About The Reading List

To keep current on threats and what they mean to businesses, I read a lot of sources every day. So I had the idea, why not share our reading list with everyone. So this page is dedicated to the never ending collection of articles that I think are important.

Cisco Releases Security Update

Read Full Article

Original release date: November 28, 2018

Cisco has released a security update to address a vulnerability in Cisco Prime License Manager. A remote attacker could exploit this vulnerability to obtain sensitive information.

NCCIC encourages users and administrators to review the Cisco Security Advisory and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Read Full Article

Someone Hacked 50,000 Printers to Promote PewDiePie YouTube Channel

Read Full Article

This may sound crazy, but it’s true!

The war for “most-subscribed Youtube channel” crown between

T-Series

and

PewDiePie

just took an interesting turn after a hacker yesterday hijacked more than 150,000 internet-connected printers worldwide to print out flyers asking everyone to subscribe to PewDiePie YouTube channel.

PewDiePie, whose real name is Felix Kjellberg, is a famous YouTuber from Sweden known for his game commentary and pranks and has had the most subscribers on YouTube since 2013.

However, the channel owned by Bollywood record label T-Series has been catching up in recent months, and now both are hovering around 72.5 million YouTube subscribers.

From this fear that PewDiePie won’t remain the number one most-subscribed YouTuber in the world, an anonymous hacker (probably his die-hard fan) with the Twitter username “

TheHackerGiraffe

” comes up with a hackish idea.

TheHackerGiraffe scans the Internet to find the list of vulnerable printers with port 9100 open using Shodan, a search engine for internet-connected devices and exploited them to spew out a message, saying:

“PewDiePie is in trouble, and he needs your help to defeat T-Series!”

“PewDiePie, the currently most subscribed to channel on YouTube, is at stake of losing his position as the number one position by an Indian company called T-Series that simply uploads videos of Bollywood trailers and campaigns,”

And then the message urges hack victims to unsubscribe from T-Series channel and subscribe to PewDiePie instead.

Though it’s a nice trick to raise cybersecurity awareness and consequences of leaving vulnerable printers exposed online, law and information security experts do not recommend other white hat hackers to participate in such stunts.

“Spread the word with your friends about printers and printer security! This is actually a scary matter,” the hacker tweeted.

Believe it or not, even your fax number is literally enough for a hacker to gain complete control over the printer and possibly infiltrate the rest of the network connected to it. Earlier this year we covered research explaining vulnerabilities discovered in the communication protocols used in tens of millions of fax machines globally.

Well, the gap between the two channels is narrowing, let’s see if PewDiePie could win the crown of most-followed YouTube channel.

Read Full Article

AccuDoc Data Breach impacted 2.6 Million Atrium Health patients

Read Full Article


Hospital network Atrium Health suffered a data breach, hacked accessed patients’ personal information after compromised the technology solutions provider AccuDoc.

Atrium Health offers healthcare and wellness programs in the Southeast of the United States through more than 40 hospitals and 900 care locations.

AccuDoc is a company providing technology solutions to the healthcare industry, including Hospital network Atrium Health.

Atrium Health was informed on October 1 that AccuDoc had detected unauthorized access to its databases that stored data related to payments made at several company locations, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network.

Hackers accessed to personal information on patients and guarantors (i.e. the individual paying for a patient’s bill), including name, date of birth, address, insurance policy details, medical record number, invoice number, account balance, date of service and, in some cases, social security number. The archive did not contain financial data or clinical/medical information.

The data breach impacted roughly 2.65 million patients, attackers gained access to AccuDoc systems for roughly one week between September 22 and September 29.

“Following an extensive forensics review, it appears that an unauthorized third party gained access to AccuDoc’s databases between September 22, 2018 and September 29, 2018.” reads the data breach notification published by Atrium Health.

“Based on the review, the information that may have been accessed included certain personal information about patients and guarantors (a person who is responsible for paying a patient’s bill), including first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, and dates of service. For some individuals, the personal information may also have included Social Security numbers.” 

