New traces of Hacking Team in the wild

Previously unreported samples of Hacking Team’s infamous surveillance tool – the Remote Control System (RCS) – are in the wild, and have been detected by ESET systems in fourteen countries.

Our analysis of the samples reveals evidence suggesting that Hacking Team’s developers themselves are actively continuing the development of this spyware.

From Hacking Team to Hacked Team to…?

Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.

The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.

When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.

Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.

Having just concluded our research into another commercial spyware product, FinFisher, two interesting events involving Hacking Team occurred in close succession – the report about Hacking Team’s apparent financial recovery and our discovery of a new RCS variant in the wild with a valid digital certificate.

The spyware lives on

In the early stages of this investigation, our friends from the Citizen Lab – who have a long record of keeping track of Hacking Team – provided us with valuable input that led to the discovery of a version of the spyware currently being used in the wild and signed with a previously unseen valid digital certificate.

Our further research uncovered several more samples of Hacking Team’s spyware created after the 2015 hack, all being slightly modified compared to variants released before the source code leak.

The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.

Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.

One indicator supporting this is the sequence of digital certificates used to sign the samples – we found six different certificates issued in succession. Four of the certificates were issued by Thawte to four different companies, and two are personal certificates issued to Valeriano Bedeschi (Hacking Team co-founder) and someone named Raffaele Carnacina, as shown in the following table:

Certificate issued to Validity period
Valeriano Bedeschi 8/13/2015 – 8/16/2016
Raffaele Carnacina 9/11/2015 – 9/15/2016
Megabit, OOO 6/8/2016 – 6/9/2017
ADD Audit 6/20/2016 – 6/21/2017
Media Lid 8/29/2016 – 8/30/2017
Ziber Ltd 7/9/2017 – 7/10/2018

The samples also have forged Manifest metadata – used to masquerade as a legitimate application – in common, appearing as “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.

Our analysis further shows that the author(s) of the samples have been using VMProtect, apparently in an effort to make their samples less prone to detection. This was also common among pre-leak Hacking Team spyware.

The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.

The versioning (which we accessed after overcoming VMProtect protection) observed in the analyzed samples continues where Hacking Team left off before the breach, and follows the same patterns. Hacking Team’s habit of compiling their payloads – named Scout and Soldier – consecutively, and often on the same day, can also be seen across the newer samples.

The following table shows the compilation dates, versioning and certificate authorities of Hacking Team Windows spyware samples seen between 2014 and 2017. Reuse of leaked source code by Callisto Group is marked in red.

Furthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team’s own coding style and are often found in places indicating a deep familiarity with the code. It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.

One of the subtle differences we spotted between the pre-leak and the post-leak samples is the difference in Startup file size. Before the leak, the size of the copied file is padded to occupy was 4MB. In the post-leak samples, this file copy operation is padded to 6MB – most likely as a primitive detection evasion technique.

Figure 1 – Startup file size copy changed from 4 MB pre-leak to 6MB post-leak

We found further differences that fully convinced us of Hacking Team’s involvement. However, the disclosure of these details could interfere with the future tracking of the group, which is why we choose not to publish them. We are, however, open to share these details with fellow researchers (for any inquiries contact us at threatintel@eset.com).

The functionality of the spyware largely overlaps with that in the leaked source code. Our analysis so far has not confirmed the release of any significant update, as promised by Hacking Team following the hack.

As for the distribution vector of the post-leak samples we analyzed, at least in two cases, we detected the spyware in an executable file disguised as a PDF document (using multiple file extensions) attached to a spearphishing email. The names of the attached files contain strings likely aimed to reduce suspicion when received by diplomats.

Figure 2 – Investigation timeline

Conclusion

Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016.

As of this writing, our systems have detected these new Hacking Team spyware samples in fourteen countries. We choose not to name the countries to prevent potentially incorrect attributions based on these detections, since the geo-location of the detections doesn’t necessarily reveal anything about the origin of the attack.

