Trickbot – new entrant in the Indian Online Banking Cyberspace

Ransomware is not the only prevalent threat these days; other threats, too, have been making their foray. We tend to forget that security is an ongoing process and is not limited to one single threat. We have to be on our toes 24x7 and alert at all times, ensure that all the SOPs are adhered to, and ensure regular audits of all security processes and procedures.

For the past few weeks, ransomware has gained notoriety, specifically due to the exploits used by the WannaCry ransomware; however, during the same period TrickBot, a banking Trojan, was working towards stealing banking credentials and gaining access to the bank accounts of its victims.

Since the release of the Zeus bot source code a couple of years ago, we have observed a rise in Trojans that share the same or a similar codebase with Zeus. Along similar lines, Trickbot shares many similarities with Dyre, yet another banking malware.

Trickbot’s configuration contains a list of banking URLs; when the victim accesses one of them, the session is intercepted and exploited. In recent weeks, Trickbot has expanded its attack vector and has truly gone global, targeting numerous banks, payment processors and CMS systems.

Targeting CMS systems provides Trickbot with access credentials, which can then be further leveraged to carry out targeted attacks, including spear-phishing attacks and, to a certain extent, watering-hole attacks.

Recently, Trickbot added a couple of Indian banks to its configuration, viz. SBI Bank and ICICI, considering their huge consumer base; however, we are yet to observe any active attack on their consumers.

Moreover, in the coming weeks/months we expect much larger campaigns targeting Indian online banking customers, and a few more Indian banks to be added by Trickbot to its configuration. Furthermore, based on the success of Trickbot, we may also observe other banking Trojans sneaking into the Indian cyberspace.

We at eScan believe it is our duty to be proactive in alerting users about potential attacks, which will assist them in taking the necessary precautions. Moreover, eScan users are protected from the threats posed by Trickbot and all other banking Trojans.

Advisory:

1: Net-banking users should install an Antivirus/Internet Security Suite on all of their devices, including their mobile phones.

2: Regularly apply the patches released by software vendors.

3: Implement Email Gateway security solutions to protect your organization from malicious emails.


Web Security: A Major Hurdle for Organizations

The Internet being undeniably the biggest growing market in the digitization era, the necessity of online security is being stressed. Technology has developed in such a way that enterprises adopting it lack much in the way of online security measures to protect the data and digital identity of their customers and partners. It is similar to retail stores minimizing the risk of theft or shoplifting by installing surveillance cameras. If an organization wants online security for its critical data, then the related safety measures are very important.
In the age of information, everything has its value and can be misused in multiple ways unless the necessary precautions are taken to prevent online attacks performed by hackers. We are always in danger of suffering financial losses, loss of integrity and even loss of peace of mind. We regret such incidents, which might easily have been avoided had we invested in online security measures.
The first important step to hide the information shared on your site from potentially harmful eyes is to ensure SSL certification. A URL that begins with https:// instead of http:// is much more secure.


Today encrypted sites are clearly displayed with a green padlock sign in the web browser. This signals to the user that his/her session with the website is encrypted. This ensures all communication is secured with a key that cannot easily be retrieved by third parties, and thus the communication is secured and cannot be read. If a website does not use an SSL certificate, the information travels in plain text, which is easily intercepted and readable by anyone.
The risks of not investing in online security are much higher than owners anticipate. The larger the company and its business potential, the higher the risk of attacks and data theft. However, smaller businesses are targeted as well, since they often lack fundamental online security measures. As a result, they are easy targets.
Securing your website and the information it exchanges with its readers establishes a trustworthy environment for conducting daily business. Since technology evolves every day, it is logical to stay updated on cyber security and take the necessary precautions. The trust factor is very important in this respect. You need to cross-check whether online security is adhered to in the system, and organizations hardly have the resources to migrate to HTTPS. It is advisable to bring a specialist on board to enable this, by visiting HTTPS.IN.

Extended Validation Certificate

This is the newest type of SSL certificate; it gives users more confidence and takes control of a given website. An Extended Validation certificate reassures users that they are viewing the authentic website and not something else in disguise. It displays a green address bar while users log in to the website, and on the right side of the address bar a notice space shows the legal company name and the certificate authority that issued the validation certificate. This helps organizations increase their credibility and establish online trust with their viewers.
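The padlock and the EV notice described above are built from a handful of certificate fields. The following script, added here as an example and not part of the original post, fetches a server certificate with full browser-style validation and reports what those fields say: whether the certificate is DV, OV or EV, the organisation name an EV cert displays, the issuing CA, and days to expiry. The EV-only attribute names are an assumption based on the CA/Browser Forum EV Guidelines; the sample certificate dictionary is constructed, not real.

```python
import socket
import ssl
import time

# Subject attributes only an Extended Validation certificate carries (assumption based on
# the CA/Browser Forum EV Guidelines); DV and OV certificates have none of them.
EV_ONLY_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def fetch_cert(host, port=443):
    """Browser-style fetch: chain and hostname are verified, else SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _flatten(rdns):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (key, value)
    return {key: value for rdn in rdns for key, value in rdn}

def describe_cert(cert, now=None):
    """What the padlock is built from: validation level, EV organisation, issuing CA,
    covered DNS names and days until expiry (now = epoch seconds, default current time)."""
    subject, issuer = _flatten(cert.get("subject", ())), _flatten(cert.get("issuer", ()))
    org = subject.get("organizationName")
    level = "EV" if org and EV_ONLY_SUBJECT_FIELDS & subject.keys() else "OV" if org else "DV"
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return {
        "validation": level,
        "organization": org,
        "issuer": issuer.get("organizationName"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": int((expires - now) // 86400),
    }

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "IN"),),
                (("serialNumber", "U00000XX0000PTC000000"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.example-bank.test"),)),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example EV CA"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
    "notAfter": "Jan  1 00:00:00 2019 GMT",
}

if __name__ == "__main__":
    print(describe_cert(SAMPLE_EV_CERT))
```

Against a live site use `describe_cert(fetch_cert("www.example.com"))`; a site without a valid certificate raises before any fields are read, which is exactly the failure the browser padlock reports.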


Microsoft releases patches for exploits used by NSA’s hacking tools

Microsoft has released patches for 3 more vulnerabilities, which were found in the exploit tools created by the NSA and subsequently released by the ShadowBrokers.

Last month, the WannaCry ransomware used one of the exploits, code-named EternalBlue by the NSA, which had already been patched by Microsoft in March. Even though the patch was issued, many did not patch their systems and allowed WannaCry to take control of their systems and encrypt their data.

Considering that WannaCry affected many systems worldwide, users and system administrators should patch their XP and Windows 2003 Server systems immediately.

| NSA Hacking Tool | Exploit CVE | Patch Download Link |
|---|---|---|
| “EnglishmanDentist” | CVE-2017-8487 | https://support.microsoft.com/en-us/help/4025218/security-update-for-windows-xp-and-windows-server-2003 |
| “EsteemAudit” | CVE-2017-0176 | https://support.microsoft.com/en-us/help/4022747/security-update-for-windows-xp-and-windows-server-2003 |
| “ExplodingCan” | CVE-2017-7269 | https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server |
| “ErraticGopher” | CVE-2017-8461 | https://support.microsoft.com/en-us/help/4024323/security-update-of-windows-xp-and-windows-server-2003 |

Microsoft has also released some additional patches for XP and 2003 Server; all end-users running older versions of Microsoft Windows should visit this link to download the patches made available for the additional vulnerabilities not covered here.

https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

Previously, Microsoft had issued patches for the below-mentioned hacking tools developed by the NSA:

| NSA Hacking Tool | Patch Information | Download Link |
|---|---|---|
| “EternalBlue” | MS17-010 | https://technet.microsoft.com/library/security/ms17-010.aspx |
| “EmeraldThread” | MS10-061 | https://technet.microsoft.com/library/security/ms10-061 |
| “EternalChampion” | CVE-2017-0146 & CVE-2017-0147 | A: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146 B: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147 |
| “EskimoRoll” | MS14-068 | https://technet.microsoft.com/library/security/ms14-068.aspx |
| “EternalRomance” | MS17-010 | https://technet.microsoft.com/library/security/ms17-010.aspx |
| “EducatedScholar” | MS09-050 | https://technet.microsoft.com/library/security/ms09-050 |
| “EternalSynergy” | MS17-010 | https://technet.microsoft.com/library/security/ms17-010.aspx |
| “EclipsedWing” | MS08-067 | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |

eScan users are protected by eScan’s proactive Critical Patch Management, which checks endpoints for missing OS patches by matching the installed patches against the released patch list. The missing critical Windows update patches are then downloaded and installed on the computer where eScan is running. The above-mentioned patches have been added to eScan’s Critical Patch Management Database and will be available to all our customers.
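The same installed-versus-released comparison can be done by hand for the XP / Server 2003 patches listed in the first table. The script below is an added example, not eScan’s code: it pulls the KB number out of each support URL from the table, reads the hotfix IDs the host reports through `Get-HotFix`, and names every leaked tool whose patch is still missing. It assumes PowerShell is available on the host (it is not installed by default on XP); the installed-ID sets used for checking are constructed.

```python
import re
import subprocess

# Catalogue copied from the first table in the advisory: tool -> (CVE, patch URL).
LEAKED_TOOL_PATCHES = {
    "EnglishmanDentist": ("CVE-2017-8487", "https://support.microsoft.com/en-us/help/4025218/security-update-for-windows-xp-and-windows-server-2003"),
    "EsteemAudit": ("CVE-2017-0176", "https://support.microsoft.com/en-us/help/4022747/security-update-for-windows-xp-and-windows-server-2003"),
    "ExplodingCan": ("CVE-2017-7269", "https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server"),
    "ErraticGopher": ("CVE-2017-8461", "https://support.microsoft.com/en-us/help/4024323/security-update-of-windows-xp-and-windows-server-2003"),
}

KB_IN_URL = re.compile(r"/help/(\d+)/")

def kb_from_url(url):
    """'.../help/4025218/...' -> 'KB4025218' (the ID Get-HotFix reports), or None."""
    m = KB_IN_URL.search(url)
    return "KB" + m.group(1) if m else None

def installed_kbs():
    """Hotfix IDs of the local Windows host via Get-HotFix (Win32_QuickFixEngineering).
    Assumption: PowerShell is present on the host."""
    out = subprocess.run(
        ["powershell", "-NoProfile", "-Command",
         "Get-HotFix | Select-Object -ExpandProperty HotFixID"],
        capture_output=True, text=True, check=True).stdout
    return {line.strip().upper() for line in out.splitlines() if line.strip()}

def unpatched_tools(installed, catalogue=LEAKED_TOOL_PATCHES):
    """Return {tool: (cve, kb, url)} for each catalogue entry whose KB is not installed."""
    have = {kb.strip().upper() for kb in installed}
    missing = {}
    for tool, (cve, url) in catalogue.items():
        kb = kb_from_url(url)
        if kb and kb not in have:
            missing[tool] = (cve, kb, url)
    return missing

if __name__ == "__main__":
    for tool, (cve, kb, url) in unpatched_tools(installed_kbs()).items():
        print(f"MISSING {kb} ({cve}, exploited by {tool}): {url}")
```

An absent ID is a prompt to check rather than a verdict, since a later update that supersedes a listed KB may not report that KB number itself.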


Fireball – the inferno within


There are very few countries which emanate threats globally, China being one of them. Fireball is legitimate software in the sense that it is digitally signed by the very organization that developed it; however, it also bundles malicious binaries and browser extensions.

Traditionally, adware was never considered malicious, since its sole intention was to redirect traffic and bombard the user with advertisements; furthermore, adware was always bundled with other legitimate software, so that unsuspecting users ended up installing it too. Besides, there exists a Pay-Per-Install (PPI) revenue-sharing model between the developers and the bundled-software providers. Because they piggyback on the popularity of legitimate software, this association is profitable for all the stakeholders.

Fireball not only installs adware but also switches the victim’s default browser search engine to a fake one, which in turn redirects the search query to Yahoo.com or Google.com. However, these fake search engines do a lot more than a simple redirect: they track users, and they can spy on their victims too by dropping and executing malware.

The concern around Fireball is that the adware it installs after being downloaded to a device is capable of installing malware using a backdoor. This in turn could be used by cyber criminals to push malicious code or exploits and create large-scale attacks or disruptions. Though adware installation by various software download applications is seen as an accepted practice by end-users, the Fireball issue could be different from what meets the eye, which is a huge concern given its install base of more than 250 million devices worldwide.

eScan’s advisory suggests the below precautions be implemented against such attacks in the ever-growing, complex cyber threat landscape:

  • eScan recommends using an adware scanner to check whether there is anything wrong with the browser
  • Once you find the adware on the system, go to the Programs and Features list in the Windows Control Panel to uninstall the program
  • MacOS users should use Finder to locate and uninstall the application, and then empty the Trash to delete the compromised file
  • Go to your browsers and look through the tools and extensions to uninstall anything suspicious
  • Check regularly for any unauthorized or suspicious browser extensions and plug-ins, to make sure your homepage and search engine are the ones you have set
  • Always opt for custom installation and then de-select anything that is unnecessary or unfamiliar

The information provided above will help you protect your system from becoming a victim of the Fireball malware.
