Like most popular software, Pokemon Go has quickly become a magnet for cyber criminals. Within just a few days of its launch, the hottest mobile app today has already become the target of DDoS and malware attacks.

For those who have been living under a rock, Pokemon Go is an augmented reality game that runs on iOS and Android. Using the phone screen and camera as its main tools, Pokemon Go allows players to search and capture virtual critters – known as Pokemon – in the real world in real time. Once captured, Pokemons can be trained and brought into battle.

The game’s innovative use of augmented reality, which blends elements of a virtual world with the real world, has enthralled millions of users. Sadly, this extremely high level of activity also attracts individuals with malicious intent. There have been reports of players being robbed when they have wandered off to catch Pokemon or engage with other players.

Since Pokemon Go is first and foremost an app, threats are not limited to the brick-and-mortar world. There are cyber threats too. Two threats that have gained considerable attention are a DDoS attack and a malware attack.

DDoS attack on Pokemon Go servers

A DDoS (Distributed Denial-of-Service) attack was targeted at Pokemon Go login servers on the weekend beginning July 16. This prevented users from logging in to play the game. Two hacking groups have already claimed responsibility for the attack(s). The first group calls themselves OurMine, while the second is known as PoodleCorp. The latter was even bold enough to tweet about the event right before it happened:

PokemonGo #Offline #PoodleCorp

— PoodleCorp (@PoodleCorp) July 16, 2016

While some people believe the server crashes were simply due to the overwhelming influx of users, PoodleCorp has already issued a threat that seems to imply a bigger attack on August 1:

August 1st #PoodleCorp #PokemonGo

— PoodleCorp (@PoodleCorp) July 18, 2016

That’s just right around the corner, so we’ll see what happens.

The folks at Niantic (Pokemon Go’s developers and publishers) have ample time to set up contingency measures, so if some considerable downtime still takes place on that date, PoodleCorp must be on to something.

Pokemon Go Malware

Cyber crooks are hitting Pokemon Go on both the server and client fronts. Earlier this month (July 2016), Google removed a fake Pokemon Go app known as “Pokemon Go Ultimate” after researchers at ESET flagged the malicious app.

Pokemon Go Ultimate was capable of locking your phone’s screen after starting up. The app wasn’t designed to be ransomware, but because there was no way to unlock the phone. Users were forced to remove their phone’s batteries in order to restart. The problem was, that upon rebooting, the app would continue running; this time in the background. While running, the app would simulate user clicks on porn ads in a manner similar to Hummingbad.

Possible impact on business cyber security

While DDoS attacks on Pokemon Go servers might have little to zero impact on business’ cyber security, the possible impacts of Pokemon Go related malware are worthy of attention. Some employees might become too enthusiastic with the game and start downloading apps or visiting websites that appear related to the game.

If those apps or websites turn out to be malicious, the phones used to download them could end up getting infected. Those phones can then be a threat as soon as they connect to your network.

Learn more about mobile threats and how to prevent them from invading your network. Contact us now.

Millions of Android devices (about 10 million to be more exact) are infected by Hummingbad, a piece of malware that gains root access, installs malicious apps, and dupes users and ad networks in an elaborate fraud campaign. This is what researchers from Check Point discovered after a 5-month long study. While ad networks are currently the main victims, the level of sophistication of these attacks can potentially threaten a lot of businesses.

Infection and attack

Hummingbad primarily uses a drive-by download attack to infect devices. That means, your device can get infected if you happen to visit one of the attackers’ malicious websites even if you don’t intentionally download anything.

The attack consists of two main components:

1. One that utilizes a rootkit designed to exploit a wide selection of vulnerabilities in order to ultimately gain access to the system
2. One that’s called into play if the first component fails. This one displays a fake system update notification in order to deceive the user into granting the malware access to the system.

Even if Hummingbad fails to gain system-level access, it is still able to download several malicious apps. These apps display ad banners and force users to click on them. Because the ads actually belong to legit ad networks like Mobvista, Cheetah, the attackers are able to collect their share of the ad revenues from those clicks. It’s believed that the attackers earn about $300,000 per month from this exercise alone.

How Hummingbad can affect your business

The fact that Hummingbad can gain root access and install other malicious apps makes it a serious threat to enterprises. With most everyone bringing smartphones and/or tablets to work, either unofficially or through a BYOD (Bring Your Own Device) program, it’s likely that there is work-related data on their devices.

With the level of access Hummingbad is capable of acquiring, it’s not a stretch to imagine the malware operators – or even copycats – to eventually introduce features for exfiltrating sensitive information stored in the victim’s device. The stolen data can then be sold to fraudsters and identity thieves.

Attackers may also sell access capabilities similar to the way server login credentials were sold at online marketplace xDedic. Other possibilities include putting together all these compromised devices (we’re talking millions) into botnets or using some of them to carry out targeted attacks on people with sensitive positions (e.g. system admins or C-level executives).

Any of these attacks can cause considerable harm to your organization.

While most of the victims are located in Asia, Android users in the United States haven’t been spared completely, with about 286,800 victims in the US.