Atrium Health

The company pointed out that no personal information was stolen from AccuDoc’s database and that it is not aware of any misuse.

Atrium Health notified the affected individuals by mail, the company recommends monitoring account statements, bills, notices, and insurance transactions for incidents of unauthorized activity.

Pierluigi Paganini

(Security Affairs – Atrium Health, data breach)








Share On


Read Full Article

FBI Takes Down a Massive Advertising Fraud Ring

Read Full Article

FBI Takes Down a Massive Advertising Fraud Ring

The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people:

A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with criminal violations for their involvement in perpetrating widespread digital advertising fraud. The charges include wire fraud, computer intrusion, aggravated identity theft and money laundering. Ovsyannikov was arrested last month in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested earlier this month in Estonia, all pursuant to provisional arrest warrants issued at the request of the United States. They await extradition. The remaining defendants are at large.

It looks like an impressive piece of police work.

Details of the forensics that led to the arrests.

Tags: , , ,

Posted on November 29, 2018 at 6:17 AM

25 Comments

Read Full Article

New PowerShell-based Backdoor points to MuddyWater

Read Full Article


Security researchers at Trend Micro recently discovered PowerShell-based backdoor that resembles a malware used by MuddyWater threat actor.

Malware researchers at Trend Micro have discovered a Powershell-based backdoor that is very similar to a malware used by MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by TEMP.Zagros group (another name used by the experts to track the MuddyWater), targeting Asia and Middle East regions from January 2018 to March 2018.

In the latest attacks detected by Trend Micro, threat actors used TTPs compatible with MuddyWater, the malicious code was uploaded to Virus Total from Turkey. The attackers used decoy documents that would drop a new PowerShell backdoor that is similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.

The weaponized documents contain images showing blurry logos belonging to some Turkish government organizations, they trick victims into enabling macros to display the document properly.

MuddyWater

The macros contain strings encoded in base52, a technique that is not common and that was used by MuddyWater in past attacks. Once enabled, the macros will drop a .dll file (with a PowerShell code embedded) and a .reg file into %temp%directory.

The PowerShell code has several layers of obfuscation, the backdoor initially collects the system information and concatenates various pieces of information (i.e. OS name, domain name, user name, IP address) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions associated with the purpose of the file:

  • .cmd – text file with a command to execute
  • .reg – system info as generated by myinfo() function, see screenshot above
  • .prc – output of the executed .cmd file, stored on local machine only
  • .res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.” continues the experts.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”

The malware supports various commands including file upload, persistence removal, exit, file download, and command execution.

Experts concluded that the attacks aimed at Turkish government organizations related to the finance and energy sectors that were also hit by MuddyWater in the past.

“This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities.” concludes Trend Micro.

“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – MuddyWater, backdoor)

 








Share On


Read Full Article

What the Marriott Breach Says About Security

Read Full Article


We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.

By the way, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Theassume you’re compromised” philosophy involves freezing your credit files with the major credit bureaus, and regularly ordering free copies of your credit file from annualcreditreport.com to make sure nobody is monkeying with your credit (except you).

It means planting your flag at various online services before fraudsters do it for you, such as at the Social Security Administration, U.S. Postal Service, Internal Revenue Service, your mobile provider, and your Internet service provider (ISP).

Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful: Your Starwood account number, your address, phone number, email address, passport number, dates and times of your reservations, and credit card information.

How hard would it be for someone to craft an email that warns of a problem with a recent reservation or with your Starwood account, urging you to click a booby trapped link or attachment to learn more? Now imagine that such targeted emails can come from any brand with whom you’ve done business (for a refresher, see Reality #2 above).

Assuming you’re compromised means beefing up your passwords by adopting more robust multi-factor authentication — and perhaps even transitioning away from SMS/text messages for multifactor toward more secure app- or key-based options.

TOUGH TRADE-OFFS

If the advice above sounds inconvenient, unfair and expensive for all involved, congratulations: You are well on your way to internalizing Realities #1 and #2. For better or worse, being a savvy consumer means constantly having to make difficult trade-offs between security, privacy, and convenience.

