Search This Blog

Showing posts with label Windows. Show all posts

New REvil Ransomware Version Automatically Logs Windows into Safe Mode

 

The REvil Ransomware is unstoppable when it comes to ingenious hacking tactics and techniques. The well-known ransomware has escalated its attack vector once again, this time by changing the victim's login password in order to reboot the computer into Windows Safe Mode. 

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user’s password and setting Windows to automatically login on reboot. The ransomware would update the user's password to ‘DTrump4ever’ if the -smode statement is used. 

Afterward, the ransomware configures the following Registry values for Windows to automatically log in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so. 

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident, identifying the involvement of REvil ransomware. After initially setting the ransom at $12 million in Monero crypto, the attackers demanded Asteelflash pay a whopping $24 million ransom. However, as the negotiations didn’t reach a point of agreement in time, the actors raised the ransom to double the amount and leaked the first sample of the exfiltrated files. 

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil has released a service for contact to news media, companies for the best pressure at no cost, and DDoS (L3, L7) as a paid service. Threat actors, or associated partners, will perform voice-scrambled VoIP calls to the media and victim’s business partners with information about the attack.

New Worm Capabilities Targets Windows Machines

 

A malware that has verifiably targeted exposed Windows machines through phishing and exploit kits have been retooled to add new "worm" capabilities. Purple Fox, which originally showed up in 2018, is an active malware campaign that as of, not long ago required user interaction or some kind of third-party tool to infect Windows machines. However, the assailants behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, as indicated by new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs Amit Serper said. In addition to these new worm abilities, Purple Fox malware now additionally incorporates a rootkit that permits the threat actors to conceal the malware on the machine and make it hard to distinguish and eliminate, he said. 

Researchers examined Purple Fox's most recent activity and discovered two huge changes to how assailants are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is undermined through a weak exposed service. Purple Fox additionally is utilizing a past strategy to contaminate machines with malware through a phishing effort, sending the payload by means of email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Gadgets caught in this botnet incorporate Windows Server machines running IIS form 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users

 

Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets. 

The cross-platform capacities and the readiness to utilize almost a dozen zero-days in under a year signals a well-resourced threat actor with the ability to access hacking tools and exploits from related groups. In another blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and cautioned that the most recent disclosure is attached to a February 2020 campaign that incorporated the utilization of multiple zero-days. As per Stone, the threat actor from the February 2020 campaign went dark for a couple of months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server at first reacted distinctly to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google's researchers began recovering the hacking devices. This server included exploits for a distant code execution bug in the Google Chrome rendering engine and a v8 zero-day after the underlying bug was fixed. Stone said the first server momentarily reacted to Android user-agents, proposing exploits existed for every one of the significant platforms.

Stone noticed that the assailants utilized a special obfuscation and anti-analysis check on iOS gadgets where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead of requiring an active MITM on our side to rewrite the exploit on-the-fly.”

Wi-Fi Mouse Application Detected with Bug

 

According to a researcher named, Christopher Le Roux, the smartphone app named Wi-Fi Mouse, which enables users to monitor the mouse movements on their PC or Mac with a phone or tablet, has an unpatched bug, which encourages opponents to sabotage computers. The impact of the associated "server software" of the Android app is the Wi-Fi Mouse, which is required for installation on a Windows system, that enables the moving desktop app to regulate the mouse. The bug enables an opponent with a popular Wi-Fi network to fully access the Windows PC via a software-opened communication port. 

The unpatched bug doesn't affect the Android smartphone operating the Wi-Fi Mouse program, as per Le Roux's analysis. The application has been installed more than 100,000 times, according to the developer's overview of the Google Play platform for Wi-Fi Mouse. And according to the developer, the bug is linked to the Windows desktop applications which have a poor password and PIN protection. 

“The password/PIN option in the Windows Desktop app does not prevent remote control of a target running the software,” stated Le Roux. “I believe this may be an oversight on the part of the developer.” 

