Malware and cybersecurity have been top-of-mind for many business owners recently, following the WannaCry outbreak. An attack of this kind can have devastating results, including loss of funds, loss of data, or both. And as soon as one threat is gone, another seems to follow.
Here’s what you need to know about the current cybersecurity threats:
The security firm Check Point Software Technologies recently stated that it has found a malware infection of overwhelming scope and destructive potential. The “Fireball” malware, which originated in China, is believed to have infected more than 250 million computers worldwide and to be present on 20 percent of all corporate networks, with the heaviest infections in Asia and South America. Check Point informally calls it "possibly the largest infection operation in history."
The malicious software appears to be mainly intended to generate bogus clicks and traffic for its originator, a Beijing-based marketing and advertising firm called Rafotech. Once installed, the browser hijacker redirects the user’s browser to websites that imitate the look and feel of the Google or Yahoo search homepages. The fake pages quietly gather information on the user by means of what are referred to as “tracking pixels.”
A tracking pixel is a 1x1-pixel image embedded in a web page. It contains no code of its own; the data leaks when the browser fetches the image, because that request carries the visitor’s IP address, browser version, the address of the page that embedded the pixel, any cookies set for the pixel’s domain, and whatever identifiers the page author encoded into the image’s URL. Because the image is a single, usually transparent pixel, it is effectively invisible and can be placed anywhere on a page.
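The following scanner, added here as an illustration and not part of the original article or of Check Point’s analysis, shows how a tracking pixel can be spotted in page source: it parses the HTML, picks out images that are hidden (1x1, zero-sized, or styled invisible) yet loaded from a host other than the page itself, and reports the identifiers their URLs carry back. The sample page and every hostname in it (shop.example, cdn.example, pixel.tracker-example.net) are constructed for the example.

```python
"""Find likely tracking pixels in an HTML page and show what each one reports.

Added example, not from the original article. The HTML below is constructed;
the hostnames in it (shop.example, pixel.tracker-example.net, cdn.example) are
made up for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

PAGE_HOST = "shop.example"  # the site the visitor believes they are on

# Constructed sample page: one visible image, one hidden third-party pixel,
# and one hidden same-origin image (hidden, but not a third-party leak).
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="https://pixel.tracker-example.net/t.gif?uid=8f3a&amp;page=checkout"
     width="1" height="1" style="position:absolute;left:-9999px">
<img src="/promo.jpg" style="display:none" width="300" height="250">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag as a dict."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel ("1", "1px", "0")."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


def find_tracking_pixels(html, page_host=PAGE_HOST):
    """Return the images that look like tracking pixels.

    An <img> is flagged when it is visually hidden (1x1/0x0, display:none or
    visibility:hidden) AND is fetched from a host other than the page's own.
    Such a request hands the visitor's IP, User-Agent, Referer and cookies
    for that host to a third party with no visible purpose on the page.
    """
    collector = ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        style = img.get("style", "").replace(" ", "").lower()
        hidden = (
            (_tiny(img.get("width", "")) and _tiny(img.get("height", "")))
            or "display:none" in style
            or "visibility:hidden" in style
        )
        src = urlparse(img.get("src", ""))
        third_party = bool(src.netloc) and src.netloc.lower() != page_host.lower()
        if hidden and third_party:
            hits.append({
                "host": src.netloc,
                "path": src.path,
                # The query string is the explicit payload the page author
                # chose to send, on top of the headers the browser adds itself.
                "params": {k: v[0] for k, v in parse_qs(src.query).items()},
            })
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(f"{hit['host']}{hit['path']} -> {hit['params']}")
```

Run against the sample, the scanner flags only the tracker-example.net pixel and prints the `uid` and `page` values it carries. The same-origin hidden image is deliberately not flagged: first-party hidden images are common and are not the leak this check is after, so anyone adapting the rule should decide separately whether to report them.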
Fireball can also receive and execute commands from its operators, including downloading additional malicious software. Fireball’s creators, or anyone else who finds a way to take it over, could in theory move from an ad-fraud scheme to selling the collected data, or even tie the infected machines into a global botnet of enormous destructive power.
Many botnets far smaller than Fireball’s assemblage of 250 million compromised machines have carried out major denial-of-service attacks and other destructive operations. The Mirai botnet, which knocked out internet service for millions of people in late 2016, was estimated to have comprised as few as 120,000 devices, mostly internet-connected cameras and routers with far less computing power than the desktops and laptops Fireball targets.
According to Check Point, another scenario would see Rafotech mass-harvest data from infected systems and sell it to criminal buyers. That data could range from credit card numbers to business plans and patents, all going to the highest bidder.
Check Point describes Fireball as "a pesticide armed with a nuclear bomb." Rafotech, Check Point warns, "holds the power to initiate a global catastrophe." It also adds "The potential loss is indescribable."
According to Check Point, the Fireball package is bundled covertly into free software downloads and installed without the knowledge or consent of the user. Examples of software found to carry the Fireball package include Soso Desktop and FVP Image Viewer. The clearest sign of infection is finding that your browser’s homepage or default search engine has changed to one you did not choose and cannot change back. There are websites that provide detailed instructions for detecting and eliminating infections.
"According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal," Check Point states.
The malware and the counterfeit search engines carry no indicators linking them to Rafotech, and they conceal their true nature. Removal takes more than setting the homepage back: the bundled program and any browser extensions it installed have to be uninstalled as well, which many users will want help with.
On the heels of last month’s massive WannaCry outbreak, a major ransomware incident is now underway, caused by a new strain dubbed “NotPetya.” Researchers initially believed it to be a variant of the Petya worm, but Kaspersky Lab and other firms report that, despite the similarities, it is not Petya. Regardless of its name, here’s what you should know:
This attack does not just encrypt files for a ransom. It hijacks the computer and renders it completely inaccessible by overwriting the Master Boot Record with its own bootloader, which then encrypts the Master File Table, the index the filesystem needs to find any file on the disk.
NotPetya is another rapidly spreading attack. Like WannaCry, it uses the leaked NSA exploit EternalBlue (a flaw in Microsoft’s SMBv1 file-sharing protocol), but it also spreads with credentials stolen from infected machines, using the legitimate Windows administration tools PsExec and WMIC to run itself on other hosts. A few things about this new malware:
- It doesn’t have a kill switch like WannaCry does
- It is more sophisticated: it combines several automated ways to spread, so a host that has been patched against EternalBlue can still be infected if a compromised machine holds credentials that are valid on it
The full scope of the infection is not yet known, but reports continue to come in from systems worldwide. Once a single system inside a network is infected, the worm spreads laterally to every other Windows client and server it can reach.
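The credential-based spread described above leaves traces that are easy to hunt for, because PsExec installs a service named PSEXESVC on every target it runs on (Windows logs this as System event 7045), and WMIC remote execution shows up in process-creation events (Security event 4688) as a `wmic /node:... process call create` command line. The script below is an added example written for this article, not part of it or of any vendor’s guidance; the events it processes are constructed to resemble flattened Windows event records, and the hostnames, user names, times and the payload path in the WMIC command are made up.

```python
"""Flag PsExec/WMIC lateral movement in Windows event data.

Added example, not from the original article. The events below are constructed
to resemble flattened Windows Security (4688, process creation with command
line auditing) and System (7045, a service was installed) records. Host names,
users, times and the stage.dat payload path are made up.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2017-06-27T10:02:11", "host": "WS-101", "log": "Security", "id": 4688,
     "user": "alice", "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    # infected WS-101 pushes a payload to WS-102 with stolen admin credentials
    {"time": "2017-06-27T10:03:40", "host": "WS-101", "log": "Security", "id": 4688,
     "user": "SYSTEM", "process": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"WS-102" /user:"CORP\admin" process call create '
                r'"rundll32.exe C:\Windows\Temp\stage.dat,#1"'},  # hypothetical payload
    # three hosts receive the PsExec service within seconds of each other
    {"time": "2017-06-27T10:03:41", "host": "WS-102", "log": "System", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-06-27T10:03:42", "host": "SRV-FILE01", "log": "System", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-06-27T10:03:44", "host": "WS-117", "log": "System", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # an ordinary service install hours later, which must not be flagged
    {"time": "2017-06-27T14:30:00", "host": "SRV-BACKUP", "log": "System", "id": 7045,
     "service": "BackupAgentSvc", "image": r"C:\Program Files\BackupAgent\agent.exe"},
]


def detect_lateral_movement(events, burst_window=timedelta(minutes=5), burst_hosts=3):
    """Return (alerts, burst).

    alerts: (time, host, description) for each WMIC remote execution seen on a
            source host and each PsExec service install seen on a target host.
    burst:  sorted hosts that all received PSEXESVC within burst_window when
            at least burst_hosts did, the fan-out pattern of a worm rather
            than an administrator working one machine at a time.
    """
    alerts = []
    installs = []
    for ev in events:
        if ev["log"] == "Security" and ev["id"] == 4688:
            cmd = ev.get("cmdline", "").lower()
            if (ev["process"].lower().endswith("wmic.exe")
                    and "/node:" in cmd and "process call create" in cmd):
                alerts.append((ev["time"], ev["host"],
                               "WMIC remote process creation: " + ev["cmdline"]))
        elif ev["log"] == "System" and ev["id"] == 7045:
            # Match the service name and the image, so renaming psexec.exe on
            # the source does not hide the install on the target.
            if (ev.get("service", "").upper() == "PSEXESVC"
                    or ev.get("image", "").lower().endswith("psexesvc.exe")):
                alerts.append((ev["time"], ev["host"],
                               "PsExec service installed (remote execution onto this host)"))
                installs.append(ev)

    installs.sort(key=lambda e: e["time"])
    times = [datetime.fromisoformat(e["time"]) for e in installs]
    burst = set()
    for i, start in enumerate(times):
        hosts = {installs[j]["host"] for j in range(i, len(times))
                 if times[j] - start <= burst_window}
        if len(hosts) >= burst_hosts and len(hosts) > len(burst):
            burst = hosts
    return alerts, sorted(burst)


if __name__ == "__main__":
    alerts, burst = detect_lateral_movement(SAMPLE_EVENTS)
    for time, host, text in alerts:
        print(f"{time} {host}: {text}")
    if burst:
        print("worm-like PsExec fan-out to:", ", ".join(burst))
```

Two caveats for anyone adapting this: the command line in event 4688 is only recorded when the “Include command line in process creation events” policy is enabled, so the WMIC rule is blind on default installs; and the PSEXESVC rule can be evaded with PsExec’s `-r` option, which renames the service, so treat a burst of any newly installed service across many hosts in a few minutes as worth a look.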
Once on a machine, NotPetya does not lock the user out immediately. It begins spreading and encrypting files with targeted extensions in the background, and schedules a reboot for later (reported delays fall between roughly ten minutes and an hour). The delay buys time for more machines to be reached and obscures the point of entry.
When the scheduled reboot fires, the Master Boot Record it overwrote loads the malicious bootloader instead of Windows. That bootloader encrypts the Master File Table of the system drive, so the filesystem can no longer be read, locks the user out, and then displays the ransom demand screen.
Systems should be patched with MS17-010 before an infection reaches them; it closes the same SMBv1 hole that WannaCry exploited, and disabling SMBv1 outright where nothing still needs it removes that attack surface entirely. Note that the patch does nothing against the credential-based spread through PsExec and WMIC: limit how many machines share the same local administrator credentials, and keep domain administrator accounts off ordinary workstations, so that a single infected host does not hand the worm valid credentials for the rest of the network.
The best way to get systems back up and running quickly after an infection, without paying the ransom, is to have a system imaging and restore process in place, with backup copies kept offline or otherwise out of reach of a worm that spreads with administrative credentials.
Ongoing prevention is key to protecting you and your business from malware. The bottom line in preventing any infection is employee education, together with processes and procedures that mitigate or prevent the risk.
Ron Smith is an Infusionsoft Sr. Quality/Security Engineer. Having served in the USAF as a security specialist, he became passionate about security. During his 20 year career, he has worked for very large companies such as Microsoft, Intel, and Pearson, but his love for small business carried him to Infusionsoft. He is also the father of five boys and an avid Harley Davidson rider and home brewer.