Canadian Centre for Cyber Security issues Ransomware warning: RDP still a threat

The Canadian Centre for Cyber Security has issued an alert about a new strain of ransomware targeting Windows systems. This ransomware uses exposed Remote Desktop Protocol (RDP) services as its primary means of infecting systems.

Initial infection vector for this malware appears to be through exposed, unpatched Remote Desktop services, but can also include email spam and malicious attachments, deceptive downloads, botnets, malicious ads, web injects, fake updates and repackaged and infected installers.

Canadian Centre for Cyber Security – Number: AL19-201 Date: 20 September 2019

To compound the issue, this version uses a recent vulnerability named BlueKeep (CVE-2019-0708). The result is that code can be run on the system and infect it pre-authentication, meaning the attacker does not need a user name and password. It is also ‘wormable’, meaning it can spread from one vulnerable system to other systems on the same network.

…This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Advisory – CVE-2019-0708

This new ransomware, nicknamed TFlower, behaves much like other recent strains. It infects a system and establishes communications with its command and control (C2) servers, then establishes persistence on the system before executing its payload. Like most ransomware, TFlower marks the files it encrypts with a distinctive naming convention (prefixing all encrypted files with TFlower) and drops a ransom note named “!_Notice_!.txt”.

You should work with your IT professionals (or open a ticket with us) today to run a vulnerability scan of your network for CVE-2019-0708. With proper planning these infections can be avoided, and with preparation their impact can be minimized. Here are some additional steps you or your IT staff can take:

  • Ensure you are on the most recent version of Windows –
    • Windows 7 is almost at its end of life (extended support ends 14 January 2020). Planning an upgrade now is often much more cost effective than running an unsupported system.
  • Secure or disable Remote Desktop Services on your network –
    • RDP has limited use cases, so access can be restricted (for example, to a VPN or to specific source addresses) and security features such as Network Level Authentication enabled, which blocks the unauthenticated path these exploits rely on.
  • Always use anti-virus –
    • Running anti-virus and security software is a critical step in preventing outbreaks and responding quickly to issues.
  • Practice good email hygiene –
    • Email is still a source of infection. Good technical controls (such as blocking spam or disabling macros) and good security training are cornerstones of preventing phishing attacks. Read more from US-CERT.
  • Stay informed –
    • Monitoring industry messaging and alerts is a great way to stay ahead of security issues.
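To make the vulnerability-scan step and the "secure RDP" step above concrete, here is an added example written for this page (it is not code from the Cyber Centre, Microsoft, or any TFlower analysis). It sends the RDP Negotiation Request that every Remote Desktop client sends, asks for legacy RDP security only, and reads the server's answer: a host that enforces Network Level Authentication refuses, while a host that accepts still exposes the unauthenticated code path that BlueKeep targets. The cookie value, the port, the example host names and the three sample replies are constructed for illustration; the probe never authenticates and sends no exploit traffic. It reports exposure (whether NLA is enforced), not whether the CVE-2019-0708 update is installed, so patch state must still be confirmed separately.

```python
"""RDP exposure probe: does a host accept Remote Desktop without NLA?

Added example for this page. Sends an X.224 Connection Request carrying an
RDP Negotiation Request (MS-RDPBCGR 2.2.1.1) that asks for standard RDP
security only, then parses the server's X.224 Connection Confirm.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values in an RDP_NEG_FAILURE structure
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT header + X.224 Connection Request + routing cookie + RDP_NEG_REQ."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    cookie_field = b"Cookie: " + cookie + b"\r\n"   # cookie value is an assumed placeholder
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class options; big-endian
    tpdu = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie_field + neg_req
    tpdu = struct.pack("B", len(tpdu)) + tpdu          # LI = bytes following the LI byte
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(tpdu))    # version 3, reserved, total length
    return tpkt + tpdu


def assess_response(data):
    """Parse an X.224 Connection Confirm and report whether NLA is enforced."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        raise ValueError("truncated response")
    data = data[:tpkt_len]
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    neg = data[11:5 + li]                              # rdpNegData follows the 7 fixed bytes
    if not neg:
        # Server predates protocol negotiation: standard RDP security only.
        return {"nla_required": False, "detail": "no negotiation data; legacy RDP security only"}
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"nla_required": bool(value & PROTOCOL_HYBRID),
                "detail": "server selected protocol 0x%08x" % value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
        # Only HYBRID_REQUIRED_BY_SERVER means CredSSP/NLA is mandatory.
        return {"nla_required": value == 5, "detail": "server refused: " + name}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def probe_rdp(host, port=3389, timeout=5.0):
    """Connect, ask for RDP-only security, and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(1024)
    return assess_response(data)


# Constructed sample replies (not captured from a real host), for offline checks:
SAMPLE_NLA_ENFORCED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_EXPOSED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:           # e.g. python rdp_probe.py 10.0.0.5 10.0.0.6
        print(target, probe_rdp(target))
```

Run it only against systems you are authorized to test. A result of `nla_required: False` on an Internet-facing host means the unauthenticated RDP path is reachable, which is exactly what BlueKeep exploits: enable NLA, restrict port 3389 to a VPN, or turn RDP off, and install the May 2019 update regardless. Hosts that enforce NLA still need the patch, because an attacker holding valid credentials can exploit them.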

Malicious Android apps monetize millions of phones

A few dozen apps disguised as fashion and photo utilities on the Google Play store have been found running malicious code. Some estimates put their combined downloads at over 2 million. This is just the latest in an increasing trend of attackers targeting mobile phones and other connected (IoT) devices.

In this instance some 24 apps were found to contain the code. It evaded Google Play Store security screening because the malicious commands were delivered in a configuration file downloaded only AFTER the app was installed.


“Instead, the switch is controlled remotely via the downloaded configuration file, allowing the malware developer to evade Google Play’s rigorous security testing,” says Symantec’s Threat Intelligence team, which discovered the apps. – from BleepingComputer.com


The apps hijacked phones to open full-screen advertisements, earning the attackers money. They even used their own activity to push another version of the app into the trending section of the Google Play Store.

With the increasing monetization of hacking and malware, it is very important to ensure your network is protected. The first step in incident response is preparation, so be sure to contact your IT provider for your annual risk assessment.