Tag Archives: Threat alert

CCleaner Utility Comes Bundled with Malware

Over the course of four weeks – and 2.27 million downloads – popular PC-cleaning software CCleaner came bundled with malware. Organizations and people using CCleaner need to check their system for signs of the malware infection.

The good news: There is a way to find out if your computer is infected.

The bad news: CCleaner does not actively remove the infection or auto-update the software.

Here’s what you need to know…

What is CCleaner?

CCleaner is a software application that performs routine maintenance on a user’s PC. How-To Geek refers to it as ‘disk cleanup on steroids.’ Various features include:

  • Scanning for and deleting temporary files
  • Analyzing the system for performance optimization
  • Streamlining the management of installed applications

CCleaner is extremely popular (as Cisco Talos notes in its reporting), which increases the potential impact of this malware infection. The estimated number of machines affected by the attack described below is 2.27 million.

CCleaner Bundled with Malware

When testing some of their own anti-malware software, the Talos group noticed that CCleaner was sounding alarms and raising red flags. The application was properly signed with a valid signature, but upon closer examination, they discovered an additional application downloading alongside CCleaner.

It turns out the distribution server delivering CCleaner was compromised and malware was added to the download. The Talos group notes that the likely attack scenario was a compromised development environment, which allowed the malware to be inserted into the CCleaner download undetected.

Malware Details

The malware included in the CCleaner download is called Floxif. The primary function is to collect various data from infected computers:

  • Computer name
  • List of installed software
  • List of running processes
  • MAC addresses for network interfaces
  • Unique IDs for the computer

Note: the malware only executes if you are using an account with administrator privileges.

How can I tell if I’m infected?

The malware-bundled CCleaner was available for download from August 15th to September 12th. Anyone downloading or updating the software during that time likely has the malware infection.

The specific downloadable file in question is the 32-bit version of CCleaner v5.33. CCleaner updated to v5.34 on September 12th, closing the window of infected downloads. Again, anyone with version 5.33 needs to update to a newer version and check their machine for the malware files.

Steps to check the registry key for infection

Open the system’s Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo.

If you have CCleaner installed, you should find a Piriform key under the SOFTWARE folder. Piriform is the original developer of the CCleaner software.

If you have Agomo as a key in the Piriform folder, you are infected with the malware. Under the Agomo key you should find two data values: MUID and TCID. Both are used by the installed malware infection.
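The registry check above can be scripted so it can be run across a fleet instead of by hand. The following is an added example, not code from Cisco Talos or Piriform: it reads the key the advisory names, HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo, and reports whether the MUID and TCID values are present. The classification is kept in a pure function so it can be exercised on any platform; only read_agomo_values() needs Windows. The function names and the "infected"/"clean" labels are this example's own, and the decision to also look in the 32-bit registry view is my addition, based on the affected build being the 32-bit one.

```python
"""Check a Windows host for the registry indicator of the trojanized CCleaner 5.33 build.

Added example: reads HKLM\\SOFTWARE\\Piriform\\Agomo (the key named in the advisory)
and reports the MUID / TCID values found under it. Not code from Talos or Piriform."""
import sys

AGOMO_SUBKEY = r"SOFTWARE\Piriform\Agomo"      # key named in the advisory
INDICATOR_VALUES = ("MUID", "TCID")            # values the infection writes under it


def classify_agomo(values):
    """values is None when the Agomo key is absent, otherwise {value_name: data}.

    Per the advisory the key itself is the indicator, so its presence means
    'infected'; the returned list additionally names which of the two known
    values were found so the report is specific."""
    if values is None:
        return ("clean", [])
    names = {name.upper() for name in values}          # registry names are case-insensitive
    found = [v for v in INDICATOR_VALUES if v in names]
    return ("infected", found)


def read_agomo_values():
    """Windows only: return the Agomo key's values, or None if the key is absent.

    Both registry views are checked (assumption of this example): the affected
    build is the 32-bit one, and a 32-bit process writing HKLM\\SOFTWARE on
    64-bit Windows is redirected to the WOW6432Node view."""
    import winreg                                      # stdlib, Windows only
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AGOMO_SUBKEY, 0,
                                 winreg.KEY_READ | view)
        except FileNotFoundError:
            continue                                   # not in this view, try the other
        with key:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:                        # index past the last value
                    break
                values[name] = data
                index += 1
            return values
    return None


def main():
    if sys.platform != "win32":
        print("This check reads the Windows registry; run it on the Windows host.")
        return 2
    status, found = classify_agomo(read_agomo_values())
    if status == "infected":
        print(f"Agomo key present (indicator values found: {found or 'none'}); "
              "treat the host as infected: update CCleaner and follow the clean-up steps.")
        return 1
    print("No Agomo key under HKLM\\SOFTWARE\\Piriform: indicator not present.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit code (0 clean, 1 infected, 2 wrong platform) is there so the script can be pushed out by a management tool and the results collected centrally.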

Removing CCleaner Malware

The Floxif malware was included in the application’s executable file. Updating CCleaner to v5.34 should rid your system of the malware. As noted above, CCleaner does not have an auto-update process. Affected users will need to proactively install the newer version themselves.

Floxif can install other malware that might steal user credentials. Users should also consider the following security steps after removing the malware:

  • Change passwords from another device
  • Run a security scan to look for other infections on your machine
  • Reinstall Windows to ensure complete removal of malware

Final Thoughts

The attackers executed a clever and elaborate attack here. A lot of effort was spent to deliver this Floxif malware through legitimate software distribution.

The malware-laced version of CCleaner was legitimately signed and valid. This abuses the trust users have to place in software downloaded from reputable vendors. Products like CCleaner don’t usually attract skepticism, which gives attackers a crafty way to stay undetected while they deliver their malware.

Is Your Organization Prepared? New Details on HIDDEN COBRA Botnet

North Korea’s HIDDEN COBRA botnet is targeting organizations in the finance sector, media, aerospace, and critical infrastructure around the globe with disruptive DDoS attacks.

The team at US-CERT issued an alert including technical details on the tools and infrastructure used by the botnet: DDoS, keyloggers, remote access tools, and wiper malware.

The alert notes common vulnerabilities used by these cyber criminals:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player Vulnerability
  • CVE-2016-4117: Adobe Flash Player Vulnerability

Organizations should update these applications as soon as possible to reflect the latest version and patches. Better yet, if you don’t need Adobe Flash or Microsoft Silverlight, remove them from your system altogether.

Indicators of compromise are included in the alert. Network administrators should review the IP addresses, file hashes, network signatures, and YARA rules provided. Additionally, add the IP addresses associated with HIDDEN COBRA to the watchlist to observe any potential malicious activity.
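Putting the alert's indicators on a watchlist is only useful if something actually compares them against traffic. The following is an added example, not from the US-CERT alert: a small screener that parses key=value log lines, matches the source/destination addresses and file hashes against a watchlist, and reports which internal assets were involved. The watchlist entries (TEST-NET addresses, a made-up hash), the log lines, and the field names are all constructed for the example; in practice the watchlist would be loaded from the alert's published indicators.

```python
"""Screen firewall and endpoint log lines against an alert's indicators of compromise.

Added example. The watchlist and the log lines below are constructed (TEST-NET
addresses, a made-up SHA-256); they stand in for the IoCs an alert would publish."""
import re
from collections import defaultdict

WATCHLIST = {
    "ip": {"203.0.113.10", "198.51.100.77"},   # constructed: stand-ins for alert IPs
    "sha256": {"ab" * 32},                      # constructed: stand-in for an alert file hash
}

# Constructed key=value log lines; the field names are this example's own convention.
LOG_LINES = [
    "ts=2017-06-14T10:01:22Z src=10.0.0.15 dst=203.0.113.10 dport=443 action=allow",
    "ts=2017-06-14T10:02:05Z src=10.0.0.22 dst=192.0.2.50 dport=53 action=allow",
    "ts=2017-06-14T10:03:11Z src=198.51.100.77 dst=10.0.0.5 dport=22 action=deny",
    "ts=2017-06-14T10:04:40Z host=10.0.0.15 event=file_write sha256=" + "ab" * 32,
    "ts=2017-06-14T10:05:02Z host=10.0.0.31 event=file_write sha256=" + "cd" * 32,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown tokens are ignored."""
    return dict(KV_RE.findall(line))


def indicators_in(fields, watchlist=WATCHLIST):
    """Return the (type, value) indicators present in one parsed log line."""
    hits = []
    for key in ("src", "dst"):
        if fields.get(key) in watchlist["ip"]:
            hits.append(("ip", fields[key]))
    digest = fields.get("sha256", "").lower()
    if digest in watchlist["sha256"]:
        hits.append(("sha256", digest))
    return hits


def scan_logs(lines, watchlist=WATCHLIST):
    """Map each internal asset to the sorted indicators it was observed with.

    The asset is the 'host' field for endpoint events; for network events it is
    whichever end of the connection is not itself on the watchlist, so a
    denied inbound probe is attributed to the internal target it was aimed at."""
    by_asset = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        hits = indicators_in(fields, watchlist)
        if not hits:
            continue
        asset = fields.get("host") or next(
            (fields[k] for k in ("src", "dst")
             if k in fields and fields[k] not in watchlist["ip"]), None)
        by_asset[asset].update(hits)
    return {asset: sorted(hits) for asset, hits in by_asset.items()}


if __name__ == "__main__":
    for asset, hits in scan_logs(LOG_LINES).items():
        print(asset, "->", ", ".join(f"{kind}:{value}" for kind, value in hits))
```

Grouping by asset rather than by matching line is deliberate: the question a responder asks after an alert like this is "which of my machines touched these indicators", and a host that both contacted a listed address and wrote a listed file (10.0.0.15 in the sample) should surface once, with both facts attached.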

Key Takeaway

Unpatched applications continue to be a weak point for organizations. Vulnerabilities in Flash and Silverlight are commonly targeted by HIDDEN COBRA to spread malware. The US-CERT alert gives network administrators a good jump start on protecting their systems from the active botnet. Now the onus is on organizations to implement the information.

Beware of Hurricane Harvey Charity Scams

You might be like many Americans wanting to help the relief effort for victims in the aftermath of Hurricane Harvey. If you’re considering a donation to a charity, watch out for fraudsters trying to take advantage of well-meaning citizens. They have been known to promote fake charities and phony relief efforts to steal money.

Here are tips to make sure your donations are going towards the hurricane victims in need:

  • Donate to charities you know and trust
  • Be wary of charities that seem to have sprung up overnight
  • Research the charity’s reputation before donating (BBB’s Wise Giving Alliance, Charity Navigator, Charity Watch)
  • Designate the relief effort instead of the general fund
  • Don’t assume charity messages posted on social media are legitimate
  • If you’re texting to donate, confirm the number and the source first
  • Beware of phishing emails purporting to be part of the Hurricane Harvey relief effort

Threat Alert: Patch Critical for Samba Vulnerability

All versions of Samba from 3.5.0 onwards are susceptible to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. This advisory warning was released by Samba maintainers on Wednesday, urging Samba vendors and administrators of the networking utility to install a patch on any affected version as soon as possible.

Samba provides file and print services for clients using the SMB protocol (yes, the same protocol leveraged in the WannaCry attacks), including Windows and Linux clients.

The vulnerability – CVE-2017-7494 – could give an attacker the ability to execute arbitrary code on a device with root-level privileges.

Samba notes that its suggested workaround might disable some expected functionality for Windows clients. Additionally, older devices may not be receiving a patch for their firmware or operating system. If neither the patch nor a workaround is possible, those devices should be considered insecure.

Given the ease and reliability of exploits, as we have seen with WannaCry attacks, this hole is worth plugging as soon as possible. It’s only a matter of time until attackers begin actively targeting this vulnerability.
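The vulnerability needs a share the client can write to, so while the patch is being rolled out the useful inventory question is which shares on each server are writable, and which of those also admit guests. The following is an added example, not from the Samba project: a small audit of an smb.conf that applies Samba's documented parameter semantics ("read only" and its inverted synonyms "writable", "writeable" and "write ok" are one switch, the default is read only, globals apply to every share, and the last assignment wins). The sample configuration is constructed, and the function names are this example's own.

```python
"""Audit an smb.conf for shares a client could write to (added example, not Samba's code).

The parsing follows Samba's documented parameter semantics; the config is constructed."""
import configparser

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = demo file server

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def _norm(name):
    # Samba ignores case and whitespace in parameter names: "read only" == "ReadOnly"
    return name.replace(" ", "").replace("\t", "").lower()


def share_is_writable(options):
    """options: (name, value) pairs in file order, globals first.

    'read only' and the inverted synonyms 'writable' / 'writeable' / 'write ok'
    are one switch; Samba defaults to read only = yes, and the last one wins."""
    writable = False
    for name, value in options:
        n = _norm(name)
        if n in ("writable", "writeable", "writeok"):
            writable = _truthy(value)
        elif n == "readonly":
            writable = not _truthy(value)
    return writable


def audit_smb_conf(text):
    """Return {share: {"writable": bool, "guest": bool}} for every non-global section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str               # keep names as written; _norm handles case
    # smb.conf indents its options, and configparser would read indented lines as
    # continuation lines, so strip the indentation before parsing.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    global_opts = parser.items("global") if parser.has_section("global") else []
    report = {}
    for section in parser.sections():
        if section.lower() == "global":
            continue
        options = list(global_opts) + parser.items(section)
        report[section] = {
            "writable": share_is_writable(options),
            "guest": any(_norm(n) == "guestok" and _truthy(v) for n, v in options),
        }
    return report


def exposed_shares(report):
    """Writable share names, guest-writable ones first since they need no credentials."""
    return sorted((s for s, f in report.items() if f["writable"]),
                  key=lambda s: (not report[s]["guest"], s))


if __name__ == "__main__":
    findings = audit_smb_conf(SAMPLE_SMB_CONF)
    for share in exposed_shares(findings):
        print(share, "guest-writable" if findings[share]["guest"] else "writable")
```

On the sample the audit lists public (guest-writable) ahead of homes (writable by authenticated users) and leaves docs out. A real run would read /etc/samba/smb.conf, and the guest-writable entries are the ones to restrict first on any server that has not yet received the patch.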

How are WannaCry, EternalRocks (WannaCry 2.0) and this Samba alert related?

Windows has had a vulnerability in Server Message Block (SMB, the protocol that Samba implements), an integral service for network file sharing, since 2008. The NSA developed a tool to exploit this vulnerability called ETERNALBLUE. ETERNALBLUE is the attack agent used to spread WannaCry/EternalRocks.

When the exploit was released to the public by the ShadowBrokers crew a month ago, Microsoft acted very quickly and released the MS17-010 patch to address it. Those who have MS17-010 installed are, and continue to be, safe from the issue.

This US-CERT alert is for the Linux/UNIX version of Samba. It’s evident that the maintainers of this codebase took lessons learned from WannaCry and realized that their version of SMB service is susceptible to a similar but not equivalent problem.

Threat Alert: WannaCry 2.0 aka EternalRocks

Just as the crisis caused by WannaCry has started to die down, EternalRocks has recently appeared as a significantly more complex variant of ransomware, a WannaCry 2.0 version.

What is EternalRocks?

EternalRocks is a worm (self-propagating, automatically attacks, and compromises systems) that uses *seven* NSA SMB exploit tools to locate vulnerable systems:


By contrast, WannaCry utilized only two of the NSA tools leaked by the ShadowBrokers group (ETERNALBLUE and DOUBLEPULSAR).

What Makes EternalRocks More Dangerous and Complex: EternalRocks, unlike WannaCry, has NO ‘kill switch’.

What Action Should Organizations Take?

The good news is that the same patch (MS17-010) can be used to protect against EternalRocks.

Be sure to patch sooner rather than later: given enough time, EternalRocks leaves the DOUBLEPULSAR implant in place and unprotected, which could give your organization reason to panic. Leaving this vulnerability open would allow other threat actors to leverage EternalRocks’ infected machines for their own intents and purposes.

For anyone who has not installed MS17-010, do so immediately.

This might not be the last variant either; after the huge WannaCry outbreak, we expect to see an increase in similar attacks joining the momentum.

Threat Alert: WannaCry Ransomware Leverages a New Microsoft Vulnerability

If your Windows machines aren’t patched with the latest Microsoft updates, watch out for WannaCry Ransomware. This newer ransomware strain has taken the cyber world by storm in the past 48 hours.

Europol estimates over 200,000 machines in hospitals, universities, manufacturers, and governmental agencies in the UK, Russia, and China were hit with WannaCry ransomware. It’s expected to hop-scotch across the pond and wreak havoc in the U.S. as well.

The WannaCry attack is being touted as the worst ransomware outbreak ever. Organizations publicly impacted by WannaCry over the weekend include Britain’s national public health service, telecommunications company Telefonica, FedEx, and Russian government servers.

WannaCry Ransomware

WannaCry is a ransomware strain that surfaced about two weeks ago. It performs the typical ransomware functions of encrypting data files and holding them hostage until the victim pays a $300 ransom demand in Bitcoin. Apparently, once a machine is infected, the victim has six hours to pay before the ransom starts to increase.

Here is what the ransom screen looks like when a victim is hit with WannaCry:

Encrypted files will have ‘.WNCRY’ extension. Here’s an example of the ransom note in a text file presented to victims:

Security firm Avast, among other security experts, attributes the quick rise of WannaCry to an identified and patched vulnerability in Microsoft’s Server Message Block (SMB) implementation, exploited by ‘EternalBlue’ and addressed by the MS17-010 update. SMB is a service Windows computers use for file-sharing and accessing printers across local networks.

Exploits against the SMB protocol are a nightmare for organizations because the file-sharing functionality allows the ransomware to infect any vulnerable machines connected to the network.

Microsoft issued a patch for this vulnerability in its monthly Patch Tuesday updates in March. You can find that security update and patch for Windows here.

Technical Analysis

US-CERT released the following technical details after analyzing the WannaCry ransomware:

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Decryptor Tool

In the past few days since the dust settled around the WannaCry attack, security researchers have released tools to help victims recover their files.

The decryption tool to try is called WanaKiwi. Security expert Matt Suiche tested the tools and provides good guidance in his blog write-up. Apparently, the tool will work for every version of Windows from XP to 7, including Windows 2003, Vista, 2008, and 2008 R2.

Suiche’s immediate advice to WannaCry victims: “DO NOT REBOOT your infected machines and TRY WanaKiwi ASAP!”

Suiche outlined the process with 3 simple steps:

  • Download WanaKiwi
  • WanaKiwi.exe will automatically look for the encrypted files
  • Cross your fingers the encryption keys are still in the computer’s memory and the tool works!

Attack Update

WannaCry is affecting organizations across all industries. It spread like the plague because of its worm-like features.

Fortunately, a British security researcher dubbed “MalwareTech” slowed the attack over the weekend (full write-up here). MalwareTech registered a domain used by the ransomware to check and verify it was installed on a legitimate machine. If the ransomware didn’t find the domain, it executed.

From MalwareTech:

“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis… because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware.”

In effect, registering the domain caused all new infections of WannaCry to conclude they were running inside an analysis sandbox and simply quit.

MalwareTech notes the sinkholing tactic only prevents this specific ransomware strain. The ransomware group can remove the domain check and restart the attack. But for now, kudos to MalwareTech for halting the global infection.

Microsoft Guidance

Due to the Windows exploits leveraged in the WannaCry attacks, Microsoft issued customer guidance highlighting the updates available.

Windows Defender received an update to detect the WannaCry threat as Ransom:Win32/WannaCrypt.

Microsoft did something rare and issued a security update for all customers to protect Windows machines no longer receiving mainstream support. This includes Windows XP, Windows 8, and Windows Server 2003.

Update links:

What to Do Now?

To prevent WannaCry ransomware from locking your computers and servers, apply the Microsoft patch released in March to all systems. Again, you can find that information in this security update.

Unfortunately, it won’t help machines that are already infected. In the event your machines have been hit, removing the malware and restoring from backups is the best option.

US-CERT provided steps to prevent WannaCry and related ransomware attacks:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users
  • Authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares
  • Test your backups to ensure they work correctly upon use

Threat Alert: FTP Servers Targeted for Health Information

The FBI released a threat alert highlighting cyber criminals who are targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode. The purpose of the attacks is to access protected health information and personally identifiable information to blackmail or extort medical and dental facilities.

Threat Details

According to researchers at the University of Michigan – FTP: The Forgotten Cloud – over 1 million FTP servers were configured to allow anonymous access. FTP is a protocol widely used to transfer data between network hosts.

Anonymous FTP servers allow a user to authenticate using a common username – i.e. “anonymous” or “ftp” – without a password, or by using a generic password or email address. Cyber criminals are searching for FTP servers in anonymous mode that contain sensitive health and personal information. The idea is to leverage the information against business owners through blackmail or extortion.

FTP servers in anonymous mode can also be used to allow “write” access to store malicious tools or launch targeted cyber attacks.


The FBI encourages medical and dental healthcare entities to consult with their IT personnel. Request that they check networks for FTP servers running in anonymous mode.

If businesses have a legitimate use for operating an FTP server in anonymous mode, administrators should ensure sensitive health and personal information is not stored on the server.
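The check the FBI asks IT staff to perform, whether a server accepts the "anonymous" login, is easy to script against the servers you administer. The following is an added example, not from the FBI alert or the University of Michigan study: check_anonymous_ftp() attempts the anonymous login with the standard library's ftplib and classifies the outcome, and a constructed in-process stand-in server (_DemoFtpServer, speaking only the USER/PASS/QUIT subset of the protocol) lets the check be exercised offline against both an open and a locked-down configuration. The function names, the reply strings and the e-mail-as-password convention used are this example's own choices.

```python
"""Check whether an FTP server accepts anonymous logins (added example, not from the alert).

check_anonymous_ftp() is the audit; _DemoFtpServer is a constructed stand-in so the
check can run offline. Point the audit only at servers you administer."""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return 'anonymous' if the server lets 'anonymous' in, 'rejected' if it refuses
    the login, or 'unreachable' if no FTP service answered at host:port."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except (OSError, ftplib.Error):
        return "unreachable"
    try:
        ftp.login("anonymous", "audit@example.com")  # e-mail as password, a common convention
        ftp.quit()
        return "anonymous"
    except ftplib.error_perm:                        # 5xx reply to USER/PASS: not allowed
        return "rejected"
    except (OSError, ftplib.Error):
        return "unreachable"
    finally:
        ftp.close()                                  # safe to call even after quit()


class _DemoFtpServer(threading.Thread):
    """Constructed stand-in for an FTP daemon on 127.0.0.1 (not a real server).

    It only understands USER, PASS and QUIT, which is all a login attempt needs."""

    def __init__(self, accept_anonymous):
        super().__init__(daemon=True)
        self.accept_anonymous = accept_anonymous
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))         # the OS picks a free port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.start()

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            with conn, conn.makefile("r", encoding="ascii", errors="replace") as reader:
                conn.sendall(b"220 demo FTP ready\r\n")
                user = None
                for line in reader:
                    cmd, _, arg = line.strip().partition(" ")
                    cmd = cmd.upper()
                    if cmd == "USER":
                        user = arg.lower()
                        conn.sendall(b"331 Password required\r\n")
                    elif cmd == "PASS":
                        ok = self.accept_anonymous and user in ("anonymous", "ftp")
                        conn.sendall(b"230 Login successful\r\n" if ok
                                     else b"530 Login incorrect\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Goodbye\r\n")
                        break
                    else:
                        conn.sendall(b"502 Command not implemented\r\n")


def demo():
    """Run the audit against an open and a locked-down stand-in server."""
    open_server = _DemoFtpServer(accept_anonymous=True)
    locked_server = _DemoFtpServer(accept_anonymous=False)
    return {
        "open_server": check_anonymous_ftp("127.0.0.1", open_server.port, timeout=3.0),
        "locked_server": check_anonymous_ftp("127.0.0.1", locked_server.port, timeout=3.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three-way result matters for an inventory run: "unreachable" hosts are not clean, they are simply not FTP servers (or are firewalled from the scanning host), and should be listed separately from the "rejected" ones that were actually tested. Any server that comes back "anonymous" needs either the anonymous account disabled or, where it is genuinely required, a review of what is stored and whether write access is enabled.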

For further advice or recommendations, reach out to our team of V-CISOs at cyberteam@eplaceinc.com.

Threat Alert: Extortion Emails about Data Breaches

[This alert is from a recent IC3 Threat Alert. Please share with others in your organization and make sure employees are aware of the threats and consequences of these kinds of phishing emails.]

Have you heard about the massive data breaches with LinkedIn, MySpace (no joke, it’s still around), and Tumblr? The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via email related to these recent high-profile data breaches.

Recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid. Recipients are instructed to pay in Bitcoin, a virtual currency that facilitates anonymous transactions. The recipients are typically given a short deadline, so they do not have the opportunity to verify whether their personal information has actually been compromised. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200.

Fraudsters quickly use the news release of a high-profile data breach to initiate an extortion campaign. The FBI suspects multiple individuals are involved in these extortion campaigns based on variations in the extortion emails.


The following are some examples of the extortion emails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Best Practices

  • Do not open email or attachments from unknown individuals.
  • Use strong passwords, and do not use the same password for multiple websites.
  • Never provide personal information of any sort via email.
  • Ensure security settings for social media accounts are turned on and set at the highest level of protection.
  • When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes “https”, or the status bar displays a “lock” icon.
  • Do not store sensitive or embarrassing photos online or on your mobile devices.

Threat Alert: Tech-Support Scams

There’s a new twist on tech-support scams — you know, the one where crooks try to gain access to your computer or sensitive information by offering to “fix” a computer problem that doesn’t actually exist. Lately, the FTC is receiving reports of people getting calls from scammers claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. The scammers say they’ll have to take legal action against you, unless you let them fix the problem right away.

If you raise questions, the scammers turn up the pressure. They’ve given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers have also sent people to the actual website for the Global Privacy Enforcement Network. (It’s an actual organization that helps governments work together on cross-border privacy cooperation.)

Quick Tips

Here are a few things to remember if you get any kind of tech-support call, no matter who they say they are:

  • Don’t give control of your computer to anyone who calls you offering to “fix” your computer.
  • Never give out or confirm your financial or sensitive information to anyone who contacts you.
  • Getting pressure to act immediately? That’s a sure sign of a scam. Hang up.
  • If you have concerns, contact your security software company directly. Use contact information you know is right, not what the caller gives you.

Read on to learn more about tech-support scams and government imposter scams. And, if you spot a scam, tell the FTC.

Would You Pay a Ransom to Get Your Information Back?

According to FBI and other law enforcement agency sources, ransomware attacks are now one of the most popular cyber-attacks and will continue to threaten individuals, as well as small and large organizations. At ePlace, we’ve reported on ransomware recently here and here. Ransomware attacks have become popular for several reasons:

  • Attack tools are available for free through Windows or open source projects.
  • Bitcoins are an easy method for ransom payments and provide anonymity, making it difficult for law enforcement to trace the sender and receiver.
  • The public’s general lack of security awareness.

Ransomware Attack

A recent ransomware attack on Hollywood Presbyterian Medical Center was discovered when staff members noticed issues trying to access the hospital’s computer network. An investigation by the IT department revealed the ransomware attack and the hospital notified law enforcement.

The attack caused computers at the hospital to be down for more than a week. The impact of the attack broadly affected critical functions like CT scans, documentation, lab work, and pharmacy needs. With computers offline, staff had to rely on the technology of our ancestors and get work done using fax machines and telephones.

Initial reports said the attackers were demanding 9,000 bitcoin in exchange for the decryption key – a mere $3.6 million. But the hospital resolved the situation by sending the attackers 40 bitcoin, or $17,000.

The hospital’s CEO stated, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Ransomware Overview

Ransomware uses strong encryption software to encrypt a victim’s files and hold them hostage. Once the victims comply with the attacker’s demands – usually a payment of bitcoin – the keys are sent to the victim to unlock and decrypt the files. Most ransomware in 2015 was spread through a few different channels:

  • Fake updates for Adobe and Java products
  • Downloads from infected websites
  • Malware in phishing emails

Attackers don’t want to be one-trick ponies though. New schemes are attempting to infect whole networks with malware. Clever attackers are using persistent access to scour the network and locate network backups and delete them – squashing any chance the victim has of recovering the data.

Defend Against Attacks

There is no silver bullet solution for protecting against Ransomware. However, the following steps can reduce your chance of being infected.

Top IT Best Practices:

  • Use Anti-Virus and ensure that the software is up-to-date.
  • Ensure Windows users have EMET enabled to sandbox applications.
  • Use regular backups and ensure backup copies are stored in a separate and secure location (not on the local area network).
  • Limit access to different areas on the network to the minimum necessary. It could help control the spread of malware.

Top User Best Practices:

  • Do not open attachments included in unsolicited e-mails.
  • If you have to download free software, always verify the website’s reputation before downloading.
  • Block pop-ups on your browser to prevent fake update ads.
  • Use virtual browsing sessions whenever possible. The virtual session is deleted including any malware when the browsing is closed.
  • Make sure User Account Control (UAC) is on and users are aware of its functions.