While attempting to pair the smartphone operating on Wi-Fi Mouse with the corresponding Wi-Fi Desktop Program, the researcher said that the application doesn't really appropriately request smartphone app users to enter a password or PIN. The absence of encryption gives a possible rogue user the chance to use Wi-Fi Mouse's open data port, Le Roux added.

“The Wi-Fi Mouse mobile app scans for and connects to hosts with TCP port 1978 open. Upon connecting the desktop server responds with OS information and the handshake is complete,” he wrote. “From within the mobile app, you have a mouse touchpad option as well as a file explorer. The file explorer allows a user to ‘open’ any file on the System. This includes executable files such as cmd.exe or powershell.exe, which will open each command terminal, respectively.” 

It is as simple to send ASCII characters as HEX with covering on either side accompanied by a packet to type the main unrestricted access to the targeted device. Particularly since there's no authentication between server and application this procedure is fast and simple to program. An opponent only requires the Wi-Fi Mouse application, which can be used on a targeted PC – no smartphone application is necessary. 

“Sadly, the app can be easily mimicked even if it is not installed or on the network. The Wi-Fi Mouse desktop server will accept any connection so long as it is running on an endpoint and the firewall isn’t blocking its listening port 1978,” Le Roux said. An opponent will use the Windows system to run a simple command, to download a running program from an HTTP server, and execute it on the PC of the goal to get the remote shell. 

“An attacker could still feasibly exploit a Unix-based system with minimal effort,” he wrote.

Hackers Use Bugs To Attack iOS and Android Devices; Google Doesn't Disclose Details

 

Google's cybersecurity team found a cluster of high-end vulnerabilities in iOS, Windows, Android, and Chrome earlier this week. According to Google, these vulnerabilities were in high usage, which means hackers used them to carry out attacks. It is an alarming issue for cybersecurity. Besides this, the vulnerabilities share some similarities, says Motherboard. One can assume that the same cybercriminals exploited them. According to cybersecurity findings, few vulnerabilities hid in font libraries, few in chrome's sandbox to escape, and others controlled the systems. 

It means that the bugs belonged to a string of vulnerabilities used to attack user's devices. As of now, there's no concrete information about who the hacker is and their targets. Usually, whenever bugs are found, it is ethically disclosed to release security patches to fix the issue, before the hackers can exploit them. However, in the current case, it is confirmed that the hackers are using the bugs. In 2019, in a quite similar incident, google had found a string of vulnerabilities that hackers used to attack the Uighur community. In China, the government conducts a massive scale campaign of surveillance and monitoring on the Muslim community. 

Vice reports, "according to a source with knowledge of the vulnerabilities, all these seven bugs are related to each other, who asked to remain anonymous as they were not allowed to talk to the press." However, the experts don't have any information on the present situation, as Google hasn't disclosed anything about the vulnerabilities, the hackers, or the targets. Fortunately, Apple released iOS 12 (released in 2018) security patch, which can fix Apple devices up to the iPhone 5 series. 

It so happens that when a company releases a security patch that fixes old machines, it generally means that the bug is highly dangerous. Still, we can only assume, as no data is available. "In any case, some of these bugs were very critical and gave hackers a lot of power when they used them. The iOS bugs, for example, were so dangerous that Apple pushed updates not just for the current iOS 14, but also for the older, not usually supported, iOS 12," reports the Vice.

Emotet Returns: Here's a Quick Look into new 'Windows Update' attachment

 

Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. At present, the malware is highly active as its developers continue to evolve their strategies, devising more sophisticated tricks and advancements. Recently, it has been noticed to be delivering several malware payloads and is also one of the most active and largest sources of malspam as of now. 
 
The operators behind Emotet are sending spam emails to unsuspected victims to trick them into downloading the malware; botnet has started to employ a new malicious attachment that falsely claims to be a message from Windows Update asking victims to upgrade Microsoft Word. It begins by sending spam email to the victim containing either a download link or a Word document, now when the victim happens to ‘Enable Content’ to let macros run on their system, the Emotet Trojan gets installed. In their previous malspam campaigns, used by the criminals were said to be from Office 365 and Windows 10 Mobile. 
 

How does the malware works? 

 
Once installed, the malware tries to sneak into the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With add-ons to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. 

