BlueBorne Vulnerability

This week, it was discovered that there was a nasty collection of vulnerabilities that impact devices with Bluetooth connectivity. Armis Labs had discovered this attack vector was present on all major consumer operating systems (Windows, Linux, iOS, Android) no matter what type of device it is (desktop, laptop, smartphone, tablet, wearable, IoT). If you have a device with Bluetooth (except those using only Bluetooth Low Energy) that’s running an unpatched version of the software then it is vulnerable to BlueBorne. BlueBorne is a new malware that targets devices via Bluetooth and over five billion such devices globally are at risk.

Regardless of the security features on your device, the only way to completely prevent attackers from exploiting your device is to power off your device’s Bluetooth function when you’re not using it. Not putting it into an invisible or undetectable mode.

BlueBorne vulnerabilities are tracked under the following identifiers: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785 for Android devices; CVE-2017-1000251 and CVE-2017-1000250 for Linux; CVE-2017-14315 for iOS, and CVE-2017-8628 on Windows. Three of these eight security flaws are rated critical and according to researchers at Armis — the IoT security company that discovered BlueBorne — they allow attackers to take over devices and execute malicious code, or to run Man-in-the-Middle attacks and intercept Bluetooth communications.

Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company’s network or even across the world.

Google patched the flaws in its September Android Security Bulletin.

Windows versions since Windows Vista are all affected. Microsoft said Windows phones are not impacted by BlueBorne. Microsoft secretly released patches in July for CVE-2017-8628, but only today included details about the fixed vulnerability in September’s Patch Tuesday.

All Linux devices running BlueZ are affected by an information leak, while all Linux devices from version 3.3-rc1 (released in October 2011) are affected by a remote code execution flaw that can be exploited via Bluetooth. Samsung’s Tizen OS, based on Linux, is also affected.

All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected, but the issue was patched in iOS 10.

New Arena CryptoMix Ransomware

A new variant of the CryptoMix ransomware that is appending the .arena extension to encrypted file names. When a file is encrypted by the ransomware, it will modify the filename and then append the .arena extension to encrypted file’s name. For example, a test file encrypted by this variant has an encrypted file name of EA1221EC8B516824060636CC280F0D0A.arena. This variant also contains 11 public RSA-1024 encryption keys that will be used to to encrypt the AES key used to encrypt a victim’s files.

Filenames associated with the ARENA Cryptomix Variant:
_HELP_INSTRUCTION.TXT
C:\ProgramData\[random].exe

Registry entries associated with the ARENA CryptoMix Variant:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random]”=”C:\ProgramData\[Random].exe””

Emails Associated with the ARENA Ransomware:
ms.heisenberg@aol.com

ARENA Ransom Note Text:
“All your files have been encrypted!
——————-
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
——————-

We recommend these safe security habits to follow:

  • Backup, Backup, Backup, yourself or use a good Anti virus product which will do this for you , such as Max Total Security
  • Do not open attachments if you do not know who sent them.
  • Turn on Email protection on provided by Anti-Virus such as Max Total Security.
  • Make sure all Windows updates are installed as soon as they come out, follow Max Total Security vulnerability scanner.
  • Also make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Use hard passwords and never reuse the same password at multiple sites.
  • Use a good Anti-Virus which protects your files from being encrypted in the first place, Max Total Security Max Crypto Monitor Tool does this for you

Connected and Autonomous Cars security concerns

By 2020, an estimated 188 million connected vehicles will be on the road according to Navigant Research. In 2025 partially autonomous cars and completely autonomous cars are expected to account for more than 15% of all cars shipped that year. This number will jump to 70% of all cars shipped in 2025, nearly 72 million cars annually.

For hackers, this evolution in automobile manufacturing and design means yet another opportunity to exploit vulnerabilities in insecure systems and steal sensitive data and/or harm drivers. Connected cars pose serious privacy concerns: When you get down to it, your car knows a lot about you: where you go, when you go, how long you are there, the route you took to get there, the way you drove to get there, the temperature of the cabin, what entertainment you engaged in, and how long you were chatting on the phone (if you use Bluetooth). If you’re using it, quite a detailed record of your life is being collected and potentially transmitted somewhere. The biggest risk of car cyber attacks is loss of lives.

The vehicle mobile phone hardware providing a connection to the on-board computer system is also vulnerable to malware being installed that could allow a thief to unlock the car remotely and steal it. This is serious as there is already talks of an app store for vehicle apps.

Harvey hurricane phishing scams

US-CERT (United states computer emergency readiness team) warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

1. Do not follow unsolicited web links in email messages
2. Use caution when opening email attachments.
3. Keep antivirus and other computer software up-to-date.
4. Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number.
5. You can find trusted contact information for many charities on the BBB National Charity Report Index

It is recommended to use a trusted Anti virus such as Max Total Security with 24×7 technical support.

Bam! Ransomware

This ransomware stealthily infiltrates systems and encrypts various data. During encryption, this malware appends the “.bam!” extension to the name of each file (for example, “sample.jpg” is renamed to “sample.jpg.bam!”). Following successful encryption, Bam! changes the desktop wallpaper.

