Category Archives: virus

Viruses are constantly in the news, and they keep getting more efficient and more formidable. Our mission is to inform you and protect you from the threats of the Web.

Understanding cyberattacks and malware

According to anonymised statistics compiled from requests submitted to the Threat Intelligence Portal of the Russian cyber defence company Kaspersky, about 72%, roughly three-quarters, of the malicious files analysed recently fall into three particular categories of malware:

– Trojans

– Backdoors

– Malware injectors (droppers)

These statistics also show that the malware on which computer security specialists tend to spend the most time is the most prevalent.

As we know, the starting point of any investigation into a cyberattack is the detection of activity deemed malicious. To deploy the measures needed to address a computer incident, cybersecurity specialists must be able to:

– identify the target of the attack

– determine the origin of the malicious program

– gauge how widespread this program is

This allows analysts to react effectively. Kaspersky's threat intelligence portal is available to cybersecurity professionals, in particular for the analysis of computer incidents, so the Russian company receives several requests a day for assistance on security issues. These requests regularly concern malicious objects whose handling appears a little trickier.

In most cases, the incidents submitted for expert review concerned:

– backdoors, in 24% of cases

– Trojans, in 25% of cases

– malware droppers, in 23% of requests

Their operators typically use these malware families either to take remote control of the target's computers, as with Trojans and backdoors, or to install further malicious objects without the victim's knowledge, as with droppers.

Moreover, many studies regard Trojans as the most common malware in the world: a category widely used and appreciated by cybercriminals, probably because of the features it offers them. Backdoors and malicious file injectors are less well known and therefore less common; together they make up only 3% of the malicious files usually blocked by Kaspersky's antivirus.

This result can be understood by noting that specialists are generally interested in the final objective of an attack, whereas in most cases endpoint protection software blocks these files as early as possible. For example, a security product concretely prevents the user from opening infected emails, which usually stops certain malware from achieving its ends. Droppers, for their part, are only recognised once researchers have identified all the components that make them up, which is no easy task.

The popularity of a piece of malware also depends on the general interest in the incidents in which it has played an important role, which often leads researchers to analyse it in more detail. Take the Emotet malware, for example, which several press articles brought to the attention of cybersecurity researchers. Likewise, after several security flaws involving Linux and Android distributions, specialists examined backdoors repeatedly in order to understand them better, and the same holds for several vulnerabilities affecting Microsoft Windows.

"We noted that the number of requests sent to the Kaspersky Threat Intelligence Portal to verify viruses or code elements that fit into other programs is extremely low, less than 1%. However, it is traditionally one of the most common threats detected by incident protection, detection and response (EDR) solutions. This type of threat replicates and deploys its code in other files, which can lead to the appearance of a large number of malicious files in the infected system. As we have seen, viruses are rarely of interest to researchers, probably because they lack originality compared to other threats," says Denis Parinov, acting director of heuristic detection and threat monitoring at the Russian cybersecurity firm.

Now access an unlimited number of passwords:

Check out our hacking software

Ransomware: the number of attacks still on the rise in the United States

In the first quarter of 2020, there was a very significant 25% increase in ransomware attacks.

This figure comes from a study published by Beazley, a cybersecurity service provider, through its computer security department, Beazley Breach Response Services. According to the brokerage firm Aon, ransomware should be regarded as the main source of problems in corporate IT.

But the Canadian firm's report also highlights the explosion of online scams, which exploit the concerns and doubts created by the current health crisis. "Cyber criminals are taking advantage of people's increased anxiety during this pandemic, prompting them to click and share links that steal information. Homeworkers may also have lower IT security than corporate networks. Organizations need to ensure that their security systems and protocols are up to date, and ensure that their colleagues working from home are extremely vigilant," said Katherine Keefe, Head of Beazley Breach Response.

According to the Canadian company's cybersecurity unit, the 25 percent rise in ransomware attacks hit the manufacturing sector particularly hard: that sector alone saw an increase of nearly 156% in the first quarter of 2020 compared with the fourth quarter of 2019. All other sectors also saw more attacks on their systems; the financial and health sectors in particular continue to see the number of attacks grow exponentially, and combined they account for half of phishing-based cyberattacks, according to Beazley's report on the first quarter of 2020.

With cybercriminals' interest focused much more on ransomware, attacks on business email, known in the jargon as business email compromise, fell by about 16% over the first three months compared with the trend of 2019. According to the Canadian company's report: "The problem is certainly not gone. The explanation for this decline may possibly be that fewer email compromises have been detected and reported, due to the interruption caused by COVID-19."

Based on the figures for the first three months, experts therefore predict that ransomware will dominate other computer threats in 2020, and that cyber insurance claims will stem primarily from these incidents, according to the insurance broker Aon. This analysis comes from its 2019 study, U.S. Cyber Insurance Profits and Performance, which covered nearly 192 U.S. insurance companies, mainly in the area of cybersecurity.

