Purelocker

Built to Dodge Your Detection: Could This Be the First ‘Smart Malware’

Cybercriminals have done it again, they’ve developed ransomware that can now be ported to ALL MAJOR operating systems including, Windows, Linux, and MacOS. These attacks come targeted against your data servers. The name for this is PureLocker, a snaky nod to the programming language it’s been written in Pure Basic.

Carefully designed to evade detection, hiding malicious behavior in sandbox environments, using only functions seen in music playback. Reports have flown in that this malware can check if it’s in a ‘debugger’ environment, it will exit immediately deleting and hiding the payload from execution.

This has enabled PureLocker malware to stay hidden from many of the industry’s leading detection devices for up to several months. Many attacks will be launched on servers, laying aim to holding you hostage and only returning full-operation, after the ransom has been paid. Typically, these are seen by many as ‘high-value assets’ making these payment demands, suddenly sky-rocket. It should be noted, several of these examples had code to remove ALL DATA if the ransom was not paid within 7 days.

After doing some internet sleuthing, we uncovered several of these ransomware campaigns on the Dark Web, being offered to many as ‘Attacks-as-a- Service.’ Although cybercriminal operations and groups are on the rise, this bespoke attack is now being poised for use in phishing emails.

Don’t Be Fooled

These attacks mean business and are designed for criminals who know exactly how to hit organizations where it can hurt. Although uncertain how exactly its payload is delivered to businesses at this time, we know it operates with multi-staged attacks, further muddying the ability to rollback servers and systems from a single recovery point.

Those infected with the malware will see the normal signs of an attack, a ransom note with an email to begin communicating the negotiation of a fee to decrypt your files. BE WARNED: you will only have 7 days to pay the ransom, or all files will become uncoverable.

Concerned About the Health of Your Security Infrastructure?
We can help, with experts looking to provide your business, and employees with peace-of-mind knowing your data, and company reputation is protected. Bring constant visibility and threat reporting to your team, with NetCentral Secure from Clare Computer Solutions – Call us today to begin discussing your options.

FBI Updates Statistics: CEO Fraud Is Now a $26 Billion Dollar Scam and Growing

In 2000, the FBI created the IC3, known as the Internet Crime Complaint Center was first developed to handle singular fraud cases, until 2003 when the expansion of this department became unignorable. As of late, the cyber climate began growing at a rapid pace, so to aid in safer business computing, the FBI utilizes this division to receive complaints regarding any cybercrimes or fraud dealing with intellectual property, business data, client information, or employee contact information.

FBI’s Internet Crime Complaint (IC3) reports updated numbers, with Business Email Compromise(BEC) scams, known for CEO fraud are continuing to grow year over year. With over 100% increase in identifiable losses between May 2018 and July 2019. Since releasing their last report in June 2016, the IC3 received complaints regarding 166,349 domestic or international incidents – that is too many people falling for CEO fraud. It gets worse, with a total of $26 billion being stolen from 2016 – 2019. These findings are starting for any growing business, as criminals prey on Personal Identifiable Information or Wage & Tax Statements.

What’s the scam behind the Billions lost?

Although business email compromise scams have grown, there is a heightened awareness regarding this style of fraud schemes. Making this scam the most reported scheme from victims all over the world, making up the estimated $26 billion loss. Obviously, the U.S. is hit hard, but so are 177 other countries, across 140 banking institutions. Forcing small business owners, to begin acting on proactive methods of protection, and reactive measures for employees and technology.

Defensive Measures Against Business Email Compromises:

  • Use two-factor authentication or multi-factor Authentication to verify requests regarding changes in account information.
  • Always check URLs in email links, to double-check the business is who it claims to be.
  • Be aware of purposefully misspelled links to suspicious domain names.
  • Do NOT supply logins or Personal Identification Information through email.
  • Monitor your personal accounts on a regular basis, like a missing scheduled deposit.
  • Keep software patches on ALL systems, applying any possible feature updates.
  • Always check the sender’s email address to the company, they claim to be from. In most cases, domains should be the same.
  • Ensure email extension settings are setup, according to your company policy, to address the 2nd largest attack vector.

To make sure your employees don’t fall victim to Business Email Compromises, many businesses have implemented more strict processes to double-check/authenticate information regarding payment processing, HR, or Tax Information. using familiar methods. Not sure where you Stand? Need more direction? Cyber Security is a multi-layered approach, designed to uniquely target threat-vectors in a proactive attempt to shore-up any defenses that could easily be breached.

