Showing posts with label Mobile Malware. Show all posts

37pc of Organizations Impacted by Cryptomining over Past Year

Check Point Software Technologies Ltd has published the first instalment of its 2019 Security Report. The report highlights the main tactics cyber-criminals are using to attack organizations worldwide across all industries, and gives cyber security professionals and C-Level executives the information they need to protect their organizations from today’s fifth-generation cyber-attacks and threats.

The first instalment of the 2019 Security Report reveals the key malware trends and techniques observed by Check Point researchers during the past year. Highlights include:

* Cryptominers dominated the malware landscape: Cryptominers occupied the top four most prevalent malware types and impacted 37 percent of organizations globally in 2018. Despite a fall in the value of all cryptocurrencies, 20 percent of companies continue to be hit by cryptomining attacks every week. Cryptominers have also evolved significantly in recent months to exploit high-profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates.

* Mobiles are a moving target: 33 percent of organizations worldwide were hit by mobile malware, with the leading three malware types targeting the Android OS. 2018 saw several cases where mobile malware came pre-installed on devices, and where apps available from app stores were actually malware in disguise.

* Multi-purpose botnets launch a range of attacks: Bots were the third most common malware type, with 18 percent of organizations hit by bots, which are used to launch DDoS attacks and spread other malware. Bot infections were instrumental in nearly half (49 percent) of the organizations that experienced a DDoS attack in 2018.

* Ransomware attacks in decline: 2018 saw ransomware usage fall sharply, impacting just 4 percent of organizations globally.

“From the meteoric rise in cryptomining to massive data breaches and DDoS attacks, there was no shortage of cyber-disruption caused to global organizations over the past year. Threat actors have a wide range of options available to target and extract revenues from organizations in any sector, and the first instalment of the 2019 Security Report highlights the increasingly stealthy approaches they are currently using,” said Peter Alexander, chief marketing officer of Check Point Software Technologies.  

“These multi-vector, fast-moving, large-scale Gen V attacks are becoming more and more frequent, and organizations need to adopt a multi-layered cybersecurity strategy that prevents these attacks from taking hold of their networks and data.  The 2019 Security Report offers knowledge, insights and recommendations on how to prevent these attacks.”


via bwcio

Malware Campaign Targeting Jaxx Wallet Holders Shut Down


A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.
A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.
Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty, supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.
Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.
Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.
"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.
Malware Skips Mobile, Goes to Desktop
This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.
Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.
Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code.
If the JAR was executed, it displayed a message in both Russian and English stating that the user was temporarily blocked from creating a new wallet. The user was rerouted to a "Pair/Restore Wallet" option, which prompted them for their Jaxx backup wallet phrase, the passphrase used to decrypt the wallet, so that the threat actors could pilfer digital currency from the target's account. The victim's backup phrase was sent to the attackers' server, and the victim then saw another error message.
The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.
Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.
KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.


Mobile’s Latest Malware Threat: The All-in-One Android Trojan


A new Android Trojan — dubbed Android.Banker.L — combines the functionality of banking Trojans, keyloggers and ransomware to compromise victim devices and steal data.
As reported by Quick Heal, the latest malware threat uses multiple methods simultaneously to attack user devices. In addition to a typical Android banking Trojan, the malware contains code that enables it to forward calls, record sound, conduct keylogging and deploy ransomware. It’s also able to launch device browsers with a URL received from its command-and-control (C&C) server, which is contacted via Twitter.
Once installed, Android.Banker.L repeatedly opens the Accessibility Settings page and asks users to turn on Accessibility Service, which allows it to leverage any device permission without the need for user input.

Why the Latest Malware Threat Is So Elusive

Quick Heal noted that the code’s main Android application package (APK) is “highly obfuscated and all strings are encrypted.” When it receives the command to encrypt all device files, it renames them and then deletes the originals.
This new attack uses financial phishing overlays that are displayed after specific applications are launched. The overlays look legitimate and encourage users to provide their login credentials.
Even if users suspect their device may have been infected, the malware takes steps to prevent deletion. For example, it displays a fake alert message warning that the “system does not work correctly” and encouraging users to disable Google Play Protect. It also displays a fake system alert for “error 495” if users attempt to uninstall the app, which is listed as “sistemguncelle.”

How Companies Can Defend Against Trojans

To combat mobile Trojans, IBM security experts recommend using unified endpoint management (UEM) solutions that offer dedicated mobile threat protection (MTP) tools and include real-time over-the-air updates, automatic detection and removal of infected apps, and the ability to intelligently identify rooted, jailbroken or compromised devices.
Security experts also advise organizations to use mobile sandbox solutions to help manage the gap between known good code and known bad code that can pose a threat to the IT environment.
Finally, users should always verify the legitimacy of any unsolicited email attachments through a separate channel and delete them without opening if they are unable to validate them.


via IBM