IoCs

ESET detection names
Trojan.Win32/CrisisHT.F
Trojan.Win32/CrisisHT.H
Trojan.Win32/CrisisHT.E
Trojan.Win32/CrisisHT.L
Trojan.Win32/CrisisHT.J
Trojan.Win32/Agent.ZMW
Trojan.Win32/Agent.ZMX
Trojan.Win32/Agent.ZMY
Trojan.Win32/Agent.ZMZ
Samples signed by Ziber Ltd
Thumbprint: 14 56 d8 a0 0d 8b e9 63 e2 22 4d 84 5b 12 e5 08 4e a0 b7 07
Serial Number: 5e 15 20 5f 18 04 42 cc 6c 3c 0f 03 e1 a3 3d 9f
SHA-1 samples
2eebf9d864bef5e08e2e8abd93561322de2ab33b
51506ed3392b9e59243312b0f798c898804913db
61eda4847845f49689ae582391cd1e6a216a8fa3
68ffd64b7534843ac2c66ed68f8b82a6ec81b3e8
6fd86649c6ca3d2a0653fd0da724bada9b6a6540
92439f659f14dac5b353b1684a4a4b848ecc70ef
a10ca5d8832bc2085592782bd140eb03cb31173a
a1c41f3dad59c9a1a126324a4612628fa174c45a
b7229303d71b500157fa668cece7411628d196e2
eede2e3fa512a0b1ac8230156256fc7d4386eb24
C&Cs
149.154.153.223
192.243.101.125
180.235.133.23
192.243.101.124
95.110.167.74
149.154.153.223
Samples signed by ADD Audit
Thumbprint: 3e 19 ad 16 4d c1 03 37 53 26 36 c3 7c a4 c5 97 64 6f bc c8
Serial Number: 4c 8e 3b 16 13 f7 35 42 f7 10 6f 27 20 94 eb 23
SHA-1 samples
341dbcb6d17a3bc7fa813367414b023309eb69c4
86fad7c362a45097823220b77dcc30fb5671d6d4
9dfc7e78892a9f18d2d15adbfa52cda379ddd963
e8f6b7d10b90ad64f976c3bfb4c822cb1a3c34b2
C&Cs
188.166.244.225
45.33.108.172
178.79.186.40
95.110.167.74
173.236.149.166
Samples signed by Media Lid
Thumbprint: 17 f3 b5 e1 aa 0b 95 21 a8 94 9b 1c 69 a2 25 32 f2 b2 e1 f5
Serial Number: 2c e2 bd 0a d3 cf de 9e a7 3e ec 7c a3 04 00 da
SHA-1 samples
27f4287e1a5348714a308e9175fb9486d95815a2
71a68c6140d066ca016efa9087d71f141e9e2806
dc817f86c1282382a1c21f64700b79fcd064ae5c
SHA-1 samples
27f4287e1a5348714a308e9175fb9486d95815a2
71a68c6140d066ca016efa9087d71f141e9e2806
dc817f86c1282382a1c21f64700b79fcd064ae5c
C&Cs
188.226.170.222
173.236.149.166
Samples signed by Megabit, OOO
Thumbprint: 6d e3 a1 9d 00 1f 02 24 c1 c3 8b de fa 74 6f f2 3a aa 43 75
Serial Number: 0f bc 30 db 12 7a 53 6c 34 d7 a0 fa 81 b4 81 93
SHA-1 samples
508f935344d95ffe9e7aedff726264a9b500b854
7cc213a26f8df47ddd252365fadbb9cca611be20
98a98bbb488b6a6737b12344b7db1acf0b92932a
cd29b37272f8222e19089205975ac7798aac7487
d21fe0171f662268ca87d4e142aedfbe6026680b
5BF1742D540F08A187B571C3BF2AEB64F141C4AB
854600B2E42BD45ACEA9A9114747864BE002BF0B
C&Cs
95.110.167.74
188.226.170.222
173.236.149.166
46.165.236.62
Samples signed by Raffaele Carnacina
Thumbprint: 8a 85 4f 99 2a 5f 20 53 07 f8 2d 45 93 89 af da 86 de 6c 41
Serial Number: 08 44 8b d6 ee 91 05 ae 31 22 8e a5 fe 49 6f 63
SHA-1 samples
4ac42c9a479b34302e1199762459b5e775eec037
2059e2a90744611c7764c3b1c7dcf673bb36f7ab
b5fb3147b43b5fe66da4c50463037c638e99fb41
9cd2ff4157e4028c58cef9372d3bb99b8f2077ec
b23046f40fbc931b364888a7bc426b56b186d60e
cc209f9456f0a2c5a17e2823bdb1654789fcadc8
99c978219fe49e55441e11db0d1df4bda932e021
e85c2eab4c9eea8d0c99e58199f313ca4e1d1735
141d126d41f1a779dca69dd09640aa125afed15a
C&Cs
199.175.54.209
199.175.54.228
95.110.167.74
Samples signed by Valeriano Bedeschi
Thumbprint: 44 a0 f7 f5 39 fc 0c 8b f6 7b cd b7 db 44 e4 f1 4c 68 80 d0
Serial Number: 02 f1 75 66 ef 56 8d c0 6c 9a 37 9e a2 f4 fa ea
SHA-1 samples
baa53ddba627f2c38b26298d348ca2e1a31be52e
5690a51384661602cd796e53229872ff87ab8aa4
aa2a408fcaa5c86d2972150fc8dd3ad3422f807a
83503513a76f82c8718fad763f63fcd349b8b7fc
C&Cs
172.16.1.206

