Newly Designed Jaff Ransomware Now Encrypts Data with WLU Extension

An updated variant of Jaff ransomware boasts a more professional design and now encrypts victims' data with the WLU extension.

On 23 May, Internet Storm Center (ISC) handler Brad Duncan collected 20 malspam emails that all used a fake invoice theme and a spoofed sender address. Each email carried a PDF attachment containing an embedded Word document, and that document used malicious macros to infect a Windows computer.

The embedded Word document with malicious macros. (Source: ISC)

Enabling the document's macros initiated an infection by Jaff, a form of ransomware which researchers first discovered in early May. Duncan explains how this new campaign loaded the threat:

"The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ. Post-infection traffic merely returns the string 'Created' from the server after an infected host checks in."

The campaign stored the encoded Jaff binary under an ever-changing filename like "lodockap8" in the user's AppData\Local\Temp directory. It then decoded the binary and saved the result, an executable with a similarly changing name like "levinsky8.exe," to the same directory. That executable in turn launched the ransomware payload, which appeared like this on the infected host:

Desktop of a Windows host infected with a Jaff ransomware sample from 2017-05-23. (Source: ISC)

Compare the above sample with how it looked earlier in May:

Desktop of a Windows host infected with a Jaff ransomware sample before 2017-05-23. (Source: ISC)

Not only that, but whereas Jaff previously encrypted victims' files with the JAFF extension and demanded 2.036 Bitcoins (roughly $3,726 at the time), it has now shifted to the WLU extension and asked for only 0.35630347 Bitcoins (around $833.50) from Duncan's test machine.

To defend against Jaff, organizations should consider software restriction policies that deny binary execution in user-writable Windows directories such as AppData\Local\Temp, which is exactly where this campaign dropped and ran its executable. They might also want to invest in other ransomware prevention measures such as disabling Office macros by default; a guide for this preventive step is available here. In the event Jaff has already infected your computer, here's what you can do to try to recover your files.
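The XOR encoding Duncan describes is simple enough to reverse during triage. The script below is an added example, not ISC's or Brad Duncan's code: it decodes a downloaded blob with the reported key I6cqcYo7wQ, checks that the result is a PE file before anything else is done with it, and shows how leading key bytes can be recovered from the known MZ header if a later campaign rotates the key. The sample blob is constructed inside the script and the function names are my own.

```python
"""Decode a Jaff-style XOR-encoded download and sanity-check it as a PE.

Added example (not ISC's code). Jaff's downloader, as described above,
fetched a binary XORed with the repeating ASCII key "I6cqcYo7wQ". The
decoder reverses that and applies the check an analyst runs before
handing the file to a sandbox. SAMPLE_ENCODED is constructed here and
is not a real Jaff payload.
"""
from itertools import cycle
from typing import Optional

JAFF_KEY = b"I6cqcYo7wQ"  # key reported by ISC for the 2017-05-23 campaign


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Apply repeating-key XOR to blob; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Check for the MZ stub and the PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key_prefix(blob: bytes, known_plaintext: bytes) -> bytes:
    """Recover the first len(known_plaintext) key bytes from a known header.

    Ciphertext XOR plaintext gives the key byte at each position, so a
    known b"MZ" header yields the first two bytes of a rotated key.
    """
    return bytes(c ^ p for c, p in zip(blob, known_plaintext))


def decode_downloaded_file(blob: bytes, key: bytes = JAFF_KEY) -> Optional[bytes]:
    """Return the decoded bytes only if they look like a PE; otherwise None."""
    decoded = xor_decode(blob, key)
    return decoded if looks_like_pe(decoded) else None


def build_fake_pe() -> bytes:
    """Construct a minimal PE-looking header (constructed test data only)."""
    header = bytearray(b"MZ" + b"\x90" * 0x3A)   # DOS stub up to e_lfanew at 0x3C
    header += (0x80).to_bytes(4, "little")      # e_lfanew -> PE header at 0x80
    header += b"\x00" * (0x80 - len(header))    # pad DOS stub to 0x80
    header += b"PE\x00\x00" + b"\x4c\x01"       # PE signature + Machine (i386)
    return bytes(header)


# Constructed stand-in for a downloaded "lodockap8"-style blob.
SAMPLE_ENCODED = xor_decode(build_fake_pe(), JAFF_KEY)

if __name__ == "__main__":
    out = decode_downloaded_file(SAMPLE_ENCODED)
    print("decoded PE" if out else "not a PE after decoding")
    print("key prefix from MZ header:", recover_key_prefix(SAMPLE_ENCODED, b"MZ"))
```

Run it against a real capture by reading the downloaded blob into `decode_downloaded_file`; a `None` result means either the key has changed (use `recover_key_prefix` on the first bytes to confirm) or the download was not the encoded binary at all.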

How Hackers Attack Web Applications: Bots and Simple Flaws – Part 1

Public web applications are an attractive target for hackers. Attacks on web applications open up wide opportunities, including access to the company's internal resources and sensitive information, disruption of the application, and circumvention of its business logic.

Virtually any attack can bring financial benefit to the attacker and losses, both financial and reputational, to the owner of the web application. Users of web applications are also at risk, since successful attacks allow hackers to steal credentials, perform actions on sites on behalf of users, and infect workstations with malicious software.

When investigating attacks on web applications, we first of all need to determine which attacks are most popular with attackers and what their possible motives are, as well as identify the main sources of threats for different industries. Such data shows us which aspects deserve attention when securing web applications. In addition, we need to consider how the distribution of attack types and malicious activity depends on the company's sector, and how the nature of attacks changed over the year.

The raw data on attacks was collected with a web application firewall (WAF).

The popularity of attacks by industry

The most frequent attacks were SQL injection and OS command injection; these were recorded against more than 80 percent of systems. Path traversal was the next most common among the detected attacks.

Attackers try the simplest attacks first, those that require no special conditions to execute. In general, a lower detection rate for an attack type indicates a higher level of complexity or the need for special conditions, such as a file upload function in the web application or certain actions by its users.

When ranking the most popular attacks, we excluded attacks carried out by automated vulnerability scanners such as Acunetix or sqlmap.

Rating of the most popular attacks (share of web applications on which they were seen):

SQL injection – 83%
OS command injection – 83%
Path traversal – 76%
Cross-site scripting – 58%
Denial of service – 32%
Local file inclusion – 21%
XML external entity (XXE) injection – 16%
Arbitrary file upload – 11%
Cross-site request forgery – 11%

Most attacks in this rating exploit critical vulnerabilities and can lead to a complete compromise of the web application and server, which in turn can give an attacker access to local network resources.

The mix of attack types varies with the industry the system belongs to. Attackers pursue different goals, and their skill level and technical capabilities also differ. The figures below show the average number of attacks per day per system, as well as the split between attacks performed manually and those performed with automated scanning tools.

Average number of attacks per day per system:

Government agencies – 3,351
Online stores – 2,081
Finance – 1,386
IT – 679
Transport – 670
Education – 123
Industry – 57

Share of attacks carried out manually (the remainder being automated scanning):

Government agencies – 98%
Online stores – 81%
Finance – 42%
IT – 36%
Transport – 34%
Education – 16%
Industry – 3%

In all industries except government agencies and online stores, most attacks are carried out with specialized vulnerability-scanning software. Automated scanning includes attempts at various attack types, such as SQL injection and path traversal, using ready-made tools for security testing. An attacker can use the scan results to exploit vulnerabilities and develop the attack further, gaining access to sensitive information, local network resources and critical systems, or attacking users.

The largest average number of attacks per day, approximately 3,500, was recorded against public institutions; automated vulnerability scanning constituted only 18 percent of that total. Online stores rank second, with about 2,200 attacks per day, almost all of them conducted without automated scanning tools. In the financial sector we registered about 1,400 attacks per day, among which automated vulnerability scanning predominated. Transport and IT companies saw an average of about 680 attacks per day, most of which were also automated scans.

For the education sector, the average excludes one information and analysis center whose functions include processing the results of state examinations. Its web application saw an extremely large number of attacks, more than 20,000 per day, most of them from vulnerability scanners. Students with basic knowledge of information security and of ways to circumvent protection mechanisms could use publicly available scanning software against the system. This also explains why most attacks of this type came from the United States: the public tools or online services used probably ran through proxy servers located in the US. The purpose of attacks on the center was most likely access to exam results and examination materials. Perhaps the students thought that in this way they could change their exam scores. It can also be assumed that attackers were looking for vulnerabilities whose exploitation would give access to the databases of exam materials for subsequent illegal distribution.

For industrial systems, about 50 attacks per day were recorded, almost all of them automated vulnerability scans; only one percent were conducted manually.

For government agencies, more than 70 percent of attacks were path traversal attempts, in which attackers tried to escape the current directory of the file system and access files on the server in order to steal sensitive information.

Conclusion

Most attacks committed by intruders are fairly simple, both to execute and to detect with a web application firewall. At the same time, there was a significant increase in the number of attacks on web resources, primarily from IP addresses in Russia and Turkey. Companies, in particular financial institutions, are advised to take measures in advance to protect critical components and to verify the effectiveness of the protection they use.

The research was conducted over a six-month period using Bod Intelligent Antivirus developed by Bod Security.

In the second part of the article, we'll discuss examples and sources of attacks.
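As an added illustration, not Bod Security's code or the WAF rule set behind the figures above, the script below does in miniature what the article's methodology describes: it tags requests in web-server access logs as SQL injection, OS command injection, path traversal, cross-site scripting or local file inclusion, separates automated scanner traffic (sqlmap, Acunetix user agents) from manual attempts, and reports the automated share. The signatures, the scanner list and the log lines are constructed for the example and are far smaller than a real rule set; body-based attacks such as XXE and file upload need the request body, which a plain access log does not carry.

```python
"""Classify web attack attempts in access-log lines and separate scanner traffic.

Added example, not the article's WAF. Signatures, scanner user agents and
the sample log are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Minimal, illustrative signatures keyed by the article's attack categories.
SIGNATURES = {
    "SQL injection": re.compile(
        r"(?i)(union\s+select|'\s*or\s+1=1|sleep\(\d+\)|information_schema)"),
    "OS command injection": re.compile(
        r"(?i)(;|\|\||&&|\$\()\s*(cat|id|whoami|wget|curl|nc)\b"),
    "Path traversal": re.compile(r"(\.\./){2,}|\.\.\\"),
    "Cross-site scripting": re.compile(r"(?i)<script|onerror\s*=|javascript:"),
    "Local file inclusion": re.compile(
        r"(?i)(include|page|file)=(/etc/passwd|php://|\.\./)"),
}
SCANNER_AGENTS = re.compile(r"(?i)(sqlmap|acunetix|nikto|nessus)")

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path, ua):
    """Return (attack category or None, True if sent by a known scanner)."""
    decoded = unquote(unquote(path))  # attackers frequently double-encode
    cats = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return (cats[0] if cats else None), bool(SCANNER_AGENTS.search(ua))


def summarize(lines):
    """Count attacks per category, split manual vs automated, and give the automated share."""
    manual, automated = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat, auto = classify(rec["path"], rec["ua"])
        if cat is None:
            continue
        (automated if auto else manual)[cat] += 1
    total = sum(manual.values()) + sum(automated.values())
    share_auto = sum(automated.values()) / total if total else 0.0
    return manual, automated, share_auto


# Constructed sample log; addresses are documentation ranges, not real sources.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2017:10:00:01 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2017:10:00:02 +0000] "GET /ping.php?host=1;cat%20/etc/passwd HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2017:10:00:03 +0000] "GET /static/../../../../windows/win.ini HTTP/1.1" 404 0 "-" "sqlmap/1.1"',
    '198.51.100.9 - - [10/May/2017:10:00:04 +0000] "GET /item?id=1%20UNION%20SELECT%20null,version() HTTP/1.1" 200 900 "-" "sqlmap/1.1"',
    '198.51.100.9 - - [10/May/2017:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Acunetix"',
    '192.0.2.7 - - [10/May/2017:10:00:06 +0000] "GET /view.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 700 "-" "curl/7.52"',
    '192.0.2.7 - - [10/May/2017:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    manual, automated, share = summarize(SAMPLE_LOG)
    print("manual:   ", dict(manual))
    print("automated:", dict(automated))
    print(f"automated share: {share:.0%}")
```

The first matching category wins, so the order of `SIGNATURES` matters when a request trips several patterns; a real WAF reports all of them. Filtering on user agent is only a first cut, since scanners can be configured to impersonate a browser, which is one reason the article's manual-versus-automated split should be read as an estimate.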


About the Author: Alex Bod is an information security researcher and co-founder of Bod Security, an intelligent antivirus provider company.

Today’s Cybersecurity Challenges Started in 1648

Understandably, a few eyebrows go up when I suggest that today's cybersecurity challenges started nearly 370 years ago, some 300 years before ENIAC (one of the first general-purpose electronic digital computers). But I stand by this observation because of the unintended clash of two systems: the nation-state and the Internet.

Many of the institutions, social constructs and domains we have accepted as norms came out of the Peace of Westphalia, a series of treaties that ended the Thirty Years' War. No, the problems do not stem from the fact that many of us wish to throw our devices out the window when things go wrong or we find ourselves in disagreement with technology. (Though defenestration does sometimes feel like a natural response to many of our cybersecurity problems.)

Rather, the problems stem from the boundaries that the Peace of Westphalia established. Consider its three principles:

Sovereignty
Legal equality
Policy of non-interventionism

In lay terms, these principles translate into defined boundaries, jurisdiction, and "keep out of my house." These basic principles have served, and continue to serve, as the bedrock of our foreign relations, forming the system we know today: the modern nation-state.

Without the nation-state system, it is quite possible continental Europe would have spun further out of control, continuing to tear itself apart as it had through the 16th and early 17th centuries. If that chaos had continued, the world would certainly look much different today.

In the simplest sense, the Peace of Westphalia established norms that most persons (particularly of the ruling class) were willing to accept. Even those with wildly different worldviews on how to live are able to agree on what "a country" is.
(Disclaimer: okay, I am not as confident as I was a couple of years ago in this argument, given recent social discourse and public debate.)

Fast forward to the 1960s, and we see how the clash of systems begins. The development of ARPANET (the beginning of the Internet) and the years shortly thereafter spurred a debate about what type of controls the network should have. Fred Kaplan's book Dark Territory: The Secret History of Cyber War sheds light on this debate in some detail, but I will try to simplify: should the network be secured in some manner with controls, or should it be open, allowing the freest possible flow of information?

The latter argument eventually won out (which is why the Internet today is inherently vulnerable), but I hope you are starting to see how this emerging system (the Internet) has developed features that stand in direct opposition to an established system (the nation-state).

We can define three developmental features of the Internet:

There is no established sovereignty.
Legal blurring is prevalent.
By its nature, the Internet is interventionist and disruptive.

Or to put it another way, the Internet is free of boundaries, has no jurisdiction (from a practical enforcement perspective at least), and is "in everybody's house." Therefore, it should come as no surprise to any of us that we are having such a hard time solving the most difficult challenges in cyberspace when these two systems are in constant conflict. (With all respect to my technologist friends, patching a critical vulnerability or tracking down malicious code that is making your system go bonkers is an easy challenge compared to this one.)

And with that said, here is the real noodle bender: we (humans) created the Internet with the intent of confinement as a means of positive control. (Note: "control" is not nefarious or conspiratorial in this case. Rather, "control" is analogous to having a "hand on the wheel" to make sure you do not drive off a cliff.)

Instead of positive control, we have a system that completely controls how we conduct ourselves. Hopefully, the diagrams below help visualize what I am presenting:

I challenge anybody not living under a rock to prove otherwise. The Internet touches every aspect of our lives. Your reading this is proof of it, as there is no way I could reach you in this manner by traditional print means. It is simply too expensive, and the distribution channels are not accessible to me without heavy investment in capital (which most people do not have, by the way).

This change in control matters because it alters everything we do, from foreign relations and business to cultural interaction and even personal relationships. Furthermore, this change in control allows actors to attempt unfettered interference in another actor's business in ways that were simply impossible in the past.

Whether interference is successful is up for debate, though commentary and opinion on the matter have run amok. Let me qualify that statement: interference is successful, but the degree to which that interference had a meaningful impact is up for debate and incredibly difficult to measure. Measurement, at best, is limited to subjective analysis.

As indicated in my previous article, many of today's cyber challenges are an extension of some pre-existing conflict in the physical domain, but the tools are incredibly different and, in some corners, much more powerful.

Would the Arab Spring of 2011 have played out as it did if social media networks had not been present? Would the 2016 US Presidential Election have played out differently? Of course, but to play clairvoyant and confidently state "if x had not occurred, then y would have happened" is a hard argument for me to accept when there are millions, even billions, of factors at play.

What I will accept is that there is a level of asymmetry and disproportionate impact that we are not accustomed to seeing, all because of these systems in opposition.
This is all the more reason why identifying these issues (and properly labeling them) matters.

In the next article, I will elaborate further on this clash and on how national interests will continue to take precedence over any other interest for the foreseeable future. FBI Director James Comey, in his May 3, 2017 testimony before the Senate Judiciary Committee, presented some very nuanced and important comments which illustrate how profound this clash of systems is. More importantly, the comments reinforce how much of the cybersecurity challenge requires further and deeper human understanding of the issues.

George Platsis

About the Author: George Platsis has worked in the United States, Canada, Asia, and Europe as a consultant and an educator and is a current member of the SDI Cyber Team. For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs in the fields of business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Russian hackers rob a million from bank customers

A Russian cybercrime group known as "Cron" used malicious apps to infect around 1 million Android smartphones and steal 50 million roubles (around £677,000 or $892,000) from domestic bank customers. According to Group-IB, the cyber security firm investigating the attack with the Russian Interior Ministry, the group infected smartphones at a rate of 3,500 devices a day.

The group of 20 hackers had purchased a more powerful piece of malware and was planning to expand the attack to major European banks before being arrested. The core members of the group were arrested on November 22 last year. The group had begun targeting the French banks Crédit Agricole, BNP Paribas and Société Générale, but no funds were stolen from their customers.

The Cron group, named after the malware it used, disguised the malware as fake banking applications, e-commerce apps and pornography web clients. When Android users in Russia searched online, the search results would suggest the fake apps, and users were tricked into downloading the phony version. Once in control of an infected smartphone, the hackers could send SMS messages to the user's bank instructing it to transfer money, up to $120 per transfer, to one of 6,000 fraudulent accounts. They intercepted the transaction confirmation codes and suppressed the messages that would have notified victims of the transaction. The attack thereby bypassed two-factor authentication features that require a user to enter a secondary code, often sent via text message, to confirm their identity.
“Cron’s success was due to two main factors,” Dmitry Volkov, head of investigations at Group-IB, said in a statement. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”
They targeted customers of Sberbank, Alfa Bank, and online payments company Qiwi, exploiting SMS text message transfer services.
“Group-IB first learnt about Cron in March 2015: Group-IB’s Intelligence system tracked the activity of a new criminal group that was distributing malicious programs named ‘viber.apk’, ‘Google-Play.apk’, ‘Google_Play.apk’ for Android OS on underground forums,” explained the cyber security company.
The situation came to light when sources close to the investigation tipped off Reuters.
In June 2016 the hackers rented "Tiny.z," a piece of malware designed to attack bank account systems, for $2,000 a month, and adapted it to target banks in Britain, Germany, France, the United States and Turkey, among other countries.
Luckily for the people with infected smartphones, and unfortunately for the hackers, only small sums can be transferred via SMS instructions, so despite the number of devices affected, the amount stolen was not astronomical.
A total of 16 people have been arrested thus far in relation to the case, including a 30-year old man who is believed to be the leader of the group operating across six different regions of Russia.
The case highlights the dangers of SMS-based mobile banking. SMS banking services are used in Russia to help people living in isolated areas where access to bank branches is difficult, but security always has to outweigh consumer convenience.

Android flaw opens a path for malware to users and will not be fixed for now


A security vulnerability in the Android operating system (OS) that lets malicious apps hijack a device's screen has reportedly left almost 40% of users exposed to ransomware, banking malware and adware, but Google says it won't be fixed for months.

The flaw lies in a core security mechanism of Android 6.0.0 (Marshmallow) and above, which according to official statistics covers 38.3% of devices. Google has confirmed it is aware of the issue but says the bug won't be fixed until the release of 'Android O' in Q3 2017.

According to researchers at cybersecurity firm Check Point, the problem persists because of a Google policy that automatically grants certain permissions to applications installed directly from the official Play Store.

The permission at fault, SYSTEM_ALERT_WINDOW, allows an app to draw windows on top of other apps on the device's screen.

This, as the researchers noted in a blog post this week (9 May), is a key method hackers and cybercriminals use to trick unwitting Android users into falling for malware and phishing scams that lead to ransomware, banking Trojans and adware.

Check Point said more than 70% of ransomware (malware that locks a system until money is paid to the attacker), more than half of adware and about 15% of banking malware spread by abusing this kind of permission. "This is clearly not a minor threat," the researchers said.

In an earlier temporary fix, Google shipped a change in Android 6.0.1 that gave the Play Store app itself more control over this permission, but it apparently backfired: if a malicious app was downloaded from Play, it would be "automatically granted" the permission.

The researchers stated: "Since Google understood the problematic nature of this permission, it created a distinct process to approve it. This soon resulted in problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat."

While Google currently uses a system known as "Bouncer" to automatically scan apps in an attempt to keep out those containing malware, some still slip through the net. Recently reported strains have included "BankBot" and "FalseGuide".

"Beware of fishy apps," the researchers warned, adding: "Users should always beware of malicious apps, even when downloading from Google Play. Look at the comments left by other users, and only grant permissions which have relevant context for the app's purpose."
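Both the Cron case above (SMS interception to capture bank confirmation codes) and the SYSTEM_ALERT_WINDOW overlay problem come down to permissions and components that are visible in an app's manifest before the app is installed, which is the "relevant context" check the researchers recommend. The script below is an added example, not Group-IB's or Check Point's tooling: it parses an AndroidManifest.xml (constructed here for the example) and flags SMS permissions, a high-priority SMS_RECEIVED receiver of the kind that can consume a message before the user sees it, and the overlay permission. The priority threshold and the wording of the findings are my own choices.

```python
"""Audit an AndroidManifest.xml for SMS-interception and screen-overlay risk.

Added example (not Group-IB's or Check Point's code). Two static checks:
  * the Cron pattern of RECEIVE_SMS/SEND_SMS plus a high-priority
    SMS_RECEIVED receiver, which can grab a bank's confirmation code and
    abort the broadcast so the victim never sees it;
  * the SYSTEM_ALERT_WINDOW overlay permission Check Point describes.
The manifests below are constructed test data. A real review also reads
the dex code, because a manifest only shows capability, not intent.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}
HIGH_PRIORITY = 999  # assumed threshold: outranks typical messaging apps


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the given manifest XML."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []

    held_sms = perms & SMS_PERMS
    if held_sms:
        findings.append("requests SMS permissions: " + ", ".join(sorted(held_sms)))

    # A receiver for SMS_RECEIVED with a very high priority sees the SMS first
    # and can call abortBroadcast() so nothing downstream is notified.
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            if prio >= HIGH_PRIORITY:
                findings.append(
                    f"receiver {name} intercepts SMS_RECEIVED at priority {prio} "
                    "(can suppress bank confirmation codes)")
            else:
                findings.append(f"receiver {name} listens for SMS_RECEIVED")

    if OVERLAY in perms:
        findings.append("requests SYSTEM_ALERT_WINDOW (screen overlay)")
        if held_sms:
            findings.append("overlay + SMS access: classic banking-trojan combination")
    return findings


# Constructed manifest modelled on the fake-banking-app pattern described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank">
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fakebank", SAMPLE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(label + ":")
        for finding in audit_manifest(manifest) or ["no findings"]:
            print("  -", finding)
```

To run it on a real APK, first decode the binary manifest (for example with apktool) and pass the resulting XML text to `audit_manifest`. The overlay check is deliberately a warning rather than a verdict: as the Check Point quote notes, legitimate apps such as Facebook Messenger hold SYSTEM_ALERT_WINDOW too, so the question is whether the permission has relevant context for what the app claims to do.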

According to Android Police, a technology site, the Android "O" developer preview will include four releases ahead of the final version, currently set to arrive in Q3. An exact date has not been announced, but we recently got a look at Google's new Fuchsia OS.