Global Cyberattacks and how to protect against them

Microsoft Reports Global Cyberattacks on Sporting and Anti-Doping Organizations from Russian Espionage Actors


Original release date: October 29, 2019
Microsoft publicly released information revealing an uptick in cyberattacks globally targeting anti-doping authorities and sporting organizations. The Microsoft Threat Intelligence Center (MSTIC) routinely tracks malicious activity from the Russian advanced persistent threat (APT) group APT28, also known as Fancy Bear, STRONTIUM, Swallowtail, Sofacy, Sednit, and Zebrocy. According to Microsoft, APT28 is targeting sporting and anti-doping organizations using spearphishing, password spraying (a brute-force technique that tries a few common passwords against many accounts, staying under each account's lockout threshold), fake Microsoft internet domains, and both open-source and custom malware to exploit internet-connected devices.

To protect against similar attacks, Microsoft recommends:
• Enabling two-factor authentication on all business and personal email accounts,
• Learning how to spot phishing schemes and protect yourself from them, and
• Enabling security alerts about links and files from suspicious websites.
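Password spraying is easy to miss if you only watch failed logins per account, because each account sees one or two failures. The detector below is an added example, not Microsoft's guidance or code: it parses authentication records in a simple key=value form (the format and the log lines are constructed for this example; real sources would be Windows 4625 events, Azure AD sign-in logs or sshd auth logs) and flags a source address that fails against many distinct accounts with few attempts each, then lists the accounts that subsequently logged in successfully from that source and need an immediate password reset.

```python
"""Password-spray detection over authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp user=<account> ip=<source> result=FAIL|SUCCESS".
# 203.0.113.9 sprays six accounts; 198.51.100.4 brute-forces one account; 192.0.2.77 is a typo.
SAMPLE_LOG = """\
2019-10-28T09:00:01Z user=alice ip=203.0.113.9 result=FAIL
2019-10-28T09:00:03Z user=bob ip=203.0.113.9 result=FAIL
2019-10-28T09:00:05Z user=carol ip=203.0.113.9 result=FAIL
2019-10-28T09:00:07Z user=dave ip=203.0.113.9 result=FAIL
2019-10-28T09:00:09Z user=erin ip=203.0.113.9 result=FAIL
2019-10-28T09:00:11Z user=frank ip=203.0.113.9 result=SUCCESS
2019-10-28T09:05:00Z user=alice ip=198.51.100.4 result=FAIL
2019-10-28T09:05:02Z user=alice ip=198.51.100.4 result=FAIL
2019-10-28T09:05:04Z user=alice ip=198.51.100.4 result=FAIL
2019-10-28T09:05:06Z user=alice ip=198.51.100.4 result=FAIL
2019-10-28T09:05:08Z user=alice ip=198.51.100.4 result=FAIL
2019-10-28T09:30:00Z user=bob ip=192.0.2.77 result=FAIL
2019-10-28T09:30:30Z user=bob ip=192.0.2.77 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(log_text):
    """Yield (timestamp, user, ip, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["ip"], m["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: [users]} for sources that failed against at least `min_users`
    distinct accounts inside `window` while trying no single account more than
    `max_per_user` times. Few tries per account is what separates a spray from
    a brute force, and what keeps it under lockout thresholds."""
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(parse(log_text)):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    hits = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[ip] = sorted(counts)
                break
    return hits


def users_hit_after_spray(log_text, spraying_ips):
    """Accounts that logged in successfully from a spraying source: the guess
    worked, so these passwords must be reset and sessions revoked."""
    compromised = set()
    for _, user, ip, result in parse(log_text):
        if ip in spraying_ips and result == "SUCCESS":
            compromised.add(user)
    return sorted(compromised)


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_LOG)
    print("spraying sources:", sprays)
    print("accounts to reset:", users_hit_after_spray(SAMPLE_LOG, sprays))
```

The thresholds are assumptions and should be tuned to your own baseline; the important property of the rule is that it keys on distinct accounts per source rather than failures per account, which is the dimension a spray is designed to stay below.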

Hackers Can Manipulate Media Files Transferred via WhatsApp, Telegram


Hackers can manipulate media files transferred through the WhatsApp and Telegram messaging applications because both apps write received media to the device's external storage, which the Android operating system lets any app holding the storage permission read and modify. A malicious app already on the phone can therefore rewrite an image or document between the moment it arrives and the moment it is shown in the chat, and the recipient sees the altered file. To minimize cyber risks, every user should understand that they are both an asset and a potential security liability.

The attack works against WhatsApp in its default configuration and against Telegram if the user has enabled the “Save to gallery” option. Android Q will introduce a privacy feature called Scoped Storage, which changes how applications can access files on the device's external storage by confining each app to its own directory by default.

New ransomware Sodinokibi


Like most ransomware, Sodinokibi appends an extension to every file it encrypts; in its case the extension is randomly generated for each victim. It also uses a delivery technique that is new for this family: malvertising that redirects victims to the RIG exploit kit. Spam and phishing emails are used as well.

Use Max Total Security to schedule regular backups of your data, so that it can be restored even after a successful ransomware attack. Be careful when opening attachments or mails you do not recognise.

Max Total Security proactively looks for signs of ransomware and stops it as soon as it starts. It also includes a free backup utility for safe recovery, and a Folder Secure vault where you can keep confidential data untouched by any malware, including ransomware.

Protect your data with Max Total Security. Our 24×7 highly skilled technical support team can also help you protect your systems. Try Max Total Security for Windows from here.

Florida City hit by Ransomware attack

The leaders of Riviera Beach, Fla., looking weary, met quietly this week for an extraordinary vote to pay nearly $600,000 in ransom to hackers who paralyzed the city’s computer systems.

Riviera Beach, a small city of about 35,000 people just north of West Palm Beach, became the latest government to be crippled by ransomware attacks that have successfully extorted municipalities and forced them to dig into public coffers to restore their networks. A similar breach recently cost Baltimore $18 million to repair damages.

On Monday, the City Council unanimously agreed to have its insurance carrier pay the hackers 65 Bitcoin, a hard-to-trace digital currency, amounting to about $592,000. By making the payment, the City Council hopes to regain access to data encrypted in the cyberattack three weeks ago, though there is no guarantee the hackers will release the data once payment is received.

Protect your data with Max Secure Ransomware protection, which kills ransomware as it starts to spread. Our 24×7 highly skilled technical support team can also help you protect your systems. Try Max Total Security for Windows from here.

(courtesy The New York Times https://www.nytimes.com/2019/06/19/us/florida-riviera-beach-hacking-ransom.html)

ShadowHammer Hacker hijacks Asus update tool


Hackers hijacked ASUS software updates to install backdoors on thousands of computers. ASUS Live Update is a utility pre-installed on most ASUS computers that automatically updates components such as the BIOS, UEFI firmware, drivers and applications. The Taiwan-based tech giant is believed to have pushed the malware to hundreds of thousands of customers through this trusted automatic update tool after attackers compromised the company's update server and used it to distribute a trojanized version of the updater.

ASUS, one of the world's largest computer makers, was thus used to unwittingly install a malicious backdoor on thousands of its customers' computers last year. The malicious file was signed with legitimate ASUS digital certificates, so it appeared to be an authentic software update from the company and passed any signature check the updater or the operating system performed.

The malware selected its targets by the MAC addresses of the machine's network adapters, comparing them against a hardcoded list. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on that machine; on every other machine it stayed dormant. The incident highlights the growing threat from so-called supply-chain attacks, where malicious software or components are installed on systems as they are manufactured or assembled, or afterwards via trusted vendor channels.

This is not the first time attackers have used trusted software updates to infect systems. The infamous Flame spy tool, developed by some of the same attackers behind Stuxnet, was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers. Flame, discovered in 2012, was signed with an unauthorized Microsoft certificate that attackers tricked Microsoft’s system into issuing to them. The attackers in that case did not actually compromise Microsoft’s update server to deliver Flame. Instead, they were able to redirect the software update tool on the machines of targeted customers so that they contacted a malicious server the attackers controlled instead of the legitimate Microsoft update server.

ASUS customers who want to update the ASUS Live Update utility to the clean version 3.6.8 can do so by following the step-by-step procedure ASUS has published.
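Because the trojanized updater carried only hashes of the MAC addresses it was hunting for, a defender can run the comparison the other way round: hash the MACs of a machine and see whether any of them is on the list. The script below is an added example, not ASUS's or any researcher's tool. It assumes, for illustration, that the list holds MD5 digests of the lowercase colon-separated MAC, and the "target list" it carries is built from two made-up addresses; a real hunt would take the digest scheme and the indicator list from the published analysis of the sample.

```python
"""Check a machine's MAC addresses against a hashed target list (added example)."""
import hashlib
import re
import uuid


def normalize_mac(raw):
    """Accept 00-1A-2B-3C-4D-5E, 001A.2B3C.4D5E, 001a2b3c4d5e, ...
    and return the canonical aa:bb:cc:dd:ee:ff form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def mac_hash(raw):
    """Assumed scheme for this example: MD5 over the canonical text form."""
    return hashlib.md5(normalize_mac(raw).encode("ascii")).hexdigest()


# Constructed target list: digests of two invented MACs, stored the way a
# sample would embed them (digests only, so the targets cannot be read off).
TARGET_HASHES = frozenset(
    mac_hash(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF")
)


def targeted(macs, target_hashes=TARGET_HASHES):
    """Return the canonical form of every MAC in `macs` whose digest is on
    the target list; strings that are not MACs are ignored."""
    hits = []
    for m in macs:
        try:
            if mac_hash(m) in target_hashes:
                hits.append(normalize_mac(m))
        except ValueError:
            continue
    return hits


def local_macs():
    """Best effort without extra dependencies: uuid.getnode() returns one
    hardware address (or a random value if none is available). A real hunt
    should enumerate every adapter, as the malware did."""
    return ["%012x" % uuid.getnode()]


if __name__ == "__main__":
    print("local interfaces on the target list:", targeted(local_macs()))
```

The lesson the check illustrates is that a valid vendor signature told the victim nothing here; the only host-side signal was the targeting logic itself, which is why indicator lists from the analysis of the sample matter more than the certificate chain.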

Android adware disguised as game, TV, remote control Apps infects 9 million Google Play users

85 apps in Google Play, collectively installed nine million times by users all over the world, came with an adware strain capable of showing full-screen adverts at regular intervals or whenever the user unlocks the device.

None of the apps had real functionality and their true purpose was to make money for their developer by dropping a deluge of advertisements on the devices that installed them. The fake apps were disguised as games (car simulators), apps for streaming television channels from various countries (Brazil, Canada, South Africa, Spain), or posed as remote controllers for TV sets.

Google has now removed all 85 apps. Although they were uploaded from different developer accounts and signed with different digital certificates, they exhibited similar behaviour and shared the same code. The most popular of the fraudulent apps was Easy Universal TV Remote, last updated on November 12, 2018. It is unclear how long it survived in Google Play, but it accumulated over five million installations.

Use Max Total Security to remove viruses and adware from all of your Android devices.

Shamoon Disk Wiper Malware returns

Shamoon, also known as Disttrack, is a wiper worm: it overwrites files stored on the affected system and destroys its master boot record (MBR). Its first iteration overwrote documents, pictures, videos and music files with an image of a burning flag and wiped the MBR, leaving the machine unbootable.

It can also overwrite the infected system's disk with random data. The wiper component is dropped and executed in the system folder (%System%\{wiper name}) under one of the following names, chosen to resemble legitimate driver and service binaries:

_tdibth.exe
_wialx002.exe
acpipmi2z.exe
af0038bdax.exe
arcx6u0.exe
averfix2h826d_noaverir.exe
hidirkbdmvs2.exe
mdamx_5560.exe
mdmgcs_8.exe
mdmusrk1g5.exe
megasasop.exe
netbxndxlg2.exe
prncaz90x.exe
prngt6_4.exe
prnlx00ctl.exe
prnsv0_56.exe
tsprint_ibv.exe
vsmxraid.exe
wiacnt7001.exe

Shamoon spreads by dropping copies of itself into the administrative shares of other machines on the network, using the following shared folders: ADMIN$, C$\WINDOWS, D$\WINDOWS and E$\WINDOWS.

Users should patch and update their systems to prevent vulnerabilities from being exploited, and regularly back up important data to mitigate damage. Employ multilayered security mechanisms such as application control, a firewall, and intrusion prevention and detection systems. We recommend Max Total Security, which provides all of these features.

Rotexy Android Trojan Banker and Ransomware

Rotexy is an Android banking Trojan with ransomware features. In a three-month period from August to October 2018 it launched over 70,000 attacks against users located primarily in Russia. An interesting feature of this family is its simultaneous use of three command sources:

Google Cloud Messaging (GCM) service – used to send small messages in JSON format to a mobile device via Google servers;
malicious C&C server;
incoming SMS messages.

It spreads under the name AvitoPay.apk (or similar) and is downloaded from websites with names like youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk, etc. These names are generated according to a clear pattern: the first few letters evoke a popular classified-ad service, followed by a random string of characters, followed by a two-letter top-level domain.
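A naming pattern that regular can be matched in DNS or proxy logs. The matcher below is an added example and not Kaspersky's or the page's code: it takes the three brand-like prefixes visible in the samples above, requires a trailing run of letters and digits and a two-letter TLD, and then, to avoid flagging an honest name such as avitoshop.ru, reports a domain only when the suffix contains a digit or the TLD is one of the free ones typically used for throwaway sites. The brand list, the free-TLD set and the log lines are constructed for the example.

```python
"""Flag classified-ad lookalike domains of the kind Rotexy was served from (added example)."""
import re

BRANDS = ("avito", "youla", "prodam")       # prefixes seen in the page's sample domains
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}   # assumption: TLDs handed out free, popular for throwaway sites

PATTERN = re.compile(
    r"^(?P<brand>" + "|".join(BRANDS) + r")(?P<junk>[a-z0-9]{3,})\.(?P<tld>[a-z]{2})$"
)


def lookalike(domain):
    """Return {brand, junk, tld, reason} for a suspicious lookalike, else None.

    Shape alone would also match an ordinary name such as avitoshop.ru, so the
    suffix must contain a digit or the TLD must be a free one."""
    m = PATTERN.match(domain.strip().lower().rstrip("."))
    if not m:
        return None
    junk, tld = m["junk"], m["tld"]
    if any(c.isdigit() for c in junk):
        reason = "random_suffix"
    elif tld in FREE_TLDS:
        reason = "free_tld"
    else:
        return None
    return {"brand": m["brand"], "junk": junk, "tld": tld, "reason": reason}


# Constructed resolver log: "timestamp client domain"
SAMPLE_LOG = """\
2018-10-01T10:00:00Z 10.0.0.5 youla9d6h.tk
2018-10-01T10:00:01Z 10.0.0.5 avito.ru
2018-10-01T10:00:02Z 10.0.0.8 prodamfkz.ml
2018-10-01T10:00:03Z 10.0.0.8 avitoe0ys.tk
2018-10-01T10:00:04Z 10.0.0.9 avitoshop.ru
2018-10-01T10:00:05Z 10.0.0.9 prodam8n9.tk
"""


def suspicious_clients(log_text):
    """Map each client to the lookalike domains it looked up."""
    out = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, domain = parts
        if lookalike(domain):
            out.setdefault(client, []).append(domain)
    return out


if __name__ == "__main__":
    for client, domains in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(domains))
```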

After infection, the Trojan can show three kinds of full-screen pages:
• A fake HTML update page (update.html) that blocks the device's screen for a long period of time.
• An extortion page (extortionist.html) that blocks the device and demands a ransom for unblocking it.
• A phishing page (bank.html) prompting the user to enter their bank card details. This page mimics a legitimate bank form and blocks the device screen until the user enters all the information. It even has its own virtual keyboard that supposedly protects the victim from keyloggers.

According to the researchers' data, 98% of all Rotexy attacks target users in Russia; indeed, the Trojan explicitly targets Russian-speaking users. There have also been cases of users in Ukraine, Germany, Turkey and several other countries being affected.

To avoid such Trojans landing on your mobile device:

A powerful, updated security solution is a must for all devices you use to shop online. Avoid buying anything online from websites that look potentially dangerous or resemble an incomplete version of a trusted brand’s website.
Don’t click on unknown links in email or social media messages, even from people you know, unless you were expecting the message.

Use Max Total Security for Android devices for total protection.

Emotet Banking Trojan

The Emotet Trojan gets onto a victim PC via an email that contains either a malicious link leading to a downloader document or a malicious document attached directly. The document uses PowerShell or JavaScript to download the Trojan, which delivers a packed payload file to the victim machine. Once on a machine, the latest version of Emotet:

1. Moves itself to its preferred directory
2. Creates a LNK file pointing to itself in the start-up folder
3. Collects victim machine information and sends it to the C&C server
It can then download new payloads from the C&C server and execute them, whether an updated version of itself or any other threat. Existing versions of Emotet download modules from the C&C server that include:

1. Banking module: intercepts network traffic from the browser to steal banking details entered by the user.
2. Email client infostealer module: steals email credentials from email client software.
3. Browser infostealer module: steals information such as browsing history and saved passwords.
4. PST infostealer module: reads through Outlook's message archives and extracts the sender names and email addresses.

Because of the way Emotet spreads through a company's network, any machine still infected will re-infect machines that have already been cleaned as soon as they rejoin the network. IT teams therefore need to isolate, patch and remediate each infected system one by one. Cleaning an affected network can take a long time, sometimes months, depending on the number of machines involved.

Administrators should disable access to the Admin$ share and change all local and administrator account passwords.
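Both Shamoon (above) and Emotet copy themselves to the ADMIN$ and C$ shares of other hosts, and Windows records each such access on the target as Security event 5140 ("A network share object was accessed"). Collected centrally, those events give a simple hunt: a single account and source address touching the admin shares of many distinct machines within minutes is a worm or a lateral-movement tool, while a backup job hits one or two servers. The script below is an added example, not part of the page or of any product; its records are constructed samples in a simplified whitespace-separated form (timestamp, subject account, source IP, target host, share name), and the window and threshold are assumptions.

```python
"""Hunt for lateral movement over administrative shares (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$", r"\\*\D$", r"\\*\E$"}  # share names as event 5140 logs them
EPOCH = datetime(1970, 1, 1)

# Constructed event 5140 records: timestamp  account  source ip  target host  share
SAMPLE_EVENTS = r"""
2018-12-10T14:01:00Z CORP\svc_backup 10.1.1.20 FS01 \\*\C$
2018-12-10T14:01:05Z CORP\jdoe 10.1.5.33 WS-0142 \\*\ADMIN$
2018-12-10T14:01:09Z CORP\jdoe 10.1.5.33 WS-0143 \\*\ADMIN$
2018-12-10T14:01:12Z CORP\jdoe 10.1.5.33 WS-0144 \\*\C$
2018-12-10T14:01:15Z CORP\jdoe 10.1.5.33 WS-0145 \\*\ADMIN$
2018-12-10T14:01:18Z CORP\jdoe 10.1.5.33 WS-0146 \\*\ADMIN$
2018-12-10T14:01:20Z CORP\jdoe 10.1.5.33 WS-0147 \\*\Public
2018-12-10T14:02:00Z CORP\svc_backup 10.1.1.20 FS02 \\*\C$
2018-12-10T16:30:00Z CORP\jdoe 10.1.5.33 WS-0200 \\*\ADMIN$
"""


def parse(text):
    """Yield (ts, account, ip, host, share); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, ip, host, share = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, host, share


def admin_share_fanout(text, window=timedelta(minutes=5), min_hosts=4):
    """Return {(account, ip): [hosts]} for sources that touched the admin shares
    of at least `min_hosts` distinct targets inside one fixed time bucket.
    Fixed buckets are cheap and good enough for a worm burst; a burst that
    straddles a bucket edge is the price of that choice."""
    admin = {s.upper() for s in ADMIN_SHARES}
    buckets = defaultdict(set)
    for ts, account, ip, host, share in parse(text):
        if share.upper() in admin:
            buckets[(account, ip, (ts - EPOCH) // window)].add(host)

    alerts = {}
    for (account, ip, _), hosts in buckets.items():
        if len(hosts) >= min_hosts:
            alerts.setdefault((account, ip), set()).update(hosts)
    return {src: sorted(hosts) for src, hosts in alerts.items()}


if __name__ == "__main__":
    for (account, ip), hosts in admin_share_fanout(SAMPLE_EVENTS).items():
        print(f"{account} from {ip} reached admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

The host list the alert returns is also the containment list: those are the machines the source has already written to, so they are the ones to isolate first rather than the source alone.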

Max Total Security can detect and remove this Trojan.

Ransomware is slowing down, but not going away

It has been a busy month for crooks and security researchers alike. New variants of Dharma, Kraken, Scarab, Rektware, IT.Books and Matrix ransomware, as well as the MongoDB locker, were all active this month.

A new variant of the Dharma ransomware appends the .brrr or .cmb extension and drops a ransom note named Info.hta stating that all your files are encrypted. A new variant of the Scarab-DiskDoctor ransomware uses the .mammon extension for encrypted files.

A new HiddenTear variant called IT.Books ransomware looks like Jigsaw: it drops a ransom note named READ__IT.txt and uses the extension .f*cked. IT.Books is high-risk ransomware that infiltrates the system and encrypts most of the stored data, making it unusable. The text file and desktop wallpaper it creates carry similar messages saying that the data is encrypted and that the victim must pay a ransom to restore it, while a pop-up window claims that files are being deleted periodically and that the victim must pay to stop the deletion.

An attack called Mongo Lock targets remotely accessible and unprotected MongoDB databases, encrypting them and then demanding a ransom to get the contents back. MongoDB has published mitigation steps for developers to review.

A new version, Kraken Cryptor 1.5, was recently released that masquerades as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. A new ransomware called Rektware, which appends the .CQScSFy extension, also appeared.
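The families in this roundup, and Sodinokibi above, leave two kinds of trace on disk: a fixed extension or note name that can simply be listed (.brrr, .cmb, .mammon, .CQScSFy, Info.hta, READ__IT.txt), and, for a family that invents a new extension per victim, no name to list at all. The scanner below is an added example, not part of the page or of any product: it walks a directory tree, flags the listed names, and for any file with an unfamiliar extension falls back on measuring the Shannon entropy of its first few kilobytes, since encrypted output is close to random while documents and source files are not. The sample tree it scans is built in a temporary directory; the entropy threshold and the list of "common" extensions are assumptions.

```python
"""Scan a directory tree for ransomware indicators (added example)."""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

KNOWN_EXTENSIONS = {".brrr", ".cmb", ".mammon", ".cqscsfy"}   # from the families above
RANSOM_NOTES = {"info.hta", "read__it.txt"}                  # from the families above
# Assumption: extensions whose contents we do not entropy-test (compressed
# formats such as .jpg and .zip are legitimately high-entropy).
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png",
                     ".exe", ".dll", ".zip", ".py"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path, sample_size=4096, entropy_threshold=7.5):
    """Return an indicator label for `path`, or None if nothing looks wrong."""
    name, ext = path.name.lower(), path.suffix.lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if ext in KNOWN_EXTENSIONS:
        return "known_extension"
    if ext and ext not in COMMON_EXTENSIONS:
        with open(path, "rb") as f:
            head = f.read(sample_size)
        # Tiny files give unreliable entropy estimates, so require some bytes.
        if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
            return "random_extension_high_entropy"
    return None


def scan(root):
    """Map each flagged file (POSIX-style path relative to root) to its label."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            label = classify(p)
            if label:
                hits[p.relative_to(root).as_posix()] = label
    return hits


def build_sample_tree():
    """Create a constructed tree mixing clean and encrypted-looking files."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx.brrr").write_bytes(os.urandom(1024))        # Dharma-style
    (docs / "Info.hta").write_text("all your files are encrypted")   # Dharma note
    (docs / "budget.xlsx.k7v2qa").write_bytes(os.urandom(2048))      # per-victim random extension
    (docs / "notes.txt").write_text("quarterly planning notes\n" * 50)
    (docs / "photo.jpg").write_bytes(os.urandom(2048))               # high entropy but a known format
    (docs / "archive.zip.partial").write_bytes(b"\x00" * 1024)       # odd extension, low entropy
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, label in sorted(scan(root).items()):
            print(f"{label:32} {rel}")
    finally:
        cleanup(root)
```

A scanner like this is an after-the-fact check, not protection: by the time extensions change the files are already lost unless a backup exists, which is why the advice below keeps returning to backups.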

Users of any computing device must pay close attention when browsing the Internet and when downloading, installing or updating software. Always analyze email attachments carefully: if a file seems irrelevant or was sent from a suspicious or unrecognisable address, do not open it. Download programs only from official sources, using direct download links; third-party downloaders and installers often bundle rogue or malicious apps, which is why using them is not recommended. Keep installed applications updated, using only the update features or tools provided by the official developer. Having a reputable anti-virus/anti-spyware suite installed and running is also paramount. Our recommendation is Max Total Security, and we cannot emphasise enough: back up, back up and back up, using the free Backup/Restore tool provided with the Max Total Security tools.