
Last Updated: 23rd Jun 2018


Cyber Security Alerts

Gh0st RAT Malware


There is a surge in the distribution of Gh0st RAT malware, a full-featured remote access Trojan for the Windows operating system.

Malicious activity

  • Attackers are distributing Gh0st RAT malware using the HTTP File Server (commonly abbreviated as HFS, a free and easy way to send and receive files across the Internet).

  • Attackers are exploiting the HTTP File Server vulnerability (CVE-2018-8174) to download a file from the URL onto the disk; the file was identified as Gh0st RAT. Once this malware reaches the victim machine, it tries to communicate with a C2 server under the control of the attacker.

Countermeasures

  • Keep checking the web proxy logs for users downloading the file with the MD5 given above from an external host on a non-standard or high TCP port.

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them, without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.
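The proxy-log check in the first countermeasure can be automated. The following Python script is an added example, not code from the advisory: it parses constructed sample proxy log lines in an assumed space-separated format (timestamp, user, client IP, method, URL, bytes, MD5 of the response body) and flags downloads whose hash is on a watchlist or that come from an external host on a port other than 80/443. The MD5 watchlist holds a placeholder, since the hash the advisory refers to is not reproduced on this page; the internal address ranges and DNS suffix are assumptions to be adjusted to the environment.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder: the advisory's Gh0st RAT sample hash is not reproduced on this
# page; replace with the MD5 given in the advisory. (Constructed placeholder.)
WATCHLIST_MD5 = {"00000000000000000000000000000000"}

STANDARD_PORTS = {80, 443}
# Assumed internal address ranges and DNS suffix; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample proxy log (assumed format):
# timestamp user client_ip method url bytes md5_of_response_body
SAMPLE_LOG = """\
2018-06-20T09:14:02Z alice 10.1.2.3 GET http://intranet.corp.example/report.pdf 48213 9e107d9d372bb6826bd81d3542a419d6
2018-06-20T09:15:40Z bob 10.1.2.7 GET http://203.0.113.45:8080/svchost.exe 262144 00000000000000000000000000000000
2018-06-20T09:16:01Z carol 10.1.2.9 GET https://www.example.com/index.html 5120 e4d909c290d0fb1ca068ffaddf22cbd0
2018-06-20T09:18:22Z dave 10.1.2.11 GET http://files.example.net:81/update.bin 131072 d41d8cd98f00b204e9800998ecf8427e
"""


def is_external(host):
    """True unless the host is an internal IP or carries an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, client_ip, method, url, size, md5 = parts
    u = urlsplit(url)
    if not u.hostname:
        return None
    # Fill in the scheme's default port when the URL carries none.
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": ts, "user": user, "client": client_ip, "host": u.hostname,
            "port": port, "path": u.path, "md5": md5.lower()}


def find_suspicious_downloads(log_text, watchlist=WATCHLIST_MD5):
    """Return (user, host, port, reasons) for downloads matching the advisory's criteria."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["md5"] in watchlist:
            reasons.append("response hash on watchlist")
        if is_external(rec["host"]) and rec["port"] not in STANDARD_PORTS:
            reasons.append(f"external host on non-standard port {rec['port']}")
        if reasons:
            findings.append((rec["user"], rec["host"], rec["port"], reasons))
    return findings


if __name__ == "__main__":
    for user, host, port, reasons in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{user} -> {host}:{port}: {'; '.join(reasons)}")
```

Run against the sample, the script reports bob's download (watchlisted hash and port 8080 on an external IP) and dave's download from an external host on port 81; the intranet fetch and the standard HTTPS request are not reported.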


Kindly visit https://www.cyberswachhtakendra.gov.in for information about the latest malware/botnets and to download free botnet removal tools.


Hawkeye Key Logger Malware


Hawkeye Key Logger is info-stealing malware which steals credentials from the victim's browser and email client.


Malicious activity

  • The malware spreads through a malicious document which contains a shortened URL pointing to a remote location. Once the victim reaches it, it downloads a remote frame which in turn downloads an Excel file containing a macro.

  • This macro contains the final URL from which the malware is downloaded (to C:\Users\Public\svchost32.exe) with the help of PowerShell. Once executed, the malware deletes Windows Defender AV's malware definitions and restricts access to certain domains associated with antivirus or security updates, so that it remains undetected on the victim machine.


Countermeasures

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them, without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.


Kindly visit https://www.cyberswachhtakendra.gov.in for information about the latest malware/botnets and to download free botnet removal tools.


Magniber Ransomware


Magniber Ransomware is being distributed through malvertisements and compromised websites which make the victim land on the Magnitude exploit kit page.

Malicious activity

  • The victim lands on the Magnitude exploit page via obfuscated JavaScript along with a Base64-encoded VBScript.

  • It tries to exploit a vulnerability (CVE-2018-8174) in the VBScript engine through Internet Explorer. The VBScript then executes the shellcode.

  • The shellcode acts as a simple downloader for the obfuscated payload. This payload contains the Magniber Ransomware in packed form, which it unpacks and tries to inject into a legitimate process.

  • Finally, the ransomware starts encrypting all files with a unique key and adds the .dyaaghemy extension to every encrypted file. While encrypting the files, Magniber also creates a ransom note and links to a URL (which contains the victim's actual ID) of a TOR decryption service to decrypt the files.


Countermeasures

  • Perform regular backups of all critical information to minimize loss.

  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins, and antivirus) up-to-date with the latest patches.

  • Use the Microsoft BitLocker full-drive encryption feature to mitigate unauthorized data access by enhancing file and system protection.

  • Follow safe practices when browsing the web. Ensure the web browsers are secured with appropriate content controls.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.


Kindly visit https://www.cyberswachhtakendra.gov.in for information about the latest malware/botnets and to download free botnet removal tools.


Healthcare Sector Malware Orangeworm

An attack campaign dubbed Orangeworm, mainly targeting healthcare sector IT infrastructure - healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry - is reported to be using a backdoor called Kwampirs.

Malicious activity

  • The malware targets medical devices (including high-tech imaging gear such as X-ray devices and MRI machines); network shares and servers; and platforms that assist patients in completing consent forms for required procedures.

  • The backdoor Trojan executes, decrypts and extracts a copy of its main DLL payload, then inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detection.

  • It collects information such as network adapter details, system version, language settings, system date, domain local groups, running processes and services, etc. from the victim system.


Countermeasures

  • Use firewalls, gateway antivirus, intrusion detection devices and monitoring to screen for unauthorized intrusions, port scans, and other network attacks and security breaches.

  • Update the operating system with the latest patches to fix known vulnerabilities. Keep antivirus and antispyware signatures up-to-date, and regularly check for traffic from your systems to the above-mentioned IPs and domains.

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled.


Kindly visit https://www.cyberswachhtakendra.gov.in for information about the latest malware/botnets and to download free botnet removal tools.


Banking Trojan Emotet

The Emotet Trojan is designed to steal banking credentials and other sensitive information and is most often propagated by way of phishing emails containing a crafted document purporting to be an invoice or other business communication, or links to similar. Reportedly, the observed surge in Emotet activity involves the use of a spam botnet, which results in its rapid distribution via email and in turn distributes IcedID, TRICKBOT, etc. Emotet can also spread via a network propagation module that brute-forces its way into an account domain using a dictionary attack. Emotet's use of compromised URLs as C&C servers likely helped it spread as well. Once Emotet has infected a host, a malicious file that is part of the malware is able to intercept, log, and save outgoing network traffic via a web browser, leading to sensitive data being compiled to access the victim's bank account. According to reports, the Trojan may download the following modules to carry out various tasks:

  • Banking module
  • Distributed denial of service (DDoS) module
  • Spam module
  • Email client infostealer module
  • Browser infostealer module
  • Personal Storage Table (PST) infostealer module

Recommendations

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them, without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict the execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.


Information Stealer Backdoor Malware Darkcomet

Darkcomet RAT variants have been reported that collect and exfiltrate system information, user credentials, cryptocurrency wallets, browser information, and login credentials. The RAT is designed to allow a remote operator to perform various specific functions, such as recording the victim's information and downloading additional malicious payloads.

When executed, the malware checks if the following Anti-Virus (AV) applications are installed:

  • Bitdefender
  • Kaspersky Anti-Virus

It logs the victim's activities in plaintext, such as keystrokes (with timestamps), clipboard changes, applications in use and more, into "%AppData%\dclogs\YY-MM-DD-00.dc". It attempts to connect to the domain "dkcengin.ddns.net" on port 4891 and waits for commands from the C2 or controller.


CERT-In Recommends

  • Restrict connections towards the domains. Put the IPs under a watchlist. [Note: blocking IPs can impact the business. An IP address may host multiple genuine domains or may belong to compromised infrastructure. Blacklisting is entirely a matter of the organization's business policy.]

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. Note: many malicious domains use the TLDs .PW, .TOP and .ME, and DynDNS domains. Monitor connections to such domains.

  • Application whitelisting / strict implementation of Software Restriction Policies (SRP) or AppLocker to block binaries running from the %APPDATA% and %TEMP% paths.

  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.

  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.

  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf


Malware SAMSAM Ransomware

A surge in SAMSAM Ransomware activity is reported. It uses various tactics, such as exploiting vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or File Transfer Protocol (FTP) servers, to gain access to the victim's network. Successful infection encrypts all user data with RSA-2048 encryption.

Following the encryption of the victim's files, the ransomware executes "selfdel.exe" (extracted from its resource section) to delete itself from the system and installs the ransom note "HELP_DECRYPT_YOUR_FILES.html" on the victim's system.

CERT-In Recommends:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
     
  • Restrict connections towards the domains. Put the IPs under a watchlist. [Note: blocking IPs can impact the business. An IP address may host multiple genuine domains or may belong to compromised infrastructure. Blacklisting is entirely a matter of the organization's business policy.]
     
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    Note: many malicious domains use the TLDs .PW, .TOP and .ME, and DynDNS domains. Monitor connections to such domains.
     
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP) or AppLocker to block binaries running from the %APPDATA% and %TEMP% paths.
     
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.
     
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.
     
  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf

  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default TCP 3389) and the File Transfer Protocol port (TCP 21).
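Two of the recommendations above, the block list of attachment extensions and the "true file type" check (both here and in the Darkcomet recommendations), can be combined in one mail-gateway filter. The Python below is an added example, not CERT-In's or any product's code: it rejects attachments whose extension is on the block list, identifies content by its leading magic bytes using an assumed, deliberately small signature table, and blocks files whose content does not match their extension, such as a PE executable renamed to .pdf. The sample attachments are constructed.

```python
# Extensions the advisory says to block at the mail gateway.
BLOCKED_EXTENSIONS = set(
    "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf".split("|")
)

# Assumed, deliberately small signature table: leading bytes -> content kind.
MAGIC_SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows PE (.exe/.dll/.scr)
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                          # zip, also .docx/.xlsx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls
]

# Which content kinds an extension is allowed to carry.
EXPECTED_KIND = {
    "pdf": {"pdf"}, "png": {"png"}, "zip": {"zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "doc": {"ole"}, "xls": {"ole"},
}


def detect_kind(data):
    """Identify content by magic bytes; None when no signature matches."""
    for signature, kind in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return kind
    return None


def extension_of(filename):
    """Last extension, lower-cased, so 'invoice.pdf.exe' is judged as .exe."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the block list"
    kind = detect_kind(data)
    if kind == "pe":
        # Executable content under any non-blocked extension is a disguise.
        return "block", f"PE executable content disguised as .{ext}"
    if kind is None:
        return "allow", "no known signature; content not classified"
    expected = EXPECTED_KIND.get(ext)
    if expected is None:
        return "quarantine", f"no expectation for .{ext}; content is {kind}"
    if kind not in expected:
        return "block", f"content is {kind} but extension is .{ext}"
    return "allow", "extension matches content"


def scan_attachments(attachments):
    """Apply check_attachment to a name -> bytes mapping."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments (name -> first bytes of the file).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # PE renamed to .pdf
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "notes.txt": b"meeting notes\n",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "old.docx": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", # OLE content under .docx
}

if __name__ == "__main__":
    for name, (verdict, reason) in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10} {name}: {reason}")
```

The signature table is intentionally minimal; in a real gateway the detection step would be backed by a full file-type library, and the "no known signature" branch would feed an antivirus scan rather than an unconditional allow.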


Satori Botnet

Satori Botnet affecting IoT devices

You may be aware that a new botnet named Satori has been found infecting Internet of Things (IoT) devices.

One possible modus operandi of this malware is as follows:

  • Compromise IoT systems.
  • Create botnets of the compromised devices.
  • Use compromised devices to launch DDoS attacks.
  • Make network connections to receive commands to launch further attacks.

The following countermeasures can be taken to protect IoT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default usernames/passwords.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
  • Keep the antivirus on the computer system up to date.
  • Keep up-to-date on patches and fixes for the IoT devices, operating system, and applications.
  • Unnecessary ports and services on the devices should be stopped and closed.

Kindly visit https://www.cyberswachhtakendra.gov.in for information about the latest malware/botnets and to download free botnet removal tools.


Mirai Botnet

Mirai Botnet affecting IoT devices

A new malware named Mirai, targeting Internet of Things (IoT) devices such as printers, video cameras, routers and smart TVs, is spreading. The malware is capable of scanning for network and IoT devices and tries to compromise them, especially those protected with default credentials or hardcoded usernames and passwords.

The malware is capable of performing the following functions:

  • Compromise IoT systems with default username and passwords
  • Create botnets of the compromised devices.
  • Use compromise devices to launch DDoS attacks.
  • Make network connections to receive commands to launch further attacks.

Indicators of compromise:

  • Abnormal traffic on port 2323/TCP and 23/TCP as it scans for vulnerable devices.
  • Command and Control network traffic on port 48101/TCP.
  • Huge outbound traffic if the device is part of a DDoS attack.

When the malware runs, it turns the infected system into a bot connecting to a C&C server. Bot-infected systems connect to the C&C servers on specific ports and listen for commands from the remote attacker. In view of the high damage potential of botnet-infected machines, customers are requested to disinfect their systems and take the countermeasures suggested below to prevent such incidents in future.
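The three indicators of compromise above can be checked against flow records exported by a perimeter device. The Python below is an added example, not part of this advisory: it runs over constructed flow tuples (source, destination, destination port, bytes) and raises an alert for a source that touches many distinct hosts on 23/TCP or 2323/TCP, for any connection to 48101/TCP, and for unusually high outbound volume from one source. The distinct-host and byte thresholds are assumed tuning values, not figures from the advisory.

```python
from collections import defaultdict

SCAN_PORTS = {23, 2323}            # telnet ports Mirai scans, per the IoCs
C2_PORT = 48101                    # C&C port named in the IoCs
SCAN_DISTINCT_DST_THRESHOLD = 20   # assumed tuning value per window
DDOS_BYTES_THRESHOLD = 500_000     # assumed tuning value per window


def analyze_flows(flows):
    """Map source IP -> list of alert strings for the Mirai indicators."""
    scan_targets = defaultdict(set)   # src -> distinct hosts probed on 23/2323
    c2_hits = defaultdict(set)        # src -> hosts contacted on 48101
    out_bytes = defaultdict(int)      # src -> total outbound bytes
    for src, dst, dport, nbytes in flows:
        if dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        if dport == C2_PORT:
            c2_hits[src].add(dst)
        out_bytes[src] += nbytes

    alerts = defaultdict(list)
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_DISTINCT_DST_THRESHOLD:
            alerts[src].append(
                f"telnet scanning: {len(targets)} distinct hosts on 23/2323")
    for src, hosts in c2_hits.items():
        alerts[src].append(
            f"connection to C&C port {C2_PORT}: {', '.join(sorted(hosts))}")
    for src, total in out_bytes.items():
        if total >= DDOS_BYTES_THRESHOLD:
            alerts[src].append(f"high outbound volume: {total} bytes")
    return dict(alerts)


def constructed_flows():
    """Constructed sample flows (src, dst, dport, bytes); not real traffic."""
    flows = []
    # 192.168.1.50 probes 30 distinct Internet hosts on telnet: scanning.
    for i in range(1, 31):
        flows.append(("192.168.1.50", f"198.51.100.{i}", 23, 60))
    # 192.168.1.51 checks in once on the C&C port.
    flows.append(("192.168.1.51", "203.0.113.10", 48101, 120))
    # 192.168.1.52 does ordinary HTTPS browsing.
    flows += [("192.168.1.52", "93.184.216.34", 443, 1500)] * 10
    # 192.168.1.53 pushes 500 packets at one web server: flood participant.
    flows += [("192.168.1.53", "203.0.113.99", 80, 1400)] * 500
    return flows


if __name__ == "__main__":
    for src, reasons in sorted(analyze_flows(constructed_flows()).items()):
        for reason in reasons:
            print(f"{src}: {reason}")
```

Flows are normally bucketed into a time window (for example five minutes) before this runs, so that the distinct-host and byte thresholds refer to a rate rather than to an ever-growing total.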

Countermeasures for securing IOT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords.
  • Always change Default login credentials before deployment in production.
  • Change default credentials at device startup and ensure that passwords meet the minimum complexity.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Control access to the devices with Access List.
  • Configure devices to "lock" or log out and require a user to re-authenticate if left unattended.
  • Identify systems with default passwords and implement the above-mentioned measures. Some of the systems that need to be examined are routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
  • Implement account lockout policies to reduce the risk of brute forcing attacks.
  • Telnet and SSH should be disabled on a device if there is no requirement for remote management.
  • Configure VPN and SSH to access device if remote access is required.
  • Configure certificate-based authentication for telnet client for remote management of devices.
  • Implement Egress and Ingress filtering at the router level.
  • Report suspicious entries in Routers to your Internet Service Provider.
  • Keep up to date Antivirus on the computer system.
  • Keep up-to-date on patches and fixes on the IoT devices, operating system, and applications.
  • Unnecessary ports and services should be stopped and closed.
  • Logging must be enabled on the device to log all the activities.
  • Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.
