The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 25 May 2016
DMA Locker Ransomware Ready for Mass Distribution
From The Media
The new 4.0 version of the DMA Locker ransomware is believed to possess capabilities that will rank it as a top ransomware threat. With version 4.0, files are encrypted with AES-256 in ECB mode with a randomly generated key for each file. Malwarebytes indicates that, based on the recent updates, the ransomware is preparing to be distributed on a mass scale.
Read the Story: Help Net Security
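The mode detail in the story is the security-relevant one: ECB encrypts every 16-byte block independently, so repeated plaintext blocks produce repeated ciphertext blocks, and that repetition is visible in the ciphertext alone. The Go program below is an added example, not DMA Locker code or an analysis of the sample; it encrypts a constructed input under a constructed fixed AES-256 key in both ECB and CBC mode and counts duplicate ciphertext blocks, which is the heuristic an analyst can use to recognise ECB output when examining encrypted files. The names `encryptECB`, `encryptCBC`, `repeatedBlocks` and `demo` are chosen here and are not from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// constructedKey is a fixed, constructed 32-byte (AES-256) key so the demo is
// reproducible. It is not a key from any real sample.
var constructedKey = []byte("constructed-demo-key-32-bytes!!!")

// encryptECB encrypts plaintext (a multiple of the block size) with AES in ECB
// mode. Go's standard library deliberately ships no ECB mode; this loop over
// cipher.Block.Encrypt is exactly what ECB is: each block on its own.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// encryptCBC encrypts the same input in CBC mode with a random IV, for
// comparison; the IV is prepended to the output.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	iv := make([]byte, blockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	body := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, plaintext)
	return append(iv, body...), nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that exactly duplicate an
// earlier block. For CBC or CTR output this is essentially always 0; for ECB
// it mirrors repetition in the plaintext, which is the ECB tell.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[[blockSize]byte]bool)
	dup := 0
	for i := 0; i+blockSize <= len(ciphertext); i += blockSize {
		var b [blockSize]byte
		copy(b[:], ciphertext[i:i+blockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// demo encrypts a constructed 128-byte input made of eight identical blocks
// in both modes and returns the duplicate-block count for each.
func demo() (ecbDups, cbcDups int, err error) {
	plaintext := bytes.Repeat([]byte("0123456789ABCDEF"), 8) // constructed: 8 identical blocks
	ecb, err := encryptECB(constructedKey, plaintext)
	if err != nil {
		return 0, 0, err
	}
	cbc, err := encryptCBC(constructedKey, plaintext)
	if err != nil {
		return 0, 0, err
	}
	return repeatedBlocks(ecb), repeatedBlocks(cbc), nil
}

func main() {
	ecb, cbc, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("repeated 16-byte ciphertext blocks: ECB=%d CBC=%d\n", ecb, cbc)
}
```

Eight identical plaintext blocks give seven duplicate ciphertext blocks under ECB and none under CBC. Real files show the same tell through long zero runs or repeated records, and a fresh random key per file does not change it, because the repetition being leaked is within a single file under a single key.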
iSIGHT Partners Analyst Comment
DMA Locker’s development indicates that malicious actors consider ransomware tools important enough to warrant continued improvement efforts. However, a better DMA Locker will not substantially change the ransomware marketplace or the overall threat of this type of malware. The updated DMA Locker offers no noticeable improvement in functionality over the already numerous sophisticated ransomware families currently operational.
Related iSIGHT Partners Reports
16-00006476 (Ransomware Trends: Diversification and Targeted Attacks), 18 March 2016
16-00002294 (Ransomware Threat Landscape Overview), 28 March 2016
Beware of Wireless Keystroke Loggers Disguised as USB Phone Chargers
From The Media
The FBI is warning of stealthy keystroke loggers capable of obtaining passwords and other input from wireless keyboards. The FBI’s notice is dated over a year after the release of Samy Kamkar’s KeySweeper, a proof-of-concept platform that covertly logs keystrokes from wireless keyboards using a device disguised as a phone charger. The FBI did not indicate why the notice was released so late, and Kamkar indicated that though he was not aware of attacks using KeySweeper, he could not rule out the possibility.
Read the Story: Ars Technica
iSIGHT Partners Analyst Comment
The FBI’s notification well after the release of KeySweeper suggests the attack may have been used in the wild; however, we are unaware of any such attempt (although introduction of various malicious devices into enterprise environments has been reported in the past). Charging infrastructure, whether for USB or wireless devices, can often be imitated by malicious attackers to infect or otherwise compromise sensitive enterprise data and devices.
Related iSIGHT Partners Reports
ThreatScape Media Highlights (Wall Charger Steals Keystrokes from Microsoft Wireless Keyboards), 14 Jan. 2015
15-00003756 (Overview of Methods for Real-Time Control of Air-Gapped Systems), 8 May 2015
Intel-993495 (Risk Posed to Enterprise IT Security by USB Drives), 29 Dec. 2013
Ransomware Multiplies Threat by Adding DDoS Capability
From The Media
Invincea researchers have reported on a new cyber crime trend of adding systems encrypted by ransomware to botnets. Renting out DDoS capabilities is a lucrative business, so by coupling the capability with ransomware, malicious actors can essentially “get two for the price of one.” A new variant of the Cerber ransomware reportedly uses this technique, a pair of functionalities that some researchers suggest will quickly start trending.
Read the Story: Dark Reading
iSIGHT Partners Analyst Comment
Bundling of multiple types of malware is a natural, though not novel, development as malware developers and operators attempt to make the most of a single compromise. Exploit kits and downloaders already distribute bundles of malware with differing capabilities on a single compromised device. Malware operators try to capture that same efficiency at the payload level, such as through the development of modular malware, which allows developers to more easily deploy multi-function malware.
Related iSIGHT Partners Reports
15-00011328 (ModPOS: Malware Behavior, Capabilities and Communications), 15 Oct. 2015
16-00001646 (LATENTBOT: Malware Behavior, Capabilities and Communications), 18 May 2016
16-00007926 (Cerber Ransomware: Observed Underground Activity and Technical Behavior, Capabilities and Communications), 17 May 2016
More Than 2,500 Twitter Accounts Hacked with Sexual Content
From The Media
Over 2,500 Twitter accounts were hacked and set to tweet links to adult dating and sex personals websites. Account profile pictures and details were also allegedly altered to promote the sites. According to Symantec, the attackers earned approximately $4.00 for each individual that signed up for the adult services.
Read the Story: Info Security Magazine
iSIGHT Partners Analyst Comment
As Symantec documents, the compromised accounts likely had weak passwords, relied on password-only authentication, or had been inactive because of lack of user interest or even the user’s death. Verified or more notable accounts may also be particularly targeted, since these typically have more followers and more credibility. The incident further demonstrates the need for corporate and government entities to secure their social media profiles. While any social media compromise would be embarrassing, one in which sexually provocative material and malware were spread would be particularly damaging to an entity’s brand and public image.
Related iSIGHT Partners Reports
16-00000698 (Turkish Hacktivists Target Russian Social Media Accounts and Websites amid Tense Turkish-Russian Relations), 29 Jan. 2016
Intel-985835 (Social Media Part I: Threats), 4 Nov. 2013
Intel-986159 (Social Media Part II: Mitigation), 4 Nov. 2013
The post ThreatScape Media Highlights Update – Week Of May 25th appeared first on iSIGHT Partners.