Leave Worrying About Hackers to the Experts
Clare Computer Solutions has provided clients with IT consulting, and Managed Services in the Bay Area since 1990. Security isn’t a one-and-done approach – get the right fit security for your business.

Hackers Execute Ransomware Attack & Encryption on SF Asian Art Museum

In the wake of destruction from an ever-growing threat of cybercriminals, many major municipal branches in Baltimore and Atlanta fell victim to encrypted systems and were extorted for millions. Soon after, the major targets became local school districts and colleges, but it would appear the targets have changed once again. This time to an industry that will surprise many, who think this could NEVER happen to them.

Museums…. That’s right, last Tuesday it was reported that the Asian Art Museum in San Francisco was hit with a ransomware attack back in May. Initially, when I heard this, I was as surprised as you were, why would a Museum be hit with Ransomware? Why would someone search out cultural institutions to attack? The answer lays closer then we think, dealing in lower monetary value, museum donors’ personal information, can be easily stolen, alongside the typical digital footprint of email, phone number, first name, last name, etc.

It sounds like something out of an action movie, the hacking of a museum in San Francisco, came to the surface when the Asian Art Museum refused to pay the demanded ransom, sticking with the city’s official “no-negotiation policy.” Although everyone at the Asian Art Museum has been tight-lipped about the tactic’s used against them, we do know the data was recovered, by utilizing a trusted backup system.  Always making sure technology partners are checking-in, and running tests periodically, making sure systems built for fail-over are fully operational, and providing the museum the confidence needed to NOT PAY the ransom, knowing they can easily restore data, giving everyone at the Asian Art Museum, peace of mind.

Don’t be taken by surprise, protect your business with these five tips to better your data protection:

  1. End-Point Protection – To protect employees and business’ from cyberattacks and encryption, it’s critical to your success to employ up-to-date End-Point Protection (EPP) and Malware Alerting on high-value targets like servers or domain controllers.
  2. Gone Phishing – The human element is what gets most people, and it’s because these phishing examples have been developed to simulate a popular brand or coworker email. Without successfully phishing someone to gain access, the doors on your network can remain closed. Be warry, as social networks have been hit hard with email spoofing.
  3. See Something, Say Something – One of the most important things to teach employees within your network, is if they see a ransomware pop up, you should immediately disconnect this machine from the network. This will prevent the infected system from communicating with other nods on your network, damaging more of your data, and encrypting more technology.
  4. Group Policy Controls – Generate access controls or Group Policy, in case someone does get into one of the computers, they won’t be able to remote into someone else’s PC or system. Making it critical to prevent the spread and damage of further entities.
  5. Prioritize your Vulnerability – How much of a threat can your business take on, with information everywhere on the network, it grows impossible to secure everything, making it imperative to create a layered approach – to further secure financials and company email that could contain personal information.

In today’s cybersecurity landscape, ransomware poses a serious risk to every business. Taking a proactive approach is the key to reducing your risk. You can learn more about disaster recovery planning and reliable backup solutions by consulting a technology partner who understands your organization’s unique needs. Contact a Clare Computer Solutions Consultant today to determine your risk.

Flipboard News gets hit by data breach in IT Support Blog Clare Computer Solutions

Read Between the Lines: What Your Business Could Learn from Flipboard’s Recent Data-Breach

According to Flipboard, hackers were able to tap directly into the databases where the app-company housed customer information. The information stolen, including customer names, user names, hashed passwords, emails, and digital tokens or API tokens for your favorite social media apps. Although Flipboard does not know how many accounts hackers infiltrated, nor have they fully-assessed the damage, one thing is for sure: It’s time for many companies to begin reading between the lines. While data that was stolen is serious, it’s the number of time hackers were able to go undetected that is cause for concern. Companies need to focus on Endpoint Protection. Read more

SF Bay Area Law Firms hit by ransomware and hackers

Phishing Attacks Begin Leveraging Legal Threats From Local Law Firms

By far the most convincing email phishing and malware attacks come disguised as your “typical nastygram” from local businesses. These emails have grown in popularity with cyber-criminals. By making minor customizations to these campaigns, these phishing attacks are now being spoofed as though, local organizations are the culprits! These emails notify recipients that he/she is being sued and instructs them to review the following attached files, with a directive to respond within a specific time frame, or penalties will occur… Here’s a look at a recent phishing campaign that peppered more than 100,000 business executives. With the goal of phishing for employee personal information and exploiting data systems, by utilizing a local law firm’s system to send infected data to partners.