The malware keeps updating the way it delivers these malicious attachments as well as their appearances, ensuring prevention against security tools. The subject lines used in a particular malspam campaign are replaced by new ones, the text in the body gets changed and lastly the ‘file attachment type’ and the content of it are timely revised. 
 
Emotet malware has continuously evolved to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. After a short break, the malware made a comeback with full swing on October 14th and has started a new malspam routine. 
 
Originally discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from comrpmised machines. As per recent reports, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

Prometei: A Cryptomining Botnet that Attacks Microsoft's Vulnerabilities


An unknown Botnet called "Prometei" is attacking windows and Microsoft devices (vulnerable) using brute force SMb exploits. According to Cisco Talos, these SMB vulnerabilities help in mining cryptocurrency. The botnet has affected around a thousand devices. It came in March; however, according to experts at Cisco Talos, the campaign could only generate a small amount of $5000 in four months of its activities. The botnet was working since the beginning of March and took a blow on 8th June. However, the botnet kept working on its mining operations to steal credentials. According to experts, the botnet is working for somebody based in Europe, a single developer.


"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.

About SMB attack 

The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.

To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."

All Windows Versions Hit By A Vulnerability; Attackers Take Full Control Over Computer




A vulnerability that existed in every single current Window versions allowing an attacker to misuse the Windows Group Policy feature to assume full control over a computer was recently dealt with by Microsoft. The administrators of the multinational technology can remotely deal with the entirety of the Windows devices on a system through the Group Policy feature.

This element permits the administrators to make a centralized global configuration policy for their organization that is pushed out to the entirety of the Windows devices on their network. The vulnerability was quite a serious one as it was capable enough to influence all Windows variants since Windows Server 2008.

These Group Policies allow an administrator to control how a computer can be utilized, like 'disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.'


To appropriately apply these new policies, the gpsvc service or 'Group Policy Client' service, is configured to run with 'system' privileges, which gives the same rights and permissions from the Administrator account.

However, Microsoft has already fixed the 'CVE-2020-1317 | Group Policy Elevation Privilege Vulnerability' discovered by cybersecurity firm CyberArk, who found a symlink attack against a file utilized for Group Policy updates to have access to elevated privileges.

"This vulnerability permits an unprivileged user in a domain environment to perform a file system attack which in turn would allow malicious users to evade anti-malware solutions, bypass security hardening, and could lead to severe damage in an organization network. This vulnerability could impact any Windows machine (2008 or higher), to escalate its privileges in a domain environment," CyberArk state in their report.

When playing out a group policy update that applies to the entirety of the devices in an organization, Windows will compose the new policies to a computer in a subfolder of the %LocalAppData% folder that any user, including a standard user, has permission.

Having full access to a file that is known to be utilized by a procedure with SYSTEM privileges, CyberArk found that they could come up with a symbolic link between the file to an RPC command that executes a DLL.

As the Group Policy Client service runs with SYSTEM privileges, when they endeavor to apply the policies in that file, it will rather execute any DLL the attackers need with SYSTEM privileges.

To trigger this vulnerability, a local attacker could execute the gpupdate.exe program, which plays out a manual group policy synchronization, and this command would then trigger the policy update and run an attacker's malevolent DLL.

As indicated by CyberArk, the full steps to ‘exploit’ this vulnerability would be as per the following:

  1. List the group policy GUIDs you have in C:\Users\user\AppData\Local\Microsoft\Group Policy\History\ 
  2. If you have multiple GUIDs check which directory was updated recently 
  3. Go inside this directory and into the sub-directory, which is the user SID. 
  4. Look at the latest modified directory; this will vary in your environment. In some cases, it can be the Printers directory. 
  5. Delete the file, Printers.xml, inside the Printers directory. 
  6. Create an NTFS mount point to \RPC Control + an Object Manager symlink with Printers.xml that points on C:\Windows\System32\whatever.dll 
  7. Open your favorite terminal and run gpupdate. 