Upgrading to the latest version mitigates the risk of infection

According to the study, a combined 90% of all infected devices were running on Jelly Bean (40%) and Kitkat (50%). These are old Android versions that were first released in July 2012 and October 2013, respectively. By comparison, only 1% of those infected were running Marshmallow, the latest version.

This underlines the importance of upgrading to the latest version. Upgrades may include security updates designed to patch known vulnerabilities. Such updates are especially critical in devices running the Android OS, where vulnerabilities abound. Early this month alone (July 2016), Google released its largest ever security update for Android. That single update addressed an astounding 108 vulnerabilities.

For more information about this malware and how to avoid getting infected, contact us now.

What can hackers do to a server once they’ve broken into it? A lot. Some install malware and make it part of a botnet. Others steal valuable data stored within. Still others, like those mentioned in this post, sell login credentials at shady marketplaces in the Dark Web.

Thousands of servers for sale

Earlier this month, researchers at Kaspersky revealed yet another alarming discovery in the field of cybercrime. Login credentials to over 70,000 hacked servers were being sold at an online marketplace known as xDedic. Like many underground online marketplaces where tech-savvy crooks trade illicit goods, xDedic can only be reached through the Dark Web.

Apparently, hacked servers are very affordable. Prices for hacked servers were found to go as low as 6 USD. Most of the servers were located in Brazil, China, Russia, India, Spain, Italy, France, Australia, Republic of South Africa, and Malaysia.

Launched in 2014, xDedic gained its reputation as a leading source of compromised server login credentials when 3,000 servers were added to its inventory sometime in 2015. Business has boomed since then.

Tools of the trade

xDedic not only provides a platform for buying and selling hacked servers. It also offers both buyers and sellers tools they can use in finding servers that suit their specific objectives as well as carrying out remote administration via RDP.

One example is a tool used by sellers to scan a hacked system and obtain relevant information such as the Windows version, size of RAM, type of CPU, whether ports 25 and 80 are open, type of VM used, antivirus installed, upload/download speeds, and so on. The same profiling tool is used to search for an RDP service on the server and then to patch it if any is found.

The patch modifies the RDP settings to allow multiple user logins, which would enable a buyer to access the server without alarming the server’s legitimate administrator. The buyer could then access the hacked server through xDedic’s own RDP client.

What can buyers do with a hacked server?

A hacked server can open up a lot of opportunities to a buyer, especially one who operates in the cybercrime industry. Because most of these servers have not yet been blacklisted by blacklisting engines and web reputation sites, they’re perfect for a variety of cyber attacks, including ransomware, malvertising, DDoS, phishing, and many others.

Of course, if a server also happens to store or provides access to storage systems that contain sensitive data, a buyer who specializes in identity theft could have a field day.

The Kaspersky researchers observed a marked interest for servers containing accounting, tax reporting and point-of-sale (POS) applications. Apparently, buyers need these applications for carrying out fraudulent operations. By making use of existing software, attackers can avoid arousing attention.

What countermeasures can help?

Servers that end up at xDedic acquire certain characteristics that can help cybersecurity specialists determine whether a server has been hacked. For instance, the profiling tool mentioned earlier, which is installed on a hacked server after the server is compromised (usually through brute-force attacks), communicates with certain Command-and-Control locations.

In addition, it has been found that the hacked servers are also infected with other pieces of software, including a certain Trojan, bitcoin mining software, and a wrapper for a proxy tool, among perhaps others. For more details about xDedic and these malicious tools, refer to the Kaspersky report on the subject.

Of course, prevention is always preferable to treatment. Once you’ve determined that your servers are safe, you should carry out server hardening to prevent future compromises.

Need help in determining whether your servers have been compromised? Contact us now for a free Harbinger network risk assessment.

Ransomware and the interest around it is surging. A quick look over time at Google Trends reveals an astounding visual representation of the growing interest…

The first ever malware that could be classified as ransomware emerged way back in 1989. Known as the AIDS Trojan, that particular piece of malware hid directories and encrypted filenames, in turn causing its victim’s computer to be unusable (just like today’s CryptoLocker, Locky, Teslacrypt, Cryptowall, and CTB-Locker). To regain control of their PCs, victims had to send money to a Post Office box.

As the graph above shows, ransomware has never before achieved the level of notoriety that it enjoys today. So why are we seeing this growth now?

In this post, we take a closer look at the key drivers fuelling this rapid ascent to infamy. But first, let’s briefly discuss what ransomware is.

What is ransomware?

Ransomware is a piece of malware that, as it name implies, involves ransom money. Once it gets installed on your computer, the malware holds digital assets (in most cases, files) captive and prevents you from retrieving or viewing them. Just like your typical kidnap-for-ransom criminal, it then declares an ultimatum – either you pay a ransom or your files go kaput.

This malware will usually block access to files by locking the screen or encrypting the files themselves. To regain access, you need to pay. Ransom payment is typically done through bitcoins or other electronic payment methods like Ukash, Paysafecard, or MoneyPak. Most systems get infected with ransomware when their users inadvertently download trojans through either phishing emails or malicious websites.

