Sextortion Email scam takes a new twist

“I’m aware that <PASSWORD> is your password” – chances are you have received an email like this in the past year. As reported by Brian Krebs, the messages varied but they followed a simple formula: tell you how they know, what they know, and ask for the money.

A recently published article on TheNextWeb.com sheds new light on this spam email campaign. It seems that the attackers have caught on and are now publishing their own ‘removal’ tools.

“The firm was clear to point out that receiving the Bitcoin sextortion email doesn’t automatically mean infection, just that the recipient’s email address has been exposed in a password dump.

Researchers ironically found, however, that many sites offering products to supposedly remove the Save Yourself malware were actually peddling malware.”

Researchers find Bitcoin sextortion malware also mines Monero – TNW

Once a system is infected with this secondary malware, research found it would install a Monero crypto-currency miner, bringing in yet more profit for the attackers. In addition, they found it reading and re-writing clipboard data, replacing any Bitcoin wallet address with the attackers’ own so that victims unknowingly transfer funds to the attackers. The infection is known to spread itself to all accessible executables, making disinfection even more difficult.

Now more than ever, cybersecurity is becoming a core component of daily life. Don’t get caught off guard. Contact your IT professional for your annual risk assessment.

Canadian Centre for Cyber Security issues Ransomware warning: RDP still a threat

The Canadian Centre for Cyber Security has discovered a new form of ransomware targeting Windows systems. This new form of ransomware is using exposed RDP services as a primary means of infecting systems.

Initial infection vector for this malware appears to be through exposed, unpatched Remote Desktop services, but can also include email spam and malicious attachments, deceptive downloads, botnets, malicious ads, web injects, fake updates and repackaged and infected installers.

Canadian Centre for Cyber Security – Number: AL19-201 Date: 20 September 2019

To compound the issue, this version uses a recent vulnerability named BlueKeep. The result is that the code can be run on the system and infect it pre-authentication (meaning the attacker does not need a username and password). It is also ‘wormable’, meaning it can spread to other systems on the same network.

“…This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft Advisory – CVE-2019-0708

This new ransomware, nicknamed TFlower, appears to be on par with other recent strains of malware. It infects a system and establishes communications with its command and control (C2) servers. After this it establishes persistence on the system before executing its payload. Like most forms of ransomware, TFlower leaves a unique naming convention (prefixing all encrypted files with TFlower) and leaves a notice named “!_Notice_!.txt”.

You should work with your IT professionals (or open a ticket with us) today to run a vulnerability scan on your network checking for CVE-2019-0708. With proper planning these types of infections can be avoided, and with preparation the impact of these attacks can be minimized. Here are some additional steps you or your IT staff can take:

  • Ensure you are on the most recent version of Windows –
    • Windows 7 is almost at its end-of-life. Planning an upgrade is often much more cost effective.
  • Secure or disable Remote Desktop Services on your network –
    • RDP has limited use cases. As such, access can be limited and security features implemented that avoid these exploits.
  • Always use anti-virus –
    • Running anti-virus and security software is a critical step in preventing outbreaks and quickly responding to issues.
  • Practice good email hygiene –
    • Email is still a source of infection. Good technical controls (such as blocking spam or disabling macros) and good security training are cornerstones of preventing phishing attacks. Read more from US-CERT.
  • Stay informed –
    • Monitoring industry messaging and alerts is a great way to stay ahead of security issues.
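As an added example (not from the original article or the Cyber Centre alert), the following read-only PowerShell audit covers the second item above: it reports whether Remote Desktop is enabled, whether Network Level Authentication is required, whether the listener is bound to every interface, and which remote addresses the host firewall admits. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, since the NetTCPIP and NetSecurity cmdlets it uses are not present on Windows 7.

```powershell
# Added example, not part of the original article: read-only audit of a host's RDP exposure.
# Assumes an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2 or later
# (Get-NetTCPConnection and Get-NetFirewallRule are not available on Windows 7).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections=1 means Remote Desktop is disabled; UserAuthentication=1 means NLA is required.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
$rdpPort     = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }   # default when the value is absent

$findings = @()
if ($rdpDisabled) {
    'Remote Desktop is disabled (fDenyTSConnections=1).'
} else {
    $findings += "Remote Desktop is enabled on TCP/$rdpPort; disable it if this host does not need it."

    # NLA forces authentication before the pre-auth connection-setup path that CVE-2019-0708 abuses,
    # which is why Microsoft lists it as a partial mitigation while patching is pending.
    if (-not $nlaRequired) {
        $findings += 'NLA is not required (UserAuthentication=0); unauthenticated clients reach the RDP service.'
    }

    # A listener bound to 0.0.0.0 or :: accepts connections from every interface.
    $wideOpen = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }
    if ($wideOpen) {
        $findings += 'RDP listener is bound to all interfaces; limit reachability at the firewall or perimeter.'
    }

    # Enabled inbound allow rules in the built-in "Remote Desktop" group, with their remote-address scope.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    if ($rules) {
        $scopes = ($rules | Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
        if ($scopes -contains 'Any') {
            $findings += 'Host firewall allows inbound RDP from any address; scope the rules to management networks.'
        } else {
            "Host firewall allows inbound RDP only from: $($scopes -join ', ')"
        }
    }
}

# Patch status: report the newest installed update so it can be compared with the CVE-2019-0708 advisory.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) { "Newest installed update: $($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))" }

if ($findings.Count -eq 0) { 'No RDP exposure findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each host with RDP exposed to the network; any FINDING line maps to one of the steps listed above (disable RDP, require NLA, scope firewall rules, or patch).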

Malicious Android apps monetize millions of phones

A few dozen apps camouflaged as fashion and photo utilities on the Android app store have been found running malicious code. Combined, some estimates put these apps at over 2 million downloads. This is just the latest in an increasing trend of hackers targeting cell phones and other IoT devices for their purposes.

In this instance some 24 apps were found to contain the code. The code hid itself from Google Play Store security monitoring, because the malicious commands were downloaded in a configuration file AFTER the app was installed.

“Instead, the switch is controlled remotely via the downloaded configuration file, allowing the malware developer to evade Google Play’s rigorous security testing,” says Symantec’s Threat Intelligence team, who discovered the apps. – from BleepingComputer.com

The apps hijacked the phones to open full-screen advertisements that earn the hackers money. They even leveraged their own activity to boost another version of the app into the trending section of the Google Play Store.

With the increasing monetization of hacking and malware, it is very important to ensure your network is protected. The first step in incident response is preparation. Be sure to contact your IT provider for your annual risk assessment.