The malware has targeted Russian-speaking users so far, but its authors have also created an English version of their decryption portal, suggesting they will likely expand their attacks to other countries soon.
Spora stands out because it can encrypt files without having to contact a command-and-control (CnC) server and does so in a way that still allows every victim to have a unique decryption key.
Traditional ransomware programs generate an AES (Advanced Encryption Standard) key for every encrypted file and then encrypt those keys with an RSA public key generated by a CnC server.
The problem with reaching out to a server on the internet after installation of ransomware is that it creates a weak link for attackers. For example, if the server is known by security companies and is blocked by a firewall, the encryption process doesn’t start.
Some ransomware programs can perform so-called offline encryption, but they use the same RSA public key that’s hard-coded into the malware for all victims. The downside with this approach for attackers is that a decryptor tool given to one victim will work for all victims because they share the same private key as well.
The Spora creators have solved this problem, according to researchers from security firm Emsisoft who analyzed the program’s encryption routine.
The malware does contain a hard-coded RSA public key, but this is used to encrypt a unique AES key that is locally generated for every victim. This AES key is then used to encrypt the private key from a public-private RSA key pair that’s also locally generated and unique for every victim. Finally, the victim’s public RSA key is used to encrypt the AES keys that are used to encrypt individual files.
In other words, the Spora creators have added a second round of AES and RSA encryption to what other ransomware programs have been doing until now. The practical effect is that the decryptor the attackers hand a paying victim contains only that victim's RSA private key, which unlocks nothing on any other machine, while the attackers' own private key never has to leave their hands.
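The hierarchy described above, as an added simulation (not Spora's code, and not Emsisoft's analysis tooling): stdlib-only Python in which textbook RSA without padding and a SHA-256 keystream stand in for RSA and AES, with 512-bit RSA so it runs in well under a second. Names such as infect and attacker_build_decryptor are this example's own.

```python
import hashlib
import secrets

# Added example, not Spora's code: the per-victim key hierarchy, simulated
# with stdlib-only toy primitives. Textbook RSA without padding and a
# SHA-256 keystream stand in for RSA-OAEP and AES; the structure is the
# point, not the primitives. Key sizes are small to keep the demo fast.

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin (demo quality, not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Returns ((n, e), (n, d)); real deployments use 2048-bit or larger keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(priv, ct, out_len):
    n, d = priv
    m = pow(int.from_bytes(ct, "big"), d, n)
    # keep the low out_len bytes, so a wrong key yields garbage rather than an exception
    return m.to_bytes((n.bit_length() + 7) // 8, "big")[-out_len:]

def _keystream_xor(key, nonce, data):
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def sym_encrypt(key, data):
    """AES stand-in: XOR with a keyed SHA-256 keystream under a fresh nonce."""
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, data)

def sym_decrypt(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])

def infect(files, attacker_pub):
    """Victim side, fully offline. Returns the blob for the ransom note plus the encrypted files."""
    victim_aes = secrets.token_bytes(32)            # unique per victim
    (n, e), (_, d) = rsa_keygen()                   # unique per-victim RSA pair
    blob = {
        "enc_victim_aes": rsa_encrypt(attacker_pub, victim_aes),            # only the attacker can open
        "enc_victim_priv": sym_encrypt(victim_aes, d.to_bytes(64, "big")),  # needs victim_aes first
        "victim_modulus": n,
    }
    encrypted = {}
    for name, plaintext in files.items():
        file_key = secrets.token_bytes(32)          # fresh key per file
        encrypted[name] = (rsa_encrypt((n, e), file_key), sym_encrypt(file_key, plaintext))
    return blob, encrypted                          # victim_aes and d are dropped here; nothing phoned home

def attacker_build_decryptor(blob, attacker_priv):
    """Attacker side: unwrap the chain and hand back only this victim's RSA private key."""
    victim_aes = rsa_decrypt(attacker_priv, blob["enc_victim_aes"], 32)
    d = int.from_bytes(sym_decrypt(victim_aes, blob["enc_victim_priv"]), "big")
    return (blob["victim_modulus"], d)

def decrypt_files(encrypted, victim_priv):
    """Victim side again, with the returned key: per-file keys unwrap, then the files."""
    out = {}
    for name, (enc_file_key, ct) in encrypted.items():
        out[name] = sym_decrypt(rsa_decrypt(victim_priv, enc_file_key, 32), ct)
    return out

ATTACKER_PUB, ATTACKER_PRIV = rsa_keygen()   # the public half is what would be hard-coded in the binary
```

Running infect twice yields two blobs; the decryptor built from the first opens only the first set of files, which is exactly the property the hard-coded-key ransomware in the previous paragraphs lacked. Swapping in real RSA-OAEP and AES-GCM changes only the four primitive functions, not the hierarchy.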
Lynda.com, the online learning subsidiary of LinkedIn, has reset passwords for some of its subscribers after it discovered recently that an unauthorized external party had accessed a database containing user data.
The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.
The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement.
In a notice to users, Lynda.com said that the database breach could have included some of the users’ Lynda.com learning data, such as contact information and courses viewed. It added that it was warning users out of an abundance of caution.
The company said in a reply on Twitter that it was taking the issue very seriously and was working with law enforcement.
Lynda.com was acquired by LinkedIn for $1.5 billion in a cash and stock deal. LinkedIn was in turn acquired by Microsoft this month, after the all-cash transaction worth US$26.2 billion received regulatory approval from the European Union.
“We believe that it is the largest Google account breach to date,” the security firm said in blog post.
The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia.
Gooligan masquerades as legitimate-looking Android apps. Check Point has found 86 titles, many of them offered on third-party app stores, that contain the malicious code.
Of the 1 million Google accounts breached, 19 percent were based in the Americas, 9 percent in Europe, while 57 percent were in Asia, according to Check Point.
It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.
“The Navy takes this incident extremely seriously – this is a matter of trust for our sailors,” Chief of Naval Personnel Vice Admiral Robert Burke said in a statement.
Burke said the investigation of the breach was in its early stages.
“At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised,” the Navy said.
Over 412 million accounts on dating and entertainment website FriendFinder Networks have reportedly been exposed, the second time that the network has been breached in two years, according to a popular breach notification website.
The websites that have been breached include adultfriendfinder.com, described as the “world’s largest sex and swinger community,” which accounted for over 339.7 million of the 412 million accounts exposed, LeakedSource said Sunday.
Other network sites that had user accounts exposed were cams.com with 62.6 million exposed, penthouse.com with 7 million, stripshow.com with 1.4 million, icams.com with about 1 million and an unidentified website adding 35,372 users whose accounts were exposed.
The sites were hacked in October through a local file inclusion vulnerability on FriendFinder Networks that was reported at about the same time by a researcher. Soon after disclosing the vulnerability, the researcher, who used the Twitter handle 1x0123 and is also known as Revolver, stated on Twitter that the issue was resolved, and “…no customer information ever left their site,” according to CSO’s Salted Hash.
FriendFinder did not immediately comment. The network, however, confirmed to ZDNet that it identified and fixed a vulnerability that “was related to the ability to access source code through an injection vulnerability.”
LeakedSource said it found that passwords were stored either in plain text or as SHA-1 hashes protected only by a pepper (a fixed secret prefix, with no per-user salt), both of which are weak enough to be cracked at scale. LeakedSource claimed it had cracked over 99 percent of all the passwords from the databases back to plain text.
It also found that about 15 million users had an email in the format of: email@example.com@deleted1.com, suggesting that information on users who earlier tried to delete their accounts was still around.
The FriendFinder Networks hack, if confirmed, would outstrip that of Myspace in its impact. The exposure of an estimated 360 million accounts of Myspace users was reported earlier this year. The FriendFinder hack also has the potential of being more embarrassing for a number of users, because of the sensitive transactions on its sites.
Law enforcement authorities on Monday also “began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data,” the company said in a regulatory filing to the U.S. Securities and Exchange Commission. Yahoo said it would “analyze and investigate the hacker’s claim.” It isn’t clear if this data is from the 2014 hack or from another breach.
Forensic experts are also investigating whether an intruder, which it believes is the same “state-sponsored actor” responsible for the security incident, “created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” according to the filing.
“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access…,” the company said in the filing Wednesday.
A source familiar with the matter described the investigation as ongoing and said via email it wasn’t yet clear “who knew what/when/what they shared to whom if at all.”
The person also said that the company does not believe it is currently possible for the attackers to forge valid Yahoo Mail cookies.
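To make “cookie forging” concrete, an added illustration that is not Yahoo's implementation (how Yahoo's cookies were actually generated is not described here): a session cookie whose integrity rests on an HMAC over the user name and issue time under a server-side key. CookieSigner, SESSION_TTL and the helper names are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not Yahoo's implementation: a minimal HMAC-signed session
# cookie, showing why an attacker who holds the server's signing key can mint
# a cookie for any account without ever seeing a password, and why rotating
# that key invalidates everything minted under the old one.

SESSION_TTL = 24 * 3600   # seconds; assumed policy value


class CookieSigner:
    def __init__(self, key):
        self.key = key

    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, user, issued_at):
        """The server does this only after a successful password check."""
        payload = f"{user}|{issued_at}"
        return f"{payload}|{self._mac(payload)}"

    def verify(self, cookie, now):
        """Returns the user the cookie authenticates, or None."""
        try:
            user, issued, mac = cookie.rsplit("|", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(f"{user}|{issued}")):
            return None                         # tampered, or signed under another key
        if not issued.isdigit() or now - int(issued) > SESSION_TTL:
            return None                         # expired (or unparsable timestamp)
        return user


def forge_with_stolen_key(stolen_key, victim_user, now):
    """What 'cookie forging' means: the attacker needs the key, not the password."""
    return CookieSigner(stolen_key).mint(victim_user, now)


def rotate_key():
    """The defensive response: a fresh key, which also logs out every legitimate session."""
    return secrets.token_bytes(32)
```

The forged cookie is indistinguishable from a legitimate one as long as the key it was signed under is still accepted, which is why a statement that forging is no longer possible implies the signing material was replaced; rotation also ends every honest session, so real deployments usually carry a key identifier in the cookie and overlap old and new keys briefly.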
Yahoo disclosed in late September that the account information was stolen in 2014 by what it described as a state-sponsored actor, though some security experts said it could have been done by a criminal hacker or group of hackers working on their own.
The disclosure of the hack followed an announcement by Verizon Communications that it planned to acquire Yahoo’s operating business for $4.8 billion, but the communications company has said it is evaluating whether the hack had a material impact. Yahoo said in the filing that there are risks that as a result of facts relating to the security incident, Verizon may seek to terminate or renegotiate the terms of its purchase.
The company is facing 23 proposed consumer class-action lawsuits following the hack both in the U.S. and abroad. The company recorded expenses of $1 million related to the hack in the quarter ended Sept. 30.
The stolen records are up for sale on TheRealDeal, a darknet marketplace that offers illegal goods. For 3 bitcoins, or $1,824, anyone can buy them.
The hacker, known as peace_of_mind, has claimed to have previously sold login credentials for LinkedIn and Tumblr users.
In a brief message, peace_of_mind said the Yahoo database came from a Russian group that breached LinkedIn and Tumblr, in addition to MySpace.
In the case of the Yahoo accounts, the database “most likely” comes from 2012, the hacker said. Copies of the stolen Yahoo database have already been bought, peace_of_mind added.
On Monday, Yahoo said it was “aware” that the stolen database was on sale, but it neither confirmed nor denied that the records were real.
“Our security team is working to determine the facts,” the company said in an email.
Back in 2012, Yahoo reported a breach, but of only 450,000 accounts. A hacking group called D33ds Company had claimed responsibility, but Yahoo said that most of the stolen passwords were invalid.
It’s unclear if that hack is connected with this sale of 200 million accounts. Other security researchers have also noticed a Russian hacker known as “the Collector” selling tens of millions of email logins from Yahoo, Gmail and Hotmail.
Peace_of_mind has posted a sample of the stolen Yahoo database, which includes user email addresses, along with passwords that have been hashed using the MD5 algorithm.
MD5 is not reversible, but unsalted MD5 hashes of common passwords are recovered in seconds with freely available lookup tables and cracking tools, so the hashing offers little protection. The database also contains backup email addresses, as well as the users’ birth dates.
IDG News Service tried several email addresses from the stolen records and noticed that Yahoo’s login page recognized them and then asked for a password. However, other email addresses were no longer valid.
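The peppered SHA-1 hashes in the FriendFinder dump described earlier and the MD5 hashes here fail for the same reason. An added example, not code from either site: a wordlist attack against unsalted hashes beside the same attack against per-user-salted, iterated PBKDF2. The pepper value, wordlist and user records are constructed.

```python
import hashlib
import secrets

# Added example, not code from either breach: why unsalted SHA-1 or MD5
# hashes fall to a wordlist in one pass while a salted, iterated hash does
# not. The pepper, wordlist and user records are all constructed here.

PEPPER = b"site-wide-secret"   # one fixed secret for the whole site; worthless once the source code leaks
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon", "baseball"]


# --- the schemes seen in the dumps ---

def sha1_peppered(password):
    return hashlib.sha1(PEPPER + password.encode()).hexdigest()


def md5_plain(password):
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(hashes, hash_fn, wordlist=WORDLIST):
    """Without a salt, hashing each guess once recovers every user who chose it.
    Returns ({hash: password}, number of hash evaluations)."""
    table = {hash_fn(w): w for w in wordlist}               # computed once for the whole dump
    return {h: table[h] for h in hashes if h in table}, len(wordlist)


# --- the hardened scheme ---

def pbkdf2_record(password, iterations=200_000):
    salt = secrets.token_bytes(16)                          # unique per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iters": iterations, "hash": dk}


def pbkdf2_check(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iters"])
    return secrets.compare_digest(dk, record["hash"])


def crack_salted(records, wordlist=WORDLIST):
    """Per-user salts force a per-user search, and each guess costs `iters` HMACs.
    Returns ({user: password}, number of PBKDF2 evaluations)."""
    found, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += 1
            if pbkdf2_check(w, rec):
                found[user] = w
                break
    return found, work
```

The unsalted crack costs one hash per guess for the entire dump, and identical passwords show up as identical hashes; the salted one costs one PBKDF2 run per guess per user, each deliberately tens of thousands of HMAC iterations. That is the difference between 99 percent recovered and a handful of the weakest choices.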
Although Yahoo hasn’t confirmed the breach, users should still change their passwords, said Adam Levin, chairman of security firm IDT911, in an email.
In addition, users should make sure they aren’t using the same passwords across Internet accounts, he added.
Microsoft is mandating the hardware change, a TPM 2.0 in every new Windows 10 device, in a bid to improve Windows security. The requirement takes effect with the Windows 10 Anniversary Update, which will be rolled out from 2 August.
TPM 2.0 is an international standard led by the Trusted Computing Group. It provides a secure area to store authentication keys built in to the hardware of the device. The TPM 2.0 function can be firmware-based, integrated into the silicon or a module in the device.
The standard provides cryptographic functions embedded in the device’s silicon or firmware and supports newer algorithms than TPM 1.2, notably the SHA-2 family (SHA-256 in particular) in place of SHA-1.
A number of Windows 10 features, including BitLocker, Credential Guard, Measured Boot, Device Health Attestation and Virtual Smart Card, rely on a TPM, and TPM 2.0 strengthens them.
TPM 2.0 needs to be built in to devices as follows:
An endorsement key (EK) certificate must either be pre-provisioned in the device’s TPM when it is built or be retrievable by the device on first boot.
It must ship with the SHA-256 PCR bank enabled; the platform configuration registers (PCRs) are the TPM’s boot-measurement registers.
It must support the TPM2_HMAC command.
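What the SHA-256 PCR bank in that list is for, as an added simulation (not Microsoft’s or the TCG’s code): the PCR extend operation, a measured boot, and the replay-and-compare step a verifier performs for Device Health Attestation. The boot components are constructed and the TPM’s signed quote, which proves the values came from a real TPM, is omitted.

```python
import hashlib

# Added example, not Microsoft's or the TCG's code: a simulation of a SHA-256
# PCR bank recording a boot sequence, and of the verifier-side replay that
# Measured Boot and Device Health Attestation rely on. The boot events are
# constructed; the TPM-signed quote over the PCR values is omitted.

PCR_COUNT = 24
_ZERO = bytes(32)


def pcr_extend(pcr_value, measurement):
    """TPM2_PCR_Extend semantics: PCR = H(PCR || H(component)). Extend only, never overwrite."""
    return hashlib.sha256(pcr_value + hashlib.sha256(measurement).digest()).digest()


def measured_boot(boot_events):
    """Platform side. boot_events: [(pcr_index, component_bytes), ...] in boot order.
    Returns the PCR bank and the event log that accompanies it."""
    bank = [_ZERO] * PCR_COUNT
    log = []
    for index, component in boot_events:
        bank[index] = pcr_extend(bank[index], component)
        log.append((index, hashlib.sha256(component).hexdigest()))
    return bank, log


def replay_log(log):
    """Verifier side: recompute the bank from the log alone; any edit to the log breaks the match."""
    bank = [_ZERO] * PCR_COUNT
    for index, digest_hex in log:
        bank[index] = hashlib.sha256(bank[index] + bytes.fromhex(digest_hex)).digest()
    return bank


def attest(bank, log, policy):
    """Health check: the log must reproduce the quoted bank, and selected PCRs must match known-good values."""
    return replay_log(log) == bank and all(bank[i] == v for i, v in policy.items())


# Constructed boot sequence; which PCR each stage goes into is defined by the TCG PC Client spec.
GOOD_BOOT = [
    (0, b"UEFI firmware 1.0"),
    (0, b"platform configuration"),
    (4, b"bootmgfw.efi"),
    (7, b"SecureBoot=1; db/dbx contents"),
]
```

Because extend is a one-way chain, a component that runs after a tamper cannot hide it by overwriting the register, and two boots that loaded the same components in a different order produce different values; the verifier only needs the final PCRs and the log to tell them apart.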
The Anniversary Update, which ships from 2 August and will be delivered automatically to Windows 10 devices, is the point at which the requirement takes effect. Windows 10 itself has supported both TPM 1.2 and TPM 2.0 since launch; what changes is that new devices must now ship with a TPM 2.0 rather than with the older TPM 1.2 or no TPM at all.
Part of Microsoft’s plan is to push the Windows Hello authentication security, which uses biometrics to log users in, across all Windows 10-based devices. The security system supports face, fingerprint and iris recognition, enabling users to log-in with just a glance, at least in theory.
Windows Hello is being integrated into Microsoft PCs, smartphones and tablets, along with the Xbox games console and the HoloLens augmented reality headset.
Intel Security, Kaspersky Lab and Europol have teamed up to launch a new initiative designed to educate people about the threat of ransomware and offer keys that can unlock devices without having to pay the fraudsters.
The No More Ransom portal, which also has the backing of the Dutch National Police, has been put together in response to the rising threat from ransomware which had almost one million victims in Europe last year.
The portal will contain material designed to educate users about the threat of ransomware and where it comes from, but it is the access to some 160,000 keys that is most notable. These cover numerous ransomware strains, most notably the Shade trojan that emerged in 2014. This is a particularly nasty ransomware spread via websites and infected email attachments.
However, the command and control servers for Shade that stored the decryption keys were seized by law enforcement, and the keys were given to Kaspersky and Intel Security.
These have now been entered into the No More Ransom portal so that victims can access their data without paying the criminals.
Jornt van der Wiel, security researcher with Kaspersky’s global research and analysis team, explained that the portal will help people to take a stand against the rise of ransomware.
“The biggest problem with crypto-ransomware today is that when users have precious data locked down they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result,” he said.
“We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road.”
Raj Samani, EMEA chief technology officer at Intel Security, echoed this sentiment. “This collaboration goes beyond intelligence sharing, consumer education and takedowns to actually help repair the damage inflicted on victims,” he said.
“By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”
The burgeoning threat of hacking and the need to protect data more stringently will accelerate demand for cyber insurance in Europe, insurer Allianz said as it launched its first product aimed at Germany’s small-to-medium-sized manufacturers.
Cyber insurance has been slow to take off in Europe, with fewer than one in 10 firms having taken out a policy, said Christopher Lohmann, head of the Central and Eastern Europe region at Allianz Global Corporate & Specialty (AGCS).
But he believes greater awareness among companies and new regulation, such as Germany’s I.T. security law which came into force last year and orders 2,000 providers of critical infrastructure to report serious breaches, will spur demand.
“There are many reasons to believe that cyber insurance will evolve into the fire insurance of the 21st century,” he said, adding a functioning IT system and secure data are critical to many businesses and their reputations.
Home to world champion manufacturers, Germany offers rich pickings for hackers, and attacks on industrial production sites are rising, according to the government’s latest IT Security Report.
Forty percent of German companies were affected by e-Crime over the past two years, according to a study by consultancy KPMG in 2015, an increase of 50 percent over 2013.
Germany’s small-to-medium-sized manufacturers, known as the Mittelstand and which form the backbone of its economy, are particularly vulnerable as they lack big budgets for I.T. spending.
The threat is growing as companies move to connect machinery to the Internet to enable it to collect and exchange data and make it easier to control remotely.
Despite this, cyber premiums in Germany were estimated to be worth only around $10 million last year. This compares with an estimated premium volume of $2.5 billion in the United States, according to Lohmann.
Peter Grass from the German Association of Insurers expects cyber insurance to become a matter of course for all companies whose business models depend on I.T.
“The development is relatively rapid – also because the public and politics are becoming ever more aware that this can be an economic problem,” he said.
The first cyber insurance policies were launched on the German market in 2011 and around 15 insurers are now active in the market. Other big players include Axa, Hiscox, Ergo (part of Munich Re) and Zurich Insurance.
This past weekend, the hacker, called thedarkoverlord, began posting the sale of the records on TheRealDeal, a black market found on the deep Web. (It can be visited through a Tor browser.)
The data includes names, addresses, dates of birth, and Social Security numbers – all of which could be used to commit identity theft or access the patient’s bank accounts.
These records are being sold in four separate batches. The biggest batch includes 9.3 million patient records stolen from a U.S. health insurance provider, and it went up for sale on Monday.
The hacker used a little-known vulnerability within the Remote Desktop Protocol to break into the insurance provider’s systems, he said in his posting on the black market site.
The three other batches cover a total of 655,000 patient records, from healthcare groups in Atlanta, Georgia, Farmington, Missouri, and another city in the Midwestern U.S. The hacker didn’t give the names of the affected groups.
To steal these patient records, the hacker used “readily available plain text” usernames and passwords to access the networks where the data was stored, according to his sales postings.
Using an online message sent through the market, thedarkoverlord declined to answer any questions unless paid. The hacker wants a total of 1,280 bitcoins for the data he stole.
Qatar National Bank has confirmed that its systems were hacked but said that the information released online was a combination of data picked up from the attack and from other sources such as social media.
The incident will not have a financial impact on the bank’s customers, whose accounts are secure, the bank said — without providing details of how its systems were hacked, the possible identity of the hackers and what information was harvested.
The announcement Sunday by one of the leading financial institutions in the Middle East follows the posting online last week of leaked documents. The attack targeted only a portion of Qatar-based customers, the bank said, claiming the hack attempted to target the bank’s reputation rather than specifically its customers.
“QNB Group’s Risk Team monitored abnormal activity in our system environment; this was immediately communicated to relevant authorities,” the bank said in a statement. “We also took immediate steps and our systems are fully secure and operational.”
The 1.4GB trove of documents leaked online included financial information such as customer transaction logs, personal identification numbers and credit card data. But on closer scrutiny the data was found to have folders with detailed profiles on specific individuals, including what appeared to be files on members of the Qatari royal family, employees of media outlet Al Jazeera and people listed as working for the British MI6 and some other intelligence agencies, security firm Trend Micro said on Wednesday.
The attackers used an open-source SQL injection tool to extract all of the customer data they needed, wrote Simon Edwards, cyber security expert at Trend Micro. SQL injection targets websites that build SQL (structured query language) queries from user-supplied input without keeping the two apart, letting an attacker run queries of their own against the database server.
The log file suggests that the attack could have started about nine months ago in July last year, Edwards said.
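The class of bug behind that log, as an added example (not QNB’s application or the tool the attackers used): a lookup that concatenates input into SQL beside the parameterised version, exercised with the kind of payloads an automated injection tool tries. SQLite stands in for the real database server; the schema and rows are constructed.

```python
import sqlite3

# Added example, not QNB's application or the tool used against it: the
# query shape that an injection tool exploits, beside the parameterised form
# that closes it. The schema and rows are constructed; SQLite stands in for
# the unnamed database server.


def _sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "alice", "4111-1111-1111-1111"), (2, "bob", "5500-0000-0000-0004")])
    con.execute("CREATE TABLE secrets (k TEXT, v TEXT)")
    con.execute("INSERT INTO secrets VALUES ('db_admin_pw', 'hunter2')")
    return con


def lookup_vulnerable(con, name):
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    """Placeholder binding: the driver ships the value separately; it is never parsed as SQL."""
    return con.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


# Payloads of the kind an automated tool tries, with the customer-name field as the entry point.
ENUMERATE_TABLES = "x' UNION SELECT 0, name FROM sqlite_master WHERE type='table' --"
DUMP_SECRETS = "x' UNION SELECT 0, k || '=' || v FROM secrets --"
TAUTOLOGY = "' OR '1'='1"
```

Enumerating the catalogue and then pulling other tables through UNION is what the tool automates across hundreds of requests, which is why an injection campaign leaves a log spanning months; the same payloads passed through lookup_safe are just strings that match no customer.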
QNB said Tuesday that it would not comment on reports in social media of “an alleged data breach,” but sought to assure all concerned that there was no financial impact on the bank or its clients.
The not-for-profit organization, which runs 10 hospitals in the Washington, D.C., area, was hit with ransomware, the Baltimore Sun reported on Wednesday, citing two anonymous sources.
MedStar Health officials could not be immediately reached for comment. The organization issued two statements Wednesday, but did not describe what type of malware infected its systems.
It said in one statement that its IT team has worked continuously to restore access to three main clinical systems. It said no patient data or associate data was compromised.
Ransomware has become one of the most prevalent kinds of malware on the Internet although it has been around for more than a decade.
Several medical facilities have come forward over the last few weeks and publicly said ransomware had disrupted their operations. The targeting of medical groups has added a new and dangerous angle to these kinds of cyberattacks because patient care could be directly impacted.
MedStar encouraged patients on Wednesday to call doctor offices directly to make appointments, as it was still trying to restore its electronic appointment system.
Nonetheless, MedStar said it has been able to keep humming along. Since the attack, it has cared for 3,380 patients a day across 10 hospitals, performed 782 surgeries and delivered 72 babies.
“The malicious malware attack has created many inconveniences and operational challenges for our patients and associates,” according to a statement. “With only a few exceptions, we have continued to provide care approximating our normal volume levels.”
The Baltimore Sun reported the hackers offered MedStar a bulk decryption discount: three bitcoins to decrypt one computer, or 45 bitcoins, roughly US$18,500, to unlock them all.
Authorities are largely at a loss for how to stop ransomware. Some of the ransomware gangs, believed to be in Eastern Europe or Russia, are far out of the reach of law enforcement.
The company said the attacker however did not gain access to Customer Proprietary Network Information (CPNI) or other data.
CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.
Krebs On Security, which first broke the news of the breach, said a member of an underground cybercrime forum had posted a new thread advertising the sale of a database containing the contact information of some 1.5 million customers of Verizon Enterprise.
The seller priced the entire package at $100,000, but offered to sell it off in parts of 100,000 records for $10,000 apiece, Krebs added.
The vulnerability, which was investigated and fixed, did not leak any data on consumer customers, Verizon said in a statement.
The company is currently notifying customers impacted by the breach.
Palo Alto Networks has uncovered a new iOS threat dubbed “AceDeceiver” that is targeting non-jailbroken iDevices via a flaw in Apple’s DRM mechanism.
Palo Alto Networks has an eye for this kind of thing, having uncovered the WireLurker malware wreaking havoc on iPhones back in 2014.
Since then, iOS malware has got more advanced, and the latest threat to iPhone users has successfully managed to infiltrate non-jailbroken kit.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all,” Palo Alto says in a blog post.
AceDeceiver is abusing a design flaw in Apple’s DRM protection mechanism called FairPlay via a technique called “FairPlay Man-in-the-Middle”, enabling attackers to install malicious apps on iOS devices while bypassing Apple’s baked-in security measures.
It can do so without a user knowing, too, and the only tell-tale sign will be a new app icon showing on an iPhone’s home screen that most will probably assume they drunkenly installed.
Palo Alto notes that while this technique has been used by hackers since 2013, this is the first time that it’s been exploited to spread malware.
“In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim,” the security firm explains.
“Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”
Three different iOS apps in the AceDeceiver family were uploaded to Apple’s App Store between July 2015 and February 2016, all of them claiming to be innocent wallpaper apps. Apple removed them from the App Store in February, although by then they had passed Apple’s app review seven times, and Palo Alto notes that even with the apps no longer available, they could still wreak havoc on iPhones and iPads.
“Even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
There’s no need to panic just yet, though, as Palo Alto notes that, for now at least, AceDeceiver is only targeting users in China.
While you don’t need to panic yet, Palo Alto notes that AceDeceiver demonstrates how easy it can be for malware to infect non-jailbroken devices, which could pave the way for similar threats to start cropping up in more regions soon.
“AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices. As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
The firm has also issued a stark warning to iPhone and iPad-wielding businesses, adding: “Since AceDeceiver also spreads via enterprise certificates, we suggest that enterprises check for unknown or abnormal provisioning profiles as well.”
Palo Alto Networks has notified Apple of the malware threat, but it has yet to be patched.