Monthly Archives: February 2017

Exploit Kits — Recent Computer Security Threats

By Michael Birman on July 16, 2019

Cyber criminals are continually devising new ways to invade electronic devices and computer networks in order to steal valuable confidential information that is then exploited for nefarious purposes. The never-ending introduction of new malicious software (malware) threats is almost impossible for IT professionals to keep pace with, much less prevent, so it is especially difficult for the average computer operator to follow.

Security software developers are also kept busy creating new ways to detect, identify, locate and eradicate malware threats, the ever changing nature of which requires the continual creation of new software programs or updates to existing programs in order to defend against invasive cyber crimes.

Cybercrime has become so prevalent that a standard has evolved for naming the vulnerabilities that malware threats exploit, known as “Common Vulnerabilities and Exposures” or CVEs, and there are a lot of them.

The variety and number of computer viruses and malware that IT professionals deal with on a daily basis are staggering. In addition to viruses, ransomware and thousands of other malware threats, the latest means of illicitly gathering information is known as “exploit kits” (EKs): software packages designed to run on web servers that find and exploit vulnerabilities in the electronic devices that connect to and communicate through that server. This enables cybercriminals to upload nefarious software and execute malicious code on multiple vulnerable machines.

It has never been more important to use security software and to install manufacturer updates as soon as they become available. In addition, precautionary measures should include backing up files, removing unused programs, avoiding random clicking, only opening attachments from reputable sources and updating all frequently used programs. All of these are essential elements of protecting electronic devices from cyber invasions.

Focusing on just one type of cybercrime, the following is a list of the top 10 EKs that Intel identified as the most prevalent during the first few months of 2017. Each class of Exploit Kit covers multiple CVEs:

1 – Neutrino Exploit Kit
Neutrino EK and its predecessor Neutrino-v surged in popularity in the middle of 2016 and are known for infecting compromised sites and malvertising with various malware applications. The creators and distributors of this kit are known as Operation Afraidgate and Operation ShadowGate and there are over 30 CVEs dating back to 2013 that have been identified as current potential threats in this category of Exploit Kits.

2 – RIG Exploit Kit
Created and distributed by Operation Deep Panda, Operation DragonFly, Operation Pitty Tiger and Operation Afraidgate, the latest VIP version of RIG EK is called RIG-v and uses new URL patterns. RIG is spread through advertisements that have been inserted into websites which are legitimate and unknowingly feature those suspicious ads. This EK has been around since 2012 and the nearly 50 updated versions that have been introduced since then keep RIG at the top of the list of biggest cyber threats.

3 – Empire Pack Exploit Kit
The Empire Pack Exploit Kit is also known as RIG-E and was introduced in 2016 to take advantage of flaws in Adobe and Microsoft software applications and 5 different CVEs have been found in this category of EKs.

4 – Sundown Exploit Kit
Operation ShadowGate introduced the Sundown EK, which is also known as Beta Exploit Pack and was last updated at the end of 2016. This EK distributes remote-access Trojans (RATs) through malicious links in phishing emails sent directly to computer users, who unknowingly click on those links. Sundown EK is known to use steganography (hiding data inside ordinary-looking files such as images) to conceal the exploit code contained within the malware. This EK dates back to 2014 and 17 CVEs have since been identified in this category of EK.

5 – Bizarro Sundown Exploit Kit
This EK is the predecessor of the Sundown EK and was first discovered in October, 2016. Intel has found 5 CVEs in this category dating back to 2014 that were distributed by Operation ShadowGate.

6 – Magnitude Exploit Kit
The Magnitude EK is also known as Popads and uses malvertising attacks to infect a plethora of victims who visit compromised websites. Intel has discovered 25 different CVEs dating back to 2011 in this category of EK.

7 – Astrum Exploit Kit
Astrum EK is also known as Stegano and hides in malicious advertising banners that are used by many websites. Intel has identified 12 CVEs dating back to 2010 in this category of EK.

8 – Sweet Orange Exploit Kit
The Sweet Orange EK uses phishing emails containing malicious links or attachments to spread various malware applications. To date 14 different CVEs have been found in this EK category that date back to 2012.

9 – Sednit Exploit Kit
Three different CVEs dating back to 2013 have been found in this category of EKs which are distributed by a hacking group that calls itself “Sednit” and creates malware that targets flaws contained in Microsoft’s Internet Explorer.

10 – CK Exploit Kit
The CK EK was first discovered in 2012 and affected primarily Korean and Chinese websites with “drive-by” downloads that infected users’ electronic devices. To date 7 different CVEs dating back to 2011 have been identified in this category of EK.

For as long as there have been computers, there have been hackers devoting their time to invading personal privacy and stealing valuable information that is then exploited for nefarious purposes. Viruses, malware, exploit kits and other invasive tools continue to expand, not only in type and number, but also in sophistication and frequency. It’s never been more important to use up-to-date security software and to maintain a good working relationship with an IT professional who stays abreast of the latest threats and the ways to combat them in order to protect privacy and confidential information.

More information about each of the EKs identified above, as well as many other potential cyber threats, can be found at Intel’s website (http://tld.mcafee.com/), which is devoted entirely to cyber security. This informative site offers a wealth of information about the campaigns, vulnerabilities, ransomware and exploit kits that have been and continue to be used to gather confidential information for nefarious purposes.

Top Ten Cyber Threats

By Michael Birman on July 16, 2019

Computer operators around the world devote more and more time to fending off nefarious invasions of their electronic devices and computer networks. The ever-changing list of viruses, campaigns, vulnerabilities, exploit kits, malicious software (malware) and a plethora of other cyber threats also keeps cyber security companies busy tracking them, so that they can provide customers with up-to-date security software to locate, identify and eradicate threats that are becoming more sophisticated and more numerous.

It has never been more important to maintain up-to-date security software than today, when cyber criminals continue to devise new and cleverly deceptive ways to steal valuable information for exploitation. To help protect against nefarious invaders, install manufacturer updates for all frequently used programs (especially those related to cyber security) and remove programs that are seldom or never used in order to eliminate possible vulnerabilities. It’s also advisable to back up important files frequently and to avoid clicking on advertising and other links and attachments included in emails unless you are sure of their authenticity.

The U.S. Department of Homeland Security (DHS) divides cyber threats into two categories (vulnerabilities and exposures) and created the standard for security vulnerability names that’s known as Common Vulnerabilities and Exposures (CVE). In-depth information about individual CVEs can be found at https://cve.mitre.org.

The following is by no means a comprehensive list, but it comprises the current top ten cyber threats discovered by Intel Corporation, which maintains a website devoted solely to cyber security, known as the Threat Landscape Dashboard, at http://tld.mcafee.com.

1 – CVE-2016-7200
Microsoft Edge’s Chakra JavaScript engine lets remote attackers execute arbitrary code or cause a denial of service via memory corruption triggered by crafted websites.

2 – CVE-2016-7201
Operates the same way as CVE-2016-7200.

3 – CVE-2016-4190
Allows attackers to execute arbitrary code or cause a denial of service through memory corruption via unspecified vectors in Adobe Flash Player on Windows and Linux.

4 – Cerber Ransomware
Cerber ransomware is sold to distributors in underground Russian forums and targets Office 365 users by encrypting files and playing an audio file that demands a ransom to unlock the data.

5 – Locky Ransomware
The continually evolving Locky ransomware does not infect computers using the Russian language, but targets Windows users by encrypting files in multiple local and remote locations, including removable drives, mapped drives and unmapped network shares.

6 – Satan Ransomware
This ransomware is hosted on the Dark Web and is provided free of charge for hackers to use as a “ransomware-as-a-service” (RaaS). Developers of the ransomware require 30% (of the ransom) to use the service and will reduce the amount based on funds actually received.

7 – RIG Exploit Kit
RIG is spread using suspicious ads that have been inserted into legitimate websites.

8 – Neutrino Exploit Kit
This EK and its predecessor Neutrino-v surged in popularity in 2016 and use compromised websites and malvertising to infect computers with various malware.

9 – Operation Shamoon 2
This cyber attack used seemingly legitimate credentials to spread malware across networks targeted in Saudi Arabia in late 2016 and used components similar to attacks perpetrated in 2012.

10 – Operation Methbot
This fraud campaign was discovered in 2016 and uses a botnet that spoofs thousands of name-brand website domains to fraudulently net between three and five million dollars every day.

This is only one of multiple lists of top ten threats discovered by Intel; the lists are always changing, and the information in them is always valuable. It behooves computer operators everywhere to make themselves aware of the various cyber threats and to take measures to protect against them.

Microsoft Windows 10

By Michael Birman on July 16, 2019

Before Microsoft introduced its Windows operating system, operators had to access data on computers using Microsoft MS-DOS, a “command-line” operating system that required knowledge of many commands and was very different from, and much more complicated than, the latest icon-laden operating system known as Windows 10.

MS-DOS contained no graphics or windows and users would see a “DOS prompt” when they booted up their computers. You had to know the commands necessary to launch certain computer programs or run utilities that were built into the system.

This complicated operating system required various commands for operating the computer, including typing “A:” at the prompt to switch to the floppy drive (drive “A”). To change directories you would use the “CD” command; to view the files in a directory you would use the “DIR” command; and to run a particular computer program you would have to type the name of the program’s “executable file” at the prompt.

MS-DOS did only one thing at a time so that multitasking with which we are so familiar today was impossible. If you were in a program and wanted to use another, you’d have to close the current program and enter the command to open the other program. If you wanted to add a new program from a floppy disk, you would have to insert the floppy disk into your computer’s “floppy” drive and wait for the computer to read the contents on the disk. Then you would have to follow a series of commands to actually be able to access and use the new program.

The old DOS system had no built-in support for the hardware devices that programs need. For example, if you purchased and installed a new game on your computer, that game had to include options for supporting every type of sound card a computer user might own, and you would have to use a SETUP program to configure the settings for every program you added to your computer.

Thankfully, Microsoft developed its Windows technology that simplified computer use and increased the demand for personal computers. Multiple software applications have been developed to accommodate every computer user and provide software solutions for basically everything you need to accomplish.

Microsoft has continually upgraded its Windows operating system and is currently on version 10. Windows 7.0 has proven to be the most popular version of the operating system and many people prefer it over Windows 10. However, if you purchase a new computer, the upgraded Windows 10 is the only option available.

Many computer operators would like to incorporate some of the features of the older 7.0 version into the newer 10.0 and, if you are one of those people currently using Windows 10 but would like to make it seem more like 7, the following is a list of things you can do to accomplish that.

Signing in with a Local Account

Of course Windows 10 prefers that you sign in using your Microsoft account, but you can switch to signing in with a local account instead by following these steps:

1 – Click on the “Start” button.

2 – Click on the “Settings” button which resembles a gear.

3 – Click on “Accounts.”

4 – Click on “Sign on with a Different Account.”

5 – Type the password used to access your Microsoft account.

6 – Click on “Next.”

7 – Type a “User Name.” You can also create a “Password” but it’s not required.

8 – Click on “Next.”

9 – Lastly click on “Sign Out and Finish.”

Revert to the Classic “Start” Menu

Windows 10’s “Start” menu is very different from the menu in Windows 7, and you can revert to the Windows 7 style menu if you prefer by using the following steps:

1 – Use the “Start” menu, task bar or desktop to launch your preferred browser.

2 – Navigate to “www.classicshell.net.”

3 – Click on “Download.”

4 – After the file finishes downloading, click on “Run.”

5 – Click on “Next.”

6 – Click on the box next to “I accept the terms….”

7 – Click on “Next.”

8 – Click on “Next” again.

9 – Click on “Install” and then “Finish.”

10 – Click on the “Start” button, which now brings up the “Settings” menu.

11 – Click on “Windows Style 7.”

12 – Click on “Select Skin.”

13 – Click on the down drop arrow next to “Skin.”

14 – Select and click on a “Skin.”

15 – Click on “Okay,” which will make your “Start” menu look like Windows 7.

Pin Internet Explorer to your “Start” Menu or Task Bar

Newer personal computers are already equipped with Windows 10, which uses “Edge” as its web browser, but you can use the following steps to use Internet Explorer instead. These steps bring the IE browser out of storage and display it on your “Start” menu or task bar, and you can then begin using it as your browser instead of Edge.

1 – Right click on the “Start” button.

2 – Click on “Search.”

3 – Type “Internet Explorer.”

4 – Right click on “Internet Explorer.”

5 – Click on “Pin to Start” or “Pin to Task Bar” or both, if you want.

Unpin Microsoft Edge from Start Menu and Task Bar

If you want to get rid of the “Edge” icon you can follow these steps to remove it from your Start menu and Task Bar:

1 – Right click on the “Edge” button in your task bar.

2 – Click on “Unpin from task bar.”

3 – Click on the “Start” button.

4 – Right click on the “Edge” tile.

5 – Click on “Unpin from Start.”

Make Internet Explorer Your Default Web Browser

Computer users can make Internet Explorer their default web browser in Windows 10 by using the following steps:

1 – Click on the “Start” button.

2 – Click on the “Settings” button which looks like a gear.

3 – Click on “System.”

4 – Click on “Default Apps.”

5 – Click on “Microsoft Edge” or whatever is your default web browser.

6 – Click on “Internet Explorer.”

7 – Click on “Switch Anyway.”

Have File Explorer Open to Your Personal Computer

When you open “File Explorer” in Windows 10 you are automatically directed to a “Quick Access” section that lists frequently used files and folders. Use the following steps to make File Explorer open to the drives and folders on your computer (“This PC”) instead of Quick Access.

1 – From your “Start” menu, desk top or task bar, launch “File Explorer.”

2 – Right click on “Quick Access.”

3 – Click on “Options.”

4 – Click on the drop down arrow next to “Open File Explorer.”

5 – Click on “This PC.”

6 – Click on “Apply.”

7 – Click on “Okay.”

Disable Cortana

Cortana is a digital assistant included in Microsoft Windows 10 which can be helpful as well as annoying. Cortana could previously be disabled with the click of one button, but that is no longer an option. The options available to those using Cortana are: “Hey Cortana,” which makes the digital assistant respond to that phrase; “Lock Screen,” which allows Cortana to work while your device is locked; “Taskbar Tidbits,” which allows Cortana to interject occasionally while you are in the “search” field; “Send Notifications Between Devices,” which allows Cortana to provide updates about any additional devices connected to Windows; “History View,” which is self-explanatory in that it shows your history on Cortana’s home screen; and “My Device History,” which controls whether your history is collected from all devices.

Although the one click option for disabling Cortana is no longer available you can adjust some settings to make it at least seem like you got rid of it by following these steps:

1 – Right click on the “Start” button.

2 – Click on “Search.”

3 – Click on the “Settings” button which, again, looks like a gear.

4 – Click on the switch that appears beneath “Settings” options to turn it off.

Removing Cortana from the Task Bar

Although having a “search” option on your task bar might be convenient, it doesn’t resemble the one in Windows 7, and many people would like to remove it, which can be done by following these steps:

1 – Right click on a blank spot on your computer’s task bar.

2 – Click on “Cortana.”

3 – Click on “Hidden.”

Removing the Task View Option from the Task Bar

The “Task View” button on your computer’s task bar was designed for hand-held tablets. When you click on that button, a screen appears that shows all of your open windows (basically the same function as the Alt + Tab shortcut). You can remove it from your task bar by using these steps:

1 – Right click on a blank spot on your task bar.

2 – Click on “Show Task View Button” so the checkmark disappears.

Removing the Action Center Option from the Task Bar

Using the following steps will remove the “Action Center” option from your computer’s task bar:

1 – Right click on a blank spot on the task bar.

2 – Click on “Settings.”

3 – Scroll down to and click on “Turn System Icons On or Off.”

4 – Click on the “Switch” option next to “Action Center” to turn it off.

Changing the Color of Title Bars

In Windows 7 the title bars on open windows are blue, but Windows 10 uses white as its default bar color. You can change the color of title bars by following these steps:

1 – Click on the “Start” button.

2 – Click on the “Settings” button.

3 – Click on “Personalization.”

4 – Click on “Colors.”

5 – Click on whatever color you want to use.

6 – Turn it on by clicking on “Switch” under “Show Color on the Title Bar.”
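Several of the procedures above (File Explorer opening to “This PC,” hiding the Task View button, hiding the Cortana search box, and showing color on title bars) are stored as per-user registry values, so they can be applied and verified in one place. The following PowerShell script is an added example, not part of the original post; the registry paths and value names are assumptions drawn from Windows documentation rather than from the page, and it changes only the current user’s settings.

```powershell
# Added example: apply and verify the Windows 7-style settings described above.
# Registry paths and value names are assumptions based on Windows documentation;
# the page itself only describes the Settings app clicks. Current user only.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Search   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Search'
$Dwm      = 'HKCU:\Software\Microsoft\Windows\DWM'

# Desired state: one entry per setting, matching the procedures on this page.
$Desired = @(
    # "Have File Explorer Open to Your Personal Computer": 1 = This PC, 2 = Quick Access
    @{ Path = $Advanced; Name = 'LaunchTo';             Value = 1 }
    # "Removing the Task View Option from the Task Bar": 0 hides the button
    @{ Path = $Advanced; Name = 'ShowTaskViewButton';   Value = 0 }
    # "Removing Cortana from the Task Bar": 0 = hidden, 1 = icon only, 2 = search box
    @{ Path = $Search;   Name = 'SearchboxTaskbarMode'; Value = 0 }
    # "Changing the Color of Title Bars": 1 = show the accent color on title bars
    @{ Path = $Dwm;      Name = 'ColorPrevalence';      Value = 1 }
)

function Get-CurrentSetting {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist yet.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-Win7LookSettings {
    param([switch]$WhatIf)   # -WhatIf only reports what would change
    foreach ($s in $Desired) {
        $current = Get-CurrentSetting -Path $s.Path -Name $s.Name
        if ($current -eq $s.Value) {
            Write-Host ("OK      {0} already {1}" -f $s.Name, $s.Value)
            continue
        }
        Write-Host ("CHANGE  {0}: {1} -> {2}" -f $s.Name, $current, $s.Value)
        if ($WhatIf) { continue }
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-Win7LookSettings {
    # Returns $true only when every desired value is present and matches.
    foreach ($s in $Desired) {
        if ((Get-CurrentSetting -Path $s.Path -Name $s.Name) -ne $s.Value) { return $false }
    }
    return $true
}

Set-Win7LookSettings -WhatIf   # preview the changes first
Set-Win7LookSettings           # apply them

# Explorer reads these values when it starts, so restart it for the task bar
# changes to appear. Newer Windows 10 builds relaunch Explorer on their own;
# older ones need the explicit start below.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
"All settings applied: $(Test-Win7LookSettings)"
```

Running the script with only the `-WhatIf` call first shows which values differ from the desired state without touching the registry.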

Malware – 2017

By Michael Birman on July 16, 2019

As if we don’t have enough to worry about these days, the personal computer and the Internet, which most of us use daily in both our personal and professional lives, have become a lucrative source of income for cyber criminals, who are always looking for new ways to steal your valuable personal information for resale to other hackers, not to mention your hard-earned money. These cyber criminals use a variety of malicious software (malware) to accomplish their fraudulent activities, including ransomware that encrypts files in ways that are extremely difficult to reverse.

The global cyber security firm Kaspersky Lab reported that the number of computer users who experienced attacks by invasive malware increased 22.49% in the fourth quarter of 2016 compared to the same period in 2015. This indicates that malware is doing its job so well that more and more cyber thieves are using it to gain access to information they are not entitled to, which they use against targeted individuals, business entities and government agencies to steal private information and millions of dollars.

The researchers at Kaspersky Lab conducted an analysis of the cyber threats that were prevalent during the entire holiday period from the first of October through the end of December, 2016. These analysts observed an increase in the number of cyber attacks on Black Friday, Cyber Monday and throughout the entire Christmas holiday period.

Their research for the month of November revealed a spike in the number of invasive attacks on Cyber Monday, the first Monday after the Thanksgiving holiday observed in the United States on the fourth Thursday of every November. This spike in malware attacks affected twice as many computer users as on the previous day.

Different patterns were seen for Black Friday and the Christmas season, where the malicious attacks occurred one or two days before the actual holidays. Since Cyber Monday is all about online sales offered by e-commerce sites, which greatly involves credit card companies and financial institutions, Cyber Monday has proven to be a more lucrative time for hackers and has become their main focus for delivering malware to unsuspecting individuals and businesses alike.

Kaspersky Lab’s researchers also determined that Zbot, Shiotob, Gozi, Neurevt and Nymaim Trojan malware accounted for 92.35% of cyber attacks conducted during the holiday period.

Network security has become a real headache for Information Technology (IT) professionals because malware continues to get more complicated, more sophisticated and harder to locate, identify and eradicate.

A host of hacking tools were just released on the Internet and are believed to have been designed by the United States’ National Security Agency (NSA). These tools consist of 61 files that target computers and other electronic devices that utilize Microsoft Windows applications (Word, Excel, PowerPoint) and are available for free downloading by anyone who wishes to use the tools to help fight cyber attacks via Windows.

The recent release of these hacking tools was apparently made by a Russian hacking group that calls itself The Shadow Brokers, which had previously declared that it would sell the tools to the highest bidder but then backed off that announcement because of a lack of interest worldwide, probably because of the group’s ridiculous asking price of at least 10,000 bitcoins, which represents about 8.2 million U.S. dollars.

Shortly thereafter the hacking group announced that it was ceasing its nefarious operations and going “dark” which means they are suddenly terminating communications. The Shadow Brokers released a bewildering statement in broken English that said “TheShadowBrokers is deleting accounts and moving on so don’t be trying communications. Despite theories, it always being about bitcoins for TheShadowBrokers. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers.”

That puzzling post didn’t clarify why the group was taking such action, but referenced “political talk” and the increased risk involved with its high profile hacking cyber crimes.

Nobody can conclude with certainty that The Shadow Brokers really got those hacking tools from the NSA, but it is assumed they originated there because the program code matched what whistleblower Edward Snowden (who is now exiled from the U.S. and living in Russia) apparently unlawfully obtained when he worked for that organization. Cyber experts think the hacking tools were designed and produced by an organization called The Equation Group, which many believe is also a team of hackers and is supported by the NSA.

The Shadow Brokers indicated that their dirty deeds may not actually be over, inasmuch as the group claims to hold stolen passwords that may be released at a later date if nobody comes forward with the ridiculous amount of money requested to prevent their release.

Although intelligence experts are not sure why the group is relinquishing its most powerful tools to date, it appears that the group is connected to Russian intelligence agencies and the move was made in an attempt to warn the new U.S. Trump administration to not escalate the ongoing cyber war between the two superpowers.

Another well known Russian hacking group that calls itself Guccifer 2.0 was responsible for hacking emails of the Democratic party’s Presidential nominee Hillary Clinton and releasing them to WikiLeaks during the period before the U.S. 2016 Presidential election. In an announcement made on the same day that The Shadow Brokers released its malware tools the Guccifer hacking group denied any affiliation with the Russian government.

One of the most successful cyber criminal groups that has ever operated is called the Carbanak Gang whose malware has helped the hacking group steal over a billion dollars from banks and financial institutions worldwide. Since most large businesses employ up-to-date security systems and trained IT security personnel to block communications with questionable organizations and websites in an attempt to prevent inadvertent downloading of malicious software, the group had to figure out another way to get into computers.

Since Google services are used worldwide and Google domains are very unlikely to be blocked, the Carbanak Gang developed a new way to deliver their malicious software, and to send and receive data and commands from the computers they’ve infected, using Google Spreadsheets and Google Forms. This use of a legitimate third-party service enables cyber criminals to hide in plain sight, which increases the chances of successfully conducting even more lucrative cyber heists.

This is not a novel way to introduce malware: the security firm Symantec discovered a Trojan in 2012, which it named “Makadocs,” that was using Google Docs to relay its communications.

The Carbanak malicious threat is delivered and spread using a phishing attack in the form of an attachment to Google Docs. This kind of cyber crime has proven to be an effective hacking tool since even the best security experts can be tricked into opening phishing emails and malicious attachments if they look legitimate enough.

Google is aware of the new Carbanak threats and its official spokesperson said “We’re constantly working to protect people from all forms of malware and other types of attacks. We’re aware of this particular issue and taking the appropriate actions.”

Since malicious invasions increase every day, it is imperative that all computers and other electronic devices run up-to-date security software and are set up to automatically receive updated versions of every software application they use. Users should also remove any software programs they rarely or never use from their computers and back up all computer files frequently, if not every day.

There are so many malicious threats used to steal information and money that it is extremely important for individuals, businesses and government agencies worldwide to take precautionary measures to prevent such attacks and to maintain a good working relationship with an IT company or individual who keeps abreast of the latest threats.