This Week In Security #1

Security is looking past what you know. With new threats and vulnerabilities found every day, we’ll try to give you an organized weekly dose of security news. This is Koda Ops TWIS #1.



It’s 2016 and ransomware is stronger than ever. This week alone we’ve come across some unique strains. Just when we all thought ransomware was leveling out, Mamba hit the shelves, and hopefully not hard drives near you. What is the biggest difference between this and other types of ransomware? Mamba skips file-level encryption and goes straight to full disk encryption, overwriting the existing Master Boot Record (MBR) and replacing it with a custom MBR. That is bad news, because Windows won’t boot without the newly acquired passphrase to unlock the system. Of course, it wouldn’t be ransomware without a ransom: the money demanded of victims is currently at the going rate of around one bitcoin per infected host. Hospitals and all, watch out! Mamba joins Petya as another ransomware variant that encrypts at the disk level.
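Because Mamba and Petya replace the boot sector rather than individual files, a cheap detection is to baseline the first 512 bytes of each disk and alert when the boot code changes. The following is an added example, not code from the post: it parses a constructed MBR in memory (a real run would read `open("/dev/sda", "rb").read(512)` or the Windows physical drive equivalent) and compares it to a stored baseline.

```python
"""MBR baseline check: hash the boot code of the first sector and compare to a
known-good baseline. Added example, not from the post; sectors are constructed
in memory, a real run would read open("/dev/sda", "rb").read(512)."""
import hashlib
import struct

PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # 0x55AA marks a valid boot sector

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, partition entries and signature flag."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[BOOT_SIG_OFFSET:] == b"\x55\xaa"}

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return findings where the live sector departs from the recorded baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings

def build_mbr(boot_code: bytes, table: bytes = b"") -> bytes:
    """Assemble a constructed 512-byte sector for testing (not a real bootloader)."""
    return boot_code.ljust(PART_TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed sample: one bootable partition of type 0x07 starting at LBA 2048.
PART_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1 << 20)
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100, PART_ENTRY)
TAMPERED_MBR = build_mbr(b"\xeb\x00" + b"\xcc" * 200, PART_ENTRY)

if __name__ == "__main__":
    print(compare_to_baseline(TAMPERED_MBR, GOOD_MBR))
```

A legitimate bootloader update will also trip the boot-code check, so re-baseline after planned OS or firmware changes.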

When Android.Lockscreen hit the scene in March of 2015, we all knew that ransomware had taken a turn for the worse. With more and more mobile devices being used in lieu of desktops and laptops, this was a logical move for makers of ransomware. The latest news on Android.Lockscreen is an update to how it works. Previous versions of Android.Lockscreen used hard-coded passcodes, which were eventually reverse-engineered. Unfortunately, the recent variants now use pseudo-random numbers to make sure victims pay the ransom. With this new variant, Android.Lockscreen can generate passcodes of six to eight digits to lock down your phone.

Ransomware and the cloud? Yes. It is happening with a new variant of Virlock, which is capable of spreading stealthily through cloud storage and collaboration applications, enabling one infected user to inadvertently spread the malware across an enterprise network. Cyber criminals are regularly deploying new techniques to make ransomware more effective. This new Virlock variant is expected to cost organizations a total of one billion U.S. dollars in 2016 alone.



So when it comes to ransomware, what you need to know is this: backup, backup, backup. Here is an easy rule that can help you make sure you keep all your files stored and secured. It’s called the 3-2-1 Rule:

  1. Have at least three copies of your data.
  2. Store your copies onto two different media/storage units.
  3. Keep one backup copy offsite.

Rule one: “three copies”. In addition to your primary data, you should have at least two more backups. In the case of a failure, this gives you the highest chance of successfully saving your important files.

Rule two: “Store copies on two or more media”. You should always keep your backups on more than one type of storage media, for example internal hard disks in a RAID configuration AND removable storage such as tapes, external hard drives, USB drives, etc.

Rule three: “Keep an offsite copy”. Physical separation between copies is very important. It’s definitely not ideal to keep all your copies in one location, because if something went wrong you would lose all your data in one fell swoop. Storing your backups elsewhere is best. Using cloud services or companies that do offsite data storage is a great option, but always weigh your risks carefully when choosing outside options for data storage and safety.
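To make the 3-2-1 rule something you can check rather than remember, here is an added example (not from the post) that evaluates a backup inventory against the three rules above. The inventory format and its field names (name, media, site, primary) are this example’s own assumption, and the entries are constructed.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not from the post. Each inventory entry describes one copy of
the data set; the field names are this example's assumption."""

# Constructed inventory: the primary copy plus two backups, all in the office.
INVENTORY = [
    {"name": "primary",    "media": "internal-raid", "site": "office", "primary": True},
    {"name": "nightly",    "media": "internal-raid", "site": "office", "primary": False},
    {"name": "weekly-usb", "media": "usb-hdd",       "site": "office", "primary": False},
]
# Same inventory with a cloud copy added at a different site.
OFFSITE_INVENTORY = INVENTORY + [
    {"name": "cloud", "media": "object-storage", "site": "cloud-region-1", "primary": False},
]


def check_321(copies: list) -> dict:
    """Evaluate: >=3 copies in total, >=2 media types, >=1 backup away from the primary site."""
    primary = [c for c in copies if c["primary"]]
    if len(primary) != 1:
        raise ValueError("inventory must contain exactly one primary copy")
    home_site = primary[0]["site"]
    backups = [c for c in copies if not c["primary"]]
    media_types = {c["media"] for c in copies}
    offsite = sorted(c["name"] for c in backups if c["site"] != home_site)

    rule1 = len(copies) >= 3
    rule2 = len(media_types) >= 2
    rule3 = bool(offsite)
    gaps = []
    if not rule1:
        gaps.append(f"only {len(copies)} copies, need at least 3")
    if not rule2:
        gaps.append(f"all copies on one media type ({', '.join(media_types)})")
    if not rule3:
        gaps.append(f"every copy is at site '{home_site}'")
    return {"rule1_three_copies": rule1, "rule2_two_media": rule2,
            "rule3_offsite": rule3, "offsite_copies": offsite,
            "compliant": rule1 and rule2 and rule3, "gaps": gaps}


if __name__ == "__main__":
    for inv in (INVENTORY, OFFSITE_INVENTORY):
        print(check_321(inv))
```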



Australia hit the news as more and more Australian homes reported that USB drives containing harmful malware had been left in letterboxes. Residents of Pakenham, a suburb in the Melbourne area, have reported finding unmarked USB drives in their mailboxes. Plugging them into a computer triggers fraudulent media-streaming service advertisements as well as other malware contained on the USB drive. Local police warn citizens to be careful and that the devices are extremely harmful.


An exponential rise in malware leaves little room for mistakes, as the risk of employees accidentally installing malicious software onto enterprise networks keeps growing, with malware hitting a company every four seconds on average. Across over 30,000 security events at one thousand companies globally, we’ve found that employees in industry, finance, government and other sectors are taking a very lenient attitude towards cyber security and proper OpSec, and are downloading potentially harmful files onto the company network.


The infosec world has had its hands full with SWIFT. This system is used for international wire transfers, but major flaws in it allowed hackers to route money into legitimate-looking accounts and disappear without a trace. Now, something new has hit the streets when it comes to banking malware, and this time it’s going after Android users: Trojan-Banker.AndroidOS.Tordow. The attacker needs only a basic knowledge of Android development; the infection spreads by cloning popular apps, such as Pokemon Go, Subway Surfer, Telegram or the Russian social media platform Vkontakte, and placing the new APK files on sites outside of the Google Play store. A good example would be the release of Pokemon Go, whose APK was widely downloaded “illegally” from third-party sites. Unlike other banking trojans, this trojan goes after full access, allowing hackers to send, steal and delete texts; record, make, redirect or block calls; check the victim’s balance; steal contacts; and remove, add or run new files, giving them further access to your phone and personal files. With this full access, it can go beyond stealing money from your bank and into ransomware or blackmail.

Corporate boo-boos

Yahoo finally told the world of their 500 million user data breach that happened in 2014, stating that a state-sponsored hacker was likely behind the attack. With the recent spate of massive breaches, people are getting used to hearing companies apologize. However, the Yahoo breach of 500 million users is thought to be the largest in terms of user accounts. The FBI said they are aware of the intrusion and are investigating it, but won’t give any information about who might be behind the attack or why it took Yahoo so long to report it. Around August, a hacker with the handle “Peace” was allegedly trying to sell Yahoo account info on the dark web. Recent reports now cite an organized crime group from Eastern Europe as responsible for the Yahoo breach, as well as several of the other major breaches.


With more and more IoT smart devices hitting the market and entering the common household, more and more ways to use them for what they weren’t intended are being explored. In the past few months we’ve been seeing very sophisticated and insane DDoS attacks, with last year’s biggest attack being 500 Gbps, a new record. Most recently, Brian Krebs had a DDoS attack of 665 Gbps against his site, which thankfully was mitigated. On September 27th, the world’s largest DDoS attack hit a France-based hosting provider, OVH, which fell victim to 152,000 smart IoT devices attacking them for a combined attack of 1 Tbps. How is this possible? Well, last year we discovered that most manufacturers of IoT devices were reusing the same set of hard-coded SSH keys, leaving millions of embedded devices open to hijacking. What’s even worse is that most of these devices have reached their end of life (EOL) for security updates, which means that your new toy could be hacked right now and in the future.
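Hard-coded key reuse of the kind described above is easy to spot from the defender’s side: unrelated devices on your network presenting the identical SSH host key. The following added example (not from the post) groups `ssh-keyscan`-style output by key fingerprint and reports keys shared by more than one host; the scan lines and key material are constructed, not real devices.

```python
"""Flag SSH host keys that appear on more than one device.

Added example, not from the post. Input uses the line format ssh-keyscan
prints (host keytype base64-key); the sample below is constructed and the
key material is fake."""
import base64
import hashlib
from collections import defaultdict

# Constructed scan of three devices; the first two present the same RSA key.
SCAN_OUTPUT = """\
# 192.0.2.10:22 SSH-2.0-dropbear
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qUhLBt
# 192.0.2.11:22 SSH-2.0-dropbear
192.0.2.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qUhLBt
192.0.2.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxGZFwNz5s4vQ8KsG1NtJk6j3d7s6Yg1Hq2xN1i9WzP
"""


def fingerprint(b64key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text: str) -> dict:
    """Map 'keytype fingerprint' to the sorted hosts presenting it, for keys seen on >1 host."""
    hosts_by_key = defaultdict(set)
    for line in scan_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan prints banners as comments
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the sweep
        host, keytype, b64key = fields[:3]
        hosts_by_key[(keytype, fingerprint(b64key))].add(host)
    return {f"{kt} {fp}": sorted(hosts)
            for (kt, fp), hosts in hosts_by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SCAN_OUTPUT).items():
        print(f"{key} shared by {', '.join(hosts)}")
```

Run the real sweep with `ssh-keyscan -f hosts.txt > scan.txt` and feed the file to `shared_host_keys`; every shared key is a device whose private key is almost certainly baked into firmware and should be rotated or isolated.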


That’s This Week in Security. I hope you enjoyed reading; please comment below and stay tuned for more TWIS.
