GhostCtrl Android Malware is Downright Scary

On July 20th, 2017, posted in: Hackers by konweb

Remember that time you let your tween borrow your phone and they “helped” you out by downloading WhatsApp for you? Well let’s hope what they downloaded was a legitimate copy of the app from a legitimate source or you may now be unwittingly sharing way more of your personal life with total strangers than you ever thought possible!

Dubbed GhostCtrl by the researchers at Trend Micro who first caught it in the wild, this nasty little malware beast, which typically masquerades as popular apps such as WhatsApp and Pokémon Go can give the hackers who unleashed it unprecedented control over a victim’s device.

A Rapidly Evolving Scary Ghost

GhostCtrl continues to evolve and there are at least 3 versions operating in the wild right now.  The first iteration steals information and controls some of the devices function, the second added the ability to hack more features and according to Trend Micro, “The third iteration combines the best of the earlier versions’ features—and then some.”

Based upon clues in its source code, GhostCtrl appears to be a scion of OmniRAT, the commercially sold Remote Access Tool that allows the takeover of Windows, Linux and Mac systems with the push of an Android button.

You Will Obey My Commands

Like some evil hypnotist, GhostCtrl can make the victim’s device do virtually anything the hacker wants it to do by sending commands from a remote control server.

Here is a partial but frightening list of those commands:

  • ACTION CODE =10, 11: Control the Wi-Fi state
  • ACTION CODE= 34: Monitor the phone sensors’ data in real time
  • ACTION CODE= 37: Set phone’s UiMode, like night mode/car mode
  • ACTION CODE= 41: Control the vibrate function, including the pattern and when it will vibrate
  • ACTION CODE= 46: Download pictures as wallpaper
  • ACTION CODE= 48: List the file information in the current directory and upload it to the C&C server
  • ACTION CODE= 49: Delete a file in the indicated directory
  • ACTION CODE= 50: Rename a file in the indicated directory
  • ACTION CODE= 51: Upload a desired file to the C&C server
  • ACTION CODE= 52: Create an indicated directory
  • ACTION CODE= 60: Use the text to speech feature (translate text to voice/audio)
  • ACTION CODE= 62: Send SMS/MMS to a number specified by the attacker; the content can also be customized
  • ACTION CODE= 68: Delete browser history
  • ACTION CODE= 70: Delete SMS
  • ACTION CODE= 74: Download file
  • ACTION CODE= 75: Call a phone number indicated by the attacker
  • ACTION CODE= 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
  • ACTION CODE= 78: Control the system infrared transmitter
  • ACTION CODE= 79: Run a shell command specified by the attacker and upload the output result

With this type of control the hackers can choose to be a nuisance, ransomer, evil spy or blackmailer depending upon their motives.

Scared? Who ya Gonna Call?

When it comes to mobile security, BYOD security and Network security our engineers are real life “ghost” busters who can develop comprehensive and holistic security solutions for your organization. So, who ya gonna call? Call Konsultek!

 

read more

Last Thursday within hours of one another two huge consumer multinationals announced that their second quarter earnings would be negatively impacted because of Petya based cyber-attacks.

According to the Financial Times, Mondelez International, purveyors of confections including Cadbury chocolates and Oreo cookies announced their financial pruning just a few hours after UK-based consumer goods conglomerate Reckitt Benckiser had announced theirs.

Petya Having a Greater Impact than Wanna Cry

If you were to look at a map of the distribution of Wanna Cry vs Petya you might think that Wanna Cry would be having the larger negative impact on global enterprises. However, this is turning out not to be the case, with Petya causing far more turmoil within large corporations because files are vanquished, not held for ransom.

From the Financial Times

“Cyber security experts dealing with the attack, which started in Ukraine, have advised stricken clients there is no hope of recovering infected systems. Unless organisations have backups of encrypted data, it is lost for good, they have warned. Western security officials say the severity of Petya’s impact points to its true purpose: not monetary gain, but pure destruction. Researchers at many of the world’s largest cyber security firms — including FireEye, Talos, ESET, Symantec and Bitdefender — have come to the same conclusion. “We believe with high confidence that the intent of the actor behind [Petya] was destructive in nature and not economically motivated,” Talos, the cyber security arm of Cisco told clients this week.”

Security Needs a Holistic Approach

What’s next? No one knows for certain, but with the NSA’s bag of tricks having been released into the wild a little under a year ago you can bet that the number and potency of attacks is only going to get worse. A holistic approach to security that includes encrypted data backup is going to become de ri·gueur.

At Konsultek we assess each client’s needs and develop security solutions that meet those needs in the most economical way possible. If this sounds like a sensible approach to security to you, give us a call to discuss your particular situation.

