What I’ve talked about above, is all prevention. However that doesn’t help you if you are staring at a monitor with a ransom demand on it. Let me give you a couple of examples of recently reported Ransomware incidents and how they were handled.

Bristol Airport recovers from Ransomware Incident

On the weekend of the 15th and 16th September, Bristol Airport suffered a Ransomware incident. This incident took their flight information screens off-line for much of the weekend. Luckily no other safety or flight systems were affected.

How did the authorities at Bristol Airport deal with Ransomware? They re-built the systems and restored backups. They did not pay the Ransom.

Scottish Brewery suffered a Ransomware incident from a job application.

In the last couple of weeks, the Arran Brewery in Scotland had all of it’s systems affected by Ransomware. They had been running a recruitment campaign, advertising for a role via their own website. The evil doers took that ad and posted it to some international recruitment websites. The brewery then started receiving several e-mails a day from interested candidates from all over the world. In among those e-mails the bad guys slipped in one with Ransomware. The CV got opened and their files got scrambled. Not only were their live files affected, but their recent backups were too. These were stored online, attached to their network. Their most recent offline backups were 90 days old.

How did the brewery deal with Ransomware? They also re-built their systems and restored what backups they had. In this case though, they did consider paying the (GBP) £9,600 ransom. They came to the determination that the value of the data they lost (90 days of sales data) was less than the cost of the Ransom demand. They also took into consideration that paying the Ransom does not guarantee they would get back their data.

The brewery then did something really sensible. They have kept a copy of the scrambled data.

Help may be available from the good guys.

There is a not-for-profit, freely available service called No More Ransom (https://www.nomoreransom.org). This is run by various Law Enforcement and Cyber Security firms around the world. They are constantly working on cracking the codes for the different Ransomware variants and enabling people to recover their data for free.

So the Arran Brewery is holding onto the scrambled data in the hope that someday they will be able to unscramble it.

So how should you deal with Ransomware?

Prevention is always better than a cure.

The first thing is to make sure you get your staff some security awareness training. This is something that I deliver. Details of the complete training is available here. We can do customised training to suit your organisation too. Call me on 087-436-2675 or e-mail on info@L2CyberSecurity.com to discuss your requirements.

Then ensure that you have your systems updated/patched regularly, have security appliances like Firewalls in place, Anti-Virus is generally helpful against malicious software and also you shouldn’t insert strange USB devices into your computers.

Finally, you should have a good data backup system in place. This can be a very simple set-up or more complicated depending on your business needs. Again, I offer advice and support on backup strategies and business continuity planning. I also have a commandment about backups.

That’s it! With all of the above in place, in the very unlikely event that you do subsequently suffer a Ransomware incident, you will be able to recover from it.

What if it would cost me less to pay the ransom?

This is a genuine struggle for a business owner, particularly small businesses. Recovering systems from a ransomware incident takes time, which costs money, and the business may be unable to operate while recovery is ongoing, so is not generating revenue. A good business continuity plan, should reduce such risks.

If you are tempted to pay, I just have two things I want you to consider:

1. There is no guarantee that you will get your data back. Figures vary wildly from 50% to 100% failure to recover data. If you pay and don’t get your data back, you will then have to pay the full cost of recovery anyway.
2. You are funding organised crime. You are paying criminals who not only do cyber crime, but human trafficking, drugs, weapons, etc. People think I am being jokey or have my tongue in cheek when I refer to Evil Doers. I’m not. This is an accurate description of these people. They! Are! Evil!

If you pay once, then the bad guys reckon you might pay again, so you will be a bigger target. My advice to deal with Ransomware is to implement preventative measures (call me on 087-436-2675 or e-mail info@L2CyberSecurity.com to have a no obligation chat) and never pay these evil doers.

What else do you need to consider?

Don’t forget that if the data that gets scrambled contains personal data, then you have a data breach on your hands, which may be notifiable under the new Data Protection Act 2018 which incorporates the General Data Protection Regulation (GDPR). I’ve a short video here:

Finally, if you do suffer a Ransomware incident, a crime has been committed, so please report it to local Law Enforcement. They may not be able to do much about it, but it needs to be reported for statistical purposes if nothing else. If it can be shown that Cyber crime is as big a problem, as I know it to be, then the more reports to Law Enforcement will mean they will get more resources to be able to tackle it’s root cause.

