Netskope threat researchers said they detected a .pdf-based attack against at least 42 targets, primarily in the government, banking, and finance sectors. The attacks, which leverage Google Cloud's App Engine, are carried in .pdf email attachments. The emails have legitimate content and the malware is carried by "real" sources.
A goal of the malware is to have the .pdf saved to cloud services. If this happens, the malware can propagate beyond the victim. In this case, Netskope said it recognized the infected file and prevented this secondary "fan-out" effect. Netskope Researcher Ashwin Vamshi said that the attack has been seen in the wild and is currently live.
An important element beyond the attack is that dangers are becoming more difficult to identify. “Attackers are becoming more clever at tricking users into clicking malicious links,” Vamshi told SDxCentral. “Training users to recognize the difference between a legitimate link and a malicious link is becoming increasingly difficult — with this example, they now have to be aware of common open redirects and inspect URL parameters to understand the provenance of a link. This makes even savvy users vulnerable.”
There is no magic bullet to network security. Basic best practices must be used consistently. “First, ensure users are aware of the active campaign so that they know to avoid it,” Vamshi wrote in an email. “Second, deploy a comprehensive threat and malware detection solution to prevent your organization from unknowingly spreading similar threats.”
Netskope offered 10 recommendations for network personnel and users. They include checking the domain of links; deploying real-time visibility and control solutions; deploying threat and malware protection for all platforms; tracking and controlling unsanctioned cloud apps; educating users; unchecking the .pdf reader option that remembers actions for particular sites; hovering the mouse over hyperlinks to confirm they are legitimate; taking care when adding links to "always allow" lists in .pdf readers; and keeping security software up to date.
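The advice above (check the link's domain, inspect URL parameters, understand the provenance of a link before clicking) can be turned into a small helper. The code below is an added example, not from the Netskope report or this article: it decodes a link's query parameters, reports any embedded URL, and flags the link when the embedded destination host differs from the visible host, which is the shape an open redirect takes. The sample links are constructed for illustration.

```python
"""Inspect a link for embedded destinations hidden in its query parameters.

Added example; the host names below are constructed placeholders.
"""
from urllib.parse import parse_qs, unquote, urlparse


def extract_embedded_urls(link: str) -> list:
    """Return every query-parameter value of `link` that is itself an http(s) URL.

    parse_qs already percent-decodes once; the extra unquote() catches
    destinations that were encoded twice to slip past a casual glance.
    """
    parsed = urlparse(link)
    found = []
    for _name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value)
            if candidate.lower().startswith(("http://", "https://")):
                found.append(candidate)
    return found


def link_provenance(link: str) -> dict:
    """Describe where a link really leads.

    Returns the host a user sees when hovering, the hosts of any embedded
    URLs (one level of nesting is followed), the innermost destination, and a
    `suspicious` flag set when an embedded destination is on another host.
    """
    visible_host = (urlparse(link).hostname or "").lower()
    embedded = extract_embedded_urls(link)
    # Follow one more level so a redirect wrapped in a redirect is also reported.
    nested = []
    for url in embedded:
        nested.extend(extract_embedded_urls(url))
    all_embedded = embedded + nested
    embedded_hosts = [(urlparse(u).hostname or "").lower() for u in all_embedded]
    return {
        "visible_host": visible_host,
        "embedded_hosts": embedded_hosts,
        "final_host": embedded_hosts[-1] if embedded_hosts else visible_host,
        "suspicious": any(h != visible_host for h in embedded_hosts),
    }


if __name__ == "__main__":
    # Constructed samples: an ordinary in-site redirect and an open redirect
    # whose real destination is a different host.
    for sample in (
        "https://trusted.example/login?next=/dashboard",
        "https://trusted.example/redirect?url=https%3A%2F%2Fattacker.example%2Fdoc.pdf",
    ):
        print(sample, "->", link_provenance(sample))
```

The check is deliberately conservative: it only reports what the URL itself encodes and does not fetch anything, so it is safe to run over links extracted from mail or .pdf annotations before a user is asked to decide whether the domain is one they recognize.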
Ransomware Found by McAfee
McAfee on Monday reported on ransomware called Anatova, which is the name used on the ransom note. It has been seen in 10 countries. In ascending order of detections, the countries are Sweden, the Netherlands, Turkey, Italy, the Russian Federation, the United Kingdom, France, Germany, Belgium and the United States.
The exploit most likely has succeeded. “From our telemetry and visibility we saw hundreds of possible infections that we blocked globally since we put in detection immediately when we discovered it,” McAfee Lead Scientist Christiaan Meek told SDxCentral. “That said, we expect that there have been victims infected with this new family of ransomware.”
Meek described how the malware works. “Anatova makes a few checks to make sure it is not run in a sandbox or the victim is not from a certain country,” he wrote in an email. “It will look for files smaller than 1MB but makes sure not to disrupt the operating system. It also checks for network shares and will try to encrypt files in those locations too. After encrypting, the ransom-note is written to the system.”
It also tries to cover its tracks: "It will then clean the memory so no keys can be dumped and overwrites the backup-files (Volume Shadow copies) 10 times to make sure that no backup of local files is possible," Meek wrote. "The user has to click on the executable to activate it."
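The behaviour described in the two paragraphs above (one process rewriting many files under 1 MB, reaching out to network shares, then destroying Volume Shadow copies) is exactly the kind of pattern endpoint telemetry can surface. The detector below is an added example, not McAfee's code or anything from the article: it runs over constructed file-write and process-start events in an assumed schema and reports any process that matches. The shadow-copy indicator is an assumption; the article only says the copies are overwritten, not which command Anatova uses.

```python
"""Toy behavioural detector for the ransomware pattern described above.

Added example. Event schema, thresholds and the sample data are constructed.
"""
from collections import defaultdict

ONE_MB = 1024 * 1024


def build_sample_events():
    """Constructed telemetry: a benign editor plus one process behaving the way
    the article describes. Field names are an assumption, not a vendor format."""
    events = [
        {"pid": 100, "proc": "notepad.exe", "event": "file_write",
         "path": r"C:\Users\alice\notes.txt", "size": 2_000},
    ]
    # Bulk rewrites of small user documents.
    for i in range(30):
        events.append({"pid": 200, "proc": "invoice.exe", "event": "file_write",
                       "path": rf"C:\Users\alice\Documents\report{i}.docx", "size": 40_000})
    # The same process also writes to files on a network share.
    for i in range(3):
        events.append({"pid": 200, "proc": "invoice.exe", "event": "file_write",
                       "path": rf"\\fileserver\finance\q{i}.xlsx", "size": 90_000})
    # A large file falls outside the sub-1 MB filter the article describes, so it
    # must not count toward the bulk-write indicator either.
    events.append({"pid": 200, "proc": "invoice.exe", "event": "file_write",
                   "path": r"C:\Users\alice\video.mp4", "size": 300 * ONE_MB})
    # Assumed indicator of shadow copy tampering (the article does not name a command).
    events.append({"pid": 200, "proc": "invoice.exe", "event": "process_start",
                   "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    return events


def analyze(events, min_small_files=20, shadow_markers=("delete shadows", "shadowcopy")):
    """Aggregate events per process and return the processes that look like the
    described behaviour. Thresholds are assumptions to be tuned per environment."""
    stats = defaultdict(lambda: {"proc": "", "small": set(), "shares": set(), "shadow": 0})
    for e in events:
        s = stats[e["pid"]]
        s["proc"] = e["proc"]
        if e["event"] == "file_write":
            if e["size"] < ONE_MB:
                s["small"].add(e["path"])
            if e["path"].startswith("\\\\"):   # UNC path, i.e. a network share
                s["shares"].add(e["path"])
        elif e["event"] == "process_start":
            cmd = e.get("cmdline", "").lower()
            if any(marker in cmd for marker in shadow_markers):
                s["shadow"] += 1

    findings = []
    for pid, s in stats.items():
        reasons = []
        if len(s["small"]) >= min_small_files:
            reasons.append(f"rewrote {len(s['small'])} distinct files under 1 MB")
        if s["shares"]:
            reasons.append(f"wrote to {len(s['shares'])} file(s) on network shares")
        if s["shadow"]:
            reasons.append(f"issued {s['shadow']} shadow copy tampering command(s)")
        # Shadow copy tampering alone is worth an alert; bulk rewrites need a
        # second signal so that a backup or sync client does not trip the rule.
        if s["shadow"] or len(reasons) >= 2:
            findings.append({"pid": pid, "proc": s["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_events()):
        print(finding)
```

In practice the shadow-copy signal should come from whatever the endpoint agent records for process creation, and the file-write thresholds need a time window; the point here is that each element of the described behaviour maps to a concrete, observable event rather than a file hash.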
The ransomware, which was discovered in a peer-to-peer network, is particularly challenging because it is modular. “A modular approach means that the actors can easily insert new features,” Meek wrote. “For example, an exploit to distribute it over the network, change the behavior of the ransomware while it is running.”