North Carolina held for ransom and Agent Tesla becomes stealthy
Android apps offer to mine unmineable cryptocurrencies and UK targets IoT vulnerabilities.
North Carolina water utility shut down by ransomware
Hurricane Michael, Florence, and now this. It seems North Carolina just can’t catch a break as one of its major water utilities went offline following a ransomware attack. The Onslow Water and Sewer Authority (ONWASA) was shut down by a ransomware attack over the weekend. IT sleuths believe the malware called Ryuk infiltrated ONWASA’s systems through the Emotet trojan on October 4th. Although the infection was thought to be contained, Ryuk managed to outsmart the utility by springing into action on the early morning of October 13th instead.
Ryuk has since encrypted many files and despite ONWASA’s best efforts, it has managed to shut down their system for at least the next few weeks. The utility received a ransomware note from the attackers, but decided not to yield to the demands and will instead focus on rebuilding its database. Efforts are ongoing to restore the system to full capacity.
The timing of the attack seems strategic. And heartless. “Ransomware attacks happen all around the world” says Luis Corrons, Security Evangelist at Avast. “Even though the timing could not be worse, using the hurricanes as an excuse is probably not the best strategy.” Corrons continues, “To start, all computers managing critical infrastructure should – always and without exception – be properly isolated from the general network of the company. Having all systems updated and running vetted security solutions is a must, too.”
Cryptomining apps promise riches, serves ads instead
A new scam with apps promising to make users rich by mining cryptocurrency on their behalf recently surfaced on Google Play Store. The kicker was that they simply pretend to mine coins that cannot be mined in the first place, all while bombarding the users with ads. No doubt someone somewhere is literally laughing their way to the bank.
The currencies being “mined” were Ripple, Cardano, and Tether, all of which have their own propagation methods which are very different from traditional cryptocurrencies. After downloading the app, a user will be prompted to hit the “Start” button to generate coins.
The app does a fantastic job conning the user by displaying false, random hash speeds and even “slows down coin production” as they go on. Ads will continuously be displayed from the time someone logs in.
The user won’t realize something is amiss until they try to withdraw their earnings. The app will throw an error message stating their mobile wallets are malfunctioning and ask them to try again later. Apps such as these are nothing new. Cryptojacking malware masquerading as legit apps have been seen following a similar MO, too. To make sure you never fall for such a gimmick, always research a cryptomining app thoroughly before installing it.
UK aims to secure vulnerable IoT devices
Acknowledging the weak security of most smart web-connected devices, the UK has published a code of practice to show how they can better secure their products. UK’s security step comes just a few days after California passed a bill requiring device manufacturers to have mandatory strong password protection.
Devices such as web-connected cameras, doorbells, switches, kitchen appliances and smart apps have become a hot target for cybercriminals as they often do not have strong security features. Botnets, man-in-the-middle attacks and data theft coupled with social engineering are all becoming increasing threats as the Internet of Things takes off. The UK’s initiative lays out 13 separate steps for manufacturers to secure their endpoint devices, including securely storing customer data, applying software patches, requiring the user to create strong passwords, and making it easy for users to delete data, as well as proactively bringing their attention to device vulnerabilities.
IoT security has become a hot debate in IT circles. A recent Gartner report highlighted that at least 20% organizations have experienced one IoT attack. Coupled with the fact that IoT adoption is expected to reach $3 billion by 2021, the cavalier attitude towards security is definitely worrying. So far, HP and Hive Centrica have agreed to follow the rules laid out by UK.
“This is a brilliant initiative” says Corrons. “All 13 guidelines in the UK’s Code of Practice for Consumer IoT Security make sense, and requiring vendors to adhere to them is a great approach.” He adds, “I’d like to see this same Code of Practice get adopted by the EU, the US and Japan — across the globe.”
Agent Tesla learns to hide from antivirus
A new malware campaign sporting the who’s who of the malware world has been pointed out by researchers. Utilizing two vulnerabilities in MS office, hackers can download Tesla, Loki and Gamarue information stealers and operate them undetected.
The vulnerabilities in question – CVE-2017-0199 and CVE-2017-11882 can allow hackers to remotely download an RTF file from an infected DOCX file. The exploit chain furthermore uses the RTF file structure to trick antiviruses into thinking it is a legit program. The attackers also change the OLE object header’s value to ensure their operation remains undetected.
The primary malware being used here is Agent Tesla, a powerful keylogger that can steal information from almost every web browser, email client, and even document files. Tesla can also take screenshots and record webcam broadcasts and even allow the attackers to install more malware on the infected system. While Tesla can be used as a multi-purpose tool, Loki is strictly a login credentials stealer; Gamarue, meanwhile, is a family of malware that can steal information, and give its creators access to compromised systems.