Articles by the cybersecurity community

#Cybersecurity - three ways malware can gain persistence

The purpose of the Demystify Cyber project is to bring cybersecurity and cybercrime awareness to all users of technology. Part of that includes explaining terms commonly used by cybersecurity practitioners that may seem a little mysterious to everybody else. Given that cybercrime can impact anyone, cybersecurity should not be kept a mystery.

Let's look at malware persistence

When a criminal has taken all that effort to get some nasty piece of malware on your computer, they want it to stay there and do its thing for as long as possible. The ways of keeping malware active on a compromised device, even after rebooting, are referred to as malware persistence.

'How do criminals get their malware to have persistence on a computer?'  - do I hear you ask?

Well I am glad you raised this, because there are many ways, and understanding a bit about them can help everyone who uses technology stay just that little bit safer from cybercrime.

The below is a very brief list, written in as non-tech terms as I could achieve on an afternoon after work and without sufficient coffee, covering three ways malware can gain persistence on a compromised computer.

Three ways malware can gain persistence

1. Compromised accounts

If the account used for the computer has been compromised (such as via a phishing email), the criminal could use the account details to log back in and ensure the computer remains infected.

2. Start up folder / launch agents

As a computer starts, it automatically runs through a set of programs to ensure everything is operating and connected for the user. The Windows operating system keeps these programs in a Startup folder, and on Apple computers macOS uses launch agents. If malware adds itself to the Startup folder or to a launch agent, the malware will start every time the computer is started.

3. Malicious browser extensions

A criminal may create what appears to be a legitimate browser extension; however, once installed it is used to infect the computer and gain malware persistence on it, because the extension runs every time the browser is opened.
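A practical way to keep an eye on the second of these three locations is to periodically list what your computer has been told to run at start-up and look for anything you do not recognise. The script below is an added example written for this post (it is not code from the original article): it lists the entries in the Windows Startup folders and in the macOS launch agent and launch daemon directories, and flags the properties defenders commonly treat as worth a second look (a program running from a temporary, download or hidden location, an Apple-style label sitting outside Apple's own system folders, or an agent that launchd is told to restart if it is stopped). The default directory paths are assumptions about typical OS defaults, and the sample entries in demo() are constructed for illustration; running the file directly audits the real locations on the machine.

```python
"""Audit common autostart locations for entries worth reviewing.

Added example, not part of the original post. Default paths are assumed
OS defaults; demo() uses constructed sample entries so it runs offline.
"""
from __future__ import annotations

import os
import plistlib
import tempfile
from pathlib import Path

# Assumed default autostart locations (these vary by OS version and locale).
WINDOWS_STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
MACOS_LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]
# Locations a properly installed program rarely runs from.
ODD_PROGRAM_DIRS = ("/tmp/", "/var/tmp/", "/Downloads/", "/Library/Caches/")


def reasons_to_review(entry: dict) -> list[str]:
    """Heuristics only: a flagged entry may still be legitimate, so check it, don't delete it."""
    reasons = []
    program = entry["program"]
    if any(odd in program for odd in ODD_PROGRAM_DIRS):
        reasons.append("program lives in a temporary or download location")
    if any(part.startswith(".") for part in Path(program).parts):
        reasons.append("program path contains a hidden directory or file")
    # Apple's own agents live under /System/Library; an Apple-looking label elsewhere is a common masquerade.
    if (entry["label"].startswith("com.apple.") and "/Library/LaunchAgents" in entry["location"]
            and not entry["location"].startswith("/System/")):
        reasons.append("Apple-style label outside Apple's own /System locations")
    if entry.get("keep_alive"):
        reasons.append("KeepAlive set: launchd restarts it if it is stopped")
    return reasons


def describe_launch_plist(plist_path: Path) -> dict:
    """Summarise a launchd property list: label, program started, and restart behaviour."""
    with plist_path.open("rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "<no Program>")
    return {"location": str(plist_path), "label": str(data.get("Label", "<no Label>")),
            "program": str(program), "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False))}


def audit_launch_dirs(dirs) -> list[dict]:
    entries = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for plist in sorted(directory.glob("*.plist")):
            try:
                entries.append(describe_launch_plist(plist))
            except (plistlib.InvalidFileException, OSError) as err:
                # A plist that cannot be parsed is itself worth a look.
                entries.append({"location": str(plist), "label": "<unparseable>",
                                "program": f"<error: {err}>", "run_at_load": False, "keep_alive": False})
    return entries


def audit_startup_dirs(dirs) -> list[dict]:
    """Windows Startup folders run every file placed in them (usually .lnk shortcuts, not parsed here)."""
    entries = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for item in sorted(directory.iterdir()):
            if item.name.lower() == "desktop.ini":  # folder metadata, not a program
                continue
            entries.append({"location": str(item), "label": item.name, "program": item.name,
                            "run_at_load": True, "keep_alive": False})
    return entries


def audit_autostart(startup_dirs=None, launch_dirs=None) -> list[dict]:
    """Collect every autostart entry and attach its review reasons (empty list = nothing odd)."""
    startup_dirs = WINDOWS_STARTUP_DIRS if startup_dirs is None else startup_dirs
    launch_dirs = MACOS_LAUNCH_DIRS if launch_dirs is None else launch_dirs
    entries = audit_startup_dirs(startup_dirs) + audit_launch_dirs(launch_dirs)
    for entry in entries:
        entry["review"] = reasons_to_review(entry)
    return entries


def demo() -> list[dict]:
    """Run the audit over constructed sample entries in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "Library/LaunchAgents"
        agents.mkdir(parents=True)
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        with (agents / "com.example.backup.plist").open("wb") as fh:  # ordinary-looking agent
            plistlib.dump({"Label": "com.example.backup", "RunAtLoad": True,
                           "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"]}, fh)
        with (agents / "com.apple.updater.plist").open("wb") as fh:  # constructed red-flag agent
            plistlib.dump({"Label": "com.apple.updater", "RunAtLoad": True, "KeepAlive": True,
                           "ProgramArguments": ["/Users/demo/Library/Caches/.update/helper", "--quiet"]}, fh)
        (startup / "Report.lnk").write_bytes(b"constructed placeholder, not a real shortcut")
        return audit_autostart([startup], [agents])


if __name__ == "__main__":
    for e in audit_autostart():
        print(e["location"], "->", e["program"], "; review:", e["review"] or "nothing odd")
```

Run it with no arguments to list the real autostart entries on your own machine; anything with a non-empty review list deserves a closer look, and anything you simply do not recognise is worth checking against the software you remember installing before deciding what to do with it.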

Want to know more about malware persistence?

The MITRE ATT&CK site has an in-depth look at malware persistence. You can access it via this link (or look up 'Mitre ATT&CK malware persistence' in the search engine of your choice). Link: https://attack.mitre.org/versions/v9/tactics/TA0003/


How to stay safer from malware

  • Use a reputable and up to date anti-virus application and run regular as well as active scans on your computer.
  • Keep your operating system and software patched
  • Only install browser extensions from reputable stores, and be cautious even then 
  • Take care not to click links in unsolicited emails
  • Do not put your account credentials into a link you arrived at via an email - navigate to the site yourself to log in
  • Consider using multi-factor authentication (MFA) wherever possible
  • Take care to only install legitimate software from official sources

picture of a frog typing at a computer, speech bubble says 'i use MFA multi frog authentication'
This image has been created by the Demystify Cyber blog author (c) A. Turner 2021


#Ransomware - Brief guide to response

Following on from my short article on protecting yourself from ransomware, this post is a very brief overview of points to consider when formulating a response plan to a ransomware incident.

In ransomware events, prompt containment is critical, and staying calm and following the pre-agreed steps your business has is essential. Communication should be done in parallel with response, and must be timely, relevant, and directed to the appropriate stakeholders. Different personnel and teams would be actioning these steps, sometimes in parallel. It is important for businesses to have an agreed plan of action in the event of a ransomware incident. It is also important to stay calm.

In the words of the late Douglas Adams 'Don't Panic'.

image of a hand held computing device with the words 'don't panic' on it
From The Hitchhiker's Guide to the Galaxy - image owner unknown

Ransomware event actions

Notice in the below that communication is at every step? This is very important. During a ransomware event there will be many stakeholders (both internal and external) impacted, and various personnel and teams involved in responding to the incident. Despite the best intentions to stay calm, there will be panic, and there will be pressure from various areas to fix this, find answers and get things back to normal. It is important that communication is clear, calm and provided to the relevant people in a timely manner.

1. Stay Calm, isolate the compromised assets - communicate

Your goal here is to obtain as many details as possible, quickly, isolate the compromised machine/s, and then create a Sit-Rep to communicate to the relevant parties. Try to get a photo of the ransom screen; it may be useful later! Turning the compromised assets off helps prevent infection of other machines and communication to the C2 (the command-and-control computer that gives the malware its instructions). Ensure relevant network personnel are notified and provided with concise instructions.

2. Investigate/ Analyse – communicate

What is the scope of this incident? – All machines? The entire network? One team? One person/ one computer? When was this first noticed? What is the malware and how did it infect the assets? What was the vector?

3. Contain and Eradicate -communicate

Make sure relevant people are informed. Do you need to notify your business's media team? Will you be making a police report? Cyber security teams may need to access the compromised assets to analyse them further, and infrastructure areas may need to locate their backups (hopefully they have them!) and ensure the backup is clean. The network and any compromised assets need to be thoroughly cleansed of the malware, to ensure it isn't sitting there waiting to return. Check for exploitable vulnerabilities and ensure everything is patched. Have passwords been changed? Was any data exfiltrated? Any impacted users need to be kept informed in a timely fashion and given the appropriate level of detail for their needs.

4. Restore - communicate 

Once the relevant teams are satisfied that any restore points/offline backups are clean and that the compromised assets are also now clean, restoration needs to be done as quickly as possible to restore services. Communication is again essential with all relevant stakeholders.


5. Lessons learned - communicate

Every cyber security incident, regardless of how well prepared you are, is going to throw some virtual spanner in the works somewhere. Teams can always improve; nobody is perfect. It is important to debrief and apply lessons learned - without laying blame - in a constructive and positive way.

Nobody is safe from cybercrime; ransomware can compromise home computer users as well as the computers of both small and large businesses. Being prepared is key. Also - Don't Panic!

#Ransomware - protect yourselves

Ransomware is a type of malware that is designed, in very general terms, to deny you access to your computer and files by either locking or encrypting them. The malware includes a pop-up screen with instructions on how to pay the ransom to have the files unlocked/decrypted.

There are currently two main types of ransomware, locker and crypto. Locker ransomware aims to lock you out of your computer and its functions, but the malware permits some access so you can interact with the ransom message. This type of malware does not usually destroy your files; it is aimed mainly at locking you out. Crypto ransomware, however, is used to encrypt your files, meaning that while your computer still functions you are unable to open any of your files. Ransomware is evolving, and some cybercrime campaigns of this type now include data exfiltration.

The main mechanisms of ransomware infection tend to be malicious attachments in emails, drive-by downloads from compromised websites, or malware in advertising (i.e. malvertising).

While ransomware may be targeted at businesses or organisations that criminals believe will or can afford to pay the ransom, individuals and small businesses can also be impacted by this type of cybercrime.

Prevention

This list is not exhaustive; however, it does provide some easy ways to help prevent your computer/files becoming compromised by ransomware, or to provide a backup if they do.
  • Ensure you keep up-to-date offline backups of your important files and configurations
  • Take care not to open attachments that prompt you to run macros in order to view them
  • Do not click on links in unsolicited emails
  • Keep your operating system and software patched
  • Use only official, legitimate sources to download software

For ransomware incident response ideas please see the post on this page:  https://demystifycyber.blogspot.com/2021/05/ransomware-brief-guide-to-response.html

Where to go for help

If you are impacted by cybercrime or want more information about cybersecurity please have a look at the resources below.


Australia

* * *

USA


* * *

United Kingdom

* * *

Useful links - International

* * *


Cybersecurity Conference - #AusCERT 2021 goes hybrid

 AusCERT, Australia's pioneer cyber emergency response team, has its twentieth conference in May 2021.

blue background, stylised image of Earth with Australia in the middle; white font 'AusCERT 2021 cybersecurity conference', purple font '20th year'

Not letting the uncertainties of a global pandemic stop them, the team at AusCERT have created a hybrid delivery for the 2021 conference.

I will be attending virtually, as will some members of my team. We are thrilled to be able to attend without physically being there, and hope to see hybrid conferences such as this continue well past the uncertain times of the pandemic.

The twentieth AusCERT conference has the theme, 'Soaring with cyber' and features a diverse mix of more than fifty presenters who will be speaking on a wide range of topics, so there will be something of interest to everyone there.

blue background white text 'soaring with cyber'

AusCERT are passionate about supporting their members, the community and the nation against cybercrime. If you want to know more about them and what they do, please go to their website at this link: AusCERT