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Over 40% of online login attempts are attackers trying to invade accounts

As many as 43% of online login attempts globally are made by bots that are used for evil ends, as attackers are increasingly leveraging the automated tools for credential abuse, a report by Akamai has revealed.

Focusing on data for November, 2017, the content delivery network provider found that 3.6 billion out of 8.3 billion login requests during that month were malicious, specifically “attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet”.

A breakdown of the figures shows that the websites of retailers handled the highest number of login requests in November – 2.8 billion. “Only” 36% of them were intended to break into the accounts, according to Akamai’s Fourth Quarter 2017 State of the Internet / Security Report.

Meanwhile, the hospitality industry had to contend with the highest concentration of bad bots. A staggering 82% of nearly 1 billion login attempts on the websites of airlines, hotels and online travel agencies were found to be malicious.

Swarms of villain bots also swooped on the sites of high-tech businesses, with 57% out of 1.4 billion login attempts deemed malevolent.

The data was obtained by Akamai’s identifying “IP addresses that make multiple attempts to log into accounts using leaked credentials with no other activity to the target site”.

The data set covers mainly websites that use email addresses as login names. As a result, Akamai cautioned that the figures may understate the extent of the problem in industries in which email addresses are not used as user IDs, notably the financial industry.

Credential abuse attempts according to selected industries (Source: Akamai, Fourth Quarter 2017 State of the Internet / Security Report)

Bots that traverse the internet on behalf of their human operators can fulfill both legitimate and malicious automated tasks. Statistics indicate that bot-driven internet traffic, by helper and harmful bots combined, surpasses human traffic.

“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and Internet services. Although most of that traffic is useful for Internet businesses, cybercriminals are looking to manipulate the powerful volume of bots for nefarious gains,” Akamai’s senior security advocate Martin McKeay is quoted as saying.

“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal,” he added.

In an automated technique known as ‘credential stuffing’, criminals leverage stolen or leaked access credentials that belong to one account in order to break into other – often higher-value – accounts. This tactic has been found to pay dividends in anywhere between 0.1% and 2% of attempts, owing its success primarily to the fact that many netizens recycle their credentials across multiple accounts. Databases with reams of stolen username and password pairs can be easily bought online.

DDoS traffic

After several quarters of increases, the number of distributed denial-of-service (DDoS) attacks dropped by less than 1% in the fourth quarter of 2017 compared to the third quarter. On an annual basis, however, the attacks were up 14%, according to Akamai’s stats.

