37pc of Organizations Impacted by Cryptomining over Past Year

Check Point Software Technologies Ltd has published the first instalment of its 2019 Security Report.  The report highlights the main tactics cyber-criminals are using to attack organizations worldwide across all industries, and gives cyber security professionals and C-Level executives the information they need to protect their organizations from today’s fifth-generation cyber-attacks and threats.

The first instalment of the 2019 Security Report reveals the key malware trends and techniques observed by Check Point researchers during the past year. Highlights include:

* Cryptominers dominated the malware landscape:  Cryptominers occupied the top four most prevalent malware types and impacted 37 percent of organizations globally in 2018. Despite a fall in the value of all cryptocurrencies, 20 percent of companies continue to be hit by cryptomining attacks every week.  Cryptominers have also highly evolved recently to exploit high profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates.

* Mobiles are a moving target:  33 percent of organizations worldwide were hit by mobile malware, with the leading three malware types targeting the Android OS. 2018 saw several cases where mobile malware was pre-installed on devices, and apps available from app stores that were actually malware in disguise.

* Multi-purpose botnets launch range of attacks:  Bots were the third most common malware type, with 18 percent of organizations hit by bots which are used to launch DDoS attacks and spread other malware. Bot infections were instrumental in nearly half (49 percent) of organizations experiencing a DDoS attack in 2018.

* Ransomware attacks in decline: 2018 saw ransomware usage fall sharply, impacting just 4 percent of organizations globally.

“From the meteoric rise in cryptomining to massive data breaches and DDoS attacks, there was no shortage of cyber-disruption caused to global organizations over the past year. Threat actors have a wide range of options available to target and extract revenues from organizations in any sector, and the first instalment of the 2019 Security Report highlights the increasingly stealthy approaches they are currently using,” said Peter Alexander, chief marketing officer of Check Point Software Technologies.  

“These multi-vector, fast-moving, large-scale Gen V attacks are becoming more and more frequent, and organizations need to adopt a multi-layered cybersecurity strategy that prevents these attacks from taking hold of their networks and data.  The 2019 Security Report offers knowledge, insights and recommendations on how to prevent these attacks.”

via bwcio

Read more »

AMONG SMARTPHONES, ANDROID DEVICES ARE THE MOST COMMONLY TARGETED BY MALWARE, FINDS REPORT

(Last Updated On: December 7, 2018)

According to the latest Nokia Threat Intelligence Report 2019, Android devices are the most commonly targeted by malware. In mobile networks, Android devices were responsible for 47.15% of the observed malware infections, Windows©/ PCs for 35.82%, IoT for 16.17% and Apple’s iPhones for less than 1%.

Malware, Device breakdown 2018, source Nokia Threat Intelligence Report 2019

In the smartphone sector, the vast majority of malware is currently distributed as trojanized applications. The user is tricked by phishing, advertising or other social engineering into downloading and installing the application. The main reason that the Android platform is targeted, is the fact that once side-loading is enabled, Android applications can be downloaded from just about anywhere. In contrast, iPhone applications are for the most part limited to one source, the Apple Store.

Report also noted that Windows/PCs continue to be a target for malware infection. These Windows/PCs are connected to the mobile network using USB dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for 36% of the malware infections observed. This is because these devices are still a popular target for professional cybercriminals who have a huge investment in the Windows malware ecosystem.

According to the report, IoT devices now make up 16% of the infected devices observed. This is mostly the result of IoT botnet activity. These bots actively scan for vulnerable victims using an increasingly rich suite of attacks. In networks where devices are routinely assigned public facing internet IP addresses we find a high IoT infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

The report also found that Android malware samples continue to grow in 2018. Nokia Threat Intelligence Lab now has close to 20 million Android malware samples. This is an increase of 31% since last year.

Of the top 20 malware infections detected in fixed residential networks in 2018, the majority still focus on the traditional Windows/PC platform, however 5 of the top 20 target IoT and 3 target Android.

In 2018 the average percentage of devices infected each month was 0.31%. The peak month was June with 0.46% due to an increase in activity of Android.Adware.Adultswine, malware that displays ads from the web that are often highly inappropriate and pornographic, attempts to trick users into installing fake “security apps” that also serve ads and entices users to register for premium services with hiddenexpenses. It is very persistent and difficult to uninstall.

The report also stessed the emergence of new IoT botnet variants in 2018. In particular – Fbot, which is a Satori related botnet that has two major distinguishing features. It spreads by scanning for devices that have the default Android Debug Bridge (ADB) port open. Very few Androids phones have this port open, but apparently some smart TVs and other Android based IoT devices have been deployed accidentally with this debug port open.

Read more »

Mobile banking Trojan Asacub hits 40 000 per day

Kaspersky Lab has picked up on a large-scale distribution campaign of the infamous mobile banking Trojan, Asacub.