"There you have it; an arbitrary create on arbitrary locations, you can also delete and modify system protected files by using this exploit. There is a small change in behavior that goes on based on your GPO objects (printers, devices, drives). Alas, all of them end up in EoP," CyberArk explains.

As this vulnerability affects millions, if not conceivably a billion devices, it's a very serious security flaw that ought to be addressed to by all Windows administrators as soon as possible.


Maze Ransomware and its Various Campaigns Continue to Threaten the Cyber World


Ever since this year began, the Maze ransomware has been hitting headlines. Recently researchers discovered more samples of Maze in numerous industries making it one of the major threats for the cyber-world.

Another form of the "ChaCha" ransomware, Maze surfaced in mid-2019 and has been wreaking havoc ever since, across continents and any organization it could get it hands-on.

Per sources, Maze is most usually dispensed by way of emails loaded with malicious Exel and Word attachments. But that’s not the only method of distribution.

According to reports, cyber-criminals also use “exploit kits” by the name of “Spelevo”. Sources mention that in previous cases it has been used to exploit Flash Player vulnerabilities, CVE-2018-15982 and CVE-2018-4878. Other exploits that Maze has abused include CVE-2018-8174 (Internet Explorer) and CVE-2018-1150 (Pulse VPN).

Maze ransomware initially tries to get a strong idea of the target device’s internal surroundings and begins to create a place for itself. Once that’s done it tries to access user privileges to carry lateral movements and kick start the file encryption throughout drives. But, before the encryption, files are exfiltrated so as to be used for future compulsion in any way possible.

If the security system of a device isn’t laden with necessary protective gauges it could possibly crash completely under the pressure of Maze ransomware. The infection could put sensitive information at large and incapacitate operations almost killing the company’s finances.

Per sources, Maze ransomware has shown its hold across industries like construction, education, energy, finance, government, healthcare, hospitality, law, life sciences, media and communications, pharma, technology, and telecommunications. McAfee, in March, made available a detailed report about the Maze ransomware.

According to a report, there’s an “Anti-Ransomware Protection module” which hunts ransomware related encryption-based activities. It allows users to keep track of the activities.

Per sources, lately, Maze ransomware was spotted compromising several IT service providers. It also set up a footing in another victim device’s network via insecure Remote Desktop Protocol or by using brute-force on the account of the local administrator.
Cloud backups too aren’t safe from the Maze ransomware because they are widely tracked on the vulnerable networks. With the login credentials, all backed-up data could be sent to the threat-actors via a server under their control.

The solution for any such occurrences is as repetitive as ever; stronger security mechanisms, better passwords especially remote systems with remote access possibilities and of course, heftier protection measures.



Fileless Malware Attacks and How To Fight Them!



It has been crystal clear over these years with the increase in a number of cyber-attacks of an equally unique kind making it almost impossible for the out-dated or conventional security mechanisms to intercept and fight.

As if a single one-of-a-kind cyber-attack tool wasn’t enough, the threat actors now are laden with polymorphic tactics up their sleeves. Per sources, an entirely new version of a threat could be created every time after infection.

After "polymorphism" became apparent, the vendors as per reports engineered “generic signatures” had numerous variants in them. But the cyber-cons always managed to slip in a new kind.

This is when the malware authors came up with a concept of fileless attacking. They fabricated malware that didn’t need files to infect their targets and yet caused equal damage.

Per sources, the most common fileless attacks use applications, software, or authorized protocol that already exists on the target device. The first step is a user-initiated action, followed by getting access to the target’s device memory which has been infected by now. Here the malicious code is injected via the exploitation of Windows tools like Windows Management Instrumentation and PowerShell.

Per reports, the Modus Operandi of a fileless attack is as follows:
It begins with a spam message which doesn’t look suspicious at all and when the unaware user clicks on the link in it they are redirected to a malicious website.
The website kicks-off the Adobe Flash.
That initiates the PowerShell and Flash employs the command line to send it instructions and this takes place inside the target device’s memory.
The instructions are such that one of them launches a connection with a command and control server and helps download the malicious PowerShell script which ferrets down sensitive data and information only to exfiltrate it later.
Researchers note that as these attacks have absolutely nothing to do with stocking malicious files onto the target’s device, it becomes more difficult for security products to anticipate or perceive any such attack because they are evidently left with nothing to compare the attacks with. The fact that files less malware can hide from view in the legitimate tools and applications makes it all the worse.