Oh, and you generally only get to pick two out of three of these qualities. Same goes for the trio of high-speed, high-quality, and low-cost. Or good, fast, and cheap. Again, pick two. You get the idea.

Unfortunately, these transactions become even more lopsided and difficult to weigh when one party to them always selects the same trade-off (e.g., fast, low-cost, and convenient). Right now, it sure seems like there aren’t a lot of consequences when huge companies that ought to know better screw up massively on security, leaving consumers and their paying customers to clean up the mess.

I don’t know how many more big-time privacy and security debacles we need to convince our nation’s leaders that perhaps we should enshrine in law some basic standards of care for how companies handle and secure consumer data, and what rights and expectations consumers should have when companies fail to meet those standards. Because it’s clear that unless and until this happens, some subset of businesses out there will continue to make the most expedient and short-sighted trade-offs available to them, regardless of the impact to their customers and the public at large.

On this point, as with many others related to Internet security and privacy, I found it hard to argue with the opinion of my home state Senator Mark Warner (D-Va.), who observed:

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”















This entry was posted on Saturday, December 1st, 2018 at 4:16 pm and is filed under A Little Sunshine, Data Breaches, Security Tools.
You can follow any comments to this entry through the RSS 2.0 feed.

You can skip to the end and leave a comment. Pinging is currently not allowed.



Read Full Article

ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools

Read Full Article


Over 270,000 connected devices run vulnerable implementations of UPnP, threat actors are attempting to recruit them in a multi-purpose botnet.

In April, Akamai reported that threat actors compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug’N’Play (UPnP), experts tracked the botnet as UPnProxy.  Now the company provided an update to its initial analysis revealing a disconcerting scenario, UPnProxy is still up and running.

The UPnP communication protocol is widely adopted even if it is known to be vulnerable. In early 2013, researchers at Rapid7 published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs related to Portable UPnP SDK were vulnerable to remote code execution just through a single UDP packet, over 6,900 product versions from over 1,500 vendors were vulnerable through UPnP due to the exposure of UPnP SOAP service to the internet.

Abusing the protocol attackers can control the traffic in and out the networks, UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment.

The malicious botnet uncovered by Akamai is composed of vulnerable devices including malicious NAT injections, it turns routers into proxies, for this reason, the experts called the injected devices UPnProxy.

Experts recommend users to install routers update and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities are still unpatched, the experts found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been compromised.

“In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.” Akamai notes

“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.”

The latest campaign observed by Akamai tracked as EternalSilence, is targeting millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed (CVE-2017-7494) exploits.

“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.” continues Akamai.

“Unfortunately, Akamai researchers are not able to see what happens after the injections are have occurred , they can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.”

Experts observed millions of successful injections attempting to compromise millions of systems running SMB services, Akamai researchers speculate attackers are leveraging the Eternal family of exploits belonging to the NSA arsenal.

Hackers hijacked some 45,113 routers that expose a total of 1.7 million unique machines to the attackers.

“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” states Akamai.

According to the experts, that attackers are being opportunistic, they are scanning the Internet for SSDP and pivoting to the TCP UPnP daemons or is targeting a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.

“Criminals are clever, and will take any advantage they can get when it comes to exploiting systems and services. So, while it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually.” concludes Akamai. “That these attacks likely  leverage two well-known vulnerabilities, which have been patched for some time, should come as no surprise.”

Pierluigi Paganini

(Security Affairs – UPnProxy, NSA hacking tools)








Share On


Read Full Article

TA18-331A: 3ve – Major Online Ad Fraud Operation

Read Full Article
Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
  • %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfile\AppData\Local\Temp\<RANDOM> .exe/.bat
  • %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=\d{5,8}
  • /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
  • /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

References

Revision History

  • November 27, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Read Full Article

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

Read Full Article
The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware.
The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed.
The duo used

Read Full Article

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

Read Full Article
The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware.
The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed.
The duo used

Read Full Article