In May, two well-known anti-virus firms began detecting compromised files, specifically within Microsoft Word. Emails with attachments were sent with a simple variation of the message below. This exact kit is now being traded alongside others on the “dark web,” therefore we have numerous business names outlined in brackets below.

Read more

What Exactly Is a Security Posture & What Does It Mean to Your Business

Our business ecosystems have begun rapidly changing, with cybercriminals evolving rapidly, a new vocabulary is developing. A new addition to the lexicon of many is the concept of “Security Posture.” Another techy-word, referring to the strength and security of your IT infrastructure. Putting an increased presence on internet-born vulnerabilities for business technology. How you manage current hardware and software purchases, policy & procedure generation and controls.

What Makes-Up Your Security Posture

Any of these singular aspects are defined under cybersecurity, your security posture develops the likelihood of a breach, and what it would take for hackers to gain access to these critical pieces of network technology, but also the state of your employees, and if they can spot similar threats, making these difficult for many to observe.

In the context of managing cybersecurity, larger organizations, including Directors of IT, Chief Technology Officers, and any compliance officer, must make decisions based on the deliberation and analysis of their security posture. Generating a better understanding surrounding certain aspects of your cybersecurity approach, but this is simply not enough anymore. In today’s connected age a more holistic approach is needed to meet regulations and compliance. Read more

The Scariest New Ransomware Strain Taking Business Networks by Storm

Several security teams have recently discovered the scariest new strain of highly-sophisticated ransomware called MegaCortex. Although this new strain sounds like something out of this world, MegaCortex is a purpose-built threat used to seek and destroy corporate networks, as a whole. Yes, you read that correctly, ENTIRE NETWORKS. What makes this strain on ransomware so unique, is once penetrated, attackers will begin releasing various payloads, infecting your network by rolling out malware to servers, and workstations using your very own domain controller or “DC,” as many know it today.

These attacks have already been detected in the United States, Italy, Canada, France, and a few other European Union (EU) nations. This comes to many in the cybersecurity community as a recently discovered strain, meaning not much is known about how it’s encryption works, or how they are getting in. Worst of all, we don’t know if the ransom payments are being honored as of yet. This is everything we know about MegaCortex ransomware.

How MegaCortex Strikes

Many security and analytics companies have begun diving deeper into this strain of malware. Findings include similar actions to the RYUK Strain, where attackers use Trojan operators to access infected systems. What this means specifically is, if Emotet or Qakbot Trojans have been present on network devices, there is a growing concern, this could be potential network backdoors.

How MegaCortex Uses Your Own Domain Controllers

Although this case isn’t clear how the bad guys are getting into your network, many victims have reported numerous attacks originating from a compromised domain controller. On the domain controller, Cobalt Strike is being dropped and executed to create a reverse shell back to an attacker host.

Using this shell, attackers take control of your domain controller configuring and distributing a copy of the malware executable and batch-files across your network. This file then executes 44 different processes, including disabling Windows Services.

During the encryption of your system, ransomware will append extension file names, including “.aes128ctr.” We do not know if these extensions are static or created dynamically by each infection, including a secondary payload.

Secondary Payload? What Gives?!

In an effort to deliver the most accurate information, security researchers have also identified what would appear to many as a Secondary Hit, or Secondary Main Component. In plain-English, this means its delivery system is multi-staged and uses multiple payloads on a single device. We are still unclear at this time if the malware is dropping MegaCortex or if it’s maliciously installed.

How to Block MegaCortex Infections All Together

It’s recommended for many and Clare Computer Solutions’ best practice to have a weapons-grade backup solution, either off-site or in the cloud. As many strands of ransomware target these backups first, and foremost.

In this article “Locking it Down: Remote Desktop Protocol,” we highlighted the need for many businesses’ to secure RDP Services that are publicly accessed via the internet. If your machine MUST run RDP, make sure it’s placed behind a firewall, and only made accessible via a VPN tunnel.

Although this ransomware isn’t being spread by email spam, it’s possible the Trojans listed above, can and will. That is why it’s crucial to always identify and inform you of this phishing, and social engineering attacks, to build greater awareness.

Does It Feel like I’m Speaking Another Language?

If you’re unsure where to begin, our security specialists can help! With over 30 years of experience in information technology, our staff knows what it takes to meet security standards. Get ahead of the bad guys, with a Security Posture Evaluation.