#LetsBeCarefulOutThere and #StaySafe

#SecuritySimplified #GDPR

The post How to deal with Ransomware. appeared first on L2 Cyber Security Solutions.

Basically the evil doers implanted malicious software on the Point of Sale (POS) terminals in the upmarket stores in the USA. For nearly a year (between May 2017 to March 2018) this malware was capturing customers credit/debit card details and passing this back to the bad guys. The crooks claimed to have gathered up to 5 million cards as a result of this hack and they have been selling off batches of them on the internet.

We are quite familiar with Chip & PIN usage in Ireland as we have had it for quite some time. This does offer a great deal of protection as your card information is stored in an encrypted form on the chip. However in the US, they are only at the early stages of rolling out Chip & PIN, so most people are still swiping their cards at the terminals. The magnetic stripes that are swiped do not have the data encrypted, and so the information can be accessed and passed on quite easily.

It’s not been revealed how the malicious software got onto their POS terminals, but it seems that the POS was compromised at all of their bricks and mortar stores in the US. Their online store was not affected.

Credit Card issuers are usually fairly good at detecting fraud by knowing their customers usual buying habits. So if somebody who usually spends €20-€50 on shopping items, suddenly attempts to buy high-end phones, tablets or televisions this should trigger an alert. However for the customers of Saks or Lord & Taylor, such behaviour is much less likely to trigger an alert. So the crooks might be able to make away with a lot of goodies as a result.

The parent group, HBC, needs to put in place better segmentation and monitoring on their network, so if one store gets compromised, the malicious software cannot find it’s way easily to another store. They should also apply Commandments 1 (automatic updates), 2 (anti-virus), 3 (firewall) and 9 (control use of USB sticks) to their POS network.

The post Posh POS was Compromised appeared first on L2 Cyber Security Solutions.

I’m not going to go into any technical detail on these vulnerabilities. If you want to read the technical side you can go to the team that discovered the problems, Google’s Project Zero. There is some less technical information available on a dedicated webpage for the vulnerabilities. I’ve put in some easy to read background on this in the discussion section below.

What do you need to do about Meltdown NOW:

First of all DON’T PANIC. This is not the end-of-the-world. The situation is serious, but there are currently no active exploits out there. So keep a cool head and this can be managed successfully.

Original Text posted 4th January 2018 @ 16:30 GMT

Update 30th January 2018 @ 10:00 GMT:

Steve Gibson, a renowned security expert has created an excellent free little tool, called InSpectre for helping people to understand if they are protected or not from the two vulnerabilities. It has other useful advice there too. I would suggest you download it and run it against your Desktop/Laptop and see what your exposure is. Link to the download page is here.

https://www.grc.com/inspectre.htm

End-of-Update 2018/01/30-10:00

Update 8th January 2018 @ 10:00 GMT:

• It has been reported that the Microsoft patches are causing problems for people using some AMD processor chips. It stops the machine from booting properly and seems to require Windows to be re-installed. If you have a PC with an AMD processor, it might be advisable to turn off Windows Update temporarily until this issue is fixed.
• Qualcomm is another chip manufacturer, who make processors for mobile devices (e.g. – the Snapdragon processor that is used by many Android phones). They have now confirmed that their chips are also affected by these vulnerabilities.

End-of-Update 2018/01/08-10:00

Update 5th January 2018 @ 21:45 GMT:

• Intel have advised that they are rolling out software and firmware patches to address the exploits as best possible. They expect to have 90% of the chips that were made in the last 5 years updated by the end of next week. They don’t seem to be talking about anything older than 5 years, so this might be a concern for people with older equipment.

