Malicious activity in Kaznet! Recommendations for users.

The Computer Emergency Response Team KZ-CERT warns of a surge in malicious software activity in the Kazakhstani segment of the Internet.

In the first quarter of 2019 alone, KZ-CERT identified about 200 online resources hosting malicious software.

Analysis of the collected material showed that the following malware families are the most common.

The Win32/TrojanDownloader threat can download other malicious software from the Internet, run executable files and execute other malicious commands. This Trojan is also able to collect information about the user and the computer, including the list of running processes and the antivirus software installed on the victim's machine, and transfer that data to a remote host. After all fraudulent actions have been completed, the threat removes itself from the infected computer.

Win32/Filecoder.WannaCryptor is an encryption Trojan (ransomware) that encrypts the victim's valuable files, databases and mail and then displays a ransom demand for restoring access. The scale of the epidemic is due to its combination with the EternalBlue exploit for a network vulnerability in Microsoft Windows.

Microsoft released security update MS17-010, which closes this vulnerability, as early as March 14, 2017. However, the patch has still not been installed on all workstations, which is what allowed the attack to become so widespread.

Unlike many encryptors that are distributed via spam mailings, WannaCryptor can "infect" workstations without any direct action by the user. The malicious program scans the network for unprotected hosts and then installs the encryptor, which in turn blocks access to files.

The SMB/Exploit.DoublePulsar threat is a backdoor developed by the Equation Group and published by the hacker group The Shadow Brokers in early 2017. Microsoft fixed the flaws in the March update, but recent reports suggest that many PC owners have not applied Microsoft's patches and are still running unsupported versions of Windows.

As a result, within just a few weeks this tool successfully attacked more than 500,000 personal computers running Microsoft Windows operating systems. The malware is delivered over TCP port 445 using the EternalBlue exploit, which targets a vulnerability in the implementation of the Server Message Block (SMB) protocol. After information about the vulnerability was published, on May 12, 2017 a group of hackers released WannaCry, a network ransomware worm.
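The following PowerShell audit is an added example and is not KZ-CERT's own tooling. It checks two defender-side facts tied to the threat described above: whether SMBv1 (the protocol version EternalBlue targets) is still enabled on a Windows host, and whether an MS17-010 update appears among the installed hotfixes. The KB list is a placeholder to be filled in from Microsoft's MS17-010 bulletin for your OS build; the function names are this example's own.

```powershell
# Added audit example (not KZ-CERT's tooling). Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration exists.
# PLACEHOLDER: replace with the MS17-010 KB number(s) for your OS build, taken
# from Microsoft's MS17-010 bulletin.
$Ms17010KBs = @('KB-PLACEHOLDER-FOR-YOUR-OS-BUILD')

function Test-SmbV1Disabled {
    # Server-side SMBv1 switch; $true means SMBv1 is OFF (the desired state).
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return (-not $cfg.EnableSMB1Protocol)
}

function Test-Ms17010Installed {
    param([string[]]$KnownKBs = $Ms17010KBs)
    # Get-HotFix lists installed updates by their KB identifier.
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $KnownKBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$results = [ordered]@{
    'SMBv1 disabled'      = Test-SmbV1Disabled
    'MS17-010 KB present' = Test-Ms17010Installed
}
$results.GetEnumerator() | ForEach-Object { '{0,-20}: {1}' -f $_.Key, $_.Value }

# Remediation: switch off server-side SMBv1. No reboot is needed, but any legacy
# device that only speaks SMBv1 will lose access to shares on this host.
if (-not (Test-SmbV1Disabled)) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

On Windows 10 the original MS17-010 KB is superseded by later cumulative updates, so a missing KB entry alone does not prove the host is unpatched; treat the hotfix check as a quick triage signal and confirm against the OS build and Windows Update history.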

Next on the list of common malware threats is JS/CoinMiner, which is used for covert cryptocurrency mining. Attackers placed the malicious script both on fake resources and on infected legitimate sites.

Malware with the same functionality, such as Win32/CoinMiner and Win64/CoinMiner, is also common.

Win32/MediaGet is a malicious program that, once on the victim's computer, installs a browser extension, adds files to run at boot time and penetrates other processes on the device. Cybercriminals often used this threat to download further malicious applications, such as adware.

In addition, advertising-display software remained active, in particular adware such as Win32/Adware.PBot and Win32/Adware.FotopApps.

Because of the increased malware activity, the KZ-CERT service recommends that users be extremely cautious when working on the Internet and use comprehensive antivirus solutions to effectively protect personal data and confidential information.

KZ-CERT recommendations

How to protect your computer from malware?

Malicious programs are often distributed as attachments together with other files, so do not open email attachments sent to you from unknown sources. Never accept files from users you do not know, and be careful when opening files with extensions such as AVI, EXE, JPG, etc.

If you suspect that your computer is infected with malware:

- Suspend any activity that involves the use of logins, passwords and other confidential information.

- Use antivirus software to protect your system from possible online threats. Install antivirus and antispyware programs only from reliable sources.

- Make sure your antivirus program is updated, scans your computer and removes all programs identified as malicious. In a hurry, it is easy to misread a pop-up message that falsely claims a computer scan has finished and malware has been detected. Such messages usually offer to download fake software that is widely used to distribute malware.

- Never download anything in response to a warning from a program offering to protect your computer or remove viruses if you did not install that program or do not recognise it. There is a high chance of virus infection.

Update software regularly

Cybercriminals are extremely inventive in their attempts to exploit software vulnerabilities. Therefore it is necessary to:

• Regularly install updates for all of your software: antivirus and antispyware programs, operating systems, word processors and other programs.

• Enable automatic software updates when available.

• Remove software that you do not use.

Use strong passwords and keep them secret

• Strong passwords should be at least 10-14 characters long and contain a combination of letters, numbers and symbols.

• Do not disclose your passwords to anyone.

• Do not use the same password on your personal computers and on Internet resources; otherwise all of your information will be at risk.

• Create separate strong passwords for your home router and your wireless network. For information on how to do this, contact the company that supplied the router.

Never turn off the firewall!

A firewall creates a protective barrier between your computer and the Internet. Turning off the firewall even for a minute increases the risk of infecting your PC with malware.
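As an added example that is not part of the advisory, this PowerShell snippet shows how an administrator can confirm that all Windows Firewall profiles are switched on and that no enabled inbound rule allows TCP port 445 (the SMB port used by EternalBlue, described above) from any remote address, and then re-enable any profile that was turned off. The function names are this example's own; it assumes Windows 8 / Server 2012 or later with the NetSecurity module available.

```powershell
# Added example (not KZ-CERT's own tooling). Requires an elevated session and
# the NetSecurity module (Windows 8 / Server 2012 and later).
function Get-FirewallProfileStatus {
    # One row per profile (Domain, Private, Public) with its enabled flag and
    # default inbound action.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-OpenInboundTcpRules {
    param([int]$Port = 445)
    # Enabled inbound "allow" rules whose port filter covers the given TCP port
    # (explicitly or via 'Any') and whose remote-address scope is unrestricted.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP') -and
            ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$Port") -and
            ($af.RemoteAddress -eq 'Any')
        } |
        Select-Object DisplayName, Profile
}

Get-FirewallProfileStatus

$open = Get-OpenInboundTcpRules -Port 445
if ($open) {
    'Inbound TCP/445 is allowed from any remote address by these rules:'
    $open
}

# Re-enable all three profiles if any of them was switched off.
if (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }) {
    Set-NetFirewallProfile -All -Enabled True
}
```

The rule check matches exact port values and 'Any' only; it does not expand port ranges such as '440-450', so review any range-based rules by hand. A rule listed here is not necessarily wrong (file sharing on a trusted domain network may need it), but 445 open to any address on the Public profile is exactly the exposure the WannaCry worm relied on.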

Use flash drives carefully.

To minimise the chance of infecting your computer with malware:

• Do not insert unknown flash drives (or USB drives) into your computer.

• Do not open unknown files on the drive. Do not accept downloads offered by malware.

• Be very careful when opening attachments or following links in email, instant messages or posts on social networks, even if you know the sender.

• Do not click the "I Agree", "OK" or "I Accept" buttons in banner advertisements, in unexpected pop-ups or warnings, on Internet resources that look illegitimate, or in requests to remove spyware or viruses.

• If necessary, close all tabs and do not save them for the browser's next launch.

• Download software only from online resources you trust.

• Do not click on links offering free software, especially free antivirus software. Beware of free downloads of music, games and videos, as they may contain malware.

If you become a victim of an incident, contact the Kazakhstan Computer Incident Response Service and receive a free consultation by calling the unified short number 1400.

Email addresses: info@kz-cert.kz / incident@kz-cert.kz