Security Roundup

By Riccardo Pietri on 3 Mar 2016

At EveryCity we take security seriously and we believe this requires continuous improvement. One of our commitments for 2016 has been to obtain ISO27001 accredited certification, the de-facto international standard for Information Security Management.

By providing compliance and certification against a recognised external standard we demonstrate our clear commitment and due diligence to our clients and stakeholders.

As part of our security focus, this is the first of our periodic Security Updates, where we will share our thoughts on some of the latest security threats, developments and preventative measures. We recognise that keeping up to date with security developments can be an onerous task, so we hope to keep things brief, while highlighting the most relevant current threats, as well as exploring a particular topic in more depth.  In this issue that topic is Ransomware which is on the rise, proving costly to victims and creeping from Ware to Web.

Security-Roundup

Ransomware

From RansomWare to RansomWeb
A significant increase in Ransomware attacks throughout 2015 has made it now the most widespread and damaging online threat. Relatively affordable ransoms, usually set around $500, and victims’ desperation to retrieve files, tends to result in payment in many cases, creating fertile ground for Ransomware growth.

The Unprepared
We’ve all learned, sometimes the hard way, that to err is human, so it’s inevitable that people are the weakest link in the security chain. Ransomware in particular is designed to exploit these human fallibilities. Disguised in ever more ingenious ways within social media, software updates, films and video as well as in increasingly realistic emails from apparently genuine sources, it’s all too easy for people to be caught off guard when busy or distracted. It’s now more important than ever to observe security best practice and to ensure all staff are kept updated on the current threats.

The Lucrative – CryptoWall
What is it? – known as the world’s worst ransomware, this targets all versions of Windows; encrypts filenames and file contents on computer, attached drives, devices and synched cloud storage such as dropbox and google drive; demands a ransom, usually around $500 in bitcoin to restore; no decryption is possible except via the attacker’s key. Attacks are increasingly hard to detect and can evade many firewalls.

Add-ons: while encrypting, CryptoWall may also install spyware that steals passwords, sending the data back to the command and control server.
Distribution: fake updates for Adobe Reader, Flash Player or Java Runtime, but also via malvertising and as email attachments.
Prevalence: In 2015, Europe received 25% of infections and the UK 7%. The US and Canada combined received 13% of infections and CryptoWall attackers are said to have received $325 million from US victims alone during 2015.
If attacked: Isolate machine from networks. There is no alternative but to rebuild from scratch. Those who pay the ransom do so because their files are not fully backed up, but paying does not guarantee the files will be returned to pre-attack state.
Precautions: Backup data often, ensure dated backups to allow restore to pre-attack date. Only download plugins and files from secure and approved sources. Regular training to keep all staff aware of latest phishing campaigns.

The Costly – Magento / Linux Attack
It was only a matter of time before cyber criminals moved beyond Windows-based devices and in November 2015, the first Linux ransomware emerged, Linux.Encoder.1. This exploits a security hole in the Magento e-commerce platform and although Magento were quick to release a patch it’s believed many sites have not yet applied this.  Since the key is generated on the victim’s computer it is possible to recover files with the aid of security software, but the disruption to business and inconvenience could be challenging.

The Magento shoplift bug has re-emerged a year after it first appeared in February, 2015. This vulnerability allows hackers to access customer credit card information and its return, which is resulting in successful exploits, shows there are still sites that have not applied this essential patch.

Magento has focused on resolving a number of as yet undetected vulnerabilities in its 2.0.1 major release. Magento 2.0.1 also brings the benefit of PHP 7.0.2 compatibility which brings dramatic performance improvements.

The Complacent – Mac OS X
Apple users have enjoyed decades relatively free from cyber dangers and have so far been spared ransomware attacks, but that’s not because it’s impossible. In December a Brazilian security researcher conducted an experiment to do just this and took only a couple of days to develop ransomware to breach OS X. He’s apparently not the first – and probably not the last since there are now approx. 60 million OS X users for criminals to target. The Sparkle vulnerability which recently emerged as a threat to updates for third party apps via non secure channels may be just the start for Apple users.

The Difficult – 7ev3n
One new ransomware, 7ev3n, is particularly difficult to deal with as it modifies Windows System settings and boot options so that keyboard keys and system recovery options are disabled on the computer.  7ev3N demands a higher ransom than normal at 13 bitcoins (roughly $5,000), but is not yet widespread.

The Enterprising – Ransom32
Ransom32 is a new Ransomware as a Service (RaaS) – modelled on the SaaS approach to business – and includes the first ransomware written in JavaScript. The developers make Ransom32 available via an underground TOR site and exploiters using it pay a 25% cut of their takings to the RaaS.

There is even an Affiliate Console that provides statistics on the hacker’s personal distribution campaign and settings to help configure the malware. Ransom32 uses a fork of Node.js known as NW.js that is a framework for developing applications for Windows, Linux and MacOS X using JavaScript. The ransomWare download is a 22MB self-extracting archive so tends to be delivered in large files such as films via torrent sites.

How to Protect Yourself

Keep Software Updated – At All Times
Ransomware is normally delivered onto web servers via vulnerabilities in website code, for example flaws within popular CMS systems such as WordPress, Drupal or Magento, and more increasingly, via flaws in 3rd party extensions.

Keeping your web application up to date is therefore essential. Attackers automatically scan the internet searching for exploitable websites, so the longer your website remains out of date, the greater the chances of being exploited.

To help you keep secure, we have recently launched a Managed Update Service, where for a nominal monthly fee, we will ensure your servers and web software is kept up to date at all times. Please contact us for more information.

Install a Web Application Firewall
A Web Application Firewall inspects all HTTP requests against your website, blocking attacks matching known signatures, such as SQL injections or Cross Site Scripting (XSS) attacks. They can even block attacks against known vulnerabilities in popular CMS systems. Signature databases are available from both the open source community and commercial vendors.

Web Application Firewalls are increasingly becoming a requirement for various information security standards, such as with the PCI DSS card payment standard.

We’re able to install a range of options depending on your requirements, so please contact us for more information.

Detect Vulnerabilities and Exploits Quickly
Another essential layer of defence is to perform periodic vulnerability scans against your website, to identify and discover known vulnerabilities. Often vulnerability scanning tools will also detect known exploits, helping you to identify if your website has already been compromised.

If vulnerabilities are found, it’s then possible to take preventative measures to ensure these are plugged before an attacker exploits them. In the situation where a scan identifies that your server has already been found to be compromised, you can quickly act to remove the vulnerability before your customer’s are affected.

We offer a range of managed vulnerability scanning services, where we can periodically scan your website and provide reports, as well as take action to resolve any issues raised. Please contact us for more information.

Feedback

I hope you’ve enjoyed reading this latest security roundup. We would welcome any feedback you may have. We’re always here for our customers as well, so if you have any security questions, please don’t hesitate to get in touch.

We also provided a roundup of threats and exploits over the past year in our Web Security – How Vulnerable Are You? blog post that rounded off 2015.

Catch you all in 3 months!

Riccardo Pietri