End-of-Update 2018/01/05-21:45

Update 5th January 2018 @ 11:00 GMT:

• What I didn’t mention yesterday was there are reports that fixing these vulnerabilities will cause the processor performance to degrade. While there will be some level of degradation, in typical workloads it shouldn’t be too noticeable. I won’t quote a percentage degree of slowdown as has been reported elsewhere, as it is purely speculation.
• Operating Systems:
  • Microsoft have pushed out their patch for this to all platforms. As mentioned earlier some Anti-Virus vendors need to make changes before the patch can apply correctly. Keep an eye on this google doc for the current situation with the various anti-virus packages. Be sure to test the patch where possible before widespread deployment, in case there are any issues.
  • Apple Macs – MacOS patches are available.
  • Linux – patches are available.
• Browsers:
  • Firefox – be on version 57 (currently available).
  • Chrome won’t be releasing version 64 for a few weeks, but Google advise people to enable an experimental feature called “Site Isolation” that can offer some protection against the web-based exploits but might also cause performance problems. Do the following:
    • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
    • Look for Strict Site Isolation, then click the box labelled Enable.
    • Once done, hit Relaunch Now to relaunch your Chrome browser.
  • Internet Explorer/Edge will be updated with today’s patches from Microsoft
• Mobile and Smart Devices:
  • The big change since the original post is that iPhones and iPads have been declared as vulnerable by Apple. Expect updates in the coming days for iOS devices.
  • Google branded Android phones/tablets will get the January 2018 patches in the next few days. Non-Google branded phones will only get updates at the discretion of the manufacturer. So please watch out for these.
  • If you have any other devices (smart fridge/kettle/thermostat/toaster, CCTV cameras, digital assistants), be sure to check their interface to see if updates come available for them.
• Virtualisation Software:
  • VMWare have issued guidance on their affected products.
  • Citrix don’t believe they are directly affected, but have guidance for their customers as other software running on their platform may be impacted.
• Cloud platforms:
  • Google Cloud platform has detailed advice for their clients.
  • Microsoft’s Azure platform also has information for their customers.
  • Amazon also has a detailed statement for their clients.
  • If you use some other Cloud Platform, please contact them to find out what their plans are to address these vulnerabilities.

End-of-Update 2018/01/05-11:00

I hate to say it, but you need to patch and patch everything as soon as you can. Warning: Make sure patches/fixes come from their usual sources and not by somebody sending you an e-mail with the patch. That won’t end well for you.

• Microsoft are issuing their monthly Patch bundle today (4th January) to address Meltdown. Install it as soon as it comes available on your PCs and schedule an emergency patch for your servers ASAP. Warning: There have been reports that some Anti-Virus software may not play nicely with the Windows fixes and cause your machine to crash badly. Check this google doc for the current situation with the various anti-virus packages.
• Firefox users make sure you are running version 57 (click the three horizontal lines and go to Help->About Firefox).
• Chrome users need to wait for version 64 which is coming (click the three vertical dots and go to Help->About Google Chrome).
• Apple Macs already have the patches out there, so make sure you are up-to-date.
• If you have Linux anywhere, patches are available so update it ASAP.
• Hopefully Android phones/tablets will get updates, so please watch out for them.
• iPhones/iPads are currently safe from this issue.
• If you have any other devices (smart fridge/kettle/thermostat/toaster, CCTV cameras, digital assistants), be sure to check their interface to see if updates come available for them.

I would not be at all surprised if there will be multiple patches emanating from Microsoft over the next week or two in respect to this.

I use services in the cloud, am I affected?

Absolutely. However reports are that Amazon and Microsoft are busy working away patching their infrastructure. There are a LOT of other other cloud services out there, so please check with them to see if you are in anyway exposed to these bugs.

Discussion:

When I check Twitter each morning, I normally see about 10 or 20 tweets from overnight. This morning it was hundreds of tweets. The cyber security world has gone into overdrive in the last 24 hours. I was seeing rumours of an Intel processor vulnerability circulating yesterday and then the disclosure broke overnight. It seems that they were trying to hold off until next week, in order for more work to be done on issuing fixes, but it was leaked. So now there is the scramble to get the fixes out there as fast as possible.

The Meltdown bug is poorly named, as it is not going to “melt” anything (ignore the picture I’ve used for this post I just liked the look of it ?). What it does is it breaches protections between the operating system (e.g. Windows) and Applications that are in use (e.g. Excel, Sage, etc.). The bug enables a malicious program to get at parts of the computer memory that stores sensitive information, such as passwords. Once it has this information it could send it to the bad guys. This vulnerability is relatively easy to exploit and proof of concept exploits have shown up in the wild.

The Spectre bug is not as easy to exploit as Meltdown, but it is also not as easily fixed. It works by breaking the isolation between different applications, which enables an attacker to fool normal computer programs into revealing sensitive data that they have in memory. The current discussion on this indicates that to truly protect against Spectre, hardware may need to be replaced.

