Merry Christmas Ransomware

Nine days after Christmas, a new ransomware named “Merry Christmas” was discovered operating in the wild, and a later variant was found to deliver the DiamondFox malware as a secondary infection. DiamondFox is a modular malware whose components recruit bots for distributed denial-of-service attacks, steal credit card data from POS systems, pilfer browser passwords, open remote desktop connections and more.

The malware generates its ransom note as a file named “YOUR FILES ARE DEAD.hta” and drops it in every folder in which documents are encrypted. The note contains instructions directing victims to contact the criminals through Telegram or email. The ransomware also communicates with its command-and-control server from the infected machine, transferring information including the username, computer name, running processes, installed programs, local time and hardware information.

Palo Alto Networks and three other researchers are credited with discovering two variants of the Merry Christmas malware. MalwareHunterTeam discovered the DiamondFox secondary infection by the ransomware.


Internet Hosting Company OVH suffers DDoS attacks

Over the past week, internet hosting company OVH has suffered a massive DDoS attack with peaks of over 1Tb/s of traffic. This is the biggest DDoS attack known to date.

The founder and CTO of OVH tweeted: “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn,” and “last days, we got lot of huge DDoS. Here, the list of ‘bigger that 100Gbps’ only. You can see the simultaneous DDoS are close to 1Tbps!”

KrebsonSecurity also suffered a huge attack of between 620 and 665 Gbps last week.

Teenagers arrested for offering Booter Services

vDOS is a distributed denial-of-service (DDoS) kit that is allegedly responsible for most of the DDoS attacks of the past four years. Two teenagers have been arrested in Israel for their alleged link to the selling of the kit. The teenagers, Itay Huri and Yarden Bidani, both 18, were arrested on September 8 by Israeli authorities at the request of the FBI; they are under house arrest and forbidden to use internet-connected devices for 30 days. The service had been running undercover for four years until security researcher Brian Krebs found a hole in another DDoS-for-hire service that enabled access to vDoS’s database, leading to the arrest of the teenagers.

The vDoS service was offered for between $20 and $200 per month, depending on how long the hackers wanted to operate, and payment was preferred in the Bitcoin digital currency. The database uncovered by Krebs held tens of thousands of paying customers, and the operators netted over $600,000 in the past two years.

Apps with DressCode malware found on Google Play

Check Point researchers found forty applications on the Google Play Store that contain a new family of malware named DressCode. The malware is able to infect corporate BYOD mobile devices and access internal networks or corporate web servers. If an infected device is on the internal corporate network, an attacker can establish communication with it and send a command to retrieve files from that network.

Some of the infected Google Play applications are Dress up Musa winx, Dress up princess Apple White, Forsaken House and Dark Goddess; another 400 applications carrying the malware were discovered on third-party app stores.

This is a warning that enterprises should not rely only on the protections Google offers for its apps, considering the vulnerable nature of Android devices.

IRS Hack Affects 101,000 Tax Returns

The US Internal Revenue Service (IRS) has been hacked—again.

The tax collection agency said it was the target of a malware attack that allowed the perpetrators to access the electronic tax-return credentials for 101,000 social security numbers.

The IRS said that, using personal data stolen elsewhere outside the IRS, identity thieves used an automated botnet in an attempt to generate E-file PINs for about 464,000 unique stolen social security numbers. Only about a quarter were used to successfully obtain an E-file PIN. An E-file PIN is used in some instances to electronically file a tax return.

“While of great concern, this latest report of a cyber intrusion involving the IRS is not surprising in light of the vast inventory of PII (in particular Social Security numbers) in the hands of hackers as a result of countless breaches in the past few years,” said Adam Levin, chairman and founder of IDT.

DDoS attacks continue to increase

On Monday 5 October, Corero Network Security launched its detailed mid-year report on the current state of DDoS attacks based on its global customers’ experience.

Corero notes that attackers continue to leverage sub-saturating DDoS attacks with growing frequency. Attackers use shorter attack durations to evade defences, and the report shows how DDoS scrubbing solutions can themselves cause disruption in a network. Such attacks are often used to distract victims while other malware penetrates networks and steals customer information and company data.

Corero customers experienced about 4.5 DDoS attacks per day in Q2 2015, a 32 percent increase on Q1. The report found that a majority of attacks were less than 10Gbps and lasted less than 30 minutes. The rise in attacks was blamed on the increasing availability of cheap (sometimes free) DDoS attack tools such as botnets-for-hire. These tools are simple to launch and can be used with complete anonymity.
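The detection point behind these numbers is that a fixed, capacity-based alarm never fires for an attack that stays under 10Gbps on a 10Gbps link, while a baseline-relative detector does. The following is an added illustration written for this digest, not code from Corero or from the report; the per-minute traffic samples, the 10 Gbps link, the 3x-baseline multiplier and the three-minute minimum are all constructed assumptions.

```python
"""Flag short, sub-saturating DDoS bursts in per-minute link utilisation samples.

Added example; not code from Corero or the page. All sample data is constructed.
"""
from statistics import median
from typing import Dict, List

# Constructed: one-minute inbound traffic samples (Gbps) on a hypothetical 10 Gbps
# link. Twenty quiet minutes, a twelve-minute burst peaking near 6 Gbps, then quiet.
SAMPLES_GBPS: List[float] = (
    [1.0, 1.1, 0.9, 1.2, 1.0, 1.1, 1.0, 0.9, 1.1, 1.0,
     1.0, 1.2, 0.9, 1.0, 1.1, 1.0, 1.0, 0.9, 1.1, 1.0]
    + [5.5, 6.0, 5.8, 6.2, 5.9, 6.1, 5.7, 6.0, 5.8, 6.1, 5.9, 5.6]
    + [1.0, 1.1, 0.9, 1.0, 1.1, 1.0, 1.0, 0.9]
)
LINK_CAPACITY_GBPS = 10.0  # assumed link size for the constructed samples


def saturation_alerts(samples: List[float], capacity_gbps: float,
                      ratio: float = 0.9) -> List[int]:
    """Naive detector: alert only when a minute's traffic nears link capacity.

    Returns the indices of minutes at or above ratio * capacity. This is the
    kind of fixed, capacity-based threshold a sub-saturating attack never trips.
    """
    limit = ratio * capacity_gbps
    return [i for i, gbps in enumerate(samples) if gbps >= limit]


def detect_bursts(samples: List[float], capacity_gbps: float,
                  baseline_window: int = 15, multiplier: float = 3.0,
                  min_minutes: int = 3, warmup: int = 5) -> List[Dict]:
    """Baseline-relative detector for short bursts.

    A minute is anomalous when it exceeds `multiplier` times the median of the
    last `baseline_window` minutes that were judged normal. Anomalous minutes
    are deliberately not fed back into the baseline, so a burst of several
    minutes cannot drag the baseline up and hide its own tail. Consecutive
    anomalous minutes form one event; events shorter than `min_minutes` are
    dropped as noise. Each event records whether it stayed below capacity,
    which is what makes it invisible to a saturation-only alarm.
    """
    history: List[float] = []   # samples judged normal; feeds the baseline
    events: List[Dict] = []
    in_burst = False
    start = 0
    peak = 0.0

    def close(end: int) -> None:
        duration = end - start + 1
        if duration >= min_minutes:
            events.append({
                "start_minute": start,
                "end_minute": end,
                "duration_minutes": duration,
                "peak_gbps": peak,
                "sub_saturating": peak < capacity_gbps,
            })

    for i, gbps in enumerate(samples):
        anomalous = False
        if len(history) >= warmup:   # no verdicts until a baseline exists
            baseline = median(history[-baseline_window:])
            anomalous = gbps > multiplier * baseline
        if anomalous:
            if in_burst:
                peak = max(peak, gbps)
            else:
                in_burst, start, peak = True, i, gbps
            continue
        if in_burst:
            close(i - 1)
            in_burst = False
        history.append(gbps)
    if in_burst:                      # burst still running at end of data
        close(len(samples) - 1)
    return events


def compare_detectors(samples: List[float], capacity_gbps: float) -> Dict:
    """Run both detectors on the same samples so the gap between them is visible."""
    return {
        "saturation_alerts": saturation_alerts(samples, capacity_gbps),
        "bursts": detect_bursts(samples, capacity_gbps),
    }


if __name__ == "__main__":
    result = compare_detectors(SAMPLES_GBPS, LINK_CAPACITY_GBPS)
    print("capacity-threshold alerts:", result["saturation_alerts"])
    for ev in result["bursts"]:
        print(f"burst minutes {ev['start_minute']}-{ev['end_minute']}: "
              f"{ev['duration_minutes']} min, peak {ev['peak_gbps']} Gbps, "
              f"sub-saturating={ev['sub_saturating']}")
```

On the constructed data the capacity threshold produces no alerts at all, while the baseline detector reports a single twelve-minute event peaking at 6.2 Gbps and marks it sub-saturating. The one design choice worth copying is that anomalous minutes never enter the baseline; a rolling median that includes them would rise during a burst and silently shorten the reported duration.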

Corero also analysed DDoS mitigation actions by about 100 online enterprises in a survey. The results show nearly 75 percent of respondents would like their internet service providers to offer more security services to prevent DDoS traffic from entering their networks. Ninety percent of respondents are willing to pay for a premium DDoS defence. A majority are willing to assign between five and 10 percent of their overall ISP spend to secure this service.

“As companies continue to combat the increasing onslaught of cyber-attacks, including DDoS, they are turning to their service providers to aid them,” said Dave Larson, CTO and VP, product, of Corero. “Carriers are in a unique position to effectively eliminate the impact of DDoS attacks on their customers by surgically removing the attack traffic transiting their networks. This type of DDoS protection as a service is in high demand among enterprise customers.”

A survey conducted by Kaspersky Lab and B2B International showed that in most cases, a DDoS attack is only the “tip of the iceberg”. Nearly 75 percent of respondents representing the corporate sector stated that DDoS attacks against their companies corresponded with other IT security incidents.

In the survey, respondents cited malware (21 percent) and hacking (22 percent) as the leading threats to their companies. DDoS was chosen as the most dangerous threat by only six percent. However, DDoS attacks often coexist with malware incidents (45 percent of the time) and corporate network intrusions (in 32 percent of all cases). Data leaks were also detected with DDoS attacks in 26 percent of cases.

Longer page loading times still remained the most common aftermath of DDoS attacks (53 percent this year vs. 52 percent last year), but the survey says attacks can last for days, even weeks.

“It is natural that DDoS attacks are increasingly causing companies problems. The methods and techniques used by criminals are evolving, with attackers looking for new ways of ‘freezing’ their victims’ operations or masking intrusion into their systems. Even with a large staff of IT professionals it is almost impossible for companies to handle a serious DDoS attack and recover their services on their own. Moreover, if other malicious activity is going on at the same time, this multiplies the damage. The most dangerous part is that companies may never learn they were subjected to DDoS smokescreening,” says Evgeny Vigovsky, head of Kaspersky DDoS protection, Kaspersky Lab.

AT&T reported a 62 percent increase in DDoS attacks over the past two years in its new Cyber-security insights report, “What every CEO needs to know about cyber-security—decoding the adversary”.

Igal Zeifman, senior digital strategist at Imperva compares these numbers to Imperva’s DDoS findings from Q3: “These numbers are in line with what we see on our network. Specifically, we saw double the number of attacks, accounting for a 116 percent increase in the number of daily attacks on our clients, just in the last three months. We also noticed that, in this period, the attacks grew shorter in duration.

“Looking at both data sets, we think that the influx in the number of attacks is a result of two different trends. The first is a growing adoption of hit-and-run DDoS tactics, with more perpetrators preferring to launch multiple periodic attacks to a single prolonged assault. The second is an increase in popularity of DDoS-for-hire tools that allow anyone to launch a short-lived DDoS attack for a laughable cost.”

“In order to effectively protect their networks, prevent disruptions to customer operations, and better protect against data theft and financial loss, companies need real-time visibility and mitigation of all DDoS attack traffic targeting their networks, regardless of size or duration,” Larson concludes.