

Where did they go and why?

Arrests Send Crooks Scurrying

Some credit the downturn in exploit kit activity in 2016 to high-profile arrests of members of cybercrime outfits such as Lurk, who were behind the Angler Exploit Kit. In the case of Lurk, dozens of hackers were arrested across Russia in June 2016.

According to a detailed report by Kaspersky Lab on the takedown, the gang controlled Angler’s infrastructure and development, and was behind its distribution. At the time, Angler was one of the most notorious exploit kits on the Internet.

“The arrests of Lurk and the subsequent demise of Angler was not the single event that triggered exploit kit gangs to go dormant. But looking back, it’s hard not to assume that others behind Neutrino and others didn’t see this as a harbinger,” said Deepen Desai, senior director of research and operations at Zscaler.

But even before the Lurk arrests, the Nuclear crew had all but shut down its operation in the May and June timeframe. That followed an in-depth analysis of the gang’s malware-as-a-service infrastructure by Check Point researchers.

The third nail in the coffin for the dominant exploit kits was the decline of Neutrino. It abruptly shut down in September following a joint Cisco and GoDaddy operation in which a large number of malvertising campaigns that funneled victims to the exploit kit were shuttered.

Patrick Wheeler, director of threat intelligence at Proofpoint, notes that exploit kit activity declined 93 percent between January and September last year, but that activity hasn’t stopped altogether.

Wheeler said that after Nuclear and Angler went dormant, the criminals behind exploit kits downsized and went deeper underground, focusing on private development and smaller campaigns. Such is the case with Magnitude, RIG and Sundown, he said.

Strong Offense and Even Better Defense

It isn’t only a strong offense that is credited with pushing exploit kit gangs back into the shadows. A number of researchers credit a strong defense.

“Crimeware tools are only as good as their target’s defenses,” said Amol Sarwate, director of engineering at Qualys. He said recent efforts to fortify Microsoft’s browsers, Adobe’s Flash and Oracle’s Java browser components against exploit kit activity have paid off.

“There used to be a lot of low hanging fruit,” he said. “For now, that’s not the case.”

“Adobe Flash has been the top target for exploit kits such as RIG and Angler for a long time. Out of more than 3 billion scans that Qualys performs each year we saw that in 2016 Adobe flash vulnerabilities were patched about 40 percent faster as compared to the prior year. This implies that the industry is doing a better job with patching Flash, and although Flash is not dead it is being fixed more quickly,” according to a 2016 Qualys analysis.

Oracle has also taken steps to defend against crimeware used in exploit kits. Last year, the maker of Java announced it was pulling the browser plugin from the next desktop version of Java (Java JRE 9). That means Java software no longer plugs directly into the user’s Web browser, reducing the number of browser attacks that target outdated Java plugins.

“As much as I’d like to say it’s one thing that we did, it wasn’t,” said Peleus Uhley, lead security strategist within Adobe’s Secure Software Engineering Team. He said work with Microsoft and Google has paid off, especially when it comes to mitigating memory-corruption bugs, a class of vulnerability favored by exploit kits. Uhley said Control Flow Guard, a memory-corruption mitigation baked into Windows 10, has been effective against use-after-free attacks, which became a favorite crimeware exploit once ASLR and DEP put a damper on buffer overflow attacks.

“It’s a cumulative effort on our part and the security community. Nobody is resting on their laurels. The attackers continue their development and so will we,” Uhley said.

Crooks Try Different Tactics

Cybercriminals have continued to develop new delivery mechanisms for planting their malicious payloads on targeted systems. But the focus currently isn’t on exploit kits, but rather on social engineering-based attacks, said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.

“It’s not as if criminals have thrown in the towel,” Olson said. “A big component in a drought of exploit kit development has been the rise of Office macros used to deliver malware. For the past year we just have seen a continuous increase of macro document-based attacks replacing a lot of what exploit kits used to do,” he said.

Locky ransomware, Dridex banking Trojans and Gootkit Trojan information stealers all used to be distributed mainly via exploit kits and are now being spread primarily via spam, phishing and spear phishing campaigns.

“What we are finding is that it’s much easier to use social engineering to trick people into installing malware than to exploit a vulnerability,” said Proofpoint’s Wheeler. “What attackers have done is replaced the automated exploit with (socially engineered) ploys to get people to click.”

That type of social engineering has moved beyond the inbox as well, Wheeler said. “We saw attackers trying to trick Google Chrome users to install ‘Chrome Font’ malware on compromised websites,” Wheeler said. Rather than running an exploit kit, the attackers presented visitors with a fake prompt to install a Chrome plugin called “Chrome Font” that was actually a type of ad fraud malware known as Fleercivet.

While spam-based ploys that rely on social engineering tricks may seem like a crude alternative to exploit kits, Trustwave’s Sigler says they aren’t. “Social engineering attacks have always been popular, especially in phishing attacks. However, I would not say that social engineering attacks are any cheaper or easier to use. Good social engineering attacks require research if it’s a targeted attack or infrastructure like a spam botnet if it’s more of an opportunistic attack,” he said.

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. In December, attackers revived the old spamming technique known as hailstorm and leveraged the Necurs botnet to spread both the Dridex banking malware and Locky ransomware via malicious Word documents.

Despite being a fairly archaic attack vector, it has managed to work for attackers, researchers said.

Gangs Quietly Regroup

Meanwhile, new exploit kits are quietly under development. One example is an exploit kit called DNSChanger, spotted in December and distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, but rather a victim’s router.

Through a complex series of steps, DNSChanger decrypts the target’s router fingerprints to determine whether the victim is using a vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger kit which returns the proper instructions to perform an attack on the router,” according to Proofpoint. The goal: open ports on the router for malicious purposes.

New exploit kits also continue to surface, such as the Terror EK, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to Zscaler.

Zscaler’s Desai notes that Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” he said.

Other exploit kit innovations spotted by Zscaler include more kits using SSL to protect their landing pages and gates from inspection by network appliances. Desai notes that newer exploit kits are also adding more anti-analysis fingerprinting code to avoid detection in sandboxed environments.

“Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,” Desai said. “There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.”

Threatpost - New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands

A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.

According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients who are encouraged to “enable content” so they can view a message. If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan.

“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.

The initial PowerShell instructions that are executed are contained within the Word document itself.

Researchers said the attack is unique because it does not involve a typical infection chain that includes files written to the targeted system. Instead, the malware infection technique uses DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.

Researchers said the malware sample uses DNS TXT record queries and responses to create a bidirectional command and control channel. “This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker,” researchers wrote.

According to a technical analysis, attackers leveraged multiple VBA scripts, each unpacking a unique self-contained PowerShell script. During each of the stages in the infection process, malware would send DNS queries to one of multiple domains hardcoded in the script.

“The document uses the Document_Open() function to call another VBA function. The called function sets a long string that defines a Powershell command and includes the code to be executed. The command is then executed using the Windows Management Interface (WMI) Win32_Process object using the Create method,” researchers said.

This process, “allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” according to Talos.

The objective of the multi-stage infection process is to determine the access privileges on the targeted system and the version of PowerShell installed, make changes to the Windows Registry, and open a backdoor in order to maintain persistence.

Cisco notes that DNSMessenger demonstrates the ingenuity and lengths attackers are going to avoid detection. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” researchers wrote.
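The detection point Talos makes above, as an added example that is not part of the Threatpost article or the Talos research: a small Python detector that runs over constructed resolver-log lines and flags hosts making repeated TXT queries whose left-most labels look like encoded data, which is the footprint a DNS TXT command channel leaves. The log format, the thresholds and the `c2-placeholder.test` domain are all assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver-log sample (not from the Talos report). Each line is
# "<time> <client_ip> <query_name> <query_type>". The first three lines are
# ordinary lookups; the rest mimic a host pulling commands over TXT records
# from a placeholder domain, carrying encoded data in the left-most label.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 _dmarc.example.com TXT
10:00:05 10.0.0.5 a9f3k2q8z1x7c4v6b.cmd.c2-placeholder.test TXT
10:00:06 10.0.0.5 p0o9i8u7y6t5r4e3w.cmd.c2-placeholder.test TXT
10:00:07 10.0.0.5 l2k3j4h5g6f7d8s9a.cmd.c2-placeholder.test TXT
10:00:08 10.0.0.5 z1x2c3v4b5n6m7q8w.cmd.c2-placeholder.test TXT
10:00:09 10.0.0.5 q9w8e7r6t5y4u3i2o.cmd.c2-placeholder.test TXT
"""

def shannon_entropy(text):
    """Bits per character: encoded or random labels score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def registered_domain(qname):
    """Crude owner-domain extraction: last two labels (assumes no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}

def find_txt_c2_candidates(log_text, min_queries=3, min_label_len=12, min_entropy=3.0):
    """Group TXT queries by (client, owner domain) and flag pairs with repeated long,
    high-entropy left-most labels. SPF/DMARC lookups use short fixed labels at low
    volume, so they stay below the thresholds."""
    per_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        per_pair[(rec["client"], registered_domain(rec["qname"]))].append(rec["qname"])
    findings = []
    for (client, domain), qnames in per_pair.items():
        labels = [q.split(".")[0] for q in qnames]
        encoded = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(qnames) >= min_queries and len(encoded) >= min_queries:
            findings.append({"client": client, "domain": domain,
                             "txt_queries": len(qnames), "encoded_labels": len(encoded)})
    return findings
```

On the sample, `find_txt_c2_candidates(SAMPLE_LOG)` flags only the 10.0.0.5 / c2-placeholder.test pair; the thresholds are a starting point to tune against a network's own baseline of legitimate TXT lookups.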

“This appears to have been a fairly targeted attack and was not very widespread compared to other campaigns we regularly observe,” said Brumaghin. He added the intent of the malware is unclear. “We were unable to get the C2 infrastructure to send commands to execute. This is common with targeted attacks as the attackers will only choose to send commands to their intended victim.”

InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.

According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.

In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba.

The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”

According to IHG, the malware searched for magnetic stripe track data as it was being routed through the servers. Track data included cardholder name, card number, expiration date and internal verification code. No information was provided on the strain of malware used in the attacks.

Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.

The use of malware to steal payment card data hit a peak in 2014, when it was at the center of several high-profile breaches, including Target and Neiman Marcus.

As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.