Recently lots of fileless attacks surfaced and researchers were elbow deep in analyzing them. According to sources, some well-known corporate names that faced the attacks include, Equifax that had a data breach via a command injection vulnerability, the Union Crypto Trader faced a remote code execution in the memory, the version used was a 'trojanized' form a legitimate installer file and the U.S. Democratic National Committee faced two threat actors used a PowerShell backdoor to automatically launch malicious codes.

These attacks are obviously disconcerting and require a different kind of approach for their prediction or prevention. A conventional security system would never be the solution corporates and organizations need to stand against such attacks.

Per sources, the Network Detection and Response (NDR) seem to be a lucrative mechanism for detecting uncommon malicious activities. It doesn’t simply count on signatures but uses a combination of machine learning tactics to fetch out irregular network behaviors. It perceives what is normal in a particular system, then tries to comprehend what isn’t normal and alerts the overseers.

Researchers think an efficient NDR solution takes note of the entire surrounding of a device including what is in the network, cloud deployments, in the IoT sections and not to mention the data storage and email servers.

Per sources, NDR gradually works up to its highest efficiency. Its and its sensors’ deployment takes a considerable amount of time and monitoring. But the final results encompass enhanced productivity, decreased false alerts, and heightened security.

24 Million Adware Attacks found on Windows


Avast, a security firm, discovered in their research the growing scale of adware. According to the report, around 72% of malware on android was adware. Another report by Malwarebytes reveals some shocking numbers with 24 million windows adware detections and 30 million on Macs. Nowadays, with good search engines and added internet security, we hardly consider adware as a severe threat. There was a time, around 2002 when adware attacks were at an all-time high. It was quite common to be faced with pop-ups and adds opening another window showing adverts. Only a few software provided essential protection against these pop-ups.


But in this digital-savvy decade, we hardly consider pop-ups as a security threat, but this report by Avast tells a different story. The numbers show that adware is still very much present and thriving. "Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser." This adware campaign can have malicious intents, especially using COVID-19, to fulfill their purposes.

Kaspersky released a report in which more than 120,000 malware and adware were impersonating meeting software like Zoom. Most evident were: DealPly and DownloadSponsor. This adware has evolved from their previous counterparts to a high capacity. Now they display that install and download other adware software. In some cases, the adware DealPly and ManageX can be installed automatically with the legitimate installer and other potentially unwanted applications (PUAs). Battling with adware is a hard war because of their large numbers. There are hundreds of apps developed every day and registered; many come laden with adware. To check every single one of them is more robust than finding a needle in a haystack.

In March, Google banned 56 malicious applications, but by then, they already had around a million downloads. It is effortless for these apps to pose as legitimate and carry adware along with them. Adware is often ignored in the shadows of more severe security threats, and even though it is less harmful, it nonetheless is far more ubiquitous. Hence, security teams must be cautious of adware and take preventive steps.

Winja (VirusTotal Uploader)- The Malware Detector!


Cyber-security is an important concern for everyone working from these days, amid the lock-down due to the current Coronavirus pandemic. There are several security measures one can employ to stay on top of all the cyber-hazards that hackers could be brewing.

Winja is one such free application and passive analysis tool that is designed for Microsoft Windows that helps the user find any potential malware on their system. By way of using the scanning engine of the anti-virus products, the application gives forth very specific details as to which file is hazardous in which way.

Whenever we download something from the internet our first step is to ensure that it’s safe for our device. With Winja, all you have to do is to drag the file in question on the mal window and Voila! The results apparently will show on the desktop.

In case you have a sneaking suspicion about your device being infected, you could scan all services and processes for malware and the application will help you.

Reportedly, Winja initially uses the “VirusTotal” public API to insert the fingerprint of a file. If the fingerprint is present, Winja sends the current analysis report and if it is not then Winja sends the “unknown file” to the VirusTotal servers for scanning. You can also analyze files any time you want to enhance the chances of detection.