 

read more

In a recently released report on crime in the United Kingdom, the UK’s National Crime Agency breaks serious and organized crime into three principle categories, Vulnerabilities, Prosperity and Commodities.

A Crime of Prosperity

According to the National Strategic Assessment of Serious and Organised Crime, Cyber Crime, once a relatively benign area of crime whose offenders were solo techno-geeks has matured into a full-fledged organized crime alongside activities such as:

  • Money Laundering
  • Fraud and Other Economic Crime
  • Bribery, Corruption and Sanctions Abuse.

Cyber Crime and Technology Enable Fraud

The report notes that fraud in the UK is increasing and it is estimated that losses could be as much as GBP 193 billion. UK residents are now more likely to be a victim of fraud than any other type of crime. The use of malware and phishing emails to obtain customers’ details is a key driver of fraud.  And, it is probable that new technology value transfer methods (you have to love how the British can make even hacking sound cool!) will increase in criminal use as their popularity for legitimate use increases.

Cyber Crime In the UK Similar the USA

It is interesting to note that the findings of this report, specific to the UK, are quite similar to what we are experiencing in the USA. For example, the most competent cyber criminals are moving towards targeting businesses as the potential for higher returns on investment is much greater. Readily available hacking toolkits and ransomware are making it easier for less sophisticated individuals and organizations to enter the cyber crime space.

Some Businesses Stockpiling Bitcoins

One very interesting finding in the report that I have never seen documented anywhere else is their finding #79…

“79. A survey of security professionals by industry identified that some businesses are stockpiling bitcoins in anticipation of a ransomware attack. Ransomware has become one of the most profitable malware types in history. Its success is best illustrated by the sharp increase of varieties in the marketplace.”

Konsultek Knows Security

Konsultek’s UK office enables us to respond to the needs of our European clients quickly and efficiently. So whether your organization is located in the UK or continental Europe our expertise is ready to be deployed to help your organization become more secure.

 

read more

Ever wonder how stupid or careless someone has to be to be fooled by a phishing scam? Well, according to research conducted by a group of German experts, virtually anyone can be fooled.

In their study “Unpacking Spear Phishing Susceptibility” the researchers showed that although email  phishing scams get more publicity, Facebook scams would appear to be more effective.

“By a careful design and timing of a message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message’s content and context.”

The Goal of the Study

The researchers, sensing there was a dearth of research related specifically to spear phishing decided to create a study that would fill the gap. They constructed a study that would explore the differences in delivery medium effectiveness (Facebook vs. email) while at the same time quantify the personal motivations that led to people either clicking on the phishing link, or just as importantly, not clicking on the link.

The Phishing Scam

The selected participants were sent a phishing link either as part of an email or a personal Facebook message from fake, non-existing person. The message claiming the link led to pictures from a party.

Facebook Gets 2X Clickthrough Rate

As Table 2 shows, when the same phishing message is presented via Facebook as compared to email individuals are over 2X more likely to click on the link and begin the phishing process.

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

 

Why Did They Click?

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

Why Didn’t They Click?

Just as important to the researcher’s was attempting to understand why people didn’t click. Here is what they found.

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

How Can Konsultek Help?

Whenever humans are involved there are going to be errors in judgement and successful phishing. That’s why all of our custom security solutions take a holistic approach to network security using a proven model of intrusion prevention, detection and mitigation. When you are ready to take your network security to the next level, give us a call.

 

read more

Last week Chipotle completed its investigation into the breach they initial reported on in late April.

The breach, which took place during the time period March 24, 2017 and April 18, 2017, has been attributed to malware that infected the POS systems at Chipotle locations around the country.

What Information Was Lost?

According to Chipotle’s public release, “the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device.”

Illinois Locations Affected

If you visited any of the Chipotle locations below between March 24, 2017 and April 18, 2017 there is good reason to believe your data may have been compromised.

