A few days ago I got a message on Facebook from a person I very rarely speak to, and I knew that something fishy was going on.
The attack compromised their devices and exfiltrated data to the attackers’ C&C.
In addition, the compromised devices were pushed Trojan updates.
The operation remains active at the time of writing this post.
The fact that news stories measure the effect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016.) The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer. Ransomware perpetrators have even started copying incentive tactics from legal industries.
There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!" This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice.
A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017. What made ransomware into such a strong threat? Is it really a greater malice than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?
The Patching Conundrum
In a way, the rise of ransomware in 2016 was in the works for a long time.
Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure.
A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst. Reliance on distributed security appliances has only exacerbated the problem.
Even after patches become available, there's still a significant lag.
A combination of staff shortages, the volume of devices deployed across today's business networks, and distance has dramatically lengthened patch rollout times.
Varying reports put the gap between 100 days and 18 months. Before ransomware even became a trend, the stage had been set for adversaries to gain access.
It Should Be Easy to Stop
From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop.
The file encryption — which actually does the damage — is the final stage of a multistep process.
In fact, there are several opportunities to block the attack before it affects valuable data.
First, if the attack is caught by URL filters or secure Web gateways, it will be averted. The second step is where the initial malware "drop" downloads the ransomware program.
To do this, it must connect back to the attacker's server from within the compromised network.
It's only after the ransomware program itself deploys inside the victim's environment that it encrypts local and network server files.
And still, before the process can launch, most ransomware must connect to a command-and-control server to create the public-private key pair that encrypts the data. At any point in the process, a network security stack has ample chance to block the malicious program from making these connections, and data lockdowns would never happen. With all these opportunities to stop the attack, how has ransomware been so successful?
Complexity upon Complexity
In November, security researchers discovered a mutation to exploit Scalable Vector Graphics (SVG), and this may provide a clue.
SVG is an XML-based vector image format supported by Web-based browsers and applications.
Crafted SVG files automatically redirect users to malicious websites and open the door to eventual endpoint infection.
The obfuscation tricks detection engines, and signature-based detection will always fall behind as code morphs to new signatures for the same threat.
Figure 1: The string "vqnpxl" is the obfuscation function. (Source: Cato Networks)
The above attack spotlights an urgent need to simplify. Modern networks see their vulnerability go up thanks to a patchwork of point solutions.
It's not sustainable to expect IT pros to update each point solution, and patch every existing firewall, when each new attack vector comes about.
Skilled attackers will always build new threats faster than IT can defend against them.
For ransomware, the critical test is, "how fast can you roll defenses out?"
Higher Stakes
When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017.
But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem.
Cloud defenses promote quicker adaptation to ransomware mutations.
The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source.
In this respect, the cloud is not just about saving work, but also about improving speed to security. 2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands.
Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.
Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company.
Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and ...
Developer Open Whisper Systems says the country is censoring its messaging and voice calling program.
Egypt has reportedly censored encrypted chat service Signal.
App developer Open Whisper Systems on Monday confirmed the transcontinental country is censoring its messaging and voice calling program.
"We'll begin deploying censorship circumvention in Signal over the next several weeks. Until then, Tor or a VPN can be used to access Signal." — Open Whisper Systems (@whispersystems), December 19, 2016
The issue surfaced on Saturday, when IT specialist Ahmed Gharbeia tweeted about "wide reports" of Signal failure in Egypt.
"Everything is functioning normally on our end," Open Whisper Systems wrote in response, suggesting "something might be up" on the local network.
The firm reached out to the Open Observatory of Network Interference (OONI)—a global organization operating under the Tor Project to detect censorship, surveillance, and traffic manipulation on the Internet.
The project last week released two new software tests designed to examine the blocking of WhatsApp and Facebook Messenger, allowing anyone to monitor the accessibility of the apps and collect data as evidence.
Signal, a free app for Android, iOS, and desktop, is one of several messaging services to support end-to-end encryption—including Facebook's WhatsApp and Messenger. It is also one of several to come under fire from law enforcement officials who can't keep tabs on the conversations of suspected criminals.
Further details on the alleged censorship were not revealed; Open Whisper Systems did not immediately respond to PCMag's request for comment.
Restrictions on encrypted social media are not new in Egypt: Facebook's free Internet service was shut down in December 2015 because the country's government could not spy on the browsing activities of local users.
The Egyptian Ministry of Communications and Information Technology also did not respond to a request for comment.
Open Whisper Systems recently ruffled some more government feathers with added support for disappearing messages. Users can determine how long—from five seconds to one week—a chat message is available to recipients before it self-destructs.