We’re in for an interesting start to 2018!!! ???

The post Meltdown and Spectre appeared first on L2 Cyber Security Solutions.

Here is the offending dodgy e-mail:

To me, there are a number of obvious indicators that this is a dodgy e-mail:

1. The sending address (the bit after “UPS View”) was not a UPS address.
2. The two links in the e-mail did not go to a UPS website.
3. Most obviously … I wasn’t expecting a delivery!

So lets take them one at a time:

• Some e-mail clients don’t actually show you the whole e-mail address of the sender. They just show the Display Name, which in this case is “UPS View”. So if you were using such a client, then it would appear to be a legitimate UPS e-mail address. However in my case, there was this @aol.com e-mail address, which is not associated with UPS.
• When you see a link in an e-mail or website, you can hover the mouse over it. Somewhere towards the bottom of your browser window, you should be able to see where the link is going to take you. In this e-mail’s case it was going here, which is not a UPS site:

• In my case I wasn’t expecting any delivery. But what if I was? What if I was an under pressure procurement clerk in a large organisation? I’d be getting deliveries on a regular basis. I’d be very inclined to click on those links.

Please note I carried out the following action on a sacrificial machine, so please do not be tempted to ever click on links to see what happens next. It could end very badly for you.

So what would have happened if I did click on the link? A word document, with a name that started “Tracking-3154631…” was downloaded. This document, if opened, would persuade me to click on “Enable Editing” and then click on “Enable Content”. Once I had taken those actions, macros (a set of instructions for a computer) in the word document would have downloaded a really nasty piece of software. Then all of my files would have been scrambled and I would be presented with a ransom demand to get my data back.

If I was that under pressure procurement clerk, it would not have stopped at just the files on my computer, but any files that I could access on the company’s network. That could be very, very disruptive to the organisation.

Out of curiosity, I checked the website (the bit before the “/UPS/16-Nov….”) that hosted that document. It appears to be a legitimate business website. However, they’ve probably been hacked by the bad guys, who are now using their site to host their malicious downloads.

UPS offer advice on fraudulent e-mails.

As usual, we’ve even got a commandment that covers dodgy e-mails too. So have a read to see what you can do to protect yourself.

The post Dodgy e-mail that looks legit. appeared first on L2 Cyber Security Solutions.

Actually Avast was not the company that had been breached. It was a company called Piriform, who were the original creators of CCleaner. Avast bought Piriform in July 2017, but Piriform were already compromised at that time. I’ll take you through the timeline, explain what a backdoor is and what you should do if you were affected.

Update – 21st September 2017:

Cisco have been continuing to analyse what went on and have discovered that this backdoor may have been used to target specifically named Corporations, namely Intel, Microsoft, Samsung, Sony, HTC, VMWare, Linksys, Cisco, Vodafone and more. They analysed the controlling server which law enforcement shut down and found that at least 20 machines had some malicious software downloaded to them (what they refer to as “Stage 2 Payloads”). This number could possibly rise, as this is an active investigation.

While this appears to be a targeted attack, I would still urge extreme caution. If you used the compromised version of CCleaner, please do follow the suggestions below, which will mitigate any risk of compromise.

The remainder of this article below remains as originally posted.

Timeline of events:

• First week in July: It would seem this was when hackers compromised Piriform’s development systems.
• July 18: Avast buys Piriform, the company that created CCleaner.
• August 15: CCleaner version 5.33 is released. The CCleaner 5.33.6162 installer includes the backdoor, but this only works on 32-bit systems.
• August 24: CCleaner Cloud version 1.07.3191 is released and this also includes the backdoor.
• September 12: A company called Morphisec had detected some unusual activity around CCleaner 5.33 and so they notified Avast and also Cisco. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
• September 14: Cisco tells Avast what it has found and also around the same time they had taken some steps to prevent the backdoor from being effective.
• September 15: Following a collaboration between Avast and law enforcement, the evil doers server that controlled the backdoor was shut down. Avast releases a clean version of CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the backdoor.
• September 18: The incident comes to public attention, following Avast, Cisco and Morphisec reports.

