Category Archives for Virus & Malware

Cyber Threats – What are the common threat types?

The cyber threat to Australian individuals and organisations is undeniable, unrelenting and continues to grow.

You could be a target even if you don’t think the information held on your networks is valuable, or that your business would be of interest to cyber adversaries.

Many organisations are at risk purely because they are vulnerable through unpatched software or unaware staff members.

Common threats impacting Australians include:

Malware

Malware is software that cyber criminals use to harm your computer system or network. Cyber criminals can use malware to gain access to your computer without you knowing, in targeted or broad-based attacks.

Ransomware

Ransomware is a type of malware that denies access to files or computer systems until a ransom is paid.

Distributed denial of service

A distributed denial of service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic.

Unauthorised cryptomining

Cryptocurrency mining (cryptomining) software uses a system’s processing power to solve complex mathematical problems, in return for a type of digital currency.

Unauthorised cryptocurrency mining (also known as cryptojacking) is where a website or software on your computer does this mining without your authorisation, using your electricity and processing time for someone else's profit. It has become one of the most common attack methods.


Malicious insiders

Malicious insiders are people such as employees, former employees, contractors or business associates who have inside knowledge of your computer systems, data or security controls, and use that access for their own purposes.

Identity theft

Identity theft is when a cybercriminal gains access to your personal information to steal money or gain other benefits.

Phishing

Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. It is one of the most prevalent scams reported in Australia.

Email scams

Criminals use email to manipulate or trick you into unintentionally sharing personal information, financial details, or money.

Phone call scams

There are many ways scammers try to get your information or money over the phone. They will usually pretend to be from a well-known organisation, such as a government agency, a utilities provider, Australia Post, a bank or the police. They can be incredibly convincing.

Dating and romance scams

Scammers often approach their victims on legitimate dating websites before attempting to move the ‘relationship’ away from the safeguards that these sites put in place, for example, by communicating through other methods such as email, where they can more easily manipulate victims.


Secondary Targeting

Secondary targeting is where cyber adversaries try to gain access to networks of companies that provide products or services (e.g. through outsourcing arrangements) as a means to get to their higher value customers.

Prevention

Prevention is far better than cure. Configuring your network in line with the Australian Government's Essential Eight mitigation strategies is the bare minimum.

Using an external IT support company that specialises in cyber security is also a good idea. Domain Digital not only specialises in preventative measures and ongoing, proactive day-to-day support of your systems, we also have a cyber security education and training platform that can help you and your staff avoid ever being "caught out". Simply visit www.domaindigital.com.au or call (08) 9441 6300 to find out more.

Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

Swati Khandelwal wrote on The Hacker News that security researchers have been warning about a simple technique that cybercriminals and email scammers are already using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which were designed to protect users from malware and phishing attacks.

Safe Links is part of Office 365 Advanced Threat Protection (ATP). It works by rewriting every URL in an incoming email to a Microsoft-owned URL, so each time a user clicks a link in an email, Safe Links first sends them to a Microsoft domain that checks the original link at click time. If Microsoft's scanners detect anything malicious, the user is warned; if not, they are redirected to the original link.

However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365's URL reputation check and Safe Links URL protection by using zero-width spaces (ZWSPs).

Zero-width spaces (and related characters such as zero-width joiners) are non-printing Unicode characters used to mark permissible line-break points inside long words. Modern browsers and mail clients render them as nothing, so a URL with zero-width characters inserted looks intact to the reader, while the characters are still present in the text and break any pattern matching that expects an unbroken string.


Zero-Width Space Phishing Attack Demonstration

According to the researchers, attackers simply insert multiple zero-width spaces into the malicious URL in their phishing emails, breaking the URL pattern so that Microsoft's filtering does not recognise it as a link. "Microsoft email processing did not recognize this URL as a legitimate URL, and neither applied URL reputation checking nor converted it with Safe Links for post-click checking," the researchers say in a blog post published Wednesday. "The email was delivered to the intended recipient; but in their inbox, users did not see the ZWSPs in the URL."

When end users clicked the link, they landed on a credential-harvesting phishing website.
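To make the mechanism concrete, here is an added example (not Avanan's research code and not Microsoft's filter) showing a naive URL detector of the kind a mail filter might run before rewriting or reputation-checking a link, how three U+200B characters hide a URL from it, and the normalisation step that closes the gap: strip every Unicode "format" (Cf) character before detection, so the scanner sees the same string the recipient sees. The email body and the domain in it are constructed for the example.

```python
import re
import unicodedata

# Naive link detector: scheme, dot-separated host labels, optional path.
# A filter that rewrites links (Safe Links style) has to find them first.
URL_RE = re.compile(r"https?://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?")

def extract_urls(text):
    """Return the URLs the naive detector finds in `text`."""
    return URL_RE.findall(text)

def hidden_format_chars(text):
    """List (offset, name) for every Unicode 'format' (Cf) character in `text`.
    Zero-width space/joiner/non-joiner, word joiner and the BOM all fall here."""
    return [(i, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def strip_format_chars(text):
    """Normalisation step: drop Cf characters before link detection, so the
    string the scanner sees is the string the recipient sees rendered."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

# Constructed sample body: host and path carry three U+200B characters that
# render as nothing but split the URL for the regex above.
SAMPLE = ("Your mailbox is full. Restore access at "
          "https://lo\u200bgin.exam\u200bple-secure.com/restore\u200b?u=1 within 24 hours.")

def scan(text):
    """Run both passes and report what a filter would see each way."""
    return {
        "hidden_chars": hidden_format_chars(text),
        "urls_raw": extract_urls(text),
        "urls_normalised": extract_urls(strip_format_chars(text)),
    }

if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as a script it prints an empty `urls_raw` list and a single normalised URL; the `hidden_chars` report is also useful on its own as a detection signal, since legitimate business email almost never contains zero-width characters inside a URL.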

Researchers also provided a video demonstration showing what happened when they sent a malicious URL to an Office 365 inbox without any ZWSP characters inserted in the URL and with ZWSP characters inserted into the URL.

The Z-WASP attack is the latest in a line of techniques, including the baseStriker and ZeroFont attacks, designed to obfuscate malicious content and confuse Office 365 security.

The security firm found the Z-WASP attack in use against more than 90 percent of Avanan's Office 365 customers and reported the issue to Microsoft on November 10th last year after confirming its nature.

Avanan then worked with the Microsoft security team on assessing the scope of the vulnerability, which was addressed on January 9th. To read the full article visit https://thehackernews.com/2019/01/phishing-zero-width-spaces.html

To learn more about how Domain Digital is working to protect Perth and Australian businesses from being affected by incidents like this, visit http://www.domaindigital.com.au or fill out this form for a FREE, no obligation consultation to discuss your concerns.

Ethereum Classic (ETC) Hit by “Double-Spend” Attack Worth $1.1M

Popular cryptocurrency exchange Coinbase suspended all Ethereum Classic (ETC) transactions on its trading platform and other products and services after detecting an attack on the cryptocurrency network that let someone spend the same digital coins twice, reported Swati Khandelwal of thehackernews.com. ETC is the original, unforked version of the Ethereum network.

Why is this attack concerning? The heist cost holders about $1.1 million worth of Ethereum Classic, and the currency's price fell immediately after the news came out.

Coinbase revealed on Monday that it had identified "a deep chain reorganisation" of the Ethereum Classic blockchain, otherwise known as a 51 percent attack: someone controlling the majority of the network's mining power (over 50% of the hashrate) rewrote the transaction history.

By reorganising the Ethereum Classic blockchain, the attackers were able to "double spend" about 219,500 ETC: coins they had already sent to exchanges or other recipients were reclaimed and transferred to new addresses chosen by the attackers (typically a wallet under their control).
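The following is an added toy model, not Coinbase's code and not the ETC protocol, of the reorganisation described above. It assumes a longest-chain rule with equal work per block, one attacker holding 55% of the hashrate, and a hypothetical exchange that credits a deposit after a fixed number of confirmations. The attacker deposits on the public chain while mining a private fork that spends the same coins to themselves; once the deposit has been credited and the fork is longer, the fork is published and every node switches to it, erasing the deposit. Names, amounts and the random seed are constructed.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Block:
    height: int
    txs: list = field(default_factory=list)   # each tx is (sender, recipient, amount)

def balances(chain):
    """Replay every transaction on `chain` and return the resulting balances."""
    bal = {}
    for blk in chain:
        for sender, recipient, amount in blk.txs:
            bal[sender] = bal.get(sender, 0) - amount
            bal[recipient] = bal.get(recipient, 0) + amount
    return bal

def simulate_double_spend(attacker_share=0.55, confirmations=6,
                          amount=219_500, seed=7, max_blocks=100_000):
    """Return the balances nodes saw before and after the fork is published,
    or None if the attacker never overtakes within `max_blocks` blocks."""
    rng = random.Random(seed)
    genesis = Block(0, [("coinbase", "attacker", amount)])
    # Public chain: the attacker deposits at the exchange.
    public = [genesis, Block(1, [("attacker", "exchange", amount)])]
    # Private fork from the same parent: the same coins go to the attacker's
    # other address, so the deposit never happened on this history.
    private = [genesis, Block(1, [("attacker", "attacker_alt", amount)])]
    credited = False
    for _ in range(max_blocks):
        # Blocks arrive in proportion to hashrate (constructed coin flips).
        if rng.random() < attacker_share:
            private.append(Block(len(private)))
        else:
            public.append(Block(len(public)))
        if len(public) - 1 >= confirmations:
            credited = True          # exchange treats the deposit as final here
        if credited and len(private) > len(public):
            # Longest-chain rule: nodes adopt the private fork; every public
            # block after genesis, including the deposit, is orphaned.
            return {
                "confirmations_seen": len(public) - 1,
                "reorg_depth": len(public) - 1,
                "before": balances(public),
                "after": balances(private),
            }
    return None

if __name__ == "__main__":
    result = simulate_double_spend()
    print("deposit confirmations before reorg:", result["confirmations_seen"])
    print("exchange balance before:", result["before"].get("exchange", 0))
    print("exchange balance after: ", result["after"].get("exchange", 0))
```

With a majority of the hashrate the private fork eventually outpaces the public chain no matter how many confirmations the exchange waits for; with a minority share the chance of catching up falls off exponentially with the confirmation count, which is why raising the confirmation requirement is the usual defensive response for a chain under attack.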


“We observed repeated deep reorganisations of the Ethereum Classic blockchain, most of which contained double spends,” Coinbase security engineer Mark Nesbitt said in a blog post. “The total value of the double spends that we have observed thus far is 219,500 ETC (~$1.1M).”

Coinbase identified the deep chain reorganisation of the Ethereum Classic blockchain on January 5, at which point the firm halted on-chain ETC payments in order to safeguard its customer funds and the cryptocurrency exchange itself.

An update on status.coinbase.com reads: “Due to unstable network conditions on the Ethereum Classic network, we have temporarily disabled all sends and receives for ETC. Buy and sell is not impacted. All other systems are operating normally.”

It's worth noting that this incident was not a one-time event, as the attacks were apparently ongoing. Initially, Coinbase identified nine reorganisations containing double spends, amounting to 88,500 ETC (about $460,000), but the latest update on its blog post says at least 12 additional reorganisations included double spends, totalling 219,500 ETC (nearly $1.1 million).

At the time it was not clear whom the attackers had targeted, but Coinbase reassured its customers that the exchange itself had not been the target and that no customer funds were lost. Ethereum Classic initially denied the Coinbase claims, saying that the ETC network appeared to be "operating normally," but hours later it confirmed the "successful 51% attack" on the Ethereum Classic network with "multiple" block reorganisations.


However, Ethereum Classic said that Coinbase did not contact ETC personnel regarding the attack and added that the investigation is an “ongoing process.”

Since it is incredibly difficult or perhaps virtually impossible to mount such attacks against heavily-mined cryptocurrency networks like Bitcoin and Ethereum, attackers chose to target small-cap cryptocurrencies like Ethereum Classic, Litecoin Cash, Bitcoin Gold, ZenCash (now Horizen), and Verge.

Created in July 2016, Ethereum Classic is the 18th-largest cryptocurrency with a market cap of over half a billion dollars (around $539 million), which makes it an attractive target for attackers.

This article highlights just how random and impersonal cyber attacks are. You may not think you or your Australian business would be a target, but you are. To ensure you are as secure and protected as possible, contact Domain Digital to have an obligation free initial consultation FREE OF CHARGE 

The Role of AI (Artificial Intelligence) in Cybersecurity

The origins of artificial intelligence (AI) are often traced back to World War 2, when British cryptanalysts at Bletchley Park built electromechanical and then electronic machines (the Bombe and, later, Colossus, one of the world's first programmable electronic computers) to break German cipher traffic whose keys changed daily. Historians have estimated that this work shortened the war by two to four years, saving between 14 and 21 million lives.

This was followed by the birth of computer science as a field of study in the 1950s, originally aimed at simplifying and automating the handling of large volumes of data. As technology evolved and the internet grew, AI has increasingly been used to help information security teams fight cyber crime, writes huntsource.io.


So what is it, what is it trying to do and how does it affect Australian, and more specifically Perth, businesses?

Using AI to Optimise Cybersecurity Results

AI can boost organisational cybersecurity by leveraging existing data to detect vulnerabilities and identify cyber attacks. According to Cisco Systems, up to 32% of businesses are currently highly dependent on AI for their cybersecurity needs. In its present form, AI-based cybersecurity technology is being used to:

  • Accelerate incident detection using processing power and analytics
  • Identify security risks based on configuration errors and software vulnerabilities
  • Rank and prioritise threats
  • Automate threat response

As technology evolves at a rapid pace, so do potential cybersecurity threats. Apps, smart phones and cloud services have done a great deal to simplify life for users and create great economic opportunities for IT companies and the professionals who work for them. On the other hand, more data and more software means more potential targets for hackers.

This increases the risk that cyber criminals will strike while defenders are still working through the backlog of data, exploiting known vulnerabilities before they can be closed. AI can help by dramatically decreasing the time it takes analysts to sift through that data and close security gaps.

In March 2017 IBM launched Watson for Cybersecurity, a cognitive AI tool for security operations centres (SOCs). Watson is designed to help security professionals work through these mountains of data to quickly pinpoint real threats and generate reports in minutes. According to IBM researchers, cyber security teams go through over 200,000 security events every day, in a process that wastes up to 20,000 hours per year chasing false positives.

They also found that only around 7% of information security professionals are currently using cognitive AI tools, but expect the use of this technology to triple over the next 2-3 years.

What’s The Future?

The current state of AI in the cyber security world is what the market has been calling first generation cybersecurity AI, technology that helps humans solve problems in less time, but is nowhere close to replacing them. Since it still relies heavily on existing data, AI will have trouble detecting innovative approaches often taken by cyber criminals.

This means that AI and the automation of security processes need to be used as tools by qualified cyber security pros to optimise results. AI can’t act as a substitute for cyber security basics either. These include using separate devices for personal and professional purposes and taking care not to fall prey to phishing scams and social engineering.

For companies looking to integrate AI into their cyber security strategy, the number of security professionals they should keep on staff varies depending on their size and scope of operations. The development of AI software as a service (SaaS) has been rolling full steam ahead and should help information security professionals with basic tasks such as threat detection.


Some observers like Sam Bouso, founder of the AI cybersecurity company Precognitive, reckon that certain jobs involving security analysis, intrusion detection and vulnerability assessment will be in direct competition with AI within the next five to ten years.

As threat detection becomes increasingly automated through AI, certain entry level cyber security jobs on the defensive security side may be affected, while jobs related to offensive security like penetration testers, along with managerial positions are unlikely to face threats from AI.

Domain Digital's team specialise in offensive cyber security and work hard to stay ahead of the curve as cybersecurity specialists. For an obligation free consultation, simply fill out this form and one of our staff will be in touch.

How the Quick Thinking of a Staff Member Saved a Perth Business Potentially Thousands of Dollars

The quick thinking of a staff member at Perth-based fleet leasing company Easifleet really did save the company potentially thousands of dollars when nasty malware was distributed from a compromised Dropbox account belonging to one of their clients.

It seemed legitimate enough: an Easifleet staff member received a couple of emails from a client's Dropbox account. She receives emails from this client from time to time, with documents transferred via Dropbox. This time, however, was different. Firstly, she wasn't expecting any documents; secondly, more than one email arrived.


The staff member decided to place a call to Easifleet's IT support company, Domain Digital, just to "ask the question". A quick look, and a recommendation to touch base with the sender to confirm whether they were indeed trying to send something through, resulted in the client being made aware that their Dropbox account had been compromised.

The links had been sent to every contact in the client's Dropbox account, with particularly nasty malware behind them. The staff member's presence of mind, and the ongoing education of staff in spotting phishing and other suspicious emails, truly saved the company.

Domain Digital’s online training and education platform could help your staff upskill and educate themselves as to what may constitute a suspicious email or a genuine phishing attempt. To find out more about how this can benefit you and your staff contact the Domain Digital team

Extremely stealthy malware – Controlled by your emails

A long list of government foreign offices are the most recent victims of a cleverly crafted backdoor: malware on an infected machine is controlled through PDFs sent to it by email, giving the operators access to confidential government information.

What is the threat?

An advanced persistent threat group known as Turla has crafted malware that uses COM object hijacking: it modifies Windows Registry entries so that its own DLL is loaded in place of a legitimate component, letting it run silently every time Outlook is opened.
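COM hijacking leaves a trace that defenders can hunt for. Under Windows, a CLSID registered per user (HKEY_CURRENT_USER\Software\Classes\CLSID) takes precedence over the machine-wide registration in HKEY_LOCAL_MACHINE, so an attacker can redirect a component Outlook loads simply by writing an InprocServer32 key pointing at their DLL. The example below is an added one, not ESET's analysis code and not tied to the specific CLSID Turla used: it parses a Regedit .reg export and flags InprocServer32 entries whose DLL lives outside the normal installation directories, noting when the entry is a per-user one that shadows the machine-wide registration. The CLSIDs and paths in the sample export are made up for the example.

```python
import re

# Directories a legitimately installed COM server normally lives under.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Matches HKCU\Software\Classes\CLSID\{...}\InprocServer32 and the HKLM equivalent.
INPROC_RE = re.compile(
    r"^(HKEY_[A-Z_]+)\\(?:SOFTWARE\\Classes\\)?CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$",
    re.IGNORECASE)

def parse_reg_defaults(reg_text):
    """Minimal parser for a Regedit .reg export: map each key to its default
    ('@') value when that value is a plain quoted string (.reg doubles backslashes)."""
    defaults, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith("@="):
            value = line[2:].strip()
            if value.startswith('"') and value.endswith('"'):
                defaults[key] = value[1:-1].replace("\\\\", "\\")
    return defaults

def find_com_hijacks(reg_text):
    """Flag InprocServer32 entries whose DLL is outside the trusted roots.
    A per-user (HKCU) registration shadows the machine-wide one for that user,
    which is how a hijack slips a DLL into Outlook's process without admin rights."""
    findings = []
    for key, dll in parse_reg_defaults(reg_text).items():
        match = INPROC_RE.match(key)
        if not match or dll.lower().startswith(TRUSTED_ROOTS):
            continue
        hive, clsid = match.group(1).upper(), match.group(2).upper()
        findings.append({
            "hive": hive,
            "clsid": clsid,
            "dll": dll,
            "shadows_hklm": hive == "HKEY_CURRENT_USER",
        })
    return findings

# Constructed export with made-up CLSIDs: one per-user entry pointing at a DLL in
# a temp folder, one per-user and one machine-wide entry under Program Files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\mapid.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\Vendor\\core.dll"
"""

if __name__ == "__main__":
    for finding in find_com_hijacks(SAMPLE_REG):
        print(finding)
```

In a real environment export the CLSID hive with `reg export` and feed the file in; expect some noise from per-user installs that legitimately live under %LOCALAPPDATA%, which you allow-list by vendor path rather than by loosening the trusted roots. The parser handles only plain string values; expandable-string (hex(2):) values need decoding before the same check applies.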

The malware monitors all incoming and outgoing emails, logs the activity and information it collects into a crafted PDF, and sends that PDF to the Turla operator.

According to ESET, the malware code suggests a basic version of the email backdoor was created in 2009, which originally could only dump email files, and has since been adapted to increase its level of stealth and capabilities.


How does it work?

As the malware scans emails for information to log, it also constantly scans attached PDFs for new commands sent by the operator.

Due to the nature of the malware, these specially crafted emails may never reach the user's inbox, as the malware is commanded to delete the email on receipt; they are generally sent during business hours to maintain stealth and mask unusual behaviour.

How is this different from other malware?

Usually, malware is controlled through command and control servers, also referred to as C2.

The downside for attackers using this method is that as soon as the C2 address is blocked, they lose control of the malware.

With the PDF-controlled variant, the operator can regain control by sending a specially crafted PDF containing a new C2 address from any email account.

What is the current threat?

At present there is no direct threat to regular businesses and individuals, as Turla focuses its efforts on government bodies and contractors to gather political intelligence.


Now that the threat has been publicly disclosed, copycat malware is likely, given the technique's stealth and its ability to regain control through a coded PDF sent by email; businesses will need to monitor email activity carefully for unusual behaviour.

How can you protect yourself from the Threat?

The best level of protection is to take the necessary actions to prevent an infection in the first place.

  • Use non-persistent virtual machines on PCs, so staff boot a clean, uninfected image on each start-up.
  • Real-time protection to block an initial infection, with active security software on devices and across the network.
  • Maintain software, system, security and network updates so your systems are not vulnerable to known backdoors.

Because the command traffic rides on the organisation's own mail flow through the Exchange server, perimeter firewalls do not stand in its way; at present, finding an infected machine means monitoring email activity for unusual behaviour.

Contact us for a FREE 27-point network and cybersecurity risk assessment. One of our senior technicians will evaluate your network for potential vulnerabilities, providing you with a full report with recommendations if any risks & potential areas of improvement are found.

New Global Ransomware Threat

There’s a new form of ransomware that emerged globally this month – and it’s leaving a nasty payload on computers both corporate and personal.

What is ransomware?

Ransomware is software designed to block users' access to their computer or files until a sum of money is paid. It is a subset of malware that typically encrypts the files on the computer. Ransomware can be a lot more complicated to deal with than other malware: once it has encrypted a user's files, removing it does not undo the damage, so preventive policies are always advised.

What is the new threat?

KeyPass ransomware, a variant of the STOP ransomware, turns encryption, a legitimate part of computer security, against the user and leaves them open to further attacks.

According to researchers at Kaspersky Lab, there is not much that can be done once a user has been infected. As they say, the best form of offence is defence.
Kaspersky Lab notes that the ransomware is spread via "fake installers that download the ransomware module".

Once it has taken over, the ransomware leaves a ransom note demanding $300 to get the files back, and threatening that if it is not paid within 3 days it will cost even more to unlock the computer.


However, Kaspersky Lab recommends not paying the ransom, as it is likely the files will not be decrypted and you will be left without your files AND out of pocket.

The researchers suggest taking precautionary measures is the only way not to fall victim to the new ransomware, and we here at Domain Digital wholeheartedly agree. Prevention is always better than cure.

What can you do to protect yourself from Ransomware?

Our CEO, Charlie Stephens recommends a number of steps to protect yourself from cyber-crime, including regular computer back-ups so, in the event your computer is infected, you’ll be able to restore it back to the latest version with minimal loss, without having to pay hard earned dollars to the cybercriminals.

It is extremely important to password protect access to backup files and to copy them to an external backup drive that is disconnected from the network once the backup completes. Ransomware encrypts any drive it can reach, so a backup that stays attached is no protection; a recent, offline copy is.

Remember, always use an anti-virus and anti-malware product with real-time protection (typically a paid, business-grade product). Many of the free programs people and businesses rely on are on-demand scanners only, meaning they can find an infection after the fact rather than block the initial attack.

There are a number of other practices and procedures that businesses can do to protect themselves from ransomware attacks. This includes incorporating security software such as commercial grade firewalls and malware protection across individual devices, and across the server; with real-time monitoring to isolate an attack if there’s a breach and prevent it from spreading to other devices on the network.

As part of Domain Digital’s 2-hour “Cyber Security and Network Risk Assessment”, our senior technicians look to identify any loopholes and back-end entry points in your network that could make your business susceptible to a ransomware attack, or any other cyber threats, and provide recommendations on how to fix those issues.

We like to ask “Do you know if your network looks like a sieve?”.

There are also several policies business owners should implement to reduce the risk:

1) Set up automatic system backups, including an offsite backup.
2) Do not open attachments you were not expecting or whose sender you do not know.
3) Scan attachments with a real-time anti-virus / anti-malware tool.
4) Apply Windows updates and patches as soon as they are available.
5) Use strong passwords and never reuse a password across sites. (A strong password is longer than 12 characters and contains at least one capital letter, number and special character.)
6) Implement two-factor authentication (2FA), which requires an authenticator app or one-time code in addition to your regular login.


Domain Digital can assess the risk of your current Security measures & Network with an obligation free, 2 hour “Cyber Security and Network Risk Assessment”, please contact us and we’ll arrange an appointment with you.

O365 – Restore Access Scam

If you are on the administrator list of any Office 365 service, you will see many notifications advising you of various adds, moves and changes. The notifications carry standard branding (colours and so on) so that you recognise the messages. The fact that the branding is clear and recognisable also makes it easy to spoof, and these messages an easy scam to fall for if you are not careful.

The message below was sent through this morning, complete with standard O365 colours. I had not seen this particular message before, but the big green button made it very clear what I was supposed to do. Lucky I took a closer look, as you should with every action you take online.

Firstly, we can see that the email address is not originating from Microsoft.

Secondly, if you hover your mouse over the "Restore Access" button (being careful not to click it), you will see the link target. Again, it is clearly not linking to the intended Microsoft site.
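Both checks in this post, who actually sent the message and where the button actually goes, can be automated. The example below is an added one (not Microsoft's filtering and not a Domain Digital tool): it parses a raw email with Python's standard library, compares the sender's domain and every link's host against a list of domains the real notifications come from, and reports what does not match. The trusted-domain list is an assumption for the example (check your own tenant's mail flow for the authoritative one), and the sample message, its sender and the button's destination are all constructed.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: domains genuine Office 365 admin notices come from.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")

def domain_is_trusted(host):
    """True if `host` is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body, so the
    'hover over the button' check can be done on the markup itself."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_message):
    """Return the sender, whether its domain is trusted, and every link whose
    real destination is not on a trusted domain."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(html)
    suspicious = [(href, text) for href, text in collector.links
                  if not domain_is_trusted(urlparse(href).hostname)]
    return {"sender": sender,
            "sender_trusted": domain_is_trusted(sender_domain),
            "suspicious_links": suspicious}

# Constructed sample: branded display name, look-alike sender domain, and a
# green "Restore Access" button pointing at a non-Microsoft host.
SAMPLE_EMAIL = """\
From: "Microsoft Office 365" <admin@o365-notices.example>
To: admin@contoso.example
Subject: Action required: restore access to your tenant
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your administrator access has been limited.</p>
<p><a href="http://o365-restore-portal.example/verify?id=8821"
      style="background:#107c10;color:#fff;padding:12px">Restore Access</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The display name is ignored on purpose: it is attacker-controlled text, and the address after it is what the From check must use. Links whose visible text says one thing and whose href goes somewhere else are the equivalent of hovering over the button.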


You need to remain alert. It would be very easy just to click "Restore Access" and proceed to torch your computer, and possibly your entire network.

If you are looking for additional tips, sign up to our security tip list below:

WiFi on Krack

If you have ever used Wi-Fi, and let's face it, who hasn't, then this is something you need to know.

We've already covered two recent Wi-Fi vulnerabilities affecting Android and Apple devices, and have another, potentially much bigger, piece of Wi-Fi news. The device you are using is on the KRACK. Maybe not what you are thinking (pretty sure your computer doesn't have a pipe), but it is equally serious.

KRACK is the code name for Key Reinstallation AttaCK, a weakness in the WPA2 protocol that protects most Wi-Fi networks. In short, an attacker within radio range can use it to read information that was previously thought to be safely encrypted on the wireless link, including credit card numbers, passwords, chat messages, emails and photos.

This is breaking news and, in short, there is little you can do other than plug your computer into an Ethernet connection and avoid Wi-Fi altogether, or make sure the traffic itself is encrypted end to end (HTTPS sites and a VPN stay protected even over a compromised wireless link). Whilst this is not particularly helpful advice, as we all love the freedom of wireless, it is what it is until system fixes make this vulnerability go away.
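Why does reinstalling a key let someone read your traffic? WPA2 encrypts each frame with a stream-style cipher (AES in counter mode inside CCMP) under a key and a packet number that must never repeat. KRACK forces the client to reinstall an already-used key, which resets that packet number, so two frames end up encrypted with the same keystream. The example below is an added demonstration of that principle, not code from the KRACK paper or any Wi-Fi stack: it uses an HMAC-SHA256 counter-mode keystream as a stand-in for CCMP so it runs with the standard library only, and shows that once the nonce repeats, XORing the two ciphertexts together with one known frame reveals the other. The key, nonce and frames are constructed.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """Counter-mode keystream HMAC-SHA256(key, nonce || counter), extended block by
    block. Stand-in for the AES-CTR keystream CCMP derives from key and packet number."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, nonce, plaintext):
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def recover_from_nonce_reuse(c1, c2, known_p1):
    """If c1 and c2 were produced under the same key and nonce the keystream cancels:
    c1 XOR c2 == p1 XOR p2, so a known p1 reveals p2 byte for byte."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))

# Constructed key and frames. In a real attack the known frame is something
# predictable on the link, such as an ARP or DHCP packet or a protocol header.
KEY = hashlib.sha256(b"constructed pairwise key").digest()
KNOWN_FRAME = b"GET /intranet/ HTTP/1.1\r\nHost: portal\r\n"
SECRET_FRAME = b"Cookie: session=CorrectHorse\r\n"

def demo(reinstall_key=True):
    """With reinstall_key=True the attack has reset the packet number, so the second
    frame reuses nonce 1; with False the nonce advances normally and recovery fails."""
    c1 = encrypt(KEY, (1).to_bytes(6, "big"), KNOWN_FRAME)
    second_nonce = (1 if reinstall_key else 2).to_bytes(6, "big")
    c2 = encrypt(KEY, second_nonce, SECRET_FRAME)
    return recover_from_nonce_reuse(c1, c2, KNOWN_FRAME)

if __name__ == "__main__":
    print("nonce reused:  ", demo())
    print("nonce advanced:", demo(reinstall_key=False))
```

The recovery needs no knowledge of the key at all, which is why the fix is on the client: patched devices refuse to reinstall a key that is already in use, so the packet number never rewinds. Anything encrypted above the Wi-Fi layer (TLS, a VPN) is unaffected because its own keys and nonces were never reused.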


Here is a little bit more information if you are chasing some more detail – https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

Stay tuned as we find out more about this issue. We expect fixes to be released, and then every Wi-Fi device will need to be updated, at work and at home.

To make sure you are up to date with security tips and tricks, sign up below:

Legitimate Invoice Request

Sometimes we see spam messages that are really clever. Some are so bad they make us laugh, just like this one.

Has anyone seen the message below?

As always, if you see a questionable message, just delete it. Don't try to figure out what their angle is, and don't ever click on the links.

If you would like a weekly security reminder, sign up below to keep yourself safe.


Want to know more about how Domain Digital’s IT services in Perth could be of value to your business?