 

Tax Season is Ending, Clean Up Your Sensitive Information Before the Criminals Do

If you’re anything like me, your tired of picking up the phone just to hear someone’s terrible recording of a tax collector, IRS agent or CPA demanding some outrageous sum of money. According to the IRS, in their latest security bulletin, they have formulated 2019’s “Dirty Dozen.” Keeping employees and end-users in mind, many will have sensitive data leftover on their devices, making your business a prime target.

With highly targeted attacks plaguing many of us today, it’s not uncommon to see Business Email Compromised or more-commonly, CEO Fraud. Reaching $12.5 Billion in total known losses, these attacks have bad guys trying to convince end-users, typically in Accounting, Receiving, HR, and sometimes IT to release information or funds based on their faked email address or title. Typically, this results in many unknowing employees making some form of payment or releasing the information as they view their job could be at stake.

We’ve even seen these “Fake CEOs” attempt to send out emails regarding W-2 issues. Once opened, the payload can be delivered from these attacks at any point in time. In most cases, we’ve witnessed malware laying low in systems for 90 days. With tax season closing, we wanted to shed some light on the technology aspects of the “IRS’ Dirty Dozen.”

Here’s a recap of this year’s ‘Dirty Dozen’ scams:

1. Phishing: Business’ filing on their own behalf this year, should be alert to the potential for faked emails or websites looking to steal personal information. The IRS notes, “The IRS will never initiate contact with taxpayers via email about a bill or tax refund.” Don’t click any links or attachments from someone claiming to be from or on behalf of the IRS. For more information from the IRS website see here: (IR-2019-26)

2. Phone Scams: Phone calls from criminals or on behalf of them impersonating IRS agents remain an ever-growing threat to end-users during tax season. It’s these same calls your employees receive that contain outlandish threats including police arrest, deportation, or my personal favorite license revocation. For more information from the IRS website see here: (IR-2019-28)

3. Identity Theft: During tax season, businesses will have taxpayer information on-hand for one of the few times all year. This means for the period between March to May, the IRS warns that identity theft will rise, although the security industry has made several large strides in protecting employees currently. The IRS warns business’ as they continue perusing these criminal actions. For more information from the IRS website see here: (IR-2019-30)

6. Tax Return Preparer Fraud: Unfortunately for some business’ the amount of fraudulent Tax Preparer has also grown in stride. As we all know, the vast majority of tax professionals are there to provide honest, high-quality services but others will operate during the filing season and it’s these scams that continue to push refund fraud and identity theft further. For more information from the IRS website see here: (IR-2019-32)

8. Inflated Refund Claims: Alert the IRS or the police of anyone whose promising inflated refunds or credits. Be alert to anyone promising large returns or asking for credits. This falls on local law enforcement to assist as these frauds will use flyers, fake storefronts, and community groups to infiltrate your trust. For more information from the IRS website see here: (IR-2019-33)

Continue staying diligent, as the typical end-user and employee has sensitive information nearby. Maybe it’s an email of your tax return or that W-2 from human resources. Regardless, having it near anything business related can be an area for concern, for cybercriminals and frauds they will have hit the jackpot.

Learn how to secure your end-users and employees, educating them on how to handle sensitive information, how to interact with strange emails.

Cyberattacks Using SSL Encryption Swells the Success Rate of Malware to 400%

Utilizing Microsoft’s latest partner release of the 2019 Security Intelligence Report, a report put together to inform Microsoft and Office365 Partners of the latest threat-analytics to hit the landscape. Of the 470 billion emails analyzed, the year-to-date trend was well over 250% since it’s last publication in 2018. As phishing attacks continue to trend upwards, attackers are beginning to leverage more sneaky tactics to accomplish their end goal, including blackmail, extortion and worst of all, data corruption.

For many businesses, encryption has become the norm as cyber-criminals begin looking to disrupt operations to turn a quick profit.  One of the largest goals behind any cyber-attack is stealth, the longer a malicious activity goes on unnoticed in your systems, the greater the chances of their attack succeeding. One popular avenue has begun involving SSL encryption to disguise the transmissions of the attack from your local anti-virus or malware agents.

As previously warned, these attackers are persisting to utilize website encryption to provide users with a false sense of confidence while surfing or researching something on the web. As we have mentioned here, Security Awareness Training can assist in informing your employees of the perils found in today’s connected businesses. Begin scrutinizing the sender’s domain name, and the content they want from you.

