Internet threat news

Since 2015 the trojan LokiBot has been used by cybercriminals to create backdoors into Windows machines. Its continued popularity can be partly attributed to the various and often novel ways it has been distributed in the past and the tactics it employs to infect machines. In the past researchers have discovered campaigns where the trojan was spread via steganography, the technique of hiding secret data, often in an image to avoid detection. In this instance, the data hidden was malicious code that when the image was opened a script would execute. Now hackers deploying the trojan are disguising it as a launcher for one of the world’s most popular video games, Fortnite. This new campaign was discovered by researchers at Trend Micro who previously also discovered the campaign using steganography in August 2019. It is believed that the fake launcher is distributed via a spam email campaign sent to numerous potential targets.

Often new developments on the malware front can be broadly defined into two categories those that involve unique methods to carry out its designed purpose and those that are not. The recent development of hackers threatening, and in some cases, releasing sensitive data to the public if ransomware ransoms are not paid would fall into the not unique category. Such developments are blunt and rather heavy-handed, especially when compared to the new and unique method that the RobbinHood ransomware employs to bypass antivirus detection so that it can encrypt files without interruption.

Last week the US Federal Bureau of Investigation (FBI) sent out an alert warning the private industry of continued attacks carried out against software supply-chain companies. The report is yet to be released to the public as it is intended as a Private Industry Notification (PIN) which is only sent to selected industry partners and not the public at large. However, details of the alert have been provided to ZDNet who learned that attackers are attempting to infect companies with the Kwampirs malware. According to the alert sent out by the FBI stated,

Over the last several weeks the global health emergency surrounding the Coronavirus has overshadowed many other world events. Daily breaking news surrounding the virus’ spread too far-flung regions demand attention. Now, hackers are looking to further their own aims by abusing the medical threat posed by the virus. Currently, three separate campaigns have been discovered using the Coronavirus in an attempt to harvest user credentials or, as in one case, spread Emotet. This is by no means a new tactic, often phishers will send out spam emails related to upcoming sporting events or other world events that garner mass attention to try to get recipients to click on a link or malicious document. Exploiting a global health emergency, as declared by the World Health Organisation, is a key indicator of the moral fiber of the attackers behind these campaigns.

Last week this publication covered the arrest of three individuals accused of being part of a MageCart gang in Indonesia. This week brings more related news regarding MageCart attacks but so far none of this group has yet to be brought in front of a court. MageCart attacks often involve the injection of malicious JavaScript code into a trusted website's eCommerce checkout page. The malicious code then skims the card details entered by the customer resulting in the theft of consumer data. MageCart groups either gain access to the website directly or via third-party tools, such as analytics applications, to inject the malicious code.

Initially, a MageCart gang targeted an Olympic ticket reseller olympictickets2020[.]com by carrying out a MageCart-like attack on the website. Security researchers Jacob Pimental and Max Kersten discovered the attack, subsequently notified the company selling the tickets, and then later published their findings in late January 2020. The two researchers discovered that the group managed to append malicious code to the end of a legitimate JavaScript library, along with extra obfuscated code to help hide the group’s intentions. Once the researchers had managed to clear all the junk code away it was discovered that the malicious code would send the skimmed card details to opendoorcdn[.]com. Before any of this information was released to the public the researchers attempted to notify the ticket reseller via Twitter and email, as well as the chat feature included on the website in question. The pair did not receive much in the way of correspondence, however, it was noticed that the malicious code had been removed from the website on January 21, 2019.

For most of the Western World, December is associated with a myriad of holidays, for many hackers, it is open season. Consumers are warned to be careful when shopping online and companies are warned that they will be targets of what to some is a holiday period. When Wawa announced on December 19, 2020, that the retail giant based namely on the East Coast of the US suffered a data breach much of the InfoSec community was prepared for the news, even if they had no idea who would be the next victim.

At the time the company believed the breach was a result of being infected with point of sale POS malware. This specific type of malware is designed to steal credit and debit card details from point of sale devices commonly used in retail shops to process card payments. The threat posed by such malware led Visa to warn fuel stations throughout North America that there pumps and the devices attached are being targeted by cybercriminal organizations. POS malware is unique in how it manages to steal card data when compared to banking trojans. Payment devices encrypt the data of the card before sending it to the required bank network for approval. The encryption occurs in the device's random access memory (RAM), this allows the malware to scrap the hardware for the card details which are later stolen before they are encrypted. The details are then sent to command and control servers under the control of hackers.

In the fourth quarter of 2019, a spike in MageCart attacks was seen. The most infamous of which involved British Airways which involved nearly 400,000 individuals becoming victims through only a piece of code 22 lines long. Then in November, that same year details emerged detailing how Macy’s also fell victim to such an attack. The attack occurred between October 7 and October 15 when hackers had injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.

