Internet threat news
As hackers continue to look for new ways to mimic the success of earlier banking Trojans such as Zeus and the Gameover botnet, there has been no shortage of potential threats this year (many of them have been covered on this blog). Perhaps to end the year with a bang, hackers recently introduced a new, and extremely dangerous, banking Trojan that uses some interesting techniques and is still evolving into an increasingly dangerous threat. This threat, known as Vawtrak, was described by security research company SophosLabs last month.
A security flaw was recently uncovered that could affect 12 million devices or more in the coming months. The critical software bug, which has been named the ‘Misfortune Cookie’, affects routers, modems and other gateway devices, and through them any device connected to the same network. Devices that could be affected indirectly by Misfortune Cookie include PCs, smartphones, tablets, printers and an assortment of smart devices such as TVs, refrigerators and thermostats. The security flaw resides not in the gateway hardware itself, but in a web server (RomPager by AllegroSoft) typically embedded in the affected devices' firmware.
As the holiday shopping season continues to build in these final weeks of 2014, hackers and cyber criminals around the world are up to many of the same tricks they use every year around this time in the hope of tricking unsuspecting victims into downloading malware. One of the most prevalent scams this year is being referred to as “malicious order confirmation emails.” As the name implies, spam email campaigns designed to mimic correspondence from popular retailers are the primary means of disseminating an array of known malware variants, including the notorious Asprox Trojan, a dangerous piece of malware that can harvest email credentials and other passwords from infected machines.
This blog has covered many different varieties of ransomware in the past, including Cryptolocker, Reveton and CryptoWall (just to name a few). As ransomware continues to be a popular attack vector for cyber criminals, we have seen many variations of similar source code. This phenomenon is not exclusive to ransomware; in fact, most modern malware threats share source code, and hackers simply add small variations to evade detection by modern antivirus solutions and increasingly savvy PC users. That said, security researchers from SophosLabs recently uncovered a form of ransomware that is genuinely new rather than another variant of existing code.
Security experts recently discovered a new type of point-of-sale malware similar in design to the devastatingly effective BlackPOS malware which affected Target and many other US retailers during the holiday shopping season of 2013. As you may recall from the coverage of the Target breach on this blog last year, the personal details of over 40 million customers were compromised when hackers were able to infect the point-of-sale system with BlackPOS. Compromised information included email addresses, credit card numbers and billing information, which was then sold through a variety of “carding” websites around the world.
Destover, also known as Wipall, has been identified as the malware used in the attack against Sony Pictures Entertainment late last month. This attack was responsible for wiping the hard drives of numerous PCs within the company’s network before rebooting each infected system and displaying a copy of a bitmap image announcing to employees that the network had been hacked by a group calling itself the Guardians of Peace (GOP). Shortly after the Sony attack made headlines, the FBI issued a warning stating that a destructive – but unidentified – malware attack had been launched against a prominent US business (which was also not named within the warning). Following the breach, an email was sent to the Information Security Media Group by an individual claiming to be the leader of GOP.
Security researchers have recently discovered thousands of plugins and themes for popular content management systems (CMS), including WordPress, Joomla and Drupal, that have backdoors engineered into them which can be used to compromise web servers around the world. The backdoor, known as CryptoPHP, has been added to popular plugins used by webmasters to improve the functionality of websites built on the CMSs mentioned above. Websites based on Drupal are only susceptible to CryptoPHP via infected themes. Websites based on WordPress and Joomla, however, are also susceptible to infection via thousands of plugins specifically designed for the platform in question.
Citadel is a powerful banking Trojan that has been covered extensively on this blog in the past. A variation of the notorious Zeus Trojan, Citadel came into its own after the original Zeus source code was leaked online in 2011. While the widespread use of Citadel has waned due to improved detection by most popular anti-malware solutions, it is still a threat that should be remembered every time you open an unsolicited email attachment or visit a website that could be compromised by popular drive-by download exploit kits such as Blackhole.
Regin is an extremely difficult-to-detect malware variant that is already being referred to as the ‘Swiss army knife of clandestine tools’ by security experts worldwide. The good news, if there is any when talking about this dangerous malware variant, is that Regin has so far specifically targeted non-English-speaking countries. That said, it is still worth looking at this malware because history has proven time and again that what works in other countries certainly works in the United States and other English-speaking countries around the world. In other words, it is only a matter of time before Regin (pronounced “region”) makes its way onto domestic soil.
A new malware campaign was recently discovered that has been targeting corporate executives using hotel WiFi in Asian hotels. According to security experts, this campaign, dubbed Darkhotel, has been ongoing for at least four years, meaning the number of potential victims and the amount of sensitive information stolen from their computers are difficult, if not impossible, to estimate at this time. It appears that most Darkhotel attacks are occurring in Japan, Taiwan, China, Russia and South Korea, with top executives from the United States and Asia the primary targets in most cases.
A new form of ransomware apparently from the same family as the notorious Cryptographic Locker has recently been discovered. Known as CoinVault, this malware works in a fashion similar to ransomware this blog has covered in the past. Specifically, the hackers demand payment in Bitcoins, the ransom goes up at set intervals (usually every 24 hours) and the GUI is almost identical. Once infected with CoinVault, the malware creates a system registry value called Vault which is set to run on startup. Once active, the malware scans all drives looking for and encrypting all data files it finds.
A San Francisco man was arrested earlier this week after it was discovered that he was responsible for operating the second iteration of the notorious Silk Road. For those readers unfamiliar with the Silk Road, it was an underground website only accessible via the supposedly anonymous Tor network. Originally run by Ross William Ulbricht (aka Dread Pirate Roberts), the Silk Road became synonymous with online black market dealings including the sale of illicit drugs, stolen credit card numbers and a host of other nefarious activities.
Many of the recent threats reported by this blog target the banking information of unsuspecting victims once a Trojan specifically designed to steal the login credentials of these victims has been installed on the PC. Most of these attacks use modern techniques such as drive-by downloads and other exploits that capitalize on known vulnerabilities in Windows as well as popular browser plugins including Flash, Java and Microsoft Silverlight. Now, rewind about 10 years. At that time, the most common way for a hacker to install malicious code on a system was by using macros embedded within Microsoft Office documents.
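Macro-laden Office documents are making a comeback as a delivery vehicle, and the first triage question for any attachment is simply "does this file carry a VBA project at all?" The following Python is an added example, not code from the original page or from any vendor it mentions. It inspects the ZIP container of an Open XML document (.docx/.docm/.xlsm and friends) for a vbaProject.bin part and for the VBA content type declared in [Content_Types].xml, so it does not trust the file extension, which attackers routinely change (a .docm renamed to .doc still opens with its macros in Word). The sample documents it builds in memory are constructed stand-ins, not real Word files; legacy OLE2 .doc files are only recognised, not parsed, because that needs an OLE parser such as oletools, which is assumed to be outside the scope here.

```python
import io
import os
import zipfile

# Content type Office declares for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 (Compound File) container used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office itself treats as macro-enabled; a mismatch with the
# container contents is a red flag on its own.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def find_macro_indicators(data: bytes) -> dict:
    """Look inside an Open XML (ZIP-based) document for evidence of VBA.

    Two independent indicators are collected: any part whose name ends in
    vbaProject.bin, and the VBA content type in [Content_Types].xml.  Either
    one is enough to flag the document as macro-enabled.
    """
    result = {"is_zip": False, "vba_parts": [], "declares_vba": False, "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a ZIP container: legacy OLE2 or not Office at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["is_zip"] = True
            names = zf.namelist()
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declares_vba"] = VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return result  # truncated or corrupt archive; treat as unknown, not clean
    result["has_macros"] = bool(result["vba_parts"]) or result["declares_vba"]
    return result


def triage(filename: str, data: bytes) -> str:
    """Return a one-line verdict combining container contents and extension."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        return "legacy OLE2 document: needs an OLE parser (e.g. oletools) to check for macros"
    info = find_macro_indicators(data)
    if not info["is_zip"]:
        return "not an Open XML document"
    if info["has_macros"] and ext not in MACRO_EXTENSIONS:
        return "macros present but extension disguised as non-macro file"
    if info["has_macros"]:
        return "macro-enabled document"
    return "no VBA project found"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Open XML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = [
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        if with_macro:
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            )
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-placeholder")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a renamed macro document, a clean one and a legacy .doc header.
    samples = {
        "invoice_2014.doc": build_sample(with_macro=True),
        "report.docx": build_sample(with_macro=False),
        "old_memo.doc": OLE2_MAGIC + b"\x00" * 24,
    }
    for name, blob in samples.items():
        print(f"{name}: {triage(name, blob)}")
```

The renamed case is the one worth automating in a mail gateway: a ZIP-based document with a VBA part but a plain .doc or .docx extension has no legitimate reason to exist.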
A cyberespionage group was recently discovered that has been deploying a version of the notorious BlackEnergy cybercrime tool. The group behind this campaign — which has still not been identified — is currently targeting routers and Linux systems based on the ARM and MIPS architecture. Windows machines are also being targeted by the group using a variety of readily-available plugins designed to make BlackEnergy even more powerful.