  • Phishing – 2.7 Million phishing attacks occur monthly, a 400% increase since we’ve been tracking these states in 2017.
  • Content is King – 196 Million instances of “malicious content” including websites, malicious scripts, and malvertising we all found on some of the most well-known websites this year.
  • Botnets – 32 Million botnet callbacks were performed and blocked on average each month since 2018
  • Domains – 32% of all spoofed domains or websites were using SSL to deliver content.

Most Phished Brands through HTTPS:

  1. Microsoft Office365 or OneDrive – 58%
  2. Facebook – 12%
  3. Amazon – 10%
  4. Apple or iTunes – 10%
  5. Adobe – 4%
  6. Dropbox – 4%
  7. DocuSign – 2%

By preparing your employees with a security mindset, we broaden business’ stance on security, to better prevent things like SSL attacks from reaching your end-users. Each of these acts leverages more ways for cybercriminals to establish credibility, and the context needed to fool business.

Recently, I received an email from one of our clients in the North Bay, and they copied me on an email that was dressed up to represent a Microsoft Office 365 notice. Now, this notice contained links to an “invoice” that were crafted and carefully coded, to send the staff to a fake Russian URL, where Office365 logos were plastered everywhere. Even more conveniently, was the willingness for this HTTPS encrypted website to take down ANY information relating to my own personal Office 365 account. Thankfully, this partner reached out to our staff to double-check the status of their Office 365 account and wouldn’t you know it, no issues were reported.

(Email Pictured Below)

7 Cybersecurity Tips That Give Your Business an Unfair Advantage in 2019

Clare Computer Solution’s partner and security experts, Webroot, revealed the findings on their 2019 Threat Report, displaying many “tried-and-true” attack vectors or methods are still at the top of the list, with new threats emerging every day. It would appear the attackers are innovative, to say the least. This comes just in time, as many of our partners spoke to these very claims at the 2019 RSA Conference hosted just last week in San Francisco, California.

Hal Lonas, Chief Technology Officer at Webroot reports:

 

“We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program.”

Clare Computer Solutions Couldn’t Agree More; Here are some from Webroot’s 2019 Security Report highlights:

  1. A staggering 40% of malicious URLs were found on “good” or “safe” domains. Legitimate websites are frequently compromised to host malicious content. To protect users, and employees data cybersecurity needs URL-level visibility or domain-level metrics to accurately showcase these dangers. Far too often, standard antivirus or endpoint protection can lack the capabilities, leaving these links in an employee inbox.
  2. Phishing attacks have increased by 36%, with the number of malicious sites swelling to 220% from last year. We’ve even seen phishing sites use SSL Certificates, and HTTPS to trick unknowing users into believing they’re secure and legitimate. Microsoft’s latest Security Intelligence Report, confirms this with analytics reporting 250% increase in phishing messages being sent through Office 365.
  3. 77% of spear phishing attacks impersonated financial institutes, and most likely to use HTTPS over other types of target. With over 80% of financial institutions finding compromised links residing on an HTTPS page.
  4. Google followed by Microsoft, and UPS/FedEx ranked among the most impersonated brands in phishing overall for 2019.
  5. Security Awareness Training reports from Webroot and KnowBe4 both show an average of 80% less likely to fall for phishing attempts, especially with phishing simulations, and on-demand training.
  6. One-third of all malware makes attempts to hide inside of %appdata% folders. What makes these locations price for hiding, is the commonality between paths. Every user directory, with full user-permissions, will install here and are hidden by default in most operating systems. Although malware can and will hide almost anywhere, the most common locations are as follows:
    – 29.4% in %appdata%
    – 24.5% in %temp%
    – 17.5% in %cache%
  7. Devices using Windows 10 are at least 2x more secure than those systems still on Windows 7. Webroot has reported a steady decline in malware on Windows 10 machines in the business space.

Furthering your Security Measures

While ransomware was less of a problem in 2018, it has become more targeted, and companies, customers, and employees will fall victim to ransomware. In 2018 many attacks saw the use of Remote Desktop Protocol (RDP) as an attack vector. Leveraging tools to scan systems with inadequate RDP settings. It’s these unsecured RDP connections that hackers can use to gain access to a given system and browse through all its shared data. Further providing criminals with sensitive information that ransomware can exploit.

Begin furthering your security measures today, with the use of a cybersecurity assessment. Easily track your current security posture, and rely on the experts to build you a roadmap for securing your business. Dive-deeper into your network than ever before, with the use of our Security Posture Assessment from Clare Computer Solutions. If you wish to view the Webroot report, you can find that here.