The gaming industry bore the brunt of the onslaughts, suffering 79% of all DDoS traffic. Germany and China between themselves accounted for the majority of source IP addresses involved in the attacks.

To say that DDoS attacks aren’t going anywhere would be an understatement, nor have we seen the last of Mirai. The notorious botnet, which took the internet by storm in the fall of 2016, remains alive and kicking. This is not least because of the proliferation of hackable Internet-enabled things, coupled with attackers continuing to adapt Mirai’s source code to befit their evil intentions.

Web app attacks

The number of web application attacks decreased by 9% following a quarter-over-quarter jump of 30% in the third quarter. They still rose by one-tenth compared to the last three months of 2016, however.

This type of threat most commonly involves scans to identify vulnerable sites with the ultimate aim of data thefts or other compromises. SQL injections, which Akamai highlighted as “easily automated and scalable”, accounted for one-half of web app attacks. On 36%, local file inclusion was the second-most-frequent attack vector.

The United States is by far both the top source and top target of web app attacks. The incursions that originate in the US soared by 31% compared to the last quarter of 2016.

 

 

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

 

About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries. 

Privacy by Design: Can you create a safe smart home?

The Internet of Things (IoT) is, for many, about devices we connect to a network for convenience, such as thermostats, light switches, connected cars and interactive toys for our kids.

While the IoT is indeed a marvelous invention, designed to make daily digital life even easier, how safe is it in terms of protecting your privacy?

Alongside an ESET researcher team, I investigated some of the more popular IoT devices on the market today with the aim of creating a basic ‘smart home’ that mimics the connectable objects likely to be found in a typical household.

Notions of interconnectivity and the ‘smart home’ are now rarely seen as the main focus of science fiction narrative, but assumed as background. Today, the IoT makes the ‘smart home’ not only achievable, but in some respects commonplace.

But how plausible is it to create your own ‘smart home’? Many issues can crop up when trying to create your own interconnected dwelling space. One of the challenges facing even the most basic implementation of a ‘smart home’ is interoperability between devices provided by different manufacturers to provide a harmonious, unified experience… or as close as possible!

We purchased a few IoT devices that could be deemed as essential for the creation of a type of starter kit for anyone wanting the convenience of an interconnected experience in their home. We also purchased a virtual personal assistant (a device that takes verbal commands and can control many of the devices purchased; in fact, a ‘smart home’ may actually start with a device like this and then expand functionally with additional IoT devices).

Privacy concerns

The main area of concern was constructing a ‘smart home’ that did not compromise on privacy.

In that respect, there was unease that the devices in the home could potentially collect private data. Of course, we understood the need for most devices and services to collect basic personal details. Worryingly, however, we found that companies often used the term “but not limited to”, meaning they might collect more than what was on the applicable privacy policy.

In total, the team tested twelve products from seven vendors, including one product that we have not included in the final report due to discovery of significant vulnerabilities. As a security company, we value the commitment to responsible disclosure and the collaborative nature of the IT security industry — therefore, we notified the company in question with specific details of the device’s shortcomings and will not publish these details until the vendor has had time to rectify the issues.

While each device tested led to some privacy issues, it was the role of voice-activated intelligent assistants that raised the most concerns. This is due, among other things, to concerns the fear of oversharing of data by commercial services, insufficient protection of stored personal data, and the possibility of interception of digital traffic by cybercriminals or the mischievous.

Can you create a safe smart home?

The answer is… possibly. No device or software is guaranteed to be secure or immune to potential vulnerabilities. However, a company’s security culture can be judged based on its reaction to vulnerabilities when they are disclosed. Some of the devices tested had vulnerabilities that have been dealt with quickly with new software and firmware. When vulnerabilities are not fixed promptly (or at all), then choosing an otherwise equivalent device would be an appropriate response. But with sound judgement and caution, it is possible to start a basic ‘smart home’.

