::Trend Micro Threat Resource Center::

Showing posts with label ransomware.

29 January 2016

'Critical' Israel power grid attack was just boring ransomware

Ransomware delivered by a phishing attack hit the Israel Electric Authority, not the power grid, but the incident still alarmed the world: it was dubbed a 'severe cyber attack', which morphed in the media into an attack that took out the Israeli power grid.


Minister puts nation on alert, SANS Institute says move along, nothing to see here ...

The SANS Institute has moved to quell reports that Israel's energy grid has been hit by malware, revealing instead that the attacks were ransomware infecting the nation's utility regulatory authority.

Reports emerged after energy minister Dr Yuval Steinitz said a "severe" attack had hit the authority in what he reportedly called "one of the largest cyber attacks" the agency had experienced.

"We are handling the situation and I hope that soon, this very serious event will be over," Steinitz says.

Reports emerged suggesting the incident could impact the energy grid similarly to the targeted and sophisticated attacks against Ukraine, revealed earlier this year.

Robert Lee of the SANS Institute, citing Israel-based analyst Eyal Sela of ClearSky Security, says the reports are misleading.

"The Israel Electric Authority the Minister mentioned is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites," Lee says.

"The Israeli Electric Authority is a regulatory body of roughly 30 individuals and this cyber attack is only referencing their networks.

"...new reporting shows that the cyber attack was simply ransomware delivered via phishing emails to the regulatory body's office network, and it appears it in no way endangered any infrastructure."

It is not known what ransomware infected the machines.

The latest versions of the most sophisticated ransomware – such as CryptoWall – leave encrypted files that cannot be recovered without paying the ransom, while newer and less-popular ransomware offerings contain encryption implementation flaws that allow the scumware's damage to be undone without footing the extortion.


13 July 2015

TeslaCrypt 2.0 conceals its identity to demand a US$500 ransom


Kaspersky Lab has detected curious behaviour in a new threat from the TeslaCrypt ransomware encryptor family. Version 2.0 of the Trojan, notorious for infecting computer gamers, displays an HTML page in the web browser that is an exact copy of the ransom page used by CryptoWall 3.0, another notorious ransomware programme.

Perhaps the criminals are doing this as a statement of intent: so far, many files encrypted by CryptoWall could not be decrypted, which is not the case with many past cases of TeslaCrypt infection. After a successful infection, the malicious programme demands a $500 ransom for the decryption key; if the victim delays, the ransom doubles.

Early samples of TeslaCrypt were detected in February 2015 and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to encrypt typical gaming files: game saves, user profiles, recorded replays, etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB.

Mechanism of Infection

When TeslaCrypt infects a new victim, it generates a new unique Bitcoin address to receive the victim’s ransom payment and a secret key to withdraw it. TeslaCrypt’s C&C servers are located in the Tor network. The Trojan’s version 2.0 uses two sets of keys: one set is unique within one infected system, the other is generated repeatedly each time the malicious programme is re-launched in the system. Moreover, the secret key with which user files get encrypted is not saved on the hard drive, which makes the process of decrypting the user files significantly more complicated.

Programmes from TeslaCrypt malware family were observed to propagate via the Angler, Sweet Orange and Nuclear exploit kits. Under this malware propagation mechanism, the victim visits an infected web site and the exploit’s malicious code uses browser vulnerabilities, most typically in plugins, to install the dedicated malware on the target computer.

“TeslaCrypt, a hunter of gamers, is designed to deceive and intimidate users. For example, its previous version displayed a message to the victim saying that his/her files were encrypted with the famous RSA-2048 encryption algorithm, and thus demonstrated there was no option but to pay the ransom,” said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

“In reality, the cybercriminals did not use this algorithm. In its latest modification, TeslaCrypt convinces victims they are dealing with CryptoWall – once the latter encrypts user files, there is no way to have them decrypted. However, all links lead to a TeslaCrypt server – apparently, the malware authors have no intention of giving their victims’ money away to a competitor.”

Recommendations to users

  • Create backup copies of all your important files on a regular basis. Copies should be kept on media that are physically disconnected immediately after the backup copying is completed.
  • It is crucially important to update your software in a timely fashion, especially the web browser and its plugins.
  • Should a malicious programme still land on your system, it will be best addressed by the latest version of a security product with updated databases and activated security modules.
  • Kaspersky Lab’s products detect this malicious programme as Trojan-Ransom.Win32.Bitman.tk and successfully protect users against this threat.

In addition, a Cryptomalware Countermeasure Subsystem is implemented in Kaspersky Lab’s solutions. This registers activity when suspicious applications attempt to open a user’s personal files and immediately makes local protected backup copies of them.

If the application is judged to be malicious, the subsystem automatically rolls back the unsolicited changes by replacing the affected files with the protected copies. In this way, users are protected even from as-yet-unknown cryptomalware.

20 January 2015

Your computer and smartphone, held hostage

Cybercriminals are making their attacks personal, remotely locking your computers and smartphones until you pay a hefty ransom.

Tapping a link on your smartphone to watch a new music video might sound harmless, but it got one 12-year-old girl from Tennessee into trouble last year.


Instead of a video, the preteen -- whose name has not been disclosed because of her age -- had unwittingly installed malicious software that downloaded child pornography, locked her Android phone, and threatened to report the pornography to the FBI if she didn't fork over $500 in ransom. She reported the hacker's extortion demands to Frank Watkins, an investigator with the Coffee County Sheriff's Department.

It's called ransomware, a type of malicious code that leaves its victims feeling personally violated. Some versions destroy your data if you don't pay, while others merely threaten. Some will encrypt your device, scrambling everything it contains until you pay a ransom.

Ransomware can be big business. CryptoLocker, which uses email attachments to infect and encrypt computers, harvested nearly $30 million in about 100 days, according to estimates from Keith Jarvis of Dell's SecureWorks counter-threat division. CryptoLocker's descendant CryptoWall, which has infected more than 1 million computers, continues to mutate and adopt new techniques that make it harder to remove.

While ransomware has been around since 1989, it's gotten worse as criminals target billions of smartphones and tablets used around the world, demanding $100 to $600 (often in bitcoins) to release it.

A mobile threat report from Mobile Lookout Security, which makes security software for smartphones, found 4 million of Lookout's 60 million users were held hostage last year, said Jeremy Linden, senior security product manager for the San Francisco company.

Avast, which says 55 million people use its free mobile security software, reports similar numbers. Last month alone, the company blocked 5,000 ransomware attacks a day -- up from nearly zero only seven months earlier -- according to Jiri Sejtko, director of Avast's virus detection lab.

Having your computer locked out can be traumatic in its own right. Losing access to your smartphone can trigger "abject panic," said Larry Rosen, a psychologist and researcher at California State University, Dominguez Hills, who studies people's reactions to modern technology. "That little box contains everything you ever need on a daily basis. You're carrying around a phone, computer, friends -- your everything in one box," he said.

Small wonder, then, that hackers have trained their attention on mobile extortion. But payer beware. "You could pay a ransom and the malware would still not unlock your phone," said Mobile Lookout's Linden.

So far, mobile ransomware is considered to be easier to avoid than its desktop cousin. Experts have two tips for smartphone owners.

First, install an application that will block ransomware. And second, never download applications from outside the official Google Play store or Apple App Store.

And finally, report the crime to the police.

"Don't hesitate about calling," even if the attack installed child pornography on your phone, said Watkins, of the Coffee County Sheriff's Department. "Contact your local authorities. They'll be able to tell that it's ransomware."

13 January 2015

Researchers measure reach of Australian TorrentLocker variant


Last year there were more than 10,000 web hits related to versions of the TorrentLocker malware tailored to Australian audiences in a single month of monitoring by security researchers.

TorrentLocker is a strain of malware that encrypts users' files and forces victims to pay a ransom in bitcoins in order to receive a key to decrypt them.

The base price in Australia is $598, but the ransomware threatens to double the price in 96 hours. Payment takes place through the Tor anonymity service.

TorrentLocker identifies itself as CryptoLocker, which is a separate piece of malware that operates in a similar fashion.

Security vendor Trend Micro and Deakin University researchers monitored local TorrentLocker activity in November last year and registered more than 10,000 hits relating to the malware originating from Australia.

The level of traffic to TorrentLocker-related addresses was obtained by studying a sample from the Trend Micro Web Reputation Service (WRS) and Smart Protection Network.

TorrentLocker phishing emails and destination URLs impersonated Australia Post and NSW's Office of State Revenue.

"This strain of CryptoLocker tailored for Australian victims started in the second half of 2014, and continued up to Christmas Eve," Jon Oliver, a senior threat researcher at Trend Micro Australia, said in a statement.

"The outbreaks have stopped for the New Year break, but will almost certainly continue in the New Year."

"These attacks are technically sophisticated and specifically aimed at Australians and have been significantly increasing since July with an enormous impact on businesses and individuals," said Deakin University's Professor Yang Xiang.

Full report available for download here.

24 November 2014

Android ransomware 'Koler' turns into a worm, spreads via SMS


A malicious Android app that takes over the screen of devices and extorts money from users with fake notifications from law enforcement agencies was recently updated with a component that allows it to spread via text message spam.

Known as Koler, the ransomware Trojan has been on malware researchers' radar since May when it started being distributed through porn websites under the guise of legitimate apps. A new variant of the threat found recently by researchers from security firm AdaptiveMobile spreads through SMS messages that attempt to trick users into opening a shortened bit.ly URL.

Once installed on a device, Koler opens a persistent window that covers the entire screen and displays a fake message from local law enforcement agencies accusing users of viewing and storing child pornography. Victims are asked to pay a "fine" using MoneyPak prepaid cards in order to regain control of their phones.

The Koler ransomware is capable of displaying localized ransomware messages to users from at least 30 countries, including the U.S., where the impersonated law enforcement agency is the FBI.

The new version found by AdaptiveMobile sends a text message to all contacts in the victim's address book. The message reads: "someone made a profile named -[the contact's name]- and he uploaded some of your photos! is that you?" followed by a bit.ly URL or a similar shortened link.
The URL points to an Android application package file called IMG_7821.apk that's hosted on a Dropbox account. When installed, this application uses the name PhotoViewer, but is actually the ransomware program.

Because of Worm.Koler's SMS distribution mechanism, a rapid spread of infected devices has been observed since 19 October, which is believed to be the original outbreak date.

During this short period, several hundred phones that exhibit signs of infection have been detected across multiple US carriers. In addition, other mobile operators worldwide -- predominantly in the Middle East -- have been affected by this malware.

The best protection against ransomware threats like Koler is to have the "unknown sources" option turned off in the Android security settings menu. When this setting is disabled -- and it typically is by default -- users won't be able to install applications that are not obtained from the official Google Play store. Some users do turn this option on though, because there are legitimate applications that are not hosted on Google Play for various reasons.

Koler does not encrypt users’ files, so it is easy for users to eliminate it from infected devices. To remove the malware:
  • Reboot the mobile device in “Safe Mode”.
  • Remove the malicious ‘PhotoViewer’ app using the standard Android app uninstallation tool.
Instructions on how to reboot the device in safe mode should be available in the phone's manual, but it generally involves pressing and holding the power button until the power menu appears, then tapping and holding Power Off until the option to reboot in safe mode appears.

As of 24 Nov, this worm has reached the shores of Singapore, as reported in a popular local forum.


16 October 2014

YouTube Ads Lead To Exploit Kits, Hit US Victims

Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube.

Over the past few months, Trend Micro has been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.


Recently, they saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

The ads observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
Trend Micro's analysis of the campaign identified that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but all of the URLs use subdomains on the same Polish site mentioned earlier, and the behavior of the payloads is identical.

The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.

Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories from vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure. Backing up files is also a good security practice to prevent data loss in the event of an attack like this.

In addition to blocking the files and malicious sites involved in this attack, Trend Micro's browser exploit prevention technology prevents attacks that target these vulnerabilities.

With additional insight from Rhena Inocencio (Threat Response Engineer), the following hashes are detected as part of this attack:

09BD2F32048273BD4A5B383824B9C3364B3F2575
0AEAD03C6956C4B0182A9AC079CA263CD851B122
1D35B49D92A6E41703F3A3011CA60BCEFB0F1025
32D104272EE93F55DFFD5A872FFA6099A3FBE4AA
395B603BAD6AFACA226A215F10A446110B4A2A9D
6D49793FE9EED12BD1FAA4CB7CBB81EEDA0F74B6
738C81B1F04C7BC59AD2AE3C9E09E305AE4FEE2D
A1A5F8A789B19BE848B0F2A00AE1D0ECB35DCDB0
A7F3217EC1998393CBCF2ED582503A1CE4777359
C75C0942F7C5620932D1DE66A1CE60B7AB681C7F
E61F76F96A60225BD9AF3AC2E207EA340302B523
FF3C497770EB1ACB6295147358F199927C76AF21
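The hashes above are indicators a defender can sweep a file share or a suspect endpoint for. The script below is an added example written for this page, not Trend Micro's own tooling: it treats the 12 digests as SHA-1 (an assumption based on their 40-hex-character length; the post does not name the algorithm), walks a directory tree and reports every file whose digest matches. The `build_demo_tree` helper is likewise a constructed stand-in: it creates a temporary directory containing harmless files so the sweep can be exercised offline, with the well-known SHA-1 of the bytes `abc` added as a demo indicator.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The 12 digests listed in the post. They are 40 hex characters long, so this
# example assumes they are SHA-1 (the post itself does not name the algorithm).
KOVTER_HASHES = """
09BD2F32048273BD4A5B383824B9C3364B3F2575
0AEAD03C6956C4B0182A9AC079CA263CD851B122
1D35B49D92A6E41703F3A3011CA60BCEFB0F1025
32D104272EE93F55DFFD5A872FFA6099A3FBE4AA
395B603BAD6AFACA226A215F10A446110B4A2A9D
6D49793FE9EED12BD1FAA4CB7CBB81EEDA0F74B6
738C81B1F04C7BC59AD2AE3C9E09E305AE4FEE2D
A1A5F8A789B19BE848B0F2A00AE1D0ECB35DCDB0
A7F3217EC1998393CBCF2ED582503A1CE4777359
C75C0942F7C5620932D1DE66A1CE60B7AB681C7F
E61F76F96A60225BD9AF3AC2E207EA340302B523
FF3C497770EB1ACB6295147358F199927C76AF21
"""

# Constructed demo indicator: the SHA-1 of the bytes b"abc", used only so the
# sample directory below produces one hit. It is not from the post.
DEMO_DIGEST = "a9993e364706816aba3e25717850c26c9cd0d89d"

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def load_iocs(text: str) -> set[str]:
    """Parse one digest per line (blank lines and '#' comments ignored) into a
    lowercase set, so matching is case-insensitive and O(1) per file."""
    iocs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not SHA1_HEX.match(line):
            raise ValueError(f"not a 40-hex SHA-1 digest: {line!r}")
        iocs.add(line.lower())
    return iocs


def sha1_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large binaries need not fit in memory."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs: set[str]) -> list[tuple[str, str]]:
    """Walk `root` and return (path, digest) for every regular file whose SHA-1
    is in `iocs`. Symlinks are skipped and unreadable files are ignored rather
    than aborting the whole sweep."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha1_of(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(path), digest))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed temporary directory for offline testing. It holds
    no real malware: 'sample.bin' contains b'abc' (digest DEMO_DIGEST) and
    'notes.txt' is benign filler."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    (Path(root) / "sample.bin").write_bytes(b"abc")
    (Path(root) / "notes.txt").write_text("benign placeholder file\n")
    return root


if __name__ == "__main__":
    import sys
    # Pass a directory to sweep; with no argument the constructed demo tree is used.
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    iocs = load_iocs(KOVTER_HASHES) | {DEMO_DIGEST}
    for path, digest in scan_tree(root, iocs):
        print(f"MATCH {digest} {path}")
```

A hash match is a high-confidence but narrow signal: as the post notes, the payload URL changes constantly, and a repacked sample will carry a different digest, so a sweep like this confirms known samples rather than proving a host is clean.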

Google has been notified about this incident.

24 November 2012

Digitally signed ransomware lurking in the wild

Trend Micro researchers have spotted two ransomware variants bearing the same (probably stolen) digital signature in order to fool users into running the files.

Other than that, the malware acts like any other ransomware: it blocks the victim's computer and shows messages that seem to come either from the FBI or the UK’s Police Central e-crime Unit.

"Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability," say the researchers.

And if the bogus law enforcement messages are anything to go by, it seems that those same malware peddlers have managed to hack the DNS records of Go Daddy hosted websites so that they can redirect victims to malicious sites hosting the Cool exploit kit.

Sophos' researchers speculate that the DNS records hijacking was due to stolen or weak passwords.

"Go Daddy customers who wish to check they have not been affected by these attacks should check their DNS configuration according to the Go Daddy support page," they advise.