As has been recognized by researchers over these years, hackers tend to have their places of choice in their victim’s devices to first sneak in and then hide the malware. With Winja it becomes extremely easy to locate any suspicious files in those places. Per sources, Services, Task Scheduler, Active Processes, Applications beginning with Windows and Actions that require network resources and internet are few to be mentioned.

All you need to do to scan any file that you have a suspicion on is to drag it and drop in onto the main window of the Winja application.

Plus, you can make use of an extension for the Windows Explorer that would aid you to request a scan by means of a right-click on any file of your choice from the file browser.

Per sources, all the subsequent versions after the sixth one are available in French making it a huge hit in the French-versed population. VirusTotal, which is an arm of Google, strongly suggests Winja as a substitute for their Windows desktop application.

This application goes hand in hand with the anti-virus software that you love to use for your devices. It is not a substitute for anti-virus software but it fits with them like a puzzle piece and does not intend to endanger their publicity in any way.

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers established a rootkit that let them manually command the servers and directed sensitive stolen corporate date to its home servers C2 (command and control). The attackers breached a variety of Windows and Linux OS within the AWS data center. A recent report published by Sophos (from Britain) last week has raised doubts and suspicions among the cybersecurity industry.


According to Sophos reports, the hackers were able to avoid Amazon Web Services SG (security groups) easily. Security Groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (it is a virtual server used by AWS to run the application). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed in AWS servers, the hackers obtained remote access meanwhile the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just the AWS.

The problem was not with AWS, this piggybacking method could have breached any firewall, if not all. According to cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident is named as "Cloud Snooper." A cybersecurity expert even termed it as a beautiful piece of work (from a technical POV). These things happen all the time, it only came to notice because it happened with a fancy organization, he says. There are still unanswered questions about the hack, but the most important one that how the hackers were able to manage this attack is cleared.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.

Windows Devices in Hospitals Vulnerable to Potential Exploits


Windows Devices in Hospitals Vulnerable to Potential Exploits According to recent reports, hackers can exploit the vulnerabilities present in health devices, and it can prove dangerous to the health of the patients at the hospital. But, the problem could be avoided by following some simple steps. The health devices have a more likable chance to the Bluekeep exploit than any other devices connected in the hospitals. Health devices can be exploited up to 2 times, using the Bluekeep exploit. This puts both the patients and the hospital staff in danger as witnessing the current scenario, the health sector has recently been one of the primary targets of the hackers.


Therefore, the issue of cybersecurity among the health sector is one of the main concerns of the digital age. Bluekeep was first discovered in 2019, and it is a vulnerability in Microsoft RDP (Remote Desktop Protocol). The vulnerability affects Windows7, Windows8, Windows Server2008, and Windows Server2008 R2. When the news of Bluekeep vulnerability surfaced, Microsoft immediately released a security patch to resolve the issue. Various intelligence agencies, including the US NSA (National Security Advisory) and Britain's NCSC (National Cyber Security Centre), immediately informed Microsoft to fix all the security patches related to the vulnerability.

The matter of concern was that Bluekeep could be used as malware to do the same damage that EternalBlue had caused, the exploit that triggered Wannacry. In this incident, various high profile organizations were taken the victim, but the greatest attack happened on the National Health Service of UK, in which the entire networks of the hospitals were shut down. But despite various warnings, health devices that run on Windows are still vulnerable to a potential Bluekeep exploit.

According to researchers at CyberMDX, a healthcare cybersecurity company, a newly made report's data suggests that more than 20% of healthcare devices (that run on Windows) in hospitals are vulnerable to the blue keep exploit, as they have still not configured to the latest security patches. The healthcare devices include x-ray machines, anesthesia machines, ultrasound devices, and radiology equipment. If these devices are not fixed to the latest security patch, chances are that hackers could exploit them using the blue keep vulnerability. This can risk the lives of the patients and the healthcare staff.