Conclusion

At its inception, the goal of this project was to create a basic ‘smart home’ that mimics something that could end up in typical household. The concern from our research team was “what if we don’t find any issues?” Alas, this was not the case, and in fact the conclusion that I have written is different from what we had envisioned at the start.

The potential for home, lifestyle, health and even browsing data collected by internet service providers to be available to a single entity should only be permitted after due consideration for the consequences.

A full list of the tested devices, along with a more technical breakdown of the products, may be found in the white paper: IoT and Privacy by Design in the Smart Home.

 

 

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

 

About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries. 

Fighting persistent malware with a UEFI scanner, or ‘What’s it all about UEFI?”

The short answer to the headline’s question is that a UEFI scanner is all about helping you protect your computer against people who seek to take it over by abusing its Unified Extensible Firmware Interface (UEFI). A successful attack on a system’s UEFI can give the attacker complete control of that system, including persistence: the ability to secretly maintain unauthorized access to the machine despite rebooting and/or reformatting of the hard drive.

As you can imagine, this form of persistence is not a virtue and can prolong the pain and inconvenience of a malicious code infection. If your security software only scan drives and memory, without scanning UEFI, it is possible to think you have a clean machine when you don’t, that’s why we recommend a security solution that scans it, like ESET.

Why does my device have a UEFI?

Computing devices work by executing code: the instructions that we call software and which make the hardware – such as a laptop or smartphone – do something useful. Code can be fed to the device in several ways. For example, it can be read from storage on a disk, held in memory, or delivered via a network connection. But when you power on a digital device it has to start somewhere (bootstrap), and that first piece of code is typically stored in a chip on the device. This code, referred to as firmware, may include a “power-on self-test” or POST to make sure things are working correctly, followed by the loading into memory of the basic instructions for handling input and output.

If you’ve been into computers for a while you might recognize this chip-based code as BIOS or Basic Input Output System. In fact, BIOS technology dates back to the 1970s and so it is not surprising that it would eventually struggle to meet the demands of today’s computers, a point made by my colleague, Cameron Camp, in this excellent article on UEFI scanning. As Cameron details, UEFI technology has evolved to replace BIOS, although some devices still refer to it as BIOS. (I’m tempted to say “Meet the new BIOS, same as the old BIOS” but UEFI is signifcantly different, and besides, this article already has a headline that exploits a classic lyric: “What’s it all about, Alfie?”)

“FOR MOST PEOPLE, THIS IS THE RIGHT QUESTION TO BE ASKING, AND THE RIGHT ANSWER WILL DEPEND ON WHO YOU ARE”

Technically, UEFI is a specification, maintained by the Unified Extensible Firmware Interface Forum (uefi.org). According to the forum, the specification defines a new model for the interface between personal computer operating systems and platform firmware, and it “consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its boot loader.” Without going into greater technical detail, UEFI added a great deal of functionality to the boot process, including some serious security measures (these are discussed in the  ESET white paper referenced by this article).

Unfortunately, the illicit benefits of devising code that can surreptitiously take over a system early in the boot process – generically referred to as a bootkit – are a powerful motivator to the folks who specialize in unauthorized access to digital devices. Such folks could be: cybercriminals; domestic and foreign agencies like NSA and CIA; and private companies that sell “surveillance tools” to governments.

For more details, check out the excellent article by my ESET colleague Cassius Puodzius that discusses these “threat actors” and their interest in UEFI. The broader topic of bootkit evolution from early days through 2012 is ably covered by ESET Senior Research Fellow, David Harley, in this article. You might also check out the paper “Bootkits, Past, Present, and Future”, presented at Virus Bulletin 2014. And of course there are plenty of technical papers on the UEFI Forum site.

So what’s my UEFI risk?