Some ransomware can infect entire establishments, which is what happened to a large hospital in Hollywood. The entire network of the Hollywood Presbyterian Medical Center was locked down by ransomware whose controllers demanded payment in exchange for the “freedom” of the locked patient files.

So why is ransomware fast becoming so popular?

Technology has arrived

Back in 1989 (specifically as depicted by the AIDS Trojan) the idea of ransomware was clearly ahead of its time. It spread through floppy disks and encrypted files through symmetric encryption. Floppy disks had to be distributed by hand (literally), while symmetric encryption suffered from the necessity of having decryption keys accompany the trojan files themselves.

Today, trojans that carry the ransomware payloads can spread much faster through the Internet and other connected networks. Encryption is also now asymmetric, which allows the attacker to tuck the decryption key away in a safe location.

Last but not the least, payment can now be done without the hassles of having to deposit to a physical location. Electronic methods like bitcoins and Ukash allow ransom payment to be delivered in just a few clicks.

There’s also a psychological aspect to it.

Instant pain = instant gratification

For the victims, the impact of a ransomware infection can be felt instantly. They can no longer use their computer and they can no longer access important files. Those effects are different from a data breach wherein, although the potential legal repercussions and damage to reputation are known, they’re not felt immediately.

What’s more, the solution to the problem is clear and easily achieved. To get out of their predicament, victims simply have to pay. If they can afford it, many of them will pay. This reaction of course plays into the hands of the crooks responsible for these attacks because it makes these operations highly lucrative.

$$$RANSOM$$$ = funding for R&D

So then it becomes a vicious cycle. The more victims pay, the faster these cybercrime syndicates get their ROI. The crooks then have enough to invest into research and development. That’s why ransomware like CryptXXX are getting updated and acquiring additional malicious functions.

Countering ransomware

Ransomware infection can be prevented through a combination of proper education and the right malware detection and prevention solutions. For example, users must be trained how to identify suspicious email attachments as well as who to contact in the event that one is encountered. In conjunction with that, your network must be secured by advanced anti-malware solutions that are capable of detecting malicious activity.

A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features that we often take for granted. While these software suites enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all he servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.

What is ImageMagick?

ImageMagick is a commonly used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200) including png, jpeg, bmp, cgm, ico, and many others. Through this library, applications can, for instance:

• Convert images from one format to another;
• Create thumbnails of uploaded images;
• Reduce the number of colors in an image through color quantization or posterization;
• Carry out dithering;
• Resize, rotate, flip, and crop images; or
• Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.

Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

• Content management systems like WordPress and Drupal (that means, over half of the blogs out there rely on it for image processing);
• Social media sites;
• Forums (e.g. phpBB); and
• Wikis

Possible exploits

There are currently a handful of known vulnerabilities in ImageMagick. But the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files through a crafted image and CVE-2016-3714, which allows remote attackers to execute arbitrary code in a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, that particular vulnerability, once successfully exploited, would allow attackers to remotely control a compromised web server.  The attackers could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off the network. In other words, they would be able to do practically anything they want to on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?.

Even when the vulnerability was first discovered, security researchers already believed that it had already leaked to other individuals. And because the exploit is rather basic, the number of threat actors were expected to multiply quickly.

The developers at ImageMagick have released multiple patches, now the onus is on admins and security teams to make sure that their systems are up to date.

You’ve probably browsed pages – some on well-known high traffic sites – that are full of ads with fake download buttons that took you further away from what you were actually searching for, to dark corners of the internet you’d never willingly visit and software you regret downloading. The real intent of these deceptive ads? Malware. Although they’ve been around for quite a while, they are becoming more prevalent. Some don’t even require a click to pass on an infection.

Here are some examples you probably recognize:

Good news for those of you who may not recognize these deceptive ads: Google’s Safe Browsing update aims to minimize your exposure to them. Recently, Google announced a new Chrome feature – as part of its Safe Browsing update – that warns users when they are about to visit sites with these call-to-malware ads. This means that any pages that mimic trusted entities (like your device, browser or the actual site) and trick you into disclosing sensitive information like passwords (that you’d typically only disclose to a trusted entity) will now be flagged by Google. Opening such site would give you the following warning:

The update is turned on by default in Chrome. You can switch it on and off by checking or unchecking the “Protect you and your device from dangerous sites” box located under Preferences in Chrome (Preferences → Settings → Advanced → Privacy).

The ultimate question is: will Google’s latest update keep you completely safe from call-to-malware ads? The answer is most definitely “no.” Even when combined with ad blocking software or applications, Google’s Safe Browsing may not be able to completely keep these ads at bay.

For example, earlier this year, Forbes forced visitors to disable ad blocking software before they could read its content. Since Forbes serves a ‘quote of the day’ and an ad before directing visitors to main content, Google does not accurately cache the page’s content/data. The result was that users were immediately served malware after they disabled ad blockers. Other high profile sites like the New York Times have been victim to similar attacks.

It also looks like it will take a while for Google to compile a comprehensive list of flagged sites. If your site has been flagged, you can follow these instructions to fix the issue.

While Google’s latest Safe Browsing update is an important step towards making the internet a safer space for us, we certainly won’t see the end of malware ads just yet.