Apple Doubles Microsoft by 2:1 in Cybersecurity Threats


According to a fresh report on malware that further sinks deep into the debate of cyberattacks, research company Malwarebytes has used data from various fields to analyze the cybersecurity attacks that effected either the consumers or the business in 2019. But the most surprising thing is the platforms on which these attacks happened: Apple vs Microsoft. Surprisingly, the report tells us that the cybersecurity threats had a larger effect on Apple than that of Microsoft.


An insight into State of Malware Reports- 

The 2020 Malwarebytes research looked into the following fields for the potential cybersecurity threats: macOS and Windows, iOS and Android users, attacks based on web browsers, and attacks that happened on Windows or Mac PCs. After calculating the cybersecurity threats and analyzing the data, the 'State of Malwares' report revealed that cybersecurity threats against Apple increased by 400% in the year 2019. It also concludes that Apple outnumbers Microsoft by 2:1 in terms of cybersecurity threats.

The ratio shouldn't be ignored as Malwarebyte's Apple has a larger user base than Microsoft. Further, the report reveals that Mac files tend to have more malicious behavior (front and center) throughout the years, allowing more space for hackers to deploy evading techniques to escape iOS discovery. As the malware signs of progress keep affecting the iOS, users should rethink if they should install antivirus in their phones or not, as it opens up the space for cyber attacks.

Does it raise concern over Mac Security- 

If you look back in the past media coverage on cybersecurity, the reports would suggest that there were more attacks to Microsoft or Windows users than to Apple or iOS. But simply having fewer reports than Microsoft doesn't mean that Apple has better cybersecurity. There have been a few prominent incidents that raised suspicion over Apple's commitment to security. For instance, the iPhone specific threats, or the Siri feature that left encrypted emails encrypted, or the apps that could tell if "your iPhone was hacked," or to ensure the security of the Apple Smartwatch 5. The Malwarebytes report suggests that one shouldn't ignore this while moving into 2020, as 2019 showed it was a bad year for Apple.

Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

SNAKE Ransomware Targets Entire Corporate Systems?


The new Snake Ransomware family sets out to target the organizations’' corporate networks in all their entirety, written in Golang and containing a significant level of obfuscation, the observations and disclosure for the attacks were made by a group of security specialists from the MalwareHunterTeam.

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

The ransom note of SNAKE ransomware (Source: Bleeping Computer)

“It is clearly evident from the language in the ransom note, that this Ransomware specifically targets the entire network rather than individual workstations. Further indicating that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.”
 - This is what Bleeping Computer said in a blog post on SNAKE. 

Nonetheless, the rise of SNAKE Ransomware highlights the critical requirement for organizations to defend themselves against a Ransomware infection.

While making effective use of the suggestions to forestall a Ransomware infection in the first place, they ought to likewise consider 'investing' into a solution like Tripwire File Analyzer for the purpose of distinguishing suspicious documents and conduct on the network.

Cyber Attack Alert! Microsoft Gives Inside Revelations About RDP Brute Force Attacks


Microsoft conducted a long-term study, which majorly focused on RDP brute-force attacks, their success and the duration they last for.

Per sources, according to the reports of the study, over 0.8% of the RDP brute force attacks on an average last for about “2-3 days”. The study also revolved around the effect of such attacks on various business organizations.

Data from over 45,000 devices and workstations that ran “Microsoft Defender Advanced Threat Protection” (commercial version of the free Defender anti-virus app) was acquired in terms of RDP login related acts.

According to reports, both failed and successful attempts at RDP login was part of the data collected for the detailed study that spread across numerous months of dedication.

Reportedly, the aforementioned successful and failed events include Windows events with ID 4264 and 4265, correspondingly. The usernames that the attackers or users may have used were also collected.


Per sources, RDP, Remote Desktop Protocol happens to be a feature of the Windows operating system that enables the users to log into a “remote computer” or device by way of an interface that looks much like a desktop, by means of the computer’s public IP address and port 3389.

Businesses and organizations usually make use of RDP and its provisions to manage servers, workstations and other connected devices in remote areas. It’s easier for the administrators and employees alike to work that way.

