
INSIGHT WEEKLY SECURITY NEWS LETTER-01-AUG-2018

Cyber criminals are distributing Hermes ransomware via malspam carrying weaponized, password-protected Word documents that encrypt the system's files and lock the victim out of the computer.

Hermes Ransomware via Password Protected Word Doc

Malicious spam (malspam) with password-protected Word docs continues to be an issue. 


Earlier, attackers distributed Hermes ransomware through a Flash exploit, in attacks targeting South Korean users.

The newly evolved versions of the ransomware bring many changes, including the method used to obtain the Trojan's key, the algorithm, the crypto libraries and the distribution method.

How does Hermes work?

Initially, Hermes ransomware was distributed via malspam posing as job applications, with malicious Word documents attached.

When the user tries to open the document, it asks for a password; that password is given in the body of the mail, and the sending addresses end in anjanabro.com.

Once the document is open, the user is prompted, behind a security warning, to enable macros, which lets the malicious document carry out its further activity.

Hermes encrypts most stored data, thereby making it unusable. To achieve this, Hermes 2.1 employs the RSA-2048 encryption algorithm.

Hermes does not append any extension or rename compromised files in any way. After successfully encrypting data, this virus generates an HTML file ("DECRYPT_INFORMATION.HTML") and places a copy in each existing folder.
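Because Hermes leaves file names and extensions untouched, a scanner cannot rely on a new extension to spot encrypted files. The script below is an added example written for this newsletter item (it is not code from the article or from any Hermes sample): it walks a share looking for the ransom note name the article reports, and flags files whose byte entropy looks like ciphertext. The 7.5-bit threshold, the sample folder names and the file contents are constructed for the demonstration.

```python
"""Spot Hermes-style ransomware activity on a file share.

Added example for this newsletter item; not code from the article or from any
Hermes sample. It relies on two facts the article reports: the ransom note is
named DECRYPT_INFORMATION.HTML and is dropped into every folder, and encrypted
files keep their original names and extensions. Since extension-based checks
cannot work, the scanner flags files whose byte entropy looks like ciphertext.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "DECRYPT_INFORMATION.HTML"   # note name reported in the article
ENTROPY_THRESHOLD = 7.5                     # assumed cutoff; random bytes score close to 8.0
SAMPLE_BYTES = 64 * 1024                    # read only the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk `root` and return the ransom notes and high-entropy files found."""
    notes, high_entropy = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:
                notes.append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            # Tiny files give unreliable entropy estimates; skip them.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    return {"notes": notes, "high_entropy": high_entropy}


def build_sample_tree() -> str:
    """Constructed sample data: a clean folder, and one 'hit' folder holding a
    placeholder ransom note plus a random-byte file standing in for an
    encrypted spreadsheet export that kept its .csv name."""
    root = tempfile.mkdtemp(prefix="hermes_demo_")
    clean, hit = os.path.join(root, "docs"), os.path.join(root, "finance")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 50)          # plain text, low entropy
    with open(os.path.join(hit, RANSOM_NOTE), "w") as fh:
        fh.write("<html>constructed placeholder, not the real note</html>")
    with open(os.path.join(hit, "budget.csv"), "wb") as fh:
        fh.write(os.urandom(4096))                        # stands in for ciphertext
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print("ransom notes:", result["notes"])
    print("suspicious files:", result["high_entropy"])
```

The entropy test alone produces false positives: modern Office files, archives and JPEGs are compressed containers and also score close to 8 bits, so in practice it is paired with the ransom-note signal (a note in every folder is hard to mistake) and with a baseline of known-good file types before anything is acted on.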

How Ransomware infiltrates:

Infectious email attachments are usually delivered as JavaScript files or MS Office documents.

Once the attachments are opened, these files stealthily download and install malware.

  • Trojans open “backdoors” for other viruses to infiltrate the system.
  • P2P networks and other unofficial download sources present malicious executables as legitimate software.
  • Fake software updaters infect the system by exploiting outdated software bugs/flaws, or simply by downloading and installing viruses rather than updates.

Reference: https://gbhackers.com/hermes-ransomware/

Remote Spectre Attack Steals Data Over the Network

A team of security researchers has discovered a new Spectre attack that can be launched over the network, unlike all other Spectre variants that require some form of local code execution on the target system.

NetSpectre, the new remote side-channel attack, which is related to Spectre variant 1, abuses speculative execution to perform bounds-check bypass and can be used to defeat address-space layout randomization on the remote system.

Impact:

It could allow an attacker to write and execute malicious code that could potentially be exploited to extract data from previously secured CPU memory, including passwords, cryptographic keys and other sensitive information.

Instead of relying on a covert cache channel, the researchers demonstrated the NetSpectre attack using an AVX-based covert channel, which allowed them to capture data from the target system at a meagre rate of 60 bits per hour.

All a remote attacker needs to do is send a series of crafted requests to the target machine and measure the response times to leak a secret value from the machine's memory.

Conclusion:

If you have already updated your code and applications to mitigate previous Spectre exploits, you should not worry about the NetSpectre attack.

Protecting the Enterprise Network from DDoS Attacks

A distributed denial-of-service (DDoS) attack aims to exhaust the resources of a network, application or service so that genuine users cannot gain access.

There are different types of DDoS attacks, but in general a DDoS assault is launched simultaneously from multiple different hosts and can affect the availability of even the largest enterprises’ internet services and resources.

Types of DDoS attacks explored:

Volumetric attacks — These attacks aim to overwhelm a network’s infrastructure with bandwidth-consuming traffic or resource-sapping requests.

TCP state-exhaustion attacks — Attackers use this method to abuse the stateful nature of the TCP protocol to exhaust resources in servers, load balancers and firewalls.

Application layer attacks — The target of these attacks is some aspect of an application or service at Layer 7.

How to prevent it?

  • Securing internet-facing devices and services goes a long way toward securing the network as a whole.
  • Carry out repeatable testing, and conduct penetration tests for all kinds of web application vulnerabilities.
  • Protocols such as NTP, DNS, SSDP and SNMP, and any services that use them, should be hardened and run on dedicated servers. Implement anti-spoofing filters to prevent attackers from sending packets that claim to originate from another network.
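The last two items of that list, anti-spoofing filters and exposing reflection-prone UDP services only on dedicated servers, can be expressed as a simple ingress policy. The following is an added example written for this newsletter item, not code from the article or from any firewall vendor: it applies BCP 38 style source checks per interface and rejects inbound NTP, DNS, SSDP and SNMP traffic aimed at anything other than the designated server for that port. The interface names, prefixes, server addresses and sample packets are all constructed for the demonstration.

```python
"""BCP 38 style ingress filtering plus amplifier-port exposure checks.

Added example for this newsletter item; it is not code from the article or
from any vendor product. Interfaces, prefixes, hosts and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology: lan0 faces the internal 10.0.0.0/8 segment, dmz0 faces the
# public 203.0.113.0/24 block, wan0 is the upstream link.
OWN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_SOURCES = {   # sources legitimately reachable behind each inside interface
    "lan0": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz0": [ipaddress.ip_network("203.0.113.0/24")],
}
BOGONS = [ipaddress.ip_network(p) for p in   # must never appear as a source on the WAN
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# UDP services commonly abused for reflection; from the WAN they may only reach
# the dedicated host listed for that port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
DEDICATED_SERVERS = {"203.0.113.53": {53}, "203.0.113.123": {123}}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(pkt: Packet):
    """Return (verdict, reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface in ALLOWED_SOURCES:
        # Inside interface: the source must belong to the prefix behind it,
        # otherwise the host is emitting spoofed packets and they are dropped.
        if _in_any(src, ALLOWED_SOURCES[pkt.iface]):
            return ("accept", "source matches interface prefix")
        return ("drop", "spoofed source leaving %s" % pkt.iface)
    if pkt.iface == "wan0":
        if _in_any(src, OWN_PREFIXES):
            return ("drop", "own prefix arriving from upstream")
        if _in_any(src, BOGONS):
            return ("drop", "bogon source")
        if pkt.proto == "udp" and pkt.dport in AMPLIFIER_PORTS:
            if pkt.dport not in DEDICATED_SERVERS.get(pkt.dst, set()):
                return ("drop", "%s not exposed on %s" % (AMPLIFIER_PORTS[pkt.dport], pkt.dst))
        return ("accept", "upstream traffic")
    return ("drop", "unknown interface")


def filter_packets(packets):
    """Apply the policy to a list of packets; returns [(packet, (verdict, reason))]."""
    return [(pkt, classify(pkt)) for pkt in packets]


SAMPLE_PACKETS = [  # constructed traffic sample
    Packet("lan0", "10.1.2.3", "198.51.100.9", "tcp", 443),       # normal internal client
    Packet("lan0", "198.51.100.7", "203.0.113.53", "udp", 53),    # internal host using a foreign source
    Packet("wan0", "10.1.2.3", "203.0.113.10", "tcp", 80),        # bogon source from upstream
    Packet("wan0", "203.0.113.5", "203.0.113.10", "tcp", 80),     # our own block from upstream
    Packet("wan0", "198.51.100.7", "203.0.113.53", "udp", 53),    # DNS to the dedicated resolver
    Packet("wan0", "198.51.100.7", "203.0.113.10", "udp", 1900),  # SSDP to a host that should not serve it
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.iface:5} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport:<5} {verdict:6} {reason}")
```

The inside-interface rule is what stops compromised hosts in your own network from being used as reflection sources, and the WAN-side rules stop forged packets claiming your addresses from coming back in; on a real router the same policy is expressed with unicast RPF or access lists rather than Python, but the decisions are identical.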
