19th Ave New York, NY 95822, USA

Insight Weekly Security News Letter-22-Aug-2018

Security researchers reverse engineered the updated GandCrab ransomware and discovered new features that improve its ability to evade detection and impede analysis by defense teams.

New Ransomware Attacks Use Powerful Encryption to Impede Analysis and Evade Detection:

Security researchers reverse engineered the updated GandCrab ransomware and discovered new features that improve its ability to evade detection and impede analysis by defense teams.

First discovered in January, GandCrab is now the most powerful threat of its kind, whether directed at a single person or an entire company, according to a July 31 threat report from McAfee.

GandCrab is similar to its peers in that it dupes users into installing it, locks them out of their devices and demands payment in cryptocurrency before restoring access. These new ransomware attacks can be introduced through a variety of attack vectors, from traditional phishing emails to Trojans, fake programs and exploit kits

Attacks Hiding in Layers of Encryption:

 The most recent versions, for example, use an algorithm called Salsa20 to encrypt files instead of slower and less efficient alternatives such as the Advanced Encryption Standard (AES) and RSA.

By generating random Salsa20 keys and initialization vectors for each file, GandCrab essentially guards itself with a series of encryption layers that prevent victims from breaking it open again. Security teams would need a private key to get at the embedded public key.

In addition, since GrandCrab deletes itself and any “shadow volumes” that might otherwise remain on an infected device, it is difficult for researchers to learn about new ransomware attacks after the fact.

How to defend ?

 In its “Ransomware Response Guide,” IBM X-Force recommends a method called last resort containment to help organizations respond when they can’t quickly or easily figure out where new ransomware attacks are coming from.

Steps to consider in this process include shutting down all file shares, taking them offline and restricting them by network. This can help decrease the likelihood that the ransomware will encrypt the shares and help businesses avoid paying fees to recover their stolen files.

Reference :


 Email Phishers Using New Way to Bypass Microsoft Office 365 Protections

Security researchers have been warning of a new phishing attack that cybercriminals and email scammers are using in the wild to bypass the Advanced Threat Protection (ATP) mechanism implemented by widely used email services like Microsoft Office.

Microsoft offers an artificial intelligence and machine learning powered security protection to help defend against potential phishing and other threats by going one level deep to scan the links in the email bodies to look for any blacklisted or suspicious domain.

But, phishers always find a way to bypass security protections to victimize users.

Cloud security company Avanan, uncovered a new phishing email campaign in the wild targeting Office 365 users, who are receiving emails from Microsoft containing a link to a SharePoint document.

How it works ?

 The body of the email message looks identical to a standard SharePoint invitation from someone to collaborate. Once the user clicked the hyperlink in the email, the browser automatically opens a SharePoint file.

The content of the SharePoint file impersonates a standard access request to a OneDrive file, but an ‘Access Document’ button on the file is actually hyperlinked to a malicious URL, according to the researchers.

The malicious link then redirects the victim to a spoofed Office 365 login screen, asking the user to enter his/her login credentials, which are then harvested by hackers.

Microsoft scans the body of an email, including the links provided in it, but since the links in the latest email campaign lead to an actual SharePoint document, the company did not identify it as a threat.

Therefore, no protection would be able to alert users of phishing, until and unless they are not trained enough to detect such phishing attempts.

How to Protect ?

So, to protect yourself, you should be suspicious of the URLs in the email body if it uses URGENT or ACTION REQUIRED in the subject line, even if you are receiving emails that appear safe.

When presented a login page, you are recommended to always check the address bar in the web browser to know whether the URL is hosted by the legitimate service or not.

Most importantly, always use two-factor authentication (2FA), so even if attackers gain access to your password, they still need to struggle for the second authentication step.

Reference : https://thehackernews.com/2018/08/microsoft-office365-phishing.html

Leave a comment