A backdoor might not sound dangerous, but it is:

What happened in this case was the bad guys managed to gain access to Piriform’s software development systems and they implanted computer code that created a backdoor in CCleaner. This went undetected and so the compromised version of CCleaner, version 5.33 was released. People would have downloaded this, or updated to it, as paid versions of CCleaner have an automatic update feature.

So the backdoor in this case, effectively meant that version of CCleaner would have occasionally made contact with servers on the internet controlled by the bad guys and look for for new instructions. The hackers could have put any malicious code they want on these servers, and this would have almost certainly affected the victims machine, regardless of the protections that were in place (Antivirus, Firewalls, etc.). They could have loaded Ransomware onto the victim or something that would have stolen banking credentials.

What you should do if you were affected:

Avast recommend simply installing version 5.34 will remove the nasty backdoor. Cisco’s detailed write-up doesn’t offer much in the way of guidance, but their work on this pretty much hobbled the malicious software.

However, looking at the timeline, the infected software was available from 15th August and nothing was detected until 12th September. So that’s 27 days where this thing could have been doing something evil. There’s no evidence to say that anything had happened, but there’s no evidence that nothing happened. It’s possible that other malicious software has been deployed on affected machines.

I would therefore be of the view that any machine that had this software installed, is potentially still compromised. The safest course of action is to wipe the machine and reset to factory settings. I would also change any passwords for e-mail, banking, social media and other online services. Maybe even bite the bullet and give your online accounts the best protection possible. I know this is a pain in the ass, but because there is uncertainty, I wouldn’t take the risk,

I had the free version 5.32 of CCleaner installed on my personal desktop, so I don’t need to worry. I might wait for the dust to settle before I upgrade it though.

The post Draughty Backdoor in popular application. appeared first on L2 Cyber Security Solutions.

The report shows that people are clicking on e-mails with the above subjects (which could potentially be business related). However some of the other subject lines are not very “business-like” at all and people are still going into them and potentially bringing things like Ransomware into their employers networks.

1. 21% Security Alert
2. 14% Revised Vacation & Sick Time Policy
3. 10% UPS Label Delivery 1ZBE312TNY00015011
4. 10% BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO
5. 10% A Delivery Attempt was made
6. 9%  All Employees: Update your Healthcare Info
7. 8%  Change of Password Required Immediately
8. 7%  Password Check Required Immediately
9. 6%  Unusual sign-in activity
10. 6%  Urgent Action Required

Clearly #4 above is not in anyway a business related e-mail (unless you are a United Airlines employee, obviously ?). However #3 and #5 could also be unrelated to your company’s day-to-day business.

The e-mails in the research actually made it passed any spam or malware filters that the surveyed organisations had in place, showing that technology cannot be completely relied upon to give 100% protection against the many evils on the internet. Your staff will be your last line of defence.

Of course you could avail of our Internet Security Awareness and Safety Training. This will show your staff what to watch out for and how to handle such dodgy e-mails. It will also give them a very comprehensive insight into what threats are out there and how they can prevent downtime in your business

If you don’t want to go down that road, then at least have a read of Commandment 5 of our very own Top 10 – The Ten Commandments of Cyber Security, which will give you plenty to think about in respect to handling e-mail with any type of phishing subject lines.

The post Phishing subject lines – Top 10. appeared first on L2 Cyber Security Solutions.

They have been publicly posting on their website the current status of the various systems that were impacted. One of the biggest systems hit was their customer service phone lines. This would have been their main route for communication with their clients and being able to deal with specific queries that concerned customers would have for them. However the Ransomware took that offline and so, the Maersk teams went to work to start recovering their systems.

They obviously followed a Disaster Recovery Plan, as they mention on 6th July that their business-critical systems were up and running which allowed them to take on new business. But they also admit that there are backlogs for existing business. They also show on July 8th that they have been able to respond to 70% of the customer service e-mail backlog. For a business of their size, this would have been a significant number of e-mails to have responded to in a period of great stress for their teams. On the 10th July they admit that there were problems with getting their rate sheets out in a timely manner and advise of further delays to get it sorted out again.

This communication, warts and all, was out there in the public domain,  in great detail, for everyone to see and it is refreshing and reassuring that they take customer service so seriously.

