GPS technology is more at risk from cyber attack than ever before, security expert demonstrates at VB2016

Posted by Virus Bulletin on Sep 14, 2016

An interview with VB2016 presenter Oleg Petrovsky of HPE Security research.

Meeting Oleg Petrovsky, a senior anti-malware researcher at HPE Security research, is an experience. This tall, softly spoken fellow, now based in New York State, has a bright and unforgiving curiosity.

Oleg’s keenness of mind shines throughout his VB2016 paper. This is a researcher on a mission: raise awareness of the inherent vulnerabilities in the GPS system and provide recommendations and advice to help others uncover and prevent attacks.

Oleg will describe and categorize GPS attack methods that can be achieved with a limited budget and with a high rate of repeatability, including delayed retransmissions, record and playback, and direct signal synthesis.

During the presentation a number of countermeasures against GPS spoofing will be discussed, proposed and demonstrated.

With VB2016 in Denver less than a month away, VB chatted with Oleg to get a better understanding of why this research is so important to society.

Virus Bulletin: What attracted you to this subject, Oleg?

Oleg Petrovsky: GPS technology is not new. The latest version of GPS infrastructure has been widely used by the military since the 1990s. Over the past 15 years, with the advent of cheaper and more sensitive GPS receivers, GPS technology has secured its place in many civilian applications.

One notable aspect has to do with the core functionality. Twenty-year-old technology is still in use. The problem is that the civilian portion of it was not designed to deal with the current GPS threat landscape.

It is important to realize how vulnerable GPS is to malicious attacks. The possibility of attacks on GPS systems has been theorized since the early 2000s, but it has largely been left to state-sponsored actors or academic researchers to unveil its vulnerabilities due to the costs involved.

This was fine until affordable Software Defined Radio (SDR) technologies became generally available. That’s when the possibility of GPS attacks turned into a very real threat.

VB: Can you just give us a quick recap on GPS technology and how it is used?

OP: Most people don’t stop to think how dependent they have become on GPS technology.

GPS technology is already incorporated into many ubiquitous services that are taken for granted, with increasingly more applications leveraging it.

Power grid nodes are one example. They partially rely on GPS atomic clocks for power grid network synchronization. The same applies to cell phone towers and real-time financial market transaction services.

Another interesting example is the Automatic Identification System (AIS) used for tracking ships at sea. As part of its service, it relies on GPS to determine the location of a vessel.

More recent examples of GPS use include unmanned aerial and ground systems, self-driving cars, car tracking units used for mileage monitoring and insurance purposes, augmented reality games, and more.

VB: And why would you say that GPS technology is vulnerable?

OP: GPS technology in its current form dates back to the early 90s, and many things that were considered to be secure back then are no longer fit for purpose.

In addition, the GPS core was predominantly conceived for military applications. The military portion of the GPS signal is still way more secure than its civilian counterpart. It seems that the GPS for civilian use hasn’t been as important to secure.

Despite a number of academic articles and proof-of-concept demonstrations, we’re still largely unaware of GPS-attack vectors. I thought it would be a good idea to raise awareness of the subject and show how easily an attack can be carried out using limited and readily available resources.

I also would like to start a discussion in the community on possible mitigations of such threats.

To encourage research investment, I plan to show a few demonstrations recorded earlier in a controlled environment, such as hijacking a consumer drone by spoofing the GPS signal with a moderately priced equipment setup.


VB: That will be a great demo to see. But what type of person today would use GPS technology for nefarious purposes?

OP: There are many scenarios in which altering the GPS signal can lead to disastrous consequences, such as taking a ship or a drone off course, or disrupting a power or cell service grid.

Adversaries can fake a geographical location for a number of personal gains, such as altering mileage, location and speed tracking devices for insurance purposes; gaining an edge in augmented reality games; and falsifying evidence pertinent to law enforcement organizations.

Adversaries could range from state-sponsored terrorist cells to avid Pokémon Go players.

VB: Have you presented at VB before?

OP: Last year I presented on the security of unmanned aerial systems. Interestingly enough, I theorized that an attacker could take control of a drone by spoofing the GPS signal in its flight path. This led me to this year’s presentation.

VB: A question from left field now: which five people across history would you invite to the ultimate dinner party?

OP: That is a tough one! I don’t think I would be able to manage a party with these Titans, but I certainly would have loved to learn from them, and even have them as my mentors. In no particular order, and amongst many deserving others: the Dalai Lama, Richard Feynman, Jeri Ellsworth, Richard Branson and Roger Waters.

VB: I love the idea of the Dalai Lama and Richard Branson conversing – imagine the topics that would come up! One last question: what do you do to relax when not out saving the world?

OP: I play a bit of guitar, learn to dance the Argentine tango, and do some rock climbing when I have time.


Quantum Internet Edges Closer As Researchers Teleport Photon State Six Kilometers Away

Researchers from the University of Calgary, Canada, teleported the state of a photon (particle of light) over a six kilometer distance through a “dark fiber” cable. The accomplishment set a new record in quantum teleportation, getting us a little closer to having quantum networks, and ultimately a quantum internet.

Rise Of Quantum Systems

Over the past few years, research into quantum computers and quantum networks has increased as more academics and technology companies began to believe that we may be close to figuring out just how to make these systems work, and then use them outside of the lab.

We’ve seen D-Wave announce a more specialized type of quantum computer and upgrade it every few years. More recently, IBM and Google have announced their working universal quantum computers. We’ve also seen research showing that quantum computers could be built on silicon (as opposed to more expensive materials). Even the NSA has begun warning that the day when quantum computers will break existing forms of encryption is sooner than we think.

Quantum networks are a somewhat different area of research, but still relevant to the quantum field as a whole. If we can teleport information, we may be able to drastically increase the amount of information we can send through networks, and the speed at which we send it, too.

A quantum internet would be beneficial to quantum computers in the same way our regular internet is beneficial to traditional computers. Quantum networks could also aid in protecting communications against eavesdropping, although the jury is still out on how effective that would actually be.

Calgary’s Experiment

The experiment done by the researchers from the University of Calgary involves using quantum “entanglement,” a process they explain below:

“Being entangled means that the two photons that form an entangled pair have properties that are linked regardless of how far the two are separated,” explained Wolfgang Tittel, professor in the Department of Physics and Astronomy at the University of Calgary and leader of the project.

“When one of the photons was sent over to City Hall, it remained entangled with the photon that stayed at the University of Calgary.”

The photon whose state was teleported to the university was generated at a third location in Calgary; it also travelled to City Hall, where it met the photon that was part of the entangled pair.

“What happened is the instantaneous and disembodied transfer of the photon’s quantum state onto the remaining photon of the entangled pair, which is the one that remained six kilometres away at the university,” said Tittel.

Tittel’s group had to overcome some significant challenges along the way. One of the main issues was that the changing outdoor temperature altered when the photons arrived at City Hall. The two photons were eventually timed to arrive within 10 picoseconds of each other (a picosecond is one trillionth, that is, one millionth of one millionth, of a second).

Towards A Global Quantum Internet

The long-term goal of the Tittel group is to create the basic building blocks for a global quantum internet. The City of Calgary will aid in this task by offering access to “dark fiber,” which got its name from its composition; it’s a single optical cable with no electronics or equipment to interfere with the quantum technology.

“By opening The City’s dark fiber infrastructure to the private and public sector, non-profit companies, and academia, we help enable the development of projects like quantum encryption and create opportunities for further research, innovation and economic growth in Calgary,” said Tyler Andruschak, project manager with Innovation and Collaboration at The City of Calgary.

“The university receives secure access to a small portion of our fibre optic infrastructure and The City may benefit in the future by leveraging the secure encryption keys generated out of the lab’s research to protect our critical infrastructure. In order to deliver next-generation services to Calgarians, The City has been increasing its fibre optic footprint, connecting all City buildings, facilities and assets,” added Andruschak.

Source: Tom's Hardware

http://www.tomshardware.com/news/quantum-internet-photons-teleportation,32735.html

Guest blog: Nemucod ransomware analysis

Posted by    on   Sep 2, 2016


In the run up to VB2016, we invited the sponsors of the conference to write guest posts for our blog. In the third of this series, Webroot’s Jesse Lopez writes about the Nemucod ransomware.

Note: some security vendors refer to the downloader component alone (which has been seen to download other kinds of malware as well) as ‘Nemucod’. This analysis focuses on both the downloader and the ransomware.

Nemucod is a piece of ransomware that changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but one thing has remained constant: it is deployed via bogus shipping invoice spam messages.

The JavaScript initially received in a spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easy to modify and re-deploy, and in most cases, it has bypassed anti-virus and spam protection. However, a flaw has been found in the encryption routine, which allows victims to recover their files.

  • January 2016: Nemucod changes file names to ‘.crypted’, but does not actually encrypt them.
  • March 2016: Adds XOR encryption using a 255-byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file.
  • April 2016: 7-Zip is used instead, which creates an archive to password-protect files.
  • April 2016: Instead of a hard-coded key, the JavaScript generates a key and passes it as an argument to the downloaded executable, which encrypts the first 1024 bytes of each targeted file.
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes.
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file.

The following is an example of an email used to distribute Nemucod:

[Removed picture: example email]

After opening the email attachment, you can see that the file located inside is a JavaScript file cleverly disguised as a .doc. The file appears to be a .doc for users with the folder option setting ‘hide extensions for known file types’ enabled:

[Removed picture: attachment appearing to be a .doc file]

JavaScript analysis

When the sample is first opened, it is heavily obfuscated; this is done by design as a means to thwart AV analysis and static detection:

[Removed picture: obfuscated JavaScript]

After de-obfuscating the script, I found that several compromised domains are used to store multiple files for use later on in the execution routine. Of the downloaded files, we can see that the first two (a1.exe and a2.exe) are designed as backdoors to the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the third and fourth files to be downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter, which allows the ransomware (a.php – the fifth file to be downloaded) to run.

[Removed pictures: de-obfuscated JavaScript]

Analysis of a.php

At first we saw several samples of a.php written in plain text without obfuscation, but the developers soon changed this to thwart static detection techniques. The obfuscation techniques below either use chr() to encode each character as its ASCII code number, or use array() to store the PHP script as a list of string fragments.

Examples of obfuscated ransomware variants

chr()

[Removed picture: chr() obfuscated a.php]

To de-obfuscate this, I converted all of the chr values to ASCII characters and finally decoded the stored base64 to get the original script.

Array()

[Removed picture: array() obfuscated a.php]

To de-obfuscate this, I echoed the output of implode for all of the arrays (and removed eval), using the following at the end of the script:

;echo implode($f,""); ?>
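Both de-obfuscation steps above (joining the chr() chain and base64-decoding the result; joining the array() fragments instead of eval'ing them) can be done statically, without running the script through a PHP interpreter at all. The following Python is an added example written for this edit, not code from the post, from Webroot or from the malware: it walks the source text, rebuilds the string the chr() calls would produce, base64-decodes it when the script wrapped it in base64_decode(), and for the array() form extracts the double-quoted fragments with a small parenthesis-aware scanner (a plain regex would stop at the first ')' inside a fragment such as "limit(0);"). The two sample inputs are constructed to mimic the shapes described in the post and are not the real a.php.

```python
import base64
import re

# Constructed samples (not taken from the post) in the two shapes described above:
# a chain of chr() calls that spells out a base64 blob handed to eval(base64_decode()),
# and an array() of string fragments glued back together with implode() and eval'd.
CHR_SAMPLE = (
    "<?php eval(base64_decode("
    + ".".join("chr(%d)" % b for b in b"c2V0X3RpbWVfbGltaXQoMCk7")
    + ")); ?>"
)
ARRAY_SAMPLE = (
    '<?php $f=array("set_time_", "limit(0);", "$k=\\"a2V5\\";");'
    ' eval(implode($f,"")); ?>'
)

CHR_CALL = re.compile(r"chr\(\s*(\d+)\s*\)")
PHP_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def join_chr_chain(src: str) -> str:
    """Concatenate the characters produced by every chr(N) call in the source."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(src))


def deobfuscate_chr(src: str) -> str:
    """Static version of the chr() step: build the string, then base64-decode it
    when the script wraps the result in base64_decode()."""
    joined = join_chr_chain(src)
    if "base64_decode" in src:
        return base64.b64decode(joined).decode("utf-8", errors="replace")
    return joined


def array_literal_body(src: str) -> str:
    """Return the text inside the first array( ... ), honouring parentheses that
    appear inside double-quoted fragments (a naive regex would stop at 'limit(0);')."""
    start = src.index("array(") + len("array(")
    depth, in_str, i = 1, False, start
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
        i += 1
    raise ValueError("unterminated array( literal")


def unescape_php_dq(fragment: str) -> str:
    # Only the escapes this fragment style needs (assumption: \" and \\).
    return fragment.replace('\\"', '"').replace("\\\\", "\\")


def deobfuscate_array(src: str) -> str:
    """Static version of 'echo implode($f,"")': join the array() fragments in source
    order instead of letting eval() run the result."""
    fragments = PHP_DQ_STRING.findall(array_literal_body(src))
    return "".join(unescape_php_dq(f) for f in fragments)


if __name__ == "__main__":
    print(deobfuscate_chr(CHR_SAMPLE))      # set_time_limit(0);
    print(deobfuscate_array(ARRAY_SAMPLE))  # set_time_limit(0);$k="a2V5";
```

Doing it statically matters because the "echo instead of eval" trick in the post still executes everything else in the script; on a real sample, prefer the static path and only fall back to a sandboxed interpreter when a layer cannot be peeled off by hand.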

De-obfuscated:

[Removed picture: de-obfuscated a.php]

The PHP script first uses ‘set_time_limit(0);’ to keep the interpreter running.

A recursive TREE function is then used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check whether the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, the script stores that file name and path in the variable ‘$fp’, and a new variable, ‘$x’, is assigned the result of fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base64 string) to encrypt the files.
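The directory walk and the first-1024-bytes detail above translate directly into two defender-side checks: an inventory of which files a sample carrying these two lists would touch, and a triage of how much of a suspect file was actually rewritten. The following Python is an added example written for this edit, not code from the post or from the malware. The two regexes are copied from the post; the folder list is applied here as a skip list, which is my reading of the TREE description and not something the post states. The sample directory tree and the prefix-rewrite stand-in (a bitwise complement of the first 1024 bytes) are constructed for the example and are not Nemucod's routine.

```python
import os
import re
import tempfile

# Both regexes are copied from the post. The folder list is applied as a skip list
# (my reading of the TREE description; the post does not state the direction).
SKIP_DIR_RE = re.compile(
    r"winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming"
    r"|msoffice|temporary|cache", re.IGNORECASE)
TARGET_EXT_RE = re.compile(
    r"^(?:zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice"
    r"|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg"
    r"|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj"
    r"|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd"
    r"|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg"
    r"|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm"
    r"|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$", re.IGNORECASE)

PREFIX_LEN = 1024  # bytes the June-August 2016 variant reads and rewrites (from the post)


def targeted_files(root: str) -> list:
    """Walk root the way the post describes TREE: descend into directories whose
    names are not on the folder list and report files whose extension is targeted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not SKIP_DIR_RE.search(d)]
        for name in filenames:
            ext = name.rsplit(".", 1)[1] if "." in name else ""
            if TARGET_EXT_RE.match(ext):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed directory layout for the example (temporary, not real user data)."""
    root = tempfile.mkdtemp(prefix="nemucod-inventory-")
    for rel, size in [("Documents/report.docx", 4096), ("Documents/notes.txt", 64),
                      ("Pictures/holiday.jpg", 8192), ("src/main.cpp", 512),
                      ("AppData/Roaming/settings.sql", 256), ("Windows/Temp/old.zip", 128)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
    return root


def simulate_prefix_rewrite(data: bytes, n: int = PREFIX_LEN) -> bytes:
    """Stand-in for a first-n-bytes rewrite: complements the prefix and leaves the
    tail untouched. This is NOT Nemucod's routine, only its shape."""
    return bytes(b ^ 0xFF for b in data[:n]) + data[n:]


def changed_prefix_length(original: bytes, suspect: bytes) -> int:
    """How many leading bytes differ between a clean copy (e.g. from backup) and the
    suspect file. Returns -1 if sizes differ, which rules out a prefix-only rewrite."""
    if len(original) != len(suspect):
        return -1
    last = -1
    for i, (a, b) in enumerate(zip(original, suspect)):
        if a != b:
            last = i
    return last + 1


if __name__ == "__main__":
    print(targeted_files(build_sample_tree()))
    clean = bytes(range(256)) * 8
    print(changed_prefix_length(clean, simulate_prefix_rewrite(clean)))  # 1024
```

The inventory shows what the extension list leaves alone (plain .txt, for instance) as well as what it hits, and the prefix measurement is the practical consequence of the routine described above: when only the first 1024 bytes of a file were rewritten, everything after that offset is still the original data, which is the starting point for any recovery effort and a useful fact to record during incident triage.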

It’s 2016. Can we stop using MD5 in malware analyses?

Posted by Martijn Grooten on Jul 26, 2016


When a security researcher comes across a new piece of malware, the first thing he (or she) does is check the file hash to see if it has been seen, or maybe even analysed, before. For that reason, if the researcher does end up writing an analysis, it is considered good practice to add the hashes of the analysed samples to the report.

It is still fairly common for these hashes to be generated using the MD5 algorithm, which is odd given that it was officially broken in 2004, when a collision was found. Since then, it has been broken a lot further, and in 2012 it was found that the Flame malware exploited weaknesses in MD5 to create a fake certificate to sign updates supposedly coming from Microsoft.

In recent months I have given a number of presentations on the exploitability of weaknesses in cryptographic protocols, my conclusion being that, while we should stop using weak protocols, the risks vary from small to negligible.

This is also true when it comes to using MD5 hashes in malware analyses. Firstly, to create another file with the same hash as a given piece of malware is not a trivial task, to put it mildly. And secondly, the harm someone with this power could do would likely be restricted to creating some frustration.

Still, there is a strong argument as to why using MD5 is bad even in this case: it reinforces bad practices. Some security products still use MD5 internally, and there have been reported cases of products using MD5 hashes to whitelist previously analysed suspicious files. Given that it would be feasible to create two executables, one malicious and the other harmless, with the same MD5 hash, an attacker could send the harmless file to such a product first and then take advantage of the whitelisting to get a free pass for the malicious file.

So let’s just stop using MD5 everywhere. And, while we’re at it, do the same with SHA-1, a collision for which is expected to be found this year, and skip straight to SHA-256.

Finally, if you’re worried that your Tweets will be too long if you use SHA-256 hashes to refer to malware samples, use a link to the file’s report on VirusTotal or malwr.com instead, which takes up fewer characters than even MD5. Or, if you really want to, find a way to encode SHA-256 hashes into emojis.


Spreading Malware Through Dropped USB Sticks Could Be Highly Effective, Research Finds

Elie Bursztein of Google’s anti-abuse research team tested how effective spreading malware through “lost” USB sticks would be on a university campus. He found that 98 percent of the 297 dropped USB sticks were picked up, and that almost half (45 percent) of the people who found them opened the files stored on the sticks.

Most operating systems, with the exception of Qubes OS, don’t isolate USB drives from the rest of the system by default. Therefore, if there is malware on them, it could infect the system either through user action (clicking on the files) or even without any user action, through firmware vulnerabilities.

Testing People’s Behavior Around “Lost” USB Drives

Bursztein, the researcher behind this project, also tested whether giving the sticks various labels, such as “Confidential” or “Exams,” would influence the behavior of those who found them. He discovered that when the sticks were labeled, the people finding them were more likely to open them on their PCs than when the sticks had no label at all. However, he also found that drives that had a return address on them were much less likely to be opened.

To further test the behavior of those who found the sticks, Bursztein also labeled the files as “private” on sticks that came with physical keys attached, were labeled with a return address, or were unlabeled. The files on the “confidential” sticks were labeled “business.” None of the files had the expected content, though: they were all HTML files with embedded images that loaded from the researcher’s server, which let him see which files had been opened.

Upon opening the files on the drives, the users were asked if they wanted to participate in a survey, with the possibility of earning a gift card. About 20 percent of them agreed. Over two thirds of those who agreed said that they intended to return the sticks to their owners, 18 percent said they were “curious” about what was in them, and 14 percent gave other explanations.

Potential Attack Vectors

There are multiple ways in which the users could have been infected. The HTML files on which they clicked could have activated malicious code when they were opened, or the users could’ve been redirected to a phishing site that would then try to steal their credentials. There’s also the possibility that an attacker could put malicious executable files on the USB drives. Then, if users clicked on them and allowed the files to run, their systems would’ve become infected.

Alternatively, attackers could use devices that physically look like USB sticks but would be recognized by a computer as keyboards. This is a more sophisticated attack done through HID (Human Interface Device) spoofing. It allows attackers to “inject” some keystrokes as a set of commands into the systems, which would then give the attackers remote access to those systems.

The most sophisticated type of attack done by seeding USB sticks is one that takes advantage of zero-day vulnerabilities in a computer’s USB drivers. This is a method that’s used more often by state-sponsored attackers. One example of such an attack is the infamous Stuxnet malware, which infected Iran’s nuclear facilities.

Because of the complexity and cost, attacks that take advantage of USB firmware zero-days should be more rare. However, large organizations should still be on the lookout for those, as that’s one way large data breaches could happen. Most regular users would be targeted more often with keyboard-spoofing devices that look like USB sticks, or real USB sticks that contain malicious files, which the users may access out of curiosity.

Security researchers recommend that you don’t insert random USB sticks into your computer. If you have to open them, at least keep your system’s patches up to date. Ideally, one would only open them in a virtual machine set up specifically for such risky scenarios, or on a system that doesn’t allow writing to its own drive.

Source: Tom's Hardware

http://www.tomshardware.com/news/dropped-usb-sticks-spreads-malware,32391.html

Panda Security Dissects the “Cyber-Pandemic”

Economic gain is the fuel that motivates cyber-criminals. Thousands of stolen credit cards, infected computers and POS terminals, and kidnapped information are what cyber-criminals use to make large sums of money. The victims are in the line of fire, and are willing to pay ransoms to get their private information back.

Recently we have seen large-scale attacks designed specifically for particular industries, such as the hotel sector or certain financial institutions, but can you imagine what would happen if a hospital fell into the hands of a cyber-criminal? PandaLabs, Panda Security’s anti-malware laboratory, presents a new whitepaper, “The Cyber-Pandemic”, with examples of real threats that sound like science fiction but can affect us all.

A History of Attacks

The healthcare industry is technologically advanced, but it also has serious security flaws, which makes it an easy target for cyber-criminals. Add to that the immense amount of highly sensitive information managed by hospitals, pharmacies and health insurance providers, and the high price it fetches on the black market, where a medical history is worth much more than a credit card, and it is easy to understand why this was the most attacked industry last year.

A Timeline of the Most Notorious Attacks

2008: The University of Utah Hospital and Clinics announced that the private information of 2.2 million of their patients had been compromised. The information was stored on backup tapes held by a subcontracted external employee who failed to comply with the established protocols.

2015: One of the most infamous attacks was aimed at Anthem, the second largest insurance company in the United States. In this attack 80 million customer records were stolen, including sensitive data such as Social Security numbers.

2016: The cyber-attack that hit the Hollywood Presbyterian Medical Center in Los Angeles left their employees without access to patient medical records, emails and other systems. As a result, some patients could not receive treatment and had to be transferred to other hospitals. What was the ransom? 3.7 million dollars.

They Can Hack Our Health

These attacks have demonstrated that cyber-criminals are capable of shutting down all hospital activity. When we take into account all the medical equipment that is connected to the network, we can imagine how this cyber-pandemic could affect any ordinary person.

In 2013, former U.S. Vice President Dick Cheney revealed that his doctors disabled wireless communication on his pacemaker because they saw that it was highly possible for someone to remotely attack his device if they wanted to. Globally known hackers have demonstrated how it is possible to remotely alter a portable insulin pump that is used by thousands of diabetics or how to remotely manipulate a pacemaker in order to send a life-threatening electric shock.

In a hospital room, everything from the belts that raise your feet to the infusion pump that injects your medicine is connected to a computer. To demonstrate how easy it is to access this equipment, a number of these machines were tested to alter the dose of medicine to lethal levels. This can be done on more than 400,000 of these pumps throughout the world that remain vulnerable.

How Can We Avoid These Attacks?

It is important to note that paying a ransom does not guarantee that stolen documents or information will be returned; in none of these examples did the ransom payment ensure that the victim got their documents back. It is better to avoid the situation altogether. Here are some of PandaLabs’ recommendations on how to avoid a cyber-pandemic:

  • Depend on a cyber-security solution that has both advanced protection functionalities and is also able to detect and remedy possible threats.
  • There is something in common in all of the systems that were targeted in the attacks: a lack of control. What would have helped prevent these attacks is a cyber-security solution that is capable of controlling all running processes, in every machine, connected to the network.
  • Revise staff policies and control systems in order to adjust the privacy requirements and adapt them to available technology.
  • Keep all operating systems and company devices updated.

To help the Healthcare sector stay ahead of cyber-crime, Adaptive Defense 360 offers complete security to fight off attacks. Adaptive Defense 360 provides everything that your company may need to remedy known vulnerabilities.

Microsoft Offers Same-Day Windows 10 Upgrade For Your Windows Device Or You Get A Free Dell Inspiron 15

Microsoft’s offer of a free Windows 10 upgrade ends in a little over a week. However, the company is still attempting to attract more people to the new operating system with a new promotion. You can bring your Windows device to a local Microsoft Store and get a same-day upgrade to Windows 10. If Microsoft cannot upgrade the device to Windows 10 by the end of the business day, the company will give you a free Dell Inspiron 15 laptop.

Obviously, there is a caveat to the deal. You must check the device in at the store’s Answer Desk before 12 p.m. local time. If the device isn’t compatible with the new OS for some reason, then Microsoft will recycle the device and offer you $150 towards the purchase of a new PC. However, that promotion has its own set of rules as well, chief of which is that the device needs to be on a Windows 8 or newer OS. Your device also needs to meet the following qualifications to be eligible for recycling if the Windows 10 upgrade doesn’t work:

  • You must own the qualifying device.
  • Device must power on
  • Battery must hold a charge and not require being plugged in to operate.
  • The device must be in fully functional, working condition without broken/missing components. A cracked display/housing, liquid damage, modification(s) or broken warranty seals are disqualifiers.
  • Cannot be password protected and must include the device’s original chargers and accessories.
  • The device must contain a hard drive.

In addition to these promotions, Microsoft continues to improve its latest OS. As we found out last month, the Windows 10 Anniversary Update comes out on August 2, days after the free Windows 10 upgrade promotion is over. Xbox One owners will also see some updates to the console, not to mention the fact that the 2 TB variant of the Xbox One S comes out on August 2 as well. The highly anticipated update will include updates to existing features such as Windows Hello and Cortana, but it will also introduce new tools such as Windows Ink.

Source: Tom's Hardware

http://www.tomshardware.com/news/microsoft-windows-10-free-dell,32271.html

POS and Credit Cards: In the Line of Fire with “PunkeyPOS”

PandaLabs, Panda Security’s anti-malware laboratory, has been working since May on an in-depth investigation related to Point of Sale (POS) terminals in restaurants across the United States. During this investigation a new malware sample, called PunkeyPOS, was discovered: a malware variant that is able to access credit card data. PandaLabs placed this information at the disposal of American law enforcement so they can take the appropriate actions. Let’s see what this is and how it operates.

How can they steal your card without touching your wallet?

PunkeyPOS runs seamlessly on all Windows operating systems. The cyber-criminals’ plan is to install the malware on POS terminals in order to steal sensitive information such as account numbers, magnetic stripe contents (tracks) from bank cards, etc.

PunkeyPOS seems simple:

It installs a keylogger that is responsible for monitoring keystrokes, then it installs a RAM-scraper that is responsible for reading the memory of all processes running on the system.

Based on the information it captures, the malware performs a series of checks to determine what is valid and what isn’t. Among the keystrokes, PunkeyPOS ignores everything other than credit card data. It is mostly interested in the Track 1 and Track 2 data obtained from process memory by the RAM scraper: the POS terminal reads this information from the bank card’s magnetic stripe, and whoever captures it can use it to clone the card later.
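Track 1 and Track 2 data have a fixed, recognisable layout on the magnetic stripe, and that is what both a RAM scraper and a defender's memory or DLP scan key on. The following Python is an added example written for this edit, not PandaLabs' code and not PunkeyPOS's logic: it scans a byte buffer for Track 1 (%B<PAN>^<NAME>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...) records, drops matches whose PAN fails the Luhn check so that number-like noise does not page anyone, and reports masked PANs with their offsets. The buffer is a constructed stand-in for a process-memory excerpt and uses the well-known test number 4111111111111111, not real card data.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...) as laid out on a
# card's magnetic stripe. These patterns follow the standard track format and were not
# taken from the sample.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")

# Constructed process-memory excerpt (not a real dump): one Track 1 and one Track 2
# record for the test PAN 4111111111111111, plus a decoy that fails the Luhn check.
SAMPLE_BUFFER = (
    b"\x00\x00pos.exe\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00"
    b";4111111111111111=25121011000000000000?\x00"
    b";1234567890123456=25121011000000000000?\x00"
    b"\xff\xff"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: filters out digit runs that merely fit the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four digits so an alert never re-exposes the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return masked hits, ordered by offset, for every Luhn-valid track record in buf."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            hits.append({"track": track, "pan": mask(pan),
                         "expiry": expiry, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BUFFER):
        print(hit)
```

Run against a memory dump of the POS application, the same logic tells you whether card data is sitting in cleartext in a process that a scraper could read; run against captured traffic it will find nothing useful here, since, as the next paragraph notes, PunkeyPOS encrypts the data with AES before sending it, which is exactly why detection of this family has to look at process memory, process behaviour and the C&C connection rather than for track data on the wire.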

Once the relevant information has been obtained, it is encrypted and forwarded to a remote web server which is also the command and control (C&C) server. In order to avoid the detection of the card information in case somebody is scanning the network traffic, it is encrypted before it is sent using the AES algorithm.

The command and control (C&C) server address can easily be obtained from this malware sample through reverse engineering or by analysing its communications. This is the main page of the control panel; it requires a username and password to get access:


Follow the Trail to the Digital Pickpockets

The cyber-criminals behind this attack haven’t been very careful. Since the server was not configured correctly, PandaLabs was able to access it without credentials.

Because of this neglect, PandaLabs was able to see where PunkeyPOS sends the stolen information. The panel is not only used to access the stolen data; from it, the cyber-criminals can also reinfect or update current clients (POS bots).


The version of the analyzed PunkeyPOS sample is hardcoded: “2016-04-01”. If we compare this sample with older versions, some from 2014, we can barely see any difference in the way it operates (the References section of this article links to further detail about how it works).

PandaLabs has been able to gain access to the control panel of PunkeyPOS, and has geolocated around 200 Point of Sale terminals that were compromised by this specific malware variant. Virtually all the victims are in the United States.


Taking into account how easy it is to sell this information on the black market, and how convenient it is to compromise these POS terminals anonymously through the internet, we are certain that cyber-criminals will be increasingly drawn to these terminals.

Protect your devices proactively from these types of attacks with an advanced cyber-security solution like Adaptive Defense. Real-time control of all inappropriate user operations is in your hands.

References:

http://krebsonsecurity.com/2016/06/slicing-into-a-point-of-sale-botnet/

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges—Punkey/

Fraudulent Emails Threaten Businesses with “Whaling”; A New Scam with a Long History

Last year, an undisclosed employee of Pennsylvania-based Alpha Payroll was wrongly fired because he fell for a deceptive cyber-criminal’s trap. The company, Alpha Payroll, is known for processing payroll for businesses, but now it will be remembered as the victim of a very large phishing scam.

It all started when an employee received an email from the company’s CEO that stated, “send me copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Of course, the employee believed the email was legitimate and, attentive and obedient, he fulfilled the CEO’s request.

But the CEO never sent this email; in fact, the company had a policy that prohibited employees from sharing W-2 information. But put yourself in the victim’s shoes, a bottom-level employee… would you question an email sent to you by the CEO? Unaware that he was the victim of a phishing scam and that his boss was being impersonated, the employee fell for it and, later, was fired.

It wasn’t until one of the company’s clients discovered something strange on its payroll and notified the authorities that an investigation was opened. By the time Alpha Payroll was drawn into the mess it was too late: the company was already caught up in a cyber-criminal’s whaling scheme.

Phishing is old-school. It is the most basic form of impersonation, without any specific target. Then came spear phishing, which is more personalized and directed. Now we have what is called whaling, because the attackers impersonate senior managers exclusively.

How does Whaling work?

It is easy for an attacker to steal identities that belong to company executives and deceive employees. The fraudsters simply go after employees who are less cautious or unfamiliar with detecting internet fraud.

According to the FBI, whaling has become such a big problem that it has already cost companies in 80 different countries more than 2.3 million dollars (more than 2 million euros) in the last three years. Since January 2015, the number of identified victims has increased by 270%, including well-known companies like Mattel, Snapchat and Seagate Technologies.


A great way to protect your business is with a team of duly trained employees, especially those who have access to highly sensitive information or who perform delicate operations like transfers. It is also very important to establish clear policies for transferring information or reports between departments, employees and executives.

The usual protection solutions don’t start working until after the attack has already succeeded, by which point the damage cannot be undone. To proactively protect yourself against this type of attack, next-generation EDR solutions are the only option, because they look for both unknown and known vulnerabilities. They control 100% of the processes, whether malware or goodware, and keep any strange behaviour under control.

Antivirus For Mac: Is It Really Necessary?


The last few days have been intense for Apple fans. Last week, Apple’s Worldwide Developers Conference took place, where they presented the company’s new hardware and software. The “bitten apple” went into depth about their new operating systems for iPhone, Mac, Apple Watch and Apple TV but… what about security-related updates?

Following the horrible San Bernardino attack last December, a controversy arose over the attacker’s iPhone. Apple’s case against the FBI set off a dispute between user privacy and government access to personal data.

Meanwhile, other giants in the sector, like Facebook and Google, showed their support for Apple by promising to implement more effective encryption tools in the future. WhatsApp was the first to use end-to-end encryption.

Now Tim Cook has presented a new file system called APFS, the Apple File System, which incorporates a new encryption system that gives developers multiple options: leaving data unencrypted, encrypting it with a single password, or encrypting it with multiple passwords. The Apple File System is already available online for developers, and the new version will replace the HFS file system and improve security and data encryption.

Why is my Mac vulnerable to advanced threats?

Despite the efforts of large security companies, the truth is that no operating system is 100% reliable. Apple computers are not the Macintosh systems that we once knew. Years ago they had a reputation for guaranteed safety, with a solid operating system different from the others. At that time hackers targeted computers running Windows; however, as Apple’s popularity has grown, so has the number of hackers writing malicious code for it. Mac OS X is no longer impregnable and needs Mac antivirus software.

In the recent PandaLabs Q1 report, experts discussed the latest threats directed specifically at Apple operating systems. One example is the highly powerful ransomware based on Encoder, called KeRanger, which managed to infect Apple users at the beginning of 2016. We all remember the major Flashback Trojan and Browlock, also known as the Police Virus or Shellshock. All of these examples confirm that attacks on Mac OS X are growing.

While it is true that the number of threats on the Mac’s operating system is lower than on other platforms (such as Windows), we must be aware of the importance of an effective antivirus for Mac in order to fully enjoy our Apple computers. Enough excuses, let’s start preventing viruses!
