Internet threat news
A new malware campaign was recently discovered that has been targeting corporate executives using hotel WiFi in Asian hotels. According to security experts, this campaign — dubbed Darkhotel — has been ongoing for at least four years, meaning the number of potential victims, and the amount of sensitive information stolen from their computers, is difficult, if not impossible, to estimate at this time. It appears that most Darkhotel attacks are occurring in Japan, Taiwan, China, Russia and South Korea, with top executives from the United States and Asia the primary targets in most cases.
A new form of ransomware, apparently from the same family as the notorious Cryptographic Locker, has recently been discovered. Known as CoinVault, this malware works in a fashion similar to ransomware this blog has covered in the past. Specifically, the hackers demand payment in Bitcoins, the ransom goes up at set intervals (usually every 24 hours) and the GUI is almost identical. Once a machine is infected with CoinVault, the malware creates a system registry value called Vault which is set to run on startup. Once active, the malware scans all drives, looking for and encrypting every data file it finds.
A San Francisco man was arrested earlier this week after it was discovered that he was responsible for operating the second iteration of the notorious Silk Road. For those readers unfamiliar with the Silk Road, it was an underground website only accessible via the supposedly anonymous Tor network. Originally run by Ross William Ulbricht (aka Dread Pirate Roberts), the Silk Road became synonymous with online black market dealings including the sale of illicit drugs, stolen credit card numbers and a host of other nefarious activities.
Many of the recent threats reported by this blog target the banking information of unsuspecting victims once a Trojan specifically designed to steal the login credentials of these victims has been installed on the PC. Most of these attacks use modern techniques such as drive-by downloads and other exploits that capitalize on known vulnerabilities in Windows as well as popular browser plugins including Flash, Java and Microsoft Silverlight. Now, rewind about 10 years. At that time, the most common way for a hacker to install malicious code on a system was by using macros embedded within Microsoft Office documents.
A cyberespionage group was recently discovered that has been deploying a version of the notorious BlackEnergy cybercrime tool. The group behind this campaign — which has still not been identified — is currently targeting routers and Linux systems based on the ARM and MIPS architectures. Windows machines are also being targeted by the group using a variety of readily available plugins designed to make BlackEnergy even more powerful.
As crypto-malware continues to be the preferred attack method for many cybercriminal organizations of late, it raises the question: what happened to the malware variants that were prevalent just a few months ago? One of the malware techniques thought to have fallen by the wayside is rogue antivirus malware. Just a few months ago, these scams were very popular among hacking groups large and small because they represented a relatively easy way to extort money from victims. In case you are unfamiliar with these types of scams, rogue antivirus software is a form of malware whereby the victim is constantly bombarded with warnings about viruses that have supposedly been detected on the machine.
Malvertising is becoming increasingly prevalent as an effective way for hackers to spread malware across the Internet. Now, it seems that one of the largest and most popular websites in the world, YouTube, is being targeted by hackers who have successfully inserted malicious advertisements into legitimate advertising channels in an effort to install malware on the computers of people clicking on YouTube advertisements. When a user clicks on an ad, traffic is directed through legitimate advertising aggregators before being rerouted to compromised websites serving malware. It appears hackers are doing this by modifying Domain Name System (DNS) information to automatically redirect advertising traffic to malicious sites serving Sweet Orange and other malware variants.
A still-unidentified cyberespionage group has been discovered that is using advanced spear phishing techniques to steal email login credentials from employees at high-level targets including embassies, military agencies, international media outlets and defense contractors. Although the origin and whereabouts of the group behind this attack are still unknown, security experts are referring to the attack as Operation Pawn Storm, and it appears this operation has been going on covertly since 2007. In the past, this group has relied heavily on spear phishing email campaigns to distribute malicious Microsoft Office file attachments designed to install a backdoor in the operating system for remote code execution.
Recently, hackers released a variant of the Dyre banking Trojan designed to target users of the popular sales platform Salesforce.com. In early September, Salesforce notified customers that they may be targeted by Dyre (also known as Dyreza) — a keylogger designed to harvest user login credentials. More traditional Dyre campaigns target large financial institutions, but the variant affecting Salesforce customers was delivered as an email attachment that installed Dyre once opened.
Russian hackers, operating under the name of the “Sandworm team”, are targeting government leaders and institutions including the North Atlantic Treaty Organization (NATO), the European Union, Ukrainian government bodies and academic targets in the United States. At least one U.S. academic was specifically targeted for his work and focus on Ukrainian issues. Based on recent analysis by security firm iSight, a company that has been watching Sandworm since last year, this cyberespionage campaign has been slipping into Windows computers for over five years — specifically extracting information pertaining to intelligence and diplomatic affairs in Ukraine.
Security experts recently uncovered a new and extremely dangerous botnet that has already infected an estimated 500,000 computers worldwide. Known as Qbot or Qakbot, this new botnet is designed to sniff packets related to online banking transactions. At the time of this writing, over 800,000 unique online financial transactions have been intercepted. Most of these are from at least five major United States banks, although security firm Proofpoint (the firm responsible for discovering Qbot) states that many large European banks are also being actively targeted. According to reports, Qbot started when a group of Russian cybercriminals obtained administrative login credentials for WordPress sites via an underground marketplace. Malware was uploaded to these sites so that visitors would fall victim to the ever-so-popular drive-by download.
You may have heard about a recent security scare that many websites have been quick to compare to Heartbleed and other serious vulnerabilities discovered recently. In case you are unfamiliar, Shellshock is a vulnerability affecting Linux/Unix and some OS X (Apple) computers whereby a hacker can remotely execute code through the Bash shell. This vulnerability is due to a coding oversight that allows certain environment variables to be interpreted as commands by the shell. Although the use of Linux for home computers is still relatively limited, Shellshock could spell big trouble for many large corporations that rely on Linux or Unix-based systems for many backend functions. This blog decided not to cover Shellshock previously because it does not affect Windows machines. However, security researchers have recently discovered that Windows has many similar vulnerabilities that could allow for remote code execution via the Windows terminal.
Police officers exist to protect us, right? So it shouldn’t come as much of a surprise when the local police department offers us, citizens of the United States, a tool designed to protect our children from the dangerous place colloquially known as the Internet. Unfortunately, it appears local police departments would rather follow in the footsteps of the NSA and spy on everything we do online, illicit or not. ComputerCOP is free Internet security software offered by law enforcement agencies around the country. This software is purportedly designed as a way for parents to keep an eye on what their children are doing online.
A Greek security researcher recently uncovered a new malware campaign that takes advantage of two well-known programs to avoid detection by most antivirus solutions while functioning as a keylogger capable of stealing every keystroke made on an infected machine. These keystrokes — which often include sensitive personal and financial data — are then sent discreetly to the cybercriminals behind the attack. This new threat is composed of two separate pieces of software. The first is a well-documented keylogging program known as Limitless Keylogger.