There were other businesses widely affected by Petya/NotPetya. DLA Piper, the large global law firm issued 3 public notifications on their website, on the day of the attack, the following Monday and then last Monday. However the communication in their case was more to do with Public Relations than customer service. “Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems.” and “We continue to see no evidence that client data was taken or that there was a breach of the confidentiality of that data.” These are boiler plate statements, which you expect to hear, but don’t provide anything meaningful to understand what the current actual status is.

Mondelez, the food giant, who were also affected by Petya/NotPetya published a single post on their website, over a week after the incident, and it’s main focus was the impact the disruption would have on their revenue “Our preliminary estimate of the revenue impact of this event is a negative 300 basis points on our second quarter growth rate.” There was some other boiler plate platitudes in the post, but this has got to be the worst communication of the three organisations.

Still, it’s better than no communications.

Bottom line:

1. make sure you have a Business Continuity Plan (BCP) in place that is regularly reviewed
2. make sure it’s backed by a tried and tested IT Disaster Recovery Plan (ITDRP)
3. and for the love of dogs, make sure that communicating clearly and honestly with your customers is built in to the plan. It will make for happier customers if you do it right.

The post Communication is vital after a disaster. appeared first on L2 Cyber Security Solutions.

Essentially this is where the bad guys have a web page at an address that is very very very close to the spelling of a popular or well known webpage and they count on you having a typo and either missing a letter (e.g. instgram.com) or hitting an adjoining letter (e.g. facebooo.com) in error.

Don’t try this on your desktop/laptop/tablet/phone. I have a separate, sacrificial machine which I can use for such things.

I tried to access www.instgram.com (missing the “a” in the middle) and received the following page:

Notice the address where it is going to (circled in yellow) – that is not an Instagram address, but some sort of ad/advertising address.

When I clicked to continue, I got:

I didn’t continue any further, as I googled gr8musik.com and the results indicated it was a scam site, which if you registered with it, would take money from your credit card, even though you were supposed to be in some kind of a free trial period.

Similarly, I tried www.facebooo.com (an “o” instead of the “k”) and got the following:

This was just some kind of survey. But you never know what you will get. A subsequent attempt to go to www.instgram.com brought me to the survey, followed by the survey (again), followed by a sign-up form for mcplayz.com (identical to the above gr8musik.com). So these crooks are randomly sending you to different pages trying to compromise you in someway.

According to this post, the victim’s typo sent him to a “Technical Support” page, where he was advised that his PC was locked and he needed to telephone for support. If he did this, the scammers at the other end of the line would have talked him through giving them remote access to the PC and then they would have totally locked him out and looked for his credit card details to “fix” the problem.

Some pages reached by a typo try to apparently show you a video, but then indicates there is a problem and that you need to download a specific video player to watch it. For example, the following headline is tempting you to watch the video to get your hands on software worth $7,000.

These will typically download what is referred to as adware, and if you read our last week’s post about the Fireball adware, you can see  how insidious that adware can be. Adware will take control of your browser and fire ads at you while you are trying to use the internet. It might also re-direct your searches to odd search engines, which will likely attempt to track you and violate your personal privacy on the internet.

So just be careful when typing addresses. Better still use bookmarks.

If you do inadvertently get taken to some page that you never intended to go to, just close the browser immediately by way of the X in the top right-hand corner of the window. You might get warnings about losing data, just ignore them and close that browser. It would do no harm to run a spyware check on your PC at this point, in case any adware did manage to sneak in without your knowledge or permission. There are free tools from Malwarebytes or Safer Networking that can do this for you, but you might want to also talk to some real life technical support (a techy friend or the IT team in your place of employment) about it and have them give your PC a once over.

Whatever you do, don’t continue to engage with a website that you weren’t intending to visit and stay safe.

The post How a typo can cause you problems. appeared first on L2 Cyber Security Solutions.

Not only has it not carried out anything of note … yet … it has mainly been spread around India, Brazil, Mexico and Indonesia, which account for ~33% of the total infections. The US has about 5.5 million infected machines or 2.2% of the total. Fireball is an Adware product of a Chinese Digital Marketing agency called Rafotech. This has been discovered by security researchers at Check Point.

So how has it spread so widely and quietly?

Lets answer that by saying what it is first. It’s what is known as a browser high-jacker. It takes control of your browser (Chrome, Firefox, Safari, Internet Explorer or Edge) and directs any searches you make on the internet to go through Rafotech search engines rather than Google or Yahoo. They use other tracking technology (tracking pixels) to capture personal data about you. All of this generates advertising revenue for Rafotech as Fireball controls where your browser goes.

