More Ransomware called Locky

A new type of ransomware, Locky, is currently taking the internet by storm. It is being spread through Office 365 or by an email posing as an invoice, which carries a Word document attachment with embedded macros. It encrypts everything, and you either have to wipe your PC or pay between $200 and $800 to decrypt it.

*Locky also has the ability to encrypt your network backups, so beware!*

Kevin Beaumont, along with Larry Abrams of BleepingComputer, initially discovered the Locky ransomware.

Here is an excerpt from The Hacker News (hackernews.com): “Once a user opens a malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file and finds the content scrambled and a popup that states ‘enable macros’.

Here comes the bad part:
  • Once the victim enables the macro (malicious), he/she would download an executable from a remote server and run it.
  • This executable is nothing but the Locky Ransomware that, when started, will begin to encrypt all the files on your computer as well as on the network.
Locky Ransomware affects nearly all file formats and encrypts all the files and replaces the filename with a .locky extension.”

You can read more about Locky at Kevin’s blog post here:

https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.6lomlhy32

Time to move those backups from network accessibility!!
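The infection chain above ends with files renamed to .locky, and the warning about network backups is what makes that rename pattern worth alerting on. As an added example (not from the original post or from any of the researchers mentioned), the following Python detection logic runs over a constructed file-rename audit log and flags a process that renames many files to .locky within a short window, also noting whether any of those files sat on a UNC network share such as a backup server. The pipe-delimited log format, the process name payload_example.exe, and every path in the sample are constructed for illustration and are not real indicators.

```python
"""Flag a Locky-style mass-rename burst in file-system audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".locky"

# Constructed sample audit log (not real telemetry). One event per line:
# ISO timestamp | process image | old path | new path ("-" when the event is not a rename)
SAMPLE_LOG = r"""
2016-02-17T09:00:01|WINWORD.EXE|C:\Users\bob\Downloads\invoice.doc|-
2016-02-17T09:00:04|EXPLORER.EXE|C:\Users\bob\notes.txt|C:\Users\bob\notes.bak
2016-02-17T09:00:10|payload_example.exe|C:\Users\bob\Documents\budget.xlsx|C:\Users\bob\Documents\A1B2C3D4E5F60718.locky
2016-02-17T09:00:11|payload_example.exe|C:\Users\bob\Documents\plan.docx|C:\Users\bob\Documents\0F1E2D3C4B5A6978.locky
2016-02-17T09:00:12|payload_example.exe|C:\Users\bob\Pictures\kids.jpg|C:\Users\bob\Pictures\1122334455667788.locky
2016-02-17T09:00:13|payload_example.exe|\\fileserver\backups\db_full.bak|\\fileserver\backups\99AABBCCDDEEFF00.locky
2016-02-17T09:00:14|payload_example.exe|\\fileserver\backups\db_log.trn|\\fileserver\backups\FFEEDDCCBBAA9988.locky
2016-02-17T09:05:00|EXPLORER.EXE|C:\Users\bob\Desktop\test.txt|C:\Users\bob\Desktop\test.locky
""".strip()


def parse_log(text):
    """Parse pipe-delimited audit lines into (timestamp, process, old_path, new_path)."""
    events = []
    for line in text.splitlines():
        ts, proc, old, new = line.split("|")
        events.append((datetime.fromisoformat(ts), proc, old, None if new == "-" else new))
    return events


def is_network_path(path):
    """True for UNC paths (e.g. \\\\fileserver\\backups), i.e. files on a network share."""
    return path.startswith("\\\\")


def detect_locky_bursts(events, threshold=5, window_seconds=60):
    """Alert when one process renames at least `threshold` files to .locky inside `window_seconds`.

    A single rename to .locky (a curious user, a test file) does not fire; a burst from
    one process does, which is the behaviour the ransomware shows while encrypting.
    """
    hits = defaultdict(list)
    for ts, proc, old, new in events:
        if new is not None and new.lower().endswith(RANSOM_EXT):
            hits[proc].append((ts, old))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for proc, renames in hits.items():
        renames.sort()
        start = 0
        for end in range(len(renames)):
            # Slide the window start forward until the span fits inside window_seconds.
            while renames[end][0] - renames[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "process": proc,
                    "count": len(renames),
                    "first_seen": renames[start][0].isoformat(),
                    # Backups reachable over the network are exactly what the post warns about.
                    "network_share_hit": any(is_network_path(p) for _, p in renames),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_locky_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately conservative so that one stray rename does not page anyone; the `network_share_hit` flag is the part that matters for the backup warning, because a process that has started rewriting files on a UNC path is already past the workstation.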

Firestorm Vulnerability p0wning Next Gen Gateways.

I wanted you to be aware of a vulnerability called Firestorm. Some say it does not exist, or that it can’t be used. However, it does in fact exist and totally works! The folks at BugSec actually demonstrate it here. Check it out:

http://www.bugsec.com/news/firestorm-movie/

It is very important that the vendor you pick for a security gateway does in fact provide security, and not just an easy button for deployment.

Moreover, as I mentioned in an earlier post about vendors patching their stuff, they need to do it quickly when they find such a vulnerability. If not, well then I recommend another vendor. I have been an Incident Responder for a long time and have a few stories.

By the way, the specific vendor being p0wned is not Check Point.

Does your Security Vendor take a long time to patch their stuff??

Ask yourself: if your Security Vendor knows about a vulnerability and chooses to ignore it, how would that make you feel?? How would you feel if this happens quite a bit???

Check Point found a vulnerability in FireEye (see below).
Timeline (CVE-2014-5046):
  • Vendor notified: July 24th 2014
  • Vendor patch: July 7th 2015
  • Total time taken to patch the vulnerability: 349 DAYS

It isn’t the fact that there is a vulnerability (and Check Point found it for them, HA!); it is HOW LONG it took them to fix it!!

Guys, we can find your mistakes, but we can’t fix your code for you – just saying.

https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/2015-q4-security-vulnerability-advisory.pdf

It isn’t about having a vulnerability – It is about how fast the vendor does something about it.

Bad Google App returns – AGAIN :-(

Check Point originally found a malicious family of apps in the Google Play store. These apps were removed, and now they seem to have reappeared. Beware of this!! According to Check Point, the app and the other apps in its family (called BrainTest) root the device.


Read the article here: http://blog.checkpoint.com/2016/01/21/in-the-wild-mobile-security-observations-from-the-check-point-research-team-3/

Original post from September http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

This app uses a few anti-removal techniques to stay on your device – beware!! However, should you get this app or be concerned about such apps, Check Point’s Mobile Threat Prevention can definitely help.

Fortinet Backdoor

Security Week posted an article with the title “Fortinet Says Backdoor in FortiOS Not Malicious”

The article goes on to say: “A security hole affecting older versions of Fortinet’s FortiOS operating system allows attackers to gain unauthorized access to vulnerable devices, but the vendor says it’s not a malicious backdoor.”

Uhhhhhh… yeah.

Check out the article here.

http://www.securityweek.com/fortinet-denies-existence-malicious-backdoor-fortios

You’re watching TV – Is it also watching you?

Check Point Software recently discussed EZCast on its blog. (See the full post here: http://blog.checkpoint.com/ )

“It’s an HDMI dongle-based TV streamer that converts your regular TV into a smart TV and allows you to connect to the Internet and other media.”

“Since the EZCast dongle runs on its own Wi-Fi network, entering the network is actually quite easy. This network is secured only by an 8-digit numeric password, which can be easily cracked.”

Check Point discusses the information leakage that becomes possible once the password has been brute-forced (which they did successfully).

They further go on to ask the question “Would you sell access to your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.”

Since there are roughly 5 million users and EZCast has not bothered to address this, all I can say is enjoy that movie marathon.

Muhahahahahahahaha !!!!


References:

http://blog.checkpoint.com/

Palo Alto Networks boxes spray firewall creds across the net

This was the title of a security blog post from a year ago at hackbusters.com.

The site goes on to state “The mess is a result of a user control module being allowed to operate in untrusted zones, rather than a vulnerability in Palo’s kit.”

The full article is at theregister.co.uk, which quotes HD Moore as saying the flaw can “expose organizations to remote compromise”, noting that attackers could use off-the-shelf tools to bounce authentication to external customer NTLMSSP infrastructure such as SSL VPNs, Outlook Web Access, and Microsoft IIS web servers.

“Palo Alto Networks’ response is an advisory pointing users to best practice guidelines to harden their kit.”

You can read the article here:

http://www.hackbusters.com/news/stories/135922-palo-alto-networks-boxes-spray-firewall-creds-across-the-net

My two cents: interesting that their default isn’t hardened to begin with… just saying.

References:

http://www.hackbusters.com/news/stories/135922-palo-alto-networks-boxes-spray-firewall-creds-across-the-net

http://www.theregister.co.uk/2014/10/21/palo_alto_customers_spray_net_with_firewall_creds/