Insurers also reported a 10% increase in their losses in 2019, due to a rather exceptional rise in ransomware attacks. Claims rose from 35% to 45%, reflecting the persistence of cyberattacks and other incidents. "The average frequency of claims from all companies analyzed was 5.6 per thousand policies, up from 4.2 in 2018. The jump in the frequency of claims has erased the effect of a reduction in the severity of claims. The average size of a cyber insurance claim increased from US$50,401 (CA$68,404) in 2018 to US$48,709 (CA$66,108) in 2019," Aon's report notes.

The report also records a significant increase, 11% compared with 2018, in premiums written for cyber insurance, to an estimated US$2.26 billion (CA$3.7 billion). 69% of premiums were written by the 10 largest U.S. insurers, with the rest of the market shared among smaller ones. Of the 192 companies analysed in the report, 92 wrote premiums of nearly US$1 million, and 41 went up to $5 million.

As for losses, companies of every size suffered some, smaller companies especially. According to the insurance broker, the cyber insurance sector can be expected to grow, particularly in that segment.

Focus on ransomware that thwarts security measures

It is a malicious program discovered at the beginning of this year, in January.

It is called Thanos, after the supervillain of the Marvel films. According to the authorities responsible for combating cybercrime, it was developed by a group of cybercriminals named Nosophoros. Its particularity is that it can circumvent the security measures installed on a network or computer system, going so far as to disable that protection: a very rare ability, based on the RIPlace technique. Since Thanos is also a ransomware program, the damage it can cause is considerable. From the common core of the Thanos ransomware, the cybercriminals developed the Crypto and Program classes.

With such a piece on the board, cybercrime has become a game of cat and mouse between those responsible for information systems security and malicious hackers, and unfortunately for the defenders, the mouse is very difficult to intercept, let alone neutralise.

The ransomware was discovered in January 2020 by Insikt Group, a cyber defence research group, which brought it to the world's attention in a report describing how the malware works. According to Insikt Group, the cybercriminals behind it put it up for sale on the dark web as a customisable build, with up to 43 configurations available, so that its use can be adapted to the needs of any cybercriminal tempted by the program. Most striking of all, the hackers of the Nosophoros group are not only selling the program but have professionalised their illicit trade by offering after-sales service, access to a particular distribution model, and often an update offer that brings more functionality to the malware. "The Thanos client is simple in its overall structure and functionality. It is written in C# and is easy to understand despite its obfuscation [which consists of making an executable or source code unreadable and hard to understand for a human or a decompiler, editor's note], and although it incorporates more advanced features such as the RIPlace technique," notes Insikt Group.

Thanos also integrates in its core between 12 and 17 classes, such as Program, Crypto, NetworkSpreading and Wake on LAN, among many others, which vary according to customer demand.

As described earlier, the RIPlace technique embedded in this ransomware lets it bypass the security systems put in place to protect hosts and even networks. Whether firewalls or antivirus solutions, the program can disable them to carry on with what it was launched for. "With best security practices such as banning external FTP connections and blacklisting known offensive security tools, the risks associated with Thanos' two key components – Data Stealer and Lateral Movement (via SharpExec) – can be avoided," says Insikt Group.

The security vendors Kaspersky and Carbon Black said they are each working on a way to fix the RIPlace flaw. "The Thanos client uses AES-256 in CBC mode to encrypt user files. The key used for AES encryption is derived from a password and a salt through the Windows function call Rfc2898DeriveBytes. Once the Thanos client has used this key to encrypt all the files it discovers, it uses a built-in RSA 2048 public key to encrypt the AES password used. The base64 string of this encrypted password is added to the ransom note, asking the victim to send the encrypted password string to the threat actors to decrypt their files. The private key associated with the public key used to encrypt the password is required to decrypt the AES password. Only the operator who created the Thanos client should have access to the private key," Insikt Group said.

If the RIPlace technique has become a weakness of computer defences today, it is because security solution vendors and other software providers neglected it from the start. At the end of 2019, RIPlace was the subject of a proof of concept by Nyotron. Some vendors, such as Microsoft, were notified but did not consider it a vulnerability at the time, with the exception of Carbon Black and Kaspersky, which did not hesitate to upgrade their security solutions. And as early as 2020, cybercriminals rushed to the dark web to take advantage of the opportunity.

Tycoon, the new ransomware that threatens Windows and Linux

Tycoon is a new ransomware program.

It is not very well known, because the way it operates is very unusual compared with other ransomware. It has been identified in a handful of highly targeted and quite effective attacks, and otherwise it goes unnoticed.

The name Tycoon comes from references in its code. Experts say the ransomware has been active since December 2019 and is used against Windows and Linux systems. Since its discovery it has only been seen in targeted attack campaigns, which paints its operators as very selective hackers.

Its deployment is quite particular, designed so that it remains hidden on the compromised network for as long as possible. The sectors most targeted by the hackers using Tycoon are education and software. It is known for its use of Java.

