Malware - Panda Security Mediacenter
https://www.pandasecurity.com/en/mediacenter/malware/

DarkSide Ransomware: Definition and Prevention Tips
https://www.pandasecurity.com/en/mediacenter/malware/darkside-ransomware/
Published Wed, 26 Jul 2023


Ransomware is one of the most costly threats in today’s digital world. Malicious hackers can cause severe damage by taking over, encrypting, and controlling your data until you pay a ransom or it’s sold to the highest bidder.

A cybercriminal group known as DarkSide has contributed significantly to the growth of ransomware. The group aims its ransomware primarily at companies that can afford to pay hefty ransoms.

Still, as an individual user, it’s essential to adopt some best practices to protect yourself against all forms of ransomware.

Let’s uncover more about DarkSide ransomware, including what it is, how it works, and more.


What Is DarkSide Ransomware?

DarkSide ransomware is a type of ransomware used by the cybercriminal group known as DarkSide that targets organizations worldwide. The group first emerged in 2020 — it’s believed to have been behind the Colonial Pipeline cyberattack — and has since caused significant issues and financial losses.

DarkSide follows a business model that is popular in the cybercrime world, ransomware-as-a-service (RaaS). Under RaaS, the core group develops and maintains the ransomware together with its payment and leak-site infrastructure, and affiliates who carry out the actual intrusions rent it in exchange for a share of each ransom. The split lets both sides stay relatively anonymous: the developers never touch a victim network and the affiliates never have to write malware.

Ransomware statistics show how devastating these attacks can be, and DarkSide ransomware is no exception. For example, one of its first major attacks caused the Colonial Pipeline to shut down 5,550 miles of pipe, which carries 45% of the east coast’s fuel supplies. DarkSide then received a ransom of approximately 75 bitcoins.

How DarkSide Ransomware Works

DarkSide ransomware attackers offer their own RaaS software to affiliates for a percentage of the profits. This modern and highly technical ransomware tactic identifies high-value targets and involves more precise monetization of compromised assets. 

Understanding their approach on a basic level can help you identify potential ransomware attacks sooner rather than later. Let’s take a look at their approach.


Initial Entry

DarkSide's initial entry typically exploits software and system vulnerabilities or remotely accessible accounts and systems such as remote-desktop and virtual-desktop services. Once inside, the intruders lean on legitimate remote-management and administration tools, the same ones system administrators and security researchers use for good purposes, so that their activity blends in with normal operations.

Another common tactic includes phishing emails, which trick users into opening links or downloading compromised files to gain access to the system.

Access Escalation

Once in the system, the intruders establish a command-and-control channel back to infrastructure they control, escalate to administrative privileges, and move laterally across networks and systems to expand their reach. The practical lesson for defenders is that the ransomware payload is the last stage: the intrusion is often visible days earlier as unusual remote-administration activity and new outbound connections.

Data Collection

With that control established, the next step is to locate and collect as much sensitive data as possible and copy it out of the network before anything is encrypted. This data can include personal information, intellectual property, financial or medical records, and so on. It gives the group a second lever, the threat of publishing the data, if the victim refuses to pay for decryption.

Encryption

Only after the data has been stolen does the ransomware itself run. It encrypts files across the compromised systems so that nobody can open them without the attackers' decryption key, and leaves a ransom note explaining how to pay. Because the data was already copied out, restoring from backup recovers the files but does not remove the threat of disclosure.

How to Prevent DarkSide Ransomware 

DarkSide announced in May 2021, shortly after the Colonial Pipeline attack, that it was shutting down, and its website went offline, but there is no way to know whether the same people will re-emerge under a new name. It is best to be prepared by applying the following tactics, which reduce the risk of compromise by any ransomware, not just DarkSide's.


  • Reinforce your passwords: Make passwords unique and complex and use a password manager to keep track of them. Activate multifactor authentication wherever it is offered, especially on remote-access and email accounts, since stolen credentials are a common way in.
  • Install antivirus software: High-quality antivirus software, like Panda Security, can help protect you against ransomware and other malware.
  • Back up your data regularly: Back up important files consistently, and keep at least one copy that the infected machine cannot reach, such as versioned cloud storage or a disconnected drive. A backup that is permanently mounted and writable can be encrypted along with everything else.
  • Keep up with system updates: Regularly update your antivirus, operating system, and applications to close the vulnerabilities that attackers exploit for initial entry.
  • Ignore phishing emails: Learn the signs of a phishing email and avoid clicking suspicious links or opening attachments in unexpected messages. Strong spam filters help here too.
  • Use a reliable VPN: A virtual private network encrypts your internet traffic between your device and the VPN provider, which protects your IP address and transmitted data on networks you do not control, such as public Wi-Fi without a WPA2 key. A VPN does not stop ransomware by itself; treat it as one layer among the others listed here.
  • Create a blocklist: Filtering known-malicious domains, URLs and IP addresses at the browser, DNS or firewall level stops users from reaching them even if they click a bad link.

Implementing mitigation best practices, such as strong passwords, antivirus software, regular backups, and staying vigilant against phishing attempts, can help keep you from falling victim to a ransomware attack. Stay safe and protect your digital world with Panda Security.

Sources: U.S. Department of State, CISA, TechTarget, The Guardian, and Dark Reading

Clickjacking: Definition and Attack Prevention
https://www.pandasecurity.com/en/mediacenter/malware/clickjacking/
Published Fri, 30 Jun 2023


Clickjacking can be described as a dangerous form of online hide-and-seek. 

Attackers load a legitimate, recognizable page invisibly on top of a decoy page they control and wait for users to click in exactly the wrong place. Unlike the childhood version of hide-and-seek, the seeker in these UI redress attacks always loses the game.

To protect yourself and your devices from cybercriminals, it’s important to know when and where clickjacking is at play. Our in-depth guide can help you better understand the dangers of hidden webpage links.

What Is Clickjacking?

Clickjacking occurs when an attacker embeds a legitimate webpage in a transparent frame layered over a decoy page they control, so that a click the user intends for the decoy lands on a real button or link in the hidden page. The browser delivers that click to the legitimate site together with the user's own cookies, so the site carries out the action as if the user had chosen it. Attackers use this to take actions on the victim's behalf or to reroute them to unauthorized websites or landing pages.

In addition to rerouting traffic, clickjacking could lead to:

  • The theft of login credentials, including usernames and passwords
  • Unauthorized access to cameras and microphones
  • The spread of malware
  • An increase in online scam success
  • Unsolicited purchases
  • Unapproved payments to ad and e-commerce sites


Types of Clickjacking

The goal of clickjacking attacks is fairly standard: trick a user into activating a button or link they cannot see. There are, however, several variations cybercriminals use to reach that outcome:

  • Likejacking: “Like” buttons on social media pages are hijacked and cause users to interact with unintended or dangerous pages and profiles.
  • Cursorjacking: Cybercriminals mask the location of a user’s cursor so it appears to be on a different part of a page than it actually is.
  • Cookiejacking: Hackers steal a user’s cookies, which contain sensitive data that can be used to imitate the user.
  • Filejacking: Filejackers place frames over “browse files” buttons, which causes victims to unintentionally give cybercriminals access to their online files.
  • Mousejacking: Criminals remotely control the functions of a device and are able to click items, type commands and create code. Strictly speaking this is a wireless-peripheral attack, which injects input through the receiver of a wireless mouse or keyboard, rather than a UI redress attack, but it is often listed alongside clickjacking.

Clickjacking Attacks

In a clickjacking attack, users think they are taking one action, but an invisible frame causes them to take a different, unexpected one. These attacks range from incredibly dangerous to merely inconvenient, and they can be the catalyst for larger attacks.

Clickjacking attacks can be grouped as self-contained, multistep or combined.

Self-Contained Attacks

Most clickjacking attacks are considered self-contained attacks because they rely on one action. In these cases, a user will click on an invisible webpage frame and take an unknown or unauthorized action.

Multistep Attacks

Similar to self-contained attacks, multistep clickjacking attacks use client-side actions to initiate strikes. These attacks are precise and require users to click on multiple invisible frames to work successfully. For example, a hacker who wants a user to make an unauthorized purchase must set up additional frames that cause users to add items to a shopping cart before their final click.

Combined Attacks

While many clickjacking attacks are self-contained, they can also be used to execute combined attacks. In these cases, hackers will successfully trick users into falling for a clickjacking attack, which can also execute larger malicious strikes. Clickjacking and DOM XSS attacks — attacks that target client-side code and cause webpages to act in a malicious manner — are common combination attacks that modify code and run unauthorized client-side actions.

Clickjacking Example

Clickjacking attacks have been successful in larger corporations like Facebook, Twitter and PayPal. However, these types of online attacks also target individual users.

For example, a cybercriminal may build a fake landing page or frame a legitimate website inside a page they control. In both cases, a clickjacking attack can occur like this:

  1. Users will open and load a targeted website or webpage.
  2. Enticing buttons like “Play Now” or “Win A Free Trip” will populate.
  3. Users will attempt to click a button.
  4. Users will click the transparent or hijacked frame instead.
  5. Users will follow the bad actor’s button instead, potentially leading to the transfer of funds to the criminal, account deletion or any other type of malicious action.

In many cases, these attacks are hard to trace back to the cybercriminal: in the legitimate site's logs, the action appears as an ordinary request made by the user's own authenticated session.

Clickjacking Prevention

Clickjacking can occur on any website that can be framed, so clickjacking prevention measures usually attempt to restrict the framing capabilities of a site. Prevention techniques can be used both client-side and server-side.

Client-Side Prevention

Prevention measures that can be enacted by a user on their own devices or webpages without the help or knowledge of a network server are known as client-side prevention techniques. These techniques can usually be bypassed, so they are best used with other server-side methods.

Clickjacking Frame Busting Script

Frame-busting (or frame-breaking) scripts are JavaScript that a page includes so that, when it loads, it can check whether it is the top-level window and, if not, refuse to render or navigate the top window to itself. The technique is browser-dependent and can be neutralised by an attacker with HTML and JavaScript knowledge, for instance by loading the page in a sandboxed iframe that is not allowed to navigate the top window. Even so, a well-written script can:

  • Make invisible webpage frames viewable
  • Stop invisible frames from being clickable
  • Identify and protect against clickjacking attempts
  • Ensure the intended window is not covered by an invisible frame
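As an added example, not code from the original article, here is a defensive frame-busting script written the way OWASP recommends, plus mock window and document objects (constructed for the example) so the decision logic can be exercised outside a browser. The element id antiClickjack and the hostnames are assumptions.

```javascript
// Added example (not from the original article): a defensive frame-busting
// script. The page ships with a <style> element that hides the body; the
// script removes that style only after confirming the page is the top-level
// window, and otherwise tries to navigate the top window to itself. If the
// framing page uses <iframe sandbox> without allow-top-navigation, the
// navigation throws, but the body stays hidden, so there is nothing to click.
// The mock window/document helpers are constructed for offline demonstration.

// True when `win` is not the top-level browsing context. Reading win.top can
// throw in some cross-origin setups; if it throws, the page is framed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (err) {
    return true;
  }
}

// Runs the frame-busting decision for one window/document pair and returns
// what it did: 'top-level', 'framed-busting' or 'framed-blocked'.
function applyFrameBuster(win, doc) {
  if (!isFramed(win)) {
    // Safe to render: remove the style that hides the page body.
    const hider = doc.getElementById('antiClickjack');
    if (hider && hider.parentNode) hider.parentNode.removeChild(hider);
    return 'top-level';
  }
  try {
    // Framed: try to replace the framing page with ourselves. Assigning
    // top.location is permitted cross-origin unless the frame is sandboxed.
    win.top.location = win.self.location;
    return 'framed-busting';
  } catch (err) {
    // Sandboxed or otherwise blocked; the body remains hidden as a fallback.
    return 'framed-blocked';
  }
}

// --- constructed mocks so the logic can be exercised outside a browser ---

// framed=false: top is the same object as self. framed=true: a different top
// window. framed='sandboxed': any access to top throws, as it does inside
// <iframe sandbox> without allow-top-navigation.
function mockWindow(framed) {
  const self = { location: 'https://bank.test/transfer' };
  if (framed === 'sandboxed') {
    return { self, get top() { throw new Error('SecurityError: sandboxed frame'); } };
  }
  const top = framed ? { location: 'https://attacker.test/decoy' } : self;
  return { self, top };
}

// A document holding the hiding <style id="antiClickjack"> element; `removed`
// records which element ids the script removed.
function mockDocument() {
  const removed = [];
  const style = { id: 'antiClickjack' };
  style.parentNode = { removeChild: (el) => removed.push(el.id) };
  return { removed, getElementById: (id) => (id === 'antiClickjack' ? style : null) };
}

// In a real page, put <style id="antiClickjack">body{display:none !important;}</style>
// in <head> and run this as early as possible in the document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBuster(window, document);
}
```

The "hidden by default" style is the important part: the older one-liner `if (top != self) top.location = self.location;` fails open when the navigation is blocked, whereas this version fails closed. It is still only a client-side fallback; the X-Frame-Options and CSP headers described under Server-Side Prevention are what actually stop the page from being framed.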

Anti-Clickjacking Extensions

Browser extensions can help prevent clickjacking, but they may disable JavaScript and negatively impact a webpage’s user experience. When installed, these JavaScript blockers may prevent popular sites like YouTube and Facebook from opening. 

Malicious browser extensions also exist and could cause additional issues for some users. If you choose to disable JavaScript with an anti-clickjacking extension, research your options or choose trusted sources like ScriptSafe or NoScript.

Antivirus Software

Dependable antivirus software works around the clock to keep devices protected from a variety of malicious attacks. In the case of clickjacking, antivirus software can warn users before they enter potentially dangerous websites, and it can help keep data and information secure in the event of a successful attack.


Server-Side Prevention

Defense mechanisms that need to be created and enacted by a server are known as server-side prevention techniques. These cannot be set up or used by a client and are only successful when implemented within the server.

X-Frame-Options

Originally created for Internet Explorer, X-Frame-Options was quickly adopted as a clickjacking prevention method by other browsers. It is an HTTP response header that tells the browser whether the page may be rendered inside a frame, iframe, embed or object, using one of these values:

  • X-Frame-Options: DENY prevents the page from being framed by anyone, including pages on the same site
  • X-Frame-Options: SAMEORIGIN allows framing only by pages from the same origin
  • X-Frame-Options: ALLOW-FROM https://any-site.com was meant to allow framing by one named site

X-Frame-Options: ALLOW-FROM was never widely supported and current browsers ignore it entirely, which leaves the page frameable by anyone, so it should not be relied on. Use DENY or SAMEORIGIN, and combine the header with a Content Security Policy to create a multifaceted clickjacking prevention method.

Content-Security-Policy

Content-Security-Policy (CSP) is a response header that gives the browser a list of allowed sources for scripts, styles, frames and other content, so it can block, and report, attempts to load anything else. Its frame-ancestors directive governs which pages may embed this one, and where both headers are present, browsers that understand frame-ancestors follow it and ignore X-Frame-Options.

Similar to X-Frame-Options, CSP has specific protection directives:

  • Content-Security-Policy: frame-ancestors 'none' forbids all framing
  • Content-Security-Policy: frame-ancestors 'self' permits framing only from the page's own origin
  • Content-Security-Policy: frame-ancestors any-site.com permits framing only from the listed sites (wildcards such as *.any-site.com are accepted)

When created properly and implemented within a multi-layer strategy, server-side prevention methods are incredibly successful at protecting against clickjacking attempts.
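As an added example, not the article's own code and not a browser implementation, the function below evaluates a response's X-Frame-Options and Content-Security-Policy headers the way a current browser would, and shows the two caveats above in practice: frame-ancestors overrides X-Frame-Options when both are present, and ALLOW-FROM gives no protection at all. The helper antiClickjackHeaders() returns the header pair to send. The origins and partner names are made up, only a single framing ancestor is considered, and default-port normalisation is left out.

```javascript
// Added example (not from the original article): evaluate the framing policy
// expressed by X-Frame-Options and CSP frame-ancestors. Simplifications: only
// one framing ancestor is considered (browsers check every ancestor in the
// chain), and default ports are not normalised. Origins are made up.

// Headers a site should send when it is never meant to be framed; pass the
// origins allowed to frame it otherwise. X-Frame-Options cannot name other
// origins, so SAMEORIGIN is used as the fallback for browsers without CSP.
function antiClickjackHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length ? ["'self'", ...allowedOrigins].join(' ') : "'none'";
  return {
    'X-Frame-Options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
  };
}

// Parses "scheme://host[:port]" into its parts; returns null on anything else.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin.trim());
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' } : null;
}

// Host matching with the CSP "*.example.com" wildcard.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one frame-ancestors source expression permit `framer` to embed `page`?
function sourceMatches(src, page, framer) {
  const s = src.toLowerCase().replace(/^'|'$/g, '');
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') {
    return framer.scheme === page.scheme && framer.host === page.host && framer.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  // A scheme-less host-source matches the page's own scheme, or https.
  if (!scheme && framer.scheme !== page.scheme && framer.scheme !== 'https') return false;
  if (port && port !== '*' && port !== framer.port) return false;
  return hostMatches(hostPattern, framer.host);
}

// True if a browser that understands CSP level 2 would let a page served with
// `headers` from `pageOrigin` be embedded by a frame at `framerOrigin`.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const page = parseOrigin(pageOrigin);
  const framer = parseOrigin(framerOrigin);
  if (!page || !framer) throw new Error('origins must look like scheme://host[:port]');
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]);
  };

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = header('content-security-policy');
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim().split(/\s+/))
      .find((d) => d[0] && d[0].toLowerCase() === 'frame-ancestors');
    // An empty source list means the same as 'none'.
    if (directive) return directive.slice(1).some((src) => sourceMatches(src, page, framer));
  }

  const xfo = header('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return sourceMatches("'self'", page, framer);
    // ALLOW-FROM (and any malformed value) is ignored by current browsers, so
    // the header gives no protection and we fall through to "frameable".
  }
  return true; // no policy at all
}
```

A quick way to use this in a review is to pull the headers from a real response with curl -I and feed them in with your own origin and a hostile one; the response passes only if canBeFramed() returns false for the hostile origin.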

Clickjacking is a threat to all types of online browsers. Keeping devices clean of malware and other malicious software can help keep a user’s browser free of clickjacking vulnerabilities. Panda Security can even help tailor cybersecurity services to a user’s specific protection needs.

Sources: Intellipaat | OWASP | Sepio

List of Malicious Chrome Extensions: 9 Popular Add-Ons
https://www.pandasecurity.com/en/mediacenter/malware/list-of-malicious-chrome-extensions/
Published Fri, 26 May 2023


Shortcuts aren’t just for keyboards. Digital browsers use various online shortcuts regularly — like web extensions — which can help them surf the web quickly.

Unfortunately, not all shortcuts are safe and secure. Our list of malicious Chrome extensions reveals the dangers lurking behind unlisted, poorly scanned and third-party downloads freely available across the web. 

Premium protective services from Panda Security can help keep your browsers and devices safe — even from malicious extensions. Pairing these protections with knowledge about dangerous add-ons, how to detect them and ways to remove them can help online users navigate the web without compromising privacy and security.

What Is a Browser Extension?

A browser extension is software that adds functionality to your browser. Extensions can read and modify the pages you visit, act on your behalf in the browser and add features across every site you browse, which is exactly why a malicious one is so dangerous.

Some of the most common browser extensions are Grammarly, AdBlock, LastPass, Google Calendar and Scribe. While most browser extensions are harmless and can be incredibly useful, users are still able to unknowingly download malicious software that can access personal information or cause damage to devices.


Popular Malicious Chrome Extensions

Google’s Chrome is the most popular web browser across the globe, supporting more than 130,000 unique browser extensions. Most of these unique extensions are safe and supported by Chrome itself, but a few popular extensions have been identified as malicious. 

These malicious Chrome extensions can contain malware, insert affiliate links into webpages and internally damage systems. This list includes some of the most notorious extensions Chrome users should be aware of.

Netflix Party

Designed to allow synchronized media viewing, the Netflix Party extension was actually used for affiliate links. This add-on would track a user’s digital footprint and inject affiliate links into appropriate pages. The owners of this extension can then make a profit based on the user’s browsing history.

Netflix Party 2

Netflix Party 2 behaved like its predecessor, injecting affiliate links into a user's browsing. Add-ons of this kind, including both Netflix Party extensions, may conceal their intent by waiting several days after installation before they begin injecting links.

Full Page Screenshot Capture — Screenshotting

More than 200,000 users downloaded the Full Page Screenshot Capture — Screenshotting Chrome extension before its malicious behavior was uncovered. Designed to screenshot webpages in one click, this extension also tracked user data and changed the location of certain cookies on e-commerce sites to disguise a user’s origin URL as a referral site.

friGate Light

Chrome extensions have various uses, and friGate Light was designed to access locked sites and encrypt user traffic data. However, this extension also housed malware, which was used to access user data. Additionally, users downloading this extension were asked to provide friGate Light with permission to access sensitive data.

friGate CDN

Similar to friGate Light, friGate CDN was designed to provide users access to blocked websites. This extension also housed malware, which could access sensitive user data. This extension also redirected users to secondary sites via its proxy, which could have been used to collect data and further infect devices.

SaveFrom.Net

Have you ever wanted to download media from your favorite sites — YouTube, TikTok, Facebook and more — with one click? If so, you’re not alone, and that’s why SaveFrom.Net became popular. This extension allows users to download videos and music, but it also collects user data like IP addresses and browsing behavior, which has been and can be leaked when using the site.

SHARPEXT

SHARPEXT is well-known in the world of email spyware. This extension was created and deployed by SharpTongue, also known as Kimsuky. SharpTongue is an infamous bad actor known for stealing and revealing private information — including usernames and passwords. SHARPEXT was designed to infiltrate email accounts, extract sensitive data and continuously spy on user behaviors.

Hola VPN – The Website Unblocker

It’s frustrating when you need to access a website or want to watch a movie, but your country is blocked from doing so. Hola VPN is a free, unlimited website unblocker created to remove these roadblocks from a user’s online experience. However, this malicious Chrome extension has experienced various security breaches and weaknesses while secretly tracking behavior and leaving web traffic unencrypted.

Dormant Colors Campaign

The extension campaign, Dormant Colors, isn’t a single malicious Chrome extension — in fact, it’s 30 unique, dangerous add-ons that millions of users have downloaded. These extensions were injected with malicious code after their initial introduction to the web store and corrupted into information-stealing extensions. Unfortunately, this campaign is still operational even though many affected extensions have been deactivated.

How to Detect Malicious Chrome Extensions

The above list of malicious Chrome extensions only contains the most popular and dangerous add-ons. It is possible — and probable — that other extensions also contain dangerous malware or other malicious programs. These tips can help you identify malicious Chrome extensions on your devices:


  • Analyze an extension's reviews and installs. Users who have fallen victim to a malicious Chrome extension often say so in a review, and an extension with very few installs has had fewer people looking at it.
  • Pay attention to permissions. Compare what an extension asks for with what its feature actually needs: a screenshot tool has no reason to read your data on all websites or your cookies. The Web Store listing and the extension's details page both show the permissions.
  • Investigate extension owners. Where possible, only download extensions created and distributed by well-known companies or developers with a track record, to limit the chance of a malicious download.
  • Keep devices and Chrome updated. Chrome updates include new protections against identified malware and known-bad extensions, and the browser can disable extensions Google has removed from the Web Store for containing malware.
  • Install antivirus software. This software will notify you of malicious activity on your device.
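The permissions check above can be done mechanically. The following is an added example, not code from the original article: a small static triage of a Chrome extension manifest.json that flags the permission combinations which let an add-on read or rewrite every page you visit, the capability the affiliate-link injectors and SHARPEXT described above depend on. The two sample manifests are constructed for the example, and the risk thresholds are an assumption of this example, not a rule Google publishes.

```javascript
// Added example (not from the original article): static triage of a Chrome
// extension manifest. The sample manifests are constructed and the risk
// thresholds are this example's assumption.

// Host patterns that cover every site.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions whose reach goes well beyond a single page.
const SENSITIVE_PERMISSIONS = {
  webRequest: 'can observe every request, including headers',
  webRequestBlocking: 'can block or rewrite requests (Manifest V2)',
  declarativeNetRequest: 'can redirect or rewrite requests by rule',
  cookies: 'can read and set cookies on permitted hosts',
  history: 'can read browsing history',
  tabs: 'can read the URL and title of every open tab',
  webNavigation: 'can track navigation in every tab',
  scripting: 'can inject scripts into permitted pages',
  nativeMessaging: 'can talk to a native program on the computer',
  debugger: 'can attach the DevTools protocol to tabs',
  proxy: 'can route all browser traffic through a proxy it chooses',
  management: 'can list and disable other extensions',
  clipboardRead: 'can read the clipboard',
};

// Permissions that turn broad host access into the ability to change what the
// user sees or sends, rather than merely watch it.
const ESCALATORS = ['webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'scripting', 'cookies', 'debugger', 'proxy'];

const isBroadHostPattern = (p) => BROAD_HOST_PATTERNS.includes(p);

// Returns { risk, findings } for a parsed manifest.json object.
function assessManifest(manifest) {
  const findings = [];
  const apiPerms = [];
  const hostPerms = [];

  // Manifest V2 mixes host patterns into `permissions`; V3 moves them to
  // `host_permissions`. Content script `matches` grant page access as well.
  for (const p of manifest.permissions || []) {
    (p === '<all_urls>' || p.includes('://') ? hostPerms : apiPerms).push(p);
  }
  hostPerms.push(...(manifest.host_permissions || []));
  const contentScripts = manifest.content_scripts || [];
  for (const cs of contentScripts) hostPerms.push(...(cs.matches || []));

  const broad = [...new Set(hostPerms.filter(isBroadHostPattern))];
  if (broad.length) findings.push(`broad host access: ${broad.join(', ')}`);
  for (const p of apiPerms) {
    if (SENSITIVE_PERMISSIONS[p]) findings.push(`${p}: ${SENSITIVE_PERMISSIONS[p]}`);
  }
  // The Web Store adds update_url when it packages an extension; an installed
  // copy without it was sideloaded and gets no store review or remote removal.
  if (!manifest.update_url) findings.push('no update_url: not installed from the Chrome Web Store');

  const broadContentScript = contentScripts.some((cs) => (cs.matches || []).some(isBroadHostPattern));
  const hasEscalator = apiPerms.some((p) => ESCALATORS.includes(p));
  let risk = 'low';
  if (broad.length && (hasEscalator || broadContentScript)) risk = 'high';
  else if (broad.length || apiPerms.some((p) => SENSITIVE_PERMISSIONS[p])) risk = 'medium';
  return { risk, findings };
}

// Constructed sample: a "screenshot" helper that asks for far more than the
// activeTab permission a screenshot tool actually needs.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: 'Page Screenshot Helper (constructed sample)',
  version: '1.0.2',
  permissions: ['activeTab', 'cookies', 'declarativeNetRequest', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_start' }],
  background: { service_worker: 'bg.js' },
};

// Constructed sample: the same feature with only the permissions it needs.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: 'Page Screenshot (constructed sample)',
  version: '1.0.0',
  permissions: ['activeTab', 'storage'],
  update_url: 'https://clients2.google.com/service/update2/crx',
};

// Usage: running this file prints a verdict and the reasons for each sample.
for (const m of [SUSPICIOUS_MANIFEST, MINIMAL_MANIFEST]) {
  const { risk, findings } = assessManifest(m);
  console.log(`${m.name}: ${risk}`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

To run it against a real add-on, load the manifest.json from the extension's folder under your Chrome profile and pass the parsed object to assessManifest(). A high verdict is not proof of malice, but it is the point at which the extension's reviews, owner and update history deserve a closer look before you keep it installed.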

How to Remove an Extension From Chrome

Like removing a virus, malicious extensions should be removed from Chrome as soon as they are detected. With Chrome installed on your device, you can remove an add-on in seven simple steps.

Step 1: Launch Chrome.

Step 2: Open the Chrome menu via the three vertical dots in the upper right corner.

Step 3: Open the Extensions submenu (in older versions of Chrome it sits under More Tools).

Step 4: Click Manage Extensions (or Extensions). Typing chrome://extensions in the address bar opens the same page directly.

Step 5: Identify the extension you want to remove by scrolling down the page or searching for the add-on's name.

Step 6: Select Remove.

Step 7: In the pop-up, select Remove again.

Repeat these steps as often as needed to remove any malicious or unwanted extensions from Chrome. Afterwards, change the passwords of accounts you used while the extension was installed, since it may have had access to them, and consider a private search engine to limit how much of your browsing is tracked.

While the add-ons on this list of malicious Chrome extensions do exist and can cause extensive damage to personal devices, Panda Security can help clean up your PC and optimize its systems. Chrome consistently updates add-ons and removes well-known malware from its extension library — providing additional protection against digital dangers.

Sources: Software Testing Help | Oberlo | Bleeping Computer | Wonderfox | Volexity | Top10VPN

11 Types of Malware and How to Prevent Them
https://www.pandasecurity.com/en/mediacenter/mobile-news/types-of-malware/
Published Thu, 05 Jan 2023


Infected emails, malicious links, backdoor threats and even targeted advertisements can all be malware carriers. Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. These cyber attacks can cause financial and personal harm, including data breaches and system damages. 

Whether or not you already use a VPN for browsing, our in-depth guide covers the 11 types of malware you should be aware of, what malware is, and how to prevent it from overwhelming your systems.


What is Malware?

Malware is software designed to attack, control or damage a device and the systems it connects to. Once launched, it attaches itself to a program or device it has chosen. For malware to infect a device, it first has to get there, and some of the most common delivery routes include:

  • Phishing: Phishing consists of an attacker posing as a trustworthy individual or site to convince a target to reveal personal or valuable information.
  • Social engineering: Similar to phishing, social engineering gains a target’s trust in order to obtain information. This type of tactic harnesses human error and interactions in order to receive information. 
  • Pop-ups: Advertisements and pop-ups can include malicious links or lead to fake landing pages where malware is waiting to infiltrate a system.
  • Drive-by downloads: Visiting fake websites that host malware exploit kits can compromise systems.  
  • Shared networks: Shared networks with a malware-infected device may spread malware to other network devices.

As internet technology and security has matured, so has malware. Today, most malware is considered hybrid malware, which is a combination of malware types. For example, many malware attacks will use trojans, worms, viruses and more in order to effectively invade a target system.


Common Types of Malware

While there are a variety of malware types and sub-types, there are 11 specific types of malware that are considered the most common. These types of malware include:

1. Ransomware

Ransomware is malware that encrypts the files on an infected device. Once the files are encrypted, the device is effectively unusable because none of the data stored on it can be opened.

The attackers then demand a ransom in exchange for the decryption key. Because there is no guarantee that they will hand over a working key, paying is not an ideal solution. To limit the damage, keep a current backup of your files somewhere the infected device cannot write to, so you can restore the device yourself.

Types of Ransomware:

  • Rogue security software: Fake antivirus or scareware that claims to have found a virus or security breach and demands payment to remove the non-existent problem. It is usually grouped with ransomware because it extorts payment in the same way.
  • Crypto-malware: Ransomware that encrypts the victim's files and, almost always, demands payment in cryptocurrency. The same term is sometimes used for cryptojacking malware that secretly mines cryptocurrency on the victim's device.

2. Fileless Malware

Fileless malware runs from memory using tools already present on the system, such as document macros, PowerShell or WMI, rather than dropping its own executable file. Because it hijacks programs the system already trusts and leaves little on disk, it is difficult to catch with file-based scanning alone.

To protect your devices against fileless malware, give accounts only the privileges they need, restrict who can run scripting and administration tools, and turn on multifactor authentication so that stolen credentials alone are not enough for a hacker to get in and operate unnoticed.

3. Adware

Adware does exactly what the name suggests: it tracks your browsing habits and pushes ads and spam at you. Even when it installs little beyond the ad component, it can hamper performance and open the door to other attacks.

Malvertising is related but distinct: malicious ads placed on otherwise legitimate sites that plant dangerous code on a device when a link, pop-up or advertisement is clicked, or sometimes merely displayed. Keeping the operating system and browser updated and using spam and ad filters helps protect devices against both.

4. Trojans

Trojans, named after the Greek legend of the Trojan Horse, are a type of malware that sneaks onto a victim’s device. Once installed, the trojan waits to be activated before attacking.

This form of malware may delete and damage data or simply create a backdoor, allowing hackers to access and use the infected device when they choose. Trojans are a popular way to connect devices to botnets — another type of malware — or launch distributed denial-of-service attacks (DDoS).

5. Spyware

Modern systems protect passwords and sensitive data with encryption in transit and at rest. Spyware sidesteps that protection by capturing the data on the device itself, before it is encrypted or after it is decrypted for use.

Once installed, spyware collects and logs usage data — including the websites you visit, credentials you use and keyboard buttons you push. This information is periodically updated, reported and reassembled, allowing the hacker to read your passwords and use them to break into your online accounts.

Types of spyware:

  • Keyloggers: Keyloggers are a type of spyware that monitors the keystrokes on your keyboard. These can be used to steal password data, bank information and more.
  • Grayware: While not a form of malware itself, grayware can affect the performance of a device as well as monitor its user’s behaviors and history.
  • RAM scrapers: RAM scrapers steal and store data from devices before it can be encrypted. For example, point-of-sale devices temporarily store credit card information, which can be monitored and stolen by RAM scrapers.

6. Viruses

Viruses may be one of the most commonly known types of malware. These invaders can affect device speed and performance, steal sensitive data, damage and destroy files and create backdoor opportunities for larger scale attacks.

Viruses depend on a host file or application to run and spread. Removing a virus means cleaning or replacing the infected host file as well. Because viruses can spread to additional systems, installing antivirus software is the best way to keep this type of malware off your devices.

Type of Virus:

  • Logic bombs: Logic bombs will only attack a system once they have been triggered. These triggers can be a certain date and time, a specific number of logins or the startup of a certain application. These are used by viruses to deliver malicious code at specified times, and they can go completely undetected until triggered.

7. Worms

A worm is self-replicating malware that, unlike a virus, needs no host program and no user action to spread to other devices on a shared network. This means an infection on your home PC can quickly spread to your laptop, phone and any other systems connected to the same network.

While the infection may not necessarily damage or delete files, it can cause your devices and network to slow down or become unresponsive. This type of malware may also use your digital address book to email itself to other people you know, potentially infecting their devices, too.

8. Rootkits

Injected into applications and firmware, rootkits are a type of malware that gives hackers complete remote control of an infected device. Because this software gives attackers administrative privileges, they can conceal other malware attacks and affect different types of files.

Rootkits were not initially created as malware, but their remote capabilities have made them a favorite attack option of hackers. Multifactor authentication and limited administrative credentials can help protect against this malware type.

9. Botnets

A botnet is a network of bots: software that follows automated, remote commands. While many botnets and bots are used for important, legitimate tasks — like search engine indexing — they can also be used as a type of malware that attacks central servers.

If botnets are used for flood attacks like DDoS attacks, they can incapacitate systems, servers and devices. Additionally, botnets can include large numbers of devices, so they can be difficult to shut down completely.

10. Mobile Malware

Unlike traditional types of malware, mobile malware is designed to target a specific type of device: mobile devices. Mobile malware for smartphones, tablets and other mobile devices can spy on user actions, steal credentials, overtake administrative privileges and more.

Mobile malware is frequently spread through SMS phishing (smishing) and text message scams. Trojans, ransomware and adware targeting mobile devices can also be considered mobile malware. Additionally, jailbroken phones are at a higher risk of a mobile malware invasion.

11. Wiper Malware

Wiper malware is a type of malware with the sole purpose of erasing data and making it unrecoverable. Attackers who use wiper malware target both private and public organizations.

Wiper malware is also used after other malware attacks. Because it can erase and destroy data, attackers use wiper malware to remove traces of an intrusion, which can make organizational recovery difficult or impossible.

How To Prevent Malware

Preventing malware from infecting your devices can be difficult. If malware manages to invade your systems, it can move from device to device, slow down entire servers and steal, delete or encrypt sensitive data. To prevent this from happening, follow these 6 tips:

Illustration detailing 6 ways to prevent malware infections.

  1. Use multifactor authentication. Multifactor authentication adds additional security to accounts, including banking, social and shopping accounts. This can help protect your credentials and passwords.
  2. Don’t click suspicious links. Many attackers embed malware into email links or pop-ups. Avoid clicking anything that doesn’t come from a trusted source.
  3. Adjust email security settings. Email is one of the most common delivery methods for malware. Keeping spam filters high and email security on can reduce the amount of infected messages landing in your inbox.
  4. Regularly back up files. If your device is invaded by malware — like ransomware or a virus — you can restore your device’s most recent files. This can help you remove malware without paying ransoms or infecting other devices.
  5. Keep devices updated. Device updates frequently include security updates to patch holes and potential backdoor entries. Enabling automatic updates or updating a device as soon as new software is available can help keep you protected.
  6. Remove malicious apps or downloads. If your device becomes infected, remove the malware, app or download as soon as possible. Each device has a different removal process, so be sure to research the safest way to remove malware before diving in.

Most importantly, install antivirus software on all of your devices. Because all types of malware can cause varying levels of damage — from simple annoyances to total data loss — they should never go ignored, tolerated or concealed. In addition to antivirus software, our Panda Dome security toolkit can help prevent malware installation, and it can detect, block and clean viruses that may already be infecting your devices.

What Is a Smurf Attack? https://www.pandasecurity.com/en/mediacenter/malware/smurf-attack/ Thu, 21 Apr 2022 17:52:37 +0000


A Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker floods a victim’s server with spoofed Internet Protocol (IP) and Internet Control Message Protocol (ICMP) packets. As a result, the target’s system is rendered inoperable. This type of attack gets its name from a DDoS.Smurf malware tool that was widely used in the 1990s. The small ICMP packet generated by the malware tool can cause significant damage to a victim’s system, hence the name Smurf.

How Does a Smurf Attack Work?

Smurf attacks are similar to a form of denial-of-service (DoS) attack called a ping flood, since they’re accomplished by flooding a victim’s computer with ICMP Echo Requests. The steps in a Smurf attack are as follows:

  1. Attacker locates the target’s IP address: An attacker identifies the target victim’s IP address.
  2. Attacker creates spoofed data packet: Smurf malware is used to create a spoofed data packet, or ICMP Echo Request, that has its source address set to the real IP address of the victim.
  3. Attacker sends ICMP Echo Requests: The attacker deploys ICMP Echo Requests to the victim’s network, causing all connected devices within the network to respond to the ping via ICMP Echo Reply packets.
  4. Victim is flooded with ICMP replies: The victim then receives a flood of ICMP Echo Reply packets, resulting in a denial-of-service to legitimate traffic.
  5. Victim’s server becomes overloaded: With enough ICMP Reply packets forwarded, the victim’s server is overloaded and potentially rendered inoperable.


Smurf Attack Amplifiers

Another component of Smurf attacks that increases their damage potential is the use of Smurf amplifiers. The amplification factor correlates to the number of hosts on the victim’s IP broadcast network.

For example, an IP broadcast network with 300 hosts will yield 300 responses for every fake ICMP Echo Request. This enables an attacker with low bandwidth to successfully disable a victim’s system, even if that system has much higher bandwidth. Smurf amplifiers can be deployed as long as the attacker maintains a connection and the amplifiers are broadcasting the ICMP traffic.
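Seen from the victim, the attack steps and the amplification described above leave a distinctive trace: a burst of ICMP Echo Replies from many distinct hosts that the victim never pinged. The following detector is an added example (not code from the original post); the packet records, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed here for illustration.

```python
"""Smurf-style ICMP Echo Reply flood detector (added example, not from the post).

From the victim's side a Smurf attack shows up as a burst of ICMP Echo Replies
from many distinct hosts, none of which the victim ever pinged, because the
Echo Requests were spoofed by the attacker. Replies to the victim's own
requests are matched and ignored, so a legitimate ping sweep raises no alert.
"""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    ts: float       # capture time in seconds
    src: str        # source IP
    dst: str        # destination IP
    icmp_type: int  # 0 = Echo Reply, 8 = Echo Request
    icmp_id: int    # identifier field; a reply echoes the request's id


def detect_smurf(packets, window=1.0, reply_timeout=5.0,
                 min_replies=50, min_sources=20):
    """Return one alert per (victim, time window) that looks like a Smurf flood.

    A reply is *solicited* when its destination sent an Echo Request with the
    same id to the same source no more than reply_timeout seconds earlier.
    Unsolicited replies are bucketed per destination and window; a bucket with
    at least min_replies replies from at least min_sources distinct hosts is
    reported. The estimated amplification factor is replies per distinct
    request id, since every host on the broadcast network echoes the same id.
    """
    outstanding = {}              # (requester, target, id) -> request time
    buckets = defaultdict(list)   # (dst, window index) -> [(src, id), ...]

    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type == ECHO_REQUEST:
            outstanding[(p.src, p.dst, p.icmp_id)] = p.ts
        elif p.icmp_type == ECHO_REPLY:
            sent = outstanding.get((p.dst, p.src, p.icmp_id))
            if sent is not None and 0.0 <= p.ts - sent <= reply_timeout:
                continue  # the host really asked for this reply
            buckets[(p.dst, int(p.ts // window))].append((p.src, p.icmp_id))

    alerts = []
    for (dst, idx), entries in sorted(buckets.items()):
        sources = {src for src, _ in entries}
        ids = {icmp_id for _, icmp_id in entries}
        if len(entries) >= min_replies and len(sources) >= min_sources:
            alerts.append({
                "victim": dst,
                "window_start": idx * window,
                "replies": len(entries),
                "sources": len(sources),
                "est_amplification": round(len(entries) / len(ids)),
            })
    return alerts


VICTIM = "192.0.2.10"   # constructed victim address (documentation range)
ADMIN = "192.0.2.20"    # constructed host that runs a legitimate ping sweep


def build_sample():
    """Constructed traffic, not a real capture: a 300-host amplifier network
    answering two spoofed requests, plus a legitimate 30-host ping sweep."""
    amplifiers = ([f"198.51.100.{i}" for i in range(1, 255)]
                  + [f"203.0.113.{i}" for i in range(1, 47)])  # 300 hosts
    pkts = []
    # Every amplifier host answers each spoofed request, replying to VICTIM.
    for req_no, base_ts in enumerate((10.0, 10.4)):
        for n, host in enumerate(amplifiers):
            pkts.append(IcmpPacket(base_ts + n * 0.001, host, VICTIM,
                                   ECHO_REPLY, 0x1234 + req_no))
    # ADMIN pings 30 hosts and gets 30 replies: solicited, so no alert.
    for n in range(1, 31):
        target = f"192.0.2.{100 + n}"
        t = 20.0 + n * 0.01
        pkts.append(IcmpPacket(t, ADMIN, target, ECHO_REQUEST, 0x0042))
        pkts.append(IcmpPacket(t + 0.002, target, ADMIN, ECHO_REPLY, 0x0042))
    return pkts


if __name__ == "__main__":
    for alert in detect_smurf(build_sample()):
        print(alert)
```

With the constructed sample the detector reports a single window against 192.0.2.10 with 600 replies from 300 sources and an estimated amplification of 300, matching the 300-host figure in the text, while the admin's sweep produces nothing.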

Smurf Attack Example

To put this type of attack into simpler terms, it’s helpful to picture a metaphorical Smurf attack example. Think of a trickster (the DDoS.Smurf malware) calling an office (the IP broadcast network) while masquerading as the company’s CEO.

In our example, the trickster asks a manager to tell every employee to return his call (the ICMP Echo Requests) on his private number to give a project status update — but the private number (the spoofed IP address) actually belongs to the trickster’s targeted victim. As a result, the victim receives an onslaught of unwanted phone calls (the ICMP Echo Replies) from each employee in the office.

Types of Smurf Attacks

Smurf attacks are generally categorized as basic or advanced. The only difference between the two is the scale of the attack.

  • Basic: The attacker floods a single victim’s network with ICMP Echo Request packets.
  • Advanced: The attack is identical to a basic attack, except the Echo Request packets are configured to allow them to respond to additional third-party victims, enabling the attacker to target multiple victims at once.


What’s the Difference Between a Smurf Attack and a DDoS Attack?

A DDoS attack aims to prevent victims from accessing their network by flooding it with fake information requests. A Smurf attack is a form of a DDoS attack that renders a victim’s network inoperable in a similar way, but the difference is that it does so by exploiting IP and ICMP vulnerabilities. Leveraging these vulnerabilities is what sets a Smurf attack apart, in turn increasing the potential for damage.


What’s the Difference Between a Smurf Attack and a Fraggle Attack?

Both a Fraggle attack and a Smurf attack are forms of a DDoS attack that aim to flood a victim’s system with fake information requests. The difference is that while a Smurf attack uses spoofed ICMP packets, a Fraggle attack uses spoofed User Datagram Protocol (UDP) traffic to achieve the same goal. Everything else about these attacks is the same.

Consequences of a Smurf Attack

While the goal of a Smurf attack is to render a victim’s system useless for hours or even days, it can also be the first step toward more harmful attacks like data theft or identity theft. Either way, the consequences of a Smurf attack remain:

  • Revenue loss: A company server that’s inoperable for hours or days on end often means a halt in business operations, resulting in lost revenue and frustrated customers.
  • Data theft: Attackers can gain unauthorized access to the data on the victim’s host server during an attack.
  • Reputational damage: If your clients’ confidential data is leaked after an attack, it can lead to a permanent breach in their trust and loyalty to your organization.

Mitigation Methods and How to Protect Yourself

Mitigating a Smurf attack comes down to securing your network, which begins with your router. To protect yourself, you’ll need to configure how your routers and devices interact with ICMP packets. This involves two important prevention steps:

  • Disable IP broadcasting on all network routers.
  • Configure your network devices to not respond to ICMP Echo Requests.


If your current router is an older model, it’s wise to invest in a new one, as newer models usually come with the above configurations already in place by default.

In addition to these steps, investing in an antivirus and anti-malware solution to secure your firewalls adds another layer of protection to your network.

As with most cyberattacks, prevention is often the best strategy for protection. While Smurf attacks are nothing new, they remain a common tactic among cybercriminals looking to exploit vulnerable networks. To further protect yourself from cyberattacks in all their forms, consider installing trusted antivirus software to keep all your devices secure.

A new wave of ransomware attack hits up to 1,500 businesses worldwide https://www.pandasecurity.com/en/mediacenter/malware/kaseya-ransomware/ Tue, 06 Jul 2021 21:42:33 +0000


It all started on July 2, when attackers targeted the popular remote management and monitoring (RMM) software from a Florida-based IT services company called Kaseya. By taking advantage of a flaw in Kaseya VSA software, ransomware authors gained access to the RMM system and were able to use it to install ransomware on some of Kaseya’s customers’ networks. Since those customers are managed service providers (MSPs), the ransomware also infected their customers, hundreds of businesses worldwide. Kaseya says the attack didn’t affect users of its SaaS version, only those using the on-premises Kaseya VSA. The attackers are asking $70 million in ransom to restore all the victims.

The main focus of the attack seems to be US MSPs, but the cyber-attack quickly spread internationally, threatening many types of companies. Kaseya says around 1,500 companies are confirmed to have been hit by the ransomware, but it may indirectly affect many others. Kaseya advised all its customers to take on-premises VSA servers offline on Friday and has not yet given them the go-ahead to bring them back online. It is preparing a patch to fix the vulnerability used to get in and plans to release it soon.

WatchGuard Partners and End Users Are Safe and Secure

This weekend’s attack is the latest in a rising barrage of ransomware attacks. According to Forrester, ransomware attacks shot up 500% in 2019, while in 2020 they rose 715% year over year. The good news is that WatchGuard partners and end users using our endpoint products were kept safe in all of these incidents.

Thanks to our Zero Trust approach, we are able to classify and validate 100% of processes running on the endpoints. These levels of visibility and control strengthen our prevention, detection and response capabilities.

Stay informed at Secplicity.org

WatchGuard’s Secplicity blog provides daily video, podcast and editorial content about IT security for today’s busy professional: breaking news, real solutions, useful tips, and all the information that you need.

In fact, Secplicity released all the details of this attack earlier this weekend, making it one of the first and most reliable sources of information about this case.

Subscribe to the email newsletter to keep informed and join our webinar to find out all the details about this attack and tips on how to avoid it.

Webinar: Learnings from the Kaseya Supply Chain Attack and Mass Ransomware Incident

Date: July 8 2021 – 8am PDT (3pm GMT)

Join The Webinar
Silver Sparrow Malware Infected Tens of Thousands of Macs https://www.pandasecurity.com/en/mediacenter/mobile-news/silver-sparrow/ Wed, 03 Mar 2021 11:41:47 +0000


Mac devices located in more than 150 countries worldwide have been infected by malware called Silver Sparrow. Tens of thousands of Apple devices are currently affected, and it is still unclear how they got infected. Cybersecurity experts believe that the new malicious code might be hiding in malicious advertisements, compromised websites, pirated apps, or fake Flash updates. The virus appears to have mainly ended up on Apple devices located in the USA, Germany, the United Kingdom, and Canada. Luckily, the new virus has not yet engaged in malicious activity.

What makes this particular piece of malware mysterious is that no one knows its final goal. Once it has settled into the infected device, the malicious software waits for commands from its creators. However, such orders have not been observed yet. Even though MacWorld says the virus “has no point,” it is possible that this is the first version of a virus that hacker groups are testing. It will not be a surprise if future versions have the potential to be destructive.

The virus registered high infection rates, so it does not appear to be the work of a lone wolf. The fact that Silver Sparrow can infect Apple devices running on Apple’s latest M1 chip also means that the virus is new and will likely be a headache for the Cupertino-based tech giant.

In a statement, Apple said that the malware could no longer spread. They revoked the certificates for the developer accounts used by the malware’s creator to sign the packages. Apple also hinted that they will likely include a layer of protection in the next iOS update. Apple suggested that the safest place to acquire software is the Mac App Store, as code there passes thorough verification before it is offered to Apple customers. However, even though the virus is no longer spreading, there are still affected Macs around the world, and novel strains may resurface. The origins of the malware have not been identified yet.

Even if you are not a Mac user, having high-end antivirus software installed on all your connected devices is a must. In its initial mass spread, Silver Sparrow affected both Intel and Apple silicon processors. It won’t be a surprise if the virus develops further in the near future and becomes able to infect Windows machines too. Luckily, quality antivirus solution providers are always on top of continually evolving threats and ensure customers remain protected from novel viruses.

How to Uninstall WebDiscover Browser https://www.pandasecurity.com/en/mediacenter/malware/how-to-uninstall-webdiscover/ Tue, 29 Dec 2020 16:43:42 +0000


Built for Chrome-based browsers, WebDiscover promises to bring the power of the web to your desktop. And while “a sleek search bar” neatly tucked away sounds nice in theory, users who download the application may find their searches redirected, a slower browsing speed, and intrusive pop-up ads. Whether you’re using Mac or Windows, learn how to uninstall WebDiscover and proactively protect your device against threats with this step-by-step guide.

What is WebDiscover?

WebDiscover is an open-source Chrome-based browser that’s categorized as a potentially unwanted program (PUP) and a type of adware. The program functions as a browser hijacker by anchoring an internet search bar directly on your desktop.


The program claims to enable features like a VPN, streaming service, and media player. When a user searches with the WebDiscover application, the search unnecessarily redirects to safestsearches.com, trovi.com, or search.yahoo.com before a second redirect through the Bing search engine.

Is WebDiscover a Virus?

WebDiscover is considered adware because users typically install it unintentionally since it is bundled with other programs on the internet. 

After WebDiscover is installed, it performs unwanted activities such as:

  • Changing the default browser to WebDiscover 
  • Monitoring browser history
  • Installing the WebDiscover extension
  • Invading your browser with pop-up ads 
  • Slowing browser speed 
  • Redirecting browser searches
  • Infecting your device with possible malware

The longer WebDiscover stays installed on your computer, the more susceptible your computer becomes to viruses and other unwanted programs. 

How to Remove WebDiscover on Windows

If WebDiscover was downloaded without your knowledge from another program, or you find you no longer want the application, follow the steps below to uninstall it from your device.

  • Step 1: WebDiscover runs in the background of your Windows operating system. To close the program, “right-click” the WebDiscover icon in your taskbar and select exit. You’ll need to do this before you can uninstall the program.
  • Step 2: Open your Control Panel by going to the “Start” button in the lower-left corner of your desktop and typing “Control Panel.” Click the icon.   


  • Step 3: Select the “Programs” icon and click “Uninstall a program.”
  • Step 4: Use the search bar to find WebDiscover and click “Powerful uninstall.”


How to Remove WebDiscover From Mac

Removing PUPs on Macs is a straightforward process. Follow the steps below to delete the application and scan your device for any remaining threats. 

  • Step 1: Click the Finder icon on the bottom menu bar and open “Applications.”


  • Step 2: Use the search bar to find the application by typing “WebDiscover.”


  • Step 3: Right-click the icon and click “Move to trash.”


  • Step 4: Right-click the trash bin icon on the bottom menu bar and click “Empty trash.”


How to Remove WebDiscover From Your Browser

WebDiscover can restore itself after deletion if there are any files remaining, so it’s important to uninstall it from not only your operating system but also from your browser. In short, you’ll remove the add-on and change the homepage back to its default setting. 

After removing WebDiscover from your browser, search for any remaining software on your computer by typing detection names into the search bar. Detection names can include PUP.Optional.WebDiscover, Program.Unwanted.3860, HEUR/QVM06.1.3F8B.Malware.Gen, and VirusTotal.

Remove WebDiscover from Chrome


  1. Select “Chrome” in the top menu bar and click “Preferences.”
  2. Click “Extensions” on the left menu bar. 
  3. Find WebDiscover and click “Remove.”
  4. Go back to the general settings menu and click “On startup” on the left menu bar.
  5. Scroll to the bottom of the page and choose “Restore settings to their original defaults” and select “Reset settings.”

Remove WebDiscover from Safari


  1. Select “Safari” in the top menu bar and click “Preferences.” 
  2. Open “Extensions” on the top of the open window. 
  3. Find WebDiscover and click “Uninstall.”

Remove WebDiscover from Firefox


  1. Select “Firefox” in the top menu bar and click “Preferences.” 
  2. Open “Extensions & themes” on the bottom left of the sidebar.
  3. Find WebDiscover and click “Manage.”
  4. Click the three dots on the top right of the extension and choose “Remove.”
  5. Open “Home” from the left of the sidebar. 
  6. Select “Restore defaults” to reset to factory settings. 

To avoid unwanted computer viruses, always practice safe computer habits. A good rule of thumb is to read the license agreements and deselect any software that you’re unfamiliar with during download processes. While WebDiscover itself isn’t generally harmful to your computer, it can significantly decrease the functionality of your operating system. After you have learned how to uninstall WebDiscover and remove it from your browser and OS, run antivirus software on your device to clean your computer from any remaining malware and provide protection from future threats. 

CactusPete APT group takes aim at military and financial targets https://www.pandasecurity.com/en/mediacenter/business/cactuspete-apt-group-new-atrgets/ Tue, 01 Sep 2020 10:23:23 +0000


Nowadays, all types of businesses across all sectors are affected by cybercrime. This year, as the attack surface has grown due to the increase in telecommuting in response to COVID-19, other cyberthreats arising from generalized global uncertainty have also increased. Cybercriminals have not hesitated to take advantage of the situation in order to roll out phishing campaigns, propagate malware, exploit new vulnerabilities, and up the number of DDoS attacks, to name just a few strategies that are jeopardizing the cybersecurity of numerous companies.

Any organization could at some point be a target for cyberattacks. We have witnessed how the APT group dubbed ‘Vicious Panda’ has orchestrated a spear phishing campaign that uses the pandemic to spread the group’s malware. And it is not just the healthcare sector that is being targeted by organized cybercrime. Even the most advanced military institutions in the world, such as DISA (Defense Information Systems Agency), charged with overseeing US Defense Department and White House communications, reported a cyberattack in February that compromised the data of up to 200,000 staff and military personnel.

All these incidents can have grave consequences for victims, from damage to an organization’s reputation to productivity outages or even the complete shutdown of business activity, causing major financial losses. There can be no doubt that the most vulnerable sectors include critical infrastructure and those responsible for safeguarding a nation’s security. When military and diplomatic agencies are targeted, lives could be at risk.

Now CactusPete, an APT group based in China, has entered the fray with attacks targeting military and financial organizations in Eastern Europe.

CactusPete: a highly sophisticated APT

The China-based APT group known as CactusPete has re-appeared with a new campaign aimed at military and financial targets in Eastern Europe, which is a new area of operations for the group, as previously it has appeared to focus on organizations within a limited range of countries: South Korea, Japan, the United States, and Taiwan. Present campaigns seem to show that the gang has its sights on other organizations in Asia and Eastern Europe.

This time, it has upgraded a backdoor to attack military and financial organizations in Eastern Europe and access confidential information. The group used a new variant of the Bisonal backdoor, which allows attackers to steal information, run code on target computers, and move laterally within a network, according to researchers at Kaspersky. Moreover, the speed at which new malware samples are being produced suggests that the group is expanding rapidly, so organizations in the targeted area should keep their guard up. Also, in the 2020 campaign we have seen how the group has improved its techniques, with access to more sophisticated code, such as the ShadowPad modular attack platform.

How to protect systems against an APT

  • Constant vigilance. The best way to prevent any threats from attacking your systems is to know exactly what is happening on them at all times. Panda Adaptive Defense monitors all processes running on systems at all times. It detects any unusual activity and stops unknown processes from executing, thereby dealing with the threat before it can act.
  • Proactive threat hunting. Instead of just reactively responding to malware threats, our security analysts perform active threat hunting. Leveraging all the information harvested from our 30 years of experience in the security industry, these experts search for new threats and compare hypotheses with the data collected through our EDR solution to verify the legitimacy of processes.
  • Raising user awareness about good security practices. To prevent your company’s human potential turning into the weak link in your security chain, it is important that you provide the training required to keep everyone up-to-speed on best security practices.
  • Corporate cyber resilience. This is particularly important for critical targets such as those of the CactusPete APT group. Having a plan to return to normality after a security incident and remedy its effects is critical. The common theme in all strategies analyzed by Panda is prevention, detection, containment, and response.

Zero-day attacks: the cyber equivalent of COVID-19 https://www.pandasecurity.com/en/mediacenter/adaptive-defense/zero-day-attacks-the-cyber-equivalent-of-covid-19/ Fri, 28 Aug 2020 08:34:41 +0000


Cybersecurity has changed markedly over the last few years. The first malware dates back to the 1970s and led to the creation of the first antivirus, Reaper, designed to detect computers infected with the Creeper malware and remove it. Since then, cybersecurity has become increasingly important and is now an essential consideration for any organization.

This evolutionary process has taken us from software based on virus blacklists designed to counter known threats during the professionalization of cybercrime in the 1990s, through the setting up of security perimeters and heuristic strategies that leveraged behavior analysis, until the turning point represented by Stuxnet in 2010, the first known example of a weapon designed for cyberwarfare. This saw malware become much more sophisticated, using stealth techniques and becoming practically undetectable, and leading the way for the first zero-day attacks.

Adversaries are now moving so quickly to discover these zero-day vulnerabilities in software that, according to the Internet Security Report from WatchGuard Technologies, 67 percent of malware during the first quarter of 2020 was encrypted, i.e. delivered over HTTPS. In addition, 72 percent of the encrypted malware was classified as zero-day, so there is no antivirus signature to slow it down as it becomes increasingly undetectable to organizations. This data is in line with the predictions of Gartner, which indicated that during 2020, 70 percent of malware attacks would use encryption.

Zero-day attacks – a cyber pandemic

These figures have no doubt been exacerbated by the COVID-19 pandemic and the consequent increase in telecommuting. As this trend has increased, so has the attack surface, forcing companies to strengthen cybersecurity measures to avoid falling victim to criminals.

If we were to look for a cyber equivalent to the COVID-19 pandemic, it might be an attack that spreads automatically using one or more zero-day exploits. As zero-day attacks are rarely discovered immediately, it would take time to identify the virus and prevent it from spreading. Consequently, if it spread across a social network with say, 2 billion users, a virus with a high reproductive rate would take no more than five days to infect more than a billion devices. Yet most worryingly, there are still no patches or antivirus that can counter this type of attack.

To minimize and mitigate the threat from zero-day encrypted malware, there are a number of strategies that IT teams and analysts should consider when planning an organization’s cybersecurity defenses:

  • Organizations need to have advanced behavioral detection and response solutions, as traditional antivirus solutions cannot usually deal with such attacks. It is also important to include HTTPS protocol inspection as an indispensable requirement for any strategy.
  • These strategies should include a multilayer security service that covers all endpoints. In addition, the services and solutions must be based or run in the cloud, so that triage, investigation, and response processes are immediate and effective.
  • To stop this type of malware, tools must leverage artificial intelligence, machine learning, and threat intelligence techniques in order to identify suspicious behavior patterns. As a result, they should be able to generate alerts that are prioritized according to the severity of the threat and that contain all the information required for a rapid and effective response.

Adaptive Defense 360 enables continuous monitoring, logging, and supervising of all processes on endpoints to block non-trusted software, detect advanced threats in real time, respond in seconds, and facilitate instant recovery. This prevents adversaries from exploiting unknown security holes and stops exploits of vulnerabilities by zero-day attacks.