MageCart attacks involve hackers specifically targeting shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer, the process of skimming the card details has resulted in this type of attack been referred to as Web Skimming or eSkimming. The skimming of the card details amounts to theft and the hacker can now use those details for any number of purposes, popular uses been selling them on the Darknet. In order to inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website, or target third party applications. This targeting of third party applications can be classified as a supply chain attack and often involves targeting analytics software, for example, in order to gain a foothold on the targets webpage.

Ransomware continues to be a major bane facing enterprises and government organizations, with the latest high profile victim being Travelex. The currency exchange suffered a Sodinokibi attack, which left some of the company’s online services offline for three weeks. Another new worry for those tasked with securing networks is that ransomware operators are now not only encrypting data but stealing it and threatening, in some cases actually, releasing the data to the public. Researchers spend time analyzing the code behind the malware but what of the costs associated with an infection? Often for CEOs, CFOs, and stakeholders this is often the most important factor when looking to come through such an infection relatively intact.

Online gaming has long been a target for hackers, whether to cheat or to deny other gamers the service they have in many cases paid for. In denying other players the online service hackers will often employ distributed denial of service (DDoS) attacks. Not only do such attacks prevent other players from playing or using attached services or web stores, but they impact negatively on the company’s earnings. Hackers have already figured out that they could hire out their services to other malicious gamers and reap a profit. In a process that started in September 2018, Ubisoft has adopted a new tactic to try and prevent future attacks from happening. This tactic involves the courts to sue operators advertising their DDoS skills to whoever is willing to pay.

It seems like the start of the year is not complete without a new and dangerous vulnerability been disclosed to the public. Last year it was the Spectre and Meltdown CPU vulnerabilities. This year the new threat is posed by CVE-2020-0601, better known as Curveball. The vulnerability is described as a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. According to Windows, this vulnerability could allow an attacker to,

Sodinokibi and a handful of other ransomware variants are currently dominating discussions regarding ransomware. Continual updates; changes in tactics and infection vectors; and improved targeting tactics placing corporations and government organizations within their crosshairs, have all made Sodinokibi a nightmare to deal with if infected. Now another change in tactics adds to the threat posed by the ransomware variant. The change of tactics does not involve a new advanced code module or infection vector, rather the release of data stolen if the victim does not pay the ransom in time.

In December 2019, representatives of the Sodinokibi ransomware threatened to take such steps on an underground Russian hacker forum. The post was shared with the community by security researcher Damian who discovered UNKN, the public-facing representation of the ransomware, had posted the threat. Such a tactic has been seen before with Maze, another ransomware variant, published 700 MB of data stolen from Allied Universal. At the time this was believed to be only 10% of the data stolen by hackers while simultaneously conducting ransomware operations. The data was released in response to payment not being made by the victim. Sodinokibi now has followed suit.

With tensions near the boiling point between Iran and the US, news feeds across the globe have been dominated by headlines. The InfoSec community was also stirring with opinion pieces relating to Iran capabilities in carrying out cyberattacks. However, Iranian state-sponsored hackers are now in the headlines for an incident that occurred on December 29, 2019. It is believed the above-mentioned hackers infected Bapco, Bahrain's national oil company, with a new data wiper.

Wipers, also known as data wipers, are specific pieces of malware specifically designed to destroy data. In the past state-sponsored groups have used wipers in an attempt to remove all trace they had compromised a network. According to a security alert issued by Saudi Arabia's National Cybersecurity Authority and linked by ZDNet the attack was not as successful as intended as only a section of Bapco’s network and connected work stations were affected. The alert was sent to local businesses within the energy sector to warn them of potential intrusion and infection. Given the release of the alert happening over the weekend and the date of the incident, it is important to note that this incident is not directly related to current Iranian and American tensions.

In a recent blog article published by the Microsoft Defender, ATP Research Team reveals some interesting numbers regarding RDP brute-force attacks. The key findings of the research team include that brute-force attacks on RDP ports last an average of two to three days and only approximately 0.08% of these attacks are successful. The sample size for the research was 45,000 PCs over a period of months which lends to the study's credibility.

Remote Desktop Protocol (RDP) is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389. Typically used in enterprise environments it allows system and network administrators to manage servers and workstations remotely. Likewise, RDP is used by employees while away from their desks to perform work tasks. While proving a handy administrative tool, hackers soon learned that if they could scan for Internet-facing RDP ports that are not properly secured and gain access to targeted machines. Once access is gained hackers can drop any number of malware strains they want to.

The US Coast Guard announced that it had suffered a ransomware infection which resulted in the shutdown of a maritime facility for more than 30 hours. The security bulletin, published just before Christmas, also stated that the ransomware was Ryuk. The bulletin, however, makes no mention of the name or the location of the port authority, it merely described the incident as recent. The US Coast Guard noted that the security bulletin intended to inform other maritime authorities of the incident to act as a warning and hopefully prevent future attacks.

While the bulletin did not specify which port or maritime authority was impacted by the attack, it did state that they believe hackers gained access to the network via a phishing email sent to one of the authority’s employees. The agency further elaborated that,