Brute force attacks have been pretty common on Windows devices especially via open RDP ports. Automated tools that the hackers use help them to create various combinations of passwords and usernames to figure out the target computer’s RDP login details.

Simple and basic combinations stand at the top of the hit list. The password and usernames combinations that have previously been leaked on the dark web are also used the most.

Where on an average these brute force attacks last for 2 to 3 days, in 90% of the cases, as the reports have found out, the attacks last for around a week.

According to the study reports the attacks spread across days because the hackers were trying out selected combos per hour rather than blindly shooting combos.

This clearly helped the attackers dodge the chances of their attack Internet Protocols getting banned by the firewalls.

Microsoft, according to sources, also mentioned that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on an average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.

Per sources it’s imperative to look for the following things in a sign-in attempt:
 Event ID 4625 login type
 number of other devices with RDP inbound connections from one or more of the same IP
 number of failed sign-ins
 Event ID 4625 failure reason
 The number count of a username and the times it failed to log in
 number of RDP inbound external IP
 an hour and the day of the failed sign-in
 RDP connections
 Timing of successful sign-in attempts

To secure your device from such attacks, it’s supremely essential to monitor unknown connections and failed sign-in attempts.


Clop Ransomware Upgraded, Now can Terminate 663 Windows Processes


In February 2019, Michael Gillespie from MalwareHunter Team founded Clop ransomware that has been evolving to reach its full potential and now a variant of the same can terminate a total of 663 Windows processes.

While it was first discovered, it did not demonstrate any unique quality which made it stand out amid other ransomware variants, it was merely another likewise addition in the ransomware ecosystem like others that existed since 2017. However, it has continued to take various forms since its discovery and is emerging with all new and integrated process killer that affects several processes of Windows 10 apps, office applications, programming IDEs, languages and text editors.

As per the sources, it was noted in March 2019, that the attackers behind Clop Ransomware started to target entire networks instead of individual systems, they changed the ransom note to imply the same. The same year also witnessed a sudden disruption in the services of Clop Ransomware wherein they abruptly changed and disabled services for Microsoft SQL Server, MySQL, Microsoft Exchange, BackupExec and other enterprise software.

In 2019, while warning the organizations and businesses regarding app-killing malware, the Federal Bureau of Investigation (FBI) reported that the ransomware threat now is even amplified as the attackers are continually upgrading themselves, they have devised ways to bypass detection and be more effective in their operations. Organizations are being warned by investigative agencies to keep abreast of such potential threats and build a security net to guard their systems.

While commenting on the matter, Abrams, editor-in-chief for Bleeping Computer said, "It is not known why some of these processes are terminated," Bleeping Computer editor-in-chief, Abrams, said, "especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools."

Meanwhile, in a conversation with SC Media UK, Javvad Malik, security awareness advocate at KnowBe4, told "Clop is a variant of the CryptoMix ransomware family, but has been evolving rapidly in the last year to disable an increasingly large number of windows processes,"

"The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files," read the McAfee report in August.

"To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly, over the last few months, we have seen more innovative techniques appearing in ransomware."

Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Affecting Windows machines across the globe, Smominru has been labeled as one of the most rapidly spreading botnet malware, as per a report by data center and cloud security company, Guardicore Labs. The infection rate of this computer malware has been detected to be up to 47,000 machines per day and in the month of August alone, it compromised almost 90,000 computers, according to the report.

While attacking, Smominru compromises Windows PCs by using the NSA exploit, EternalBlue and brute-force on various services like RDP, TELNET, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it potentially can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the maximum number of attacks, however, other countries remain equally vulnerable to the computer malware which saw an upsurge in recent times. To exemplify, we can look at the largest network targeted and hence compromised by Smominru, which was a healthcare provider in Italy, it left a total of 65 hosts affected.

The unspecified and non-targeted nature of the attacks was notable as the compromised networks ranged from medical firms to higher-education institutions, the victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while, some others are observed to be taking place on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to timely patch their computer networks and servers is one of the primary reasons for the networks being compromised, although for a lot of organizations, the inability is a result of logistical scarcity, for others, it's simply due to negligence and not being regularly updated with the requirements of the sector.