For most people, this is the right question to be asking, and the right answer will depend on who you are. For example, are you someone whose computer might be of interest to the NSA or CIA or other government entity that has the resources to invest in code that abuses UEFI, either its own code or a commercial surveillance product purchased from a commercial vendor? Are you using your computer to develop, review, or otherwise handle intellectual property worth stealing? If you answered either of those questions in the affirmative, then I would say you have an above average risk of encountering UEFI malware.

Currently, I am not aware of any large-scale, broadly-targeted criminal malware campaigns that exploit UEFI to attack the general public’s computer systems (if you know of any, please share the knowledge). However, even if you are not in a high risk category, I strongly suggest you still need security software with UEFI scanning capability. Why? Remember those three letter agencies that have been developing UEFI attacks? Well, they don’t have a stellar reputation for keeping their tools secret. In fact, the biggest news in malware so far this year has been WannaCryptor a.k.a. WannaCry, and one reason that particular ransomware spread so fast was because it used a “top secret” exploit developed by the NSA, an agency known to have dabbled in UEFI compromise.

In other words, we just don’t know when a new malware campaign that abuses UEFI to maintain persistence on compromised systems will appear in the wild. What I can say is that folks who are performing UEFI scans on a regular basis will be better prepared to protect their systems from future malware than people who are not. And that is what UEFI scanning is all about.

ESET latest endpoint security products now include an industry first UEFI scanning.

 

 

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

 

About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries. 

免費防毒軟體的三大威脅

這幾年全球重大資安事件頻傳,世界容易遭受駭客病毒攻擊國家,香港、台灣一直也名列前茅,資安意識雖逐年抬頭,但心存僥倖的仍不少,這也是為什麼每次香港、台灣也都會無法幸免於難的主因,在與大家討論到底要使用免費防毒軟體還是付費防毒軟體前,想先問各位兩個簡單的問題,

您(公司)是否願意用很低的金額或無償交換您(公司)的隱私或財產,如個資及重要文件檔案等…,卻只能獲得基本的病毒防護?!

您(公司)會使用一個免費的鎖在您家的大門上,讓提供免費鎖的公司有鑰匙進入您的房子,還是您願意花小錢購買了全功能的鎖而只有您有鑰匙可以進入家門呢?!

我想答案已很清楚了,接下來跟大家分析使用免費防毒軟體及付費防毒軟體的差別,

1. 隱私/財產全都露

天下沒有白吃的午餐,這個道理人人都懂,絕大多數的防毒軟體都是由專業的資安公司所推出,它具有一定的開發以及維護成本,例如研發人員需要撰寫防毒軟體的程式,並且隨時收集最新的病毒資訊,還要發佈更新檔,以提升防毒軟體的防護能力。然而如果消費者選擇的是免費的防毒軟體,那麼這些成本是要如何回收呢?大家可以好好的思考一下….

之前時有所聞,免費的防毒軟體更改使用者條款,放寬使用者個人資料的使用限制,讓廠商可能可以將使用者的瀏覽器歷史記錄、搜尋記錄、GPS定位記錄等無法辨識個人身份的資料,出售給廣告商,用來作為廣告投放的參考依據。請問您在下載或使用這些軟體之前,是否都有仔細的閱讀這些相關的條約內容,還是想快點把軟體程式安裝完,就只是按「Yes」或「同意」;又如果軟體沒有繁體中文的說明,您是否也有耐下心來逐一閱讀呢。如果以上情況您都有的話,那麼”恭喜”您,您己經將您的隱私曝光在陽光下了。

結論:花小錢_即可確保你的隱私安全

2. 當災難發生時,只能坐以待斃

若您不幸遭受資安威脅侵害時,使用免費防毒軟體,則求救無門,只能花錢了事,以2017年讓人聞之色變的勒索病毒為例,通常會向受害者勒索價值 50 至 500 美金不等的贖金,並要求以比特幣付款,如果以美金 50 元來計算的話,大約等於港幣 400 元,已經比一般防毒軟體一年授權的費用還要高了,再加上您不幸被勒索的金額是美金 500 元的話,就等於需要支付港幣 4,000 元;好一點的是您付了錢,勒索者會提供解密金鑰,讓您拿回檔案,算是花錢消災。慘一點的,付了錢,檔案還是付之一炬。請問您是要省一時的小錢保護您的重要檔案資料,還是要花您無法預測且一定得支付的大錢呢? 建議您好好思考這個問題….