How it has spread was by being bundled with other software, which people have downloaded and installed. Fireball was included and installed without permission on the victim’s computer. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

What this means is that, at this time it is nothing more than a sneaky spy that is watching what you are browsing and re-directing your searches to it’s own search engines so it can generate advertising revenue for Rafotech. It could very easily be weaponised and have much more destructive malware execute without your permission on your machine.

How do I know if I’m infected?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions? If the answer to any of these questions is “NO”, this is a sign that you’re infected with some type of adware.

How do I clean it up?

1. To remove almost any adware:

Follow these simple steps on Windows:

1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

For Mac OS users:

1. Use the Finder to locate the Applications
2. Drag the suspicious file to the Trash.
3. Empty the Trash.

Note – A usable program is not always installed on the machine and therefore may not be found on the program list.

2. Scan and clean your machine, using:

• Anti-Malware software
• Adware cleaner software

3. Remove malicious Add-ons, extensions or plug-ins from your browser:

On Google Chrome:
a. Click the Chrome menu icon and select Tools > Extensions.
b. Locate and select any suspicious Add-ons.
c. Click the trash can icon to delete.

On Internet Explorer:
a. Click the Setting icon and select Manage Add-ons.
b. Locate and remove any malicious Add-ons.

On Mozilla Firefox:
a. Click the Firefox menu icon and go to the Tools tab.
b. Select Add-ons > Extensions.
    A new window opens.
c. Remove any suspicious Add-ons.
d. Go to the Add-ons manager > Plugins.
e. Locate and disable any malicious plugins.

On Safari:
a. Make sure the browser is active.
b. Click the Safari tab and select preferences.
    A new window opens.
c. Select the Extensions tab.
d. Locate and uninstall any suspicious extensions.

4. Restore your internet browser to its default settings:

On Google Chrome:
a. Click the Chrome menu icon, and select Settings.
b. In the On startup section, click Set Pages.
c. Delete the malicious pages from the Startup pages list.
d. Find the Show Home button option and select Change.
e. In the Open this page field, delete the malicious search engine page.
f. In the Search section, select Manage search engines.
g. Select the malicious search engine page and remove from the list.

On Internet Explorer:
a. Select the Tools tab and then select Internet Options.
    A new window opens.
b. In the Advanced tab, select Reset.
c. Check the Delete personal settings box.
d. Click the Reset button.

On Mozilla Firefox:
a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
b. Click the Help tab, and go to Troubleshooting information.
    A new window opens.
c. Select Reset Firefox.

On Safari:
a. Select the Safari tab and then select Preferences.
    A new window opens.
b. In the Privacy tab, the Manage Website Data… button.
    A new window opens.
c. Click the Remove All button.

The post Fireball – 1,000 times bigger than Wannacry. appeared first on L2 Cyber Security Solutions.

According to this, the concept of using malicious subtitle files to compromise a machine goes back to the early 2000’s. However that was not a very widespread phenomenon back in the day.

In this modern era, where every home probably has multiple media players, this could become a very serious problem, because you might not have the media player set to automatically update. In fact in some cases there is no automatic update facility available, only a message to suggest you update the software manually. This is the case with VLC and Kodi for Windows. As we say in our First Commandment, you should always keep your software up-to-date with patches and new versions.

You might ask what kind of impact could a malicious subtitle file really have. The researchers at Check Point posted their research into this attack vector and the following is what they said could happen:

By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

So, yes it is pretty serious alright. The researchers also discovered that it is possible to manipulate sites that host subtitles in order to make a malicious subtitle file more “popular” so the sick subtitles would be more likely to be chosen and loaded by the media player when the video is being played.

They have also provided a video to show, as a proof of concept, how easy it is to take control of the victim’s computer by way of malicious subtitles.

I realised after reading this story that I still have Kodi installed on my home PC, though I have not used it in a couple of years (as I use Plex to watch my media now). It was running version 14.1 whereas the current version is 17.3. So I’ve uninstalled it altogether now and also verified that my Plex installation is fully updated, as well as any installs of VLC. I gotta practice what I preach. 

The post Sick subtitles can infect your media player appeared first on L2 Cyber Security Solutions.