The new wallpaper contains a message that details the encryption and encourages users to buy decryption software. It is currently unknown whether Bam! uses symmetric or asymmetric cryptography, however, in any case, file decryption requires a unique key. This key is stored on a remote server controlled by cyber criminals. Users are encouraged to pay a ransom in exchange for a decryption tool with the key embedded within. To receive this, victims must supposedly contact cyber criminals via one of the email addresses provided.

bam-ransomware_en

The infection process of Bam! Ransomware virus begins with a simple click by the victim. This click can be on a file that is uploaded online, such as:
1. Fake installers of a program you may have sought for to download for free (media player, torrent downloader client, etc.)
2. Fake license activators or key generators that instead of activating a program, cause the infection.
3. In addition to this, the ransomware virus may be spread via what is known as mailspam or malicious e-mail spam. Such messages are often sent to victims under the pretext they are an important invoice, receipt from the bank or notification of suspicious bank activity. These e-mails may contain either an e-mail attachment that is actually the infection file.

Targeted files can be dropped in these locations with different names , usually common windows services:
%AppData% notepad.exe
%Temp% setup.exe
%Roaming% svchost.exe
%Common% update.exe
%System32% software-update.exe
%{userprofile}% random-alphanumeric.exe or some valid application name

It may also delete system backup and disable system recovery.

The .bam! file virus aims to attack only specific files on the infected computer, more importantly:

Archives.
Videos.
Audio files.
Virtual Drives.
Pictures.

Max Secure software has just launched cyrptomonitor tool which can completely prevent any cryptoransomware infecting your c and encrypting data. Get it from here Max Total Security

Scorpio ransomware

Scorpio Encrypts the files on the compromised computer asking it’s owner to pay in BitCoin in order to get them back. The files encrypted with the .scorpio file extension added after them. The ransom note remains the same as with the .scarab file virus.

Distribution Method: Spam Emails, Email Attachments, Executable files

Scorpio Ransomware marks the files encrypted by the attack adding a specific extension to the end of each file’s name. The Scorpio Ransomware also will encrypt the affected files’ names, replacing them with what appears to be a string of random characters. The

Scorpio Ransomware’s ransom note is contained in a text file with the following name: ‘IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT.’ The full text of the Scorpio Ransomware ransom note reads:
——————————————————————————————————————-
‘*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
—–BEGIN PERSONAL IDENTIFIER—–
**************************************
—–END PERSONAL IDENTIFIER—–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: qa458@yandex.ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’
——————————————————————————————————————-

We do not recommend you to follow cybercriminals’ instructions because they do not provide any guarantees to you, besides, think about the consequences – paying the ransom simply allows criminals to fund their further illegal projects. Unfortunately, the files affected by the Scorpio Ransomware attack are not recoverable. Your best bet is to recover all of your files using Max Total Security Backup/Restore tool if you had this software installed on your PC, IF you did not , it is never late to start using it now and have a total peace of mind.

Reyptson ransomware

Reyptson virus operates as crypto-threat capable of encrypting data with the AES cipher. After the process, the malware appends .REYPTSON file extension to the data. Since the virus is written in the Spanish users, the malware targets users of this country.

Furthermore, recent analysis has revealed the threat’s tendency to hack victims’ Thunderbird contact list and plague its contacts with fraudulent invoices messages. Now it clearly prefers Spanish users. They are expected to receive the biggest share of such emails. The pop-up and text file contain a ransom-demand message in Spanish stating that files are encrypted using the AES-128 algorithm and that victims must pay a ransom to restore them.

reyptson

Reyptson includes the ability to distribute itself through a spam email campaign conducted from the victim’s computer. It does this by checking if the Thunderbird email client is installed, and if it is, it will attempt to read the victim’s email credentials and contact list. If it is able to retrieve the contacts and credentials, it will begin a spam campaign to send out fake invoices to the victim’s contact list. These spam emails will have a subject line of Folcan S.L. Facturación and will contain a fake invoice. This invoice is written in Spanish and tells the recipient to click on a link to download an invoice. When the recipient clicks on the link, it will download a file called factura.pdf.rar, which contains an executable. This executable will infect the user with the ransomware when it is opened.

Hashes:
SHA256: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41

Network Communication:
http://www.melvinmusicals.com/facefiles/
http://37z2akkbd3vqphw5.onion/?usuario=[user_id]&pass=[password]
http://37z2akkbd3vqphw5.onion.link/?usuario=[user_id]&pass=[password]

Files associated with the Reyptson Ransomware:
%AppData%\Spotify\
%AppData%\Spotify\SpotifyWebHelper\
%AppData%\Spotify\SpotifyWebHelper\dat
%AppData%\Spotify\SpotifyWebHelper\fin
%AppData%\Spotify\SpotifyWebHelper\Reyptson.pdf
%AppData%\Spotify\SpotifyWebHelper\Spotify.vbs
%AppData%\Spotify\SpotifyWebHelper\SpotifyWebHelper.exe

Registry Entries associated with the Reyptson Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spotify Web Helper v1.0 %AppData%\Spotify\SpotifyWebHelper\Spotify.vbs

At this time there is no way to decrypt files encrypted by Reyptson, but if you have been using Max Total Security then you can restore your files from the back up. Very soon Max Total Security is launching a totla protection tool from any ransomware.