反觀,使用付費防毒軟體時,完整的防護功能或機制,除了協助您即時抵禦資安之威脅外,您還也可以跟在地團隊透過客服電話或請他們派專人至公司享受專業的資安服務,讓您或公司的損失可以降至最低。

結論:花小錢_即可享”網路安全”大效益,還能保護重要資料及享有在地且專業的資安團隊服務

3. 軟體或系統的漏洞的潛在資安威脅

天下沒有完美的事物,軟體會有Bug,就跟一般人會說錯話、寫錯字一樣,在所難免。不論是硬體或硬體的因素,系統只要出一次包,就可能影響成千上萬使用者。但其中執行的程式一旦有功能性的失誤,甚至有安全性漏洞,想要修正就沒那麼簡單,來來回回之間,往往耗費許多時間和人力進行。對許多IT人員來說,持續關注系統資安弱點資訊、定期執行漏洞修補,已經成為例行公事之一。從2001到2003年之間,開始有許多惡意程式利用Windows、IE、Outlook Express、Outlook的安全性弱點發動攻擊,肆虐全球個人電腦與伺服器,像是Code Red、Nimda、Blaster、Sasser等蠕蟲。

除了微軟,在個人電腦使用率相當高的數位內容格式Adobe PDF和Flash在2009年之後,也因為漏洞而頻頻遭到攻擊,到了2012年、2013年,Java成為新的苦主,再舉2017年「WanaCrypt0r 2.0」的勒索軟體攻擊感染,近乎所有 Windows 系統及其伺服器版本均受威脅,而這都在在證明知名及很多人在使用的軟體,是駭害的最愛,因為每次出手皆有斬獲,這真的不是危言聳聽。

以上所述,也都不是只具簡單及基本防護功能的免費防毒軟體所能解決的,因此對抗無法預期的軟體或系統漏洞所產生的已知或未知的資安威脅,選擇專業且知名的資安品牌或解決方案來做防護或抵禦是很重要的。

結論:花小錢_買專業知名的資安產品或解決方案,方能高枕無憂

 

 

關於Version 2 Limited

Version 2 Limited是亞洲最有活力的IT公司之一,公司發展及代理各種不同的互聯網、資訊科技、多媒體產品,其中包括通訊系統、安全、網絡、多媒體及消費市場產品。透過公司龐大的網絡、銷售點、分銷商及合作夥伴,Version 2 Limited 提供廣被市場讚賞的產品及服務。Version 2 Limited 的銷售網絡包括中國大陸、香港、澳門、台灣、新加坡等地區,客戶來自各行各業,包括全球1000大跨國企業、上市公司、公用機構、政府部門、無數成功的中小企及來自亞洲各城市的消費市場客戶。

 

關於ESET

ESET成立於1992年,是一家面向企業與個人用戶的全球性的電腦安全軟件提供商,其獲獎產品 — NOD32防病毒軟件系統,能夠針對各種已知或未知病毒、間諜軟件 (spyware)、rootkits和其他惡意軟件為電腦系統提供實時保護。ESET NOD32佔用 系統資源最少,偵測速度最快,可以提供最有效的保護,並且比其他任何防病毒產品獲得了更多的Virus Bulletin 100獎項。ESET連續五年被評為“德勤高科技快速成長500 強”(Deloitte’s Technology Fast 500)公司,擁有廣泛的合作夥伴網絡,包括佳能、戴爾、微軟等國際知名公司,在布拉迪斯拉發(斯洛伐克)、布里斯托爾(英國 )、布宜諾斯艾利斯(阿根廷)、布拉格(捷克)、聖地亞哥(美國)等地均設有辦事處,代理機構覆蓋全球超過100個國家。