
Security firm Kaspersky reveals malware, widely attributed to the U.S. National Security Agency (NSA), hidden in hard drive firmware around the world. Read the summary here.

Kaspersky exposes NSA-linked malware hidden in hard drive firmware worldwide

Deep-rooted malware, widely attributed to the NSA and designed to spy on computer activity, has been found in the firmware of hard drives across the globe, and has reportedly been in use for over a decade. The NSA is responsible for gathering electronic intelligence on behalf of the U.S. government.

Drives from most major brands, including Seagate, Toshiba, Western Digital and many others, have had their firmware reprogrammed with the implant, according to security software giant Kaspersky. The malware was not built in at the factory: the attackers reflashed the firmware of drives inside machines they had already compromised.

Infections have been found in as many as 30 countries. Prime targets have been military and government bodies, banks, energy companies, telecommunication firms and many others.

Most of the targets are in countries such as Afghanistan, Algeria, China, Mali, Mexico, Pakistan, Russia, Syria and Yemen; however, infections have also been picked up in western countries such as the UK and parts of Europe.

Kaspersky has branded the party behind all of this “the Equation Group”. According to Kaspersky, the group gained access to the source code of the various drives’ firmware and cracked complex encryption algorithms, and it used these capabilities to infect and access a small number of very specific targets.

Kaspersky has not named the organisation responsible for the spying operations, but the toolkit is believed to be closely related to Stuxnet, which has been attributed to the NSA. Stuxnet was a campaign designed to attack Iran’s uranium enrichment facility.

The factors behind the malware’s success

  • The malware, delivered as a DLL module inside the larger spying toolkit, reprograms the hard drive’s firmware. The implant survives reformatting and disk wipes and is used to reinfect the host.
  • This is what impressed Kaspersky Labs: the drive itself, rather than any file stored on it, is able to reinfect the PC. They described it as “ground-breaking technology”.
  • Firmware is the software that allows the hardware to run. When a computer is switched on it relies on the firmware to talk to the hard drives and other system hardware, so the firmware runs before the operating system and below anything the operating system or antivirus software can inspect.
  • Because the firmware is needed to use the hard drive at all, a clean operating system installed on an infected drive is reinfected from the drive itself.
  • According to Kaspersky, the reprogramming module supported drives from most major manufacturers, so it could work on almost any hard disk on the market.
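One check a practitioner can at least run is a firmware inventory: record what each drive reports at build time and flag any later change. The script below is an added example, not code from the original article or from Kaspersky’s report. It parses the text that `smartctl -i /dev/sdX` prints; the two sample outputs and the baseline are constructed for the example, not captured from a real host.

```python
"""Drive firmware inventory check: compare what each drive reports against a
recorded baseline and flag anything that changed.

Added example; the smartctl output below is constructed, not captured."""
import re

# Constructed sample of `smartctl -i` output for two drives on one host.
SAMPLE_SMARTCTL = {
    "/dev/sda": """\
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST1000DM003-1CH162
Serial Number:    Z1D3EXAMPLE
Firmware Version: CC47
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "/dev/sdb": """\
=== START OF INFORMATION SECTION ===
Device Model:     WDC WD10EZEX-00BN5A0
Serial Number:    WD-WCC3EXAMPLE
Firmware Version: 01.01A01
""",
}

# Baseline recorded when the machine was built (constructed for this example).
BASELINE = {
    "/dev/sda": {"model": "ST1000DM003-1CH162", "serial": "Z1D3EXAMPLE", "firmware": "CC47"},
    "/dev/sdb": {"model": "WDC WD10EZEX-00BN5A0", "serial": "WD-WCC3EXAMPLE", "firmware": "01.01A01"},
}

FIELDS = {
    "model": re.compile(r"^Device Model:\s+(.+?)\s*$", re.M),
    "serial": re.compile(r"^Serial Number:\s+(.+?)\s*$", re.M),
    "firmware": re.compile(r"^Firmware Version:\s+(.+?)\s*$", re.M),
}


def parse_smartctl_info(text):
    """Extract model, serial and firmware version from `smartctl -i` output."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1) if m else None
    return out


def check_drives(outputs, baseline):
    """Return a list of (device, field, expected, observed) mismatches.

    A device that is not in the baseline is reported with field
    'unknown-device' and its serial number as the observed value."""
    findings = []
    for dev, text in outputs.items():
        observed = parse_smartctl_info(text)
        expected = baseline.get(dev)
        if expected is None:
            findings.append((dev, "unknown-device", None, observed.get("serial")))
            continue
        for field in ("model", "serial", "firmware"):
            if observed[field] != expected[field]:
                findings.append((dev, field, expected[field], observed[field]))
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SMARTCTL with the output of
    # `smartctl -i` for each drive (assumed to be installed and run as root).
    for finding in check_drives(SAMPLE_SMARTCTL, BASELINE):
        print("MISMATCH", finding)
```

The caveat matters more than the script: the implant controls what the drive reports, so a careful implant will return the original firmware version string and pass this check. A version-drift check catches careless modifications and unexpected drive swaps, not a well-built firmware implant; real assurance needs vendor-signed firmware that the drive refuses to replace, or physical extraction of the flash.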

How did it get there in the first place?


It begs the question of how such malware could have been written into the firmware of so many hard drives from so many manufacturers in the first place.
According to Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, the makers of the spyware must have had access to the actual source code of each drive family they infected. Source code reveals the structure of the firmware, and in the hands of a third-party programmer it allows vulnerabilities to be identified and used to hide malware within it.

Raiu added that there is little chance of anyone rewriting hard drive firmware using public information alone.

Most hard drive companies would not officially disclose whether they have allowed NSA officials to access their source code. However, spokesmen for Western Digital, Seagate and Micron have stated that they have not allowed their source code to be tampered with and that they take security very seriously.

Despite this, it is still possible that undercover NSA coders were employed by a hard drive manufacturer over a decade ago, or posed as software developers, in order to acquire the source code. It is also possible that hard disk code evaluations were requested on behalf of the Pentagon. All are theories of how social engineering could have been part of “the equation”.

This has made many corporate giants, such as Google and other US firms, rethink who attacked them back in 2009; that attack was originally pinned on China.

According to reports from investigators, there is evidence of hackers having obtained source code from various large American technology and defense corporations.

For more ways to secure your data and systems, contact your local IT professionals.


Learn how USB thumb drives can potentially destroy laptops and PCs. We’ll explain how this works and what measures can be taken to protect your computers.

If you find an unknown flash drive somewhere, we strongly advise against plugging it into a computer, especially one that is used for work. The risk is high: not only may the drive carry malware, but a newer type of attack can physically damage your systems. We have recently learned of USB thumb drives that are capable of frying a computer or laptop.

How does it work?

Think of a computer’s ports as physical access points for an attack.


  • An attacker modifies or builds a USB thumb drive containing an inverting DC-DC converter that draws power from the USB port.
  • The converter uses that power to charge a capacitor bank to about -110 V DC.
  • Once the capacitors are charged, the converter shuts down.
  • A transistor then switches the stored charge onto the port’s data pins.
  • The cycle repeats every time the capacitors recharge, discharging the high voltage through the port again and again.
  • As long as the port supplies bus power, the attack keeps running and overwhelms the small TVS (transient voltage suppression) diodes that protect the computer’s bus lines; these are designed to absorb brief static discharges, not repeated pulses of this size.
  • Inevitably this fries the computer’s components, possibly including the CPU.
  • With fried components, the laptop or computer is “dead”.

In normal circumstances a USB thumb drive is designed to be safe, and a computer is able to dissipate the small amounts of power involved, which cannot cause this type of damage.

An example of an attack

A thief stole a USB flash drive from a commuter on the subway. When the thief inserted the flash drive into his computer’s USB port, the least he expected was to see some data. Instead, his computer died as its internal components were fried. Although one may think the thief got his just deserts, the story illustrates a more serious problem: trusting unknown peripherals such as flash drives.

Precautionary measures

Now that we have a good overview of how a USB thumb drive can be engineered to take out a computer, let’s discuss how to prevent such an occurrence.

  • Don’t allow strangers to connect a USB thumb drive to a mission-critical computer or laptop.
  • Don’t plug in USB thumb drives found in public.
  • Only use thumb drives purchased from reliable retailers or officially provided by an IT administrator.
  • Avoid sharing thumb drives, especially ones that leave the premises and are then used again on office computers.
  • Have individuals carry their own thumb drives that are used only within the office environment.
  • Always question any thumb drive presented to your business by an unknown third party. Even if it arrives at your office’s reception desk, have an IT admin check it out first, on an isolated machine that it would not matter to lose, since an electrical attack like this cannot be detected by antivirus software.
  • Have a thumb and flash drive policy in place to cover all of the above as part of your IT security policy.

For more ways to safeguard your computers and IT infrastructure, contact your local IT professionals.

CryptoWall 3.0, a new variant of the CryptoLocker family of ransomware, is out and causing problems for many businesses. Learn how it works and how to prevent it.

Reported in late February 2015, CryptoWall 3.0 works very much like previous versions of this malware; however, its strategy for infecting systems is somewhat different.

How CryptoWall 3.0 works

  • When the infected attachment containing CryptoWall 3.0 is opened, the malicious program encrypts every file it can reach, both on the local disks and on the network drives mapped on the host.
  • Files become encrypted and unreadable.
  • Only the perpetrator holds the key needed to decrypt them.
  • Once it finishes encrypting, it demands a ransom of around US$500.
  • Payment is demanded in Bitcoin, a cryptocurrency that can be used anywhere in the world and is difficult to trace to the recipient.

Point of entry and identification

CryptoWall 3.0 employs social engineering via phishing emails. These arrive with an attachment disguised as an “incoming fax report”, and the sender address shows the same domain as the recipient’s own, creating a false sense of trust that the document is legitimate. Once the attachment is opened, CryptoWall enumerates the mapped drives on the host it infects and encrypts the contents of those drives as well as the local data.

CryptoWall 3.0 uses .chm attachments: Compiled HTML Help files, the compressed format used for user manuals within software applications. Because a .chm file contains HTML, it can be highly interactive, carrying images, a hyperlinked table of contents and so forth; it can also run JavaScript, which the attackers use to send the user to a site of their choosing as soon as the malicious .chm file is opened.
Once the file is opened, the attack runs its course automatically, with the script fetching and launching the ransomware.
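The two tells described above (an internal-looking sender that actually arrived from outside, and a help-file attachment) can be checked at the mail gateway before the message reaches a user. The filter below is an added example, not code from the original article or from any particular mail product. The message is constructed to mimic the lure; the internal domain, the list of internal relay hostnames and the idea of reading the topmost Received header to find the connecting host are assumptions about the deployment.

```python
"""Gateway check for the CryptoWall 3.0 lure: risky attachment type plus a
sender that claims the recipient's own domain but came from an external host.

Added example; the message, domain and relay names are constructed."""
import email
import re
from email import policy

# Extensions that should never arrive unchallenged from outside.
RISKY_EXTENSIONS = {".chm", ".exe", ".scr", ".js", ".jar", ".vbs", ".zip"}

# Constructed sample message. The topmost Received header is the one our own
# MX added, so "from <host>" there is the machine that connected to us.
SAMPLE_MESSAGE = b"""\
Received: from mail.external-relay.example (mail.external-relay.example [203.0.113.10])
\tby mx.acme.example with ESMTP; Tue, 24 Feb 2015 09:12:01 +0000
From: "Fax Service" <fax@acme.example>
To: alice@acme.example
Subject: Incoming fax report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

You have a new fax. See attached.
--XYZ
Content-Type: application/octet-stream; name="incoming_fax_report.chm"
Content-Disposition: attachment; filename="incoming_fax_report.chm"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def first_hop(msg):
    """Host named in the topmost Received header (the one our MX wrote)."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    return m.group(1).lower() if m else ""


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def analyse(raw, internal_domain, internal_relays):
    """Return {'quarantine': bool, 'reasons': [...]} for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    hop = first_hop(msg)
    came_from_outside = hop not in internal_relays
    # Internal domain in From, but the connecting host is not one of ours:
    # the sender is spoofing our own domain to look trustworthy.
    if domain_of(sender) == internal_domain and came_from_outside:
        reasons.append(f"spoofed internal sender {sender} via {hop}")

    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")

    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE, "acme.example", {"mx.acme.example", "smtp.acme.example"}))
```

Either tell on its own is enough to quarantine; the spoofed-sender rule is the more general one, since it catches the same trick with a .zip or .js attachment, and it does not depend on the lure being a fax. Publishing SPF and DMARC records for the internal domain lets the gateway reject the spoofed sender earlier, at SMTP time.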

CryptoWall: More than meets the eye


Ransomware has been evolving since the first wave of CryptoLocker attacks back in September 2013, which netted the malware writers over $27,000,000 in ransom within only a few months of the operation. Attacks are happening all over the world, with detections in Europe, the UK, the US and Australia.
The CryptoLocker and CryptoWall campaigns also use botnets, wide networks of compromised machines, to send the phishing emails. Aside from speeding up distribution of the malware, this gives the writers anonymity.

How to prevent CryptoWall 3.0

For more ways to stay protected and safeguard your network, contact your local IT professionals.


Lenovo has been caught red-handed shipping laptops with invasive adware. Read on to find out why you should be concerned.

If your office purchased Lenovo laptops during the latter part of 2014, those systems are likely affected by pre-installed adware.

If your office’s antivirus or antimalware software has been warning you about adware named “Superfish”, and your systems administrator has not been able to pinpoint where it came from, the culprit may be the laptop as shipped by Lenovo rather than anything the user installed.

In 2014, several Lenovo notebook users reported injected advertisements while doing regular internet searches. The adware was identified as “Superfish”, with the capability of injecting third-party advertisements not only into search engines like Google but into any website visited. Experts and technical enthusiasts determined that the adware was already pre-installed on the notebook at the time of purchase.

Is It a Big Issue?

Although Lenovo would claim otherwise, experts point out that this invasive software can affect both users’ privacy and security.

For internet users who are annoyed by numerous and deceptive web advertisements, this would already be a problem. Even savvy users can be deceived, because the advertisements are designed to look like part of the search results or the web page itself.

A serious security threat which can spy and steal your data

Other than the ability to bombard you with online advertisements, “Superfish” also gives an attacker the opportunity to spy on the user’s online activity and even capture personal data:

  • The adware installs its own root certificate into the laptop’s trusted root certificate store.
  • A certificate is a small signed file that tells the computer which websites, servers and software can be trusted; the browser checks each HTTPS site’s certificate against the roots in that store.
  • A root certificate is like a “master key”: every certificate it signs is trusted by the computer, so a site presenting such a certificate is accepted as genuine.
  • Superfish uses its root to issue a certificate on the fly for every HTTPS site the user visits, placing itself between the browser and the site (a man-in-the-middle) so it can read the traffic and inject its adverts. The browser shows a secure connection, even though that connection actually ends at the adware, not at the real site.

This is a window of opportunity for cyber criminals. The same root certificate and its private key were bundled with the software on every affected laptop, so anyone who extracts that key can issue a certificate for any site that these laptops will accept as genuine. On a network the attacker controls, such as public Wi-Fi, that allows them to spy on their targets or present a fake login page that tricks the user into giving out usernames and passwords. Because the root is trusted for all purposes, there is also a risk that malware signed with it could pass as legitimate software.
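The practical check is to look at who issued the certificate the browser was shown: on a clean machine it is a public certificate authority, on an affected laptop it is Superfish, whatever site you visit. The script below is an added example, not code from the original article or from Valsorda’s online test. It works on the dictionary layout that Python’s `ssl.SSLSocket.getpeercert()` returns, matching on the organization name of the issuer (“Superfish, Inc.” on the Superfish root). The two sample certificates are constructed stand-ins; the live check in `fetch_leaf_cert` assumes network access and a Python whose default trust store is the Windows store, which is the case for the standard Windows build.

```python
"""Detect TLS interception by a locally installed root such as Superfish by
inspecting the issuer of the certificate the client is actually shown.

Added example; the two sample certificates below are constructed."""
import socket
import ssl

# Organization names that indicate a local interception root. Add your own
# corporate proxy's root here if interception is expected on your network.
INTERCEPT_ISSUERS = {"Superfish, Inc."}


def rdn_value(name_tuple, attr):
    """Look up one attribute in the RDN tuple layout used by getpeercert()."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def interception_finding(leaf_cert):
    """Return a description if the leaf was issued by an interception root, else None."""
    issuer = leaf_cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    cn = rdn_value(issuer, "commonName")
    if org in INTERCEPT_ISSUERS or cn in INTERCEPT_ISSUERS:
        return f"certificate issued by local interception root: {org or cn}"
    return None


def fetch_leaf_cert(host, port=443):
    """Connect with the system trust store and return the leaf certificate dict.

    On an affected laptop the handshake succeeds (the Superfish root is
    trusted) and the returned issuer is Superfish rather than a public CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed stand-in for what an affected laptop sees for any HTTPS site.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

# Constructed stand-in for a normal certificate from a public CA.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA Issuing 1"),),
    ),
}


if __name__ == "__main__":
    for label, cert in (("intercepted", INTERCEPTED_CERT), ("normal", NORMAL_CERT)):
        print(label, "->", interception_finding(cert))
    # Live check (network required): print(interception_finding(fetch_leaf_cert("www.example.com")))
```

Matching on the issuer name is enough for Superfish because the interception root signs every leaf directly. A more robust version would compare the leaf against the SHA-256 fingerprint you expect for a site you control, which catches any interception root, named or not.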

Lenovo’s Response


Lenovo has since confirmed selling units pre-installed with the adware and shipping them worldwide. According to Lenovo, only units produced between September and December 2014 were affected. Lenovo also defended the inclusion of “Superfish”, stating that the goal was to improve the user experience when shopping online and that the software does not monitor user activity.

As of January 2015, Lenovo has stopped shipping the adware on its products and has promised not to do so in the future. It has also disabled “Superfish” and its server interactions for the affected units. That stops the ad injection, but it does not remove the root certificate from the laptop: until the certificate is deleted from the trusted root store, the machine remains exposed.

Check if you are affected by Superfish


Filippo Valsorda has set up a quick online test to see whether your computer and browser are affected. The test can be run from his website.

For more ways to stay protected, contact your local IT professionals.


Most systems today still need to run Java occasionally. With Java 7’s end of life approaching, learn why it’s important to migrate to Java 8 to stay protected.

Oracle has supported Java SE 7 since its release in 2011; however, with development now focused on the latest version and the current and future technologies it supports, Java 7 has reached its end of life.

As of April 2015, Oracle will cease to provide public updates for Java 7, and will also stop offering downloads of this version from its websites.

The good news is that customers with a support contract are entitled to continued security fixes and critical bug fixes, including long-term maintenance for Java 7 and older versions, from Oracle’s Java SE Support team. For everyone else, the only route to further security fixes is to migrate to the latest version.

Since its January 2015 update, Oracle has also included an auto-update feature that migrates systems from Java 7 to Java 8.

Why migrate to Java 8?

Java 7 security updates will no longer be published publicly, leaving any system still running this version exposed to every vulnerability found from now on. We strongly advise all users to switch to Java 8 for continued updates and to close off known vulnerabilities. Since disclosed vulnerabilities quickly turn into working exploits, it is important to keep Java current on any computer that browses the internet, because the browser plugin exposes Java to every website visited.

Java exists to help applications and websites run correctly, which is fine, but depending on this component brings risk. With unpatched or outdated versions of Java, attackers can exploit its vulnerabilities through the web browser to serve up malware.

Failing to keep Java updated simply invites attackers to exploit your web browser and computer.
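Before updating, it helps to know which machines are still on Java 7. The script below is an added example, not code from the original article or from Oracle. It parses the first line that `java -version` prints (to standard error) and lists the hosts below a minimum version. The four sample outputs are constructed; collecting real ones over SSH or a management agent is assumed and not shown.

```python
"""Inventory check: parse `java -version` output and flag hosts still on
Java SE 7 or older, which no longer receive public security updates.

Added example; the host names and outputs below are constructed."""
import re

# Constructed samples of what `java -version 2>&1` prints on four hosts.
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.7.0_75"\nJava(TM) SE Runtime Environment (build 1.7.0_75-b13)\n',
    "ws-02": 'java version "1.8.0_40"\nJava(TM) SE Runtime Environment (build 1.8.0_40-b25)\n',
    "ws-03": 'java version "1.6.0_45"\n',
    "ws-04": "bash: java: command not found\n",
}

# Matches both the old "1.7.0_75" form and the post-Java-9 "11.0.2" / "9" forms.
VERSION_RX = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None if absent.

    Versions before Java 9 are reported as 1.<major>.0_<update>, so
    "1.7.0_75" means Java 7 update 75 and becomes (7, 75)."""
    m = VERSION_RX.search(text)
    if not m:
        return None
    first, second, _third, update = m.groups()
    major = int(second) if first == "1" and second is not None else int(first)
    return (major, int(update or 0))


def hosts_needing_upgrade(outputs, min_version=(8, 0)):
    """Map host -> (major, update) for every host below min_version.

    Hosts with no Java installed are skipped; they have nothing to patch."""
    stale = {}
    for host, text in outputs.items():
        version = parse_java_version(text)
        if version is not None and version < min_version:
            stale[host] = version
    return stale


if __name__ == "__main__":
    for host, (major, update) in sorted(hosts_needing_upgrade(SAMPLE_OUTPUTS).items()):
        print(f"{host}: Java {major} update {update} needs upgrading")
```

One caveat: this reports only the Java on the PATH. Windows machines in particular often carry several JREs side by side, and an old one can still be registered as the browser plugin, so a full inventory should also enumerate installed Java products, not just `java -version`.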

How to update Java and stay protected

Ophtek managed services clients are updated automatically. Follow these steps to update Java manually.

More detailed steps on how to install Java updates are also available. Although the Java version shown in that tutorial is older, the method to install and update is still the same.

It is worth spending a few minutes updating Java on your systems to protect them from attacks that target old versions.

For more ways to protect your office data, contact your local IT professionals.
