Latest Updates
Maktub - A Love-hate Relationship
Posted by Thomas Foster on 12 April 2016 08:27 AM

Maktub is a new and nasty ransomware family making the rounds. It has shocked security researchers and, at the same time, impressed them with its polish: a love-hate relationship with plenty of ups and downs.

Bring me up to speed

Until now the vast majority of ransomware followed a familiar pattern: a fake FBI or made-up law enforcement agency warning [1] about your "questionable" internet history, followed by encryption of the files on your machine and on any reachable network share, with payment demanded to get them back. At first the money went through an ordinary payment processor, but these crypto-savvy crooks soon demanded Bitcoin instead and directed their victims to install Tor, where a .onion address [2] waited to take the Bitcoins and hand back a decryption key in return.

This was, and still is, an extremely successful way for cyber criminals to make money; so much so that the real FBI has told small businesses [3] that it is often "best to pay up" when hit by ransomware, as there is a "good chance" of getting the data back.

What makes Maktub different?

It knows where you live. According to the BBC [4], some of its Radio 4 staff received personalised phishing emails that quoted their real home address and demanded they cough up hundreds of pounds. The emails also carried a link where recipients could supposedly pay up, but that link was a one-way ticket to crypto-city [5]: Maktub.

Phishing [10] to spread malware is nothing new, but the way these emails are put together and disguised shows that whoever is sending them knows what they are doing.

If you imagine Maktub as a seaworthy vessel, it has a top-notch crew of specialists in their fields: phishing, FUD'ing (Fully UnDetectable [7], i.e. packing the payload so anti-virus does not flag it), encryption and malware design. It really is an impressive extortion machine [6].

Maktub doesn't just encrypt your files and call it a day. It fully embodies a classic ransom with escalating demands: the amount you have to pay to get your data back rises the longer you wait, with additional cost added for every day the payment is missed [8]. It is one notch of cruelty away from breaking your legs.

That's what makes Maktub different: spear phishing, a well-written application, annoyingly solid crypto (no third-party cut and paste [9]) and a robust payment mechanism with rising demands.

 

[1] http://www.bitdefender.co.uk/tech-assist/self-help/removing-police-themed-ransomware-malware.html

[2] http://www.ibtimes.co.uk/cerber-terrifying-russian-ransomware-speaks-bitcoin-demand-blackmail-victims-out-loud-1547592

[3] http://www.theregister.co.uk/2015/10/27/fbi_ransomware_advice_pay/

[4] http://www.bbc.co.uk/news/technology-35996408

[5] http://www.zdnet.com/article/new-phishing-attack-knows-your-address-and-brings-ransomware/

[6] https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/

[7] https://en.wikipedia.org/wiki/Fully_undetectable

[8] http://www.bleepingcomputer.com/news/security/the-art-of-the-maktub-locker-ransomware/

[9] https://www.grahamcluley.com/2016/03/ransomware-author-decryption-keys/

[10] https://en.wikipedia.org/wiki/Phishing


End of Life for Debian 6 "Squeeze"
Posted by Julian Harse on 08 March 2016 12:36 PM

As of 29 February 2016, long term support for Debian GNU/Linux version 6 (codename "Squeeze") has come to an end, meaning that security updates will no longer be provided. We therefore recommend that any users of this distribution upgrade to a supported release as soon as possible in order to ensure the continued security of their server(s).

Debian users can check what version they are running by executing the following command via SSH:

# cat /etc/debian_version

If you are not running Plesk, it is possible to upgrade from one Debian release to the next. See https://debian-handbook.info/browse/stable/sect.dist-upgrade.html for instructions. However, please be aware that software versions will change and any software that has been custom-compiled or installed from third-party repositories may stop working, so we wouldn't recommend this for most users. Customers may also request a format and reinstall of their server with the latest operating system. Alternatively, you can contact our customer services team to arrange a migration to a new server.

Under no circumstances should Plesk users attempt an in-place upgrade, as Plesk does not support this and it will almost certainly cause problems.

Debian 7 "Wheezy" will continue to receive security updates until 31 May 2018.

However, from 26 April 2016 those updates come from the Debian LTS team rather than the regular Security Team. Unlike Squeeze, which needed a separate squeeze-lts repository, Wheezy LTS updates are published through the normal security archive (the wheezy/updates suite on security.debian.org), so no change to /etc/apt/sources.list is needed; just keep running 'apt-get update && apt-get upgrade'. See https://wiki.debian.org/LTS/Using for more details.

Likewise, Debian 8 "Jessie" will follow the same path: regular security support until mid-2018, then LTS until 30 June 2020, again through the normal security archive with no extra repository to enable.
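As an added example (not part of the original post, and not a Debian tool), the shell function below turns the string from 'cat /etc/debian_version' into a support status using the dates above. Squeeze's end date and Wheezy's LTS hand-over are the ones stated in this post; the Wheezy and Jessie end dates (31 May 2018 and 30 June 2020) and the Squeeze and Jessie LTS start dates are the ones Debian published, and should be updated if they change. The function takes the version string and an optional ISO date as arguments so it can be run against any value, not only the local machine.

```sh
#!/bin/sh
# Added example: classify a Debian release as supported / LTS-only / end-of-life
# from the string in /etc/debian_version. The date table is an assumption
# taken from the dates above; adjust it when Debian publishes new ones.

debian_support_status() {
    ver="$1"                          # e.g. 6.0.10, 7.9, 8.3
    today="${2:-$(date +%F)}"         # ISO date (YYYY-MM-DD) to evaluate against
    major="${ver%%.*}"

    case "$major" in
        6) name=squeeze; lts_from=2014-05-31; eol=2016-02-29 ;;
        7) name=wheezy;  lts_from=2016-04-26; eol=2018-05-31 ;;
        8) name=jessie;  lts_from=2018-06-17; eol=2020-06-30 ;;
        *) echo "unknown $ver"; return 0 ;;   # testing/sid show a codename, not a number
    esac

    # ISO dates compare correctly as integers once the dashes are removed.
    t=$(printf '%s' "$today"    | sed 's/-//g')
    l=$(printf '%s' "$lts_from" | sed 's/-//g')
    e=$(printf '%s' "$eol"      | sed 's/-//g')
    case "$t" in ''|*[!0-9]*) echo "bad-date $today"; return 0 ;; esac

    if   [ "$t" -gt "$e" ]; then echo "eol $name $eol"        # no security updates at all
    elif [ "$t" -ge "$l" ]; then echo "lts $name $eol"        # LTS team updates only
    else                         echo "supported $name $eol"  # regular security support
    fi
}

# Usage on a live system:
#   debian_support_status "$(cat /etc/debian_version)"
```

Anything other than "supported" or "lts" means the box is no longer receiving security fixes and should be on the upgrade or migration list described above.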





Linux Kernel Vulnerability (CVE-2016-0728)
Posted on 21 January 2016

A vulnerability (CVE-2016-0728, a reference-count overflow in the kernel's keyring facility) has been found in Linux kernels 3.8 and later which could allow a local user to gain root access. On a server this matters when combined with any flaw that already lets an attacker run code as an unprivileged user, for example through a web application such as WordPress or Joomla. See below for a list of affected distributions.

CWCS recommends customers immediately update their systems if a patch is available/required. As the fix is a new kernel package, the server must be rebooted after patching before it takes effect; until then 'uname -r' will still show the old, vulnerable kernel.

CWCS will apply the applicable updates for customers with Gold and Platinum management; those customers will be notified when the patches have been applied so that a reboot can be scheduled. If you are interested in learning more about our management options, please contact your account manager on 0800 1 777 000 / +44 115 740 1234.

Affected Distributions

CentOS

CentOS 5 and 6 are not affected, as they run earlier kernels. CentOS 7 is affected, and will be addressed in a future patch. The CentOS-announce mailing list is the place to keep an eye on for when CentOS release their patch:

https://lists.centos.org/pipermail/centos-announce/2016-January/thread.html

[Update 26/01/2016]: a patch for CentOS 7 is now available:

https://rhn.redhat.com/errata/RHSA-2016-0064.html

Debian

Debian 8 (jessie) is affected, and a patch has already been released:

https://security-tracker.debian.org/tracker/CVE-2016-0728

The fixed kernel version is 3.16.7-ckt20-1+deb8u3. Earlier Debian releases are not affected.

Ubuntu

For Ubuntu, the situation is complicated by their LTS Enablement Stacks (https://wiki.ubuntu.com/Kernel/LTSEnablementStack), which allow kernels from later releases to be run on earlier ones.

- Anything before 12.04 (precise) is EOL, but is not affected.

- 12.04 may be affected depending on the kernel version:

     * 12.04 without any linux-generic-lts-* package or with linux-generic-lts-quantal is not affected.

     * 12.04 with linux-generic-lts-raring or linux-generic-lts-saucy is affected, but these kernels are EOL and will not be fixed, so they need upgrading to linux-generic-lts-trusty.

     * 12.04 with linux-generic-lts-trusty is affected, fixed in version 3.13.0-76.120~precise1 (http://www.ubuntu.com/usn/usn-2870-2/).

- 12.10 is EOL, but not affected.

- 13.04 and 13.10 are affected, but EOL.

- 14.04 is affected:

     * 14.04 without any linux-lts-* package is affected, fixed in version 3.13.0-76.120 (http://www.ubuntu.com/usn/usn-2870-1/).

     * 14.04 with linux-lts-utopic is affected, fixed in version 3.16.0-59.79~14.04.1 (http://www.ubuntu.com/usn/usn-2873-1/).

     * 14.04 with linux-lts-vivid is affected, fixed in version 3.19.0-47.53~14.04.1 (http://www.ubuntu.com/usn/usn-2871-2/).

     * 14.04 with linux-lts-wily is affected, fixed in version 4.2.0-25.30~14.04.1 (http://www.ubuntu.com/usn/usn-2872-2/).

- 14.10 is affected, but EOL.

- 15.04 is affected, fixed in version 3.19.0-47.53 (http://www.ubuntu.com/usn/usn-2871-1/).

- 15.10 is affected, fixed in version 4.2.0-25.30 (http://www.ubuntu.com/usn/usn-2872-1/).
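As an added example (not part of the original post, and not an Ubuntu or CWCS tool), the shell function below classifies the running kernel against the fixed Ubuntu versions listed above. It reads the string 'uname -r' prints, which reflects the kernel that is actually loaded, so a server that has been patched but not yet rebooted still reports "vulnerable", which is exactly the state to look for. The fixed ABI numbers (3.13.0-76, 3.16.0-59, 3.19.0-47, 4.2.0-25) and the "3.8 and later" cut-off are taken from the advisories above; the list of Ubuntu kernel flavour suffixes is an assumption. Debian and CentOS carry the fix in the package revision rather than in 'uname -r', so those release strings come back "unknown" and must be checked with 'dpkg -l' or 'rpm -q' against the advisory instead.

```sh
#!/bin/sh
# Added example: map a `uname -r` string to a CVE-2016-0728 status using the
# fixed Ubuntu kernel ABIs from the USNs above. Prints one of:
#   not-affected | patched | vulnerable | vulnerable-eol | unknown

cve_2016_0728_status() {
    rel="$1"                                    # e.g. 3.13.0-74-generic
    base="${rel%%-*}"                           # 3.13.0
    rest="${rel#*-}"                            # 74-generic
    abi="${rest%%-*}"                           # 74
    major="${base%%.*}"                         # 3
    minor="${base#*.}"; minor="${minor%%.*}"    # 13

    # Sanity-check the numeric fields before doing arithmetic on them.
    case "$major$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac

    # The keyring bug was introduced in 3.8; anything older (CentOS 5/6,
    # Ubuntu 12.04's stock 3.2 and lts-quantal 3.5) is clean.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi

    # Only Ubuntu release strings (<base>-<abi>-<flavour>) are decodable here;
    # the flavour list is an assumption covering the common Ubuntu kernels.
    case "$rel" in
        *-generic|*-generic-pae|*-lowlatency|*-virtual|*-server) ;;
        *) echo unknown; return 0 ;;
    esac
    case "$abi" in ''|*[!0-9]*) echo unknown; return 0 ;; esac

    case "$base" in
        3.13.0) fixed=76 ;;                              # USN-2870-1 / USN-2870-2
        3.16.0) fixed=59 ;;                              # USN-2873-1
        3.19.0) fixed=47 ;;                              # USN-2871-1 / USN-2871-2
        4.2.0)  fixed=25 ;;                              # USN-2872-1 / USN-2872-2
        3.8.0|3.11.0) echo vulnerable-eol; return 0 ;;   # raring/saucy: no fix, move to lts-trusty
        *) echo unknown; return 0 ;;
    esac

    if [ "$abi" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Usage on a live system:
#   cve_2016_0728_status "$(uname -r)"
```

Run it before and after the reboot: "vulnerable" after 'apt-get upgrade' but before rebooting is the expected result, and is the reason the post insists on the reboot.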


OpenSSH Vulnerability (CVE-2016-0777)
Posted by Barry French on 15 January 2016 12:59 PM

On 14 January 2016 a serious bug (CVE-2016-0777) was disclosed in OpenSSH. An undocumented "roaming" feature in the client, present since OpenSSH 5.4, can leak the contents of client memory, including private keys, to the server it connects to.

The vulnerability is in the client code only, not in the sshd server packages. However, a maliciously configured server can exploit it to obtain the connecting user's private key, which the attacker can then use to log in as that user on any other server that trusts the key.

Like the Heartbleed vulnerability of 2014, this is a memory disclosure bug, but it is much less serious: it can only be exploited after a vulnerable client connects to a malicious server. Regardless, CWCS recommends users take immediate action and update the OpenSSH client packages to the latest versions using yum or apt-get. As an immediate workaround, adding the line "UseRoaming no" to /etc/ssh/ssh_config (or ~/.ssh/config) disables the affected code.

All CWCS managed servers are being patched automatically.

Affected systems:

  • Ubuntu 12.04
  • Ubuntu 14.04
  • Ubuntu 15.04
  • Ubuntu 15.10
  • CentOS 7
  • Debian 7 (Wheezy)
  • Debian 8 (Jessie)
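As an added example (not part of the original post, and not an OpenSSH tool), the two shell functions below perform the client-side checks a practitioner would want for CVE-2016-0777: whether the upstream OpenSSH version reported by 'ssh -V' falls in the affected range (roaming was added in 5.4 and the fix shipped in 7.1p2, per the OpenSSH release notes), and whether the "UseRoaming no" workaround is present in a client config. The version check is only a hint, because distributions such as Ubuntu backported the fix without changing the version number, so an "affected" result should be confirmed against the package changelog; the config check is the workaround itself. ssh uses the first value it obtains for an option, so the directive only covers every connection if it appears before any Host or Match block, which is what the config check reports. The sample configs at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example: client-side checks for CVE-2016-0777 (OpenSSH roaming leak).

# $1: the line `ssh -V` prints (on stderr), e.g.
#     "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3, OpenSSL 1.0.1f 6 Jan 2014"
# Prints one of: not-affected | affected | fixed | unknown
openssh_roaming_version_status() {
    case "$1" in OpenSSH_*) ;; *) echo unknown; return 0 ;; esac
    tok="${1#OpenSSH_}"; tok="${tok%% *}"; tok="${tok%,}"   # 6.6.1p1
    major="${tok%%.*}"                                     # 6
    rest="${tok#*.}"; minor="${rest%%.*}"; minor="${minor%%p*}"   # 6
    case "$tok" in *p*) patch="${tok##*p}" ;; *) patch=0 ;; esac  # portable release number
    case "$major$minor$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 4 ]; }; then
        echo not-affected                 # roaming client code did not exist yet
    elif [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then
        echo fixed
    elif [ "$major" -eq 7 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 2 ]; then
        echo fixed                        # 7.1p2 is the fix release
    else
        echo affected                     # 5.4 .. 7.1p1 upstream; check distro changelog
    fi
}

# $1: full text of a client config (/etc/ssh/ssh_config or ~/.ssh/config).
# Prints one of: disabled | disabled-in-host-block | enabled
openssh_roaming_config_status() {
    printf '%s\n' "$1" | awk '
        { key = tolower($1) }
        (key == "host" || key == "match") && !host_at { host_at = NR }
        key == "useroaming" && tolower($2) == "no" && !off_at { off_at = NR }
        END {
            if (!off_at)                           print "enabled"
            else if (!host_at || off_at < host_at) print "disabled"
            else                                   print "disabled-in-host-block"
        }'
}

# Constructed sample configs (not taken from any real server).
CFG_GLOBAL='# hardened after CVE-2016-0777
UseRoaming no

Host bastion
    Port 2222'

CFG_SCOPED='Host bastion
    UseRoaming no'

CFG_DEFAULT='Host *
    ServerAliveInterval 30'

# Usage on a live system:
#   openssh_roaming_version_status "$(ssh -V 2>&1)"
#   openssh_roaming_config_status "$(cat /etc/ssh/ssh_config)"
```

"enabled" from the config check on a client that has not yet received a patched package is the combination to fix first; adding "UseRoaming no" at the top of /etc/ssh/ssh_config closes the hole for every user on the box even before the package update lands.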

If you think your server/s may be affected and would like assistance to apply the security patch please feel free to contact our support team by phone on 0808 1333 247 or via the ticket system who will be more than happy to assist.


CentOS 6.7 + Plesk 12 Compatibility Issue
Posted by Julian Harse on 10 August 2015 02:44 PM

UPDATE 13/08/2015: Odin have now released a fix for this issue: http://download1.parallels.com/Plesk/PP12/12.0/release-notes/parallels-plesk-12.0-for-linux-change-log.html#12018-mu60

On Friday 7 August, CentOS 6.7 was released. Running 'yum update' on any CentOS 6 server should update it to version 6.7. However, this release introduces an incompatibility with Plesk 12. Running 'yum update' on affected servers will fail with dependency errors relating to the ImageMagick package.

Odin are aware of the issue and are working on a fix. In the meantime, we recommend that customers with CentOS 6 servers apply updates as usual to avoid missing out on important security patches. The following command can be used to apply updates but skip the problematic package:

# yum --skip-broken update

Once Odin release a fix for this issue, yum will be able to update ImageMagick to the latest version, at which point 'yum update' should start working as normal once again. In the meantime, run 'yum check-update' after each update to see which packages --skip-broken left behind; only the ImageMagick-related packages should be listed, and anything else still pending should be investigated rather than assumed to be part of this issue.

CWCS will manage updates for customers with the Gold and Platinum management service. If you would like to learn more about these service options, please contact our sales team on 0800 1 777 000 (+44 115 740 1234).

