Tag Archives: malware

Bristol Airport Cyber Attack Leaves Passengers and Airport Staff Scrambling

Airline travelers at Bristol Airport, the UK’s ninth-largest airport, which handles more than 8 million passengers a year, were forced to read departure times off old-fashioned whiteboards due to technical issues caused by a recent cyber-attack.

Airport officials confirmed the airport was subject to an opportunistic ransomware attack, a type of malicious software which encrypts (“kidnaps”) user data unless a ransom is paid.

The Ransomware Attack

Ransomware (also called cyber extortion) is a type of malware (i.e. malicious software) designed to hijack your computer by locking your important files and forcing you to pay a ransom to unlock the files.  Cyber criminals infect your computer with ransomware by tricking you into clicking on a malicious email attachment that downloads the ransomware or by visiting a ransomware-carrying website.

Furthermore, a growing number of attacks have used the remote desktop protocol and other approaches that don’t rely on any form of user interaction to cause the ransomware infection.

CCleaner Utility Comes Bundled with Malware

Over the course of four weeks – and 2.27 million downloads – popular PC-cleaning software CCleaner came bundled with malware. Organizations and people using CCleaner need to check their system for signs of the malware infection.

The good news: There is a way to find out if your computer is infected.

The bad news: CCleaner does not actively remove the infection or auto-update the software.

Here’s what you need to know…

What is CCleaner?

CCleaner is a software application that performs routine maintenance on a user’s PC. How-To Geek refers to it as ‘disk cleanup on steroids.’ Various features include:

  • Scanning for and deleting temporary files
  • Analyzing the system for performance optimization
  • Streamlining the management of installed applications

CCleaner is extremely popular (as noted by Cisco Talos in the demographics below), increasing the potential impact of this malware infection. The estimated number of machines affected by the attack described below is 2.27 million.

CCleaner Bundled with Malware

When testing some of their own anti-malware software, the Talos group noticed that CCleaner was sounding alarms and raising red flags. The application was properly signed with a valid signature, but upon closer examination, they discovered an additional application downloading alongside CCleaner.

It turns out the distribution server delivering CCleaner was compromised and malware was added to the download. The Talos group notes the likely attack scenario was a compromised development environment used to insert the malware with the CCleaner download undetected.

Malware Details

The malware included in the CCleaner download is called Floxif. The primary function is to collect various data from infected computers:

  • Computer name
  • List of installed software
  • List of running processes
  • MAC addresses for network interfaces
  • Unique IDs for the computer

Note: the malware only executes if you are using an account with administrator privileges.

How can I tell if I’m infected?

The malware-bundled CCleaner was available for download from August 15th to September 12th. Anyone downloading or updating the software during that time likely has the malware infection.

The specific downloadable file in question is the 32-bit version of CCleaner v5.33. CCleaner updated to v5.34 on September 12th, closing the window of infected downloads. Again, anyone with version 5.33 needs to update to a newer version and check their machine for the malware files.

Steps to check the registry key for infection

Open the system’s Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo.

If you have CCleaner installed, you should be able to find the Piriform key under the SOFTWARE folder. Piriform is the original developer of the CCleaner software.

If you have Agomo as a key in the Piriform folder, you are infected with the malware. Under the Agomo key you should find two data values: MUID and TCID. Both are used by the installed malware infection.
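The registry check above, as an added Python example (not Piriform’s, Talos’s or this post’s code): it reads the Agomo key and its MUID/TCID values on a Windows host and combines that with the installed CCleaner version, which you pass on the command line, into a verdict. Assumptions: both the native and the WOW6432Node registry views are inspected (the affected build is 32-bit), and the decision logic sits in its own function so it can be exercised on any platform.

```python
"""Floxif/CCleaner triage helper (added example, not the post's own code).
It checks HKLM\\SOFTWARE\\Piriform\\Agomo for the MUID and TCID values the
post names, and pairs that with the installed CCleaner version."""
from typing import Dict, Optional

try:
    import winreg  # only present on Windows; assess() works without it
except ImportError:
    winreg = None

AGOMO_SUBKEY = r"SOFTWARE\Piriform\Agomo"
INDICATOR_VALUES = ("MUID", "TCID")   # value names written under Agomo by Floxif
INFECTED_VERSION = "5.33"             # 32-bit CCleaner build distributed with Floxif


def read_agomo_values() -> Optional[Dict[str, object]]:
    """Return the values under the Agomo key, or None if the key is absent.
    Assumption (not stated in the post): both the 64-bit and the WOW6432Node
    registry views are inspected, since the affected build is 32-bit."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AGOMO_SUBKEY, 0,
                                 winreg.KEY_READ | view)
        except OSError:
            continue  # key not present in this view, try the other one
        values: Dict[str, object] = {}
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = data
                index += 1
        return values
    return None


def assess(agomo_values: Optional[Dict[str, object]],
           ccleaner_version: Optional[str]) -> dict:
    """Pure decision logic, kept separate so it can run offline.
    agomo_values: None when the key is absent, otherwise its name->data map.
    ccleaner_version: version from Help > About, or None if not installed."""
    report = {"agomo_present": agomo_values is not None,
              "indicators": {}, "version": ccleaner_version}
    if agomo_values is not None:
        report["indicators"] = {n: agomo_values[n]
                                for n in INDICATOR_VALUES if n in agomo_values}
        report["verdict"] = ("INFECTED: Agomo key present; update CCleaner to "
                             "5.34 or later, then follow the removal steps")
    elif ccleaner_version and ccleaner_version.startswith(INFECTED_VERSION):
        report["verdict"] = ("AT RISK: CCleaner 5.33 installed but no Agomo "
                             "key found; update and re-check")
    else:
        report["verdict"] = "CLEAN: no Floxif indicator found"
    return report


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. "5.33"
    for field, value in assess(read_agomo_values(), version).items():
        print(f"{field}: {value}")
```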

Removing CCleaner Malware

The Floxif malware was included in the application’s executable file. Updating CCleaner to v5.34 should rid your system of the malware. As noted above, CCleaner does not have an auto-update process. Affected users will need to proactively install the newer version themselves.

Floxif can install other malware that might steal user credentials. Users should also consider the following security steps after removing the malware:

  • Change passwords from another device
  • Run a security scan to look for other infections on your machine
  • Reinstall Windows to ensure complete removal of malware

Final Thoughts

The attackers executed a clever and elaborate attack here. A lot of effort was spent to deliver this Floxif malware through legitimate software distribution.

The malware-laced version of CCleaner was legitimately signed and valid. This breaches the level of trust users must have when downloading software from reputable vendors. Products like CCleaner don’t usually attract skepticism, providing attackers a crafty way to stay undetected as they deliver their malware.

TrickBot Banking Trojan Adds Worm-Spreading Features

While the WannaCry and NotPetya outbreaks are contained, innovative hackers are leveraging the learned tactics to strengthen other malware on the market.

The latest piece of malware to evolve based on the SMBv1 vulnerabilities in Microsoft Windows was discovered by Flashpoint – the TrickBot banking Trojan (1000029).

TrickBot Details

TrickBot is a banking Trojan malware targeting financial institutions globally. The Trojan is known for spreading via phishing emails impersonating invoices from a large, well-known international financial institution. Victims are redirected to a fake login page designed to steal credentials.

The new version of TrickBot attempts to leverage the SMBv1 vulnerability that gave way to the WannaCry and NotPetya attacks, creating a worm-like feature for the malware.

The banking Trojan currently appears to have capabilities to spread locally through a network. WannaCry’s functionality of scanning external IP addresses for SMB connections has not yet been implemented.

The new TrickBot malware will scan for local servers via the NetServerEnum Windows API and enumerate other computers via Lightweight Directory Access Protocol (LDAP). Basically, if TrickBot finds its way into an enterprise network that has not addressed the SMBv1 vulnerability, it could create a major fiasco.

The other key feature of the TrickBot malware is the ability to be disguised as ‘setup.exe’ to download another version onto any shared drives. To execute, it is delivered through PowerShell script and spread via interprocess communication (IPC).

Key Takeaways

Again, the new version of TrickBot could lead to a messy situation for any organization still vulnerable to SMBv1 attacks. It will give attackers new capabilities for lateral movement within a network and infect more victim computers.

The leading guidance is to apply the MS17-010 patch or disable SMBv1. Given the brief success of the WannaCry attack, other malware will look to use the same tactics. It’s very likely this won’t be the last we see of the SMBv1 vulnerability headache.

Ransomware Alert: Macs Targeted

It seems like ransomware is one of the few topics that keeps popping up so far this year. Right on cue, another ransomware alert! This time we think the first fully functional ransomware was discovered on an Apple OS X system.

Discovered and reported by Palo Alto Networks, the ransomware is dubbed “KeRanger.” The malware was bundled into the installer of the Mac version of the fast, easy, and free BitTorrent client – Transmission. The prevailing theory thus far is that Transmission’s official website was compromised and the malicious files replaced the legitimate ones.

The attack was pretty clever because the malicious application was signed with a legitimate Mac developer certificate. This allowed KeRanger to sneak past Apple’s Gatekeeper defense. Once installed, KeRanger stays in stealth mode for three days. Then it gets busy encrypting the victim’s files. After it’s done, KeRanger reads the victim its demands – usually 1 bitcoin worth about $400 – to get the files back.

Palo Alto Networks reported the ransomware to Apple as well as the Transmission Project. In response, Apple has revoked the certificate and updated the XProtect anti-malware definitions to recognize the ransomware. The Transmission Project removed the malicious files from its website.

Best Practices

Cyber criminals are recognizing the increased adoption of Apple devices within corporate IT departments and turning more attention towards attacks against Mac users. Credit to Apple for being quick on their feet and removing the ransomware’s certificate. Now if a user tries to open the infected file, it warns “Transmission.app will damage your computer. You should move it to the Trash.” or “Transmission can’t be opened. You should eject the disk image.”

The following steps will help identify and remove KeRanger:

  • Using either Terminal or Finder, check for the following files and, if found, delete them:
    • /Applications/Transmission.app/Contents/Resources/General.rtf, or
    • /Volumes/Transmission.app/Contents/Resources/General.rtf
  • Using the preinstalled “Activity Monitor,” check if a process called “kernel_service” is running. If so, open the “Open Files and Ports” tab and check for the file name “/Users/<username>/Library/kernel_service”. This is KeRanger’s main process and should be terminated with “Quit → Force Quit.”
  • Also, check for and delete the following files from the ~/Library directory:
    • .kernel_pid
    • .Kernal_time
    • .Kernal_complete
    • .kernal_service
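The three removal steps above, as an added Python example (not Palo Alto Networks’, the Transmission project’s or this post’s code): it looks for the file and process indicators listed and reports them without deleting anything, so the removal stays a deliberate manual step. Assumptions: the home directory and the bundle locations are parameters so the check can be pointed at a mounted image or a test directory, and the process check relies on `ps` being available.

```python
"""KeRanger triage helper (added example, not the post's own code).
Reports the indicators from the post; it never deletes or kills anything."""
import os
import subprocess
from pathlib import Path
from typing import Iterable, List

# Hidden marker files in ~/Library, spelled exactly as in the post
LIBRARY_MARKERS = (".kernel_pid", ".Kernal_time", ".Kernal_complete", ".kernal_service")
MAIN_BINARY = "kernel_service"            # ~/Library/kernel_service, the main process
BUNDLE_RESOURCE = "Transmission.app/Contents/Resources/General.rtf"
DEFAULT_BUNDLE_ROOTS = (Path("/Applications"), Path("/Volumes"))  # the two paths in the post


def find_keranger_files(home: Path,
                        bundle_roots: Iterable[Path] = DEFAULT_BUNDLE_ROOTS) -> List[Path]:
    """Return every indicator path that exists, bundle resources first.
    `home` is the user's home directory; `bundle_roots` are the directories
    under which the Transmission bundle may sit (parameters so the check can
    be run against a mounted image or a test tree)."""
    hits: List[Path] = []
    for root in bundle_roots:
        rtf = Path(root) / BUNDLE_RESOURCE
        if rtf.is_file():
            hits.append(rtf)
    library = Path(home) / "Library"
    for name in LIBRARY_MARKERS + (MAIN_BINARY,):
        candidate = library / name
        if candidate.exists():
            hits.append(candidate)
    return hits


def kernel_service_running() -> bool:
    """True if a process named kernel_service is running, which is what the
    post has you look for in Activity Monitor. Uses `ps`, so it works on
    macOS and Linux; returns False if `ps` is unavailable."""
    try:
        out = subprocess.run(["ps", "-A", "-o", "comm="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    # `comm` may be a bare name or a full path depending on the platform
    return any(os.path.basename(line.strip()) == MAIN_BINARY
               for line in out.splitlines())


def triage(home: Path = Path.home()) -> dict:
    """Combine the file and process checks into a single report."""
    files = find_keranger_files(home)
    running = kernel_service_running()
    return {"files": [str(p) for p in files],
            "process_running": running,
            "verdict": ("INDICATORS FOUND: follow the removal steps"
                        if (files or running) else "no KeRanger indicator found")}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```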

“Accessibility Clickjacking” Puts 500 Million Android Devices at Risk

The threat of malware on Android devices is nothing new or revolutionary. But the latest malware found could have the biggest impact. The malware is being dubbed “accessibility clickjacking” and 500 million Android devices are at risk. It’s ok… take a second to read that again. That means 65% of Android devices are vulnerable.

Clickjacking is a technique attackers use to trick users into clicking on an element that is different from the one they intend to click. It relies on the attacker’s ability to load a harmless-looking page and place an invisible overlay carrying the malicious content on top of it. Web browsers have mitigated this type of attack, but it turns out Android is still vulnerable.

Recently, Symantec discovered a ransomware – Android.Lockdroid.E – that used the clickjacking technique to get admin rights for the device.

For more technical details and a video demonstrating the attack, check out the blog published by Skycure.

Skycure explains, “Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected device, as well as take automated actions via other apps or the operating system, without the victim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more.”

With the widespread range of vulnerable devices, the impact of this type of attack is pretty high. Any organization that has employees using Android devices to access work information or emails should take note.

Best Practices

Users of Android devices can take the following steps to be better protected against this malware:

Update: Update the operating system to the latest version. The clickjacking attack affects devices running anything from Android 2.2 Froyo to Android 4.4 KitKat. Update to Android 5.0 Lollipop or above if you haven’t already.

Third-Party Apps: Try to stay away from downloading apps from third-party app stores. To help, turn off the setting that allows third-party app installs:

  • Open “Settings” app
  • Find “Security” settings
  • Uncheck “Unknown sources”

Accessibility Permissions: Double check the apps you have installed that use accessibility permissions on the device. If you don’t need that functionality, turn it off:

  • Open “Settings” app
  • Find “Accessibility” settings
  • Make sure there is no group named “Services”
  • Or… make sure the group has no enabled entries

OCR’s Cyber Tips for Defending against Malware and Scams

The Office for Civil Rights is launching a cyber awareness initiative in 2016 to help the healthcare industry become more knowledgeable about security threats and vulnerabilities. Their guidance is designed to provide best practices on measures that can help reduce breaches of electronic protected health information.

This month’s topics:

  • Ransomware
  • “Tech Support” Scam
  • Better Business Bureau Scam Tracker


Ransomware is malicious software that, when deployed, effectively walls off data so that it is inaccessible to authorized users.  Ransomware frequently infects devices and systems through spam and phishing messages, botnets, exploit kits, compromised websites, and malvertising. Ransomware uses a social engineering trick to get potential victims to click on malicious email attachments or open crafted Short Message Service (SMS or text) messages, which lure them to compromised or malicious websites.  Ransomware targets all sizes of businesses and institutions, home computers, mobile phones, and other devices.

According to the FBI, ransomware attacks have been increasing significantly in recent months.  Reports by IBTimes claim that cybercriminals from many different countries are increasing ransomware attacks on U.S. targets.  Also, a joint study conducted by several security firms estimates that creators of “CryptoWall 3.0,” a ransomware, have obtained over $325 million from victims since its January 2015 launch. Fox-IT, a cybersecurity company, reported that “CryptoWall,” “CTB-Locker,” and “TorrentLocker” are the three top active ransomware programs.

Cybercriminals charge anywhere from hundreds to thousands of dollars to unlock the data. Ransom payments are usually collected using digital payments systems such as “MoneyPak,” “CashU,” “Reloadit,” and “Bitcoin.”

Best Practices:

To combat the threat of ransomware, Covered Entities and Business Associates should consider:

  • Backing up data onto segmented networks or external devices and making sure backups are current.
  • Ensuring software patches and anti-virus are current and updated.
  • Installing pop-up blockers and ad-blocking software.
  • Implementing browser filters and smart email practices.

“Tech Support” Scam

This scam involves a criminal posing as a computer support technician that makes an unsolicited call to trick a potential victim into believing his/her computer is infected with malware. A victim is then persuaded to visit websites to download malicious software that gives the criminal the capability to remotely access and control the victim’s machine. Once the criminal has gained the victim’s trust, the criminal charges hundreds of dollars for “phony” assistance with malicious software removal or for the purchase of fraudulent support plans or software.

Other forms of scam tactics have been used besides phone call scams. These include: pop-up ads seeded into websites that claim a victim’s computer is infected with malware; promoting promises to increase the speed and performance of a victim’s PC, which leads a victim to a malicious website; and malicious search ads that attract an unsuspecting victim seeking online support.

Reports of this type of scam have increased recently, especially among older individuals. According to Microsoft’s Digital Crimes Unit, tech support scams are the single largest consumer scam perpetrated in America today, with approximately 3.3 million victims, and criminals who are collecting $1.5 billion annually.

Further, for those who suspect they are a victim of a tech support scam, immediately change passwords for all accounts including email passwords and online banking accounts; and conduct a scan for malware.  In some cases, re-imaging the system would be the best option, to ensure that all malware has been removed.

Best Practices:

To combat the threat of this type of scam, Covered Entities and Business Associates should consider training staff to:

  • Hang up the phone if you are suspicious of the caller.
  • Never allow a third-party to have remote access to your computer if the caller’s authenticity cannot be verified directly through the CE or BA.
  • Do not trust unsolicited phone calls.
  • Do not provide any personal information over the telephone.
  • Do not download any unknown software or purchase online services.
  • Verify the identity of the caller directly with the CE or BA, or with the company the caller claims to represent.
  • Record the caller’s information and report it to the CE or BA and to law enforcement.

Better Business Bureau (BBB) Scam Tracker

Earlier this year, the Better Business Bureau launched a website that allows consumers to track scams that have been reported in their area.  This is a free platform for information-sharing and awareness of scams in the United States and Canada.  The website features a “heat map” that shows the number of scams reported in each area, based on area codes.  Also, anyone can use the tracker feature “Report Scam” to provide details such as:

  • Specific information about the scam,
  • Information about the scammer,
  • Information about the individual scammed, and
  • Information about the individual reporting the scam.

There are multiple reportable scam types recognized by the BBB:

  • Phone scams,
  • Phishing emails,
  • Illegal business schemes, and
  • Fraud.

Visit the BBB Scam Tracker website https://www.bbb.org/scamtracker/us for additional information.

Ransomware Alert: The First JavaScript Ransomware Appears

A new ransomware – Ransom32 – is now on the radar in the security community. One interesting note about Ransom32 is that it’s implemented using JavaScript, enabling it to run on most operating systems – Windows, Mac OS X, Linux. Most anti-virus software is still unable to detect the malware because JavaScript is a legitimate framework that runs many different applications.

Victims are infected with the ransomware through an attached executable file that is usually sent by email. Once the file is run, the malware installs its files on the computer, most notably a file called chrome.exe that spoofs the Chrome browser.

How Ransom32 Works

After Ransom32 is executed on a computer, it will unpack its files into the temporary files folder. It uses the bundled “s.exe” file to create a shortcut in the Startup folder named “ChromeService” to ensure the malware is executed on every boot. The malware uses its Tor client to connect to its command and control server and communicate the Bitcoin address to deposit the ransom. Ransom32 then displays its ransom message to the victim.

How to Protect against Ransom32

The best defense to a ransomware attack is to have a robust backup strategy in place. You don’t want to be left hostage by the ransomware attackers.

We also have a short list of preventative measures to help protect yourself from falling victim to ransomware attacks.

Ransomware was one of the more significant trends in cybersecurity throughout 2015, and we are expecting to see more variations and attacks in 2016. To hear more about ransomware and other Cyber Trends for 2016, tune in to the next ePlace Solutions free webinar – 2016 Cyber Trends – January 28, 2016 at 10:30 AM PT/1:30 PM ET. Click here to register, and feel free to share with others in your organization!

  • Event Password: 2016

HIPAA Settlement: Phishing Email Causes Breach

In what is the sixth HIPAA resolution agreement of 2015, the University of Washington Medicine (UWM) has settled allegations with the Office for Civil Rights (OCR) for failing to implement policies and procedures to prevent, detect, contain, and correct security violations.

The OCR started investigating after receiving notice of a breach affecting about 90,000 individuals. The investigation revealed that protected health information was inappropriately accessed after an employee downloaded an email attachment that contained malware.

The malware subsequently compromised the organization’s IT system and two groups of patient data. For 76,000 patients, information exposed included names, medical record numbers, and dates of service. For the other 15,000 patients, names, medical records numbers, contact information, dates of birth, Social Security numbers, and Medicare numbers were compromised.

The OCR found that UWM didn’t ensure that its affiliated entities were properly conducting risk assessments and responding to potential risks and vulnerabilities in their environments.

The settlement includes a $750,000 penalty, a corrective action plan, and annual reports on HIPAA compliance. The corrective action plan again brings up the importance of conducting a robust risk analysis.

OCR Director Jocelyn Samuels said, “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address risks and vulnerabilities to patient data.”

Key Takeaways

The first area of significance from this settlement comes from the fact that, once again, a data breach stemmed from a classic phishing attack. Social engineering is still one of the top threats to the privacy and security of sensitive information. Social engineering awareness and training is essential in preventing malware infections from phishing emails.

Another note for healthcare organizations: the OCR expects subsidiaries and affiliates to be held accountable for complying with the HIPAA Security Rule and ensuring security safeguards are in place to protect ePHI.

To learn more about employee data security training available to you through ePlace Solutions, please feel free to reach out to our team at (559)577-1248 or droberts@eplaceinc.com.

Stay Secure During the Holiday Season

The holiday season is a busy time for cyber criminals as consumers look to take advantage of the holiday sales and buy gifts, and businesses rely on the surge in sales to close the year on a strong note.

Retailer Tips

Cyber criminals take advantage of the holiday season by attacking large retailers via PoS malware in order to steal millions of credit card numbers. Malware can remotely infect PoS systems by using one or multiple vulnerabilities in the merchant’s network (i.e. outdated operating systems such as XP, unpatched systems, or PoS networks not separated from the corporate network). One type of malware that is common this time of year is ransomware. Businesses can’t afford to have their operations down this time of year, making ransomware lucrative for cyber criminals. Some best practices that a retailer or merchant should follow include:

  • Keep all systems patched and up-to-date. This is especially important for online shopping carts and blogging plugins.
  • Regularly back up data files to be able to restore the system in the event of a security incident.
  • Restrict PoS terminals from having the ability to access the Internet.
  • Implement two-factor authentication for any remote access to PoS systems.

Online Shoppers

During the holidays, cyber criminals target shoppers as well. The bad actors understand that people are shopping around for best prices and send phishing emails, directing consumers to phony websites with prices that are too good to be true in order to collect their credit card information. As consumers, what can be done in order to protect from these scams?

  • Don’t click on email links that take you to vendor websites. Instead, visit the vendor’s website directly by typing its URL.
  • When shopping online, research the website you are trying to purchase from by reading other people’s experiences and reviews. When you are in doubt don’t use that website despite the bargain prices.
  • Use credit cards instead of debit when purchasing online. At least there’s some recourse through the credit card company should the vendor not deliver on what you purchased.
  • Make sure the vendor’s web site has the https:// preceding the web address.
  • Don’t shop while connected to a public Wi-Fi. There could be a fake Wi-Fi with someone sniffing and intercepting your information.

Always practice safe online shopping

Malware Campaign: Digitally Signed Malware

A malware campaign has been spotted that uses digitally signed spam email to trick users into thinking the email and attachment are legitimate.

Here is the message the email client shows when it validates the digital signature as a trusted source (screenshot: “digitally signed malware - fake message”).

The signature turns out to be legitimate, but those who open the message find a JavaScript attachment posing as a PDF file. Once the attachment is run, the malware is downloaded and executed. While this is happening in the background, the user is shown a PDF file as a decoy to maintain the perceived credibility of the email and attachment.

Malware researchers at Blaze’s Security Blog attribute this malware to an Andromeda/Gamarue backdoor variant. This type of infection would make the infected device part of a botnet.

Best Practices

For administrators:

  • Create a Sender Policy Framework record to prevent sender address forgery. More on SPF.
  • Ensure that strong passwords are used for Domain Controller servers.
  • Ensure that antivirus is installed, up-to-date, and running on all workstations.
  • Consider disabling Windows Script Host, which is needed for JavaScript to run locally. More on steps to disable WSH.

For users:

  • Don’t ever open attachments from unknown senders.
  • Install antivirus. Keep it up-to-date and running. Enable the option to scan Compressed Files.
  • Choose an antivirus with a firewall to prevent unauthorized access.
  • Consider disabling Windows Script Host, which is needed for JavaScript to run locally. More on steps to disable WSH.