Sophos has just released its analysis of the MegaCortex ransomware, whose speed and spread of attack are very worrying! Get the key details about MegaCortex and how to prevent an attack!
What Is Megacortex?
MegaCortex is a new ransomware that was rarely seen until it suddenly spiked in volume in May 2019. Similar to infamous ransomware like Ryuk and BitPaymer, it is now spreading rapidly in these countries:
Why Is MegaCortex Dangerous?
Ransomware attacks are usually carried out in 3 ways:
Unlike Ryuk and BitPaymer, MegaCortex is controlled by cybercriminals using more automated tools, and is designed to spread infection to many victims at a much faster speed.
What Does MegaCortex Demand?
Unlike other ransomware attacks, MegaCortex has no clear ransom demands.
All it does is invite its victims to email the attackers at either of two free email addresses, attaching a file that was dropped onto the victim’s hard disk drive, to request decryption services.
The ransom note includes “a guarantee that your company will never be inconvenienced by us”. On top of that, if the victim pays the ransom, “You will also receive a consultation on how to improve your companies cyber security”.
How sweet of them.
How To Protect Against MegaCortex
Sophos recommends the following steps to protect your business from MegaCortex and the threat of ransomware attacks in general:
Companies are cautioned to be on the highest alert should they see warning signs of Emotet or Qbot, as there is a strong correlation between MegaCortex and these two threats.
Place the company’s Remote Desktop Protocol (RDP) machine behind a Virtual Private Network (VPN)
Use two-factor authentication for system logins
Regularly back up important and current data to an offline storage device
Sophos has just released its global report, Exposed: Cyberattacks on Cloud Honeypots, with very alarming findings for servers worldwide! Get the full details and find out what this means for your business and IT operations!
Cyberattacks On Cloud Honeypots
A cloud honeypot is a cloud-based system set up to resemble the targets of cybercriminals. When attacked, it enables security experts to study the cyberattacks.
During the course of the study, Sophos set up honeypots in the 10 most popular Amazon Web Services (AWS) data centers in the world, including:
Cyberattacks On Cloud Honeypots Report Findings
During the 30-day period, Sophos reported:
A cloud honeypot that was set up in Brazil was attacked a mere 52 seconds after it went live.
Cloud servers were attacked an average 13 times per minute.
More than 5 million attacks were attempted on the network of honeypots in the 30-day period.
This data sends a very chilling warning to every company worldwide of the real danger that cyberattackers and cybercriminals present.
Cybercriminals are constantly scanning for weak and vulnerable open cloud buckets, which are points of entry into servers and other networks.
“The Sophos report, Exposed: Cyberattacks on Cloud Honeypots, identifies the threats organizations migrating to hybrid and all-cloud platforms face.
The aggressive speed and scale of attacks on the honeypots shows how relentlessly persistent cybercriminals are and indicates they are using botnets to target an organization’s cloud platforms.
In some instances, it may be a human attacker, but regardless, companies need a security strategy to protect what they are putting into the cloud,” said Matthew Boddy, security specialist, Sophos.
“The issue of visibility and security in cloud platforms is a big business challenge, and with increased migration to the cloud, we see this continuing.”
Sophos just announced the integration of Sophos Mobile Security with Microsoft Intune. Here are the full details!
Sophos Mobile Security Now Integrates With Microsoft Intune!
With this integration, Microsoft Intune customers running Sophos Mobile Security 9.0 will be able to configure access controls fed by the latest mobile device threat information.
This would enable their employees to work and access data securely from any device or location, while remaining compliant with corporate data security rules.
Running on Microsoft Azure, the Sophos Mobile Security integration will provide IT administrators with the ability to configure individual device usage policies within Microsoft Intune. If an individual endpoint is compromised, IT administrators will have detailed insights from Sophos Mobile Security, allowing them to better decide whether to lock down that endpoint and deny it access to corporate data.
“As we move towards zero trust networking, enhanced conditional access is crucial. With remote working on the increase and the knock-on effect that has on corporate data access across a variety of mobile devices, there is a growing requirement to enable user productivity without compromising data security,” commented Dan Schiappa, chief product officer at Sophos. “Understanding and managing security threats is central to this operating environment and our integration with Microsoft delivers on this requirement. By offering detailed threat insights relating to individual mobile endpoints, IT administrators can make more informed choices on whether to block a device from network access. By giving administrators that extra context, access denial can be more effectively restricted to ensure productivity is only impacted where necessary.”
“In today’s increasingly mobile environment, more granular context is becoming essential to ensure networks are less easily compromised by malware or potentially unwanted content,” said Ryan McGee, Director, Microsoft Security Marketing at Microsoft Corp. “Integrations with security solution providers like Sophos are important to us. We are excited to extend the capabilities of the Microsoft Intune solution to deliver improved security posture to our customers.”
Sophos Mobile Security runs on both Android and iOS devices and can share threat details with Microsoft to provide that extra bit of context. Conditional Access policies can now take threat detections from Sophos into consideration when deciding whether to allow access to requested resources.
Sophos Mobile Security can be purchased from registered Sophos partners, or through these online options:
Sophos today announced the availability of Intercept X with malware detection powered by advanced deep learning neural networks. Join us for a briefing by Sumit Bansal, Sophos Managing Director for ASEAN and Korea!
Sophos Intercept X with Predictive Protection
Combined with new active-hacker mitigation, advanced application lockdown, and enhanced ransomware protection, this latest release of the Sophos Intercept X endpoint protection delivers previously unseen levels of detection and prevention.
Deep learning is the latest evolution of machine learning. It delivers a massively scalable detection model that is able to learn the entire observable threat landscape. With the ability to process hundreds of millions of samples, deep learning can make more accurate predictions at a faster rate with far fewer false-positives when compared to traditional machine learning.
This new version of Sophos Intercept X also includes innovations in anti-ransomware and exploit prevention, and active-hacker mitigations such as credential theft protection. As anti-malware has improved, attacks have increasingly focused on stealing credentials in order to move around systems and networks as a legitimate user, and Intercept X detects and prevents this behavior.
Deployed through the cloud-based management platform Sophos Central, Intercept X can be installed alongside existing endpoint security software from any vendor, immediately boosting endpoint protection. When used with the Sophos XG Firewall, Intercept X can introduce synchronized security capabilities to further enhance protection.
New Sophos Intercept X Features
Deep Learning Malware Detection
Deep learning model detects known and unknown malware and potentially unwanted applications (PUAs) before they execute, without relying on signatures
The model is less than 20 MB and requires infrequent updates
Active Adversary Mitigations
Credential theft protection – Preventing theft of authentication passwords and hash information from memory, registry, and persistent storage, as leveraged by such attacks as Mimikatz
Code cave utilization – Detects the presence of code deployed into another application, often used for persistence and antivirus avoidance
APC protection – Detects abuse of Application Procedure Calls (APC) often used as part of the AtomBombing code injection technique and more recently used as the method of spreading the WannaCry worm and NotPetya wiper via EternalBlue and DoublePulsar (adversaries abuse these calls to get another process to execute malicious code)
New and Enhanced Exploit Prevention Techniques
Malicious process migration – Detects remote reflective DLL injection used by adversaries to move between processes running on the system
Process privilege escalation – Prevents a low-privilege process from being escalated to a higher privilege, a tactic used to gain elevated system access
Enhanced Application Lockdown
Browser behavior lockdown – Intercept X prevents the malicious use of PowerShell from browsers as a basic behavior lockdown
HTA application lockdown – HTML applications loaded by the browser will have the lockdown mitigations applied as if they were a browser
Having been in the threat marketplace for several years, botnets are still successful today, as they provide a powerful cloud computing network for hackers to spread malware and spam.
Like any other malware, botnet malware is introduced to the computer network through email attachments, websites and USB sticks. As users open these files or visit compromised websites, the botnet malware begins to spread and exploit vulnerabilities on the system.
In recent research on global spam, SophosLabs found that the global volume of spam dropped by more than half just before Christmas and has stayed at around that level since, believed to be due to the notorious Necurs botnet going quiet.
However, an old-school type of scam resurfaced just last month with huge success. Known as pump-and-dump, the scam inflated the stock price of Incapta, a media holding company, encouraging the public to buy in and thus pumping the stock up further.
How does a stock scam work?
Hackers pick a cheap stock and concoct a believable story to talk it up, such as claiming the company is undergoing an acquisition. The hackers then buy the stock to push up its price and email unsuspecting victims encouraging them to buy shares in that company. The victims, influenced by the dramatic rise in the company’s stock price, are enticed into buying the shares, falling prey to stock fraud.
The impact of botnets
Botnets can have a devastating impact on organisations, particularly if the objective is to steal sensitive information. If the botnet is not after company data, it could be using the organisation’s devices and network resources to cause harm to another organisation, likely a partner company, by spreading malware to its network too.
Once the botnet has a foothold in your organisation, it will typically call home to the hacker’s command and control (C&C) server to register its success and request further instructions. It may be told to lie low and wait, attempt to move laterally on the network to infect other devices, or participate in an attack. This attempt to call home presents an ideal opportunity to detect infected systems on your network that are part of a botnet, but it requires the right technology to be effective.
Unfortunately, other than the call-home communications, a bot on your network may be extremely difficult to detect. In most cases, the infected device will continue to operate normally, or perhaps experience a slow-down in performance that could easily be dismissed or attributed to other factors.
And this is why a next-generation firewall is the first line of defense against botnets.
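The call-home behaviour described above leaves a trace in ordinary firewall or proxy logs: a bot polling its C&C server tends to connect to the same destination at nearly fixed intervals, which no human browsing session does. The following Python script is an added example, not code from the article or Sophos’s own ATP implementation. It parses a few constructed connection-log lines (documentation address ranges, not real traffic) and flags source/destination pairs whose connection timing is regular enough to look like a scheduled beacon. The log format, hosts and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (not real traffic). One flow, 10.0.0.12 -> 203.0.113.7,
# connects every ~5 minutes; 10.0.0.33 -> 198.51.100.20 connects just as often but irregularly.
SAMPLE_LOG = """\
2017-03-01T09:00:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2017-03-01T09:00:13 src=10.0.0.12 dst=198.51.100.20 dport=443
2017-03-01T09:03:22 src=10.0.0.33 dst=198.51.100.20 dport=443
2017-03-01T09:05:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2017-03-01T09:07:41 src=10.0.0.12 dst=198.51.100.21 dport=80
2017-03-01T09:10:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2017-03-01T09:11:05 src=10.0.0.33 dst=198.51.100.20 dport=443
2017-03-01T09:12:40 src=10.0.0.33 dst=198.51.100.20 dport=443
2017-03-01T09:15:01 src=10.0.0.12 dst=203.0.113.7 dport=443
2017-03-01T09:20:00 src=10.0.0.12 dst=203.0.113.7 dport=443
2017-03-01T09:40:50 src=10.0.0.33 dst=198.51.100.20 dport=443
"""

# Assumed log format: ISO timestamp, then key=value fields for source, destination and port.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_beacons(log_text, min_connections=4, max_cv=0.1):
    """Return {(src, dst): mean interval in seconds} for flows whose inter-connection
    gaps are almost constant (coefficient of variation <= max_cv). Regular timing over
    enough connections is the signature of a scheduled call-home, not of a user."""
    flows = defaultdict(list)
    for ts, src, dst, _ in parse_log(log_text):
        flows[(src, dst)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:   # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s; isolate {src} and investigate")
```

On the constructed log only 10.0.0.12 → 203.0.113.7 is reported (about every 300 seconds); the equally busy but irregular flow from 10.0.0.33 is not. Real bots often add jitter to their sleep timer, so a production detector raises `max_cv`, looks at longer windows and correlates with destination reputation rather than relying on timing alone; the point of the example is that the call-home itself is the observable, as the text says.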
Best practices in protecting against botnets
Advanced Threat Protection (ATP): ATP can identify botnets already operating on your network. Ensure your firewall has malicious traffic detection, botnet detection, and command and control (C&C) call-home traffic detection. The firewall should use a multi-layered approach to identify call-home traffic and immediately identify not only the infected host, but the user and process. Ideally, it should also block or isolate the infected system until it can be investigated.
Intrusion prevention system (IPS): IPS can detect hackers attempting to breach your network resources. Ensure your firewall has a next-gen IPS that’s capable of identifying advanced attack patterns on your network traffic to detect hacking attempts and malware moving laterally across your network segments. Also consider blocking entire Geo IP ranges for regions of the world you don’t do business with to further reduce your surface area of attack.
Sandboxing: Sandboxing can easily catch the latest evasive malware before it gets onto your computers. Ensure your firewall offers advanced sandboxing that can identify suspicious web or email files and detonate them in a safe sandbox environment to determine their behaviour before allowing them into your network.
Web Application Firewall (WAF): A web application firewall can protect your servers, devices and business applications from being hacked. Ensure your firewall offers WAF protection for any system on your network that requires remote access from the Internet. A web application firewall will provide a reverse proxy, offload authentication, and harden systems from being hacked.
Support Tech ARP!
If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!
April 25, 2017 – Sophos (LSE:SOPH) today announced that its next-generation anti-ransomware CryptoGuard technology is now available with its Sophos Server Protection products.
With this optimisation, Sophos Server Protection now has signature-less detection capabilities to combat ransomware, similar to Sophos Intercept X for endpoints. In September 2016, Sophos launched Sophos Intercept X with CryptoGuard, which stops the spontaneous encryption of data by ransomware within seconds of detection.
By adding CryptoGuard to server security, Sophos is closing a critical gap by preventing ransomware attacks that could come in through rogue, guest or remote access users or other weaknesses in a company’s network. For example, if a company allows bring-your-own laptops on the network, offers remote access for employees or is victimised by an insider cyber threat, its servers become highly susceptible to ransomware.
Additionally, network shares on servers are high-value targets, as they contain proprietary financials, personally identifiable information and other key data, and should be protected as such.
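Signature-less detection of “spontaneous encryption” rests on a behavioural observation rather than on knowing the malware: a process that, within seconds, replaces the readable contents of many files with near-random bytes is almost certainly encrypting them. The Python below is an added illustration of that idea, written for this page; it is not CryptoGuard or any Sophos code, and the thresholds, window size and simulated write events are assumptions. It measures the Shannon entropy of a file’s content before and after each write and raises an alert when one process performs too many low-to-high-entropy rewrites inside a short window.

```python
import math
import random
from collections import defaultdict, deque

# Assumed tuning values for the example (a real product calibrates these per environment).
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit close to 8.0
ENTROPY_JUMP = 2.0        # readable content replaced by something far more random
WINDOW_SECONDS = 10.0     # how long a burst of rewrites is remembered per process
MAX_REWRITES = 5          # this many suspicious rewrites inside the window raises an alert


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    """Flags a process that rewrites many files from low- to high-entropy content in a short time."""

    def __init__(self, window=WINDOW_SECONDS, max_rewrites=MAX_REWRITES):
        self.window = window
        self.max_rewrites = max_rewrites
        self.suspicious = defaultdict(deque)   # pid -> timestamps of suspicious rewrites

    @staticmethod
    def is_encrypting_write(before: bytes, after: bytes) -> bool:
        e_before, e_after = shannon_entropy(before), shannon_entropy(after)
        return e_after >= ENTROPY_THRESHOLD and (e_after - e_before) >= ENTROPY_JUMP

    def observe(self, pid: int, ts: float, before: bytes, after: bytes) -> bool:
        """Record one file rewrite by `pid` at time `ts`; return True once `pid` crosses the threshold."""
        if not self.is_encrypting_write(before, after):
            return False
        recent = self.suspicious[pid]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # forget events that fell out of the window
            recent.popleft()
        return len(recent) >= self.max_rewrites


def run_scenario():
    """Constructed scenario: a text editor (pid 100) saves ordinary edits, while another
    process (pid 200) overwrites six documents with random bytes within three seconds."""
    plaintext = (b"Quarterly report for Q1: revenue up 4%, costs flat. " * 100)[:4096]
    edited = plaintext.replace(b"4%", b"5%")
    rng = random.Random(1)   # deterministic stand-in for ciphertext
    detector = EncryptionBurstDetector()
    alerts = []
    alerts.append(detector.observe(100, 0.0, plaintext, edited))      # normal save
    alerts.append(detector.observe(100, 1.0, edited, plaintext))      # undo, still normal
    for i in range(6):                                                # rapid encryption-like rewrites
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        alerts.append(detector.observe(200, 2.0 + 0.5 * i, plaintext, blob))
    first_alert = alerts.index(True) if True in alerts else None
    return {"editor_flagged": any(alerts[:2]), "first_alert_index": first_alert}


if __name__ == "__main__":
    print(run_scenario())   # the fifth suspicious rewrite by pid 200 (event index 6) raises the alert
```

In the scenario the editor is never flagged, and pid 200 trips the detector on its fifth rewrite, before it has touched most of the share. The example deliberately uses only entropy and rate; legitimate archivers and full-disk encryption tools also produce high-entropy output, which is why a product like the one described combines this kind of signal with rollback of the affected files and process context before acting.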
“Servers are considered the jackpot for cybercriminals, since they can store confidential corporate and employee information, medical records with social security numbers or private customer documents. It would be devastating for organisations to lose this kind of sensitive data to ransomware,” said Dan Schiappa, senior vice president and general manager of Sophos’ Enduser and Network Security Groups. “Most organisations back-up their data, but recovery from a backup is not always easy. Businesses, schools or hospitals do not want the liability, hassle and operational disruption required to restore from a backup. Anti-ransomware technology is a critical layer for the protection and ongoing accessibility of the information that resides on servers. Sophos has optimised its Server Protection products with CryptoGuard, adding another layer of next-gen protection to block this pervasive and highly-damaging cyber threat.”
Sophos has also expanded Synchronised Security by adding Sophos Security Heartbeat capabilities to Sophos Central Server Protection Advanced. By adding Security Heartbeat to servers, an IT administrator can now leverage Sophos XG Firewall to automatically isolate infected servers and endpoints to identify and respond to the source of compromises faster.
Sophos Central Server Protection also includes Malicious Traffic Detection, which monitors for traffic to command and control servers, and application whitelisting with one-click Server Lockdown, which secures servers in a safe state and prevents unauthorised applications from running.
Sophos Server Protection products with CryptoGuard capabilities now include Central Server Protection Advanced on the cloud-based Sophos Central platform and Sophos Server Protection Enterprise, which is managed with a traditional on-premise console.
Pricing for the complete range of Sophos Server Protection products is available from authorised Sophos Partners worldwide.
28 February 2017 – Sophos, a global leader in network and endpoint security, today announced Sophos Mobile 7, the latest version of its Enterprise Mobility Management (EMM) solution. This new version extends containerization support for Android Enterprise (formerly “Android for Work”), enables IT administrators to manage IoT devices, strengthens security features and will be available through the Sophos Central cloud-based management platform.
Sophos Mobile 7
Sophos Mobile 7 security enhancements include anti-phishing technology to protect users from malicious links in emails and documents and improvements to Sophos’ Android security and anti-malware app. There are also usability enhancements to the Secure Workspace and Secure Email app where users now can open, view and even edit encrypted and secure Office format documents and attachments without leaving the secure and encrypted container.
Sophos Mobile 7 is the latest in an increasing number of products that are available through the integrated Sophos Central management platform, including the next-generation XG Firewall, Sophos Endpoint Security, Sophos Intercept X, Sophos Email Security, Sophos Server Protection, Sophos Encryption and Sophos Phish Threat.
The new IoT functionality will provide basic management features to organizations that are designing and deploying solutions at scale using low-cost Android Things or Windows 10 IoT devices. This includes management tasks such as applying policies, checking the online device status, monitoring battery levels or confirming or updating firmware.
Sophos will be one of the first security companies to provide organizations with a cost-efficient way to add management and security capabilities to their IoT projects, offering a communication and management framework that can be built into industrial and commercial IoT solutions such as POS/retail or connected classrooms.
Sophos Mobile 7 Availability
Sophos Mobile 7 is available now for on-site installation and will be available through cloud-based Sophos Central in mid-March 2017. For more details of Sophos Mobile for IoT, customers and partners can email Sophos-Mobile-IoT@sophos.com.
Sophos will also be demonstrating Sophos Mobile 7, including the new IoT features, at stand 5H31 in hall 5 at Mobile World Congress 2017 in Barcelona, 27 February to 2 March 2017.
22 December 2016 – 2016 saw a huge number and variety of cyber attacks, ranging from a high-profile DDoS using hijacked Internet-facing security cameras to the alleged hacking of party officials during the US election. The year also saw a rising tide of data breaches, from organizations big and small, and significant losses of people’s personal information. With the year almost over, Joergen Jakobsen, regional vice president for Asia-Pacific and Japan (APJ) at Sophos, looks into his crystal ball to predict the top cyber security trends for 2017:
#1 : Shift from exploitation to targeted social attacks.
Cybercriminals are getting better at exploiting the ultimate vulnerability – humans. Ever more sophisticated and convincing targeted attacks seek to coax users into compromising themselves. For example, it’s common to see an email that addresses the recipient by name and claims they have an outstanding debt the sender has been authorized to collect. Applying shock by pretending to be a lending authority or law enforcement is a common and effective tactic. The email directs users to a malicious link that they are panicked into clicking, opening them up to attack. Such phishing attacks can no longer be recognized by obvious mistakes.
#2 : Financial infrastructure at greater risk of attack.
The use of targeted phishing and “whaling” continues to grow. These attacks use detailed information about company executives to trick employees into paying fraudsters or compromising accounts. We also expect more attacks on critical financial infrastructure, such as the attack involving SWIFT-connected institutions which cost the Bangladesh Central Bank $81 million in February. SWIFT recently revealed that there have been other such attacks and it expects to see more, stating in a leaked letter to client banks: “The threat is very persistent, adaptive and sophisticated – and it is here to stay”.
#3 : Exploitation of the Internet’s inherently insecure infrastructure.
All Internet users rely on ancient foundational protocols, and their ubiquity makes them nearly impossible to revamp or replace. These archaic protocols that have long been the backbone of the Internet and business networks are sometimes surprisingly flaky. For example, attacks against BGP (Border Gateway Protocol) could potentially disrupt, hijack, or disable much of the Internet. And the DDoS attack on Dyn in October (launched by a myriad of IoT devices), took down the DNS provider and, along with it, access to part of the internet. It was one of the largest assaults seen and those claiming responsibility said that it was just a dry run. Large-scale ISPs and enterprises can take some steps to respond, but these may well fail to prevent serious damage if individuals or states choose to exploit the Internet’s deepest security flaws.
#4 : Increased attack complexity.
Attacks increasingly bring together multiple technical and social elements, and reflect careful, lengthy probing of the victim organization’s network. Attackers compromise multiple servers and workstations long before they start to steal data or act aggressively. Closely managed by experts, these attacks are strategic, not tactical, and can cause far more damage. This is a very different world to the pre-programmed and automated malware payloads we used to see – patient and evading detection.
#5 : Growth of malvertising and corruption of online advertising ecosystems.
Malvertising, which spreads malware through online ad networks and web pages, has been around for years. But in 2016, we saw much more of it. These attacks highlight larger problems throughout the advertising ecosystem, such as click fraud, which generates paying clicks that don’t correspond to real customer interest. Malvertising has actually generated click fraud, compromising users and stealing from advertisers at the same time.
#6 : Ransomware evolves.
As more users recognize the risks of ransomware attack via email, criminals are exploring other vectors. Some are experimenting with malware that reinfects later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all to avoid detection by endpoint protection code that focuses on executable files. Recent examples have offered to decrypt files after the victim shared the ransomware with two friends, and those friends paid to decrypt their files. Ransomware authors are also starting to use techniques other than encryption, for example deleting or corrupting file headers. And finally, with “old” ransomware still floating around the web, users may fall victim to attacks that can’t be “cured” because payment locations no longer work.
#7 : Emergence of personal IoT attacks.
Users of home IoT devices may not notice or even care if their baby monitors are hijacked to attack someone else’s website. But once attackers “own” a device on a home network, they can compromise other devices, such as laptops containing important personal data. We expect to see more of this as well as more attacks that use cameras and microphones to spy on households. Cyber criminals always find a way to profit.
#8 : Rising focus on exploits against virtualized and cloud systems.
Attacks against physical hardware raise the possibility of dangerous new exploits against virtualized cloud systems. Attackers might abuse the host or other guests running on a shared host, attack privilege models, and conceivably access others’ data. And, as Docker and the entire container (or ‘serverless’) eco-system become more popular, attackers will increasingly seek to discover and exploit vulnerabilities in this relatively new trend in computing. We expect active attempts to operationalize such attacks.
#9 : Destructive DDoS IoT attacks will rise.
In 2016, Mirai, the malware that turns computer systems running Linux into remotely controlled “bots” that can be used in large-scale network attacks, showed the massive destructive potential of DDoS attacks arising from insecure consumer IoT (Internet of Things) devices. Mirai’s attacks exploited only a small number of devices and vulnerabilities and used basic password guessing techniques. However, cybercriminals will find it easy to extend their reach, because numerous IoT devices contain outdated code based on poorly maintained operating systems and applications with well-known vulnerabilities. Expect IoT exploits, better password guessing and more compromised IoT devices being used for DDoS or perhaps to target other devices in your network.
#10 : Technical attacks against states and societies.
Technology-based attacks have become increasingly political. Societies face growing risks from both disinformation (e.g., “fake news”) and voting system compromise. For instance, researchers have demonstrated attacks that might allow a local voter to fraudulently vote repeatedly without detection. Even if states never engage in attacks against their adversaries’ elections, the perception that these attacks are possible is itself a powerful weapon.