  • Addison: 1078 N. Rohlwing Rd.
  • Algonquin: 412 N. Randall Road
  • Arlington Heights: 338 E. Rand Road
  • Aurora: 848 N. Route 59, 2902 Kirk Road, 1480 North Orchard Road
  • Berwyn: 7140 W. Cermak Road
  • Bloomingdale: 396 W. Army Trail Road, 170 E. Lake St.
  • Bloomington: 305 N. Veterans Parkway
  • Bolingbrook: 274 S. Weber Road
  • Bourbonnais: 1601 Route 50
  • Champaign: 903 W. Anthony Drive, 528 East Green Street
  • Chicago:(Over 50 Locations) Visit Chipotle for full list
  • Cicero: 2201 S. Cicero Ave.
  • Countryside: 5801 S. La Grange Road
  • Crestwood: 13340 S. Cicero Ave.
  • Crystal Lake: 5006 Northwest Highway
  • Deerfield: 675 Deerfield Road
  • DeKalb: 2383 Sycamore Road, 1013A W. Lincoln Highway
  • Downers Grove: 1556A Butterfield Road, 1203 W. Ogden Ave
  • East Peoria: 300 W. Washington St.
  • Effingham: 1207 Keller Drive
  • Elk Grove Village: 910 Elk Grove Town Center
  • Elmhurst: 353 S. Route 83, 139 York Road
  • Evanston: 711 Church St.
  • Fairview Heights: 6415 N. Illinois St.
  • Frankfort: 11129 W. Lincoln Highway
  • Geneva: 1441 S. Randall Road
  • Glen Ellyn: 695 Roosevelt Road
  • Glenview: 3846 Willow Road, 2341 Willow Road
  • Gurnee: 6040 Gurnee Mills Boulevard
  • Highland Park, 1849 Green Bay Ave.
  • Hoffman Estates: 4600 Hoffman Boulevard, 15 E. Golf Road
  • Homer Glen: 14114 S. Bell Road
  • Homewood: 17700 Halsted St.
  • Joliet: 2848 Plainfield Road, 2609 W. Jefferson St.
  • Kildeer: 20505 N. Rand Road
  • La Grange: 40 N. La Grange Road
  • Lake Bluff, 945 Rockland Road
  • Libertyville: 139 N. Milwaukee Ave.
  • Lincolnshire: 950 Milwaukee Ave.
  • Lincolnwood: 7150 N. McCormick Ave.
  • Machesney Park: 1570 W. Lane Road
  • Matteson: 4815 W. 211th St.
  • McHenry: 2304 Richmond Road
  • Melrose Park: 1401 W. North Ave.
  • Mokena: 19130 S. LaGrange Road
  • Moline: 3941 41st Avenue Drive
  • Mount Prospect: 102 E. Kensington Road
  • Naperville: 2856 Route 59, 22 E. Chicago Ave, 1516 North Naper Boulevard
  • Niles: 8480 W. Golf Road
  • Normal: 701 S. Main St, 1601 E. College Ave.
  • Norridge: 4234 N. Harlem Ave.
  • Northbrook: 786 N. Skokie Boulevard
  • Oak Brook: 2103 Clearwater Drive
  • Oak Lawn: 6230B W. 95th St., 11018 S. Cicero Ave.
  • Oak Park: 1128 W. Lake St.
  • Oak Brook: 18W050 22nd St.
  • Ontario: 291 E. Ontario
  • Orland Park: 15240 S. LaGrange Road: 2432 Route 34
  • Oswego: 2432 Route 34
  • Palatine: 781 E. Dundee Road
  • Park Ridge: 119 S. Northwest Highway
  • Peoria: 4512 N. Sterling Ave.
  • Plainfield: 12720 S. Route 59
  • Rockford: 751 S. Perryville Road
  • Rolling Meadows: 1211 Golf Road
  • Romeoville: 253 S. Weber Road
  • Rosemont: 7020 N. Manheim Road
  • Round Lake Beach: 1936 N. Route 83
  • Schaumburg: 601 N. Martingale Road, 2570 W. Schaumburg Road
  • Skokie: 9408 Skokie Boulevard, 5373 Touhy Ave.
  • South Elgin: 348 Randall Road
  • Springfield: 2579 Wabash Ave.
  • St. Charles: 3821 Main St.
  • Tinley Park: 15980 S. Harlem Ave.
  • Vernon Hills: 375 N. Milwaukee Ave.
  • Villa Park: 298 W. North Ave.
  • Warrenville: 28251 Diehl Road
  • Waukegan: 940 S. Waukegan Road
  • West Dundee: 201 N. 8th St.,
  • Westmont: 300 E. Ogden Ave.
  • Wheaton: 811 E. Butterfield Road, 2119 W. Roosevelt Road
  • Wheeling: 1572 W. Lake Cook Road
  • Willowbrook: 7173 Kingery Highway

Affected? What Do You Do Now?

Since the exact time frame of the breach varies by location you should visit here, scroll to the bottom of the page and fill in the locations you may have visited during the broader time frame.  If you find that you are indeed the likely victim of a breach you can follow the directions from Chipotle regarding account monitoring and identity protection.

Here is the overview of what Chipotle advises…

“It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.  The phone number to call is usually on the back of your payment card.  Please see the section that follows this notice for additional steps you may take.”

 

read more