Random6 Ransomware

Random6 Ransomware virus can alter your system security through Spam Emails, Browser Redirects, Bundled Installers and Malware Downloader. Random6 Ransomware virus will first lock down all your files with . Then after, it will leave a ransom note on your computer in TEXT or HTML format to describe about the decryption method. It will also replace the desktop background with a ransom image. It can also disable your anti-virus to make you helpless. It can block your Firewall security and make your system an easy target for other threats. It will force you to pay ransom money to rescue your files.

the Random6 Ransomware is programmed to alter not only the file’s structure but its name as well. The encoded files are recognized easily by the base64 encoded string and six random characters as a file extension. The cyber parasite is reported to target images, text, eBooks, PDFs, databases, and work-related files, which may be of great importance to the user. The Random6 Ransomware may run as [random 9-chars].exe in the Task Manager and change the desktop background of the compromised system. Due to the fact that users find unique extensions appended to the encoded files, the format of the ransom notification is a bit different as well. The Trojan is programmed to delete its traces after the encoding process is completed and it leaves the ransom request on the user’s desktop as ‘RESTORE-.[random 6-char ext]-FILES.txt.’ The file offers the following text:

‘Your files are Encrypted!
For decryption send letter on email filesrestore@tutanota.com in letter attach your Personal ID.
If email don’t works, register here: http://bitmsg.me, send letter to BM-NBazWh9xNVf2SgmvLv8pc3Uc9CCXtXMu
With your Personal ID and email for contacts.
After you send payment to given BTC adress in answer, you will get your files restored.
Your Personal ID:
[128 RANDOM CHARACTERS]’

To prevent ransomware-type infections, be very cautious when browsing the Internet. Never open files received from suspicious emails, download software from unofficial sources, or use third party tools to update installed software. In addition, use a legitimate anti-virus/anti-spyware suite.

At this time the only option is to restore your files from the back up . Use Max Total Security to protect your PC and easily back and Restore your files. Get 24×7 complimentary support if you have any issues due to malware.

NotPetya and ExPetr

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of wowsmith123456@posteo.net and asks for a payment of $300 in Bitcoin. Petya’s initial distribution vector was a tainted update for an accounting software package popular in the Ukraine, from the legitimate MEDoc updater process.. The new ransomware has worm capabilities, which allows it to move laterally across infected networks.

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network. The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command-line:

C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30

Other observed infection vectors include:

A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code.

This ransomware attempts to encrypt all files, Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. Instead, it overwrites the said files. The AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.

After completing its encryption routine, this ransomware drops a text file called README.TXT in each fixed drive. The said file has the following text:
petya-readme

After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:
windowsshutdown

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a fake Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files. This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user. The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.

screen1-petya

look out for Max Total Security new tool next week which is blocking all malware access. Alomg with its already launched tool whitelist make your PC malware proof forever.

PSCrypt ransomware

PSCrypt is a ransomware based on GlobeImposter 2.0, a ransomware strain that’s been around for more than a year, and has evolved from the Globe ransomware family. Ukrainian users have been aggressively targeted during the past month with PSCrypt after XData and NotPetya.

The PSCrypt Ransomware Trojan is distributed to users via spam emails loaded with a macro-enabled Microsoft Word file. The document may be proposed to users as an invoice, order confirmation and message from a friend on a social media service. Either way, the file acts as an installer that includes a script which is loaded in Windows and issues commands that result in the installation of the PSCrypt Ransomware.

During data encryption, it appends .pscrypt file extension and makes data impossible to open. Once it’s done, this crypto-malware creates and saves a Paxynok.html file into every folder that contains encrypted data, including the desktop. The ransom note carries victim’s personal identifier and a message from cyber criminals which says that all files have been encrypted by PSCrypt. The letter suggests that the victim must buy Bitcoins[2] at LocalBitcoins, Coinbase or XChange and then transfer a required sum to a provided Bitcoin wallet.

Cyber criminals ask to write them a letter via systems64x@tutanota.com email address which is also provided in the ransom note. The crooks suggest that their “operator will give the further instructions.” According to the ransom note, victims have to pay 2500 hryvnia (approximately 96 US dollars) in order to decrypt corrupted files. The cyber criminals provide an unusual ransom payment method – paying the ransom via IBOX terminal.

Malware not only encrypts files but also makes the system vulnerable. It might make various modifications in the system, create new or delete existing registry entries, and even open the backdoor to other cyber threats. Thus, having this malicious program installed on a device might lead to even more serious problems. It goes without saying that you should first make a copy of data back up done by Max Total Security and then format PC. Reinstall new operating system and then do data recovery.