Weekly Briefing
June 16th 2016
NOT PROTECTIVELY MARKED
Current Threats
Dridex and Locky Disruption
Banking Malware Advice
DMA Locker
Ransomware Advice
DNS TXT used as Command and Control
Incident Reports - South West
Ransomware – Dorset
PBX - Somerset
Preventing PBX
Miscellaneous
CiSP – Cyber Crime Threats Shared
Additional Briefing Dissemination
Dridex and Locky disruption
Threat intelligence in relation to the Dridex and Locky malware suggests
activity from these threats has reduced dramatically over the last few weeks.
Dridex and Locky utilise a botnet command and control infrastructure called
Necurs and it is likely that this botnet infrastructure has been disrupted.
Necurs is used to pump out hundreds of millions of malware-laden spam
emails around the world.
It is unclear from reports what disruption has been made to the botnet or how
long it will be before it is back up.
However, given the amount of money the group running the malware is now losing,
it may not be long before we see a resurgence of Locky and Dridex.
Preventing Banking Malware
In order to reduce the chances of becoming a victim of the Dridex banking malware
please consider:
- Have anti-virus installed and up-to-date.
- Keep operating systems up-to-date and patched.
- Ensure software is up-to-date, for example internet browsers, Java and Adobe.
- Restrict the type of websites staff/you can access.
- Prevent employees from using their own devices at work, e.g. USB devices.
- Remove any banking smartcard from the reader when you are not conducting a
transaction, logging on or making amendments as a system administrator.
- Log out from online banking when finished with banking tasks.
- Look out for unusual prompts at login.
- Change passwords often.
- Ideally organisations should utilise a stand-alone machine for all online banking,
kept separate from their email platform.
- If macros are not commonly used on the computer then disabling them will greatly
reduce the chance of infection; otherwise choose "enable with notifications", which
should prompt you before macros are run.
DMA Locker V3
The south west region, along with the rest of the UK, continues to suffer from
significant numbers of ransomware attacks.
Colleagues from Police Scotland have identified that the ransomware linked to
the email address team2002@gmx.com is DMA Locker version 3.
DMA Locker has many versions. Versions 1 and 2 were decryptable; however,
changes made by the group soon fixed that in version 3. Version 4 has also
now been seen and intelligence suggests attackers are gearing up for a
massive campaign to distribute this malware.
Unlike version 3, which was distributed by malicious email, version 4 has been
added to the Neutrino Exploit Kit, resulting in the infection of computers
through the browsing of compromised websites.
Preventing Ransomware
- Make sure you have anti-virus software installed and ensure it is up-to-date
and running in real time.
- Keep browsers, operating systems, Adobe and other applications up-to-date
and patched against vulnerabilities.
- Backups are an absolute necessity in protecting your data. Backup files
regularly, store the backups on external storage and physically disconnect the
storage from the computer and network between backups. Ensure you verify
the backups.
- There are many fake emails with malicious attachments circulating the Internet.
If you receive an uninvited email containing an attachment then do not
instantly open it unless you are 100% sure of its origin.
- Beware of unsolicited emails asking you to click on links.
- In the unfortunate case of infection, pull the plug on the computer and internet
access. Do not pay the ransom as a first response - report to Action Fraud as
soon as possible.
The SWRCCU advise not to pay any ransom demands. This is for three reasons:
- You are not guaranteed to get your data decrypted.
- Further extortion demands may follow.
- It encourages further attacks against other victims.
DNS used for Command and Control
Babcock MSS have recently identified that the APT hacking group Wekby have
utilised the DNS Protocol for malware command and control. The Wekby Group
is a state sponsored threat actor that has been operating since March 2011.
The group is well known for its compromise of the security organisation RSA.
However the group has also been observed targeting government, financial and
research institutions across the globe.
The group’s latest malware is called “Pisloader” and utilises the DNS Protocol
for malware command and control (C2). The use of DNS as C2 allows the
malware to bypass certain security products and network detection capabilities
that may not be inspecting the traffic correctly, or at all.
Babcock highlighted that attackers are taking advantage of the DNS TXT record
which enables the attackers to append much more data to the DNS query when
attempting to exfiltrate data.
DNS used for Command and Control – ‘Technical’ Explanation
Data is encoded into DNS requests by first generating a 10-byte alphanumeric
header which helps the malware perform session management over the DNS
protocol (this can be thought of as a simplified implementation of TCP). The
remaining data, whether C2 traffic or exfiltrated data, is base32 encoded and
appended to the DNS query, as detailed in the figure below. Highlighted in red is
the appended C2.
Advice
Security experts advise that enterprises need to take better care monitoring and
controlling DNS traffic, particularly outbound Port 53 traffic, in order to identify
threats like “Pisloader” that will increasingly hit their networks as attackers utilise
this methodology.
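As an added example (not from the briefing, Babcock or the Pisloader authors), the following Python applies the layout described above as a detection rule over a few constructed DNS query log lines: it flags TXT queries whose subdomain is a 10-character alphanumeric header followed by a body that decodes as base32. The log format, domain names and payloads are constructed, and the queried zone is assumed to be two labels (name.tld).

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample DNS query log (not from the briefing): a benign DKIM TXT
# lookup and an A lookup, then two TXT queries whose subdomain follows the
# Pisloader layout described above (10 alphanumeric header bytes + base32 payload).
SAMPLE_LOG = """\
2016-06-16T09:01:11 src=10.0.0.12 qtype=TXT qname=selector1._domainkey.example.com
2016-06-16T09:01:12 src=10.0.0.12 qtype=A qname=www.example.com
2016-06-16T09:02:03 src=10.0.0.25 qtype=TXT qname=a1b2c3d4e5NBSWY3DPEB3W64TMMQ.c2-placeholder.test
2016-06-16T09:02:04 src=10.0.0.25 qtype=TXT qname=a1b2c3d4e5KRUGS4ZANFZSAYJAONSWG4TFOQ.c2-placeholder.test
"""
HEADER_LEN = 10                                     # session header size per the briefing
B32_RE = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)  # base32 alphabet, '=' padding stripped
LINE_RE = re.compile(r"qtype=(?P<qtype>\w+) qname=(?P<qname>\S+)")

def subdomain_data(qname: str, zone_labels: int = 2) -> str:
    """Labels left of the queried zone, joined without dots (assumes a name.tld zone)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""

def try_b32_decode(body: str):
    """Restore the '=' padding a DNS label cannot carry, then decode; None if invalid."""
    try:
        return base64.b32decode(body.upper() + "=" * (-len(body) % 8))
    except (binascii.Error, ValueError):
        return None

def classify_query(qname: str, qtype: str) -> Dict:
    """Flag a TXT query whose subdomain is <10 alnum header><base32 body>."""
    result = {"qname": qname, "qtype": qtype, "suspicious": False}
    data = subdomain_data(qname)
    if qtype.upper() != "TXT" or len(data) <= HEADER_LEN:
        return result
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    if not header.isalnum() or not B32_RE.match(body):   # DKIM '_' selectors drop out here
        return result
    payload = try_b32_decode(body)
    if payload is not None:
        result.update(suspicious=True, header=header, payload=payload)
    return result

def scan_log(log: str) -> List[Dict]:
    """Return only the flagged queries from a log in the constructed format above."""
    hits = [classify_query(m["qname"], m["qtype"]) for m in LINE_RE.finditer(log)]
    return [h for h in hits if h["suspicious"]]
```

In production the rule is best combined with volume checks (many TXT queries to one zone from one host), since a single long base32-looking label can also occur legitimately.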
Ransomware – Dorset and Cornwall
We have received reports of ransomware attacks affecting businesses based in
Dorset and Cornwall.
In both cases the victims are believed to have received malicious links via
email.
The victims opened the links and, within seconds, the encryption process
started.
After encryption, a message appeared instructing the victim to pay a ransom in
order to recover their data.
PBX – Somerset
We have received a report of a PBX attack on a Somerset-based business.
The PBX system was compromised and premium rate numbers were called,
incurring a bill of £2000.
Preventing PBX Attacks
- Use strong PINs/passwords for your voicemail system, ensuring they are
changed regularly.
- If you still have your voicemail on a default PIN/password, change it
immediately.
- Disable access to your voicemail system from outside lines. If this is
business critical, ensure the access is restricted to essential users and they
regularly update their PINs/passwords.
- If you do not need to call international/premium rate numbers, ask your
network provider to place a restriction on your line.
- Consider asking your network provider to block outbound calls at certain
times, e.g. when your business is closed.
- Ensure you regularly review available call logging and call reporting options.
- Regularly monitor for increased or suspect call traffic.
- Secure your exchange and communications system, use a strong PBX firewall
and if you don’t need the function, close it down!
- Speak to your maintenance provider to understand the threats and ask them
to correct any identified security defects.
CiSP - Cyber Crime Threats Shared
The Cyber Security Information Sharing Partnership (CiSP), which is run by
CERT-UK, is an information sharing platform used to share and publish cyber
crime threat information.
The aim of the platform is to allow members to take remedial action and modify
their organisations to prevent cyber attacks.
If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp
and contact us as we can sponsor you.
Our South West Regional node has now been launched and we welcome you to
join our group. This is a place for all businesses and individuals based in the
South West to share threat intelligence and updates surrounding cyber security.
Additional Briefing Dissemination
This document has been given the protective marking of NOT PROTECTIVELY
MARKED and may be disseminated outside law enforcement with no restriction.
If you know anyone else who would like to receive this, please send us their email address and we will add them to the distribution list.
If you would like to be removed from the list please send an email to the
address below to let us know.
For any comments or queries, please email the South West Regional Cyber
Crime Unit at:
swrccu@avonandsomerset.pnn.police.uk
www.swCyberCrimeUnit.co.uk