Category Archives: virus

Viruses are talked about constantly. They are becoming ever more effective and ever more formidable. Our mission is to inform you and protect you from the threats of the Web.

What if our e-mails were spyware vectors

Recently, a study revealed a rather unprecedented situation that must be taken very seriously.

The majority of e-mails received by Internet users (two-thirds) could contain spy pixels.

Thanks to a recent publication by the company behind the Hey e-mail application, the scourge of spy pixels (also called web beacons, tracking pixels, pixel tags, etc.) is topical again. The fact is that their numbers are exploding, and this through e-mail. All it takes is for the user to open an e-mail that contains one for it to fire immediately. This allows the spy pixel to activate and begin collecting data on the user.


The real problem with these pixels is that they are not, at first sight, spy programs. They are very small images, usually of a single pixel, often saved in GIF or PNG format. They are found everywhere, whether on the web or in the e-mails we receive almost every day, be they corporate e-mails or messages from e-commerce sites.

When used skilfully by a cybercriminal, a spy pixel can escape the vigilance of even the most seasoned specialists, because simply opening the e-mail is enough to activate it. Faced with this, the ordinary user has no method of protecting themselves. The hardest part is that, in practice, it is not illegal at all. We can therefore be tracked online in a totally legal way without the tracker having anything to fear from the law. And this is a practice that has been around for years.

However, for some time now, pixels have multiplied in number. There are too many of them. This is what the BBC demonstrated through a study it commissioned from the company that publishes the Hey app.

According to Hey, two-thirds of e-mails exchanged privately contain a spy pixel. There is a good chance that all the major brands use this process to track Internet users on the web. Among many others, the following have been identified:

– British Airways;

– Vodafone;

– HSBC;

– Marks and Spencer;

– Tesco;

– etc.

According to Hey's boss, spy pixels are far more widely used than we think.

In practice, spy pixels are something of a malicious device used by advertisers in the marketing industry to obtain statistical data on users who visit websites and other online platforms. Thanks to them, the people behind these spy pixels can obtain information such as:

– The opening time of the e-mail

– The device used to consult e-mail

– The IP address of the device in some cases

– The physical address in some cases.

Although the practice is not prohibited, its use is regulated, notably by the Privacy and Electronic Communications Regulations (PECR) of 2003, not to mention the European General Data Protection Regulation adopted in 2016 (the GDPR).
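As an added example (not code from the original article), the following Python script scans an e-mail's HTML body for images that behave like the tracking pixels described above: remotely hosted, one pixel in size or hidden by CSS, or carrying a long opaque identifier in their URL. The sample message is constructed, and the heuristics and thresholds are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body (not a real message): a visible logo,
# a 1x1 remote image with an opaque token, an inline (cid:) image, and a CSS-hidden image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your order has shipped.</p>
<img src="https://cdn.example.com/images/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-mail.net/open/7f3a9c2e1b4d5a6f8e9d0c1b2a3f4e5d.gif" width="1" height="1" alt="">
<img src="cid:inline-banner" width="1" height="1">
<img src="https://stats.example-crm.com/p.png?u=abcdefghij1234567890" style="display:none;border:0">
</body></html>
"""

# A long run of letters/digits as a path segment or query value: a per-recipient identifier.
OPAQUE_TOKEN = re.compile(r"(?:[?&][\w-]+=|/)[A-Za-z0-9]{20,}")


class PixelFinder(HTMLParser):
    """Collects <img> tags whose attributes match common tracking-pixel traits."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        # Only remotely fetched images can report the open back to a server;
        # inline (cid:) or data: images are harmless in this respect.
        if urlparse(src).scheme not in ("http", "https"):
            return
        reasons = []
        width = a.get("width", "").strip().rstrip("px")
        height = a.get("height", "").strip().rstrip("px")
        if width in ("0", "1") and height in ("0", "1"):
            reasons.append("1x1 size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if OPAQUE_TOKEN.search(src):
            reasons.append("opaque token in URL")
        if reasons:
            self.hits.append({"src": src, "host": urlparse(src).hostname, "reasons": reasons})


def find_tracking_pixels(html):
    """Return a list of suspected tracking pixels found in an HTML e-mail body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"{hit['host']}: {', '.join(hit['reasons'])}")
```

A mail client that blocks remote image loading by default defeats all three variants, since the pixel is only reported when the image is fetched.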

Now access an unlimited number of passwords:

Check out our hacking software

TrickBot according to AdvIntel

In a recent report, the company AdvIntel described a new TrickBot module, which the researchers called "PermaDll32".

The name caught the researchers' attention because it appeared to derive from the word "permanent", suggesting a module designed to have persistent effects.


According to the computer security researchers' analysis, this module was able to read the information present in the BIOS firmware and in the UEFI program once it arrived on infected machines. "This low-level code is stored in a computer's motherboard SPI flash memory chip and is responsible for booting the hardware during the start-up process and transmitting control to the operating system," explains Lucian Constantin of CSO.

The discovery was made by researchers from AdvIntel and Eclypsium, a company known for its specialization in firmware security. The two companies teamed up to analyze the recent TrickBot module in depth and determine what it could be used for. According to this investigation, "The PermaDll32 module deploys a driver called RwDrv.sys" from RWEverything, a fairly popular free program that allows its users to read and write the firmware of hardware components, including the SPI controller used for UEFI.

"The TrickBot module uses this capability to identify the underlying Intel hardware platform, check whether the BIOS control register is unlocked, and whether BIOS/UEFI write protection is enabled. For the full boot chain to be secure, the UEFI firmware must be write-protected, but OEM computer manufacturers have often left this misconfigured in systems in the past," explains Lucian Constantin. This weakness has allowed cyber-espionage groups to deploy stealthy malware. "I think there are probably millions of devices that are still vulnerable to this problem in the field," Jesse Michael, principal researcher at Eclypsium, told CSO. "I don't have the number of devices targeted, but it was a very common thing before 2017, and even after 2017 we still see some devices coming out of the factory with this vulnerability. Leading suppliers are doing what they can to fill that security gap," he adds.

The problem is well known. It should be recalled that a similar loophole has been exploited in the past: hackers of the APT 28 group used it to deploy UEFI implants through the LoJax attack, and more recently the hackers behind MosaicRegressor did the same. Yet many UEFI security flaws and several hardware configuration errors remain, and they have been reported constantly for years now. These are vulnerabilities that TrickBot could exploit later.

"The national security implications resulting from a widespread malware campaign capable of bricking devices are enormous," the researchers warn. "The TrickBoot module targets all Intel systems produced over the past five years. According to Eclypsium analysis, most of these systems remain vulnerable to one of the multitudes of firmware vulnerabilities currently known, with a smaller proportion likely to be susceptible to the problem of poor configuration."

The best way to protect yourself from attacks of this kind is, of course, to keep the BIOS/UEFI constantly updated, since this is how known vulnerabilities get fixed. It is important to apply these updates because they are the ones most often overlooked. A simple routine which, for reasons that are hard to explain, companies find difficult to follow.

"People often focus on operating system updates and neglect firmware updates," says Jesse Michael. "So you may have a firmware update for your system that you can deploy to fix this problem, but because you don't have it, because you don't include firmware updates in your normal IT operations, you take longer to apply them. As a precautionary measure, you must include firmware updates in your normal processes."

This problem can be solved. However, another problem will have to be addressed first: the lack of visibility into firmware issues when analyzing vulnerabilities.


UEFI: TrickBot's persistent target

Recently, computer security researchers at AdvIntel made a striking discovery.

A TrickBot module that allows the malware to persist and continue to act even after the targeted system has been reformatted or replaced. A feature that will not make life easy for information system security managers.


Technically, it should be noted that the module is able to identify the underlying Intel hardware platform. It then checks the BIOS control register to determine whether it is unlocked, that is, without any write protection.

A rather disturbing development of the TrickBot program, which was already giving professionals a hard time. As a reminder, TrickBot is a botnet, that is, a network of fraudulently connected computers that generates computing power, usually used by hackers as a gateway into corporate networks to inject ransomware or other malware and bring them under their control. Thanks to the new modules identified by security researchers, the botnet can now search for vulnerable UEFI configurations on systems it has previously infected. This then allows the attackers to deploy backdoors at such a low level that it is difficult for researchers to remove them.
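Both TrickBot articles above describe the module checking whether the BIOS control register is unlocked and whether BIOS/UEFI write protection is enabled. The following Python snippet, added here and not taken from the AdvIntel/Eclypsium research, shows the same check from the auditing side: it decodes constructed values of Intel's BIOS_CNTL and SPI Protected Range registers (bit positions as documented for Intel PCHs; reading the registers from hardware is out of scope and left to a firmware audit tool) and classifies the firmware as protected, weakly locked or unlocked. The BIOS region boundaries passed in are assumptions.

```python
# Bit layout of the Intel PCH BIOS_CNTL register (LPC/eSPI config space, offset 0xDC).
BIOSWE = 1 << 0    # BIOS Write Enable: software may write the BIOS region when set
BLE = 1 << 1       # BIOS Lock Enable: an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only while in SMM
PR_WPE = 1 << 31   # SPI Protected Range register: write protection enable bit


def decode_bios_cntl(value):
    """Split a BIOS_CNTL byte into its security-relevant flags."""
    return {"BIOSWE": bool(value & BIOSWE), "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def decode_pr(value):
    """Decode a 32-bit SPI Protected Range register (PR0..PR4) into a flash address range."""
    base = (value & 0x1FFF) << 12                       # bits 12:0 hold address bits 24:12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF    # bits 28:16 hold address bits 24:12
    return {"wp": bool(value & PR_WPE), "base": base, "limit": limit}


def assess_bios_write_protection(bios_cntl, pr_values, bios_base, bios_limit):
    """Classify the BIOS region as 'protected', 'weak' or 'unlocked' from register values."""
    flags = decode_bios_cntl(bios_cntl)
    reasons = []
    if flags["BLE"] and flags["SMM_BWP"]:
        reasons.append("BLE and SMM_BWP set: writes from outside SMM are blocked")
    elif flags["BLE"]:
        reasons.append("BLE set without SMM_BWP: the lock relies on the SMI handler")
    else:
        reasons.append("BIOS_CNTL lock bits clear: software can set BIOSWE and write flash")
    covered = False
    for i, raw in enumerate(pr_values):
        pr = decode_pr(raw)
        if pr["wp"] and pr["base"] <= bios_base and pr["limit"] >= bios_limit:
            covered = True
            reasons.append(f"PR{i} write-protects the whole BIOS region")
    if (flags["BLE"] and flags["SMM_BWP"]) or covered:
        status = "protected"
    elif flags["BLE"]:
        status = "weak"
    else:
        status = "unlocked"
    return {"status": status, "flags": flags, "reasons": reasons}


if __name__ == "__main__":
    # Constructed register values for illustration (not read from real hardware);
    # the BIOS region is assumed to span 0x500000-0x7FFFFF of the flash.
    for cntl, prs in ((0x22, [0] * 5), (0x02, [0] * 5), (0x00, [0x87FF0500, 0, 0, 0, 0])):
        result = assess_bios_write_protection(cntl, prs, 0x500000, 0x7FFFFF)
        print(f"BIOS_CNTL=0x{cntl:02x}: {result['status']} ({'; '.join(result['reasons'])})")
```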

To be precise, UEFI, for "Unified Extensible Firmware Interface", is a tool intended to ensure that no rootkit-type malware (used by hackers to modify operating systems in order to hide malware, transfer data or install backdoors) is installed on a computer system. It should be remembered that Kaspersky announced that it had discovered a rootkit called MosaicRegressor, which mainly attacks UEFI.

"This marks an important milestone in the evolution of TrickBot," said researchers from the computer security companies Advanced Intelligence (AdvIntel) and Eclypsium in their recent report released today. "UEFI-level implants are the deepest, most powerful and most stealthy form of bootkits. Because the firmware is stored on the motherboard as opposed to system drives, these threats can provide attackers with continuous persistence, even if the disk is replaced. Similarly, if the firmware is used to brick a device, the recovery scenarios are markedly different and more difficult than recovering from traditional file system encryption from a ransomware campaign like Ryuk, for example," they note.

Going back to TrickBot: it was originally a Trojan-horse-type malicious program, generally used for online banking fraud and for the theft of login credentials such as passwords and usernames.

Today, it presents itself as a vast cybercrime platform with multiple features and capabilities, including RDP scanning, remote access via VNC, and exploitation of SMB vulnerabilities.

Several operators have been observed behind the use of TrickBot. Among many others is the well-known cybercrime group called Overdose or The Trick. It uses the malware to gain access to corporate networks, then provides that access to other groups of cybercriminals, especially the operators behind the Ryuk ransomware. The Lazarus group, known as a hacker group working on behalf of the Korean state, is also said to have used TrickBot to deploy backdoors.

According to computer security researchers, TrickBot operators most often offer their service to APT-category groups or to higher-tier hacker groups.

Last October, Microsoft and several other organizations joined forces to deal a major blow to TrickBot's command and control infrastructure. Although the operation was a success, the botnet is still alive: in November, several cybercrime campaigns were launched on the basis of it.


More innovative malware in 2021

According to a report from the computer security specialist Nuspire, there has been a meteoric increase in malware.

This comes at a time when cybercriminal attacks are becoming increasingly ruthless. In the same vein, hackers have been observed to favour organizations that are overloaded with responsibilities, in particular the health and education sectors. The report specifies a growth of 128 percent in the third quarter of 2020 compared to the second quarter, which amounts to more than 43,000 distinct malware samples detected per day.

The report also notes that cybercrime actors have become increasingly ruthless in their choice of targets. "Throughout the third quarter, hackers shifted their attention from domestic networks to overburdened public entities, including the education sector," states Nuspire's report.


In the forecasts provided by the German security software publisher G DATA CyberDefense, the malware used to target mobiles will be more and more innovative in 2021. This malware will present itself as updates to software widely used on mobile devices. "In this case, applications initially present themselves as legitimate applications, which is why they are often referred to as legitimate by some security solutions. It is only after a number of updates that the malware installs itself on the system without being noticed, with all the consequences that this entails," explains the German cybersecurity company.

As far as social engineering is concerned, the practice will also improve like the others.

In a study provided by Bromium, a virtualization company, and commented on by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, several tactics used by cybercriminals to attract the attention of Internet users were observed. Social networks are their field of choice. The same report explains that cybercriminals manage to generate more than $3 billion using social engineering alone. While this is a fairly new context, cybercriminals have been able to earn more than $1,500 billion in revenue each year. "This is a conservative estimate, based solely on data from five of the most highly prominent and lucrative varieties of revenue-generating cybercrimes," the report notes.

According to G DATA CyberDefense, in view of the improvement of the cyber security sector, hackers are seeking to improve their approach to social engineering in order to make it more efficient.

This is why organizations are encouraged to take appropriate measures to protect themselves, their IT systems and their employees.

On the connected objects side, the trend in cybercrime will also evolve. Indeed, with the growth of the Internet of Things in all sectors of activity, organizations will be forced to improve their computer security, and for good reason: cyber-malicious activities in this sector have spread much faster than in other areas. It must be recognized that the Internet of Things has never presented itself as a sufficiently safe space in terms of security. And from the very beginning, computer attacks have always had the advantage over users. "If a device is not constantly monitored and is not considered part of the network infrastructure, it needs to be fixed," the German security company warned. Clearly, there will be a noticeable increase in attacks on IoT devices. "The convergence of information and operational technologies makes environments more vulnerable. These environments often work on existing systems for which there are no patches or that simply are not installed. Organizations that use the IoT would also be well advised to develop a comprehensive cybersecurity roadmap and conduct regular security audits," recommends G DATA CyberDefense.

According to G DATA CyberDefense, organizations can conduct an audit to see whether they are organized enough to prepare for cyberattacks. Where they can, they should start now and take appropriate action. "It is important that staff handle IoT systems correctly and be aware of the risks. Finally, most cyber incidents are caused by human actions," concludes the German company.


REvil: How does the most active ransomware of the moment work?

REvil is ransomware-type malware which, like Ryuk or WastedLocker, has been widely used in several malicious operations.

Once cybercriminals gain access to an organization's computer network, they use a set of tools to map the network and the targeted systems. They then make every effort to acquire as many administrator privileges as possible. This is how they manage to deploy the ransomware. "Since REvil is distributed by different affiliates, the initial access vectors differ, from phishing emails with malicious attachments to compromised RDP (Remote Desktop Protocol) credentials and the exploitation of vulnerabilities in various utilities," explains Lucian Constantin of CSO. Last year, for example, cybercriminals using this malware exploited an already known security flaw in Oracle WebLogic (CVE-2019-2725).


According to the recent report produced by the security company Coveware, REvil is distributed mainly through:

– Compromised RDP sessions (65%)

– Phishing (16%)

– Software security flaws (8%)

On a Russian blog, a hacker believed to be a former member of the REvil operators' group claimed that several of the group's affiliates mainly use brute force attacks.

"REvil differs from other ransomware programs in its use of elliptic-curve Diffie-Hellman key exchange instead of RSA and Salsa20 instead of AES to encrypt files. These encryption algorithms use shorter keys, are very efficient and unbreakable if properly implemented. The ransomware kills certain processes on infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers and other tools that can keep important files locked or backed up in RAM. It then removes Windows shadow copies and other backups to prevent file recovery," explains Lucian Constantin.

According to experts in the field, securing computer systems against this malware starts with securing remote access:

– The use of sufficiently strong credentials is required.

– It is also recommended that VPNs be used for all remote data transmissions, regardless of the nature of these exchanges.

– All applications or servers that are publicly accessible need to be regularly updated.

– Anything that looks like a configuration error, suspicious behaviour or security vulnerability must be analyzed and taken into account so that the response is immediate and effective.

– Protection against brute force attacks should be permanently enabled. This means finding a way to block excessive numbers of incorrect credential attempts.
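As an added example (not part of the original article), here is a minimal detection routine for the last recommendation above: it replays constructed Windows logon events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) in a simplified one-line-per-event format and flags a source address that fails too many times within a short window, plus any later success from that address. The log format, thresholds and addresses are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data), one per line:
# "<timestamp> <event_id> <logon_type> <account> <source_ip>".
# 203.0.113.7 sprays several accounts over RDP and finally logs in;
# 198.51.100.4 is a user who mistypes a password once.
SAMPLE_EVENTS = """\
2020-11-02T09:00:01 4625 10 administrator 203.0.113.7
2020-11-02T09:00:03 4625 10 admin 203.0.113.7
2020-11-02T09:00:05 4625 10 backup 203.0.113.7
2020-11-02T09:00:08 4625 10 sysadmin 203.0.113.7
2020-11-02T09:00:12 4625 10 administrator 203.0.113.7
2020-11-02T09:00:15 4625 10 jsmith 203.0.113.7
2020-11-02T09:00:20 4625 3 jsmith 203.0.113.7
2020-11-02T09:01:30 4625 10 jsmith 198.51.100.4
2020-11-02T09:01:40 4624 10 jsmith 198.51.100.4
2020-11-02T09:02:00 4624 10 jsmith 203.0.113.7
"""

RDP_LOGON_TYPE = 10  # RemoteInteractive: interactive logon over RDP


def parse_events(text):
    """Parse the simplified event lines into dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold RDP failures inside the window, and later successes."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this rule
        recent = failures[ev["ip"]]
        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()  # slide the window forward
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"kind": "brute_force", "ip": ev["ip"],
                               "failures": len(recent), "at": ev["ts"]})
        elif ev["event_id"] == 4624 and ev["ip"] in flagged:
            # A success after a flagged burst is the signal that a credential was guessed.
            alerts.append({"kind": "success_after_brute_force", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The "brute_force" alert is the point at which a lockout or firewall block for the source address should be applied; the second alert type is what remains to investigate when that block was missing.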

In addition, the hospital sector deserves particular attention. "Some industries, such as health, may appear to be more highly targeted than others, due to the sensitive data they hold and their relative intolerance to downtime," Coveware researchers noted in the study. "However, what we have seen over time is that the presence of cheap vulnerabilities to exploit, which happen to be common in a given industry, is what points to an industry concentration," they add.

Researchers from the security company also point out that certain sectors, such as law firms or accountants, are very vulnerable to attacks by REvil. A significant risk in the United States, where these types of firms account for 14% of all businesses in the country, with nearly 4.2 million companies registered, and for 25% of computer attacks. "These companies are more likely to take the threat of ransomware less seriously," say Coveware researchers. "They generally leave vulnerabilities like RDP open to the Internet and are victims much more regularly than companies in other sectors. It is essential that small professional services companies recognize that there is no such thing as being "too small" to be targeted. The cyber extortion industry doesn't work that way. If you present a cheap vulnerability to the Internet, you will be attacked. It's just a matter of when, not if."
