Weekly Threat Report - 2nd March 2018
Reports are drawn from recent open source reporting.
Ransomware infects Colorado Department of Transportation IT system
International media reports suggest that ransomware infected computers at the Colorado Department of Transportation (CDOT) on 21 February, encrypting files and requesting payment in Bitcoin to restore them. CDOT is responsible for managing and maintaining roads as well as monitoring traffic in the US state of Colorado, but no critical operational IT systems are believed to have been affected.
The organisation has taken 2,000 computers offline as a precaution to isolate those infected and prevent the malware spreading. Employees are making use of personal devices as well as cloud services to continue to work, although reports suggest that some processes, such as contract bids/tendering and payment of employee wages, are being delayed. CDOT have stated that they do not intend to pay the ransom and that data can be recovered using backups.
It remains unclear how CDOT’s systems became infected, although the malware involved is believed to be a variant of the SamSam (or Samas) ransomware. This ransomware has previously affected the education and healthcare sectors in the US, with an Indiana hospital recently paying $55,000 in Bitcoin to get its files back. We are unaware of any UK organisations being affected by SamSam. However, these cases highlight the importance of having adequate measures in place to mitigate the risks associated with such malware infections.
NCSC has published new guidance on how organisations and home users can reduce the likelihood of malware infection: https://www.ncsc.gov.uk/guidance/mitigating-malware
Reports of increased use of Counterfeit Code-Signing Certificates
A recent open source blog post from Insikt suggests there is a small but growing market in counterfeit code-signing certificates. This raises further questions regarding the effectiveness of code-signing certificates in providing assurance to website users by establishing the identity of software authors and confirming that the software has not been corrupted or altered since its original distribution.
The Weekly Threat Report of 15th December 2017 highlighted that websites using SSL and HTTPS, signified by the padlock, are not inherently protected from attack. Malevolent actors can potentially compromise sites using HTTPS domains or obtain legitimate certificates for use on malicious websites.
Counterfeit certificates were first identified in 2015. They are advertised as being registered under legitimate corporations and supplied by known issuers. The early versions were expensive at approximately $1,000 but more recent standard certificates have been found for sale at $295.
The main benefit of counterfeit certificates for malicious actors is that software signed with them is highly effective at remaining undetected by antivirus software. However, as these certificates are thought to be created for each buyer individually, it seems likely that, at present, the majority of cyber criminals won’t use this technique.
Smartphone malware on the increase
Cyber security company Trend Micro issued its annual Mobile Threat Landscape report last month. The number of unique mobile malware samples detected by the company increased by 415% from 2016 to 2017.
Previously identified threats had mostly affected Android users downloading mobile apps from unofficial third-party stores but, according to the report, for the first time Google’s official mobile app store, Google Play, was significantly affected too.
Ransomware and banking malware were the major threats and are likely to pose a growing problem in 2018, according to the report. Mobile ransomware detections were highest in China, followed by Indonesia, India and Japan, with banking malware detections highest in Indonesia and India.
Symantec also reported this month that it had found eight apps infected with the Sockbot malware on Google Play. The malware can add compromised devices to a botnet and potentially perform DDoS attacks. Symantec’s estimate of potential victims ranges from 600,000 to 2.6 million devices with US users appearing to be the main target.
Apple was also affected and, although it exerts more control over apps added to its app store, Trend Micro report that many applications infected with adware and other unwanted functionality found their way to the company's app store.
On a more positive note, the clear majority of mobile ransomware that Trend Micro spotted last year was not as capable as desktop versions of the malware and less than 1% of it ended up infecting end user devices. Nevertheless, the increased threat is leading to a stronger approach to mobile security including initiatives on mobile vulnerability research and proactive coordination between vendors and platforms. According to the Android Open Source Project (AOSP) committee, Google is also working on two built-in features for the next version of its operating system, Android P, to protect users from malicious apps spying on them using their smartphones’ camera or microphone.