To get the most out of the site we strongly suggest creating an account with us. Be sure to check the box to indicate you want to get the newsletter. Below you’ll find an archive of the newsletters we’ve sent out in the past.
- RDP Manager within the portal. This enables the IT professional to monitor and manage all RDP ports within the network, and disable any that are not being utilized.
- Early Launch Anti-Malware project, which is a joint effort between PC Matic and Microsoft.
- Enabling Windows lockout thresholds by limiting the number of login attempts.
- Restriction of the uninstallation process, which is a control put into place that will not allow the hacker to uninstall PC Matic Pro on the endpoint.
Survey Confirms People Aren't Practicing Good Cyber Security - And It's Impacting Their Employers...
A recent study, conducted by PC Matic, dove into the password and
Users with poor
The survey results confirm, 51% of respondents check their personal email while on their employer's network. This should generate a security concern for employers. Why? Often times if a breach occurs, it is the user's personal email and/or password that is leaked. Therefore, personal email accounts are often targeted by hackers for phishing scams. If employees fall victim to a phishing attack from their personal email account, on company networks, the malware could spread to other endpoints and/or servers connected to the same network.
Additionally, one in five respondents confirmed, they use the same password for their personal and work accounts. This in itself is highly concerning because if the employee's password has been breached, and they're using it in the workplace, hackers can easily use the information to breach the employer's systems.
Theoretically, this would not be a problem if users were changing their passwords. But they aren't. Half of all surveyors reported only changing their passwords when they were forced to, while another 24% stated they rarely change it, and 7% reported they have never changed their account passwords.
North Korean Hacking Group Releases New Trojan
The U.S. Department of Homeland Security and the Federal Bureau of Investigation have issued a joint malware analysis report highlighting a new Trojan used by the hacking group, Lazarus, out of North-Korea.
The report, published on the US-CERT website, stated the new Trojan, deemed Hoplight, was detected while tracking the malicious cyber activity of the North Korean-backed hacking group Lazarus, also known as Hidden Cobra. Additionally, the report contains a detailed analysis of the nine executable files found to be infected with the Hoplight Trojan.
Seven of the nine files have proxy applications in place in order to mask the traffic between the malware and its operators.
Of the remaining two files, researchers confirmed one contained a public SSL certificate with the payload appearing to be encoded with a password or key. The remaining file did not contain any of the public SSL certificates, but attempted outbound connections.
The Hoplight Trojan is able to read, write and move files, enumerate system drives, create and terminate processes, inject into running processes, create, start and stop services, modify registry settings, connect to a remote host, as well as upload and download files. The malware is also able to open and bind to a socket, and uses a public SSL certificate for secure communication.
**PC Matic users, rest assured you are entirely protected from this newly found Trojan. The nine executable files would not be able to run on any computer that has PC Matic's whitelist protection running, as none of the files are known, trusted programs.
North Carolina City Offices Crippled by Robbinhood
The City of Greenville, North Carolina, was struck with ransomware on April 10, 2019. The ransomware variant, called Robbinhood, left the city with no choice but to shutdown their networks. Fortunately, even with their networks offline, public safety systems remained in tact.
The extent of the damage due to the cyber attack remains unknown. However, city officials
No one has confirmed the ransom demands, or if the City of Greenville intends of pay the demands in an attempt to restore their networks.
This is far from the first ransomware attack on a public municipality. In just the last few weeks the City of Albany in New York, and Michigan's Genesee County were also infected with ransomware.
Triton Wormed Their Way Into Another Critical Infrastructure, and Possibly Many More...
The advanced hacker group, Triton, was responsible for an attack on a Saudi petrochemical plant in 2017. The attack would have been successful in destroying the facility, except there was a bug in Triton malware’s coding.
Now, years later, researchers have confirmed finding traces of the Triton group in another critical infrastructure facility. Triton’s malware is designed to silently hide within a target’s network, taking the time to fully understand how the network looks and how each system is interconnected. The goal is to quietly gain access to the facilities safety instrumented systems and industrial control systems. The safety instrumented systems monitor the physical systems to ensure they do not operate outside of their normal operational state. By learning the ins and outs of the critical safety systems, the hacking group is able to execute their cyber attack without causing the systems to enter into a safe fail-over state.
Then, once the Triton group deploys the malware, they target the industrial control systems, which control the entire operations of the facility. By sabotaging these controls, there would be a significant disruption to daily operations, if not generate an entire shutdown of operations.
Triton group’s most recent victim has been very discrete about the incident. The name of the infrastructure is unknown, as is the type of facility and its location. What is known is, the attack was found after the malware caused a process to shutdown that led to an investigation. It is believed this shutdown was unintentional. Although the motives of the attack have not been confirmed, it is believed Triton was attempting to build the capability to cause physical damage to the facility when the shutdown inadvertently was triggered.
Due to the slow and steady approach used, there are concerns additional critical infrastructures may be compromised. In an attempt to catch the hacking group before damage is done, a list of hashes unique to the files found at the second facility has been published. The hope is, other at-risk facilities will use this hash list to check for any evidence their network files have been compromised.
Tax Evasion Scam Spreads, and Hackers Want
Paid -- or Else...
Extortion emails have increased in popularity lately, starting with the massive sextortion campaign that began earlier this year.