Researchers at the company estimate Asacub is reaching 40 thousand individuals each day. Although the Trojan is primarily aimed at Russian users, it has also hit users in many other countries, including Germany, Belarus, Poland, Armenia, Kazakhstan and the US.

According to Kaspersky, Asacub was discovered in 2015, and has evolved over the years. Its erlier iterations were closer to spyware than banking malware. They could steal all incoming SMS messages, irrespective of the sender, and upload them to the intruders' server. The functionality of the latest Asacub modifications help attackers gain remote control of infected devices and steal banking data.

Over the last year, Asacub authors have been upping their efforts and conducting large scale campaigns for its dissemination, to the point that it has held the leading position among mobile banking Trojans for the past twelve months.

Researchers say the reason behind its continued sustainability is that the domains of its command server change, and there are disposable phishing links for downloading the Trojan.

How it works

Asacub is distributed through phishing SMS messages, which invite victims to view a photo or MMS message. If the victim's device settings permit installations from unknown sources, Asacub is able to install itself on the target device as the default SMS application.

See also

Chrome browser flags all sites that are 'not secure'

GandCrab ransomware continues to evolve

In this way, when a new SMS message arrives, it can transmit the sender's number and message text to the intruders' command server. Asacub can withdraw funds from a bank card attached to the phone by sending SMS messages for transferring funds to another card or phone number, and it can intercept SMS messages from a bank containing one-time passwords.

Tatyana Shishkova, malware analyst at Kaspersky Lab, says the Asacub Trojan highlights how mobile malware can function for several years with minimal changes to its distribution pattern.

"One of the main reasons for this is that the human factor can be leveraged through social engineering: SMS messages look like they are meant for a certain user, so victims unconsciously click on fraudulent links. In addition, with regular change of domains from which the Trojan is distributed, catching it requires heuristic methods of detection," she adds.

Better than cure

Kaspersky advises users to follow several steps to avoid getting infected with mobile banking malware:

• Only download applications that are from official resources;
• If possible, disable the installation of applications from third-party sources in smartphone settings;
• Never click on links from suspicious or unknown senders;
• Install a reliable security solution to protect mobile devices.

via ITWeb

Read more »

Malware Campaign Targeting Jaxx Wallet Holders Shut Down

A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.

A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.

Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.

Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.

Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.

"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.

Malware Skips Mobile, Goes to Desktop

This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.

Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.

Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code.

If the JAR was executed it displayed a message in both Russian and English stating the user was temporarily blocked from creating a new wallet. They were rerouted to a "Pair/Restore Wallet" option, which prompted them for their Jaxx backup wallet phrase, a password used to decrypt wallets so threat actors could pilfer digital currency from the target's account. The victim's backup phrase went to the attackers' server, and they saw another error message.

The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.

Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.

KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.

via darkreading

Read more »

Mobile’s Latest Malware Threat: The All-in-One Android Trojan

A new Android Trojan — dubbed Android.Banker.L — combines the functionality of banking Trojans, keyloggers and ransomware to compromise victim devices and steal data.

As reported by Quick Heal, the latest malware threat uses multiple methods simultaneously to attack user devices. In addition to a typical Android banking Trojan, the malware contains code that enables it to forward calls, record sound, conduct keylogging and deploy ransomware. It’s also able to launch device browsers with a URL received from its command-and-control (C&C) server, which is contacted via Twitter.

Once installed, Android.Banker.L repeatedly opens the Accessibility Settings page and asks users to turn on Accessibility Service, which allows it to leverage any device permission without the need for user input.

Why the Latest Malware Threat Is So Elusive

Quick Heal noted that the code’s main Android application package (APK) is “highly obfuscated and all strings are encrypted.” When it receives the command to encrypt all device files, it renames them and then deletes the originals.

This new attack uses financial phishing overlays that are displayed after specific applications are launched. The overlays look legitimate and encourage users to provide their login credentials.

Even if users suspect their device may have been infected, the malware takes steps to prevent deletion. For example, it displays a fake alert message warning that the “system does not work correctly” and encouraging users to disable Google Play Protect. It also displays a fake system alert for “error 495” if users attempt to uninstall the app, which is listed as “sistemguncelle.”

How Companies Can Defend Against Trojans

To combat mobile Trojans, IBM security experts recommend using unified endpoint management (UEM) solutions that offer dedicated mobile threat protection (MTP) tools and include real-time over-the-air updates, automatic detection and removal of infected apps, and the ability to intelligently identify rooted, jailbroken or compromised devices.

Security experts also advise organizations to use mobile sandbox solutions to help manage the gap between known good code and known bad code that can pose a threat to the IT environment.

Finally, users should always verify the legitimacy of any unsolicited email attachments through a separate channel and delete without opening if they are unable to validate.

via IBM

Read more »