Weekly Briefing June 16th 2016
NOT PROTECTIVELY MARKED

Current Threats
- Dridex and Locky Disruption
- Banking Malware Advice
- DMA Locker Ransomware Advice
- DNS TXT used as Command and Control

Incident Reports - South West
- Ransomware – Dorset
- PBX - Somerset
- Preventing PBX

Miscellaneous
- CiSP – Cyber Crime Threats Shared
- Additional Briefing Dissemination

Dridex and Locky disruption

Threat intelligence in relation to the Dridex and Locky malware suggests that activity from these threats has reduced dramatically over the last few weeks. Dridex and Locky use a botnet command and control infrastructure called Necurs, and it is likely that this botnet infrastructure has been disrupted. Necurs is used to pump out hundreds of millions of malware-laden spam emails around the world.

It is unclear from reports what disruption has been made to the botnet or how long it will be before it is back up. However, based on the amount of money being lost to the group running the malware, it may not be long before we see a resurgence of Locky and Dridex.

Preventing Banking Malware

In order to reduce the chances of becoming a victim of the Dridex banking malware, please consider the following:
- Have anti-virus installed and up-to-date.
- Keep operating systems up-to-date and patched.
- Ensure software is up-to-date, for example internet browsers, Java and Adobe.
- Restrict the types of websites staff/you can access.
- Prevent employees from using their own devices at work, e.g. USB devices.
- Remove any banking smartcard from the reader when you are not conducting a transaction, logging on or making amendments as a system administrator.
- Log out from online banking when finished with banking tasks.
- Look out for unusual prompts at login.
- Change passwords often.
- Ideally, organisations should use a stand-alone machine for all online banking, kept separate from their email platform.
- If macros are not commonly used on the computer, disabling them will greatly reduce the chance of infection; alternatively, choose “enable with notifications”, which should prompt you before macros are run.

DMA Locker V3

The south west region, along with the rest of the UK, continues to suffer from significant numbers of ransomware attacks. Colleagues from Police Scotland have identified that the ransomware linked to the email address team2002@gmx.com is DMA Locker version 3.

DMA Locker has many versions. Versions 1 and 2 were decryptable; however, changes made by the group soon fixed that in version 3. Version 4 has also now been seen, and intelligence suggests attackers are gearing up for a massive campaign to distribute this malware. Unlike version 3, which was distributed by malicious email, version 4 has been added to the Neutrino Exploit Kit, resulting in the infection of computers through the browsing of compromised websites.

Preventing Ransomware
- Make sure you have anti-virus software installed and ensure it is up-to-date and running in real time.
- Keep browsers, operating systems, Adobe and other applications up-to-date and patched against vulnerabilities.
- Backups are an absolute necessity in protecting your data. Back up files regularly, store the backups on external storage and physically disconnect the storage from the computer and network between backups. Ensure you verify the backups.
- There are many fake emails with malicious attachments circulating on the Internet. If you receive an uninvited email containing an attachment, do not instantly open it unless you are 100% sure of its origin.
- Beware of unsolicited emails asking you to click on links.
- In the unfortunate case of infection, pull the plug on the computer and internet access.
- Do not pay the ransom as a first response; report to Action Fraud as soon as possible.

The SWRCCU advise not to pay any ransom demands.
This is for three reasons:
- You are not guaranteed to get your data decrypted.
- Further extortion demands may follow.
- It encourages further attacks against other victims.

DNS used for Command and Control

Babcock MSS have recently identified that the APT hacking group Wekby have used the DNS protocol for malware command and control. The Wekby group is a state-sponsored threat actor that has been operating since March 2011. The group is well known for its compromise of the security organisation RSA; however, the group has also been observed targeting government, financial and research institutions across the globe.

The group’s latest malware is called “Pisloader” and uses the DNS protocol for malware command and control (C2). The use of DNS as C2 allows the malware to bypass certain security products and network detection capabilities that may not be inspecting the traffic correctly, or at all. Babcock highlighted that attackers are taking advantage of the DNS TXT record, which enables the attackers to append much more data to the DNS query when attempting to exfiltrate data.

DNS used for Command and Control – ‘Technical’ Explanation

Data is encoded into DNS requests by first generating a 10-byte alphanumeric header, which helps the malware perform session management over the DNS protocol (this can be thought of as a simplified implementation of TCP). The remaining data, whether C2 or exfiltrated data, is base32 encoded and appended to the DNS query, as detailed in the figure below. Highlighted in red is the appended C2.

Advice

Security experts advise that enterprises need to take better care monitoring and controlling DNS traffic, particularly outbound port 53 traffic, in order to identify threats like “Pisloader”, which will increasingly hit their networks as attackers adopt this methodology.
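As an added example of the DNS monitoring recommended above (this is not code from the briefing, from Babcock MSS or from any vendor), the Python script below scores a resolver query log for the traits the briefing attributes to Pisloader-style traffic: a long, base32-looking payload prepended as subdomain labels to a domain the attacker controls, TXT lookups below the zone apex, and repeated hits from one client to one zone. The log line format, the thresholds, the placeholder zone c2-placeholder.test, every host name and the assumption that the zone is the last two labels of the query name are all assumptions of this example. The small _tunnel_name helper exists only to generate constructed test input modelled on the encoding the briefing describes (10-byte header plus base32 data).

```python
"""Heuristic detector for DNS-based command and control in resolver query logs.

Added example, not code from the briefing or from any vendor. Flags queries
that carry a long base32-looking payload in their subdomain labels and/or ask
for TXT records below the zone apex, then counts hits per client and zone.
Every host name, log line and threshold below is constructed for this example.
"""
import base64
import math
import re
from collections import Counter

# RFC 4648 base32 alphabet; DNS names are case-insensitive, so compare upper-cased.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# Constructed log format (assumption, not any real resolver's format):
#   <timestamp> client=<ip> query=<qname> type=<qtype>
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)"
)


def shannon_entropy(text):
    """Bits per character; random base32 text approaches log2(32) = 5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_payload(qname):
    """Return (subdomain labels, zone). Assumes the final two labels are the
    zone the attacker registered; multi-part public suffixes (co.uk) would
    need a suffix list in production."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyse_query(qname, qtype):
    """Score one query and return the reasons it looks like tunnelled data."""
    sub_labels, zone = split_payload(qname)
    payload = "".join(sub_labels).upper()
    reasons = []
    if len(payload) >= 20:
        b32_fraction = sum(ch in BASE32_ALPHABET for ch in payload) / len(payload)
        if b32_fraction >= 0.9:
            reasons.append("base32-like subdomain payload")
        if shannon_entropy(payload) > 3.5:
            reasons.append("high-entropy subdomain payload")
    if len(payload) >= 40:
        reasons.append("unusually long subdomain payload")
    if qtype.upper() == "TXT" and sub_labels:
        reasons.append("TXT lookup below the zone apex")
    return {
        "qname": qname, "zone": zone, "qtype": qtype.upper(),
        "payload_len": len(payload), "reasons": reasons,
        "suspicious": len(reasons) >= 2,   # one trait alone is too noisy
    }


def scan_log(lines):
    """Parse log lines and return the records that scored as suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = analyse_query(m.group("qname"), m.group("qtype"))
        if rec["suspicious"]:
            rec["client"] = m.group("client")
            hits.append(rec)
    return hits


def clients_by_zone(hits):
    """Count suspicious queries per (client, zone); a beaconing host shows
    many hits against a single zone."""
    return Counter((h["client"], h["zone"]) for h in hits)


# --- constructed sample data (test input only) -------------------------------
def _tunnel_name(header, data, zone):
    """Build a sample query name shaped like the briefing's description:
    10-byte alphanumeric session header, then base32 data with padding dropped
    ('=' is not valid in a host name), cut into 63-character labels."""
    body = header + base64.b32encode(data).decode().rstrip("=")
    labels = [body[i:i + 63] for i in range(0, len(body), 63)]
    return ".".join(labels + [zone])


C2_ZONE = "c2-placeholder.test"   # placeholder zone, not a real domain
SAMPLE_LOG = [
    "2016-06-16T09:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2016-06-16T09:00:02Z client=10.0.0.5 query=example.com type=TXT",
    "2016-06-16T09:00:03Z client=10.0.0.5 query=_dmarc.example.com type=TXT",
    "2016-06-16T09:00:04Z client=10.0.0.5 query=d1a2b3c4d5e6f7g8.cdn.example type=A",
    "2016-06-16T09:01:00Z client=10.0.0.23 query="
    + _tunnel_name("A1B2C3D4E5", b"hostname=ws01;user=alice;os=win7", C2_ZONE)
    + " type=TXT",
    "2016-06-16T09:01:30Z client=10.0.0.23 query="
    + _tunnel_name("A1B2C3D4E6", b"hostname=ws01;user=alice;os=win7;dom=corp", C2_ZONE)
    + " type=TXT",
    "2016-06-16T09:02:00Z client=10.0.0.23 query="
    + _tunnel_name("A1B2C3D4E7", b"heartbeat;seq=3;hostname=ws01", C2_ZONE)
    + " type=TXT",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for rec in found:
        print(rec["client"], rec["qname"][:40] + "...", rec["reasons"])
    print(clients_by_zone(found))
```

Run stand-alone, the script reports the three queries from 10.0.0.23 and none of the benign ones. Requiring two traits before a query is flagged is deliberate: DKIM selectors (selector._domainkey.example.com) and _dmarc records are legitimate TXT lookups below the apex and should earn only one reason, while some anti-spam and security products themselves encode data in subdomains and will need an allow-list of known zones once this runs over real traffic.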
Ransomware – Dorset and Cornwall

We have received reports of ransomware attacks affecting businesses based in Dorset and Cornwall. In both cases the victims are believed to have received malicious links via email. The victims opened the links and, within seconds, the encryption process started. After encryption, a message appeared instructing the victim to pay a ransom in order to recover their data.

PBX – Somerset

We have received a report of a PBX attack on a Somerset-based business. The PBX system was compromised and premium rate numbers were called, incurring a bill of £2000.

Preventing PBX Attacks
- Use strong PINs/passwords for your voicemail system, ensuring they are changed regularly. If your voicemail is still on a default PIN/password, change it immediately.
- Disable access to your voicemail system from outside lines. If this is business critical, ensure the access is restricted to essential users and that they regularly update their PINs/passwords.
- If you do not need to call international/premium rate numbers, ask your network provider to place a restriction on your line.
- Consider asking your network provider to block outbound calls at certain times, e.g. when your business is closed.
- Ensure you regularly review available call logging and call reporting options.
- Regularly monitor for increased or suspect call traffic.
- Secure your exchange and communications system, use a strong PBX firewall and, if you don’t need a function, close it down!
- Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.

CiSP - Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT-UK, is an information sharing platform used to share and publish cyber crime threat information.
The aim of the platform is to allow members to take remedial action and modify their organisations to prevent cyber attacks. If you would like to join the CiSP, please sign up at www.cert.gov.uk/cisp and contact us, as we can sponsor you.

Our South West Regional node has now been launched and we welcome you to join our group. This is a place for all businesses and individuals based in the South West to share threat intelligence and updates surrounding cyber security.

Additional Briefing Dissemination

This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction. If you know anyone else who would like to receive this, please send us their email address and we will add them to the distribution list. If you would like to be removed from the list, please send an email to the address below to let us know.

Any comments or queries, please email the South West Regional Cyber Crime Unit at: swrccu@avonandsomerset.pnn.police.uk
www.swCyberCrimeUnit.co.uk