Now, a new extortion scam is underway that claims the victim’s computer was hacked. Then, upon being hacked, it was determined taxes were being hidden from the Internal Revenue Service and other tax authorities. To avoid further issues, the hackers demand two bitcoins. If the victims opt not to pay, hackers threaten to notify the "Tax Department", execute a denial-of-service attack on the network, and then encrypt network files using the WannaCry ransomware.
The tax extortion email has a subject line of "Incident: [random characters]" and appears to be targeting companies rather than individual users. Researchers are able to confirm this based on the first sentence of the spam email, which states "Forward this mail to whoever is important in your company and can make decision!"
To date, the listed bitcoin address has not received any extortion payments and it’s unlikely that it will. These extortion scams rely on scaring the user into making a payment in order to avoid embarrassment. Unlike individual users, businesses are less likely to make a hasty judgement call, and pay the hackers. Alternatively, they will likely take a different approach and contact the proper authorities.
Advanced Malware, Baldr, Targets Key Locations to Extract Vital Data
An advanced malware variant designed to steal information, deemed Baldr, is being sold on various cybercrime forums on the dark web. The malicious software is sold for a mere $
In the short-term, hackers have been able to iron out the wrinkles and add new capabilities, which in turn adds to the long-term success of this malicious attack. Additionally, Baldr is essentially invisible to the victim, as it lifts information on the go and doesn’t actually persist on the computer.
Once installed on the device, the malicious software targets key locations including browser profiles, digital currency wallets, records from VPN clients, FTP programs, and Telegram sessions in an attempt to extract the most important data. Additionally, it also searches for and steals the data within document files, including .doc, .log, and .txt files.
Surprisingly, during the exfiltration stage it appears there is no effort to disguise or hide the process of stealing the user’s data. While the malware is lifting the information, regardless of the number of files, they are all sent in one large, and rather obvious, network transfer.
Now for the good news – if there is any. Baldr is non-persistent and does not include a spreading mechanism. Meaning, it targets every victim individually, and does not attempt to spread throughout the network to additional devices.
Russian Hackers Move From Skimmers to Ransomware by Exploiting Vulnerable RDP Ports
FIN6, a Russian cybercrime group that has historically focused on attacking point-of-sale (POS) devices to steal credit card data, is now expanding their portfolio into ransomware distribution.
Over the last three years, the hacking group has targeted the hospitality and retail industries, successfully collecting millions of data sets from credit and debit cards. It is estimated FIN6 has been paid approximately $400 million for the data they have exfiltrated from POS systems. So, why make the leap to ransomware distribution? It’s even more lucrative.
Recently, FIN6 has been found targeting businesses with two different ransomware variants, LockerGoga and Ryuk. Both of these ransomware variants are considered to be newer threats. LockerGoga is the ransomware variant that infected the Norwegian aluminum company, Norsk Hydro, just last month.
Ryuk, although not as new, has proven to evade most security solutions, making it appealing to many cyber criminals. Ryuk does not infect via executable file; alternatively, it runs through PowerShell. It is because of this fileless attack method, that Ryuk is able to bypass most security programs. Ryuk has also been in the news lately for infecting Chicago-based Tribune Publishing, which in turn impacted newspaper distributions nationwide.
It is believed since making to switch to ransomware distribution in 2018, FIN6 has been paid millions in ransom demands. Now to the ground breaking question – how are they doing it? The hacking group has been seen using stolen credentials to access the network through the endpoint’s Remote Desktop Protocol (RDP) ports. Once they gain access to the network through the RDP port, the hackers abilities become unlimited. Attackers can drop a backdoor to allow for additional malware to be installed, execute ransomware, disable the antivirus protection, steal intellectual property, and more.
In order to protect against RDP attacks, users can do two things. Disable the RDP port, if they are not using it. Or, if it must remain open for access, users should deploy a security solution that actively thwarts these types of attacks.
PC Matic Pro has made the following product enhancements to block these types of attacks:
Banking Trojan TrickBot Spreads Like Wildfire
For years, cyber criminals have increased spam campaigns around tax time, in an attempt to make a quick buck. This year is no different. Cyber criminals have begun distributing the banking Trojan, TrickBot, through malicious emails fraudulently portraying tax and payroll services.
Researchers confirmed the malware has been used in three different malware campaigns since late January. These email campaigns are targeting victims pretending to be from large accounting, tax and payroll services firms, like ADP and Paychex. However, in reality the messages were carrying malicious Microsoft Excel attachments masked as tax or billing invoices, which upon opening will download and execute the TrickBot trojan.
Once the Trojan is installed on one endpoint, TrickBot does two things. First, it steals as much data as possible on the device. The data stolen can range from basic email content to banking credentials – the possibilities are limitless, as the hackers have full control of the device. Then, the malware attempts to spread throughout the network to maximize destruction. If it is able to spread to additional devices, it will again steal as much data as possible on each device it touches.
Unfortunately, TrickBot is not noticeable to the average user, as the action it takes is executed in the background. However, IT professionals will likely notice the changes in traffic or attempts to connect to unauthorized domains when the malware tries to connect to its command-and-control servers.
Researchers have confirmed the mail styles, behavior of the malicious attachments, and the subsequent malware URLs were the same for all three email campaigns used to distribute TrickBot. Due to these three similarities, it is believed the same cyber criminals were behind all three campaigns.
The exact target of these emails is unknown; however, since the hackers are fraudulently portraying large firms, like ADP and Paychex, the attacks are likely to have some success.
279 total views, 1 views today
About The Pit Crew
PC Pitstop's Pit Crew is committed to providing you with the information you need to keep your PC safe and running like new.