Be aware of the Ransomware Cryptolocker family

This important notification is being released for AWARENESS of the Ransomware Cryptolocker family. The main purpose of this Threat Awareness is to provide complete information about the threat and communicate the recommended solutions and best practices so that customers can apply them and avoid being affected or contain the threat from spreading further. If similar infections are being experienced in your respective regions, please contact your support engineer.
Threat brief

We are experiencing a resurgence of the malware family named Cryptolocker (and other variants). This is a crypto-ransomware variant that has the capability to encrypt files. It uses many techniques (HTTPS, P2P, TOR…) to mask its command-and-control (C&C) communications. Usually, this attack is delivered through spear-phishing as an email attachment. Upon execution, it connects to several URLs to download the crypto-ransomware. It then displays a ransom message. Users must pay the ransom before the set deadline expires; otherwise, all the files will permanently remain encrypted. But beware, ransom payment is no guarantee that the original files will be restored!
Notable Variant

  • A particular variant, TROJ_CRYPCTB.XX, offers users the option of decrypting 5 files for free, as proof that decryption is possible.
  • Users are also given 96 hours, instead of 72 hours, to pay the ransom fee.
  • The displayed ransom message has options for four languages, namely, English, Italian, German and Dutch.
  • In some cases, infection can also occur through an embedded URL in an email, or through a compromised website using drive-by download techniques.
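As an added illustration of the file-encryption behaviour described in the threat brief (example code, not from the original post or from Trend Micro), the following Python heuristic flags a process that writes many high-entropy files within a short window, which is what a crypto-ransomware run looks like on disk. The process names, paths and event records are constructed, and the 256-distinct-byte payload stands in for ciphertext.

```python
import math
from collections import Counter, defaultdict

# Constructed file-write events: (timestamp_s, process_name, path, first_bytes_written).
# Process names and paths are hypothetical; CIPHERTEXT_LIKE stands in for encrypted output.
CIPHERTEXT_LIKE = bytes(range(256))
TEXT_LIKE = b"Quarterly report: revenue grew in all regions. " * 6
EVENTS = [
    (0.0, "WINWORD.EXE", r"C:\Users\alice\Documents\report.docx", TEXT_LIKE),
    (1.0, "backup.exe", r"D:\backups\monday.zip", CIPHERTEXT_LIKE),   # archives are high-entropy too
    (2.0, "backup.exe", r"D:\backups\tuesday.zip", CIPHERTEXT_LIKE),  # ...but only two files
    (5.0, "suspicious.exe", r"C:\Users\alice\Documents\budget.xlsx", CIPHERTEXT_LIKE),
    (5.4, "suspicious.exe", r"C:\Users\alice\Documents\photo1.jpg", CIPHERTEXT_LIKE),
    (5.9, "suspicious.exe", r"C:\Users\alice\Documents\photo2.jpg", CIPHERTEXT_LIKE),
    (6.3, "suspicious.exe", r"C:\Users\alice\Documents\notes.txt", CIPHERTEXT_LIKE),
    (7.0, "suspicious.exe", r"C:\Users\alice\Documents\contract.pdf", CIPHERTEXT_LIKE),
    (8.2, "suspicious.exe", r"C:\Users\alice\Documents\thesis.docx", CIPHERTEXT_LIKE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); encrypted output sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encryption_bursts(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """Return {process: high_entropy_write_count} for every process that wrote at
    least min_files high-entropy files inside some window_s-second window.
    High entropy alone is not the signal (archives and media look the same);
    the burst across many user files is what distinguishes a ransomware run."""
    high_entropy_writes = defaultdict(list)
    for ts, proc, _path, data in events:
        if shannon_entropy(data) >= min_entropy:
            high_entropy_writes[proc].append(ts)
    flagged = {}
    for proc, times in high_entropy_writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 >= min_files:
                flagged[proc] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_encryption_bursts(EVENTS))   # {'suspicious.exe': 6}
```

In a real deployment the thresholds need tuning per environment, and known archivers or backup agents would go on an allow-list rather than being judged by entropy alone.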

How to protect against a Cryptolocker attack?

  • Use reputation services for real-time protection via the cloud-based automatic sharing system (Smart Protection Network)
    • Email Reputation to block malicious and suspicious email
    • Web Reputation to block compromised websites, newly seen C&C remote hosts and other infection vectors
    • File Reputation through SmartScan technology for real-time security updates on your solutions
  • Leverage the sandbox, emulation and heuristic integration in current Trend Micro products with the Custom Defense approach
    • Automatic execution of suspicious content on innovative dynamic engines
    • Native & easy deployment to existing Trend Micro solutions (OfficeScan, IMSva, IWSva, ScanMail…)
    • Use the Deep Discovery approach to detect on the network any Cryptolocker attack, ransomware, 0-day, targeted attack and any other unknown malware or variant
  • End-user education is key to pro-active defense
    • Always check who the email sender is
    • Double-check the content of the message
    • Refrain from clicking links in email
    • Back up important data
  • Coming soon in OfficeScan 11 Service Pack 1: an Anti-Cryptolocker feature to protect your personal files against encryption or other malware action. The beta will start in a few weeks. Contact your support engineer for more information.
How to remediate if a Cryptolocker infection is running?

  • Detection and removal tool for Cryptolocker:

Threat Cleaner for GOZ and CryptoLocker (32-bit and 64-bit)

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

Remembering the Vulnerabilities of 2014

With the New Year celebrations safely behind us, it’s time to look forward and plan for 2015. Before we can do that, however, we need to spend a few minutes to remember the vulnerabilities of 2014 and what we can take away from these.
Every year there are several zero-days and tons of undisclosed vulnerabilities fixed by software vendors. This year was a little different:
- The total number of disclosed vulnerabilities per year almost hit 10,000. Because of this, the maintainers of the CVE database announced that the CVE syntax would be modified, which now allows up to 10 million vulnerabilities to be assigned identifiers annually.
- Major “named” vulnerabilities like Heartbleed, Shellshock, Poodle, and WinShock were disclosed and became widely known within the security industry. These vulnerabilities were notable for their severe impact, widespread attack surface, and difficulty in patching.
- There was an increase in amplification distributed denial-of-service (DDoS) attacks. These attacks are used to create the high volumes of traffic needed for a denial of service. They exploit weaknesses in network protocols to "elicit" large volumes of response packets, which can be "redirected" to a victim to cause a denial of service against it.
- Some good news – there were no Java zero-days in 2014! However, that doesn’t mean that Java vulnerabilities weren’t exploited. They are still being actively exploited by exploit kits. Users still running older versions of Java should upgrade.
- For Adobe products, it was a mixed story. Overall, the number of vulnerabilities in Adobe products declined from 2013. However, the number of vulnerabilities in Adobe Flash went up from 56 to 76. Vulnerabilities in Acrobat/Reader went down by almost 30%.
- There were a lot of vulnerabilities found in OpenSSL, not just Heartbleed. In 2014, 24 vulnerabilities were found – which equaled the number from the previous three years combined.
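An added detection example for the amplification attacks described in the list above (example code, not from the original post): it runs over constructed unidirectional flow records and reports hosts that receive oversized or unsolicited replies from many reflecting servers. The reflective service ports, addresses and byte counts are assumptions.

```python
from collections import defaultdict

# UDP service ports commonly abused as reflectors (assumed examples, not from the post).
REFLECTIVE_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records, one direction each: (src_ip, src_port, dst_ip, dst_port, bytes).
# Addresses come from documentation ranges; byte counts are illustrative.
FLOWS = [
    # A workstation's ordinary DNS lookup: small query, modestly larger answer.
    ("10.0.0.5", 51000, "10.0.0.2", 53, 70),
    ("10.0.0.2", 53, "10.0.0.5", 51000, 180),
    # Reflected traffic hitting 203.0.113.10: the victim never sent these queries
    # (its address was spoofed), so large replies arrive unsolicited.
    ("198.51.100.1", 123, "203.0.113.10", 80, 4400),
    ("198.51.100.2", 123, "203.0.113.10", 80, 4400),
    ("198.51.100.3", 123, "203.0.113.10", 80, 4400),
    ("198.51.100.4", 53, "203.0.113.10", 80, 3200),
    # One spoofed query was captured on its way out, so a factor can be computed: 3000 / 60 = 50x.
    ("203.0.113.10", 80, "198.51.100.5", 53, 60),
    ("198.51.100.5", 53, "203.0.113.10", 80, 3000),
]


def amplification_report(flows, min_factor=10.0, min_reflectors=3):
    """Return {victim_ip: (reflector_count, response_bytes)} for hosts receiving
    replies from at least min_reflectors service ports where the reply bytes
    exceed the matching request bytes by min_factor, or no request was seen at all."""
    requests = defaultdict(int)    # (client, server, port) -> bytes sent to the service
    responses = defaultdict(int)   # (client, server, port) -> bytes sent back by the service
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTIVE_PORTS:
            requests[(src, dst, dport)] += nbytes
        elif sport in REFLECTIVE_PORTS:
            responses[(dst, src, sport)] += nbytes
    suspects = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for (client, server, port), rbytes in responses.items():
        qbytes = requests.get((client, server, port), 0)
        factor = rbytes / qbytes if qbytes else float("inf")   # unsolicited reply
        if factor >= min_factor:
            suspects[client]["reflectors"].add(server)
            suspects[client]["bytes"] += rbytes
    return {ip: (len(s["reflectors"]), s["bytes"])
            for ip, s in suspects.items() if len(s["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    print(amplification_report(FLOWS))   # {'203.0.113.10': (5, 19400)}
```

The same ratio, computed per server rather than per client, tells an operator whether one of their own services is being used as a reflector.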
With the above events in mind, what should be some of our key takeaways from all this?
- Even old applications can still have uncovered vulnerabilities, as we saw with Heartbleed and Shellshock.
- Open source software is said to be inherently more secure, as it goes through more reviewers (and thus, more opportunities for any vulnerabilities to be spotted). However, that is not necessarily the case, as OpenSSL and Bash showed.
- The CVSS score is not a be-all-and-end-all for vulnerability severity. After all, Heartbleed only received a CVSS score of 5.0! Assess the impact of vulnerabilities depending on your organization’s situation and applications. Add salt to the (CVSS) score!
- Upgrade older versions as soon as possible. Patch as soon as your situation allows it.
- Continuously review your security posture and plan your investments in information security tools and practices accordingly. Employee coaching is a key part in securing a company’s information. At the same time, ensure that you make the best use of your security solutions – e.g. by configuring them properly, tuning them to your requirements etc.
- Implement a lowest privilege access policy. Many exploits today obtain the privileges of the logged in user; a lowest privilege access policy would help mitigate the damage from these exploits.
There were some other things in 2014 that were not unexpected, but still significant.
- There were eight zero-days in Internet Explorer and four in Adobe Acrobat/Reader. There are alternative browsers and PDF readers available; consider your options.
- For web servers, zero-days were found in both Apache Struts and WordPress (as well as WordPress plugins). What's clear is that, aside from the server software itself, added plugins have to be considered a possible source of risk as well.
No matter how many zero-days or Heartbleed/Shellshock-type vulnerabilities we may see, we should never forget that the fundamental vulnerabilities in web applications such as SQL Injection, Cross Site Scripting (XSS), broken authentication etc. are still very prevalent. They are, quite often, the reason behind the big data breaches that occur.
Also, we should never forget the best practices: controlling access to data, encrypting it as much as we can, and ensuring the right security products are in place to shield quickly against vulnerabilities.

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

Four steps

In today’s world of frequent targeted attacks – when breaches are a matter of when and not if – a carefully crafted strategy to respond to targeted attacks must be part and parcel of the larger defense strategy. This can be the difference between a minor nuisance and a major breach that could spell the demise of an organization.
The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:

  • Prepare
  • Respond
  • Restore
  • Learn

 

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

2015 Predictions: The Invisible Becomes Visible

These are the trends that we think will shape 2015:

– More cybercriminals will turn to darknets and exclusive-access forums to share and sell crimeware.
– Increased cyber activity will translate to better, bigger, and more successful hacking tools and attempts.
– Exploit kits will target Android, as mobile vulnerabilities play a bigger role in device infection.
– Targeted attacks will become as prevalent as cybercrime.
– New mobile payment methods will introduce new threats.
– We will see more attempts to exploit vulnerabilities in open source apps.
– Technological diversity will save IoE/IoT devices from mass attacks but the same won’t be true for the data they process.
– More severe online banking and other financially motivated threats will surface.

More details about these predictions can be found at Trend Micro Security Predictions for 2015 and Beyond.

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

Server admins, start your Windows Update… now!

Microsoft may have a massive problem on its hands with a critical patch issued via Windows Update today.

The patch in question is MS14-066, otherwise known by the cryptic name "Vulnerability in Schannel Could Allow Remote Code Execution," which affects Windows Server 2003/2008/2012, Vista, 7, 8, 8.1 and Windows RT.

You know what's really a pain? It affects everything running a modern version of Windows, meaning we will all need to patch a lot of machines as soon as possible. Microsoft also says that there is no workaround or other way to mitigate the attack, only the patch.

Trend Micro Deep Security customers using Virtual Patching are of course protected. If you can't run Windows Update right now, you can use our DPI rules, which were released even before Microsoft announced the vulnerability publicly.

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro