Monthly archives for August, 2017

Two million shoppers told to change their passwords after tech retailer is hacked

Updated: Technology and entertainment retailer CeX has warned its online customers that their names, addresses, email contact details, and phone numbers may have been stolen.

The personal details of up to two million customers of technology and video games retailer CeX may have been compromised in a data breach.

Information including names, addresses, email contact details, and phone numbers of CeX customers in the UK who supplied their data to the retailer through online forms has been accessed in a “sophisticated breach”, the company has warned.

The company said it had suffered a phishing attack and “a low-level breach in our online UK website security” which occurred “late last year”. CeX said it acted at the time to “immediately put in place additional security measures”.

The company said “no further security breach has since taken place” and that “we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data”.

However, the company said it “received communication from a third party claiming to have access to some of our online UK website data” in August this year.

The retailer said it immediately informed the relevant authorities, including the Information Commissioner’s Office (ICO) and National Crime Agency (NCA), “who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again”.

It added: “We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage.”

While CeX says no password data has been compromised, customers have nevertheless been urged to change their CeX online password, as well as the password for any other accounts that use the same password. CeX calls this a “precautionary measure” so customers can protect themselves from further attacks in the event that the criminals do manage to crack users’ passwords, especially those which aren’t complex.

CeX has also said that in a “small number of instances” encrypted data from credit and debit cards up to 2009 may have been accessed, but that no live payment information has been taken as those cards will have expired and the company no longer stores financial information.

The retailer is contacting all customers who are directly affected by the breach, which only affects the online arm of the company. No in-store personal membership details are thought to have been compromised. CeX has over 350 stores in the UK and over a hundred more overseas.

CeX has yet to detail how exactly attackers managed to gain access to the data, only that the incident occurred “recently”.

The retailer said it is working alongside the police, the NCA, and ICO to investigate the incident and has also employed a “cyber security specialist” to review security processes.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CeX said in a statement.

“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again,” the company added.


Windows 10 security: After Kaspersky fight, Microsoft talks up its case for Defender

Windows 7 machines mostly unprotected because they’re not running any antivirus, says Microsoft.

Microsoft’s latest security report makes a case for why Windows 10’s Defender fallback is right for end-user security.

Microsoft recently settled a fight with Russian antivirus (AV) vendor Kaspersky Lab that could have resulted in regulatory attention over claims that Windows 10 disadvantaged third-party AV.

Kaspersky last week dropped its complaints after Microsoft agreed to several concessions that will appear in the Windows 10 Fall Creators Update, due out next month.

Since Windows 8, Microsoft has enabled Windows Defender when a third-party AV expires. However, Kaspersky complained that Windows 10 notifications made it too easy for users to miss an expired subscription alert. Microsoft also admitted to disabling third-party AV under certain circumstances.

Though Microsoft’s implementation of the Defender fallback wasn’t perfect, data in its latest Security Intelligence Report, volume 22, suggests that the concept was overall sound. It also offers a defense for its handling of AV in Windows 10 after bowing to Kaspersky’s demand for more compatibility testing time and the right to use its own expired subscription notifications.

Windows 7 is still the most widely used version of Windows in the world, and was the primary casualty of the recent NotPetya and WannaCry outbreaks.

Despite its popularity as a target, by far the biggest reason for Windows 7 machines being classed as not “protected” in Microsoft’s telemetry data is that they don’t run any antivirus.

Microsoft’s graph compares four main reasons why Windows Vista, Windows 7, Windows 8, and Windows 10 aren’t protected.

For Windows Vista and Windows 7, over 50 percent of unprotected machines aren’t running any AV. The remainder have AV installed, but it’s either switched off or doesn’t have up-to-date virus signatures.

By comparison, the main reason Windows 10 machines were unprotected was out-of-date signatures or the AV was snoozed, while Windows 8 and Windows 8.1 were mostly unprotected because the AV product was turned off.

Microsoft notes a possible explanation for Windows 8/8.1 is that several malware families are capable of switching off anti-malware products.

The graph says nothing about what proportion of users on each version of Windows are unprotected. In 2013 Microsoft reported that 24 percent of Windows PCs weren’t protected by up-to-date antivirus.

Back then, Microsoft encouraged Windows users to install one of several third-party products in addition to its own for protection. Today it’s had to publicly reaffirm several times that it really does believe a “healthy antivirus ecosystem” is what’s best for Windows 10 security.


Windows security: Cryptocurrency miner malware is enslaving PCs with EternalBlue

Stealthy and persistent cryptocurrency-mining malware is hitting Windows machines.

Criminals are infecting Windows machines with fileless malware that runs in memory, and puts the hijacked PCs to work on mining cryptocurrency.

Two features in particular make this malware, known as Coinminer, “extremely stealthy and persistent”, according to malware researchers at Trend Micro.

To infect Windows machines, it uses the so-called EternalBlue exploit for an SMBv1 vulnerability (patched in MS17-010), the same spreading mechanism employed by WannaCry and NotPetya. Microsoft released the patch in March, but a spate of infections in Asia, mostly in Japan, suggests some systems have not been updated.

On machines vulnerable to this bug, the malware runs a backdoor that installs several Windows Management Instrumentation (WMI) scripts that run in memory, which makes them more difficult to detect.

IT admins can use WMI to run scripts that automate administrative tasks on remote computers and acquire management data from these computers and installed Windows applications.

However, in this case the cryptocurrency mining malware uses WMI for more nefarious purposes, including connecting to the attacker’s command-and-control domains to download the mining software and malware.

WMI malware isn’t new and was used in the infamous Stuxnet malware. FireEye has also found the advanced hacking group APT29 using WMI to create persistent, stealthy backdoors that are triggered automatically when a system starts up.

Malwarebytes identified WMI techniques being used to hijack Chrome and Firefox to redirect users to an attack site.

According to Trend Micro, the mining malware operation includes a timer that automatically triggers the malicious WMI script every three hours.

Admins should disable the SMBv1 file-sharing protocol to prevent attacks using EternalBlue, an exploit for SMBv1 thought to have been created by the NSA and leaked in April by the Shadow Brokers.

Even before the leak of EternalBlue and WannaCry’s adoption of it, Microsoft was urging customers to stop using the 30-year-old protocol.

Trend Micro also points to a Microsoft tool that can trace WMI activity and recommends restricting WMI on an as-needed basis, as well as disabling WMI on machines that don’t need it.
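The three defensive steps above (hunt for WMI persistence, close the SMBv1 door, trace WMI activity) as an added PowerShell example; this is not code from the article, Trend Micro or Microsoft. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 8.1, Server 2012 R2 or later (the Windows 7 branch uses the documented registry switch instead), and the list of suspicious script hosts is a constructed starting point rather than any published indicator.

```powershell
# Added example: hunt WMI persistence, disable SMBv1, read WMI-Activity events.
# Assumes an elevated session; SuspiciousPattern is a constructed starting point.

# --- 1. Permanent WMI event subscriptions ----------------------------------
# Persistence of the kind described above is a __EventFilter (often a timer
# query) bound to a consumer that runs a command line or an in-memory script.
function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        [string]$SuspiciousPattern = 'powershell|pwsh|cscript|wscript|mshta|regsvr32|rundll32|certutil|bitsadmin|http'
    )
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns every consumer type
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # CIM cmdlets return the Filter/Consumer references as instances; WMI cmdlets return path strings.
        $filterName   = if ($b.Filter   -is [string]) { ($b.Filter   -split '"')[1] } else { $b.Filter.Name }
        $consumerName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $f.Query                 # e.g. SELECT * FROM __TimerEvent WHERE TimerID = "..."
            Consumer     = $consumerName
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
            Suspicious   = [bool]($payload -match $SuspiciousPattern)
        }
    }
}

# Interval timers feed __TimerEvent filters; a 3-hour cadence is 10800000 ms.
function Get-WmiTimers {
    foreach ($ns in 'root\subscription', 'root\cimv2') {
        Get-CimInstance -Namespace $ns -ClassName __IntervalTimerInstruction -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Namespace'; e = { $ns }}, TimerId, IntervalBetweenEvents
    }
}

# --- 2. WMI activity tracing ------------------------------------------------
# Windows 10 / Server 2016 log event 5861 whenever a permanent subscription is created.
function Get-NewWmiSubscriptionEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# --- 3. Close the EternalBlue door: disable SMBv1 ---------------------------
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force          # stop serving SMB1 immediately
        # Remove the component on client SKUs; on Server use: Remove-WindowsFeature FS-SMB1
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
    } else {
        # Windows 7 / Server 2008 R2 have no SMB cmdlets: documented registry switch, reboot required.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# Usage
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-WmiTimers
Get-NewWmiSubscriptionEvents | Select-Object -First 10
```

A binding that is confirmed malicious is removed by piping the `__FilterToConsumerBinding`, `__EventFilter` and consumer instances to `Remove-CimInstance`; removing only the binding leaves the consumer available for re-use. Verbose WMI tracing, the tool the article alludes to, is switched on with `wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true` and is noisy, so enable it on a suspect host rather than fleet-wide.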


Gartner sets fire to all the cyber things

The 2017 evolution of Gartner’s cybersecurity framework comes with a new buzzword: CARTA. But really, we should just set fire to everything.

“A fire is coming,” says Steve Riley, a research director at Gartner. It’s a metaphorical fire, representing the rapid change in cybersecurity that’s making traditional techniques like blacklists, whitelists, and malware signatures irrelevant.

It’s now a spectrum of risk, Riley told the Gartner Security and Risk Management Summit in Sydney on Monday. Embrace the shades of grey, he said. Embrace all the colours of risk.

Each year, Gartner’s summit kicks off with an explanation of their current framework for thinking about cybersecurity. Each year it morphs a little bit, adding new concepts as the cybersecurity threat landscape and technology evolve, dropping items as they lose significance because everyone’s already on that same page.

Gartner’s framework is, therefore, an indication of what organisations are not doing. And the more Gartner emphasises it, the more organisations really need to pull their fingers out.

In recent years, Gartner has stressed the importance of a risk-based approach to security, and a people-centric approach. Their most recent keyword has been “adaptive”, steering away from the overused “agile”. Most of these ideas were in one of the first slides we were shown on Monday.

“Manage Risk. Build Trust. Embrace Change by Becoming Adaptive Everywhere.”

There’s nothing new there, but it needs to be repeated.

Gartner also stressed the importance of using analytics to reduce the workload of cybersecurity staff. They cited the example of one US organisation that had used analytics to reduce the number of security events needing investigation daily from 1500 to 30.
Such productivity improvements are not unheard of. There’s nothing new there, but if Gartner has to remind us, then there are plenty of organisations that are not doing that either.

This year, Gartner wants us to go beyond “adaptive”, and they’ve got a new word for it: CARTA, which stands for continuous adaptive risk and trust assessment.

“A CARTA strategic approach enables us to say ‘yes’ more often. With a traditional binary allow-or-block approach, we had no choice but to be conservative, and to say ‘no’. With a CARTA strategic approach we can say ‘yes’, and monitor to make sure, allowing us to embrace opportunities that were once considered too risky in the past,” Riley said.

But is that so new? Not really. Gartner has simply — and effectively — condensed a bunch of contemporary concepts in cybersecurity into a catchy initialism. But again, it needs to be repeated.

Sid Deshpande, one of Gartner’s principal research analysts, reminded us that digital business — which is to say business — is now deeply intertwined.

“Risk management is no longer the domain of a single enterprise, and it must be considered at the ecosystem level,” Deshpande told the summit. Businesses should expect to continuously monitor the security posture of key providers, and should expect them to do the same back.

Still nothing new there, at least if you’ve been to some of the cybersecurity conferences in the last couple of years, but it needs to be repeated.

I’m not mocking Gartner. Far from it. Gartner’s frameworks provide a pre-packaged mindset for organisations unable to create their own, which seems to be most of them. After all, as the Australian Financial Review reminded us on Monday, the Dunning-Kruger Effect means that clueless executives actually imagine themselves to be leaders.

Riley ended the keynote by returning to his metaphorical fire.

“There are two types of fires. Some that will consume everything in an uncontrolled and catastrophic manner, others that are anticipated. Perfect fire prevention isn’t possible. Striving for it makes the fire worse when inevitably it does occur. To adapt, we light backfires to clear out the underbrush and continuously monitor for indications of an outbreak. Now, the ecosystem adapts, and even flourishes when smaller fires burn,” Riley said.

“The fire is coming. It can bring destruction, or it can bring a new landscape of opportunity. Embrace the grey. Embrace the risk. Embrace CARTA.”

All hail CARTA!

Seriously, though, if organisations are still failing in so many fundamental ways — risk-based security, agility, trust-building, extending their security view out into their business ecosystem — then they’ll need more than a Gartner framework to save them.

They need a bit of that all-consuming, cleansing fire.


How a one man hacking operation was able to infiltrate international firms

A recent phishing and malware campaign looked like the work of a cybercriminal gang — but researchers have tracked it back to a lone attacker in Nigeria.

An international hacking campaign targeting thousands of oil, mining and construction firms sounds like the work of a sophisticated criminal operation. The scale of such an endeavour suggests it would need extensive resources and manpower, potentially even nation-state backing.

But a newly uncovered cyberattack that targeted more than 4,000 organisations in the oil and gas, mining, construction, and transportation sectors has been found to have been carried out by a 20-year-old man in Nigeria.

The lone attacker successfully hacked into the networks of at least 14 organisations, including a marine and energy company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction company in Dubai, an oil and gas firm in Kuwait, and a construction organisation in Germany.

Using a remote access Trojan and a keylogger, the attacker stole login credentials and financial information from these companies.

The fact that attacks were targeted at financial staff working in specific regions and sectors — energy and transportation firms in Europe and the Middle East — and the use of a phishing email lure claiming to be from oil and gas giant Saudi Aramco, initially led researchers to believe the campaign was the work of a well-organised group.

But researchers at Check Point investigating the attack found this wasn’t the case.

“We realised this was just one person, because of the technical analysis of the malware and the C&C communications, we realised it was a criminal, not a nation state conducting espionage,” Maya Horowitz, head of research for Check Point, told ZDNet.

And unlike professional hacking gangs, the culprit has very poor operational security, allowing researchers to identify him and monitor his actions.
“You can see holes in the phishing emails themselves and there are holes all over the infrastructure,” Horowitz said.

Put simply, the phishing emails are crude and unconvincing, with spelling errors, generic subjects and the target referred to as ‘Sir/Ms’. The mass-mailed messages ask users to download an attachment, which asks for macros to be enabled then installs two forms of malware — both of which are freely available on the web.

Victims end up infected with Netwire, a remote access Trojan that allows the attacker to gain full control of infected machines, and Hawkeye, a commercially available form of keylogging software. While both forms of malware are relatively simple, they’ve enabled the attacker to steal banking and other credentials, and earn thousands by stealing from accounts and selling on credentials.

While he has managed to infiltrate a number of large organisations, the perpetrator is far from a cybercriminal mastermind. Indeed, he has not even made much of an effort to cover his tracks and has even discussed his actions on Facebook.

“He’s not very techie, but he’s on a Facebook group of several Nigerian hackers where they exchange tactics and techniques,” said Horowitz.

Attacks using phishing to infect machines with malware are gaining in popularity, she added, and are replacing the infamous 419 scams of old. “The same people who ten years ago were only able to send Nigerian Prince scams today they can just rent malware and send it to whoever,” said Horowitz.

“It’s the same people, with the same technical skills, but now this whole market works more like a business where you can just buy or rent your tools online as malware-as-a-service. In this case it’s not even on the dark web, it’s just on the internet,” she added.

The increasing availability of malware-as-a-service, or of freeware such as Netwire and Hawkeye, means it is easier than ever for budding cybercriminals to get in on the action. In many cases, however, the attacker lacks the knowledge to take the steps needed to hide themselves.

In the case of this individual, Check Point has shared its findings with Nigerian police and international agencies in order to stop future attacks and arrest the culprit.

Those organisations that have already fallen victim to the attacks will need to take extra security precautions, because it’s likely log-in credentials and other sensitive information have been sold on to criminals who could use them to perform further attacks.

Ultimately, the phishing emails used in this attack were very basic but nonetheless fooled employees in the target organisations. Horowitz stressed the importance of companies making employees aware what these emails look like and the threats they pose.

“These attacks can be prevented, nobody has to be infected with this malware,” said Horowitz.

“Fourteen organisations were hit but there’s no reason they should have, because with proper security measures and — more importantly — education and awareness, these emails shouldn’t have got into the systems.”


Microsoft PowerPoint exploit used to bypass antivirus and spread malware

It’s the first time this exploit has been used to target PowerPoint users – and it’s being used to distribute powerful Trojan malware, say researchers.

Cyber attackers are exploiting a vulnerability to evade antivirus detection and deliver malware via Microsoft PowerPoint.

The flaw in the Windows Object Linking and Embedding (OLE) interface is being exploited by attackers to distribute malicious Microsoft Office files.

The exploit is commonly used to deliver malicious Rich Text Format (.RTF) documents, but cyber security researchers at Trend Micro have spotted attackers using it in PowerPoint Show files for the first time.

As with many hacking campaigns, this attack begins with a spear-phishing email. The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.

The sender’s address is disguised to look like a message from a business partner and the email appears to relate to an order request, with an attachment purportedly containing

However, the attachment is useless to the recipient: it is a malicious PowerPoint Show (.ppsx) file that, when opened, simply displays the text ‘CVE-2017-8570’, the identifier of a different Microsoft Office vulnerability from the one actually exploited.

The file in fact triggers an exploit for CVE-2017-0199, which starts the infection: malicious code is run through the PowerPoint Show animations feature and, if successful, downloads a file named logo.doc.

This downloaded logo.doc contains XML and JavaScript code, which runs PowerShell to execute a file called ‘RATMAN.EXE’, a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.

Once up and running on a system, Remcos is capable of many criminal operations, with compromised machines at risk from keylogging, screenlogging, webcam and microphone recorders, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.

Researchers note that the sample behind this attack uses a .NET protector, which applies several protections and obfuscations to make it harder to reverse engineer. That indicates skill on the part of the attackers, suggesting this isn’t an amateur campaign.

Critically, because most detection for CVE-2017-0199 keys on the RTF delivery method, packaging the exploit in a PPSX PowerPoint Show file lets the attackers evade antivirus signatures tuned to that earlier vector.
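A triage check for the PPSX vector, as an added PowerShell example (not code from the article or from Trend Micro). CVE-2017-0199 in an Office Open XML package shows up as a relationship whose target is an external URL rather than a part inside the package, plus a slide action that triggers it; a detection that only inspects RTF never looks here. The script assumes Windows PowerShell 5.1 or later with .NET's `System.IO.Compression` available and that the file is any OOXML package (.ppsx, .pptx, .docx, .xlsx); the severity labels and the trigger regex are the author's own heuristics.

```powershell
# Added example: list external relationships and OLE/program triggers in an
# Office Open XML package. Assumes System.IO.Compression.FileSystem is loadable.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OoxmlExternalLinks {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        # Every part's relationships live in a sibling _rels/<part>.rels file.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try     { [xml]$rels = $reader.ReadToEnd() }
            finally { $reader.Dispose() }

            foreach ($r in $rels.Relationships.Relationship) {
                # The CVE-2017-0199 shape: an oleObject (or template/frame) relationship whose
                # TargetMode is External and whose Target is a URL or UNC path.
                if ($r.TargetMode -eq 'External' -and $r.Target -match '^(https?|ftp|file)://|^\\\\') {
                    [pscustomobject]@{
                        Part     = $entry.FullName
                        Id       = $r.Id
                        Type     = ($r.Type -split '/')[-1]       # oleObject, hyperlink, attachedTemplate, ...
                        Target   = $r.Target
                        Severity = if ($r.Type -match 'oleObject|attachedTemplate|frame') { 'High' } else { 'Review' }
                    }
                }
            }
        }

        # The PPSX variant also needs a trigger: an OLE verb command in the slide's animation
        # timing, or a click/animation action that launches a program.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like 'ppt/slides/*.xml' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try     { $text = $reader.ReadToEnd() }
            finally { $reader.Dispose() }
            if ($text -match 'ppaction://(program|ole)|<p:cmd type="verb"') {
                [pscustomobject]@{ Part = $entry.FullName; Id = '-'; Type = 'trigger'; Target = $Matches[0]; Severity = 'High' }
            }
        }
    }
    finally { $zip.Dispose() }
}

# Usage: a clean deck returns nothing or only 'Review' hyperlink rows.
Get-OoxmlExternalLinks -Path .\suspect.ppsx | Format-Table -AutoSize
```

Ordinary hyperlinks are also External relationships, so only the `oleObject`, `attachedTemplate` and `frame` types are marked High; an External hyperlink alone is normal. The check is cheap enough to run on every Office attachment at the mail gateway regardless of extension.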

Fortunately, there is a way to avoid this particular attack entirely: Microsoft released patches for the vulnerability in April, and any system that has applied them is safe from it.

Nonetheless, users need to remain alert to the risks posed by legitimate looking phishing emails.

“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails–even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files,” wrote Trend Micro researchers Ronnie Giagone and Rubio Wu.

There are various techniques organisations can use to defend themselves against these attacks, with education of staff playing a key role.


Windows 10 security: Here’s tech support scammers’ latest ploy, says Microsoft

Tech support scammers are borrowing phishing techniques from criminals who seek online credentials.

Scammers are now using links in phishing-like emails to lead potential victims to fake tech support sites.

The new tactic, noticed by Microsoft’s Malware Protection Center, marks an evolution in bogus tech support scams that allow criminals to cast a wider net in search of fraud victims.

Historically, tech support scams have cold-called targets. But more recently they have used a combination of malicious ads that automatically redirect victims to a bogus tech support page, and malware that displays a fake Blue Screen of Death (BSOD) or other bogus Windows security alerts.

Online criminals meanwhile have long used mass email to spread links to bogus online bank and email login pages to phish credentials.

Tech support scammers are now using nearly identical techniques, sending emails purportedly from well-known brands such as LinkedIn, Alibaba, and Amazon. The email pretends to be an invoice, canceled order, or social media message that contains dodgy links hidden in seemingly harmless text.

“However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary ‘technical support services’ that supposedly fix contrived device, platform, or software problems,” explain Microsoft malware protection researchers Alden Pornasdoro, Jeong Mun, Barak Shein, and Eric Avena.

The links in the email generally point to a compromised website that, as with existing tactics, automatically redirects visitors to the scam site. Once there, visitors face a range of social engineering techniques, such as bogus security alert popups, to convince them to call the fake support call center.

One advantage of using phishing email, as Microsoft notes, is that it allows scammers to cast a wider net in addition to existing tactics.

Microsoft’s data indicates that three million users each month are exposed to tech-support scams, with most of those affected coming from wealthier nations including the US, UK, Canada, Australia, France, and Spain.

The most widespread tech-support scam malware is known as TechBrolo, which Microsoft calls “support-scam malware on steroids”, thanks to its use of a looping dialog box that effectively locks the browser, and an audio file that describes the supposed problem and urges the user to call a support number.

Microsoft notes that Windows 10, Edge, and Exchange Online Protection have a number of features that combine to block tech-support scams and threats targeting the inbox.

Edge can also stop dialog loops by allowing the user to prevent a specific page from creating more pages. Microsoft is also working on a feature for Edge that allows the user to close the browser or specific tabs when this is a popup or dialog message.

Finally, it’s worth noting that Microsoft doesn’t proactively reach out to users to offer unsolicited tech support. However, users can contact Microsoft via its real support page.


Privacy group accuses Hotspot Shield of snooping on web traffic

The privacy group says the FTC must investigate discrepancies in the company’s privacy policy.

The Federal Trade Commission must investigate claims made against VPN provider Hotspot Shield for allegedly deceptive trade practices, according to a new filing by a prominent privacy group.

Among the chief allegations in the 14-page filing, the Washington DC-based Center for Democracy & Technology (CDT) said the VPN provider violates its “anonymous browsing” promise by intercepting and redirecting web traffic to partner websites, including advertising companies.

Hotspot Shield, which we profiled last year, enables its more than 500 million worldwide users to bypass state censorship as well as regional restrictions on websites and streaming services. David Gorodyansky, chief executive of the service’s parent company AnchorFree, told ZDNet at the time that about 97 percent of his users run the free, ad-supported version of the software.

In an interview in our New York newsroom, Gorodyansky said that the company doesn’t make money off its customers’ data, instead opting for a “zero knowledge” approach to ensure that governments cannot request data on its customers that it doesn’t store.

But that isn’t the case, says the CDT in its filing. It’s accusing the company of logging connections and using third-party tracking to serve targeted advertising.

“Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues” by using a user’s location and IP addresses to “improve the service, or optimize advertisements displayed through the service,” the filing says.

The CDT is calling on the FTC to intervene under its authority to prohibit unfair and deceptive acts and practices.

The privacy group began investigating the case in April after Congress repealed broadband privacy rules, which would have prevented internet providers from selling browsing history data to advertisers. The surge in demand for VPN services following the repeal led the group to investigate Hotspot Shield, by far the largest provider for subscribers on the market.

The group partnered with researchers at Carnegie Mellon University to analyze the app and the service and found “undisclosed data sharing practices” with advertising networks.

“Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” said the complaint.

“Hotspot Shield also monitors information about users’ browsing habits while the VPN is in use,” it read.

The researchers also found that the app transmits some sensitive cell carrier information on mobile users over an unencrypted connection, the filing says.

VPN providers can be a godsend to anyone living in a region where state surveillance and censorship are rife, and merely a convenience to those who wish to conceal their internet history and browsing traffic from their internet providers — and any law enforcement agency that comes along. But an inherent issue is that users have to trust their VPN providers as much, if not more than their internet provider not to also collect, monitor, or sell their data.

“People often use VPNs because they do not trust the network they’re connected to, but they think less about whether they can trust the VPN service itself,” said Michelle De Mooy, director of CDT’s Privacy & Data Project. “For many internet users, it’s difficult to fully understand what VPNs are doing with their browsing data. That makes clear and accurate disclosures and practices essential.”

De Mooy added that the service “fails to live up to its promises or meet the reasonable expectations of its customers.”

Gorodyansky said in an email late Monday that he does “not agree” with the filing.

“We strongly believe in online consumer privacy,” said Gorodyansky. “This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves.”

He also called the claims in the CDT’s filing “unfounded.”

“While we commend the CDT for their dedication to protecting users’ privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns,” he added. “AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT’s concerns.”


New Trojan malware attack targets restaurant chains

Dubbed Bateleur, this malware arrives via macro-laden phishing emails and lets attackers take screenshots, steal passwords, and more.

A notorious hacking group is back with a new method of distributing Trojan malware, with the aim of creating backdoors into the networks of restaurant chains across the US.

Dubbed Bateleur — after a breed of eagle — by the researchers at Proofpoint who uncovered it, it’s thought to be the work of Carbanak, a group that focuses its attacks on corporate targets.

The group has stolen over $1bn from banks worldwide and is thought to be behind a string of other attacks.

Carbanak has previously targeted hospitality organisations including retailers, merchant services, and suppliers. This time, however, it is attempting to infiltrate chain restaurants through a backdoor into their Windows systems, enabling the group to take screenshots, steal passwords, execute commands, and more.

In order to increase the chances of infection without being detected, the JScript backdoor is accompanied by new macros, anti-analysis tools, and sandbox-evasion techniques that help cloak its activity.

As with many cyberattacks, a phishing email is used to lure in the target. The message is sent from an Outlook.com or Gmail address and claims to contain information about a previously discussed cheque in an attached Word document.

The attachment claims the document is encrypted and protected by 'Outlook Protect Service' or 'Google Documents Protect Service', depending on which email service sent the message. In both cases, the names of genuine antivirus companies appear on the JScript document dropper to lull the victim into a false sense of security.

If the user is tricked into enabling the document's macro, it launches the malicious JScript payload via a series of scheduled tasks, an indirection intended to avoid detection.

Researchers describe the JScript as having "robust capabilities", including anti-sandbox functionality and anti-analysis obfuscation. It is also capable of retrieving information about the infected system, listing running processes, executing custom commands and PowerShell scripts, uninstalling and updating itself, and taking screenshots.
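The chain just described (an Office macro registering scheduled tasks that run a JScript payload through a script host) leaves a distinctive process-creation trail that a defender can hunt for in endpoint telemetry. The following is an added example and not code from Proofpoint, the page, or the malware: it assumes Sysmon-style process-creation events already parsed into dicts with ParentImage, Image and CommandLine fields, and the sample events, task names and file paths in it are constructed for the example rather than taken from a real infection.

```python
"""Flag the Office -> scheduled task -> script host chain in process-creation events.

Added example, not Proofpoint's or the malware's code. Assumes Sysmon-style
process-creation records parsed into dicts with ParentImage, Image and
CommandLine keys. The events in SAMPLE_EVENTS are constructed for this
example; the task names and paths are invented.
"""
import re
from typing import Dict, Iterable, List

# Process names, compared case-insensitively on the image basename.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TASK_TOOLS = {"schtasks.exe"}
# The Task Scheduler service launches task actions from these parents.
TASK_SERVICE_PARENTS = {"svchost.exe", "taskeng.exe"}

# schtasks /create ... /tr "<action>": capture the quoted or bare action string.
TASK_ACTION = re.compile(r'(?i)/tr\s+("[^"]*"|\S+)')
# A .js/.jse file argument, or the wscript/cscript engine override forcing JScript.
JSCRIPT_ARG = re.compile(r"(?i)(\.jse?\b|//e:jscript)")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this process-creation event matches."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings: List[str] = []

    # Rule 1: an Office application spawning schtasks or a script host.
    # Ordinary documents almost never do this; macro droppers routinely do.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | TASK_TOOLS:
        findings.append(f"office-child:{parent}->{image}")

    # Rule 2: schtasks creating a task whose action is a script host.
    if image in TASK_TOOLS and re.search(r"(?i)/create\b", cmd):
        action = TASK_ACTION.search(cmd)
        if action:
            parts = action.group(1).strip('"').split()
            if parts and _basename(parts[0]) in SCRIPT_HOSTS:
                findings.append("schtasks-script-action")

    # Rule 3: the Task Scheduler service running wscript/cscript on JScript.
    if (parent in TASK_SERVICE_PARENTS
            and image in {"wscript.exe", "cscript.exe"}
            and JSCRIPT_ARG.search(cmd)):
        findings.append("scheduled-jscript")

    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event and keep only the events that matched."""
    hits: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits.append({"index": index,
                         "image": _basename(event.get("Image", "")),
                         "findings": findings})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the lure document's macro registers a task that runs JScript
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "Update" /tr "wscript.exe //e:jscript C:\Users\u\AppData\Roaming\t.txt" /sc once /st 12:00',
    },
    {   # the Task Scheduler service fires that task
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe //e:jscript C:\Users\u\AppData\Roaming\t.txt",
    },
    {   # benign: a user opens a text file
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe report.txt",
    },
    {   # benign: an admin schedules a backup binary from a command prompt
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily',
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['index']} ({hit['image']}): {', '.join(hit['findings'])}")
```

Rule 1 is the high-confidence signal: the parent-child pair alone is enough to open an investigation. Rules 2 and 3 will also fire on legitimate administrative scripts scheduled on a host, so in production they should be baselined against the tasks already registered in the environment and allow-listed by task name and action path rather than suppressed outright.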

In theory, Bateleur can also exfiltrate passwords, although this particular command needs an additional module fetched from the command-and-control server in order to work. For now the malware lacks some of the features required to do this and has no backup command-and-control servers, but researchers expect these to be added in the near future, especially given the persistence of the attackers.

Proofpoint has attributed this campaign to Carbanak with "a high degree of certainty", citing several telltale signs.

Firstly, similar messages have been sent to the same targets in an attempt to deliver documents containing GGLDR, a malicious script associated with Carbanak's VBScript malware.

Secondly, TinyMet, a Meterpreter in-memory DLL injection downloader script, has been seen being downloaded by Bateleur; the group has used it repeatedly in the past.

Researchers also note that the PowerShell password grabber used by Bateleur contains a dynamic-link library identical to the one found embedded in GGLDR samples.

“The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.


Ombudsman says SMBs are a growing target for cybercrime in Australia

As the threat escalates, the Australian Small Business and Family Enterprise Ombudsman has said it is also unclear where small-to-medium businesses should turn in the event of a cyber attack.

According to Kate Carnell, the Australian Small Business and Family Enterprise Ombudsman, half of the small-to-medium enterprises (SMEs) operating in Australia believe their limited online presence protects them from cybercrime.

However, Carnell believes the opposite is true: the presence they do have makes them a prime target for cybercriminals.

Speaking at the ASIAL Security Conference in Sydney last week, Carnell said many SMEs don't think they have anything worth attacking, believing criminals would instead target the "big guys".

“They know the big guys have really cool systems and they know the little guys haven’t,” she explained. “Cyber criminals now are attacking small businesses as a result, very, very regularly.”

A former pharmacy owner, Carnell said she had employed a range of physical security practices, including multiple safes, to prevent the bad guys from accessing both her business's money and its medication. Now, she said, the threat to a pharmacist is the whole world, not just a few known local nuisances.

“Everybody can attack the computer system in a pharmacy,” she said.

“Small businesses are attacked for a whole range of reasons, one is their systems are pretty low, their knowledge in the area is pretty low, they don’t have in-house IT people, most people don’t really understand this stuff at all … and they have a tendency to pay accounts and invoices quickly. When you get a false account, they have a nasty habit of being paid.”

According to the ombudsman, the average cost to a business of an online scam is about AU$10,000, with most scams arriving via email or phone.

Thirty percent of small businesses reported experiencing a cybercrime incident in the year to mid-2015, a 109 percent increase over the year prior. Carnell, however, is certain the real figure is a lot higher, as many small businesses don't want to admit they've fallen victim.

Australia is a nation of small business operators, defined by the ombudsman as businesses with fewer than 20 employees and by the Australian Taxation Office as businesses turning over less than AU$10 million.

In Australia right now, 97 percent of businesses are small businesses employing fewer than 20 people; that is 2.1 million individuals employed by a small business.

“The vast percentage of businesses in this country fall into that category,” she said.

Carnell added that many have no chief operating officer, in-house lawyers, or IT staff. They don't really understand cybersecurity even though they know it's a problem, and their CEOs are often busy running the day-to-day business with only a small office structure around them. As a result, cyber protection is often forgotten.

“This is starting to be a bigger impact among our economy … than some traditional forms of crime,” she explained, noting that the challenge for many SMEs is that they don’t know how to protect themselves.

“The reason they don’t know how to deal with it is that there’s so much stuff in the space across government … there’s a lot of different parts of the federal government dealing in the cybersecurity space.

“But from a small business perspective, where do you go? Do you go to ASIC, the AFP, Scamwatch, the ATO?”

Opposition Leader Bill Shorten has previously said that millions of SMEs in Australia need the federal government's help to stay safe in the digital world.

“They need [help] in the way that’s simple enough for them to incorporate it into their business and that they can afford,” Shorten said, addressing Parliament in November. “This means having the resources to design cyber defences for products, processes, and people.”

With grants of up to AU$2,100 becoming available to SMEs next year to support cybersecurity systems, Carnell said Australia is still a mile away from small businesses knowing where to report incidents and what they have to do to be safe.

“60 percent of small businesses that have a major cyber attack go broke within 12 months,” she said.

“This is a huge problem and it’s a major opportunity for the cybersecurity industry.”