Its discovery was the result of a collaboration between BlackBerry security researchers and KPMG specialists. Since it is coded in Java, its form is quite particular: this unusual form lets its operators deploy it like a simple Trojan horse within a Java runtime environment, and they were able to compile it into an image file, which makes it easier to conceal. "These two methods are unique. Java is very rarely used to write malware on terminals because it requires the Java running environment to be able to run the code. Image files are rarely used for malware attacks. Attackers turn to unusual programming languages and obscure data formats. Here, the attackers didn't have to hide their code in order to achieve their goals," said Eric Milam, BlackBerry's vice president of research and intelligence.

As for the attack itself, the first stage is nothing exceptional: the malware enters the system through RDP servers that are insufficiently secured, an intrusion method that is quite common in malware campaigns. The most vulnerable servers are those with weak passwords or those already compromised in a previous attack. "Once inside the network, attackers use IFEO (Image File Execution Options) injection settings, which most often allow developers to debug software, to stay in place," explains Eric Milam. The hackers can then use administrator privileges to get rid of anti-malware solutions, with the help of ProcessHacker, to improve their chances of success. Once executed, the ransomware encrypts the network's files, appending specific extensions such as ".redrum", ".grinch" and ".thanos", and in keeping with the usual modus operandi of ransomware attackers, the hackers demand payment of a ransom to free the network. Payment is demanded in bitcoin, and the amount varies depending on the victim and his or her readiness to contact the cybercriminals.

According to BlackBerry researchers, it is highly likely that "Tycoon could potentially be linked to another form of ransomware, Dharma – also known as Crysis – because of similarities in email addresses, encrypted file names and the text of the ransom demand." And since the campaigns based on this program are still ongoing, it seems probable that the cybercriminals are succeeding.

The good news is that it can be stopped remotely. As a precaution, however, it is recommended to keep equipment up to date and to avoid anything likely to expose one of the terminals connected to the company's network. BlackBerry's experts recommend: "As RDPs are a widespread factor in network compromise, organizations can ensure that only ports that require an internet connection are connected to it." To that end, companies must ensure that the accounts used to access these ports do not use default credentials or passwords weak enough to be guessed by an attacker.

Ransomware: Businesses under threat

On 14 May, a subsidiary of the Bolloré group based in Congo was the victim of a ransomware attack.

The attack is said to have been carried out with ransomware. The cybercriminals behind it threatened to disclose information they claimed to have stolen during the intrusion if the group did not respond favourably to their demand. Emmanuel Gras, co-founder and CEO of Alsid and a former auditor at the National Agency for the Security of Information Systems, noted that such attacks are not isolated, but observes that "the target has moved into the logistics sector. Before Bolloré, the Australian industry specialist Toll Group had suffered the agonies of Netwalker, also known as Mailto," explains the CEO of Alsid.

For this reason the specialist sees the security of both private and public organisations as a major issue for the next five years. He says his current role in his company is to "take stock of companies after an attack and ensure that cyber criminals can't come back."

The specialised company Alsid was founded to meet a growing need for security. "We had come to the conclusion that a pattern was repeated in every company in the world: servers, workstations and mobiles are managed by a central system, Active Directory, and this one is very attractive to cyber attackers because, once they take possession of it, they can attack the whole company. So we decided to found Alsid to address this major issue." This is the kind of plan followed by the hackers behind the Netwalker ransomware. The expert also notes a marked evolution in motivations over time: "Initially, the motivations were strategic. Data theft was reported in the context of public espionage, between states, industry, or others. More and more, the motivations are becoming financial," says Emmanuel Gras. The same methods were used against the American law firm GSMlaw, whose clients reputedly include big names such as Donald Trump, Madonna and Lady Gaga; there the cybercriminals demanded $42 million not to disclose the firm's clients' confidential information.

For the start-up Alsid, the protection of corporate networks must start with Active Directory, because in an attack cybercriminals will first seek to gain access to and control the core of the system, i.e. Active Directory. "Active Directory," he says, "is a highly critical infrastructure that paradoxically allows a cyber-assailant to infiltrate the entire network very simply, from a single compromised workstation. A true central access kit, AD manages user rights, email accounts, information related to activities and financial data. It is, in most cases, the cornerstone of corporate security," explains Emmanuel Gras. He adds that the major flaw of Active Directory is none other than its complexity, because, "Rather than making a clear distinction between administrators who can do anything and everyone else, it assigns each user more or fewer rights out of dozens of possible ones. So much so that the list of people with their responsibilities is illegible and, without a platform like Alsid's that monitors AD's weaknesses, it becomes impossible for security teams to identify suspicious behaviours on the network."

The expert shares a situation he encountered in this context, where he had the chance to look at the problem more closely: "During an audit, for example, we saw an AD group called DNSadmin that granted access rights to the profiles in charge of the network. Most of them were not administrators and therefore appeared harmless. However, their group gave them the opportunity to join other groups through which they could obtain administrative rights on certain systems." According to Emmanuel Gras, no monitoring of user activity had been put in place, so it was enough for a single one of these accounts to be caught by a phishing attack for the cybercriminals to gain access to very important information.
